Non-Interactive Zero-Knowledge Proofs of Non-Membership

Similar documents
Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Efficient Smooth Projective Hash Functions and Applications

Interactive and Non-Interactive Proofs of Knowledge

Smooth Projective Hash Function and Its Applications

Systèmes de preuve Groth-Sahai et applications

Disjunctions for Hash Proof Systems: New Constructions and Applications

Lecture 10: Zero-Knowledge Proofs

Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting

Short Randomizable Signatures

Notes on Zero Knowledge

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 3: Interactive Proofs and Zero-Knowledge

Essam Ghadafi CT-RSA 2016

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Introduction to Cryptography Lecture 13

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Removing Erasures with Explainable Hash Proof Systems

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Cryptology. Vilius Stakėnas autumn

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Lecture Notes 20: Zero-Knowledge Proofs

Cryptography for Blockchains beyond ECDSA and SHA256

March 19: Zero-Knowledge (cont.) and Signatures

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Notes for Lecture 17

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Cryptographical Security in the Quantum Random Oracle Model

1 Number Theory Basics

How many rounds can Random Selection handle?

George Danezis Microsoft Research, Cambridge, UK

Divisible E-cash Made Practical

CPSC 467b: Cryptography and Computer Security

Interactive Zero-Knowledge with Restricted Random Oracles

Lecture 15 - Zero Knowledge Proofs

Zero-Knowledge Proofs and Protocols

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

ECS 189A Final Cryptography Spring 2011

Cryptography in the Multi-string Model

Strong Authenticated Key Exchange with Auxiliary Inputs

Katz, Lindell Introduction to Modern Cryptrography

Anonymous Credentials Light

Commuting Signatures and Verifiable Encryption

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

Primary-Secondary-Resolver Membership Proof Systems

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

Commitment Schemes and Zero-Knowledge Protocols (2011)

Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Accumulators and U-Prove Revocation

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Dr George Danezis University College London, UK

Lecture 28: Public-key Cryptography. Public-key Cryptography

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

DATA PRIVACY AND SECURITY

CPSC 467: Cryptography and Computer Security

Lattice-Based Non-Interactive Arugment Systems

Cryptographic Solutions for Data Integrity in the Cloud

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

AUTHORIZATION TO LEND AND REPRODUCE THE THESIS

Non-interactive Zaps and New Techniques for NIZK

Question: Total Points: Score:

Question 1. The Chinese University of Hong Kong, Spring 2018

Zero-Knowledge Against Quantum Attacks

1 Basic Number Theory

Practical UC-Secure Delegatable Credentials with Attributes and Their Application to Blockchain

A survey on quantum-secure cryptographic systems

Winter 2011 Josh Benaloh Brian LaMacchia

Introduction to Modern Cryptography Lecture 11

Cryptographic Protocols FS2011 1

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

On the Non-malleability of the Fiat-Shamir Transform

How to Go Beyond the Black-Box Simulation Barrier

How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios

Zero-knowledge proofs of knowledge for group homomorphisms

Homework 3 Solutions

Automorphic Signatures and Applications

Cryptographic Protocols Notes 2

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes

On The (In)security Of Fischlin s Paradigm

Lecture 18: Message Authentication Codes & Digital Signa

III. Authentication - identification protocols

Oblivious Evaluation of Multivariate Polynomials. and Applications

Multiparty Computation

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

C C : A Framework for Building Composable Zero-Knowledge Proofs

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Transcription:

Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 2 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 3 / 22

Proof of Knowledge Alice Bob Interactive method for one party to prove to another the knowledge of a secret S. Classical Instantiations : Schnorr proofs, Sigma Protocols... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 4 / 22

Proving that a statement is not satisfied Alice Bob Interactive method for one party to prove to another the knowledge of a secret S that does not belong to a language L. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 5 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 7 / 22

Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22

Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22

Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22

Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 9 / 22

Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 9 / 22

Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: S is true verifier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verifier that S is true 3 Zero-knowledge: S is true no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 10 / 22

Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 11 / 22

Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. Implicit proof of knowledge of sk O. Blazy (XLim) Negative-NIZK CT-RSA 2015 11 / 22

Smooth Projective Hash Functions [CS02] Definition Let {H} be a family of functions: X, domain of these functions L, subset (a language) of this domain such that, for any point x in L, H(x) can be computed by using either a secret hashing key hk: H(x) = Hash L (hk; x); or a public projected key hp: H (x) = ProjHash L (hp; x, w) [CS02,GL03] Public mapping hk hp = ProjKG L (hk, x) O. Blazy (XLim) Negative-NIZK CT-RSA 2015 12 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 14 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22

From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22

From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22

Possible Instantiations Proof π Proof π Interactive Properties Groth Sahai Groth Sahai No Zero-Knowledge SPHF SPHF Yes Implicit Groth Sahai SPHF Depends ZK, Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 17 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 18 / 22

Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22

Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22

Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22

Language Authenticated Key Exchange Alice C(M B ) C(M A ), hp B hp A Bob H B H A H B H A Same value iff languages are as expected, and users know witnesses. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 20 / 22

Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA 2015 21 / 22

Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA 2015 21 / 22

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback