Efficient Non-Interactive Zero-Knowledge Protocols in the Common Reference String Model
The electronic version of the thesis does not contain the publications. With the triumph of the digital age, it is possible to perform increasingly science-fiction-like activities over the internet.
Mobile applications built on end-to-end encryption, such as WhatsApp, can guarantee that a call or a message reaches only the intended recipient.
Most banking systems guarantee, using the TLS protocol, that when bills are paid and transfers are made, no one can read or modify the data.
Some countries offer the option to vote electronically (for example Estonia) or to hold referendums electronically (for example Switzerland), while guaranteeing security criteria at the level of traditional paper voting.
All of the activities described above require a cryptographic protocol to ensure the users' security.
In reality, we can never assume that all parties to a protocol follow the protocol specification.
In real life, for a protocol to be secure, each party must prove that it followed the protocol, without sacrificing privacy.
One way to do this is with a zero-knowledge protocol. A zero-knowledge protocol is a proof that leaks no information beyond the fact that the statement is true.
Often we want a zero-knowledge protocol to be non-interactive. In that case it suffices for the proof to be computed only once, and verifiers can check it at any time.
There are two main models that enable the construction of non-interactive zero-knowledge protocols: the random oracle (RO) model and the reference string model.
Protocols in the RO model are very efficient, but because of certain limitations we prefer the reference string model.
In this work we present three scenarios in which non-interactive zero-knowledge is relevant: verifiable computation, authorization, and electronic voting.
In each scenario we propose a zero-knowledge protocol in the reference string model that is the most efficient so far and is of comparable efficiency to protocols in the RO model.
In the current digital era, we can do increasingly astonishing activities remotely using only our electronic devices.
Using mobile applications such as WhatsApp, we can contact someone with the guarantee, using an end-to-end encryption protocol, that only the recipient can know the conversation's contents.
Most banking systems enable us to pay our bills and perform other financial transactions, and use the TLS protocol to guarantee that no one can read or modify the transaction data.
Some countries provide an option to vote electronically in an election (e.g. Estonia) or referendum (e.g. Switzerland) with similar privacy guarantees to traditional paper voting.
In all these activities, a cryptographic protocol is required to ensure users' privacy.
In reality, some parties participating in a protocol might not act according to what was agreed in the protocol specification.
Hence, for a real world protocol to be secure, we also need each party to prove that it behaves honestly, but without sacrificing privacy of its inputs.
This can be done using a zero-knowledge argument: a proof by a polynomial-time prover that gives nothing else away besides its correctness.
In many cases, we want a zero-knowledge argument to be non-interactive and transferable, so that it is computed only once, but can be verified by many verifiers at any future time.
There are two main models that enable transferable non-interactive zero-knowledge (NIZK) arguments: the random oracle (RO) model and the common reference string (CRS) model.
Protocols in the RO model are very efficient, but due to some of its limitations, we prefer working in the CRS model.
In this work we provide three scenarios where NIZK arguments are relevant: verifiable computation, authorization, and electronic voting.
In each scenario, we propose NIZK arguments in the CRS model that are more efficient than existing ones, and are comparable in efficiency to the best known NIZK arguments in the RO model.
Lattice-Based proof of a shuffle
In this paper we present the first fully post-quantum proof of a shuffle for RLWE encryption schemes. Shuffles are commonly used to construct mixing networks (mix-nets), a key element to ensure anonymity in many applications such as electronic voting systems. They should preserve anonymity even against an attack using quantum computers in order to guarantee long-term privacy. The proof presented in this paper is built over RLWE commitments which are perfectly binding and computationally hiding under the RLWE assumption, thus achieving security in a post-quantum scenario. Furthermore, we provide a new definition for a secure mixing node (mix-node) and prove that our construction satisfies this definition.
Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles
One way to guarantee security against malicious voting servers is to use NIZK shuffle arguments. Up to now, only two NIZK shuffle arguments in the CRS model have been proposed. Both arguments are relatively inefficient compared to known random oracle based arguments. We propose a new, more efficient, shuffle argument in the CRS model. Importantly, its online prover's computational complexity is dominated by only two -wide multi-exponentiations, where is the number of ciphertexts. Compared to the previously fastest argument by Lipmaa and Zhang, it satisfies a stronger notion of soundness.
An Efficient Pairing-Based Shuffle Argument
We construct the most efficient known pairing-based NIZK shuffle argument.
It consists of three subarguments that were carefully chosen to obtain optimal
efficiency of the shuffle argument:
* A same-message argument based on the linear subspace QANIZK argument of
Kiltz and Wee,
* A (simplified) permutation matrix argument of Fauzi, Lipmaa, and Zając,
* A (simplified) consistency argument of Groth and Lu.
We prove the knowledge-soundness of the first two subarguments in the generic bilinear group model, and the culpable soundness of the third subargument under a KerMDH assumption. This proves the soundness of the shuffle argument. We also discuss our partially optimized implementation that allows one to prove a shuffle of ciphertexts in less than a minute and verify it in less than minutes.
Verifiable Elections That Scale for Free
In order to guarantee a fair and transparent voting process, electronic voting schemes must be verifiable. Most of the time, however, it is important that elections also be anonymous. The notion of a verifiable shuffle describes how to satisfy both properties at the same time: ballots are submitted to a public bulletin board in encrypted form, verifiably shuffled by several mix servers (thus guaranteeing anonymity), and then verifiably decrypted by an appropriate threshold decryption mechanism. To guarantee transparency, the intermediate shuffles and decryption results, together with proofs of their correctness, are posted on the bulletin board throughout this process.
In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N)) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question.
The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server.
Reducing Trust and Improving Security in zk-SNARKs and Commitment Schemes
The electronic version of the thesis does not contain the publications. zk-SNARKs are efficient and practical non-interactive proof systems constructed in the reference string model, and thanks to their compact proofs and very efficient verification they have been widely adopted in large-scale practical applications.
In this work we study zk-SNARKs from two perspectives: reducing the trust placed in them and strengthening their security. In the first direction, we investigate how much trust can be reduced in pairing-based zk-SNARKs without sacrificing their efficiency, so that users obtain a certain level of security even if the setup phase was performed maliciously or the secret information of the setup phase was disclosed. We propose some efficient constructions that can prevent attacks on the zk-SNARK setup phase and that achieve a stronger level of security than before. We also show that similar techniques make it possible to mitigate trust in trapdoor commitment schemes, another prominent family of cryptographic primitives that also requires a trusted setup phase. In the second direction, we present some efficient constructions that provide better security with minimal additional cost. Some of the presented constructions make it possible to simplify current UC-secure protocols, namely the construction of the privacy-preserving smart contract systems Hawk and Gyges, and to improve their efficiency. The new constructions can also be used directly in new protocols that wish to use zk-SNARKs.
Some of the proposed zk-SNARKs have been implemented in the Libsnark library, and the empirical results confirm that the additional computational cost of reducing trust or achieving greater security is small.
Zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) are an efficient family of NIZK proof systems that are constructed in the Common Reference String (CRS) model and, due to their succinct proofs and very efficient verification, they are widely adopted in large-scale practical applications.
In this thesis, we study zk-SNARKs from two perspectives, namely reducing trust and improving security in them. In the first direction, we investigate how much one can mitigate trust in pairing-based zk-SNARKs without sacrificing their efficiency. In such constructions, the parties of protocol will obtain a certain level of security even if the setup phase was done maliciously or the secret information of the setup phase was revealed. As a result of this direction, we present some efficient constructions that can resist against subverting of the setup phase of zk-SNARKs and achieve a certain level of security which is stronger than before. We also show that similar techniques will allow us to mitigate the trust in the trapdoor commitment schemes that are another prominent family of cryptographic primitives that require a trusted setup phase. In the second direction, we present some efficient constructions that achieve more security with minimal overhead. Some of the presented constructions allow to simplify the construction of current UC-secure protocols and improve their efficiency. New constructions can be directly deployed in any novel protocols that aim to use zk-SNARKs.
Some of the proposed zk-SNARKs are implemented in Libsnark, the state-of-the-art library for zk-SNARKs, and empirical experiences confirm that the computational cost to mitigate the trust or to achieve more security is practical.
https://www.ester.ee/record=b535927
More Efficient Shuffle Argument from Unique Factorization
Efficient shuffle arguments are essential in mixnet-based e-voting solutions. Terelius and Wikström (TW) proposed a 5-round shuffle argument based on unique factorization in polynomial rings. Their argument is available as the Verificatum software solution for real-world developers, and has been used in real-world elections. It is also the fastest non-patented shuffle argument. We will use the same basic idea as TW but significantly optimize their approach. We generalize the TW characterization of permutation matrices; this enables us to reduce the communication without adding too much to the computation. We make the TW shuffle argument computationally more efficient by using Groth's coefficient-product argument (JOC, 2010). Additionally, we use batching techniques. The resulting shuffle argument is the fastest known -message shuffle argument, and, depending on the implementation, can be faster than Groth's argument (the fastest 7-message shuffle argument).
A Shuffle Argument Secure in the Generic Model
We propose a new random oracle-less NIZK shuffle argument. It has a simple structure, where the first verification equation ascertains that the prover has committed to a permutation matrix, the second verification equation ascertains that the same permutation was used to permute the ciphertexts, and the third verification equation ascertains that input ciphertexts were "correctly" formed. The new argument has times more efficient verification than the up-to-now most efficient shuffle argument by Fauzi and Lipmaa (CT-RSA 2016). Compared to the Fauzi-Lipmaa shuffle argument, we (i) remove the use of knowledge assumptions and prove our scheme is sound in the generic bilinear group model, and (ii) prove standard soundness, instead of culpable soundness.
Arya: Nearly linear-time zero-knowledge proofs for correct program execution
There have been tremendous advances in reducing interaction, communication and verification time in zero-knowledge proofs but it remains an important challenge to make the prover efficient. We construct the first zero-knowledge proof of knowledge for the correct execution of a program on public and private inputs where the prover computation is nearly linear time. This saves a polylogarithmic factor in asymptotic performance compared to current state of the art proof systems.
We use the TinyRAM model to capture general purpose processor computation. An instance consists of a TinyRAM program and public inputs. The witness consists of additional private inputs to the program. The prover can use our proof system to convince the verifier that the program terminates with the intended answer within given time and memory bounds. Our proof system has perfect completeness, statistical special honest verifier zero-knowledge, and computational knowledge soundness assuming linear-time computable collision-resistant hash functions exist. The main advantage of our new proof system is asymptotically efficient prover computation. The prover's running time is only a superconstant factor larger than the program's running time in an apples-to-apples comparison where the prover uses the same TinyRAM model. Our proof system is also efficient on the other performance parameters; the verifier's running time and the communication are sublinear in the execution time of the program and we only use a log-logarithmic number of rounds.
Efficient Perfectly Sound One-message Zero-Knowledge Proofs via Oracle-aided Simulation
In this paper we put forth new efficient one-message proof systems for several practical applications, like proving that an El Gamal ciphertext (over a multiplicative group) decrypts to a given value and correctness of a shuffle. Our proof systems are built from multiplicative groups of hidden order, are not based on any setup/trust assumption like the RO or the common reference string model and are perfectly sound, that is they are written proofs in the sense of mathematics.
Our proof systems satisfy a generalization of zero-knowledge (ZK) that we call harmless zero-knowledge (HZK).
The simulator of an -HZK proof for a relation over a language is given the additional capability of invoking an oracle relative to which is hard to decide. That is, the proof does not leak any knowledge that an adversary might not compute by itself interacting with an oracle that does not help to decide the language.
Unlike ZK, non-interactivity and perfect soundness do not contradict HZK and HZK can replace ZK in any application in which, basically, the computational assumptions used in the application hold even against adversaries with access to . An -HZK proof is witness hiding (WH) for distributions hard against adversaries with access to , and strong-WI when quantifying over distributions that are indistinguishable by adversaries with access to . Moreover, an -HZK proof is witness indistinguishable (and the property does not depend on the oracle).
We provide a specific oracle DHInvO that is powerful enough to make our main proof systems DHInvO-HZK but not trivial: indeed, we show concrete and practical cryptographic protocols that can be proven secure employing a DHInvO-HZK proof in the reduction and that are instead not achievable using traditional ZK (unless resorting to the CRS/RO models).
Efficient one-message proof systems with perfect soundness were only known for relations over bilinear groups and were proven only witness indistinguishable.
As a byproduct, we also obtain a perfectly sound non-interactive ZAP, WH and HZK proof system for relations from number-theoretic assumptions over multiplicative groups of hidden order. No non-interactive WH proof system for (neither for simpler non-trivial relations) was previously known.