Lattice-Based Non-Interactive Arugment Systems
|
|
- Prudence Bates
- 5 years ago
- Views:
Transcription
1 Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai
2 Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 Language L 0,1 accept if x L prover verifier Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements
3 Soundness: x L, P Pr P, V x = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 Language L 0,1 accept if x L prover verifier In an argument system, we relax soundness to only consider computationally-bounded (i.e., polynomial-time) provers P Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements
4 The Complexity Class NP NP the class of languages that are efficiently verifiable a language L is in NP if there exists a polynomial-time verifier R such that x L w 0,1 poly x R x, w = 1 Statement Witness
5 The Complexity Class NP NP the class of languages that are efficiently verifiable a language L is in NP if there exists a polynomial-time verifier R such that x L w 0,1 poly x R x, w = 1 In this talk, will focus on language of Boolean circuit satisfiability: L C = x C x, w = 1 for some w Boolean circuit
6 Non-Interactive Proof Systems for NP L C = x C x, w = 1 for some w prover (x, w) w verifier x accept if C x, w = 1 NP languages have non-interactive proof systems But what if we want other properties?
7 Non-Interactive Proof Systems for NP Zero-Knowledge: The proof reveals nothing more about the statement x prover other than x L C [GMR85] Fundamental primitive to modern cryptography (x, w) Important building block in many protocols (e.g., identification schemes, digital signatures, multiparty computation) L C = x C x, w = 1 for some w w Succinctness: The proof is significantly shorter than C (and verifier correspondingly, w ) [Kil92, Mic00, GW11] Natural complexity-theoretic question: what is the minimal communication x complexity for proofs of NP statements? Numerous applications to delegating and verifying computations as well as privacypreserving cryptocurrencies accept if C x, w = 1 NP languages have non-interactive proof systems But what if we want other properties?
8 The Landscape of Modern Cryptography PKE MPC Signatures SNARKs Short Signatures IBE FHE ABE PE FE Obfuscation Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Late 1970s Cryptography is the study of hardness [Slide inspired by Amit Sahai]
9 The Landscape of Modern Cryptography Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? Which assumptions imply succinct non-interactive arguments?
10 The Landscape of Modern Cryptography Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? Which assumptions imply succinct non-interactive arguments?
11 This Work Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? * In a weaker preprocessing model Which assumptions imply succinct non-interactive arguments?
12 This Work Which assumptions imply non-interactive zero-knowledge? Non-interactive zero-knowledge arguments from standard lattice assumptions in a preprocessing model [Kim-W; CRYPTO 2018] Which assumptions imply succinct non-interactive arguments? Succinct non-interactive arguments (SNARGs) from lattice-based assumptions [Boneh-Ishai-Sahai-W; EUROCRYPT 2017] First construction of a quasi-optimal SNARG from lattice-based assumptions [Boneh-Ishai-Sahai-W; EUROCRYPT 2018] Focus of this talk
13 Why Lattices? Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps (Conjectured) post-quantum resilience Diversifying cryptographic assumptions Enable new properties (e.g., quasi-optimality)
14 Succinct Non-Interactive Arguments
15 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x accept if V x, π = 1 Completeness: Honest prover convinces honest verifier of true statements
16 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x accept if V x, π = 1 Completeness: C x, w = 1 Pr V x, P x, w = 1 = 1 Soundness: No efficient prover can convince honest verifier of false statement
17 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x accept if V x, π = 1 Completeness: C x, w = 1 Pr V x, P x, w = 1 = 1 Soundness: for all provers P of size 2 λ (λ is a security parameter), x L C Pr V x, P x = 1 2 λ
18 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x Argument system is succinct if: accept if V x, π = 1 Prover communication is poly λ + log C V can be implemented by a circuit of size poly λ + x + log C Verifier complexity significantly smaller than classic NP verifier
19 Succinct Non-Interactive Arguments (SNARGs) L C = x C x, w = 1 for some w [Kil92, Mic00, GW11] prover (x, w) π = P x, w verifier x Argument system is succinct if: accept if V x, π = 1 Prover communication is poly λ + log C V can be implemented by a circuit of size poly λ + x + log C For general NP languages, succinct non-interactive arguments are unlikely to exist in the standard model [BP04, Wee05]
20 accept if V RO (x, π) = 1 Succinct Non-Interactive Arguments (SNARGs) Instantiation: CS proofs in the random oracle model [Mic94] [Kil92, Mic00, GW11] random oracle RO prover (x, w) π = P RO (x, w) Argument consists of a single message verifier x
21 Succinct Non-Interactive Arguments (SNARGs) Preprocessing SNARGs: allow expensive setup prover (x, w) common reference string (CRS) σ Setup 1 λ τ π = P(σ, x, w) Argument consists of a single message verification state [Kil92, Mic00, GW11] Can consider publiclyverifiable and secretlyverifiable SNARGs verifier x accept if V τ, x, π = 1
22 Complexity Metrics for SNARGs Soundness: for all provers P of size 2 λ : x L C Pr V x, P x = 1 2 λ How short can the proofs be? π = Ω λ Even in the designatedverifier setting How much work is needed to generate the proof? P = Ω C
23 Quasi-Optimal SNARGs Soundness: for all provers P of size 2 λ : x L C Pr V x, P x = 1 2 λ A SNARG (for Boolean circuit satisfiability) is quasi-optimal if it satisfies the following properties: Quasi-optimal succinctness: π = λ polylog λ, C = O(λ) Quasi-optimal prover complexity: P = O C + poly(λ, log C )
24 Asymptotic Comparisons Construction Prover Complexity Proof Size Assumption CS Proofs [Mic94] O( C ) O(λ 2 ) Random Oracle Groth [Gro16] O(λ C ) O(λ) Generic Group Groth [Gro10] GGPR [GGPR12] O(λ C 2 + C λ 2 ) O(λ C ) O(λ) O(λ) Knowledge of Exponent BCIOP (Pairing) [BCIOP13] O(λ C ) O(λ) Linear-Only Encryption This work (over integer lattices) This work (over ideal lattices) O(λ C ) O(λ) O C O(λ) For simplicity, we ignore low order terms poly λ, log C Linear-Only Vector Encryption Linear-Only Vector Encryption in the prover complexity
25 Constructing (Quasi-Optimal) SNARGs New framework for building preprocessing SNARGs (following [BCIOP13]): Step 1 (information-theoretic): Identify useful information-theoretic building block (linear PCPs and linear MIPs) Step 2 (cryptographic): Use cryptographic primitives to compile information-theoretic building block into a preprocessing SNARG Instantiating our framework yields new lattice-based SNARG candidates
26 Linear PCPs [IKO07] PCP where the proof oracle implements a linear function π F m q F m x, w π F m In these instantiations, verifier is oblivious (queries independent of statement) verifier q, π F accept/reject Several possible instantiations: based on the Walsh-Hadamard code [ALMSS92] or quadratic span programs [GGPR13]
27 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Prover constructs linear PCP π from (x, w) x, w Q = q 1 q 2 q 3 q k π F m part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof
28 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof
29 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof
30 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Step 1: Verifier encrypts its queries using an additively homomorphic encryption scheme Prover homomorphically computes Q T π Verifier decrypts encrypted response vector and applies linear PCP verification
31 From Linear PCPs to SNARGs [BCIOP13] Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Step 1: Verifier encrypts its queries using an additively homomorphic encryption scheme Prover homomorphically computes Q T π Verifier decrypts encrypted response vector and applies linear PCP verification
32 From Linear PCPs to SNARGs Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Two issues: Malicious prover can choose π based on the queries Malicious prover can apply different π to each query part of the CRS Step 2: Conjecture that the encryption scheme only supports a limited subset of homomorphic operations (linear-only vector encryption)
33 From Linear PCPs to SNARGs Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k Differs from [BCIOP13] compiler which relies on additional consistency checks to build a preprocessing SNARG Using linear-only vector encryption allows for efficient instantiation from lattices (resulting SNARG satisfies quasioptimal succinctness) part of the CRS Step 2: Conjecture that the encryption scheme only supports a limited subset of homomorphic operations (linear-only vector encryption)
34 Linear-Only Vector Encryption v 1 F k v 2 F k v m F k plaintext space is a vector space
35 Linear-Only Vector Encryption v 1 F k v 2 F k v m F k plaintext space is a vector space α i v i F k i [n] encryption scheme is semantically-secure and additively homomorphic
36 Linear-Only Vector Encryption v 1 F k v 2 F k v m F k adversary extractor ct α 1,, α m F, b F k For all adversaries, there is an efficient extractor such that if ct is valid, then the extractor is able to produce a vector of coefficients α 1,, α m F m and b F k such that Decrypt sk, ct = σ i [n] α i v i + b [Weaker property also suffices]
37 From Linear PCPs to SNARGs Oblivious verifier can commit to its queries ahead of time Q = q 1 q 2 q 3 q k encrypt row by row Prover constructs linear PCP π from (x, w) Linear-only vector encryption ensures that all prover strategies x, w can be explained by a linear function can appeal π to soundness F m of underlying linear PCP to argue soundness part of the CRS Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof
38 Instantiating Linear-Only Vector Encryption Conjecture: Regev encryption (specifically, variant of the [PVW08] scheme) based on lattices is a linear-only vector encryption scheme. Linear PCPs for Boolean circuit satisfiability Linear-Only Vector Encryption Preprocessing SNARG
39 Complexity of the Construction Oblivious verifier can commit to its queries ahead of time Evaluating inner product requires Ω C homomorphic operations; prover complexity: Ω λ Ω C = Ω λ C Q = q 1 q 2 q 3 q k encrypt row by row Prover constructs linear PCP π from (x, w) x, w π F m Proof consists of a single ciphertext: total part length of the CRS O(λ) bits Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof
40 For simplicity, we ignore low order terms poly λ, log C in the prover complexity Asymptotic Comparisons Construction Prover Complexity Proof Size Assumption CS Proofs [Mic94] O( C ) O(λ 2 ) Random Oracle Groth [Gro16] O(λ C ) O(λ) Generic Group Groth [Gro10] GGPR [GGPR12] O(λ C 2 + C λ 2 ) O(λ C ) O(λ) O(λ) Knowledge of Exponent BCIOP (Pairing) [BCIOP13] O(λ C ) O(λ) Linear-Only Encryption This work (over integer lattices) O(λ C ) O(λ) Linear-Only Vector Encryption
41 Towards Quasi-Optimality Oblivious verifier can commit to its queries ahead of time Evaluating inner product requires Ω C homomorphic operations; prover complexity: Ω λ Ω C = Ω λ C Q = q 1 q 2 q 3 q k encrypt row by row Proof consists of a constant number of ciphertexts: total length part of the CRS O(λ) bits Prover constructs linear PCP π from (x, w) x, w We pay π F m Ω(λ) for each homomorphic operation. Can we reduce this? Prover computes responses to linear PCP queries π, q 1 π, q 2 π, q k SNARG proof
42 Linear-Only Encryption over Rings Consider encryption scheme over a polynomial ring R p = Z p x ΤΦ l x Fl p x 1 x 1 x 1 + x 1 x 2 x 3 x 2 x 3 x 2 + x 2 x 3 + x 3 Homomorphic operations correspond to component-wise additions and scalar multiplications x l x l x l + x l Plaintext space can be viewed as a vector of field elements Using RLWE-based encryption schemes, can encrypt l = O(λ) field elements (p = poly λ ) with ciphertexts of size O(λ)
43 Linear-Only Encryption over Rings Consider encryption scheme over a polynomial ring R p = Z p x ΤΦ l x Fl p x 1 x 1 x 1 + x 1 x 2 x 3 x l x 2 x 3 x l x 2 + x 2 x 3 + x 3 x l + x l Homomorphic operations correspond to component-wise additions and scalar multiplications Amortized cost of homomorphic operation on a single field element is polylog(λ) Plaintext space can be viewed as a vector of field elements Using RLWE-based encryption schemes, can encrypt l = O(λ) field elements (p = poly λ ) with ciphertexts of size O(λ)
44 Linear-Only Encryption over Rings q 1 Fm p q 2 Fm p q 3 Fm p m q l F p π 1, q 1 π 2, q 2 π 3, q 3 π l, q l Given encrypted set of query vectors, prover can homomorphically apply independent linear functions to each slot Key idea: Check multiple independent proofs in parallel
45 Linear Multi-Prover Interactive Proofs (MIPs) x, w Verifier has oracle access to multiple linear proof oracles [Proofs may be correlated] Can convert linear MIP to preprocessing SNARG using linearonly (vector) encryption over rings π 1 π 2 π l
46 Linear Multi-Prover Interactive Proofs (MIPs) x, w π 1 π 2 π l Suppose Number of provers l = O λ Proofs π 1,, π l F m p where m = C Τl Number of queries to each π i is polylog(λ) Then, linear MIP is quasi-optimal
47 Linear Multi-Prover Interactive Proofs (MIPs) x, w Prover complexity: O lm = O C Linear MIP size: O l polylog λ = O(λ) Suppose Number of provers l = O λ Proofs π 1,, π l F m p where m = C Τl Number of queries to each π i is polylog(λ) Then, linear MIP is quasi-optimal π 1 π 2 π l
48 Quasi-Optimal Linear MIPs This work: Construction of a quasi-optimal linear MIP for Boolean circuit satisfiability Robust Decomposition Consistency Check Quasi-Optimal Linear MIP
49 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Each constraint only needs to read a subset of the input bits Decompose C into constraint functions f 1,, f l, where each constraint can be computed by a circuit of size s/l f 1 f 2 Boolean circuit C of size s f l
50 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Each constraint only needs to read a subset of the input bits Decompose C into constraint functions f 1,, f l, where each constraint can be computed by a circuit of size s/l f 1 f 2 Boolean circuit C of size s f l
51 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Each constraint only needs to read a subset of the input bits Decompose C into constraint functions f 1,, f l, where each constraint can be computed by a circuit of size s/l f 1 f 2 Boolean circuit C of size s f l
52 Robust Decomposition Statementwitness for C Only depends on x (x, w) Encode x 1 x 2 x 3 x n w 1 w 2 w 3 w h Statement-witness for f 1,, f l Completeness: If C x, w = 1, then f i x, w = 1 for all i Robustness: If x L, then for all w, at most 2/3 of f i x, w = 1 Efficiency: (x, w ) can be computed by a circuit of size O(s) f 1 f 2 Boolean circuit C of size s f l
53 Robust Decomposition f 1 π 1 (x, w) Statement-witness for C Encode (x, w ) Statement-witness for f 1,, f l Boolean circuit C of size s f 2 f l π 2 π l Using linear PCP based on QSPs [GGPR13], π i = O( C Τl) and provides soundness 1/poly λ π i : linear PCP that f i (x, ) is satisfiable (instantiated over F p where p = poly(λ))
54 Robust Decomposition f 1 π 1 (x, w) Statement-witness for C Encode (x, w ) Statement-witness for f 1,, f l Boolean circuit C of size s f 2 π 2 Verifier invokes linear PCP verifier for each instance f l π l π i : linear PCP that f i (x, ) is satisfiable (instantiated over F p where p = poly(λ))
55 Robust Decomposition Boolean circuit C of size s f 1 f 2 f l π 1 π 2 π l Completeness: Follows by completeness of decomposition and linear PCPs Soundness: Each linear PCP provides 1Τpoly λ soundness and for false statement, at least 1/3 of the statements are false, so if l = Ω(λ), verifier accepts with probability Ω λ 2 π i : linear PCP that f i (x, ) is satisfiable (instantiated over F p where p = poly(λ))
56 Robust Decomposition Robustness: If x L, then for all w, at most 2/3 of f i x, w = 1 For false x, no single w can simultaneously satisfy f i x, ; however, all of the f i (x, ) could individually be satisfiable Completeness: Follows by completeness of decomposition and linear PCPs Soundness: Each linear PCP provides 1Τpoly λ soundness and for false statement, at least 1/3 of the statements are false, so if l = Ω(λ), verifier accepts with probability Ω λ 2 Problematic however if prover uses different x, w to construct proofs for different f i s
57 Consistency Checking Require that linear PCPs are systematic: linear PCP π contains a copy of the witness: π 1 π 2 π 3 w 1 w 3 w 1 w 2 w 2 w 3 other components other components other components Goal: check that assignments to w are consistent via linear queries to π i First few components of proof correspond to witness associated with the statement Each proof induces an assignment to a few bits of the common witness w
58 Quasi-Optimal Linear MIP Robust Decomposition C f 1 f 2 f l Robust decomposition can be instantiated by combining MPC-in-the-head paradigm [IKOS07] with a robust MPC protocol with polylogarithmic overhead [DIK10] Checking satisfiability of C corresponds to checking satisfiability of f 1,, f l (each of which can be checked by a circuit of size C Τl) For a false statement, no single witness can simultaneously satisfy more than a constant fraction of f i
59 Quasi-Optimal Linear MIP Robust Decomposition C Consistency Check f 1 f 2 f l Checking satisfiability of C corresponds to checking satisfiability of f 1,, f l (each of which can be checked by a circuit of size C Τl) For a false statement, no single witness can simultaneously satisfy more than a constant fraction of f i Check that consistent witness is used to prove satisfiability of each f i Relies on pairwise consistency checks and permuting the entries to obtain a nice replication structure
60 Asymptotic Comparisons Construction Prover Complexity Proof Size Assumption CS Proofs [Mic94] O( C ) O(λ 2 ) Random Oracle Groth [Gro16] O(λ C ) O(λ) Generic Group Groth [Gro10] GGPR [GGPR12] O(λ C 2 + C λ 2 ) O(λ C ) O(λ) O(λ) Knowledge of Exponent BCIOP (Pairing) [BCIOP13] O(λ C ) O(λ) Linear-Only Encryption This work (over integer lattices) This work (over ideal lattices) O(λ C ) O(λ) O C O(λ) For simplicity, we ignore low order terms poly λ, log C Linear-Only Vector Encryption Linear-Only Vector Encryption in the prover complexity
61 Conclusions A SNARG is quasi-optimal if it satisfies the following properties: Quasi-optimal succinctness: π = O(λ) Quasi-optimal prover complexity: P = O C + poly(λ, log C ) New framework for building SNARGs by combining linear PCPs (and linear MIPs) with linear-only vector encryption Framework yields first quasi-optimal SNARG by combining quasi-optimal linear MIP with linear-only vector encryption Construction of a quasi-optimal linear MIP possible by combining robust decomposition and consistency check
62 Summary Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? Which assumptions imply succinct non-interactive arguments?
63 Summary Factoring RSA Discrete Log BDDH DLIN SIS LWE Number Theory Bilinear Maps Lattices Multilinear Maps Which assumptions imply non-interactive zero-knowledge? * In a weaker preprocessing model Which assumptions imply succinct non-interactive arguments?
64 Acknowledgments Special thanks to all of my amazing collaborators!
Linear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationQuasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh Yuval Ishai Amit Sahai David J. Wu Abstract Succinct non-interactive arguments (SNARGs) enable verifying NP computations with significantly
More informationSuccinct Non-Interactive Arguments via Linear Interactive Proofs
Succinct Non-Interactive Arguments via Linear Interactive Proofs Nir Bitansky Tel Aviv University Rafail Ostrovsky UCLA Alessandro Chiesa MIT September 15, 2013 Yuval Ishai Technion Omer Paneth Boston
More informationLattice-Based SNARGs and Their Application to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh Yuval Ishai Amit Sahai David J. Wu Abstract Succinct non-interactive arguments (SNARGs) enable verifying NP computations
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationSuccinct Delegation for Low-Space Non-Deterministic Computation
Succinct Delegation for Low-Space Non-Deterministic Computation Saikrishna Badrinarayanan UCLA Email: saikrishna@cs.ucla.edu Dakshita Khurana UCLA Email: dakshita@cs.ucla.edu Amit Sahai UCLA Email: sahai@cs.ucla.edu
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationNon-Interactive Delegation for Low-Space Non-Deterministic Computation
Non-Interactive Delegation for Low-Space Non-Deterministic Computation Saikrishna Badrinarayanan UCLA Email: saikrishna@cs.ucla.edu Dakshita Khurana UCLA Email: dakshita@cs.ucla.edu Amit Sahai UCLA Email:
More informationRecursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data
Recursive omposition and Bootstrapping for SNARKs and Proof-arrying Data Nir Bitansky nirbitan@tau.ac.il Tel Aviv University Alessandro hiesa alexch@csail.mit.edu MIT Ran anetti canetti@tau.ac.il Boston
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationLATTICE-BASED NON-INTERACTIVE ARGUMENT SYSTEMS
LATTICE-BASED NON-INTERACTIVE ARGUMENT SYSTEMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationOn Zero-Testable Homomorphic Encryption and Publicly Verifiable Non-Interactive Arguments
On Zero-Testable Homomorphic Encryption and Publicly Verifiable Non-Interactive Arguments Omer Paneth Guy N Rothblum April 3, 2018 Abstract We define and study zero-testable homomorphic encryption (ZTHE
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationOutput Compression, MPC, and io for Turing Machines
Output Compression, MPC, and io for Turing Machines Saikrishna Badrinarayanan Rex Fernando Venkata Koppula Amit Sahai Brent Waters Abstract In this work, we study the fascinating notion of output-compressing
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationOn the (In)security of SNARKs in the Presence of Oracles
On the (In)security of SNARKs in the Presence of Oracles Dario Fiore 1 and Anca Nitulescu 2 1 IMDEA Software Institute, Madrid, Spain dario.fiore@imdea.org 2 CNRS, ENS, INRIA, and PSL, Paris, France anca.nitulescu@ens.fr
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationEfficient Adaptively Secure Zero-knowledge from Garbled Circuits
Efficient Adaptively Secure Zero-knowledge from Garbled Circuits Chaya Ganesh 1, Yashvanth Kondi 2, Arpita Patra 3, and Pratik Sarkar 4 1 Department of Computer Science, Aarhus University. ganesh@cs.nyu.edu
More informationZKBoo: Faster Zero-Knowledge for Boolean Circuits
Aarhus University ZKBoo: Faster Zero-Knowledge for Boolean Circuits Irene Giacomelli, Jesper Madsen and Claudio Orlandi Usenix Security Symposium 2016 1 / 15 Zero-Knowledge (ZK) Arguments Alice Bob. Private
More informationWeak Zero-Knowledge Beyond the Black-Box Barrier
Weak Zero-Knowledge Beyond the Black-Box Barrier Nir Bitansky Dakshita Khurana Omer Paneth November 9, 2018 Abstract The round complexity of zero-knowledge protocols is a long-standing open question, yet
More informationVerifiable Computing: Between Theory and Practice. Justin Thaler Georgetown University
Verifiable Computing: Between Theory and Practice Justin Thaler Georgetown University Talk Outline 1. The VC Model: Interactive Proofs and Arguments 2. VC Systems: How They Work 3. Survey and Comparison
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationFrom FE Combiners to Secure MPC and Back
From FE Combiners to Secure MPC and Back Prabhanjan Ananth Saikrishna Badrinarayanan Aayush Jain Nathan Manohar Amit Sahai Abstract Functional encryption (FE) has incredible applications towards computing
More informationInteractive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science
Interactive PCP Yael Tauman Kalai Georgia Institute of Technology yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract A central line of research in the area of PCPs
More informationSubversion-Resistant Zero Knowledge
Subversion-Resistant Zero Knowledge Georg Fuchsbauer joint work with Mihir Bellare and Alessandra Scafuro ECRYPT-NET Workshop on Crypto for the Cloud & Implementation 27 June 2017 Content of this talk
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationMaking the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits
Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits Yuval Ishai Mor Weiss Guang Yang Abstract A Probabilistically Checkable Proof PCP) allows a randomized verifier,
More informationSNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. Madars Virza
SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge by Madars Virza B.Sc., University of Latvia (2011) Submitted to the Department of Electrical Engineering and Computer Science
More informationThreshold Cryptosystems From Threshold Fully Homomorphic Encryption
Threshold Cryptosystems From Threshold Fully Homomorphic Encryption Dan Boneh Rosario Gennaro Steven Goldfeder Aayush Jain Sam Kim Peter M. R. Rasmussen Amit Sahai Abstract We develop a general approach
More informationA More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument Helger Lipmaa 1 and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 State University of New York at Buffalo, USA
More informationFrom Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again
From Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer August 17, 2011 Abstract The existence of
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationC C : A Framework for Building Composable Zero-Knowledge Proofs
C C : A Framework for Building Composable Zero-Knowledge Proofs Ahmed Kosba Zhichao Zhao Andrew Miller Yi Qian T-H. Hubert Chan Charalampos Papamanthou Rafael Pass abhi shelat Elaine Shi : UMD : HKU :
More informationMulti-Input Functional Encryption for Unbounded Arity Functions
Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationWatermarking Cryptographic Functionalities from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable
More informationPublicly Verifiable Non-Interactive Arguments for Delegating Computation
Publicly Verifiable Non-Interactive Arguments for Delegating Computation Omer Paneth Guy N Rothblum December 4 2014 Abstract We construct publicly verifiable non-interactive arguments that can be used
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationFrom Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again
From Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer November 30, 2011 Abstract The existence
More informationSub-linear Zero-Knowledge Argument for Correctness of a Shuffle
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London jgroth@uclacuk Yuval Ishai Technion and UCLA yuvali@cstechnionacil February 4, 2008 Abstract A shuffle
More informationPoint Obfuscation and 3-round Zero-Knowledge
Point Obfuscation and 3-round Zero-Knowledge Nir Bitansky and Omer Paneth Tel Aviv University and Boston University September 21, 2011 Abstract We construct 3-round proofs and arguments with negligible
More informationProofs of Ignorance and Applications to 2-Message Witness Hiding
Proofs of Ignorance and Applications to 2-Message Witness Hiding Apoorvaa Deshpande Yael Kalai September 25, 208 Abstract We consider the following paradoxical question: Can one prove lack of knowledge?
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationSecure Arithmetic Computation with Constant Computational Overhead
Secure Arithmetic Computation with Constant Computational Overhead Benny Applebaum 1, Ivan Damgård 2, Yuval Ishai 3, Michael Nielsen 2, and Lior Zichron 1 1 Tel Aviv University, {bennyap@post,liorzichron@mail}.tau.ac.il
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation
ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation Nir Bitansky Omer Paneth February 12, 2015 Abstract We present new constructions of two-message and one-message
More informationSignatures of Correct Computation
Signatures of Correct Computation Charalampos Papamanthou 1, Elaine Shi 2, and Roberto Tamassia 3 1 UC Berkeley, cpap@cs.berkeley.edu 2 University of Maryland, elaine@cs.umd.edu 3 Brown University, rt@cs.brown.edu
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationNon-Interactive RAM and Batch NP Delegation from any PIR
Non-Interactive RAM and Batch NP Delegation from any PIR Zvika Brakerski Justin Holmgren Yael Kalai Abstract We present an adaptive and non-interactive protocol for verifying arbitrary efficient computations
More information1 The Low-Degree Testing Assumption
Advanced Complexity Theory Spring 2016 Lecture 17: PCP with Polylogarithmic Queries and Sum Check Prof. Dana Moshkovitz Scribes: Dana Moshkovitz & Michael Forbes Scribe Date: Fall 2010 In this lecture
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationEfficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting
Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting Jonathan Bootle 1, Andrea Cerulli 1, Pyrros Chaidos 1, Jens Groth 1, and Christophe Petit 2 1 University College London
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationQuantum Proofs of Knowledge
Dominique Unruh University of Tartu Dominique Unruh Post Quantum Crypto Post Quantum Crypto Classical crypto Secure against quantum computers Needs: Quantum hard problems (e.g., lacce crypto) New security
More informationConstructing Witness PRF and Offline Witness Encryption Without Multilinear Maps
Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps Tapas Pal, Ratna Dutta Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur-721302, India tapas.pal@iitkgp.ac.in,ratna@maths.iitkgp.ernet.in
More informationThe Hunting of the SNARK
The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Shafi Goldwasser Huijia Lin Aviad Rubinstein Eran Tromer July 24, 2014 Abstract The existence of succinct non-interactive arguments for
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationSeparating Succinct Non-Interactive Arguments From All Falsifiable Assumptions
Separating Succinct Non-Interactive Arguments From All Falsifiable Assumptions Craig Gentry Daniel Wichs June 6, 2013 Abstract An argument system (computationally sound proof) for N P is succinct, if its
More informationSignatures of Correct Computation
Signatures of Correct Computation Charalampos Papamanthou UC Berkeley cpap@cs.berkeley.edu Elaine Shi University of Maryland elaine@cs.umd.edu January 22, 2013 Roberto Tamassia Brown University rt@cs.brown.edu
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationIndistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption
Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry Allison ewko Amit Sahai Brent Waters November 4, 2014 Abstract We revisit the question of constructing
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More informationElectronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP
Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP Yael Tauman Kalai Weizmann Institute of Science yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationExecutable Proofs, Input-Size Hiding Secure Computation and a New Ideal World
Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World Melissa Chase 1(B), Rafail Ostrovsky 2, and Ivan Visconti 3 1 Microsoft Research, Redmond, USA melissac@microsoft.com 2 UCLA,
More informationCircuits Resilient to Additive Attacks with Applications to Secure Computation
Circuits Resilient to Additive Attacks with Applications to Secure Computation Daniel Genkin Technion danielg3@cs.technion.ac.il Yuval Ishai Technion yuvali@cs.technion.ac.il Manoj M. Prabhakaran University
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationMulti-Key Homomorphic Signatures Unforgeable under Insider Corruption
Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2, Raymond K. H. Tai 1, Harry W. H. Wong 1, and Sherman S. M. Chow 1 1 Chinese University of Hong Kong, Hong Kong
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationProjective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationEfficient Fully-Leakage Resilient One-More Signature Schemes
Efficient Fully-Leakage Resilient One-More Signature Schemes Antonio Faonio IMDEA Software Institute, Madrid, Spain In a recent paper Faonio, Nielsen and Venturi (ICALP 2015) gave new constructions of
More informationStatistically Secure Sigma Protocols with Abort
AARHUS UNIVERSITY COMPUTER SCIENCE MASTER S THESIS Statistically Secure Sigma Protocols with Abort Author: Anders Fog BUNZEL (20112293) Supervisor: Ivan Bjerre DAMGÅRD September 2016 AARHUS AU UNIVERSITY
More information