| 9:30 - 10:00 |
Registration |
| 10:00 - 10:15 |
Opening |
| 10:15 - 10:45 |
An Optimal Proof of Proof-of-Work
Zeta Avarikioti
Abstract: : Designing light clients for Proof-of-Work blockchains has been a foundational problem since Nakamoto's SPV construction in the Bitcoin paper. Over the years, communication was reduced from O(C) down to O(polylog(C)) in the system's lifetime C.
We present Blink, the first provably secure O(1) light client that does not require a trusted setup.
Bio: Zeta is a scientist at Common Prefix and is an upcoming Assistant Professor at the Technical University of Vienna (TU Wien) in Austria. She is currently a post-doctoral blockchain researcher at TU Wien working with professor Matteo Maffei. She graduated with a PhD from ETH Zürich, advised by Roger Wattenhofer, and holds an engineering degree from the National Technical University of Athens and a masters degree from National Kapodistian University of Athens. She specializes in distributed systems, scaling blockchains via sharding and channels, and the analysis of cryptoeconomic incentives. Among other venues, she has published in USENIX Security, CSF, Financial Cryptography, AFT, AAAI, and SODA. Highlights of her research include the papers BRICK: Asynchronous Payment Channels, Cerberus Channels: Incentivizing Watchtowers for Bitcoin, and Divide and Scale: Formalization of Distributed Ledger Sharding Protocols.
|
| 10:45 - 11:05 |
On-Chain Timestamps Are Accurate
Slides
Apostolos Tzinas
Abstract: When Satoshi Nakamoto introduced Bitcoin, a central tenet was that the blockchain functions as a timestamping server.
In the Ethereum era, smart contracts widely assume on-chain timestamps are mostly accurate.
In this paper, we prove this is indeed the case, namely that recorded timestamps do not wildly deviate from real-world time, a property we call timeliness. Assuming a global clock, we prove that all popular mechanisms for constructing blockchains (proof-of-work, longest chain proof-of-stake, and quorum-based proof-of-stake) are timely under honest majority, but a synchronous network is a necessary condition. Next we show that all timely blockchains can be suitably modified, in a black-box fashion, such that all honest parties output exactly the same ledgers at the same round, achieving a property we call supersafety, which may be of independent interest. Conversely, we also show that supersafety implies (perfect) timeliness, completing the circle.
Bio: Apostolos is a blockchain researcher and engineer at Common Prefix, specialising in blockchain consensus and decentralised finance. His research highlights include On-Chain Timestamps Are Accurate, published in Financial Cryptography 2024, and The Principal–Agent Problem in Liquid Staking, published in Financial Cryptography 2023’s 7th Workshop on Trusted Smart Contracts (WTSC). Apostolos also has extensive experience in deploying and managing both validators and full-nodes across the Ethereum and Cosmos ecosystems. In the past, as a web engineer at Maya Insights and NutriDice, he has gained extensive experience with a wide range of programming languages and technical stacks. Apostolos has a background in algorithms, having competed at national and balkan olympiads in informatics.
|
| 11:05 - 11:35 |
Rollerblade: Replicated Distributed Protocol Emulation on Top of Ledgers
Slides
Dionysis Zindros
Abstract: We observe that most fixed-party distributed protocols can be rewritten by replacing a party with a ledger (such as a blockchain system) and the authenticated channel communication between parties with cross-chain relayers. This transform is useful because blockchain systems are always online and have battle-tested security assumptions. We provide a definitional framework that captures this analogy. We model the transform formally, and posit and prove a generic metatheorem that allows translating all theorems from the party setting into theorems in the emulated setting, while preserving analogies between party honesty and ledger security. In the heart of our proof lies a reduction-based simulation argument. As an example, our metatheorem can be used to construct a consensus protocol on top of other blockchains, creating a reliable rollup that assumes only the majority of the underlying layer-1s are secure.
Bio: Dionysis is a co-founder and researcher at Common Prefix focusing on consensus, light clients, bridges, interoperability, and fast bootstrapping. He did his post-doc at Stanford University, advised by David Tse. He holds a PhD from the University of Athens, advised by Aggelos Kiayias, and an Electrical and Computer Engineering degree from the National Technical University of Athens. Among other venues, he has published in IEEE S&P (Oakland), ACM CCS, ESORICS, and Financial Crypto, and presented at Black Hat Europe and Asia. Highlights of his research include the papers Non-Interactive Proofs of Proof-of-Work, Proof-of-Stake Sidechains, Proof-of-Burn, and Proof-of-Work Sidechains.
|
| 11:35 - 12:10 |
Break |
| 12:10 - 12:55 |
Program Analysis for High-Value Smart Contract Vulnerabilities: Techniques and Insights
Yannis Smaragdakis
Abstract: A widespread belief in the blockchain security community is that automated techniques are only good for detecting shallow bugs, typically of small value. In this paper, we present the techniques and insights that have led us to repeatable success in automatically discovering high-value smart contract vulnerabilities.
Our vulnerability disclosures have yielded 10 bug bounties, for a total of over $3M, over high-profile deployed code, as well as hundreds of bugs detected in pre-deployment or under-audit code.
We argue that the elements of this surprising success are a) a very high-completeness static analysis approach that manages to maintain acceptable precision; b) domain knowledge, provided by experts or captured via statistical inference. We present novel techniques for automatically inferring domain knowledge from statistical analysis of a large corpus of deployed contracts, as well as discuss insights on the ideal precision and warning rate of a promising vulnerability detector. In contrast to academic literature in program analysis, which routinely expects false-positive rates below 50% for publishable results, we posit that a useful analysis for high-value real-world vulnerabilities will likely flag very few programs (under 1%) and will do so with a high false-positive rate (e.g., 95%, meaning that only one-of-twenty human inspections will yield an exploitable vulnerability).
Bio: Yannis is a Professor in the Department of Informatics of the University of Athens and co-founder of Dedaub, a top blockchain security company.
His area of research is Programming Languages with emphasis on program analysis. He has received an NSF Career award, European Research Council (ERC) Consolidator and Advanced grants, and "best paper" awards at OOPSLA'18, ECOOP'18, ISSTA'12, ASE'07, ISSTA'06, GPCE'04, and USENIX'99. More information on his work can be found at
https://yanniss.github.io
|
| 12:55 - 13:25 |
Formally Verifying Ethereum Smart Contracts with hevm and Act
Zoe Paraskevopoulou
Abstract:
Formal Verification has become a useful tool for ensuring reliability and security of smart contracts. This talk introduces two formal verification tools, hevm and Act, that are currently developed at Ethereum Foundation. hevm is a symbolic execution framework that can verify the correctness of smart contracts against a specified set of properties, identifying potential vulnerabilities. On the other hand, Act is a high-level specification language that allows developers to define the expected behavior of smart contracts and prove properties about using an SMT solver or a proof assistant. This talk will delve into the methodologies behind these tools, illustrating their practical applications.
Bio:
Zoe Paraskevopoulou is a formal verification researcher at Ethereum Foundation. Prior to joining Ethereum Foundation, she was a Postdoctoral Fellow at Northeastern University and a PhD student at Princeton University. Her research interests span formal verification, compilers and programming languages, and proof assistants.
|
| 13:30 - 15:00 |
Lunch Break |
| 15:00 - 15:45 |
Scaling Blockchain Protocols
Aggelos Kiayias
Abstract:
Scalability has been at the forefront of
research in blockchain protocols for more than a decade and, today, it still
remains a critical objective. In this talk i will overview some of the challenges
that arise in blockchain design as well as in modelling these protocols
when one takes scalability into consideration. I will also sample some of my recent
and ongoing work in this area.
Bio:
Aggelos Kiayias FRSE is chair in Cyber Security and Privacy and director of the Blockchain Technology Laboratory at the University of Edinburgh. He is also the Chief Scientist at blockchain technology company IOG (formerly IOHK). His research interests are in computer security, information security, applied cryptography and foundations of cryptography with a particular emphasis in blockchain technologies and distributed systems, e-voting and secure multiparty protocols as well as privacy and identity management. His research has been funded by the Horizon 2020 programme (EU), the European Research Council (EU), the Engineering and Physical Sciences Research Council (UK), the Secretariat of Research and Technology (Greece), the National Science Foundation (USA), the Department of Homeland Security (USA), and the National Institute of Standards and Technology (USA). He has received an ERC Starting Grant, a Marie Curie fellowship, an NSF Career Award, and a Fulbright Fellowship. He holds a Ph.D. from the City University of New York and he is a graduate of the Mathematics department of the University of Athens. He has over 100 publications in journals and conference proceedings in the area. He has served as the program chair of the Cryptographers’ Track of the RSA conference in 2011 and the Financial Cryptography and Data Security conference in 2017, as well as the general chair of Eurocrypt 2013. He also served as the program chair of Real World Crypto Symposium 2020 and the Public-Key Cryptography Conference 2020. In 2021 he was elected fellow of the Royal Society of Edinburgh.
|
| 15:45 - 16:05 |
AQQUA: Augmenting Quisquis with Auditability
Slides
Dimitris Karakostas
George Papadoulis
Abstract: We propose AQQUA: a digital payment system that combines auditability and privacy. Our scheme extends Quisquis, by adding two authorities; one for registration and one for auditing.
These authorities do not intervene in the everyday transaction processing; as a consequence the decentralized nature of the cryptocurrency is not disturbed.
Our construction is account-based. The accounts consist of an updatable public key which functions as a cryptographically unlinkable pseudonym,
and commitments to the balance, the total amount of coins spent and the total amount of coins received. In order to participate in the system the user creates an initial account with the registration authority. To protect their privacy, whenever they want to transact they create unlinkable new accounts by updating their public key and the total number of accounts they own (maintained in committed form). The audit authority may request an audit at will. The user must prove in zero-knowledge that all their accounts are compliant to specific policies.
We formally define a security model for the properties that a private and auditable digital payment system should possess and analyze the security of AQQUA.
|
| 16:05 - 16:35 |
EDI: Towards Measuring Blockchain Decentralization
Slides
Dimitris Karakostas
Abstract: Decentralization has been touted as the principal security advantage of blockchain-based financial applications.
Its exact semantics nevertheless remain highly contested and ambiguous, with proponents and critics disagreeing widely on the level of decentralization offered by existing systems. The Edinburgh Decentralization Index (EDI) is systematization effort of the current blockchain landscape with respect to decentralization. Our approach dissects blockchain systems into multiple layers, each possibly encapsulating multiple categories, and it enables a unified method for measuring decentralization in each one. This talk will provide an overview of our methodology and the research challenges that arise when trying to define and measure decentralization. It will also include detailed results on two layers, consensus and tokenomics, across multiple systems, like Bitcoin, Ethereum, Cardano and others, which enable a quantitative evaluation and comparison of these systems' decentralization.
|
| 16:35 - 17:00 |
Break |
| 17:00 - 17:30 |
Sumcheck Arguments and lattice-based succinct arguments
Slides
Katerina Sotiraki
Abstract: In this talk, I will present sumcheck arguments; a new class of interactive protocols which show that "split-and-fold protocols" (such as Bulletproofs and many more) are consequences of the Lund et al. sumcheck protocol from 1992.
I will explain how many existing commitment schemes can be framed as "sumcheck-friendly commitments" over rings and modules, and how to obtain succinct arguments for NP-complete statements over rings. This gives a lattice-based succinct argument from the SIS assumption, which was previously open. The talk is based on joint works with Jonathan Bootle and Alessandro Chiesa.
|
| 17:30 - 17:55 |
Beyond the circuit: How to Minimize Foreign Arithmetic in ZKP Circuits
George Kadianakis
Abstract: Zero-knowledge circuits are frequently required to prove gadgets that are not optimised for the constraint system in question. A
particularly daunting task is to embed foreign arithmetic such as Boolean operations, field arithmetic, or public-key cryptography.
We construct techniques for offloading foreign arithmetic from a zero-knowledge circuit including:
(i) equality of discrete logarithms across different groups;
(ii) scalar multiplication without requiring elliptic curve operations;
(iii) proving knowledge of an AES encryption.
To achieve our goal, we employ techniques inherited from rejection sampling and lookup protocols.
We implement and provide concrete benchmarks for our protocols.
|
| 17:55 - 18:00 |
Break |
| 18:00 - 18:25 |
Approximate Lower Bound Arguments
Pyrros Chaidos
Abstract:
Suppose a prover, in possession of a large body of valuable evidence, wants to quickly convince a verifier by presenting only a small portion of the evidence.
We define an Approximate Lower Bound Argument, or ALBA, which allows the prover to do just that: to succinctly prove knowledge of a large number of elements satisfying a predicate (or, more generally, elements of a sufficient total weight when a predicate is generalized to a weight function). The argument is approximate because there is a small gap between what the prover actually knows and what the verifier is convinced the prover knows. This gap enables very efficient schemes.
We present noninteractive constructions of ALBA in the random oracle and uniform reference string models and show that our proof sizes are nearly optimal. We also show how our constructions can be made particularly communication-efficient when the evidence is distributed among multiple provers, which is of practical importance when ALBA is applied to a decentralized setting.
We demonstrate two very different applications of ALBAs: for large-scale decentralized signatures and for proving universal composability of succinct proofs.
https://link.springer.com/chapter/10.1007/978-3-031-58737-5_3
Bio:
Pyrros is an Athens-based cryptographer. He holds a PhD from the University College of London, advised by Jens Groth. His research specializes in zero knowledge proof systems, including applications on proof-of-stake blockchains and circuit-friendly primitives.
|
| 18:25 - 18:45 |
Voting with coercion resistance and everlasting privacy using linkable ring signatures
Slides
Marianna Spyrakou
Abstract: We present an electronic voting protocol based on a novel linkable ring signature with unconditional anonymity. All voters create
private and public credentials during registration. To construct a ballot they randomly select public credentials as an anonymity set and provide
a proof of knowledge of their own secret credential via our linkable ring signature. The unconditional anonymity property prevents an attacker,
no matter how powerful, from deducing the identity of the voter, attaining everlasting privacy. Additionally, we provide coercion resistance in
the JCJ framework; when an adversary tries to coerce a specific behavior, a voter can evade this attack by creating the signature with a fake
but indistinguishable credential. During a moment of privacy the voters can cast their real vote. Our scheme also provides verifiability and ballot
secrecy.
|
| 18:50 |
Closing remarks |
| 20:00 |
Dinner (Dichtaki, Chlois 37, Zografou) |
