CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

Slides:



Advertisements
Similar presentations
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Advertisements

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Oblivious Transfer based on the McEliece Assumptions
Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454.
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Zero-Knowledge Proofs And Their Applications in Cryptographic Systems ICS 555 Cryptography and Data Security Sultan Almuhammadi.
Computer Security CS 426 Lecture 3
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Lecture 12 Commitment Schemes and Zero-Knowledge Protocols Stefan Dziembowski University of Rome La Sapienza critto09.googlepages.com.
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.
8. Data Integrity Techniques
1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
(Multimedia University) Ji-Jian Chin Swee-Huay Heng Bok-Min Goi
1 SC700 A2 Internet Information Protocols 3/20/2001 Paper Presentation by J. Chu How to Explain Zero-Knowledge Protocols to Your Children.
Topic 22: Digital Schemes (2)
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Topic 23: Zero-Knowledge Proof and Cryptographic Commitment
Modern Cryptographic Topics
Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Zero-Knowledge Proofs And Their Applications in Cryptographic Systems ICS 555 Cryptography and Data Security Sultan Almuhammadi.
CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code.
Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.
11 Identification & ZKIP.  Introduction  Passwords  Challenge-Response  ZKIP 22.
On Simulation-Sound Trapdoor Commitments Phil MacKenzie, Bell Labs Ke Yang, CMU.
CS426Fall 2010/Lecture 251 Computer Security CS 426 Lecture 26 Review of Some Mid-Term Problems.
Zero Knowledge Proofs Matthew Pouliotte Anthony Pringle Cryptography November 22, 2005 “A proof is whatever convinces me.” -~ Shimon Even.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
Cryptography CS Lecture 19 Prof. Amit Sahai.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Zero Knowledge r Two parties:  All powerful prover P  Polynomially bounded verifier V r P wants to prove a statement to V with the following properties:
Topic 36: Zero-Knowledge Proofs
Zero Knowledge Anupam Datta CMU Fall 2017
Topic 14: Random Oracle Model, Hashing Applications
cryptographic protocols 2014, lecture 12 Getting full zero knowledge
Zero-Knowledge Proofs
Zero-Knowledge Proofs
Presentation transcript:

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs

CS426Fall 2010/Lecture 352 Readings for This Lecture Optional: –Haveli and Micali: “Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing”Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing Jean-Jacques et al.: How to explain Zero-Knowledge Protocols to Your ChildrenHow to explain Zero-Knowledge Protocols to Your Children This lecture’s topics won’t be in the final exam

3 Commitment schemes An electronic way to temporarily hide a value that cannot be changed –Stage 1 (Commit) Sender locks a message in a box and sends the locked box to another party called the Receiver –State 2 (Reveal) the Sender proves to the Receiver that the message in the box is a certain message Usage scenarios: flipping fair coins, bidding for a contract CS426Fall 2010/Lecture 35

4 Types of commitment Bit commitment Integer commitment String commitment CS426Fall 2010/Lecture 35

5 Security properties of commitment schemes Hiding –at the end of Stage 1, no adversarial receiver learns any information about the committed value Binding –at the end of Stage 1, no adversarial sender can successfully reveal two different values in Stage 2 CS426Fall 2010/Lecture 35

6 A broken commitment scheme Using encryption –Stage 1 (Commit) the Sender generates a key k and sends E k [M] to the Receiver –State 2 (Reveal) the Sender sends k to the Receiver, the Receiver can decrypt the message What is wrong using the above as a commitment scheme? Is it hiding? Is this binding? CS426Fall 2010/Lecture 35

7 Formalizing Security Properties of Commitment schemes Two kinds of adversaries –those with infinite computation power and those with limited computation power Unconditional hiding –the commitment phase does not leak any information about the committed message, in the information theoretical sense (similar to perfect secrecy) Computational hiding –an adversary with limited computation power cannot learn anything about the committed message (similar to semantic security) CS426Fall 2010/Lecture 35

8 Formalizing Security Properties of Commitment schemes Unconditional binding –after the commitment phase, an infinite powerful adversary sender cannot reveal two different values Computational binding –after the commitment phase, an adversary with limited computation power cannot reveal two different values No commitment scheme can be both unconditional hiding and unconditional binding CS426Fall 2010/Lecture 35

9 Another (also broken) commitment scheme Using a one-way function H –Stage 1 (Commit) the Sender sends c=H(M) to the Receiver –State 2 (Reveal) the Sender sends M to the Receiver, the Receiver verifies that c=H(M) What is wrong using this as a commitment scheme? Is it binding? Is it hiding? CS426Fall 2010/Lecture 35

Commitment Schemes Using Cryptographic Hash Functions A scheme likely secure enough in practice, but difficult to prove security (assuming only H is one-way and strongly collision-resistant) –To commit to message M, choose random, fixed- length r,send H(r || M) –To open commitment, send r, M –Receiver cannot fully recover M. Is this computational or information theoretic hiding? –Sender cannot find another M’ to open. Is this computational or information theoretic binding? CS426Fall 2010/Lecture 3510 Commitment must be randomized.

For Provably Secure Commitment Scheme based on Cryptogrpahic Hash See Haveli and Micali: –“Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing” –Uses Universal Hashing ( a family of hash functions with some properties) CS426Fall 2010/Lecture 3511

CS426Fall 2010/Lecture 3512 The Pederson Commitment Scheme Public parameters: (p,g,h) –p:large prime (1024 bit) –g:a number in [2, p-1] –h:another element such that log g h is unknown Protocol –To commit to x, committer chooses random r and sends (g x h r mod p) to the receiver. –To open, the committer sends x and r to the receiver Benefits: –One can prove many things about the committed value without opening it

13 Pedersen Commitment Scheme (cont.) Unconditionally hiding –Given a commitment c, every value x is equally likely to be the value committed in c. –For example, given x,r, and any x’, there exists r’ such that g x h r = g x’ h r’, in fact r = (x-x’)a -1 + r mod q. Computationally binding –Suppose the sender open another value x’ ≠ x. That is, the sender find x’ and r’ such that c = g x’ h r’ mod p. Now the sender knows x,r,x’, and r’ s.t., g x h r = g x’ h r’ (mod p), the sender can compute log g (h) = (x’-x)·(r-r’) -1. Assume DL is hard, the sender cannot open the commitment with another value. CS426Fall 2010/Lecture 35

14 Properties of Interactive Zero- Knowledge Proofs Zero-knowledge Proof of Knowledge –Proving knowing a secret, without revealing any information about the secret. Completeness –Given honest prover and honest verifier, the protocol succeeds with overwhelming probability Soundness –No one who doesn’t know the secret can convince the verifier with nonnegligible probability Zero knowledge –The proof does not leak any additional information CS426Fall 2010/Lecture 35

Intuitive Explanation of ZK CS426Fall 2010/Lecture 3515 See the paper “How to explain Zero-Knowledge Protocols to Your Children” – f08/readings/ZK-IntroPaper.pdf

16 Schnorr Protocol (ZK Proof of Knowing Discrete Log) System parameter: p, q, g –We have g q = 1 mod p Public identity: c = g a mod p Private authenticator: a Protocol 1. P: picks random r in [1..q], sends d = g r mod p, 2. V: sends random challenge e in [1..2 t ] 3. P: sends y=r- ea (mod q) 4. V: accepts if d = g y c e mod p CS426Fall 2010/Lecture 35

17 Security of Schnorr Protocol - Soundness Probability of forge: 1/2 t –The prover who does not know a can cheat by guess e –Set d= c e g y at the first step We build a knowledge extractor as follows. Suppose the prover is challenged twice with on same c, first with e1, second with e2. –Send e1, receive y1 such that g y1 c e1 = d –Send e2, receive y2 such that g y2 c e2 = d –g y1-y2 =c e2-e1, output log g (c) = (y1-y2)·(e2-e1) -1 CS426Fall 2010/Lecture 35

18 Pedersen Commitment – ZK Prove know how to open Public commitment c = g x h r (mod p) Private knowledge x,r Protocol: 1. P: picks random y, s in [1..q], sends d = g y h s mod p 2. V: sends random challenge e in [1..q] 3. P: sends u=y+ex, v=s+er (mod q) 4. V: accepts if g u h v = dc e (mod p) Security property – similar to Schnorr protocol CS426Fall 2010/Lecture 35

Other Things One Can Prove in ZK fashion with Pederson Commitments The committed value is a bit. The committed value is in a range. Two committed values equal Two committed values satisfy some linear relations And many more CS426Fall 2010/Lecture 3519

CS426Fall 2010/Lecture 3520 Coming Attractions … Network Security Defenses

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.