8 research outputs found

    Zero-knowledge Argument for Polynomial Evaluation with Application to Blacklists

    Verification of a polynomial’s evaluation in a secret committed value plays a role in cryptographic applications such as non-membership or membership proofs. We construct a novel special honest verifier zero-knowledge argument for correct polynomial evaluation. The argument has logarithmic communication cost in the degree of the polynomial, which is a significant improvement over the state of the art with cubic root complexity at best. The argument is relatively efficient to generate and very fast to verify compared to previous work. The argument has a simple public-coin 3-move structure and only relies on the discrete logarithm assumption. The polynomial evaluation argument can be used as a building block to construct zero-knowledge membership and non-membership arguments with communication that is logarithmic in the size of the blacklist. Non-membership proofs can be used to design anonymous blacklisting schemes allowing online services to block misbehaving users without learning the identity of the user. They also allow the blocking of single users of anonymization networks without blocking the whole network.

    Minimal deployable endpoint-driven network forwarding: principle, designs and applications

    Networked systems now have significant impact on human lives: the Internet, connecting the world globally, is the foundation of our information age; the data centers, running hundreds of thousands of servers, drive the era of cloud computing; and even the Tor project, a networked system providing online anonymity, now serves millions of daily users. Guided by the end-to-end principle, many computer networks have been designed with a simple and flexible core offering general data transfer service, whereas the bulk of the application-level functionalities have been implemented on endpoints that are attached to the edge of the network. Although the end-to-end design principle gives these networked systems tremendous success, a number of new requirements have emerged for computer networks and their running applications, including untrustworthiness of endpoints, privacy requirements of endpoints, more demanding applications, the rise of third-party intermediaries, the asymmetric capability of endpoints, and so on. These emerging requirements have created various challenges in different networked systems. To address these challenges, there are no obvious solutions without adding in-network functions to the network core. However, no design principle has ever been proposed for guiding the implementation of in-network functions. In this thesis, we propose the first such principle and apply it to propose four designs in three different networked systems to address four separate challenges. We demonstrate through detailed implementation and extensive evaluations that the proposed principle can live in harmony with the end-to-end principle, and that a combination of the two principles offers more complete, effective and accurate guidance for innovating modern computer networks and their applications.

    Efficient Zero-Knowledge Proofs and Applications

    Zero-knowledge proofs provide a means for a prover to convince a verifier that some claim is true and nothing more. The ability to prove statements while conveying zero information beyond their veracity has profound implications for cryptography and, especially, for its applicability to privacy-enhancing technologies. Unfortunately, the most common zero-knowledge techniques in the literature suffer from poor scalability, which limits their usefulness in many otherwise promising applications. This dissertation addresses the problem of designing communication- and computation-efficient protocols for zero-knowledge proofs and arguments of propositions that comprise many "simple" predicates. In particular, we propose a new formal model in which to analyze batch zero-knowledge protocols and perform the first systematic study of systems for batch zero-knowledge proofs and arguments of knowledge. In the course of this study, we suggest a general construction for batch zero-knowledge proof systems and use it to realize several new protocols suitable for proving knowledge of and relationships among large batches of discrete logarithm (DL) representations in prime-order groups. Our new protocols improve on existing protocols in several ways; for example, among the new protocols is one with lower asymptotic computation cost than any other such system in the literature. We also tackle the problem of constructing batch proofs of partial knowledge, proposing new protocols to prove knowledge of a DL that is equal to at least k-out-of-n other DLs, at most k-out-of-n other DLs, or exactly k-out-of-n other DLs. These constructions are particularly interesting as they prove some propositions that appear difficult to prove using existing techniques, even when efficiency is not a primary consideration. We illustrate the applicability of our new techniques by using them to construct efficient protocols for anonymous blacklisting and reputation systems.

    Design and implementation of secure protocols for practical authentication and fair anonymity systems

    Unpublished doctoral thesis defended at the Universidad Autónoma de Madrid, Escuela Politécnica Superior, Departamento de Ingeniería Informática. Date of defense: May 2015.

    With the huge growth of information and communication systems, as well as of computing power, privacy has become a main concern for Internet users. Certainly, nowadays users tend to prefer privacy-respectful systems and, consequently, companies providing software solutions also need to worry about it. Nevertheless, the privacy provided by current systems many times reduces to the need of placing too much trust in legal protections. Conversely, the contributions by the research community in this direction many times fail to produce realistic enough solutions, hardly flexible, scalable or deployable in current systems, and thus impractical. In this thesis, we attempt to bridge this gap between the practical but barely robust systems in the “real world” and the robust but barely practical ones of the “academic counterpart”. Specifically, we base our proposals on currently deployed protocols and systems, but extend them to make them suitable for implementing privacy, mainly through fair anonymity. Moreover, our approach for incorporating privacy-by-design grows from addressing less complex tasks towards tackling more complex issues based on the composition of the simple ones. This also allows us to establish a flexible framework from which solutions applicable to contexts other than those explored here may be derived. In turn, this helps to reduce the complexity of deploying new systems from scratch which, as stated, is our initial objective. In more detail, in order to ease the design and deployment of privacy-respectful systems, we proceed as follows. We first propose a methodology for designing protocols and systems and verifying that they meet the required security properties. This methodology is used to create and verify the protocols and systems proposed afterwards.
On the other hand, since we make important use of group signatures for providing privacy through anonymity, and we aim to ease the costs of deploying new systems, we describe an extensible C library that we have implemented and released in an alpha stage, offering a unified API for group signatures. Subsequently, we make use of these global building blocks for creating technology that would most probably be necessary in every privacy-respectful system. Specifically, given that the initial problem in any online platform requiring personalized interaction or some kind of authentication is to actually distribute digital identities, we propose SEBIA, a protocol based on EBIA (the typical email-based registration system) that ensures a reasonable level of security for many contexts. Specifically, it allows the distribution of anonymous identities like the ones that are used as a base to create privacy systems in subsequent chapters, and that are based on group signatures. Once having addressed the distribution problem, we extend the widely deployed X.509 PKI in order for it to be suitable for managing anonymous identities. Specifically, we propose extensions to the OCSP and CRL mechanisms, and create a new X.509-like protocol for communicating evidence of misbehavior (which, regrettably, is a problem sometimes derived from anonymity). With these contributions, we allow the creation of advanced privacy-respectful systems based on anonymity. In fact, with the aim of showing it, we design two systems. First, a comprehensive online shopping system that allows anonymous purchases while also being compatible with typical e-commerce benefits, like customer-specific marketing techniques. Secondly, we define an extension to the Tor network which, also based on the same mechanisms for managing anonymity, would allow shifting from full anonymity to fair anonymity.
Moreover, for several of the proposals made in this thesis, we have implemented actual prototypes that have enabled us to perform initial profiling tasks. Despite being preliminary versions lacking optimization, the results indicate that our proposals incur acceptable costs.

    With the great rise of information and communication systems, together with computing power, users have begun to worry about their privacy. Consequently, they increasingly prefer systems that respect their personal information, which is leading software companies to worry about user privacy as well. Nevertheless, the privacy guarantees in current systems usually reduce to legal protection mechanisms, which users must trust. Conversely, the contributions made by the academic community usually consist of systems that are impractical or unrealistic and poorly adaptable to current infrastructures. In this thesis, we attempt to reduce this gap between the practical but barely robust systems of the “real world” and the robust but barely practical systems of the “academic world”. To do so, we build on protocols and systems currently used in industry, but adapt them so that they respect privacy through advanced cryptographic primitives, providing fair anonymity. Specifically, we begin by addressing simpler tasks and then build more complex systems. This allows us to create a flexible framework from which solutions applicable to contexts other than those shown here can be derived. At the same time, this helps reduce the complexity of deploying new systems from scratch, fulfilling our objective. In somewhat more detail, to facilitate the design and implementation of privacy-respectful systems, we proceed as follows.
First, we propose a methodology for designing protocols and systems and verifying that they meet the established security requirements. We use this methodology to create and verify the protocols and systems proposed later. On the other hand, since we make significant use of group signatures to provide privacy through anonymity, and our aim is to ease the creation of new systems, we present a library for group signatures written in C. This library, still in alpha stage, is easily extensible, so that new schemes can be added if necessary while maintaining a unified API. Next, we use these basic building blocks to create technological components that any privacy-respectful system will probably require. Specifically, since on every online platform the first necessary operation is to register with it, we propose SEBIA, a protocol based on EBIA (the typical email-based registration system) that provides a level of security sufficient for many scenarios. This protocol, specifically, allows the distribution of anonymous digital identities like those used in the following chapters, which are based on group signatures. Indeed, once identities have been distributed, efficient mechanisms to manage them are needed. To that end, we extend the X.509 public key infrastructure in order to adapt it for managing anonymous identities. Specifically, we extend the OCSP and CRL mechanisms, and additionally create a new protocol that, following the same design principles as X.509, allows the distribution of evidence of illegitimate behaviour (which, unfortunately, is a problem that usually accompanies anonymity). With these contributions, we facilitate the creation of advanced privacy-respectful systems based on anonymity that are at the same time compatible with current technologies.
To show this, we design an online shopping system that allows anonymous purchases and is also compatible with current marketing techniques. Furthermore, we propose an extension for the Tor network which, also based on the mechanisms presented, could allow that network to migrate to a fair anonymity system. Finally, for several of the proposals made in this thesis, prototypes have been implemented that have allowed us to perform an initial analysis. Despite being preliminary unoptimized versions, the results indicate that our proposals introduce acceptable overheads.

    Practical Zero-Knowledge Protocols Based on the Discrete Logarithm Assumption

    Zero-knowledge proofs were introduced by Goldwasser, Micali, and Rackoff. A zero-knowledge proof allows a prover to demonstrate knowledge of some information, for example that they know an element which is a member of a list or which is not a member of a list, without disclosing any further information about that element. Existing constructions of zero-knowledge proofs which can be applied to all languages in NP are impractical due to their communication and computational complexity. However, it has been known since Guillou and Quisquater's identification protocol from 1988 and Schnorr's identification protocol from 1991 that practical zero-knowledge protocols for specific problems exist. Because of this, a lot of work was undertaken over the recent decades to find practical zero-knowledge proofs for various other specific problems, and in recent years many protocols were published which have improved communication and computational complexity. Nevertheless, to find more problems which have an efficient and practical zero-knowledge proof system and which can be used as building blocks for other protocols is an ongoing challenge of modern cryptography. This work addresses the challenge, and constructs zero-knowledge arguments with sublinear communication complexity, and achievable computational demands. The security of our protocols is only based on the discrete logarithm assumption. Polynomial evaluation arguments are proposed for univariate polynomials, for multivariate polynomials, and for a batch of univariate polynomials. Furthermore, the polynomial evaluation argument is applied to construct practical membership and non-membership arguments. Finally, an efficient method for proving the correctness of a shuffle is proposed. The proposed protocols have been tested against current state of the art versions in order to verify their practicality in terms of run-time and communication cost. 
We observe that the performance of our protocols is fast enough to be practical for medium range parameters. Furthermore, all our verifiers have a better asymptotic behavior than earlier verifiers independent of the parameter range, and in real life settings our provers perform better than provers of existing protocols. The analysis of the results shows that the communication cost of our protocols is very small; therefore, our new protocols compare very favorably to the current state of the art.

    Extending Nymble-like Systems

    We present several extensions to the Nymble framework for anonymous blacklisting systems. First, we show how to distribute the Verinym Issuer as a threshold entity. This provides liveness against a threshold Byzantine adversary and protects against denial-of-service attacks. Second, we describe how to revoke a user for a period spanning multiple linkability windows. This gives service providers more flexibility in deciding how long to block individual users. We also point out how our solution enables efficient blacklist transferability among service providers. Third, we augment the Verinym Acquisition Protocol for Tor-aware systems (that utilize IP addresses as a unique identifier) to handle two additional cases: 1) the operator of a Tor exit node wishes to access services protected by the system, and 2) a user’s access to the Verinym Issuer (and the Tor network) is blocked by a firewall. Finally, we revisit the objective blacklisting mechanism used in Jack, and generalize this idea to enable objective blacklisting in other Nymble-like systems. We illustrate the approach by showing how to implement it in Nymble and Nymbler.