Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Slides:



Advertisements
Similar presentations
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Advertisements

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin Jens Groth University College London Markulf Kohlweiss Microsoft Research TexPoint fonts.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
1 Deniable Ring Authentication Moni Naor Weizmann Institute of Science.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Lecture 12 Commitment Schemes and Zero-Knowledge Protocols Stefan Dziembowski University of Rome La Sapienza critto09.googlepages.com.
Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.
Fine-Tuning Groth-Sahai Proofs Alex Escala Scytl Secure Electronic Voting Jens Groth University College London.
(Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
SAR-SSI, 16/05/2014Cristina Onete CIDRE Keep your friends close with distance-bounding protocols.
Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study.
Rennes, 23/10/2014 Cristina Onete Graded Exercises & Authentication.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.
Topic 23: Zero-Knowledge Proof and Cryptographic Commitment
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
SANDRA GUASCH CASTELLÓ PHD EVOTING WORKSHOP LUXEMBOURG, 15-16/10/2012 SUPERVISOR: PAZ MORILLO BOSCH Verifiable Mixnets.
New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
On Simulation-Sound Trapdoor Commitments Phil MacKenzie, Bell Labs Ke Yang, CMU.
Multi-Party Proofs and Computation Based in part on materials from Cornell class CS 4830.
Zero Knowledge Proofs Matthew Pouliotte Anthony Pringle Cryptography November 22, 2005 “A proof is whatever convinces me.” -~ Shimon Even.
Non-interactive quantum zero-knowledge proofs
Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai.
 5.1 Zero-Knowledge Proofs  5.2 Zero-Knowledge Proofs of Identity  5.3 Identity-Based Public-Key Cryptography  5.4 Oblivious Transfer  5.5 Oblivious.
Zero Knowledge r Two parties:  All powerful prover P  Polynomially bounded verifier V r P wants to prove a statement to V with the following properties:
Feige-Fiat-Shamir Zero Knowledge Proof Based on difficulty of computing square roots mod a composite n Given two large primes p, q and n=p * q, computing.
IP, (NON)ISOGRAPH and Zero Knowledge Protocol COSC 6111 Advanced Algorithm Design and Analysis Daniel Stübig.
Topic 36: Zero-Knowledge Proofs
On the Size of Pairing-based Non-interactive Arguments
Helger Lipmaa University of Tartu, Estonia
cryptographic protocols 2014, lecture 12 Getting full zero knowledge
Enabling Full Transactional Privacy with
Fiat-Shamir for Highly Sound Protocols is Instantiable
Post-Quantum Security of Fiat-Shamir
Short Pairing-based Non-interactive Zero-Knowledge Arguments
Presentation transcript:

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge

 What is zero-knowledge? Preuve à divulgation nulle de connaissance: “un protocole […] dans lequel une entité […] prouve […] à une autre entité […] qu’une pro- position est vraie sans […] révéler une autre information.” Wikipedia, fr.wikipedia.org Zero-knowledge proof: “a method by which one party […] can prove to another party […] that a […] statement is true, without conveying any [further] information” Wikipedia, en.wikipedia.org Cristina Onete || 24/10/2014 || 2

 So far ProverVerifier chg resp  No anonymity:  Anonymity in a ring:  Anonymity and traceability:  Now: Deniability/Zero-Knowledge! Cristina Onete || 24/10/2014 || 3

 Prover Verifier without revealing anything else  Example 1: finite fields Cristina Onete || 24/10/2014 || 4

 Prover Verifier  Example 2: RSA Cristina Onete || 24/10/2014 || 5

 Prover Verifier  Example 3: Composition Cristina Onete || 24/10/2014 || 6

 Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

 Commitment Schemes AliceBob  Example : Alice and Bob must agree who will clean tonight They are at their offices. Each tosses a coin & they call:  If tosses are the same, then Alice cleans  If tosses are different, then Bob cleans Who talks first? Bob Alice Cristina Onete || 24/10/2014 || 8

 Commitment Schemes Alice Bob  Alice and Bob toss Alice talks first Bob talks first Bob Alice  How can we avoid this? Bob says he tossed the same value Alice says she tossed the opposite value Cristina Onete || 24/10/2014 || 9

 Commitment Schemes AliceBob  Commitment: an envelope with a strange seal Alice talks first Commit phase: she hides toss in envelope, gives it to Bob Reveal phase: Alice tells Bob how to unseal envelope Bob reveals toss Bob cleans Cristina Onete || 24/10/2014 || 10

 Commitment Schemes AliceBob  Properties: Hiding: The content of the envelope is not visible Bob doesn’t know anything about Alice’s toss Binding: Alice can’t change the content in the envelope Alice can’t cheat after getting Bob’s toss Cristina Onete || 24/10/2014 || 11

 Commitment Schemes Alice Bob  Formally:  Commitment hiding: ……………………  Commitment binding: Cristina Onete || 24/10/2014 || 12

 Pedersen Commitments AliceBob …………………… Impossible Cristina Onete || 24/10/2014 || 13

 Pedersen Commitments AliceBob ……………………  Hiding: Cristina Onete || 24/10/2014 || 14

 DLog-based Commitments AliceBob ……………………  Computationally hiding: DLog  Perfectly binding by construction Cristina Onete || 24/10/2014 || 15

 Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

 Sigma Protocols: Structure Prover Verifier Cristina Onete || 24/10/2014 || 17

 Sigma Protocols: Properties Prover Verifier  Completeness:  (Special) soundness:  Honest verifier zero-knowledge (HVZK): Cristina Onete || 24/10/2014 || 18

 Schnorr’s Protocol Prover Verifier  Completeness: Cristina Onete || 24/10/2014 || 19

 Schnorr’s Protocol Prover Verifier  Special Soundness: Cristina Onete || 24/10/2014 || 20

 Schnorr’s Protocol Prover Verifier  HVZK: The conversation is valid and identically distributed Cristina Onete || 24/10/2014 || 21

 Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

 Parallel Composition  Goal: larger challenge space Prover Verifier  Verification is done in parallel: Cristina Onete || 24/10/2014 || 23

 AND Composition  Goal: Proof for more than 1 witness Prover Verifier  Verification is done as follows: Cristina Onete || 24/10/2014 || 24

 EQ-Composition  Goal: Prove your witness fulfills two conditions Prover Verifier  Verification is done as follows: Cristina Onete || 24/10/2014 || 25

 OR-Composition  Goal: the witness fulfills one of two conditions We won’t reveal which, however Prover Verifier  Idea: split challenge in two, do one proof, simulate other  Verification is done as follows: Cristina Onete || 24/10/2014 || 26

 OR-Composition of Schnorr Prover Verifier Real Simulated Simulation as in HVZK ? ? ? Real Schnorr protocol run Cristina Onete || 24/10/2014 || 27

 Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

 The Fiat-Shamir Heuristic  So far: interactive protocols, need random challenge Prover Verifier Prover Verifier Fiat-Shamir heuristic  Choose clever way to control challenge! Cristina Onete || 24/10/2014 || 29

  Recall: SScheme = (KGen, Sign, Vf)  Correctness: honest signatures should always verify  Unforgeability: cannot sign fresh message without sk  Secure if H outputs pseudorandom strings! Cristina Onete || 24/10/2014 || 30

 Further reading  Zero-Knowledge Proofs of Knowledge: S. Brands, ‘97: “Rapid Demonstration of Linear Relations Connec- ted by Boolean Operators”  Trapdoor commitment schemes Di Crescenzo, Ishai, Ostrovsky, ‘98: “Non-interactive and Non- Malleable Commitment” U. Feige, A. Fiat, A. Shamir, ‘88: “Zero Knowledge Proofs of Identity” Fischlin, Fischlin, 2000: “Efficient Non-Malleable Commitment Schemes” Cristina Onete || 24/10/2014 || 31

 Some exercises:  Commitment schemes:  Sigma protocols: Show that the following protocol is a Sigma protocol: Prover Verifier Cristina Onete || 24/10/2014 || 32

 Some more exercises: Is the following protocol a Sigma protocol? Prover Verifier Cristina Onete || 24/10/2014 || 33

CIDRE Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.