CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
|
|
- Alannah Wood
- 5 years ago
- Views:
Transcription
1 CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu
2 UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols: basics
3 Σ-PROTOCOLS: UP TO NOW We started from a very simple protocol for GI "intuitively" secure: complete, sound, ZK Formalized security requirements based on this concrete example Big promise: this is useful in general
4 THIS TIME Σ-protocols: short reminder Σ-protocols for DL based languages Composition of Σ-protocols Σ-protocols for "almost everything interesting" in the DL-world
5 REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R Requirement: c is chosen from publicly known challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol
6 REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R 1. Completeness 2. Special Soundness 3. Special Honest-Verifier ZK (SHVZK)
7 REMINDER: AUTHENTICATION pk, sk 1st message: commitment a pk 2nd message: challenge c 3rd message: response z Accepts iff prover knows sk such that (pk, sk) Gen GI protocol: sk = ω = secret isomorphism. Verifier convinced prover knows the secret key without any side information being leaked
8 NOTATION P has input (x, ω), V has input x Σ-protocol (P, V) is a proof of knowledge that P knows ω such that (x, ω) R for a public language L/relation R x L ω (x, ω) R Common notation: PK (ω: R (x, ω)) Secret values denoted by Greek letters We will now see: PK (ρ: h = g^ρ)
9 PROBLEM WITH GI Inefficient (for say authentication): having graphs as PK/SK is not efficient adjacency matrix: O (n²) bits Also we have many other elements of the protocols based on Elgamal. Better stick to the same cryptosystem Knowledge error κ = 1 / 2 Need to parallel-repeat protocol 40+ times to amplify
10 POK: KNOWLEDGE OF DL h = g^ρ, ρ 1st message: commitment a h 2nd message: challenge c 3rd message: response z Accepts iff prover knows ρ such that h = g^ρ Authentication: Proof of Knowledge of secret key corresponding to Elgamal PK h. General intepretation: PK of a discrete logarithm
11 IDEA GI: knowing isomorphism G₁ G₂ (knowing isomorphism G₁ H knowing isomorphism G₂ H for random H) Prover knows 0, 1 or 3 of isomorphisms DL: knowing DL of y = g^ρ (knowing DL of gʳ knowing DL of g^(ρ + r) for random r) φ:(g₁,g2) ψ:(g₁,h) ψφ ¹:(G2,H) ρ:h=g^ρ r:a=gʳ Prover knows 0, 1 or 3 of DL-s It is a bit like secret sharing r+ρ:ah=g^(ρ+r)
12 QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c note: z = r or z = r + ρ plays the role of Gc z Completeness: g^z = g^(r + cρ) = ah^c
13 QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Special soundness. Extractor K(a, c, z, c* c, z*): // Accepting views, thus g^z = ah^c and g^(z*) = ah^(c*) 1. Return ρ (z - z*) / (c - c*) z Accept if g^z = ah^c Analysis. Divide the first verification equation with the second one: g^(z - z*) = h^(c - c*) Since c c*, h = g^((z - z*) / (c - c*)), thus extractor retrieves ρ correctly.
14 QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c SHVZK. Simulator S (c): 1. Generate z Zp 2. Set a g^z / h^c 3. Return (a, z) z Analysis. First. (a, c, z) is accepting since a was generated so that the verification equation would accept. (tautology.) Second. In real execution (a, c, z) G {0, 1} Zp is completely random except that the verification equation holds. Thus in real execution one can start by generating c {0, 1}, z Zp, and then setting a g^z / h^c. Thus simulator's output is exactly from the same distribution as the real protocol's output
15 ON KNOWLEDGE ERROR We "hid" most of the technicalities "expected" poly-time extractor, etc Important: κ = 1 / 2 P* can guess V's challenge c with probability 1 / 2 We can decrease κ by using security amplification from Lecture 10 However, there is a much better way
16 QUIZ: IMPROVING Κ Question: how would you improve κ? without security amplification! Hint 1: κ = 1 / C C = challenge set, here C = {0, 1} Hint 2: the previous protocol did never require to have C = 2
17 QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1}ˢ z r + cρ Accept if g^z = ah^c z Completeness: g^z = g^(r + cρ) = ah^ρ
18 SECURITY PROOF All parts of security proof are same as before Only exception: In analysis of SHVZK, we get c {0, 1}ˢ both in the "protocol" and "simulator" case Simulator construction does not change Knowledge error: κ = 2 ˢ // probability P* guesses c
19 REMARKS In practice s = 40 may suffice Information-theoretic limit, not computational However, choosing s = 80 does not make the protocol less efficient This knowledge-of-dl (with variable s) Σ- protocol was proposed by Schnorr in 1991
20 COMPOSITION Another reason Σ-protocols are useful: they are extremely easy to compose... in a black-box way Automatic rules: 1. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK ((ω₁, ω₂): R₁ (x, ω₁) R₂ (x, ω₂)) 2. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK (ω: R₁ (x, ω) R₂ (x, ω)) Given those two rules (and suitable starting protocols), can "automatically" construct Σ-protocols for all languages in NP
21 "AND" COMPOSITION For i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Goal: construct protocol (P, V) for PK ((ω₁, ω₂): R₁ (x, ω₁) R₂ (x, ω₂)) (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ωᵢ, cᵢ; rᵢ) zᵢ Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
22 QUIZ: "AND" COMPOSITION (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
23 "AND" COMPOSITION: COMPLETENESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Completeness: Since both V₁ and V₂ accept, also V accepts Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
24 "AND": SPECIAL SOUNDNESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Special soundness. Extractor K (a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ω₁ K₁ (a₁, c, z₁, c*, z₁*) 1. ω₂ K₂ (a₂, c, z₂, c*, z₂*) 2. Return (ω₁, ω₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
25 REMARKS We will see two different types of AND compositions 1. ω₁ and ω₂ are independent random variables Example: PK ((m, r): c = Enc (m; r)) Extraction works: Kᵢ obtains ωᵢ
26 TYPE 2 Type 2: Both protocols use the same secret Composition works given the secret is unique not a completely automatic composition: need to prove s.s. every single time Both extractors successful => they return same value Example: PK (r: c₁ = hʳ c₂ = gʳ)
27 POK: DDH WITNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ z Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c) Second type AND composition
28 DDH WITNESS: COMPLETENESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ z Completeness. Clear, since (a₁, c, z) is accepting view for PK (ρ: e₁ = h^ρ) and (a₂, c, z) is accepting view for PK (ρ: e₂ = g^ρ) Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)
29 DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C Special soundness. Extractor K (a₁, a₂, c, z, c*, z*): 1. // K₁ (a₁, c, z, c*, z*) = K₂ (a₂, c, z, c*, z*) 2. ρ (z - z*) / (c - c*) 3. Return ρ z r + cρ z Analysis. Simple corollary of knowledge of DL protocols. One gets "the same" ρ from the use of the same c in both verification equations Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)
30 DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ SHVZK Simulator S (c): 1. z Zp, 2. (a₁, a₂) (h^z / e₁^c, g^z / e₂^c) 3. Return (a₁, a₂; c; z) z Analysis. Again, simple corollary. Acceptance is tautology. Distribution is the same since in both cases c and z are random and (a₁, a₂) just makes verification accept Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)
31 POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ (z₁, z₂) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) First type AND composition over two previous protocols
32 REMARKS AND-proof gives an easy way to get an AND of two Σ-protocols but its better to make it sure the result is correct by giving direct proof Example direct proofs were simple but sometimes it gets very tedious
33 OR-PROOF Assume that P knows a witness to one of x L₁ or x L₂ and wants to convince V in this Important: V should not get to know which witness P knows Example: L₀ = { e = Enc (0; ρ) for some ρ}, L₁ = { e = Enc (1; ρ) for some ρ} We know already how to construct protocols for both L = L₀ L₁ = {e = Enc (0; ρ) e = Enc (1; ρ) for some ρ} Verifier is convinced plaintext is Boolean
34 AND VS OR PROOF AND proof is simpler: R₁ R₂ is true iff both R₁ and R₂ are true Revealing in the proof that Rᵢ is true does not break ZK OR proof should not reveal which of R₁ and R₂ is true Additional layer of complexity
35 QUIZ: "OR" COMPOSITION For one i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) R₂ (x, ω)) (x, ω): s.t. Rᵢ(x, ω) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ω, c; rᵢ) zᵢ Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
36 QUIZ: "OR" COMPOSITION For one i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Problems: 1. Prover knows only witness ω for Rᵢ and thus cannot Goal: construct protocol (P, V) both for PK (ω: R₁ (x, execute branches of ω) R₂ (x, ω)) 2. Verifier should not know which branch P can execute (x, ω): s.t. Rᵢ(x, ω) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ω, c; rᵢ) Quiz: zᵢ how can P run the branch, without knowing corresponding secret, such that V cannot distinguish it from the real run? Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
37 ANSWER: USE SIMULATOR Need to run protocol without knowing witness? Answer: use the simulator Need it to be indistinguishable from real run? Answer: use the simulator
38 ... WITH A TRICK Problem: P should run one branch unsimulated Simulated branch can be created out-of-order, unsimulated cannot be Recall "special" meant the simulator can start from c, then create the rest, while P has to start with a So one of two must use c provided by V Question: how?
39 ... WITH A TRICK Idea: generate cᵢ first, then choose c3-i c - cᵢ One of c₁ and c₂ thus must be created "after" seeing c We really need the "special" ZK property
40 OR-PROOF (x, ω): R₁(x, ω) a₁ P₁ (x; r) c₂ C; (a₂, z₂) S₂ (c₂) (a₁, a₂) Assume wlog that P knows ω s.t. R₁ (x, ω) x c C = {0,..., C - 1} c₁ c - c₂ mod C z₁ P₁ (x, ω, c₁; r) (z₁, z₂, c₁) c₂ c - c₁ mod C Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) R₂ (x, ω))
41 SECURITY PROOF I will not give a full security proof, but it is easy Completeness: from completeness of first PK, and successful simulation of the second one Special soundness: OR-extractor runs extractors for both branches. One of them is successful, return this value SHVZK: since the first PK is SHVZK, and the second one is already simulated
42 POK: ELGAMAL PLAINTEXT IS BOOLEAN L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some ρ, μ {0, 1}} We depict prover when μ = 0, μ = 1 is dual (g, h, e₁, e₂), (μ, ρ) 1. r Zp 2. (a₁₁, a₁₂) (hʳ, gʳ) 3. c₂ Zp; z₂ Zp 4. a₂₁ g¹ h^(z₂) / e₁^(c₂) 5. a₂₂ g^(z₂) / e₂^(c₂) (a₁₁, a₁₂, a₂₁, a₂₂) c C (g, h, e₁, e₂) c₁ c - c₂ mod 2ˢ z₁ r + c₁ρ (c₁, z₁, z₂) c₂ c - c₁ mod C Accept if c₁ C, (h^(z₁), g^(z₁)) = (a₁₁e₁^(c₁), a₁₂e₂^(c₁)) (gh^(z₂), g^(z₂)) = (a₂₁e₁^(c₂), a₂₂e₂^(c₂))
43 SECURITY PROOF Left for homework
44 BOOLEAN CIRCUITS Another computation model Every node evaluates a Boolean function on its inputs Output of circuit: top value Complexity class of all Boolean functions that can be evaluated by circuits = class of efficient Boolean functions (P/poly) x y z
45 MONOTONE BOOLEAN CIRCUITS Consist of only and gates Can be used to evaluate any monotone Boolean function f (f (x) = 1 y > x) => f (y) = 1 What we saw is already sufficient to evaluate any monotone relation And in most protocols it is sufficient: if S is "valid input set" for a secure computation protocol then so is any S' S x y z
46 QUIZ: RANGE PROOF Assume protocol is secure for Bob if Alice's input belongs to range S = {0, 1,..., H - 1, H} E.g. e-voting: S = range of valid candidates Question: how would you construct PK ((μ, ρ): e = Enc (μ; ρ) μ S)? Hint: you are allowed to encrypt every bit of μ separately And assume initially H = 2ⁿ
47 ANSWER: RANGE PROOF Construct PK ({(μᵢ, ρᵢ)}: (e₁ = Enc (0; ρ₁) (e₁ = Enc (1; ρ₁))... (en = Enc (0; ρn) en = Enc (1; ρn))) e₁ = Enc (0; ρ₁) e₁ = Enc (1; ρ₁) en = Enc (0; ρn) en = Enc (1; ρn)
48 STUDY OUTCOMES Σ-protocols for DL-based languages Simple examples Composition rules "Everything interesting" has Σ-protocol
49 NEXT LECTURE How to build "real ZK" on top of Σ-protocols? Random Oracle Model? Interactive, four-message ZK
50 TUTORIAL Needed for exam Security proofs for "proof of Elgamal plaintext and randomizer"
51 POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ (z₁, z₂) Completeness. From composition, or directly: g^(z₁) h^(z₂) = gᵐ g^(cμ) hʳ h^(cρ) = a₁e₁^c g^(z₂) = gʳg^(cρ) = a₂e₂^c Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)
52 POK: ELGAMAL PLAINTEXT/RANDOMIZER (g, h, e₁, e₂), (μ, ρ) L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (z₁, z₂) (g, h, e₁, e₂) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) Analysis (direct). Verification eq gives us: (g^(z₁)h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) (g^(z₁*)h^(z₂*), g^(z₂*)) = c (a₁e₁^(c*), C a₂e₂^(c*)) Divide first by second: (g^(z₁ - z₁*) h^(z₂ z₁ - z₂*), m g^(z₂ + cμ - z₂*)) = (e₁^(c - c*), e₂^(c - c*)) (g^((z₁ - z₁*) / (c - z₂ c*)) h^((z₂ r + cρ- z₂*) / (c - c*)), g^((z₂ - z₂*) / (c - c*))) = (e₁, e₂) Exponents matching mod p Special Soundness. From composition, or directly: Extractor K(a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ρ (z₂ - z₂*) / (c - c*) // As before 2. μ (z₁ - z₁*) / (c - c*) 3. Return (μ, ρ) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)
53 POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ HVSZK (direct): Simulator S (c): 1. z₁, z₂ Zp 2. a₁ g^(z₁) h^(z₂) / e₁^c 3. a₂ g^(z₂) / e₂^c 4. Return (a₁, a₂, z₁, z₂) (z₁, z₂) Analysis (direct). Trivial. Verification accepts. Distribution is the same as in the real case too. Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationLecture 26: Arthur-Merlin Games
CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationFoundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationFang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University
Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University Are classical cryptographic protocols secure against quantum attackers? 2 Are classical cryptographic
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRS-based NIZK shuffle argument OUR RESULTS
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationIII. Authentication - identification protocols
III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationAdditive Combinatorics and Discrete Logarithm Based Range Protocols
Additive Combinatorics and Discrete Logarithm Based Range Protocols Rafik Chaabouni 1 Helger Lipmaa 2,3 abhi shelat 4 1 EPFL LASEC, Switzerland 2 Cybernetica AS, Estonia 3 Tallinn University, Estonia 4
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More information1 Recap: Interactive Proofs
Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationCommitment Schemes and Zero-Knowledge Protocols (2011)
Commitment Schemes and Zero-Knowledge Protocols (2011) Ivan Damgård and Jesper Buus Nielsen Aarhus University, BRICS Abstract This article is an introduction to two fundamental primitives in cryptographic
More informationA More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument Helger Lipmaa 1 and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 State University of New York at Buffalo, USA
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationCS151 Complexity Theory. Lecture 14 May 17, 2017
CS151 Complexity Theory Lecture 14 May 17, 2017 IP = PSPACE Theorem: (Shamir) IP = PSPACE Note: IP PSPACE enumerate all possible interactions, explicitly calculate acceptance probability interaction extremely
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationLecture 13: Seed-Dependent Key Derivation
Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the
More information1 Randomized Computation
CS 6743 Lecture 17 1 Fall 2007 1 Randomized Computation Why is randomness useful? Imagine you have a stack of bank notes, with very few counterfeit ones. You want to choose a genuine bank note to pay at
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationImproved OR-Composition of Sigma-Protocols
Improved OR-Composition of Sigma-Protocols Michele Ciampi 1, Giuseppe Persiano 2, Alessandra Scafuro 3, Luisa Siniscalchi 1, and Ivan Visconti 1 1 DIEM, University of Salerno, ITALY {mciampi,lsiniscalchi,visconti}@unisa.it
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationOn the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations
On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations Ronald Cramer, Ivan Damgård and Valerio Pastro CWI Amsterdam and Dept. of Computer Science, Aarhus University Abstract.
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationConcurrent Knowledge Extraction in the Public-Key Model
Concurrent Knowledge Extraction in the Public-Key Model Andrew C. Yao Moti Yung Yunlei Zhao Abstract Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationStatistically Secure Sigma Protocols with Abort
AARHUS UNIVERSITY COMPUTER SCIENCE MASTER S THESIS Statistically Secure Sigma Protocols with Abort Author: Anders Fog BUNZEL (20112293) Supervisor: Ivan Bjerre DAMGÅRD September 2016 AARHUS AU UNIVERSITY
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationGroup Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationOn the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses
On the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses Per Austrin, Kai-Min Chung, Mohammad Mahmoody, Rafael Pass, Karn Seth November 12, 2012 Abstract We initiate
More informationCryptographic Protocols FS2011 1
Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationOn the Security of Classic Protocols for Unique Witness Relations
On the Security of Classic Protocols for Unique Witness Relations Yi Deng 1,2, Xuyang Song 1,2, Jingyue Yu 1,2, and Yu Chen 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More information