Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics


1 Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
F. Prost, Frederic.Prost@ens-lyon.fr, Ecole Normale Supérieure de Lyon, July 2015 (1 / 45)

3 Introduction
Very powerful tool for cryptographers. At the heart of the privacy issue. Often misunderstood (name too well chosen). Origin in interactive proof systems: a prover tries to convince a verifier, through discussion, that he knows that some formula is true beyond reasonable doubt. Interactive proofs, two approaches:
- Soundness (original problem): the prover tries to trick the verifier.
- What if you don't trust the verifier? ⇒ information leakage, e.g. Unix password storage. Thus we look for an interactive proof that convinces a verifier of the validity of an assertion but brings no information to the verifier.

4 Plan
1. Zero-Knowledge proofs intuitively
2. Knowledge complexity [Goldwasser et al., 1985]: Interactive Proofs; Knowledge Complexity Classes; Interactive Proof for Nonresidue Membership is in KC(0); Extension to all NP-languages
3. ZKP applications: Credentials; Group Signature; Anonymous Blacklisting
4. Conclusion

5 Zero-Knowledge proofs intuitively: How to explain ZKP to your children [Quisquater et al., 1989]
How to prove that you know something without revealing the something? Ali Baba and the magic cave.

9 Zero-Knowledge proofs intuitively: ZKP quick analysis
Based on a cut-and-choose approach. One can tune the reliability of the ZKP by:
- a more complicated cave (several tunnels);
- more repetitions of the challenge.
Interactions can be done in parallel to accelerate the process. The proof of knowledge cannot be transmitted (easy to cheat).

11 Knowledge Complexity
The raw problem is to communicate a proof. Proofs are here probabilistic in nature ⇒ on an n-bit input we may erroneously be convinced of the correctness with small probability $1/2^n$, and convinced of a correct statement with very high probability $1 - 1/2^n$. Proofs are interactive: a kind of challenge-response scheme, as we have seen in cryptographic approaches. ZKP address this question: how much knowledge should be communicated for proving a theorem T? Knowledge complexity is a measure of the amount of additional knowledge (apart from the fact that the theorem is true) contained in proofs. Here theorems are membership in a language, typically $x \in L$.

16 Interactive Proofs: The NP case and Interactive Turing Machines
An NP proof system consists of two communicating Turing machines: A, the prover, is exponential-time; B, the verifier, is polynomial-time. A and B are deterministic and interact together: on input x belonging to an NP language L, A computes y (polynomially bounded in the length of x; it is the certificate) and writes it down on a tape that B can read. B checks that $f_L(y) = x$, where $f_L$ is a polynomial-time computable function relative to L (it checks the certificate, e.g. a Hamiltonian path). This only captures a particular way to communicate proofs: proofs that can be written down in a book.

19 Interactive Proofs: Interactive Turing Machines
Here we deal with proofs that can be explained to a class. The proof is interactive because it can take advantage of the reaction of the people in the class (only answer the questions asked). What are the intuitive requirements for a theorem-proving procedure?
1. It is possible to prove a true statement.
2. It is impossible to prove a false statement.
3. Communicating the proof should be efficient: it does not matter how long the prover must compute to find the proof, but the computation required by the verifier should be easy.

20 Interactive Proofs: Interactive Turing Machines (figure only on this slide)

21 Interactive Proofs: Interactive Proof-Systems
Definition (Interactive Proof System). Let $L \subseteq \{0, 1\}^*$ and let (A, B) be an interactive pair of TMs. (A, B) is an interactive proof-system for L if A (the prover) has infinite power, B (the verifier) is polynomial time, and they satisfy:
1. For $x \in L$, B halts and accepts with probability at least $1 - 1/n^k$ for each k and sufficiently large n.
2. For $x \notin L$ and any ITM A', in (A', B) the verifier B accepts with probability at most $1/n^k$ for each k and sufficiently large n.
Remarks: n is the size of the input. Probabilities are taken only over B's random tape.

24 Interactive Proofs: Interactive Proof-System example
Let $Z_m^*$ be the set of integers in $\{1, \ldots, m\}$ relatively prime to m. $a \in Z_m^*$ is a quadratic residue modulo m if $a \equiv x^2 \pmod m$ for some $x \in Z_m^*$; otherwise it is a quadratic nonresidue. $L = \{(m, x) \mid x \in Z_m^*$ is a quadratic nonresidue$\}$. $L \in NP$: the prover factors m and sends the factorization to the verifier (quadratic residuosity is easy to compute if the modulus is prime). But what about an interactive proof?

27 Interactive Proofs: Interactive Proof for Nonresidue Membership
Question: is $(m, x) \in L$? The verifier chooses $n = |m|$ (the size of m) random members of $Z_m^*$: $\{r_1, r_2, \ldots, r_n\}$. For each i, B flips a coin: heads: he computes $t_i = r_i^2 \bmod m$; tails: he computes $t_i = x r_i^2 \bmod m$. B sends $\{t_1, t_2, \ldots, t_n\}$ to A. A, who is not restricted in computational power, finds which of the $t_i$ are quadratic residues and tells B the results. If the information is correct, B accepts.

29 Interactive Proofs: Interactive Proof for Nonresidue Membership: correctness
Why is it correct?
1. If $(m, x) \in L$ then A correctly predicts all n coin tosses of B, who will accept.
2. If $(m, x) \notin L$ the $t_i$ are random quadratic residues, and the prover still responds correctly only with probability $1/2^n$, since A has probability exactly 1/2 of guessing each toss correctly.
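Worked example, added here and not code from the lecture: the protocol of the preceding slides in Python. The prover's unbounded power is stood in for by knowledge of the factorisation m = p·q, so the residuosity test is Euler's criterion modulo each factor; the toy primes 11 and 19, the challenge x = 2 (a nonresidue mod both factors) and x = 4 (a residue) are constructed for the example.

```python
"""Interactive proof for quadratic nonresiduosity (added example, not the
lecture's code). Prover A knows the factors P, Q and decides residuosity with
Euler's criterion; verifier B only does modular arithmetic.
P, Q, X_NONRESIDUE and X_RESIDUE are constructed values."""
import random
from math import gcd

P, Q = 11, 19            # constructed toy modulus m = 209
M = P * Q
X_NONRESIDUE = 2         # nonresidue mod 11 and mod 19: (M, 2) is in L
X_RESIDUE = 4            # 4 = 2^2, so (M, 4) is not in L


def is_qr(a, p, q):
    """a is a square mod p*q iff it is a square mod p and mod q; Euler's
    criterion a^((p-1)/2) == 1 decides each factor (the 'unbounded' step)."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def random_unit(m, rng):
    """Uniform element of Z_m^* (integers in [2, m) coprime to m)."""
    while True:
        r = rng.randrange(2, m)
        if gcd(r, m) == 1:
            return r


def verifier_challenge(m, x, n, rng):
    """Verifier B: n coin flips; t_i = r_i^2 (heads) or x*r_i^2 (tails) mod m."""
    coins, ts = [], []
    for _ in range(n):
        r = random_unit(m, rng)
        c = rng.randrange(2)
        coins.append(c)
        ts.append(r * r % m if c == 0 else x * r * r % m)
    return coins, ts


def honest_prover(ts, p, q):
    """Prover A: report 0 for each quadratic residue t_i, 1 for each nonresidue."""
    return [0 if is_qr(t, p, q) else 1 for t in ts]


def cheating_prover(ts, rng):
    """A prover that cannot decide residuosity and guesses every bit."""
    return [rng.randrange(2) for _ in ts]


def run_protocol(x, n=40, seed=1, cheat=False):
    """One run with n challenges; B accepts iff every reported bit equals its coin."""
    rng = random.Random(seed)
    coins, ts = verifier_challenge(M, x, n, rng)
    answers = cheating_prover(ts, rng) if cheat else honest_prover(ts, P, Q)
    return answers == coins


def acceptance_rate(x, n, trials=4000, seed=1, cheat=False):
    """Empirical probability that B accepts: 1 for an honest prover and x in L,
    about 1/2^n for a guessing prover (the soundness bound of the slide)."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        coins, ts = verifier_challenge(M, x, n, rng)
        answers = cheating_prover(ts, rng) if cheat else honest_prover(ts, P, Q)
        accepted += answers == coins
    return accepted / trials
```

`acceptance_rate(X_NONRESIDUE, n=3, cheat=True)` comes out near 1/8, the $1/2^n$ of the correctness slide, and with the residue x = 4 even the honest prover is rejected, since all $t_i$ are then squares and B's coins are random. What this protocol does not give is zero knowledge: B chooses the $t_i$, so a dishonest B could submit any value of its own interest as a $t_i$ and learn its residuosity from A's answer; the KC(0) protocol later in the lecture exists to close exactly that gap.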

31 Knowledge Complexity Classes
Communication is a tool for transferring/exchanging knowledge.
1. Knowledge is a notion relative to a specific model of computation.
2. One studies and gains knowledge about available objects.
Here the participant trying to increase its knowledge is polynomially bounded. The intuitive idea is that knowledge has been transmitted if, within the limits of its computational power, the verifier can distinguish between probability distributions.

38 Knowledge Complexity Classes: Distinguishers
For each $x \in I$ of size n, let $\Pi_x$ be a probability distribution over $n^c$-bit strings. $\Pi = \{\Pi_x \mid x \in I\}$ is an I-c-ensemble. A distinguisher is a probabilistic polynomial-time algorithm D that on an input string s outputs a bit b. Let $\Pi_1 = \{\Pi_{1,x} \mid x \in I\}$ and $\Pi_2 = \{\Pi_{2,x} \mid x \in I\}$ be two I-c-ensembles. Let $p^D_{x,i}$ ($i \in \{1, 2\}$) be the probability that D outputs 1 on input an $|x|^c$-bit string randomly selected according to $\Pi_{i,x}$. $\Pi_1$ and $\Pi_2$ are at most p-distinguishable, for $p : \mathbb{N} \to [0, 1]$, if for every distinguisher D, $|p^D_{x,1} - p^D_{x,2}| < p(|x|) + 1/|x|^k$ for all k and sufficiently long x. 0-distinguishability is when the two ensembles are equal with respect to any polynomial-time computation.

42 Knowledge Complexity Classes: Knowledge computable from Communication
Knowledge vs information: A sends to B n random numbers; it is n bits of information but 0 knowledge (B could have chosen n random bits by himself). Let us write $M[\cdot] = \{M[x]\}_{x \in I}$ for the ensemble of possible outputs of a probabilistic Turing machine M on input $x \in I$. Similarly $(A, B)[\cdot]$ is the ensemble associated to an interactive pair of Turing machines (A, B).
Definition. Let (A, B) be an interactive pair of Turing machines and I the set of inputs. Let B be polynomial-time and $f : \mathbb{N} \to \mathbb{N}$ be non-decreasing. A communicates at most f(n) bits of knowledge to B if there is a probabilistic polynomial-time machine M such that the I-ensembles $M[\cdot]$ and $(A, B)[\cdot]$ are at most $1 - 1/2^{f(n)}$ distinguishable. A communicates at most f(n) bits of knowledge if for all polynomial-time bounded ITMs B', A communicates at most f(n) bits of knowledge to B'.

46 Knowledge Complexity Classes: Discussion
Assume a crime x has occurred. B is a reporter and A a police officer. A tries not to communicate too much knowledge. Should B call A to know more about x?
⇒ Not if B can, with high probability, produce the same conversation about this specific x that he might have with A.
⇒ If B can generate an honest conversation with probability 1/4, it means that A tells him something he doesn't know (2 bits of information).
⇒ If B has a probability $1/2^{100}$ of generating an honest conversation, then A tells a lot of information and B should definitely call!

50 Knowledge Complexity Classes: Knowledge Complexity of a Language
How much knowledge has to be communicated to provide the proof of theorem T? ⇒ Enough to check that T is true, but normally more. In the case of quadratic residues, providing x, the square root of a, is enough. But it contains more information than the fact that a is a quadratic residue! What is going to be measured is the additional knowledge that a prover gives to the verifier.
Definition. Let L be a language possessing an interactive proof-system (A, B), and let $f : \mathbb{N} \to \mathbb{N}$ be non-decreasing. L has knowledge complexity f(n) if, when restricting the inputs of (A, B) to the strings in L, A communicates at most f(n) bits of knowledge. It is written $L \in KC(f(n))$.

51 Knowledge Complexity Classes: Knowledge Complexity of a Language, informal discussion
This definition is given for yes-instances. If $x \in L$ the verifier is convinced of that. The verifier possesses the text of the entire computation. This text has been used to check that $x \in L$ but does not contain more than f(n) bits of additional knowledge. Indeed there is a guarantee that we can generate such texts with a probability distribution that is $(1 - 1/2^{f(n)})$-indistinguishable from the real texts. If $L \in KC(0)$, then with respect to polynomial-time computation the text is irrelevant to B for any purpose other than checking that $x \in L$.

53 Interactive Proof for Nonresidue Membership is in KC(0): ZKP for Nonresidue Membership
$Q_m(y) = 0$ if y is a quadratic residue mod m, and $Q_m(y) = 1$ otherwise. $L = \{(y, m) \mid Q_m(y) = 1\}$. We look for a ZKP to prove that $L \in KC(0)$. $Q_m$ is easy to compute if m is prime, or equivalently if the factorization of m into prime factors is known. It relies on results from number theory (beyond the scope of this lecture).

54 Interactive Proof for Nonresidue Membership is in KC(0): Interactive program for Non-quadratic residue I
Input $(y, m) \in L$ and $n = \log_2 m$.
1. B chooses $r_0 \in Z_m^*$ and a random bit $C_x$. If $C_x = 0$ then $x = r_0^2 \bmod m$, else $x = y r_0^2 \bmod m$. B sends x to A. B chooses two sets $T = \{t_1, \ldots, t_n \mid t_i = r_i^2 \bmod m\}$ and $S = \{t_{n+1}, \ldots, t_{2n} \mid t_i = y r_i^2 \bmod m\}$ and sends $T \cup S$ shuffled.
2. A chooses $Z \subseteq T \cup S$ of size n and sends it to B.

55 Interactive Proof for Nonresidue Membership is in KC(0): Interactive program for Non-quadratic residue II
3. For all $z \in Z$, B sends r to A such that $z = r^2 \bmod m$ or $z = y r^2 \bmod m$. Suppose that the sizes of $T \setminus Z$ and $S \setminus Z$ differ by d. B chooses d elements $t_{i_1}, \ldots, t_{i_d}$ in the larger set and sends their respective $r_{i_j}$. B sets $X = (T \setminus Z) \setminus \{t_{i_1}, \ldots, t_{i_d}\}$ and $Y = (S \setminus Z) \setminus \{t_{i_1}, \ldots, t_{i_d}\}$, then replaces each remaining $t_i$ by a witness w:
If $x = r_0^2 \bmod m$ then $X = \{w = r_0 r_i \bmod m \mid t_i \in X\}$ (so $w^2 = x t_i \bmod m$) and $Y = \{w = y r_0 r_i \bmod m \mid t_i \in Y\}$ (so $w^2 = y x t_i \bmod m$).
If $x = y r_0^2 \bmod m$ then $X = \{w = y r_0 r_i \bmod m \mid t_i \in X\}$ (so $w^2 = y x t_i \bmod m$) and $Y = \{w = y r_0 r_i \bmod m \mid t_i \in Y\}$ (so $w^2 = x t_i \bmod m$).

56 Interactive Proof for Nonresidue Membership is in KC(0): Interactive program for Non-quadratic residue III
B sends $X \cup Y$ in random order to A.
4. A checks for all $w \in X \cup Y$ that either $w^2 = x t_i \bmod m$ or $w^2 = y x t_i \bmod m$ for some remaining $t_i$, and that $|X \cup Y| > n/3$. If not, B is trying to cheat. Otherwise A sends B the value $v = Q_m(x)$.
5. If $v \neq C_x$, B halts, having detected cheating; otherwise B iterates until n iterations have been completed (in which case B accepts $(y, m) \in L$).
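The five steps above as one runnable round, added here as an example and not the lecture's code. A's unbounded power is again modelled by knowing the factors of m; the primes 1019 and 1103, the choice of y as the smallest value that is a nonresidue modulo both factors, and the `probe` argument (a dishonest B that substitutes an arbitrary x it did not build from a known $r_0$) are constructed assumptions.

```python
"""One round of the zero-knowledge protocol for nonresiduosity (added example,
not the lecture's code). Steps 1-4 make B prove it knows a root r0 behind its
query x, so A's answer Q_m(x) tells B nothing it could not compute alone.
P, Q (hence M, N) and the `probe` cheating model are constructed."""
import random
from math import gcd

P, Q = 1019, 1103                # constructed primes, m = 1123957
M = P * Q
N = M.bit_length()               # n = log2 m: size of each of T and S


def is_qr(a, p, q):
    """Euler's criterion modulo each factor (A's 'unbounded power')."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def random_unit(m, rng):
    while True:
        r = rng.randrange(2, m)
        if gcd(r, m) == 1:
            return r


def find_nonresidue(p, q):
    """Smallest y that is a nonresidue mod both p and q (Jacobi symbol +1, the
    case that cannot be settled without the factorisation)."""
    y = 2
    while pow(y, (p - 1) // 2, p) != p - 1 or pow(y, (q - 1) // 2, q) != q - 1:
        y += 1
    return y


Y = find_nonresidue(P, Q)        # (Y, M) is in L


def verifier_step1(rng, probe=None):
    """B picks r0 and C_x, forms x, then n squares (T) and n values y*r^2 (S),
    remembering every root; `probe` models a cheating B substituting its own x."""
    r0, cx = random_unit(M, rng), rng.randrange(2)
    x = r0 * r0 % M if cx == 0 else Y * r0 * r0 % M
    if probe is not None:
        x = probe
    pool = [(r * r % M, r, "T") for r in [random_unit(M, rng) for _ in range(N)]]
    pool += [(Y * r * r % M, r, "S") for r in [random_unit(M, rng) for _ in range(N)]]
    rng.shuffle(pool)                                  # T u S sent shuffled
    return dict(r0=r0, cx=cx, x=x, pool=pool)


def prover_step2(rng):
    """A asks B to open a random half Z of the 2n values."""
    return set(rng.sample(range(2 * N), N))


def verifier_step3(state, Z, rng):
    """B opens the roots of Z, balances the leftover T and S parts, and for the
    rest sends w with w^2 = x*t (mod m) or w^2 = y*x*t (mod m)."""
    pool, r0, cx = state["pool"], state["r0"], state["cx"]
    opened = {i: pool[i][1] for i in Z}
    t_rest = [i for i in range(2 * N) if i not in Z and pool[i][2] == "T"]
    s_rest = [i for i in range(2 * N) if i not in Z and pool[i][2] == "S"]
    d = abs(len(t_rest) - len(s_rest))
    extra = set(rng.sample(t_rest if len(t_rest) > len(s_rest) else s_rest, d))
    opened.update({i: pool[i][1] for i in extra})
    x_part = [i for i in t_rest if i not in extra]
    y_part = [i for i in s_rest if i not in extra]
    witnesses = []
    for i in x_part + y_part:
        r = pool[i][1]
        # x = r0^2 and t in X: (r0 r)^2 = x t; in every other case (y r0 r)^2
        # equals y x t or x t, matching the two relations A accepts
        witnesses.append(r0 * r % M if (cx == 0 and i in x_part) else Y * r0 * r % M)
    rng.shuffle(witnesses)
    return opened, witnesses


def prover_step4(x, ts, opened, witnesses):
    """A verifies openings and witnesses; returns Q_m(x), or None if B cheats."""
    for i, r in opened.items():
        if ts[i] not in (r * r % M, Y * r * r % M):
            return None
    remaining = [ts[i] for i in range(len(ts)) if i not in opened]
    if len(witnesses) != len(remaining) or len(witnesses) <= N / 3:
        return None
    for w in witnesses:
        w2 = w * w % M
        if not any(w2 in (x * t % M, Y * x * t % M) for t in remaining):
            return None
    return 0 if is_qr(x, P, Q) else 1


def run_round(rng, probe=None):
    """Step 5 for one round: B accepts iff A answered and v == C_x."""
    state = verifier_step1(rng, probe)
    ts = [t for t, _, _ in state["pool"]]
    opened, witnesses = verifier_step3(state, prover_step2(rng), rng)
    v = prover_step4(state["x"], ts, opened, witnesses)
    return v is not None and v == state["cx"]


def run_protocol(rounds=5, seed=1, probe=None):
    rng = random.Random(seed)
    return all(run_round(rng, probe) for _ in range(rounds))
```

`run_protocol()` accepts, while `run_protocol(rounds=3, probe=12345)` returns False because A's check at step 4 fails: B cannot produce witnesses w with $w^2 \equiv x t_i$ or $y x t_i$ for a value it did not build from a known $r_0$, so A never reveals $Q_m$ of anything B could not already classify. The $|X \cup Y| > n/3$ test follows the slide; it rejects an honest B only when the random half Z is extremely unbalanced.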

61 Extension to all NP-language: ZKP for any NP-language

Thanks to the magic of NP-completeness one needs just to find a ZKP for an NP-complete problem!

Provided that one-way functions exist, any S ∈ NP has a zero-knowledge interactive proof.

Problem of Graph three colouring: given G = (V, E), is there φ : V → {1, 2, 3} such that for all (v₁, v₂) ∈ E, φ(v₁) ≠ φ(v₂)?

Repeat t = 4|E| times:
1. Prover selects a permutation π on {1, 2, 3} and commits to π(φ(i)) for every vertex i.
2. Verifier selects e = (vᵢ, vⱼ) ∈ E.
3. Prover decommits i and j sent at step one.
4. Verifier checks that the decommitment is correct and that the decommitted values are different.
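The four-step loop above, written out as an added example (it is not code from the slides or from any library). It assumes a SHA-256 hash of a random nonce and the colour as the commitment scheme, which the slide leaves unspecified, and the graph and the two colourings are constructed toy data. Each round re-randomises the colours with a fresh permutation π, which is what stops the verifier from stitching the openings of different rounds into a colouring of G.

```python
"""3-colouring zero-knowledge proof (added example; toy data, hash commitments)."""
import hashlib
import secrets

RNG = secrets.SystemRandom()


def commit(value: int):
    """Commit to a small integer: c = SHA-256(nonce || value); returns (c, nonce).
    The 16-byte random nonce makes the commitment hiding, collision resistance
    makes it binding (assumption: SHA-256 stands in for the commitment scheme)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([value])).digest(), nonce


def opens_to(c: bytes, nonce: bytes, value: int) -> bool:
    """Verifier side: does (nonce, value) open commitment c?"""
    return hashlib.sha256(nonce + bytes([value])).digest() == c


def prover_commit_round(colouring: dict):
    """Step 1: random permutation pi of {1,2,3}; commit to pi(phi(v)) per vertex."""
    perm = [1, 2, 3]
    RNG.shuffle(perm)
    pi = dict(zip((1, 2, 3), perm))
    commitments, openings = {}, {}
    for v, colour in colouring.items():
        c, nonce = commit(pi[colour])
        commitments[v] = c
        openings[v] = (nonce, pi[colour])
    return commitments, openings


def verifier_check_edge(commitments, edge, opening_i, opening_j) -> bool:
    """Step 4: both openings must match the endpoints' commitments, and the two
    revealed colours must be distinct elements of {1,2,3}."""
    i, j = edge
    nonce_i, col_i = opening_i
    nonce_j, col_j = opening_j
    return (opens_to(commitments[i], nonce_i, col_i)
            and opens_to(commitments[j], nonce_j, col_j)
            and col_i in (1, 2, 3) and col_j in (1, 2, 3)
            and col_i != col_j)


def zk_three_colouring(edges, colouring, rounds=None) -> bool:
    """Run the interactive proof, t = 4|E| rounds as on the slide.  A colouring
    with at least one monochrome edge is caught with probability >= 1/|E| per
    round (the commitments are binding), so surviving 4|E| rounds is convincing."""
    t = 4 * len(edges) if rounds is None else rounds
    for _ in range(t):
        commitments, openings = prover_commit_round(colouring)      # step 1
        edge = RNG.choice(edges)                                     # step 2
        opening_i, opening_j = openings[edge[0]], openings[edge[1]]  # step 3
        if not verifier_check_edge(commitments, edge, opening_i, opening_j):
            return False
    return True


# Constructed toy graph: triangle 0-1-2 plus a pendant vertex 3 attached to 2.
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3)]
GOOD_COLOURING = {0: 1, 1: 2, 2: 3, 3: 1}
BAD_COLOURING = {0: 1, 1: 1, 2: 1, 3: 1}   # every edge is monochrome

if __name__ == "__main__":
    print("valid colouring accepted:", zk_three_colouring(EDGES, GOOD_COLOURING))
    print("invalid colouring accepted:", zk_three_colouring(EDGES, BAD_COLOURING))
```

Note what the verifier never sees: only two colours per round, under a permutation that changes every round, so a transcript of accepted rounds can be simulated without knowing φ at all.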

67 ZKP applications: Credentials. Credential proofs

Sending login plus password exposes you to replay attacks.
One way to avoid the problem is to use some scheme with randomization and challenge/response.
It remains the case that the server knows who has logged in.
One of the features of ZKPs is that they are non-transferable. ZKPs allow one to simulate physical keys from this point of view: you can prove that you have the credentials without showing them, just as no one knows whether a physical key has been used or not.

73 ZKP applications: Credentials. Proof of Identity Based on Graph Isomorphism

Alice wants to prove her identity by showing that she knows a Hamiltonian path of a big graph G (easy to build) without revealing the path. Finding a Hamiltonian path is NP-complete.

The interactive ZKP plays like this:
Alice produces a graph H isomorphic to G.
Alice commits to H using a commitment scheme.
Bob chooses one question among:
  1. Prove the graph isomorphism between G and H.
  2. Prove the Hamiltonian path in H.
Alice complies with the question asked; first she reveals H, then:
  1. gives the isomorphism.
  2. gives the list of vertices making the Hamiltonian circuit.
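The two-question protocol above as an added example (not code from the slides). It follows the standard form of the protocol, which differs from the slide in one detail: Alice commits to every cell of the adjacency matrix of H = π(G) and, on question 2, opens only the cells on the Hamiltonian cycle rather than revealing all of H, so that Bob learns neither H nor anything about the cycle in G. Commitments are SHA-256 of a nonce and the bit (an assumption), and the graph and cycle are constructed toy data.

```python
"""Hamiltonian-cycle identification protocol (added example; toy graph)."""
import hashlib
import secrets

RNG = secrets.SystemRandom()


def commit(bit: int):
    """SHA-256(nonce || bit) commitment to one adjacency-matrix cell."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), nonce


def opens_to(c: bytes, nonce: bytes, bit: int) -> bool:
    return hashlib.sha256(nonce + bytes([bit])).digest() == c


def adjacency(n, edges):
    """Symmetric 0/1 adjacency matrix of an undirected graph on vertices 0..n-1."""
    m = [[0] * n for _ in range(n)]
    for u, v in edges:
        m[u][v] = m[v][u] = 1
    return m


def prover_commit(n, edges):
    """Alice: relabel G by a random permutation pi to get H, commit to every cell."""
    pi = list(range(n))
    RNG.shuffle(pi)
    h = adjacency(n, [(pi[u], pi[v]) for u, v in edges])
    commitments = [[None] * n for _ in range(n)]
    openings = [[None] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            commitments[i][j], nonce = commit(h[i][j])
            openings[i][j] = (nonce, h[i][j])
    return pi, commitments, openings


def answer_isomorphism(pi, openings):
    """Question 1: reveal pi and open all of H."""
    return pi, openings


def answer_cycle(pi, openings, cycle):
    """Question 2: open only the cells of the cycle as it appears in H."""
    h_cycle = [pi[v] for v in cycle]
    return {(a, b): openings[a][b]
            for a, b in zip(h_cycle, h_cycle[1:] + h_cycle[:1])}


def verify_isomorphism(n, edges, commitments, pi, openings) -> bool:
    """Bob: pi is a permutation and every cell opens to the matrix of pi(G)."""
    if sorted(pi) != list(range(n)):
        return False
    expected = adjacency(n, [(pi[u], pi[v]) for u, v in edges])
    for i in range(n):
        for j in range(n):
            nonce, bit = openings[i][j]
            if bit != expected[i][j] or not opens_to(commitments[i][j], nonce, bit):
                return False
    return True


def verify_cycle(n, commitments, opened) -> bool:
    """Bob: the opened cells are n genuine edges (bit 1) forming one cycle
    through every vertex; nothing else about H is learned."""
    if len(opened) != n:
        return False
    succ = {}
    for (a, b), (nonce, bit) in opened.items():
        if not (0 <= a < n and 0 <= b < n) or a in succ or bit != 1:
            return False
        if not opens_to(commitments[a][b], nonce, bit):
            return False
        succ[a] = b
    v, visited = 0, set()          # n distinct sources => every vertex is a key
    for _ in range(n):
        visited.add(v)
        v = succ[v]
    return v == 0 and len(visited) == n


def identify(n, edges, cycle, rounds=20) -> bool:
    """Each round Bob asks one of the two questions at random; a prover who
    knows no cycle can prepare for only one of them, so each round halves
    the chance of a successful bluff."""
    for _ in range(rounds):
        pi, commitments, openings = prover_commit(n, edges)
        if RNG.randrange(2) == 0:
            ok = verify_isomorphism(n, edges, commitments, *answer_isomorphism(pi, openings))
        else:
            ok = verify_cycle(n, commitments, answer_cycle(pi, openings, cycle))
        if not ok:
            return False
    return True


# Constructed toy graph: the 5-cycle 0-1-2-3-4-0 with two chords.
N_VERTICES = 5
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2), (1, 3)]
CYCLE = [0, 1, 2, 3, 4]            # Alice's secret Hamiltonian cycle

if __name__ == "__main__":
    print("Alice accepted:", identify(N_VERTICES, EDGES, CYCLE))
    print("wrong cycle accepted:", identify(N_VERTICES, EDGES, [0, 2, 4, 1, 3], rounds=40))
```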

77 ZKP applications: Credentials. Interactive Proofs of Knowledge [Feige et al., 1988]

Goldwasser's definition of interactive proofs of membership is based on language recognition: is x ∈ L true?
⇒ There is one bit of information leaked!
Feige, Fiat and Shamir give a more subtle definition: one may prove that he knows whether or not x ∈ L without revealing either x ∈ L or x ∉ L.
Suppose that A wants to prove that he has settled Goldbach's conjecture. A wants to convince B without giving him the proof or a counterexample.

82 ZKP applications: Credentials. Feige-Fiat-Shamir Proof of Identity: Setup

TA chooses n = pq such that n = 4r + 3 for some prime numbers p, q and number r, and publishes it.
Alice will prove to Bob that she knows whether a certain number is a quadratic residue or a non-quadratic residue modulo n.
Alice chooses k random numbers S₁, ..., S_k in Z_n.
Alice chooses I_j, j ∈ {1..k}, as ±(1/S_j²) mod n.
Alice publishes I₁, ..., I_k and keeps S₁, ..., S_k secret.

84 ZKP applications: Credentials. Feige-Fiat-Shamir Proof of Identity: Check

Repeat as many times as needed (t times):
1. Alice picks a random R and sends X = ±R² mod n.
2. Bob sends a random boolean vector (E₁, ..., E_k).
3. Alice sends Y = R · ∏_{E_j = 1} S_j mod n.
4. Bob checks X = ±Y² · ∏_{E_j = 1} I_j mod n.
Good values for zero-knowledge: k = O(log log n), t = O(log n).
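The setup and the four-step check above, as an added example (not code from the slides or from any library). The modulus is a constructed toy value; taking p and q both congruent to 3 mod 4 is the usual Blum-integer choice for this scheme and is an assumption here, and a real TA would use primes of about 1024 bits each. The block also runs an impostor who holds only guessed secrets, to show how Bob's random vector defeats him.

```python
"""Feige-Fiat-Shamir identification (added example; toy modulus, NOT secure)."""
import secrets
from math import gcd

P, Q = 1019, 1031          # constructed toy primes, both 3 mod 4 (assumption)
N = P * Q


def keygen(k, n=N):
    """Alice's setup: secrets S_1..S_k coprime to n, public I_j = ±(1/S_j^2) mod n."""
    secret, public = [], []
    for _ in range(k):
        s = secrets.randbelow(n - 2) + 2
        while gcd(s, n) != 1:                 # need S_j invertible mod n
            s = secrets.randbelow(n - 2) + 2
        sign = 1 if secrets.randbits(1) else -1
        secret.append(s)
        public.append(sign * pow(s * s % n, -1, n) % n)
    return public, secret


def alice_commit(n=N):
    """Step 1: Alice picks R, keeps it, and sends X = ±R^2 mod n."""
    r = secrets.randbelow(n - 2) + 2
    sign = 1 if secrets.randbits(1) else -1
    return r, sign * r * r % n


def bob_challenge(k):
    """Step 2: Bob's random boolean vector (E_1, ..., E_k)."""
    return [secrets.randbits(1) for _ in range(k)]


def alice_respond(r, secret, e, n=N):
    """Step 3: Y = R * prod_{E_j = 1} S_j mod n."""
    y = r
    for s, bit in zip(secret, e):
        if bit:
            y = y * s % n
    return y


def bob_check(x, y, public, e, n=N):
    """Step 4: accept iff X = ±Y^2 * prod_{E_j = 1} I_j mod n.
    For honest values everything cancels:
    Y^2 * prod I_j = R^2 * prod S_j^2 * prod (±1/S_j^2) = ±R^2."""
    v = y * y % n
    for i, bit in zip(public, e):
        if bit:
            v = v * i % n
    return x == v or x == (-v) % n


def identify(public, secret, t, n=N):
    """t rounds; a single failed check and Bob rejects.  A prover without the
    S_j only gets through a round when Bob's vector is all zeros (probability
    2^-k), which is why k and t are chosen as the slide says."""
    k = len(public)
    for _ in range(t):
        r, x = alice_commit(n)
        e = bob_challenge(k)
        y = alice_respond(r, secret, e, n)
        if not bob_check(x, y, public, e, n):
            return False
    return True


if __name__ == "__main__":
    pub, sec = keygen(k=8)
    print("Alice accepted:", identify(pub, sec, t=20))
    impostor = [(s + 1) % N for s in sec]      # guessed, wrong secrets
    print("impostor accepted:", identify(pub, impostor, t=20))
```

Bob ends up knowing only X, E and Y for each round, and can produce such triples himself by choosing Y first and solving for X, which is the sense in which he learns nothing about the S_j.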

87 ZKP applications: Group Signature [Chaum and van Heyst, 1991, Bellare et al., 2003]

Originally [Chaum and van Heyst, 1991]. A group of participants has one manager and one public key gpk. Each member i of the group has a signing key with which it can produce a signature relative to gpk. The manager has a secret key gmsk with which, given a signature σ, it can extract the identity of the member who created σ (traceability); this is impossible for anyone else (anonymity).

Security discussion: ZKP is only used in some subprotocols. The problem is to know what exactly the attack model and the definition of adversarial success are. Can the attacker see previous signatures? Can he have external information ruling out potential signers? Can he call the group manager? etc.

89 ZKP applications: Anonymous Blacklisting [Henry and Goldberg, 2011]

The problem raised by anonymous communications (like with Tor) can be the abusers: there is no way for service providers to make anonymous users accountable for their actions. Anonymous blacklisting systems (or anonymous revocation systems) cope with this problem: they make it possible to revoke the access of any user that misbehaves without revealing their identity. There is a large literature on the subject. The protocols are complex and rely heavily on blind signatures and ZKP.
⇒ Same problem as with Group Signature: hard to be convinced that it makes a fool-proof security certification.

92 Conclusion

Knowledge complexity is different from information content, computational complexity or algorithmic complexity. The terms can be misleading. Take care of the precise context and the precise list of hypotheses used when one talks about ZKP. ZKP is a very powerful tool to prove some privacy properties.


More information

Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs

Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs Chunming Tang 1, Dingyi Pei 1,2 Zhuojun Liu 3 1 Institute of Information Security of Guangzhou University, P.R.China 2 State

More information

The Laws of Cryptography Zero-Knowledge Protocols

The Laws of Cryptography Zero-Knowledge Protocols 26 The Laws of Cryptography Zero-Knowledge Protocols 26.1 The Classes NP and NP-complete. 26.2 Zero-Knowledge Proofs. 26.3 Hamiltonian Cycles. An NP-complete problem known as the Hamiltonian Cycle Problem

More information

Notes for Lecture 25

Notes for Lecture 25 U.C. Berkeley CS276: Cryptography Handout N25 Luca Trevisan April 23, 2009 Notes for Lecture 25 Scribed by Alexandra Constantin, posted May 4, 2009 Summary Today we show that the graph isomorphism protocol

More information

Lecture 26: Arthur-Merlin Games

Lecture 26: Arthur-Merlin Games CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed

More information

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R

More information

Dr George Danezis University College London, UK

Dr George Danezis University College London, UK Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets

More information

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL 1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica

More information

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Non-Interactive Zero-Knowledge Proofs of Non-Membership Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building

More information

Magic Functions. In Memoriam Bernard M. Dwork

Magic Functions. In Memoriam Bernard M. Dwork Magic Functions In Memoriam Bernard M. Dwork 1923 1998 Cynthia Dwork Moni Naor Omer Reingold Larry Stockmeyer Abstract We prove that three apparently unrelated fundamental problems in distributed computing,

More information

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Lecture 5. 1 Review (Pairwise Independence and Derandomization) 6.842 Randomness and Computation September 20, 2017 Lecture 5 Lecturer: Ronitt Rubinfeld Scribe: Tom Kolokotrones 1 Review (Pairwise Independence and Derandomization) As we discussed last time, we can

More information

Lecture Examples of problems which have randomized algorithms

Lecture Examples of problems which have randomized algorithms 6.841 Advanced Complexity Theory March 9, 2009 Lecture 10 Lecturer: Madhu Sudan Scribe: Asilata Bapat Meeting to talk about final projects on Wednesday, 11 March 2009, from 5pm to 7pm. Location: TBA. Includes

More information

Selections:! Internet voting with over-the-shoulder coercion-resistance. Jeremy Clark

Selections:! Internet voting with over-the-shoulder coercion-resistance. Jeremy Clark Selections:! Internet voting with over-the-shoulder coercion-resistance Jeremy Clark Overview We consider the problem of over-theshoulder adversaries in Internet voting We design a voting protocol resistant

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

CS151 Complexity Theory. Lecture 13 May 15, 2017

CS151 Complexity Theory. Lecture 13 May 15, 2017 CS151 Complexity Theory Lecture 13 May 15, 2017 Relationship to other classes To compare to classes of decision problems, usually consider P #P which is a decision class easy: NP, conp P #P easy: P #P

More information

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics 0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

Lecture 15: Interactive Proofs

Lecture 15: Interactive Proofs COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction

More information

Commitment Schemes and Zero-Knowledge Protocols (2011)

Commitment Schemes and Zero-Knowledge Protocols (2011) Commitment Schemes and Zero-Knowledge Protocols (2011) Ivan Damgård and Jesper Buus Nielsen Aarhus University, BRICS Abstract This article is an introduction to two fundamental primitives in cryptographic

More information

An Epistemic Characterization of Zero Knowledge

An Epistemic Characterization of Zero Knowledge An Epistemic Characterization of Zero Knowledge Joseph Y. Halpern, Rafael Pass, and Vasumathi Raman Computer Science Department Cornell University Ithaca, NY, 14853, U.S.A. e-mail: {halpern, rafael, vraman}@cs.cornell.edu

More information

Interactive protocols & zero-knowledge

Interactive protocols & zero-knowledge Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online Anthony Várilly-Alvarado Rice University Mathematics Leadership Institute, June 2010 Our Goal Today I will

More information

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits

More information

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Augmented Black-Box Simulation and Zero Knowledge Argument for NP Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of

More information

Pseudorandom Generators

Pseudorandom Generators Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators

More information

Zero-Knowledge Against Quantum Attacks

Zero-Knowledge Against Quantum Attacks Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH. CMPSCI 601: Recall From Last Time Lecture 26 Theorem: All CFL s are in sac. Facts: ITADD, MULT, ITMULT and DIVISION on -bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE

More information

Lecture 3,4: Multiparty Computation

Lecture 3,4: Multiparty Computation CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,

More information

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Analysis - Post-Quantum Security of Fiat-Shamir by Dominic Unruh Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis

More information

A An Overview of Complexity Theory for the Algorithm Designer

A An Overview of Complexity Theory for the Algorithm Designer A An Overview of Complexity Theory for the Algorithm Designer A.1 Certificates and the class NP A decision problem is one whose answer is either yes or no. Two examples are: SAT: Given a Boolean formula

More information

Multiparty Computation

Multiparty Computation Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:

More information

III. Authentication - identification protocols

III. Authentication - identification protocols III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security

More information

The Class NP. NP is the problems that can be solved in polynomial time by a nondeterministic machine.

The Class NP. NP is the problems that can be solved in polynomial time by a nondeterministic machine. The Class NP NP is the problems that can be solved in polynomial time by a nondeterministic machine. NP The time taken by nondeterministic TM is the length of the longest branch. The collection of all

More information

Interactive proof and zero knowledge protocols

Interactive proof and zero knowledge protocols Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir

More information

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1) SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the

More information

One can use elliptic curves to factor integers, although probably not RSA moduli.

One can use elliptic curves to factor integers, although probably not RSA moduli. Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties

More information

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,

More information

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach

More information

Lecture 3: Randomness in Computation

Lecture 3: Randomness in Computation Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,

More information

Lecture 20: conp and Friends, Oracles in Complexity Theory

Lecture 20: conp and Friends, Oracles in Complexity Theory 6.045 Lecture 20: conp and Friends, Oracles in Complexity Theory 1 Definition: conp = { L L NP } What does a conp computation look like? In NP algorithms, we can use a guess instruction in pseudocode:

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Turing Machines and Time Complexity

Turing Machines and Time Complexity Turing Machines and Time Complexity Turing Machines Turing Machines (Infinitely long) Tape of 1 s and 0 s Turing Machines (Infinitely long) Tape of 1 s and 0 s Able to read and write the tape, and move

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Group Undeniable Signatures

Group Undeniable Signatures Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw

More information

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il

More information

An Identification Scheme Based on KEA1 Assumption

An Identification Scheme Based on KEA1 Assumption All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

Quantum Computing Lecture 8. Quantum Automata and Complexity

Quantum Computing Lecture 8. Quantum Automata and Complexity Quantum Computing Lecture 8 Quantum Automata and Complexity Maris Ozols Computational models and complexity Shor s algorithm solves, in polynomial time, a problem for which no classical polynomial time

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

How to Go Beyond the Black-Box Simulation Barrier

How to Go Beyond the Black-Box Simulation Barrier How to Go Beyond the Black-Box Simulation Barrier Boaz Barak December 30, 2008 Abstract The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction

More information