March 19: Zero-Knowledge (cont.) and Signatures

Similar documents
Lecture 10: Zero-Knowledge Proofs

CPSC 467b: Cryptography and Computer Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Exam Security January 19, :30 11:30

Katz, Lindell Introduction to Modern Cryptrography

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Digital Signatures. p1.

Cryptographical Security in the Quantum Random Oracle Model

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

George Danezis Microsoft Research, Cambridge, UK

Lecture 28: Public-key Cryptography. Public-key Cryptography

Question 1. The Chinese University of Hong Kong, Spring 2018

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lecture 1: Introduction to Public key cryptography

Authentication. Chapter Message Authentication

Dr George Danezis University College London, UK

Digital Signatures. Adam O Neill based on

Cryptographic Protocols Notes 2

Interactive Zero-Knowledge with Restricted Random Oracles

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

1 Number Theory Basics

Foundations of Network and Computer Security

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

CPSC 467b: Cryptography and Computer Security

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Homework 3 Solutions

CPSC 467: Cryptography and Computer Security

Winter 2011 Josh Benaloh Brian LaMacchia

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Schnorr Signature. Schnorr Signature. October 31, 2012

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Lecture 15 - Zero Knowledge Proofs

Overview. Public Key Algorithms II

RSA and Rabin Signatures Signcryption

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CPSC 467: Cryptography and Computer Security

Lecture Notes, Week 10

Chapter 8 Public-key Cryptography and Digital Signatures

Introduction to Cryptography Lecture 13

On the CCA1-Security of Elgamal and Damgård s Elgamal

Perfectly-Crafted Swiss Army Knives in Theory

ASYMMETRIC ENCRYPTION

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Lecture 9 - Symmetric Encryption

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Math.3336: Discrete Mathematics. Mathematical Induction

Entity Authentication

ECash and Anonymous Credentials

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Question: Total Points: Score:

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

9 Knapsack Cryptography

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

CPSC 467: Cryptography and Computer Security

An Identification Scheme Based on KEA1 Assumption

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Public Key Cryptography

VI. The Fiat-Shamir Heuristic

CRYPTANALYSIS OF COMPACT-LWE

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Lecture 18: Message Authentication Codes & Digital Signa

On The (In)security Of Fischlin s Paradigm

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Lecture Notes, Week 6

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

Additive Conditional Disclosure of Secrets

Lecture 22: RSA Encryption. RSA Encryption

and Other Fun Stuff James L. Massey

Zero-Knowledge Proofs and Protocols

Introduction to Cybersecurity Cryptography (Part 4)

Quantum Entanglement and Cryptography. Deepthi Gopal, Caltech

Post-quantum security models for authenticated encryption

8 Elliptic Curve Cryptography

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Commitment Schemes and Zero-Knowledge Protocols (2011)

Asymmetric Encryption

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Introduction to Cybersecurity Cryptography (Part 4)

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture V : Public Key Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Transcription:

March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o revealing x. No information leakage. How? Zeroknowledge proof. Malicious Alice (A ): wants to prove x even though she doesn t know x. IFF Alice can guess a challenge value correctly, she can cheat. A s method: 1. Guess that c = c. Needs g d = y c b Knows g, y. Only knows c if guess is correct. Left with b & d; gets to choose values. g d = y c b holds. Choose b & d such that If A chooses b first, she can t compute d. Why? Discrete log problem. Should choose d, then compute b: g d = y c b b = g d y c If Alice guesses c correctly here, she wins. Otherwise loses. 1

Note: The above is just a generalization of what we saw last week. 1.2 Main Points This is really a challenge-response protocol. 3-way protocol, i.e. Sigma protocol (Σ has 3 points) 1. Alice commits some data. 2. Bob challenges Alice 3. Alice opens up some data in a way that is consistent w/ the commitment and the challenge. This challenge must be unpredictable before Alice completes the first step. 1.3 About the Challenge We have c ɛ{0, 1}. But c doesn t have to be {0,1}... Can be any set of numbers. When c ɛ{o, 1}, P (Alice cheats) = 1 2. To avoid this (high success probability), when c is t bits long note that P (Alice cheats) = 1 2 t... So choose a cryptographically large t. Technical note: Not important for exam. When you extend challenge to t bits, it is no longer technically zero-knowledge. This has to do with strict security definitions. It is still a sigma protocol, though. 2

MAIN POINT: Malicious Alice locks in some value based on a challenge. She will have a hard time if she doesn t know b. 2 Fiat-Shamir Heuristic Note: y = g x mod p has same form as public/private key encryption. Note that protocol from the previous section was called the Schnorr protocol. Drawback: it is interactive. Enter Fiat-Shamir Heuristic. Let {{p, g, y}, {b, c, d}} be a transcript for a run of Schnorr. Unconvincing because there s no guarantee that b was generated before c. To verify, it is sufficient to show that b is chosen before c. Set c = the hash of b. That is: {{p, g, y}, {b, H(b), d}} The fine print: 1. b before c relies on preimage resistance 2. c needs to be unpredictable. For example if you use challenge ɛ{0, 1}, you could just try a couple values until condition is met. Assume output of hash is random, i.e. random oracle assumption holds. 3. c needs to be large so that faked< b, c, d > values do not by coincidence have c = H(b). 4. Could actually do c = H(b, {p, g, y}) 3 Digital Signatures 3.1 Overview Alice has a public key y and a secret key x. Alice signs a message m as: s = SIG x (m, r) Sometimes we have a random I (initialization vector), too. Bob or anyone else can easily verify < m, s >: T rue/f alse = V ERIF Y y (m, s) 3

Note on signature vs. MAC: Main difference is signature convinces anyone, whereas a MAC convinces only a person you share the key with. MACs do not work gor 2 parties. Signatures are slower than MACs. 3.2 Constructing signatures Two primary ways: 1. Built from public-key decryption 2. Built from zero-knowledge proofs (e.g. Fiat-Shamir or non-interactive zero-knowledge) 3.2.1 Constructing w/ public key encryption Intuition: Say you have a public-key encryption: c = ENC pk (m) m = DEC sc (c) Build a sugnature SIG where: SIG sk (m) DEC sk (m) = s Then send (m, s). To verify: ENC pk (s) = m Note this doesn t work for Elgamal or other CPA-secure encryptions) Because ENC is randomized, you won t necessarily get m back when you do ENC pk (s) m RSA is usable as a signature scheme, since it s not based on DLP. We ll revisit when we see RSA. 3.2.2 Constructing w/ Fiat-Shamir Schnorr proves that a transcript was generated by a person who knows x such that y = g x mod p. x can be secret key. y can be public key. If there were a way to bind a message to one of these transcripts, we d have a signature scheme. So how to bind such a message? Answer: Schnorr sigature. 4

4 Schorr Signature 4.1 Overview {{p, y, g}, {b, c = H(b, m), d}} where y = publickey, H(b, m) = hashedmessagew/challenge. Only person who knows x can generate a valid d here. 4.2 Sign Function We have: s = SIG x (m, r) = {s 1, s 2, s 3 } = {g r, h(g r m), r + H(g r m) x mod p {b, c, b + cx} = {s 1, s 2, s 3 } Verify using: V ERIF Y (m, s) : g s3 = y s2 s q. Also s 2 = H(s 1, m). Signatures should prevent forgeries. MEaning, it should be infeasible to sign a message m without knowledge of private key. Assumptions we ve made for Schnorr: 1. Secure because of the discrete log problem. 2. Preimage resistance of involved hash functions. 3. Random oracle assumption holds (not covered in class) 4. Collision resistance for invomved hash functions. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback