Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Similar documents
Non-Interactive Zero-Knowledge Proofs of Non-Membership

Efficient Smooth Projective Hash Functions and Applications

Interactive and Non-Interactive Proofs of Knowledge

Smooth Projective Hash Function and Its Applications

Systèmes de preuve Groth-Sahai et applications

Disjunctions for Hash Proof Systems: New Constructions and Applications

Lecture Notes 20: Zero-Knowledge Proofs

Short Randomizable Signatures

Lecture 3: Interactive Proofs and Zero-Knowledge

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Lecture 10: Zero-Knowledge Proofs

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

March 19: Zero-Knowledge (cont.) and Signatures

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Implicit Zero-Knowledge Arguments and Applications to the Malicious Setting

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Notes on Zero Knowledge

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Protean Signature Schemes

Introduction to Cryptography Lecture 13

Practical Round-Optimal Blind Signatures in the Standard Model

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

1 Number Theory Basics

Lecture 15 - Zero Knowledge Proofs

Homework 3 Solutions

Entity Authentication

How many rounds can Random Selection handle?

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Essam Ghadafi CT-RSA 2016

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

On the Non-malleability of the Fiat-Shamir Transform

Interactive Zero-Knowledge with Restricted Random Oracles

Removing Erasures with Explainable Hash Proof Systems

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Commitment Schemes and Zero-Knowledge Protocols (2011)

Notes for Lecture 17

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

Divisible E-cash Made Practical

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

Lecture 2: Program Obfuscation - II April 1, 2009

Minimal Assumptions for Efficient Mercurial Commitments

Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials

Katz, Lindell Introduction to Modern Cryptrography

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Sub-linear Blind Ring Signatures without Random Oracles

Lecture 17: Constructions of Public-Key Encryption

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

George Danezis Microsoft Research, Cambridge, UK

Cryptography for Blockchains beyond ECDSA and SHA256

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

Round-Efficient Multi-party Computation with a Dishonest Majority

A Novel Strong Designated Verifier Signature Scheme without Random Oracles

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Cryptographical Security in the Quantum Random Oracle Model

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

AUTHORIZATION TO LEND AND REPRODUCE THE THESIS

Malleable Signatures: New Definitions and Delegatable Anonymous Credentials

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Statistical WI (and more) in Two Messages

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Primary-Secondary-Resolver Membership Proof Systems

DATA PRIVACY AND SECURITY

CS 355: Topics in Cryptography Spring Problem Set 5.

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Cryptology. Vilius Stakėnas autumn

Lecture 18: Message Authentication Codes & Digital Signa

Accumulators with Applications to Anonymity-Preserving Revocation

Zero-Knowledge Proofs and Protocols

Authentication. Chapter Message Authentication

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors

Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs

Non-interactive Zaps and New Techniques for NIZK

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)

Ring Group Signatures

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

On the Impossibility of Batch Update for Cryptographic Accumulators

A Note on Negligible Functions

Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model

Anonymous Credentials Light

Distinguisher-Dependent Simulation in Two Rounds and its Applications

Introduction to Modern Cryptography. Benny Chor

Cryptographic Solutions for Data Integrity in the Cloud

Cryptography in the Multi-string Model

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

CPSC 467: Cryptography and Computer Security

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Transcription:

S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK, Graz University of Technology www.iaik.tugraz.at

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 2

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 3

Static Accumulators Finite set Accumulator 4

Static Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X Intractable to compute x / X 4

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n mod N 5

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N 5

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. 5

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. Witness for y / X Would imply breaking strong RSA... unless factorization of N is known. 5

Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X 6

Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X Universal features Demonstrate non-membership Non-membership witness wit x Efficiently computable x / acc X Intractable to compute x acc X 6

Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability 7

Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability Thus, accumulators not usable as black-boxes Limited exchangeability when used in other constructions Relations to other primitives hard to study 7

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability 8

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc 8

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets 8

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets Exhaustive classification of existing schemes (see Paper) 8

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 9

Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify 10

Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit 10

Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit Dynamic Accumulators additionally provide Add Delete WitUpdate 10

Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type 11

Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) 11

Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) For dynamic accumulator schemes The same additionally applies to WitUpdate 11

Security Correctness Collision freeness Undeniability Indistinguishability 12

Security - Collision Freeness Experiment Exp cf κ ( ): 13

Security - Collision Freeness Experiment Exp cf κ ( ): A wins if wit x is membership witness for non-member, or wit x is non-membership witness for member 13

Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): 14

Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): A wins if verification succeeds for both wit x and wit x 14

Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud 15

Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud Other direction does not hold [BLL02] 15

Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators 16

Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators We provide formalization not suffering from shortcomings above 16

Security - Indistinguishability II Experiment Exp ind κ ( ): 17

Security - Indistinguishability II Experiment Exp ind κ ( ): A wins if guess correct 17

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. 18

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition 18

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability 18

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability We modify [Ngu05] to provide indistinguishability First indistinguishable t-bounded dynamic accumulator 18

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 19

Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X 20

Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators 20

Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators Algorithms compatible Security notions similar 20

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability 21

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) 21

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability Other direction unclear, sim-based notion seems stronger 21

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability 21 Other direction unclear, sim-based notion seems stronger First undeniable, unbounded, indistinguishable acc Nearly ZK sets t-bounded

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 22

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m 23

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward 23

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m 23

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m Hiding: For C to either m 0 or m 1. Intractable to decide whether C opens to m 0 or m 1 23

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true 24

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding 24

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding 24

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding Observe: cfw-indistinguishability not useful 24

Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set 25

Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set Trapdoor commitments Use sk acc as trapdoor 25

Conclusion Unified model for accumulators Covering all features existing to date 26

Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme 26

Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme Show relations to other primitives Commitments Zero-knowledge sets Yields first undeniable, unbounded, indistinguishable, universal accumulator Inspiration for new constructions 26

Thank you. david.derler@iaik.tugraz.at Extended version: http://eprint.iacr.org/2015/087

References I [BLL02] Ahto Buldas, Peeter Laud, and Helger Lipmaa. Eliminating counterevidence with applications to accountable certificate management. Journal of Computer Security, 10(3):273 296, 2002. [Ngu05] Lan Nguyen. Accumulators from bilinear pairings and applications. In Topics in Cryptology - CT-RSA 2005, The Cryptographers Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings, pages 275 292, 2005. 28

Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 2 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 3 / 22

Proof of Knowledge Alice Bob Interactive method for one party to prove to another the knowledge of a secret S. Classical Instantiations : Schnorr proofs, Sigma Protocols... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 4 / 22

Proving that a statement is not satisfied Alice Bob Interactive method for one party to prove to another the knowledge of a secret S that does not belong to a language L. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 5 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 7 / 22

Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22

Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22

Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22

Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 9 / 22

Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 9 / 22

Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: S is true verifier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verifier that S is true 3 Zero-knowledge: S is true no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 10 / 22

Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 11 / 22

Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. Implicit proof of knowledge of sk O. Blazy (XLim) Negative-NIZK CT-RSA 2015 11 / 22

Smooth Projective Hash Functions [CS02] Definition Let {H} be a family of functions: X, domain of these functions L, subset (a language) of this domain such that, for any point x in L, H(x) can be computed by using either a secret hashing key hk: H(x) = Hash L (hk; x); or a public projected key hp: H (x) = ProjHash L (hp; x, w) [CS02,GL03] Public mapping hk hp = ProjKG L (hk, x) O. Blazy (XLim) Negative-NIZK CT-RSA 2015 12 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 14 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22

From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22

From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22

From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22

Possible Instantiations Proof π Proof π Interactive Properties Groth Sahai Groth Sahai No Zero-Knowledge SPHF SPHF Yes Implicit Groth Sahai SPHF Depends ZK, Implicit O. Blazy (XLim) Negative-NIZK CT-RSA 2015 17 / 22

1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA 2015 18 / 22

Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22

Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22

Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22

Language Authenticated Key Exchange Alice C(M B ) C(M A ), hp B hp A Bob H B H A H B H A Same value iff languages are as expected, and users know witnesses. O. Blazy (XLim) Negative-NIZK CT-RSA 2015 20 / 22

Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA 2015 21 / 22

Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA 2015 21 / 22

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback