George Danezis Microsoft Research, Cambridge, UK
|
|
- Lewis Dickerson
- 5 years ago
- Views:
Transcription
1 George Danezis Microsoft Research, Cambridge, UK
2 Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets allow you to use cinema / train Bars require customers to be older than 18 But do you want the barman to know your address?
3 Usual way: Identity provider certifies attributes of a subject. Identity consumer checks those attributes Match credential with live person (biometric) Examples: E-passport: signed attributes, with lightweight access control. Attributes: nationality, names, number, pictures,... Identity Cards: signatures over attributes Attributes: names, date of birth, picture, address,...
4 The players: Issuer (I) = Identity provider Prover (P) = subject Verifier (V) = identity consumer Properties: The prover convinces the verifier that he holds a credential with attributes that satisfy some boolean formula: Simple example age=18 AND city=cambridge Prover cannot lie Verifier cannot infer anything else aside the formula Anonymity maintained despite collusion of V & I
5 1. Issuing protocol: Prover gets a certified credential. Issuer Passport Issuing Authority Name=Peggy, age=25, address=cambridge, Status=single Cannot learn anything beyond age Prover Peggy 2. Showing Protocol: Prover makes assertions about some attributes age=25 Verifier Victor (Bar staff Checking age)
6 Single-show credential (Brands & Chaum) Blind the issuing protocol Show the credential in clear Multiple shows are linkable BAD Protocols are simpler GOOD We will Focus on these Multi-show (Camenisch & Lysyanskaya) Random oracle free signatures for issuing (CL) Blinded showing Prover shows that they know a signature over a particular ciphertext. Cannot link multiple shows of the credential More complex no implementations
7 Cryptographic preliminaries The discrete logarithm problem Schnorr s Identification protocol Unforgeability, simulator, Fiat-Shamir Heuristic Generalization to representation Showing protocol Linear relations of attributes AND-connective Issuing protocol Blinded issuing
8 Assume p a large prime (>1024 bits 2048 bits) Detail: p = qr+1 where q also large prime Denote the field of integers modulo p as Z p Example with p=5 Addition works fine: 1+2 = 3, 3+3 = 1,... Multiplication too: 2*2 = 4, 2*3 = 1,... Exponentiation is as expected: 2 2 = Choose g in the multiplicative group of Z p Such that g is a generator Example: g=
9 Exponentiation is computationally easy: Given g and x, easy to compute g x But logarithm is computationally hard: Given g and g x, difficult to find x = log g g x If p is large it is practically impossible Related DH problem Given (g, g x, g y ) difficult to find g xy Stronger assumption than DL problem
10 Efficient to find inverses Given c easy to calculate g -c mod p (p-1) c mod p-1 Efficient to find roots Given c easy to find g 1/c mod p c (1/c) = 1 mod (p-1) Note the case N=pq (RSA security) No need to be scared of this field.
11 Exemplary of the zero-knowledge protocols credentials are based on. Players Public g a generator of Z p Prover knows x (secret key) Verifier knows y = g x (public key) Aim: the prover convinces the verifier that she knows an x such that g x = y Zero-knowledge verifier does not learn x! Why identification? Given a certificate containing y
12 Knows: x Public: g, p Knows: y=g x P->V: g w = a (witness) Peggy (Prover) Random: w V->P: c P->V: cx+w = r (challenge) (response) Victor (Verifier) Check: g r = y c a g cx+w = (g x ) c g w
13 Assume that Peggy (Prover) does not know x? If, for the same witness, Peggy forges two valid responses to two of Victor s challenges r 1 = c 1 x + w r 2 = c 2 x + w Then Peggy must know x 2 equations, 2 unknowns (x,w) can find x
14 The verifier learns nothing new about x. How do we go about proving this? Verifier can simulate protocol executions On his own! Without any help from Peggy (Prover) This means that the transcript gives no information about x How does Victor simulate a transcript? (Witness, challenge, response)
15 Need to fake a transcript (g w, c, r ) Simulator: Trick: do not follow the protocol order! First pick the challenge c Then pick a random response r Then note that the response must satisfy: g r = (g x ) c g w -> g w = g r / (g x ) c Solve for g w Proof technique for ZK but also important in constructions (OR)
16 Schnorr s protocol Requires interaction between Peggy and Victor Victor cannot transfer proof to convince Charlie (In fact we saw he can completely fake a transcript) Fiat-Shamir Heuristic H[ ] is a cryptographic hash function Peggy sets c = H[g w ] Note that the simulator cannot work any more g w has to be set first to derive c Signature scheme Peggy sets c = H[g w, M]
17 Traditional Schnorr For fixed g, p and public key h = g x Peggy proves she knows x such that h = g x General problem Fix prime p, generators g 1,..., g l Public key h =g 1 x 1g2 x 2... gl x l Peggy proves she knows x 1,..., x l such that h =g 1 x 1 g 2 x 2... g l x l
18 Knows: x 1,..., x l Public: g, p Knows: h = g 1 X1 g 2 X2... g l Xl Peggy (Prover) l random: w i P->V: 0<i<l g w i = a (witness) V->P: c (challenge) Victor (Verifier) r i = cx i +w i P->V: r 1,..., r l Check: ( 0<i<l g i r i) = hc a (response) Let s convince ourselves: ( 0<i<l g i r i ) = ( 0<i<l g i x i ) c ( 0<i<l g w i) = h c a
19 Knows: x 1,..., x l Public: g, p Knows: h = g 1 X1 g 2 X2... g l Xl Peggy (Prover) l random: w i P->V: 0<i<l g w i = a (witness) V->P: c (challenge) Victor (Verifier) r i = cx i +w i P->V: r 1,..., r l Check: ( 0<i<l g i r i) = hc a (response) Lets convince ourselves: ( 0<i<l g i r i ) = ( 0<i<l g i x i ) c ( 0<i<l g w i) = h c a
20 Relation to DL representation Credential representation: Attributes x i Credential h =g 1 X1 g 2 X2... g l Xl, Sig Issuer (h) Credential showing protocol Peggy gives the credential to Victor Peggy proves a statement on values x i X age = 28 AND x city = H[Cambridge] Merely DL rep. proves she knows x i
21 Remember: Attributes x i, i = 1,...,4 Credential h =g 1 x 1g2 x 2 g3 x 3 g 4 x 4, Sig Issuer (h) Example relation of attributes: (x 1 + 2x 2 10x 3 = 13) AND (x 2 4x 3 = 5) Implies: (x 1 = 2x 3 +3) AND (x 2 = 4x 3 +5) Substitute into h h = g 1 2x 3 +3 g 2 4x 3 +5 g 3 x 3 g4 x 4= (g13 g 25 )(g 12 g 24 g 3 ) x 3 g4 x 4 Implies: h / (g 13 g 25 ) = (g 12 g 24 g 3 ) x 3 g4 x 4
22 Example (continued) (x 1 + 2x 2 10x 3 = 13) AND (x 2 4x 3 = 5) Implies: h / (g 13 g 25 ) = (g 12 g 24 g 3 ) x 3 g4 x 4 How do we prove that in ZK? DL representation proof! h = h / (g 13 g 25 ) g 1 = g 12 g 24 g 3 g 2 = g 4 Prove that you know x 3 and x 4 such that h = (g 1 ) x 3 (g2 ) x 4
23 Knows: x 1, x 2, x 3, x 4 Public: g, p Knows: h = g 1 X1 g 2 X2 g 3 X3 g 4 X4 random: w 1, w 2 Peggy (Prover) P->V: g 1 w 1 g2 w 2 = a V->P: c (witness) (challenge) Victor (Verifier) r 1 = cx 3 +w 1 r 2 = cx 4 +w 2 P->V: r 1, r 2 Check: (g 1 ) r 1 (g2 ) r 2 = (h )c a (response)
24 Reminder h = g 1 X1 g 2 X2 g 3 X3 g 4 X4 h = h / (g 13 g 25 ) g 1 = g 12 g 24 g 3 g 2 = g 4 a = g 1 w 1 g2 w 2 r 1 = cx 3 +w 1 r 2 = cx 4 +w 1 Check: (g 1 ) r 1 (g2 ) r 2 = (h )c a => (g 1 ) (cx 3+w 1) (g 2 ) (cx 4+w 1) = (h / (g 13 g 25 )) c g 1 w 1 g 2 w 2 => (g 1 2x 3 +3 g 2 4x 3 +5 g 3 x 3g4 x 4) = h x 1 x 2
25 Showing any relation implies knowing all attributes. Can make non-interactive (message m) c = H[h, m, a ] Other proofs: (OR) connector (simple concept) (x age =18 AND x city =H[Cambridge]) OR (x age =15) (NOT) connector Inequality (x age > 18) (Yao s millionaire protocol)
26 Standard tools Schnorr ZK proof of knowledge of discrete log. DL rep. ZK proof of knowledge of representation. Credential showing representation + certificate ZK proof of linear relations on attributes (AND) More reading: (OR), (NOT), Inequality
27 1. Issuing protocol: Prover gets a certified credential. Issuer Cannot learn anything Prover Credential h =g 1 X1 g 2 X2... g l Xl Sig Issuer (h) 2. Showing Protocol: Prover makes assertions about some attributes Verifier
28 Prover cannot falsify a credential Unlinkability Issuer cannot link a showing transcript to an instance of issuing h, Sig issuer (h) have to be unlinkable to issuing Achieving unlinkability Issuer s view: h = g 1 X1 g 2 X2...g l Xl Prover uses: h = g 1 X1 g 2 X2...g l Xl g 0 a 1
29 Knows: x 1, x 2,..., x l Public: g, p Knows: x 1, x 2,..., x l Private: x 0, (y 1,..., y l ) Public: h 0 = g x 0, g i = g y i Rand: w 0 I->P: g w 0 = a0 (witness) Prover Issuer P->I: c 0 (challenge) Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 r 0 = c 0 (x 0 + i x i y i ) +w 0 I->P: r 0 (response) Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1
30 Knows: x 1, x 2,..., x l Public: g, p Knows: x 1, x 2,..., x l Private: x 0, (y 1,..., y l ) Public: h 0 = g x 0, g i = g y i Rand: w 0 I->P: g w 0 = a0 (witness) Prover Issuer Non interactive signature: c 0 = H[h, a 0 ] P->I: c 0 (challenge) Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 r 0 = c 0 (x 0 + i x i y i ) +w 0 I->P: r 0 (response) ZK knowledge proof of the representation of h 0 h = g x 0 gi x i Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 = g (x 0 + i x i y i ) : just Schnorr!
31 Public: g, p, h 0 = g x 0, g i = g y i Knows: x 1, x 2,..., x l I->P: g w 0 = a0 (witness) P->I: c 0 (challenge) I->P: r 0 (response) Prover Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 Schnorr Verification: Issuer knows the representation of (h 0 h)! Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0]
32 Public: g, p, h 0 = g x 0, g i = g y i Knows: x 1, x 2,..., x l I->P: g w 0 = a0 (witness) Prover P->I: c 0 (challenge) I->P: r 0 (response) Unlinkable Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 1) Set c 0 2) Get r 0 such that... Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] My Goal
33 Public: g, p, h 0 = g x 0, g i = g y i Knows: x 1, x 2,..., x l I->P: g w 0 = a0 (witness) Prover Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3? (response) Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 Credential: h = g a 1 g x i i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] P->I: c 0 (challenge) I->P: r 0
34 Goal: c 0 = H[h, g a 2 (h0 h) a 3 a0 ] = H[h, g r 0 (h0 h ) -c 0 ] So g a 2(h 0 h) a 3a 0 = g r 0(h 0 h ) -c 0 must be true Lets follow: g r 0(h 0 h ) -c 0 = g a 2(h 0 h) a 3a 0 g (r 0 + a 2 + c 0 a 1) (h 0 h) -(c 0+a 3) g -c 0a 1 = g a 2 (h 0 h) a 3 a 0 (g r 0 (h0 h) -c 0) (g a 2(h 0 h) a 3 ) = (g a 2(h 0 h) a 3 ) a 0 Substitute r 0 and c 0 TRUE
35 Issuer sees: c o, r 0, h Such that g r o = (h0 h) c 0 a0 Verifier sees: c 0, r 0, h Relation: Random: a 1, a 2, a 3 h = h g a 1 c 0 = c 0 + a 3 r 0 = r 0 + a 2 + c 0 a 1 Even if they collude they cannot link the credential issuing and showing
36 Authentication between Issuer and Peggy Need to check that Peggy has the attributes requested Issuing protocol should not be run in parallel! (simple modifications are required)
37 Putting it all together: Issuer and Peggy run the issuing protocol. Peggy gets: Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] Peggy and Victor run the showing protocol Victor checks the validity of the credential first Peggy shows some relation on the attributes (Using DL-rep proof on h )
38 Credential issuing Proof of knowledge of DL-rep & x 0 of issuer Peggy assists & blinds proof to avoid linking Further topics Transferability of credential Double spending
39 Attribute based access control Federated identity management Electronic cash (double spending) Privacy friendly e-identity Id-cards & e-passports Multi-show credentials!
40 Core: Claus P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4: , Stefan Brands. Rethinking public key infrastructures and digital certificates building in privacy. MIT Press. More: Jan Camenisch and Markus Stadler. Proof systems for general statements about discrete logarithms. Technical report TR 260, Institute for Theoretical Computer Science, ETH, Zurich, March Jan Camenisch and Anna Lysianskaya. A signature scheme with efficient proofs. (CL signatures)
41 Peggy wants to prove (A OR B) Say A is true and B is false Simple modification of Schnorr Peggy sends witness Victor sends commitment c Peggy uses simulator for producing a response r B for B (That sets a particular c B ) Peggy chooses c A such that c = c A + c B Then she produces the response r A for A Key concept: simulators are useful, not just proof tools!
42 Designated verifier proof A OR knowledge of verifier s key Simulate the second part Third parties do nor know if A is true or the statement has been built by the designated verifier! Non-interactive proof not transferable!
Dr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi, Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. We define and propose an efficient and provably secure
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationAnonymous Credential Schemes with Encrypted Attributes
Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi Brown University foteini@cs.brown.edu Anna Lysyanskaya Brown University anna@cs.brown.edu ABSTRACT We define and propose an efficient and provably secure construction
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationAn Anonymous Authentication Scheme for Trusted Computing Platform
An Anonymous Authentication Scheme for Trusted Computing Platform He Ge Abstract. The Trusted Computing Platform is the industrial initiative to implement computer security. However, privacy protection
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationImproved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials
Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials Amira Barki, Solenn Brunet, Nicolas Desmoulins and Jacques Traoré August 11th, 2016 Selected Areas in Cryptography SAC 2016
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationEfficient Group Signatures without Trapdoors
Efficient Group Signatures without Trapdoors Giuseppe Ateniese and Breno de Medeiros The Johns Hopkins University Department of Computer Science Baltimore, MD 21218, USA ateniese@cs.jhu.edu, breno.demedeiros@acm.org
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationA METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES
Mathematica Moravica Vol. 7 (2003), 51 59 A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES Constantin Popescu Abstract. A group signature scheme allows any group member to sign on behalf of the group
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationA Fully-Functional group signature scheme over only known-order group
A Fully-Functional group signature scheme over only known-order group Atsuko Miyaji and Kozue Umeda 1-1, Asahidai, Tatsunokuchi, Nomi, Ishikawa, 923-1292, Japan {kozueu, miyaji}@jaist.ac.jp Abstract. The
More informationConvertible Group Undeniable Signatures
Convertible Group Undeniable Signatures Yuh-Dauh Lyuu 1 and Ming-Luen Wu 2 1 Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, Taiwan lyuu@csie.ntu.edu.tw
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationAccumulators and U-Prove Revocation
Accumulators and U-Prove Revocation Tolga Acar 1, Sherman S.M. Chow 2, and Lan Nguyen 3 1 Intel Corporation tolga.acar@intel.com 2 Microsoft Research lan.duy.nguyen@microsoft.com 3 Department of Information
More informationCryptology. Vilius Stakėnas autumn
Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................
More informationGroup Blind Digital Signatures: A Scalable Solution to Electronic Cash
Group Blind Digital Signatures: A Scalable Solution to Electronic Cash Anna Lysyanskaya 1 and Zulfikar Ramzan 1 Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge MA 02139,
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationIII. Authentication - identification protocols
III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationDirect Anonymous Attestation
Direct Anonymous Attestation Ernie Brickell Intel Corporation ernie.brickell@intel.com Jan Camenisch IBM Research jca@zurich.ibm.com Liqun Chen HP Laboratories liqun.chen@hp.com February 11, 2004 Abstract
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationA Direct Anonymous Attestation Scheme for Embedded Devices
A Direct Anonymous Attestation Scheme for Embedded Devices He Ge 1 and Stephen R. Tate 2 1 Microsoft Corporation, One Microsoft Way, Redmond 98005 hege@microsoft.com 2 Department of Computer Science and
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationUnlinkable Divisible Electronic Cash
Unlinkable Divisible Electronic Cash Toru Nakanishi and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University, 3-1-1 Tsushimanaka, Okayama 700-8530,
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationRZ 3730 (# 99740) 03/19/2009 Revised version: 04/29/2010 Computer Science 48 pages. Specification of the Identity Mixer Cryptographic Library
RZ 3730 (# 99740) 03/19/2009 Revised version: 04/29/2010 Computer Science 48 pages Research Report Specification of the Identity Mixer Cryptographic Library Version 2.3.0* Security Team** Computer Science
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationPAIRING-BASED IDENTIFICATION SCHEMES
PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationA Practical and Provably Secure Coalition-Resistant Group Signature Scheme
A Practical and Provably Secure Coalition-Resistant Group Signature Scheme Giuseppe Ateniese 1, Jan Camenisch 2, Marc Joye 3, and Gene Tsudik 4 1 Department of Computer Science, The Johns Hopkins University
More informationThe Cramer-Shoup Strong-RSA Signature Scheme Revisited
The Cramer-Shoup Strong-RSA Signature Scheme Revisited Marc Fischlin Johann Wolfgang Goethe-University Frankfurt am Main, Germany marc @ mi.informatik.uni-frankfurt.de http://www.mi.informatik.uni-frankfurt.de/
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationThreshold Undeniable RSA Signature Scheme
Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationBorromean Ring Signatures
Borromean Ring Signatures Gregory Maxwell, Andrew Poelstra 2015-06-02 (commit 34241bb) Abstract In 2002, Abe, Ohkubo, and Suzuki developed a new type of ring signature based on the discrete logarithm problem,
More informationGQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks
GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks [Mihir Bellare, Adriana Palacio] Iliopoulos Fotis School of Electrical and Computer Engineering
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationUniversal Accumulators with Efficient Nonmembership Proofs
Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li 1, Ninghui Li 2, and Rui Xue 3 1 Intel Corporation jiangtao.li@intel.com 2 Purdue University ninghui@cs.purdue.edu 3 University of
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationAdditive Combinatorics and Discrete Logarithm Based Range Protocols
Additive Combinatorics and Discrete Logarithm Based Range Protocols Rafik Chaabouni 1 Helger Lipmaa 2,3 abhi shelat 4 1 EPFL LASEC, Switzerland 2 Cybernetica AS, Estonia 3 Tallinn University, Estonia 4
More informationCryptographic Protocols FS2011 1
Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs
More informationColluding Attacks to a Payment Protocol and Two Signature Exchange Schemes
Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes Feng Bao Institute for Infocomm Research 21 Heng Mui Keng Terrace, Singapore 119613 Email: baofeng@i2r.a-star.edu.sg Abstract.
More informationDigital Signature Scheme Based on a New Hard Problem
Computer Science Journal of Moldova, vol.16, no.2(47), 2008 Digital Signature Scheme Based on a New Hard Problem Niolay A. Moldovyan Abstract Factorizing composite number n = qr, where q and r are two
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationPrivate Intersection of Certified Sets
Private Intersection of Certified Sets Jan Camenisch 1 and Gregory M. Zaverucha 2 1 IBM Research Zürich Research Laboratory CH-8803 Rüschlikon jca@zurich.ibm.com 2 Cheriton School of Computer Science University
More informationMontgomery-Suitable Cryptosystems
Montgomery-Suitable Cryptosystems [Published in G. Cohen, S. Litsyn, A. Lobstein, and G. Zémor, Eds., Algebraic Coding, vol. 781 of Lecture Notes in Computer Science, pp. 75-81, Springer-Verlag, 1994.]
More informationSecurity Arguments for Digital Signatures and Blind Signatures
J. Cryptology (2000) 13: 361 396 DOI: 10.1007/s001450010003 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures David Pointcheval and
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationEfficient Zero-Knowledge Range Proofs in Ethereum
Efficient Zero-Knowledge Range Proofs in Ethereum Tommy Koens, Coen Ramaekers and Cees van Wijk ING, blockchain@ing.com 1 Introduction Two months ago I (Tommy) joined ING s blockchain team. This job change
More informationThe RSA public encryption scheme: How I learned to stop worrying and love buying stuff online
The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online Anthony Várilly-Alvarado Rice University Mathematics Leadership Institute, June 2010 Our Goal Today I will
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationA Small Subgroup Attack on Arazi s Key Agreement Protocol
Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationA handy multi-coupon system
A handy multi-coupon system Sébastien Canard 1, Aline Gouget 2, and Emeline Hufschmitt 1 1 France Telecom, R&D Division 42 rue des Coutures, BP 6243, 14066 Caen Cedex, France {sebastien.canard,emeline.hufschmitt}@orange-ft.com
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More information