1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

Presentation transcript:

2 History: recall the original ZK motivation of GMR. The prover can interactively convince the verifier that x is in L. Later, the verifier cannot convince someone else. This prevents off-line plagiarism (i.e., the verifier later claiming the proof as his own).

3 What about an on-line adversary? The verifier can play man-in-the-middle. This is handled by “designated verifier proofs” [Jakobsson, Sako, Impagliazzo] and others. But this LIMITS the dissemination of proofs!

4 What we want… To publish the proofs as widely as possible, with the authors' names. To prevent plagiarism. So, why not use NIZK?

5 NIZK reminder [BFM]: a common reference string (R.S.); the prover sends a single message. It's transferable. It's ZK: one can simulate the same view [BDPM]; one can simulate with the same R.S. [DDOPS].

6 So are we done? Any verifier can take a NIZK proof and either change it a bit but still keep it valid, or simply copy it and claim it as his own. (The first point can be addressed with non-malleable NIZK [DDN][S][DDOPS].)

7 Non-Malleable NIZK. Non-malleability [DDN]: “cannot construct a related encrypted message”. Non-malleability for NIZK [S][DDOPS]: “whatever the verifier can prove after seeing a proof, it can do without seeing the proof”. Technical points: (1) generation of the CRS; (2) 1 thm vs. many theorems; (3) adaptivity; (4) the adversary's challenges and the guarantees. So, use the strongest def.; are we done?

8 What is the def. of preventing plagiarism? You have an NP theorem and a witness. You want it transferable. You have your name (id) as part of it… You want to “bind” the proof to your name (id) such that nobody can change the proof to a different id'.

9 ID-ZK. In this talk we concentrate on NIZK (but the notion applies to the interactive setting as well). A new notion: NIZK with extractable identity: Prover(id, x, w, CRS) → proof. Two public algorithms: check correctness; extract the id from the proof. ZK: for all x in L and all id, one can generate a comp. indist. view (1 thm or multiple thms). Sound (w.h.p. one cannot “cheat”).

10 Security of ID-ZK: sound; cannot change identities. Informally: no poly-time adversary can take one or several ID-ZK proofs and construct a proof, for a new id, of an “interesting” theorem. Interesting = something the adversary could not do without any help.

11 Security of ID-ZK (cont.) NIZK with extractable identity is ID-ZK if: the adversary asks for ID-ZK proofs of different theorems and different id's; the adversary comes up with a proof of a thm with a new id; a simulator can output a comp. indist. distribution of thms with the new id without any ID-ZK proofs. Again there are several variants of what the adversary can ask; the strongest is simulation-soundness.

12 Remarks about the model. PK infrastructure – does it help? (i.e., what if the prover “signs” his proof?) No, the adversary can just strip the signature and substitute his own!
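A toy instantiation, added here and not the paper's construction, of the “bind the proof to your id” idea from slides 8 and 9 and the detachable-signature remark on slide 12: a Fiat-Shamir Schnorr proof of knowledge of a discrete log (random-oracle model, assumed) stands in for the NIZK, and hashing the id into the challenge is what makes the extracted id unchangeable, whereas an id merely attached alongside the proof (bind_id=False) can be swapped just like the stripped signature. All group parameters, names and the witness are constructed.

```python
import hashlib
import secrets

# Constructed toy parameters: arithmetic in Z_P^* for the Mersenne prime
# P = 2^127 - 1, exponents mod P - 1. Not a prime-order group and not
# reviewed for real use: it only makes the id-binding mechanism visible.
P = 2**127 - 1
ORDER = P - 1
G = 3

def _challenge(x, a, identity, bind_id):
    """Fiat-Shamir challenge over the transcript. When bind_id is set the
    id is hashed in, so a different id gives a different challenge."""
    tag = identity if bind_id else ""
    digest = hashlib.sha256(f"{x}|{a}|{tag}".encode()).digest()
    return int.from_bytes(digest, "big") % ORDER

def prove(x, w, identity, bind_id=True):
    """Prover(id, x, w): prove knowledge of w with x == G^w mod P."""
    r = secrets.randbelow(ORDER)      # fresh randomness per proof
    a = pow(G, r, P)                  # commitment
    c = _challenge(x, a, identity, bind_id)
    z = (r + c * w) % ORDER           # response
    return {"id": identity, "a": a, "z": z}

def extract_id(proof):
    """Public algorithm 2: the id is carried in the clear."""
    return proof["id"]

def check(x, proof, bind_id=True):
    """Public algorithm 1: recompute the challenge (with the embedded id)
    and verify G^z == a * x^c mod P."""
    c = _challenge(x, proof["a"], proof["id"], bind_id)
    return pow(G, proof["z"], P) == (proof["a"] * pow(x, c, P)) % P

def relabelled(proof, new_id):
    """A copied proof with a different claimed id (slide 12's concern)."""
    return {**proof, "id": new_id}

def demo():
    """Returns (bound_copy_rejected, unbound_copy_accepted): the bound
    proof rejects the relabelled copy; the unbound one does not."""
    w = 123                           # constructed witness
    x = pow(G, w, P)                  # public statement
    bound = prove(x, w, "alice")
    unbound = prove(x, w, "alice", bind_id=False)
    assert check(x, bound) and check(x, unbound, bind_id=False)
    return (not check(x, relabelled(bound, "mallory")),
            check(x, relabelled(unbound, "mallory"), bind_id=False))
```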

13 Remarks about the model (cont.) NIZK with a single random string – what does security mean? (since the simulator must have the trapdoor info) The point is that we can do the proof without the trapdoor – if there is an adversary who can cheat, the proof shows that we can use it to derive a contradiction!

14 How easy is it to construct? Also, what is the connection to NIZK in the non-interactive setting?

15 Why not use non-mall NIZK? Claim 1: there exist non-malleable NIZK proofs which are not ID-ZK. Claim 2: there exist ID-ZK NIZK proofs that are not non-malleable NIZK.

16 Why not use non-mall NIZK? Claim 1: there exist non-malleable NIZK proofs which are not ID-ZK. Standard non-mall NIZK do not have any ID: I can simply copy the proof and claim it as my own. Remark: [DDN] showed how, with ID's, non-mall NIZK is easier to build; this is different!

17 Why not use non-mall NIZK? Claim 2: there exist ID-ZK proofs that are not non-malleable. Proof idea: take an ID-ZK proof and attach a first (undetermined) bit. This is malleable, but can still be shown to be ID-ZK!

18 ID-ZK are closely related to non-mall NIZK. Claim 3: assuming any non-mall NIZK, we can construct ID-ZK NIZK. Claim 4: assuming any ID-ZK NIZK, we can construct non-mall NIZK.

19 ID-ZK are closely related to non-mall NIZK. Claim 3: assuming any non-mall NIZK, we can construct ID-ZK. Given (x, w, id) we construct the ID-ZK proof as follows: define the language L'(x, id): “either x in L or (a new portion of) the CRS is a commitment to id”. Send as the ID-ZK proof (id, non-mall NIZK for L'). Intuition: if the adversary can create a new id, this violates non-malleability!

20 ID-ZK are closely related to non-mall NIZK. Claim 4: assuming any ID-ZK, we can construct non-mall NIZK. Proof idea: use as the ID a signature public key, i.e., id = PK. Let B = id-zk(id, x in L). Send (id; B; sign_PK(B)). Note: the same proof structure works for the interactive case.

21 CONCLUSIONS. Many previous works (including DDN) used identities in constructions, but this is the first formal definition of binding names to proofs. Our definition is the most interesting part; it seems to be a useful building block. What about application-specific efficient implementations?