From Secure MPC to Efficient Zero-Knowledge
|
|
- Della Hines
- 5 years ago
- Views:
Transcription
1 From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017
2 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time verifier R such that x L w 0,1 poly x R x, w = 1
3 Interactive Proof Systems [GMR85] NP admits efficient non-interactive proofs G is 3- colorable G = public graph prover verifier
4 Interactive Proof Systems [GMR85] IP: class of languages that have an interactive proof system G is not 3- colorable prover and verifier exchange a sequence of messages accept prover verifier
5 Interactive Proof Systems [GMR85] Interactive proof system modeled by two algorithms P, V with following properties: Completeness: x L Pr P, V (x) = 1 = 1 Soundness: x L, P Pr P, V (x) = 0 = 1 prover verifier
6 Interactive Proof Systems [GMR85] Interactive proof system modeled by two algorithms P, V with following properties: Completeness: x L Pr P, V (x) = 1 = 1 Soundness: x L, P Pr P, V (x) = 0 = 1 can also allow soundness error ε prover verifier
7 Interactive Proof Systems [GMR85] Interactive proof system modeled by two algorithms P, V with following properties: Completeness: x L Pr P, V (x) = 1 = 1 Soundness: x L, P Pr P, V (x) = 0 = 1 Efficiency: V runs in polynomial time (in x ) computationally unbounded randomized, efficient prover verifier
8 Interactive Proof Systems [GMR85] IP: class of languages that have an interactive proof system dip = NP (dip: interactive proofs with deterministic verifier) IP = PSPACE [LFKN90, Sha90] prover verifier
9 Zero-Knowledge Proofs [GMR85] G is 3- colorable G = The proof reveals the witness! Can we prove to a verifier that a statement x is in a language L without revealing anything more about x other than the fact that x L?
10 Zero-Knowledge Proofs [GMR85] common input: statement x L P, V x c S(x) real distribution ideal distribution Zero-Knowledge: for all efficient verifiers V, there exists an efficient simulator S such that: x L P, V x c S(x)
11 Zero-Knowledge Proofs [GMR85] common input: statement x L P, V x c S(x) honest verifier zero-knowledge (HVZK): simulator exists only for honest verifier real distribution ideal distribution Zero-Knowledge: for all efficient verifiers V, there exists zero-knowledge an efficient simulator S such that: x L P, V x c S(x) can also consider statistical zero-knowledge and perfect
12 Zero-Knowledge Proofs [GMR85] common input: statement x L P, V x c S(x) real distribution ideal distribution Assuming the existence of one-way functions (OWFs), every NP (in fact, IP) language has a computational zero-knowledge proof system [GMW86]
13 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 r 1 r 2 P 1 P 2 f
14 Two-Party Computation Every message is a deterministic function of the party s input, its internal randomness, and the set of messages it has received Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 f
15 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 y 1 y 2 Correctness: y 1 = f w 1, w 2 = y 2 f
16 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 y 1 y 2 f View Pi w 1, w 2 ; r 1, r 2 = w i, r i, m i
17 Two-Party Computation Zero knowledge is special case of two-party computation w 1 w 2 m 1 m 2 r 1 r 2 m 3 P 1 P 2 y 1 y 2 f View Pi w 1, w 2 ; r 1, r 2 = w i, r i, m i y i = Π f,i View Pi w ; r
18 Multiparty Computation (MPC) Correctness: For all inputs w and all i n Pr Π f,i View Pi w ; r = f w = 1 w 1 w 5 w 2 w 4 w 3
19 Multiparty Computation (MPC) Correctness: For all inputs w and all i n Pr Π f,i View Pi w ; r = f w = 1 y 1 = f(w) y 5 = f(w) y 2 = f(w) y 4 = f(w) y 3 = f(w)
20 Multiparty Computation (MPC) t-privacy: For all T [n] where T t, there exists an efficient simulator S T such that for all inputs w: View Pi w ; r S i T T f, w i i A, f w w 1 w 5 w 2 w 4 w 3
21 Multiparty Computation (MPC) t-privacy: For all T [n] where T t, there exists an efficient simulator S T such that for all inputs w: View Pi w ; r S i T T f, w i i A, f w w 1 w 5 w 2 Views of any t-subset of the parties do not reveal anything more about the private inputs of any other party w 4 w 3
22 Multiparty Computation (MPC) t-robustness: For all T [n] where T t, and for all f where f w = 0 for all w, then Pr Π f,i View Pi w ; r = 1 = 0 for all i [n] T even if the players in T have been arbitrarily corrupted w 1 w 5 w 2 w 4 w 3
23 Multiparty Computation (MPC) t-robustness: For all T [n] where T t, and for all f where f w = 0 for all w, then Pr Π f,i View Pi w ; r = 1 = 0 for all i [n] T even if the players in T have been arbitrarily corrupted y 1 = 0 y 5 = 0 y 4 = 0 If there are no inputs w to f where f w = 1, then a malicious adversary corrupting up to t parties cannot cause an honest party to output 1
24 Zero-Knowledge from Two-Party Computation Zero knowledge is special case of two-party computation Given a statement x for an NP relation R, define the function f x w = R(x, w) We require a 1-private, 1-robust two-party computation protocol Π fx for f x The prover and verifier execute Π fx Prover s input: the witness w Verifier s input: none The verifier accepts if the output of Π fx is 1
25 Zero-Knowledge from Two-Party Computation Zero knowledge is special case of two-party computation General two-party computation with robustness against malicious adversaries requires oblivious transfer (OT) [Yao86, GMW87] and thus, cannot be instantiated from one-way functions On the other hand, zero knowledge for NP is known from one-way functions (OWFs) [GMW86] Constructions very inefficient relies on running a Karp reduction to an NPcomplete problem (e.g., 3-coloring) This talk: constructing zero-knowledge for NP from OWFs + black-box use of any (semi-honest) MPC protocol
26 MPC in the Head [IKOS07] Let R(x, w) be an NP relation and define the function f x w 1,, w n = R x, w 1 w n, where n 3 Key idea: Prover simulates an n-party MPC protocol Π fx for the function f x Verifier checks that the simulation is correct Key advantage: relies only on OWFs and semi-honest secure MPC
27 MPC in the Head [IKOS07] Key cryptographic primitive: commitment scheme Commit m; r c m Open c, r m m
28 MPC in the Head [IKOS07] Key cryptographic primitive: commitment scheme Perfectly binding: each commitment can be opened in exactly one way r 0, r 1 Commit m 0 ; r 0 = Commit m 1 ; r 1 m 0 = m 1 Computationally hiding: commitment hides committed value to any bounded adversary: Commit m 0 ; r c Commit(m 1 ; r) Non-interactive commitments can be constructed from any injective OWF [Blu81] Interactive commitments can be constructed from any OWF
29 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n (x, w) R(x, w) is an NP relation Π fx
30 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n w = w 1 w 2 w 3 w 4 w 5 uniformly random strings Step 1: Secret share the witness Π fx
31 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n w 1 w = w 1 w 2 w 3 w 4 w 5 w 5 w 2 uniformly random strings Step 2: Simulate Π fx using randomness r w 4 w 3 Π fx
32 MPC in the Head [IKOS07] f x w 1,, w n = R x, w 1 w n w 1 w 5 w 2 c 1 = Commit View P1 w; r ; r 1 c n = Commit View Pn w; r ; r n Step 3: Commit to the view of each party w 4 w 3 Π fx
33 MPC in the Head [IKOS07] public input: statement x (x, w) c 1, c 2,, c n Step 4: Prover sends the commitments to the verifier
34 MPC in the Head [IKOS07] public input: statement x (x, w) c 1, c 2,, c n 1 i < j n Step 5: Verifier challenges prover to open two of the views (at random)
35 MPC in the Head [IKOS07] public input: statement x (x, w) c 1, c 2,, c n 1 i < j n Open c i, r i, Open(c j, r j ) Step 6: Prover opens up commitments to requested views
36 MPC in the Head [IKOS07] Verification conditions: 1. Commitments are correctly opened 2. The outputs of both P i and P j is 1 3. The views View Pi and View Pj are consistent with an honest execution of Π fx (x, w) c 1, c 2,, c n 1 i < j n Open c i, r i, Open(c j, r j ) Step 7: Verifier checks the proof
37 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Completeness: Suppose R x, w = 1 Prover is honest so w = w 1 w n By construction, f x w 1,, w n = R x, w = 1 Perfect correctness of Π fx implies that all parties in honest execution output f x w 1,, w n = 1
38 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Soundness: Suppose R x, w = 0 for all w By perfect correctness of Π fx, for all choices of w 1,, w n, parties in an honest execution of Π fx will output 0 Either all outputs are 0 or there is at least one pair of views that are inconsistent Verifier rejects with probability at least 1/n 2 (commitments are perfectly binding)
39 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Can be amplified by running the protocol multiple times (κn 2 Soundness: Suppose R x, w = 0 for all w times to achieve negligible By perfect correctness of Π fx, for all choices of w 1,, w n, parties in an honest soundness error 2 κ ) execution of Π fx will output 0 Either all outputs are 0 or there is at least one pair of views that are inconsistent Verifier rejects with probability at least 1/n 2 (commitments are perfectly binding)
40 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Zero-Knowledge: Suppose that R x, w = 1 View of verifier consists of committed views to all parties, and views View Pi (w; r) and View Pj (w; r) (which include w i and w j ) for two of the parties When n 3, w i, w j are uniformly random strings By 2-privacy of Π fx, View Pi (w; r) and View Pj (w; r) can be simulated given just f x, w i, w j, f x w = 1
41 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Zero-Knowledge: Since prover is honest here, Suppose the that proof R x, w only = 1requires privacy against semi-honest parties View of verifier consists of committed views to all parties, and views View Pi (w; r) and View Pj (w; r) (which include w i and w j ) for two of the parties When n 3, w i, w j are uniformly random strings By 2-privacy of Π fx, View Pi (w; r) and View Pj (w; r) can be simulated given just f x, w i, w j, f x w = 1
42 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose the commitment scheme is perfectly binding and computationally hiding and that Π fx is perfectly correct and is 2-private (against semihonest adversaries), then this protocol is a zero-knowledge proof for the NP-relation R. Concrete instantiations: Information-theoretic: 5-party BGW protocol [BGW88] Computational (based on OT): 3-party GMW protocol [GMW87] and many more
43 MPC in the Head [IKOS07] Using an n-party MPC protocol, the soundness error is 1 1/n 2 Consequence: achieving negligible soundness 2 κ requires Ω(κ) repetitions of the protocol Can we obtain negligible soundness error without performing the Ω(κ) repetitions of the protocol?
44 MPC in the Head [IKOS07] Using an n-party MPC protocol, the soundness error is 1 1/n 2 Soundness error is large because verifier checks only a single view Can reduce the soundness error by having the prover open up more views (e.g., t = Θ(κ) views) Zero-knowledge maintained as long as Π fx is t-private Soundness amplification will rely on leveraging robustness of Π fx
45 MPC in the Head [IKOS07] Using an n-party MPC protocol, the soundness error is 1 1/n 2 Soundness error is large because verifier Without checks robustness, only a single even view if the prover open n 1 views, the Can reduce the soundness error by having the prover open up more views (e.g., t = Θ(κ) views) soundness error can still be O 1 n Zero-knowledge maintained as long as Π fx is t-private Soundness amplification will rely on leveraging robustness of Π fx
46 MPC in the Head [IKOS07] n = Θ(κ) t = Θ(n) Suppose Π fx is an n-party MPC protocol that is t-private and t-robust (x, w) c 1, c 2,, c n T [n] where T = t Open c i, r i i [T] Verifier can now ask for t openings without compromising zero-knowledge
47 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust To analyze soundness, define the inconsistency graph G for the prover s simulated MPC protocol: 1 Nodes correspond to parties An edge between i and j denotes an inconsistency between View Pi and View Pj
48 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust To analyze soundness, define the inconsistency graph G for the prover s simulated MPC protocol: Verifier chooses some subset of nodes and rejects if induced subgraph on those nodes contains an edge Verifier rejects
49 Verifier may accept MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust To analyze soundness, define the inconsistency graph G for the prover s simulated MPC protocol: Verifier chooses some subset of nodes and rejects if induced subgraph on those nodes contains an edge
50 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 1: Suppose G contains a vertex cover B of size at most t small number of corrupted parties most parties are honest and will output 0 by robustness B = 4,5
51 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 1: Suppose G contains a vertex cover B of size at most t corrupted nodes 5 B By definition, views of all nodes not in B are consistent (i.e., correspond to an honest protocol execution) Π fx is t-robust, so all nodes not in B output 0 on a false statement honest nodes
52 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Failure only if all nodes chosen by verifier fall in B Case 1: Suppose G contains a vertex cover B of size at most t corrupted nodes 5 B honest nodes By definition, views of all nodes not in B are consistent (i.e., correspond to an honest protocol execution) Π fx is t-robust, so all nodes not in B output 0 on a false statement Verifier can only accept if T B, so soundness error is bounded by t n t Ω n Ω κ = 2 = 2
53 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 2: Suppose the minimum vertex cover of G has size greater than t large number of corrupted parties likely to be detected by verifier 4 3
54 MPC in the Head [IKOS07] Suppose Π fx is an n-party MPC protocol that is t-private and t-robust Case 2: Suppose the minimum vertex cover of G has size greater than t Then G has a matching of size greater than t/2 Verifier accepts only if no edges in G between any of the nodes in T, and in particular, no edges in the matching Since t = Θ(n), the verifier misses all edges in the matching with probability 2 Ω n = 2 Ω κ
55 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose that the following holds: the commitment scheme is perfectly binding and computationally hiding, Π fx is t-private (against semi-honest adversaries), and t-robust (against malicious adversaries) n-party protocol for f x. If t = Θ(κ) and n = Θ(t), then this protocol is an honest-verifier zeroknowledge proof for the NP-relation R with soundness error 2 κ. Relies only on OWFs (for the commitments) and black-box access to Π fx.
56 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose that the following holds: the commitment scheme is perfectly binding and computationally Can be boosted to zero-knowledge hiding, by having the verifier commit to its Π fx is t-private (against semi-honest queries adversaries), using a statistically-hiding and t-robust commitment scheme [Ros04] (against malicious adversaries) n-party protocol for f x. If t = Θ(κ) and n = Θ(t), then this protocol is an honest-verifier zeroknowledge proof for the NP-relation R with soundness error 2 κ. Relies only on OWFs (for the commitments) and black-box access to Π fx.
57 MPC in the Head [IKOS07] Theorem [IKOS07]. Suppose that the following holds: the commitment scheme is perfectly binding and computationally hiding, Concrete parameters: for Π fx is t-private (against semi-honest adversaries), 2 80 soundness and error, t-robust can use (n, t, r) = 92,64,64 (against malicious adversaries) n-party protocol for f x. If t = Θ(κ) and n = Θ(t), then this protocol is an honest-verifier zeroknowledge proof for the NP-relation R with soundness error 2 κ. Relies only on OWFs (for the commitments) and black-box access to Π fx.
58 ZKBoo [GMO16] c 1, c 2,, c n S [n] where S = t 1 Open c i, r i i [S] For concrete soundness targets (e.g., 2 80 ), most efficient instantiation of IKOS is to use simple, non-robust multiparty computation protocol and amplify soundness by repeating the protocol
59 ZKBoo [GMO16] c 1, c 2,, c n S [n] where S = t 1 n-party BGW protocol obtaining soundness error 2 80 requires n = 1122, t = 374 Open c i, r i i [S] iterating a 3-party protocol with 2- privacy yields proofs which contain 274 bits per multiplication gate for 2 80 soundness For concrete soundness targets (e.g., 2 80 ), most efficient instantiation of IKOS is to use simple, non-robust multiparty computation protocol and amplify soundness by repeating the protocol
60 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model w 1 m w 5 w 2 point-to-point channel m w 4 w 3
61 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model w 1 m 0, m 1 b 0,1 w 5 w 2 OT channel m b w 4 w 3
62 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model w 1 x y w 5 w 2 arbitrary channel f(x, y) w 4 w 3
63 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model In MPC setting, channels are implemented using secure two-party computation In MPC-in-the-head, can model them as ideal functionalities (e.g., as an oracle to the function f) x arbitrary channel y f(x, y)
64 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model In MPC does setting, not trivialize channels the are implemented problem since using protocol secure must two-party computation still provide privacy In MPC-in-the-head, can model them as ideal functionalities (e.g., as an oracle to the function f) x arbitrary channel y f(x, y)
65 ZKBoo [GMO16] Emulating an MPC protocol cheaper than running the MPC protocol in the standard model In MPC setting, channels are implemented using secure two-party computation In MPC-in-the-head, can model them as ideal functionalities (e.g., as an oracle to the function f) New design space for MPC protocols x arbitrary channel y f(x, y)
66 ZKBoo [GMO16] f x w 1,, w n = R x, w 1 w n w 1 (x, w) w 5 w 2 How to construct Π fx? w 4 w 3 Π fx
67 (2, 3)-Function Decompositions [GMO16] A variant of the GMW protocol (can also be viewed as a function decomposition) w 1 0 w 2 0 w 3 0 w = w 1 + w 2 + w 3 Function evaluation on secret sharedinputs
68 (2, 3)-Function Decompositions [GMO16] A variant of the GMW protocol (can also be viewed as a function decomposition) protocol execution proceeds in a series of rounds gate-by-gate evaluation of f w 1 1 w 1 0 f 1 (1) f 1 (2) w 2 1 w 2 0 f 2 (1) f 2 (2) w 3 1 w 3 0 f 3 (1) f 3 (2) w = w 1 + w 2 + w 3 Each party communicates with one other party y 1 y 2 y 3 y = y 1 + y 2 + y 3
69 (2, 3)-Function Decompositions [GMO16] A variant of the GMW protocol (can also be viewed as a function decomposition) w 1 0 w 2 0 w 3 0 f 1 (1) f 2 (1) f 3 (1) View Pi w ; r = w i 0,, w i N w 1 1 w 2 1 w 3 1 f 1 (2) f 2 (2) f 3 (2) y 1 y 2 y 3 protocol is 2-private
70 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x Add α x + α x y Add x + y x Multiply α αx x y Multiply xy
71 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F no interaction needed x = x 1 + x 2 + x 3 x 1 x 2 x 3 x Add α x + α f 1 f 2 f 3 x 1 + α x 2 x 3 x 1 + α + x 2 + x 3 = x + α
72 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F no interaction needed x = x 1 + x 2 + x 3 x 1 x 2 x 3 x Multiply α αx f 1 f 2 f 3 αx 1 αx 2 αx 3 αx 1 + αx 2 + αx 3 = αx
73 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x y no interaction needed Add x + y x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 f 1 f 2 f 3 x 1 + y 1 x 2 + y 2 x 3 + y 3 x 1 + y 1 + x 2 + y 2 + x 3 + y 3 = x + y
74 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 x y Multiply xy only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy
75 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 x y Multiply xy f 1 f 2 f 3 x 1 y 1 + x 2 y 1 + x 1 y 2 x 2 y 2 + x 3 y 2 + x 2 y 3 x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy
76 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 x y Multiply xy cannot be 2-private: information about x 3, y 3 revealed x 1 y 1 + x 2 y 1 + x 1 y 2 x 2 y 2 + x 3 y 2 + x 2 y 3 x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy
77 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F similar to GMW, blind each intermediate product x y Multiply xy x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 f 1 f 2 f 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + R 1 c R 2 (c) x 3 y 3 + x 1 y 3 + x 3 y 1 + R 3 c R 1 (c) x 2 y 2 + x 3 y 2 + x 2 y 3 + R 2 c R 3 (c) only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy
78 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F similar to GMW, blind each intermediate product x y Multiply xy x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 random blinding factors (R i (c) is randomness used by i th party on gate c) f 1 f 2 f 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + R 1 c R 2 (c) x 3 y 3 + x 1 y 3 + x 3 y 1 + R 3 c R 1 (c) x 2 y 2 + x 3 y 2 + x 2 y 3 + R 2 c R 3 (c) only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy
79 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F similar to GMW, blind each intermediate product x y Multiply xy x = x 1 + x 2 + x 3 y = y 1 + y 2 + y 3 x 1, y 1 x 2, y 2 x 3, y 3 f 1 f 2 f 3 1 bit per multiplication x 1 y 1 + x 2 y 1 + x 1 y 2 + R 1 c R 2 (c) x 3 y 3 + x 1 y 3 + x 3 y 1 + R 3 c R 1 (c) x 2 y 2 + x 3 y 2 + x 2 y 3 + R 2 c R 3 (c) only depends on x 1,y 1,x 2,y 2 only depends on x 2,y 2,x 3,y 3 x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 + x 3 y 2 + x 2 y 3 + x 3 y 3 + x 1 y 3 + x 3 y 1 only depends on x 1,y 1,x 3,y 3 = x 1 + x 2 + x 3 y 1 + y 2 + y 3 = xy
80 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x Add α x + α x y Add x + y x Multiply α αx x y Multiply xy Computation on local shares Two-party computation
81 (2, 3)-Function Decompositions [GMO16] Express f x as an arithmetic circuit over finite field F x Add α x + α x y Add x + y x Multiply α αx x y xy 137 iterations + open 2 views = Multiply 274 bits of communication per multiplication gate in ZKBoo Computation on local shares Two-party computation
82 Summary MPC in the head gives new paradigm for constructing efficient zero-knowledge proof systems New directions in designing efficient MPC protocols for zero-knowledge can be quite efficient in practice Zero-knowledge protocols can also be used for signature schemes (Fiat-Shamir) including postquantum signatures!
83 Open Directions Designing new MPC protocols for more efficient zeroknowledge Many theoretical MPC protocols with better communication complexity shorter proofs and (postquantum) signatures Alternative viewpoints: MPC in the head as a PCP with large alphabet (i.e., each party s view)
Lecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationRound-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations
Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations Carmit Hazay 1 and Muthuramakrishnan Venkitasubramaniam 2 1 Bar-Ilan University 2 University of Rochester Abstract. In this
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationOn the Cryptographic Complexity of the Worst Functions
On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationSecure Multi-Party Computation. Lecture 17 GMW & BGW Protocols
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party
More informationEfficient General-Adversary Multi-Party Computation
Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate
More informationCS151 Complexity Theory. Lecture 13 May 15, 2017
CS151 Complexity Theory Lecture 13 May 15, 2017 Relationship to other classes To compare to classes of decision problems, usually consider P #P which is a decision class easy: NP, conp P #P easy: P #P
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationRound-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols
Round-Preserving Parallel Composition o Probabilistic-Termination Cryptographic Protocols [ICALP 17] Ran Cohen (TAU) Sandro Coretti (NYU) Juan Garay (Yahoo Research) Vassilis Zikas (RPI) 2 Secure Multiparty
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationCryptographic Protocols FS2011 1
Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationLecture 12: Interactive Proofs
princeton university cos 522: computational complexity Lecture 12: Interactive Proofs Lecturer: Sanjeev Arora Scribe:Carl Kingsford Recall the certificate definition of NP. We can think of this characterization
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationLecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.
CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial
More informationPoint Obfuscation and 3-round Zero-Knowledge
Point Obfuscation and 3-round Zero-Knowledge Nir Bitansky and Omer Paneth Tel Aviv University and Boston University September 21, 2011 Abstract We construct 3-round proofs and arguments with negligible
More informationInteractive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science
Interactive PCP Yael Tauman Kalai Georgia Institute of Technology yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract A central line of research in the area of PCPs
More informationMaking the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits
Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits Yuval Ishai Mor Weiss Guang Yang Abstract A Probabilistically Checkable Proof PCP) allows a randomized verifier,
More information6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 11 and 12 Lecturer: Ran Canetti Highlights of last week s lectures Formulated the ideal commitment functionality for a single instance, F com. Showed that
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationA Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles
A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles Michele Ciampi DIEM University of Salerno ITALY mciampi@unisa.it Giuseppe Persiano
More informationInteractive and Noninteractive Zero Knowledge Coincide in the Help Model
Interactive and Noninteractive Zero Knowledge Coincide in the Help Model Dragos Florin Ciocan and Salil Vadhan School of Engineering and Applied Sciences Harvard University Cambridge, MA 02138 ciocan@post.harvard.edu,
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationA Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness
A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness Gilad Asharov Yehuda Lindell Tal Rabin February 25, 2013 Abstract It is well known that it is impossible
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationVerifiable Computing: Between Theory and Practice. Justin Thaler Georgetown University
Verifiable Computing: Between Theory and Practice Justin Thaler Georgetown University Talk Outline 1. The VC Model: Interactive Proofs and Arguments 2. VC Systems: How They Work 3. Survey and Comparison
More informationPerfect Secure Computation in Two Rounds
Perfect Secure Computation in Two Rounds Benny Applebaum Tel Aviv University Joint work with Zvika Brakerski and Rotem Tsabary Theory and Practice of Multiparty Computation Workshop, Aarhus, 2018 The MPC
More informationCS151 Complexity Theory. Lecture 14 May 17, 2017
CS151 Complexity Theory Lecture 14 May 17, 2017 IP = PSPACE Theorem: (Shamir) IP = PSPACE Note: IP PSPACE enumerate all possible interactions, explicitly calculate acceptance probability interaction extremely
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationHow to Go Beyond the Black-Box Simulation Barrier
How to Go Beyond the Black-Box Simulation Barrier Boaz Barak December 30, 2008 Abstract The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction
More informationZero Knowledge and Soundness are Symmetric
Zero Knowledge and Soundness are Symmetric Shien Jin Ong and Salil Vadhan School of Engineering and Applied Sciences Harvard University Cambridge, Massachusetts, USA {shienjin,salil}@eecs.harvard.edu Abstract.
More informationMultiparty Computation (MPC) Arpita Patra
Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationIntroduction to Interactive Proofs & The Sumcheck Protocol
CS294: Probabilistically Checkable and Interactive Proofs January 19, 2017 Introduction to Interactive Proofs & The Sumcheck Protocol Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Pratyush Mishra
More informationComplexity of Multi-Party Computation Functionalities
Complexity of Multi-Party Computation Functionalities Hemanta K. Maji Manoj Prabhakaran Mike Rosulek October 16, 2012 Abstract The central objects of secure multiparty computation are the multiparty functions
More information198:538 Complexity of Computation Lecture 16 Rutgers University, Spring March 2007
198:538 Complexity of Computation Lecture 16 Rutgers University, Spring 2007 8 March 2007 In this lecture we discuss Shamir s theorem that PSPACE is the set of languages that have interactive proofs with
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationExecutable Proofs, Input-Size Hiding Secure Computation and a New Ideal World
Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World Melissa Chase 1(B), Rafail Ostrovsky 2, and Ivan Visconti 3 1 Microsoft Research, Redmond, USA melissac@microsoft.com 2 UCLA,
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1, Alon Rosen 2, and Ronen Shaltiel 3 1 Microsoft Research, New England Campus. iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationCounterexamples to Hardness Amplification Beyond Negligible
Counterexamples to Hardness Amplification Beyond Negligible Yevgeniy Dodis Abhishek Jain Tal Moran Daniel Wichs January 31, 2012 Abstract If we have a problem that is mildly hard, can we create a problem
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationUnconditionally Secure Multiparty Set Intersection Re-Visited
Unconditionally Secure Multiparty Set Intersection Re-Visited Arpita Patra 1, Ashish Choudhary 1, and C. Pandu Rangan 1 Dept of Computer Science and Engineering IIT Madras, Chennai India 600036 arpita@cse.iitm.ernet.in,
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationAbstract. Often the core diculty in designing zero-knowledge protocols arises from having to
Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols
More informationLecture 26: Arthur-Merlin Games
CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationFounding Cryptography on Smooth Projective Hashing
Founding Cryptography on Smooth Projective Hashing Bing Zeng a a School of Software Engineering, South China University of Technology, Guangzhou, 510006, China Abstract Oblivious transfer (OT) is a fundamental
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationNotes for Lecture 27
U.C. Berkeley CS276: Cryptography Handout N27 Luca Trevisan April 30, 2009 Notes for Lecture 27 Scribed by Madhur Tulsiani, posted May 16, 2009 Summary In this lecture we begin the construction and analysis
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationFundamental MPC Protocols
3 Fundamental MPC Protocols In this chapter we survey several important MPC approaches, covering the main protocols and presenting the intuition behind each approach. All of the approaches discussed can
More informationWeak Zero-Knowledge Beyond the Black-Box Barrier
Weak Zero-Knowledge Beyond the Black-Box Barrier Nir Bitansky Dakshita Khurana Omer Paneth November 9, 2018 Abstract The round complexity of zero-knowledge protocols is a long-standing open question, yet
More informationSecure Multiparty Computation from Graph Colouring
Secure Multiparty Computation from Graph Colouring Ron Steinfeld Monash University July 2012 Ron Steinfeld Secure Multiparty Computation from Graph Colouring July 2012 1/34 Acknowledgements Based on joint
More informationResource-efficient OT combiners with active security
Resource-efficient OT combiners with active security Ignacio Cascudo 1, Ivan Damgård 2, Oriol Farràs 3, and Samuel Ranellucci 4 1 Aalborg University, ignacio@math.aau.dk 2 Aarhus University, ivan@cs.au.dk
More informationEssentially Optimal Robust Secret Sharing with Maximal Corruptions
Essentially Optimal Robust Secret Sharing with Maximal Corruptions Allison Bishop 1, Valerio Pastro 1, Rajmohan Rajaraman 2, and Daniel Wichs 2 1 Columbia University 2 Northeastern University November
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationEfficient Adaptively Secure Zero-knowledge from Garbled Circuits
Efficient Adaptively Secure Zero-knowledge from Garbled Circuits Chaya Ganesh 1, Yashvanth Kondi 2, Arpita Patra 3, and Pratik Sarkar 4 1 Department of Computer Science, Aarhus University. ganesh@cs.nyu.edu
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationElectronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP
Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP Yael Tauman Kalai Weizmann Institute of Science yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationAn Epistemic Characterization of Zero Knowledge
An Epistemic Characterization of Zero Knowledge Joseph Y. Halpern, Rafael Pass, and Vasumathi Raman Computer Science Department Cornell University Ithaca, NY, 14853, U.S.A. e-mail: {halpern, rafael, vraman}@cs.cornell.edu
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1,,AlonRosen 2,, and Ronen Shaltiel 3, 1 Microsoft Research, New England Campus iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationA New Approach to Round-Optimal Secure Multiparty Computation
A New Approach to Round-Optimal Secure Multiparty Computation Prabhanjan Ananth University of California Los Angeles Abhiek Jain Johns Hopkins University Arka Rai Choudhuri Johns Hopkins University Abstract
More informationEfficient Zero-Knowledge for NP from Secure Two-Party Computation
Efficient Zero-Knowledge for NP from Secure Two-Party Computation Hongda Li 1,2, Dongxue Pan 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication Security Research Center, Chinese Academy of Sciences,
More informationOblivious Transfer in Incomplete Networks
Oblivious Transfer in Incomplete Networks Varun Narayanan and Vinod M. Prabahakaran Tata Institute of Fundamental Research, Mumbai varun.narayanan@tifr.res.in, vinodmp@tifr.res.in bstract. Secure message
More informationOblivious Transfer from Weak Noisy Channels
Oblivious Transfer from Weak Noisy Channels Jürg Wullschleger University of Bristol, UK j.wullschleger@bristol.ac.uk April 9, 009 Abstract Various results show that oblivious transfer can be implemented
More informationClassical Verification of Quantum Computations
Classical Verification of Quantum Computations Urmila Mahadev UC Berkeley September 12, 2018 Classical versus Quantum Computers Can a classical computer verify a quantum computation? Classical output (decision
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationAn Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationInteractive Locking, Zero-Knowledge PCPs, and Unconditional Cryptography
Interactive Locking, Zero-Knowledge PCPs, and Unconditional Cryptography Vipul Goyal Yuval Ishai Mohammad Mahmoody Amit Sahai February 18, 2010 Abstract Motivated by the question of basing cryptographic
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 9 Lecture date: March 7-9, 2005 Scribe: S. Bhattacharyya, R. Deak, P. Mirzadeh 1 Interactive Proof Systems/Protocols 1.1 Introduction
More informationHow to Construct a Leakage-Resilient (Stateless) Trusted Party
How to Construct a Leakage-Resilient Stateless Trusted Party Daniel Genkin UPenn and UMD danielg3@seas.upenn.edu Yuval Ishai Technion and UCLA yuvali@cs.technion.ac.il Mor Weiss Northeastern m.weiss@northeastern.onmicrosoft.com
More informationOn the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations
On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations Ronald Cramer, Ivan Damgård and Valerio Pastro CWI Amsterdam and Dept. of Computer Science, Aarhus University Abstract.
More informationBroadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions
Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in
More informationRate-Limited Secure Function Evaluation: Definitions and Constructions
An extended abstract of this paper is published in the proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography PKC 2013. This is the full version. Rate-Limited
More information