Interactive and Non-Interactive Proofs of Knowledge
|
|
- Pierce Bailey
- 5 years ago
- Views:
Transcription
1 Interactive and Non-Interactive Proofs of Knowledge Olivier Blazy ENS / CNRS / INRIA / Paris 7 RUB Sept 2012 O. Blazy (ENS RUB) INIPoK Sept / 63
2 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63
3 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63
4 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63
5 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63
6 Proof of Knowledge Alice Bob interactive method for one party to prove to another the knowledge of a secret S. 1 Completeness: S is true verier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verier that S is true Classical Instantiations : Schnorr proofs, Sigma Protocols... O. Blazy (ENS RUB) INIPoK Sept / 63
7 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Racko. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (ENS RUB) INIPoK Sept / 63
8 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Racko. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (ENS RUB) INIPoK Sept / 63
9 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Racko. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (ENS RUB) INIPoK Sept / 63
10 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verier that it is true 3 Zero-knowledge: if S is true, no cheating verier learns anything other than this fact. O. Blazy (ENS RUB) INIPoK Sept / 63
11 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verier that it is true 3 Zero-knowledge: if S is true, no cheating verier learns anything other than this fact. O. Blazy (ENS RUB) INIPoK Sept / 63
12 Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: S is true verier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verier that S is true 3 Zero-knowledge: S is true no cheating verier learns anything other than this fact. O. Blazy (ENS RUB) INIPoK Sept / 63
13 History of NIZK Proofs Inecient NIZK Blum-Feldman-Micali, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZK But limited by the Random Oracle Ecient NIZK Groth-Ostrovsky-Sahai, Groth-Sahai, O. Blazy (ENS RUB) INIPoK Sept / 63
14 History of NIZK Proofs Inecient NIZK Blum-Feldman-Micali, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZK But limited by the Random Oracle Ecient NIZK Groth-Ostrovsky-Sahai, Groth-Sahai, O. Blazy (ENS RUB) INIPoK Sept / 63
15 History of NIZK Proofs Inecient NIZK Blum-Feldman-Micali, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZK But limited by the Random Oracle Ecient NIZK Groth-Ostrovsky-Sahai, Groth-Sahai, O. Blazy (ENS RUB) INIPoK Sept / 63
16 Applications of NIZK Proofs Fancy signature schemes group signatures ring signatures traceable signatures Ecient non-interactive proof of correctness of shue Non-interactive anonymous credentials CCA-2-secure encryption schemes (with public veriability) Identication E-voting, E-cash... O. Blazy (ENS RUB) INIPoK Sept / 63
17 Conditional Actions Group Manager Certication of a public key User pk Cert π The User should know the associated sk. O. Blazy (ENS RUB) INIPoK Sept / 63
18 Conditional Actions Signer Signature of a blinded message User C(M) σ π The User should know the plaintext M. O. Blazy (ENS RUB) INIPoK Sept / 63
19 Conditional Actions Server Transmission of private information User Request info π The User should possess some credentials. O. Blazy (ENS RUB) INIPoK Sept / 63
20 Soundness Only people proving they know the expected secret should be able to access the information. Zero-Knowledge The authority should not learn said secret. O. Blazy (ENS RUB) INIPoK Sept / 63
21 1 General Remarks 2 Building blocks Bilinear groups aka Pairing-friendly environments Commitment / Encryption Signatures Security hypotheses 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63
22 Symmetric bilinear structure (p, G, G T, e, g) bilinear structure: G, G T multiplicative groups of order p p = prime integer g = G e : G G G T e(g, g) = G T e(g a, g b ) = e(g, g) ab, a, b Z deciding group membership, group operations, eciently computable. bilinear map O. Blazy (ENS RUB) INIPoK Sept / 63
23 Denition (Encryption Scheme) E = (Setup, EKeyGen, Encrypt, Decrypt): Setup(1 K ): param; EKeyGen(param): public encryption key pk, private decryption key dk; Encrypt(pk, m; r): ciphertext c on m M and pk; Decrypt(dk, c): decrypts c under dk. F(M) Encrypt SE pk, r r dk Random E C r Decrypt E Indistinguishability: Given M 0, M 1, it should be hard to guess which one is encrypted in C. O. Blazy (ENS RUB) INIPoK Sept / 63
24 Denition (Linear Encryption) Setup(1 K ): Generates a multiplicative group (p, G, g). EKeyGen E (param): dk = (µ, ν) $ Z 2 p, and pk = (X 1 = g µ, X 2 = g ν ). Encrypt(pk = (X 1, X 2 ), M; α, β): For M, and random α, β $ Z 2 p, C = ( c 1 = X α 1, c 2 = X β 2, c 3 = g α+β M ). Decrypt(dk = (µ, ν), C = (c 1, c 2, c 3 )): Computes M = c 3 /(c 1/µ 1 c 1/ν 2 ). Randomization (BBS04) Random(pk, C; r, s) : C = ( c 1 X r 1, c 2X s 2, c 3g r+s) = ( X α+r 1, X β+s 2, g α+r+β+s M ) O. Blazy (ENS RUB) INIPoK Sept / 63
25 Denition (Commitment Scheme) E = (Setup, Commit, Decommit): Setup(1 K ): param, ck; Commit(ck, m; r): c on the input message m M using r $ R; Decommit(c, m; w) opens c and reveals m, together with w that proves the correct opening. M Commit ck, r r Decommit C O. Blazy (ENS RUB) INIPoK Sept / 63
26 Pedersen Setup(1 K ): g, h G; Commit(m; r): c = g m h r ; Decommit(c, m; r): c? = g m h r. O. Blazy (ENS RUB) INIPoK Sept / 63
27 F(M) s sk; s SignS σ(f) Denition (Signature Scheme) S = (Setup, SKeyGen, Sign, Verif): Setup(1 K ): param; SKeyGen(param): public verication key vk, private signing key sk; Sign(sk, m; s): signature σ on m, under sk; Verif(vk, m, σ): checks whether σ is valid on m. Random S Unforgeability: Given q pairs (m i, σ i ), it should be hard to output a valid σ on a fresh m. O. Blazy (ENS RUB) INIPoK Sept / 63
28 Denition (Waters Signature) (Wat05) Setup S (1 K ): Generates (p, G, G T, e, g), an extra h, and (u i ) for the Waters function (F(m) = u 0 i um i i ). SKeyGen S (param): Picks x $ Z p and outputs sk = h x, and vk = g x ; Sign(sk, m; s): Outputs σ(m) = (skf(m) s, g s ); Verif(vk, m, σ): Checks the validity of σ: e(g, σ 1 )? = e(f(m), σ 2 ) e(vk, h) Randomization Random(σ; r) : σ = ( σ 1 F(m) r, σ 2 g r ) = ( skf(m) r+s, g r+s) O. Blazy (ENS RUB) INIPoK Sept / 63
29 Denition (DL) Given g, h G 2, it is hard to compute α such that h = g α. Denition (CDH) Given g, g a, h G 3, it is hard to compute h a. Denition (DLin) Given u, v, w, u a, v b, w c G 6, it is hard to decide whether c = a + b. O. Blazy (ENS RUB) INIPoK Sept / 63
30 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge Groth Sahai methodology Motivation Signature on Ciphertexts Application to other protocols Waters Programmability 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63
31 Groth-Sahai Proof System Pairing product equation (PPE): for variables X 1,..., X n G n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T determined by A i G, γ i,j Z p and t T G T. Groth-Sahai WI proofs that elements in G that were committed to satisfy PPE Setup(G): commitment key ck; Com(ck, X G; ρ): commitment c X to X ; Prove(ck, (X i, ρ i ) i=1,...,n, (E)): proof φ; Verify(ck, c Xi, (E), φ): checks whether φ is valid. O. Blazy (ENS RUB) INIPoK Sept / 63
32 Groth-Sahai Proof System Pairing product equation (PPE): for variables X 1,..., X n G n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T determined by A i G, γ i,j Z p and t T G T. Groth-Sahai WI proofs that elements in G that were committed to satisfy PPE Setup(G): commitment key ck; Com(ck, X G; ρ): commitment c X to X ; Prove(ck, (X i, ρ i ) i=1,...,n, (E)): proof φ; Verify(ck, c Xi, (E), φ): checks whether φ is valid. O. Blazy (ENS RUB) INIPoK Sept / 63
33 n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T Assumption DLin SXDH SD Variables PPE 9 (2,2) 1 Linear Verication 12n m + 3n + 16 n + 1 [ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1 Properties: correctness soundness witness-indistinguishability randomizability Commitments and proofs are publicly randomizable. O. Blazy (ENS RUB) INIPoK Sept / 63
34 n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T Assumption DLin SXDH SD Variables PPE 9 (2,2) 1 Linear Verication 12n m + 3n + 16 n + 1 [ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1 Properties: correctness soundness witness-indistinguishability randomizability Commitments and proofs are publicly randomizable. O. Blazy (ENS RUB) INIPoK Sept / 63
35 n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T Assumption DLin SXDH SD Variables PPE 9 (2,2) 1 Linear Verication 12n m + 3n + 16 n + 1 [ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1 Properties: correctness soundness witness-indistinguishability randomizability Commitments and proofs are publicly randomizable. O. Blazy (ENS RUB) INIPoK Sept / 63
36 Electronic Voting For dessert, we let people vote Chocolate Cake Cheese Cake Fruit Salad Brussels Sprout After collection, we count the number of ballots: Chocolate Cake 123 Cheese Cake 79 Fruit Salad 42 Brussels sprout 1 O. Blazy (ENS RUB) INIPoK Sept / 63
37 Authentication Only people authorized to vote should be able to vote People should be able to vote only once Anonymity Votes and voters should be anonymous Receipt freeness O. Blazy (ENS RUB) INIPoK Sept / 63
38 Homomorphic Encryption and Signature approach The voter generates his vote v. The voter encrypts v to the server as c. The voter signs c and outputs σ. (c, σ) is a ballot unique per voter, and anonymous. Counting: granted homomorphic encryption C = c. The server decrypts C. O. Blazy (ENS RUB) INIPoK Sept / 63
39 Electronic Cash Identify Deposit Withdraw Randomize Spend Randomize O. Blazy (ENS RUB) INIPoK Sept / 63
40 Protocol Withdrawal: A user get a coin c from the bank Spending: A user pays a shop with the coin c Deposit: The shop gives the coin c back to the bank Electronic Coins Chaum 81 Expected properties Unforgeability Coins are signed by the bank No Double-Spending Each coin is unique Anonymity Blind Signature Denition (Blind Signature) A blind signature allows a user to get a message m signed by an authority into σ so that the authority even powerful cannot recognize later the pair (m, σ). O. Blazy (ENS RUB) INIPoK Sept / 63
41 Round-Optimal Blind Signature Fischlin 06 The user encrypts his message m in c. The signer then signs c in σ. The user veries σ. He then encrypts σ and c into C σ and C and generates a proof π. π: C σ is an encryption of a signature over the ciphertext c encrypted in C, and this c is indeed an encryption of m. Anyone can then use C, C σ, π to check the validity of the signature. O. Blazy (ENS RUB) INIPoK Sept / 63
42 Vote E-Cash A user should be able to encrypt a ballot. He should be able to sign this encryption. Receiving this vote, one should be able to randomize for Receipt-Freeness. A user should be able to encrypt a token The bank should be able to sign it providing Unforgeability This signature should now be able to be randomized to provide Anonymity Our Solution Same underlying requirements; Advance security notions in both schemes requires to extract some kind of signature on the associated plaintext; General Framework for Signature on Randomizable Ciphertexts; Revisited Waters, Commutative encryption / signature. O. Blazy (ENS RUB) INIPoK Sept / 63
43 Commutative properties Encrypt To encrypt a message m: c = (pk 1 r 1, pk 2 r 2, F(m) g r1+r2 ) O. Blazy (ENS RUB) INIPoK Sept / 63
44 Commutative properties Encrypt To encrypt a message m: c = (pk 1 r 1, pk 2 r 2, F(m) g r1+r2 ) Sign Encrypt To sign a valid ciphertext c 1, c 2, c 3, one has simply to produce. σ = (c 1 s, c 2 s, sk c 3 s, pk 1 s, pk 2 s, g s ). O. Blazy (ENS RUB) INIPoK Sept / 63
45 Commutative properties Encrypt To encrypt a message m: c = (pk 1 r 1, pk 2 r 2, F(m) g r1+r2 ) Sign Encrypt To sign a valid ciphertext c 1, c 2, c 3, one has simply to produce. σ = (c 1 s, c 2 s, sk c 3 s, pk 1 s, pk 2 s, g s ). Decrypt Sign Encrypt Using dk. σ = (σ 3 /σ dk1 1 σ dk2 2, σ 6 ) = (sk F(m) s, g s ). O. Blazy (ENS RUB) INIPoK Sept / 63
46 Denition (Signature on Ciphertexts) SE = (Setup, SKeyGen, EKeyGen, Encrypt, Sign, Decrypt, Verif): Setup(1 K ): param e, param s ; EKeyGen(param e ): pk, dk; SKeyGen(param s ): vk, sk; Encrypt(pk, vk, m; r): produces c on m M and pk; Sign(sk, pk, c; s): produces σ, on the input c under sk; Decrypt(dk, vk, c): decrypts c under dk; Verif(vk, pk, c, σ): checks whether σ is valid. Denition (Extractable Randomizable Signature on Ciphertexts) SE=(Setup, SKeyGen, EKeyGen, Encrypt, Sign, Random, Decrypt, Verif, SigExt): Random(vk, pk, c, σ; r, s ) produces c and σ on c, using additional coins; SigExt(dk, vk, σ) outputs a signature σ. O. Blazy (ENS RUB) INIPoK Sept / 63
47 Randomizable Signature on Ciphertexts [PKC 2011: BFPV] M Encrypt SE pk, r r dk Decrypt E C sk; s SignS sk, pk, c; s SignSE s Random S σ(m) SigExt SE r dk σ(c) O. Blazy (ENS RUB) INIPoK Sept / 63
48 Extractable SRC M Encrypt SE pk, r r Random E C r dk Decrypt E sk; s SignS sk, pk, c; s SignSE s Random S σ(m) SigExt SE r dk σ(c) r, s Random SE O. Blazy (ENS RUB) INIPoK Sept / 63
49 E-Voting [PKC 2011: BFPV] F(M) Encrypt SE pk, r r C User sk, pk, c; s SignSE σ(f) SigExt SE dk σ(c) r, s Authority Random SE O. Blazy (ENS RUB) INIPoK Sept / 63
50 Blind Signature [PKC 2011: BFPV] User F(M) Encrypt SE pk, r r dk C Signer Decrypt E sk, pk, c; s SignSE s Random S σ(f) SigExt SE r dk σ(c) O. Blazy (ENS RUB) INIPoK Sept / 63
51 Partially-Blind Signature User info C = C(M, info) σ(c ) Signer O. Blazy (ENS RUB) INIPoK Sept / 63
52 Partially-Blind Signature User Signer C = C(M, info) σ(c, info s ) O. Blazy (ENS RUB) INIPoK Sept / 63
53 Signer-Friendly Partially Blind Signature [SCN 2012: BPV] User F(M) Blind BS pk BS, r r C info C Signer skbs, C, infos; s SignBS s σ(f ) r Unblind BS σ(c ) info s Random S Verif O. Blazy (ENS RUB) INIPoK Sept / 63
54 Multi-Source Blind Signatures Wireless Sensor Network Captors Central Hub Receiver c 1 c i c n C = c i σ(c, s) O. Blazy (ENS RUB) INIPoK Sept / 63
55 Multi-Source Blind Signatures [SCN 2012: BPV] User i F i Blind BS pk BS, r i r i C i Signer R skbs, C 1,..., Cn; s SignBS s σ( F) dk BS σ( C i ) Random S Unblind BS Verif O. Blazy (ENS RUB) INIPoK Sept / 63
56 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key O. Blazy (ENS RUB) INIPoK Sept / 63
57 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key O. Blazy (ENS RUB) INIPoK Sept / 63
58 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key A single set of generators The captors share the same set of generators Waters over a non-binary alphabet? O. Blazy (ENS RUB) INIPoK Sept / 63
59 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key A single set of generators The captors share the same set of generators Waters over a non-binary alphabet? O. Blazy (ENS RUB) INIPoK Sept / 63
60 Programmability of Waters over a non-binary alphabet Denition ((m, n)-programmability) F is (m, n) programmable if given g, h there is an ecient trapdoor producing a X, b X such that F (X ) = g a X h b X, and for all X i, Z j, Pr[a X1 = = a Xm = 0 a Z1... a Zn 0] is not negligible. (1, q)-programmability of Waters function Why do we need it: Unforgeabilty, q signing queries, 1 signature to exploit. Choose independent and uniform elements (a i ) (1,...,l) in { 1, 0, 1}, and random exponents (b i ) (0,...,l), and setting a 0 = 1. Then u i = g a i h b i. F(m) = u 0 u m i i δ a = g i i δ b h i i = g a m h bm. O. Blazy (ENS RUB) INIPoK Sept / 63
61 Non (2, 1)-programmability Waters over a non-binary alphabet is not (2, 1)-programmable. (1, q)-programmability Waters over a polynomial alphabet remains (1, q)-programmable. O. Blazy (ENS RUB) INIPoK Sept / 63
62 Sum of random walks on polynomial alphabets Local Central Limit Theorem Lindeberg Feller O. Blazy (ENS RUB) INIPoK Sept / 63
63 New primitive: Signature on Randomizable Ciphertexts One Round Blind Signature Receipt Free E-Voting Signer-Friendly Blind Signature Multi-Source Blind Signature [PKC 2011: BFPV] [PKC 2011: BFPV] [PKC 2011: BFPV] [SCN 2012: BPV] [SCN 2012: BPV] Eciency DLin + CDH : 9l + 24 Group elements. SXDH + CDH + : 6l + 15, 6l + 7 Group elements. Other results based on Groth Sahai Methodology: Traceable Signatures Transferable E-Cash [2012: BP] [Africacrypt 2011: BCF+] O. Blazy (ENS RUB) INIPoK Sept / 63
64 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs Motivation Smooth Projective Hash Function Application to various protocols Manageable Languages O. Blazy (ENS RUB) INIPoK Sept / 63
65 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63
66 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63
67 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63
68 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63
69 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User π can be forwarded O. Blazy (ENS RUB) INIPoK Sept / 63
70 Certication of Public Keys: SPHF [ACP09] A user can ask for the certication of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certicate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. O. Blazy (ENS RUB) INIPoK Sept / 63
71 Certication of Public Keys: SPHF [ACP09] A user can ask for the certication of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certicate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. Implicit proof of knowledge of sk O. Blazy (ENS RUB) INIPoK Sept / 63
72 Smooth Projective Hash Functions [CS02] Denition Let {H} be a family of functions: X, domain of these functions L, subset (a language) of this domain such that, for any point x in L, H(x) can be computed by using either a secret hashing key hk: H(x) = Hash L (hk; x); or a public projected key hp: H (x) = ProjHash L (hp; x, w) [CS02,GL03] Public mapping hk hp = ProjKG L (hk, x) O. Blazy (ENS RUB) INIPoK Sept / 63
73 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63
74 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63
75 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63
76 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63
77 Certication of Public Keys: SPHF [ACP09] Server Certication of a public key pk, C = C(sk; r) P = Cert Hash(hk; (pk, C)) hp = ProjKG(hk, C) User P ProjHash(hp; (pk, C), r) = Cert O. Blazy (ENS RUB) INIPoK Sept / 63
78 Certication of Public Keys: SPHF [ACP09] Server Certication of a public key pk, C = C(sk; r) P = Cert Hash(hk; (pk, C)) hp = ProjKG(hk, C) User Implicit proof of knowledge of sk P ProjHash(hp; (pk, C), r) = Cert O. Blazy (ENS RUB) INIPoK Sept / 63
79 Oblivious Signature-Based Envelope (OSBE) [LDB03] A sender S wants to send a message P to U such that U gets P i it owns σ(m) valid under vk S does not learn whereas U gets the message P or not Correctness: if U owns a valid signature, he learns P Security Notions Oblivious: S does not know whether U owns a valid signature (and thus gets the message); Semantic Security: U does not learn any information about P if he does not own a valid signature. O. Blazy (ENS RUB) INIPoK Sept / 63
80 Oblivious Signature-Based Envelope (OSBE) [LDB03] A sender S wants to send a message P to U such that U gets P i it owns σ(m) valid under vk S does not learn whereas U gets the message P or not Correctness: if U owns a valid signature, he learns P Security Notions Oblivious: S does not know whether U owns a valid signature (and thus gets the message); Semantic Security: U does not learn any information about P if he does not own a valid signature. O. Blazy (ENS RUB) INIPoK Sept / 63
81 Oblivious Signature-Based Envelope (OSBE) [LDB03] A sender S wants to send a message P to U such that U gets P i it owns σ(m) valid under vk S does not learn whereas U gets the message P or not Correctness: if U owns a valid signature, he learns P Security Notions Oblivious: S does not know whether U owns a valid signature (and thus gets the message); Semantic Security: U does not learn any information about P if he does not own a valid signature. O. Blazy (ENS RUB) INIPoK Sept / 63
82 One-Round OSBE from IBE The authority owns the master key of an IBE scheme, and provides the decryption key (signature) associated to m to U. S wants to send a message P to U, if U owns a valid signature. S encrypts P under the identity m. Security properties Correct: trivial Oblivious: no message sent! Semantic Security: IND-CPA of the IBE But the authority can decrypt everything! O. Blazy (ENS RUB) INIPoK Sept / 63
83 One-Round OSBE from IBE The authority owns the master key of an IBE scheme, and provides the decryption key (signature) associated to m to U. S wants to send a message P to U, if U owns a valid signature. S encrypts P under the identity m. Security properties Correct: trivial Oblivious: no message sent! Semantic Security: IND-CPA of the IBE But the authority can decrypt everything! O. Blazy (ENS RUB) INIPoK Sept / 63
84 One-Round OSBE from IBE The authority owns the master key of an IBE scheme, and provides the decryption key (signature) associated to m to U. S wants to send a message P to U, if U owns a valid signature. S encrypts P under the identity m. Security properties Correct: trivial Oblivious: no message sent! Semantic Security: IND-CPA of the IBE But the authority can decrypt everything! O. Blazy (ENS RUB) INIPoK Sept / 63
85 A Stronger Security Model S wants to send a message P to U, if U owns/uses a valid signature. Security Notions Oblivious w.r.t. the authority: the authority does not know whether U uses a valid signature; Semantic Security: U cannot distinguish multiple interactions with : S sending P 0 from those with S sending P 1 if he does not own/use a valid signature; Semantic Security w.r.t. the Authority: after the interaction, the authority does not learn any information about P. O. Blazy (ENS RUB) INIPoK Sept / 63
86 Our New OSBE [TCC 2012: BPV] S wants to send a message P to U, if U owns a valid σ(m) under vk: With a Smooth Projective Hash Function L: C = C(σ, r) contains a valid σ(m) under vk the user U sends an encryption C of σ; A generates hk and the associated hp, computes H = Hash(hk; C), and sends hp together with c = P H; U computes X = ProjHash(hp; C, r), and gets P. Lin(pk, m) : {C(m)} WLin(pk, vk, m) : {C(σ(m))} (U, V, W, G) WLin(pk, vk, m): r, s Z p, (U, V, W ) = (u r, v s, g r+s σ), e(σ, g) = e(h, vk) e(f(m), G) O. Blazy (ENS RUB) INIPoK Sept / 63
87 Security Properties Oblivious w.r.t. the authority: IND-CPA of the encryption scheme (Hard-partitioned Subset of the SPHF); Semantic Security: Smoothness of the SPHF Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF Semantic Security w.r.t. the Authority requires one interaction round-optimal Standard model with Waters Signature + Linear Encryption CDH and DLin O. Blazy (ENS RUB) INIPoK Sept / 63
88 Security Properties Oblivious w.r.t. the authority: IND-CPA of the encryption scheme (Hard-partitioned Subset of the SPHF); Semantic Security: Smoothness of the SPHF Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF Semantic Security w.r.t. the Authority requires one interaction round-optimal Standard model with Waters Signature + Linear Encryption CDH and DLin O. Blazy (ENS RUB) INIPoK Sept / 63
89 Security Properties Oblivious w.r.t. the authority: IND-CPA of the encryption scheme (Hard-partitioned Subset of the SPHF); Semantic Security: Smoothness of the SPHF Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF Semantic Security w.r.t. the Authority requires one interaction round-optimal Standard model with Waters Signature + Linear Encryption CDH and DLin O. Blazy (ENS RUB) INIPoK Sept / 63
90 σ(m) Commit σ ck, σ; r Q Q = P H c hk = HashKG L H = Hash L (hk, c) hp = ProjKG L (hk, c) P ProjHash L (hp, C; w) = H P = Q H L = WLin(ck, vk, m) e(x, g) = e(f(m), σ 2 ) e(vk, h) O. Blazy (ENS RUB) INIPoK Sept / 63
91 Blind-Signatures [TCC 2012: BPV] User F(M) Encrypt SE pk, r r dk C Signer Decrypt E sk, pk, c; s SignSE Groth Sahai 9 l + 24 s Random S σ(f) SigExt SE r dk σ(c) O. Blazy (ENS RUB) INIPoK Sept / 63
92 Blind-Signatures [TCC 2012: BPV] User F(M) Encrypt SE pk, r r dk Decrypt E C Signer Groth Sahai 9 l + 24 sk, pk, c; s SignSE SPHF 8 l + 12 Languages s σ(f) SigExt SE r dk σ(c) BLin: {0, 1}, ELin: {C(C(...))}. Random S O. Blazy (ENS RUB) INIPoK Sept / 63
93 Alice Password Authenticated Key Exchange C(pw B ) C(pw A ), hp B hp A Bob H B H A H B H A Same value i both passwords are the same, and users know witnesses. O. Blazy (ENS RUB) INIPoK Sept / 63
94 Alice Language Authenticated Key Exchange C(L B ), C(L A ), C(M B) C(L A ), C(L B ), C(M A), hp B hp A Bob H B H A H B H A Same value i languages are as expected, and users know witnesses. O. Blazy (ENS RUB) INIPoK Sept / 63
95 Die Hellman / Linear Tuple Conjunction / Disjunction (g, h, G = g a, H = h a ) hp = g κ h λ Oblivious Transfer, Implicit Opening of a ciphertext Valid Die Hellman tuple? hp a = G κ H λ (U = u a, V = v b, W = g a+b ) Valid Linear tuple? hp = u κ g λ, v µ g λ hp a 1 hpb = 2 Uκ V µ W λ O. Blazy (ENS RUB) INIPoK Sept / 63
96 Die Hellman / Linear Tuple Conjunction / Disjunction (g, h, G = g a, H = h a ) hp = g κ h λ Oblivious Transfer, Implicit Opening of a ciphertext Valid Die Hellman tuple? hp a = G κ H λ (U = u a, V = v b, W = g a+b ) Valid Linear tuple? hp = u κ g λ, v µ g λ hp a 1 hpb = 2 Uκ V µ W λ O. Blazy (ENS RUB) INIPoK Sept / 63
97 Die Hellman / Linear Tuple Conjunction / Disjunction L 1 L 2 Simultaneous verication hp = hp 1, hp 2 H 1 H = H 2 1 H 2 A i O. Blazy (ENS RUB) INIPoK Sept / 63
98 Die Hellman / Linear Tuple Conjunction / Disjunction L 1 L 2 Simultaneous verication hp = hp 1, hp 2 H 1 H = H 2 1 H 2 A i L 1 L 2 hp = hp 1, hp 2, hp Is it a bit? One out of 2 conditions H = L 1?hp w1 : hp w2 hp 1 2 = X hk1 1 O. Blazy (ENS RUB) INIPoK Sept / 63
99 Die Hellman / Linear Tuple Conjunction / Disjunction L 1 L 2 Simultaneous verication hp = hp 1, hp 2 H 1 H = H 2 1 H 2 A i L 1 L 2 hp = hp 1, hp 2, hp Is it a bit? One out of 2 conditions H = L 1?hp w1 : hp w2 hp 1 2 = X hk1 1 BLin. O. Blazy (ENS RUB) INIPoK Sept / 63
100 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation (e = h r M, u 1 = g r, u 1 2 = g r, v = (cd α 2 ) r ) Veriability of the CS hp = g κg µ (cd α 1 ) η h λ 2 hp r = u κ 1 uµ v η (e/m) λ 2 Implicit Opening of a ciphertext, veriability of a ciphertext, PAKE (g r, g s, g r+s 1 2, h r 3 1 hs M, (c 2 1d α 1 )r )(c 2 d α 2 )s ) Veriability of the LCS hp = g κg θ(c 1 3 1d α 1 )η h λ, g µ g θ(c 2 3 1d α 1 )η h λ hp r 1 hps = 2 uκ 1 uµ 2 uθv η 3 (e/m) λ O. Blazy (ENS RUB) INIPoK Sept / 63
101 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation (e = h r M, u 1 = g r, u 1 2 = g r, v = (cd α 2 ) r ) Veriability of the CS hp = g κg µ (cd α 1 ) η h λ 2 hp r = u κ 1 uµ v η (e/m) λ 2 Implicit Opening of a ciphertext, veriability of a ciphertext, PAKE (g r, g s, g r+s 1 2, h r 3 1 hs M, (c 2 1d α 1 )r )(c 2 d α 2 )s ) Veriability of the LCS hp = g κg θ(c 1 3 1d α 1 )η h λ, g µ g θ(c 2 3 1d α 1 )η h λ hp r 1 hps = 2 uκ 1 uµ 2 uθv η 3 (e/m) λ O. Blazy (ENS RUB) INIPoK Sept / 63
102 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation (U = u a, V = v s, G = h s g a ) Previous Language ELin hp = u η g λ, v θ h λ hp a 1 hps = 2 Uη V θ G λ O. Blazy (ENS RUB) INIPoK Sept / 63
103 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation ( i A k e(y i, A k,i ) For each variables: hp i = u κ i g λ, v µ i g ( λ i A k e(hp w i i, A k,i ) ) ( ) HPZ k,i w i i Bk i = ( i A k e(h i, A k,i ) ) ( ) Z i B k H k,i i /D λ k ) ( ) Z Z k,i i i B k = D k Knowledge of a secret key, Knowledge of a (secret) signature on a (secret) message valid under a (secret) verication key,... O. Blazy (ENS RUB) INIPoK Sept / 63
104 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation ( e(y i, A k,i ) e(y i, Y j ) γi,j i j A k Z Zk,i i i B k Anonymous membership to a group, other way to do BLin,... e(g b, g 1 b ) = 1 T ) = D k O. Blazy (ENS RUB) INIPoK Sept / 63
105 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge O. Blazy (ENS RUB) INIPoK Sept / 63
106 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
107 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
108 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
109 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
110 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
111 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures [TCC 2012: BPV] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
112 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope [TCC 2012: BPV] [TCC 2012: BPV] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
113 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope (v)-pake, LAKE, Secret Handshakes [TCC 2012: BPV] [TCC 2012: BPV] [eprint/sub 2012: BPCV] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
114 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope (v)-pake, LAKE, Secret Handshakes E-Voting [TCC 2012: BPV] [TCC 2012: BPV] [eprint/sub 2012: BPCV] [sub 2012: BP] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
115 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope (v)-pake, LAKE, Secret Handshakes E-Voting [TCC 2012: BPV] [TCC 2012: BPV] [eprint/sub 2012: BPCV] [sub 2012: BP] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63
116 Groth-Sahai Allows to combine eciently classical building blocks Allows several kind of new signatures under standard hypotheses Smooth Projective Hash Functions Can handle more general languages under better hypotheses Do not add any extra-rounds in an interactive scenario More ecient in the usual cases O. Blazy (ENS RUB) INIPoK Sept / 63
117 Groth-Sahai Allows to combine eciently classical building blocks Allows several kind of new signatures under standard hypotheses Smooth Projective Hash Functions Can handle more general languages under better hypotheses Do not add any extra-rounds in an interactive scenario More ecient in the usual cases O. Blazy (ENS RUB) INIPoK Sept / 63
Non-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationRemoving Erasures with Explainable Hash Proof Systems
Removing Erasures with Explainable Hash Proof Systems Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France firstname.lastname@ens.fr www.di.ens.fr/~{abdalla,fbenhamo,pointche} October
More informationCommuting Signatures and Verifiable Encryption
Commuting Signatures and Verifiable Encryption Georg Fuchsbauer Dept. Computer Science, University of Bristol, UK georg@cs.bris.ac.uk Abstract. Verifiable encryption allows one to encrypt a signature while
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationLecture Notes 15 : Voting, Homomorphic Encryption
6.857 Computer and Network Security October 29, 2002 Lecture Notes 15 : Voting, Homomorphic Encryption Lecturer: Ron Rivest Scribe: Ledlie/Ortiz/Paskalev/Zhao 1 Introduction The big picture and where we
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationImplicit Zero-Knowledge Arguments and Applications to the Malicious Setting
Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting Fabrice Benhamouda, Geoffroy Couteau, David Pointcheval, and Hoeteck Wee ENS, CNRS, INRIA, and PSL, Paris, France firstname.lastname@ens.fr
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationCryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies
IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi, Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. We define and propose an efficient and provably secure
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationAutomorphic Signatures and Applications
École normale supérieure Département d Informatique Université Paris 7 Denis Diderot Automorphic Signatures and Applications PhD thesis Georg Fuchsbauer 13 October 2010 Abstract We advocate modular design
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationPassword-Authenticated Key Exchange David Pointcheval
Password-Authenticated Key Exchange Privacy and Contactless Services May 27th, 2015 AKE AKE: Authenticated Key Exchange allows two players to agree on a common key authentication of partners 2 Diffie-Hellman
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationA Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System
A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System Zhengjun Cao 1, Lihua Liu 2, Abstract. In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationAbstract. Often the core diculty in designing zero-knowledge protocols arises from having to
Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols
More informationOn the Impossibility of Structure-Preserving Deterministic Primitives
On the Impossibility of Structure-Preserving Deterministic Primitives Masayuki Abe 1, Jan Camenisch 2, Rafael Dowsley 3, and Maria Dubovitskaya 2,4 1 NTT Corporation, Japan, abe.masayuki@lab.ntt.co.jp
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationDivisible E-cash Made Practical
Divisible E-cash Made Practical Sébastien Canard (1), David Pointcheval (2), Olivier Sanders (1,2) and Jacques Traoré (1) (1) Orange Labs, Caen, France (2) École Normale Supérieure, CNRS & INRIA, Paris,
More informationCryptographic Protocols FS2011 1
Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationExtractable Perfectly One-way Functions
Extractable Perfectly One-way Functions Ran Canetti 1 and Ronny Ramzi Dakdouk 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. canetti@watson.ibm.com 2 Yale University, New Haven, CT. dakdouk@cs.yale.edu
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationVerifier-Based Password-Authenticated Key Exchange: New Models and Constructions
Verifier-Based Password-Authenticated Key Exchange: New Models and Constructions Fabrice Benhamouda and David Pointcheval ENS, Paris, France October 14, 2014 Abstract. While password-authenticated key
More informationAnonymous Credential Schemes with Encrypted Attributes
Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationDesignated Conrmer Signatures Revisited
Designated Conrmer Signatures Revisited Douglas Wikström ETH Zürich, Department of Computer Science douglas@inf.ethz.ch 26th February 2007 Abstract Previous denitions of designated conrmer signatures in
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationOn the Non-malleability of the Fiat-Shamir Transform
An extended abstract of this paper is published in the proceedings of the 13th International Conference on Cryptology in India [21] Indocrypt 2012. This is the full version. On the Non-malleability of
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationShort Randomizable Signatures
SESSION ID: CRYP-W02 Short Randomizable Signatures David Pointcheval Senior Researcher ENS/CNRS/INRIA Paris, France Joint work with Olivier Sanders S C I E N C E P A S S I O N
More informationPolicy-based Signature
Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013 1 2 3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, 2013. 2. [GS08] Jens Groth, Amit Sahai.
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi Brown University foteini@cs.brown.edu Anna Lysyanskaya Brown University anna@cs.brown.edu ABSTRACT We define and propose an efficient and provably secure construction
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More informationDual-System Simulation-Soundness with Applications to UC-PAKE and More
Dual-System Simulation-Soundness with Applications to UC-PAKE and More Charanjit S. Jutla IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com Arnab Roy Fujitsu Laboratories
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationShort Structure-Preserving Signatures
This is the full version of the extended abstract which appears in Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 2016). Short Structure-Preserving Signatures Essam Ghadafi University
More informationCryptographic Protocols. Steve Lai
Cryptographic Protocols Steve Lai This course: APPLICATIONS (security) Encryption Schemes Crypto Protocols Sign/MAC Schemes Pseudorandom Generators And Functions Zero-Knowledge Proof Systems Computational
More informationAttribute-Based Signatures
Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek Abstract We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained
More informationHow not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios
How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios David Bernhard 1, Olivier Pereira 2, and Bogdan Warinschi 1 1 University of Bristol, {csxdb,csxbw}@bristol.ac.uk
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationA Framework for Password-Based Authenticated Key Exchange
A Framework for Password-Based Authenticated Key Exchange Extended Abstract Rosario Gennaro and Yehuda Lindell IBM T.J. Watson Research Center Yorktown Heights, NY 10528, USA. {rosario,lindell}@us.ibm.com
More informationEfficient Cryptographic Primitives for. Non-Interactive Zero-Knowledge Proofs. and Applications
Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications by Kristiyan Haralambiev A dissertation submitted in partial fulfillment of the requirements for the degree
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationLecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting
6.879 Special Topics in Cryptography Instructors: Ran Canetti April 15, 2004 Lecture 19: Verifiable Mix-Net Voting Scribe: Susan Hohenberger In the last lecture, we described two types of mix-net voting
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More informationUniversal Designated Verifier Signature Proof (or How to Efficiently Prove Knowledge of a Signature)
Universal Designated Verifier Signature Proof (or How to Efficiently Prove Knowledge of a Signature) Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo Centre for Information Security, School of Information
More informationSub-linear Zero-Knowledge Argument for Correctness of a Shuffle
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London jgroth@uclacuk Yuval Ishai Technion and UCLA yuvali@cstechnionacil February 4, 2008 Abstract A shuffle
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present
More informationHow to Shuffle in Public
How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More information