Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Slides:

Advertisements

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Advertisements

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Rafael Pass Cornell University Limits of Provable Security From Standard Assumptions.

Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S.

ELI BEN-SASSON, ALESSANDRO CHIESA, ERAN TROMER AND MADARS VIRZA USENIX SECURITY SYMPOSIUM 2014 Succinct Non-Interactive Zero Knowledge for a von Neumann.

K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.

Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University.

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.

Fine-Tuning Groth-Sahai Proofs Alex Escala Scytl Secure Electronic Voting Jens Groth University College London.

Dominique Unruh 3 September 2012 Quantum Cryptography Dominique Unruh.

How to play ANY mental game

(Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi

Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen Tech. Univ. Vienna AUSTRIA Giuseppe Persiano Univ. Salerno ITALY Ivan.

A Linear Lower Bound on the Communication Complexity of Single-Server PIR Weizmann Institute of Science Israel Iftach HaitnerJonathan HochGil Segev.

Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.

Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.

Topic 23: Zero-Knowledge Proof and Cryptographic Commitment

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.

Introduction to Quantum Key Distribution

Signatures, etc. Network Security Gene Itkis Signature scheme: Formal definition GenKey Generation: Gen(1 k )   PK, SK  SignSigning: Sign(SK, M) 

New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Copyright (c) 2012 NTT Secure Platform Labs. Group to Group Commitments Do Not Shrink Masayuki ABE Kristiyan Haralambiev Miyako Ohkubo 1.

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol.

Non-interactive quantum zero-knowledge proofs

CRYPTOGRAPHY AND NP-HARDNESS Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.

Formal Verification of Quantum Cryptography Dominique Unruh University of Tartu.

Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai.

Cryptography CS Lecture 19 Prof. Amit Sahai.

Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012.

Cryptographic Shuffles Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA.

On the Hardness of Proving CCA-Security of Signed ElGamal Bogdan Warinschi (University of Bristol) joint work with David Bernhard, Marc Fischlin.

IP, (NON)ISOGRAPH and Zero Knowledge Protocol COSC 6111 Advanced Algorithm Design and Analysis Daniel Stübig.

Topic 36: Zero-Knowledge Proofs

On the Size of Pairing-based Non-interactive Arguments

Efficient Public-Key Distance Bounding

Topic 14: Random Oracle Model, Hashing Applications

Digital Signature Schemes and the Random Oracle Model

Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces

Cryptographic protocols 2016, Lecture 12 Sigma protocols

cryptographic protocols 2014, lecture 12 Getting full zero knowledge

Masayuki Fukumitsu Hokkaido Information University, Japan

Quantum-security of commitment schemes and hash functions

Fiat-Shamir for Highly Sound Protocols is Instantiable

Post-Quantum Security of Fiat-Shamir

Short Pairing-based Non-interactive Zero-Knowledge Arguments

Impossibility of SNARGs

Collapse-binding quantum commitments without random oracles

Jens Groth and Mary Maller University College London

Presentation transcript:

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian Theory Days WORK IN PROGRESS!

Dominique Unruh Non-interactive ZK with Quantum Random Oracles2 Classical Crypto (Quick intro.)

Dominique Unruh Non-interactive zero-knowledge (NIZK) Non-interactive ZK with Quantum Random Oracles3 Statement x (math. fact) Witness w (proof of fact) P ZK proof of x Zero-knowledge Proof leaks nothing about witness Soundness Hard to prove wrong statements Uses: Proving honest behavior, signatures, …

Dominique Unruh Towards efficient NIZK: Sigma protocols Non-interactive ZK with Quantum Random Oracles commitment challenge response Prover “Special soundness”:Two different responses allow to compute witness ⇒ For wrong statement, prover fails w.h.p. Verifier

Dominique Unruh Toward efficient NIZK: Random Oracles Model hash function as random function H Many useful proof techniques 5 H x H(x) Learn queries Insert “special” answers (“programming”) Rewind and re-answer

Dominique Unruh NIZK with random oracles Non-interactive ZK with Quantum Random Oracles6 Fiat-Shamir Fischlin com chal resp Prover H(com) NIZK consists of com,chal,resp Prover can’t cheat: H is like a verifier Security-proof: Rewinding Fix com Try different chal, resp until H(chal,resp)=xxx000 Proof := com,chal,resp Need to query several chal,resp Implies existence of witness

Dominique Unruh Non-interactive ZK with Quantum Random Oracles7 Quantum! Classical security easy. But if adversary has a quantum computer?

Dominique Unruh The “pick-one trick” (simplified) Given a set S can encode it as a quantum state |Ψ 〉 s.t. for any set Z you find one x 1 ∈ S∩Z but not two x 1,x 2 ∈ S Non-interactive ZK with Quantum Random Oracles8 S Z x1x1 x2x2

Dominique Unruh Attacking Fischlin Non-interactive ZK with Quantum Random Oracles9 Fix com Try different chal, resp until H(chal,resp)=xxx000 Proof = com,chal,resp S={chal,resp} Z={H(·)=xxx000} Valid fake NIZK Without knowing witness! (Because we have only one S-element) [Fiat-Shamir attacked similarly]

Dominique Unruh How does “one-pick trick” work? Grover: Quantum algorithm for searching Observation: – First step of Grover produces a state encoding the search space This state (plus modified Grover) implements “one-pick trick” Hard part: Prove “can’t find two x 1,x 2 ∈ S ” Non-interactive ZK with Quantum Random Oracles10

Dominique Unruh No efficient quantum NIZK? Non-interactive ZK with Quantum Random Oracles11 All random oracle NIZK broken? No: under extra conditions, Fiat-Shamir and Fischlin might work (no proof idea) We found a provable new construction (less efficient)

Dominique Unruh I thank for your attention This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa