CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
|
|
- Barrie Stanley
- 5 years ago
- Views:
Transcription
1 CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu
2 UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols Pairing-based cryptography
3 THIS TIME Pairing-based NIZK in the CRS model An example of Groth-Sahai proofs: efficient NIZK proofs for algebraic relations
4 BACKGROUND READING Jens Groth, Amit Sahai. Efficient Noninteractive Proof Systems for Bilinear Groups. SIAM Journal on Computing, 2012 Alex Escala, Jens Groth. Fine-Tuning Groth- Sahai Proofs. PKC 2015
5 REMINDER: PAIRINGS Pairing: function ê: G 1 G 2 G T that satisfies Bilinearity: ê (ag 1, bg 2 ) = ab ê (g 1, g 2 ) ê ([a] 1, [b] 2 ) = [ab] T Non-degenerative: ê ([a] 1, [b] 2 ) 0 if a, b 0, g i 0 Efficiently computable Setup (1 κ ) returns (p, G 1, G 2, G T, ê) Basic fact of pairings: ê ([a] 1, [b] 2 ) = ê ([c] 1, [d] 2 ) <=> ab = cd
6 REMINDER: NIZK td x Simulator π P(crs, td, x) crs Output Ver(crs, x, π) x, ω π P(crs, x, ω) x, π Output Ver(crs, x, π) Output Ver(crs, x, π)
7 GROTH-SAHAI PROOFS Let Com be a commitment scheme Goal (general): Given A i = Com (a i ), verify that various algebraic equations hold between a i a i can be either a group element (a i ) or integer Example goal: for A i = Com(a i ), B i = Com(b i ), it holds that C = Com(Σb i a i )
8 GROTH-SAHAI PROOFS Only hardness assumption: The commitment scheme is secure Several instantiations known (XDH, DLIN,...) Variant 0: Com is perfectly binding/comp. hiding Perfectly sound/computationally NIZK Variant 1: Com is comp. binding/perfectly hiding Computationally sound/perfectly NIZK
9 DUAL-MODE COMMITMENTS Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") Theorem: crs 0 and crs 1 are indistinguishable crs 0 crs 1 Theorem: Com[crs 0 ] is perfectly binding Theorem: Com[crs 1 ] is perfectly hiding and trapdoor The only difference is in the CRS. The rest of Com is the same in both cases
10 DUAL-MODE COMMITMENTS Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") Theorem: crs 0 and crs 1 are indistinguishable crs 0 crs 1 Theorem: Com[crs 0 ] is perfectly binding Theorem: Com[crs 1 ] is perfectly hiding and trapdoor Corollary. Com[crs 0 ] is computationally hiding Corollary. Com[crs 1 ] is computationally binding
11 COM[CRS0] IS COMP. BINDING (CHECK AT HOME) Lemma. If crs 0 and crs 1 are computationally indistinguishable, and Com[crs 0 ] is perfectly binding, then Com[crs 0 ] is computationally binding. Proof: Assume that Com[crs 0 ] is not comp. binding. Thus, there adv. A that can on input crs 0 produce (C, m, r, m*, r*), s.t. C = Com (m; r) = Com (m*; r*), m* m, with probability ε Α. Assume Com[crs 0 ] is perf. binding. We construct adv. B that distinguishes crs 0 and crs 1 with probability ε Β ε Α / / 4. B is given as an input crs i for i {0, 1}. B sends crs i to A. If A succeeds, then B outputs i* 0, otherwise B outputs i* 0. ε B = Pr[i* = i] = Pr[i* = 0 i = 0] Pr[i = 0] + Pr[i* = 1 i = 1] Pr[i = 1] = (Pr[i* = 0 i = 0] + Pr[i* = 1 i = 1]) / 2 = (Pr[A succeeds i = 0] + (1 - Pr[A succeeds i = 1])) / 2 = ε Α / / 2-1 / 4 = ε Α / / 4
12 GS PROOFS: IDEA Use Com with CRS from one of two different distributions crs 0 ("binding") or crs 1 ("hiding") crs 0 and crs 1 are indistinguishable crs 0 crs 1 GS proofs with Com[crs 0 ] are perfectly sound GS proofs with Com[crs 1 ] are perfectly zero-knowledge GS proofs with Com[crs 0 ] are computationally zero-knowledge GS proofs with Com[crs 1 ] are computationally sound
13 DMC: TECHNICALITIES We need two separate commitment schemes: DMC G, to commit to group elements and DMC E, to commit to exponents DMC G and DMC E have to play well together Due to this and DMC requirements, DMC G / DMC E are somewhat complicated
14 DIFFERENT INSTANTIATIONS Different instantiations of DMC E /DMC G are known based on say XDH, DLIN, SH assumptions We will describe DMC E /GS proof with XDH thus we need to use asymmetric pairings Will not have time to describe DMC G, DLIN/SH setting proofs,...
15 DDH: DIFFERENT VIEW Denote G = (g 1, h), E = (E 1, E 2 ) X = (g 1, h, E 1, E 2 ) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 1. X=(g 1, h, E 1, E 2 ) is not a DDH tuple iff {G, E} is a basis of the vector space V = G 1 2 E G E G not DDH DDH
16 DDH: DIFFERENT VIEW X=(g 1, h, E 1, E 2 ) is a DDH tuple iff E = G for some scalar a iff E and G are linearly dependent Corollary 2. B is a DDH tuple => each vector c <G> can be written nonuniquely as c 1 G + c 2 E while c <G> cannot be written as c 1 G + c 2 E B is not a DDH tuple => each vector c V can be written uniquely as c 1 G + c 2 E E unique (c 1,c 2 )C=c 1 G + c 2 E G (c 1,c 2 )C c 1 G + c 2 E G ( c 1 c 2 )C=c 1 G + c 2 E E not DDH DDH
17 DMCE: IDEA We need to create crs 0 and crs 1 that are computationally indistinguishable under XDH Idea: let crs χ = (gk, g 1, h, E 1, E 2 ), where each vector c V can be written uniquely as c 1 G + c 2 E (g 1, h, E 1, E 2 ) is not a DDH tuple if χ = 0 indistinguishable under XDH assumption (g 1, h, E 1, E 2 ) is a DDH tuple if χ = 1 each vector c <G> can be written non-uniquely as c 1 G + c 2 E while c <G> cannot be written as c 1 G + c 2 E
18 DMC FOR EXPONENTS 1. // χ = hiding mode? 1 : 0 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ, (m, r) crs χ c = Com (m; r) me + rg χ = 0: (g 1, h, E 1, E 2 ) is not a DDH tuple. χ = 1: (g 1, h, E 1, E 2 ) is a DDH tuple. crs 0 crs 1 due to XDH assumption. crs χ crs χ c Store c Open: (m, r) Note: Com (1; 0) = E
19 PERFECT BINDING WITH CRS 0 crs 0 = (gk, G = [(1, x)]₁, E yg + [(0, 1)] 1 Com (m; r) = me + rg = [(my + r, m + (my + r)x)] 1 = Elgamal (m; my + r) // r is random Thus perfectly binding and computationally hiding
20 PERFECT HIDING WITH CRS 1 crs 0 = (gk, G = [(1, x)]₁, E yg Com (m; r) = me + rg = (my + r)g random element of <G> Perfectly hiding since r is random Since crs 0 crs 1, and DMCE[crs 0 ] is perfectly binding => this version is computationally binding under XDH
21 TRAPDOOR WITH CRS 1 crs 1 = ( gk, G = [(1, x)] 1, E yg) Com (m; r) = me + rg = (my + r)g Set td y Given td and m*, compute r* such that my + r = m*y + r* Com (m*; r*) = (m*y + r*)g = (my + r)g = Com (m; r) Clearly trapdoor
22 DMCE SECURITY: THEOREM Theorem. Assume XDH holds. DMC E is either perfectly binding and computationally hiding (if crs 0 is used), or computationally binding, perfectly hiding, and trapdoor (if crs 1 is used). Proof. Given on previous pages.
23 FIRST GROTH-SAHAI PROOF Goal: Given Z i = Com (z i ; r i ) G 1 2 and A i, T G 2 Z i, A i, T are public Construct NIZK proof that z i A i = T Denote (A, B) C := (A C, B C) Bilinear operation! The first argument of is a commitment G 1 2
24 FIRST GROTH-SAHAI PROOF Goal: given Z i = Com(z i ; r i ), A i, T, prove that z i A i = 1 T (*) The basic idea is always similar Use commitments instead of messages, and additions/bilinear operations in different algebraic domain show that if randomness is zero then (Com (z i ; 0) A i ) = Com (1; 0) T Both and are bilinear operations For any randomness: to prove (*), derive π G 2 from (Com (z i ; r i ) A i ) = Com (1; 0) T + (, ) π order important: asymmetric pairings π compensates for added randomness
25 VERIFICATION WITHOUT PRIVACY First, consider the case without privacy Z i = Com(z i ; 0) = z i E + 0G (Com(z i ; 0) A i ) = (z i E A i ) Com (1; 0) = E = E ( z i A i ) = E T Thus (Com (z i ; 0) A i ) = Com (1; 0) T
26 GENERAL CASE WITH RANDOMNESS Recall: crs χ = (gk, G [(1, x)] 1, E yg + [(0, 1 - χ)] 1 Z i = Com(z i ; r i ) = z i E + r i G (Z i A i ) = ((z i E + r i G) Aᵢ) = E ( z i A i ) + G ( r i A i ) = T =: π
27 GS PROOF OF Z I A I = T 1. // χ = [hiding mode] 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ crs χ crs χ, ({A i, Z i }, T), ({z i, r i }) crs χ, ({A i, Z i }, T) π r i A i G 2 π Accept if (Z i A i ) = E T + G π
28 SOUNDNESS WITH CRS 0 crs 0 = (gk, G = [(1, x)]₁, E yg + [(0, 1)] 1 Assume Z i = Com (z i ; r i ) = z i E + r i G for some z i Component-wise verification: ((z i E 1 + r i g 1 ) A i ) = E 1 T + g 1 π (Z i A i ) = E T + G π ((z i E 2 + r i h ) A i ) = E 2 T + h π (( z i g 1 + 0) A i ) = g 1 T + 0 x Second - x first Thus g 1 z i A i = g 1 T Thus z i A i = T, as needed
29 ZERO KNOWLEDGE WITH CRS 1 crs 1 = (gk, G = [(1, x)]₁, E yg Trapdoor com.: Com (1; 0) = E = yg = Com (0; y) Simulator writes Z i = Com (z i *; r i *) for z i * = 0 and some r i * Basic idea: the simulator creates a GS proof that z i *A i - t*t = 0, where t* is an opening of comm. E Since prover has z i * = z i, t* = 1, the prover must be honest Simulator, knowing y, can take z i * = t* = 0
30 ZERO KNOWLEDGE crs 1 = (gk, G = [(1, x)]₁, E yg Com (1; 0) = E = yg = Com (0; y) Simulator writes Z i = Com(0; r i *) = r i *G Simulator creates π* r i *A i - yt // GS proof for 0A i - 0T = 0 Verification succeeds: G π* = G ( r i *A i - yt) = (r i *G A i ) - yg T = (Z i A i ) - E T
31 SIMULATING PROOF OF ZᵢAᵢ = T 1. // χ = [hiding mode] 2. gk Setup (1 κ ) 3. g 1 G 1, x,y Z p 4. G [(1, x)] 1 5. E yg + [(0, 1 - χ)] 1 6. crs χ (gk, G, E) 7. td y crs χ, td crs χ crs χ, td, ({A i, Z i }, T), {z i, r i } crs χ, ({A i, Z i }, T) π* r i *A i - yt G 2 π* Accept if (Z i A i ) = E T + G π*
32 FIRST GS PROOF DONE We saw how to do one concrete GS proof Details are somewhat scary but the proof is very efficient Prover: n exponentiations Verifier: 2n + 4 pairings We used additive notation, so ag isexponentiation CRS: 4 group elements Proof length: 1 group element
33 SOME OTHER POSSIBLE SETTINGS FOR GS Prove you have committed to X i, Y i, s.t. i (A i Y i ) + i j a ij (X i Y j ) = T or to X i, y i s.t. y i A i + b j X j + i j y i c ij X j = T where all other values are publicly known
34 COMPARISON WITH Σ-PROTOCOLS Good: non-interactive, arguably easier to understand (?) suits well other pairing-based protocols Bad: often less efficient requires specific algebraic structure pairings, while Σ-protocols work in many settings E.g., Groth-Sahai does not work with Paillier
35 WHY RELEVANT Pairing-based primitives are "algebraic" Example. Boneh-Boyen signature of m with sk A s [1 / (m + sk A )] 1 Verification: accept if s ([m] 2 + [sk A ] 2 ) = [1] T In some protocols, cannot reveal s before the end of the protocol, but need to prove you know s Need GS proof: S = Com (s; r) pk = [sk A ] 2 s ([m] 2 [sk A ] 2 ) = [1] T
36 GS PROOF FOR CIRCUITS Recall: to show that circuit is correctly computed, one needs a ZK proof that the committed value is Boolean ZK proof that c = Com (mg; r) and m {0, 1}: Include signatures of 0 and 1 (but nothing else) to the CRS Create a randomized commitment c sign of Sign (mg) Construct GS proof that c sign commits to a signature of mg Need structure-preserving signatures"
37 STUDY OUTCOMES Efficient NIZK from pairings Dual-mode commitment Groth-Sahai proofs Idea One example
38 THIS WAS THE LAST LECTURE This was the last lecture
39 STUDY OUTCOMES OF THE COURSE Goal of cryptographic protocols: security against malicious adversary security = correctness + privacy General design principles
40 STUDY OUTCOMES (CONT.) Most general principle: design passively secure protocol achieve active security by employing ZK proofs (In the case MPC, one uses different techniques)
41 STUDY OUTCOMES: PASSIVE SECURITY Employing homomorphic cryptography Elgamal, Paillier Recursion (BDD,...) Better comp. efficiency by allowing many rounds Glimpse to multi-party computation Glimpse to garbled circuits Pairing-based cryptography
42 STUDY OUTCOMES: ACTIVE SECURITY Σ-protocols Basic protocols, composition Getting full 4-round ZK from Σ-protocols Pairing-based NIZK protocols Groth-Sahai
43 FURTHER DIRECTIONS Different basic techniques for passive security: lattice-based cryptography, much more garbled circuits, much more multi-party computation, much more pairings... for active security: cut-and-choose, ZK based on other algebraic techniques Many insanely clever ideas to improve efficiency Other aspects: verification,... Concrete applications: e-voting, auctions, e-cash,...
44 THIS COURSE IN FIVE YEARS More emphasis on quantum-safe protocols Lattice-based crypto Fancy applications like fully homomorphic crypto More on information-theoretic crypto // also quantum-safe MPC Need many more hours :) No course in 2017, in 2018 will have 32 lectures
45
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument Helger Lipmaa 1 and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 State University of New York at Buffalo, USA
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRS-based NIZK shuffle argument OUR RESULTS
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationPrastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationGeneralizing Efficient Multiparty Computation
Generalizing Efficient Multiparty Computation Bernardo David 1, Ryo Nishimaki 2, Samuel Ranellucci 1, and Alain Tapp 3 1 Department of Computer Science Aarhus University, Denmark {bernardo,samuel}@cs.au.dk
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationAdditive Combinatorics and Discrete Logarithm Based Range Protocols
Additive Combinatorics and Discrete Logarithm Based Range Protocols Rafik Chaabouni 1 Helger Lipmaa 2,3 abhi shelat 4 1 EPFL LASEC, Switzerland 2 Cybernetica AS, Estonia 3 Tallinn University, Estonia 4
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationGroth Sahai proofs revisited
Groth Sahai proofs revisited E. Ghadafi, N.P. Smart, and B. Warinschi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi,nigel,bogdan}@cs.bris.ac.uk
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationPractical Round-Optimal Blind Signatures in the Standard Model
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationA Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System
A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System Zhengjun Cao 1, Lihua Liu 2, Abstract. In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationLecture 16: Public Key Encryption:II
Lecture 16: Public Key Encryption:II Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 1 / 17 Last time PKE from ANY trapdoor
More informationEfficient Cryptographic Primitives for. Non-Interactive Zero-Knowledge Proofs. and Applications
Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications by Kristiyan Haralambiev A dissertation submitted in partial fulfillment of the requirements for the degree
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationImplicit Zero-Knowledge Arguments and Applications to the Malicious Setting
Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting Fabrice Benhamouda, Geoffroy Couteau, David Pointcheval, and Hoeteck Wee ENS, CNRS, INRIA, and PSL, Paris, France firstname.lastname@ens.fr
More informationPolicy-based Signature
Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013 1 2 3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, 2013. 2. [GS08] Jens Groth, Amit Sahai.
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationUniversally Composable Adaptive Oblivious Transfer
Universally Composable Adaptive Oblivious Transfer Matthew Green Susan Hohenberger Johns Hopkins University {mgreen,susan}@cs.jhu.edu September 14, 2013 Abstract In an oblivious transfer (OT) protocol,
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationCommuting Signatures and Verifiable Encryption
Commuting Signatures and Verifiable Encryption Georg Fuchsbauer Dept. Computer Science, University of Bristol, UK georg@cs.bris.ac.uk Abstract. Verifiable encryption allows one to encrypt a signature while
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationBlack-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way
Proceedings on Privacy Enhancing Technologies ; 2016 (3):62 82 Tibor Jager and Andy Rupp* Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way Abstract: We formalize and construct
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationOn the (Im)possibility of Projecting Property in Prime-Order Setting
On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationEfficient Culpably Sound NIZK Shuffle Argument without Random Oracles
Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles Prastudy Fauzi and Helger Lipmaa University of Tartu, Estonia Abstract. One way to guarantee security against malicious voting servers
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationA Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles
A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles Michele Ciampi DIEM University of Salerno ITALY mciampi@unisa.it Giuseppe Persiano
More informationSubversion-Resistant Zero Knowledge
Subversion-Resistant Zero Knowledge Georg Fuchsbauer joint work with Mihir Bellare and Alessandra Scafuro ECRYPT-NET Workshop on Crypto for the Cloud & Implementation 27 June 2017 Content of this talk
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationSecure Equality and Greater-Than Tests with Sublinear Online Complexity
Secure Equality and Greater-Than Tests with Sublinear Online Complexity Helger Lipmaa 1 and Tomas Toft 2 1 Institute of CS, University of Tartu, Estonia 2 Dept. of CS, Aarhus University, Denmark Abstract.
More informationGarbled Protocols and Two-Round MPC from Bilinear Maps
Garbled Protocols and Two-Round MPC from Bilinear Maps Sanjam Garg University of California, Berkeley sanjamg@berkeley.edu Akshayaram Srinivasan University of California, Berkeley akshayaram@berkeley.edu
More informationSub-linear Zero-Knowledge Argument for Correctness of a Shuffle
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London jgroth@uclacuk Yuval Ishai Technion and UCLA yuvali@cstechnionacil February 4, 2008 Abstract A shuffle
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationEfficient Fully-Leakage Resilient One-More Signature Schemes
Efficient Fully-Leakage Resilient One-More Signature Schemes Antonio Faonio IMDEA Software Institute, Madrid, Spain In a recent paper Faonio, Nielsen and Venturi (ICALP 2015) gave new constructions of
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationExtractable Perfectly One-way Functions
Extractable Perfectly One-way Functions Ran Canetti 1 and Ronny Ramzi Dakdouk 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. canetti@watson.ibm.com 2 Yale University, New Haven, CT. dakdouk@cs.yale.edu
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationOn the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations
On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations Ronald Cramer, Ivan Damgård and Valerio Pastro CWI Amsterdam and Dept. of Computer Science, Aarhus University Abstract.
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationSignatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)
Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz
More informationDelayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds
Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds Michele Ciampi DIEM Università di Salerno ITALY mciampi@unisa.it Rafail Ostrovsky UCLA Los Angeles rafail@cs.ucla.edu
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationNon-interactive zero-knowledge proofs in the quantum random oracle model
Non-interactive zero-knowledge proofs in the quantum random oracle model Dominique Unruh University of Tartu Abstract. We present a construction for non-interactive zero-knowledge proofs of knowledge in
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA
More informationRound Optimal Blind Signatures
Round Optimal Blind Signatures Dominique Schröder University of Maryland Dominique Unruh Saarland University May 25, 2011 Abstract. All known round optimal (i.e., two-move) blind signature schemes either
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More information6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 11 and 12 Lecturer: Ran Canetti Highlights of last week s lectures Formulated the ideal commitment functionality for a single instance, F com. Showed that
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationEncryption Switching Protocols Revisited: Switching modulo p
Encryption Switching Protocols Revisited: Switching modulo p Guilhem Castagnos 1, Laurent Imbert 2 and Fabien Laguillaumie 2,3 1 IMB UMR 5251, Université de Bordeaux, LFANT/INRIA 2 CNRS, Université Montpellier/CNRS
More informationMinimal Assumptions for Efficient Mercurial Commitments
Minimal Assumptions for Efficient Mercurial Commitments Yevgeniy Dodis Abstract Mercurial commitments were introduced by Chase et al. [8] and form a key building block for constructing zero-knowledge sets
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationThe Exact Round Complexity of Secure Computation
The Exact Round Complexity of Secure Computation Sanjam Garg 1, Pratyay Mukherjee, 1 Omkant Pandey 2, Antigoni Polychroniadou 3 1 University of California, Berkeley {sanjamg,pratyay85}@berkeley.edu 2 Drexel
More informationEfficient Protocols for Set Membership and Range Proofs
Efficient Protocols for Set Membership and Range Proofs Jan Camenisch 1 Rafik Chaabouni 1,2 abhi shelat 3 1 IBM ZRL 2 EPFL LASEC 3 U. of Virginia ASIACRYPT 2008 December 9, 2008 Introduction Our Focus
More informationInteractive and Noninteractive Zero Knowledge Coincide in the Help Model
Interactive and Noninteractive Zero Knowledge Coincide in the Help Model Dragos Florin Ciocan and Salil Vadhan School of Engineering and Applied Sciences Harvard University Cambridge, MA 02138 ciocan@post.harvard.edu,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More information