Slide 1: ZK & ROM
Introduction to Modern Cryptography, Sharif University, Spring 2015
Data and Network Security Lab, Sharif University of Technology, Department of Computer Engineering
Author & Instructor: Mohammad Sadeq Dousti

Slide 2: Copyright Notice
• This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0.
• Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
  1. They credit the original author(s);
  2. Their work is used non-commercially;
  3. They license their work under CC BY-NC-SA 4.0.
• For further information, please consult:
  o https://creativecommons.org/licenses/by-nc-sa/4.0
  o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

Slide 3: Outline
• Some ZK Proofs
  o Proofs for GNI
  o Witness Independence
  o Witness Hiding
  o Proofs of Knowledge
  o Secure Identification
• Random Oracle Model
  o Definition
  o Construction of Signature from Identification
  o Construction of Encryption from TDP

Slide 4: Some ZK Proofs

Slide 5: Current state of complexity classes
[figure not in transcript: it places Graph Isomorphism (GI) and Graph Non-Isomorphism (GNI) among the complexity classes]

Slide 6: Graph Non-Isomorphism (GNI)
[figure not in transcript]

Slide 7: IPS #1 for GNI
• Common input: x = (G0, G1).
  o Let Vert = {1, …, n} be the set of vertices of G0 and G1.
• Verifier (V): Pick a random bit b and a random permutation π over Vert. Send H = π(G_b) to P.
• Prover (P): Send c to V such that H ≅ G_c. (P is computationally unbounded: it must decide which of G0, G1 is isomorphic to H.)
• Verification: c = b?
• The above interactive protocol is an IPS:
  o Perfect completeness: if G0 ≇ G1, exactly one G_c is isomorphic to H, and it is G_b.
  o Soundness error = ½: if G0 ≅ G1, H is isomorphic to both, and P can do no better than guess b.

Slide 8: IPS #1 is ZK for honest verifiers
• If V acts honestly (picks b and π at random), the following algorithm is a simulator for IPS #1:
  S(x):
  1. Pick a random tape r for V.
  2. Use r to pick b and π at random.
  3. Compute H = π(G_b).
  4. Output (x, r, H, b).
• Such proofs are called HVZK (Honest-Verifier ZK).
Assignment: Prove that the output of S is identically distributed with the view of (honest) V when x ∈ GNI.

Slide 9: IPS #1 is not ZK in general
• What if V* acts maliciously?
• For instance, V* can select an arbitrary graph H whose vertex set is Vert.
• Two possible cases:
  1. H is isomorphic to neither G0 nor G1.
  2. H is isomorphic to either G0 or G1.
• In case 1, P aborts the protocol.
  o V* obtains the knowledge "H ≇ G0 ⋀ H ≇ G1".
• In case 2, P sends a bit c.
  o V* obtains the knowledge "H ≅ G_c".
Assignment: Explain why there exists no simulator for IPS #1 with a general (possibly malicious) verifier. Hint: such a simulator would have to produce P's answer for an arbitrary H, i.e., decide in polynomial time whether H ≅ G0, H ≅ G1 or neither.
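Slides 7 to 9 as an added, runnable example (my code, not from the slides): the honest verifier, P's answer, the simulator S(x) of slide 8 driven by the same random tape r, and the malicious V* of slide 9. The following are assumptions of the example and not on the slides: vertices are {0, …, n−1} instead of {1, …, n}, the random tape r is modelled as an integer seed, the unbounded prover is a brute-force isomorphism search, and the sample graphs (a 4-cycle, a 4-vertex path and a star) are constructed here.

```python
import random
from itertools import permutations

# Graphs: frozensets of 2-element frozensets over vertices 0..n-1 (the slides use {1,..,n});
# a permutation p is a sequence with p[v] = image of v.

def permute(graph, p):
    return frozenset(frozenset(p[v] for v in e) for e in graph)

def rand_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return p

def find_iso(G, H, n):
    """The unbounded prover's tool: brute-force a permutation p with p(G) = H, or None."""
    for p in permutations(range(n)):
        if permute(G, p) == H:
            return list(p)
    return None

def prover(G, H, n):
    """P in IPS #1: the bit c with H ≅ G_c, or None (abort) if H is isomorphic to neither."""
    for c in (0, 1):
        if find_iso(G[c], H, n) is not None:
            return c
    return None

def real_view(G, n, r):
    """Honest V with random tape r (modelled as a seed): returns its view (r, H, c) and b."""
    rng = random.Random(r)
    b, pi = rng.randrange(2), rand_perm(n, rng)
    H = permute(G[b], pi)
    return (r, H, prover(G, H, n)), b

def simulator(G, n, r):
    """S(x) of slide 8: redo V's coin tosses from r and output b where P's answer would be."""
    rng = random.Random(r)
    b, pi = rng.randrange(2), rand_perm(n, rng)
    return (r, permute(G[b], pi), b)

def honest_runs(G, n, trials):
    """(#accepted runs, #runs whose real view equals the simulated view) over tapes 0..trials-1."""
    accepted = matches = 0
    for r in range(trials):
        view, b = real_view(G, n, r)
        accepted += (view[2] == b)
        matches += (simulator(G, n, r) == view)
    return accepted, matches

def malicious_verifier(G, H_star, n):
    """V* of slide 9 sends an arbitrary H* and learns its isomorphism class (or that P aborts)."""
    return prover(G, H_star, n)

# Constructed sample input: x = (C4, P4), a 4-cycle and a 4-vertex path, so x ∈ GNI.
N_VERT = 4
C4 = frozenset(frozenset((v, (v + 1) % 4)) for v in range(4))
P4 = frozenset(frozenset((v, v + 1)) for v in range(3))
X = (C4, P4)
X_ISO = (C4, permute(C4, [1, 3, 0, 2]))                   # G0 ≅ G1: x ∉ GNI, for the soundness check
K13 = frozenset(frozenset((0, v)) for v in range(1, 4))   # star: isomorphic to neither C4 nor P4

if __name__ == "__main__":
    print(honest_runs(X, N_VERT, 50))                      # (50, 50): complete, and S's output == real view
    print(honest_runs(X_ISO, N_VERT, 100)[0])              # roughly 50 of 100: P can only guess b
    print(malicious_verifier(X, permute(P4, [2, 0, 3, 1]), N_VERT))   # 1: V* learns H* ≅ G1
    print(malicious_verifier(X, K13, N_VERT))              # None: P aborts, V* learns H* ≇ G0, G1
```

For x ∈ GNI the real view (r, H, c) and S's output (r, H, b) coincide for every tape r, which is exactly the assignment of slide 8; for x ∉ GNI the same prover is right only about half of the time, the soundness error of ½. V* does not need π or b at all: it can submit any H* it obtained elsewhere and learn which G_c it is isomorphic to, which no simulator without P's unbounded power can reproduce.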

Slide 10: How to make IPS #1 zero knowledge?
• The verifier should prove that she acted honestly.
• The verifier's proof should satisfy two properties:
  1. Show that the verifier "knows" whether H is isomorphic to G0 or to G1, i.e., knows an isomorphism from one of them to H.
  2. Not reveal which of G0 or G1 is isomorphic to H.
• PROPERTY 1: The proof must be a proof of knowledge (PoK).
• PROPERTY 2: The proof must be a witness independent (WI) proof (witness indistinguishable in the terminology of [FS90]).
  o The distribution of the proof is identical regardless of whether the witness is an isomorphism from G0 or from G1.
  o Any (perfect) ZK proof is WI, too.

Slide 11: IPS #2: A ZK IPS for GNI
[protocol diagram not in transcript] Common input: x = (G0, G1). V sends H to P; then, as a sub-proof, V gives P a WI-PoK for (H ≅ G0 ⋁ H ≅ G1); if P accepts the sub-proof, P sends c with H ≅ G_c.

Slide 12: What is a proof of knowledge (PoK)?
• Up until now, we saw proofs of language membership.
  o The prover proves that the common input has a special property, making it eligible to belong to some language L.
  o Examples:
    – Input is a Blum integer.
    – Input is a pair of isomorphic graphs.
    – …
• We can conceive of proofs of knowledge too, where a machine proves that it "knows" something.
  o Example: Machine M knows the factorization of N.
  o What does it mean for a machine to know something?

Slide 13: Formalizing the knowledge of a machine
• 1st attempt: Machine M knows s if it can output s.
  o Problem: The program of M is fixed.
  o M may know s during its internal computations.
  o The program of M may never be meant to output s.
• Example: In the ZK proof for GI, the prover knows an isomorphism f between G0 and G1.
  o However, P never outputs f.

Slide 14: Formalizing the knowledge of a machine (Cont'd)
• 2nd attempt: Machine M knows s if there exists a PPT machine K such that K^M outputs s.
  o K has black-box access to M.
  o M is stateful.
  o K can set the input/random tapes of M.
  o K can reset M to its initial state, or rewind it to an earlier stage.
  o K is called the "knowledge extractor".
• The above definition is very informal!
  o In particular, the existential quantifier is misplaced: K must not depend on M, and it must succeed (with comparable probability) for every M that convinces the verifier.
  o The formal definition can be found in [BG93].
  o We try to exemplify the concept.

Slide 15: Knowledge extractor for the ZK proof of GI
[figure not in transcript]

Slide 16: WI-PoK for (H ≅ G0 ⋁ H ≅ G1)
[protocol diagram not in transcript; only P's verification rule and the assignment survive. From the rule: the sub-prover first sends two graphs J0, J1; P replies with a random bit d; the sub-prover then either opens both graphs as relabelled copies of G0 and G1, or exhibits an isomorphism from H to one of them.]
Prover's verification (P checks the sub-prover's answer to its challenge d):
  d = 0: for some i ∈ {0,1}, J0 = π0(G_i) and J1 = π1(G_{1-i}).
  d = 1: for some i ∈ {0,1}, J_i = σ(H).
Assignment:
  1. Show that this is an IPS for GI with soundness error ½.
  2. Present the knowledge extractor for the PoK.
  3. Show that the protocol is PZK for GI.
  4. Show that the protocol is WI for GI.
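The sub-proof of slide 16, together with the rewinding extractor that slide 15 asks for (the GI extractor works the same way: one commitment, both challenges), as an added example; this is my code, not the slides'. Since the diagram is missing, the message format is assumed from the verification rule: the sub-prover sends (J0, J1), receives d, and answers with (i, π0, π1) for d = 0 or with (k, σ) such that J_k = σ(H) for d = 1. Vertices are {0, …, n−1}, and the sample graphs (a 5-cycle, a star and a path) are constructed here.

```python
import random

# Graphs: frozensets of 2-element frozensets over vertices 0..n-1; a permutation p is a
# list with p[v] = image of v.  Message format assumed from the slide's verification rule:
#   sub-prover -> P : (J0, J1)       P -> sub-prover : d in {0,1}
#   answer, d = 0   : (i, pi0, pi1)  answer, d = 1   : (k, sigma) with J_k = sigma(H)

def permute(graph, p):
    return frozenset(frozenset(p[v] for v in e) for e in graph)

def rand_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return p

def compose(a, b):
    """(a o b)[v] = a[b[v]]: apply b first, then a."""
    return [a[b[v]] for v in range(len(b))]

def inverse(p):
    inv = [0] * len(p)
    for v, img in enumerate(p):
        inv[img] = v
    return inv

class ORProver:
    """Knows (b, pi) with H = pi(G_b); proves H ≅ G0 or H ≅ G1 without revealing b."""
    def __init__(self, G, H, b, pi, n, rng):
        self.G, self.H, self.b, self.pi, self.n, self.rng = G, H, b, pi, n, rng

    def commit(self):
        self.i = self.rng.randrange(2)                  # random order of the two copies
        self.p0, self.p1 = rand_perm(self.n, self.rng), rand_perm(self.n, self.rng)
        return (permute(self.G[self.i], self.p0), permute(self.G[1 - self.i], self.p1))

    def respond(self, d):
        if d == 0:                                      # open both copies
            return (self.i, self.p0, self.p1)
        k = 0 if self.i == self.b else 1                # J_k is the copy of G_b, hence of H
        pk = self.p0 if k == 0 else self.p1
        return (k, compose(pk, inverse(self.pi)))       # sigma = p_k o pi^{-1}, so sigma(H) = J_k

class CheatingProver:
    """No witness (H isomorphic to neither G_i): guesses d and can answer only that value."""
    def __init__(self, G, H, n, rng):
        self.G, self.H, self.n, self.rng = G, H, n, rng
        self.fake = ORProver(G, H, 0, list(range(n)), n, rng)   # wrong witness: d = 1 answers fail
    def commit(self):
        self.guess = self.rng.randrange(2)
        if self.guess == 0:
            return self.fake.commit()
        self.sigma = rand_perm(self.n, self.rng)
        return (permute(self.H, self.sigma), permute(self.G[1], rand_perm(self.n, self.rng)))
    def respond(self, d):
        if self.guess == 0:
            return self.fake.respond(d)
        return (0, self.sigma) if d == 1 else (0, self.sigma, self.sigma)

def prover_check(G, H, J, d, answer):
    """P's verification rule from slide 16."""
    if d == 0:
        i, p0, p1 = answer
        return J[0] == permute(G[i], p0) and J[1] == permute(G[1 - i], p1)
    k, sigma = answer
    return J[k] == permute(H, sigma)

def run_subproof(G, H, sp, rng, rounds=20):
    """Sequential repetition: a cheater survives each round with probability 1/2."""
    for _ in range(rounds):
        J = sp.commit()
        d = rng.randrange(2)
        if not prover_check(G, H, J, d, sp.respond(d)):
            return False
    return True

def extractor(G, H, sp):
    """Rewinding extractor: keep the commitment, obtain the answers to both d = 0 and
    d = 1, and combine them into an isomorphism from some G_j to H."""
    J = sp.commit()
    i, p0, p1 = sp.respond(0)
    k, sigma = sp.respond(1)                            # "rewind": same J, other challenge
    assert prover_check(G, H, J, 0, (i, p0, p1)) and prover_check(G, H, J, 1, (k, sigma))
    j = i if k == 0 else 1 - i                          # J_k = p_k(G_j) and J_k = sigma(H)
    pk = p0 if k == 0 else p1
    return j, compose(inverse(sigma), pk)               # H = (sigma^{-1} o p_k)(G_j)

def reveal_statistics(G, n, b, trials, seed=0):
    """WI check: fraction of d = 1 answers with k = 0; about 1/2 whatever the witness b is."""
    rng = random.Random(seed)
    pi = rand_perm(n, rng)
    sp = ORProver(G, permute(G[b], pi), b, pi, n, rng)
    zeros = 0
    for _ in range(trials):
        sp.commit()
        zeros += (sp.respond(1)[0] == 0)
    return zeros / trials

# Constructed sample: G0 = 5-cycle, G1 = star K_{1,4}, H_BAD = path P5 (isomorphic to neither).
N_VERT = 5
G0 = frozenset(frozenset((v, (v + 1) % 5)) for v in range(5))
G1 = frozenset(frozenset((0, v)) for v in range(1, 5))
H_BAD = frozenset(frozenset((v, v + 1)) for v in range(4))
X = (G0, G1)

def demo(seed=1):
    rng = random.Random(seed)
    b, pi = 1, rand_perm(N_VERT, rng)
    H = permute(X[b], pi)
    sp = ORProver(X, H, b, pi, N_VERT, rng)
    accepted = run_subproof(X, H, sp, rng)
    j, w = extractor(X, H, sp)
    cheated = run_subproof(X, H_BAD, CheatingProver(X, H_BAD, N_VERT, rng), rng)
    return accepted, j, permute(X[j], w) == H, cheated
```

`demo()` returns (True, 1, True, False): the honest sub-prover is accepted, the extractor recovers an isomorphism from G1 to H without ever being told b, and a prover with no witness fails 20 rounds. `reveal_statistics` is the WI property in numbers: in the d = 1 answer the revealed index k is 0 with frequency ½ whether the witness is G0 or G1, because k = 0 exactly when the sub-prover's secret random order i equals b.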

Slide 17: Parallel repetition
[figure not in transcript: the parallel version of the GI proof]
The ZK property is not preserved under parallel repetition in general. In particular, this (parallel) protocol is not ZK.

Slide 18: ZK Identification

Slide 19: ZK PoK for knowing a square root of I modulo N
[protocol figure not in transcript]

Slide 20: Parallel repetition for t times
[protocol figure not in transcript]
This protocol is called the Fiat–Shamir or Feige–Fiat–Shamir (FFS) protocol. [FFS88] also presents a much more efficient version of this protocol.

Slide 21: Random Oracles and Their Application

Slide 22: What are random oracles?
[slide content not in transcript]

Slide 23: Application #1: From ID to Signature
[construction not in transcript]
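Slides 19, 20 and 23 as one added example (my code, not the slides'): the square-root identification protocol with t rounds run in parallel, the knowledge extractor that rewinds to the same commitment, and the signature obtained by replacing the verifier's challenge bits with a hash of the commitments and the message, the random oracle being modelled by SHA-256. The toy modulus, one-bit challenges per round, the message and the bit-extraction from the hash are assumptions of the example.

```python
import hashlib
import random
from math import gcd

# Toy modulus (constructed for the example; a real N has 2048+ bits).  Square roots mod N
# are easy only with the factorization, so the prover's secret s = sqrt(I) is hard to find.
P, Q = 1019, 1021
N = P * Q

def rand_unit(rng):
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            return r

def keygen(rng):
    """Secret s in Z_N^*, public I = s^2 mod N."""
    s = rand_unit(rng)
    return s, pow(s, 2, N)

# --- identification protocol, t rounds in parallel (slides 19-20) ---

def id_commit(rng, t):
    """P: r_j random, x_j = r_j^2."""
    rs = [rand_unit(rng) for _ in range(t)]
    return rs, [pow(r, 2, N) for r in rs]

def id_respond(s, rs, es):
    """P: y_j = r_j * s^{e_j}."""
    return [(r * pow(s, e, N)) % N for r, e in zip(rs, es)]

def id_verify(I, xs, es, ys):
    """V: y_j^2 = x_j * I^{e_j} and y_j in Z_N^* (rejects the x_j = y_j = 0 cheat)."""
    return all(gcd(y, N) == 1 and pow(y, 2, N) == (x * pow(I, e, N)) % N
               for x, e, y in zip(xs, es, ys))

def cheat_commit(rng, I, t, guesses):
    """A prover without s guesses the challenge bits g_j: it picks y_j first and sets
    x_j = y_j^2 * I^{-g_j}; the round passes iff e_j = g_j, so all t pass with prob. 2^-t."""
    ys = [rand_unit(rng) for _ in range(t)]
    xs = [(pow(y, 2, N) * pow(pow(I, g, N), -1, N)) % N for y, g in zip(ys, guesses)]
    return xs, ys

def extract(I, xs, respond):
    """Knowledge extractor: with the commitment xs fixed, challenge round 1 with e = 0
    (y = r) and, after rewinding, with e = 1 (y' = r*s); then s = y'/y."""
    t = len(xs)
    y0 = respond([0] * t)[0]
    y1 = respond([1] * t)[0]
    s_prime = (y1 * pow(y0, -1, N)) % N
    assert pow(s_prime, 2, N) == I
    return s_prime

# --- signature via the random oracle (slide 23) ---

def challenge_bits(xs, msg, t):
    """H(x_1, ..., x_t, m), modelled by SHA-256, replaces V's coin tosses."""
    h = hashlib.sha256(b"|".join(str(x).encode() for x in xs) + b"|" + msg).digest()
    return [(h[j // 8] >> (j % 8)) & 1 for j in range(t)]

def sign(s, msg, rng, t=32):
    rs, xs = id_commit(rng, t)
    return xs, id_respond(s, rs, challenge_bits(xs, msg, t))

def verify_sig(I, msg, sig, t=32):
    xs, ys = sig
    return len(xs) == len(ys) == t and id_verify(I, xs, challenge_bits(xs, msg, t), ys)

def demo(seed=7, t=20):
    rng = random.Random(seed)
    s, I = keygen(rng)
    rs, xs = id_commit(rng, t)
    es = [rng.randrange(2) for _ in range(t)]
    honest_ok = id_verify(I, xs, es, id_respond(s, rs, es))
    cx, cy = cheat_commit(rng, I, t, [rng.randrange(2) for _ in range(t)])
    cheat_ok = id_verify(I, cx, [rng.randrange(2) for _ in range(t)], cy)
    s_prime = extract(I, xs, lambda es: id_respond(s, rs, es))   # black-box access to P
    msg = b"transfer 10 to Bob"                                   # constructed message
    sig = sign(s, msg, rng)
    return honest_ok, cheat_ok, s_prime == s, verify_sig(I, msg, sig), verify_sig(I, msg + b"0", sig)
```

`demo()` returns (True, False, True, True, False). The signature is only as good as the random-oracle modelling of `challenge_bits`: the signer must include the commitments in the hash input, otherwise it could pick the challenge first and run `cheat_commit` without knowing s.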

Slide 24: Application #2: From TDP to Encryption
[construction not in transcript]
Assignment: Prove that this construction is an IND-CPA secure encryption. To this end, present a reduction from an adversary who breaks IND-CPA security to an adversary who inverts the family of TDP. Hint: See THEOREM 13.2 of [KL08, p. 470].

Slide 25: Application #2: From TDP to Encryption (Cont'd)
[construction not in transcript]
Assignment: Prove that this construction is an IND-CCA secure encryption. To this end, present a reduction from an adversary who breaks IND-CCA security to an adversary who inverts the family of TDP or breaks the private-key encryption. Hint: See THEOREM 13.6 of [KL08, p. 474].
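Slides 24 and 25 as one added example (my code, not the slides'). The figures are missing, so the constructions are taken from the theorems the assignments cite: [KL08, Thm 13.2] concerns Enc_pk(m) = (f(r), H(r) ⊕ m) for random r in the domain of f, and [KL08, Thm 13.6] concerns Enc_pk(m) = (f(r), Enc'_{H(r)}(m)) with Enc' a CCA-secure private-key scheme; that these are the slides' constructions is an assumption. The toy RSA modulus as the TDP, SHA-256 standing in for the random oracle, and encrypt-then-MAC as Enc' are further assumptions of the example.

```python
import hashlib
import hmac
import random
from math import gcd

# Toy RSA trapdoor permutation f(r) = r^E mod N (constructed parameters; not secure).
P, Q, E = 1019, 1021, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def f(r):
    return pow(r, E, N)            # public direction

def f_inv(y):
    return pow(y, D, N)            # needs the trapdoor D

def rand_domain(rng):
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            return r

def H(label, r, length):
    """Random oracle modelled by SHA-256, output stretched with a counter; label separates uses."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"%s|%d|%d" % (label, r, ctr)).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- CPA-secure scheme of [KL08, Thm 13.2]: (f(r), H(r) xor m) ---

def enc_cpa(m, rng):
    r = rand_domain(rng)
    return f(r), xor(H(b"H", r, len(m)), m)

def dec_cpa(c):
    y, c2 = c
    return xor(H(b"H", f_inv(y), len(c2)), c2)

# --- CCA-secure scheme of [KL08, Thm 13.6]: (f(r), Enc'_{H(r)}(m)), Enc' = encrypt-then-MAC ---

def enc_prime(k, m):
    ke, km = k[:32], k[32:]
    body = xor(H(b"stream", int.from_bytes(ke, "big"), len(m)), m)   # one-time keystream
    return body + hmac.new(km, body, hashlib.sha256).digest()

def dec_prime(k, c):
    ke, km = k[:32], k[32:]
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, body, hashlib.sha256).digest()):
        return None                # the decryption oracle rejects every modified ciphertext
    return xor(H(b"stream", int.from_bytes(ke, "big"), len(body)), body)

def enc_cca(m, rng):
    r = rand_domain(rng)
    return f(r), enc_prime(H(b"H", r, 64), m)

def dec_cca(c):
    y, c2 = c
    return dec_prime(H(b"H", f_inv(y), 64), c2)

def demo(seed=3):
    rng = random.Random(seed)
    m = b"pay Bob 10"              # constructed message
    y, c2 = enc_cpa(m, rng)
    # Malleability of the CPA scheme: flipping ciphertext bits flips the same plaintext bits,
    # so a CCA adversary turns "10" into "90" without ever inverting f.
    mask = bytes([0] * 8 + [ord("1") ^ ord("9"), 0])
    forged = dec_cpa((y, xor(c2, mask)))
    y2, c3 = enc_cca(m, rng)
    tampered = dec_cca((y2, xor(c3, mask + bytes(len(c3) - len(mask)))))
    return dec_cpa((y, c2)) == m, forged, dec_cca((y2, c3)) == m, tampered
```

`demo()` returns (True, b"pay Bob 90", True, None): both schemes decrypt correctly, the first construction is malleable (which is why Theorem 13.2 gives CPA security only), and the second rejects the same manipulation because the MAC under the key H(r) fails, which is the role the private-key scheme plays in the reduction of Theorem 13.6.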

Slide 26: OAEP
[slide content not in transcript]

Slide 27: OAEP (Cont'd)
[figure not in transcript; image credit: Wikipedia, User Ozga]
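OAEP as an added example (my code, not the slides'), following the EME-OAEP encoding of RFC 8017 (PKCS #1 v2.2) with SHA-256 and MGF1 in the role of the two random oracles; the RSA-OAEP security result of [FOPS01] concerns this transform applied before the RSA permutation. Only the padding is shown, since a modulus long enough to carry a 66-byte OAEP block cannot be built from toy primes; the block length k, the message and the fixed seed are assumptions of the example.

```python
import hashlib
import hmac
import os

HLEN = hashlib.sha256().digest_size   # 32

def mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017, B.2.1): the G and H oracles of OAEP."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m, k, label=b"", seed=None):
    """EME-OAEP encoding of m into a k-byte block (k = modulus length in bytes)."""
    if len(m) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = hashlib.sha256(label).digest()
    ps = b"\x00" * (k - len(m) - 2 * HLEN - 2)
    db = lhash + ps + b"\x01" + m                           # data block, k - HLEN - 1 bytes
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))            # G(seed) xor DB
    masked_seed = xor(seed, mgf1(masked_db, HLEN))           # H(maskedDB) xor seed
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Inverse of oaep_encode: the message, or None on any failure.  All checks feed one
    flag and the function returns the same None whichever check failed, as RFC 8017
    requires; a production decoder must also avoid timing differences between the cases."""
    if len(em) != k or k < 2 * HLEN + 2:
        return None
    lhash = hashlib.sha256(label).digest()
    y, masked_seed, masked_db = em[0], em[1:HLEN + 1], em[HLEN + 1:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    lhash_prime, rest = db[:HLEN], db[HLEN:]
    idx = rest.find(b"\x01")
    ok = (y == 0) and hmac.compare_digest(lhash_prime, lhash)
    ok = ok and idx >= 0 and rest[:idx] == b"\x00" * idx
    return rest[idx + 1:] if ok else None

def demo():
    k = 128                                  # block for a 1024-bit modulus
    m = b"attack at dawn"                     # constructed message
    seed = bytes(range(HLEN))                 # constructed, fixed so the run is reproducible
    em = oaep_encode(m, k, seed=seed)
    # All-or-nothing: flipping one bit anywhere (leading byte, masked seed, masked DB)
    # desynchronises the two masks and every decode fails.
    flipped = [oaep_decode(bytes(b ^ (1 if j == pos else 0) for j, b in enumerate(em)), k)
               for pos in (0, 1, 40, 127)]
    return oaep_decode(em, k) == m, flipped
```

`demo()` returns (True, [None, None, None, None]). The Feistel-like structure is the point of slides 26 and 27: the seed masks the data block and the masked data block in turn masks the seed, so a modified block yields a wrong seed, a wrong data block and a failed lHash check, all at once.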

Slide 28: References
• [BG93] M. Bellare and O. Goldreich. On Defining Proofs of Knowledge. CRYPTO '92, 1993.
• [GMW91] O. Goldreich, S. Micali, A. Wigderson. Proofs that Yield Nothing but Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems. JACM, 1991.
• [FFS88] U. Feige, A. Fiat and A. Shamir. Zero-Knowledge Proofs of Identity. J. Cryptology, 1988.
• [FOPS01] E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is Secure under the RSA Assumption. CRYPTO '01, 2001.
• [FS90] U. Feige and A. Shamir. Witness Indistinguishable and Witness Hiding Protocols. STOC '90, 1990.
• [KL08] J. Katz and Y. Lindell. Introduction to Modern Cryptography: Principles and Protocols. Chapman & Hall/CRC Press, 2008.

