Presentation is loading. Please wait.

Presentation is loading. Please wait.

Online/Offline OR Composition of ∑-Protocols

Published byChristopher Lawrence Modified over 6 years ago

Similar presentations

Presentation on theme: "Online/Offline OR Composition of ∑-Protocols"— Presentation transcript:

1 Online/Offline OR Composition of ∑-Protocols
Michele Ciampi DIEM Università di Salerno ITALY Giuseppe Persiano DISA-MIS Università di Salerno ITALY Alessandra Scafuro Boston University and Northeastern University USA Luisa Siniscalchi DIEM Università di Salerno ITALY Ivan Visconti DIEM Università di Salerno ITALY

2 Proofs of Knowledge (PoKs)
A fundamental crypto tool with many applications Identification Schemes Simulation-Based Security E-Voting Systems Useful in cryptography when the witness is protected: Witness Indistinguishable (WI), Witness Hiding (WH), Zero Knowledge (ZK) e.g., prove knowledge of one thing OR another thing OR …

3 Proofs of Knowledge (PoKs)
Observation: neither [LS90] nor [Schnorr89] need theorem+ witness Observation: [LS90] and [Schnorr89] need the theorem and witness only in the last round In theory In practice x∈L ∑-protocol for R x= gy P V gr c r+cy e.g. Discret Log [Schnorr89]) “(x, y) in RDlog” G NP-reduction x “(G, C) in RHAM” WI Proof of Knowledge of Hamiltonicity [Blum86, LapidotShamir90] P V m1 m2 m3

4 ∑-protocol for relation R
x P(w) V Completeness SHVZK Sim(x,c)⇒ Special Soundness a c z a’ c z’ x, (a c z) x, (a c’ z’) w: (x,w)∈ R

5 WI Proof of Knowledge of Hamiltonicity
R0 OR R1 Consider the ∑-protocols 𝛴0 and 𝛴1 for R0 and R1 and compile them using [CramerDamgardSchoenmakers94] G NP-reduction (x0 V x1) WI Proof of Knowledge of Hamiltonicity [Blum86, LS90] P In theory In practice In both cases you get 3 rounds, WI and PoK “(G, C) in RHAM”

6 x0 and x1 are needed already No need to know any theorem
R0 OR R1: The Gap In theory In practice G NP-reduction (x0 V x1) WI Proof of Knowledge of Hamiltonicity [Blum86, LS90] P Consider the ∑-protocols 𝛴0 and 𝛴1 for R0 and R1 and compile them using [CramerDamgardSchoenmakers94] “(G, C) in RHAM” x0 and x1 are needed already at the 1rd round No need to know any theorem already at the 1rd round

7 R0 OR R1: The Gap In theory In practice [LS90] [CDS94]
Delayed-Input Completeness Completeness

8 Delayed-Input Completeness
x (w) P V a c z

9 R0 OR R1: The Gap In theory In practice [LS90] [CDS94]
Delayed-Input Completeness Adaptive-Input Proof of Knowledge Completeness Proof of Knowledge

10 Adaptive-Input PoK P* Extractor x x’ a x (a,c,z) c’ c x’ (a,c’,z’) z
w witness for x

11 R0 OR R1: The Gap In theory In practice [LS90] [CDS94]
Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Completeness Proof of Knowledge Witness Indistinguishable

12 Adaptive-Input WI (x,w1,w2) P (wb) V* a c z w1,w2 witnesses for x

13 R0 OR R1: The Gap In theory In practice [LS90] [CDS94]
Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Assumption: OWP Completeness Proof of Knowledge Witness Indistinguishable Assumption: none

14 R0 OR R1: The Gap In theory In practice [LS90] [CDS94]
Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Assumption: OWP Requires NP-reduction and gives Computational WI Completeness Proof of Knowledge Witness Indistinguishable Assumption: none No NP-reduction and gives Perfect WI

15 R0 OR R1: The Gap In theory In practice [LS90] [CDS94]
Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Assumption: OWP Requires NP-reduction and gives Computational WI Applicable to All NP Completeness Proof of Knowledge Witness Indistinguishable Assumption: none No NP-reduction and gives Perfect WI Restricted to ∑-protocols

16 R0 OR R1 The Gap Recently Delayed-Input completeness is widely used
A larger protocols using [CDS94] instead of [LS90] may have a worse round complexity e.g. [Pass – Eurocrypt 03], [KaOs – Crypto 04], [YuZh – Eurocrypt 07][ScVi – Eurocrypt 12][GRRV – FOCS 14]… [GMPP16 – tomorrow], [Kiayias0Z15 – CCS15], [BBKPV16 – eprint]… Recently Delayed-Input completeness is widely used

17 1) From PoK to Adaptive-Input PoK
Our Results 1) From PoK to Adaptive-Input PoK 2) Bridging the gap

18 Our First Result: from PoK to Adaptive-Input PoK
∑-Protocols (in general) are not Adaptive-Input PoK x= gy P* gr c z=r+cy Extractor c’ x’= gy’ z’=r+c’y’ Issue observed in [BernhardPereiraWarinschi12] about weak Fiat-Shamir transform

19 Our Transform From PoK to Adaptive-Input PoK P V gr’ gr c z=r’+cr
x= gy P gr c z=r+cy V gr’ z=r’+cr Our transform applies to the class described in [Cramer96, Maurer15, CramerDamgard98] e.g. Schnorr, Guillou–Quisquater, Diffie–Hellman, Multiplication proof for pedersen commitments, …

20 1) From PoK to Adaptive-Input PoK
Our Results 1) From PoK to Adaptive-Input PoK 2) Bridging the gap

21 R0 OR R1: Bridging the Gap In theory In practice [LS90] [CDS94]
Delayed-Input Completeness Adaptive-Input PoK Adaptive-Input WI Assumption: OWP Works with multiple OR compositions Requires NP-reduction and gives Computational WI Applicable to All NP Completeness Proof of Knowledge Witness Indistinguishable Assumption: none Works with multiple OR compositions No NP-reduction and gives Perfect WI Restricted to ∑-protocols [CPS+ TCC 2016-A] This work Semi-Delayed Input Completeness Proof of Knowledge Semi-Adaptive Input WI: one of two instances is adaptively chosen by V* Assumption: none Works with only one OR composition No NP-reduction and gives Perfect WI Restricted to (a large class of) ∑-protocols Delayed-Input Completeness: All input ∑-protocols have to be Delayed-Input Proof of Knowledge Adaptive-Input WI Assumption: DDH Works with multiple OR compositions No NP-reduction and gives Computational WI Restricted to (a large class of) ∑-protocols

22 Comparison: Summary Adaptive WI OWP Delayed-Input (all adaptive)
Assumption Completeness Adaptive WI Adaptive PoK Online Efficiency [LS90] OWP Delayed-Input (all adaptive) k out of n NP-reduction [CDS94] / k out of n* Entire protocol [CPSSV16] Semi-Delayed Input (1 adaptive) This work DDH <=CDS94

23 Our Construction: Tools
At least k are perfectly binding Sen Rec com=((com1, com2, …, comn), 𝚷) n-k commitments can be equivocated (K,N) Trapdoor Commitment ⅀: Delayed-Input ∑-protocol for the relation R Sim⅀: SHVZK simulator for ⅀ ComKN(m1, m2, …, mn) OpenKN(m1*, m2*, …, mn-k*) com dec

24 Our Construction: Main Idea
e.g. k=1, n=2 R OR R P V x1,x2 P⅀ a1, a2 com=ComKN(a1, a2) c wb P⅀(xb,wb,a1, c) z1 Sim⅀(x1-b,c) a* z* a1 OpenKN(com, a*) dec -Is dec a valid opening for a* and a1 w.r.t com? -Is (a*, c ,z*) accepting for ⅀? -Is (a1, c ,z1) accepting for ⅀?

25 How to Construct an Efficient (K,N) Trapdoor Commitment
(ga,gb,gab) ≈ (ga,gb,gc) How to Construct an Efficient (K,N) Trapdoor Commitment Ingredient 1: DDH DH tuple non-DH tuple

26 How to Construct an Efficient (K,N) Trapdoor Commitment
Ingredient 2: Instance dependent trapdoor commitment (IDTC) from DDH Given T=(ga,gb,gc) Com(T,m) ⇒ dec, com Binding Perfect Hiding Computational If T is NDH Binding Computational Equivocal If T is DH Constructions of IDTC follow directly from known constructions of Trapdoor Commitments from ∑-Protocols [Dam10, HL10, DN02]

27 How to Construct an Efficient (K,N) Trapdoor Commitment
At least k are perfectly binding Select T1, T2, …, Tn Run Com(Ti,mi) ⇒ (deci,comi) for i=1,…,n and send (com1, com2, …, comn) Prove with 𝚷 that at least k of the n tuples T1, T2, …, Tn are non-DH (prove with [CDS94]) Sen Rec (com1, com2, …, comn), 𝚷

28 Prove with 𝚷 that at least k of the n tuples T1, T2, …, Tn are non-DH
e.g. k=1, n=2 T1=(ga1,gb1,gc1) T1’=(ga1,gb1,ga1・b1) T2’=(ga2,gb2,gc3) T2=(ga2,gb2,gc2) P V 𝚷CDS94: “T1’ is DH OR T2’ is DH” V accept ⇔ One out of T1, T2 is a non-DH tuple

29 More Results of Our Work
Our previous construction woks for any (k,n) In the paper you can also find a construction that works for different NP-relations (e.g. RDlog or RDH) (This construction is non-trivial ad uses as a sub-protocol the construction showed before) We give also a compiler that transform a ∑-Protocol (belonging to the class described in [Cra96, Mau15, CD98]) in an Adaptive-Input PoK Open problem Is it possible to extend adaptive PoK to a larger class of ∑- Protocols?

30 thanks

Download ppt "Online/Offline OR Composition of ∑-Protocols"

Similar presentations

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Nir Bitansky and Omer Paneth. Interactive Proofs.

Nir Bitansky and Omer Paneth. Interactive Proofs.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Similar presentations

Ads by Google