Zero Knowledge


Slide 1: Zero Knowledge
- Two parties:
  - All-powerful prover P
  - Polynomially bounded verifier V
- P wants to prove a statement to V with the following properties:
  - Completeness – honest verifier convinced by honest prover
  - Correctness – dishonest prover can't convince verifier of false statement (except with negligible probability)
  - Zero knowledge – verifier doesn't learn anything besides the correctness of the statement

Slide 2: Proving Zero Knowledge
- By simulation
  - Every cheating verifier has a simulator that outputs
    - Perfect zero knowledge – the same distribution as the verifier's view in the protocol
    - Computational zero knowledge – indistinguishable distribution from the verifier's view in the protocol
- Bad example – challenge-response password protocol
- Example – proving knowledge of discrete log
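
The simulation idea on the slide above, as an added example that is not part of the original slides. It uses Schnorr's protocol for knowledge of a discrete log (the slides do not say which protocol they mean) with an honest verifier, and a constructed toy group small enough to enumerate every transcript.

```python
from collections import Counter

# Constructed toy group: G = 2 has prime order Q = 11 modulo P = 23.
P, Q, G = 23, 11, 2

def real_transcript(w, k, c):
    """Honest run: the prover knows w, commits t = g^k, answers s = k + c*w."""
    t = pow(G, k, P)
    s = (k + c * w) % Q
    return (t, c, s)

def simulated_transcript(y, c, s):
    """Simulator: knows only y = g^w. Picks c and s first, then solves for t."""
    t = pow(G, s, P) * pow(y, -c, P) % P
    return (t, c, s)

def accepts(y, transcript):
    """Verifier's check: g^s == t * y^c (mod p)."""
    t, c, s = transcript
    return pow(G, s, P) == t * pow(y, c, P) % P

def view_distributions(w):
    """Enumerate all random choices on both sides and count the transcripts."""
    y = pow(G, w, P)
    real = Counter(real_transcript(w, k, c)
                   for k in range(Q) for c in range(Q))
    sim = Counter(simulated_transcript(y, c, s)
                  for c in range(Q) for s in range(Q))
    return real, sim
```

The two counters are equal, so the simulator's output has exactly the distribution of the honest verifier's view even though it never uses w.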

Slide 3: Commitment
- Two-player protocol
- Alice commits to a value b
  - Binding – Alice can't change the value after the commitment
  - Concealing – Bob can't discover b
  - Alice can reveal b at some point
- Example – f(x) one-way permutation, B(x) hardcore for f(x)
  - Commitment – (f(x), b ⊕ B(x))
  - Revealing – x

Slide 4: Commitment (cont.)
- Naor's scheme – using the indistinguishability property of a PRG G.
  - Commitment
    - Bob sends random string r of length |G(x)|.
    - Alice chooses random x and sends G(x) ⊕ b·r
  - Revealing – Alice sends x
- Claim – if Bob can find b before Alice reveals it, then Bob can distinguish G(x) from a random string
- Claim – Alice has low probability of success in cheating (finding y such that G(y) = r ⊕ G(x))
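
Naor's scheme from the slide above, as an added example that is not part of the original slides. SHAKE-256 stands in for the PRG G, and the seed length and 3x stretch are parameters chosen for this example.

```python
import hashlib
import secrets

SEED_LEN = 16             # bytes of Alice's seed x (assumed parameter)
OUT_LEN = 3 * SEED_LEN    # G stretches n bits to 3n bits, as in Naor's analysis

def G(seed: bytes) -> bytes:
    """Stand-in PRG for this example: SHAKE-256 expanding the seed."""
    return hashlib.shake_256(seed).digest(OUT_LEN)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def bob_challenge() -> bytes:
    """Bob's first message: a uniformly random r with |r| = |G(x)|."""
    return secrets.token_bytes(OUT_LEN)

def alice_commit(b: int, r: bytes):
    """Alice sends c = G(x) xor b*r and keeps x for the reveal."""
    x = secrets.token_bytes(SEED_LEN)
    c = xor(G(x), r) if b else G(x)
    return c, x

def bob_open(c: bytes, r: bytes, x: bytes):
    """Return the committed bit, or None if x opens the commitment to neither bit."""
    g = G(x)
    if c == g:
        return 0
    if c == xor(g, r):
        return 1
    return None
```

Binding depends on r being random: with an all-zero r both bits give the same commitment, which is the y = x case of the cheating condition G(y) = r ⊕ G(x).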

Slide 5: Zero Knowledge for GI
- GI – Graph homomorphism
- Two graphs G_1, G_2 are homomorphic if there is a re-labeling of the nodes of G that gives the nodes of H
- Hard problem
  - No known polynomial algorithm
  - Not known if it is NP-hard
- Prover commits to m graphs H_1,…,H_m
- Verifier sends m choices a_1,…,a_m, a_i ∈ {1,2}
- Prover reveals homomorphism between H_i and G_{a_i} for every i.
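
The three-message exchange on the slide above, as an added example that is not part of the original slides. Assumptions: each H_i is a random re-labeling of G_1 sent in the clear, the graphs are a constructed 4-node instance, and a seeded `random.Random` is used only to make the run reproducible.

```python
import random

def relabel(edges, perm):
    """Apply a node re-labeling (perm[old] = new) to a set of undirected edges."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def inverse(perm):
    inv = [0] * len(perm)
    for old, new in enumerate(perm):
        inv[new] = old
    return inv

def compose(p, q):
    """Re-labeling that applies q first, then p."""
    return [p[q[i]] for i in range(len(q))]

class Prover:
    def __init__(self, g1, sigma, rng):
        self.g1, self.sigma_inv, self.rng = g1, inverse(sigma), rng

    def commit(self, m):
        n = len(self.sigma_inv)
        self.pis = [self.rng.sample(range(n), n) for _ in range(m)]
        return [relabel(self.g1, pi) for pi in self.pis]      # H_i = pi_i(G1)

    def respond(self, choices):
        # a = 1: reveal pi_i. a = 2: reveal pi_i after sigma^-1, mapping G2 to H_i.
        return [pi if a == 1 else compose(pi, self.sigma_inv)
                for pi, a in zip(self.pis, choices)]

def verify(g1, g2, hs, choices, maps):
    n = len(maps[0])
    return all(sorted(mp) == list(range(n))                    # must be a permutation
               and relabel(g1 if a == 1 else g2, mp) == h
               for h, a, mp in zip(hs, choices, maps))

# Constructed instance: a 4-node path and a re-labeled copy of it.
G1 = frozenset({(0, 1), (1, 2), (2, 3)})
SIGMA = [1, 0, 2, 3]              # the prover's secret re-labeling
G2 = relabel(G1, SIGMA)

def run(m, seed, honest=True):
    rng = random.Random(seed)
    prover = Prover(G1, SIGMA, rng)
    hs = prover.commit(m)
    choices = [rng.choice((1, 2)) for _ in range(m)]
    # A prover that does not use sigma can only answer a = 1 rounds.
    maps = prover.respond(choices) if honest else prover.pis
    return verify(G1, G2, hs, choices, maps), choices
```

A prover without the secret re-labeling passes only when every challenge happens to be 1, which is why the m rounds drive the cheating probability down to 2^-m.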

Slide 6: SRP
- Client authenticated by short password
- Motivated by ZK, although not the same
- Server and client agree on p, g and hash function h
- Server sends random salt
- Client sends g^a mod p
- Server computes x = h(password, salt), B = g^b + g^x mod p. Server sends B.
- Client computes g^x mod p, both sides compute u = h(B)
- Client computes shared = (B − g^x)^(a+ux) mod p
- Server computes shared = (g^a · g^(xu))^b mod p
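
The message flow on the slide above, as an added example that is not part of the original slides. The modulus, generator and SHA-256 encoding are constructed demo choices, and the public-value check comes from SRP-6 (RFC 5054), not from the slide.

```python
import hashlib
import secrets

# Constructed demo parameters: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def h(*parts) -> int:
    """Hash function h from the slide, here SHA-256 over the encoded parts."""
    d = hashlib.sha256()
    for part in parts:
        d.update(part if isinstance(part, bytes) else str(part).encode())
        d.update(b"|")
    return int.from_bytes(d.digest(), "big")

def valid_public(value: int) -> bool:
    """SRP-6 rule: abort if the peer's public value is 0 mod p.
    A zero g^a would fix the server's shared value at 0 for any password."""
    return value % P != 0

def srp_run(client_password: str, server_password: str):
    """Run both sides and return (client_shared, server_shared)."""
    salt = secrets.token_bytes(16)                      # server -> client
    a = secrets.randbelow(P - 2) + 1
    A = pow(G, a, P)                                    # client -> server: g^a
    b = secrets.randbelow(P - 2) + 1
    x_server = h(server_password, salt)
    B = (pow(G, b, P) + pow(G, x_server, P)) % P        # server -> client: g^b + g^x
    if not (valid_public(A) and valid_public(B)):
        raise ValueError("degenerate public value")
    u = h(B)                                            # both sides
    x_client = h(client_password, salt)
    client = pow((B - pow(G, x_client, P)) % P, a + u * x_client, P)
    server = pow(A * pow(G, x_server * u, P) % P, b, P)
    return client, server
```

With the right password both sides reach g^(b(a+ux)); with a wrong one the client strips the wrong g^x from B and the two values differ.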

Slide 7: Special attacks to conclude
- Fault attack – induce some fault in operation of target and hope for good results
- Examples
  - Original hardware jailbreak of iPhone
  - Power spike during access control run
  - RSA-CRT computation – error in computation on p, but not on q
- Side channel attacks – overview
- Power analysis
  - Simple power analysis of exponentiation
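
The RSA-CRT case on the slide above, seen from the signer's side, as an added example that is not part of the original slides. The key is a constructed toy key and the fault is simulated by perturbing the mod-p half; the block shows the verify-before-release check that stops a faulty signature from leaving the device.

```python
# Constructed toy key, for illustration only.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_crt(m: int, fault_in_p: bool = False) -> int:
    """RSA signature via CRT: two half-size exponentiations, then recombination."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault_in_p:
        sp = (sp + 1) % P            # simulated glitch in the mod-p half only
    # Garner recombination: result is sp mod P and sq mod Q.
    h = (pow(Q, -1, P) * (sp - sq)) % P
    return (sq + Q * h) % N

def half_checks(m: int, s: int):
    """Return (correct mod p, correct mod q) for s^e against m."""
    se = pow(s, E, N)
    return (se % P == m % P, se % Q == m % Q)

def release_signature(m: int, fault_in_p: bool = False):
    """Countermeasure: verify with the public exponent before output.
    Returns the signature, or None when the result does not verify."""
    s = sign_crt(m, fault_in_p)
    if pow(s, E, N) != m % N:
        return None
    return s
```

A glitched run is still correct modulo q but wrong modulo p, so the full public-key check fails and nothing is released.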