Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Published byAngelo Bentley Modified over 9 years ago

Similar presentations

Presentation on theme: "Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge."— Presentation transcript:

1 Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge

2  What is zero-knowledge? Preuve à divulgation nulle de connaissance: “un protocole […] dans lequel une entité […] prouve […] à une autre entité […] qu’une pro- position est vraie sans […] révéler une autre information.” Wikipedia, fr.wikipedia.org Zero-knowledge proof: “a method by which one party […] can prove to another party […] that a […] statement is true, without conveying any [further] information” Wikipedia, en.wikipedia.org Cristina Onete || 24/10/2014 || 2

3  So far ProverVerifier chg resp  No anonymity:  Anonymity in a ring:  Anonymity and traceability:  Now: Deniability/Zero-Knowledge! Cristina Onete || 24/10/2014 || 3

4  Prover Verifier without revealing anything else  Example 1: finite fields Cristina Onete || 24/10/2014 || 4

5  Prover Verifier  Example 2: RSA Cristina Onete || 24/10/2014 || 5

6  Prover Verifier  Example 3: Composition Cristina Onete || 24/10/2014 || 6

7  Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

8  Commitment Schemes AliceBob  Example : Alice and Bob must agree who will clean tonight They are at their offices. Each tosses a coin & they call:  If tosses are the same, then Alice cleans  If tosses are different, then Bob cleans Who talks first? Bob Alice Cristina Onete || 24/10/2014 || 8

9  Commitment Schemes Alice Bob  Alice and Bob toss Alice talks first Bob talks first Bob Alice  How can we avoid this? Bob says he tossed the same value Alice says she tossed the opposite value Cristina Onete || 24/10/2014 || 9

10  Commitment Schemes AliceBob  Commitment: an envelope with a strange seal Alice talks first Commit phase: she hides toss in envelope, gives it to Bob Reveal phase: Alice tells Bob how to unseal envelope Bob reveals toss Bob cleans Cristina Onete || 24/10/2014 || 10

11  Commitment Schemes AliceBob  Properties: Hiding: The content of the envelope is not visible Bob doesn’t know anything about Alice’s toss Binding: Alice can’t change the content in the envelope Alice can’t cheat after getting Bob’s toss Cristina Onete || 24/10/2014 || 11

12  Commitment Schemes Alice Bob  Formally:  Commitment hiding: ……………………  Commitment binding: Cristina Onete || 24/10/2014 || 12

13  Pedersen Commitments AliceBob …………………… Impossible Cristina Onete || 24/10/2014 || 13

14  Pedersen Commitments AliceBob ……………………  Hiding: Cristina Onete || 24/10/2014 || 14

15  DLog-based Commitments AliceBob ……………………  Computationally hiding: DLog  Perfectly binding by construction Cristina Onete || 24/10/2014 || 15

16  Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

17  Sigma Protocols: Structure Prover Verifier Cristina Onete || 24/10/2014 || 17

18  Sigma Protocols: Properties Prover Verifier  Completeness:  (Special) soundness:  Honest verifier zero-knowledge (HVZK): Cristina Onete || 24/10/2014 || 18

19  Schnorr’s Protocol Prover Verifier  Completeness: Cristina Onete || 24/10/2014 || 19

20  Schnorr’s Protocol Prover Verifier  Special Soundness: Cristina Onete || 24/10/2014 || 20

21  Schnorr’s Protocol Prover Verifier  HVZK: The conversation is valid and identically distributed Cristina Onete || 24/10/2014 || 21

22  Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

23  Parallel Composition  Goal: larger challenge space Prover Verifier  Verification is done in parallel: Cristina Onete || 24/10/2014 || 23

24  AND Composition  Goal: Proof for more than 1 witness Prover Verifier  Verification is done as follows: Cristina Onete || 24/10/2014 || 24

25  EQ-Composition  Goal: Prove your witness fulfills two conditions Prover Verifier  Verification is done as follows: Cristina Onete || 24/10/2014 || 25

26  OR-Composition  Goal: the witness fulfills one of two conditions We won’t reveal which, however Prover Verifier  Idea: split challenge in two, do one proof, simulate other  Verification is done as follows: Cristina Onete || 24/10/2014 || 26

27  OR-Composition of Schnorr Prover Verifier Real Simulated Simulation as in HVZK ? ? ? Real Schnorr protocol run Cristina Onete || 24/10/2014 || 27

28  Contents  Sigma Protocols Structure Properties  Composition of Sigma Protocols Schnorr’s protocol Parallel composition AND composition EQ and OR compositions  The Fiat-Shamir heuristic  Commitment Schemes

29  The Fiat-Shamir Heuristic  So far: interactive protocols, need random challenge Prover Verifier Prover Verifier Fiat-Shamir heuristic  Choose clever way to control challenge! Cristina Onete || 24/10/2014 || 29

30   Recall: SScheme = (KGen, Sign, Vf)  Correctness: honest signatures should always verify  Unforgeability: cannot sign fresh message without sk  Secure if H outputs pseudorandom strings! Cristina Onete || 24/10/2014 || 30

31  Further reading  Zero-Knowledge Proofs of Knowledge: S. Brands, ‘97: “Rapid Demonstration of Linear Relations Connec- ted by Boolean Operators”  Trapdoor commitment schemes Di Crescenzo, Ishai, Ostrovsky, ‘98: “Non-interactive and Non- Malleable Commitment” U. Feige, A. Fiat, A. Shamir, ‘88: “Zero Knowledge Proofs of Identity” Fischlin, Fischlin, 2000: “Efficient Non-Malleable Commitment Schemes” Cristina Onete || 24/10/2014 || 31

32  Some exercises:  Commitment schemes:  Sigma protocols: Show that the following protocol is a Sigma protocol: Prover Verifier Cristina Onete || 24/10/2014 || 32

33  Some more exercises: Is the following protocol a Sigma protocol? Prover Verifier Cristina Onete || 24/10/2014 || 33

34 CIDRE Thanks!

Download ppt "Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge."

Similar presentations

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.

Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures.

Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

Similar presentations

Ads by Google