Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Generic Approach for Constructing Verifiable Random Functions

Published byYulia Tedjo Modified over 5 years ago

Similar presentations

Presentation on theme: "A Generic Approach for Constructing Verifiable Random Functions"β€” Presentation transcript:

1 A Generic Approach for Constructing Verifiable Random Functions
Rishab Goyal Susan Hohenberger Venkata Koppula Brent Waters Nir Bitansky Title of talk Joint talk on two closely related papers First one by Rishab, Susan, Brent and myself, and the second one by Nir Thanks to Nir for the slides. Thanks to Nir for the slides.

2 Verifiable Random Functions (VRFs)
[Micali-Rabin-Vadhan 99] π‘ π‘˜ π‘£π‘˜ 𝐹 π‘ π‘˜ (π‘₯) πœ‹ , 𝑉 We all know what pseudorandom functions are. In a general setting where PRFs are used, we have an owner that has a PRF key, and the owner can produce PRF evaluations to different parties on inputs of their choice. While that suffices for a lot of applications, there are scenarios where the parties might want a proof that the evaluation was computed correctly, without any interaction or setup assumptions. To address this problem, Micali, Rabin and Vadhan introduced the notion of verifiable random functions. In this setting, the secret key owner can produce the PRF evaluation, as well as a proof that the evaluation is correct. There is also a verification key that is a commitment to the secret key. This verification key is public, and together with the proof, can be used to verify that the evaluation is correct. For now, I will informally describe the properties required for a secure VRF. First, we require that the verification key uniquely determines the PRF evaluation on all points. In particular, even for a maliciously generated verification key, it should not be possible to prove two different evaluations on some input. Secondly, we require that even if an adversary sees evaluations and proofs at many points, PRF evaluation on a fresh point must look uniformly random. Usually in a PRF, owner of the seed can compute the function Owner of sk also generates proof of correctness What does correctness mean? The function is generated with a vk and correctness means consistency with the key vk can be thought of as a commitment to the function that is binding in the sense that… In terms of security, and for now very informally, you don’t have to completely open the commitment and reveal the function… maybe you reveal some values and proofs, and you want the function to remain PR at other points. We’ll define this more formally later on. Binding: π‘£π‘˜ uniquely determines function Pseudorandomness

3 . . . VRFs Pretty Useful unique signatures NIZKs O(1)-round
[Goldwasser-Ostrovsky 92] NIZKs [Feige-Lapidot-Shamir 90, GO 92] O(1)-round resettable ZK [Micali-Reyzin 01] VRFs . . . VRFs are a powerful primitive, and have proven to be quite useful. They can be used to build non interactive zero knowledge proofs, constant round resettable zero knowledge protocols, public ledgers and so on. What do we know about constructions of VRFs? Owner of sk also generates proof of correctness What does correctness mean. The function is generated with a vk. Correctness is consistency public ledgers [Micali 16, Pass-Shi 16] verifiable lotteries [Micali-Rivest 02]

4 Existing Constructions
RSA [Micali-Rabin-Vadhan 99] Bilinear Maps [Lysyanskaya 02] [Dodis 03] [Boneh-Boyen 04] Adventure Time Finn & Jake (CN) [Dodis-Yampolskiy 05] [Abdalla-Catalano-Fiore 10] IO [Sahai-Waters 14] [Hohenberger-Waters 10] Two types of constructions. One from the RSA assumption, shown by Micali, Rabin and Vadhan. Another type is constructions from Bilinear maps, and here there’s been considerable work in weakening the concrete assumptions on bilinear maps that are needed. By now it is known from simple assumptions like Decision-Linear, and this is actually quite recent. In any case, the constructions that we have are algebraic in nature. They’re not really general, but rather tailored around specific algebraic problems. [Boneh-Montgomery-Raghunathan 10] [Jager 15] [Hofeinz-Jager 16] DLIN [

5 VRFs from General Assumptions?
OWFs? NIZKs from OWFs… Trapdoor permutations? Not via Black-Box Reductions… [Fiore-Schroder 12] A very basic and natural question here: can we come up with constructions from general assumptions. We know that one can construct PRFs, commitments, verifiable creatures like signatures, from general assumptions like one-way functions. Maybe we should be able to do the same with VRFs. However, that would imply NIZKs from OWFs, which would be very interesting, and seems like a hard problem at the moment. What about TDPs? We know how to construct NIZKs from doubly enhanced trapdoor permutations, so maybe we can get VRFs also from TDPs? Unfortunately, Fiore and Schroder showed that it is not possible via black box reductions. Let me mentioned though that you can construct certain weak forms of VRFs from TDPs, like in the CRS model, or weak VRFs where you can see evaluations on random inputs. Yes in weaker models (CRS, weak-VRF) [Goldwasser-Ostrovsky 92, Brakerski-Goldwasser-Rothblum-Vaikuntanathan 09]

6 This Work: General Construction
Result 1: VRFs NIWIs Commitments Puncturable PRFs selective That brings me to our results. We show a generic construction of VRFs from commitments, non-interactive witness indistinguishability proof systems and puncturable PRFs. This construction achieves a weaker notion of security called selective security.

7 This Work: General Construction
Result 2: VRFs adaptive Commitments NIWIs Constrained PRFs (simple constraints) We also show how to achieve full security. This construction is similar to the selective one, except we use constrained PRFs instead of puncturable PRFs. I would like to point out that other than NIWIs, the other primitives are fairly simply primitives. Simple in the sense that we know constructions from many different assumptions. Puncturable PRFs can be constructed from OWFs, the constrained PRFs we require in this work can be constructed from DDH, LWE and the Phi Hiding assumption. The commitment schemes we require in this work can be constructed from injective OWFs, and we also show LWE and LPN based constructions. Inj. OWF [Blum 81] LWE/LPN [GHKW17] Phi-hiding DDH LWE TDP/OWF? [ Brakerski - Vaikuntanathan 15 ] [GHKW17] [B17]

8 This Work: General Construction
Result 2: VRFs adaptive Commitments NIWIs Constrained PRFs (simple constraints) Additionally, all of these primitives can be constructed using bilinear groups under the decision linear assumption. And as a result, this gives us a construction of VRFs from the decision linear assumption. DLIN [Groth-Ostrovsky-Sahai 06] TDP/OWF?

9 Matching the State-of-Art
[Lysyanskaya 02] VRFs DLIN [Dodis 03] [Boneh-Boyen 04] [Dodis-Yampolskiy 05] [Abdalla-Catalano-Fiore 10] [Hohenberger-Waters 10] This matches the state of the art as far as bilinear group based constructions are concerned. [Boneh-Montgomery-Raghunathan 10] [Jager 15] [Hofeinz-Jager 16] DLIN TDP/OWF?

10 REST OF THE TALK selective VRFs NIWIs adaptive VRFs Commitments
Puncturable PRFs So that was a high level overview of our results. The rest of the talk is roughly organized as follows. I will first formally define selectively secure VRFs. Next, I will define the three ingredients required for our construction. Finally, I will briefly talk about adaptively secure VRFs. adaptive VRFs

11 VRFs : A Closer Look (F, P, V) (π‘ π‘˜,π‘£π‘˜)←𝐺𝑒𝑛( 1 𝑛 ) 𝑦=𝐹 π‘ π‘˜ (π‘₯)
πœ‹= 𝑃 π‘ π‘˜ (π‘₯) 𝑉 π‘£π‘˜ π‘₯,𝑦,πœ‹ =1 Completeness: First, a closer look at VRFs. A VRF scheme consists of the following algorithms. It has a function F which defines the actual PRF function, a prover function P, a verifier V and a key generation algorithm that chooses the public/secret keys. Function evaluation uses the secret key, prover uses the secret key to compute a proof, and the verifier uses the verification key to check the validity of a proof on input x and output y. For completeness, we require that if y is the PRF output on input x, and pi is the corresponding proof, then the verification algorithm must accept this proof for x,y. The binding property states that for any verification key vk* and any input x*, there is at most one output y* that the verification algorithm will accept. Note, this should hold even for maliciously generated verification keys. Owner of sk also generates proof of correctness What does correctness mean. The function is generated with a vk. Correctness is consistency Binding: for any (malicious) 𝑣 π‘˜ βˆ— , π‘₯ βˆ— : at most single 𝑦 βˆ— accepted

12 𝐴 𝐴 β‰ˆ 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ 𝐹 π‘ π‘˜ $ (π‘£π‘˜) (π‘£π‘˜) VRFs : A Closer Look
Pseudorandomness 𝐴 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ 𝐹 π‘ π‘˜ (π‘£π‘˜) 𝐴 β‰ˆ 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ $ (π‘£π‘˜) Next, we have the pseudorandomness property. This is captured by the following security game. The adversary is given the verification key and access to two oracles. The first oracle, shown in white, is the query oracle. The adversary can send queries, and for each query, it receives the PRF evaluation on that query, together with a proof that the evaluation is correct. The next oracle is the challenge oracle, which, in this scenario, takes challenge inputs, and outputs the PRF evaluation on the challenge input. In the second scenario, the adversary is again given the verification key and access to two oracles. The query oracle is same as before, the challenge oracle now is a uniformly random function. For each challenge input, it outputs a uniformly random string. Clearly, the adversary is not allowed to send the same input as query and challenge. We say that the VRF is secure if no polynomial time adversary can distinguish between these two scenarios.

13 𝐴 β‰ˆ 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ (π‘£π‘˜, $) VRFs : A Closer Look (π‘£π‘˜, 𝐹 π‘ π‘˜ ( π‘₯ βˆ— ))
Selective Security 𝐴 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ β‰ˆ (π‘£π‘˜, 𝐹 π‘ π‘˜ ( π‘₯ βˆ— )) (π‘£π‘˜, $) π‘₯ βˆ— chosen upfront queries π‘₯β‰  π‘₯ βˆ— A weaker notion of security is that of selective security. Here, the adversary must specify its challenge input upfront. The adversary sends its challenge input x*, receives the verification key, together with either the PRF evaluation on x* or a uniformly random string. It is then allowed to make queries to the query oracle, and after polynomially many queries, it must be able to distinguish between the two scenarios. Now that we have the formal definition of VRF, let us quickly look at the primitives required for our construction.

14 (𝑃, 𝑉) πœ‹β†π‘ƒ(π‘₯,𝑀) 𝑉 π‘₯, πœ‹ =0/1 TDP + derand. DLIN iO+OWPs
Non-Interactive Witness-Indistinguishable Proofs [Feige-Shamir 90, Barak-Ong-Vadhan 03] (𝑃, 𝑉) πœ‹β†π‘ƒ(π‘₯,𝑀) 𝑉 π‘₯, πœ‹ =0/1 Completeness: If π‘₯∈𝐿, then 𝑉 accepts πœ‹ Soundness: no accepting proofs for π‘₯βˆ‰πΏ WI: 𝑃 π‘₯, 𝑀 0 β‰ˆπ‘ƒ(π‘₯, 𝑀 1 ) for any two wit’s TDP + derand. [BOV 03] DLIN [GOS 06] iO+OWPs [ Bitansky- Paneth 15 ]

15 PERFECTLY BINDING COMMITMENTS
Perfect binding: com cannot be opened to two different messages Finally, we have the third ingredient : perfectly binding commitment schemes. Here, we have an algorithm called β€˜commit’ that takes as input a message m, and outputs a commitment. Hiding: m m' β‰ˆ Injective OWFs Blum 81

16 K Construction K ; π‘Ÿ 1 π‘£π‘˜: K ; π‘Ÿ 2 π‘ π‘˜=π‘£π‘˜, 𝐾, π‘Ÿ 1 , π‘Ÿ 2 K ; π‘Ÿ 3
com π‘ π‘˜=π‘£π‘˜, 𝐾, π‘Ÿ 1 , π‘Ÿ 2 π‘£π‘˜: K VRF eval : 𝑦 = 𝐹 𝐾 (π‘₯)

17 Construction π‘£π‘˜: π‘ π‘˜=π‘£π‘˜, 𝐾, π‘Ÿ 1 , π‘Ÿ 2 Prove 𝑦 is correct eval on π‘₯
π‘πΌπ‘ŠπΌ: β€œπ‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€

18 Construction π‘£π‘˜: π‘ π‘˜=π‘£π‘˜, 𝐾, π‘Ÿ 1 , π‘Ÿ 2 Prove 𝑦 is correct eval on π‘₯
π‘πΌπ‘ŠπΌ: β€œπ‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€ 𝐹 𝐾 π‘₯ = 𝐹 𝐾 β€² π‘₯ =𝑦 K; r K’; r’ Prove 𝑦= 𝐹 𝐾 (π‘₯) is correct eval on π‘₯ Witness = ((1,2), (K, K), ( π‘Ÿ 1 , π‘Ÿ 2 ))

19 BINDING PROPERTY 𝑣 π‘˜ βˆ— π‘₯ βˆ— (𝑦 1 , πœ‹ 1 ) (𝑦 2 , πœ‹ 2 )

20 BINDING PROPERTY 𝑣 π‘˜ βˆ— π‘₯ βˆ— (𝑦 1 , πœ‹ 1 ) (𝑦 2 , πœ‹ 2 ) 𝐾 1 𝐾 2 𝐾 3
, πœ‹ 1 ) (𝑦 2 , πœ‹ 2 ) com : perfectly binding NIWI : statistically sound Contradiction if 𝑦 1 β‰  𝑦 2

21 PSEUDORANDOMNESS Step 1: Replace PRF key in com’s
with punctured PRF key Step 2: Use PRF security

22 β‰ˆ 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ 𝐴 AFTER STEP 1 (π‘£π‘˜, 𝐹 π‘ π‘˜ ( π‘₯ βˆ— )) (π‘£π‘˜, $)
Use punctured key 𝐴 𝐹 π‘ π‘˜ , 𝑃 π‘ π‘˜ β‰ˆ (π‘£π‘˜, 𝐹 π‘ π‘˜ ( π‘₯ βˆ— )) (π‘£π‘˜, $) π‘₯ βˆ— chosen upfront queries π‘₯β‰  π‘₯ βˆ— Has punctured key

23 "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ
Hybrids FOR STEP 1 HYBRID 0 𝑣 π‘˜ βˆ— K ; π‘Ÿ 1 K ; π‘Ÿ 2 K ; π‘Ÿ 3 πœ‹ π‘₯,𝑦 =π‘πΌπ‘ŠπΌ "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ 𝑀𝑖𝑑𝑛𝑒𝑠𝑠 ( 1,2 , 𝐾,𝐾 , π‘Ÿ 1 , π‘Ÿ 2 )

24 "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ
Hybrids FOR STEP 1 HYBRID 1 𝑣 π‘˜ βˆ— K ; π‘Ÿ 1 K ; π‘Ÿ 2 K{ π‘₯ βˆ— } ; π‘Ÿ 3 πœ‹ π‘₯,𝑦 =π‘πΌπ‘ŠπΌ "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ 𝑀𝑖𝑑𝑛𝑒𝑠𝑠 ( 1,2 , 𝐾,𝐾 , π‘Ÿ 1 , π‘Ÿ 2 ) π‘π‘œπ‘š is hiding

25 "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ
Hybrids FOR STEP 1 HYBRID 2 𝑣 π‘˜ βˆ— K ; π‘Ÿ 1 K ; π‘Ÿ 2 K{ π‘₯ βˆ— } ; π‘Ÿ 3 πœ‹ π‘₯,𝑦 =π‘πΌπ‘ŠπΌ "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ 𝑀𝑖𝑑𝑛𝑒𝑠𝑠 (1,3 , 𝐾,𝐾 π‘₯ βˆ— , π‘Ÿ 1 , π‘Ÿ 3 ) Witness ind. For queries, PRF evals using 𝐾, 𝐾 π‘₯ βˆ— are equal

26 "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ
Hybrids FOR STEP 1 HYBRID 3 𝑣 π‘˜ βˆ— K ; π‘Ÿ 1 K{ π‘₯ βˆ— } ; π‘Ÿ 2 K{ π‘₯ βˆ— } ; π‘Ÿ 3 πœ‹ π‘₯,𝑦 =π‘πΌπ‘ŠπΌ "π‘₯,𝑦 π‘π‘œπ‘›π‘ π‘–π‘ π‘‘π‘’π‘›π‘‘ π‘€π‘–π‘‘β„Ž π‘Žπ‘‘ π‘™π‘’π‘Žπ‘ π‘‘ 2 π‘π‘œπ‘šβ€²π‘ β€œ 𝑀𝑖𝑑𝑛𝑒𝑠𝑠 (1,3 , 𝐾,𝐾 π‘₯ βˆ— , π‘Ÿ 1 , π‘Ÿ 3 ) …. π‘π‘œπ‘š is hiding

27 From Selective to Adaptive
Partitioning strategy

28 PARTITIONING STRATEGY [Boneh-Boyen 04, Waters 05]
Introduced in the context of IBE Input Space

29 PARTITIONING STRATEGY [Boneh-Boyen 04, Waters 05]
Introduced in the context of IBE Query Partition ~ (1-1/q) fraction Challenge Partition ~ 1/q fraction Input Space

30 From Selective to Adaptive
Partitioning strategy Constrained PRF for `partitioning’ constraints LWE DDH Phi-hiding [BV15] [GHKW17] [B17]

31 Follow up : VRFs from Verifiable FE [Badrinarayanan-Goyal-Jain-Sahai 17]
Constrained PRFs Injective OWFs NIWIs

32 THANKS! CONCLUSIONS Generic construction of VRFs from NIWIs,
commitments and constrained PRF New constructions for commitments and constrained PRFs NIWIs – the bottleneck Perfectly Binding commitments from LPN? Techniques from Obfustopia THANKS!

Download ppt "A Generic Approach for Constructing Verifiable Random Functions"

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan DamgΓ₯rd, Γ…rhus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan DamgΓ₯rd, Γ…rhus University.
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

Similar presentations

Ads by Google