Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Similar documents
A General Framework for Redactable Signatures and New Constructions

Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials

Cryptographic protocols

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Lecture 10, Zero Knowledge Proofs, Secure Computation

Blank Digital Signatures: Optimization and Practical Experiences

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Delegatable Functional Signatures

Direct Anonymous Attestation

Computer Security CS 526

CS408 Cryptography & Internet Security

On the Security of a Certificateless Public-Key Encryption

Lecture 2: Symmetric Key Encryption. Security Notions for Symmetric Key Encryption

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Cryptology complementary. Symmetric modes of operation

STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Chaum s Designated Confirmer Signature Revisited

On Symmetric Encryption with Distinguishable Decryption Failures

UC Commitments for Modular Protocol Design and Applications to Revocation and Attribute Tokens

Lecture 5: Zero Knowledge for all of NP

On Deniability in the Common Reference String and Random Oracle Model

Definitions and Notations

More crypto and security

Identification Schemes

Digital Signatures. Sven Laur University of Tartu

Cryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data

Zero Knowledge Protocol

Zero Knowledge Accumulators and Set Operations

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

Cryptography: More Primitives

Lecture 6: ZK Continued and Proofs of Knowledge

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Multi-Theorem Preprocessing NIZKs from Lattices

Proofs for Key Establishment Protocols

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

Indistinguishable Proofs of Work or Knowledge

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Oblivious Signature-Based Envelope

Lecture 15: Public Key Encryption: I

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

A Unified Approach to Constructing Black-box UC Protocols in Trusted Setup Models

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Public-Key Encryption

Information Security CS526

FORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

Hash Proof Systems and Password Protocols

MTAT Graduate Seminar in Cryptography Duality Between Encryption and Commitments

A Two-level Time-Stamping System

Notes for Lecture 24

Security of Cryptosystems

Analyzing Security Protocols using Probabilistic I/O Automata

NSEC5: Provably Preventing DNSSEC Zone Enumeration

An Exploration of Group and Ring Signatures

Watermarking Public-key Cryptographic Functionalities and Implementations

Crypto Background & Concepts SGX Software Attestation

Lectures 4+5: The (In)Security of Encrypted Search

Evaluating Branching Programs on Encrypted Data

l20 nov zero-knowledge proofs

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Zero-Knowledge Proofs

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

Efficient Quantum-Immune Keyless Signatures with Identity

Introduction to Security Reduction

Refining Computationally Sound Mech. Proofs for Kerberos

Chosen-Ciphertext Security (II)

Applied Cryptography and Computer Security CSE 664 Spring 2018

On the Revocation of U-Prove Tokens

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

A Framework for Universally Composable Diffie-Hellman Key Exchange

IND-CCA2 secure cryptosystems, Dan Bogdanov

Securely Combining Public-Key Cryptosystems

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Resettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way

Decentralized Blacklistable Anonymous Credentials with Reputation

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture 18 - Chosen Ciphertext Security

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Publicly Verifiable Secret Sharing for Cloud-based Key Management

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

CSC 5930/9010 Modern Cryptography: Digital Signatures

Contributions to pairing-based cryptography

Plaintext Awareness via Key Registration

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

SAS-Based Group Authentication and Key Agreement Protocols

Computationally Sound Mechanized Proof of PKINIT for Kerberos

Transcription:

S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK, Graz University of Technology www.iaik.tugraz.at

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 2

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 3

Static Accumulators Finite set Accumulator 4

Static Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X Intractable to compute x / X 4

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n mod N 5

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N 5

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. 5

A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. Witness for y / X Would imply breaking strong RSA... unless factorization of N is known. 5

Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X 6

Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X Universal features Demonstrate non-membership Non-membership witness wit x Efficiently computable x / acc X Intractable to compute x acc X 6

Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability 7

Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability Thus, accumulators not usable as black-boxes Limited exchangeability when used in other constructions Relations to other primitives hard to study 7

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability 8

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc 8

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets 8

Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets Exhaustive classification of existing schemes (see Paper) 8

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 9

Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify 10

Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit 10

Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit Dynamic Accumulators additionally provide Add Delete WitUpdate 10

Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type 11

Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) 11

Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) For dynamic accumulator schemes The same additionally applies to WitUpdate 11

Security Correctness Collision freeness Undeniability Indistinguishability 12

Security - Collision Freeness Experiment Exp cf κ ( ): 13

Security - Collision Freeness Experiment Exp cf κ ( ): A wins if wit x is membership witness for non-member, or wit x is non-membership witness for member 13

Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): 14

Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): A wins if verification succeeds for both wit x and wit x 14

Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud 15

Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud Other direction does not hold [BLL02] 15

Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators 16

Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators We provide formalization not suffering from shortcomings above 16

Security - Indistinguishability II Experiment Exp ind κ ( ): 17

Security - Indistinguishability II Experiment Exp ind κ ( ): A wins if guess correct 17

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. 18

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition 18

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability 18

Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability We modify [Ngu05] to provide indistinguishability First indistinguishable t-bounded dynamic accumulator 18

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 19

Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X 20

Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators 20

Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators Algorithms compatible Security notions similar 20

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability 21

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) 21

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability Other direction unclear, sim-based notion seems stronger 21

Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability 21 Other direction unclear, sim-based notion seems stronger First undeniable, unbounded, indistinguishable acc Nearly ZK sets t-bounded

Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 22

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m 23

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward 23

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m 23

Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m Hiding: For C to either m 0 or m 1. Intractable to decide whether C opens to m 0 or m 1 23

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true 24

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding 24

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding 24

Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding Observe: cfw-indistinguishability not useful 24

Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set 25

Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set Trapdoor commitments Use sk acc as trapdoor 25

Conclusion Unified model for accumulators Covering all features existing to date 26

Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme 26

Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme Show relations to other primitives Commitments Zero-knowledge sets Yields first undeniable, unbounded, indistinguishable, universal accumulator Inspiration for new constructions 26

Thank you. david.derler@iaik.tugraz.at Extended version: http://eprint.iacr.org/2015/087

References I [BLL02] Ahto Buldas, Peeter Laud, and Helger Lipmaa. Eliminating counterevidence with applications to accountable certificate management. Journal of Computer Security, 10(3):273 296, 2002. [Ngu05] Lan Nguyen. Accumulators from bilinear pairings and applications. In Topics in Cryptology - CT-RSA 2005, The Cryptographers Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings, pages 275 292, 2005. 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback