Bernardo David

• Cryptographer
• Professor (Associate) at IT University of Copenhagen

Fairness in Secure Multiparty Computation (MPC) is known to be impossible to achieve in the presence of a dishonest majority. Previous works have proposed combining MPC protocols with cryptocurrencies in order to financially punish aborting adversaries, providing an incentive for parties to honestly follow the protocol. The focus of existing work i...

Homomorphic universally composable (UC) commitments allow for the sender to reveal the result of additions and multiplications of values contained in commitments without revealing the values themselves while assuring the receiver of the correctness of such computation on committed values. In this work, we construct essentially optimal additively ho...

Uniform randomness beacons whose output can be publicly attested to be unbiased are required in several cryptographic protocols. A common approach to building such beacons is having a number parties run a coin tossing protocol with guaranteed output delivery (so that adversaries cannot simply keep honest parties from obtaining randomness, consequen...

We present “Ouroboros Praos”, a proof-of-stake blockchain protocol that, for the first time, provides security against fully-adaptive corruption in the semi-synchronous setting: Specifically, the adversary can corrupt any participant of a dynamically evolving population of stakeholders at any moment as long the stakeholder distribution maintains an...

Oblivious transfer (OT) is a primitive of great importance in two-party and multi-party computation. We introduce a general construction of universally composable (UC) oblivious transfer protocols based on lossy cryptosystems in the common reference string (CRS) model, yielding protocols under several assumptions. In order to achieve this, we show...

The proliferation of Decentralised Finance (DeFi) and Decentralised Autonomous Organisations (DAO), which in current form are exposed to front-running of token transactions and proposal voting, demonstrate the need to shield user inputs and internal state from the parties executing smart contracts. In this work we present “Eagle”, an efficient UC-s...

In the classical setting of differential privacy, a privacy-preserving query is performed on a private database, after which the query result is released to the analyst; a differentially private query ensures that the presence of a single database entry is protected from the analyst's view. In this work, we contribute the first definitional framewo...

The classical “BGW protocol” (Ben-Or, Goldwasser, and Wigderson, STOC 1988) shows that secure multiparty computation (MPC) among n parties can be realized with perfect full security if \(t < n/3\) parties are corrupted. This holds against malicious adversaries in the “standard” model for MPC, where a fixed set of n parties is involved in the full e...

Front-running is the malicious, and often illegal, act of both manipulating the order of pending trades and injecting additional trades to make a profit at the cost of other users. In decentralized finance (DeFi), front-running strategies exploit both public knowledge of user trades from transactions pending on the network and the miner’s ability t...

Many decentralized applications require a common source of randomness that cannot be biased or predicted by any single party. Randomness beacons provide such a functionality, allowing parties to periodically obtain fresh random outputs and verify that they are computed correctly. In this work, we propose Mt. Random, a multi-tiered randomness beacon...

Recently, time-based primitives such as time-lock puzzles (TLPs) and verifiable delay functions (VDFs) have received a lot of attention due to their power as building blocks for cryptographic protocols. However, even though exciting improvements on their efficiency and security (e.g. achieving non-malleability) have been made, most of the existing...

We study the notion of anonymous credentials with Publicly Auditable Privacy Revocation (PAPR). PAPR credentials simultaneously provide conditional user privacy and auditable privacy revocation. The first property implies that users keep their identity private when authenticating unless and until an appointed authority requests to revoke this priva...

A number of recent works have constructed cryptographic protocols with flavors of adaptive security by having a randomly-chosen anonymous committee run at each round. Since most of these protocols are stateful, transferring secret states from past committees to future, but still unknown, committees is a crucial challenge. Previous works have tackle...

Achieving adaptive (or proactive) security in cryptographic protocols is notoriously difficult due to the adversary’s power to dynamically corrupt parties as the execution progresses. Inspired by the work of Benhamouda et al. in TCC 2020, Gentry et al. in CRYPTO 2021 introduced the YOSO (You Only Speak Once) model for constructing adaptively (or pr...

We present "FairPoS", the first blockchain protocol that achieves input fairness with adaptive security. Here, we introduce a novel notion of "input fairness": the adversary cannot learn the plain-text of any finalized client input before it is include in a block in the chain's common-prefix. Should input fairness hold, input ordering attacks which...

The proliferation of Decentralised Finance (DeFi) and De-centralised Autonomous Organisations (DAO), which in current form are exposed to front-running of token transactions and proposal voting, demonstrate the need to shield user inputs and internal state from the parties executing smart contracts. In this work we present "Eagle", an efficient UC-...

The Universal Composability (UC) framework (FOCS ’01) is the current standard for proving security of cryptographic protocols under composition. It allows to reason about complex protocol structures in a bottom-up fashion: any building block that is UC-secure can be composed arbitrarily with any other UC-secure construction while retaining their se...

Sealed-bid auctions are a common way of allocating an asset among a set of parties but require trusting an auctioneer who analyses the bids and determines the winner. Many privacy-preserving computation protocols for auctions have been proposed to eliminate the need for a trusted third party. However, they lack fairness, meaning that the adversary...

Front-running is the malicious, and often illegal, act of both manipulating the order of pending trades and injecting additional trades to make a profit at the cost of other users. In decentralized finance (DeFi), front-running strategies exploit both public knowledge of user trades from transactions pending on the network and the miner's ability t...

Time-based primitives like time-lock puzzles (TLP) are finding widespread use in practical protocols, partially due to the surge of interest in the blockchain space where TLPs and related primitives are perceived to solve many problems. Unfortunately, the security claims are often shaky or plainly wrong since these primitives are used under composi...

Cryptocurrency exchange services are either trusted central entities that have been routinely hacked (losing over 8 billion USD), or decentralized services that make all orders public before they are settled. The latter allows market participants to “front run” each other, an illegal operation in most jurisdictions. We extend the “Insured MPC” appr...

Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct the first universally composable (UC) protocol for oblivious transfer secure against active static adversaries based on the Computational Diffie-He...

In this paper we present ALBATROSS, a family of multiparty randomness generation protocols with guaranteed output delivery and public verification that allows to trade off corruption tolerance for a much improved amortized computational complexity. Our basic stand alone protocol is based on publicly verifiable secret sharing (PVSS) and is secure un...

While many tailor made card game protocols are known, the vast majority of those lack three important features: mechanisms for distributing financial rewards and punishing cheaters, composability guarantees and flexibility, focusing on the specific game of poker. Even though folklore holds that poker protocols can be used to play any card game, thi...

The research on secure poker protocols without trusted intermediaries has a long history that dates back to modern cryptography's infancy. Two main challenges towards bringing it into real-life are enforcing the distribution of the rewards, and penalizing misbehaving/aborting parties. Using recent advances on cryptocurrencies and blockchain technol...

While many tailor made card game protocols are known, the vast majority of those lack three important features: mechanisms for distributing financial rewards and punishing cheaters, composability guarantees and flexibility , focusing on the specific game of poker. Even though folklore holds that poker protocols can be used to play any card game, th...

The two main challenges in deploying real world secure poker protocols lie in enforcing the distribution of rewards and dealing with misbehaving/aborting parties. Using recent advances in cryptocurrencies and blockchain techniques, Kumaresan et al. (CCS 2015) and Bentov et al. (ASIACRYPT 2017) were able to solve those problems for the general case...

A Mobile Ad-Hoc Network (MANET) automatically reorganizes itself, allowing moving nodes to join or leave the network at any point in time without disrupting the communication. An essential element of such systems is a routing protocol able to quickly restructure existing routes when nodes leave and provide routes to new nodes. In most MANET routing...

While many cryptographic protocols for card games have been proposed, all of them focus on card games where players have some state that must be kept secret from each other, e.g closed cards and bluffs in Poker. This scenario poses many interesting technical challenges, which are addressed with cryptographic tools that introduce significant computa...

While many cryptographic protocols for card games have been proposed, all of them focus on card games where players have some state that must be kept secret from each other, e.g closed cards and bluffs in Poker. This scenario poses many interesting technical challenges, which are addressed with cryptographic tools that introduce significant computa...

Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA s...

We present “Ouroboros”, the first blockchain protocol based on proof of stake with rigorous security guarantees. We establish security properties for the protocol comparable to those achieved by the bitcoin blockchain protocol. As the protocol provides a “proof of stake” blockchain discipline, it offers qualitative efficiency advantages over blockc...

We construct the first UC commitment scheme for binary strings with the optimal properties of rate approaching 1 and linear time complexity (in the amortised sense, using a small number of seed OTs). On top of this, the scheme is additively homomorphic, which allows for applications to maliciously secure 2-party computation. As tools for obtaining...

We propose an efficient unconditionally secure protocol for privacy preserving comparison of ℓ-bit integers when both integers are shared between two semi-honest parties. Using our comparison protocol as a building block, we construct two-party generic private machine learning classifiers. In this scenario, one party holds an input while the other...

We focus on generalizing constructions of Batch Single-Choice Cut-And-Choose Oblivious Transfer and Multi-sender k-out-of-n Oblivious Transfer, which are at the core of efficient secure computation constructions proposed by Lindell et al. and the IPS compiler. Our approach consists in showing that such primitives can be based on a much weaker and s...

We propose the first UC secure commitment scheme with (amortized) computational complexity linear in the size of the string committed to. After a preprocessing phase based on oblivious transfer, that only needs to be done once and for all, our scheme only requires a pseudorandom generator and a linear code with efficient encoding. We also construct...

Linear algebra operations on private distributed data are frequently required in several practical scenarios (e.g., statistical analysis and privacy preserving databases). We present universally composable two-party protocols to compute inner products, determinants, eigenvalues, and eigenvectors. These protocols are built for a two-party scenario w...

We present a new compact verifiable secret sharing scheme, based on this we present the first construction of a homomorphic UC commitment scheme that requires only cheap symmetric cryptography, except for a small number of seed OTs. To commit to a k-bit string, the amortized communication cost is O(k) bits. Assuming a sufficiently efficient pseudor...

Oblivious transfer (OT) is a fundamental two-party cryptographic primitive that implies secure multiparty computation. In this paper, we introduce the first OT based on the Learning Parity with Noise (LPN) problem. More specifically, we use the LPN variant that was introduced by Alekhnovich (FOCS 2003). We prove that our protocol is secure against...

We present an efficient structure-preserving tagged one-time signature scheme with tight security reductions to the decision-linear assumption. Our scheme features short tags consisting of a single group element and gives rise to the currently most efficient structure-preserving signature scheme based on the decision-liner assumption with constant-...

This paper presents efficient structure-preserving signature schemes based on assumptions as simple as Decisional-Linear. We first give two general frameworks for constructing fully secure signature schemes from weaker building blocks such as variations of one-time signatures and random-message secure signatures. They can be seen as refinements of...

Committed Oblivious Transfer (COT) is a two-party primitive that combines one-out-of-two oblivious transfer with bit commitment. In the beginning of COT, a sender is committed to bits b0, b1 and a receiver to a choice bit c. In the end, the receiver is committed to bc without learning anything about b1-c, while the sender learns nothing about c. Th...

We introduce an efficient fully simulatable construction of oblivious transfer based on the McEliece assumptions in the common reference string model. This is the first efficient fully simulatable oblivious protocol based on coding assumptions. Moreover, being based on the McEliece assumptions, the proposed protocol is a good candidate for the post...

This paper presents the modified exponential fitting test for automatically identifying malicious activities in honeypot data based on state of the art model order selection schemes. Model order selection (MOS) schemes are frequently applied in several signal processing applications, such as RADAR , SONAR, communications, channel modeling, medical...

We introduce a general construction of fully simulatable oblivious transfer based on lossy encryption. Furthermore, we extend the common definition of lossy encryption by introducing the notion of computationally lossy encryption. If the cryptosystem used is computationally lossy, our general construction yields oblivious transfer protocols with co...

This paper aims at studying privacy-preserving tests for proximity. In a private proximity test, Alice can verify if she is close to Bob without either party revealing any other information about their location. We propose a system for private proximity testing based on the pre-distribution of data: the so-called commodity-based model. Our system i...

We introduce the first efficient fully simulatable construction of oblivious transfer based on the McEliece assumptions in the common reference string model.

A formal classification of attacks and vulnerabilities that affect current internet banking systems is presented along with two attacks which demonstrate the insecurity of such systems. Based ona thoroughanalysis of current security models, we propose a guidelines for designing secure internet banking systems which are not affected by the presented...

ntrusion detection systems (IDS) are essential com- ponents in a secure network environment, allowing for early detection of malicious activities and attacks. By employing information provided by an IDS it is possible to apply appropriate countermeasures and mitigate attacks that would otherwise seriously undermine network security. However, curren...

Low rate wireless personal networks are vulnerable to several attacks focused on the Media Access Layer. Malicious or faulty nodes can subvert CSMA/CA and GTS allocation algorithms, achieving MAC unfairness in order to obtain higher medium access priority or to interrupt legitimate communication, ultimately leading to Denial-of-Service. While there...

In this paper we propose the first code-based oblivious transfer protocol with perfect (unconditional) security for one of the parties. To obtain this result we show that the McEliece cryptosystem is rerandomizable, a property that might be of independent interest.

In this paper we propose the first code-based oblivious transfer pro-tocol with perfect (unconditional) security for one of the parties. To obtain this result we show that the McEliece cryptosystem is rerandomizable, a property that might be of independent interest.