G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009. Lecture 14


G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009
Lecturer: Yevgeniy Dodis
Lecture 14
Scribe: Aristeidis Tentes

In this lecture we covered the Ideal/Real paradigm and the notion of UC security. Moreover, we saw some UC-secure ZK protocols and NIZKs.

1 Ideal/Real paradigm

One of the main objectives of cryptography is to construct protocols which are secure even in the presence of corrupted parties. But first of all we have to define what "secure" means. To do so, imagine what properties we would have in an ideal world, and then call a protocol secure if the real (constructed) protocol has similar properties. This is the basic idea of the Ideal/Real paradigm.

There are two main kinds of adversaries: static and adaptive. In the first case, the adversary chooses which party it corrupts before the protocol begins. In the latter case, the adversary chooses the party to be corrupted during the execution of the protocol. The network which is used might be either authenticated, which means that the receiver always knows who the sender was, or not. It might also have secure or public channels. The former ensure that the transmitted messages reveal useful information only to the receiver, while the latter do not. Here, for simplicity, we assume static adversaries and a network with secure, authenticated channels.

For example, let us see a ZK protocol for some relation R, where generally the verifier V has as input some y and the prover P wants to prove to V that there exists some x such that (x, y) ∈ R. In an ideal world we can imagine a third party which is honest and trustworthy and can communicate with both P and V. In this ideal scenario, P could give (x, y) to this trusted party; the latter would check whether (x, y) ∈ R and then tell V whether this is true or false. However, in the real world we do not have such trusted parties and we have to substitute them with a cryptographic protocol π between P and V.

Roughly speaking, the Ideal/Real paradigm requires that for whatever information an adversary A (which plays the role of either P or V) could retrieve in the Real world, there is a way to retrieve it in the Ideal world as well. The trusted third party can be viewed as the functionality we want to achieve, and we denote it by F_ZK. If some protocol satisfies the above property regarding this functionality, we call it secure. The formal definition of security follows:

Definition 1 A protocol π realizes F_ZK if for all ppt A there exists a ppt S such that
$\mathrm{Real}_{\pi,A} \approx_c \mathrm{Ideal}_{F_{ZK},S}$.

Now let us see what the role of the simulator S is in each case of corruption. In the case where the adversary A corrupts the verifier V, the simulator S only learns in the ideal world whether the statement is true or not, while in the real world A also sees a proof of that. Thus, S must be able to simulate an accepting proof while only knowing that the statement is true. On the other hand, if A corrupts P, S must be able to provide the witness x to the functionality F_ZK in the Ideal world. Observing that S can simulate V, we see that S must be able to extract the witness from P (which is corrupted). The next theorem should be intuitively clear:

Theorem 2 Any ZKPoK protocol π realizes F_ZK.

2 Universal Composability

The above notion of security is quite strong, but still not enough. In some cases we want the protocols to be securely composable. That is, we want the protocols to be secure even if we use them as subroutines in larger protocols, or in cases where other protocols (related or not) are running concurrently. Therefore, we have to take into consideration any environment in which the interaction takes place. The environment can be viewed as an interactive ppt Turing Machine which interacts with both P and V, and is denoted by Z.

Definition 3 A protocol π UC-realizes F_ZK if for all ppt A there exists a ppt S such that for all ppt Z
$\mathrm{Real}_{\pi,A,Z} \approx_c \mathrm{Ideal}_{F_{ZK},S,Z}$.

A negative result is that this notion of security is too strong.

Theorem 4 No protocol π UC-realizes F_ZK.

The intuition is that the environment Z does not allow the simulator to do rewinding. That is, in the case of a corrupted prover P the simulator must extract online, but if there is no setup the same extraction could be done by a malicious verifier V, which would contradict ZK. On the other hand, if we assume an extended setting, we can have UC-realizable ZK protocols in the CRS model. The two models we assume are:

Fresh CRS model. For every interaction we use a new CRS.
Reusable CRS model. For every interaction we use the same CRS.

Theorem 5
1. Any NIZKPoK π UC-realizes F_ZK in the fresh CRS model.
2. Any wse-NIZK with labels π UC-realizes F_ZK in the reusable CRS model.¹

¹ Every interaction is labeled with a different identification number called sid (session identification number). If we use this sid as the label, then every new proof is fresh and cannot be reused.

2.1 Ω-protocols

To construct protocols which UC-realize F_ZK based on weaker assumptions, we are going to use Ω-protocols. Let us recall Ω-protocols, which we saw in lecture 8:

Definition 6 Let π be a Σ-protocol. We call π an Ω-protocol if there exists a ppt extractor E such that for any prover P and statement y we have that
$\Pr[\pi \leftarrow (P(y) \leftrightarrow V(y));\ x \leftarrow E(\pi, TK) : \mathrm{Accept}(\pi) \wedge (x, y) \notin R] = \mathrm{negl}$,
where TK is the trapdoor key of FakeCRS.

The difference with the previous lecture is that here there is a CRS with a trapdoor instead of a (non-programmable) random oracle. Therefore, the extractor is given the trapdoor of the CRS instead of the oracle queries. Now let us see two constructions of Ω-protocols for a relation R:

Construction 1 (from CPA + Σ-protocol with large challenge space). The CRS is the public key pk and the trapdoor of the CRS is the decryption key dk of the CPA-secure encryption scheme. During the first round the prover P computes c ← Enc_pk(x) and sends it to the verifier V. Then P and V run a Σ-protocol for the statement: Dec_dk(c) = x and (x, y) ∈ R. The extractor E simply uses the decryption key to compute x = Dec_dk(c). By soundness of the underlying Σ-protocol, x must be a witness. A disadvantage of this construction is that even if R has an efficient Σ-protocol, the relation of the statement "Dec_dk(c) = x and (x, y) ∈ R" might not.

Theorem 7 The above construction is a secure Ω-protocol if Σ has a superlogarithmic challenge space.

Construction 2 (from CPA + Σ-protocol with small challenge space). If the challenge space is binary (small), then we can do the following (the figure shows one repetition; it is run n times in parallel with challenges (c_1, ..., c_n)):

    P                                                      V
    (a, z_0, z_1) ← Σ-protocol
    γ_0 = Enc_pk(z_0; r_0), γ_1 = Enc_pk(z_1; r_1)
                         ---- (a, γ_0, γ_1) ---->
                         <------- c -------------   c ←_R {0, 1}
                         ---- (z_c, r_c) -------->

Theorem 8 The above construction is a secure Ω-protocol.

This construction is very similar to that of lecture 8 for the case of a non-programmable random oracle. The extractor here uses the secret key (the trapdoor of the CRS) to compute z_{1−c} and uses special soundness to compute the witness from a, z_c, z_{1−c}. With overwhelming probability there exists some repetition i which gives a valid witness. The advantage of this protocol is that it is quite generic and only needs a Σ-protocol for the relation R itself (and not for another relation, as before). The disadvantage is that there is a great loss of efficiency, as it is like running many protocols in parallel.
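Construction 2 carried through on a toy instantiation, as an added example that is not part of the lecture notes: Schnorr's Σ-protocol for the discrete-log relation R = {(x, y) : y = g^x} with a one-bit challenge, lifted ElGamal as the CPA scheme (its decryption key plays the CRS trapdoor TK), and a constructed 11-bit group that is far too small to be secure. What it shows is straight-line extraction: E decrypts the response the prover did not open and applies special soundness, with no rewinding.

```python
# Toy instantiation of Construction 2 (added example, not the lecture's code).
# Constructed toy group: p = 2q + 1, G generates the order-Q subgroup of Z_P^*.
import secrets

P, Q, G = 2039, 1019, 4

def keygen():
    """CRS = ElGamal public key pk; trapdoor TK = decryption key dk."""
    dk = secrets.randbelow(Q - 1) + 1
    return pow(G, dk, P), dk

def enc(pk, z, r):
    """Lifted ElGamal: encrypt scalar z in Z_Q as (g^r, g^z * pk^r)."""
    return pow(G, r, P), pow(G, z, P) * pow(pk, r, P) % P

def dec(dk, gamma):
    """Recover g^z, then z by brute force (fine only for this toy group)."""
    u, v = gamma
    gz = v * pow(u, Q - dk, P) % P          # v / u^dk, since u has order Q
    return next(z for z in range(Q) if pow(G, z, P) == gz)

def prover_commit(pk, x):
    """Round 1: first message a = g^k plus encryptions of BOTH responses."""
    k = secrets.randbelow(Q)
    z = [(k + c * x) % Q for c in (0, 1)]     # z_c = k + c*x (Schnorr)
    r = [secrets.randbelow(Q) for _ in (0, 1)]
    gamma = [enc(pk, z[c], r[c]) for c in (0, 1)]
    return (pow(G, k, P), gamma), (z, r)

def verify(pk, y, msg1, c, z_c, r_c):
    """V checks the Sigma response and that gamma_c really encrypts z_c."""
    a, gamma = msg1
    return pow(G, z_c, P) == a * pow(y, c, P) % P and enc(pk, z_c, r_c) == gamma[c]

def extract(dk, msg1, c, z_c):
    """Straight-line extractor E: decrypt z_{1-c} with the trapdoor, then
    apply special soundness x = z_1 - z_0 (mod Q). No rewinding needed."""
    z_other = dec(dk, msg1[1][1 - c])
    z0, z1 = (z_c, z_other) if c == 0 else (z_other, z_c)
    return (z1 - z0) % Q

def run(x, rounds=8):
    """Run `rounds` parallel repetitions; return (all accepted, witnesses)."""
    pk, dk = keygen()
    y = pow(G, x, P)
    ok, found = True, set()
    for _ in range(rounds):
        msg1, (z, r) = prover_commit(pk, x)
        c = secrets.randbelow(2)                # verifier's challenge bit
        ok &= verify(pk, y, msg1, c, z[c], r[c])
        found.add(extract(dk, msg1, c, z[c]))
    return ok, found
```

Every repetition extracts the same witness here because the honest prover encrypts consistent responses; against a cheating prover the notes' argument is that with overwhelming probability at least one repetition yields a valid witness.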

2.2 Construction of a UC-secure ZK protocol in the fresh CRS model

Suppose that we have a trapdoor commitment scheme. The CRS will be the CRS of both the trapdoor commitment scheme and the Ω-protocol, namely CRS = (Ω-CRS, Com-CRS).

    P                                   V
    (γ, d) ← Com(a)
                   ---- γ ---------->
                   <--- c -----------
                   ---- (z, d, a) -->

As we can see, this construction is very similar to that of concurrent ZK of lecture 7. However, here we need not only straight-line simulatability but straight-line extractability as well. This is exactly the reason why we use Ω-protocols.

2.3 Construction of a UC-secure ZK protocol in the reusable CRS model

The above protocol is only secure if there is a fresh CRS every time. However, if the CRS remains the same, an adversary might interact with some prover P, use what P sent him to break binding, and then interact with some verifier V. Therefore, here we are going to use a tool called Identity-Based Trapdoor Commitment Scheme (IBTC). It is almost the same as a Trapdoor Commitment Scheme, but every receiver has an identity and each identity has a different trapdoor. More specifically, there exists a master secret key MSK and a public key PK. Using MSK we can compute for any ID its trapdoor key TK_ID. The property of equivocation is the same as that of regular Trapdoor Commitments, with respect to each identity ID. Namely, having TK_ID we can produce an equivocable commitment, which can be opened to any message.

Construction of IBTC (from OWF + Σ-protocol). The construction is very similar to that of regular Trapdoor Commitments, which we saw in lecture 4. There we used a Σ-protocol for a relation R_f such that R_f(x, y) = 1 iff f(x) = y, with f a OWF; the public key was y and the trapdoor key x. Here we just use a different relation. Suppose that Γ = (Gen, Sig, Ver) is a signature scheme, let R_ID be the relation such that (x, y) ∈ R_ID iff y = (VK, ID) and x = σ with Ver(VK, ID, σ) = 1, and suppose that there is a Σ-protocol for this relation. Firstly, we choose a random string r and compute (VK, SK) ← Gen(r). Then we set MSK = r and PK = VK.

The trapdoor key TK_ID for identity ID is σ_ID = Sig_SK(ID). Commitment and Equivocation are the same as in the Σ-protocol-based Trapdoor Commitments. The ZK protocol is the same as before, but instead of using regular trapdoor commitments we use IBTC. Namely,

    P                                   V
    (γ, d) ← Com_V(a)
                   ---- γ ---------->
                   <--- c -----------
                   ---- (z, d, a) -->

The usefulness of IBTC relies on the fact that every ID has a different trapdoor, and breaking binding for one ID does not imply breaking binding for other IDs.

3 Generalized Universal Composability

Although UC-security is a very strong notion, it does not capture all the security properties we want in the case of protocols which use a global setup (CRS, PKI, etc.). That is, in cases where many protocols may use the same setup, there are issues such as deniability and malleability which are not guaranteed by UC-security. Therefore, an even stronger notion of security is required, which is called Generalized Universal Composability (GUC). Roughly speaking, in the CRS model in the UC framework the common reference string is only given to the adversary and the parties running the actual protocol (in the real world), but in the GUC framework the reference string is given to everyone, including the environment. At a more technical level, the simulator is not allowed to choose its own CRS, namely the CRS is non-programmable. What we achieve with GUC-secure protocols is that they can be securely composed with other protocols which use the same setup.