BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Drupal iCal API//EN
X-WR-CALNAME:Events items teaser
X-WR-TIMEZONE:America/Toronto
BEGIN:VTIMEZONE
TZID:America/Toronto
X-LIC-LOCATION:America/Toronto
BEGIN:DAYLIGHT
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
DTSTART:20250309T070000
END:DAYLIGHT
BEGIN:STANDARD
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
DTSTART:20241103T060000
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
UID:69e2eafe57c4c
DTSTART;TZID=America/Toronto:20251008T103000
SEQUENCE:0
TRANSP:TRANSPARENT
DTEND;TZID=America/Toronto:20251008T113000
URL:https://uwaterloo.ca/combinatorics-and-optimization/events/crypto-readi
 ng-group-leonardo-colo
SUMMARY:Crypto Reading Group - Leonardo Colò
CLASS:PUBLIC
DESCRIPTION:TITLE:CSI-Otter: Isogeny-based (Partially) Blind Signatures fro
 m the\nClass Group Action with a Twist\n\nSpeaker\n Leonardo Colò\n\nAffi
 liation\n University of Waterloo\n\nLocation\n MC 6029\n\nABSTRACT:\n\n
 In this paper\, we construct the first provably-secure isogeny-based\n(pa
 rtially) blind signature scheme. While at a high level the scheme\nresembl
 es the Schnorr blind signature\, our work does not directly\nfollow from t
 hat construction\, since isogenies do not offer as rich an\nalgebraic stru
 cture. Specifically\, our protocol does not fit into the\nlinear identific
 ation protocol abstraction introduced by Hauck\, Kiltz\,\nand Loss (EUROCR
 YPT’19)\, which was used to generically construct\nSchnorr-like blind si
 gnatures based on modules such as classical\ngroups and lattices. Conseque
 ntly\, our scheme is provably-secure in\nthe polylogarithmic (in the numbe
 r of security parameter) concurrent\nexecution and does not seem susceptib
 le to the recent efficient ROS\nattack exploiting the linear nature of the
  underlying mathematical\ntool. In more detail\, our blind signature explo
 its the quadratic twist\nof an elliptic curve in an essential way to endow
  isogenies with a\nstrictly richer structure than abstract group actions (
 but still more\nrestrictive than modules). The basic scheme has public key
  size 128 B\nand signature size 8 KB under the CSIDH-512 parameter sets—
 these are\nthe smallest among all provably secure post-quantum secure blin
 d\nsignatures. Relying on a new ring variant of the group action inverse\n
 problem (rGAIP)\, we can halve the signature size to 4 KB while\nincreasin
 g the public key size to 512 B. We provide preliminary\ncryptanalysis of r
 GAIP and show that for certain parameter settings\,\nit is essentially as 
 secure as the standard GAIP. Finally\, we show a\nnovel way to turn our bl
 ind signature into a partially blind\nsignature\, where we deviate from pr
 ior methods since they require\nhashing into the set of public keys while 
 hiding the corresponding\nsecret key—constructing such a hash function i
 n the isogeny setting\nremains an open problem.
DTSTAMP:20260418T022254Z
END:VEVENT
END:VCALENDAR