Homework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 2015
Instructor: Prof. Wen-Guey Tzeng
Homework 3 Solutions, 7-Dec-2015
Scribe: Amir Rezapour

1. Consider an unfair coin with head probability $0.51$. Assume that the coin is tossed $1000$ times independently.

(a) Compute exactly the probability that at least two thirds of the tosses are heads.

$$\Pr[X \ge 667] = \sum_{i=667}^{1000} \binom{1000}{i}\, 0.51^{i}\, 0.49^{1000-i}.$$

(b) Use Chebyshev's inequality to estimate the probability that at least two thirds of the tosses are heads.

Let $S_i$ be the indicator random variable of the event that the $i$-th toss is a head. We have $E(S_i) = 0.51$ and $V(S_i) = 0.51 \cdot 0.49 = 0.2499$. Let $S = \sum_{i=1}^{1000} S_i$. We have $E(S) = np = 510$ and $V(S) = np(1-p) = 249.9$. By Chebyshev's inequality, we have

$$\Pr[S \ge 667] \le \Pr[|S - 510| \ge 157] \le \frac{V(S)}{157^2} = \frac{249.9}{157^2} \approx 0.0101.$$

(c) Use Hoeffding's inequality to estimate the probability that at least two thirds of the tosses are heads.

By Hoeffding's inequality, we have

$$\Pr[S \ge 667] = \Pr[S \ge (0.51 + 0.157)\cdot 1000] \le e^{-2 \cdot 0.157^2 \cdot 1000} = e^{-49.298} \approx 3.9 \times 10^{-22}.$$

2. This problem is about proof of knowledge of $x$ given $(n, y)$, where $n = pq$ is a Blum integer, $\gcd(e, \varphi(n)) = 1$, and $y = x^e \bmod n$.
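The three estimates of Problem 1 worked numerically, as an added example that is not part of the original solutions; it uses the problem's own parameters ($n = 1000$, $p = 0.51$, threshold $667$) and exact integer arithmetic for part (a), so the exact tail can be compared against both bounds.

```python
"""Problem 1: exact binomial tail versus the Chebyshev and Hoeffding bounds.

Added example (not from the original solutions). S is the number of heads in
n = 1000 independent tosses with head probability 0.51; the event of interest
is S >= 667 (at least two thirds heads).
"""
import math
from fractions import Fraction


def exact_tail(n, p_num, p_den, k):
    """Pr[S >= k] for S ~ Binomial(n, p_num/p_den), computed exactly as a ratio of
    integers and returned as a float (Problem 1(a))."""
    q_num = p_den - p_num
    numerator = sum(
        math.comb(n, i) * p_num ** i * q_num ** (n - i) for i in range(k, n + 1)
    )
    return float(Fraction(numerator, p_den ** n))


def chebyshev_bound(n, p, k):
    """Chebyshev: Pr[|S - np| >= a] <= Var(S) / a^2 with a = k - np (Problem 1(b)).
    Here Var(S) = np(1-p) = 249.9 and a = 157."""
    mean = n * p
    var = n * p * (1 - p)
    a = k - mean
    return var / a ** 2


def hoeffding_bound(n, p, k):
    """Hoeffding for a sum of n independent {0,1} variables:
    Pr[S - np >= t*n] <= exp(-2 t^2 n) with t = (k - np)/n = 0.157 (Problem 1(c))."""
    t = (k - n * p) / n
    return math.exp(-2 * t * t * n)


if __name__ == "__main__":
    n, k = 1000, 667
    print("exact tail      :", exact_tail(n, 51, 100, k))
    print("Chebyshev bound :", chebyshev_bound(n, 0.51, k))
    print("Hoeffding bound :", hoeffding_bound(n, 0.51, k))
```

Both bounds are valid upper estimates of the exact tail; Hoeffding's is tighter by about twenty orders of magnitude because it exploits the bounded range of each toss, not just its variance.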
(a) Give a (basic) zero-knowledge proof system for it. You need to show its completeness, soundness and zero-knowledge formally.

Let P be the prover and V be the verifier. The basic zero-knowledge proof system is as follows.

i. Commitment, P → V: $A = r^e \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
ii. Challenge, V → P: $h \in_R \mathbb{Z}_2$.
iii. Response, P → V: $B = x^h r \bmod n$.

V accepts P if and only if $B^e \equiv y^h A \pmod n$.

Correctness of the zero-knowledge proof system is as follows.

Completeness. If P knows $x$ with $y = x^e \bmod n$, he always convinces V by the protocol.

Soundness. Without knowing $x$, P can convince V by guessing V's challenge with probability $1/2$ as follows.

i. Choose $h' \in_R \mathbb{Z}_2$ and $B' \in_R \mathbb{Z}_n^*$, and compute $A' = B'^e / y^{h'} \bmod n$.
ii. Interact with V: $V(A') = h$.
iii. If $h = h'$, respond $B'$ to convince V.

If P convinces V with probability more than $1/2$, we can extract the knowledge $x = y^{1/e} \bmod n$ by rewinding P to obtain two different accepting transcripts with the same commitment. For two such accepting transcripts $(A, h, B)$ and $(A, h', B')$, we have

$$\begin{cases} B^e \equiv y^{h} A \pmod n \\ B'^e \equiv y^{h'} A \pmod n \end{cases} \;\Rightarrow\; (B/B')^e \equiv y^{h-h'} \pmod n \;\Rightarrow\; y^{1/e} = (B/B')^{1/(h-h')} \bmod n.$$

Since $h - h' = \pm 1$, we can compute $y^{1/e} = (B/B')^{h-h'} \bmod n$. However, extracting the knowledge $x = y^{1/e} \bmod n$ implies solving the RSA problem, which contradicts the RSA assumption. Therefore, P without the knowledge $x = y^{1/e} \bmod n$ cannot convince V with probability more than $1/2$.

Zero-knowledge. Define the accepting transcript function $\mathrm{tr}_{P,V}(x) = \{(A, h, B) \in \mathbb{Z}_n^* \times \mathbb{Z}_2 \times \mathbb{Z}_n^* \mid B^e \equiv y^h A \pmod n\}$. For any accepting transcript $(A, h, B) \in \mathrm{tr}_{P,V}(x)$, we have

$$\Pr[\mathrm{tr}_{P,V}(x) = (A, h, B)] = \Pr[V(A) = h] \cdot \frac{1}{\varphi(n)}.$$

On the other hand, we construct the probabilistic polynomial-time simulator S that simulates the accepting transcript $\mathrm{tr}_{P,V}(x)$ by $\mathrm{tr}_{S,V}(x)$ as follows.

i. Choose $h' \in_R \mathbb{Z}_2$ and $B' \in_R \mathbb{Z}_n^*$, and compute $A' = B'^e / y^{h'} \bmod n$.
ii. Invoke $V(A') = h$.
iii. If $h = h'$, return $(A', h', B')$ as an accepting transcript. Otherwise, repeat from step i.

For any accepting transcript $(A', h', B') \in \mathrm{tr}_{S,V}(x)$, we have

$$\Pr[\mathrm{tr}_{S,V}(x) = (A', h', B')] = \Pr[V(A') = h'] \cdot \frac{1}{2} \cdot \frac{1}{\varphi(n)}.$$

The expected execution time of simulator S is $t_S = 2(t_E + t_V)$, where $t_E$ is the execution time of steps i and iii, and $t_V$ is the execution time of verifier V. S runs in polynomial time and the probability distributions of $\mathrm{tr}_{P,V}(x)$ and $\mathrm{tr}_{S,V}(x)$ are indistinguishable. Therefore, the proof system is zero-knowledge.

(b) How to reduce the cheating probability by the prover?

The cheating probability of P in the basic zero-knowledge proof system is $1/2$. V can reduce it to $1/2^k$ by asking P to prove himself $k$ times sequentially, where $k$ is bounded by a polynomial in the security parameter. Let ZKPoK(P, V) denote the basic zero-knowledge proof system. The enhanced zero-knowledge proof system is as follows.

    for (i = 0; i < k; ++i)
        if (!ZKPoK(P, V)) return false;
    return true;

(c) Give an (efficient) honest-verifier interactive zero-knowledge proof system for it.

Let P be the prover and V be the verifier. The honest-verifier interactive zero-knowledge proof system is as follows.

i. Commitment, P → V: $A = r^e \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
ii. Challenge, V → P: $h \in_R \mathbb{Z}_n^*$.
iii. Response, P → V: $B = x^h r \bmod n$.

V accepts P if and only if $B^e \equiv y^h A \pmod n$.

The challenge $h$ is chosen randomly from $\mathbb{Z}_n^*$, a group of size $\varphi(n)$. Therefore, P guesses $h$ with probability at most $1/\varphi(n)$. An honest verifier V chooses $h \in_R \mathbb{Z}_n^*$ exactly as the protocol prescribes. Therefore, the simulator S can choose $h$ by himself and simulate in polynomial time without changing the probability distribution of accepting transcripts $\mathrm{tr}_{S,V}(x)$.

(d) Design a digital signature scheme based on the above honest-verifier interactive zero-knowledge proof system.

Fiat-Shamir gives a standard method for converting an interactive zero-knowledge proof system into a digital signature scheme. In doing so, we need to eliminate the communication between prover and verifier. We substitute the challenge step by a collision-resistant hash function that is publicly available to both prover and verifier. Let $H: \{0,1\}^* \to \mathbb{Z}_n^*$ be such a secure hash function. The digital signature scheme is as follows.

i. KeyGen($\pi$) = (sk, pk): Choose two safe primes $p$ and $q$ of $\pi$ bits, and compute the RSA modulus $n = pq$. Choose $e \in_R \mathbb{Z}_{\varphi(n)}^*$ and compute $d = e^{-1} \bmod \varphi(n)$. Choose $c \in_R \mathbb{Z}_n^*$ and compute $k = c^d \bmod n$. Then sk $= (n, d, k)$ and pk $= (n, e, c)$.
ii. Sign(sk, $m$) = $(b, h)$: Compute $a = r^e \bmod n$, $h = H(n \,\|\, e \,\|\, c \,\|\, a \,\|\, m)$, and $b = r k^h \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
iii. Verify(pk, $m$, $b$, $h$) $\in \{0, 1\}$: Compute $a = b^e / c^h \bmod n$. The signature $(m, b, h)$ is valid if and only if $h = H(n \,\|\, e \,\|\, c \,\|\, a \,\|\, m)$.

3. Given $(p, g, y, z_1, z_2)$, either $\log_g y = \log_g z_1 \pmod p$ or $\log_g y = \log_g z_2 \pmod p$, but not both.

(a) Assume that P knows $x_1 = \log_g y = \log_g z_1 \pmod p$. Give a zero-knowledge proof $\langle P(x_1), V \rangle$ of this knowledge without revealing which $z_i$ has the same exponent as $y$. Show its completeness, soundness and zero-knowledge.

Let P be the prover and V be the honest verifier. The honest-verifier zero-knowledge proof of knowledge of either $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ is as follows.

i. Commitment, P → V: $A_1 = g^{r} \bmod p$ and $A_2 = g^{B_2} z_2^{-c_2} \bmod p$, where $(r, B_2, c_2) \in_R (\mathbb{Z}_{p-1})^3$.
ii. Challenge, V → P: $c \in_R \mathbb{Z}_{p-1}$.
iii. Response, P → V: $(c_1, B_1) = (c - c_2,\; c_1 x_1 + r) \bmod (p-1)$ and $(c_2, B_2)$, so that $c_1 + c_2 \equiv c \pmod{p-1}$.

V accepts P if and only if $g^{B_1} \equiv z_1^{c_1} A_1 \pmod p$ and $g^{B_2} \equiv z_2^{c_2} A_2 \pmod p$.

Correctness of the above honest-verifier zero-knowledge proof system is as follows.

Completeness. If P knows $x_1 = \log_g z_1 \bmod p$, he always convinces V by the above protocol.

Soundness. Without knowing $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$, P can convince V by guessing V's challenge with probability $1/(p-1)$ as follows.

i. Choose $(c_1, c_2, B_1, B_2) \in_R (\mathbb{Z}_{p-1})^4$ and compute $A_1 = g^{B_1} z_1^{-c_1} \bmod p$ and $A_2 = g^{B_2} z_2^{-c_2} \bmod p$.
ii. Interact with V: $V(A_1, A_2) = c$.
iii. If $c_1 + c_2 = c$, respond $(c_1, c_2, B_1, B_2)$ to convince V.

If P convinces V with probability more than $1/(p-1)$, there exist commitments for which P can convince V on at least two different challenges. For two such accepting transcripts $(A_1, A_2, c, c_1, c_2, B_1, B_2)$ and $(A_1, A_2, c', c_1', c_2', B_1', B_2')$, there is an $i \in \{1, 2\}$ with $c_i \ne c_i'$ (because $c_1 + c_2 \equiv c \not\equiv c' \equiv c_1' + c_2' \pmod{p-1}$). Therefore, we can extract the knowledge $x_i = \log_g z_i \bmod p$ for some $i \in \{1, 2\}$ as follows:

$$\begin{cases} g^{B_i} \equiv z_i^{c_i} A_i \pmod p \\ g^{B_i'} \equiv z_i^{c_i'} A_i \pmod p \end{cases} \;\Rightarrow\; g^{B_i - B_i'} \equiv z_i^{c_i - c_i'} \pmod p \;\Rightarrow\; g^{\frac{B_i - B_i'}{c_i - c_i'}} \equiv z_i \pmod p \;\Rightarrow\; \log_g z_i = \frac{B_i - B_i'}{c_i - c_i'} \bmod (p-1).$$

However, extracting the knowledge $x_i = \log_g z_i \bmod p$ implies solving the discrete logarithm problem, which contradicts the discrete logarithm assumption. Therefore, P without the knowledge $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ cannot convince V with probability more than $1/(p-1)$.

Zero-knowledge. Suppose that V is an honest verifier. Define the accepting transcript function

$$\mathrm{tr}_{P,V}(x_i) = \{(A_1, A_2, c, c_1, c_2, B_1, B_2) \in (\mathbb{Z}_p^*)^2 \times (\mathbb{Z}_{p-1})^5 \mid c_1 + c_2 \equiv c \pmod{p-1},\; g^{B_1} \equiv z_1^{c_1} A_1 \pmod p,\; g^{B_2} \equiv z_2^{c_2} A_2 \pmod p\}.$$

For any accepting transcript $(A_1 \in_R \mathbb{Z}_p^*,\; A_2 = g^{B_2} z_2^{-c_2},\; c \in_R \mathbb{Z}_{p-1},\; c_1 = c - c_2,\; c_2 \in_R \mathbb{Z}_{p-1},\; B_1 = c_1 x_1 + r,\; B_2 \in_R \mathbb{Z}_{p-1}) \in \mathrm{tr}_{P,V}(x_1)$, we have

$$\Pr[\mathrm{tr}_{P,V}(x_1) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$

For any accepting transcript $(A_1 = g^{B_1} z_1^{-c_1},\; A_2 \in_R \mathbb{Z}_p^*,\; c \in_R \mathbb{Z}_{p-1},\; c_1 \in_R \mathbb{Z}_{p-1},\; c_2 = c - c_1,\; B_1 \in_R \mathbb{Z}_{p-1},\; B_2 = c_2 x_2 + r) \in \mathrm{tr}_{P,V}(x_2)$, we have

$$\Pr[\mathrm{tr}_{P,V}(x_2) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$

Therefore, the zero-knowledge proof systems $\langle P(x_1), V \rangle$ and $\langle P(x_2), V \rangle$ have the same distribution of transcripts. We construct the probabilistic polynomial-time simulator S that simulates the accepting transcript $\mathrm{tr}_{P,V}(x_i)$ by $\mathrm{tr}_{S,V}(x_i)$ as follows.

i. Choose $(c_1, c_2, B_1, B_2) \in_R (\mathbb{Z}_{p-1})^4$.
ii. Compute $A_1 = g^{B_1} z_1^{-c_1} \bmod p$, $A_2 = g^{B_2} z_2^{-c_2} \bmod p$, and $c = c_1 + c_2 \bmod (p-1)$.
iii. Return $(A_1, A_2, c, c_1, c_2, B_1, B_2)$ as an accepting transcript.

For any accepting transcript $(A_1, A_2, c, c_1, c_2, B_1, B_2) \in \mathrm{tr}_{S,V}(x_i)$, we have

$$\Pr[\mathrm{tr}_{S,V}(x_i) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$

The expected execution time of simulator S is $t_S \in \mathrm{poly}(k)$, where $k$ is the security parameter. S runs in polynomial time and the probability distributions of $\mathrm{tr}_{P,V}(x_i)$ and $\mathrm{tr}_{S,V}(x_i)$ are indistinguishable. Therefore, the honest-verifier proof system is zero-knowledge.

(b) Assume that P knows $x_2 = \log_g y = \log_g z_2 \pmod p$. Give a zero-knowledge proof $\langle P(x_2), V \rangle$ of this knowledge without revealing which $z_i$ has the same exponent as $y$.

Let P be the prover and V be the honest verifier. The honest-verifier zero-knowledge proof of knowledge of either $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ is as follows.

i. Commitment, P → V: $A_1 = g^{B_1} z_1^{-c_1} \bmod p$ and $A_2 = g^{r} \bmod p$, where $(r, B_1, c_1) \in_R (\mathbb{Z}_{p-1})^3$.
ii. Challenge, V → P: $c \in_R \mathbb{Z}_{p-1}$.
iii. Response, P → V: $(c_1, B_1)$ and $(c_2, B_2) = (c - c_1,\; c_2 x_2 + r) \bmod (p-1)$, so that $c_1 + c_2 \equiv c \pmod{p-1}$.

V accepts P if and only if $g^{B_1} \equiv z_1^{c_1} A_1 \pmod p$ and $g^{B_2} \equiv z_2^{c_2} A_2 \pmod p$.

(c) Show that the distributions of transcripts of $\langle P(x_1), V \rangle$ and $\langle P(x_2), V \rangle$ are identical.

Define the accepting transcript function

$$\mathrm{tr}_{P,V}(x_i) = \{(A_1, A_2, c, c_1, c_2, B_1, B_2) \in (\mathbb{Z}_p^*)^2 \times (\mathbb{Z}_{p-1})^5 \mid c_1 + c_2 \equiv c \pmod{p-1},\; g^{B_1} \equiv z_1^{c_1} A_1 \pmod p,\; g^{B_2} \equiv z_2^{c_2} A_2 \pmod p\}.$$

For any accepting transcript $(A_1 \in_R \mathbb{Z}_p^*,\; A_2 = g^{B_2} z_2^{-c_2},\; c \in_R \mathbb{Z}_{p-1},\; c_1 = c - c_2,\; c_2 \in_R \mathbb{Z}_{p-1},\; B_1 = c_1 x_1 + r,\; B_2 \in_R \mathbb{Z}_{p-1}) \in \mathrm{tr}_{P,V}(x_1)$, we have

$$\Pr[\mathrm{tr}_{P,V}(x_1) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$

For any accepting transcript $(A_1 = g^{B_1} z_1^{-c_1},\; A_2 \in_R \mathbb{Z}_p^*,\; c \in_R \mathbb{Z}_{p-1},\; c_1 \in_R \mathbb{Z}_{p-1},\; c_2 = c - c_1,\; B_1 \in_R \mathbb{Z}_{p-1},\; B_2 = c_2 x_2 + r) \in \mathrm{tr}_{P,V}(x_2)$, we have

$$\Pr[\mathrm{tr}_{P,V}(x_2) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$

Therefore, the zero-knowledge proof systems $\langle P(x_1), V \rangle$ and $\langle P(x_2), V \rangle$ have the same distribution of transcripts.
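Problem 2 in code, as an added example that is not part of the original solutions: the $e$-th-root proof of knowledge of 2(a) and 2(c) with the cheating prover from the soundness argument, and the Fiat-Shamir signature of 2(d). The toy primes, the SHA-256 instantiation of $H$ and its reduction into $\mathbb{Z}_n$ rather than $\mathbb{Z}_n^*$ are assumptions of this example.

```python
"""Problem 2: proof of knowledge of x with y = x^e (mod n), and its Fiat-Shamir
signature. Added example, not from the original solutions; the primes below are
constructed toy values and far too small for real use."""
import hashlib
import math
import secrets

# Constructed toy Blum integer n = p*q with p = q = 3 (mod 4); e = 65537 is
# coprime to phi(n) = 4 * 3 * 5 * 43 * 509.
P, Q = 1019, 1291
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
assert math.gcd(E, PHI) == 1


def rand_unit(n):
    """Uniform element of Z_n^* by rejection sampling."""
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            return r


# ---- interactive proof of knowledge, Problem 2(a)/(c) ----
def prover_commit(n, e):
    r = rand_unit(n)
    return r, pow(r, e, n)                            # step i:   A = r^e mod n


def prover_respond(n, x, r, h):
    return pow(x, h, n) * r % n                       # step iii: B = x^h * r mod n


def verify_transcript(n, e, y, A, h, B):
    return pow(B, e, n) == pow(y, h, n) * A % n       # accept iff B^e == y^h * A


def run_proof(n, e, x, y, binary_challenge):
    """One run with an honest verifier: h from Z_2 (2a) or from Z_n^* (2c)."""
    r, A = prover_commit(n, e)
    h = secrets.randbelow(2) if binary_challenge else rand_unit(n)   # step ii
    B = prover_respond(n, x, r, h)
    return verify_transcript(n, e, y, A, h, B)


def cheating_prover_success(n, e, y, trials):
    """Soundness of 2(a): a prover without x guesses h', picks B' and sets
    A' = B'^e / y^{h'}; it wins exactly when the verifier's h equals h'."""
    wins = 0
    for _ in range(trials):
        h_guess, B = secrets.randbelow(2), rand_unit(n)
        A = pow(B, e, n) * pow(pow(y, h_guess, n), -1, n) % n
        wins += verify_transcript(n, e, y, A, secrets.randbelow(2), B)
    return wins / trials


# ---- Fiat-Shamir signature built from the 2(c) protocol, Problem 2(d) ----
def fs_hash(n, e, c, a, m):
    """H(n || e || c || a || m) reduced into Z_n (assumption of this example: the
    page's H maps into Z_n^*, but any integer exponent verifies correctly)."""
    data = f"{n}|{e}|{c}|{a}|".encode() + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    c = rand_unit(n)
    k = pow(c, d, n)                                   # k = c^d, so k^e = c
    return (n, d, k), (n, e, c)                        # (sk, pk)


def sign(sk, pk, m):
    n, _, k = sk
    _, e, c = pk
    r = rand_unit(n)
    a = pow(r, e, n)                                   # commitment a = r^e
    h = fs_hash(n, e, c, a, m)                         # the hash replaces V's challenge
    b = r * pow(k, h, n) % n                           # response b = r * k^h
    return b, h


def verify(pk, m, sig):
    n, e, c = pk
    b, h = sig
    a = pow(b, e, n) * pow(pow(c, h, n), -1, n) % n    # recover a = b^e / c^h
    return h == fs_hash(n, e, c, a, m)


def signature_demo(m):
    """Sign m; return (valid on m, valid on a tampered message) = (True, False)."""
    sk, pk = keygen(P, Q, E)
    sig = sign(sk, pk, m)
    return verify(pk, m, sig), verify(pk, m + b"!", sig)
```

Over many runs `cheating_prover_success` settles near $1/2$, which is exactly the cheating probability that 2(b) drives down to $1/2^k$ by sequential repetition.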
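The OR-proof of Problem 3 written once for both witnesses (3(a) with $x_1$, 3(b) with $x_2$), together with the simulator S from the zero-knowledge argument, as an added example that is not part of the original solutions; the toy prime $p = 1019$, $g = 2$ and the two exponents are constructed values, and the verifier draws its challenge honestly as the honest-verifier proof assumes.

```python
"""Problem 3: honest-verifier proof of knowledge of log_g z1 OR log_g z2.
Added example, not from the original solutions. Exponents live in Z_{p-1};
indices 1 and 2 are used directly, so index 0 of each list is a placeholder."""
import secrets

P = 1019   # constructed toy prime
G = 2


def commit(p, g, z, known, x):
    """Step i. Real branch `known`: A = g^r. Simulated branch: pick (B, c) first
    and set A = g^B * z^{-c}, which will verify for that c whatever V asks."""
    sim = 3 - known
    r = secrets.randbelow(p - 1)
    B_sim, c_sim = secrets.randbelow(p - 1), secrets.randbelow(p - 1)
    A = [None, None, None]
    A[known] = pow(g, r, p)
    A[sim] = pow(g, B_sim, p) * pow(pow(z[sim], c_sim, p), -1, p) % p
    state = {"r": r, "B_sim": B_sim, "c_sim": c_sim, "known": known, "x": x}
    return (A[1], A[2]), state


def respond(p, c, state):
    """Step iii. Split c as c_known = c - c_sim (mod p-1), then answer the real
    branch with B_known = c_known * x + r (mod p-1)."""
    known, sim = state["known"], 3 - state["known"]
    cs, B = [None, None, None], [None, None, None]
    cs[sim], B[sim] = state["c_sim"], state["B_sim"]
    cs[known] = (c - state["c_sim"]) % (p - 1)
    B[known] = (cs[known] * state["x"] + state["r"]) % (p - 1)
    return (cs[1], cs[2], B[1], B[2])


def verify(p, g, z, A, c, resp):
    """V accepts iff c1 + c2 = c and g^{B_i} = z_i^{c_i} A_i for both i."""
    c1, c2, B1, B2 = resp
    A1, A2 = A
    return ((c1 + c2) % (p - 1) == c % (p - 1)
            and pow(g, B1, p) == pow(z[1], c1, p) * A1 % p
            and pow(g, B2, p) == pow(z[2], c2, p) * A2 % p)


def run(p, g, z, known, x):
    """One honest-verifier execution; returns (accepted, transcript)."""
    A, state = commit(p, g, z, known, x)
    c = secrets.randbelow(p - 1)                  # step ii, honest challenge
    resp = respond(p, c, state)
    return verify(p, g, z, A, c, resp), (A, c, resp)


def simulate(p, g, z):
    """Simulator S of 3(a): no witness at all, yet an accepting transcript with
    the same 1/(p-1)^4 distribution as either real prover."""
    c1, c2, B1, B2 = (secrets.randbelow(p - 1) for _ in range(4))
    A1 = pow(g, B1, p) * pow(pow(z[1], c1, p), -1, p) % p
    A2 = pow(g, B2, p) * pow(pow(z[2], c2, p), -1, p) % p
    return (A1, A2), (c1 + c2) % (p - 1), (c1, c2, B1, B2)


def demo():
    """Returns (3(a) accepts, 3(b) accepts, simulated transcript accepts,
    tampered transcript accepts); the last must be False since g != 1."""
    x1, x2 = 123, 456                             # constructed witnesses
    z = (None, pow(G, x1, P), pow(G, x2, P))      # z_1 = g^{x1}, z_2 = g^{x2}
    ok1, _ = run(P, G, z, 1, x1)
    ok2, _ = run(P, G, z, 2, x2)
    A, c, resp = simulate(P, G, z)
    c1, c2, B1, B2 = resp
    tampered = verify(P, G, z, A, c, (c1, c2, B1 + 1, B2))
    return ok1, ok2, verify(P, G, z, A, c, resp), tampered
```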
4. We consider the multi-authority secure electronic voting scheme without a trusted center, discussed in class. How does the authority $A_i$ assure $A_j$ that the sent share $s_{i,j} = f_i(x_j)$ is indeed consistent with all other shares sent to the other authorities?

Let $p = kq + 1$ be a large prime, where $q$ is also a large prime, and let $G_q = \langle g \rangle$ be a cyclic multiplicative group of order $q$. Suppose that $(A_1, A_2, \ldots, A_n)$ are the $n$ authorities and any $t$-out-of-$n$ authorities can tally votes. Each authority $A_i$ selects $x_i$ and a $(t-1)$-degree polynomial $f_i(x) = \sum_{k=0}^{t-1} b_{i,k} x^k$ with $f_i(0) = x_i$, and publishes $h_i = g^{x_i}$ and $B_{i,k} = g^{b_{i,k}}$ for $0 \le k \le t-1$. Then the public key is $h = \prod_{i=1}^{t} h_i$ and the secret key is $x = \sum_{i=1}^{t} x_i = \sum_{i=1}^{t} f_i(0) = f(0)$, where $f(x) = \sum_{i=1}^{t} f_i(x)$. Each $A_i$ sends $s_{i,j} = f_i(j)$ to $A_j$ via a secure channel. Each $A_j$ checks whether

$$g^{s_{i,j}} \equiv \prod_{k=0}^{t-1} (B_{i,k})^{j^k} \pmod p$$

and computes its share $s_j = \sum_{i=1}^{t} s_{i,j} = \sum_{i=1}^{t} f_i(j) = f(j)$.
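The share check of Problem 4, as an added example that is not part of the original solutions; the constructed parameters are $q = 1019$, $p = 2q + 1$ and $g$ of order $q$. Beyond the single check in the text, the example also sums several authorities' shares to show that the same identity, multiplied over all dealers, verifies the combined share $s_j$.

```python
"""Problem 4: verifying dealt shares against the published g^{b_{i,k}}.
Added example, not from the original solutions; p, q and g are toy values."""
import secrets

Q = 1019                        # constructed toy prime q
P = 2 * Q + 1                   # 2039 is prime, so p = kq + 1 with k = 2
G = pow(2, (P - 1) // Q, P)     # 2^k mod p (here 4) lies in the subgroup of order q


def deal(q, t, x_i):
    """A_i picks f_i(x) = sum_k b_{i,k} x^k of degree t-1 with f_i(0) = x_i."""
    return [x_i] + [secrets.randbelow(q) for _ in range(t - 1)]


def commitments(p, g, coeffs):
    """Published B_{i,k} = g^{b_{i,k}}; B_{i,0} is the public value h_i = g^{x_i}."""
    return [pow(g, b, p) for b in coeffs]


def share(q, coeffs, j):
    """s_{i,j} = f_i(j) mod q, sent to A_j over the secure channel."""
    return sum(b * pow(j, k, q) for k, b in enumerate(coeffs)) % q


def check_share(p, q, g, B, j, s):
    """A_j's test: g^s == prod_k B_k^{j^k} (mod p). The exponents j^k are reduced
    mod q because every B_k has order dividing q."""
    rhs = 1
    for k, B_k in enumerate(B):
        rhs = rhs * pow(B_k, pow(j, k, q), p) % p
    return pow(g, s, p) == rhs


def check_combined(p, q, g, all_B, j, s_j):
    """The same identity for s_j = sum_i s_{i,j}: g^{s_j} must equal the product
    of every authority's commitment evaluation at j."""
    rhs = 1
    for B in all_B:
        for k, B_k in enumerate(B):
            rhs = rhs * pow(B_k, pow(j, k, q), p) % p
    return pow(g, s_j, p) == rhs


def demo(n=5, t=3):
    """n authorities deal to each other. Returns (all honest shares pass,
    a corrupted share passes, combined shares pass, B_{i,0} == g^{x_i})."""
    polys = [deal(Q, t, secrets.randbelow(Q)) for _ in range(n)]
    all_B = [commitments(P, G, f) for f in polys]
    honest = all(check_share(P, Q, G, all_B[i], j, share(Q, polys[i], j))
                 for i in range(n) for j in range(1, n + 1))
    # A dealer that sends A_2 a share off by one is caught: g^{s+1} != g^s as g != 1.
    corrupted = check_share(P, Q, G, all_B[0], 2, (share(Q, polys[0], 2) + 1) % Q)
    combined = all(check_combined(P, Q, G, all_B, j,
                                  sum(share(Q, f, j) for f in polys) % Q)
                   for j in range(1, n + 1))
    pk_ok = all(all_B[i][0] == pow(G, polys[i][0], P) for i in range(n))
    return honest, corrupted, combined, pk_ok
```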
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationLecture 12: Interactive Proofs
princeton university cos 522: computational complexity Lecture 12: Interactive Proofs Lecturer: Sanjeev Arora Scribe:Carl Kingsford Recall the certificate definition of NP. We can think of this characterization
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationInteractive proof and zero knowledge protocols
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationBatch Range Proof For Practical Small Ranges
Batch Range Proof For Practical Small Ranges Kun Peng and Feng Bao dr.kun.peng@gmail.com Institute for Inforcomm Research (I 2 R), Singapore 1 Agenda 1. Introduction 2. Range proof 3. Batch proof 4. Extended
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationUniversity of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:
University of Tokyo: Advanced Algorithms Summer 2010 Lecture 6 27 May Lecturer: François Le Gall Scribe: Baljak Valentina As opposed to prime factorization, primality testing is determining whether a given
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More information