
NIST Workshop on Privacy-Enhancing Cryptography 2024

WPEC 2024 (September 24th–26th) is a virtual workshop, free to attend, and with a call for talk proposals.

Featured topics: Private-Set Intersection (PSI); Fully-Homomorphic Encryption (FHE); Secure Multi-Party Computation (MPC); Zero-Knowledge Proofs (ZKP).

WPEC 2024 fosters Privacy-Enhancing Cryptography (PEC), hosting The First PSI Day, and various talks on FHE, MPC and ZKP.

WPEC 2024, the NIST Workshop on Privacy-Enhancing Cryptography 2024, will bring together multiple perspectives of Privacy-Enhancing Cryptography (PEC) from diverse stakeholders. The 3-day virtual workshop is organized for sharing insights about PEC capabilities, use-cases, real-world deployment, initiatives, challenges and opportunities, and the related context of privacy & auditability. The workshop delves into:

  • Private Set Intersection (PSI): for a deep dive into this specific technique, exploring its technicalities, readiness, feasibility, applicability, variants, and broader context.
  • Other PEC techniques: for a broader perspective of PEC, including Fully-Homomorphic Encryption (FHE), Secure Multiparty Computation (MPC), and Zero Knowledge Proofs (ZKP).

WPEC 2024 is organized within the scope of the NIST Privacy-Enhancing Cryptography (PEC) project. Various topics are also of direct interest to the NIST Multi-Party Threshold Cryptography (MPTC) project.

The workshop will host technical and positioning talks, and panel discussions, in a learning and collaborative environment. The presentations will be recorded and made available online. The gathering of reference material is intended as informative for future characterization of PEC techniques, listing of potential use-cases, and the matching between PEC capabilities and real-world privacy & auditability challenges.

To receive announcements about PEC and MPTC, subscribe to the PEC-Forum and MPTC-Forum.

The workshop spans three (3) days, organized into two (2) sessions per day, with six (6) slots per session.

  • 1st day (The PSI Day) on Sep 24th (Tuesday):
    • Session 1a (09:20–12:00 EDT): PSI
    • Session 1b (13:00–16:40 EDT): More PSI
  • 2nd day (Gov and FHE) on Sep 25th (Wednesday):
    • Session 2a (09:20–12:00 EDT): PEC in Gov
    • Session 2b (13:00–16:40 EDT): FHE
  • 3rd day (MPC and ZKP) on Sep 26th (Thursday):
    • Session 3a (09:20–12:00 EDT): MPC
    • Session 3b (13:00–16:40 EDT): ZKP

Overall, the schedule has 36 slots, including 20 accepted talk proposals, 9 invited talks, and other slots for introductions or open-comments. The list of talks is detailed in the schedule of each day, below, inside each corresponding collapsible container.

All times are shown in Eastern Daylight Time (EDT), UTC -4.

The First PSI Day

Morning Session (1a): PSI

  • Slot 1a0: 09:20–09:30: Welcoming Remarks. Matt Scholl (NIST, USA)
  • Slot 1a1: 09:30–09:45: Intro to WPEC and The PSI day. Luís Brandão (NIST/Strativia, USA)
  • Slot 1a2: 09:45–10:10: Spotlight on PSI for Small Sets. Mike Rosulek (Oregon State University, USA)
  • Slot 1a3: 10:10–10:35: Actively Secure Private Set Intersection in the Client-Server Setting. Yunqing Sun (Northwestern University, USA)
  • Slot 1a4: 10:45–11:10: Circuit-PSI and Applications. Seongkwang Kim (Samsung SDS)
  • Slot 1a5: 11:10–11:35: Private Collection Matching Protocols. Kasra Edalatnejad (TU-Darmstadt, Germany)
  • Slot 1a6: 11:35–12:00: Vole-PSI: Fast Private Set Intersection from the LPN Assumption. Peter Rindal (Visa, USA)

Afternoon Session (1b): More PSI

  • Slot 1b1: 13:00–13:25: Paths Toward PSI Standardization and a New Approximate PSI. Steve Lu (Stealth Software Technologies, USA)
  • Slot 1b2: 13:25–13:50: Multiparty Private Set Intersection and Beyond. Ni Trieu (Arizona State University, USA)
  • Slot 1b3: 13:50–14:15: Structure-Aware Private Set Intersection from Function Secret Sharing. Gayathri Garimella (Brown University, USA)
  • Slot 1b4: 14:25–14:50: Unbalanced PSI: Applications, Constructions, and Combinations with PIR. Christian Weinert (Royal Holloway, University of London, UK)
  • Slot 1b5: 14:50–15:15: Asymmetric PSI and Its Leakage: A Case Study of the MIGP Protocol. Evgenios Kornaropoulos (George Mason University, USA)
  • Slot 1b6: 15:15–15:40: Closing of The PSI day. PEC team and PSI speakers

All times are shown in Eastern Daylight Time (EDT), UTC -4.

Morning Session (2a): PEC in Gov

  • Slot 2a1: 09:20–09:45: [Intro to 2nd day of workshop and National Strategies]. Angela Robinson (NIST, USA)
  • Slot 2a2: 09:45–10:10: Measuring Demographic Disparities with Group-wise Private Set Intersection: A Federal Government Case Study. Tomo Lazovich (U.S. Census Bureau)
  • Slot 2a3: 10:10–10:35: The US PETs Lab: Making Privacy Technologies Accessible Throughout Government. Curtis Mitchell (Census, USA) and Gary Howarth (NIST)
  • Slot 2a4: 10:45–11:10: [PDaSP and the PETs prize challenge]. James Joshi (NSF, USA)
  • Slot 2a5: 11:10–11:35: NIH Workshop on Homomorphic Encryption and Privacy-Enhancing Technologies. Shu Hui (Sue) Chen and Jonathan Pollock (NIH, USA)
  • Slot 2a6: 11:35–12:00: Privacy-Preserving Data Sharing across Financial Institutions. Kurt Rohloff and Andreea Alexandru (Duality Technologies, Inc. and OpenFHE, USA)

Afternoon Session (2b): FHE

  • Slot 2b1: 13:00–13:40: Overview of Fully Homomorphic Encryption. Daniele Micciancio (UC San Diego, USA)
  • Slot 2b2: 13:40–14:05: Practical and Affordable FPGA-based Fully Homomorphic Encryption. Rashmi Agrawal (CipherSonic Labs)
  • Slot 2b3: 14:05–14:30: Practical Performance of CKKS and Encrypted Training and Inference for Classification. Damien Stehlé and Junbum Shin (CryptoLab, Inc)
  • Slot 2b4: 14:40–15:05: Decentralized FHE Computer and its Applications. Gurgen Arakelov (Self, Fair Math Inc., Spain)
  • Slot 2b5: 15:05–15:30: [Security Guidelines for Implementing FHE]. Erin Hales (Royal Holloway, University of London, UK)
  • Slot 2b6: 15:30–15:40: [Brief FHE comments] PEC team and FHE speakers

All times are shown in Eastern Daylight Time (EDT), UTC -4.

Morning Session (3a): MPC

  • Slot 3a1: 09:20–09:30: NIST Threshold Call: Notes on the Upcoming Second Public Draft. Luís Brandão (NIST/Strativia, USA)
  • Slot 3a2: 09:30–10:10: The Many Facets of MPC. Benny Pinkas (Bar Ilan University and Aptos Labs, Israel)
  • Slot 3a3: 10:10–10:35: Optimizing ML MPC from System & Theoretical Perspectives. Yongqin Wang (University of Southern California, USA)
  • Slot 3a4: 10:45–11:10: Graphiti: Secure Graph Computation Made More Scalable. Bhavish Raj Gopal (Indian Institute of Science, India)
  • Slot 3a5: 11:10–11:35: Signs of life for secure multi-party computation in protecting data. Dan Bogdanov (MPC Alliance, International; Cybernetica, Estonia)
  • Slot 3a6: 11:35–12:00: Lightning comments about PEC. Attendees

Afternoon Session (3b): ZKP

  • Slot 3b1: 13:00–13:40: Zero Knowledge Proofs: Technical Challenges, Applications, and Real-world Deployment. Tjerand Silde (NTNU, Norway) and Akira Takahashi (JPMorgan AI Research & AlgoCRYPT Center of Excellence, USA)
  • Slot 3b2: 13:40–14:05: Verifiable Decryption from Learning with Rounding. Emil A.H. Olaisen (NTNU, Norway)
  • Slot 3b3: 14:05–14:30: [Talk on Anonymous Credentials]. Anna Lysyanskaya (Brown University, USA)
  • Slot 3b4: 14:40–15:05: Provably Forgotten Signatures: Adding Privacy to Digital Identity. Wayne Chang (SpruceID)
  • Slot 3b5: 15:05–15:30: Making BBS Anonymous Credentials eIDAS 2.0 Compliant. Antoine Dumanois and Jacques Traoré (Orange Innovation, France)
  • Slot 3b6: 15:30–15:40: WPEC 2024 Closing Remarks. PEC team (NIST, USA)

External proposals for talks are welcomed by email, using the provided PDF form and following its instructions. All submissions will be reviewed, and an acceptance or rejection decision will be sent by email. The review phase may include asking submitters to refine their proposals for better alignment with the thematic and logistical needs of the workshop. The overall selection, which will also include invited talks or panels, will prioritize the creation of a high-quality balanced program, aligned with the workshop goals.

The workshop welcomes highly-technical crypto material, and also less-technical inter-disciplinary perspectives about PEC development and integration.

Welcomed topics for presentation proposals:

  1. Private Set Intersection (and variants)
  2. Other PEC tools (e.g., ZKP, FHE, MPC, specially-featured signatures/encryption)
  3. Pairing-based PEC (distinctive features of crypto based on bilinear maps)
  4. Post-quantum PEC (examples, and differences from pre-quantum solutions)
  5. Systematization of PEC knowledge (techniques, applications, and related context)
  6. PEC integration with various technologies (e.g., artificial intelligence, blockchain, digital identity, federated learning, quantum information, navigation, networking)
  7. PEC for combined privacy and auditability (challenges and opportunities)
  8. PEC need and adoptability (e.g., fulfilled, urgent, emerging, envisioned)
  9. Specific PEC perspectives (from Academia, Industry, Government, and Community)
  10. PEC specification, deployment, and standardization (challenges & achievements)
  11. Other PEC initiatives (e.g., of characterization, development, education)

Important Dates:

  • Submission deadline: July 22, 2024
  • Notification deadline: August 27, 2024
  • Registration deadline: Please register early
  • Workshop: September 24–26, 2024
Participation rules and expectations:

Selected Presentations

September 24, 2024
9:20 AM WPEC 2024 Talk 1a0: Welcoming Remarks
Matthew Scholl - NIST

WPEC 2024 welcoming remarks

9:30 AM WPEC 2024 Talk 1a1: Intro to WPEC 2024 and The PSI day
Luís T. A. N. Brandão - Contractor FGR - NIST/Strativia

WPEC 2024, the NIST Workshop on Privacy-Enhancing Cryptography 2024, will bring together multiple perspectives of Privacy-Enhancing Cryptography (PEC) from diverse stakeholders. The 3-day virtual workshop is organized for sharing insights about PEC capabilities, use-cases, real-world deployment, initiatives, challenges and opportunities, and the related context of privacy & auditability. The workshop features the topics of Private-Set Intersection (PSI), Fully-Homomorphic Encryption (FHE), Secure Multi-Party Computation (MPC), and Zero-Knowledge Proofs (ZKP). On the first day (2024-Sep-24), the workshop hosts The First PSI Day. On the second day (2024-Sep-25), the workshop hosts various talks about PEC in Government, and FHE. On the final day (2024-Sep-26), the workshop hosts talks on MPC and ZKP. This talk will open up the workshop, welcome participants and attendees, set expectations, present the schedule, and give other logistics notes.

Joint work with: René Peralta (NIST) and Angela Robinson (NIST)

9:45 AM WPEC 2024 Talk 1a2: Spotlight on PSI for Small Sets
Mike Rosulek - Oregon State University

Abstract. In 2-party private set intersection (PSI), different techniques are favorable depending on whether the input sets are large (e.g., millions of items) or small (e.g., hundreds of items). In this talk I will motivate the need for different techniques and describe the state of the art for PSI on small sets. I will also describe in detail an application of PSI-for-small-sets to significantly enhance privacy and security features of authentication in the SSH (secure shell) protocol.

Joint work with: Ni Trieu, Lawrence Roy, Stanislav Lyakhov, Yeongjin Jang

10:10 AM WPEC 2024 Talk 1a3: Actively Secure Private Set Intersection in the Client-Server Setting
Yunqing Sun - Northwestern University (USA)

Abstract. In this presentation, we introduce an efficient and actively secure private set intersection (PSI) protocol for password checkup scenarios, where a server with one large set performs PSI with multiple clients, each holding a small set. First, we demonstrate the use of an oblivious verifiable unpredictable function (OVUF) to instantiate this PSI efficiently. The OVUF-based PSI protocol enhances one-time, reusable, and asynchronous linear-size server encoding. It allows multiple clients to perform low-cost interactions with the server, with complexity linear to the size of each client's set. Next, we present an efficient instantiation of a fully maliciously secure OVUF based on weak multiplication-to-addition (MtA) triples, which is of independent interest. The weak MtA triples leverage oblivious transfer (OT), reducing communication in OT messages to achieve optimal complexity for OVUF. Finally, we briefly discuss the protocol's performance in this setting, with the server set up to millions and clients set ranging from hundreds to thousands, demonstrating high efficiency compared to other state-of-the-art work.

Joint work with: Xiao Wang (Northwestern University), Jonathan Katz (Google and University of Maryland), Phillipp Schoppmann (Google), Mariana Raykova (Google)

10:45 AM WPEC 2024 Talk 1a4: Circuit-PSI and Applications
Seongkwang Kim - Samsung SDS

Abstract. In this talk, we will explore the increasing use of Private Set Intersection (PSI) protocols in various industrial applications, such as Microsoft's and Google's password monitoring systems and Apple's detection of Child Sexual Abuse Material (CSAM). Samsung SDS's proof-of-concept for secure data aggregation with Korean government agencies highlights the practical applications of PSI, which can be performed without a trusted third party using Circuit-PSI. Circuit-PSI allows arbitrary computations without revealing intersection information but has performance drawbacks compared to Simple PSI. By leveraging homomorphic encryption schemes, we can reduce the communication costs associated with Circuit-PSI and its optimized version, Unbalanced Circuit-PSI. This talk will also address the necessity for Circuit-PSI to match records based on quasi-identifiers or fuzzy matching in real-world applications, proposing a technology combining multiple Circuit-PSI protocols and Multi-Party Computation (MPC) techniques. Additionally, we will identify security and performance challenges in PSI protocols, focusing on the Oblivious Pseudo-Random Function (OPRF) and the Oblivious Key-Value Store (OKVS) algorithm. We will discuss potential security issues when a malicious receiver inserts more key-value pairs than expected, compromising PSI security. Our proposed solutions include evaluating and preventing such attacks and introducing a novel OPRF protocol incorporating techniques from the SoftSpoken OT framework, balancing communication and computation costs for more efficient and secure PSI protocols.

Joint work with: (Samsung SDS) Kyoohyung Han, Byeonghak Lee, (Sungshin Women's University) Yongha Son.

11:10 AM WPEC 2024 Talk 1a5: Private Collection Matching Protocols
Kasra Edalatnejad - TU-Darmstadt (Germany)

Abstract. In this presentation, we introduce a new class of problems called Private Collection Matching (PCM), in which clients aim to determine whether a collection of sets owned by a server matches their interests. This class of problems is closely linked to an existing cryptographic primitive called Private Set Intersection (PSI), as interest in server sets is often determined based on a function of their intersection with the client's set. However, we show that existing privacy-preserving cryptographic primitives, including PSI, cannot solve PCM problems efficiently without harming privacy. We propose a modular framework that enables designers to build privacy-preserving PCM systems that output one bit: whether a collection of server sets matches the client's set. The communication cost of our protocols scales linearly with the size of the client's set and is independent of the number of server elements. We demonstrate the potential of our framework by designing and implementing novel solutions for two real-world PCM problems: determining whether a dataset has chemical compounds of interest, and determining whether a document collection has relevant documents. Our evaluation shows that we offer a privacy gain with respect to existing works at a reasonable communication and computation cost.

Joint work with: Mathilde Raynal (EPFL), Wouter Lueks (CISPA Helmholtz Center for Information Security), Carmela Troncoso (EPFL)

11:35 AM WPEC 2024 Talk 1a6: Vole-PSI: Fast Private Set Intersection from the LPN Assumption
Peter Rindal - Visa (USA)

Abstract. In this talk we present the state-of-the-art protocol for performing Private Set Intersection (PSI) for moderate to large set sizes (500+ elements). These protocols are based on a combination of the cryptographic primitive known as Vector Oblivious Linear Evaluation (VOLE) and a linear data structure referred to as an Oblivious Key-Value Store (OKVS). Details of these protocols will be presented along with a brief description of how other primitives (e.g. OPRF, multi-party PSI) can be constructed from them as well. In addition, we will present how these protocols make use of the Learning Parity with Noise (LPN) assumptions along with a discussion on why LPN is believed to be hard for both classical and quantum adversaries. This will primarily focus on attacks in the so-called linear test framework along with a brief discussion on algebraic attacks.

Joint work with: Phillipp Schoppmann, Srinivasan Raghuraman

1:00 PM WPEC 2024 Talk 1b1: Paths Toward PSI Standardization and a New Approximate PSI
Steve Lu - Stealth Software Technologies

Abstract. In this presentation, we talk about a new Approximate Private Set Intersection scheme that allows for fuzzy matching of set items. Under the assumption that the set elements are either close (due to errors or rounding) or far enough apart, we can greatly improve the performance of matching close elements under various distance metrics. Asymptotically, we improve the result from quadratic to near-linear, and empirically it is 20x faster with 30% less communication than previous schemes. This adds to the growing menagerie of PSI flavors, and in this talk we also explore broad and narrow approaches towards a path to standardizing specific PSI schemes or PSI as a whole.

Joint work with: Wutichai Chongchitmate, and Rafail Ostrovsky

1:25 PM WPEC 2024 Talk 1b2: Multiparty Private Set Intersection and Beyond
Ni Trieu - Arizona State University, USA

Abstract. In this talk, I will present various private set intersection (PSI) protocols, with a particular focus on the multi-party setting. I will cover the development from the first practical multi-party PSI protocol in the semi-honest setting (Kolesnikov et al., CCS 2017) to the state-of-the-art protocol in the malicious setting (Nevo et al., CCS 2021). These protocols are designed to avoid computationally intensive public-key operations and are secure with any number of participants (i.e., without an honest majority). Furthermore, I will explore various variants of multi-party PSI, including PSI-cardinality and delegated computation. These variants have significant applications in areas like contact tracing and secure dot product computations.

Joint work with: Vladimir Kolesnikov, Naor Matania, Benny Pinkas, Mike Rosulek, Ofri Nevo, Avishay Yanai, Thai Duong, Duong Hieu Phan, Jiahui Gao

1:50 PM WPEC 2024 Talk 1b3: Structure-Aware Private Set Intersection from Function Secret Sharing
Gayathri Garimella - Brown University, USA

Abstract. Structure-Aware Private Set Intersection (sa-PSI) is a PSI variant where Alice has an input set \(S_A\) belonging to a publicly known family of structured sets (for example, a high-dimensional ball, union of balls) and Bob's input set \(S_B\) consists of an unstructured collection of elements. The main motivation for sa-PSI is to enable Alice (or Bob) to learn the intersection with protocol communication and computation cost that scales with a succinct description size of Alice's input \(S_A\), instead of her set cardinality \(|S_A|\). sa-PSI can be useful in applications like noisy/fuzzy biometric matching, privacy-preserving ride sharing among others. In this talk, I will present in detail a general framework for semi-honest sa-PSI using a cryptographic building block called Function Secret Sharing.

Joint work with: Benjamin Goff, Peihan Miao, Mike Rosulek and Jaspal Singh

2:25 PM WPEC 2024 Talk 1b4: Unbalanced PSI: Applications, Constructions, and Combinations with PIR
Christian Weinert - Royal Holloway, University of London, UK

Abstract. Unbalanced private set intersection (PSI) refers to PSI variants that are optimized for settings where a client has a significantly smaller input set than the server. There exist numerous real-world applications for which efficient unbalanced PSI protocols would be nice to have, e.g., to implement mobile private contact discovery. In this talk, we will motivate why unbalanced PSI is important through discussing such real-world applications. Furthermore, we will present general approaches and state-of-the-art constructions for implementing unbalanced PSI. Finally, we will highlight a number of promising works that construct efficient unbalanced PSI through a combination with private information retrieval (PIR).

2:50 PM WPEC 2024 Talk 1b5: Asymmetric PSI and Its Leakage: A Case Study of the MIGP Protocol
Evgenios Kornaropoulos - George Mason University, USA

Abstract. Private Set Intersection (PSI) is a well-established area in applied cryptography with numerous applications and real-world deployments. PSI protocols enable parties to compute the intersection of their private datasets without revealing additional information. The case of an asymmetric PSI protocol presents several scalability challenges since one of the two sets is several orders of magnitude larger than the other. Consequently, the community has shifted to scalable PSI designs that permit controlled disclosure in the form of cryptographic leakage. In this talk, we discuss security issues that we discovered (and fixed) in a recent asymmetric PSI protocol called “Might I Get Pwned” (MIGP). We will present the leakage issues of the original construction and demonstrate how an adversary can exploit this leakage with Deep Neural Networks to reconstruct encrypted credentials.

Joint work with: Dario Pasquini, Danilo Francati, Giuseppe Ateniese

3:15 PM WPEC 2024 Slot 1b6: Closing of The PSI Day

At the end of "The First PSI Day", after numerous talks about Private Set Intersection (PSI), the PEC team will propose some questions for reflection or open comments by the various speakers of the day.

September 25, 2024
9:20 AM WPEC 2024 Talk 2a1: Intro to 2nd day
Angela Robinson - NIST

An Introduction to the 2nd day of the workshop, and Notes on Privacy-Related National Strategies

9:45 AM WPEC 2024 Talk 2a2: Measuring Demographic Disparities with Groupwise Private Set Intersection: A Federal Government Case Study
Tomo Lazovich

Abstract. With an increased focus on equity across the federal government, federal agencies and civil society have a need to join datasets with sensitive demographic data. Given legal, policy, and ethical constraints, the agencies that collect demographics cannot share them directly with such stakeholders in many cases. This presentation will show the application of Google's Private Join and Compute protocol to a public dataset of race and ethnicity information, enabling secure measurement of demographic disparities without explicit data sharing. We will describe the adaptations to open-source tools that were required to implement the protocol on government infrastructure. We will also illustrate potential use cases of the work that were ascertained through user interviews, including enabling third party audits of machine learning models. This presentation aims to be a primer on the practicalities of demonstrating a Privacy Enhancing Cryptography protocol on real infrastructure in a government setting.

Joint work with: Marina DeFrates, Samantha Weinstock

10:10 AM WPEC 2024 Talk 2a3: The US PETs Lab — Making Privacy Technologies Accessible Throughout Government
Curtis Mitchell - Census Bureau xD, USA
Gary Howarth - NIST, USA

Abstract. In this talk we will present an overview of the United States Privacy-Enhancing Technologies Lab, a collaboration between NIST and the Census Bureau to create an online collection of documentation, use cases, and testing sandbox for privacy-enhancing technologies. We will discuss the goals and brief history of the project, its current focus on an example implementation of privacy-preserving federated learning, and plans for the future of our work.

Joint work with: Naomi Lefkovitz

10:45 AM WPEC 2024 Talk 2a4: [Talk about PDaSP and PETs prize challenge]
James Joshi - NSF, USA

Abstract to appear.

11:10 AM WPEC 2024 Talk 2a5: NIH Workshop on Homomorphic Encryption and Privacy-Enhancing Technologies
Shu Hui (Sue) Chen - NIH, USA
Jonathan Pollock - NIH, USA

Abstract. The NIH Homomorphic Encryption and Privacy Enhancing Technologies (PETs) webinar series (https://datascience.nih.gov/homomorphic-encryption-and-privacy-enhancing-technologies-webinar-series) culminated in an in-person workshop for the webinar presenters to discuss key issues in linking disparate data from disparate data resources (e.g., different data repositories) to conduct large-scale analysis, to train and develop tools for analyzing data, etc. This workshop discussion and future work product will provide insights on how to promote sharing and integration of data while maintaining confidentiality via homomorphic encryption and other PETs, and on the challenges in applying these techniques, including the ethical, legal, and social implications of increasing data sharing and access to data containing sensitive information. To date, fully homomorphic encryption schemes are limited by the amount of data that can be encrypted, the accumulation of noise, and the power and speed required to perform encryption and conduct analyses on encrypted data. Workshop participants discussed the limitations of current fully homomorphic encryption schemes, the challenges that must be overcome to address these limitations, and applications of other alternatives that would maintain privacy while allowing integration of disparate data across databases, as well as combining homomorphic encryption with other PETs such as differential privacy and/or blockchain technologies.

11:35 AM WPEC 2024 Talk 2a6: Privacy-Preserving Data Sharing across Financial Institutions
Kurt Rohloff - Duality Technologies, Inc. and OpenFHE, USA
Andreea Alexandru - Duality Technologies, Inc. and OpenFHE, USA

Abstract. Data collaboration is critical for improving the quality of models, identifying trends, and fighting financial crime. However, both regulations and the proprietary nature of the data discourage institutions from sharing their data, thus severely limiting the global fight against money laundering. To address the first challenge, anti-financial crime legislation such as USA PATRIOT Act and EU 5th Anti-Money Laundering Directive have been put forward to allow financial institutions to collaborate on sensitive information related to suspicious activity. Nevertheless, participation of financial institutions is still scarce due to proprietorship and perceived risks to competition-sensitive information. Privacy-preserving technologies such as fully homomorphic encryption (FHE) are being considered to address these challenges. Secure collaboration capabilities based on FHE allow private search without the need of sharing data in the clear. But despite regulatory and technical advancements, developing solutions to fight financial crime remains challenging. In this presentation, we will describe real-world use cases of private collaboration for fighting financial crime. Concretely, we will discuss case studies, such as with the US Department of Treasury, UK Information Commissioner's Office and Mastercard's Cross Border Data Collaboration project using Duality Technologies' platform. In the process, we will identify insights and challenges that should be considered when designing solutions for FHE-based private search, private information retrieval or private set intersection for practical application in fighting financial crime.

Joint work with: Yuriy Polyakov
1:00 PM WPEC 2024 Talk 2b1: Overview of Fully Homomorphic Encryption
Daniele Micciancio - UC San Diego

Abstract. Fully Homomorphic Encryption (FHE) is an encryption scheme that allows to perform arbitrary computations on encrypted data. In this talk I will present an overview of FHE, covering the functionality, security properties, and main approaches to the design of FHE schemes. The presentation will focus on the security guarantees offered by current FHE schemes, how these guarantees may or may not fit specific application settings, and research directions currently being investigated to make FHE more robust, efficient and widely applicable. Specific topics covered in the talk include security against passive and active attacks, the security of exact vs approximate computations, the distributed decryption problem, and a recently introduced notion of “application aware” security.

1:40 PM WPEC 2024 Talk 2b2: Practical and Affordable FPGA-based Fully Homomorphic Encryption
Rashmi Agrawal - CipherSonic Labs

Abstract. In this talk, we present an affordable and practical acceleration of approximate homomorphic computing to enable real-world privacy-preserving machine learning applications. Our initial analysis reveals that memory bandwidth is the main performance bottleneck due to the large amount of data that needs to be shuttled between the compute units and the main memory. To alleviate this memory bandwidth bottleneck, we make three contributions. First, we introduce memory-aware design techniques wherein we propose several hardware-centric and algorithmic optimizations while considering the small cache sizes that exist in most commercially available compute platforms. Through these techniques, we observe significant improvement in CKKS bootstrapping throughput. However, we also observe that the memory bandwidth still remains a bottleneck. Our second contribution is FAB, an FPGA-based accelerator that implements fully packed bootstrapping for the first time on an FPGA while utilizing several FPGA-centric design optimizations. Our design utilizes limited on-chip memory and the compute resources efficiently, thus providing practical performance at a fraction of ASIC cost. Even though FAB outperforms all prior CPU/GPU implementations by 9.5x to 456x, the performance is still limited by the bootstrapping operation, which could not be parallelized on multiple FPGAs. To overcome this we propose HEAP, an FHE accelerator with parallelized bootstrapping using a hybrid scheme switching approach. HEAP uses the CKKS scheme for the non-bootstrapping steps, but switches to the TFHE scheme when performing the bootstrapping step of the CKKS scheme. The approach in HEAP is agnostic of the hardware and can be mapped to any system with multiple compute nodes. With this proposed approach, we require smaller-sized bootstrapping keys, leading to about 18× less data to be read from the main memory for the keys. HEAP outperforms FAB by 15.39x for the bootstrapping operation. HEAP outperforms FAB and FAB-2 for the logistic regression model training by 14.71x and 11.57x, respectively.

Presentation
2:05 PM WPEC 2024 Talk 2b3: Practical performance of CKKS and encrypted training and inference for classification
Junbum Shin - CryptoLab Inc
Damien Stehlé - CryptoLab Inc

Fully Homomorphic Encryption (FHE) is one of the core technologies in Privacy Enhancing Cryptography. Its applicability encompasses a broad range of functionalities (PSI, PIR, privacy-preserving AI, threshold cryptography, etc). Unlike hardware-based solutions like Trusted Execution Environments (TEEs), which have larger attack surfaces, FHE offers cryptographic security with a smaller attack surface. However, it is sometimes discarded for being computationally too heavy for practical deployment. In this presentation, we will first highlight the concrete performance of the CKKS FHE scheme (Cheon, Kim, Kim and Song, Asiacrypt '17), when implemented in central and graphical processor units (CPU and GPU). CKKS natively enables approximate computations on complex and real numbers and may also be used for exact computations (Drucker, Moshkowitz, Pelleg, Shaul; J. Cryptol. '24). The strong performance of CKKS enables practical solutions for numerous privacy-preserving applications, such as privacy-preserving AI. It also makes it possible to homomorphically evaluate massive circuits, such as those occurring in large language model inference. We will then focus on the FHE-based approach for privacy-preserving AI outsourcing, focusing on image and text classification. AI services offered by cloud providers make AI accessible by automating model training, but raise privacy concerns since sensitive data is handled on remote servers. For practical performance, we leverage public transformer encoders, such as Vision Transformer for images and BERT, MPNET, and E5 for text. Instead of applying homomorphic encryption to the entire model, we protect only the features extracted by open source transformers. This approach accelerates both training and inference dramatically. As an example, we showcase one application of classification of vehicles. Using FHE-based Vision Transformer takes about 4 minutes for training and 0.2 seconds for inference, demonstrating the method's practicality. A live demo using AutoFHE (https://autofhe.com) will be shown in the presentation.

Presentation
2:40 PM WPEC 2024 Talk 2b4: Decentralized FHE computer and its applications
Gurgen Arakelov - Self, Fair Math Inc., Spain

Abstract. In this talk, we will explain the concept of a Decentralized Fully Homomorphic Encryption (FHE) Computer. This system seamlessly integrates the principles of decentralized computing (security, privacy, fault tolerance, and resilience) with the advantages of Fully Homomorphic Encryption, resulting in a secure distributed network capable of performing computations on encrypted data. The results of these computations remain encrypted, and only the data owner, who possesses the decryption key, can decrypt and verify the output, thereby maintaining data privacy throughout the entire process. This topic directly addresses several key areas of interest:

  • Applied and programmable cryptography;
  • Cryptography use cases;
  • Applications of ZK, FHE, and MPC;
  • Decentralized FHE/MPC-based network architectures;
  • The impact of applied crypto usability on widespread adoption;
  • Economics of computation in applied cryptography (e.g., market strategies).

The talk will provide in-depth insights into the practical applications of FHE within decentralized networks, highlighting the security and privacy benefits of this approach, along with the pros and cons it entails. I will present key points of our ongoing research and development, demonstrating how these advancements can address current challenges in secure multi-party computations, data analysis, privacy-preserving smart contracts, and collaborative computing. Additionally, I will discuss some of the known limitations and roadblocks in the adoption of FHE that we are currently working to overcome. My ultimate goal is to equip attendees with a deeper understanding of the potential and challenges of integrating FHE with decentralized systems, fostering advancements in secure and private computing technologies.

Joint work with: Fair Math team

Presentation
3:05 PM WPEC 2024 Talk 2b5: [Security Guidelines for Implementing FHE]
Erin Hales - Royal Holloway, University of London, UK

Abstract to appear

Presentation
3:30 PM WPEC 2024 Slot 2b6: Brief Comments on FHE

Abstract. This time slot is for some reflection comments at the end of the WPEC 2024 afternoon session on Fully-Homomorphic Encryption (session 2b).

Presentation
September 26, 2024
9:20 AM WPEC 2024 Talk 3a1: NIST Threshold Call: Notes on the Upcoming Second Public Draft
Luís T. A. N. Brandão - Contractor FGR - NIST/Strativia

Abstract. This brief presentation, opening the MPC session (3a) of WPEC 2024, will recall the scope of the NIST Threshold Call and how it relates to privacy-enhancing cryptography, and give an update about its upcoming second public draft.

Presentation
9:30 AM WPEC 2024 Talk 3a2: The many facets of MPC
Benny Pinkas - Bar Ilan University and Aptos Labs, Israel

Abstract. This talk will provide a fundamental introduction to secure multi-party computation (MPC). It will explore various trust models supported by MPC and the types of computations that can be efficiently executed using it. The talk will also delve into current and future applications of MPC, along with the most prevalent methods for its implementation.

Presentation
10:10 AM WPEC 2024 Talk 3a3: Optimizing ML MPC from System & Theoretical Perspectives
Yongqin Wang - University of Southern California, USA

Abstract. In this talk, we will delve into advancements in optimizing n-party Multi-Party Computation (MPC) protocols for machine learning (ML), focusing on system and theoretical innovations presented in two key papers. Firstly, we explore MPC-Pipe, an efficient pipeline scheme designed to enhance the performance of n-party MPC protocols. Traditional MPC implementations suffer from significant performance bottlenecks due to the sequential implementation of communication and computation phases. MPC-Pipe introduces three innovative pipeline schemes, thereby improving GPU utilization and reducing idle times. This approach demonstrates substantial performance gains, with throughput improvements of up to 50% and latency reductions of up to 16% for deep neural networks and transformer models in various network settings. Additionally, we present CompactTag, a scheme that significantly reduces the overhead of actively secure n-party MPC by compacting the tags associated with input data. CompactTag leverages a novel tagging mechanism that ensures data integrity and authenticity while minimizing the computation costs typically associated with traditional tagging methods. This innovation is particularly effective in large-scale ML training scenarios, where reducing overhead can lead to substantial performance improvements. Optimizing MPC for machine learning from both system and theoretical perspectives is essential for advancing privacy-preserving technologies. The innovations presented in MPC-Pipe and CompactTag offer practical solutions to overcome existing bottlenecks, enhancing the performance of MPC protocols in ML applications.

Presentation
10:45 AM WPEC 2024 Talk 3a4: Graphiti: Secure Graph Computation Made More Scalable
Bhavish Raj Gopal - Indian Institute of Science, India

Abstract. Graphs are fundamental tools for modelling data in diverse real-world applications such as communication networks, traffic systems, and social networks. However, graph data is often distributed across multiple data owners and contains sensitive information, posing significant privacy concerns that impede collaborative analysis. Privacy-preserving graph analysis enables computations on graphs that store sensitive information, ensuring that all information about the topology of the graph, as well as data associated with the nodes and edges, remains hidden. In this talk, we will discuss potential solutions for privacy-preserving graph analysis, with an emphasis on using secure multiparty computation (MPC). We will review existing MPC-based approaches for privacy-preserving graph analysis, identifying their limitations in terms of efficiency, scalability, and adaptability. Furthermore, we will present our results in enhancing privacy-preserving graph analysis and highlight the remaining challenges. Specifically, we will introduce our highly scalable framework, Graphiti, that can realize any graph algorithm securely. Since round complexity forms one of the key parameters in determining the efficiency of MPC protocols, one of our key technical contributions is that Graphiti has round complexity independent of the graph size, which in turn allows for attaining the desired scalability. This is in contrast to the state-of-the-art framework of GraphSC by Araki et al. (CCS'21) whose round complexity scales with the graph size. Benchmarks show that Graphiti takes less than 2 minutes for contact tracing via BFS for 10 hops when computing over a graph of size 10^7. Concretely, it improves over Araki et al. (CCS'21) by up to a factor of 964x in online run time.

Joint work with: Nishat Koti, Varsha Bhat Kukkala, Arpita Patra

Presentation
11:10 AM WPEC 2024 Talk 3a5: Signs of Life for Secure Multi-Party Computation in Protecting Data
Dan Bogdanov - MPC Alliance; Cybernetica, Estonia

Abstract. Secure multi-party computation (MPC) is a versatile technology that has been adopted in the public sector, advertising technology, the financial industry, healthcare and more. However, MPC exists in a space with other technologies like fully homomorphic encryption, differential privacy, confidential computing, zero knowledge and several others. In this talk, we will discuss the strengths of MPC, its synergies with other technologies and illustrate it all with examples of real-world applications and traction.

Joint work with: Brian LaMacchia, Andrei Lapets, MPC Alliance member organisations.

Presentation
11:35 AM WPEC 2024 Slot 3a6: Lightning comments about PEC

Abstract. This time slot at the end of session 3a at WPEC 2024 is reserved for PEC-related lightning comments by attendees of the workshop.

Lightning
1:00 PM WPEC 2024 Talk 3b1: Zero Knowledge Proofs: Technical Challenges, Applications, and Real-world Deployment
Tjerand Silde - NTNU, Norway
Akira Takahashi - JP Morgan AI Research & AlgoCRYPT Center of Excellence, USA

Abstract. In this talk we will introduce zero-knowledge proofs, the security properties they achieve, and explain how they work. We will furthermore discuss some technical challenges we face when we want to deploy zero-knowledge proofs in real-world applications such as how to achieve fast and small proofs without trusting other parties. We will also present some interesting use cases where zero-knowledge proofs play an important role, for example, how they are used in electronic voting, machine learning and blockchain applications. We will finally share our insights from the recent ICMS workshop on zero-knowledge proofs and review other initiatives of community building and standardization efforts.

Presentation
1:40 PM WPEC 2024 Talk 3b2: Verifiable Decryption from Learning with Rounding
Emil A.H. Olaisen - NTNU, Norway

Abstract. We present a simple and efficient post-quantum verifiable decryption scheme improving upon the framework by Gjøsteen et al. (ACISP 2022) based on a passively secure distributed decryption scheme and MPC-in-the-Head techniques. Our improvements lead to 440x smaller proof sizes compared to Gjøsteen et al., by adapting the nearly linear decryption algorithm by Boyle et al. (Eurocrypt 2019). This furthermore leads to a 10x decrease in proof size compared to the state-of-the-art schemes by Silde (Voting 2022) and Lyubashevsky et al. (PKC 2021).

Joint work with: Thomas Haines, Peter B. Rønne, Tjerand Silde

Presentation
2:05 PM WPEC 2024 Talk 3b3: [Talk about anonymous credentials]
Anna Lysyanskaya - Brown University

Abstract to appear

Presentation
2:40 PM WPEC 2024 Talk 3b4: Provably Forgotten Signatures: Adding Privacy to Digital Identity
Wayne Chang - SpruceID

Abstract. In this talk, we'll explore Provably Forgotten Signatures, an approach that adds privacy by upgrading existing systems to prevent linkability (or "correlation") rather than overhauling them entirely. It aims to be compatible with already-deployed implementations of digital credential standards such as ISO/IEC 18013-5 mDL, SD-JWT, and W3C Verifiable Credentials, while also aligning with cryptographic security standards such as FIPS 140-2/3. It is compatible with and can even pave the way for future privacy technologies such as post-quantum cryptography (PQC) or zero-knowledge proofs (ZKPs) while unlocking beneficial use cases today. Given the challenges in deploying zero-knowledge proof systems in today's production environments, we propose a simpler approach that, when combined with key and signature cycling, can provide protection from both verifier-verifier collusion and issuer-verifier collusion by using confidential computing environments: the issuer can forget the unique values that create the risk in the first place, and provide proof of this deletion to the user. This is implementable today, and would be supported by existing hardware security mechanisms that are suitable for high-assurance environments.

Presentation
3:05 PM WPEC 2024 Talk 3b5: Making BBS Anonymous Credentials eIDAS 2.0 Compliant
Antoine Dumanois - Orange Innovation, France
Jacques Traoré - Orange Innovation, France

Abstract. eIDAS 2.0 (electronic IDentification, Authentication and trust Services) is a very ambitious regulation aimed at equipping European citizens with a digital identity wallet that not only needs to achieve a high level of security but also needs to be available as soon as possible for a large number of citizens and respect their privacy (as per GDPR - General Data Protection Regulation). As of today (July 2024), it does not seem that this goal has been achieved in the European Digital Identity Architecture and Reference Framework (ARF). The goal of this presentation is to introduce the foundations of a digital identity wallet solution that could help move closer to this objective by leveraging the proven anonymous credentials protocol BBS (also known as BBS+) but modifying it to avoid the limitations that have hindered its widespread adoption, especially in certified infrastructures requiring hardware implementation. In particular, the solution we propose, which we call BBS#, does not use bilinear pairings or pairing-friendly curves and only depends on the hardware implementation of well-known (i.e., listed in the SOG-IS Crypto Working Group document on agreed cryptographic mechanisms) digital signature schemes such as ECDSA or ECSDSA (also known as ECSchnorr) using classical elliptic curves. In this presentation, after recalling the main aspects of the eIDAS 2.0 context, we will recall the stringent stated requirements from the European Commission for eIDAS 2.0 to achieve a Level of Assurance High and explain why current anonymous credentials protocols such as BBS/BBS+ fail to satisfy them. We will then present our proposed protocol BBS# and show that it is possible to achieve eIDAS 2.0 transactions which are not only efficient (around 50 ms on SIM Cards or Android StrongBox), secure and certifiable at the highest level but also provide strong (optimal) privacy protection for all European ID Wallet users.

Presentation
3:30 PM WPEC 2024 Slot 3b6: Closing Remarks

Abstract. This final slot of WPEC 2024 will make some final remarks about what we learned during the 3-day workshop, and will thank all participants (speakers and attendees).

Presentation

Event Details

Starts: September 24, 2024 - 09:20 AM EDT
Ends: September 26, 2024 - 03:40 PM EDT

Format: Virtual
Type: Workshop

Attendance Type: Open to public
Audience Type: Industry, Government, Academia, Other
Sponsors: NIST Cryptographic Technology Group

Location

Virtual

Parent Project

See: Privacy-Enhancing Cryptography

Related Topics

Security and Privacy: cryptography, privacy

Created April 26, 2024, Updated September 19, 2024