13 October 2010 | Dr. Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model. PKC 2015. Marc Fischlin, joint work with David Bernhard and Bogdan Warinschi.

Presentation transcript:

Slide 1: Adaptive Proofs of Knowledge in the Random Oracle Model. PKC 2015. Marc Fischlin, joint work with David Bernhard and Bogdan Warinschi.

April 1st, 2015 | Marc Fischlin | PKC 2015
Slide 2: (Interactive) Proofs of Knowledge. Figure: a (malicious) prover runs an interactive proof for a theorem; an extractor must compute a witness from it. Extraction usually works through rewinding.

Slide 3: Non-interactive Proofs of Knowledge in the Random Oracle (RO) Model... Figure: the (malicious) prover produces a non-interactive proof while querying the RO; the extractor controls the oracle (RO*). Extraction still requires rewinding [Fiat-Shamir].

Slide 4: Extraction is easy in the RO model... [Pointcheval-Stern]. Figure: the extractor answers the prover's RO queries (RO*). Example: Fiat-Shamir-Schnorr signatures.

Slide 5: ...or is it? Extraction is easy in the RO model...

Slide 6: Adaptive zero-knowledge proofs of knowledge in the random oracle model (ROM) [Shoup-Gennaro]. Figure: the adversary queries the RO and submits proofs for extraction one after the other ...

Slide 7: Simulation-sound adaptive zero-knowledge proofs of knowledge in the ROM. Figure: ZK simulator and extractor share the RO; the extractor needs to program the RO?

Slide 8: This work here:
- Model for simulation-sound adaptive ZK PoKs in the ROM
- Show that one can work with it
- Show that one can achieve it
- Discuss that some approaches fail

Slide 9: Definition (adaptive proof of knowledge). Figure: RO, same coins, list of queries, main execution (non-rewinding), local branches. The adversary wins if the extractor at some point fails to compute a witness. For all PPT adversaries there exists an extractor such that Pr[adversary wins] is negligible.

Slide 10: Result #1 (applicability): CPA-secure encryption + simulation-sound adaptive zero-knowledge proof of knowledge in the ROM => CCA-secure encryption in the ROM. So far: common reference string model [Groth, Chase-Lysyanskaya, Dodis et al.]. The proof statement: "I know message and randomness encrypted under the CPA scheme".

Slide 11: Result #2 (feasibility): Fischlin's transformation with straightline extractor for Σ-protocols with special soundness is a simulation-sound adaptive zero-knowledge proof of knowledge in the ROM. So far: only shown for the adaptive scenario in [Fischlin].

Slide 12: Idea: the straightline extractor in Fischlin's scheme only needs the hash queries of the adversary. Figure: RO with the extractor observing the query list.
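The contrast between slides 4 and 11/12 (rewinding extraction for Fiat-Shamir-Schnorr versus straightline extraction from the query list for Fischlin's transformation) is easy to see in code. The following example is added here and is not from the slides or the paper; it uses a toy Schnorr group (p = 2039, q = 1019, g = 4), toy Fischlin parameters (R, B, T, S), SHA-256 as the random-oracle stand-in, and an honest prover standing in for the adversary. Both extractors rely only on the special soundness of the Schnorr Σ-protocol.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example (far too small for real use):
# p is a safe prime, q = (p-1)/2, and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

# Assumed toy Fischlin parameters: R repetitions, hashes truncated to B bits,
# T-bit challenges (so at most 2^T trials per repetition), sum bound S.
R, B, T, S = 5, 4, 7, 4

def H(*parts):
    """Random-oracle stand-in: SHA-256 over a canonical encoding, reduced mod Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

# ---- Schnorr Σ-protocol for "I know w with y = g^w mod p" ----
def respond(w, r, ch):
    return (r + ch * w) % Q

def verify(y, a, ch, s):
    return pow(G, s, P) == a * pow(y, ch, P) % P

def special_soundness(ch1, s1, ch2, s2):
    """Two accepting transcripts with the same commitment and distinct challenges give w."""
    return (s1 - s2) * pow((ch1 - ch2) % Q, -1, Q) % Q

# ---- Fiat-Shamir-Schnorr: extraction needs rewinding (forking) ----
def fs_prove(y, w, ro, r):
    """Non-interactive proof; r is the prover's random coin, ro the random oracle."""
    a = pow(G, r, P)
    ch = ro(y, a)
    return a, ch, respond(w, r, ch)

def fs_verify(y, proof, ro):
    a, ch, s = proof
    return ch == ro(y, a) and verify(y, a, ch, s)

def fs_extract_by_rewinding(y, prover):
    """Pointcheval-Stern style: rerun the prover on the same coins with a different RO answer."""
    r = secrets.randbelow(Q)
    a1, ch1, s1 = prover(y, H, r)
    def forked(*parts):  # identical oracle except at the forking query (y, a1)
        if len(parts) == 2 and parts[1] == a1:
            return (H(*parts) + 1) % Q
        return H(*parts)
    a2, ch2, s2 = prover(y, forked, r)
    assert a1 == a2 and ch1 != ch2
    return special_soundness(ch1, s1, ch2, s2)

# ---- Fischlin's transformation: extraction is straightline from the RO query log ----
class RecordingOracle:
    """The extractor sits between the adversary and the RO and records every query."""
    def __init__(self):
        self.log = []
    def __call__(self, *parts):
        self.log.append(parts)
        return H(*parts)

def fischlin_prove(y, w, ro):
    rs = [secrets.randbelow(Q) for _ in range(R)]
    avec = [pow(G, r, P) for r in rs]
    proof = []
    for i, r in enumerate(rs):
        best = None
        for ch in range(1 << T):  # try challenges until the truncated hash is 0
            s = respond(w, r, ch)
            h = ro(y, avec, i, ch, s) & ((1 << B) - 1)
            if best is None or h < best[0]:
                best = (h, ch, s)
            if h == 0:
                break
        proof.append((avec[i], best[1], best[2]))
    return proof

def fischlin_verify(y, proof, ro):
    avec = [a for a, _, _ in proof]
    total = 0
    for i, (a, ch, s) in enumerate(proof):
        if not (0 <= ch < (1 << T) and verify(y, a, ch, s)):
            return False
        total += ro(y, avec, i, ch, s) & ((1 << B) - 1)
    return total <= S

def fischlin_extract_straightline(y, log):
    """No rewinding: the log almost always holds two accepting transcripts of one repetition."""
    seen = {}
    for parts in log:
        if len(parts) != 5 or parts[0] != y:
            continue
        _, avec, i, ch, s = parts
        if not verify(y, avec[i], ch, s):
            continue
        key = (tuple(avec), i)
        if key in seen and seen[key][0] != ch:
            return special_soundness(seen[key][0], seen[key][1], ch, s)
        seen.setdefault(key, (ch, s))
    return None
```

The rewinding extractor has to run the prover a second time on the same coins, which is exactly what becomes problematic in the adaptive setting of slide 9: each extraction request may force another rerun of the whole adversary, and nested reruns multiply. The Fischlin extractor never reruns anything; it only reads the query list, since a prover that found an accepting proof had to hash several challenge/response pairs for (almost every) repetition, and any two accepting ones for the same commitment reveal the witness.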

Slide 13: Result #3 (limitations): the Fiat-Shamir-Schnorr transformation is not an adaptive proof of knowledge under the one-more DL assumption (for black-box extractors). So far: a certain extractor strategy fails [Shoup-Gennaro]. Here: any efficient extractor strategy fails.

Slide 14: One-More-DL Problem. Figure: adversary A, challenger Ch, DL oracle. A must output more solutions to challenges than it makes DL queries [Bellare et al.].

Slide 15: Metareduction. Figure: RO, challenger Ch, DL oracle; the metareduction must output more solutions to challenges than DL queries.

Slide 16: Metareduction (continued). Figure as before; the metareduction uses the [Shoup-Gennaro] adversary here.

Slide 17: Metareduction (continued). Figure as before, with the [Shoup-Gennaro] adversary and at most 2 calls to the DL oracle for each proof. If the extractor requires fewer than 2 executions to extract for some proof, then the metareduction solves the OMDL problem.

Slide 18: Final step in the proof (not here): if the extractor requires 2 executions to extract for each proof, then the Shoup-Gennaro adversary forces an exponential number of executions. Combinatorial argument, via the execution tree.

Slide 19: Take-home Message

Slide 20:
1. CPA + ss-adaptive PoK => CCA in the ROM
2. Fischlin's transformation is an example of an ss-adaptive PoK
3. The Fiat-Shamir transformation in general is (presumably) not