Interactive protocols & zero-knowledge
- Dina Daniel
1 Interactive protocols & zero-knowledge
- Interactive protocols formalize what polynomial-time restricted verifiers can recognize in arbitrary protocols.
- This generalizes NP.
- Zero-knowledge formalizes that verifiers learn nothing beyond membership in the language.
2 Class NP and verifiers
Definition 3.6 A verifier $V$ for a language $L \subseteq \Sigma^*$ is a computable function $V : \Sigma^* \times \{0,1\}^* \to \{0,1\}$ such that
$L = \{ w \in \Sigma^* : \exists c \in \{0,1\}^* \text{ with } V(w,c) = 1 \}$.
Definition 3.7 $V$ is a polynomial verifier for $L \subseteq \Sigma^*$ if $V$ is a verifier for $L$ and
1. the running time of $V$ on input $(w,c)$ is polynomial in $|w|$,
2. there is a polynomial $p : \mathbb{N} \to \mathbb{N}$ such that for all $w \in L$ there is a $c \in \{0,1\}^{p(|w|)}$ with $V(w,c) = 1$.
If $L$ has a polynomial verifier we call it polynomially verifiable.
3 Class NP and verifiers
Theorem 3.8 A language $L$ is in NP if and only if there is a polynomial verifier for $L$.
Protocol view (is $w \in L$?): the prover tries to find a certificate $c$ and sends it; the verifier outputs 1 iff $V(w,c) = 1$.
4 SAT and NP
$\mathrm{SAT} := \{ \varphi : \varphi \text{ is a satisfiable Boolean formula} \}$.
Protocol view (is $\varphi \in \mathrm{SAT}$?): the prover tries to find a satisfying assignment $c$ and sends it; the verifier outputs 1 iff $\varphi(c) = 1$. Hence $\mathrm{SAT} \in \mathrm{NP}$.
5 Quadratic residues
Definition 3.9 Let $N \in \mathbb{N}$. Then $\mathrm{QR}(N) := \{ v \in \mathbb{Z}_N^* : \exists s \in \mathbb{Z}_N^* \text{ with } s^2 = v \bmod N \}$ is called the set of quadratic residues modulo $N$, and $\mathrm{QNR}(N) := \mathbb{Z}_N^* \setminus \mathrm{QR}(N)$ the set of quadratic non-residues modulo $N$. The corresponding languages are
$\mathrm{QR} := \{ (N,v) : v \in \mathrm{QR}(N) \}$ and $\mathrm{QNR} := \{ (N,v) : v \in \mathrm{QNR}(N) \}$.
Property If $v \in \mathrm{QR}(N)$ and $u \in \mathrm{QNR}(N)$, then $v \cdot u \in \mathrm{QNR}(N)$.
6 QR is in NP
Observation $\mathrm{QR} \in \mathrm{NP}$.
Protocol view, common input $(N,v)$ with $v \in \mathbb{Z}_N^*$: the prover tries to find a square root $s$ and sends it; the verifier outputs 1 iff $s^2 = v \bmod N$.
7 Quadratic non-residues and protocols
What about QNR and NP? We don't know, but consider the following protocol on common input $(N,v)$ with $v \in \mathbb{Z}_N^*$:
- Verifier: choose $b \in \{0,1\}$ and $r \in \mathbb{Z}_N^*$ uniformly at random, compute $y := r^2 v^b \bmod N$ and send $y$.
- Prover: send a bit $b'$.
- Verifier: output 1 iff $b = b'$.
8 Quadratic non-residues and protocols
Properties
- If $(N,v) \in \mathrm{QNR}$, then $P$ can make $V$ accept with probability 1: an unbounded prover tests whether $y$ is a square, and $y \in \mathrm{QR}(N)$ iff $b = 0$.
- If $(N,v) \in \mathrm{QR}$, then no matter what $P$ does, $V$ accepts with probability at most $1/2$: for $v \in \mathrm{QR}(N)$ the value $y$ is a uniformly random element of $\mathrm{QR}(N)$ whichever $b$ was chosen, so $y$ carries no information about $b$.
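The two properties above can be checked exactly on a toy modulus. The following is an added example and not code from the lecture: it runs the QNR protocol of slides 7 and 8 over the constructed modulus $N = 7 \cdot 11$, emulates the unbounded prover with a brute-force square table, and computes the acceptance probabilities by enumerating all of the verifier's coins rather than sampling. The values $v = 2$ (a non-residue) and $v = 12^2 \bmod N$ (a residue) are constructed test inputs.

```python
# Added example, not from the lecture slides: the QNR protocol of slides 7 and 8 over a
# constructed toy modulus N = 7 * 11.  The "unbounded" prover is emulated by a brute-force
# square table, and acceptance probabilities are computed exactly by enumerating the
# verifier's coins instead of sampling.
from fractions import Fraction
from math import gcd

N = 7 * 11
UNITS = [a for a in range(1, N) if gcd(a, N) == 1]     # Z_N^*
SQUARES = {a * a % N for a in UNITS}                    # QR(N)


def is_qr(v):
    return v % N in SQUARES


def honest_prover(y):
    """P for (N, v) in QNR: y = r^2 v^b is a square iff b == 0."""
    return 0 if is_qr(y) else 1


def round_accepts(v, b, r, prover):
    """One round from V's side: send y := r^2 v^b, accept iff P's bit equals b."""
    y = r * r * pow(v, b, N) % N
    return prover(y) == b


def acceptance_probability(v, prover):
    """Exact Pr[V accepts] over V's coins b in {0,1} and r in Z_N^*."""
    hits = sum(round_accepts(v, b, r, prover) for b in (0, 1) for r in UNITS)
    return Fraction(hits, 2 * len(UNITS))


def best_cheating_probability(v):
    """Upper bound for every prover: for each y, answer the bit b that produces y more
    often.  For v in QR(N) both bits produce every y equally often, giving exactly 1/2."""
    counts = {}
    for b in (0, 1):
        for r in UNITS:
            y = r * r * pow(v, b, N) % N
            counts.setdefault(y, [0, 0])[b] += 1
    return Fraction(sum(max(c) for c in counts.values()), 2 * len(UNITS))


if __name__ == "__main__":
    v_nr, v_r = 2, 12 * 12 % N                   # 2 is a non-residue mod 11; 144 = 12^2
    print("QNR input, honest prover:", acceptance_probability(v_nr, honest_prover))   # 1
    print("QR input, honest prover: ", acceptance_probability(v_r, honest_prover))    # 1/2
    print("QR input, best prover:   ", best_cheating_probability(v_r))                # 1/2
    print("residue * non-residue is a non-residue:", not is_qr(v_r * v_nr))
```

`best_cheating_probability` is the point of the exercise: it does not sample a particular cheating strategy but computes the optimum over all of them, and for a residue $v$ that optimum is exactly $1/2$ because each $y$ arises from $b = 0$ and from $b = 1$ equally often.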
9 Interactive protocols
Interactive protocols
- use randomness,
- use communication,
- allow error in acceptance/rejection.
Definition 3.10 A language $L$ is in the class IP if there are $V$, $P$ and a protocol $V/P$ with
1. for all $w \in L$ the verifier $V$ outputs 1 with probability $\geq 2/3$ after execution of $V/P$ on input $w$,
2. for all $w \notin L$ and all provers $P'$ the verifier $V$ outputs 1 with probability $\leq 1/3$ after execution of $V/P'$ on input $w$,
3. the overall running time of $V$ is polynomial.
10 Interactive protocols
Remarks
- In the protocol $V/P'$, $V$ behaves as in $V/P$, but $P'$ may behave differently from $P$.
- We may assume that the format of the messages of $P'$ is as in $V/P$.
- The constants $2/3$ and $1/3$ are arbitrary; $(1+\varepsilon)/2$ and $(1-\varepsilon)/2$ suffice.
11 QR, QNR and IP
Observation QR and QNR are in IP.
Theorem 3.11 $\mathrm{NP} \subseteq \mathrm{IP}$.
13 Fiat-Shamir revisited
Common input $(N, v_A)$ with $v_A \in \mathbb{Z}_N^*$; the prover $P/A$ additionally knows $s_A$ with $s_A^2 = v_A \bmod N$.
- $P/A$: choose $r \in \mathbb{Z}_N^*$, set $x := r^2 \bmod N$, send $x$.
- $V/B$: choose $b \in \{0,1\}$, send $b$.
- $P/A$: set $t := r \cdot s_A^b \bmod N$, send $t$.
- $V/B$: output 1 iff $t^2 = x \cdot v_A^b \bmod N$.
Properties
- If $(N,v_A) \in \mathrm{QR}$, then $P$ can make $V$ accept with probability 1.
- If $(N,v_A) \in \mathrm{QNR}$, then no matter what $P$ does, $V$ accepts with probability at most $1/2$: $x$ and $x \cdot v_A$ cannot both be squares (by the Property on slide 5), so at most one of the two challenges can be answered correctly.
14 Fiat-Shamir revisited
1. For $i = 1$ to $l$, $P/A$ and $V/B$ do:
   - $P/A$: choose $r_i \in \mathbb{Z}_N^*$, set $x_i := r_i^2 \bmod N$, send $x_i$.
   - $V/B$: choose $b_i \in \{0,1\}$, send $b_i$.
   - $P/A$: set $t_i := r_i \cdot s_A^{b_i} \bmod N$, send $t_i$.
   - $V/B$: reject if $t_i^2 \neq x_i \cdot v_A^{b_i} \bmod N$.
2. $V/B$ accepts.
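The $l$-round protocol of slides 13 and 14, with both parties' messages, as an added example that is not the lecture's code. It uses a constructed toy modulus $N = 7 \cdot 11$ and secret $s_A = 12$ (a real deployment uses $N = pq$ with large primes). Next to the honest prover it implements the cheating prover behind the soundness bound: one that knows only $v_A$, guesses the challenge bit $b'$ before committing and sets $x := t^2 v_A^{-b'}$, so its answer $t$ passes the check exactly when the verifier's $b$ equals the guess.

```python
# Added example, not the lecture's code: the l-round Fiat-Shamir identification of
# slides 13 and 14 with both parties' messages, over a constructed toy modulus.  Besides
# the honest prover it includes a cheating prover that knows only v_A and therefore has
# to guess each challenge bit before committing.
import secrets
from itertools import product
from math import gcd

N = 7 * 11           # toy modulus (a real deployment uses N = pq with large primes)
S_A = 12             # A's secret square root
V_A = S_A * S_A % N  # A's public key, a quadratic residue mod N


def random_unit():
    """Uniform element of Z_N^*."""
    while True:
        r = 1 + secrets.randbelow(N - 1)
        if gcd(r, N) == 1:
            return r


class HonestProver:
    def commit(self):
        self.r = random_unit()
        return self.r * self.r % N                 # x := r^2 mod N

    def respond(self, b):
        return self.r * pow(S_A, b, N) % N         # t := r * s_A^b mod N


class CheatingProver:
    """Knows only v_A.  Guesses b' and commits to x := t^2 * v_A^{-b'}, which satisfies
    t^2 == x * v_A^b exactly when the verifier's b equals the guess b'."""
    def __init__(self, guesses):
        self.guesses = iter(guesses)

    def commit(self):
        self.t = random_unit()
        b_guess = next(self.guesses)
        return self.t * self.t * pow(pow(V_A, -1, N), b_guess, N) % N

    def respond(self, b):
        return self.t


def identify(prover, challenges):
    """Verifier B for l = len(challenges) rounds; rejects at the first failed check.
    Returns (accepted, transcript of (x_i, b_i, t_i) triples)."""
    transcript = []
    for b in challenges:
        x = prover.commit()
        t = prover.respond(b)
        transcript.append((x, b, t))
        if t * t % N != x * pow(V_A, b, N) % N:
            return False, transcript
    return True, transcript


def identify_with_random_challenges(prover, rounds=20):
    return identify(prover, [secrets.randbelow(2) for _ in range(rounds)])[0]


def cheater_success_count(rounds):
    """Number of the 2^rounds challenge strings that a cheater with a fixed guess string
    survives: exactly one, so its success probability is 2^-rounds."""
    guesses = [0] * rounds
    return sum(identify(CheatingProver(guesses), list(ch))[0]
               for ch in product((0, 1), repeat=rounds))


if __name__ == "__main__":
    print("honest prover accepted:", identify_with_random_challenges(HonestProver()))
    print("cheater survives", cheater_success_count(6), "of 64 challenge strings")
```

The verifier must reject at the first failed round and must draw every $b_i$ after seeing $x_i$; a verifier that announced its challenge bits in advance would let the cheating prover prepare all $x_i$ accordingly and be accepted with probability 1.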
15 Transcripts
Definition 3.11 Let $L$ be a language, $v \in L$, and $V/P$ an interactive protocol for $L$. A transcript $\tau \in \{0,1\}^*$ of $V/P$ on input $v$ consists of $v$, the output, and all messages exchanged between $V$ and $P$. By $T_{V,P}(v)$ we denote the random variable corresponding to these transcripts, i.e. $\Pr[T_{V,P}(v) = \tau]$ denotes the probability that the transcript of $V/P$ on input $v$ is $\tau$.
Remark Similarly, for a probabilistic algorithm $S$ we denote by $S(v)$ the random variable corresponding to the output of $S$ on input $v$, i.e. by $\Pr[S(v) = \tau]$ the probability that $S$ on input $v$ outputs $\tau$.
17 Zero-knowledge protocols
Definition 3.12 Let $L$ be a language and $V/P$ an interactive protocol for $L$. The protocol $V/P$ is called an (honest-verifier) zero-knowledge protocol if there is a ppt $S$ such that for all $v \in L$ and all $\tau \in \{0,1\}^*$
$\Pr[T_{V,P}(v) = \tau] = \Pr[S(v) = \tau]$.
Remarks
- The definition only says something about $v \in L$.
- The ppt verifier $V$ learns nothing from an execution of $V/P$, since all it learns (the transcript) it could compute alone via $S$.
18 Zero-knowledge protocols and Fiat-Shamir
Theorem 3.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language QR.
Fact Let $N \in \mathbb{N}$. Then every element of $\mathrm{QR}(N)$ has the same number of square roots modulo $N$, namely $|\mathbb{Z}_N^*| / |\mathrm{QR}(N)|$.
20 Zero-knowledge protocols and Fiat-Shamir
Theorem 3.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language QR.
Simulator $S$ on input $(N, v)$ with $v \in \mathbb{Z}_N^*$: choose $b \in \{0,1\}$ and $t \in \mathbb{Z}_N^*$ uniformly at random, set $x := t^2 \cdot v^{-b} \bmod N$, and output $(v, x, b, t, 1)$.
21 Zero-knowledge protocols and Fiat-Shamir
Theorem 3.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language QR.
Why is zero-knowledge possible?
- Protocol and simulator compute the same transcripts, but in a different order.
- In Fiat-Shamir, first the square is computed, then a square root.
- In the simulator, first a root is chosen, then it is squared.
- Squaring is easy; taking square roots modulo $N$ is (probably) not.
22 Perfect zero-knowledge protocols
Definition 3.14 Let $L$ be a language and $V/P$ an interactive protocol for $L$. The protocol $V/P$ is called a perfect zero-knowledge protocol if for all ppt verifiers $V'$ there is a ppt $S$ such that for all $v \in L$ and all $\tau \in \{0,1\}^*$
1. with probability $\leq 1/2$, $S$ outputs a special symbol $\bot$,
2. $\Pr[T_{V',P}(v) = \tau] = \Pr[S(v) = \tau \mid S(v) \neq \bot]$.
Remarks
- In the protocol $V'/P$, $P$ behaves as in $V/P$, but $V'$ may behave differently from $V$.
- We may assume that the format of the messages of $V'$ is as in $V/P$.
23 Zero-knowledge protocols and Fiat-Shamir
Theorem 3.15 The Fiat-Shamir protocol is a perfect zero-knowledge protocol for the language QR.
Simulator $S$ for a verifier $V'$, on input $(N, v)$ with $v \in \mathbb{Z}_N^*$:
- choose $b \in \{0,1\}$ and $t \in \mathbb{Z}_N^*$ uniformly at random, set $x := t^2 \cdot v^{-b} \bmod N$;
- simulate $V'$ on input $(v, N, x)$ until $V'$ outputs a bit $b'$;
- if $b \neq b'$, output $\bot$; else output $(v, x, b, t, 1)$.
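Both simulators, the honest-verifier one of slide 20 (Theorem 3.13) and the rewinding one of slide 23 (Theorem 3.15), can be checked exactly on a toy modulus because every coin toss can be enumerated. The following is an added example, not the lecture's code: it computes the exact distribution of one-round transcripts $(x, b, t)$ produced by the honest prover, by the honest-verifier simulator, and by the rewinding simulator against a constructed cheating verifier $V'$ whose challenge is the low bit of $x$. The modulus $N = 7 \cdot 11$, the secret $s_A = 12$ and the verifier $V'$ are constructed for the example.

```python
# Added example, not the lecture's code: exact transcript distributions for one round of
# Fiat-Shamir over a constructed toy modulus N = 7 * 11.  All coin tosses of prover,
# verifier and simulator are enumerated, so the equalities of Theorem 3.13 (honest
# verifier) and Theorem 3.15 (arbitrary verifier, rewinding simulator that may abort)
# are checked exactly rather than sampled.
from collections import Counter
from fractions import Fraction
from math import gcd

N = 7 * 11
S_A = 12
V_A = S_A * S_A % N                                   # public key v = s^2 mod N
UNITS = [a for a in range(1, N) if gcd(a, N) == 1]    # Z_N^*


def honest_verifier(x, coin):
    """Honest V: the challenge is its own coin, independent of x."""
    return coin


def biased_verifier(x, coin):
    """A constructed cheating V' whose challenge depends on the commitment x."""
    return x & 1


def real_distribution(verifier):
    """Pr[T_{V,P}(v) = (x, b, t)] for the honest prover (knows s) talking to `verifier`,
    enumerating the prover's r in Z_N^* and the verifier's coin."""
    dist = Counter()
    for r in UNITS:
        x = r * r % N
        for coin in (0, 1):
            b = verifier(x, coin)
            t = r * pow(S_A, b, N) % N
            dist[(x, b, t)] += Fraction(1, 2 * len(UNITS))
    return dist


def hv_simulator_distribution():
    """Simulator of slide 20: choose b and t first, then x := t^2 v^{-b}.  Uses only v."""
    dist = Counter()
    v_inv = pow(V_A, -1, N)
    for b in (0, 1):
        for t in UNITS:
            x = t * t * pow(v_inv, b, N) % N
            dist[(x, b, t)] += Fraction(1, 2 * len(UNITS))
    return dist


def rewinding_simulator_distribution(verifier):
    """Simulator of slide 23: guess b, build x as above, run V' on x and abort if its
    challenge differs from the guess.  Returns (distribution conditioned on no abort,
    abort probability)."""
    dist, p_abort = Counter(), Fraction(0)
    v_inv = pow(V_A, -1, N)
    weight = Fraction(1, 2 * len(UNITS) * 2)           # coins: b, t, verifier's coin
    for b in (0, 1):
        for t in UNITS:
            x = t * t * pow(v_inv, b, N) % N
            for coin in (0, 1):
                if verifier(x, coin) != b:
                    p_abort += weight                  # S outputs the special symbol
                else:
                    dist[(x, b, t)] += weight
    conditioned = Counter({tr: p / (1 - p_abort) for tr, p in dist.items()})
    return conditioned, p_abort


if __name__ == "__main__":
    print("honest verifier: real == simulated:",
          real_distribution(honest_verifier) == hv_simulator_distribution())
    sim, p_abort = rewinding_simulator_distribution(biased_verifier)
    print("biased verifier: real == simulated | no abort:",
          sim == real_distribution(biased_verifier), " Pr[abort] =", p_abort)
```

The abort probability is exactly $1/2$ for any verifier strategy, because $x = t^2 v^{-b}$ is a uniformly random residue independent of the guessed $b$, so $V'$ cannot correlate its challenge with the guess; this is the step that needs $v \in \mathrm{QR}(N)$ and the Fact of slide 18 that all residues have equally many roots.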
24 Fiat-Shamir identification
- offers security against cheating provers and cheating verifiers,
- has significant round and communication complexity,
- has significant computational complexity.
- The Schnorr and Okamoto protocols improve on this.
- Fiat-Shamir is based on the factoring problem; Schnorr and Okamoto are based on the discrete logarithm problem.
25 Candidates for one-way functions
3. $\mathrm{Gen}(1^n)$ generates a prime $p \geq 2^n$ and a generator $g$ of the multiplicative group $\mathbb{Z}_p^*$ and outputs $I = (p, g)$; $\mathrm{Samp}(I)$ outputs $x \in \mathbb{Z}_{p-1}$ uniformly at random; $f_I(x)$ outputs $g^x \bmod p$.
Idea: exponentiation is easy, the discrete logarithm is difficult.
26 Schnorr identification setup
TA chooses primes $p, q$ such that $q \mid p-1$ and $q > 2^l$, chooses a generator $z$ of $\mathbb{Z}_p^*$ and sets $g := z^{(p-1)/q} \bmod p$.
A chooses $a \in \mathbb{Z}_q$ and sets $v_A := g^a \bmod p$.
TA sets $\mathrm{cert}(A) := (\mathrm{id}(A), v_A, \mathrm{Sign}_{TA}(\mathrm{id}(A), v_A))$.
Remark $g$ has order $q$.
27 Schnorr identification protocol
- A: choose $k \in \mathbb{Z}_q$, set $x := g^k \bmod p$, send $\mathrm{cert}(A)$ and $x$.
- B: verify $\mathrm{cert}(A)$, choose the challenge $r \in \{1, \ldots, 2^l\}$, send $r$.
- A: compute the response $y := k + a \cdot r \bmod q$, send $y$.
- B: accept iff $g^y = x \cdot v_A^r \bmod p$.
28 Impersonation in Schnorr protocol
Theorem 3.16 For any $\delta \geq 2^{-l+2}$ and any algorithm $C$ there exists an algorithm $C'$ with the following properties:
1. If on input $p, q, g, v_A$ the algorithm $C$ impersonates A with probability $\delta$, then $C'$ on input $p, q, g, v_A$ computes a discrete logarithm of $v_A$ to base $g$ with probability at least $0.03$.
2. If $C$ runs in time $T$, then $C'$ runs in time $O(T/\delta + \log^2 p)$.
29 From C to C'
$C'$ on input $p, q, g, v_A$:
1. Repeat at most $1/\delta$ times:
   a) choose random bits $z \in \{0,1\}^R$ and a challenge $r \in \{1, \ldots, 2^l\}$;
   b) simulate $C$ with random bits $z$ and challenge $r$;
   c) if $C$ succeeds, set $r_1 := r$ and go to step 2.
2. Repeat at most $1/\delta$ times:
   a) choose a challenge $r \in \{1, \ldots, 2^l\}$;
   b) simulate $C$ with the same random bits $z$ and challenge $r$;
   c) if $C$ succeeds, set $r_2 := r$ and go to step 3.
3. If $r_1 \neq r_2$, output $r_1, r_2$ and the corresponding responses $y_1, y_2$.
Both runs use the same random bits $z$ and hence the same commitment $x$, so $g^{y_1 - y_2} = v_A^{r_1 - r_2} \bmod p$ and $a = (y_1 - y_2)(r_1 - r_2)^{-1} \bmod q$; the inverse exists because $0 < |r_1 - r_2| < 2^l < q$.
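The protocol of slide 27 and the extractor $C'$ of slides 28 and 29, as an added example that is not the lecture's code. It runs over constructed toy parameters ($p = 47$, $q = 23$, $l = 4$, $g = 5^{(p-1)/q}$; certificate checking is omitted), includes the honest-verifier simulator that underlies Theorem 3.17 on the next slide, and models an impersonator $C$ as a function of its random bits $z$ and the challenge $r$ so that $C'$ can rerun it with the same $z$.

```python
# Added example, not the lecture's code: Schnorr identification over constructed toy
# parameters (p = 47, q = 23, l = 4; certificate checking omitted), the honest-verifier
# simulator behind Theorem 3.17, and the rewinding algorithm C' of slides 28-29 that turns
# two accepting transcripts sharing a commitment into the discrete logarithm a.
import secrets

P, Q, L = 47, 23, 4                     # q | p-1 and q = 23 > 2^l = 16
G = pow(5, (P - 1) // Q, P)             # 5 generates Z_47^*, so G = 25 has order q
assert G != 1 and pow(G, Q, P) == 1


def keygen(a):
    """A's public key v_A := g^a mod p."""
    return pow(G, a, P)


def verify(v, x, r, y):
    """B accepts iff g^y == x * v^r (mod p)."""
    return pow(G, y, P) == x * pow(v, r, P) % P


class Prover:
    def __init__(self, a):
        self.a = a

    def commit(self, k=None):
        # k can be supplied so that an extractor can replay the same random bits z
        self.k = secrets.randbelow(Q) if k is None else k
        return pow(G, self.k, P)

    def respond(self, r):
        return (self.k + self.a * r) % Q


def run_protocol(prover, v):
    x = prover.commit()
    r = 1 + secrets.randbelow(2 ** L)          # challenge in {1, ..., 2^l}
    return verify(v, x, r, prover.respond(r))


def simulate_transcript(v):
    """Theorem 3.17: pick y and r first, then x := g^y * v^{-r}; no secret needed and
    the triple is distributed exactly like an honest-verifier transcript."""
    y, r = secrets.randbelow(Q), 1 + secrets.randbelow(2 ** L)
    x = pow(G, y, P) * pow(pow(v, -1, P), r, P) % P
    return x, r, y


def dlog_from_transcripts(r1, y1, r2, y2):
    """Two accepting transcripts (x, r1, y1), (x, r2, y2) with the same x and r1 != r2
    give g^{y1-y2} == v^{r1-r2}, hence a = (y1 - y2) / (r1 - r2) mod q."""
    return (y1 - y2) * pow((r1 - r2) % Q, -1, Q) % Q


def extractor(C, v, delta):
    """C' of slide 29.  C(z, r) models an impersonator run with random bits z and challenge r;
    it returns (x, y) or None.  Each phase is allowed at most 1/delta attempts."""
    tries = int(1 / delta)
    for _ in range(tries):
        z, r1 = secrets.randbelow(Q), 1 + secrets.randbelow(2 ** L)
        out = C(z, r1)
        if out is not None and verify(v, out[0], r1, out[1]):
            x, y1 = out
            break
    else:
        return None
    for _ in range(tries):
        r2 = 1 + secrets.randbelow(2 ** L)
        out = C(z, r2)                      # same random bits z, fresh challenge
        if r2 != r1 and out is not None and out[0] == x and verify(v, x, r2, out[1]):
            return dlog_from_transcripts(r1, y1, r2, out[1])
    return None


if __name__ == "__main__":
    a = 17
    v = keygen(a)
    print("honest run accepted:", run_protocol(Prover(a), v))
    print("simulated transcript verifies:", verify(v, *simulate_transcript(v)))
    # Any C that impersonates with probability 1 (here one that happens to know a)
    # is turned into a discrete-logarithm finder.
    C = lambda z, r: (pow(G, z, P), (z + a * r) % Q)
    print("extracted a =", extractor(C, v, 1 / 64))
```

The practical lesson is the one implementers of Schnorr-style signatures learn the hard way: reusing the commitment randomness $k$ with two different challenges hands out the secret, which is exactly what `dlog_from_transcripts` computes.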
30 Zero-knowledge protocols and Schnorr
Theorem 3.17 The Schnorr protocol is a zero-knowledge protocol (in the sense of Definition 3.12).
Observations
- The Schnorr protocol is not known to be perfect zero-knowledge.
- No attacks against the Schnorr protocol are known.
Okamoto protocol
- efficiency similar to Schnorr,
- still not known to be perfect zero-knowledge,
- but witness hiding.
31 Okamoto identification setup
TA chooses primes $p, q$ such that $q \mid p-1$ and $q > 2^l$, chooses a generator $z$ of $\mathbb{Z}_p^*$, sets $g := z^{(p-1)/q} \bmod p$, and chooses $g_1, g_2 \in \langle g \rangle$.
A chooses $a_1, a_2 \in \mathbb{Z}_q$ and sets $v := g_1^{a_1} g_2^{a_2} \bmod p$.
TA sets $\mathrm{cert}(A) := (\mathrm{id}(A), v, \mathrm{Sign}_{TA}(\mathrm{id}(A), v))$.
Remark $g, g_1, g_2$ have order $q$.
32 Okamoto identification protocol
- A: choose $k_1, k_2 \in \mathbb{Z}_q$, set $x := g_1^{k_1} g_2^{k_2} \bmod p$, send $\mathrm{cert}(A)$ and $x$.
- B: verify $\mathrm{cert}(A)$, choose $r \in \{1, \ldots, 2^l\}$, send $r$.
- A: compute $y_1 := k_1 + a_1 \cdot r \bmod q$ and $y_2 := k_2 + a_2 \cdot r \bmod q$, send $y_1, y_2$.
- B: accept iff $g_1^{y_1} g_2^{y_2} = x \cdot v^r \bmod p$.
33 Okamoto identification protocol - security
- Security against cheating provers: as in the Schnorr protocol.
- Security against cheating verifiers, in two steps:
  o show that Okamoto is witness indistinguishable (unconditionally);
  o under the assumption that the discrete logarithm is hard, show that witness indistinguishability implies witness hiding, i.e. a cheating B cannot learn A's secret.
34 Witnesses and discrete logarithms
Definition 3.18 Given $p, q, g, g_1, g_2$ and $v \in \langle g \rangle$ as before, the elements of
$W(v, g_1, g_2) := \{ (b_1, b_2) : v = g_1^{b_1} g_2^{b_2} \bmod p \}$
are called witnesses.
Theorem 3.19 For any $\delta > 0$ and any algorithm $C$ there exists an algorithm $C'$ with the following properties:
1. If on input $p, q, g$ and $g_1, g_2, v \in \langle g \rangle$ the algorithm $C$ finds a pair $(a_1, a_2) \in W(v, g_1, g_2)$ with probability $\delta$, then $C'$ on input $p, q, g, g_1, g_2$ computes the discrete logarithm of $g_2$ to base $g_1$ with probability $\delta (1 - 1/q)$.
2. If $C$ runs in time $T$, then $C'$ runs in time $O(T + \log^3 p)$.
Idea: $C'$ picks its own witness $(b_1, b_2) \in \mathbb{Z}_q^2$ at random, sets $v := g_1^{b_1} g_2^{b_2}$ and runs $C$ on $v$; the view of $C$ is independent of which of the $q$ witnesses $C'$ holds, so $C$'s output differs from $(b_1, b_2)$ with probability $1 - 1/q$, and then $\log_{g_1} g_2 = (b_1 - a_1)(a_2 - b_2)^{-1} \bmod q$.
35 Witnesses and discrete logarithms
Claim For all $p, q, g, g_1, g_2, v$ as in Definition 3.18: $|W(v, g_1, g_2)| = q$.
Reason: write $g_2 = g_1^d$ and $v = g_1^e$; then $(b_1, b_2) \in W(v, g_1, g_2)$ iff $b_1 + d \cdot b_2 = e \bmod q$, and for each of the $q$ values of $b_2$ there is exactly one such $b_1$.
36 Cheating provers and discrete logarithms
Theorem 3.20 For any $\delta > 2^{-l+2}$ and any algorithm $C$ there exists an algorithm $C'$ with the following properties:
1. If on input $p, q, g, g_1, g_2, v_A$ the algorithm $C$ impersonates A with probability $\delta$, then $C'$ on input $p, q, g, g_1, g_2$ computes the discrete logarithm of $g_1$ to base $g_2$ with probability at least $0.03$.
2. If $C$ runs in time $T$, then $C'$ runs in time $O(T/\delta + \log^3 p)$.
37 Witnesses and witness indistinguishability
Definition 3.18 (recalled) Given $p, q, g, g_1, g_2$ and $v \in \langle g \rangle$ as before, the elements of $W(v) := \{ (b_1, b_2) : v = g_1^{b_1} g_2^{b_2} \bmod p \}$ are called witnesses.
Lemma 3.21 Given $p, q, g, g_1, g_2$ and $v \in \langle g \rangle$ as before, for every witness $(b_1, b_2) \in W(v)$ and every accepting transcript $(x, r, y_1, y_2)$ of the Okamoto protocol there is a unique $(l_1, l_2) \in \mathbb{Z}_q^2$ such that, if A uses witness $(b_1, b_2)$ and chooses $(k_1, k_2) = (l_1, l_2)$ on input $v$, the transcript is $(x, r, y_1, y_2)$ and B accepts. Hence the transcript distribution does not depend on which witness A uses, i.e. the Okamoto protocol is witness indistinguishable.
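The Okamoto protocol of slide 32 together with the witness set of slides 34 and 35, Lemma 3.21 and the reduction of Theorem 3.19, as an added example that is not the lecture's code. It runs over constructed toy parameters ($p = 47$, $q = 23$, $l = 4$, $g_1 = g^3$, $g_2 = g^7$; certificate checking is omitted), enumerates $W(v)$ by brute force to confirm $|W(v)| = q$, computes for a fixed transcript the unique coins $(l_1, l_2)$ that each witness would have used, and recovers $\log_{g_1} g_2$ from any two distinct witnesses.

```python
# Added example, not from the slides: Okamoto identification over constructed toy
# parameters (p = 47, q = 23, l = 4, g1 = g^3, g2 = g^7; certificate checking omitted),
# covering the protocol of slide 32, the witness set W(v) of slides 34-35, the unique
# explaining coins of Lemma 3.21 and the reduction of Theorem 3.19.
import secrets
from itertools import product

P, Q, L = 47, 23, 4
G = pow(5, (P - 1) // Q, P)             # order q
G1, G2 = pow(G, 3, P), pow(G, 7, P)     # TA's choice; log_{g1} g2 = 7 * 3^{-1} = 10 mod 23


def public_key(a1, a2):
    return pow(G1, a1, P) * pow(G2, a2, P) % P


def commit(k1, k2):
    return pow(G1, k1, P) * pow(G2, k2, P) % P


def respond(witness, coins, r):
    (a1, a2), (k1, k2) = witness, coins
    return (k1 + a1 * r) % Q, (k2 + a2 * r) % Q


def verify(v, x, r, y):
    """B accepts iff g1^y1 g2^y2 == x * v^r (mod p)."""
    y1, y2 = y
    return pow(G1, y1, P) * pow(G2, y2, P) % P == x * pow(v, r, P) % P


def run_protocol(witness):
    v = public_key(*witness)
    coins = (secrets.randbelow(Q), secrets.randbelow(Q))
    x = commit(*coins)
    r = 1 + secrets.randbelow(2 ** L)
    return verify(v, x, r, respond(witness, coins, r))


def witnesses(v):
    """Brute-force W(v) = {(b1, b2) : g1^b1 g2^b2 == v}; the Claim says |W(v)| = q."""
    return [w for w in product(range(Q), repeat=2) if public_key(*w) == v]


def explaining_coins(transcript, witness):
    """Lemma 3.21: for an accepting transcript (x, r, (y1, y2)) and any witness (b1, b2)
    of v there is exactly one (l1, l2) that A could have chosen; checks it reproduces x."""
    x, r, (y1, y2) = transcript
    b1, b2 = witness
    l1, l2 = (y1 - b1 * r) % Q, (y2 - b2 * r) % Q
    if commit(l1, l2) != x:
        raise ValueError("transcript is not accepting for this v")
    return l1, l2


def dlog_from_two_witnesses(w, w_prime):
    """Theorem 3.19: g1^b1 g2^b2 == g1^c1 g2^c2 with (b1, b2) != (c1, c2) gives
    log_{g1} g2 = (b1 - c1) / (c2 - b2) mod q.  (b2 == c2 would force b1 == c1.)"""
    (b1, b2), (c1, c2) = w, w_prime
    return (b1 - c1) * pow((c2 - b2) % Q, -1, Q) % Q


if __name__ == "__main__":
    witness = (4, 9)
    v = public_key(*witness)
    print("honest run accepted:", run_protocol(witness))
    ws = witnesses(v)
    print("|W(v)| =", len(ws))
    x, r = commit(5, 6), 3
    transcript = (x, r, respond(witness, (5, 6), r))
    # Every witness explains the same transcript with its own unique coins:
    print({w: explaining_coins(transcript, w) for w in ws[:3]})
    print("log_g1 g2 from two witnesses:", dlog_from_two_witnesses(ws[0], ws[1]))
```

`explaining_coins` is the content of Lemma 3.21: a transcript that a verifier (honest or not) records is equally consistent with every one of the $q$ witnesses, so the transcript cannot reveal which one A holds; `dlog_from_two_witnesses` is why learning a second witness would matter, since it yields $\log_{g_1} g_2$, which the TA chose to be hard.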
38 Witness hiding
Theorem 3.22 Given $p, q, g, g_1, g_2$ and $v \in \langle g \rangle$ as before and assuming that the discrete logarithm problem is hard, no ppt B can compute a pair $(b_1, b_2) \in W(v)$ from a transcript of the Okamoto protocol, i.e. the Okamoto protocol is witness hiding.
More information2 Evidence that Graph Isomorphism is not NP-complete
Topics in Theoretical Computer Science April 11, 2016 Lecturer: Ola Svensson Lecture 7 (Notes) Scribes: Ola Svensson Disclaimer: These notes were written for the lecturer only and may contain inconsistent
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationThe Proof of IP = P SP ACE
The Proof of IP = P SP ACE Larisse D. Voufo March 29th, 2007 For a long time, the question of how a verier can be convinced with high probability that a given theorem is provable without showing the whole
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationCircuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.
Circuit Complexity Circuit complexity is based on boolean circuits instead of Turing machines. A boolean circuit with n inputs computes a boolean function of n variables. Now, identify true/1 with yes
More informationMagic Functions. In Memoriam Bernard M. Dwork
Magic Functions In Memoriam Bernard M. Dwork 1923 1998 Cynthia Dwork Moni Naor Omer Reingold Larry Stockmeyer Abstract We prove that three apparently unrelated fundamental problems in distributed computing,
More informationPAIRING-BASED IDENTIFICATION SCHEMES
PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationThe Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols
The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols Mihir Bellare and Adriana Palacio Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive,
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationInteractive and Noninteractive Zero Knowledge Coincide in the Help Model
Interactive and Noninteractive Zero Knowledge Coincide in the Help Model Dragos Florin Ciocan and Salil Vadhan School of Engineering and Applied Sciences Harvard University Cambridge, MA 02138 ciocan@post.harvard.edu,
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationCryptographic Hardness Assumptions
Chapter 2 Cryptographic Hardness Assumptions As noted in the previous chapter, it is impossible to construct a digital signature scheme that is secure against an all-powerful adversary. Instead, the best
More informationZero-Knowledge Against Quantum Attacks
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More information