Multi-Theorem Preprocessing NIZKs from Lattices
|
|
- Nancy Dawson
- 5 years ago
- Views:
Transcription
1 Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University
2 Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 NP language L 0,1 accept if x L prover verifier Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements
3 Soundness: x L, P Pr P, V x = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 NP language L 0,1 accept if x L prover verifier In an argument system, we relax soundness to only consider computationally-bounded (i.e., polynomial-time) provers P Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements
4 Zero-Knowledge Proofs for NP NP language L 0,1 [GMR85] P, V x c S(x) real distribution ideal distribution Zero-Knowledge: for all efficient verifiers V, there exists an efficient simulator S such that: x L P, V x c S(x)
5 Non-Interactive Zero-Knowledge (NIZK) Proofs NP language L 0,1 [BFM88] π c S(x) real distribution ideal distribution In the standard model, this is only achievable for languages L BPP
6 Which Assumptions give NIZKs for NP? σ σ π π prover Random Oracle Model [FS86, PS96] verifier prover verifier Common Reference String (CRS) Model Quadratic Residuosity [BFM88, DMP87, BDMP91] Trapdoor Permutations [FLS90, DDO+01, Gro10] Pairings [GOS06] Indistinguishability Obfuscation + OWFs [SW14]
7 Which Assumptions give NIZKs for NP? π Several major classes of assumptions missing: Discrete-log based assumptions (e.g., CDH, DDH) Lattice-based assumptions (e.g., SIS, LWE) prover Random Oracle Model [FS86, PS96] verifier Common Reference String (CRS) Model Quadratic Residuosity [BFM88, DMP87, BDMP91] Trapdoor Permutations [FLS90, DDO+01, Gro10] Pairings [GOS06] Indistinguishability Obfuscation + OWFs [SW14]
8 Which Assumptions give NIZKs for NP? π Several major classes of assumptions missing: Discrete-log based assumptions (e.g., CDH, DDH) Lattice-based assumptions (e.g., SIS, LWE) prover Random Oracle Model [FS86, PS96] verifier Common Reference String (CRS) Model Quadratic Residuosity [BFM88, DMP87, BDMP91] Trapdoor Permutations [FLS90, DDO+01, Gro10] Pairings [GOS06] Indistinguishability Obfuscation + OWFs [SW14]
9 NIZKs in the Preprocessing Model (Trusted) setup algorithm generates both proving key k P and a verification key k V [DMP88] k P k V prover π = Prove(k P, x, w) Prover algorithm takes proving key k P, NP statement x, and NP witness w verifier Verify(k V, x, π)
10 NIZKs in the Preprocessing Model [DMP88] k P k V π = Prove(k P, x, w) Simpler model than CRS model: Soundness holds assuming k V is hidden Zero-knowledge holds assuming k P is hidden If only k V is private (i.e., k P is public), then the NIZK is designated-verifier
11 NIZKs in the Preprocessing Model [DMP88] k P k V Preprocessing NIZKs One-Way Functions [DMP88, LS90, Dam92, IKOS09] Oblivious Transfer [KMO89] π = Prove(k P, x, w) Simpler model than CRS model: Soundness holds assuming k V is hidden Zero-knowledge holds assuming k P is hidden Designated-Verifier NIZKs Additively-homomorphic encryption [CD04, DFN06, CG15]
12 NIZKs in the Preprocessing Model [DMP88] k P k V Preprocessing NIZKs One-Way Functions [DMP88, LS90, Dam92, IKOS09] Oblivious Transfer [KMO89] π = Prove(k P, x, w) Designated-Verifier NIZKs Additively-homomorphic encryption [CD04, DFN06, CG15] Existing constructions only provide bounded-theorem soundness or bounded-theorem zero-knowledge
13 NIZKs in the Preprocessing Model [DMP88] Bounded-theorem soundness: Soundness holds in a setting where prover can see verifier s response on an a priori bounded number of queries verifier rejection problem Bounded-theorem zero-knowledge: Zero-knowledge holds in a setting where verifier can see proofs on an a priori bounded number of statements Preprocessing NIZKs One-Way Functions [DMP88, LS90, Dam92, IKOS09] Oblivious Transfer [KMO89] Designated-Verifier NIZKs Additively-homomorphic encryption [CD04, DFN06, CG15] Existing constructions only provide bounded-theorem soundness or bounded-theorem zero-knowledge
14 NIZKs in the Preprocessing Model [DMP88] Only known constructions of multi-theorem NIZKs in the preprocessing model are those in the CRS model Can we realize multi-theorem NIZKs in the preprocessing model from standard lattice assumptions? Hope: Preprocessing NIZKs is a stepping stone towards NIZKs from standard lattice assumptions
15 Our Results Can we realize multi-theorem NIZKs in the preprocessing model from standard lattice assumptions? First multi-theorem preprocessing NIZK from LWE (in fact, a designated-prover NIZK) Preprocessing step can be efficiently implemented using OT Several new MPC protocols from lattices: Succinct version of GMW compiler from lattices Two-round, succinct MPC from lattices in a reusable preprocessing model
16 Starting Point: Homomorphic Signatures [BF11, GVW15, ABC+15] ] x sk x σ x σ x is a signature on x with respect to a verification key vk x σ x public operation f(x) σf,f(x) σ f,f(x) is a signature on f(x) with respect to the function f and the verification key vk Homomorphic signatures enable computations on signed data
17 Starting Point: Homomorphic Signatures [BF11, GVW15, ABC+15] x σ x public operation f(x) σf,f(x) σ f,f(x) is a signature on f(x) with respect to the function f and the verification key vk ] (One-Time) Unforgeability: vk x sk σ x σ x Sign(sk, x) Adversary wins if σ f,y is a valid signature on y with respect to function f, but y f(x) y σ f,y Unforgeable if no efficient adversary can win
18 Starting Point: Homomorphic Signatures [BF11, GVW15, ABC+15] x σ x public operation f(x) σf,f(x) σ f,f(x) is a signature on f(x) with respect to the function f and the verification key vk ] Context-Hiding: x σ x sk f, f(x) Looks like a zeroknowledge property! f(x) σf,f(x) c f(x) σf,f(x) σ f,f(x) hides the original input x (up to what is revealed by f, f(x)) real distribution ideal distribution [Generalizes to multiple signatures]
19 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 prover x, w verifier x Goal: Convince verifier that there exists w such that R x, w = 1
20 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 prover x, w verifier x Verifier checks that σ Rx,1 is a signature on 1 with respect to function R x
21 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 Soundness: Follows from unforgeability; if verifier accepts, then σ Rx,1 is a signature on 1 with respect to function R x, but R x w = 0
22 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 Zero-Knowledge: Follows from context-hiding; signature σ Rx,1 can be simulated given sk, R x and R x w = 1
23 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 Problem: Prover needs signature on w, which depends on the statement being proven (cannot be generated in preprocessing phase)
24 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key (unknown to the verifier) Solution: Add one layer of indirection!
25 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Solution: Add one layer of indirection!
26 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Verifier checks that σ Cx,ct,1 is a signature on 1 with respect to function C x,ct
27 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Soundness: Follows from unforgeability; if verifier accepts, then σ Cx,ct,1 is a signature on 1 with respect to function C x,ct, but C x,ct k = 0 for all k
28 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Zero-Knowledge: Follows from context-hiding and semantic security; signature σ Cx,ct,1 can be simulated given sk, C x,ct and C x,ct k = 1 and so, ct hides w
29 Homomorphic Signatures to Preprocessing NIZKs (also publishes vk) k σ k k P π = Prove(k P, x, w) Designated-prover NIZK from context-hiding homomorphic signatures Verify(vk, x, π)
30 Homomorphic Signatures to Preprocessing NIZKs (also publishes vk) k σ k k P π = Prove(k P, x, w) Can instantiate context-hiding homomorphic signatures with lattice-based scheme from [GVW15] [Need some additional properties, but [GVW15] satisfies all properties with some modification] Designated-prover NIZK from context-hiding homomorphic signatures Verify(vk, x, π)
31 Homomorphic Signatures to Preprocessing NIZKs k σ k w Prover is given signature on an encryption key (unknown to the verifier) Homomorphic signatures: unforgeability against computationallybounded adversaries; yields NIZK argument C x,ct (k) σcx,ct,1 Homomorphic commitments: k unforgeability holds against unbounded adversaries; yields NIZK proof Unclear how to implement preprocessing efficiently, so focus will be on homomorphic signature construction Soundness: Follows from unforgeability; if verifier accepts, then σ Cx,ct,1 is a signature on 1 with respect to function C x,ct, but C x,ct k = 0 for all k
32 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A Z q n m target matrix for each bit of message: B 1 Z q n m B l Z q n m gadget matrix G Z q n m Signing key: T A Z q m m Trapdoor T A allows sampling short R Z q m m such that AR = B for any B Z q n m [T A is an SIS trapdoor for A]
33 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A, B 1,, B l, G Z q n m Signing key: T A Z q m m Sign message x bit-by-bit: A x 1 G B 1 R 1 Signature on x 1 is short R 1 that satisfy this relation (computed using trapdoor T A )
34 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A, B 1,, B l, G Z q n m Signing key: T A Z q m m Sign message x bit-by-bit: AR 1 + x 1 G = B 1 AR 2 + x 2 G = B 2 AR l + x l G = B l σ x = R 1,, R l Verification consists of checking that R 1,, R l satisfy these relations
35 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A, B 1,, B l, G Z q n m Signing key: T A Z q m m Sign message x bit-by-bit: AR 1 + x 1 G = B 1 AR 2 + x 2 G = B 2 AR l + x l G = B l Function of f, R 1,, R l and x 1,, x l GSW homomorphic operations Function of f, B1,, Bl AR f + f(x) G = B f Additional techniques needed for context-hiding
36 Homomorphic Signatures to Preprocessing NIZKs (also publishes vk) k σ k k P π = Prove(k P, x, w) Designated-prover NIZK from context-hiding homomorphic signatures Verify(vk, x, π)
37 Implementing the Preprocessing Phase k σk π = Prove(k P, x, w) (also publishes vk) Can use generic MPC protocols, but can do this more efficiently using a specialized protocol Verify(vk, x, π) k sk Prover chooses encryption key Goal: prover obtains signature on k without revealing k to verifier Verifier chooses signing key
38 Implementing the Preprocessing Phase Desired notion is a blind homomorphic signature k sk Prover chooses encryption key Goal: prover obtains signature on k without revealing k to verifier Verifier chooses signing key
39 Blind Homomorphic Signatures Recall that signature on the encryption key k consists of k signatures on the bits of k Prover can use oblivious transfer (OT) to obtain signatures on each bit of k Some additional work needed for malicious security [See paper for details] signatures on bits of k k Prover chooses encryption key OT for signatures on bits of k Goal: prover obtains signature on k without revealing k to verifier sk Verifier chooses signing key
40 Blind Homomorphic Signatures Recall that signature on the encryption key k consists of Takeaway: k signatures Preprocessing on the bits of k can be implemented Prover can then using OT for the poly signatures λ parallel on each OT bit of k Some additional work needed for malicious security invocations [See paper for details] signatures on bits of k k Prover chooses encryption key OT for signatures on bits of k Goal: prover obtains signature on k without revealing k to verifier sk Verifier chooses signing key
41 Proof Size and Amortization k σ k Recall: proof consists of an encryption of the witness and a signature w k C x,ct (k) σcx,ct,1 ct = w + poly(λ) σ = poly λ, d C, where d C is the depth of C x,ct Length of NIZK is typically proportional to the size of the NP relation (rather than the depth), and moreover, the overhead is multiplicative in λ (rather than additive)
42 Proof Size and Amortization k σ k Observation: If same witness used for multiple proofs, ciphertext only needs to be included once w k C x,ct (k) σcx,ct,1 Suppose same witness w used to prove statements x 1,, x n (with respect to C 1,, C n ): π i = w + poly(λ, d i ) i [n] i [n] Depth of C 1,, C n
43 A Succinct GMW Compiler Classic GMW compiler (semi-honest to malicious compiler): 1. Each party broadcasts commitment to their local input and randomness 2. Parties run a coin-flipping protocol to determine parties randomness used for computation 3. Parties run semi-honest MPC protocol and attach a NIZK proof that each message is consistent with committed values and randomness MPC: multiple parties seek to compute a joint function of their private inputs Key observation: NIZK proofs share common witness (the committed inputs and randomness)
44 A Succinct GMW Compiler Classic GMW compiler (semi-honest to malicious compiler): 1. Each party broadcasts commitment to their local input Communication overhead is and randomness 2. Parties run a coin-flipping n x + poly protocol n, λ, to ddetermine where parties x randomness is length of used parties for computation input and d is depth 3. Parties (rather run semi-honest than size) MPC of the protocol computation and attach a NIZK proof that each message is consistent with committed values and randomness MPC: multiple parties seek to compute a joint function of their private inputs Key observation: NIZK proofs share common witness (the committed inputs and randomness)
45 Summary Can we realize multi-theorem NIZKs in the preprocessing model from standard lattice assumptions? New multi-theorem designated-prover (public-verifier) NIZKs from homomorphic signatures (based on LWE) New notion of blind homomorphic signatures (formalized in the UC model) for efficient implementation of preprocessing (from OT) New UC-secure NIZK in the preprocessing model from lattices Succinct MPC protocol and succinct GMW compiler [See paper for details]
46 Open Problems NIZKs from lattices in the CRS model Publishing prover state in our preprocessing NIZK compromises zero-knowledge (reveals secret key prover uses to encrypt witnesses) Multi-theorem preprocessing NIZKs from discrete log assumptions (e.g., CDH, DDH) Weaker primitive of homomorphic MAC suffices (will also require secret key to verify proofs) Thank you!
Application to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationFunctional Signatures and Pseudorandom Functions
Functional Signatures and Pseudorandom Functions The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Boyle,
More informationYuval Ishai Technion
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Yuval Ishai Technion 1 Zero-knowledge proofs for NP [GMR85,GMW86] Bar-Ilan University Computational MPC with no honest
More informationThe Exact Round Complexity of Secure Computation
The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University) joint work with Sanjam Garg, Pratyay Mukherjee (UC Berkeley), Omkant Pandey (Drexel University) Background:
More informationBetter 2-round adaptive MPC
Better 2-round adaptive MPC Ran Canetti, Oxana Poburinnaya TAU and BU BU Adaptive Security of MPC Adaptive corruptions: adversary adversary can decide can decide who to who corrupt to corrupt adaptively
More informationFunctional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu
Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal and David J. Wu Public-Key Functional Encryption [BSW11, O N10] x f(x) Keys are associated with deterministic
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il
More informationLecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak December 8, 2005 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationUniversally Composable Two-Party and Multi-Party Secure Computation
Universally Composable Two-Party and Multi-Party Secure Computation Ran Canetti Yehuda Lindell Rafail Ostrovsky Amit Sahai July 14, 2003 Abstract We show how to securely realize any two-party and multi-party
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationSecure Computation Against Adaptive Auxiliary Information
Secure Computation Against Adaptive Auxiliary Information Elette Boyle 1, Sanjam Garg 2, Abhishek Jain 3, Yael Tauman Kalai 4, and Amit Sahai 2 1 MIT, eboyle@mit.edu 2 UCLA, {sanjamg,sahai}@cs.ucla.edu
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationAccess Control Encryption for General Policies from Standard Assumptions
Access Control Encryption for General Policies from Standard Assumptions Sam Kim Stanford University skim13@cs.stanford.edu David J. Wu Stanford University dwu4@cs.stanford.edu Abstract Functional encryption
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationLecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak November 29, 2007 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationRecursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data
Recursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data Nir Bitansky nirbitan@tau.ac.il Tel Aviv University Alessandro Chiesa alexch@csail.mit.edu MIT Ran Canetti canetti@tau.ac.il Boston
More informationRecursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data
Recursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data Nir Bitansky nirbitan@tau.ac.il Tel Aviv University Alessandro Chiesa alexch@csail.mit.edu MIT Ran Canetti canetti@tau.ac.il Boston
More informationImplementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens
Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens Nico Döttling, Thilo Mie, Jörn Müller-Quade, and Tobias Nilges Karlsruhe Institute of Technology, Karlsruhe, Germany
More informationLaconic Zero Knowledge to. Akshay Degwekar (MIT)
Laconic Zero Knowledge to Public Key Cryptography Akshay Degwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] sk pk Public Key Encryption ct = Enc
More informationBounded-Concurrent Secure Two-Party Computation Without Setup Assumptions
Bounded-Concurrent Secure Two-Party Computation Without Setup Assumptions Yehuda Lindell IBM T.J.Watson Research 19 Skyline Drive, Hawthorne New York 10532, USA lindell@us.ibm.com ABSTRACT In this paper
More informationBounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority
Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority Rafael Pass Massachusetts Institute of Technology pass@csail.mit.edu June 4, 2004 Abstract We show how to securely realize any
More informationA Unified Approach to Constructing Black-box UC Protocols in Trusted Setup Models
A Unified Approach to Constructing Black-box UC Protocols in Trusted Setup Models Susumu Kiyoshima 1, Huijia Lin 2, and Muthuramakrishnan Venkitasubramaniam 3 1 NTT Secure Platform Laboratories, Tokyo,
More informationZero-Knowledge Proofs
Zero-Knowledge Proofs Yevgeniy Dodis New York University Special thanks: Salil Vadhan Zero-Knowledge Proofs [GMR85] Interactive proofs that reveal nothing other than the validity of assertion being proven
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationOn Deniability in the Common Reference String and Random Oracle Model
On Deniability in the Common Reference String and Random Oracle Model Rafael Pass Department of Numerical Analysis and Computer Science Royal Institute of Technology, Stockholm, Sweden rafael@nada.kth.se
More informationA Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.
More informationZero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)
Zero Knowledge Protocols c Eli Biham - May 3, 2005 442 Zero Knowledge Protocols (16) A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms.
More informationLeakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore,
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationOne-Shot Verifiable Encryption from Lattices. Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge
More informationRound-Optimal Secure Multi-Party Computation
TPMPC 2018 Round-Optimal Secure Multi-Party Computation WITHOUT Setup C R Y P T O Shai Halevi, IBM Carmit Hazay, Bar Ilan University Antigoni Polychroniadou, Cornell Tech Muthuramakrishnan Venkitasubramaniam,
More informationAdaptively Secure Computation with Partial Erasures
Adaptively Secure Computation with Partial Erasures Carmit Hazay Yehuda Lindell Arpita Patra Abstract Adaptive security is a strong corruption model that captures hacking attacks where an external attacker
More informationSecure Multi-Party Computation Without Agreement
Secure Multi-Party Computation Without Agreement Shafi Goldwasser Department of Computer Science The Weizmann Institute of Science Rehovot 76100, Israel. shafi@wisdom.weizmann.ac.il Yehuda Lindell IBM
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationHomomorphic encryption (whiteboard)
Crypto Tutorial Homomorphic encryption Proofs of retrievability/possession Attribute based encryption Hidden vector encryption, predicate encryption Identity based encryption Zero knowledge proofs, proofs
More informationOptimal-Rate Non-Committing Encryption in a CRS Model
Optimal-Rate Non-Committing Encryption in a CRS Model Ran Canetti Oxana Poburinnaya Mariana Raykova May 24, 2016 Abstract Non-committing encryption (NCE) implements secure channels under adaptive corruptions
More informationBounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority
Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority Rafael Pass Royal Institute of Technology Stockholm, Sweden rafael@nada.kth.se ABSTRACT We show how to securely realize any multi-party
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationCryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data
Cryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data Shashank Agrawal 1, Shweta Agrawal 2, and Manoj Prabhakaran 1 University of Illinois Urbana-Champaign {sagrawl2,mmp}@illinois.edu
More informationThe Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT)
The Magic of ELFs Mark Zhandry Princeton University (Work done while at MIT) Prove this secure: Enc(m) = ( TDP(r), H(r) m ) (CPA security, many- bit messages, arbitrary TDP) Random Oracles Random Oracle
More informationConstant-Round Concurrent Zero Knowledge in the Bounded Player Model
Constant-Round Concurrent Zero Knowledge in the Bounded Player Model Vipul Goyal 1, Abhishek Jain 2, Rafail Ostrovsky 3, Silas Richelson 4, and Ivan Visconti 5 1 Microsoft Research, INDIA, vipul@microsoft.com
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationFairness in an Unfair World: Fair Multiparty Computation from Public Bulletin Boards
Fairness in an Unfair World: Fair Multiparty Computation from Public Bulletin Boards Arka Rai Choudhuri achoud@cs.jhu.edu Johns Hopkins University Matthew Green mgreen@cs.jhu.edu Johns Hopkins University
More informationAsynchronous Secure Multiparty Computation in Constant Time
Asynchronous Secure Multiparty Computation in Constant Time Ran Cohen December 30, 2015 Abstract In the setting of secure multiparty computation, a set of mutually distrusting parties wish to securely
More informationEvaluating Branching Programs on Encrypted Data
Evaluating Branching Programs on Encrypted Data Yuval Ishai and Anat Paskin Computer Science Department, Technion yuvali@cs.technion.ac.il, anps83@gmail.com Abstract. We present a public-key encryption
More informationPrivately Constraining and Programming PRFs, the LWE Way PKC 2018
Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15 Constrained Pseudorandom Functions [KPTZ 13,BW 13,BGI 14] 1 Ordinary evaluation algorithm Eval(msk,
More informationTwo-round Secure MPC from Indistinguishability Obfuscation
Two-round Secure MPC from Indistinguishability Obfuscation Sanjam Garg 1, Craig Gentry 1, Shai Halevi 1, and Mariana Raykova 2 1 IBM T. J. Watson 2 SRI International Abstract. One fundamental complexity
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationFORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013
FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES Essam Ghadafi ghadafi@cs.bris.ac.uk University of Bristol ACISP 2013 FORMALIZING GROUP BLIND SIGNATURES... OUTLINE
More informationZero-Knowledge from Secure Multiparty Computation
Zero-Knowledge from Secure Multiparty Computation Yuval Ishai Computer Science Dept. Technion, Haifa, Israel yuvali@cs.technion.ac.il Rafail Ostrovsky CS and Math Dept. UCLA, Los Angeles, CA rafail@cs.ucla.edu
More informationEfficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials
Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials Melissa Chase 1, Chaya Ganesh 2, and Payman Mohassel 3 1 Microsoft Research,
More informationEfficient Round Optimal Blind Signatures
Efficient Round Optimal Blind Signatures Sanjam Garg IBM T.J. Watson Divya Gupta UCLA Complexity Leveraging Highly theoretical tool Used to obtain feasibility results Gives inefficient constructions Is
More informationOverview of Verifiable Computing Techniques Providing Private and Public Verification
Overview of Verifiable Computing Techniques Providing Private and Public D5.8 Document Identification Date May 4, 2016 Status Final Version 1.0 Related WP WP5 Document Reference Related Deliverable(s)
More informationIntroduction to Secure Multi-Party Computation
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation
More informationChosen-Ciphertext Security (II)
Chosen-Ciphertext Security (II) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (II) Fall 2018 1 / 13 Recall: Chosen-Ciphertext Attacks (CCA) Adversary
More informationResettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way
Resettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way Rafail Ostrovsky 1 and Alessandra Scafuro 2 Muthuramakrishnan Venkitasubramanian 3 1 UCLA, USA 2 Boston University and Northeastern
More informationCommunication Locality in Secure Multi-Party Computation
Communication Locality in Secure Multi-Party Computation How to Run Sublinear Algorithms in a Distributed Setting Elette Boyle 1, Shafi Goldwasser 2, and Stefano Tessaro 1 1 MIT CSAIL, eboyle@mit.edu,
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationIndistinguishable Proofs of Work or Knowledge
Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationRe-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security
Re-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security and instantiations from lattices Nishanth Chandran 1, Melissa Chase 1, Feng-Hao
More informationTimed-Release Certificateless Encryption
Timed-Release Certificateless Encryption Toru Oshikiri Graduate School of Engineering Tokyo Denki University Tokyo, Japan Taiichi Saito Tokyo Denki University Tokyo, Japan Abstract Timed-Release Encryption(TRE)
More informationConcurrent Zero Knowledge in Polylogarithmic Rounds. 2 Concurrent Composable Zero Knowledge: The Construction
6.876/18.426: Advanced Cryptography 28.4.2003. Lecture 19: Concurrent Zero Knowledge in Polylogarithmic Rounds Scribed by: Nenad Dedić 1 Introduction The subject of these notes is concurrent zero knowledge,
More informationMultiparty Computation Secure Against Continual Memory Leakage
Multiparty Computation Secure Against Continual Memory Leakage Elette Boyle MIT eboyle@mit.edu Shafi Goldwasser MIT and Weizmann shafi@mit.edu Abhishek Jain UCLA abhishek@cs.ucla.edu Yael Tauman Kalai
More informationPost-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives
Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives Sebastian Ramacher Joint work with Melissa Chase, David Derler, Steven Goldfeder, Claudio Orlandi, Christian Rechberger, Daniel
More informationNew Notions of Security: Achieving Universal Composability without Trusted Setup
New Notions of Security: Achieving Universal Composability without Trusted Setup Manoj Prabhakaran Princeton University Amit Sahai Princeton University ABSTRACT We propose a modification to the framework
More informationLecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption
Lecture 20: & Hybrid Encryption Lecture 20: & Hybrid Encryption Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Exchanging keys and public key encryption Public Key Encryption pk sk Public Key Encryption pk cß Enc(pk,m) sk m Public
More informationSomewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer
Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Juan A. Garay Daniel Wichs Hong-Sheng Zhou April 15, 2009 Abstract Designing efficient cryptographic protocols tolerating
More informationSomewhat Homomorphic Encryption
Somewhat Homomorphic Encryption Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Part 1: Homomorphic Encryption: Background, Applications, Limitations Computing
More informationLecture 5: Zero Knowledge for all of NP
600.641 Special Topics in Theoretical Cryptography February 5, 2007 Lecture 5: Zero Knowledge for all of NP Instructor: Susan Hohenberger Scribe: Lori Kraus 1 Administrative The first problem set goes
More information6.842 Randomness and Computation September 25-27, Lecture 6 & 7. Definition 1 Interactive Proof Systems (IPS) [Goldwasser, Micali, Rackoff]
6.84 Randomness and Computation September 5-7, 017 Lecture 6 & 7 Lecturer: Ronitt Rubinfeld Scribe: Leo de Castro & Kritkorn Karntikoon 1 Interactive Proof Systems An interactive proof system is a protocol
More informationCRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History
More informationThe IPS Compiler: Optimizations, Variants and Concrete Efficiency
The IPS Compiler: Optimizations, Variants and Concrete Efficiency Yehuda Lindell, Eli Oxman, and Benny Pinkas Dept. of Computer Science, Bar Ilan University, Ramat Gan, Israel. lindell@cs.biu.ac.il, eli.oxman@gmail.com,
More informationExploring the Boundaries of Topology-Hiding Computation
Exploring the Boundaries of Topology-Hiding Computation Marshall Ball 1, Elette Boyle 2, Tal Malkin 3, and Tal Moran 2 1 Columbia University and IDC Herzliya. marshall@cs.columbia.edu 2 IDC Herzliya, Israel.
More informationCS 151 Complexity Theory Spring Final Solutions. L i NL i NC 2i P.
CS 151 Complexity Theory Spring 2017 Posted: June 9 Final Solutions Chris Umans 1. (a) The procedure that traverses a fan-in 2 depth O(log i n) circuit and outputs a formula runs in L i this can be done
More informationUniversally Composable Protocols with Relaxed Set-up Assumptions
Universally Composable Protocols with Relaxed Set-up Assumptions Boaz Barak Inst. for Advanced Study boaz@ias.edu Ran Canetti IBM Research canetti@us.ibm.com Jesper Buus Nielsen ETH Zürich jnielsen@inf.ethz.ch
More informationLeakage-Tolerant Interactive Protocols
Leakage-Tolerant Interactive Protocols Nir Bitansky 1,2, Ran Canetti 1,2, and Shai Halevi 3 1 Tel Aviv University 2 Boston University 3 IBM T.J. Watson Research Center Abstract. We put forth a framework
More informationCryptographically Secure Bloom-Filters
131 139 Cryptographically Secure Bloom-Filters Ryo Nojima, Youki Kadobayashi National Institute of Information and Communications Technology (NICT), 4-2-1 Nukuikitamachi, Koganei, Tokyo, 184-8795, Japan.
More informationSimple, Black-Box Constructions of Adaptively Secure Protocols
Simple, Black-Box Constructions of Adaptively Secure Protocols Seung Geol Choi 1, Dana Dachman-Soled 1, Tal Malkin 1, and Hoeteck Wee 2 1 Columbia University {sgchoi,dglasner,tal}@cs.columbia.edu 2 Queens
More informationActively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model
Actively Secure Garbled Circuits with Constant Communication Overhead in the Plain Model Carmit Hazay 1, Yuval Ishai 2, and Muthuramakrishnan Venkitasubramaniam 3 1 Bar-Ilan University carmit.hazay@biu.ac.il,
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationSecure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity
Secure Computation of Functionalities based on Hamming Distance and its Application to Computing Document Similarity Ayman Jarrous 1 and Benny Pinkas 2,* 1 University of Haifa, Israel. 2 Bar Ilan University,
More informationIntroduction to Secure Multi-Party Computation
CS 380S Introduction to Secure Multi-Party Computation Vitaly Shmatikov slide 1 Motivation General framework for describing computation between parties who do not trust each other Example: elections N
More informationLecture 6: ZK Continued and Proofs of Knowledge
600.641 Special Topics in Theoretical Cryptography 02/06/06 Lecture 6: ZK Continued and Proofs of Knowledge Instructor: Susan Hohenberger Scribe: Kevin Snow 1 Review / Clarification At the end of last
More informationThreshold Cryptosystems from Threshold Fully Homomorphic Encryption
Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Sam Kim Stanford University Joint work with Dan Boneh, Rosario Gennaro, Steven Goldfeder, Aayush Jain, Peter M. R. Rasmussen, and Amit
More informationSecure Multiparty RAM Computation in Constant Rounds,
Secure Multiparty RAM Computation in Constant Rounds, Sanjam Garg 1, Divya Gupta 1, Peihan Miao 1, and Omkant Pandey 2 1 University of California, Berkeley {sanjamg,divyagupta2016,peihan}@berkeley.edu
More informationResolving the Simultaneous Resettability Conjecture and a New Non-Black-Box Simulation Strategy
Resolving the Simultaneous Resettability Conjecture and a New Non-Black-Box Simulation Strategy Vipul Goyal UCLA and MSR India Email: vipul.goyal@gmail.com Amit Sahai UCLA Email: sahai@cs.ucla.edu October
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig, IAIK,
More informationOn Concurrently Secure Computation in the Multiple Ideal Query Model
On Concurrently Secure Computation in the Multiple Ideal Query Model Vipul Goyal Abhishek Jain Abstract The multiple ideal query (MIQ) model was introduced by Goyal, Jain and Ostrovsky [Crypto 10] as a
More informationStateless Cryptographic Protocols
Stateless Cryptographic Protocols Vipul Goyal Microsoft Research, India. Email: vipul@microsoft.com Hemanta K. Maji Department of Computer Science, University of Illinois at Urbana-Champaign. Email: hmaji2@uiuc.edu
More informationCryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland
Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource
More informationNon-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers Rosario Gennaro Craig Gentry Bryan Parno February 1, 2010 bstract Verifiable Computation enables a computationally weak
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationOn the Composition of Authenticated Byzantine Agreement
On the Composition of Authenticated Byzantine Agreement Yehuda Lindell Anna Lysyanskaya Tal Rabin July 28, 2004 Abstract A fundamental problem of distributed computing is that of simulating a secure broadcast
More informationDECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES
DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES Essam Ghadafi 1 Ali El Kaafarani 2 Dalia Khader 3 1 University of Bristol, 2 University of Bath, 3 University of Luxembourg ghadafi@cs.bris.ac.uk CT-RSA
More information