Lattice-Based Zero-Knowledge Arguments for Integer Relations
1 Lattice-Based Zero-Knowledge Arguments for Integer Relations
Benoît Libert (1), San Ling (2), Khoa Nguyen (2), Huaxiong Wang (2)
(1) CNRS and ENS Lyon, France; (2) Nanyang Technological University, Singapore
CRYPTO 2018, 20 August 2018
2-4 Zero-Knowledge Proofs/Arguments for Integer Relations
We study the problem of proving in ZK, under standard lattice assumptions, that large committed integers satisfy certain relations.
Large: committed integers X, Y, Z are of bit-size L = poly(n).
Relations:
- Addition: X + Y = Z over Z
- Multiplication: X · Y = Z over Z
- Range: X ∈ [α, β]
- Set non-membership: X ∉ SET, where SET is a public set.
Assumptions: existing solutions rely on DL/strong-RSA, e.g.
- + and ·: Fujisaki-Okamoto (C 97), Damgård-Fujisaki (AC 02), Lipmaa (AC 03), Couteau et al. (EC 17)
- Range: Camenisch et al. (AC 08), González-Ràfols (ACNS 17)
- Set non-membership: Camenisch-Lysyanskaya (C 02), Nakanishi et al. (PKC 09), Bayer-Groth (EC 13)
Khoa Nguyen, Lattice-Based ZK for Integers, CRYPTO / 15
5-6 In the Lattice Setting...
The considered problem is still open!
If we were to use known ZK proofs in ideal lattices to prove that X, Y, Z of bit-size L = poly(n) satisfy X + Y = Z over Z:
- We would have to prove X + Y = Z mod q for a large modulus q = 2^{poly(n)}.
- Each ring element (used in the commitment) would cost a thousand times L bits.
- Proving that X, Y are small w.r.t. q (i.e., no reduction mod q occurs) and proving the additive relation would cost k · L bits for some factor k.
- Strong assumptions: at least sub-exponential approximation factors.
- Ensuring soundness is non-trivial.
Only some limited forms of range proofs/arguments are known, e.g., X ∈ [0, 2^m − 1]. No efficient non-membership argument is known.
7-8 Our Results
Statistical ZK arguments for relations among committed integers, under mild assumptions in general (i.e., non-ideal) lattices.
- Integers of bit-size L = poly(n) are committed via the SIS-based commitment scheme by Kawachi-Tanaka-Xagawa (AC 08).
- Small modulus: q = Õ(√(L · n)).
- Weak assumption: SIVP_γ is hard for γ = Õ(√(L · n)).
- Addition argument with comm. cost ζ + 20L · κ, where ζ is the cost of proving openings and κ = ω(log n) is the number of repetitions.
- Range arguments with comm. cost ζ + O(L) · κ, for ranges of size 2^L.
- Non-membership argument with comm. cost O(n · log |SET|).
- Multiplication arguments that can achieve sub-quadratic complexity O(L^{log_2 3}) in both computation and communication.
9 Outline
1 Background and Our Results
2 Our Ideas and Techniques
10-11 Binary Additions with Carries
Main idea: view integer additions as binary additions with carries, then prove in ZK that they are done correctly.
Suppose that we add two bits x and y with carry-in c_in to obtain a bit z and carry-out c_out. Then the relations among these bits are captured by the equations
z = x + y + c_in mod 2,
c_out = x · y + z · c_in + c_in mod 2.
12-13 Additions of Committed Integers
Let X = (x_{L-1}, ..., x_0)_2, Y = (y_{L-1}, ..., y_0)_2, Z = (z_L, z_{L-1}, ..., z_0)_2. For i ∈ [0, L − 1], let c_{i+1} be the carry-out of the i-th addition. We have:
z_0 + x_0 + y_0 = 0 mod 2
c_1 + x_0 · y_0 = 0 mod 2
z_1 + x_1 + y_1 + c_1 = 0 mod 2
c_2 + x_1 · y_1 + z_1 · c_1 + c_1 = 0 mod 2
...
z_{L-1} + x_{L-1} + y_{L-1} + c_{L-1} = 0 mod 2
z_L + x_{L-1} · y_{L-1} + z_{L-1} · c_{L-1} + c_{L-1} = 0 mod 2.
X, Y, Z are committed via [KTX-AC 08], which gives equations modulo q:
a_0 · x_0 + ... + a_{L-1} · x_{L-1} + Σ_j b_j · r_{1,j} = c_x mod q;
a_0 · y_0 + ... + a_{L-1} · y_{L-1} + Σ_j b_j · r_{2,j} = c_y mod q;
a_0 · z_0 + ... + a_L · z_L + Σ_j b_j · r_{3,j} = c_z mod q.
Goal: prove in ZK that we know the secret bits x_i, y_i, z_i, c_i, r_{k,j} such that all equations mod 2 and mod q hold. Tool: Stern-like techniques.
14-15 Stern-like Zero-Knowledge Techniques
Stern (Crypto 93): ZK protocol for the Syndrome Decoding problem. It uses random permutations to prove constraints on secret witnesses satisfying matrix-vector equations. Recently adapted to the lattice setting.
Handling secret bits [Libert, Ling, N, Wang - EC 16]:
- For any b ∈ {0, 1}, let b̄ = 1 − b and ext_2(b) = (b̄, b) ∈ {0, 1}^2.
- For any c ∈ {0, 1}, define P_c as the permutation transforming v = (v_0, v_1) ∈ Z^2 into P_c(v) = (v_c, v_{c̄}).
- Observation: v = ext_2(b) ⇔ P_c(v) = ext_2(b + c mod 2). (1)
This proves knowledge of a secret bit b that may appear in several correlated equations.
16 Stern-like Zero-Knowledge Techniques (cont.)
Products of 2 secret bits [Libert, Ling, Mouhartem, N, Wang - AC 16]:
- For any bits b_1, b_2, define ext_4(b_1, b_2) = (b̄_1 · b̄_2, b̄_1 · b_2, b_1 · b̄_2, b_1 · b_2) ∈ {0, 1}^4.
- For any bits c_1, c_2, define T_{c_1,c_2} as the permutation transforming v = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1}) ∈ Z^4 into T_{c_1,c_2}(v) = (v_{c_1,c_2}, v_{c_1,c̄_2}, v_{c̄_1,c_2}, v_{c̄_1,c̄_2}).
- Observation: v = ext_4(b_1, b_2) ⇔ T_{c_1,c_2}(v) = ext_4(b_1 + c_1 mod 2, b_2 + c_2 mod 2). (2)
This proves knowledge of the product b_1 · b_2 of secret bits, where b_1, b_2 may appear in other equations.
17 Stern-like ZK Arguments for Integer Additions
Using the permuting techniques, we can prove that all the secrets in the equations mod 2 and mod q are well-formed:
- Bits x_i, y_i, z_i, c_i, r_{k,j}
- Bit products x_0 · y_0, x_1 · y_1, ..., x_{L-1} · y_{L-1}, z_1 · c_1, ..., z_{L-1} · c_{L-1}.
To prove that the equations hold:
1 Transform all equations into M_2 · s = 0 mod 2 and M_q · t = c mod q.
2 Random masking with vectors over Z_2 and Z_q: M_2 · (s + r_s) = M_2 · r_s mod 2 and M_q · (t + r_t) − c = M_q · r_t mod q.
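A Python check of the carry equations from slide 12 and of observations (1) and (2), added here as an illustration; it is not the talk's or the paper's code. The witness layout (carries c_1, ..., c_{L-1} supplied by the prover, z_L playing the role of the last carry-out) follows the slide equations; the brute-force soundness check is our addition and only makes sense for small L.

```python
# Added example, not from the slides or the paper's code: the mod-2 carry
# equations of slide 12 and the ext_2 / ext_4 permutation observations (1), (2).
from itertools import product


def to_bits(value, length):
    """Little-endian bit vector (v_0, ..., v_{length-1}) of a non-negative int."""
    return [(value >> i) & 1 for i in range(length)]


def carry_residuals(x, y, z, c):
    """Residuals mod 2 of the 2L equations on slide 12.

    x, y: L bits; z: L+1 bits; c: carries (c_1, ..., c_{L-1}) claimed by the
    prover.  c_0 = 0 is implicit and the last carry-out is the top bit z_L.
    All residuals are 0 exactly when the bits describe a correct binary
    addition with carries.
    """
    L = len(x)
    assert len(y) == L and len(z) == L + 1 and len(c) == L - 1
    carries = [0] + list(c)                      # carries[i] = c_i
    res = []
    for i in range(L):
        c_in = carries[i]
        c_out = z[L] if i == L - 1 else carries[i + 1]
        res.append((z[i] + x[i] + y[i] + c_in) % 2)                 # sum bit
        res.append((c_out + x[i] * y[i] + z[i] * c_in + c_in) % 2)  # carry bit
    return res


def honest_carries(x, y):
    """Carries an honest prover derives: c_{i+1} = x_i y_i + z_i c_i + c_i mod 2
    (the majority of x_i, y_i, c_i).  Returns (c_1, ..., c_{L-1})."""
    carries, c = [], 0
    for xi, yi in zip(x, y):
        zi = (xi + yi + c) % 2
        c = (xi * yi + zi * c + c) % 2
        carries.append(c)
    return carries[:-1]                          # c_L is exposed as z_L, not a witness


def addition_holds(X, Y, Z, L):
    """True iff X + Y = Z over the integers, decided purely via the mod-2 system."""
    x, y, z = to_bits(X, L), to_bits(Y, L), to_bits(Z, L + 1)
    return all(r == 0 for r in carry_residuals(x, y, z, honest_carries(x, y)))


def no_carry_witness_exists(X, Y, Z, L):
    """Soundness spot-check for small L: when Z != X + Y, no choice of the
    carry witness satisfies the system (brute force over 2^(L-1) vectors)."""
    x, y, z = to_bits(X, L), to_bits(Y, L), to_bits(Z, L + 1)
    return not any(all(r == 0 for r in carry_residuals(x, y, z, list(c)))
                   for c in product((0, 1), repeat=L - 1))


# --- Stern-style extensions and permutations (slides 15-16) ---------------

def ext2(b):
    """ext_2(b) = (1 - b, b)."""
    return (1 - b, b)


def perm2(c, v):
    """P_c(v) = (v_c, v_{1-c})."""
    return (v[c], v[1 - c])


def ext4(b1, b2):
    """ext_4(b1, b2) = (b̄1 b̄2, b̄1 b2, b1 b̄2, b1 b2), laid out as (v_00, v_01, v_10, v_11)."""
    return ((1 - b1) * (1 - b2), (1 - b1) * b2, b1 * (1 - b2), b1 * b2)


def perm4(c1, c2, v):
    """T_{c1,c2}(v)_{i,j} = v_{i xor c1, j xor c2}, i.e. (v_{c1c2}, v_{c1 c̄2}, v_{c̄1 c2}, v_{c̄1 c̄2})."""
    return tuple(v[2 * (i ^ c1) + (j ^ c2)] for i in (0, 1) for j in (0, 1))


def permutation_observations_hold():
    """Check (1) and (2) exhaustively: permuting ext(b) by c gives ext(b xor c),
    so for a uniformly random c the permuted vector reveals nothing about b."""
    ok2 = all(perm2(c, ext2(b)) == ext2(b ^ c) for b, c in product((0, 1), repeat=2))
    ok4 = all(perm4(c1, c2, ext4(b1, b2)) == ext4(b1 ^ c1, b2 ^ c2)
              for b1, b2, c1, c2 in product((0, 1), repeat=4))
    # converse: a malformed vector stays malformed, so the well-formedness check binds
    bad = perm2(1, (1, 1)) in (ext2(0), ext2(1))
    return ok2 and ok4 and not bad
```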
18-20 Inequalities and Range Arguments
Additions of non-negative integers → inequalities, ranges.
Inequalities:
- X ≤ Y: there exists a non-negative Z s.t. X + Z = Y.
- X < Y: there exists a non-negative Z s.t. X + Z + 1 = Y.
Ranges: X ∈ [α, β], [α, β), (α, β], (α, β), where α, β may be hidden. Each is two inequalities, e.g., X ≥ α and X < β.
Next: range arguments + additional techniques → set non-membership arguments.
21-22 Non-Membership Arguments
Problem: given a public set SET = {S_1, ..., S_M} containing M = poly(n) integers of bit-size n, where S_1 < S_2 < ... < S_M, prove in ZK that the committed integer X does not belong to SET. Target: communication complexity O(log M).
Let S_0 = 0^n and S_{M+1} = 1^n. Prove that X ∈ (S_j, S_{j+1}) for some j:
1 Y < X < Z, for some secret Y, Z: a range argument.
2 Y, Z ∈ {S_0, S_1, ..., S_M, S_{M+1}} and Y, Z are consecutive: needs structures/techniques allowing an O(log M) membership argument.
23 Lattice-Based Merkle Hash Trees
[Figure: Merkle tree with root u, internal nodes u_0, u_1, u_00, ..., u_111, and leaves S_0, ..., S_7; the leaves Y and Z are marked.]
Build a Merkle tree over {S_0, S_1, ..., S_M, S_{M+1}} and prove knowledge of 2 tree paths from leaves Y and Z to the root u [LLNW-EC 16].
Prove that the two tree paths are consecutive: e.g., V = (011)_2 and W = (100)_2 satisfy V + 1 = W (integer addition).
24-27 Arguments for Integer Multiplications
Prove that committed L-bit integers X, Y and a 2L-bit integer Z satisfy X · Y = Z.
O(L) addition arguments → O(L^2) multiplication argument. Straightforward; suitable for practical values of L, e.g., L ≤ 8000.
Can we break the quadratic barrier? E.g., with Karatsuba's algorithm?
X = X_1 || X_0, i.e., X = 2^{L/2} · X_1 + X_0; Y = Y_1 || Y_0, i.e., Y = 2^{L/2} · Y_1 + Y_0.
Karatsuba's observation: the number of partial products can be reduced from 4 to 3 → complexity O(L^{log_2 3}):
X · Y = (2^L − 2^{L/2}) · (X_1 · Y_1) + (1 − 2^{L/2}) · (X_0 · Y_0) + 2^{L/2} · (X_1 + X_0) · (Y_1 + Y_0).
Our method: emulate the Karatsuba multiplication X · Y and prove in ZK that it gives Z → a ZK argument for multiplicative relations with sub-quadratic communication/computation complexity O(L^{log_2 3}).
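One Karatsuba level on committed values, as an added Python illustration that is not the talk's or the paper's code: it checks the identity from the slide and shows which sub-statements a prover is left to establish. Rewriting the identity into an addition relation with only non-negative terms is our own rearrangement, and the names P_hi, P_lo, P_mid are ours.

```python
# Added example, not from the slides or the paper: one level of the Karatsuba
# split X = 2^(L/2) X_1 + X_0, Y = 2^(L/2) Y_1 + Y_0 (L even) on claimed
# values, and the sub-statements a prover would still have to prove.


def split(V, L):
    """Return (V_1, V_0) with V = 2^(L/2) * V_1 + V_0 for an L-bit integer V."""
    h = L // 2
    return V >> h, V & ((1 << h) - 1)


def karatsuba_identity(X, Y, L):
    """X*Y from three partial products, exactly as on the slide:
    (2^L - 2^(L/2)) X1Y1 + (1 - 2^(L/2)) X0Y0 + 2^(L/2) (X1+X0)(Y1+Y0)."""
    h = L // 2
    X1, X0 = split(X, L)
    Y1, Y0 = split(Y, L)
    return (((1 << L) - (1 << h)) * (X1 * Y1)
            + (1 - (1 << h)) * (X0 * Y0)
            + (1 << h) * ((X1 + X0) * (Y1 + Y0)))


def identity_holds_for_all(L):
    """Exhaustive check of the identity over all L-bit pairs (small L only)."""
    n = 1 << L
    return all(karatsuba_identity(X, Y, L) == X * Y for X in range(n) for Y in range(n))


def honest_witness(X, Y, L):
    """The three partial products an honest prover commits to (names are ours)."""
    X1, X0 = split(X, L)
    Y1, Y0 = split(Y, L)
    return {"P_hi": X1 * Y1, "P_lo": X0 * Y0, "P_mid": (X1 + X0) * (Y1 + Y0)}


def addition_relation_holds(Z, L, w):
    """The slide identity with its negative terms moved to the left:
        Z + 2^(L/2) (P_hi + P_lo) = 2^L P_hi + P_lo + 2^(L/2) P_mid.
    Both sides are sums of non-negative values shifted by public powers of
    two, so this is the kind of relation the addition arguments handle."""
    h = L // 2
    lhs = Z + ((w["P_hi"] + w["P_lo"]) << h)
    rhs = (w["P_hi"] << L) + w["P_lo"] + (w["P_mid"] << h)
    return lhs == rhs


def verify_level(X, Y, Z, L, w):
    """What a verifier needs at one level: each committed partial product is
    the product of the right halves (to be proven recursively, or by the
    O(L^2) argument once L is small), and the addition relation ties them to Z.
    Returns (all_ok, per-relation results)."""
    X1, X0 = split(X, L)
    Y1, Y0 = split(Y, L)
    checks = {
        "P_hi = X1*Y1": w["P_hi"] == X1 * Y1,
        "P_lo = X0*Y0": w["P_lo"] == X0 * Y0,
        "P_mid = (X1+X0)*(Y1+Y0)": w["P_mid"] == (X1 + X0) * (Y1 + Y0),
        "addition relation": addition_relation_holds(Z, L, w),
    }
    return all(checks.values()), checks
```

A cheating prover can satisfy the addition relation alone with a wrong Z by adjusting P_mid, which is why each partial product must itself be proven to be a product.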
28-30
- Reduce relations of large integers to binary additions with carries.
- Prove binary operations in ZK using Stern-like techniques.
- Small modulus, weak lattice assumptions, scalability.
Some concrete estimations of comm. cost for the range argument X ∈ [α, β]:
[Table with columns "Range size β − α", "Commitment opening", "Membership X ∈ [α, β]", "Total comm. cost"; the surviving cost entries are 3.54 MB, 4.4 MB, 6.13 MB and 9.59 MB.]
Thank you for your attention!
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationProof of Plaintext Knowledge for Code-Based Public-Key Encryption Revisited
Proof of Plaintext Knowledge for Code-Based Public-Key Encryption Revisited Rong Hu, Kirill Morozov and Tsuyoshi Takagi Abstract In a recent paper at Asiacrypt 2012, Jain et al point out that Véron code-based
More informationLinear Bandwidth Naccache-Stern Encryption
Linear Bandwidth Naccache-Stern Encryption Benoît Chevallier-Mames 1, David Naccache 2, and Jacques Stern 2 1 dcssi, Laboratoire de cryptographie, 51, Boulevard de la Tour Maubourg, f-75700 Paris, France
More informationA METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES
Mathematica Moravica Vol. 7 (2003), 51 59 A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES Constantin Popescu Abstract. A group signature scheme allows any group member to sign on behalf of the group
More informationEfficient Pseudorandom Generators Based on the DDH Assumption
Efficient Pseudorandom Generators Based on the DDH Assumption Andrey Sidorenko (Joint work with Reza Rezaeian Farashahi and Berry Schoenmakers) TU Eindhoven Outline Introduction provably secure pseudorandom
More informationSealed-bid Auctions with Efficient Bids
Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationImproved Zero-knowledge Proofs of Knowledge for the ISIS Problem, and Applications
Improved Zero-knowledge Proofs of Knowledge for the ISIS Problem, and Applications San Ling 1, Khoa Nguyen 1, Damien Stehlé 2, Huaxiong Wang 1 1 Division of Mathematical Sciences, School of Physical and
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationSome Comments on the Security of RSA. Debdeep Mukhopadhyay
Some Comments on the Security of RSA Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Computing
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationCryptanalysis of two knapsack public-key cryptosystems
Cryptanalysis of two knapsack public-key cryptosystems Jingguo Bi 1, Xianmeng Meng 2, and Lidong Han 1 {jguobi,hanlidong}@sdu.edu.cn mengxm@sdfi.edu.cn 1 Key Laboratory of Cryptologic Technology and Information
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationComputational Number Theory. Adam O Neill Based on
Computational Number Theory Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Secret Key Exchange - * Is Alice Ka Public Network Ka = KB O KB 0^1 Eve should have a hard time getting information
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationEfficient Multiplicative Homomorphic E-Voting
Efficient Multiplicative Homomorphic E-Voting Kun Peng and Feng Bao Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract. Multiplicative homomorphic e-voting is proposed by Peng et
More informationarxiv: v1 [cs.cr] 1 May 2012
A SECRET SHARING SCHEME BASED ON GROUP PRESENTATIONS AND THE WORD PROBLEM arxiv:1205.0157v1 [cs.cr] 1 May 2012 MAGGIE HABEEB, DELARAM KAHROBAEI, AND VLADIMIR SHPILRAIN Abstract. A (t, n)-threshold secret
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationAdditive Combinatorics and Discrete Logarithm Based Range Protocols
Additive Combinatorics and Discrete Logarithm Based Range Protocols Rafik Chaabouni 1 Helger Lipmaa 2,3 abhi shelat 4 1 EPFL LASEC, Switzerland 2 Cybernetica AS, Estonia 3 Tallinn University, Estonia 4
More information