Computational Soundness of Symbolic Zero Knowledge Proofs

Similar documents
Identification Schemes

Plaintext Awareness via Key Registration

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Zero Knowledge Protocol

Security Protocol Verification: Symbolic and Computational Models

Cryptographic protocols

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Secure Multiparty Computation

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

A Computational Analysis of the Needham-Schröeder-(Lowe) Protocol

CS 395T. Formal Model for Secure Key Exchange

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Pseudorandomness and Cryptographic Applications

Multi-Theorem Preprocessing NIZKs from Lattices

New Constructions for UC Secure Computation using Tamper-proof Hardware

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Formal Methods and Cryptography

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Achieving Security Despite Compromise Using Zero-knowledge

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

l20 nov zero-knowledge proofs

Low-level Ideal Signatures and General Integrity Idealization

Introduction to Secure Multi-Party Computation

Introduction to Secure Multi-Party Computation

Chosen-Ciphertext Security (II)

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

The automatic security protocol verifier ProVerif

Secure Reactive Systems, Day 3: Reactive Simulatability Property Preservation and Crypto. Examples

1 A Tale of Two Lovers

Public-Key Cryptography

Formal Verification of the WireGuard Protocol

How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios

Efficient Round Optimal Blind Signatures

Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens

COMP4109 : Applied Cryptography

1 Defining Message authentication

Further Observations on Certificate-Base Encryption and its Generic Construction from Certificateless Public Key Encryption

Cryptography: More Primitives

UC Commitments for Modular Protocol Design and Applications to Revocation and Attribute Tokens

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Indistinguishable Proofs of Work or Knowledge

Notes for Lecture 24

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Constant-Round Concurrent Zero Knowledge in the Bounded Player Model

Achieving Security Despite Compromise Using Zero-knowledge

the Presence of Adversaries Sharon Goldberg David Xiao, Eran Tromer, Boaz Barak, Jennifer Rexford

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Other Topics in Cryptography. Truong Tuan Anh

Detectable Byzantine Agreement Secure Against Faulty Majorities

Secure Multiparty Computation

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Refining Computationally Sound Mech. Proofs for Kerberos

IND-CCA2 secure cryptosystems, Dan Bogdanov

Security Protocol Verification: Symbolic and Computational Models

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

Automated Security Proofs with Sequences of Games

Lecture 8 - Message Authentication Codes

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Introduction to Security Reduction

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Lecture 6: ZK Continued and Proofs of Knowledge

Universally Composable Two-Party and Multi-Party Secure Computation

Lecture Embedded System Security Introduction to Trusted Computing

Lecture 5: Zero Knowledge for all of NP

HOST Authentication Overview ECE 525

Verification of Security Protocols

CS 255: Intro to Cryptography

On Deniability in the Common Reference String and Random Oracle Model

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Delegatable Functional Signatures

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

Stateless Cryptographic Protocols

CSC 5930/9010 Cloud S & P: Cloud Primitives

Secure Multi-party Computation

Message Authentication Codes and Cryptographic Hash Functions

Security and Composition of Cryptographic Protocols: A tutorial. Ran Canetti Tel Aviv University

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Round-Optimal Composable Blind Signatures in the Common Reference String Model

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Direct Anonymous Attestation

Secure Multi-Party Computation Without Agreement

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

NEW FUNCTIONS FOR SECRECY ON REAL PROTOCOLS

Computationally Sound Verification of Source Code

CSE 565 Computer Security Fall 2018

Formal Methods for Assuring Security of Computer Networks

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Application to More Efficient Obfuscation

Chapter 9 Public Key Cryptography. WANG YANG

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Lecture Embedded System Security Introduction to Trusted Computing

Provably Secure On-demand Source Routing in Mobile Ad Hoc Networks

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Applied Cryptography and Computer Security CSE 664 Spring 2018

Transcription:

Computational Soundness of Symbolic Zero Knowledge Proofs Esfandiar Mohammadi Master Seminar Information Security and Cryptography Group Max-Planck Institute for Software Systems Saarland University Advisors: Prof. Dr. Michael Backes and Dr. Dominique Unruh June the 17th, 2008

Motivation Security Protocols are hard to verify by hand due to their complexity Automated verification is desirable Security Protocol Secure Insecure

Motivation Proofs are done in a "concrete" model (e.g. the turing machine model) Too complex for computers Simpler: Term model Abstract the cryptographic primitives as terms Restrict the adversary to useful actions Aim: Formulate and verify protocols in the abstract model Security Protocol CAD Abstract Security Protocol Abstractly Secure Abstractly Insecure

Motivation But, abstract security security in the concrete model? Computational Soundness Security Protocol CAD Abstract Security Protocol Abstractly Secure Comp. Soundness Secure Abstractly Insecure

Abstract Model terms e.g.: {m} ek(a), [m] sk(a) active attacker: adversary controls channels adversary sends messages and agents respond protocol: set of question-response patterns (q, r) Adversary Terms Agents

Concrete Model real cryptographic primitives again, protocol: set of question-response patterns (q, r) messages parsed to abstract terms answer of the agent constructed from abstract term parse/ construct Adversary parse/ construct Bitstrings parse/ construct Agents

Computational Soundness Secure in abstract model Secure in concrete Model In contraposition: For every concrete adversary there is a corresponding abstract adversary Translate the communication from the concrete model to the abstract model Bitstrings Terms

How Much Can the Adversary Learn? Public knowledge Knowledge from the corrupted agents The responses of the agents and what is deducible from it We need a set of deduction rules m e.g. {m} ek(b)

Zero-Knowledge Proof Systems Prover b Verifier a Proof of F(a;b) Public statement-formula F, private part a, public part b Zero-Knowledge Proof System fulfills Completeness Soundness Zero-Knowledge Proof of Knowledge in addition Extractability

Zero-Knowledge Proof Systems (cont d) Completeness Honest Prover a b Proof of F(a;b) Honest Verifier Completeness Honest provers convince honest verifiers of true statements (F(a;b) = true)

Zero-Knowledge Proof Systems (cont d) Soundness Malicious Prover a b Proof of F(a;b) Honest Verifier Soundness Malicious provers can hardly convince honest verifiers of false statements (F(a;b) = false)

Zero-Knowledge Proof Systems (cont d) Zero-Knowledge Honest Prover Malicious Verifier a Proof of F(a;b) Third Party Simulator Zero-Knowledge If F(a;b) is true, a third party cannot tell if the proof is real or simulated (without knowing a).

Zero-Knowledge Proof Systems (cont d) Extractability - Proof of Knowledge Adversary (Prover) Proof of F(a;b) Honest Verifier Accepts extp a Extractor F(a;b) = true Extractability If Proof of F(a;b) convinces the verifier and if a is extractible given extp, then F(a;b) is valid.

ZK-Proofs in the Abstract Model ZK-proof as term: ZK F (a; b) Public statement-formula F, private part a, public part b Statement-formulas F: boolean expressions over equations between terms e.g. ({a} ek(b1 ) = b 2) additional deduction rules: a b F (a; b) valid e.g. ZK F (a; b)

Computational Soundness of ZK Backes & Unruh: Computational Soundness of Symbolic Zero-Knowledge Proofs against active Attackers Strong requirements to the Zero-Knowledge Proof System I. Non-malleability II. Extractability

Computational Soundness of ZK (cont d) Problem I: Non-Malleability In the abstract model proofs are not malleable e.g. given ZK F (a; b) and ZK F (a ; b ) ZK F F (a, a ; b, b ) is not deducible without knowing a, a We need the ZK Proof System to be non-malleable

Computational Soundness of ZK (cont d) Problem II: Extract the Wittness Recall: We translate the communication in the concrete model to the abstract model When we parse the bitstring representing a zero-knowledge proof from the adversary: How to obtain the witness?

Computational Soundness of ZK (cont d) Problem II: Extract the Wittness Recall: We translate the communication in the concrete model to the abstract model When we parse the bitstring representing a zero-knowledge proof from the adversary: How to obtain the witness? ZK Proof System needs to fulfill Extractability Extraction algorithm is needed

What I Am Going to Do? I. Including malleable proofs Find appropriate deduction rules to combine known ZK-proofs II. Without Extractablity Already sketched: soundness proof for a simplified version with deterministic signatures instead of encryptions Next step: randomness, randomized encryptions

Thank you for your attention!

References [BackesUnruh08] Michael Backes, Dominique Unruh: Computational Soundness of Symbolic Zero-Knowledge Proofs Against Active Attackers. CSF 2008: 255-269 [CortierWarinschi] Véronique Cortier, Bogdan Warinschi: Computationally Sound, Automated Proofs for Security Protocols. ESOP 2005: 157-171

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback