Zero Knowledge Accumulators and Set Operations
|
|
- Branden Park
- 6 years ago
- Views:
Transcription
1 Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios Papadopoulos 3 Roberto Tamassia 1 Nikos Triandopoulos 4 1 Brown University 2 Microsoft Research 3 University of Maryland 4 Stevens Institute of Technology Research supported in part by the US National Science Foundation
2 Data Outsourcing OWNER SERVER query answer CLIENTS
3 Verifiable data outsourcing (static) OWNER SERVER θ θ σ query answer, proof CLIENTS
4 Verifiable data outsourcing (dynamic) OWNER SERVER state σ Upd query answer, proof θ CLIENTS
5 Challenge: Proof Leaking Information r c a x Merkle tree with items stored in sorted order at the leaves. Proof of x: ((a, L), (b, R)). Verification: h(h(a, h(x), c) = r Proof leaks rank of item.
6 Zone enumeration attack Primary resolver Secondary resolver pk,h(.) Zone names: a.com b.com w.com θ θ H(a.com) H(b.com) H(w.com) a5bb 23ce fae1 23ce a5bb fae1 q.com answer, proof CLIENTS [GNPRVZ NDSS15, RFC 5155]
7 Zone enumeration attack Primary resolver Secondary resolver Zone names: a.com b.com w.com θ θ pk,h(.) H(a.com) H(b.com) H(w.com) a5bb 23ce fae1 23ce a5bb fae1 q.com, 23ce a5bb CLIENTS [Bernstein11 nsec3walker]
8 Cryptographic accumulator [Benaloh and del Mare93] σ acc(setx ). Efficient and succinct proof for x X, x / X. Proofs are publicly computable and verifiable. Soundness: Forging proof for an element is infeasible. Traditional proofs are leaky.
9 In this work Formal model for zero-knowledge universal dynamic accumulators. Efficient construction for zero-knowledge accumulators. Efficient construction for : 1. is-subset 2. difference 3. union 4. intersection
10 Our Model OWNER SERVER state σ Upd query answer, proof θ CLIENTS
11 Soundness Challenger Adversary pk Setup Repeat λ times { Set X0 Digests σ0, θ0 Update Ui σi+1, Updi j,query*, answer*, proof* Figure: Probability that Verify accepts but answer is not correct wrt query on X j is negligible
12 Zero-Knowledge Challenger pk Adversary Simulator pk Client σ0 query {answer,proof { Ui σi+1 Set X0 Guess { Client σ0 query answer,proof { σi+1 Notify Update Figure: Probability that Adversary guesses correctly if it is talking to a challenger or a simulator is negligible
13 Zero Knowledge Accumulator
14 Query X = {x 1,..., x N } = set of elements Client Query: Is element x X? Server Response: answer = 1 indication yes and answer = 0 indicating no + proof
15 Set Representation A set X = {x 1,..., x N } represented using its characteristic polynomial Ch X [z] = N i=1 (z + x i) Bilinear Map: λ N is the security parameter of the scheme G, G 1 multiplicative cyclic groups of prime order p p is a large k-bit prime g is a random generator of G e : G G G 1 is computable bilinear nondegenerate map e(g a, g b ) = e(g, g) ab.
16 Keygen and Setup (Owner) (sk, pk) KeyGen(1 λ ) Generate bilinear parameters pub = (p, G, G 1, e, g). O(poly(λ)) Choose s $ Z p. Set sk = s and pk = (g s, pub). (σ 0, θ 0, state 0 ) Setup(sk, X 0 ) Choose r $ Z p. Set σ 0 = g r Ch X (s).o(n) Set θ 0 = (g, g s, g s2,..., g sn, r). O(N) Set state 0 = X.
17 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N)
18 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x if query = x / X : = g r Ch X (s) (s+x). O(N log N)
19 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N)
20 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p
21 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x)
22 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x) 4. Set q 2 [z] = q 2[z] γ Ch X [z].
23 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x) 4. Set q 2 [z] = q 2[z] γ Ch X [z]. 5. Set W 1 := g q 1 (s)r 1, W 2 = g q 2 (s).
24 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x) 4. Set q 2 [z] = q 2[z] γ Ch X [z]. 5. Set W 1 := g q 1 (s)r 1, W 2 = g q 2 (s). 6. Set proof := (W 1, W 2 ) and answer = 0.
25 Verification (Client) (accept/reject) Verify(pk, σ j, query, answer, proof) Let query = x. If answer = 1, return accept if e(σ j, g) = e(proof, g x pk). O(1) if answer = 0, return accept if e(w 1, σ j )e(w 2, g x pk) = e(g, g). O(1) Return reject otherwise.
26 Update (X i+1, σ i+1, upd i, state i+1 ) Update(sk, state i, σ i, θ i, X i, u i ) Owner: Choose r $ Z p. If x is to be inserted: 1. Compute σ i+1 = σ (s+x)r i. O(1) If x is to be deleted: 1. Compute σ i+1 = σ r s+x.o(1) Set upd i = (r ) and state i+1 = X i+1. Server: i Store the inserted/deleted element and upd i = (r ).O(1)
27 Privacy comes almost for free [Nguyen05 No Privacy] This work Setup NMUL NMUL Update 1MUL 2MUL Witness (Member) NMUL + (N 1)ADD NMUL + (N 1)ADD Witness (Non-Member) NMUL + (N 1)ADD (N + 1)MUL + (N 1)ADD Verify (Member) 1(MUL + ADD + PAIR) 1(MUL + ADD + PAIR) Verify (Non-Member) 2(MUL + ADD + PAIR) 1(MUL + ADD + ADD 1 ) + 2PAIR Witness Update (Member) 1(MUL + ADD) 2MUL + 1ADD Witness Update (Non-Member) 2MUL + 1ADD (N + 1)MUL + (N 1)ADD Figure: ADD = point addition MUL = scalar multiplication in the elliptic curve group G, ADD 1 = point addition in G 1 and PAIR a pairing computation, whereas N is the size of the set.
28 Set Algebra : Union
29 Query {X 1,..., X m } = set collection Client Query: Return union of sets 2, 5, 9 Server Response: answer = X 2 X 5 X 9 + proof Let X 2 = {a, b, d}, X 5 = {d, f }, X 9 = {a, c} answer = {a, c, b, d, f }
30 Completeness Conditions Superset condition: X 2 answer X 5 answer X 9 answer. Technique: Generalization of set membership. Membership condition: answer Ũ where Ũ = X 2 X 5 X 9.
31 Proving membership Multiset union: Ũ = {a, a, c, c, b, d, d, f } 1. Compute σũ g (r 2r 5 r 9 )ChŨ(s) = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f )
32 Proving membership Multiset union: Ũ = {a, a, c, c, b, d, d, f } 1. Compute σũ g (r 2r 5 r 9 )ChŨ(s) = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) 2. Prove σũ is correctly computed
33 Proving membership Multiset union: Ũ = {a, a, c, c, b, d, d, f } 1. Compute σũ g (r 2r 5 r 9 )ChŨ(s) = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) 2. Prove σũ is correctly computed 3. Prove answer Ũ using σũ
34 Step 2: Server σũ = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) σ 2,5 = g r 2r 5 (s+a)(s+b)(s+d) 2 (s+f ) σ 9 = g r 9(s+a)(s+c) σ 2 = g r 2(s+a)(s+b)(s+d) σ 5 = g r 5(s+d)(s+f )
35 Step 2: Server σũ = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) σ 2,5 = g r 2r 5 (s+a)(s+b)(s+d) 2 (s+f ) σ 9 = g r 9(s+a)(s+c) σ 2 = g r 2(s+a)(s+b)(s+d) σ 5 = g r 5(s+d)(s+f )
36 Step 2: Client e(σ 2,5, σ 9 )? = e(σũ, g) e(σ 2, σ 5 )? = e(σ 2,5, g) σ 9 σ 2 σ 5
37 Step 3 r Server: W (answer, Ũ) g 2 r 5 r 9 ChŨ (s) Chanswer(s) = g r 2r 5 r 9 (s+a)(s+d) Client: e(w (answer, Ũ), g Chanswer(s) )? = e(σũ, g)
38 More in the paper: 1. Relation of Zero Knowledge Accumulator with the existing primitives (ZKS, PSR, Trapdoorless Acc). 2. Formal proof that Zero knowledge is stronger than indistinguishably notion [MLPP12, DHS15] of privacy. 3. First efficient construction for zero-knowledge verifiable set algebra queries (Is-subset, Intersection, Union, Difference) with no additional cost over the state-of-the art non-private construction [PTT11].
39 Thank you!
Primary-Secondary-Resolvers Membership Proof Systems and their Applications to DNSSEC
Primary-Secondary-Resolvers Membership Proof Systems and their Applications to DNSSEC Weizmann Institute Sharon Goldberg, Moni Naor, Dimitris Papadopoulos, Leonid Reyzin, Sachin Vasant, Asaf Ziv The (non)
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationVerification of Web-Content Searching Through Authenticated Web Crawler
Verification of Web-Content Searching Through Authenticated Web Crawler Project Report Duy Nguyen Department of Computer Science Brown University Abstract In this project, we study the security properties
More informationNSEC5: Provably Preventing DNSSEC Zone Enumeration
NSEC5: Provably Preventing DNSSEC Zone Enumeration Sharon Goldberg, Moni Naor, Dimitrios Papadopoulos, Leonid Reyzin, Sachin Vasant and Asaf Ziv Boston University, Department of Computer Science Email:
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig, IAIK,
More informationVerifiable Order Queries and Order Statistics on a List in Zero-Knowledge
Verifiable Order Queries and Order Statistics on a List in Zero-Knowledge Esha Ghosh 1, Olga Ohrimenko 2 and Roberto Tamassia 1 1 Department of Computer Science, Brown University 2 Microsoft Research Abstract
More informationKey Escrow free Identity-based Cryptosystem
Key Escrow free Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university, located in capital of Gujarat state in India. DA-IICT offers undergraduate and postgraduate
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationOn the Security of a Lightweight Cloud Data Auditing Scheme
On the Security of a Lightweight Cloud Data Auditing Scheme Reyhaneh Rabaninead a, Maryam Raabzadeh Asaar b, Mahmoud Ahmadian Attari a, Mohammad Reza Aref c a Department of Electrical Engineering, K. N.
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationVerifiable Set Operations over Outsourced Databases
Verifiable Set Operations over Outsourced Databases Ran Canetti 1,2, Omer Paneth 1, Dimitrios Papadopoulos 1, and Nikos Triandopoulos 3,1 1 Dept. of Computer Science, Boston University, USA 2 Dept. of
More informationIntegrity and Privacy in the Cloud: Efficient algorithms for secure and privacy-preserving processing of outsourced data.
Abstract of Integrity and Privacy in the Cloud: Efficient algorithms for secure and privacy-preserving processing of outsourced data by Esha Ghosh, Ph.D., Brown University, May 2018. An integral component
More informationFORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013
FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES Essam Ghadafi ghadafi@cs.bris.ac.uk University of Bristol ACISP 2013 FORMALIZING GROUP BLIND SIGNATURES... OUTLINE
More informationOutsourcing Graph Databases with Label-Constrain Query Verification
Outsourcing Graph Databases with Label-Constrain Query Verification Kalikinkar Mandal Department of Electrical Engineering University of Washington Seattle, USA 98195 Basel Alomair King Abdulaziz City
More informationVerifying Server Computation
Verifying Server Computation Lea Kissner 1 and Dawn Song 1 Carnegie Mellon University leak@cs.cmu.edu, dawnsong@cmu.edu Abstract. In many scenarios, clients receive the results of computation which has
More informationReal-World Performance of Cryptographic Accumulators
Real-World Performance of Cryptographic Accumulators Edward Tremel Spring 2013 Abstract Cryptographic accumulators have often been proposed for use in security protocols, and the theoretical runtimes of
More informationCryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies
Intro to Cryptographic Hash Functions Hash Pointers and Data Structures Block Chains Merkle Trees Digital Signatures Public Keys and Identities Let s design us some Digital Cash! Intro to Cryptographic
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationUniversal designated multi verifier signature schemes
University of Wollongong esearch Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2005 Universal designated multi verifier signature schemes Ching Yu Ng
More informationOblivious Signature-Based Envelope
Oblivious Signature-Based Envelope Ninghui Li Department of Computer Sciences and CERIAS Purdue University 656 Oval Dr, West Lafayette, IN 47907-2086 ninghui@cs.purdue.edu Wenliang Du Department of Electrical
More informationVerifiably Encrypted Signature Scheme with Threshold Adjudication
Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,
More informationDelegatable Functional Signatures
Delegatable Functional Signatures Michael Backes MPI-SWS Saarland University Germany Sebastian Meiser Saarland University Germany October 10, 2013 Dominique Schröder Saarland University Germany Abstract
More informationRelaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationOn the Security of a Certificateless Public-Key Encryption
On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,
More informationSecure digital certificates with a blockchain protocol
Secure digital certificates with a blockchain protocol Federico Pintore 1 Trento, 10 th February 2017 1 University of Trento Federico Pintore Blockchain and innovative applications Trento, 10 th February
More informationGroup Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings
International Journal of Network Security, Vol.5, No.3, PP.283 287, Nov. 2007 283 Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings Rongxing Lu and Zhenfu Cao (Corresponding
More informationCryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland
Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationarxiv: v1 [cs.cr] 17 Apr 2017
Certificate Transparency with Enhancements and Short Proofs Abhishek Singh 1, Binanda Sengupta 2, and Sushmita Ruj 2 1 IBM Research Laboratory, New Delhi, India absingh0@in.ibm.com 2 Indian Statistical
More informationCompact and Anonymous Role-Based Authorization Chain
Compact and Anonymous Role-Based Authorization Chain DANFENG YAO Computer Science Department Brown University Providence, RI 02912 dyao@cs.brown.edu and ROBERTO TAMASSIA Computer Science Department Brown
More informationEfficient Content Authentication in Peer-to-peer Networks
Efficient Content Authentication in Peer-to-peer Networks Extended Abstract Roberto Tamassia 1 and Nikos Triandopoulos 2 1 Department of Computer Science, Brown University 2 Institute for Security Technology
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationEnhanced Privacy ID from Bilinear Pairing
Enhanced Privacy ID from Bilinear Pairing Ernie Brickell Intel Corporation ernie.brickell@intel.com Jiangtao Li Intel Corporation jiangtao.li@intel.com Abstract Enhanced Privacy ID (EPID) is a cryptographic
More informationA Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity
A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity Shin-Jia Hwang Department of Computer Science and Information Engineering,Tamkang University, Tamsui, Taipei Hsien,
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationApplication to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationAdvances in Securely Outsourcing Computation
Advances in Securely Outsourcing Computation Xiaofeng Chen December, 2017 Agenda Cloud Computing Verifiable Computation Secure Outsourcing of Scientific Computations Secure Outsourcing of Cryptographic
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationAnonymous Signature Schemes
Anonymous Signature Schemes Guomin Yang 1, Duncan S. Wong 1, Xiaotie Deng 1, and Huaxiong Wang 2 1 Department of Computer Science City University of Hong Kong Hong Kong, China {csyanggm,duncan,deng}@cs.cityu.edu.hk
More informationVerifiable Dynamic Symmetric Searchable Encryption Optimality and Forward Security
Verifiable Dynamic Symmetric Searchable Encryption Optimality and Forward Security Raphaël Bost raphael_bost@alumni.brown.edu David Pointcheval david.pointcheval@ens.fr Pierre-Alain Fouque pierre-alain.fouque@ens.fr
More informationCryptography V: Digital Signatures
Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011 Outline Basics Constructing signature schemes Security of
More informationIndistinguishable Proofs of Work or Knowledge
Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationDatabase Outsourcing with Hierarchical Authenticated Data Structures
Database Outsourcing with Hierarchical Authenticated Data Structures Mohammad Etemad and Alptekin Küpçü Koç University, İstanbul, Turkey {metemad, akupcu}@ku.edu.tr Abstract. In an outsourced database
More informationThe Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes
The Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes S. Sree Vivek, S. Sharmila Deva Selvi, C. Pandu Rangan Theoretical Computer Science Lab, Department of Computer Science and Engineering,
More informationElliptic Curve Cryptography (ECC) Elliptic Curve Cryptography. Elliptic Curves. Elliptic Curve Cryptography (ECC) Elliptic curve
Elliptic Curve Cryptography Gerardo Pelosi Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB) Politecnico di Milano gerardo.pelosi - at - polimi.it ECC was introduced by Victor Miller and
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationVERIFIABLE SYMMETRIC SEARCHABLE ENCRYPTION
VERIFIABLE SYMMETRIC SEARCHABLE ENCRYPTION DATE 09/03/2016 SÉMINAIRE EMSEC - RAPHAEL BOST Searchable Encryption Outsource data securely keep search functionalities Generic Solutions We can use generic
More informationShare-Deterring Public Key Cryptography
Share-Deterring Public Key Cryptography Aggelos Kiayias 1 and Qiang Tang 2 1 National and Kapodistrian University of Athens aggelos@di.uoa.gr 2 Cornell University qt44@cornell.edu Abstract. How is it possible
More informationA Novel Identity-based Group Signature Scheme from Bilinear Maps
MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationInformation Security
SE 4472b Information Security Week 2-2 Some Formal Security Notions Aleksander Essex Fall 2015 Formalizing Security As we saw, classical ciphers leak information: Caeser/Vigenere leaks letter frequency
More informationDecentralized Blacklistable Anonymous Credentials with Reputation
Decentralized Blacklistable Anonymous Credentials with Reputation Rupeng Yang 1,2, Man Ho Au 2, Qiuliang Xu 1, and Zuoxia Yu 2 1 School of Computer Science and Technology, Shandong University, Jinan, 250101,
More informationVerification of Security Protocols
Verification of Security Protocols Chapter 12: The JFK Protocol and an Analysis in Applied Pi Christian Haack June 16, 2008 Exam When? Monday, 30/06, 14:00. Where? TUE, Matrix 1.44. Scheduled for 3 hours,
More informationPublicly Verifiable Secret Sharing for Cloud-based Key Management
Publicly Verifiable Secret Sharing for Cloud-based Key Management Roy D Souza, David Jao, Ilya Mironov and Omkant Pandey Microsoft Corporation and University of Waterloo December 13, 2011 Overview Motivation:
More informationSecure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity
Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity Ayman Jarrous 1 and Benny Pinkas 2,* 1 University of Haifa, Israel. 2 Bar Ilan University,
More informationMulti-Theorem Preprocessing NIZKs from Lattices
Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationVerifiable Order Queries on a List in Zero-Knowledge
Verifiable Order Queries on a List in Zero-Knowledge Esha Ghosh Brown University Joint work with: Olga Ohrimenko, Microsoft Research Roberto Tamassia, Brown University January 13, 2015 Overview Motivation
More informationEnforcing Role-Based Access Control for Secure Data Storage in the Cloud
The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication
More informationCRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History
More informationStrong Privacy for RFID Systems from Plaintext-Aware Encryption
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong
More informationA Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.
More informationZero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)
Zero Knowledge Protocols c Eli Biham - May 3, 2005 442 Zero Knowledge Protocols (16) A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms.
More informationCryptography V: Digital Signatures
Cryptography V: Digital Signatures Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 19th February 2009 Outline Basics Constructing signature schemes Security of
More informationZero Knowledge Protocol
Akash Patel (SJSU) Zero Knowledge Protocol Zero knowledge proof or protocol is method in which a party A can prove that given statement X is certainly true to party B without revealing any additional information
More informationPanda: Public Auditing for Shared Data with Efficient User Revocation in the Cloud
IEEE TRANSACTIONS ON SERVICE COMPUTING NO:99 VOL:PP YEAR 2014 Panda: Public Auditing for Shared Data with Efficient User Revocation in the Cloud Boyang Wang, Baochun Li, Member, IEEE, and Hui Li, Member,
More informationIdentity-based remote data integrity checking with perfect data privacy preserving for cloud storage
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2017 Identity-based remote data integrity checking
More informationREMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM
REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM Zhaohui Cheng, Richard Comley Luminita Vasiu School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom
More informationThe need for secure cloud computing and cloud storage systems
1 A Generic Construction for Verifiable Attribute-based Keyword Search Schemes Mohammmad Hassan Ameri, Maryam Raabzadeh Assar, Javad Mohaeri, Mahmoud Salmasizadeh Abstract Cloud data owners encrypt their
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationDeniable Unique Group Authentication CS380S Project Report
Deniable Unique Group Authentication CS380S Project Report Matteo Pontecorvi, Subhashini Venugopalan Abstract Deniable unique authentication is desirable in a number of scenarios. Electronic voting would
More informationSecurity Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13
Security Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13 Payal Chaudhari, Manik Lal Das, Anish Mathuria DA-IICT, Gandhinagar, India {payal chaudhari, maniklal das, anish mathuria}@daiict.ac.in
More informationI certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?
RRSIG: I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist? NSEC: I certify that there are no DNS records (of type X) whose record
More informationTimed-Release Certificateless Encryption
Timed-Release Certificateless Encryption Toru Oshikiri Graduate School of Engineering Tokyo Denki University Tokyo, Japan Taiichi Saito Tokyo Denki University Tokyo, Japan Abstract Timed-Release Encryption(TRE)
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationCross-Unlinkable Hierarchical Group Signatures
Cross-Unlinkable Hierarchical Group Signatures Julien Bringer 1, Hervé Chabanne 12, and Alain Patey 12 1 Morpho 2 Télécom ParisTech Identity & Security Alliance (The Morpho and Télécom ParisTech Research
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationAttribute-based encryption with encryption and decryption outsourcing
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Attribute-based encryption with encryption and decryption outsourcing
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationHierarchical Attribute-based Signatures
Hierarchical Attribute-based Signatures Constantin-Cǎtǎlin Drǎgan, Daniel Gardham and Mark Manulis Surrey Centre for Cyber Security, University of Surrey, UK c.dragan@surrey.ac.uk, d.gardham@surrey.ac.uk,
More informationOn the Revocation of U-Prove Tokens
On the Revocation of U-Prove Tokens Christian Paquin, Microsoft Research September nd 04 U-Prove tokens provide many security and privacy benefits over conventional credential technologies such as X.509
More informationFine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing
wwwijcsiorg 10 Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing Yinghui Zhang 12 1 National Engineering Laboratory for Wireless Security Xi'an University of Posts and Telecommunications
More informationALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability
More information1 Dynamic Provable Data Possession
1 Dynamic Provable Data Possession C. Chris Erway 1, AppNeta, Inc. Alptekin Küpçü 1, Koç University Charalampos Papamanthou 1, ECE and UMIACS, University of Maryland Roberto Tamassia, Brown University
More informationTrust negotiation with trust parameters
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2006 Trust negotiation with trust parameters Fuchun Guo Fujian Normal
More informationElliptic Curve Cryptography (ECC) Elliptic Curve Cryptography. Elliptic Curves. Elliptic Curve Cryptography (ECC) Elliptic curve
Elliptic Curve Cryptography Gerardo Pelosi Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB) Politecnico di Milano gerardo.pelosi - at - polimi.it ECC was introduced by Victor Miller and
More informationOn the Security of Group-based Proxy Re-encryption Scheme
On the Security of Group-based Proxy Re-encryption Scheme Purushothama B R 1, B B Amberker Department of Computer Science and Engineering National Institute of Technology Warangal Warangal, Andhra Pradesh-506004,
More informationTrust-Preserving Set Operations
Trust-Preserving Set Operations Ruggero Morselli Bobby Bhattacharjee Jonathan Katz Pete Keleher Department of Computer Science, University of Maryland, College Park, Maryland, USA {ruggero, bobby, jkatz,
More informationSecurity Analysis of Batch Verification on Identity-based Signature Schemes
Proceedings of the 11th WSEAS International Conference on COMPUTERS, Agios Nikolaos, Crete Island, Greece, July 26-28, 2007 50 Security Analysis of Batch Verification on Identity-based Signature Schemes
More informationSecure Multiparty Computation
Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationAn Exploration of Group and Ring Signatures
An Exploration of Group and Ring Signatures Sarah Meiklejohn February 4, 2011 Abstract Group signatures are a modern cryptographic primitive that allow a member of a specific group (e.g., the White House
More information