Presentation is loading. Please wait.

Presentation is loading. Please wait.

TOWARDS PRACTICAL (GENERIC) ZERO-KNOWLEDGE Claudio Orlandi – Aarhus University.

Published byOlivia Watts Modified over 9 years ago

Similar presentations

Presentation on theme: "TOWARDS PRACTICAL (GENERIC) ZERO-KNOWLEDGE Claudio Orlandi – Aarhus University."— Presentation transcript:

1 TOWARDS PRACTICAL (GENERIC) ZERO-KNOWLEDGE Claudio Orlandi – Aarhus University

2 In this talk: 3 simple ideas from  Jawurek, Kerschbaum, Orlandi  Zero-Knowledge from Garbled Circuits, CCS 2013  Frederiksen, Nielsen, Orlandi  Privacy-Free Garbled Circuits, EUROCRYPT 2015  Chuo, Orlandi  The Simplest OT Protocol, ePrint (next week?)

3 Jawurek, Ferschbaum, Orlandi CCS 2013 Zero-Knowledge from Garbled Circuits

4 Zero-Knowledge Protocols  IP/ZK – GMR85  Revolutionary idea in cryptography and CS  Soundness:  even a corrupted P cannot prove false statements  Zero-Knowledge:  even a corrupted V only learns that the statement is true (and not why)  Important in practice  Authentication  Essential component in complex protocols  What about efficiency?

5 Zero-Knowledge Protocols  Many examples of efficient ZK for algebraic languages  Discret Logarithm  RSA  Lattice ...  What about non-algebraic statements?  How do I prove ”I know x s.t. y=SHA(x)”?  This work tries to fill this gap!

6 Related Work  IKOS’07  ZK from (honest majority) MPC  First step towards the ”MPC in the head” approach  Efficient NIZK/SNARK (GOS06,GGPPR13,…)  Non-interactive  Require heavy public key operations per gate 

7 Zero-Knowledge vs Secure 2PC A B f,xf,y f(x,y) P V x,w R(x,w) = true x

8 Garbled Circuits Ev De Gb En f x [F] e d [X] [Z] z Correct if z=f(x) Values in a box are “garbled”

9 OT [F y ] x e [X] [Z][Z] ([F y ],e,d)  Gb( f(·,y) ) z  De([Z],d) [Z]  Ev([F y ],[X]) 2PC from GC (Yao’s protocol) Alice Bob Soundness: If A is corrupted and [Z*]  A([F],[X]), then De([Z*],d) is either f(x) or “  ” B could garble a “malicious” function g≠f e.g. g(x)= lsb(x)

10 2PC secure against active adversaries? How can Bob prove that he garbled f without revealing any extra information?  Plenty of (costly) solutions are known for 2PC  Zero-Knowledge  Cut-and-choose  Etc.  Can we do better for ZK?

11 ZK based on GC  The main idea:  In ZK the verifier (Bob) has no secrets!  After the protocol, Bob can reveal all his randomness.  Alice can simply check that Bob behaved honestly by redoing his entire computation.

12 OT [F] we [W] Com([Z]) ([F],e,d)  Gb( f,r ) z  De([Z],d) [Z]  Ev([F],[W]) Prover Verifier If [F]=Gb(f,r) (and check OTs) [Z] Prover work ~ 2x passive Yao (else abort) reveal r, e Verifier work ~ Passive Yao Communication ~ Passive Yao

13 CCS Implementations  Code not open-source, but easily reproducible  FastGC garbled circuits implementation  Smart-Tillich optimized circuits: AES, MD5, SHA…  GCParser to combine the two above  SCAPI for implementing OT (using elliptic curves)

14 Runtime (rough estimates)  Proof of “c=AES(k,m)” for secret k and public (c,m)  AES: 35k gates (7k ANDs/28k XORs)  Communication: 204kB (98% GC)  Runtime:  OT: 29.4ms (Using Chou-Orlandi OT) (|w|=128)  Garbling: 721µs (Using JustGarble GaXR)  Eval: 273 µs  Total (Garble+OT+Eval+Garble) ~ 31.2ms (+network)

15 Frederiksen, Nielsen, Orlandi EUROCRYPT 2015 Privacy-Free Garbled Circuits

16 Garbled Circuits Ev De Gb En f x [F] e d [X] [Z] z Correct if z=f(x)

17 Main idea  In 2PC GC ensure that evaluator does not learn internal values  In Yao garbled circuits evaluation must be oblivious  But in ZK the prover knows all the input bits!  He also knows all internal wires values  Can we optimize?  Yes!

18 Garbling Schemes without Privacy  Conceptual contribution:  Natural separation between privacy and authenticity  Concrete efficiency:  Better constants in garbled circuit Can we construct garbling schemes tailored to specific applications, which are more efficient than Yao’s original construction?

19

20 Garbling a Circuit ([F],e,d)  Gb(f) K 1 0,K 1 1  Choose 2 random keys K i 0,K i 1 for each input wire  For each gate compute  (Z 0,Z 1,gg)  Gb(L 0,L 1,R 0,R 1 )  Output  e=(K i 0,K i 1 ) for all input wires  d=(Z 0,Z 1 )  [F]=(gg i ) for all gates i K 2 0,K 2 1 Z 0,Z 1 K i 0,K i 1

21 Evaluating a GC [Z]  Ev([F],[X]) K1aK1a  Parse [X] as (K 1 x1,K 2 x2,…) for all input wires  Parse [F] as (gg 1,gg 2, …) for all gates  For each gate compute  Z g(a,b)  Ev(L a,R b,gg)  Output  [Z]=Z’ K2bK2b Z’ KicKic

22 Garbling a Gate AND/XOR L 0,L 1 R 0,R 1 Z 0,Z 1  A (privacy-free) garbled gate is a gadget that given two inputs keys gives you the right output key (and nothing else)  (Z 0,Z 1,gg)  Gb(L 0,L 1,R 0,R 1 )  Z g(a,b)  Ev(L a,R b,gg)  //and not Z 1-g(a,b)

23 Garbling w/o free-XOR (GRR1) Gb_AND(L 0,L 1,R 0,R 1 )  Output keys:  Z 1 = H(L 1,R 1 )  Z 0 = H(L 0 )  Send:  C = Z 0 ⊕ H(R 0 ) Ev_AND(L x, R y, C)  If(x = y = 1) output Z 1 = H(L x, R y )  If(x = 0) output Z 0 = H(L x )  If(y = 0) output Z 0 = C ⊕ H(R y )

24 Garbling w/o free-XOR (GRR1) Gb_XOR(L 0,L 1,R 0,R 1 )  Output keys:  Z 0 = L 0 ⊕ R 0  Z 1 = L 0 ⊕ R 1  Send:  C = L 0 ⊕ R 0 ⊕ L 1 ⊕ R 1 Ev_XOR(L a, R b, C)  If(a = 0) output Z (a ⊕ b) = L a ⊕ R b  If(a = 1) output Z (a ⊕ b) = C ⊕ L a ⊕ R b

25 Conclusions & Open Problems  Still a lot to be done with garbling schemes!  Other specific purpose garbling schemes?  Non-interactive ZK (w/o PKE/gate)?

26 Chou, Orlandi coming soon on ePrint The Simplest Oblivious Transfer Protocol

27 Diffie Hellman Key Exchange X = g x K = H(Y x ) m Y = g y C = E(K,m) K = H(X y ) m = D(K,C) There is another key K’ = H( (X/Y) x ) which Bob cannot compute!

28 X = g x The Simplest OT protocol K 0 = H(Y x ) K 1 = H((X/Y) x ) m 0,m 1 C 0 = E(K 0,m 0 ) C 1 = E(K 1,m 1 ) b=0 : Y = g y b=1 : Y = X/g y b Y K b = H(X y ) m b = D(K b,C b ) E(( α, β ), m) = ( α + m, ( α + m) β )

29 The Simplest OT Protocol  Complexity:  Communication: 1ge/OT + 2 ctxt/OT + 1ge  Computation: 3 exp/OT + 3 H/OT + 2 exp  Security:  UC vs. active adversary with programmable RO  Performances: ~5000 OT/s  Implementation based on Bernstein’s Curve25519

Download ppt "TOWARDS PRACTICAL (GENERIC) ZERO-KNOWLEDGE Claudio Orlandi – Aarhus University."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Similar presentations

Ads by Google