Suvradip Chakraborty (suvradip.chakraborty@inf.ethz.ch) is the contact person for Bachelors and Masters of the FoC group.

Adaptor signatures are a cryptographic primitive that ties together the
authorization of a message and the leakage of a secret value -- a concept
particularly useful in the context of decentralized payment systems. While
there exist various constructions for adaptor signatures where one party takes
the role of a signer, less attention has been given to settings where there are
multiple (potential) signers authorizing a message.

The goal of the thesis is to formally define one of the possible multi-signer notions and present a provably secure construction. Earliest possible starting date 01.03.2022.

**Preliminary references:**

[EFH+21]: https://eprint.iacr.org/2021/150.pdf

**Contact:** Kristina Hostáková

The goal of the thesis is to formally define one of the possible multi-signer notions and present a provably secure construction. Earliest possible starting date 01.03.2022.

[EFH+21]: https://eprint.iacr.org/2021/150.pdf

A zero-knowledge proof system is a protocol between a prover and a verifier,
where the prover attempts to convince the verifier that a statement x belongs
to an NP language. The honest prover possesses a witness w for the fact that x
is a valid statement in the language and the zero-knowledge property asks that
during the interaction with the verifier, no information is leaked about the
witness w. Moreover, a cheating prover should not be able to convince the
verifier to accept any statements which are not in the language.

Zero knowledge protocols have many applications, for example in privacy-preserving authentication or in building other cryptographic protocols.

In this project, we will look at recent breakthroughs in the field of zero-knowledge and attempt to build on these techniques to obtain new results. Earliest possible starting date 01.04.2021.

**Preliminary references:**

[ADk+19]: http://eprint.iacr.org/2019/732

**Contact:** Bogdan Ursu

Zero knowledge protocols have many applications, for example in privacy-preserving authentication or in building other cryptographic protocols.

In this project, we will look at recent breakthroughs in the field of zero-knowledge and attempt to build on these techniques to obtain new results. Earliest possible starting date 01.04.2021.

[ADk+19]: http://eprint.iacr.org/2019/732

Secure Multi-Party Computation (MPC) enables mutually untrusting parties to perform a
shared computation without revealing any information about their input that is
not already leaked by the result of the computation.

Depending on the network and adversary model, i.e. how parties communicate and what capabilities an attacker possesses, different notions are achievable or impossible. Early works show that when a majority or parties is corrupt, then output cannot be guaranteed, and indeed not even fairness [Cle86].

To sidestep this fundamental impossibility,*Identifiable Abort* has been
introduced [IOZ14]: here an adversary may abort the protocol but it must reveal
the identity of at least one corrupted party.
Recently, given a broadcast, [Bra21] has shown that relatively small setups suffice for n-party MPC using the graph-theoretical technique of [BMM+20].
The goal of this thesis is to extend the technique of [BMM+20] to protocols *without* broadcast to achieve analogous bounds for the minimal size as [Bra21].
Another possible topic is to improve or show the impossibility of improving the scaling behavior of the protocols in [Bra21] to support a larger number of overall parties.

**Contact:** Nicholas Brandt

Keywords: Combinatorics, Graph Theory, Universal Composability

Depending on the network and adversary model, i.e. how parties communicate and what capabilities an attacker possesses, different notions are achievable or impossible. Early works show that when a majority or parties is corrupt, then output cannot be guaranteed, and indeed not even fairness [Cle86].

To sidestep this fundamental impossibility,

Keywords: Combinatorics, Graph Theory, Universal Composability

IND-CPA and IND-CCA are considered as standard notions of security for encryption schemes. However, in many scenarios these security notions are not sufficient for intended applications. Consider for example a setting where several senders send (potentially related) messages to a recipient using the recipient's public key. Now, if an adversary corrupts a party, it might not only learn the message, but also the encryption randomness.Nevertheless, we would still hope to obtain security for the ciphertexts sent by uncorrupted parties, up to what can be learned from the leaked messages. Such an attack is called selective opening attack (SOA) and it has been shown that SOA security does not follow from IND security, neither in the CPA [HRW15], nor in the CCA setting [HR14]. Another example, where IND security of encryption does not suffice to guarantee security, is when messages related to the secret key are encrypted, or even the secret key itself. The security notion here would be key-dependent message (KDM) security or circular security [MO13]. Finally, one can consider a scenario where keys are encrypted under other keys and sequences of such encryptions are possible; this happens e.g. in constructions of multicast encryption and continuous group key agreement. Despite corruption, one would like to guarantee security unless a current group member is corrupted; this is implied if the encryption scheme is secure under generalized selective decryption (GSD) [Pan07], which again does not follow from IND-CPA alone [KKPW21].

A possible thesis topic could be to compare these different security notions and variants thereof, and provide an overview on known constructions and separations. For an MSc thesis, we will additionally consider ways to achieve SOA and KDM security simultaneously.

**Contact:** Karen Klein

A possible thesis topic could be to compare these different security notions and variants thereof, and provide an overview on known constructions and separations. For an MSc thesis, we will additionally consider ways to achieve SOA and KDM security simultaneously.