An Efficient Pairing-Based Shuffle Argument
We construct the most efficient known pairing-based NIZK shuffle argument.
It consists of three subarguments that were carefully chosen to obtain optimal
efficiency of the shuffle argument:
* A same-message argument based on the linear subspace QANIZK argument of
Kiltz and Wee,
* A (simplified) permutation matrix argument of Fauzi, Lipmaa, and Zając,
* A (simplified) consistency argument of Groth and Lu.
We prove the knowledge-soundness of the first two subarguments in the generic bilinear group model, and the culpable soundness of the third subargument under a KerMDH assumption. This proves the soundness of the shuffle argument. We also discuss our partially optimized implementation that allows one to prove a shuffle of ciphertexts in less than a minute and verify it in less than minutes
On Money as a Means of Coordination between Network Packets
In this work, we apply a common economic tool, namely money, to coordinate
network packets. In particular, we present a network economy, called
PacketEconomy, where each flow is modeled as a population of rational network
packets, and these packets can self-regulate their access to network resources
by mutually trading their positions in router queues. Every packet of the
economy has its price, and this price determines if and when the packet will
agree to buy or sell a better position. We consider a corresponding Markov
model of trade and show that there are Nash equilibria (NE) where queue
positions and money are exchanged directly between the network packets. This
simple approach, interestingly, delivers improvements even when fiat money is
used. We present theoretical arguments and experimental results to support our
claims
Efficient Non-Interactive Zero-Knowledge Protocols in the Common Reference String Model (Efektiivsed mitteinteraktiivsed nullteadmusprotokollid referentssõne mudelis)
The electronic version of the dissertation does not contain the publications.
In the current digital era, we can do increasingly astonishing activities remotely using only our electronic devices.
Using mobile applications such as WhatsApp, we can contact someone with the guarantee, using an end-to-end encryption protocol, that only the recipient can know the conversation's contents.
Most banking systems enable us to pay our bills and perform other financial transactions, and use the TLS protocol to guarantee that no one can read or modify the transaction data.
Some countries provide an option to vote electronically in an election (e.g. Estonia) or referendum (e.g. Switzerland) with similar privacy guarantees to traditional paper voting.
In all these activities, a cryptographic protocol is required to ensure users' privacy.
In reality, some parties participating in a protocol might not act according to what was agreed in the protocol specification.
Hence, for a real world protocol to be secure, we also need each party to prove that it behaves honestly, but without sacrificing privacy of its inputs.
This can be done using a zero-knowledge argument: a proof by a polynomial-time prover that gives nothing else away besides its correctness.
In many cases, we want a zero-knowledge argument to be non-interactive and transferable, so that it is computed only once, but can be verified by many verifiers at any future time.
There are two main models that enable transferable non-interactive zero-knowledge (NIZK) arguments: the random oracle (RO) model and the common reference string (CRS) model.
Protocols in the RO model are very efficient, but due to some of its limitations, we prefer working in the CRS model.
In this work we provide three scenarios where NIZK arguments are relevant: verifiable computation, authorization, and electronic voting.
In each scenario, we propose NIZK arguments in the CRS model that are more efficient than existing ones, and are comparable in efficiency to the best known NIZK arguments in the RO model
Verifiable Elections That Scale for Free
In order to guarantee a fair and transparent voting process, electronic voting schemes must be verifiable. Most of the time, however, it is important that elections also be anonymous. The notion of a verifiable shuffle describes how to satisfy both properties at the same time: ballots are submitted to a public bulletin board in encrypted form, verifiably shuffled by several mix servers (thus guaranteeing anonymity), and then verifiably decrypted by an appropriate threshold decryption mechanism. To guarantee transparency, the intermediate shuffles and decryption results, together with proofs of their correctness, are posted on the bulletin board throughout this process.
In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N)) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question.
The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server
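The pipeline described above (encrypted ballots, several mix servers, distributed decryption, tally) is small enough to walk through in code. The following is an added illustration, not code from the paper: a toy re-encryption mixnet over ElGamal in a prime-order subgroup, with an additive n-of-n key split standing in for the paper's threshold decryption. The group parameters, vote encoding, and ballots are constructed here and are far too small for real use. It deliberately omits the shuffle and decryption proofs that make the real scheme verifiable; the `cheating_mix` function shows what goes unnoticed without them, which is the point of posting those proofs on the bulletin board.

```python
"""Toy re-encryption mixnet with distributed decryption.  Added illustration
only; not the paper's construction.  No shuffle or decryption proofs are
produced, so a verifier has only the bulletin board to look at."""
import random
from collections import Counter

# Constructed toy parameters (assumption; far too small for real use).
# P = 2Q + 1 is a safe prime, so the quadratic residues mod P form a group of
# prime order Q.  G = 2^2 is a quadratic residue and therefore generates it.
P, Q, G = 10007, 5003, 4

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)           # secret key, public key

def encrypt(pk, m, rng):
    """ElGamal encryption of a group element m under public key pk."""
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def reencrypt(pk, ct, rng):
    """Re-randomise ct using only pk: same plaintext, fresh unlinkable pair."""
    c1, c2 = ct
    s = rng.randrange(1, Q)          # s != 0, so c1 always changes
    return (c1 * pow(G, s, P) % P, c2 * pow(pk, s, P) % P)

def mix(pk, cts, rng):
    """Honest mix server: re-encrypt every ballot, then apply a secret permutation."""
    order = list(range(len(cts)))
    rng.shuffle(order)
    return [reencrypt(pk, cts[i], rng) for i in order]

def cheating_mix(pk, cts, rng):
    """Dishonest mix server: drops ballot 1 and counts ballot 0 twice.  The
    output has the right length and consists of well-formed ciphertexts, so
    without a shuffle proof a verifier cannot tell it from an honest shuffle."""
    tampered = list(cts)
    tampered[1] = reencrypt(pk, cts[0], rng)
    return mix(pk, tampered, rng)

def share_key(x, n, rng):
    """Additive n-of-n split of the secret key among n decryption servers
    (a stand-in for threshold decryption; not Shamir sharing)."""
    shares = [rng.randrange(0, Q) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % Q)
    return shares

def partial_decrypt(share, ct):
    return pow(ct[0], share, P)      # one server's contribution: c1^{x_i}

def combine(ct, partials):
    """prod c1^{x_i} = c1^x; dividing c2 by it recovers the group element."""
    c1x = 1
    for d in partials:
        c1x = c1x * d % P
    return ct[1] * pow(c1x, -1, P) % P

def encode(vote):
    """Candidate index -> group element G^(vote+1) (exponential encoding)."""
    return pow(G, vote + 1, P)

def decode(elem, n_candidates):
    for v in range(n_candidates):
        if encode(v) == elem:
            return v
    raise ValueError("decrypted element is not a valid vote encoding")

def run_election(votes, n_mixers, n_decryptors, n_candidates, cheat=False, seed=1):
    """Returns the bulletin board (one list of ciphertexts per stage) and the tally.
    With cheat=True the first mix server runs cheating_mix instead of mix."""
    rng = random.Random(seed)
    x, pk = keygen(rng)
    shares = share_key(x, n_decryptors, rng)
    board = [[encrypt(pk, encode(v), rng) for v in votes]]      # stage 0: cast ballots
    for i in range(n_mixers):
        server = cheating_mix if (cheat and i == 0) else mix
        board.append(server(pk, board[-1], rng))
    tally = Counter()
    for ct in board[-1]:
        partials = [partial_decrypt(s, ct) for s in shares]
        tally[decode(combine(ct, partials), n_candidates)] += 1
    return board, dict(tally)

if __name__ == "__main__":
    votes = [0, 1, 1, 2, 0, 1]                                   # constructed ballots
    _, honest = run_election(votes, n_mixers=3, n_decryptors=2, n_candidates=3)
    _, rigged = run_election(votes, n_mixers=3, n_decryptors=2, n_candidates=3, cheat=True)
    print("honest tally:", honest, " rigged tally:", rigged)
```

Both runs produce a board of four stages of six well-formed ciphertexts each, and both decrypt to valid candidate encodings; only the tally differs. A shuffle argument posted after each mixing stage is what would let anyone reject the rigged board, and the paper's contribution is to keep the combined proof at O(k(L + M + N)) bits rather than growing with L times the number of servers.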
A structure theorem for streamed information
We identify the free half shuffle algebra of Schützenberger [31] with an algebra of real-valued functionals on paths, where the half shuffle emulates the integration of a functional against another. We then provide two, to our knowledge, new identities in arity 3 involving its commutator (area), and show that these are sufficient to recover the Zinbiel and Tortkara identities introduced by Dzhumadil'daev [11]. We then use these identities to provide a simple proof of the main result of Diehl et al. [8], namely that any element of the free half shuffle algebra can be expressed as a polynomial over iterated areas.
Moreover, we consider minimal sets of Hall iterated integrals defined through the recursive application of the half shuffle product to Hall trees. Leveraging the duality between this set of Hall integrals and classical Hall bases of the free Lie algebra, we prove using combinatorial arguments that any element of the free half shuffle algebra can be written uniquely as a polynomial over Hall integrals. We interpret this result as a structure theorem for streamed information, loosely analogous to the unique prime factorisation of integers, allowing one to split any real-valued function on streamed data into two parts: a first that extracts and packages the streamed information into recursively defined atomic objects (Hall integrals), and a second that evaluates a polynomial function in these objects without further reference to the original stream. The question of whether a similar result holds if Hall integrals are replaced by Hall areas is left as an open conjecture.
Finally, we construct a canonical, but to our knowledge, new decomposition of the free half shuffle algebra as shuffle power series in the greatest letter of the original alphabet with coefficients in a sub-algebra freely generated by a new alphabet with an infinite number of letters. We use this construction to provide a second proof of our structure theorem
A Shuffle Argument Secure in the Generic Model
We propose a new random oracle-less NIZK shuffle argument. It has a simple structure, where the first verification equation ascertains that the prover has committed to a permutation matrix, the second verification equation ascertains that the same permutation was used to permute the ciphertexts, and the third verification equation ascertains that input ciphertexts were "correctly" formed. The new argument has times more efficient verification than the up-to-now most efficient shuffle argument by Fauzi and Lipmaa (CT-RSA 2016). Compared to the Fauzi-Lipmaa shuffle argument, we (i) remove the use of knowledge assumptions and prove our scheme is sound in the generic bilinear group model, and (ii) prove standard soundness, instead of culpable soundness.