Cryptography for Blockchains beyond ECDSA and SHA256
|
|
- April Parker
- 6 years ago
- Views:
Transcription
1 Cryptography for Blockchains beyond ECDSA and SHA256 S IGNATURES AND Z ERO K NOWLEDGE P ROOFS Benedikt Bünz Stanford University
2 Overview 1. Signatures 1. ECDSA 2. BLS 3. Threshold Signatures 4. Ring Signatures 5. Blind Signatures 2. Zero-Knowledge Proofs 1. An illustrative example (SUDOKU) 2. Sigma protocols 3. SNARKs 4. PCPs, CS-Proofs and STARKs 5. Bulletproofs
3 Signatures Did Bob or Bart say this? Send 1 BTC to Alice Bob Alice Bart
4 Signatures Did Bob or Bart say this? Send 1 BTC to Alice Bob Bob Alice Bart
5 Signature (Formal Definiton) Keygen (sk,pk) Sign (sk,m) σ Verify(pk, σ,m) {0,1} Correctness: Verify(PK,SIGN(SK,M),M)=1 SECURITY: After seeing n signatures no adversary can create a signature on new message
6 Signature (Diagram) (sk,pk) Keygen pk σ Sign(sk,m) m, σ Verify(pk, m, σ)
7 Signature (ECDSA) Used in Bitcoin (and other Cryptocurrencies) Designed because of a patent conflict Malleable: Given (pk,σ,m)-> σ % with Verify(pk,σ %,m) -> Transaction malleability -> Fooled Mt. Gox Cash Out Twice After seeing n signatures no adversary can create a new signature on any message
8 Preliminaries: Discrete Log and Pairings Random x Z * Given g, g. G it s hard to produce x Pairing (Bilinear Map) e: G, > G 4, G is a special elliptic curve g 5, g 6 G, e g 5, g 6 = e g, g 5 6 e g 5, h = e g, h 5 = e g, h 5 e(g, u v) = e(g, u) e(g, v)
9 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =?
10 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =? e H(m), g. e σ, g
11 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =? e H(m), g. e σ, g = e H m., g
12 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =? e H(m), g. e σ, g = e H m., g = e H m, g.
13 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): σ is 32 bytes! e σ, g =? e H(m), g. e σ, g = e H m., g = e H m, g. = e H m, g.
14 BLS Properties: Deterministic m H m. x No randomness, impossible to have two valid signatures for a message, public key pair
15 BLS Properties: Signature aggregation pk D, m D, σ D and pk E, m E, σ E Aggregate signature σ = σ D σ E Verify(g, pk D, pk E, m D, m E, σ): e σ, g = e σ, g =? e H(m), g.
16 BLS Properties: Signature aggregation pk D, m D, σ D and pk E, m E, σ E Aggregate signature σ = σ D σ E Verify(g, pk D, pk E, m D, m E, σ): e σ, g = e H m D, pk D e(h(m E ), pk E ) e σ, g = e σ D σ E, g e σ, g =? e H(m), g.
17 BLS Properties: Signature aggregation pk D, m D, σ D and pk E, m E, σ E e σ, g =? e H(m), g. Aggregate signature σ = σ D σ E Verify(g, pk D, pk E, m D, m E, σ): e σ, g = e H m D, pk D e(h(m E ), pk E ) e σ, g = e σ D σ E, g = e σ D, g e σ E, g e σ D, g = e H m D, pk D e σ E, g = e H m E, pk E e σ D, g e σ E, g = e H m D, pk D e H m E, pk E
18 BLS Properties: Signature aggregation Take n signatures under n public keys on n messages and create a single small signature Each Bitcoin transaction includes public key and is message Take all Bitcoin transactions in a block and create a single signature Take all Bitcoin transactions in the blockchain and have a single signature 32 bytes!
19 Threshold Signature (Diagram) Different from multisig (1 pk) (sk 1,,sk n,pk ) Keygen(t,n) pk σ Sign(sk 1,,sk t,m) m, σ Verify(pk,m, σ)
20 Threshold Difficult for ECDSA (Gennaro et al. 16) Easy for Schnorr, BLS Indistinguishable from normal signature (privacy benefits) Can support 1000s of keys/ signatures don t grow with (t,n)
21 Threshold signature from Shamir secret sharing
22 Ring Signature (Diagram) (sk 1,,sk n,pk ) Keygen(t,n) pk σ Sign(sk i,m) m, σ Verify(pk,m, σ) σ hides i
23 Ring Signatures Used in Monero to hide sender Monero s signatures are linear in n Can be logarithmic in n (Bootle et al. 2015)
24 Blind Signature (Diagram) (sk,pk ) Keygen(t,n) pk c c=commit(m;r) b BlindSign(sk,c) b σ =Unblind(pk,b,r) s.t. Verify(pk,m, σ)=1
25 Blind Signature Separate Custodian from transaction details
26 Zero Knowledge Proofs of Knowledge SUDOKUS, SNARKS, STARKS AND BULLETS
27 Zero Knowledge Proof of Knowledge No idea what the solution is But Alice must know it I know the solution to this complex equation Prove it Challenge Response
28 Zero Knowledge Proof of Knowledge Applications Confidential Transactions Mimblewimble ZeroCash Hawk Zero-Knowledge contingent payments Proofs of Solvency for Bitcoin Exchanges Confidential Payment Channels Blockchain compression
29 SUDOKU
30 SUDOKU
31 Zero-Knowledge SUDOKU Can you help me with this Sudoku? If you pay me! Prove that you know the solution first Ok
32 Zero-Knowledge SUDOKU (Gradwohl et al. 05)
33 Zero-Knowledge SUDOKU Open Row 4
34 Zero-Knowledge SUDOKU Open Column 2
35 Zero-Knowledge SUDOKU Open Box 1
36 Zero-Knowledge SUDOKU Show original puzzle
37 Zero-Knowledge SUDOKU Analysis P[Cheating] EF EG Open Row/Column/Box/Original
38 Zero-Knowledge SUDOKU Amplifying 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row/Column/Box/Original
39 Problem: Bob learns solution 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row/Column/Box/Original New permutation in every round
40 Zero-Knowledge 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row 1 New permutation in every round
41 Zero-Knowledge 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row 1 New permutation in every round
42 Zero-Knowledge 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Box 2 New permutation in every round
43 Zero-Knowledge for public keys (Sigma protocol) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =?
44 Zero-Knowledge for public keys (Sigma protocol) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =? A y S A y S = g < g. S g < g. S = g <T. S
45 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =? A y S A y S = g < g. S g < g. S = g <T. S
46 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =? A y S A y S = g < g. S g < g. S = g <T. S
47 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < c = H(A, y) s = r + c z s g P =? A y S A y S = g < g. S g < g. S = g <T. S
48 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < c = H(A, y) s = r + c z π = (A, c, s) g P =? A y S c =? H(A, y)
49 Schnorr signature I know x such that g x =y r Z * A = g < c = H(A, y) s = r + c z π = (A, c, s) g P =? A y S g P =? A y S c =? H(A, y)
50 Schnorr signature I know x such that g x =y r Z * A = g < c = H(A, y, M) s = r + c z σ = A, c, s, M g P =? A y S c =? H(A, y, M)
51 Sigma protocols Good for NIZKs in public key systems Range proofs Proofs of solvency (Dagher et al. 15) Not good for more complicated statements
52 Proofs for complex statement I know x such that H(x)=y/ This is the correct blockchain π
53 Goal: Succinct proofs I know x such that H(x)=y/ This is the correct blockchain π Proof is a 100 bytes no matter what the statement is Verifying it takes ms
54 Preprocessing SNARK Open Row 7
55 Preprocessing SNARK: Idea sent queries once This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) Compressed response: π
56 Preprocessing SNARK: Idea sent queries once This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) If Alice knows queries She can cheat Compressed response: π
57 Preprocessing SNARK: Encrypt queries This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) If Alice knows queries She can cheat Compressed response: π
58 Preprocessing SNARK: Encrypt queries This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) Compressed response: π
59 Preprocessing SNARK: Trusted Setup Encrypted Queries Short Encrypted Answers Setup slow Special compression function to compress answers (Pairing) Proving slow Compressed response: π Verify π Using encrypted answers Verification fast
60 Preprocessing SNARK: Malicious Setup Encrypted Queries Short Encrypted Answers Can create cheating proofs Special compression function to compress answers (Pairing) Compressed response: π Verify π Using encrypted answers
61 Preprocessing SNARK: Use multiple parties Encrypted Queries Short Encrypted Answers Special compression function to compress answers (Pairing) ZCash did this Compressed response: π Verify π Using encrypted answers
62 PCP Theorem Open 2 fields PCP Theorem: For any sized Sudoku, P[Cheating]<= 1/3
63 CS-Proofs (use Fiat-Shamir) (Micali 91) Commit: Open 2 fields=h(commit) PCP Theorem: For any sized Sudoku, P[Cheating]<= 1/3
64 CS-Proofs (use Fiat-Shamir) (Micali 91) Commit: Open 2 fields=h(commit) Not practical
65 STARKs (Ben-Sasson 17) Making strides 2 DX cycles 131 GB Ram usage 1.8 MB proofs Commit: Open 2 fields=h(commit)
66 Dreaming of STARKs ZCash without trusted setup Blockchain aggregation (doesn t need Zero-Knowledge) Confidential smart contracts Resolving verifiers dilema Generic verifiable computation (Outsourcing) Very active research area but still not there
67 Bulletproofs (Short proofs but linear verification) Bünz et al. 17 based on Bootle et al. 16 Proofs are very short (log(n) for statement of size n) Verification is like proving (slow) Replacement for Sigma protocols No trusted setup! Just discrete log assumption
68 Bulletproofs (What is it good for?) Range proofs for confidential transactions/mimblewimble 670 bytes instead of 4 KB per range proof Aggregation: Two range proofs 736 bytes vs. 8 KB 16 range proofs 928 bytes vs. 61KB Mimblewimble size: 17 GB vs 160 GB Built in: simple CoinJoin protocol for combining confidential transactions Solvency proofs Verifiable shuffles NIZKs for Smart Contracts
69 References (Signatures) BLS ECDSA Threshold: BLS/Schnorr Threshold: Ring Signatures: Blind Signatures:
70 References (Proofs) Provisions: Zero-Knowledge contingent payments: Zero-cash: ZK-SUDOKU: Sigma Protocols: ftp://ftp.inf.ethz.ch/pub/crypto/publications/cradam98.pdf SNARKs: (Groth first SNARK) (GGPR SNARKs of today) (Pinocchio the most used) (SNARKs for C) PCPs: CS Proofs: STARKs: Bulletproofs:
71 Thank you! CS. STANFORD. EDU
COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationCryptography in Blockchain Part I: Crypto Basics and. Monero. Zhiguo Wan Shandong University
Cryptography in Blockchain Part I: Crypto Basics and Monero Zhiguo Wan Shandong University Outline Crypto Basics Monero and RingCT Zero Knowledge Proof ZeroCash and ZK- SNARK Group G< >, Ring R and
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationHow to Use Bitcoin to Incentivize Correct Computations CCS 2014
How to Use Bitcoin to Incentivize Correct Computations Ranjit Kumaresan Technion Iddo Bentov Technion CCS 2014 Formal model that incorporates coins Ideal functionalities F with coins If party P i has (say)
More informationLecture Notes 15 : Voting, Homomorphic Encryption
6.857 Computer and Network Security October 29, 2002 Lecture Notes 15 : Voting, Homomorphic Encryption Lecturer: Ron Rivest Scribe: Ledlie/Ortiz/Paskalev/Zhao 1 Introduction The big picture and where we
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationMinimal Design for Decentralized Wallet. Omer Shlomovits
Minimal Design for Decentralized Wallet Omer Shlomovits 1 !2 Motivation Imagine we had a private key management system where: No single point of failure Move of assets (signing) cannot happen without Owner
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationEfficient Zero-Knowledge Range Proofs in Ethereum
Efficient Zero-Knowledge Range Proofs in Ethereum Tommy Koens, Coen Ramaekers and Cees van Wijk ING, blockchain@ing.com 1 Introduction Two months ago I (Tommy) joined ING s blockchain team. This job change
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationSubversion-zero-knowledge SNARKs
An extended abstract of this work appears in PKC 18. This is the full version. Subversion-zero-knowledge SNARKs Georg Fuchsbauer 1 Abstract Subversion zero knowledge for non-interactive proof systems demands
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationSubversion-Resistant Zero Knowledge
Subversion-Resistant Zero Knowledge Georg Fuchsbauer joint work with Mihir Bellare and Alessandra Scafuro ECRYPT-NET Workshop on Crypto for the Cloud & Implementation 27 June 2017 Content of this talk
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationQuo Vadis PKI? IEEE International Conference on Public Key Infrastructure and its Applications: PKIA 2017 Bangalore 14-15, November 2017
Quo Vadis PKI? IEEE International Conference on Public Key Infrastructure and its Applications: PKIA 2017 Bangalore 14-15, November 2017 C.E.Veni Madhavan Informatics and Security Laboratory Department
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationLattice Signature Schemes. Vadim Lyubashevsky INRIA / ENS Paris
Lattice Signature Schemes Vadim Lyubashevsky INRIA / ENS Paris LATTICE PROBLEMS The Knapsack Problem A = t mod q A is random in Z q n x m s is a random small vector in Z q m t=as mod q s Given (A,t), find
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationcient Computational Integrity (CI) from PCPs
Concretely e cient Computational Integrity (CI) from PCPs Eli Ben-Sasson, Technion June 2017 E. Ben-Sasson Concretely e cient CI from PCPs June 2017 1 / 29 Motivation PCP e ciency Recent asymptotic progress:
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi, Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. We define and propose an efficient and provably secure
More informationC C : A Framework for Building Composable Zero-Knowledge Proofs
C C : A Framework for Building Composable Zero-Knowledge Proofs Ahmed Kosba Zhichao Zhao Andrew Miller Yi Qian T-H. Hubert Chan Charalampos Papamanthou Rafael Pass abhi shelat Elaine Shi : UMD : HKU :
More informationUniversal Designated Verifier Signature Proof (or How to Efficiently Prove Knowledge of a Signature)
Universal Designated Verifier Signature Proof (or How to Efficiently Prove Knowledge of a Signature) Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo Centre for Information Security, School of Information
More informationPrimary-Secondary-Resolver Membership Proof Systems
Primary-Secondary-Resolver Membership Proof Systems Moni Naor and Asaf Ziv Weizmann Institute of Science, Department of Computer Science and Applied Mathematics. {moni.naor,asaf.ziv}@weizmann.ac.il. Abstract.
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationOblivious Evaluation of Multivariate Polynomials. and Applications
The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationLecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting
6.879 Special Topics in Cryptography Instructors: Ran Canetti April 15, 2004 Lecture 19: Verifiable Mix-Net Voting Scribe: Susan Hohenberger In the last lecture, we described two types of mix-net voting
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationLecture Notes, Week 10
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 10 (rev. 2) Professor M. J. Fischer March 29 & 31, 2005 Lecture Notes, Week 10 1 Zero Knowledge Interactive
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationScalable, transparent, and post-quantum secure computational integrity
Scalable, transparent, and post-quantum secure computational integrity Eli Ben-Sasson * Iddo Bentov Yinon Horesh * Michael Riabzev * March 6, 2018 Abstract Human dignity demands that personal information,
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationEmbedded Proofs for Verifiable Neural Networks
Embedded Proofs for Verifiable Neural Networks Hervé Chabanne 1,3, Julien Keuffer 1,2, and Refik Molva 2 1 Idemia, Issy-les-Moulineaux, France 2 Eurecom, Biot, France 3 Telecom ParisTech, Paris, France
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationA Post-Quantum Digital Signature Scheme based on Supersingular Isogenies
Post-Quantum Digital Signature Scheme based on Supersingular Isogenies by Youngho Yoo thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationShort Signature Scheme From Bilinear Pairings
Sedat Akleylek, Barış Bülent Kırlar, Ömer Sever, and Zaliha Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey {akleylek,kirlar}@metu.edu.tr,severomer@yahoo.com,zyuce@stm.com.tr
More informationHomomorphic Signatures for Polynomial Functions
An extended abstract of this work appears in Advances in Cryptology EUROCRYPT 2011, ed. K. Paterson, Springer LNCS 6632 (2011), 149 168. This is the full version. Homomorphic Signatures for Polynomial
More informationInteractive proof and zero knowledge protocols
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More information