Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
|
|
- Jack Allison
- 5 years ago
- Views:
Transcription
1 Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017
2 How can a sender of a message prove themselves trustworthy without revealing who they are? 2 of 23
3 Example: Bitcoin Pay Alice a coin Signed: aaaaaaa Bitcoin uses digital signatures: Trustworthy? Anonymous? Bob Bob s wallet 3 of 23
4 Example: Bitcoin Bob Bob s wallet Pay Alice a coin Signed: aaaaaaa Bitcoin uses digital signatures: Trustworthy? Bob can always convince the verifiers. An adversary cannot forge Bob s signature. An adversary cannot use Bob s signature on a different message. Anonymous? 3 of 23
5 Example: Bitcoin Bob Bob s wallet Pay Alice a coin Signed: aaaaaaa Bitcoin uses digital signatures: Trustworthy = Anonymous = Pseudonymous Bob s real name might be Roberta. Can often uncover Bob s real world identity based on what he spends. 3 of 23
6 Example: Zerocoin Example: Zerocoin Owner of an unspent coin Pay Alice a coin Signed: aaaaaaa Zerocoin uses signatures of knowledge: Trustworthy? The owner of an unspent coin can compute a signature. A person without an unspent coin cannot compute a signature. A signature cannot be adapted for use on a different message. Anonymous? 4 of 23
7 Example: Zerocoin Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Zerocoin uses signatures of knowledge: Trustworthy = Anonymous = Signature of knowledge provides no additional information as to who the spender is. 4 of 23
8 Example: Zerocoin Example: Zerocoin Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Zerocoin uses signatures of knowledge: Trustworthy = Anonymous = Signature of knowledge provides no additional information as to who the spender is. However signatures of knowledge are large and take a long time to verify => Zerocoin not efficient. 4 of 23
9 Example: Zcash Example: Zcash Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Zcash uses zk-snarks: Trustworthy? Anonymous? zk-snarks provides no additional information as to who the spender is. zk-snarks are small and take a small time to verify => Zcash is efficient. 5 of 23
10 Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Standard zk-snarks do not provide this property. Zcash has to take additional steps to prevent transaction malleability. Example: Zcash Example: Zcash Zcash uses zk-snarks: Trustworthy = The owner of an unspent coin can compute a proof. A person without an unspent coin cannot compute a proof. A proof cannot be adapted for use on a different message????? Anonymous = 5 of 23
11 Our Contributions We construct the first simulation-extractable SNARK (SE-SNARK). We exploit a link between signatures of knowledge and SE-SNARKs to also get the first succinct signature of knowledge. Ingredients: 1. Asymmetric bilinear groups; 2. Square arithmetic programs; 3. External power knowledge of exponent assumption; 4. Computational assumption. 6 of 23
12 Plan Definitions Square Arithmetic Programs Construction Efficiency
13 Asymmetric Bilinear Groups prime bp = p, G, H, T, e Function e: G H T Groups of order p There are efficient algorithms for deciding group membership and computing group operations; No isomorphism between G and H is efficiently computable in either direction. Properties: Bilinearity: e G a, H b = e(g, H) ab Non-degeneracy: if X 1 and Y 1 then e X, Y 1 Efficient: e is efficiently computable. 7 of 23
14 SE-SNARK Simulation-Extractable zero-knowledge Succinct Non-interactive ARgument of Knowledge 8 of 23
15 SE-SNARKs A person knows a witness for an instance Φ. Properties: Correct: Zero Knowledge: Sound: A person who knows a witness can always convince the verifier. The verifier learns no information from the proof except that the instance is true. A false statement cannot be proven. Simulation-Extractable: Old proofs cannot be used to forge new proofs of false statements. 9 of 23
16 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) 10 of 23
17 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) π 10 of 23
18 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) π 10 of 23
19 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) Did the prover use the witness or the trapdoor to compute π? 10 of 3
20 Simulation-Extractability Simulation-Extractable: Old proofs cannot be used to forge new proofs of false statements. CRS (CRS, τ) Setup(R) Φ i CRS, τ π f(crs, Φ,?? ) ORACLE π i ρ τ (CRS, Φ i ) I know a witness for Φ π i (Φ, π) EITHER Φ, π = (Φ i, π i ) 11 of 23
21 Simulation-Extractability Simulation-Extractable: Old proofs cannot be used to forge new proofs of false statements. (CRS, τ) Setup(R) CRS CRS, τ Φ i Implies Soundness π f(crs, Φ,?? ) ORACLE π i ρ τ (CRS, Φ i ) I know a witness for Φ π i (Φ, π) EITHER Φ, π = (Φ i, π i ) 11 of 23
22 Succinctness The size of the proof and the time taken to verify a proof does not depend on the size of the witness. 12 of 23
23 Signature of Knowledge A person who knows a witness for an instance Φ has signed a message. Properties: Correct: Zero Knowledge: Sound: A person who knows a witness can always convince the verifier. The verifier learns no information from the signature except that the instance is true. A false statement cannot be signed. Simulation-Extractable: Old signatures cannot be used to forge new signatures of false statements. 13 of 23
24 Plan Definitions Square Arithmetic Programs Construction Efficiency
25 Arithmetic Circuits u 1 v 1 u 2 v 2 u 1 v3 w 2 w 3 w 1 v u 2 4 w 5 u 3 v 4 w 4 Encoding of NP languages. The instance is some of the wire values that are revealed. The witness is the value of the remaining wires. 14 of 23
26 Arithmetic Circuits u 1 v 1 u 2 v 2 u 1 v3 w 2 w 3 u 1 = 5 w 1 v u 2 w 4 4 w 5 u 3 v 4 w 2 = 7 Encoding of NP languages. The instance is some of the wire values that are revealed. The witness is the value of the remaining wires. 14 of 23
27 Arithmetic Circuits u 1 v 1 u 2 v 2 u 1 v3 w 2 w 3 w 1 v u 2 4 w 5 u 3 v 4 w 4 Prover commits to values of wires. Prover shows Output wires consistent with input wires. Multiplication and addition gates calculated correctly. 14 of 23
28 Quadratic Arithmetic Programs [GGPREurocrypt13] Relation described by degree n 1 polynomials R = p, l, u i X, v i X, w i X m i=0, t X degree n polynomial Instance Φ = (s 1,, s l ) and witness w = (s l+1,, s m ) satisfy arithmetic circuit C if and only if σ m i=0 s i u i (X) σ m i=0 s i v i (X) = σ m i=0 s i w i (X) + mod t(x) 15 of 23
29 Quadratic Arithmetic Programs [GGPREurocrypt13] Relation described by degree n 1 polynomials R = p, l, u i X, v i X, w i X m i=0, t X degree n polynomial Instance Φ = (s 1,, s l ) and witness w = (s l+1,, s m ) satisfy arithmetic circuit C if and only if σ m i=0 s i u i (X) σ m i=0 s i v i (X) = σ m i=0 s i w i (X) + mod t(x) s 0 = 1 15 of 23
30 Square Arithmetic Programs We can ensure that left input wires and right input wires are the same if we double the size of the circuit. Relation described by R = p, l, u i X, w i X (s 1,, s m ) satisfy circuit C if and only if s 0 = 1 σ m i=0 s i u i X 2 = σ m i=0 degree 2n 1 polynomials m i=0, t X s i w i (X) + mod t(x) degree 2n polynomial 16 of 23
31 Plan Definitions Square Arithmetic Programs Construction Efficiency
32 Groth Eurocrypt 2016 Construction Instance = Φ v u 1 v 2 1 u u v3 1 2 w 2 w 3 w 1 Commitment to left input wires Commitment to right input wires u 3 v 4 Proof = (A, B, C) group elements. u 4 v 2 w 4 Commitment to output wires w 5 17 of 23
33 Groth Eurocrypt 2016 Construction Instance = Φ Verification Equation: Proof = (A, B, C) group elements. Known function of Φ e(a, B) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) secret Each of these pairings contribute towards knowledge soundness 17 of 23
34 Groth Eurocrypt 2016 is Sound Multiplication and addition gates evaluated correctly e(a, B) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) α, β ensure internal wires are consistent Hard to find G f(φ) or H f(φ) = prover must use their witness. 18 of 23
35 Groth Eurocrypt 2016 not SE Suppose A, B, C satisfy e(a, B) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) Then so does A, B H r, A r C Then so does A r, B 1 r, C 19 of 23
36 Our Techniques: 1 Suppose A, B, C satisfy e(ag α, BH β ) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) Second verification equation e(a, H γ ) = e(g γ, B) Then so does A r, B 1 r, C 20 of 23
37 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23
38 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23
39 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23
40 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23
41 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23
42 Plan Definitions Square Arithmetic Programs Construction Efficiency
43 Efficiency Public parameters and prover computation a bit higher than the others. Verifier computation is low Verifier equations are minimal for SE-SNARKs Proof in full version Proof size is minimal for SE-SNARKs eprint.iacr.org/2017/540 Implemented in libsnark by Popovs, Chiesa, and Virza github.com/scipr-lab/libsnark/tree/master/libsnark/zk_proof_systems/ppzksnark/r1cs_se_ppzksnark 23 of 23
44 Thank-you for listening
Lattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationA Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System
A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System Zhengjun Cao 1, Lihua Liu 2, Abstract. In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationSubversion-Resistant Zero Knowledge
Subversion-Resistant Zero Knowledge Georg Fuchsbauer joint work with Mihir Bellare and Alessandra Scafuro ECRYPT-NET Workshop on Crypto for the Cloud & Implementation 27 June 2017 Content of this talk
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationSubversion-zero-knowledge SNARKs
An extended abstract of this work appears in PKC 18. This is the full version. Subversion-zero-knowledge SNARKs Georg Fuchsbauer 1 Abstract Subversion zero knowledge for non-interactive proof systems demands
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationzksnarks in a Nutshell
zksnarks in a Nutshell Christian Reitwießner chris@ethereum.org Abstract The possibilities of zksnarks are impressive; you can verify the correctness of computations without having to execute them, and
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationCryptography for Blockchains beyond ECDSA and SHA256
Cryptography for Blockchains beyond ECDSA and SHA256 S IGNATURES AND Z ERO K NOWLEDGE P ROOFS Benedikt Bünz Stanford University Overview 1. Signatures 1. ECDSA 2. BLS 3. Threshold Signatures 4. Ring Signatures
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationC C : A Framework for Building Composable Zero-Knowledge Proofs
C C : A Framework for Building Composable Zero-Knowledge Proofs Ahmed Kosba Zhichao Zhao Andrew Miller Yi Qian T-H. Hubert Chan Charalampos Papamanthou Rafael Pass abhi shelat Elaine Shi : UMD : HKU :
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationCryptology. Vilius Stakėnas autumn
Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationEfficient Zero-Knowledge Range Proofs in Ethereum
Efficient Zero-Knowledge Range Proofs in Ethereum Tommy Koens, Coen Ramaekers and Cees van Wijk ING, blockchain@ing.com 1 Introduction Two months ago I (Tommy) joined ING s blockchain team. This job change
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationA Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles
A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles Michele Ciampi DIEM University of Salerno ITALY mciampi@unisa.it Giuseppe Persiano
More informationDelegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs
Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs Chunming Tang 1, Dingyi Pei 1,2 Zhuojun Liu 3 1 Institute of Information Security of Guangzhou University, P.R.China 2 State
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationProofs of Ignorance and Applications to 2-Message Witness Hiding
Proofs of Ignorance and Applications to 2-Message Witness Hiding Apoorvaa Deshpande Yael Kalai September 25, 208 Abstract We consider the following paradoxical question: Can one prove lack of knowledge?
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationAttribute-Based Signatures
Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek Abstract We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained
More informationNew Commitment Schemes with Applications to Anonymous Bitcoin!
New Commitment Schemes with Applications to Anonymous Bitcoin! Henry Corrigan-Gibbs and Dan Boneh! (Work in progress)!! Stanford Security Forum! 14 April 2014! Isn t Bitcoin already anonymous?! Yes and
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationA New RSA-Based Signature Scheme
1 / 13 A New RSA-Based Signature Scheme Sven Schäge, Jörg Schwenk Horst Görtz Institute for IT-Security Africacrypt 2010 2 / 13 RSA-Based Signature Schemes Naïve RSA signature scheme not secure under the
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationMulti-Key Homomorphic Signatures Unforgeable under Insider Corruption
Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2, Raymond K. H. Tai 1, Harry W. H. Wong 1, and Sherman S. M. Chow 1 1 Chinese University of Hong Kong, Hong Kong
More informationInteractive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science
Interactive PCP Yael Tauman Kalai Georgia Institute of Technology yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract A central line of research in the area of PCPs
More informationLecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.
CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial
More informationMaking the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits
Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits Yuval Ishai Mor Weiss Guang Yang Abstract A Probabilistically Checkable Proof PCP) allows a randomized verifier,
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationBlack-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way
Proceedings on Privacy Enhancing Technologies ; 2016 (3):62 82 Tibor Jager and Andy Rupp* Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way Abstract: We formalize and construct
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi, Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. We define and propose an efficient and provably secure
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationSignatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)
Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationEfficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting
Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting Jonathan Bootle 1, Andrea Cerulli 1, Pyrros Chaidos 1, Jens Groth 1, and Christophe Petit 2 1 University College London
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationOn the (In)security of the Fiat-Shamir Paradigm
On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification
More informationElectronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP
Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP Yael Tauman Kalai Weizmann Institute of Science yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il
More informationNew Approach for Selectively Convertible Undeniable Signature Schemes
New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Hard Core Bits Coin Flipping Over the Phone Zero Knowledge Lecture 10 (version 1.1) Tel-Aviv University 18 March 2008. Slightly revised March 19. Hard Core
More informationEfficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments
Efficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments Jens Groth University College London j.groth@ucl.ac.uk Abstract. We construct practical and efficient zero-knowledge arguments
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationEfficient Group Signatures without Trapdoors
Efficient Group Signatures without Trapdoors Giuseppe Ateniese and Breno de Medeiros The Johns Hopkins University Department of Computer Science Baltimore, MD 21218, USA ateniese@cs.jhu.edu, breno.demedeiros@acm.org
More information