@alxiong
Created May 12, 2023 13:27

Reflection on Eurocrypt 2023

Top personal takeaways are:

  • Lattice-based crypto is the perfect sub-direction to contribute in
    • Vadim's remark on the state of lattice crypto: KEMs, signatures, FHE, functional commitments, ZKPs. Some reduce to more structured lattices than others for efficiency.
      • Confidence in lattice hardness, but IP issue is somewhat tricky.
      • The most convincing slide presents the CNSA timeline for mandatory transition to PQC by 2033 -- not a matter of if or when, it's gonna happen!
    • Missing:
      • threshold crypto (rejection sampling on individual share doesn't guarantee successful secret reconstruction?)
      • scripts for parameter selection; the concretely efficient schemes such as LaBRADOR [BS22] use lots of heuristics.
    • Many new assumptions: k-R-ISIS [ACLM+22], BASIS [Wu]; especially the newer, more compact schemes rely on more structure, and these assumptions need more investigation.
    • Implementations:
      • Gregor at IBM Zurich (and his team) has plans to open source more lattice implementations.
      • Russell Lai also seems to have coded up many primitives.
      • Chiesa suggested we should spend enough time thinking about the right level of abstraction and API design, and avoid being a hodge-podge of tools.
  • Interesting perspective: usually we need abstraction to generalize a long list of concrete instantiations; in crypto, we (mostly) only have integer factorization, DLog, and lattices, yet we invented so many higher-level primitives for composing new constructions. It's not a problem, but in lattice crypto leaky abstractions occur all the time (e.g. using a specific/concrete property of lattices in the construction of an FHE scheme).
  • Knowledge soundness extractors are highly non-trivial, usually with loose bounds -- this might affect composability down the road (without generic composers/extractors). E.g. quantum rewinding is very different, as measuring collapses the quantum state.
  • Should try more high-assurance or formally verified toolchains.

Miscellaneous notes:

  • Worth checking out
    • PIANO: Fast single-server PIR with sublinear server computation
    • Garbled RAM [LO13]: some techniques/challenges look similar to lookup relations. More recent work: NanoRAM.