A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
|
|
- Myron Booth
- 6 years ago
- Views:
Transcription
1 A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
2 OUR RESULTS A new efficient CRS-based NIZK shuffle argument
3 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work
4 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical
5 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model
6 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof
7 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq.
8 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq. Esp. to find Gröbner bases
9 A BIT OF MOTIVATION: E-VOTING
10 A BIT OF MOTIVATION: E-VOTING
11 A BIT OF MOTIVATION: E-VOTING
12 A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes - Can we get away with that? - I m 140% sure!
13 A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness - Can we get away with that? - I m 140% sure!
14 A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness Data is public (Data, source) is private - Can we get away with that? - I m 140% sure!
15 SIMPLE MIX-NETS
16 SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 )
17 SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r d 1 =c π(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) Encryption protects against eavesdropping on the Internet
18 SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r ψ,s d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) Encryption protects against eavesdropping on the Internet
19 SIMPLE MIX-NETS π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet
20 SIMPLE MIX-NETS Anonymity π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server
21 SIMPLE MIX-NETS Anonymity Correctness π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server Not enough: what if a server cheats?
22 ACCOUNTABLE MIX-NETS pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))
23 ACCOUNTABLE MIX-NETS proof pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))
24 ACCOUNTABLE MIX-NETS proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 2 =c π(2) d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3))
25 ACCOUNTABLE MIX-NETS proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 2 =c π(2) d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 2 =d ψ(2) e 3 =d ψ(3) Verify all proofs m ψ(π(1)) m ψ(π(2)) m ψ(π(3))
26 ACCOUNTABLE MIX-NETS Anonymity Correctness proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 3 =d ψ(3) Verify all proofs m ψ(π(3))
27 SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly.
28 SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly. Existing CRS model arguments not very efficient
29 CRS-BASED SHUFFLE ARGUMENTS Assumption proposed in that paper, proof in GBGM Assmpt. proposed 2010+, but not in that paper, proof in GBGM Lipmaa-Zhang (2012) Fauzi-Lipmaa (2016) This paper CRS length 7n + 6 8n n + 14 Communic. 12n n + 2 7n + 3 P comp. (units) V comp. (units) GBGM? PSDL, DLIN (comp.) TSDH, PCDH, PSP (comp.) Pure GBGM Soundness KE, PKE (knowledge) Full 2x PKE (knowledge) Culpable Full n: number of ciphertexts (say 100,000) 1 unit = n million machine cycles According to speed records on BN curves
30 ZERO KNOWLEDGE: CRS MODEL crs
31 ZERO KNOWLEDGE: CRS MODEL x, w crs
32 ZERO KNOWLEDGE: CRS MODEL crs x, w x
33 ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L
34 ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
35 ZERO KNOWLEDGE: CRS MODEL td crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
36 ZERO KNOWLEDGE: CRS MODEL td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
37 ZERO KNOWLEDGE: CRS MODEL Correctness Soundness Zero knowledge crs td Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
38 BILINEAR PAIRINGS
39 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T
40 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T
41 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T
42 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T Requirements: Efficiently computable Non-degeneracy: e (g 1, g 2 ) 1 Bilinearity: e (g 1a, g 2b ) = e (g 1, g 2 ) ab
43 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard
44 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B
45 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a
46 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a What else should be hard?
47 NON-GENERIC APPROACH Protocol
48 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known)
49 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new)
50 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model
51 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or
52 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or Con: each arrow might mean a loss in efficiency
53 GENERIC MODEL APPROACH Protocol Generic Model Con: proof in GGM is only for restricted adversaries Pro: only one arrow, thus smaller loss in efficiency
54 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to
55 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests
56 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements
57 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates
58 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates Note: we do not handle G T as a generic group
59 SOUNDNESS IN GBGM
60 SOUNDNESS IN GBGM X 1 X s Random variables (TTP)
61 SOUNDNESS IN GBGM Polynomials (TTP knows X) X 1 [X] = g X {[f 1i (X)] 1 } {[f 2i (X)] 2 } X s Random variables (TTP) CRS (TTP)
62 SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) X 1 [X] = g X {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary)
63 SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) Quadratic tests (can use bilinear map) X 1 [X] = g X V 1 (X)=Σ ij b 1ij h 1i (X) h 2i (X)=0 {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } V u (X)=Σ ij b uij h 1i (X) h 2i (X)=0 X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary) Verifications (verifier) {h ji } = {f ji, h ji }
64 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0
65 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary
66 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice
67 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice = restricted to be as in the honest case
68 INTUITION: CONSTRUCTING ARGUMENT Decomposing:
69 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument
70 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing)
71 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently
72 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition:
73 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition: Compose CRS-s of individual subarguments together, getting one big CRS
74 INTUITION: CONSTRUCTING ARGUMENT
75 INTUITION: CONSTRUCTING ARGUMENT
76 INTUITION: CONSTRUCTING ARGUMENT Soundness check: Is the composed protocol sound? Subarguments get extra inputs in CRS If not: introduce new random variables that guarantee CRS elements are used in only correct subarguments, reiterate
77 SUBARGUMENTS Permutation matrix argument :
78 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly
79 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument :
80 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts
81 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument :
82 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly
83 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through
84 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through
85 PERMUTATION MATRIX ARGUMENT Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero
86 PERMUTATION MATRIX ARGUMENT Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero
87 1-SPARSITY ARGUMENT Commitment:
88 1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2
89 1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs
90 1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1
91 1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials
92 1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2
93 1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0
94 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA
95 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk )
96 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
97 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
98 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
99 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
100 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
101 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 Goal: find coefficients s.t. verification equation is satisfied CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
102 SOLVING SYSTEM OF POL. EQUATIONS
103 SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0
104 SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0
105 SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0 This is a system of polynomial equations and a nasty one of more than 20 polynomial equations
106
107 SOLVING
108 SOLVING Used a mixture of computer algebra system and manual labor
109 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients
110 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS
111 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS
112 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS Obtain that A i (X) = a I P I (X) => Sound
113 THANK YOU!
Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification
More informationA More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument Helger Lipmaa 1 and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 State University of New York at Buffalo, USA
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationAn Ecient Pairing-Based Shue Argument
An Ecient Pairing-Based Shue Argument Prastudy Fauzi 1, Helger Lipmaa 2, Janno Siim 2,3, and Michaª Zaj c 2 1 Aarhus University, Aarhus, Denmark 2 University of Tartu, Tartu, Estonia 3 STACC, Tartu, Estonia
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationEfficient Culpably Sound NIZK Shuffle Argument without Random Oracles
Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles Prastudy Fauzi and Helger Lipmaa University of Tartu, Estonia Abstract. One way to guarantee security against malicious voting servers
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationHow to Shuffle in Public
How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich
More informationAdditive Combinatorics and Discrete Logarithm Based Range Protocols
Additive Combinatorics and Discrete Logarithm Based Range Protocols Rafik Chaabouni 1 Helger Lipmaa 2,3 abhi shelat 4 1 EPFL LASEC, Switzerland 2 Cybernetica AS, Estonia 3 Tallinn University, Estonia 4
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationCS151 Complexity Theory. Lecture 13 May 15, 2017
CS151 Complexity Theory Lecture 13 May 15, 2017 Relationship to other classes To compare to classes of decision problems, usually consider P #P which is a decision class easy: NP, conp P #P easy: P #P
More informationSecure Vickrey Auctions without Threshold Trust
Secure Vickrey Auctions without Threshold Trust Helger Lipmaa Helsinki University of Technology, {helger}@tcs.hut.fi N. Asokan, Valtteri Niemi Nokia Research Center, {n.asokan,valtteri.niemi}@nokia.com
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationA Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System
A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System Zhengjun Cao 1, Lihua Liu 2, Abstract. In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationOn QA-NIZK in the BPK Model
On QA-NIZK in the BPK Model Behzad Abdolmaleki 1, Helger Lipmaa 1, Janno Siim 1,2, and Michał Zając 1 1 University of Tartu, Estonia 2 STACC, Estonia Abstract. While the CRS model is widely accepted for
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationRemote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationProofs of Retrievability via Fountain Code
Proofs of Retrievability via Fountain Code Sumanta Sarkar and Reihaneh Safavi-Naini Department of Computer Science, University of Calgary, Canada Foundations and Practice of Security October 25, 2012 Outsourcing
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationEfficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption
Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption Takuho Mistunaga 1, Yoshifumi Manabe 2, Tatsuaki Okamoto 3 1 Graduate School of Informatics, Kyoto University, Sakyo-ku Kyoto
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationAnalysing the microrna-17-92/myc/e2f/rb Compound Toggle Switch by Theorem Proving
Analysing the microrna-17-92/myc/e2f/rb Compound Toggle Switch by Theorem Proving Giampaolo Bella and Pietro Liò @ Catania and Cambridge Under the auspices of British Council's grant ``Computer-assisted
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationThe Laws of Cryptography Zero-Knowledge Protocols
26 The Laws of Cryptography Zero-Knowledge Protocols 26.1 The Classes NP and NP-complete. 26.2 Zero-Knowledge Proofs. 26.3 Hamiltonian Cycles. An NP-complete problem known as the Hamiltonian Cycle Problem
More informationLecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting
6.879 Special Topics in Cryptography Instructors: Ran Canetti April 15, 2004 Lecture 19: Verifiable Mix-Net Voting Scribe: Susan Hohenberger In the last lecture, we described two types of mix-net voting
More informationEfficient Modular NIZK Arguments from Shift and Product
Efficient Modular NIZK Arguments from Shift and Product Prastudy Fauzi 1, Helger Lipmaa 1, and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 National and Kapodistrian University of Athens, Greece
More informationJORDAN NORMAL FORM. Contents Introduction 1 Jordan Normal Form 1 Conclusion 5 References 5
JORDAN NORMAL FORM KATAYUN KAMDIN Abstract. This paper outlines a proof of the Jordan Normal Form Theorem. First we show that a complex, finite dimensional vector space can be decomposed into a direct
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationProofs of Ignorance and Applications to 2-Message Witness Hiding
Proofs of Ignorance and Applications to 2-Message Witness Hiding Apoorvaa Deshpande Yael Kalai September 25, 208 Abstract We consider the following paradoxical question: Can one prove lack of knowledge?
More informationProgression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments
Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments Helger Lipmaa Institute of Computer Science, University of Tartu, Estonia Abstract. In 2010, Groth constructed
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More information6.841/18.405J: Advanced Complexity Wednesday, April 2, Lecture Lecture 14
6.841/18.405J: Advanced Complexity Wednesday, April 2, 2003 Lecture Lecture 14 Instructor: Madhu Sudan In this lecture we cover IP = PSPACE Interactive proof for straightline programs. Straightline program
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationMechanizing Elliptic Curve Associativity
Mechanizing Elliptic Curve Associativity Why a Formalized Mathematics Challenge is Useful for Verification of Crypto ARM Machine Code Joe Hurd Computer Laboratory University of Cambridge Galois Connections
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationPractical Provably Correct Voter Privacy Protecting End to End Voting Employing Multiparty Computations and Split Value Representations of Votes
Practical Provably Correct Voter Privacy Protecting End to End Voting Employing Multiparty Computations and Split Value Representations of Votes Michael O. Rabin Columbia University SEAS Harvard University
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationBatch Range Proof For Practical Small Ranges
Batch Range Proof For Practical Small Ranges Kun Peng and Feng Bao dr.kun.peng@gmail.com Institute for Inforcomm Research (I 2 R), Singapore 1 Agenda 1. Introduction 2. Range proof 3. Batch proof 4. Extended
More informationGroup Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationSub-linear Zero-Knowledge Argument for Correctness of a Shuffle
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London jgroth@uclacuk Yuval Ishai Technion and UCLA yuvali@cstechnionacil February 4, 2008 Abstract A shuffle
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationSelections:! Internet voting with over-the-shoulder coercion-resistance. Jeremy Clark
Selections:! Internet voting with over-the-shoulder coercion-resistance Jeremy Clark Overview We consider the problem of over-theshoulder adversaries in Internet voting We design a voting protocol resistant
More informationA short report on: On the Existence of Extractable One-Way Functions. Karim Baghery
A short report on: On the Existence of Extractable One-Way Functions Karim Baghery Supervised by Micha l Zajac University of Tartu, Estonia karim.baghery@ut.ee May 23, 2017 Abstract Extractability is one
More informationCOS Cryptography - Final Take Home Exam
COS 433 - Cryptography - Final Take Home Exam Boaz Barak May 12, 2010 Read these instructions carefully before starting to work on the exam. If any of them are not clear, please email me before you start
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationSubversion-Resistant Zero Knowledge
Subversion-Resistant Zero Knowledge Georg Fuchsbauer joint work with Mihir Bellare and Alessandra Scafuro ECRYPT-NET Workshop on Crypto for the Cloud & Implementation 27 June 2017 Content of this talk
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More informationTheoretical Cryptography, Lectures 18-20
Theoretical Cryptography, Lectures 18-20 Instructor: Manuel Blum Scribes: Ryan Williams and Yinmeng Zhang March 29, 2006 1 Content of the Lectures These lectures will cover how someone can prove in zero-knowledge
More informationEfficient Culpably Sound NIZK Shuffle Argument without Random Oracles
Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles Full Version, November 25, 2015 Prastudy Fauzi and Helger Lipmaa University of Tartu, Estonia Abstract. One way to guarantee security
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationThe Kernel Matrix Diffie-Hellman Assumption
The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationA PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS
A PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS STEPHANIE DEACON, EDUARDO DUEÑEZ, AND JOSÉ IOVINO Abstract. We present a generalization of Pedersen s public-key threshold cryptosystem. Pedersen
More information