Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
|
|
- Beatrix Jackson
- 6 years ago
- Views:
Transcription
1 S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK, Graz University of Technology
2 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 2
3 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 3
4 Static Accumulators Finite set Accumulator 4
5 Static Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X Intractable to compute x / X 4
6 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n mod N 5
7 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N 5
8 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. 5
9 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. Witness for y / X Would imply breaking strong RSA... unless factorization of N is known. 5
10 Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X 6
11 Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X Universal features Demonstrate non-membership Non-membership witness wit x Efficiently computable x / acc X Intractable to compute x acc X 6
12 Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability 7
13 Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability Thus, accumulators not usable as black-boxes Limited exchangeability when used in other constructions Relations to other primitives hard to study 7
14 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability 8
15 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc 8
16 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets 8
17 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets Exhaustive classification of existing schemes (see Paper) 8
18 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 9
19 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify 10
20 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit 10
21 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit Dynamic Accumulators additionally provide Add Delete WitUpdate 10
22 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type 11
23 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) 11
24 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) For dynamic accumulator schemes The same additionally applies to WitUpdate 11
25 Security Correctness Collision freeness Undeniability Indistinguishability 12
26 Security - Collision Freeness Experiment Exp cf κ ( ): 13
27 Security - Collision Freeness Experiment Exp cf κ ( ): A wins if wit x is membership witness for non-member, or wit x is non-membership witness for member 13
28 Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): 14
29 Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): A wins if verification succeeds for both wit x and wit x 14
30 Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud 15
31 Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud Other direction does not hold [BLL02] 15
32 Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators 16
33 Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators We provide formalization not suffering from shortcomings above 16
34 Security - Indistinguishability II Experiment Exp ind κ ( ): 17
35 Security - Indistinguishability II Experiment Exp ind κ ( ): A wins if guess correct 17
36 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. 18
37 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition 18
38 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability 18
39 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability We modify [Ngu05] to provide indistinguishability First indistinguishable t-bounded dynamic accumulator 18
40 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 19
41 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X 20
42 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators 20
43 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators Algorithms compatible Security notions similar 20
44 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability 21
45 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) 21
46 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability Other direction unclear, sim-based notion seems stronger 21
47 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability 21 Other direction unclear, sim-based notion seems stronger First undeniable, unbounded, indistinguishable acc Nearly ZK sets t-bounded
48 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 22
49 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m 23
50 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward 23
51 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m 23
52 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m Hiding: For C to either m 0 or m 1. Intractable to decide whether C opens to m 0 or m 1 23
53 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true 24
54 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding 24
55 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding 24
56 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding Observe: cfw-indistinguishability not useful 24
57 Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set 25
58 Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set Trapdoor commitments Use sk acc as trapdoor 25
59 Conclusion Unified model for accumulators Covering all features existing to date 26
60 Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme 26
61 Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme Show relations to other primitives Commitments Zero-knowledge sets Yields first undeniable, unbounded, indistinguishable, universal accumulator Inspiration for new constructions 26
62 Thank you. Extended version:
63 References I [BLL02] Ahto Buldas, Peeter Laud, and Helger Lipmaa. Eliminating counterevidence with applications to accountable certificate management. Journal of Computer Security, 10(3): , [Ngu05] Lan Nguyen. Accumulators from bilinear pairings and applications. In Topics in Cryptology - CT-RSA 2005, The Cryptographers Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings, pages ,
64 Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA / 22
65 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22
66 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22
67 Proof of Knowledge Alice Bob Interactive method for one party to prove to another the knowledge of a secret S. Classical Instantiations : Schnorr proofs, Sigma Protocols... O. Blazy (XLim) Negative-NIZK CT-RSA / 22
68 Proving that a statement is not satisfied Alice Bob Interactive method for one party to prove to another the knowledge of a secret S that does not belong to a language L. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
69 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22
70 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22
71 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22
72 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22
73 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22
74 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22
75 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA / 22
76 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA / 22
77 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA / 22
78 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
79 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
80 Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: S is true verifier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verifier that S is true 3 Zero-knowledge: S is true no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
81 Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
82 Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. Implicit proof of knowledge of sk O. Blazy (XLim) Negative-NIZK CT-RSA / 22
83 Smooth Projective Hash Functions [CS02] Definition Let {H} be a family of functions: X, domain of these functions L, subset (a language) of this domain such that, for any point x in L, H(x) can be computed by using either a secret hashing key hk: H(x) = Hash L (hk; x); or a public projected key hp: H (x) = ProjHash L (hp; x, w) [CS02,GL03] Public mapping hk hp = ProjKG L (hk, x) O. Blazy (XLim) Negative-NIZK CT-RSA / 22
84 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
85 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
86 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
87 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
88 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22
89 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22
90 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22
91 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22
92 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22
93 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22
94 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22
95 From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA / 22
96 From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA / 22
97 From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA / 22
98 Possible Instantiations Proof π Proof π Interactive Properties Groth Sahai Groth Sahai No Zero-Knowledge SPHF SPHF Yes Implicit Groth Sahai SPHF Depends ZK, Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22
99 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22
100 Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA / 22
101 Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA / 22
102 Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA / 22
103 Language Authenticated Key Exchange Alice C(M B ) C(M A ), hp B hp A Bob H B H A H B H A Same value iff languages are as expected, and users know witnesses. O. Blazy (XLim) Negative-NIZK CT-RSA / 22
104 Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA / 22
105 Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA / 22
Non-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationInteractive and Non-Interactive Proofs of Knowledge
Interactive and Non-Interactive Proofs of Knowledge Olivier Blazy ENS / CNRS / INRIA / Paris 7 RUB Sept 2012 O. Blazy (ENS RUB) INIPoK Sept 2012 1 / 63 1 General Remarks 2 Building blocks 3 Non-Interactive
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationSystèmes de preuve Groth-Sahai et applications
Systèmes de preuve Groth-Sahai et applications Damien Vergnaud École normale supérieure C.N.R.S. I.N.R.I.A. 22 octobre 2010 Séminaire CCA D. Vergnaud (ENS) Groth-Sahai proof system and applications Oct.
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationShort Randomizable Signatures
SESSION ID: CRYP-W02 Short Randomizable Signatures David Pointcheval Senior Researcher ENS/CNRS/INRIA Paris, France Joint work with Olivier Sanders S C I E N C E P A S S I O N
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationImplicit Zero-Knowledge Arguments and Applications to the Malicious Setting
Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting Fabrice Benhamouda, Geoffroy Couteau, David Pointcheval, and Hoeteck Wee ENS, CNRS, INRIA, and PSL, Paris, France firstname.lastname@ens.fr
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationProtean Signature Schemes
Protean Signature Schemes Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig October 2, 2018 Cryptology And Network Security (CANS 2018), Naples, Italy 1 Digital Signatures 2 Digital Signatures
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationPractical Round-Optimal Blind Signatures in the Standard Model
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationOn the Non-malleability of the Fiat-Shamir Transform
An extended abstract of this paper is published in the proceedings of the 13th International Conference on Cryptology in India [21] Indocrypt 2012. This is the full version. On the Non-malleability of
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationRemoving Erasures with Explainable Hash Proof Systems
Removing Erasures with Explainable Hash Proof Systems Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France firstname.lastname@ens.fr www.di.ens.fr/~{abdalla,fbenhamo,pointche} October
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationCommitment Schemes and Zero-Knowledge Protocols (2011)
Commitment Schemes and Zero-Knowledge Protocols (2011) Ivan Damgård and Jesper Buus Nielsen Aarhus University, BRICS Abstract This article is an introduction to two fundamental primitives in cryptographic
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationPost-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler 1, Sebastian Ramacher 1, and Daniel Slamanig 2 1 IAIK, Graz University
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationDivisible E-cash Made Practical
Divisible E-cash Made Practical Sébastien Canard (1), David Pointcheval (2), Olivier Sanders (1,2) and Jacques Traoré (1) (1) Orange Labs, Caen, France (2) École Normale Supérieure, CNRS & INRIA, Paris,
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationMinimal Assumptions for Efficient Mercurial Commitments
Minimal Assumptions for Efficient Mercurial Commitments Yevgeniy Dodis Abstract Mercurial commitments were introduced by Chase et al. [8] and form a key building block for constructing zero-knowledge sets
More informationMalleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials
Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Redmond melissac@microsoft.com Markulf Kohlweiss Microsoft Research Cambridge
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationLecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.
CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial
More informationSub-linear Blind Ring Signatures without Random Oracles
Sub-linear Blind Ring Signatures without Random Oracles Essam Ghadafi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. United Kingdom. ghadafi@cs.bris.ac.uk
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationCryptography for Blockchains beyond ECDSA and SHA256
Cryptography for Blockchains beyond ECDSA and SHA256 S IGNATURES AND Z ERO K NOWLEDGE P ROOFS Benedikt Bünz Stanford University Overview 1. Signatures 1. ECDSA 2. BLS 3. Threshold Signatures 4. Ring Signatures
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationAUTHORIZATION TO LEND AND REPRODUCE THE THESIS
AUTHORIZATION TO LEND AND REPRODUCE THE THESIS As the sole author of this thesis, I authorize Brown University to lend it to other institutions or individuals for the purpose of scholarly research. Date:
More informationMalleable Signatures: New Definitions and Delegatable Anonymous Credentials
Malleable Signatures: New Definitions and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Email: melissac@microsoft.com Markulf Kohlweiss Microsoft Research Email: markulf@microsoft.com
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationPrimary-Secondary-Resolver Membership Proof Systems
Primary-Secondary-Resolver Membership Proof Systems Moni Naor and Asaf Ziv Weizmann Institute of Science, Department of Computer Science and Applied Mathematics. {moni.naor,asaf.ziv}@weizmann.ac.il. Abstract.
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationCryptology. Vilius Stakėnas autumn
Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationAccumulators with Applications to Anonymity-Preserving Revocation
Accumulators with Applications to Anonymity-Preserving Revocation Foteini Baldimtsi 1, Jan Camenisch 2, Maria Dubovitskaya 2, Anna Lysyanskaya 3, Leonid Reyzin 4, Kai Samelin 2,5, and Sophia Yakoubov 4
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationZero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors Benoît Libert 1, San Ling 2, Khoa Nguyen 2, and Huaxiong Wang 2 1 Ecole
More informationDelegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs
Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs Chunming Tang 1, Dingyi Pei 1,2 Zhuojun Liu 3 1 Institute of Information Security of Guangzhou University, P.R.China 2 State
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationSignatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)
Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationOn the Impossibility of Batch Update for Cryptographic Accumulators
for Philippe Camacho (pcamacho@dcc.uchile.cl) Alejandro Hevia (ahevia@dcc.uchile.cl) FMCrypto Workshop: Formal Methods in Cryptography University of Chile March 24, 2010 Introduction This work is about
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi, Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. We define and propose an efficient and provably secure
More informationDistinguisher-Dependent Simulation in Two Rounds and its Applications
Distinguisher-Dependent Simulation in Two Rounds and its Applications Abhishek Jain Yael Tauman Kalai Dakshita Khurana Ron Rothblum Abstract We devise a novel simulation technique that makes black-box
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Hard Core Bits Coin Flipping Over the Phone Zero Knowledge Lecture 10 (version 1.1) Tel-Aviv University 18 March 2008. Slightly revised March 19. Hard Core
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationSnarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017 How can
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More information