Subversion-Resistant Zero Knowledge
|
|
- Franklin Horn
- 5 years ago
- Views:
Transcription
1 Subversion-Resistant Zero Knowledge Georg Fuchsbauer joint work with Mihir Bellare and Alessandra Scafuro ECRYPT-NET Workshop on Crypto for the Cloud & Implementation 27 June 2017
2 Content of this talk M. Bellare, G. F., A. Scafuro: NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion ASIACRYPT 16 (eprint 2016/372) G. F.: Subversion-zero-knowledge SNARKs eprint 2017/587
3 Motivation 2013 compromised security not covered by standard model here: parameter subversion
4 Motivation 2013 compromised security not covered by standard model here: parameter subversion Example: Dual EC RNG trusted parameters P, Q ISO standard; NSA paid RSA $10 million knowledge of log Q P predictable [ShuFer07] break TLS [CFN + 14]
5 Motivation 2013 compromised security not covered by standard model here: parameter subversion goal: subversion resistance this work: NIZK, relies on common reference string ( ) example: zk-snark parameters for Zerocash ( ) [BCG + 14]
6 Related work NIZK 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14] NIZK in bare PK model [Wee07] CRS via multiparty computation [KKZZ14, BSCG + 15] UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]
7 Related work NIZK 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14] NIZK in bare PK model [Wee07] CRS via multiparty computation [KKZZ14, BSCG + 15] UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11] Subversion Algorithm-substitution attacks [BPR14, AMV15] Kleptography [YY96, YY97], cliptography [RTYZ16] Backdoored blockciphers [RP97, PG97, Pat99]
8 Non-interactive proofs let L N P prove x L crs π / Prover: x, w Verifier: x
9 Non-interactive proofs crs π Soundness: π x L Prover: x, w Verifier: x
10 Non-interactive proofs crs π Witness-indistinguishability: π[w] π[w ] Prover: x, w Verifier: x
11 Non-interactive proofs crs Prover: x, w π Zero-knowledge: crs π Simulator: x, w Verifier: x
12 Non-interactive proofs crs π Zero-knowledge: Prover: x, w crs π Simulator: x, w Verifier: x
13 Subversion-resistant NI proofs crs π Subversion Soundness: π x L Prover: x, w Verifier: x
14 Subversion-resistant NI proofs π crs Subversion WI: π[w] π[w ] Prover: x, w Verifier: x
15 Non-interactive proofs crs π Zero-knowledge: Prover: x, w crs π Simulator: x, w Verifier: x
16 Subversion-resistant NI proofs $ crs π Subversion ZK: Prover: x, w crs,$ π Simulator: x, w Verifier: x
17 Subversion-resistant NI proofs $ crs π : ( crs, $, ) ( crs, $, ) Prover: x, w π Simulator: x, w Verifier: x
18 Our results S-SND S-ZK S-WI SND ZK WI
19 Our results S-SND S-ZK S-WI SND ZK WI
20 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI
21 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI w w witness for x? Prover: x, w Verifier: x
22 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI ε Prover: x, w Verifier: x
23 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI???
24 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI (if L is non-trivial) crs x, π Breaking S-SND: π x / L
25 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI crs x, π (if L is non-trivial) Breaking S-SND: π x / L
26 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI?
27 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI? Non-interactive Zaps [GOS06] NI WI proofs without CRS No CRS subversion-resistant
28 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin?
29 Our results Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin? implies 2-move ZK (verifier chooses CRS) only achieved under extractability assumpt s [BCPR14] construction under new knowledge of exponent assumption
30 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, )
31 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s )
32 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s
33 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s checkable via pairing: e(g s, h) = e(g, h s )
34 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s idea: crs trapdoor
35 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s idea: crs trapdoor Zap! Prove: x L I know s
36 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) KEA: (g, h) (g s, h s ) s idea: crs trapdoor who chooses h? Prove: x L I know s
37 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) DH-KEA: (g s, h s, h = g η ) s OR η Prove: x L I know s or η
38 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) prove knowledge how? Prove: x L I know s or η
39 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) Enc(pk, s) prove knowledge how? Prove: x L I know s or η
40 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) pk? Enc(pk, s) crs = (g s, h s, h = g η ) prove knowledge how? Prove: x L I know s or η
41 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) pk Enc(pk, s) prove knowledge how? Prove: x L I know s or η
42 Achieving SND + S-ZK π : ( crs, $, ) ( crs, $, ) crs = (g s, h s, h = g η ) pk Enc(pk, s) make sk extractable prove knowledge how? Prove: x L I know s or η
43 Results for NIZKs Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin DH-KEA
44 Results for NIZKs Standard Subversion-resistant Possible? Assumpt s: SND ZK WI S-SND S-ZK S-WI DLin DH-KEA NIZK
45 SNARKs Succinct Non-interactive ARgument of Knowledge succinct: π independent of x and w proves knowledge of w
46 Arguments of knowledge crs π Soundness: π x L Prover: x, w Verifier: x
47 Arguments of knowledge crs π Prover: x, w Knowledge Soundness: extractor: π w extracted w Verifier: x
48 Applications of SNARKs Outsourcing of computation x f(x), π
49 Applications of SNARKs Outsourcing of computation x f(x), π Anonymous cryptocurrencies: Zerocash [BCGGMTV 14] coin is commitment to serial number
50 Applications of SNARKs Outsourcing of computation x f(x), π Anonymous cryptocurrencies: Zerocash [BCGGMTV 14] coin is commitment to serial number transaction creates new coins; reveals spent serial no. s proves that everything done correctly S π
51 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor)
52 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor) Subversion zero-knowledge?
53 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor) Subversion zero-knowledge? Yes! under new KE assumption DH-KEA: (g s, g t, g st ) s OR t
54 Subversion resistance SNARKs are perfect zero-knowledge but not subversion-sound (CRS contains simulation trapdoor) Subversion zero-knowledge? Yes! under new KE assumption SKE: ( g, g s, g s2 ) s
55 Approach CRS for SNARKs: ( g, g s, g s2,..., g sd, { g p j (s) } j, { g α i k β kp j,k (s) } i,j,... ) for random s, α i, β k,...
56 Approach CRS for SNARKs: ( g, g s, g s2,..., g sd, { g p j (s) } j, { g α i k β kp j,k (s) } i,j,... ) for random s, α i, β k,... Check of consistency? e ( g s2, h ) = e ( g s, h s) e ( g αp j(s), h ) = e ( i (gsi ) p j,i, h α)
57 Approach CRS for SNARKs: ( g, g s, g s2,..., g sd, { g p j (s) } j, { g α i k β kp j,k (s) } i,j,... ) for random s, α i, β k,... Check of consistency? e ( g s2, h ) = e ( g s, h s) e ( g αp j(s), h ) = e ( i (gsi ) p j,i, h α) Simulation? extraction of s but no other values
58 SNARK 1 & 2 Gennaro et al. s original SNARKs [GGPR13] symm. bilin. grps, π G 9 QSP-based (boolean circuits) QAP-based (arithmetic circuits)
59 SNARK 1 & 2 Gennaro et al. s original SNARKs [GGPR13] symm. bilin. grps, π G 9 QSP-based (boolean circuits) QAP-based (arithmetic circuits) CRS checkable? Proofs simulatable with s?
60 SNARK 1 & 2 Gennaro et al. s original SNARKs [GGPR13] symm. bilin. grps, π G 9 QSP-based (boolean circuits) QAP-based (arithmetic circuits) CRS checkable? Proofs simulatable with s? subversion zero knowledge
61 SNARK 3 Optimized Pinocchio [PHGR13, BCTV14] asymm. bilin. grps, π G 7 1 G 2 QAP-based (arithmetic circuits) underly
62 SNARK 3 Optimized Pinocchio [PHGR13, BCTV14] asymm. bilin. grps, π G 7 1 G 2 QAP-based (arithmetic circuits) underly CRS checkable? Proofs simulatable with s?
63 SNARK 3 Optimized Pinocchio [PHGR13, BCTV14] asymm. bilin. grps, π G 7 1 G 2 QAP-based (arithmetic circuits) underly CRS checkable? add 4 group elements Proofs simulatable with s? subversion zero knowledge
64 SNARK 4 Danezis et al. s SNARKs [DFGK14] asymm. bilin. grps, π G 3 1 G 2 SSP-based (boolean circuits)
65 SNARK 4 Danezis et al. s SNARKs [DFGK14] asymm. bilin. grps, π G 3 1 G 2 SSP-based (boolean circuits) CRS checkable? Proofs simulatable with s? subversion zero knowledge
66 SNARK 5 Groth s SNARKs [Groth16] asymm. bilin. grps, π G 2 1 G 2 QAP-based (arithmetic circuits) knwl-snd in generic grp model
67 SNARK 5 Groth s SNARKs [Groth16] asymm. bilin. grps, π G 2 1 G 2 QAP-based (arithmetic circuits) knwl-snd in generic grp model CRS checkable? Proofs simulatable with s?
68 SNARK 5 Groth s SNARKs [Groth16] asymm. bilin. grps, π G 2 1 G 2 QAP-based (arithmetic circuits) knwl-snd in generic grp model CRS checkable? Proofs simulatable with s? extract more simulate under SKE subv. ZK
69 Zcash Is Zcash anonymous if parameters set up maliciously? uses SNARK w/o checkable CRS parameters set up using MPC [BCGTV15] uses ROM proofs to prove correctness
70 Summary SNARKs Assuming SKE: [GGPR13], QSP: [GGPR13], QAP: [BCTV14]: [DFGK14]: [Groth16]: subversion-zk subversion-zk subversion-zk after extending CRS subversion-zk subversion-zk
71 Zcash Is Zcash anonymous if parameters set up maliciously? uses SNARK w/o checkable CRS parameters set up using MPC [BCGTV15] uses ROM proofs to prove correctness CRS checkable proofs simulatable
72 Zcash Is Zcash anonymous if parameters set up maliciously? uses SNARK w/o checkable CRS parameters set up using MPC [BCGTV15] uses ROM proofs to prove correctness CRS checkable proofs simulatable Zcash is subversion-anonymous in the ROM (if users verify CRS correctness)
73 THANK YOU! QUESTIONS?
Subversion-zero-knowledge SNARKs
An extended abstract of this work appears in PKC 18. This is the full version. Subversion-zero-knowledge SNARKs Georg Fuchsbauer 1 Abstract Subversion zero knowledge for non-interactive proof systems demands
More informationNIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion
A preliminary version of this paper appears in the proceedings of ASIACRYPT 2016. This is the full version. NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion Mihir Bellare 1 Georg
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationZKBoo: Faster Zero-Knowledge for Boolean Circuits
Aarhus University ZKBoo: Faster Zero-Knowledge for Boolean Circuits Irene Giacomelli, Jesper Madsen and Claudio Orlandi Usenix Security Symposium 2016 1 / 15 Zero-Knowledge (ZK) Arguments Alice Bob. Private
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationNon-interactive zaps of knowledge
Non-interactive zaps of knowledge Georg Fuchsbauer 1,2 and Michele Orrù 2,1 1 Inria 2 École normale supérieure, CNRS, PSL Research University, Paris, France first.last@ens.fr Abstract. While non-interactive
More informationOn QA-NIZK in the BPK Model
On QA-NIZK in the BPK Model Behzad Abdolmaleki 1, Helger Lipmaa 1, Janno Siim 1,2, and Michał Zając 1 1 University of Tartu, Estonia 2 STACC, Estonia Abstract. While the CRS model is widely accepted for
More informationCryptography for Blockchains beyond ECDSA and SHA256
Cryptography for Blockchains beyond ECDSA and SHA256 S IGNATURES AND Z ERO K NOWLEDGE P ROOFS Benedikt Bünz Stanford University Overview 1. Signatures 1. ECDSA 2. BLS 3. Threshold Signatures 4. Ring Signatures
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationPublic-Key Encryption Resistant to Parameter Subversion and its Realization from Efficiently-Embeddable Groups
A preliminary version of this paper appears in the proceedings of PKC 2018. This is the full version. Public-Key Encryption Resistant to Parameter Subversion and its Realization from Efficiently-Embeddable
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationPinocchio-Based Adaptive zk-snarks and Secure/Correct Adaptive Function Evaluation
Pinocchio-Based Adaptive zk-snarks and Secure/Correct Adaptive Function Evaluation Meilof Veeningen, meilof.veeningen@philips.com Philips Research, Eindhoven, The Netherlands Abstract. Pinocchio is a practical
More informationC C : A Framework for Building Composable Zero-Knowledge Proofs
C C : A Framework for Building Composable Zero-Knowledge Proofs Ahmed Kosba Zhichao Zhao Andrew Miller Yi Qian T-H. Hubert Chan Charalampos Papamanthou Rafael Pass abhi shelat Elaine Shi : UMD : HKU :
More informationQuasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh Yuval Ishai Amit Sahai David J. Wu Abstract Succinct non-interactive arguments (SNARGs) enable verifying NP computations with significantly
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRS-based NIZK shuffle argument OUR RESULTS
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationPrivacy-Preserving Outsourcing by Distributed Verifiable Computation. Meilof Veeningen Philips Research MPC 2016, Aarhus, May
Privacy-Preserving Outsourcing by Distributed Verifiable Computation Meilof Veeningen MPC 2016, Aarhus, May 30 2016 2 3 4 5 6 Outsourcing Computations on Sensitive Data (I) privacy? x f(x) correctness?
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationSignatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)
Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz
More informationFoundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationExtractable Perfectly One-way Functions
Extractable Perfectly One-way Functions Ran Canetti 1 and Ronny Ramzi Dakdouk 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. canetti@watson.ibm.com 2 Yale University, New Haven, CT. dakdouk@cs.yale.edu
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationFang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University
Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University Are classical cryptographic protocols secure against quantum attackers? 2 Are classical cryptographic
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationLimits of Extractability Assumptions with Distributional Auxiliary Input
Limits of Extractability Assumptions with Distributional Auxiliary Input Elette Boyle Cornell University ecb227@cornell.edu Rafael Pass Cornell University rafael@cs.cornell.edu November 20, 2013 Abstract
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationA New RSA-Based Signature Scheme
1 / 13 A New RSA-Based Signature Scheme Sven Schäge, Jörg Schwenk Horst Görtz Institute for IT-Security Africacrypt 2010 2 / 13 RSA-Based Signature Schemes Naïve RSA signature scheme not secure under the
More informationScalable Multi-party Computation for zk-snark Parameters in the Random Beacon Model
Scalable Multi-party Computation for zk-snark Parameters in the Random Beacon Model Sean Bowe sean@z.cash Ariel Gabizon ariel@z.cash November 5, 2017 Ian Miers imiers@cs.jhu.edu Abstract Zero-knowledge
More informationMalleable Signatures: New Definitions and Delegatable Anonymous Credentials
Malleable Signatures: New Definitions and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Email: melissac@microsoft.com Markulf Kohlweiss Microsoft Research Email: markulf@microsoft.com
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationInformation Security Theory vs. Reality
Information Security Theory vs. Reality 0368-4474-01, Winter 2015-2016 Lecture 12: Verified computation and its applications, course conclusion Eran Tromer 1 2 Verified computation using computational
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present
More informationBatch Range Proof For Practical Small Ranges
Batch Range Proof For Practical Small Ranges Kun Peng and Feng Bao dr.kun.peng@gmail.com Institute for Inforcomm Research (I 2 R), Singapore 1 Agenda 1. Introduction 2. Range proof 3. Batch proof 4. Extended
More informationScalable, transparent, and post-quantum secure computational integrity
Scalable, transparent, and post-quantum secure computational integrity Eli Ben-Sasson * Iddo Bentov Yinon Horesh * Michael Riabzev * March 6, 2018 Abstract Human dignity demands that personal information,
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationImplicit Zero-Knowledge Arguments and Applications to the Malicious Setting
Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting Fabrice Benhamouda, Geoffroy Couteau, David Pointcheval, and Hoeteck Wee ENS, CNRS, INRIA, and PSL, Paris, France firstname.lastname@ens.fr
More informationEmbedded Proofs for Verifiable Neural Networks
Embedded Proofs for Verifiable Neural Networks Hervé Chabanne 1,3, Julien Keuffer 1,2, and Refik Molva 2 1 Idemia, Issy-les-Moulineaux, France 2 Eurecom, Biot, France 3 Telecom ParisTech, Paris, France
More informationPolicy-based Signature
Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013 1 2 3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, 2013. 2. [GS08] Jens Groth, Amit Sahai.
More informationPrastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification
More informationOn the (In)security of SNARKs in the Presence of Oracles
On the (In)security of SNARKs in the Presence of Oracles Dario Fiore 1 and Anca Nitulescu 2 1 IMDEA Software Institute, Madrid, Spain dario.fiore@imdea.org 2 CNRS, ENS, INRIA, and PSL, Paris, France anca.nitulescu@ens.fr
More informationEfficient Fully-Leakage Resilient One-More Signature Schemes
Efficient Fully-Leakage Resilient One-More Signature Schemes Antonio Faonio IMDEA Software Institute, Madrid, Spain In a recent paper Faonio, Nielsen and Venturi (ICALP 2015) gave new constructions of
More informationIdentification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks
Identification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks Hiroaki Anada and Seiko Arita Institute of Information Security, Yokohama, Japan hiroaki.anada@gmail.com,
More informationOptimally Sound Sigma Protocols Under DCRA
Optimally Sound Sigma Protocols Under DCRA Helger Lipmaa University of Tartu, Tartu, Estonia Abstract. Given a well-chosen additively homomorphic cryptosystem and a Σ protocol with a linear answer, Damgård,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationEfficient Adaptively Secure Zero-knowledge from Garbled Circuits
Efficient Adaptively Secure Zero-knowledge from Garbled Circuits Chaya Ganesh 1, Yashvanth Kondi 2, Arpita Patra 3, and Pratik Sarkar 4 1 Department of Computer Science, Aarhus University. ganesh@cs.nyu.edu
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationEfficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting
Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting Jonathan Bootle 1, Andrea Cerulli 1, Pyrros Chaidos 1, Jens Groth 1, and Christophe Petit 2 1 University College London
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationVerifiable Computing: Between Theory and Practice. Justin Thaler Georgetown University
Verifiable Computing: Between Theory and Practice Justin Thaler Georgetown University Talk Outline 1. The VC Model: Interactive Proofs and Arguments 2. VC Systems: How They Work 3. Survey and Comparison
More informationMaking the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits
Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits Yuval Ishai Mor Weiss Guang Yang Abstract A Probabilistically Checkable Proof PCP) allows a randomized verifier,
More informationVerifiable ASICs: trustworthy hardware with untrusted components
Verifiable ASICs: trustworthy hardware with untrusted components Riad S. Wahby, Max Howald, Siddharth Garg, abhi shelat, and Michael Walfish Stanford University New York University The Cooper Union The
More informationQuadratic Span Programs and Succinct NIZKs without PCPs
Quadratic Span Programs and Succinct NIZKs without PCPs Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova Abstract. We introduce a new characterization of the NP complexity class, called
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationGeneralizing Efficient Multiparty Computation
Generalizing Efficient Multiparty Computation Bernardo David 1, Ryo Nishimaki 2, Samuel Ranellucci 1, and Alain Tapp 3 1 Department of Computer Science Aarhus University, Denmark {bernardo,samuel}@cs.au.dk
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationSuccinct Non-Interactive Arguments via Linear Interactive Proofs
Succinct Non-Interactive Arguments via Linear Interactive Proofs Nir Bitansky Tel Aviv University Rafail Ostrovsky UCLA Alessandro Chiesa MIT September 15, 2013 Yuval Ishai Technion Omer Paneth Boston
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationA More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument Helger Lipmaa 1 and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 State University of New York at Buffalo, USA
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationUniversally Composable Adaptive Oblivious Transfer
Universally Composable Adaptive Oblivious Transfer Matthew Green Susan Hohenberger Johns Hopkins University {mgreen,susan}@cs.jhu.edu September 14, 2013 Abstract In an oblivious transfer (OT) protocol,
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationNearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution
Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller University College London Abstract There have been tremendous
More informationProofs of Ignorance and Applications to 2-Message Witness Hiding
Proofs of Ignorance and Applications to 2-Message Witness Hiding Apoorvaa Deshpande Yael Kalai September 25, 208 Abstract We consider the following paradoxical question: Can one prove lack of knowledge?
More informationOptimally Sound Sigma Protocols Under DCRA
Optimally Sound Sigma Protocols Under DCRA Helger Lipmaa University of Tartu, Tartu, Estonia Abstract. Given a well-chosen additively homomorphic cryptosystem and a Σ protocol with a linear answer, Damgård,
More informationEfficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments
Efficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments Jens Groth University College London, UK j.groth@ucl.ac.uk Abstract. We construct practical and efficient zero-knowledge arguments
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationEfficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments
Efficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments Jens Groth University College London j.groth@ucl.ac.uk Abstract. We construct practical and efficient zero-knowledge arguments
More informationDelegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs
Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs Chunming Tang 1, Dingyi Pei 1,2 Zhuojun Liu 3 1 Institute of Information Security of Guangzhou University, P.R.China 2 State
More informationThe Hunting of the SNARK
The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Shafi Goldwasser Huijia Lin Aviad Rubinstein Eran Tromer July 24, 2014 Abstract The existence of succinct non-interactive arguments for
More informationSNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. Madars Virza
SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge by Madars Virza B.Sc., University of Latvia (2011) Submitted to the Department of Electrical Engineering and Computer Science
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationThe Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols
The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols Mihir Bellare and Adriana Palacio Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive,
More informationTightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationShort Structure-Preserving Signatures
This is the full version of the extended abstract which appears in Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 2016). Short Structure-Preserving Signatures Essam Ghadafi University
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More information