384 research outputs found
Augmented Black-Box Simulation and Zero Knowledge Argument for NP
The standard zero knowledge notion is formalized by requiring that for any probabilistic polynomial-time (PPT) verifier , there is a PPT algorithm (simulator) , such that the outputs of are indistinguishable from real protocol views. The simulator is not permitted to access the verifier's private state. So the power of is, in fact, inferior to that of .
In this paper, a new simulation method, called augmented black-box simulation, is presented by permitting the simulator to have access to the verifier's current private state in a special manner. The augmented black-box simulator only has the same computing power as the verifier, although it is given access to the verifier's current private state. Therefore, augmented black-box simulation is a reasonable method to prove the zero knowledge property, and brings results that are hard to obtain with previous simulation techniques. The zero knowledge property, proved by means of augmented black-box simulation, is called augmented black-box zero knowledge.
We present a 5-round statistical augmented black-box zero-knowledge argument for the Exact Cover problem under the Decision Multilinear No-Exact-Cover Assumption. In addition, we show a 2-round computational augmented black-box zero-knowledge argument protocol for the Exact Cover problem under the Decision Multilinear No-Exact-Cover Assumption and the assumption of the existence of hash functions. It is well known that 2-round zero knowledge protocols do not exist under the general zero knowledge notion. Besides, following [19], we consider the leakage-resilient property of augmented black-box zero knowledge, and prove that the presented statistical zero-knowledge protocol has the optimal leakage-resilient property.
The Hunting of the SNARK
The existence of succinct non-interactive arguments for NP (i.e., non-interactive computationally-sound proofs where the verifier's work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in the random oracle model [Micali, FOCS '94], the only existing candidate construction is based on an elaborate assumption that is tailored to a specific protocol [Di Crescenzo and Lipmaa, CiE '08].
We formulate a general and relatively natural notion of an extractable collision-resistant hash function (ECRH) and show that, if ECRHs exist, then a modified version of Di Crescenzo and Lipmaa's protocol is a succinct non-interactive argument for NP. Furthermore, the modified protocol is actually a succinct non-interactive adaptive argument of knowledge (SNARK). We then propose several candidate constructions for ECRHs and relaxations thereof.
We demonstrate the applicability of SNARKs to various forms of delegation of computation, to succinct non-interactive zero knowledge arguments, and to succinct two-party secure computation. Finally, we show that SNARKs essentially imply the existence of ECRHs, thus demonstrating the necessity of the assumption.
Going beyond ECRHs, we formulate the notion of extractable one-way functions (EOWFs). Assuming the existence of a natural variant of EOWFs, we construct a -message selective-opening-attack secure commitment scheme and a 3-round zero-knowledge argument of knowledge. Furthermore, if the EOWFs are concurrently extractable, the 3-round zero-knowledge protocol is also concurrent zero-knowledge.
Our constructions circumvent previous black-box impossibility results regarding these protocols by relying on EOWFs as the non-black-box component in the security reductions.
Fully Leakage-Resilient Codes
Leakage resilient codes (LRCs) are probabilistic encoding schemes that guarantee message hiding even under some bounded leakage on the codeword.
We introduce the notion of fully leakage resilient codes (FLRCs), where the adversary can leak some bits from the encoding process, i.e., the message and the randomness involved during the encoding process. In addition, the adversary can as usual leak from the codeword.
We give a simulation-based definition requiring that the adversary's leakage from the encoding process and the codeword can be simulated given just bits of leakage from the message. For our new simulation-based notion is equivalent to the usual game-based definition. An FLRC would be interesting in its own right and would be useful in building other leakage-resilient primitives in a composable manner.
We give a fairly general impossibility result for FLRCs in the popular split-state model, where the codeword is broken into independent parts and where the leakage occurs independently on the parts. We show that if the leakage is allowed to be any poly-time function of the secret and if collision-resistant hash functions exist, then there is no FLRC for the split-state model. The result holds only when the message length can be linear in the security parameter. However, we can extend the impossibility result to FLRCs for constant-length messages under assumptions related to differing-input obfuscation. These results show that it is highly unlikely that we can build FLRCs for the split-state model when the leakage can be any poly-time function of the secret state.
We then give two feasibility results for weaker models.
First, we show that for NC^0-bounded leakage from the randomness and arbitrary poly-time leakage from the parts of the codeword, the inner-product construction proposed by Davì et al. (SCN '10) and successively improved by Dziembowski and Faust (ASIACRYPT '11) is an FLRC for the split-state model. Second, we provide a compiler from any LRC to an FLRC in the common reference string model for any fixed leakage family of small cardinality. In particular, this compiler applies to the split-state model but also to many other models.
Witness Maps and Applications
We introduce the notion of Witness Maps as a cryptographic notion of a proof system. A Unique Witness Map (UWM) deterministically maps all witnesses for a statement to a single representative witness, resulting in a computationally sound, deterministic-prover, non-interactive, witness-independent proof system. A relaxation of UWM, called Compact Witness Map (CWM), maps all the witnesses to a small number of witnesses, resulting in a "lossy" deterministic-prover, non-interactive proof system. We also define a Dual Mode Witness Map (DMWM) which adds an "extractable" mode to a CWM.
Our main construction is a DMWM for all relations, assuming sub-exponentially secure indistinguishability obfuscation (), along with standard cryptographic assumptions. The DMWM construction relies on a CWM and a new primitive called Cumulative All-Lossy-But-One Trapdoor Functions (C-ALBO-TDF), both of which are in turn instantiated based on and other primitives. Our instantiation of a CWM is in fact a UWM; in turn, we show that a UWM implies Witness Encryption. Along the way to constructing UWM and C-ALBO-TDF, we also construct, from standard assumptions, Puncturable Digital Signatures and a new primitive called Cumulative Lossy Trapdoor Functions (C-LTDF). The former improves upon a construction of Bellare et al. (Eurocrypt 2016), who relied on sub-exponentially secure and sub-exponentially secure OWF.
As an application of our constructions, we show how to use a DMWM to construct the first leakage- and tamper-resilient signatures with a deterministic signer, thereby solving a decade-old open problem posed by Katz and Vaikuntanathan (Asiacrypt 2009), by Boyle, Segev and Wichs (Eurocrypt 2011), as well as by Faonio and Venturi (Asiacrypt 2016). Our construction achieves the optimal leakage rate of
Cryptography
The Oberwolfach workshop Cryptography brought together scientists from cryptography with mathematicians specializing in the algorithmic problems underlying cryptographic security. The goal of the workshop was to stimulate interaction and collaboration that enables a holistic approach to designing cryptography, from the mathematical foundations to practical applications. The workshop covered basic computational problems such as factoring and computing discrete logarithms and short vectors. It addressed fundamental research results leading to innovative cryptography for protecting security and privacy in cloud applications. It also covered some practical applications.
Non-Malleable Codes with Split-State Refresh
Non-Malleable Codes for the split-state model allow one to encode a message into two parts such that arbitrary independent tampering on the parts either completely destroys the content or leaves the message untouched. If the code is also leakage resilient, it allows limited independent leakage from the two parts. We propose a model where the two parts can be refreshed independently. We give an abstract framework for building codes for this model, instantiate the construction under the external Diffie-Hellman assumption, and give applications of such split-state refreshing. An advantage of our new model is that it allows arbitrarily many tamper attacks and arbitrarily large leakage over the lifetime of the system, as long as occasionally each part of the code is refreshed. Our model also tolerates the refreshing occasionally being leaky or tampered with.
Practical Non-Malleable Codes from -more Extractable Hash Functions
In this work, we significantly improve the efficiency of non-malleable codes in the split-state model by constructing a code with codeword length , where is the length of the message and is the security parameter. This is a substantial improvement over previous constructions, both asymptotically and concretely.
Our construction relies on a new primitive which we define and study, called -more extractable hash functions. This notion, which may be of independent interest, guarantees that if any adversary that is given access to precomputed hash values , and produces a new valid hash value , then it must know a pre-image of . This is a stronger notion than the one by Bitansky et al. (ePrint '11) and Goldwasser et al. (ITCS '12, ePrint '14), which considers adversaries that get no access to precomputed hash values prior to producing their own value. By appropriately relaxing the extractability requirement (without hurting the applicability of the primitive), we instantiate -more extractable hash functions under the same assumptions used for the previous extractable hash functions by Bitansky et al. and Goldwasser et al. (a variant of the Knowledge of Exponent Assumption).
Separating Succinct Non-Interactive Arguments From All Falsifiable Assumptions
In this paper, we study succinct computationally sound proofs (arguments) for NP, whose communication complexity is polylogarithmic in the instance and witness sizes. The seminal works of Kilian '92 and Micali '94 show that such arguments can be constructed under standard cryptographic hardness assumptions with four rounds of interaction, and that they can be made non-interactive in the random-oracle model. The latter construction also gives us some evidence that succinct non-interactive arguments (SNARGs) may exist in the standard model with a common reference string (CRS), by replacing the oracle with a sufficiently complicated hash function whose description goes in the CRS. However, we currently do not know of any construction of SNARGs with a formal proof of security under any simple cryptographic assumption.
In this work, we give a broad black-box separation result, showing that black-box reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption. This includes essentially all common assumptions used in cryptography (one-way functions, trapdoor permutations, DDH, RSA, LWE, etc.). More generally, we say that an assumption is falsifiable if it can be modeled as an interactive game between an adversary and an efficient challenger that can efficiently decide if the adversary won the game. This is similar, in spirit, to the notion of falsifiability of Naor '03, and captures the fact that we can efficiently check if an adversarial strategy breaks the assumption.
Our separation result also extends to designated-verifier SNARGs, where the verifier needs a trapdoor associated with the CRS to verify arguments, and to slightly succinct SNARGs, whose size is only required to be sublinear in the statement and witness size.