Cryptology. Vilius Stakėnas autumn


Cryptology, Vilius Stakėnas, 2010 autumn

Contents

2.22 Cryptographic protocols
  Key distribution
  Zero-knowledge proofs
  ZKP concept
  How is it possible?
  Requirements for ZKP
  Proving knowledge about congruences
  The Guillou-Quisquater protocol
  Proving knowledge about discrete logarithm
  General setting for ZKP
  General setting for ZKP without interactivity
  ZKP for the discrete logarithm without interactivity
  The coin tossing protocol

2.23 Digital money
  Requirements for digital money
  ECash system created by DigiCash
  Protocol for creating digital notes
  Spending digital notes
  Against multiple spending

2.22 Cryptographic protocols

Key distribution

Diffie-Hellman key exchange protocol; g is a generating element mod p.

Zero-knowledge proofs

Sometimes, before an interactive protocol begins, a participant has to provide some proof of his right to enter the protocol. The secret information cannot be sent over an insecure channel!

ZKP concept

Participants of the ZKP protocol: P (the prover) and V (the verifier). P wants to prove having some knowledge without revealing it.

How is it possible?

Requirements for ZKP

Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.

Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.

Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact.

Proving knowledge about congruences

P: I know the solution $u$ of $x^2 \equiv c \pmod n$.

The protocol:

1. P chooses $r$ randomly and sends $y \equiv r^2 \pmod n$ to V.
2. V chooses $i \in \{0, 1\}$ randomly and sends it to P.
3. P computes $z \equiv u^i r \pmod n$ and sends it to V.
4. V checks whether $z^2 \equiv c^i y \pmod n$.

The protocol is repeated.

The Guillou-Quisquater protocol

P: I know the solution $u$ of $x^e \equiv c \pmod n$.

The protocol:

1. P chooses $r$ randomly and sends $y \equiv r^e \pmod n$ to V.
2. V chooses $i \in \{0, 1, \ldots, e-1\}$ and sends it to P.
3. P computes $z \equiv u^i r \pmod n$ and sends it to V.
4. V verifies the congruence $z^e \equiv c^i y \pmod n$.

The protocol is repeated.
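The Guillou-Quisquater round above, as an added example that is not part of the original slides; with e = 2 the same functions give the square-root protocol. The modulus, exponent and secret are constructed toy values, and the function names are this example's own. It also shows why the round is repeated: a prover without u who fixes z first can satisfy the check only for the one challenge guessed in advance.

```python
import secrets
from math import gcd

# Constructed toy parameters (far too small for real use).
N = 3233            # n = 61 * 53
E = 7               # public exponent e; challenges come from {0, ..., e-1}
U = 1234            # prover's secret u
C = pow(U, E, N)    # public value c = u^e mod n

def rand_unit(n):
    """Random r with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def commit(n=N, e=E):
    """Step 1: P picks r and sends y = r^e mod n."""
    r = rand_unit(n)
    return r, pow(r, e, n)

def respond(u, r, i, n=N):
    """Step 3: P answers challenge i with z = u^i * r mod n."""
    return (pow(u, i, n) * r) % n

def verify(c, y, i, z, n=N, e=E):
    """Step 4: V checks z^e = c^i * y mod n."""
    return pow(z, e, n) == (pow(c, i, n) * y) % n

def honest_round():
    r, y = commit()
    i = secrets.randbelow(E)          # step 2: V's random challenge
    return verify(C, y, i, respond(U, r, i))

def forged_passes(guess, actual):
    """A prover without u picks z first and sets y = z^e * c^(-guess).
    The check then holds only when the actual challenge equals the guess."""
    z = rand_unit(N)
    y = (pow(z, E, N) * pow(pow(C, guess, N), -1, N)) % N
    return verify(C, y, actual, z)
```

A single round therefore accepts a prover who does not know u with probability 1/e (1/2 in the square-root protocol), and k independent rounds reduce that to (1/e)^k.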

Proving knowledge about discrete logarithm

Public knowledge: the prime number $p$, the generating element $g$ and $y$. P knows the value of the discrete logarithm $x$, i.e. $y \equiv g^x \pmod p$.

The protocol:

1. P chooses $r$ randomly, computes $t \equiv g^r \pmod p$ and sends it to V.
2. V chooses a random $c$ and sends it to P.
3. P computes $s \equiv r + cx \pmod{p-1}$ and sends it to V.
4. V verifies whether $g^s \equiv t y^c \pmod p$.

General setting for ZKP

P wants to prove to V that P knows the solution of some difficult problem U without showing this solution itself.

1. P, using a randomly chosen number $r$, creates a new problem $U(r)$ equivalent to U and solves it.
2. P sends the problem $U(r)$ to V.
3. V chooses randomly the value $b \in \{0, 1\}$ and sends it to P.
4. If $b = 0$, P sends to V the proof that the problems U and $U(r)$ are equivalent; if $b = 1$, P sends the solution of $U(r)$.
5. V checks whether P has fulfilled the requirement.

The protocol is repeated $n$ times.

General setting for ZKP

All data for repeating the protocol can be sent at once. P wants to prove to V that P knows the solution of some difficult problem U without showing this solution itself.

1. P uses randomly chosen numbers $r_1, \ldots, r_n$, creates the problems $U(r_i)$ equivalent to U and solves them.
2. P sends to V the problems $U(r_i)$.
3. V chooses $b_1, \ldots, b_n \in \{0, 1\}$ and sends them to P.
4. If $b_i = 0$, P sends to V the proof that U and $U(r_i)$ are equivalent; if $b_i = 1$, P sends the solution of $U(r_i)$.
5. V verifies whether the requirements are fulfilled.

General setting for ZKP without interactivity

P wants to prove to V that P knows the solution of some difficult problem U without showing this solution itself. A public hash function is used; the digest is a string of $n$ bits.

1. P uses randomly chosen numbers $r_1, \ldots, r_n$, creates the problems $U(r_i)$ equivalent to U and solves them.
2. P computes $h(U(r_1), \ldots, U(r_n)) = (b_1, \ldots, b_n)$.
3. P publishes $U(r_i)$.
4. If $b_i = 0$, P publishes the proof that U and $U(r_i)$ are equivalent; if $b_i = 1$, P publishes the solution of $U(r_i)$.

V can verify the proof without interacting with P.

ZKP for the discrete logarithm without interactivity

Public knowledge: the prime number $p$, the generating element $g$, the hash function $h(u, v, w) \in \mathbb{Z}_{p-1}$ and $y$. P knows the discrete logarithm $x$, $g^x \equiv y \pmod p$. P wants to publish a non-interactive proof of knowledge of $x$.

P computes the proof:

1. chooses $v$ randomly and computes $t \equiv g^v \pmod p$;
2. computes $c = h(g, y, t)$;
3. computes $r \equiv v - cx \pmod{p-1}$.

The proof of $x$ is $(c, r)$.

Verification of the proof:

1. compute $t \equiv g^r y^c \pmod p$;
2. check whether $c = h(g, y, t)$.
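Both discrete-logarithm proofs described above (the interactive round with s = r + cx and the non-interactive proof (c, r) with r = v - cx), as an added example that is not part of the original slides. The group p = 2^31 - 1 with g = 7 is a constructed toy choice, and using SHA-256 reduced mod p - 1 as the public hash h is an assumption of this example.

```python
import hashlib
import secrets

# Constructed toy group: p = 2^31 - 1 is prime and g = 7 generates Z_p^*
# (far too small for real use).
P, G = 2**31 - 1, 7
Q = P - 1                                  # exponents are reduced mod p - 1

def h(g, y, t):
    """Public hash h(g, y, t) with values in Z_{p-1} (SHA-256 is an assumption)."""
    data = b"|".join(str(v).encode() for v in (g, y, t))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Secret x and public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def interactive_round(x, y):
    """One run of the interactive protocol; returns V's decision."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)                       # P -> V: t = g^r
    c = secrets.randbelow(Q)               # V -> P: random challenge c
    s = (r + c * x) % Q                    # P -> V: s = r + c*x mod p-1
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def prove(x, y):
    """Non-interactive proof (c, r): the hash replaces V's challenge."""
    v = secrets.randbelow(Q)
    t = pow(G, v, P)
    c = h(G, y, t)
    r = (v - c * x) % Q
    return c, r

def verify(y, proof):
    """Recompute t = g^r * y^c mod p and compare c with h(g, y, t)."""
    c, r = proof
    if not (0 <= c < Q and 0 <= r < Q):    # reject out-of-range values
        return False
    t = (pow(G, r, P) * pow(y, c, P)) % P
    return c == h(G, y, t)
```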

The coin tossing protocol

There are two participants A and B communicating over telephone or e-mail.

1. A and B agree on the value of a large prime number $p$ and choose two generating elements $h$ and $t$.
2. A chooses $x$ randomly, computes $y \equiv h^x \pmod p$ (or $y \equiv t^x \pmod p$) and sends it to B.
3. B guesses whether $h$ (head) or $t$ (tail) was used.
4. A tells B whether the guess was correct and sends $x$ so that B can check the guess himself.

2.23 Digital money

Requirements for digital money

authenticity: only the owner of the account can get the digital money;
integrity: the digital note cannot be changed;
direct payment: the digital money can be spent without contacting the bank that issued it;
security: the same digital note cannot be spent repeatedly;
anonymity: no personal information is required for spending the money.

ECash system created by DigiCash

A wants to have digital money. A must have a non-empty account at the bank B in order to "digitize" some of its "real" money. When A asks B for digital money, some system for authenticating users should be used, for example, some digital signature scheme. The bank B should use a secure system of digital signatures, say RSA.

Protocol for creating digital notes

Suppose A wants to get a digital note for 100 EU.

A prepares $n$ (as required by B, say, $n = 100$) sequences of strings ($n$ strings in each sequence) $S_j = (I_{j1}, I_{j2}, \ldots, I_{jn})$, $j = 1, \ldots, n$; each string $I_{jk}$ contains the information identifying A.

Each string $I_{jk}$, as a secret, is divided into two shares $(L_{jk}, R_{jk})$.

A prepares $n$ notes for 100 EU each: $M_j = (m_j, (L_{jk}, R_{jk})_{k=1,\ldots,n})$; here $m_j$ contains the number of the note (different numbers for different notes) and the value of the note.

A masks the notes and sends $M_j = (z_j^e m_j, (L_{jk}, R_{jk})_{k=1,\ldots,n})$; here $e$ is the public key of the bank B and $z_j$ is a number chosen randomly.

Protocol for creating digital notes

The bank B chooses $n - 1$ notes (for example, $M_1, \ldots, M_{99}$) and requires that A send the masking numbers $z_j$.

B gets the numbers $z_j$ and verifies whether the chosen notes are created correctly: the same values, different serial numbers.

If all the notes are created according to the rules, B believes that the last one is correct too. B signs it and sends to A $((z_{100}^e m_{100})^d, (L_{100,k}, R_{100,k})_{k=1,\ldots,n})$.

A removes the masking factor and has a digital note $(m_{100}, (m_{100})^d)$ with an attachment $I_{100} = (L_{100,k}, R_{100,k})_{k=1,\ldots,n}$.

Spending digital notes

1. A gives the digital note $(m_{100}, (m_{100})^d)$ to the vendor V.
2. V checks the digital signature of B: $m_{100} = ((m_{100})^d)^e$.
3. V generates a random bit string $b_1 b_2 \ldots b_{100}$ and gives it to A.
4. If $b_i = 0$, A must convey $L_{100,i}$; if $b_i = 1$, A conveys $R_{100,i}$.
5. V sends to B $(m_{100}, (m_{100})^d)$ and the revealed shares of $I_{100,i}$.
6. B verifies its signature and checks in its database whether the note with the serial number of $m_{100}$ was spent earlier. If not, the bank transfers the appropriate sum to the account of the vendor and enters the received information into the database.

Against multiple spending

If B finds out that the note is being spent repeatedly, it compares the shares of the secret with the ones already in the database.

If all shares received are the same as in the database, the bank accuses the vendor.

If some shares are different, then the bank can reveal the identity of A (it computes the secret from two shares, say, $L_{100,k}$ and $R_{100,k}$).
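The masking, signing, spending and double-spending steps above, as an added example that is not part of the original slides or of the DigiCash system; it leaves out the bank's check of the n - 1 opened notes. The RSA key, note value and identity string are constructed toy values, the function names are this example's own, and splitting each identity string with XOR is an assumption (the slides only say it is divided into two shares).

```python
import secrets
from math import gcd

# Constructed toy RSA key of bank B (n = 61 * 53); far too small for real use.
N, E, D = 3233, 17, 2753

def split(identity: bytes):
    """Divide I into shares (L, R) with L xor R = I (XOR splitting is an assumption)."""
    left = secrets.token_bytes(len(identity))
    return left, bytes(a ^ b for a, b in zip(left, identity))

def blind(m):
    """A masks the note: returns z and z^e * m mod n."""
    while True:
        z = secrets.randbelow(N - 2) + 2
        if gcd(z, N) == 1:
            return z, (pow(z, E, N) * m) % N

def bank_sign(masked):
    """B signs without seeing m: (z^e * m)^d = z * m^d mod n."""
    return pow(masked, D, N)

def unblind(z, blind_sig):
    """A removes the masking factor and keeps m^d mod n."""
    return (blind_sig * pow(z, -1, N)) % N

def vendor_accepts(m, sig):
    """V checks B's signature: (m^d)^e = m mod n."""
    return pow(sig, E, N) == m % N

def reveal(shares, bits):
    """A's answer to V's bit string: L_i if b_i = 0, R_i if b_i = 1."""
    return [pair[b] for pair, b in zip(shares, bits)]

def bank_deposit(db, m, bits, revealed):
    """Returns 'ok', 'vendor' (same shares submitted again) or A's identity."""
    if m not in db:
        db[m] = (bits, revealed)
        return "ok"
    old_bits, old_revealed = db[m]
    for b0, s0, b1, s1 in zip(old_bits, old_revealed, bits, revealed):
        if b0 != b1:            # both shares of one identity string are now known
            return bytes(x ^ y for x, y in zip(s0, s1))
    return "vendor"
```

Two independent challenge strings of length n coincide in every position with probability 2^-n, which is why a second spending at another vendor exposes both shares of some identity string.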