- Speaker: Jintai Ding
- Title: Quantum-Proof Blockchain
- Abstract: Blockchain technology is now going through explosive development with the aim to build a new generation of revolutionary financial technology. The most successful example is the new digital currency bitcoin. The fundamental building block in blockchain technology is actually cryptographic algorithms, which is why bitcoin is actually called a cryptocurrency. The main cryptographic algorithms used in blockchain technology are hash functions and elliptic curve digital signatures. As we all know, quantum computers are not such a significant threat to the security of hash functions, but they can be fatal to elliptic curve digital signatures. In this presentation, we will first show how quantum computers can threaten the security of blockchain technology, in particular, why the existing blockchain technology used in bitcoin cannot fundamentally avoid such a practical attack. Then we will explain the challenges we will face if we just plug in existing post-quantum cryptographic solutions as a drop-in replacement for the existing elliptic curve signatures, in particular, the key size problem and a few others. In the end, we will present some of the new solutions we have been developing to deal with these fundamental problems, including a new type of proof-of-work algorithm, which, we believe, provides very viable solutions for future long-term secure blockchain technology.

- Speaker: David Naccache
- Title: Missing Species in the Digital Signatures Zoo?
- Abstract: This talk describes new OWFs and signature schemes. The new signature schemes are interesting because 1. they are based on factoring and 2. they do not belong to the two common design blueprints, which are the inversion of a trapdoor permutation and the Fiat-Shamir transform. The signature algorithms are derived from a new OWF whose inversion is provably as difficult as factoring. In contrast to the DLP, Rabin or RSA, which assume that the target modulus is built into the OWF, the new OWF does not require any built-in parameters except the modulus' size. Given their strangeness and very different design, the new signature schemes seem to be an overlooked "missing species" in the corpus of known signature algorithms (based on arithmetic modulo p q^4, the produced signatures are primes, i.e. a sort of Australian platypus...). We stress that despite the signature schemes' very simple description (one formula), we did not manage to prove their security nor find any attacks against them. We hence conjecture their security and invite the community to scrutinize them. Joint work with Eric Brier (Ingenico) and Houda Ferradi (NTT Labs).

- Speaker: Dennis Jackson
- Title: Automated Analysis of Digital Signatures’ Unexpected Behaviours
- Abstract: Automated protocol analysis tools, such as Tamarin and ProVerif, have found a prominent role in analysing widely used security protocols such as TLS, 5G and Signal. However, these automated tools work in the "symbolic model", which abstracts and approximates the behaviour of cryptographic primitives. In this talk, we consider the symbolic approximation of digital signatures, which has remained unchanged since 2001. How well does it capture the properties of real signature schemes? We uncover a surprising mismatch between these symbolic approximations and real-world signatures. There are a number of unusual and esoteric signature scheme properties which have been reported in the academic literature, are permitted by the traditional definition of signature scheme security (EUF-CMA), yet are not captured by contemporary symbolic analysis tools. This discrepancy is significant. We consider a series of protocols with known attacks and show that existing analysis tools incorrectly verify these protocols as being secure. We provide a new symbolic model of digital signatures which resolves this mismatch and can automatically find these attacks. Additionally, using our improved model we discover previously unknown attacks on real-world protocols, including an attack on a protocol which was previously verified to be “secure”.