Lecture 10: Zero-Knowledge Proofs


1 Lecture 10: Zero-Knowledge Proofs
Introduction to Modern Cryptography
Benny Applebaum, Tel-Aviv University
Fall Semester,
Some of these slides are based on notes by Boaz Barak.

2 Quo vadis? Eo Romam Iterum Crucifigi
So far, we have become familiar with a variety of cryptographic primitives, as well as specific implementations of them. These include:
- Perfect secrecy, computational secrecy
- Pseudorandomness: generators/functions/permutations and DES/AES
- Symmetric encryption: stream ciphers, block ciphers, different modes of operation
- Data integrity: MACs, cryptographic hashing
- Public-key framework, key exchange: Diffie-Hellman, Merkle
- Public-key encryption: Elgamal, RSA, Rabin, Goldwasser-Micali
- Signature schemes: FDH-RSA, generic construction

3 Quo vadis? Eo Romam Iterum Crucifigi
In the remaining weeks, we will introduce a number of additional cryptographic primitives, as well as cryptographic notions with proposed implementations. These include:
- Zero-knowledge proofs
- Identification and user authentication schemes
- Hard-core bits
- Coin flipping over the phone
- Secret sharing
- Computing over encrypted data

4 Zero Knowledge Proofs

5 Story (Naor, Naor, Reingold)
This is Waldo.

6 Where is Waldo?
Daughter: I see Waldo in the picture.
Dad: I also see him.
Daughter: Really, where?
Dad: Prove to me that you see it, and I'll show him to you.
Daughter: ????
What should the daughter do?

7 Proofs
In mathematics and in life, we often want to convince or prove things to others.
Typically, if I know that X is true, and I want to convince you of that, I try to present all the facts I know and the inferences from those facts that imply that X is true.
Example: I know that is not a prime since it is , to prove to you that fact, I will present these factors and demonstrate that indeed =

8 Zero-Knowledge Proofs (Goldwasser, Micali and Rackoff)
Typically, a proof yields some knowledge beyond the fact that the statement is true.
In the example, we learned that is not a prime, and, in addition, we learned its factorization.
A zero-knowledge proof tries to avoid this.
Intuitively: Zero-Knowledge Proofs (GMR 82)
Alice will prove to Bob that a statement X is true. Bob will be completely convinced that X is true, but will not learn anything as a result of this process.
- One of the most beautiful and influential concepts in CS
- Led to many applications (e.g., practical digital signatures and hardness of approximation).

9 Application 1: Identification
We want to control access to the department.
Sol: Give authorized people a smart card with a PIN and put a box outside the building that verifies the PIN.
Problem: The box is outside! Someone may attack it and discover the PIN:
- by reading the memory
- by installing a fake box that records the user's PIN
Better if the box contains no secret information at all.
Sol: Let the box store $f(\mathrm{PIN})$ where $f$ is a one-way function. The user proves in ZK to the box that he knows the PIN.
We will see details later.

10 Application 2: Protocol Design
Alice & Bob don't trust each other and run some crypto protocol.
Security holds if Alice and Bob follow the instructions
- e.g., Alice should choose an RSA modulus $n = pq$
But what if Alice does not follow the protocol?
- e.g., chooses $n = pqr$
Security may be lost!
Bad Sol: Alice sends her inputs and lets Bob verify that all is well
- e.g., reveals $n, p, q$
This is bad for Alice: her inputs are private and she does not trust Bob!
Sol: Alice proves to Bob that she followed the instructions of the protocol correctly using Zero-Knowledge Proofs.

11 Plan
- Interactive Proofs
- Honest Verifier Zero Knowledge Proofs
- Special Soundness Property
Next week: Applications, General Zero-Knowledge, and Zero-Knowledge for all NP

12 Mathematical Proofs
Proof system: Axioms and inference rules
- Soundness: Cannot prove false statements
- Completeness: Can prove all true statements
A proof is a fixed static string that can be verified by anyone.

13 Interactive Probabilistic Proofs
Public statement: $x$ is in a language $L$, e.g., $x \in \mathrm{PRIMES}$, $x \in QR_n$
Prover Peggy: tries to convince Vicky that $x \in L$.
Verifier Vicky: suspects that Peggy is cheating; outputs accept/reject.
Completeness: If the statement is true ($x \in L$) then Vicky accepts.
Soundness: If the statement is false ($x \notin L$), Vicky rejects w.h.p. (99%).
The proof is an interactive probabilistic game (rather than a fixed string).

14 Silly Example: Coke and Pepsi
There are two bottles on the table labeled by 0 and 1.
Peggy: One bottle is Pepsi and one is Coke.
Vicky: Suspects that both are Coke.
1. Verifier Vicky tosses a coin $b$ and secretly fills a cup from bottle # $b$.
2. Prover Peggy tastes and guesses bottle # $b'$.
3. Vicky accepts iff $b = b'$.
Completeness: If Peggy is honest (knows how to distinguish), Vicky will accept w/p 1.

15 Silly Example: Coke and Pepsi
There are two bottles on the table labeled by 0 and 1.
Peggy: One bottle is Pepsi and one is Coke.
Vicky: Suspects that both are Coke.
1. Verifier Vicky tosses a coin $b$ and secretly fills a cup from bottle # $b$.
2. Prover Peggy (crazy computation...) replies with $b'$.
3. Vicky accepts iff $b = b'$.
Soundness: If Peggy cheats and the bottles are both Coke, Vicky will reject w/p 1/2.
To reduce the soundness error to $2^{-k}$, repeat the protocol $k$ times, and accept iff Peggy never errs.

16 Reminder: Graph isomorphism
Def: A graph $G_0 = (V, E_0)$ is isomorphic to a graph $G_1 = (V, E_1)$ if there exists a permutation $\pi$ over the nodes $V$ s.t. $(i, j)$ is an edge of $G_0$ iff $(\pi(i), \pi(j))$ is an edge in $G_1$.

17 Proof for Graph non-isomorphism
Public statement: $G_0 = (V, E_0)$ is not isomorphic to $G_1 = (V, E_1)$
1. Verifier Vicky randomly chooses a bit $b$ and a permutation $\pi \in \Pi$, and sends $\pi(G_b)$.
2. Prover Peggy guesses which graph was used and replies with $b'$.
3. Vicky accepts iff $b = b'$.
Completeness: If the graphs are non-isomorphic, Peggy can guess $b$ w/p 1.

18 Proof for Graph non-isomorphism
Public statement: $G_0 = (V, E_0)$ is not isomorphic to $G_1 = (V, E_1)$
1. Verifier Vicky randomly chooses a bit $b$ and a permutation $\pi \in \Pi$, and sends $\pi(G_b)$.
2. Prover Peggy (crazy computation!) replies with $b'$.
3. Vicky accepts iff $b = b'$.
Soundness: If the graphs are isomorphic, no matter what Peggy does, Vicky will reject w/p 1/2.
- The r.v.'s $\pi(G_0)$ and $\pi(G_1)$ are identically distributed.
- Therefore, Vicky cannot distinguish them and can't guess $b$ with probability better than 1/2.
- Soundness error can be reduced via repetition.

19 Graph isomorphism I
Public statement: $G_0 = (V, E_0)$ is isomorphic to $G_1 = (V, E_1)$
Prover Peggy's private input: an isomorphism $\pi$
1. Peggy sends $\pi$.
2. Verifier Vicky accepts iff $\pi(G_0) = G_1$.
Completeness: If the graphs are isomorphic, Vicky is always convinced.
Soundness: If the graphs are non-isomorphic, no matter what Peggy does, Vicky will reject w/p 1.
What did Vicky learn from the proof?

20 Graph isomorphism II
Public statement: $G_0 = (V, E_0)$ is isomorphic to $G_1 = (V, E_1)$
Peggy's private input: $\pi$
1. Peggy chooses $\sigma \xleftarrow{R} \Pi$ and sends $H = \sigma(G_0)$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy sends $\alpha = \sigma$ if $b = 0$, and $\alpha = \sigma \circ \pi$ if $b = 1$.
4. Vicky accepts iff $\alpha(G_b) = H$.
Completeness: If the graphs are isomorphic, Vicky is always convinced.
- If $b = 0$ then $\alpha(G_b) = \sigma(G_0) = H$.
- If $b = 1$ then $\alpha(G_b) = \alpha(G_1) = \sigma \circ \pi(G_1) = \sigma(G_0) = H$.

21 Graph isomorphism II
Public statement: $G_0 = (V, E_0)$ is isomorphic to $G_1 = (V, E_1)$
1. Peggy ($\pi$), by some crazy computation, sends $H$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy, by some crazy computation, sends $\alpha$.
4. Vicky accepts iff $\alpha(G_b) = H$.
Soundness: If the graphs are non-isomorphic, Vicky will reject w/p 1/2.
- $H$ cannot be isomorphic to both graphs (why?)
- With probability 1/2 Vicky will choose the graph $G_b$ to which $H$ is not isomorphic.

22 What did Vicky learn from the proof?
Public statement: $G_0 = (V, E_0)$ is isomorphic to $G_1 = (V, E_1)$
Peggy's private input: $\pi$
1. Peggy chooses $\sigma \xleftarrow{R} \Pi$ and sends $H = \sigma(G_0)$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy sends $\alpha = \sigma$ if $b = 0$, and $\alpha = \sigma \circ \pi$ if $b = 1$.
If Vicky is honest then she learns nothing from the proof:
- All she sees is a random graph $H$ isomorphic to $G_b$ via a random permutation $\alpha$.
- She could have computed it by herself!
How can we formulate that?

23 Zero-Knowledge Proofs
Definition: The view $\mathrm{view}_V(x)$ of the verifier $V$ in a proof system is a random variable that consists of the public input $x$, the internal randomness of $V$, and the incoming messages.
Definition (Honest Verifier Perfect Zero-Knowledge Proofs): An HVZK system for a language $L$ is a proof system $(P, V)$ that has an efficient simulator $S$ that runs in expected polynomial time such that for every $x \in L$, $S(x) \equiv \mathrm{view}_V(x)$.
- The simulator is allowed to run in expected polynomial time.
- $\equiv$ means that the two r.v.'s are identically distributed.
- Weaker variant: $S(x)$ and $\mathrm{view}_V(x)$ are $(t, \epsilon)$-indistinguishable.
- Stronger variant: require ZK against a cheating verifier.

24 Graph Isomorphism is in HVZK
Public statement: $G_0 = (V, E_0)$ is isomorphic to $G_1 = (V, E_1)$
Peggy's private input: $\pi$
1. Peggy chooses $\sigma \xleftarrow{R} \Pi$ and sends $H = \sigma(G_0)$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy sends $\alpha = \sigma$ if $b = 0$, and $\alpha = \sigma \circ \pi$ if $b = 1$.
HVZK: Vicky's view is $(H, b, \alpha)$ where $b \xleftarrow{R} \{0, 1\}$, $\alpha \xleftarrow{R} \Pi$, and $H = \alpha(G_b)$.
The simulator $S$ can generate it easily: $\alpha \xleftarrow{R} \Pi$, $b \xleftarrow{R} \{0, 1\}$, $H = \alpha(G_b)$.
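The HVZK claim and the soundness argument for the graph isomorphism protocol can be checked exhaustively on a small instance. The following is an added example, not part of the lecture: the 4-node graphs, the witness `PI` (taken to satisfy $\pi(G_1) = G_0$, as in the completeness calculation) and all function names are assumptions made here.

```python
from collections import Counter
from itertools import combinations, permutations

N = 4                                   # constructed toy size, so Pi has 4! = 24 elements
PERMS = list(permutations(range(N)))    # Pi: all permutations of the node set V
ALL_EDGES = [frozenset(e) for e in combinations(range(N), 2)]


def make_graph(edges):
    return frozenset(frozenset(e) for e in edges)


def apply(perm, graph):
    """Relabel each edge {i, j} as {perm(i), perm(j)}."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)


def compose(s, p):
    """(s o p)(i) = s(p(i)), so apply(compose(s, p), g) == apply(s, apply(p, g))."""
    return tuple(s[p[i]] for i in range(N))


# Constructed instance: PI is Peggy's witness and maps G1 onto G0.
G1 = make_graph([(0, 1), (1, 2), (2, 3), (0, 2)])
PI = (2, 0, 3, 1)
G0 = apply(PI, G1)
GRAPHS = (G0, G1)
C4 = make_graph([(0, 1), (1, 2), (2, 3), (3, 0)])   # a 4-cycle, not isomorphic to G0


def verifier_accepts(view):
    H, b, alpha = view
    return apply(alpha, GRAPHS[b]) == H


def real_views():
    """All views (H, b, alpha) of an honest run, one per choice of (sigma, b)."""
    views = Counter()
    for sigma in PERMS:
        H = apply(sigma, G0)
        for b in (0, 1):
            alpha = sigma if b == 0 else compose(sigma, PI)
            views[(H, b, alpha)] += 1
    return views


def simulated_views():
    """All outputs of the simulator, one per choice of (alpha, b). PI is never used."""
    views = Counter()
    for alpha in PERMS:
        for b in (0, 1):
            views[(apply(alpha, GRAPHS[b]), b, alpha)] += 1
    return views


def max_answerable(g0, g1):
    """Over every possible commitment H, the largest number of challenges b
    for which some alpha with alpha(g_b) = H exists."""
    best = 0
    for k in range(len(ALL_EDGES) + 1):
        for edges in combinations(ALL_EDGES, k):
            H = frozenset(edges)
            ok = sum(any(apply(a, g) == H for a in PERMS) for g in (g0, g1))
            best = max(best, ok)
    return best


if __name__ == "__main__":
    print("identical distributions:", real_views() == simulated_views())
    print("isomorphic pair, answerable challenges:", max_answerable(G0, G1))
    print("non-isomorphic pair, answerable challenges:", max_answerable(G0, C4))
```

Because both loops enumerate the randomness uniformly, equal counters mean the two distributions are identical, which is the perfect HVZK condition. For the non-isomorphic pair no commitment survives both challenges, which is the 1/2 soundness bound.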

25 Sequential Repetitions
Public statement: $G_0 = (V, E_0)$ is isomorphic to $G_1 = (V, E_1)$
Peggy's private input: $\pi$
Repeat $k$ times:
1. Peggy chooses $\sigma_i \xleftarrow{R} \Pi$ and sends $H_i = \sigma_i(G_0)$.
2. Vicky chooses $b_i \xleftarrow{R} \{0, 1\}$ and sends $b_i$.
3. Peggy sends $\alpha_i = \sigma_i$ if $b_i = 0$, and $\alpha_i = \sigma_i \circ \pi$ if $b_i = 1$.
Recall that we suggested amplifying soundness via repetition.
Is HVZK preserved under $k$-wise sequential repetition?
Thm. $k$-wise repetition preserves HVZK.
Proof: just invoke the basic simulator $k$ times with independent randomness.
Does parallel repetition preserve HVZK? Yes.
Does it preserve soundness? Not always.

26 Another example: Quadratic Residue
Reminder: Let $n = pq$ be an RSA modulus. Then:
- $x \in QR_n$ if there exists $w$ such that $w^2 = x \pmod{n}$
- $QR_n$ is a subgroup of $\mathbb{Z}_n^*$
- If $x \xleftarrow{R} QR_n$ and $y \in QR_n$ then $xy$ is uniform in $QR_n$
- On the other hand, if $x \notin QR_n$ and $y \in QR_n$ then $xy \notin QR_n$

27 HVZK for Quadratic Residue
Public information: $x$ and $n = pq$ (Vicky does not know $p$ and $q$). Peggy claims that $x$ is in $QR_n$.
Peggy's private input: $w$ such that $w^2 = x$
1. Peggy chooses $u \xleftarrow{R} \mathbb{Z}_n^*$ and sends $y = u^2$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy sends $z = u$ if $b = 0$, and $z = uw$ if $b = 1$.
4. Vicky accepts iff: $b = 0$ and $y = z^2$, OR $b = 1$ and $yx = z^2$.
Completeness: Trivial.

28 HVZK for Quadratic Residue
Public information: $x$ and $n = pq$ (Vicky does not know $p$ and $q$). Peggy claims that $x$ is in $QR_n$.
Peggy's private input: $w$ such that $w^2 = x$
1. Peggy sends $y = u^2$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy sends $z = u$ if $b = 0$, and $z = uw$ if $b = 1$.
4. Vicky accepts iff: $b = 0$ and $y = z^2$, OR $b = 1$ and $yx = z^2$.
HVZK: The view is $y \xleftarrow{R} QR_n$, $b \xleftarrow{R} \{0, 1\}$, $z \xleftarrow{R} \mathbb{Z}_n^*$ subject to $y x^b = z^2$.
Simulator $S$ does the following: $b \xleftarrow{R} \{0, 1\}$, $z \xleftarrow{R} \mathbb{Z}_n^*$, $y = z^2 / x^b \pmod{n}$.

29 HVZK for Quadratic Residue
Public information: $x$ and $n = pq$ (Vicky does not know $p$ and $q$). Peggy claims that $x$ is in $QR_n$.
1. Peggy, by some crazy computation, sends $y$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy, by some crazy computation, sends $z$.
4. Vicky accepts iff: $b = 0$ and $y = z^2$, OR $b = 1$ and $yx = z^2$.
Soundness: If $x \notin QR_n$ then Vicky will reject w/p 1/2.
- Either $y$ is not in $QR_n$ or $yx$ is not in $QR_n$ (why?)
- With probability 1/2 Vicky will hit the non-QR element.
In fact, if Peggy succeeds with probability better than $1/2 + \epsilon$ then in some sense she must know $w$ (Why?)

30 Special Soundness
Public information: $x$ and $n = pq$ (Vicky does not know $p$ and $q$). Peggy claims that $x$ is in $QR_n$.
1. Peggy, by some crazy computation, sends $y$.
2. Vicky chooses $b \xleftarrow{R} \{0, 1\}$ and sends $b$.
3. Peggy, by some crazy computation, sends $z$.
4. Vicky accepts iff: $b = 0$ and $y = z^2$, OR $b = 1$ and $yx = z^2$.
Special Soundness: Given valid answers to 2 different challenges ($b = 0$ and $b = 1$) we can recover $w$.
- Given $\sqrt{y}$ and $\sqrt{yx}$ we can recover $\sqrt{x}$ by division.
- Hence, Peggy proved that she knows a sqrt of $x$.
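Soundness and special soundness of the quadratic-residue protocol, worked through on a small modulus. This is an added example, not part of the lecture: the modulus $n = 23 \cdot 47$, the witness `W` and all function names are assumptions chosen so that $\mathbb{Z}_n^*$ can be enumerated.

```python
import math
import secrets

# Constructed toy parameters. A real modulus is thousands of bits long and
# neither party in the protocol needs to know p and q.
P, Q = 23, 47
N = P * Q
W = 123                      # Peggy's witness
X = pow(W, 2, N)             # public statement: X is in QR_n

UNITS = [u for u in range(1, N) if math.gcd(u, N) == 1]    # Z_n^*
QR = {u * u % N for u in UNITS}                            # QR_n


def random_unit():
    while True:
        u = secrets.randbelow(N)
        if u and math.gcd(u, N) == 1:
            return u


class Prover:
    def __init__(self, w):
        self.w = w

    def commit(self):
        self.u = random_unit()           # must be fresh for every run
        return self.u * self.u % N       # y = u^2

    def respond(self, b):
        return self.u if b == 0 else self.u * self.w % N


def verify(x, y, b, z):
    """Vicky's check: z^2 = y for b = 0, z^2 = y*x for b = 1."""
    return z * z % N == (y * x % N if b else y % N)


def extract(x, y, z0, z1):
    """Special soundness: from accepting (y, 0, z0) and (y, 1, z1),
    z1 / z0 is a square root of x, since (z1/z0)^2 = y*x / y = x."""
    if not (verify(x, y, 0, z0) and verify(x, y, 1, z1)):
        raise ValueError("both transcripts must be accepting")
    return z1 * pow(z0, -1, N) % N


def answerable_challenges(x, y):
    """Challenges b for which some response z exists, given commitment y."""
    return {b for b in (0, 1) if y * pow(x, b, N) % N in QR}


def best_cheating_odds(x):
    """Best acceptance probability over all commitments y in Z_n^*."""
    return max(len(answerable_challenges(x, y)) for y in UNITS) / 2


if __name__ == "__main__":
    peggy = Prover(W)
    y = peggy.commit()
    # Answering both challenges for ONE commitment is what the extractor needs;
    # an honest prover never does this, which is why u is drawn fresh each run.
    z0, z1 = peggy.respond(0), peggy.respond(1)
    print("extracted root squares to x:", pow(extract(X, y, z0, z1), 2, N) == X)
    non_residue = next(u for u in UNITS if u not in QR)
    print("odds for x in QR_n:", best_cheating_odds(X))
    print("odds for x not in QR_n:", best_cheating_odds(non_residue))
```

For a non-residue $x$ no commitment $y$ has both $y$ and $yx$ in $QR_n$, so the best a prover can do is answer one of the two challenges.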

31 Schnorr's protocol
Schnorr suggested the following proof of knowledge for the discrete logarithm:
Public statement: Peggy knows the discrete log of $h$ w.r.t. $g$, where these are members of some group $G$ of order $q$, and $g$ is a generator.
Peggy's private input: $x$ such that $g^x = h$
1. Peggy chooses $r \xleftarrow{R} \mathbb{Z}_q$ and sends $a = g^r$.
2. Vicky chooses $b \xleftarrow{R} \mathbb{Z}_q$ and sends $b$.
3. Peggy sends $c = r + xb \pmod{q}$.
4. Vicky accepts iff $a h^b = g^c$.
Completeness: ?
HVZK: ?
Special Soundness: ?

32 Sigma protocols
Protocols of the following form are called Sigma Protocols.
Public statement: $x \in L$ and Peggy knows a witness $w$
1. Peggy ($w$) sends a commitment $a$.
2. Vicky sends a random challenge $b$.
3. Peggy sends $c$.
4. Vicky accepts iff $(a, b, c)$ are valid.
The protocol satisfies:
- Completeness: $\forall x \in L$, $\Pr[(P, V)(x) = \text{accept}] = 1$
- HVZK: $\exists S$, $\forall x \in L$, $S(x) \equiv \mathrm{view}_V(x)$
- Special Soundness: Given a pair of accepting transcripts $(a, b, c)$ and $(a, b', c')$ with $b \neq b'$ it is possible to efficiently recover the witness $w$.

33 Properties of Sigma Protocols
Sigma protocols have nice properties:
- can be repeated in parallel
- can be nicely composed
- can be combined to prove: I know a witness for $x$ OR/AND for $x'$
- easily transformed to work against cheating verifiers

34 Application: Identification Scheme
- We assume that there is a public key tied to Alice's identity.
- The key is published on an authenticated public record and everyone knows it.
- Alice also holds the corresponding private key.
- These keys are distributed once and for all by some trusted party (e.g., government, university security unit).
- Eve's attack avenue is the Alice-Bob connection.
- Eve may play the role of Bob and ask Alice to identify herself many times.
- Then, using this information, she may talk to Bob and try to impersonate Alice.

35 Identification via Zero-Knowledge
Let $f : W \to X$ be a one-way function (e.g., squaring mod $n = pq$, or discrete log).
Private key: $w \xleftarrow{R} W$. Public key: $x = f(w)$, stored in a public file next to Peggy's name.
To identify herself, Peggy proves that she knows $w$ via a sigma protocol.
- Impersonation is as hard as convincing a verifier to accept.
- By special soundness, if you can impersonate you know $w$.
- Since the protocol is zero-knowledge, Eve cannot impersonate Peggy even if Eve heard Alice identifying herself many times.
(To obtain full security we need ZK against a cheating verifier.)

36 Sigma protocols: Removing Interaction
Public statement: $x \in L$ and Peggy knows a witness $w$
1. Peggy ($w$) sends a commitment $a$.
2. Vicky sends a random challenge $b$.
3. Peggy sends $c$.
4. Vicky accepts iff $(a, b, c)$ are valid.
How can we make the protocol non-interactive? (Remove $b$)
- Idea: Let the prover choose $b$.
- This may be bad: the prover can pose herself an easy challenge $b$.
- Fiat-Shamir: Let $b = H(a)$ where $H$ is a hash function.
- Security holds in the random-oracle model.
- Open question: Remove interaction without a random oracle.

37 Application: Signature Schemes
Let $f : W \to X$ be a one-way function (e.g., squaring mod $n = pq$, or discrete log).
Private key: $w \xleftarrow{R} W$. Public key: $x = f(w)$.
To sign $m$, Peggy proves that she knows $w$ via a sigma protocol where $b = H(m, a)$.
- Forging is as hard as convincing a verifier to accept.
- By special soundness, if you can forge you know $w$.
- Since the protocol is zero-knowledge, forging remains hard even after seeing many signed messages.

38 Example: Schnorr's signature
Schnorr suggested the following proof of knowledge for the discrete logarithm:
Public parameters: group $G$ of prime order $q$ and a generator $g$.
Private key: $x \xleftarrow{R} \mathbb{Z}_q$. Public key: $y = g^x$.
To sign $m$ do the following:
1. Peggy (who knows $x$ such that $g^x = h$) chooses $r \xleftarrow{R} \mathbb{Z}_q$ and computes $a = g^r$.
2. $b = H(a, m)$.
3. $c = r + xb \pmod{q}$.
Vicky accepts iff $a h^b = g^c$.
The scheme can be optimized such that the signature consists of only two group elements. See Ex 4.
Several variants exist including Elgamal signatures, and the Digital Signature Algorithm (DSA/DSS).
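The remark on removing interaction ("let the prover choose $b$ ... may be bad") and the Schnorr signature, as an added example that is not part of the lecture. It signs with $b = H(a, m)$ and compares a verifier that recomputes $b$ with one that accepts a prover-supplied $b$, which the HVZK simulator for Schnorr's protocol satisfies without knowing $x$. The toy group ($p = 2039$, $q = 1019$, $g = 4$), SHA-256 as $H$, and all function names are assumptions; the public key is called `h` as in the acceptance check.

```python
import hashlib
import secrets

# Constructed toy group: the subgroup of prime order q in Z_p^*, p = 2q + 1.
# Real deployments use groups of at least 256-bit order.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1        # private key in [1, q-1]
    return x, pow(G, x, P)                  # public key h = g^x


def challenge(a, m):
    """Fiat-Shamir challenge b = H(a, m), reduced into Z_q."""
    digest = hashlib.sha256(str(a).encode() + b"|" + m).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, m):
    r = secrets.randbelow(Q)                # fresh for every signature
    a = pow(G, r, P)
    b = challenge(a, m)
    c = (r + x * b) % Q
    return a, c


def verify(h, m, sig):
    """Correct verifier: recomputes b from (a, m) before checking a*h^b = g^c."""
    a, c = sig
    b = challenge(a, m)
    return a * pow(h, b, P) % P == pow(G, c, P)


def weak_verify(h, m, transcript):
    """Flawed verifier: trusts the b that arrives with the transcript, so the
    check no longer depends on the message or on a challenge chosen after a."""
    a, b, c = transcript
    return a * pow(h, b, P) % P == pow(G, c, P)


def simulate(h):
    """HVZK simulator for Schnorr's protocol: choose b and c first, then solve
    for a = g^c * h^(-b). The private key x is never used."""
    b = secrets.randbelow(Q)
    c = secrets.randbelow(Q)
    a = pow(G, c, P) * pow(h, (Q - b) % Q, P) % P   # h^(q-b) = h^(-b), h has order q
    return a, b, c


if __name__ == "__main__":
    x, h = keygen()
    m = b"constructed message"
    print("honest signature verifies:", verify(h, m, sign(x, m)))
    a, b, c = simulate(h)
    print("simulated transcript passes weak check:", weak_verify(h, m, (a, b, c)))
    print("simulated transcript passes real check:", verify(h, m, (a, c)))
```

With the toy order $q = 1019$ a simulated transcript still passes the correct check with probability about $1/q$, when $H(a, m)$ happens to equal the chosen $b$; at real group sizes that chance is negligible.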


More information

Zero-Knowledge Against Quantum Attacks

Zero-Knowledge Against Quantum Attacks Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP

More information

Cryptographical Security in the Quantum Random Oracle Model

Cryptographical Security in the Quantum Random Oracle Model Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 9 Lecture date: March 7-9, 2005 Scribe: S. Bhattacharyya, R. Deak, P. Mirzadeh 1 Interactive Proof Systems/Protocols 1.1 Introduction

More information

Interactive protocols & zero-knowledge

Interactive protocols & zero-knowledge Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes

More information

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Lecture 12: Interactive Proofs

Lecture 12: Interactive Proofs princeton university cos 522: computational complexity Lecture 12: Interactive Proofs Lecturer: Sanjeev Arora Scribe:Carl Kingsford Recall the certificate definition of NP. We can think of this characterization

More information

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

Dr George Danezis University College London, UK

Dr George Danezis University College London, UK Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets

More information

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

Lecture 26: Arthur-Merlin Games

Lecture 26: Arthur-Merlin Games CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed

More information

Introduction to Elliptic Curve Cryptography. Anupam Datta

Introduction to Elliptic Curve Cryptography. Anupam Datta Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups

More information

Cryptographic Protocols. Steve Lai

Cryptographic Protocols. Steve Lai Cryptographic Protocols Steve Lai This course: APPLICATIONS (security) Encryption Schemes Crypto Protocols Sign/MAC Schemes Pseudorandom Generators And Functions Zero-Knowledge Proof Systems Computational

More information

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole

More information

Commitment Schemes and Zero-Knowledge Protocols (2011)

Commitment Schemes and Zero-Knowledge Protocols (2011) Commitment Schemes and Zero-Knowledge Protocols (2011) Ivan Damgård and Jesper Buus Nielsen Aarhus University, BRICS Abstract This article is an introduction to two fundamental primitives in cryptographic

More information

Homework 3 Solutions

Homework 3 Solutions 5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin

More information

Interactive protocols & zero-knowledge

Interactive protocols & zero-knowledge Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes

More information

Lecture 17: Constructions of Public-Key Encryption

Lecture 17: Constructions of Public-Key Encryption COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Lecture 18: Zero-Knowledge Proofs

Lecture 18: Zero-Knowledge Proofs COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be

More information

Statistically Secure Sigma Protocols with Abort

Statistically Secure Sigma Protocols with Abort AARHUS UNIVERSITY COMPUTER SCIENCE MASTER S THESIS Statistically Secure Sigma Protocols with Abort Author: Anders Fog BUNZEL (20112293) Supervisor: Ivan Bjerre DAMGÅRD September 2016 AARHUS AU UNIVERSITY

More information

PAPER An Identification Scheme with Tight Reduction

PAPER An Identification Scheme with Tight Reduction IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification

More information

Public Key Cryptography

Public Key Cryptography T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt

More information

George Danezis Microsoft Research, Cambridge, UK

George Danezis Microsoft Research, Cambridge, UK George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets

More information

CS151 Complexity Theory. Lecture 13 May 15, 2017

CS151 Complexity Theory. Lecture 13 May 15, 2017 CS151 Complexity Theory Lecture 13 May 15, 2017 Relationship to other classes To compare to classes of decision problems, usually consider P #P which is a decision class easy: NP, conp P #P easy: P #P

More information

How to Go Beyond the Black-Box Simulation Barrier

How to Go Beyond the Black-Box Simulation Barrier How to Go Beyond the Black-Box Simulation Barrier Boaz Barak December 30, 2008 Abstract The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction

More information

III. Authentication - identification protocols

III. Authentication - identification protocols III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security

More information

Interactive Zero-Knowledge with Restricted Random Oracles

Interactive Zero-Knowledge with Restricted Random Oracles Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu

More information

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Analysis - Post-Quantum Security of Fiat-Shamir by Dominic Unruh Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis

More information

An Identification Scheme Based on KEA1 Assumption

An Identification Scheme Based on KEA1 Assumption All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

Lecture 15: Interactive Proofs

Lecture 15: Interactive Proofs COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction

More information

Notes for Lecture 25

Notes for Lecture 25 U.C. Berkeley CS276: Cryptography Handout N25 Luca Trevisan April 23, 2009 Notes for Lecture 25 Scribed by Alexandra Constantin, posted May 4, 2009 Summary Today we show that the graph isomorphism protocol

More information

Introduction to Cryptography Lecture 13

Introduction to Cryptography Lecture 13 Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple

More information

Round-Efficient Multi-party Computation with a Dishonest Majority

Round-Efficient Multi-party Computation with a Dishonest Majority Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

From Secure MPC to Efficient Zero-Knowledge

From Secure MPC to Efficient Zero-Knowledge From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time

More information

Cryptographic Protocols FS2011 1

Cryptographic Protocols FS2011 1 Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Cryptology. Vilius Stakėnas autumn

Cryptology. Vilius Stakėnas autumn Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................

More information

Lecture 9 - One Way Permutations

Lecture 9 - One Way Permutations Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick

More information

Information Security

Information Security SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we

More information

CS 355: Topics in Cryptography Spring Problem Set 5.

CS 355: Topics in Cryptography Spring Problem Set 5. CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex

More information

A Note on the Cramer-Damgård Identification Scheme

A Note on the Cramer-Damgård Identification Scheme A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn

More information

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information