Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
|
|
- Winifred Black
- 5 years ago
- Views:
Transcription
1 Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
2 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq. Esp. to find Gröbner bases Enables proof verification by practitioners
3 Anonymity Correctness Data is public (Data, source) is private
4 π, r ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) d 3 =c π(3) e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server Not yet correct: what if a server cheats?
5 pk, π, r proof pk, ψ,s proof sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) d 3 =c π(3) e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3)) Prove that shuffling was correct, send proof to the next server Verify all previous proofs, shuffle, create your own proof Verify all proofs
6 Shuffle argument: efficient zero knowledge argument of correctness of shuffling Many shuffles in the random oracle model exist Several of them are quite efficient Existing CRS model arguments much less efficient
7 Assumption proposed in that paper, proof in GBGM Assmpt. proposed 2010+, but not in that paper, proof in GBGM L-Zhang (2012) Fauzi-L (2016) Fauzi-L-Zajac CRS length 7n + 6 8n n + 14 Communic. 12n n + 2 7n + 3 P comp. (units) V comp. (units) GBGM? PSDL, DLIN (comp.) KE, PKE (knowledge) TSDH, PCDH, PSP (comp.) 2x PKE (knowledge) Soundness Full Culpable Full Pure GBGM n: number of ciphertexts (say 100,000) 1 unit = n million machine cycles According to speed records on BN curves
8 td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
9 Correctness Soundness Zero knowledge (privacy) td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
10 Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T Requirements: Efficiently computable Non-degeneracy: e (g 1, g 2 ) 1 Bilinearity: e (g 1a, g 2b ) = e (g 1, g 2 ) ab
11 Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a What else should be hard?
12 People disagree A few hundred (thousand?) known pairing-related hardness assumptions Each of them has to be cryptanalysed Easiest sanity check: does this assumption hold in the generic model?
13 Protocol Assumption 1 (known) Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or Con: each arrow might mean a loss in efficiency
14 Protocol Generic Model Con: proof in GGM is only for restricted adversaries Pro: only one arrow, thus smaller loss in efficiency
15 Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is product of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates Note: we do not handle G T as a generic group
16 Polynomials (TTP knows X) Linear combinations (only group operation) Quadratic tests (can use bilinear map) X 1 V 1 (X)=Σ ij b 1ij h 1i (X) h 2i (X)=0 {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } V u (X)=Σ ij b uij h 1i (X) h 2i (X)=0 X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary) Verifications (verifier) {h ji } = {f ji, h ji }
17 jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice = restricted to be as in the honest case
18 Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition: Compose CRS-s of individual subarguments together, getting one big CRS
19 Soundness check: Is the composed protocol sound? Subarguments get extra inputs in CRS If not: introduce new random variables that guarantee CRS elements are used in only correct subarguments, reiterate
20 Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through
21 Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero
22 Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0
23 In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 Goal: find coefficients s.t. verification equation is satisfied CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
24 Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X j α X ρk ] V (X) = 0 This is a system of polynomial equations and a nasty one of more than 20 polynomial equations
25
26 Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS Obtain that A i (X) = a I P I (X) => Sound
27
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRS-based NIZK shuffle argument OUR RESULTS
More informationA More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument Helger Lipmaa 1 and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 State University of New York at Buffalo, USA
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationAn Ecient Pairing-Based Shue Argument
An Ecient Pairing-Based Shue Argument Prastudy Fauzi 1, Helger Lipmaa 2, Janno Siim 2,3, and Michaª Zaj c 2 1 Aarhus University, Aarhus, Denmark 2 University of Tartu, Tartu, Estonia 3 STACC, Tartu, Estonia
More informationEfficient Culpably Sound NIZK Shuffle Argument without Random Oracles
Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles Prastudy Fauzi and Helger Lipmaa University of Tartu, Estonia Abstract. One way to guarantee security against malicious voting servers
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationCS151 Complexity Theory. Lecture 13 May 15, 2017
CS151 Complexity Theory Lecture 13 May 15, 2017 Relationship to other classes To compare to classes of decision problems, usually consider P #P which is a decision class easy: NP, conp P #P easy: P #P
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationHow to Shuffle in Public
How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationA Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System
A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System Zhengjun Cao 1, Lihua Liu 2, Abstract. In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK
More informationEfficient Public-Key Distance Bounding
Efficient Public-Key Distance Bounding HNDN KILINÇ ND SERGE VUDENY 1 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols:
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationEfficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption
Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption Takuho Mistunaga 1, Yoshifumi Manabe 2, Tatsuaki Okamoto 3 1 Graduate School of Informatics, Kyoto University, Sakyo-ku Kyoto
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationProofs of Retrievability via Fountain Code
Proofs of Retrievability via Fountain Code Sumanta Sarkar and Reihaneh Safavi-Naini Department of Computer Science, University of Calgary, Canada Foundations and Practice of Security October 25, 2012 Outsourcing
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationOn QA-NIZK in the BPK Model
On QA-NIZK in the BPK Model Behzad Abdolmaleki 1, Helger Lipmaa 1, Janno Siim 1,2, and Michał Zając 1 1 University of Tartu, Estonia 2 STACC, Estonia Abstract. While the CRS model is widely accepted for
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More information6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14
6.841/18.405J: Advanced Complexity Wednesday, April 2, 2003 Lecture Lecture 14 Instructor: Madhu Sudan In this lecture we cover IP = PSPACE Interactive proof for straightline programs. Straightline program
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationThe Kernel Matrix Diffie-Hellman Assumption
The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationProofs of Ignorance and Applications to 2-Message Witness Hiding
Proofs of Ignorance and Applications to 2-Message Witness Hiding Apoorvaa Deshpande Yael Kalai September 25, 208 Abstract We consider the following paradoxical question: Can one prove lack of knowledge?
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationProgression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments
Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments Helger Lipmaa Institute of Computer Science, University of Tartu, Estonia Abstract. In 2010, Groth constructed
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationOn the (Im)possibility of Projecting Property in Prime-Order Setting
On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationThe Laws of Cryptography Zero-Knowledge Protocols
26 The Laws of Cryptography Zero-Knowledge Protocols 26.1 The Classes NP and NP-complete. 26.2 Zero-Knowledge Proofs. 26.3 Hamiltonian Cycles. An NP-complete problem known as the Hamiltonian Cycle Problem
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present
More informationMechanizing Elliptic Curve Associativity
Mechanizing Elliptic Curve Associativity Why a Formalized Mathematics Challenge is Useful for Verification of Crypto ARM Machine Code Joe Hurd Computer Laboratory University of Cambridge Galois Connections
More informationJORDAN NORMAL FORM. Contents Introduction 1 Jordan Normal Form 1 Conclusion 5 References 5
JORDAN NORMAL FORM KATAYUN KAMDIN Abstract. This paper outlines a proof of the Jordan Normal Form Theorem. First we show that a complex, finite dimensional vector space can be decomposed into a direct
More information15-251: Great Theoretical Ideas In Computer Science Recitation 9 : Randomized Algorithms and Communication Complexity Solutions
15-251: Great Theoretical Ideas In Computer Science Recitation 9 : Randomized Algorithms and Communication Complexity Solutions Definitions We say a (deterministic) protocol P computes f if (x, y) {0,
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationIterative Methods for Solving A x = b
Iterative Methods for Solving A x = b A good (free) online source for iterative methods for solving A x = b is given in the description of a set of iterative solvers called templates found at netlib: http
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationRate-Limited Secure Function Evaluation: Definitions and Constructions
An extended abstract of this paper is published in the proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography PKC 2013. This is the full version. Rate-Limited
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationEfficient Culpably Sound NIZK Shuffle Argument without Random Oracles
Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles Full Version, November 25, 2015 Prastudy Fauzi and Helger Lipmaa University of Tartu, Estonia Abstract. One way to guarantee security
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationAnalysing the microrna-17-92/myc/e2f/rb Compound Toggle Switch by Theorem Proving
Analysing the microrna-17-92/myc/e2f/rb Compound Toggle Switch by Theorem Proving Giampaolo Bella and Pietro Liò @ Catania and Cambridge Under the auspices of British Council's grant ``Computer-assisted
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationCOS Cryptography - Final Take Home Exam
COS 433 - Cryptography - Final Take Home Exam Boaz Barak May 12, 2010 Read these instructions carefully before starting to work on the exam. If any of them are not clear, please email me before you start
More informationSub-linear Zero-Knowledge Argument for Correctness of a Shuffle
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London jgroth@uclacuk Yuval Ishai Technion and UCLA yuvali@cstechnionacil February 4, 2008 Abstract A shuffle
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationTheoretical Cryptography, Lectures 18-20
Theoretical Cryptography, Lectures 18-20 Instructor: Manuel Blum Scribes: Ryan Williams and Yinmeng Zhang March 29, 2006 1 Content of the Lectures These lectures will cover how someone can prove in zero-knowledge
More informationQuantum Attacks on Classical Proof Systems
Quantum Attacks on Classical Proof Systems The Hardness of Quantum Rewinding University of Tartu With Andris Ambainis, Ansis Rosmanis QCrypt 2014 Classical Crypto (Quick intro.) Quantum Attacks on Classical
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationCompact Proofs of Retrievability
Compact Proofs of Retrievability Hovav Shacham hovav@cs.ucsd.edu Brent Waters bwaters@cs.utexas.edu Abstract In a proof-of-retrievability system, a data storage center must prove to a verifier that he
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationEfficient Modular NIZK Arguments from Shift and Product
Efficient Modular NIZK Arguments from Shift and Product Prastudy Fauzi 1, Helger Lipmaa 1, and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 National and Kapodistrian University of Athens, Greece
More informationMachine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser
Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser Classification (Machine Learning) Supervised learning (training) Classification data set
More informationSecure Vickrey Auctions without Threshold Trust
Secure Vickrey Auctions without Threshold Trust Helger Lipmaa Helsinki University of Technology, {helger}@tcs.hut.fi N. Asokan, Valtteri Niemi Nokia Research Center, {n.asokan,valtteri.niemi}@nokia.com
More informationEfficient and Secure Delegation of Linear Algebra
Efficient and Secure Delegation of Linear Algebra Payman Mohassel University of Calgary pmohasse@cpsc.ucalgary.ca Abstract We consider secure delegation of linear algebra computation, wherein a client,
More information