l20 nov zero-knowledge proofs
|
|
- Kristopher Gilmore
- 5 years ago
- Views:
Transcription
1 l0 nov 00 zero-knowledge proofs
2 what properties should an interactive proof system have?
3 Alice Bob if c= o.w.
4 quadratic equations prove that equation has a solution without revealing the solution! Alice Bob t c s check
5 completeness if a statement is true, then the prover should always be able to convince the verifier that it is so. what does it mean to be true? language is a set of strings x is true relative to if
6 completeness for a language L, and for all interaction with V accepting the proof
7 completeness for a language L, and for all Pr[ ] interaction with V accepting the proof
8 completeness for a language L, and for all Pr[ ] interaction with V accepting the proof
9 completeness for a language L, and for all Pr[ ] interaction with V accepting the proof
10 soundness if a statement is false, then the prover should never be able to convince the verifier that it is so.
11 soundness if a statement is false, then the prover should never be able to convince the verifier that it is so. for a language L, and for all
12 soundness if a statement is false, then the prover should never be able to convince the verifier that it is so. for a language L, and for all Pr[ ] where is a negligible function
13 Alice Bob
14 Alice Bob check
15 Alice Bob check if yes, send it is true
16 Alice Bob check if yes, send if no, send it is true it is not true
17 Alice Bob check if yes, send if no, send it is true it is not true ok.
18 Alice Bob check if yes, send if no, send it is true it is not true ok. for a language L, and for all Pr[ ] where is a negligible function
19 soundness if a statement is false, then no prover should ever be able to convince the verifier that it is so. for a language L, and for all Pr[ ] where is a negligible function
20 interactive protocols are powerful
21 can you prove that this equation has no solutions:
22 prove this equation has no solutions Alice Bob t if t is a square if not send s=0 send s= accept if s=b
23 prove this equation has no solutions if there are no solutions, then challenges are b= b=0
24 prove this equation has no solutions if there are solutions, then challenges are b= b=0 prover is caught / time
25 prove this equation has no solutions Alice Bob t if t is a square if not send s= send s=0 accept if s=b but is the protocol zero-knowledge?
26 zero-knowledge after seeing a zero-knowledge proof, a verifier should be unable to accomplish any new tasks.
27 verifier s view by interacting with the prover, the verifier was convinced the statement was true but the proof itself... verifier could have generated them himself!
28 verifier s view how to generate a transcript of a proof: first pick c then pick then set output
29 zero-knowledge after seeing a zero-knowledge proof, a verifier should be unable to accomplish any new tasks. there exists a p.p.t. machine S s.t. for all honest verifier zero-knowledge
30 is honest-v zk ok? Alice Bob if c= if c= otherwise
31 zero-knowledge after seeing a zero-knowledge proof, a verifier should be unable to accomplish any new tasks. for all verifiers V* there exists a p.p.t. machine S O s.t. for all
32 prove this equation has no solutions Alice Bob t if t is a square if not send s= send s=0 accept if s=b so is this protocol zero-knowledge?
33 prove this equation has no solutions Alice Bob t if t is a square if not send s= send s=0 accept if s=b so is this protocol zero-knowledge? NO. but can be fixed in two ways...
34 graph iso quadratic equations lets build a zk proof for more general problems.
35 -coloring of a graph np-complete
36 -coloring of a graph np-complete
37 zk-proof of -colorability lice Bob
38 zk-proof of -colorability lice Bob
39 zk-proof of -colorability lice Bob pick a color perm
40 zk-proof of -colorability lice Bob pick a color perm color the graph with new perm
41 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes
42 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes
43 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes pick a random edge
44 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes reveals chosen edge pick a random edge
45 zk-proof of -colorability lice Bob pick a color perm color the graph place cups over nodes reveals chosen edge pick a random edge check colors
46 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge completeness?
47 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness?
48 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness?
49 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness? repeat m times
50 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness? repeat m times
51 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge soundness? repeat m times
52 zk-proof of -colorability lice Bob pick a color perm color the graph pick a random edge place cups over nodes check colors reveals chosen edge zero-knowledge?
53 simulator for -col Bob* S(G)
54 simulator for -col Bob* S(G)
55 simulator for -col Bob* S(G) color a random edge e
56 simulator for -col Bob* S(G) color a random edge e place cups over nodes
57 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c
58 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e
59 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat
60 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat succeeds with pr
61 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat succeeds with pr
62 simulator for -col Bob* S(G) color a random edge e place cups over nodes ask bob for challenge c success if c=e else repeat succeeds with pr expected # iterations: m
63 sudoko puzzle before i start, can you prove that it has a solution?
64 sudoko puzzle before i start, can you prove that it has a solution? YES. sudoko is in NP!
65 sudoko puzzle before i start, can you prove that it has a solution? YES. sudoko is in NP! YES. there is even an efficient way.
66 sudoko puzzle 9 9 9
67 sudoko puzzle
68 sudoko puzzle
69 sudoko puzzle
70 sudoko puzzle
71 sudoko puzzle
72 sudoko puzzle shuffle
73 sudoko puzzle check each pile has all 9
74 sudoko puzzle do the same for the rows and each sub-square
75 how to make this protocol internet-ready? what function did the cups play? (binding) (hiding) prover could not change color verifier could not see color
76 commitment schemes Sender Receiver sender commits to a bit sender cannot change her mind receiver cannot learn the bit sender can open commitment
77 commitment schemes two protocols: commit() open() Sender c Receiver open Sender b,s Receiver
Lecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationLecture 5: Zero Knowledge for all of NP
600.641 Special Topics in Theoretical Cryptography February 5, 2007 Lecture 5: Zero Knowledge for all of NP Instructor: Susan Hohenberger Scribe: Lori Kraus 1 Administrative The first problem set goes
More informationZero Knowledge Protocol
Akash Patel (SJSU) Zero Knowledge Protocol Zero knowledge proof or protocol is method in which a party A can prove that given statement X is certainly true to party B without revealing any additional information
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationA Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.
More informationZero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)
Zero Knowledge Protocols c Eli Biham - May 3, 2005 442 Zero Knowledge Protocols (16) A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms.
More informationComputer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1
Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs 1 Readings for This Lecture Optional: Haveli and Micali: Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing
More informationLecture 6: ZK Continued and Proofs of Knowledge
600.641 Special Topics in Theoretical Cryptography 02/06/06 Lecture 6: ZK Continued and Proofs of Knowledge Instructor: Susan Hohenberger Scribe: Kevin Snow 1 Review / Clarification At the end of last
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationIndistinguishable Proofs of Work or Knowledge
Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK
More informationZero-Knowledge Proofs of Knowledge
Zero-Knowledge Proofs of Knowledge Stéphanie Delaune September 6, 2013 Stéphanie Delaune () Proofs of Knowledge September 6, 2013 1 / 16 Proofs of knowledge Proof of knowledge are often used to prove one
More informationZero-Knowledge Proofs. Zero-Knowledge Proofs. Slides from a Talk by Eric Postpischil
Slides from a Talk by Eric Postpischil Goals Alice wants to prove to Bob that she knows an identifying number X. Bob should not be able to figure out X. Dave observes all communications between Alice and
More informationENEE 459-C Computer Security. Security protocols
ENEE 459-C Computer Security Security protocols Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public.
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationENEE 459-C Computer Security. Security protocols (continued)
ENEE 459-C Computer Security Security protocols (continued) Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p
More informationLecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak December 8, 2005 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Identification (User Authentication) Fiat-Shamir Scheme Lecture 12 Tel-Aviv University 4 January 2010 Model and Major Issues Alice wishes to prove to Bob
More informationCPSC 467b: Cryptography and Computer Security
Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19
More informationHomework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08
Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08 1. Signatures and Attacks Recall that to use the ElGamal signature scheme, Alice randomly selects her private signing key x
More informationZero-Knowledge Proofs
Zero-Knowledge Proofs Yevgeniy Dodis New York University Special thanks: Salil Vadhan Zero-Knowledge Proofs [GMR85] Interactive proofs that reveal nothing other than the validity of assertion being proven
More informationDawn Song
1 Secret-Sharing & Zero-knowledge Proof Dawn Song dawnsong@cs.berkeley.edu Review DH key exchange protocol Password authentication protocol Random number generation 2 Lessons Learned Seeds must be unpredictable
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More informationZero-Knowledge Proof and Authentication Protocols
Zero-Knowledge Proof and Authentication Protocols Ben Lipton April 26, 2016 Outline Background Zero-Knowledge Proofs Zero-Knowledge Authentication History Example Protocols Guillou-Quisquater Non-zero-knowledge
More informationE-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)
Cryptography E-cash Professor: Marius Zimand e-cash Benefits of cash: anonymous difficult to copy divisible (you can get change) easily transferable There are several protocols for e-cash. We will discuss
More informationCS154, Lecture 18: PCPs, Hardness of Approximation, Approximation-Preserving Reductions, Interactive Proofs, Zero-Knowledge, Cold Fusion, Peace in
CS154, Lecture 18: PCPs, Hardness of Approximation, Approximation-Preserving Reductions, Interactive Proofs, Zero-Knowledge, Cold Fusion, Peace in the Middle East There are thousands of NP-complete problems
More informationSecure Multi-Party Computation. Lecture 13
Secure Multi-Party Computation Lecture 13 Must We Trust? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data
More informationLecture 9: Zero-Knowledge Proofs
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 9: Zero-Knowledge Proofs Lecturer: Kurt Mehlhorn & He Sun A zero-knowledge proof is an interactive protocol (game) between two parties, a
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationCSE200: Computability and complexity Interactive proofs
CSE200: Computability and complexity Interactive proofs Shachar Lovett January 29, 2018 1 What are interactive proofs Think of a prover trying to convince a verifer that a statement is correct. For example,
More informationLecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak November 29, 2007 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationOne-Shot Verifiable Encryption from Lattices. Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge
More informationCS549: Cryptography and Network Security
CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1 Notice This lecture note (Cryptography and Network Security) is prepared
More informationHomomorphic encryption (whiteboard)
Crypto Tutorial Homomorphic encryption Proofs of retrievability/possession Attribute based encryption Hidden vector encryption, predicate encryption Identity based encryption Zero knowledge proofs, proofs
More informationCryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies
Intro to Cryptographic Hash Functions Hash Pointers and Data Structures Block Chains Merkle Trees Digital Signatures Public Keys and Identities Let s design us some Digital Cash! Intro to Cryptographic
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationSolution to Problem Set 8
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #24 Felipe Saint-Jean and Michael Fischer December 13, 2005 Solution to Problem Set 8 In the problems
More informationMultiparty Computation (MPC) protocols
Multiparty Computation (MPC) protocols Protocols where the users of the protocol don t trust each other, but nevertheless they want to achieve a common goal I don t trust Bob I don t trust Alice Alice
More informationAn efficient implementation of Monero subaddresses. 1 Introduction. Sarang Noether and Brandon Goodell Monero Research Lab October 3, 2017
RESEARCH BULLETIN MRL-0006 An efficient implementation of Monero subaddresses Sarang Noether and Brandon Goodell Monero Research Lab October 3, 2017 Abstract Users of the Monero cryptocurrency who wish
More informationMTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Entity Authentication Sven Laur University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie?
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationMulti-Theorem Preprocessing NIZKs from Lattices
Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems
More informationOn Deniability in the Common Reference String and Random Oracle Model
On Deniability in the Common Reference String and Random Oracle Model Rafael Pass Department of Numerical Analysis and Computer Science Royal Institute of Technology, Stockholm, Sweden rafael@nada.kth.se
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationComputer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut
Computer Security Spring 2008 Hashes & Macs Aggelos Kiayias University of Connecticut What is a hash function? A way to produce the fingerprint of a file what are the required properties: 1. Efficiency.
More informationUniversally Composable Multiparty Computation with Partially Isolated Parties
Universally Composable Multiparty Computation with Partially Isolated Parties Ivan Damgård 1, Jesper Buus Nielsen 1 and Daniel Wichs 2 1 University of Aarhus, Denmark 2 New York University, USA Abstract.
More informationCOIN FLIPPING BY TELEPHONE
COIN FLIPPING BY TELEPHONE A protocol for solving impossible problems Based on Manuel Blum's Paper from 1981 Proved useful for: - Mental poker - Certified Mail - Exchange of Secrets Table of Contents Application
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationPhysical Zero-Knowledge Proofs of Physical Properties
Physical Zero-Knowledge Proofs of Physical Properties Ben Fisch Joint work with: Moni Naor and Daniel Freund TCC Rump Session, February 2014 x w Typical Zero-Knowledge Scenario Alice and Bob receive input
More informationComputational Soundness of Symbolic Zero Knowledge Proofs
Computational Soundness of Symbolic Zero Knowledge Proofs Esfandiar Mohammadi Master Seminar Information Security and Cryptography Group Max-Planck Institute for Software Systems Saarland University Advisors:
More informationPublicly-verifiable proof of storage: a modular construction. Federico Giacon
Publicly-verifiable proof of storage: a modular construction Federico Giacon Ruhr-Universita t Bochum federico.giacon@rub.de 6th BunnyTN, Trent 17 December 2015 Proof of Storage Proof of Storage (PoS)
More informationZERO KNOWLEDGE PROOFS FOR EXACT COVER AND 0-1 KNAPSACK
Proceedings of the 6th Annual ISC Graduate Research Symposium ISC-GRS 01 April 13, 01, Rolla, Missouri ZERO KNOWLEDGE PROOFS FOR EXACT COVER AND 0-1 KNAPSACK ABSTRACT Zero Knowledge Proofs (ZKPs) are interactive
More informationYuval Ishai Technion
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Yuval Ishai Technion 1 Zero-knowledge proofs for NP [GMR85,GMW86] Bar-Ilan University Computational MPC with no honest
More informationAn abuse-free fair contract-signing protocol based on the RSA signature
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2010 An abuse-free fair contract-signing protocol based on the RSA signature
More informationImplementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens
Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens Nico Döttling, Thilo Mie, Jörn Müller-Quade, and Tobias Nilges Karlsruhe Institute of Technology, Karlsruhe, Germany
More informationAn Overview of Active Security in Garbled Circuits
An Overview of Active Security in Garbled Circuits Author: Cesar Pereida Garcia Supervisor: Pille Pullonen Department of Mathematics and Computer Science. University of Tartu Tartu, Estonia. December 15,
More informationMATH 111 QUADRATICS WORKSHEET. Solution. We can put f(x) into vertex form by completing the square:
MATH 111 QUADRATICS WORKSHEET BLAKE FARMAN UNIVERSITY OF SOUTH CAROLINA Name: Let f(x) = 3x 2 + 6x + 9. Use this function to answer questions Problems 1-3. 1. Write f(x) in vertex form. Solution. We can
More informationNature Sunday Academy Lesson Plan
Title Computer Security Description: Nature Sunday Academy Lesson Plan 2013-14 The objective of the lesson plan aims to help students to understand the general goals of security, the essential concerns
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationFast Optimistically Fair Cut-and-Choose 2PC
Fast Optimistically Fair Cut-and-Choose 2PC Alptekin Küpçü Koç University, TURKEY akupcu@ku.edu.tr Payman Mohassel Yahoo Labs, USA pmohassel@yahoo-inc.com February 25, 2016 Abstract Secure two party computation
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationFall 2005 Joseph/Tygar/Vazirani/Wagner Final
CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Final PRINT your name:, (last) SIGN your name: (first) PRINT your Unix account name: PRINT your TA s name: You may consult any books, notes,
More informationLanguage-Based Security on Android (call for participation) Avik Chaudhuri
+ Language-Based Security on Android (call for participation) Avik Chaudhuri + What is Android? Open-source platform for mobile devices Designed to be a complete software stack Operating system Middleware
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationEfficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials
Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials Melissa Chase 1, Chaya Ganesh 2, and Payman Mohassel 3 1 Microsoft Research,
More informationTimed Commitments. (Extended Abstract) Dan Boneh 1 and Moni Naor 2
Timed Commitments (Extended Abstract) Dan Boneh 1 and Moni Naor 2 1 Stanford University, dabo@cs.stanford.edu 2 Weizmann institute, naor@wisdom.weizmann.ac.il Abstract. We introduce and construct timed
More informationLecture Notes 14 : Public-Key Infrastructure
6.857 Computer and Network Security October 24, 2002 Lecture Notes 14 : Public-Key Infrastructure Lecturer: Ron Rivest Scribe: Armour/Johann-Berkel/Owsley/Quealy [These notes come from Fall 2001. These
More informationConcurrent Zero Knowledge in Polylogarithmic Rounds. 2 Concurrent Composable Zero Knowledge: The Construction
6.876/18.426: Advanced Cryptography 28.4.2003. Lecture 19: Concurrent Zero Knowledge in Polylogarithmic Rounds Scribed by: Nenad Dedić 1 Introduction The subject of these notes is concurrent zero knowledge,
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More information6.842 Randomness and Computation September 25-27, Lecture 6 & 7. Definition 1 Interactive Proof Systems (IPS) [Goldwasser, Micali, Rackoff]
6.84 Randomness and Computation September 5-7, 017 Lecture 6 & 7 Lecturer: Ronitt Rubinfeld Scribe: Leo de Castro & Kritkorn Karntikoon 1 Interactive Proof Systems An interactive proof system is a protocol
More informationEXAM Computer Science 1 Part 1
Maastricht University Faculty of Humanities and Science Department of Knowledge Engineering EXAM Computer Science 1 Part 1 Block 1.1: Computer Science 1 Code: KEN1120 Examiner: Kurt Driessens Date: Januari
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il
More informationFinal report: Non-Interactive Zero Knowledge Protocol for Verifiable Computing
Final report: Non-Interactive Zero Knowledge Protocol for Verifiable Computing Part A abstract description of the project: In this project we implemented a zero knowledge protocol for verifiable computing.
More informationSecure Multi-party Computation
Secure Multi-party Computation What it is, and why you d care Manoj Prabhakaran University of Illinois, Urbana-Champaign SMC SMC SMC conceived more than 30 years back SMC SMC conceived more than 30 years
More informationActivity Guide - Public Key Cryptography
Unit 2 Lesson 19 Name(s) Period Date Activity Guide - Public Key Cryptography Introduction This activity is similar to the cups and beans encryption we did in a previous lesson. However, instead of using
More informationStep-out Ring Signatures
Marek Klonowski, Łukasz Krzywiecki, Mirosław Kutyłowski and Anna Lauks Institute of Mathematics and Computer Science Wrocław University of Technology MFCS 2008 25-29 August 2008, Toruń, Poland 1 2 Preliminaries
More informationSession Key Distribution
Session Key Distribution The TA shares secret keys with network users. The TA chooses session keys and distributes them in encrypted form upon request of network users. We will need to define appropriate
More informationLecture 7.1: Private-key Encryption. Lecture 7.1: Private-key Encryption
Private-key Encryption Alice and Bob share a secret s {0, 1} n Private-key Encryption Alice and Bob share a secret s {0, 1} n Encryption and Decryption algorithms are efficient Private-key Encryption Alice
More informationEntity Recognition for Sensor Network Motes (Extended Abstract)
Entity Recognition for Sensor Network Motes (Extended Abstract) Stefan Lucks 1, Erik Zenner 2, André Weimerskirch 3, Dirk Westhoff 4 1 Theoretische Informatik, University of Mannheim, Germany 2 Erik Zenner,
More informationAn Overview of Secure Multiparty Computation
An Overview of Secure Multiparty Computation T. E. Bjørstad The Selmer Center Department of Informatics University of Bergen Norway Prøveforelesning for PhD-graden 2010-02-11 Outline Background 1 Background
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Exchanging keys and public key encryption Public Key Encryption pk sk Public Key Encryption pk cß Enc(pk,m) sk m Public
More informationConstant-Round Concurrent Zero Knowledge in the Bounded Player Model
Constant-Round Concurrent Zero Knowledge in the Bounded Player Model Vipul Goyal 1, Abhishek Jain 2, Rafail Ostrovsky 3, Silas Richelson 4, and Ivan Visconti 5 1 Microsoft Research, INDIA, vipul@microsoft.com
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationCS 251: Bitcoin and Crypto Currencies Fall 2015
CS 251: Bitcoin and Crypto Currencies Fall 2015 Final Exam The exam is open book and open notes. You have 2 hours. Please answer all five questions. All questions are weighted equally. You may use course
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationCOMP1730/COMP6730 Programming for Scientists. Algorithm and problem complexity
COMP1730/COMP6730 Programming for Scientists Algorithm and problem complexity Algorithm complexity * The time (memory) consumed by an algorithm: - Counting elementary operations (not μs). - Expressed as
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationZero-Knowledge proof of knowledge transfer. Perm summer school on blockchain 2018
Zero-Knowledge proof of knowledge transfer Teleport Teleport was born in 2016 from the idea to bring the power of peer-to-peer traffic distribution technology like BitTorrent to the solution of traffic
More informationBlum-Blum-Shub cryptosystem and generator. Blum-Blum-Shub cryptosystem and generator
BBS encryption scheme A prime p is called a Blum prime if p mod 4 = 3. ALGORITHM Alice, the recipient, makes her BBS key as follows: BBS encryption scheme A prime p is called a Blum prime if p mod 4 =
More informationDefining Multi-Party Computation
2 Defining Multi-Party Computation In this chapter, we introduce notations and conventions we will use throughout, define some basic cryptographic primitives, and provide a security definition for multi-party
More informationSAS-Based Group Authentication and Key Agreement Protocols
SAS-Based Group Authentication and Key Agreement Protocols Sven Laur 1,2 and Sylvain Pasini 3 2 University of Tartu 1 Helsinki University of Technology 3 Ecole Polytechnique Fédérale de Lausanne User-aided
More informationExercise Set Decide whether each matrix below is an elementary matrix. (a) (b) (c) (d) Answer:
Understand the relationships between statements that are equivalent to the invertibility of a square matrix (Theorem 1.5.3). Use the inversion algorithm to find the inverse of an invertible matrix. Express
More informationResettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way
Resettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way Rafail Ostrovsky 1 and Alessandra Scafuro 2 Muthuramakrishnan Venkitasubramanian 3 1 UCLA, USA 2 Boston University and Northeastern
More informationfrom circuits to RAM programs in malicious-2pc
from circuits to RAM programs in malicious-2pc Abstract: Secure 2-party computation (2PC) is becoming practical in some domains However, most approaches are limited by the fact that the desired functionality
More information