Zero-Knowledge for Multivariate Polynomials
|
|
- Jean Short
- 5 years ago
- Views:
Transcription
1 Zero-Knowledge for Multivariate Polynomials Valérie Nachef, Jacques Patarin 2, Emmanuel Volte Department of Mathematics, University of Cergy-Pontoise, CNRS UMR avenue Adolphe Chauvin, 95 Cergy-Pontoise Cedex, France 2 PRISM, University of Versailles 45 avenue des Etats-Unis, 7835 Versailles Cedex, France valerie.nachef@u-cergy.fr, emmanuel.volte@u-cergy.fr jacques.patarin@prism.uvsq.fr Abstract. In [2] a Zero-Knowledge scheme ZK2 was designed from a solution of a set of multivariate quadratic equations over a finite field. In this paper we will give two methods to generalize this construction for polynomials of any degree d, i.e. we will design two Zero-Knowledge schemes ZKd and ZKd from a set of polynomial equations of degree d. We will show that ZKd is optimal in term of the number of computations to be performed and that ZKd is optimal in term of the number of bits to be send. Moreover this property is still true for all kinds of polynomials: for example if the polynomials are sparse or dense. Finally, we will present two examples of applications: with Brent equations, or with morphisms of polynomials. Key words: Authentication scheme, Zero-Knowledge, Multivariate polynomials. Introduction The first Zero-Knowledge schemes were based on the factorization problem for example Fischer-Micali-Rackoff in 984, or Fiat-Shamir in 986 or the Graph Isomorphism Problem. However the factorization problem is not expected to be a NP complete problem since it is in NP and Co NP and it has sub-exponential algorithms such as NFS and even polynomial algorithms on quantum computers Shor algorithm. Then, it was proved in 99 by O. Goldreich, S. Micali and A. Widgerson that any problem of NP has a Zero-Knowledge proof [4]. But the general construction cf [4] of Zero-Knowledge proofs from any problem of NP is usually not very efficient. This is why various Zero-Knowledge schemes have been specifically designed from some well suited and well chosen NP complete schemes based on simple combinatorial problems expected to be exponentially difficult, such as PKP of Adi Shamir [3], PP of David Pointcheval [] or CLE [5] or SD [4] of Jacques Stern for example. Recently [2] such a scheme was designed from the MQ problem, i.e. the problem of finding a solution from a set of multivariate quadratic equations over a finite field. This MQ problem is related to various primitives in cryptography [2, 7 9], and is NP-complete over any finite field [3, ].
2 In this paper, we will generalize the construction of [2] in order to design a Zero-Knowledge authentication from a solution of any set of multivariate polynomials of degree d over a finite field i.e. not only d = 2. We will describe two schemes extending the results of [2]. The Zkd scheme is optimal if we focus on the number of bits to be sent and the ZKd scheme is optimal if we consider the number of computations. This is true for any kind of polynomials dense or sparse. For practical applications the case d = 3 i.e. cubic equations is particularly important, since from these polynomials we will be able to design Zero-Knowledge schemes based on the NP-complete Morphism problem MP or from the Brent equations related to the optimal way to solve sets of linear equations i.e. improvements of the Gauss elimination. We will explain in this paper why these two problems are really interesting for cryptography. We can notice that MP morphism of Polynomial is NP hard while IP isomorphism of Polynomials is expected not to be NP hard since it has an Arthur-Merlin game for yes or no answers. We will detail the case d = 3 and give only the features of the general schemes ZKd and ZKd. 2 Zero-Knowledge Protocols and Commitments In an interactive Protocol, there are two entities: the prover and the verifier. The Prover wants to convince the verifier that she knows a secret. Both interact and at the end, the verifier accepts or refuses. In Zero-Knowledge Protocols there is a possibility of fraud. A cheater will be able to answer some of the questions but not all of them. The protocol must be designed such that an answer to one of the question does not give any indication on the secret but if someone is able to answer all the questions then this will reveal the Prover s secret. We will use the following definitions in order to describe the properties that we want to be satisfied by our protocols:. The protocol has perfect correctness is a legitimate prover is always accepted. 2. The protocol is statistically zero knowledge if there exists an efficient simulating algorithm U such that for every feasible Verifier strategy V, the distributions produced by the simulator and the proof protocol are statistically indistinguishable. 3. The protocol is proof of zero knowledge with error knowledge α if there is a knowledge extractor K and a polynomial Q such that if p denotes the probability that K finds a valid witness for x using its access to a prover P and p x denotes the probability that P convinces the honest verifier on x, and p x > α, then we have p Qp x α. In our protocols, we will need string commitment schemes. A string commitment function is denoted by Com. The commitment scheme runs in two phases. In the first phase, the sender computes a commitment value c = Coms; ρ and sends c to the receiver, where s is the committed string and ρ is a random string. In the second phase, the sender gives s, ρ and the receiver verifies if c = Coms; ρ. we require the two following properties of Com.
3 . The commitment scheme is statistically hiding if for uniform x, ρ and x, ρ the distributions Coms, ρ and Comx, ρ are statistically indistinguishable. This means that the commitment to x reveals almost no information on x even to an infinitely powerful Verifier. 2. The commitment scheme is computationally binding if the probability to that two different values x, ρ and x, ρ produce the same c = Comx, ρ = Comx, ρ is negligible in polynomial time, i.e. the chances to change the committed value after the first phase are very small. A practical construction of such a commitment is given in [5]. 3 Systems of Multivariate equations of degree d We consider the following function of degree d from F n q to F m q : F x = f x, f 2 x,..., f m x where l, l m, and x = x,..., x n : f l x = i... i d n γ l i...i d x i x i2... x id i i 2 n We omit the constant term. Let Gr, r,..., r d = γ l i i 2 x i x i2 + d d i i= i... i d n i n S {,...,d } S =i γ l i...i d x i x i2... x id γ l i x i F j S r j Then G is d-linear. For F, a multivariate function of degree d, we define a binary relation R F = {v, x F m q F n q ; v = F x}. The problem is: Given F and v F m q find s F n q such that F s = v, i.e. s R F v. 4 ZK3 Schemes We consider the following cubic functions: F x = f x, f 2 x,..., f m x where l, l m and x = x,..., x n f l x = γijkx l i x j x k + γijx l i x j + γi l x i i j k n i j n i n We omit the constant term. Let Gx, y, z = F x + y + z F x + y F x + z F y + z + F x + F y + F z
4 We have: Gx, y, z = g x, y, z, g 2 x, y, z,..., g m x, y, z where l, l m, x = x,..., x n, y = y,..., y n and z = z,..., z n g l x, y, z = i j k n γ l ijkx i y j z k + x i y k z j + x j y i z k + x j y k z i + x k y i z j + x k y j z i Then G is trilinear. The problem is: Given F and v F m q find s F n q such that F s = v. The public key is F, v. The secret is s such that F s = v. The Prover is going to convince the Verifier of his knowledge of s pass scheme For simplicity, the random string in Com is not written explicitly. If X is a set, x R E means that x is randomly chosen in X with the uniform distribution.. The Prover picks up r, r, t R F n q and e, f, h R F m q. Then she computes r 2 = s r r, t = r t e = F r e, f = F r + r f, h = F r + r 2 h The Prover sends to the Verifier c = Comr, r 2, Gt, r, r 2 e + f + h c = Comr, t, e, f, c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h, c 4 = Comr 2, t, e, h 2. The verifier chooses a query Q R {,, 2, 3} and sends Q to the prover. 3. a If Q = then the Prover sends r, r, t, e, f. The Verifier checks if c = Comr, r t, F r e, F r +r f, c 2 = Comr, t, e, f b If Q = then the Prover sends r, r 2, t, e, h. The Verifier checks if c 3 = Comr 2, r t, F r e, F r +r 2 h, c 4 = Comr 2, t, e, h c If Q = 2 then the Prover sends r, r 2, t, e, f, h. The Verifier checks if c = Comr, r 2, v Gt, r, r 2 +e f h F r +r 2 +F r +F r 2, c 2 = Comr, t, e, f, c 4 = Comr 2, t, e, h d If Q = 3 then the Prover sends r, r 2, t, e, f, h. The Verifier checks if c = Comr, r 2, Gt, r, r 2 e + f + h, c = Comr, t, e, f, c 3 = Comr 2, t, e, h The verifier outputs if the she gets the correct value in the commitments, otherwise. 4.2 Properties of the 3-pass scheme It is easy to see that the verifier always accepts an interaction with the honest prover. Thus the 3-pass scheme has perfect correctness.
5 Theorem The 3-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Proof. We construct a black-box simulator S which have oracle access to a cheating verifier CV takes F and v, and outputs a simulated transcripts with probability 3/4 as follows. The simulator randomly chooses a value Q R {,, 2, 3} and vectors s, r, r, t R F n q and e, f, h R F m q, where Q is a prediction what value the cheating verifier CV will not choose. Then it computes Moreover it sets: r 2 = s r + r, t r t, e F r e. If Q =, f = v F s + F r + r f, else f = F r + r f. 2. If Q =, h = v F s + F r + r 2 f, else h = F r + r 2 h. 3. If Q = 3, c = Comr, r 2, v Gt, r, r 2 f h + e F r + r 2 + F r + F r 2, else c = Comr, r 2, Gt, r, r 2 f h + e It also computes: c = Comr, t, e, f, c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h, c 4 = Comr 2, t, e, h and sends c, c, c 2, c 3, c 4 to CV. Receiving a query Q from CV the simulator outputs if Q = Q and stops. If S does not output, it produces a transcript as follows: If Q =, it outputs c, c, c 2, c 3, c 4,, r, r, t, e, f If Q =, it outputs c, c, c 2, c 3, c 4,, r, r 2, t, e, h If Q = 2, it outputs c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h If Q = 3, it outputs c, c, c 2, c 3, c 4, 3, r, r 2, t, e, f, h We can check that if S does not output, the transcript is accepted. For example, we consider the case where Q = and Q = 2. The output is c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h. Thus, we have the right values for c 2 and c 4. Now, c is computed as follows: c = Comr, r 2, v Gt, r, r 2 + e f h F r + r 2 + F r + fr 2. Here f = v F s + F r + r f. Thus we obtain c = Comr, r 2, Gt, r, r 2 f h + e and the transcript is accepted. The other cases are checked similarly. We now show that the distribution of the output S is statistically close to the distribution of a real transcript since the commitment is statistically hiding. A real transcript between the the legitimate prover P and a cheating verifier CV on F, v, s is denoted by P s, CV F, v. The simulator output is denoted by S, CV F, v. We analyze the output distribution. First first we consider the case where Q =. Then P s, CV F, v = c, c, c 2, c 3, c 4,, r, r, t, e, f S, CV F, v = c, c, c 2, c 3, c 4,, r, r, t, e, f
6 Assume that r, r, t, e, f = r, r, t, e, f. Then we obtain t = t, e = e, f = f and c = c, c 2 = c 2 in all cases Q =, 2, 3. The second case is when Q =. Then P s, CV F, v = c, c, c 2, c 3, c 4,, r, r 2, t, e, h S, CV F, v = c, c, c, c 3, c 4,, r, r 2, t, e, h This case is very similar to the previous one. We get t = t, e = e, h = h and c 3 = c 3, c 4 = c 4 in all cases Q =, 2, 3. The third case is Q = 2. Then P s, CV F, v = c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h S, CV F, v = c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h When Q =, assume that r, r, t, e, f, h = r + s s, r, t + s s, e F r +F r +s s, f F r +r +v F s +F r +r +s s, h F r + r 2 + F r + r 2 + s s. When Q =, assume that r, r, t, e, f, h = r +s s, r, t +s s, e F r +F r +s s, f F r +r +F r +r + s s, h F r + r 2 + v F s + F r + r 2 + s s. When Q =, assume that r, r, t, e, f, h = r + s s, r, t + s s, e F r + F r + s s, f F r + r + F r + r + s s, h F r + r 2 + F r + r 2 + s s. We can check that for all these cases we obtain: r 2 = r 2, t = t, e = e, f = f, h = h and then c = c, c 2 = c 2, c 4 = c 4. The last case is Q = 2. Then P s, CV F, v = c, c, c 2, c 3, c 4, 3, r, r 2, t, e, f, h 3 S, CV F, v = c, c, c 2, c 3, c 4, 2, r, r 2, t, e, f, h Assume that r, r, t, e, f, h = r s s, r, t, e, f, h, then we obtain r 2 = r 2, c = c, c = c and c 3 = c 3. Since the commitment is statistically hiding, we get that when S does not output, the distribution of the output of S is statistically close to the distribution of the real transcript. Theorem 2 The 3-pass protocol is proof of zero knowledge with zero knowledge error 3/4 when the commitment scheme Com is computationally binding. Proof. Suppose that there exists a false prover C that can answer all the questions. Then either C will compute a collision for Com or will extract a solution for F, v. Let c, c, c 2, c 3, c 4, Q, Rsp, c, c, c 2, c 3, c 4, Q, Rsp, c, c, c 2, c 3, c 4, Q 2, Rsp 2, c, c, c 2, c 3, c 4, Q 3, Rsp 3, be four transcripts such that Q i = i and all the responses are accepted. Consider the situation where the responses are parsed as Rsp = r, r, t, e, f, Rsp = r, r 2, t, e, h, Rsp 2 = r 2, r2 2, t2, e2, f 2, h2, Rsp 3 = r 3, r3 2, t, e, f, h. We obtain: c = Com r 2, r2 2, v Gt2, r2, r2 2 f 2 h 2 + e 2 F r 2 + r 2 + F r2 + F r2 2 = Com r 3, r3 2, Gt, r 3, r3 2 + f + h e
7 c = Com r, r t, F r e, F r + r f = Com r 3, t, e, f 2 c 2 = Comr, t, e, f = Comr2, t2, e2, f 2 3 c 3 = Com r 2, r t, F r e, F r + r 2 h = Com r 3 2, t, e, h 4 c 4 = Comr 2, t, e, h = Comr2 2, t2, e2, h2 5 If two tuples of the arguments of Com are are distinct on either of the above equations, then we have a collision for Com. Otherwise, these equalities give: h 5 = h 2, r 2 = r 3 = r 2, t 3 = t 5 = t 2, r 3,4 = r and r 2 2 = r = r 2, e2 3 = e 2,4 = e, f 3 = f 2 So, all upper scripts are useless and from we have: v = Gt + t, r, r 2 + f + h e + F r + r 2 F r F r 2 + f + h e Then, from 2 and 4 we have r = t +t, F r = e +e, F r +r = f +f and F r + r 2 = h + h, so if we replace these values in the previous equality, we obtain: v = Gr, r, r 2 + F r + r + F r + r 2 + F r + r 2 F r F r F r 2 = F r + r + r 2 This means that a solution r + r + r 2 for v is extracted. Let p s be the probability that P convinces the honest verifier on s and p the probability that all the 3 transcripts are accepted. Suppose that p s > 3 4. Depending on the fact that the 4 transcripts are accepted or not, we get p s p p. This implies that p 4p s 3 4. Thus the proof of Theorem 2 is complete. 4.3 Computations in the 3-pass scheme We give the maximum number of computations that have to be done either by the prover or by the receiver in the case of F 2. We must calculate the number of computations for F and for G. Moreover we see that F is computed at most 3 times and G is computed just one time. We only count multiplications. In F 2, we have: x 3 i = x2 i = x i. We can write: f l x = n [ x i γ l i + γii l + γiii l + i= n j=i+ x j γ l ij + γ l ijj + n k=j+ γ l ijkx k ] Let M denotes the number of multiplications needed to compute F. Using the above expression for F, we obtain M n3 6 m. In the following table, we give the characteristics of the scheme ZK3 and the values that we obtain when we
8 choose n = 84, m = 8, in order to have 8-bit security cf. [2]. Moreover if we want an impersonation probability less than 2 3, we need to perform at least 73 rounds. R stands for the number of rounds and C for the maximum number of computations that have to be done either by the prover or by the receiver. The values are given in Table. Remark. We may need less computations. It depends on the number of non Table. ZK3 Scheme Formulas Parameters for 2 8 security Public key bit m 8 Secret key bit n 84 n M n + 2m R Communication bit or n + 3m R 72 Number of multiplications C=9MR 2 33 zero coefficients. This is the case for Brent equations as explain in Section pass scheme Here we describe briefly a 5-pass scheme. Proofs are sketched in Appendix A.. The Prover picks up at random r, r, t F n q and e, f, h F m q. Then she computes r 2 = s r r. The Prover sends to the Verifier c = Comr, r 2, Gt, r, r 2 e + f + h c = Comr, t, e, f c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h c 4 = Comr 2, t, e, h 2. The verifier picks α R F q and sends α to the prover. 3. The prover computes: t, e f, h = αr t, αf r e, αf r + r f, αf r + r 2 h and sends t, e f, h to the verifier. 4. The verifier picks Q R {,, 2} and sends Q to the prover. 5. a If Q =, then the prover sends r, r. The verifier checks if c = Comr, r, αr t, αf r e, αf r + r f. b If Q =, then the prover sends r, r 2. The verifier checks if c = Comr, r 2, αr t, αf r e, αf r + r 2 h. c If Q = 2, then the prover sends r, r 2. The verifier checks if c 2 = Comr, r 2, αv F r +r 2 +F r +F r 2 Gt, r, r 2 f h +e.
9 As for the 3-pass scheme, we have perfect correctness and the following results: Theorem 3 The 5-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Theorem 4 The 5-pass protocol is proof of zero knowledge with zero knowledge error 2/3 + /3q when the commitment scheme Com is computationally binding. 5 The ZK3 Scheme. In this section, we propose another scheme inspired from [2]. The idea is to transform the cubic system into a quadratic one and the to use the scheme given in [2]. As we will see, the number of computations is smaller, but the number of communication bits is more important. We investigate the transformation of a system with cubic equations to a system with quadratic equations. We will introduce new variables. Once we have obtained a system of equations with quadratic polynomials, we can apply the identification scheme of [2]. We will calculate the number of multiplications in this case. In our system, we have F x = f x, f 2 x,..., f m x where l, l m, f l x = γijkx l i x j x k + γijx l i x j + γi l x i i j k n i j n i n and x = x,..., x n. We introduce the new variables i, j, i j n, X ij = x i x j. The number of new variables is nn 2, if q = 2, and nn+ 2, if q 2. In our new system, we have F = f,..., f m, f ij i j n where for x = x,..., x n, X ij i j n and l m, f l x = i j k n γ l ijkx ij x k + i j n γ l ijx ij + i n γ l i x i and for i j n, f ij x = X ij x i x j. Here the number of variables is ñ n + n2 2 and the number of equations is m = m + n2 2. As before, M denotes the number of multiplications needed to compute F. M denotes the number of multiplications for the computation of F. We choose q = 2. Then M = M + nn 2. Thus M M n3 6. C stands for the maximum number of computations that have to be done either by the prover or by the receiver. If R denotes the number of rounds performed in order to have an impersonation probability less than 2 3, then R = 52 cf. [2]. The following table gives the characteristics of the ZK3 Scheme and the values we get when n = 84 and m = 8.
10 Table 2. ZK3 Scheme Formulas Parameters for 2 8 security Public key bit m 3483 Secret key bit n 84 n M 6 Communication bit ñ + m R 5658 Number of multiplications C = 3 M R ZKd and ZKd Schemes for any d 6. The ZKd Scheme We will design a 3-pass scheme We consider the following function of degree d from F n q to F m q : where l, l m, i i... i d n f l x = F x = f x, f 2 x,..., f m x i i... i d n γ l i...i d x i x i2... x id γ l i...i d x i x i2... x id + i i i 2 n and x = x,..., x n. We omit the constant term. Let Gr, r,..., r d = d d i i= S {,...,d } S =i γ l i i 2 x i x i2 + F j S r j i i n Then G is d-linear. The problem is: Given F and v F m q find s F n q such that F s = v The public key is F, v. The secret is s such that F s = v. γ l i x i. The Prover picks up at random r, r,..., r d 2, t R F n q, f R F m q, and p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip, R F m q. Then she computes r d = s d 2 i= r i t = r t f = F r f and p, p d 2, i,... i p, i < i 2 <... i p d f i...ip = F r + r i r ip f i...ip
11 Then the Prover sends to the Verifier c Com r,..., r d, Gt, r,..., r d + d 2 d p f i...ip p= i <...<i p d + d f i, i d c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j i j i, f i...ip The verifier chooses a query Q R {,,..., d} and sends Q to the prover. 2. a If Q =, then the Prover sends r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip. The Verifier checks if c = Com r,..., r d, Gt, r,..., r d + i <...<i p d f i...ip + d f d 2 d p p= and i, i d, c 2i = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip b If Q = d, then the Prover sends r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip. i, i d, The Verifier checks if c = Com r,..., r d, v Gt, r,..., r d d 2 d p p=
12 d f + i <...<i p d d d i i= f i...ip S {,...,d } S =i F r j j S and i, i d, c 2i = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip c if Q = i, then the prover sends r, r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip The Verifier checks if c 2i = Com r,..., r i, r i+,..., r d, r t, F r f, and p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, F r + r i r ip f i...ip c 2i = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...ip As for the the case d = 3, we have perfect correctness and the following results see Appendix B for details: Theorem 5 The 3-pass protocol ZKd is statistically zero knowledge when the commitment scheme Com is statistically hiding. Theorem 6 The 3-pass protocol is proof of zero knowledge with zero knowledge error when the commitment scheme Com is computationally binding. d d+ Remark. As for the case d = 3, it is possible to design a 5-pass scheme. 6.2 The ZKd Scheme Here we explain how it is possible to design the ZKd Scheme. Again there are two functions F and F. If M resp. M denotes the number of computations for F resp. F, then M n d /d! and M nd d! + n d 2 / d 2! M. For ZKd, there are n variables and m equations. For ZKd, there are ñ n + n d 2 / d 2! variables and m m + n d 2 / d 2! equations. There are more multiplications in ZKd and more communication bits in ZKd. The values for both schemes are given in Table 3. Here we have an impersonation probability less than 2 3.
13 Table 3. ZKd and ZKd Schemes ZKd scheme ZKd scheme Public key bits m m m + n d 2 / d 2! Secret key bits n n M Rounds n d d! R = m 3 ln2 ln+/d n d d! m R = 52 Number of 5dn + ln d + 2 2d R Communication or n + m + 3n d 2 / d! R 2 bits 3dn + ln d + 2 2d 2 R Multiplications C = 92 d + d!mr C = 3 M R 6.3 Relations for sparse systems In the previous computations, we have supposed that we have the maximum number of coefficients. Then we obtained that in both cases, M M nd d!. Then the total number of multiplications is a function of M or M and the number of rounds. For sparse systems, M or M will be smaller but we will still have the same relations between C, M and R and similarly C, M and R. Here again, we can see that there are more variables and more communications bits in the ZKd schemes and more computations in the ZKd schemes. 7 Relations between the number of computations and the number of coefficients We begin with the ZKd scheme. We have: f l x, x 2,..., x n = γ l i...i d x i x i2... x id + i,...,i d S l d γ l i...i d x i x i2... x id i i,...,i d S l d γ l i i 2 x i x i2 + γ l i x i i i,i 2 S2 l i i S2 l The number of multiplications for f l is given by d Sd l + d Sd l + d 2 Sd 2 l S2 l + S l and for F the number M of multiplications is m [ ] M = d Sd l + d Sd l + d 2 Sd 2 l S2 l + S l l=
14 Moreover, F is computed at most 2 d times during the process. For g l we have d!d + m Sd l multiplications and for G, d!d + S l d multiplications and G is computed one time. Finally, for one round, the number of multiplications is given by m [ d2 d + d!d + Sd l + d Sd l + d 2 Sd 2 l l= l= ] 2 S2 l + S l and then we have to multiply by the number of rounds R to get C. For the ZKd scheme, we have M = M + n d 2 / d 2!. Then C = 3 M R. 8 The particular case of Brent equations In this section, we introduce the Brent equations. Suppose we want to multiply two N N matrices. The naive method will use N 2 multiplications. In fact for N = 2, Strassen s algorithm [6] requires 7 multiplications instead of 8 multiplications and Laderman showed that when N = 3 it is possible to use 23 multiplications instead of 3 3 = 27 [6]. For N = 2, 7 is the least number we can obtain. For N = 3, it is not known if 23 is the least number in the non-commutative case. In [], it is shown that obtaining the product of two matrices N N can be done using s multiplications is equivalent to solve the following system of cubic s equations: γ ijk α abk β cdk = δ bc δ ia δ jd a, b, c, d, i, j {, 2,..., n} k= Here we have n = 3sN 2, m = N 6. If we use formula, we obtain that the number of multiplications is 22 s N 6 if we use the ZK3 scheme. It is also interesting to design an authentication public key cryptographic scheme as close as possible to Brent equations. In order to do this, we choose a system similar to Brent equations but for which we know a particular solution. It is possible to proceed as follows:. We consider the finite field Z/2Z 2. We take the Brent equations with s = 22 in order obtain an open problem in the non-commutative case 3. We pick randomly variables α, β, γ in Z/2Z 4. We deduce the corresponding constants 5. We then use either ZK3 or ZK3 to have a zero-knowledge protocol.
15 9 Morphisms of polynomials and systems of cubic equations 9. The MP Problem The IP problem Isomorphism of Polynomials has been used to construct pubic key schemes cf [9]. On one hand, this is not a NP-complete problem since it admits an Arthur-Merlin game when the answer is yes and when the answer is no. On the other hand, the MP problem morphisms of polynomials where matrices are not supposed to be invertible is proved to be NP-complete [3, ] and thus is much more difficult. So it is interesting to design a public key authentication scheme based on MP. We explain briefly below how it is possible to construct such a scheme by transforming MP very efficiently into a system of equations of degree 3 and then applying our ZK3 or ZK3 protocols. 9.2 From MP to polynomials of degree 3 We consider the two following systems: A c k = B z t = i n, j n i p, j p γ k ija i a j + α t ijx i x j + We want to find 2 matrices M = m rs r v s u M c. c u = z. z v n µ k i a i, k u i= p βix t i, i= and H For all t, t v, on one hand, we have: u n z t = m ts γija s i a j + µ s i a i z t = z t = s= i n j n u m ts s= p i n j n p [ u γ s ij f= b= s= i n j n i= t v and H = h df d n f p x. x p p p n h if x f h jb x b + f= other hand, we have: z t = b= γ s ijm ts h if h jb ]x f x b + i p j p α t ijx i x j + f= i= = µ s i a. a n p h if x f f= s= i= such that p [ u n µ s i m ts h if ]x f. On the p βix t i. This gives t t i=
16 v, f, f p, b, b p, α t fb + β t f = u s= i= u s= i n j n γ s ijm ts h if h jb + n µ s i m ts h if. Thus we obtain vp 2 cubic equations and np + vu unknowns. Conclusion In [2], a very efficient zero-knowledge proof based on the MQ problem multivariate quadratic polynomials is given. In this paper we proved that this construction can be generalized to polynomials of degree d for any d 3. We studied several constructions and we presented here the two most efficient ones denoted by ZKd and ZKd. ZKd is quasi optimal in term of communication bits and ZKd is quasi optimal in term of number of computations. This result is true for dense or sparse systems. We also presented two important specific problems Brent equations and morphisms of polynomials that can be transformed into efficient public key schemes using ZKd and ZKd. References. Gregory V. Bard. New Practical Strassen-like Approximate Matrixmultiplication Algorithms found via solving a system of cubic equations Come Berbain, Henri Gilbert, and Jacques Patarin. QUAD: A Practical Cipher with Provable Security. In Serge Vaudenay, editor, Advances in Cryptology EUROCRYPT 26, volume 444 of Lecture Notes in Computer Science, pages Springer-Verlag, Michael R. Garey and David S. Johnson. Computers and Intractability; A Guide to the Theory of NP-Completness. W.H. Freeman and Co, Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their validity or all languages in np have zero-knowledge proof systems. J. ACM, 38:69 728, July Shai Halevi and Silvio Micali. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. In Neal Koblitz, editor, Advances in Cryptology CRYPTO 996, volume 9 of Lecture Notes in Computer Science, pages Springer-Verlag, J.Laderman. A noncomuutative algorithm for multiplying 3 x3 matrices using 23 multiplication. Bulletin of the American Mathematical Society, 82:26 28, Aviad Kipnis, Jacques Patarin, and Louis Goubin. Unbalanced Oil and Vinegar Signature Schemes. In Jacques Stern, editor, Advances in Cryptology EURO- CRYPT 999, volume 492 of Lecture Notes in Computer Science, pages Springer-Verlag, Tsutomu Matsumo and Hideki Imai. Public Quadratic polynomial-tuples for Efficient Signature-Verification and Message-Encryption. In C.G. Gunther, editor, Advances in Cryptology EUROCRYPT 988, volume 33 of Lecture Notes in Computer Science, pages Springer-Verlag, 988.
17 9. Jacques Patarin. Hidden Fields Equations HFE and Isomorphims of Polynomials IP: Two New Families of Asymmetric Algorithms. In Ueli Maurer, editor, Advances in Cryptology EUROCRYPT 996, volume 7 of Lecture Notes in Computer Science, pages Springer-Verlag, Jacques Patarin and Louis Goubin. Trapdoor one-way permutations and multivariate polynomials. In Yongfei Han, Tatsuaki Okamoto, and Sihan Qing, editors, ICICS, volume 334 of LNCS, pages Springer, David Poincheval. A New Identification Scheme based on the Perceptrons Problem. In Alfredo de Santis, editor, Advances in Cryptology EUROCRYPT 995, volume 95 of Lecture Notes in Computer Science, pages Springer-Verlag, Koichi Sakumuto, Taizo Shirai, and Harunaga Hiwatari. Public-Key Identification Schemes based on Multivariate Quadratic Polynomials. In Philip Rogaway, editor, Advances in Cryptology CRYPTO 2, volume 684 of Lecture Notes in Computer Science, pages Springer-Verlag, Adi Shamir. An Efficient Identification Scheme Based on Permuted Kernels Extended Abstract. In Gilles Brassard, editor, Advances in Cryptology CRYPTO 989, volume 435 of LNCS, pages Springer-Verlag, Jacques Stern. A New Identification Scheme based on Syndrome Decoding. In Douglas R. Stinson, editor, Advances in Cryptology CRYPTO 993, volume 773 of Lecture Notes in Computer Science, pages 3 2. Springer, Jacques Stern. Designing Identification Schemes with Keys of Short Size. In Yvo G. Desmedt, editor, Advances in Cryptology CRYPTO 994, volume 839 of Lecture Notes in Computer Science, pages Springer, Volker Strassen. Gaussion Elimination is not optimal. Numerische Mathematik, 33: , 969. A 5-pass scheme for ZK3 In this appendix, we give sketches of proof for the 5-passes scheme.. The Prover picks up at random r, r, t F n q and e, f, h F m q. Then she computes r 2 = s r r. The Prover sends to the Verifier c = Comr, r 2, Gt, r, r 2 e + f + h c = Comr, t, e, f c 2 = Comr, t, e, f c 3 = Comr 2, t, e, h c 4 = Comr 2, t, e, h 2. The verifier picks α R F q and sends α to the prover. 3. The prover computes: t, e f, h = αr t, αf r e, αf r + r f, αf r + r 2 h and sends t, e f, h to the verifier. 4. The verifier picks Q R {,, 2} and sends Q to the prover. 5. a If Q =, then the prover sends r, r. The verifier checks if c = Comr, r, αr t, αf r e, αf r + r f.
18 b If Q =, then the prover sends r, r 2. The verifier checks if c = Comr, r 2, αr t, αf r e, αf r + r 2 h. c If Q = 2, then the prover sends r, r 2. The verifier checks if c 2 = Comr, r 2, αv F r +r 2 +F r +F r 2 Gt, r, r 2 f h +e. As for the 3-pass scheme, we have perfect correctness and the following resultsproofs are sketched in Appendix A: Theorem 7 The 5-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Proof sketch. Let S be a simulator which takes F and v without knowing s, and interacts with a cheating verifier CV. We show that the simulator can impersonate the honest prover with probability 2/3. The simulator randomly chooses a value Ch R {,, 2} and vectors s, r, r, t R F n q and e, f, h R F m q, where Ch is a prediction what value the cheating verifier CV will not choose. Then it computes r 2 s r + r c Comr, r, t, e, f c Comr, r 2, t, e, h c 2 Comr, r 2, Gt, r, r 2 + f + h e and sends c, c, c 2 to CV. Then receiving a challenge α from CV, it computes: t = αr t e = αf r e Now if Ch = it sets f = αv F s +F r +r f, else f = αf r +r f if Ch = it sets h = αv F s +F r +r 2 h, else f = αf r +r 2 h Then it sends t, e f, h to CV Due to the statistically hiding property of Com, a challenge Ch from CV is different from Ch with probability 2/3. If Ch Ch, then r, r, r, r 2, and r, r 2 are accepted responses to Ch =, and 2 respectively. Theorem 8 The 5-pass protocol is proof of zero knowledge with zero knowledge error 2/3+/3q when the commitment scheme Com is computationnaly binding., h i, Ch j, Rsp i,j be six tran- Proof sketch. Let c, c, c 2, α i, t i, ẽi i, f scripts for i {, } and j {,, 2} such that DecF, v, c, c, c 2, α i, t i, ẽi, f i, h i, Ch j, Rsp i,j p =, α α, and Ch j = j. Then, by using the six transcripts, we show that we are able either to break the binding property of Com or extract a solution for v. Consider the situation where the responses are parsed as Rsp, = r, r
19 Then we have: Rsp, = r, r 2 Rsp,2 = r, r 2 Rsp, = r, r Rsp, = r, r 2 Rsp,2 = r, r 2 c = Com r, r, α r t, α F r ẽ, α F r = Com r, r, α r t, α F r ẽ, α F r + r + r f f 6 c = Com r, r 2, α r t, α F r ẽ, α F r = Com r, r 2, α r t, α F r ẽ, α F r + r 2 + r 2 h h 7 c 2 = Com r, r 2, α v F r + r 2 + F r f h + ẽ = Com r, r 2, α v F r + r 2 + F r + F r 2 + F r 2 f h + ẽ 8 G t, r, r 2 G t, r, r 2 If two tuples of the arguments of Com are are distinct on either of the above equations, the binding property of Com is broken. Otherwise, 6 gives: r = r, r = r This implies: α α r = t + t α α F r = ẽ + ẽ α α F r + r = f + f If we use 7, we obtain two more equations: Now 8 gives r 2 = r 2 and α α F r α v F r + r 2 + F r = α v F r + r 2 + F r + F r 2 + F r 2 + r 2 G t, r = h + h, r 2 G t, r, r 2 f h + ẽ f h + ẽ
20 This implies that [ α α v = α α F r + r 2 F r F r 2 + G r, r, r Thus we obtain v = F r + r for v is extracted. ] +F r + r + F r + r 2 F r + r 2 2. This means that a solution r + r + r 2 B Proofs for the ZKd Scheme Theorem 9 The 3-pass protocol is statistically zero knowledge when the commitment scheme Com is statistically hiding. Proof sketch. Let S be a simulator which takes F and v without knowing s, and interacts with a cheating verifier CV. We show that the simulator can impersonate the honest prover with probability d d+. The simulator randomly chooses a value Ch R {,,..., d} and vectors s, r, r,..., r d 2, t R F n q, f R F m q, and p, p d 2, i,... i p, i < i 2 <... i p d, f...i p, R F m q, where Ch is a prediction what value the cheating verifier CV will not choose. Then it computes d 2 r d s Moreover it sets: i= t r t f F r f p, p d 2, i,... i p, i < i 2 <... i p d, f i...i p F r + r i r i p f i...i p. If Ch =, c = v Gt, r,..., r d d 2 p= d p i f i...i p <...<i p d d f d i= d i S {,...,d } F j S r j, S =i else c = Gt, r,..., r d + d 2 p= d p i f i...i p <...<i p d + d f 2. If Ch = i, i d, f 2...i i+...d = v F s + F r + r r i + r i r d f 2...i i+...d, else f 2...i i+...d = F r + r r i + r i r d f 2...i i+...d, r i
21 It also computes: i, i d c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i...i p c 2i Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j i j i, f i...i p and sends c, c, c 2,..., c 2d 2 to tcv. Due to the statistically hiding property of Com, a challenge Ch from CV is different from Ch with probability d d+. If Ch Ch, then r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f i...ip, and i, i d, r, r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j i j i, f i...ip are accepted responses to Ch =,,... d. Theorem The 3-pass protocol is proof of zero knowledge with zero knowledge error when the commitment scheme Com is computationnaly binding. d d+ Proof sketch. Let i, i d, let c, c, c 2,..., c 2d 2, Ch i, Rsp i be d + transcripts such that Ch i = i and DecF, v; c, c, c 2,..., c 2d 2, Ch i, Rsp i = for i {,, 2,..., d}. Then, by using the four transcripts, we show that we are able either to break the binding property of Com or extract a solution for v. Consider the situation where the responses are parsed as Rsp = r, r 2,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d, f,i...i p i, i d, Rsp i = r i, ri,..., ri i, ri i+,..., ri d, t i, f i, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i,i...i p Rsp d = r d, rd 2,..., rd d, t d, f, p, p d 2, i,... i p, i < i 2 <... i p d, f d,i...i p
22 We obtain: d 2 c = Com r d,..., rd d d, v G t, rd,..., rd d d p d f d + i <...<i p d d d i i= f d,i...ip S {,...,d } S =i F j S p= r d j d 2 = Com r,..., r d, G t, r,..., r d + d p i <...<i p d p= f,i...ip + d f i, i d, c 2i = Com r i,..., ri i, ri i+,..., ri d, ri t i, F ri i f, p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, F r i + r i i r i i,i...ip i p f = Com r,..., r i, r i+,..., r d, t, f, p, p d 2, i,... i p, i < i 2 <... i p d,,i such that j, i j i, f...i p c 2i = Com r i,..., ri i, ri i+,..., ri d, t i i, f, p, p d 2, i,... i p, i < i 2 <... i p d, i,i such that j, i j i, f...i p = Com r d,..., rd i, rd i+,..., rd d, t d d, f, p, p d 2, i,... i p, i < i 2 <... i p d, d,i such that j, i j i, f...i p If two tuples of the arguments of Com are are distinct on either of the above equations, the binding property of Com is broken. Otherwise the conditions on c give: r = r d,..., r d = rd d
23 d 2 v = G t + t d, rd,..., rd d + d p i <...<i p d + d d f + f The conditions on c 2i give:,i...ip f + d d i i= p= f d,i...ip S {,...,d } S =i F j S r d j r i = r,..., ri i = r i, ri i+ = r i+,... ri d = r d t i = t f i = f p, p d 2, i,... i p, i < i 2 <... i p d, The conditions on c 2i give: such that j, i j i, f i,i...i p = f,i...ip We obtain: r i = r d,..., ri i = rd i, ri i+ = rd i+,... ri d = rd d t i = t d f i = f d p, p d 2, i,... i p, i < i 2 <... i p d, such that j, i j i, f i,i...i p = t + t d = t + t = r F r = f + f = i, i d, F r + r d i = F r + r i = More generally f d,i...ip d f + f,i,i f + f = F r + r d i r d i p = F r + r i r i p =,i d,i f + f Finally, we obtain f,i...ip,i...ip + f =,i...ip d,i...ip f + f v = F r + r d r d d This means that a solution r + r d r d d for v is extracted.
Zero Knowledge with Rubik s Cubes and Non-Abelian Groups
Zero Knowledge with Rubik s Cubes and Non-Abelian Groups Emmanuel Volte 1, Jacques Patarin 2, and Valérie Nachef 1 1 Department of Mathematics, University of Cergy-Pontoise, CNRS UMR 8088 2 avenue Adolphe
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationPublic-Key Identification Schemes Based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari Sony Corporation 5-1-12 Kitashinagawa Shinagawa-ku, Tokyo 141-0001, Japan
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationPublic-Key Identification Schemes Based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari Sony Corporation 5-1-12 Kitashinagawa Shinagawa-ku, Tokyo 141-0001, Japan
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationA New Identification Scheme Based on the Perceptrons Problem
Advances in Cryptology Proceedings of EUROCRYPT 95 (may 21 25, 1995, Saint-Malo, France) L.C. Guillou and J.-J. Quisquater, Eds. Springer-Verlag, LNCS 921, pages 319 328. A New Identification Scheme Based
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1, Alon Rosen 2, and Ronen Shaltiel 3 1 Microsoft Research, New England Campus. iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationDesigning Identification Schemes with Keys of Short Size *.
Designing Identification Schemes with Keys of Short Size *. Jacques Stern Laboratoire d hformatique, kcole Normale SupCrieure Abstract. In the last few years, therc have been several attempts to build
More informationA new zero-knowledge code based identification scheme with reduced communication
A new zero-knowledge code based identification scheme with reduced communication Carlos Aguilar, Philippe Gaborit, Julien Schrek Université de Limoges, France. {carlos.aguilar,philippe.gaborit,julien.schrek}@xlim.fr
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationCryptanalysis of the Oil & Vinegar Signature Scheme
Cryptanalysis of the Oil & Vinegar Signature Scheme Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Dept. of Applied Math, Weizmann Institute, Israel Abstract. Several multivariate algebraic
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationCryptanalysis of Simple Matrix Scheme for Encryption
Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationAbstract. Often the core diculty in designing zero-knowledge protocols arises from having to
Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present constant-round
More informationEfficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank
Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank Nicolas T. Courtois 1,2,3 1 CP8 Crypto Team, SchlumbergerSema, BP 45 36-38 rue de la Princesse, 78430Louveciennes Cedex,
More informationMQ -IP: An Identity-based Identification Scheme without Number-theoretic Assumptions 1
MQ -IP: An Identity-based Identification Scheme without Number-theoretic Assumptions 1 Christopher Wolf and Bart Preneel Christopher.Wolf@ruhr-uni-bochum.de or chris@christopher-wolf.de, Horst Görtz Institut
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationTransfinite Cryptography
Transfinite Cryptography Jacques Patarin Université de Versailles 45 avenue des Etats-Unis, 78035 Versailles Cedex, France jacques.patarin@prism.uvsq.fr Abstract. Let assume that Alice, Bob, and Charlie,
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationNotes for Lecture 27
U.C. Berkeley CS276: Cryptography Handout N27 Luca Trevisan April 30, 2009 Notes for Lecture 27 Scribed by Madhur Tulsiani, posted May 16, 2009 Summary In this lecture we begin the construction and analysis
More informationA Fast Provably Secure Cryptographic Hash Function
A Fast Provably Secure Cryptographic Hash Function Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier Projet Codes, INRIA Rocquencourt BP 15, 78153 Le Chesnay - Cedex, France [DanielAugot,MatthieuFiniasz,NicolasSendrier]@inriafr
More informationAn Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1,,AlonRosen 2,, and Ronen Shaltiel 3, 1 Microsoft Research, New England Campus iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationSecurity Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Ecole Normale Superieure Laboratoire d'informatique 45, rue d'ulm 75230 Paris Cedex 05
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationIII. Authentication - identification protocols
III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationA Practical Multivariate Blind Signature Scheme
A Practical Multivariate Blind Signature Scheme Albrecht Petzoldt 1, Alan Szepieniec 2, Mohamed Saied Emam Mohamed 3 albrecht.petzoldt@nist.gov, alan.szepieniec@esat.kuleuven.be, mohamed@cdc.informatik.tu-darmstadt.de
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationOn the (In)security of the Fiat-Shamir Paradigm
On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationImpossibility and Feasibility Results for Zero Knowledge with Public Keys
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen 1, Giuseppe Persiano 2, and Ivan Visconti 2 1 Technical University of Vienna A-1010 Vienna, Austria. e9926980@stud3.tuwien.ac.at
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe 30 June 2016 1 / 31 Our take on PQ-Crypto Prepare for actual use Reliable
More informationHow to Go Beyond the Black-Box Simulation Barrier
How to Go Beyond the Black-Box Simulation Barrier Boaz Barak December 30, 2008 Abstract The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationThe Polynomial Composition Problem in (Z/nZ)[X]
The Polynomial Composition Problem in (Z/nZ)[X] Marc Joye 1, David Naccache 2, and Stéphanie Porte 1 1 Gemplus Card International Avenue du Jujubier, ZI Athélia IV, 13705 La Ciotat Cedex, France {marc.joye,
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationA Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System
A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System Zhengjun Cao 1, Lihua Liu 2, Abstract. In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK
More informationZero-knowledge Identification based on Lattices with Low Communication Costs
Zero-knowledge Identification based on Lattices with Low Communication Costs Rosemberg Silva 1, Pierre-Louis Cayrel 2, Richard Lindner 3 1 State University of Campinas (UNICAMP) Institute of Computing
More informationRound-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations
Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations Carmit Hazay 1 and Muthuramakrishnan Venkitasubramaniam 2 1 Bar-Ilan University 2 University of Rochester Abstract. In this
More informationPractical and Provably-Secure Commitment Schemes from Collision-Free Hashing
Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing Shai Halevi Silvio Micali MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139 Abstract. We present
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationA short proof of the unpredictability of cipher block chaining
A short proof of the unpredictability of cipher block chaining Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (M/C 249) The University of Illinois at Chicago Chicago, IL
More informationZero-Knowledge Proofs 1
Zero-Knowledge Proofs 1 CS 702 SEMINAR Theme : Cryptography Instructor : Prof. C. Pandu Rangan ZERO-KNOWLEDGE PROOFS G. Venkatesan CS 93133 Dept. of C.S & E I.I.T Madras Zero-Knowledge Proofs 2 Outline
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationHonest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs
Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs van Damgård Oded Goldreich y Tatsuaki Okamoto z Avi Wigderson x September 12, 1995 Abstract This paper presents two transformations
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationOn Constant-Round Concurrent Zero-Knowledge
On Constant-Round Concurrent Zero-Knowledge Rafael Pass and Muthuramakrishnan Venkitasubramaniam Cornell University, {rafael,vmuthu}@cs.cornell.edu Abstract. Loosely speaking, an interactive proof is said
More informationFast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract
Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More information