Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
1 Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group
2 Zero-Knowledge and Interaction
ZK systems combine conflicting requirements:
- Soundness: no prover P can cheat the (honest) verifier V
- Zero-Knowledge: no info is leaked about the proven statement
Interaction is key to strike the balance:
- The ZK simulator can fake a proof transcript by creating its parts out of order
- But the actual execution is interactive, so V can witness that things happen in the right order
So how is Non-Interactive ZK possible?!
3 Non-Interactive Zero-Knowledge (NIZK)
NIZK = removing interaction from ZK:
- Can't reconcile Soundness and Zero-Knowledge without leveraging another resource, e.g., interaction
- But the other resource need not be interaction...
NIZK = replacing interaction in ZK with:
- Shared randomness ([BFM88])
- Random oracles (à la [FiSh86])
- Trusted set-up ([CLOS02])
- Correlated secret randomness ([CrDa04])
- Public-key infrastructure ([BCNP04])
4 Conventional NIZK [BFM88]
Common Random String (CRS) model:
- P and V share a fixed, random string
Pros ([BFM88], [BDMP91], [FLS90], [KiPe98]):
- Elegant model, techniques and constructions
- Efficient protocols for (a few) NP-complete problems
Cons:
- NIZKs in this model are not deniable ([Pas03])
- Efficient constructions for number-theoretic languages?
5 The Fiat-Shamir Heuristic
Originally proposed to remove interaction from (public-coin) identification schemes.
Idea: use a random oracle $H$ to replace V's challenge(s) with a hash of the (partial) transcript
- The random behavior of $H$ makes it hard for a cheating P to control the value of the challenge(s)
+ Can remove interaction from an existing ZK protocol
- NIZKs are not deniable in this model, either
- Not really provable: random oracles don't exist!
7 This Talk
Provable alternative to the Fiat-Shamir heuristic
Overview:
- Compiler for (a large subclass of) Σ-protocols
- Based on homomorphic encryption (e.g., Paillier)
- Assumes a PKI-like setting (Registered Public-Key model)
Applications:
- Threshold RSA without random oracles
- Linear NIZK protocol for Circuit Satisfiability
Comparison with [BCNP04] and [GOS05]
8 Homomorphic Encryption
Public-key encryption scheme $(E, D, KG)$, where:
- Ciphertexts form an Abelian group
- The group operation is efficiently computable
Example: Paillier's cryptosystem
- Public key: $3k$-bit RSA modulus $n$
- Private key: the factorization $n = pq$ into two primes of $1.5k$ bits each (equivalently, $\lambda(n)$; see slides 15 and 25)
- $E_n(m; r) = (1+n)^m \cdot r^n \bmod n^2$, with $m \in \mathbb{Z}_n$ and $r \in \mathbb{Z}_n^*$
- $E_n(m_1; r_1) \cdot E_n(m_2; r_2) = E_n(m_1 + m_2; r_1 r_2)$
9 Σ-Protocols
3-move, public-coin interactive proof systems on common input $x$, where P also holds a witness $w$:
- P → V: $a$
- V → P: $e$
- P → V: $z$
- Public-coin: V's challenge $e$ is just a random bitstring
- Virtually all efficient protocols have this form
10 Example: Equality of Dlogs in $\mathbb{Z}_p^*$
$L_{eqdlog}$: set of tuples $x = (p, p', g_1, g_2, h_1, h_2)$, where
- $p'$ is a $k$-bit prime s.t. $p = 2p' + 1$ is also prime
- $g_1, g_2$ have order $p'$ in $\mathbb{Z}_p^*$
- $h_1 = g_1^{w} \bmod p$, $h_2 = g_2^{w} \bmod p$, for the same $w \in \mathbb{Z}_{p'}$
$L_{dlmodn}$: set of tuples $x = (N, g_1, g_2, h_1, h_2)$ with the same properties, but w.r.t. an RSA modulus $N$
Useful in several applications
- E.g., Threshold RSA (later)
11 Σ-Protocol for $L_{eqdlog}$ ($\Sigma_{eqdlog}$)
Common input $(p, p', g_1, g_2, h_1, h_2)$; P also holds $w$.
- P: $\hat w \leftarrow_r \{0,1\}^{3k}$; $\hat h_1 = g_1^{\hat w} \bmod p$, $\hat h_2 = g_2^{\hat w} \bmod p$; sends $(\hat h_1, \hat h_2)$
- V: $e \leftarrow_r \{0,1\}^k$; sends $e$
- P: $\tilde w = \hat w + w e$ (computed over the integers); sends $\tilde w$
- V accepts iff $g_1^{\tilde w} \stackrel{?}{=} \hat h_1 h_1^{e} \pmod p$ and $g_2^{\tilde w} \stackrel{?}{=} \hat h_2 h_2^{e} \pmod p$
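The protocol above, together with the Fiat-Shamir transform of slide 5 applied to it, as an added worked example in Python (not code from the talk or its authors). All parameters are constructed toy values: k = 8, p' = 131, p = 263, g1 = 4 and g2 = 9 (both squares mod p, hence of order p'), and SHA-256 standing in for the random oracle H; the function names are this example's own. The sigma_simulate function shows the point made on slide 12: once e is known in advance, a transcript can be faked without a witness, even for a false statement, which is exactly the freedom that a real verifier's coin, or Fiat-Shamir's e = H(x, a), takes away from the prover.

```python
import hashlib
import secrets

# Constructed toy parameters (insecure): p' = 131 is prime and p = 2p' + 1 = 263 is prime.
K = 8                       # challenge length k, in bits
P_PRIME = 131               # the k-bit prime p'
P = 2 * P_PRIME + 1         # p = 263
G1, G2 = 4, 9               # squares mod p, so both have order p' in Z_p^*


def make_statement(w):
    """x = (p, p', g1, g2, h1, h2) with h1 = g1^w, h2 = g2^w: a true L_eqdlog instance."""
    return (P, P_PRIME, G1, G2, pow(G1, w, P), pow(G2, w, P))


def sigma_commit(x, k=K):
    """P's first move: w_hat <- {0,1}^{3k}; a = (g1^w_hat, g2^w_hat) mod p."""
    p, _, g1, g2, _, _ = x
    w_hat = secrets.randbelow(2 ** (3 * k))   # 3k bits: statistically hides w*e inside z
    return w_hat, (pow(g1, w_hat, p), pow(g2, w_hat, p))


def sigma_respond(w, w_hat, e):
    """P's third move: z = w_hat + w*e over the integers (linear in e)."""
    return w_hat + w * e


def sigma_verify(x, a, e, z):
    """V's check: g1^z == h1_hat * h1^e and g2^z == h2_hat * h2^e (mod p)."""
    p, _, g1, g2, h1, h2 = x
    h1_hat, h2_hat = a
    return (pow(g1, z, p) == h1_hat * pow(h1, e, p) % p
            and pow(g2, z, p) == h2_hat * pow(h2, e, p) % p)


def interactive_run(x, w, e=None):
    """One honest execution of Sigma_eqdlog; V's coin e defaults to a fresh random k-bit value."""
    w_hat, a = sigma_commit(x)
    if e is None:
        e = secrets.randbelow(2 ** K)
    return sigma_verify(x, a, e, sigma_respond(w, w_hat, e))


def sigma_simulate(x, e, k=K):
    """The ZK simulator of slide 12: fix e, pick z, then set a = (g1^z h1^-e, g2^z h2^-e).
    Needs no witness and works even for x outside L_eqdlog, which is why a real
    prover must be forced to fix a before it learns e."""
    p, _, g1, g2, h1, h2 = x
    z = secrets.randbelow(2 ** (3 * k))
    a = (pow(g1, z, p) * pow(h1, -e, p) % p,
         pow(g2, z, p) * pow(h2, -e, p) % p)
    return a, z


def fs_challenge(x, a, k=K):
    """Fiat-Shamir: e = H(x, a) truncated to k bits; SHA-256 plays the random oracle."""
    digest = hashlib.sha256(repr((x, a)).encode()).digest()
    return int.from_bytes(digest, "big") % (2 ** k)


def fs_prove(x, w):
    """Non-interactive proof (a, z): the challenge is derived from (x, a), not chosen by V."""
    w_hat, a = sigma_commit(x)
    return a, sigma_respond(w, w_hat, fs_challenge(x, a))


def fs_verify(x, proof):
    """Anyone can recompute e = H(x, a) and run the Sigma-protocol check."""
    a, z = proof
    return sigma_verify(x, a, fs_challenge(x, a), z)
```

With the toy k = 8 the cheating probability on a false statement is far from negligible (a prover who used w for h1 but h2 = g2^(w+1) passes exactly when e ≡ 0 mod p'), which is why the tests below pin e to a specific value rather than relying on a random coin; at real parameter sizes the same event has probability about 2^-k.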
12 The Role of Interaction in Σ-Protocols
(P → V: $a$; V → P: $e$; P → V: $z$)
Why 3 moves?
- Soundness hinges upon P's ability to answer V's challenge, so $z$ must depend on $e$
- The ZK simulator can fake a transcript by choosing $e$, then $z$, then $a$, so P must convince V that $a$ was generated without knowing $e$
13 NIZK via Homomorphic Encryption
Recap of requirements for Σ-protocols:
- P should send $a$ without knowing the challenge $e$
- V should get a response $z$ which depends on $e$
What if P had a homomorphic encryption $c$ of $e$?
- Semantic security prevents P from reading $e$ through $c$
- The homomorphic property allows P to tinker with $c$ and create an encrypted answer $E_{pub_V}(z)$
14 A Compilation Technique for Σ-Protocols (Compile(Σ))
Preliminarily, V publishes a (homomorphic) public key $pub_V$ and an encrypted challenge $c = E_{pub_V}(e)$, keeping $(priv_V, e)$.
Later, P (holding $x$, $w$ and $(pub_V, c)$) computes a NIZK for V as follows:
- Generate $a$
- Compute $\tilde c = E_{pub_V}(z)$ from $w$, $pub_V$, $c$ and (the coins used to prepare) $a$
- Send $(a, \tilde c)$
V (holding $x$, $(pub_V, c)$ and $(priv_V, e)$):
- Decrypt $z = D_{priv_V}(\tilde c)$
- Verify $(a, e, z)$ as before
15 Compiling $\Sigma_{eqdlog}$ using Paillier (Compile($\Sigma_{eqdlog}$))
V's key: $(n_V, \lambda(n_V))$, a $3k$-bit RSA modulus and its Carmichael function. V picks $e \leftarrow_r \{0,1\}^k$, publishes $(n_V, c)$ with $c = E_{n_V}(e)$, and keeps $(\lambda(n_V), e)$.
On common input $(p, p', g_1, g_2, h_1, h_2)$, P (holding $w$):
- $\hat w \leftarrow_r \{0,1\}^{3k}$; $\hat h_1 = g_1^{\hat w}$, $\hat h_2 = g_2^{\hat w}$ (mod $p$)
- $\tilde c = E_{n_V}(\hat w) \cdot c^{w}$ $\;(= E_{n_V}(\hat w + w e))$
- Sends $((\hat h_1, \hat h_2), \tilde c)$
V:
- $\tilde w = D_{\lambda(n_V)}(\tilde c)$
- Checks $g_1^{\tilde w} \stackrel{?}{=} \hat h_1 h_1^{e}$ and $g_2^{\tilde w} \stackrel{?}{=} \hat h_2 h_2^{e}$ (mod $p$)
16 Compilation Technique: Remarks
Applies to Σ-protocols with linear answers
- I.e., $z = (z_1, \ldots, z_t)$, and each $z_j$ is linear (over $\mathbb{Z}$) in $e$
- True for dlog-, QR- and Paillier-based Σ-protocols
Preserves the efficiency of the given Σ-protocol
Technique compatible with the OR-construction
- Given Σ-protocols for languages $L_l$ and $L_r$, obtain a Σ-protocol for the language $L_l \vee L_r$
Only verifiers need public keys
- Keys are not prover-specific
17 Compilation Technique: Security
Correctness: clear by inspection
Intuition for Zero-Knowledge:
- Use Σ's simulator to get $(a, z)$ that works with $e = D_{priv_V}(c)$
- Encrypt $\tilde c = E_{pub_V}(z)$, yielding a valid NIZK $(a, \tilde c)$
- Self-simulatable ([BCNP04]), so NIZKs are deniable
Intuition for Soundness:
- If P can find a good $(a, z)$ for a false $x$, one can recover $e$ inside $c$
Almost...
19 Soundness of Compile($\Sigma_{eqdlog}$)
Assume P cheats V with probability $\varepsilon$: given $(n, c)$, P outputs $x = (p, p', g_1, g_2, h_1, h_2)$ and $((\hat h_1, \hat h_2), \tilde c)$, where
- $h_1 = g_1^{w_1} \pmod p$, $h_2 = g_2^{w_2} \pmod p$, with $w_1 \neq w_2$
- $\hat h_1 = g_1^{\hat w_1} \pmod p$, $\hat h_2 = g_2^{\hat w_2} \pmod p$
- $z = D_{\lambda(n)}(\tilde c)$
Since (with probability $\varepsilon$) V accepts, it holds that $g_1^{z} h_1^{-e} = \hat h_1 \pmod p$ and $g_2^{z} h_2^{-e} = \hat h_2 \pmod p$, i.e., in the exponents,
$\begin{pmatrix} 1 & -w_1 \\ 1 & -w_2 \end{pmatrix} \begin{pmatrix} z \\ e \end{pmatrix} = \begin{pmatrix} \hat w_1 \\ \hat w_2 \end{pmatrix} \pmod{p'}$,
a system that is non-singular because $w_1 \neq w_2$, so $e \bmod p'$ can be solved for once the discrete logs $w_1, w_2, \hat w_1, \hat w_2$ are known
20 Soundness of Compile($\Sigma_{eqdlog}$) (cont'd)
Hence, one can invert Paillier on a $3k$-bit modulus in approximately the time needed to compute dlogs modulo a $k$-bit prime.
- The best known algorithm to invert Paillier is to first factor $n$
- State of the art for both factoring and dlogs on $k$-bit inputs is $\exp((c + o(1))\, k^{1/3} \log^{2/3} k)$, where $c < 2$
- Choosing the Paillier modulus larger than the dlog prime, $\varepsilon$ can be made negligible (Complexity Leveraging)
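The compiler of slides 14 and 15 applied to $\Sigma_{eqdlog}$, together with the challenge-extraction step behind the soundness argument of slides 19 and 20, as an added worked example in Python (not code from the talk or its authors). Everything in it is constructed toy material: the 8-bit group of slide 10 (p' = 131, p = 263, g1 = 4, g2 = 9) and a Paillier modulus n = 5003 · 5009 sized only so that the integer response ŵ + we fits below n; the function names are this example's own. The forging routine models a prover that already knows e, which is the event the reduction shows cannot occur without breaking Paillier: feeding such a prover's first message to the extractor returns e using public data alone.

```python
import math
import secrets

# Constructed toy parameters (insecure). Dlog group of slide 10 with k = 8: p' = 131,
# p = 2p' + 1 = 263, g1 = 4 and g2 = 9 of order p'. Paillier modulus n = 5003 * 5009
# (about 2^24.6): every response w_hat + w*e with w_hat < 2^(3k) = 2^24, w < p', e < 2^k
# is below n, so decryption returns the exact integer (the "linear over Z" point of slide 16).
K = 8
P_PRIME, P = 131, 263
G1, G2 = 4, 9
PAILLIER_P, PAILLIER_Q = 5003, 5009


# --- Paillier (slide 8): pk = n, sk = lambda(n); E_n(m; r) = (1+n)^m * r^n mod n^2 ---
def paillier_keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda(n) = lcm(p-1, q-1)
    assert math.gcd(n, lam) == 1                         # needed for decryption below
    return n, lam

def paillier_encrypt(n, m):
    while True:                                           # r uniform in Z_n^*
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    n2 = n * n
    return pow(1 + n, m, n2) * pow(r, n, n2) % n2

def paillier_decrypt(n, lam, c):
    u = pow(c, lam, n * n)                                # = 1 + lam*m*n (mod n^2)
    return (u - 1) // n * pow(lam, -1, n) % n

def paillier_add(n, c1, c2):
    """E(m1) * E(m2) = E(m1 + m2): the group operation on ciphertexts."""
    return c1 * c2 % (n * n)

def paillier_scale(n, c, w):
    """E(m)^w = E(w * m): repeated group operation, used for the term w*e."""
    return pow(c, w, n * n)


# --- V's registered key (slide 14): pub_V = (n, c = E_n(e)), priv_V = (lambda(n), e) ---
def verifier_setup(e, p=PAILLIER_P, q=PAILLIER_Q):
    n, lam = paillier_keygen(p, q)
    return (n, paillier_encrypt(n, e)), (lam, e)


# --- Compile(Sigma_eqdlog), slide 15 ---
def nizk_prove(pub, x, w, k=K):
    n, c = pub
    p, _, g1, g2, _, _ = x
    w_hat = secrets.randbelow(2 ** (3 * k))
    a = (pow(g1, w_hat, p), pow(g2, w_hat, p))
    # c_tilde = E(w_hat) * c^w = E(w_hat + w*e): P answers a challenge it cannot read
    c_tilde = paillier_add(n, paillier_encrypt(n, w_hat), paillier_scale(n, c, w))
    return a, c_tilde

def nizk_verify(pub, priv, x, proof):
    n, _ = pub
    lam, e = priv
    p, _, g1, g2, h1, h2 = x
    (h1_hat, h2_hat), c_tilde = proof
    z = paillier_decrypt(n, lam, c_tilde)                 # the Sigma-protocol response
    return (pow(g1, z, p) == h1_hat * pow(h1, e, p) % p
            and pow(g2, z, p) == h2_hat * pow(h2, e, p) % p)


# --- Soundness (slide 19): an accepting proof of a false statement reveals e mod p' ---
def dlog(g, h, p, order):
    """Brute-force dlog, affordable only because p is tiny: the k-bit dlog of slide 20."""
    for i in range(order):
        if pow(g, i, p) == h:
            return i
    raise ValueError("no discrete log")

def recover_challenge(x, a):
    """From x = (p, p', g1, g2, g1^w1, g2^w2), w1 != w2, and a = (g1^w1_hat, g2^w2_hat) of an
    accepting proof, solve z = w1_hat + w1*e = w2_hat + w2*e (mod p') for e. Only public
    data is used, no Paillier secret key, so this breaks the hiding of c."""
    p, pp, g1, g2, h1, h2 = x
    w1, w2 = dlog(g1, h1, p, pp), dlog(g2, h2, p, pp)
    w1_hat, w2_hat = dlog(g1, a[0], p, pp), dlog(g2, a[1], p, pp)
    if w1 == w2:
        raise ValueError("statement is true; the linear system is singular")
    return (w1_hat - w2_hat) * pow(w2 - w1, -1, pp) % pp

def forge_with_known_e(pub, x, w1, w2, e, k=K):
    """A prover that somehow learned e can pass for the false statement h1 = g1^w1,
    h2 = g2^w2 (w1 != w2) by shaping its second commitment to e."""
    n, _ = pub
    p, pp, g1, g2, _, _ = x
    w1_hat = secrets.randbelow(2 ** (3 * k))
    w2_hat = (w1_hat + (w1 - w2) * e) % pp
    a = (pow(g1, w1_hat, p), pow(g2, w2_hat, p))
    return a, paillier_encrypt(n, w1_hat + w1 * e)
```

Because Paillier's message space is $\mathbb{Z}_n$, a deployment has to make sure that every response component (each $z_j$ of slide 16) stays below $n_V$; otherwise decryption returns a wrapped value and an honest proof is rejected. The toy modulus above was sized for that, and the talk's pairing of a $3k$-bit modulus with a $3k$-bit $\hat w$, $k$-bit $e$ and $w < p'$ is the same consideration at scale.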
21 The Registered Public-Key Model
Parties interact with an ideal registration functionality $F_{Reg}^{KS}$, where KS is the key setup algorithm (the original slides 21–23 are three animation frames of this exchange):
- V → $F_{Reg}^{KS}$: (Reg, Coins); the functionality then 1. computes $(pub_V, priv_V) \leftarrow KS(Coins)$ and 2. stores $(V, pub_V)$
- P → $F_{Reg}^{KS}$: (Rtrv, V); the functionality looks up $(V, pub_V)$ and returns $pub_V$ to P
24 The Registered Public-Key Model (cont'd)
V's registration with $F_{Reg}^{KS}$ is implementable (under a standard PKI) via a ZK proof of knowledge to the CA
- Inefficient for a generic key setup algorithm
+ Can be done efficiently for our Paillier-based compiler
25 Implementing the Key Setup
Recall: $|p| = |q| = 1.5k$, $n = pq$, $e \in [0, 2^k)$, $c = (1+n)^e r^n \bmod n^2$, $(pub_V, priv_V) = ((n, c), (p, e))$
High-level protocol between V and the CA:
- Step 0: V sends $(n, c)$ to the CA
- Step 1: V proves to the CA that $n$ is well-formed
- Step 2: V proves knowledge of the value $e$ hidden within $c$, and that $e$ lies in the specified interval
26 Implementing the Key Setup (cont'd)
Proving well-formedness of the modulus:
1. V proves $n = p^i q^j$ for primes $p \equiv q \equiv 3 \pmod 4$ and $i, j$ odd ([GrPe87])
2. To ensure $i = j = 1$, the CA chooses (a few) random elements in $\mathbb{Z}_n$, and V shows (in ZK) that they have $n$-th roots mod $n$ (succeeds w.h.p. if $\gcd(n, \varphi(n)) = 1$, fails w.h.p. otherwise)
Proving knowledge and range-property of $e$:
1. V creates an integer commitment $Com$ to $e$, and proves knowledge of the value hidden in $Com$ [DaFu02]
2. V proves membership in the range using Boudot's protocol
3. V shows that $Com$ and $c$ hide the same value $e$
27 Auxiliary Σ-Protocol for the Key Setup
Common input: $(c, n, Com, G, H, N)$, where $G, H, N$ are chosen by the CA.
V's secret: $(e, r, s)$ with $e \leftarrow_r \{0,1\}^k$, $s \leftarrow_r \{0,1\}^{2k}$, $r \leftarrow_r \mathbb{Z}_n^*$, $c = (1+n)^e r^n \bmod n^2$, $Com = G^e H^s \bmod N$.
- V: $\hat e \leftarrow_r \{0,1\}^{3k}$, $\hat s \leftarrow_r \{0,1\}^{4k}$, $\hat r \leftarrow_r \mathbb{Z}_n^*$; $\hat c = (1+n)^{\hat e} \hat r^{n} \bmod n^2$, $\widehat{Com} = G^{\hat e} H^{\hat s} \bmod N$; sends $(\hat c, \widehat{Com})$
- CA: $t \leftarrow_r \{0,1\}^k$; sends $t$
- V: $\tilde e = \hat e + e t$, $\tilde s = \hat s + s t$, $\tilde r = \hat r \, r^{t} \bmod n$; sends $(\tilde e, \tilde s, \tilde r)$
- CA checks $(1+n)^{\tilde e} \tilde r^{n} \stackrel{?}{=} \hat c \, c^{t} \pmod{n^2}$ and $G^{\tilde e} H^{\tilde s} \stackrel{?}{=} \widehat{Com} \cdot Com^{t} \pmod N$
28 Applications
- Threshold RSA without random oracles
- Non-interactive bit-commitment scheme
- Linear NIZK for Circuit Satisfiability without random oracles
29 Threshold RSA w/o Random Oracles
Dealer D and servers $S_1, \ldots, S_l$; each $S_i$ holds $(v_i, a_i)$, and $(b, u)$ are public.
1. Generate $N = pq$, $p = 2p' + 1$, $q = 2q' + 1$, with $p', q'$ $k$-bit primes
2. Choose signing/verification exponents $(a, b)$
3. Split $a$ into $l$ server shares $a_1, \ldots, a_l$
4. Publish a random value $u \in \mathbb{Z}_N^*$ along with $v_i = u^{a_i} \bmod N$
30 Threshold RSA w/o Random Oracles (cont'd)
Each server $S_i$ computes $y_i = x^{a_i} \bmod N$ and $\pi_i = \mathrm{NIZK}\{(N, u, v_i, x, y_i) \in L_{dlmodn}\}$.
Client:
1. Send the message $x$ to be signed to all servers
2. Upon receiving $(y_i, \pi_i)$ from server $S_i$: if $\pi_i$ is valid, mark $y_i$ "valid"; otherwise, mark $y_i$ "invalid"
3. Once $(l+1)/2$ valid shares $y_i$ have been collected, reconstruct $y$ and check $y^{b} \stackrel{?}{=} x \pmod N$
31 Threshold RSA w/o Random Oracles (cont'd)
Σ-protocol for $L_{dlmodn}$ analogous to $\Sigma_{eqdlog}$
- In particular, it is linear, so we can apply our compiler
A cheating server $S_i$ does not learn whether the client accepted the NIZK $\pi_i$ for its signature share $y_i$
- The client only uses NIZKs to pick valid shares
- So single-theorem soundness is enough
32 Application: Non-Interactive Bit Commitments
Apply the OR-construction to two copies of $L_{eqdlog}$
- Get $L_{1out2}$ with statements $x = (p, p', g_1, g_2^{(0)}, g_2^{(1)}, h_1, h_2)$ s.t. $(p, p', g_1, g_2^{(0)}, h_1, h_2) \in L_{eqdlog}$ $\vee$ $(p, p', g_1, g_2^{(1)}, h_1, h_2) \in L_{eqdlog}$
Commit to $b \in \{0,1\}$ with a statement $x$ that uses $g_2^{(b)}$
- Can prove validity of $x$ with a NIZK that $x \in L_{1out2}$
- Can open $x$ to the committed bit via $L_{eqdlog}$
Can also prove relations among committed bits
- Further application of the OR-construction
33 Application: Circuit Satisfiability
Goal: prove knowledge of an input s.t. circuit $C$ outputs 1
- P knows an assignment to the input wires
For each gate of $C$, P includes
- NI commitments to the gate's input and output wires
- A NIZK proof of consistency of input and output wires
P also opens the commitment to $C$'s global output to 1
Remark: size of the NIZK is $O(ks|C|)$ (Linear ZK)
34 Comparison with NIZKs from [BCNP04]
Same set-up assumption (Registered PK model)
- NIZKs are deniable, as in our case
Based on ZAPs + CCA2-encryption
UC-secure, but not very efficient
No efficient NIZKs for practical languages
35 Comparison with NIZKs of [GOS05]
Common Reference String model
- Trusted set-up assumption
- No deniability
Uses bilinear maps on hyperelliptic curves of composite order
- Subgroup Decision Problem ([BGN05])
NIZK for Circuit Satisfiability as efficient as ours
Practical applications? (Cook-Levin reduction)
- In particular, not a compiler
36 Thanks!
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More information1 Recap: Interactive Proofs
Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationCS 355: TOPICS IN CRYPTOGRAPHY
CS 355: TOPICS IN CRYPTOGRAPHY DAVID WU Abstract. Preliminary notes based on course material from Professor Boneh s Topics in Cryptography course (CS 355) in Spring, 2014. There are probably typos. Last
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationUniversally Verifiable Multiparty Computation from Threshold Homomorphic Cryptosystems
Universally Verifiable Multiparty Computation from Threshold Homomorphic Cryptosystems Berry Schoenmakers and Meilof Veeningen Dept of Mathematics & Computer Science TU Eindhoven, The Netherlands berry@win.tue.nl,
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationImproved Non-Committing Encryption Schemes based on a General Complexity Assumption
Improved Non-Committing Encryption Schemes based on a General Complexity Assumption Ivan Damgård and Jesper Buus Nielsen BRICS Department of Computer Science University of Aarhus Ny Munkegade DK-8000 Arhus
More informationRSA and Rabin Signatures Signcryption
T-79.5502 Advanced Course in Cryptology RSA and Rabin Signatures Signcryption Alessandro Tortelli 26-04-06 Overview Introduction Probabilistic Signature Scheme PSS PSS with message recovery Signcryption
More informationModulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain
Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Bart Mennink (K.U.Leuven) Joint work with: Jorge Guajardo (Philips Research Labs) Berry Schoenmakers (TU Eindhoven)
More information