Predictable arguments of knowledge

We initiate a formal investigation on the power of predictability for argument of knowledge systems for NP. Specifically, we consider private-coin argument systems where the answer of the prover can be predicted, given the private randomness of the verifier; we call such protocols Predictable Arguments of Knowledge (PAoK). Our study encompasses a full characterization of PAoK, showing that such arguments can be made extremely laconic, with the prover sending a single bit, and assumed to have only one round (i.e., two messages) of communication without loss of generality. We additionally explore PAoK satisfying additional properties (including zero-knowledge and the possibility of re-using the same challenge across multiple executions with the prover), present several constructions of PAoK relying on different cryptographic tools, and discuss applications to cryptography

On Privacy Preserving Blockchains and zk-SNARKs

Viimastel aastatel on krüptoraha ja plokiahela tehnoloogia leidnud suurt tähelepanu nii kaubanduslikust kui ka teaduslikust vaatenurgast. Krüptoraha kujutab endast digitaalseid münte, mis kasutades krüptograafilisi vahendeid võimaldab turvalisi tehinguid võrdvõrkudes. Bitcoin on kõige tuntum krüptoraha, mis võimaldab otsetehinguid kasutajate pseudonüümide vahel ilma, et oleks vaja kolmandaid osapooli. Paraku kui kasutaja pseudonüüm on seotud tema identiteediga, on kõik tema tehingud jälgitavad ning kaob privaatsus.Selle lahendamiseks on välja pakutud erinevaid privaatsust säilitavaid krüptorahasi, mis kasutavad anonüümsete tehingute saavutamiseks krüptograafilisi tööriistu. Zerocash on üks populaarseimatest privaatsetest krüptorahadest, mis kasutab iga tehingu allika, sihtkoha ja väärtuse varjamiseks nullteadmustõestust.Antud töö koosneb kahest peamisest osast.Esimeses osas kirjeldame, pärast lühikest ülevaadet mõnest privaatsest krüptorahast (Bitcoin, Monero ja Zerocoin), Zerocashi konstruktsiooni ja anname intuitsiivse seletuse selle tööpõhimõttele. Me tutvustame kasutuselevõetud primitiive ja arutleme iga primitiivi rolli üle mündi konstruktsioonis. Erilist tähelepanu pöörame kompaktsetele nullteadmustõestusetele (zk-SNARKidele), millel on peamine roll Zerocashis.Kuna nullteadmustõestus on niivõrd olulisel kohal Zerocashis (ja teistes privaatsetes rakendustes) siis töö teises osas pakume välja uue variatsiooni Grothi 2016. aasta zk-SNARKile, mis on seni kõige tõhusam.Erinevalt Grothi konstruktsioonist, meie variatsioonis ei ole võimalik tõestusi modifitseerida.Muudatused mõjutavad nullteadmustõestuse tõhusust vaid minimaalselt ning meie konstruktsioon on kiirem kui Grothi ja Malleri 2017. nullteadmustõestus, mis samuti välistab muudetavuse.During last few years, along with blockchain technology, cryptocurrencies have found huge attention from both commercial and scientific perspectives. Cryptocurrencies are digital coins which use cryptographic tools to allow secure peer-to-peer monetary transactions. Bitcoin is the most well-known cryptocurrency that allows direct payments between pseudonyms without any third party. If a user's pseudonym is linked to her identity, all her transactions will be traceable, which will violate her privacy. To address this, various privacy-preserving cryptocurrencies have been proposed that use different cryptographic tools to achieve anonymous transactions. Zerocash is one of the most popular ones that uses zero-knowledge proofs to hide the source, destination and value of each transaction. This thesis consists of two main parts. In the first part, after a short overview of some cryptocurrencies (precisely Bitcoin, Monero and Zerocoin), we will explain the construction of Zerocash cryptocurrency and discuss the intuition behind the construction. More precisely, we will introduce the deployed primitives and will discuss the role of each primitive in the construction of the coin. In particular, we explain zero-knowledge Succinct Non-Interactive Arguments of Knowledge (a.k.a. zk-SNARKs) that play the main role in achieving strong privacy in Zerocash. Due to the importance of zk-SNARKs in privacy-preserving applications, in the second part of the thesis, we will present a new variation of Groth's 2016 zk-SNARK that currently is the most efficient pairing-based scheme. The main difference between the proposed variation and the original one is that unlike the original version, new variation guarantees non-malleability of generated proofs. Our analysis shows that the proposed changes have minimal effects on the efficiency of the original scheme and particularly it outperforms Groth and Maller's 2017 zk-SNARK that also guarantees non-malleability of proofs

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

We construct a pairing based simulation-extractable SNARK (SE-SNARK) that consists of only 3 group elements and has highly efficient verification. By formally linking SE-SNARKs to signatures of knowledge, we then obtain a succinct signature of knowledge consisting of only 3 group elements. SE-SNARKs enable a prover to give a proof that they know a witness to an instance in a manner which is: (1) succinct - proofs are short and verifier computation is small; (2) zero-knowledge - proofs do not reveal the witness; (3) simulation-extractable - it is only possible to prove instances to which you know a witness, even when you have already seen a number of simulated proofs. We also prove that any pairing based signature of knowledge or SE-NIZK argument must have at least 3 group elements and 2 verification equations. Since our constructions match these lower bounds, we have the smallest size signature of knowledge and the smallest size SE-SNARK possible

Online-Extractability in the Quantum Random-Oracle Model

We show the following generic result. Whenever a quantum query algorithm in the quantum random-oracle model outputs a classical value $t$ that is promised to be in some tight relation with $H(x)$ for some $x$, then $x$ can be efficiently extracted with almost certainty. The extraction is by means of a suitable simulation of the random oracle and works online, meaning that it is straightline, i.e., without rewinding, and on-the-fly, i.e., during the protocol execution and without disturbing it. The technical core of our result is a new commutator bound that bounds the operator norm of the commutator of the unitary operator that describes the evolution of the compressed oracle (which is used to simulate the random oracle above) and of the measurement that extracts $x$. We show two applications of our generic online extractability result. We show tight online extractability of commit-and-open $\Sigma$-protocols in the quantum setting, and we offer the first non-asymptotic post-quantum security proof of the textbook Fujisaki-Okamoto transformation, i.e, without adjustments to facilitate the proof

Mitte-interaktiivsed nullteadmusprotokollid nõrgemate usalduseeldustega

Väitekirja elektrooniline versioon ei sisalda publikatsiooneTäieliku koosluskindlusega (TK) kinnitusskeemid ja nullteadmustõestused on ühed põhilisemad krüptograafilised primitiivid, millel on hulgaliselt päriselulisi rakendusi. (TK) Kinnitusskeem võimaldab osapoolel arvutada salajasest sõnumist kinnituse ja hiljem see verifitseeritaval viisil avada. Täieliku koosluskindlusega protokolle saab vabalt kombineerida teiste täieliku koosluskindlusega protokollidega ilma, et see mõjutaks nende turvalisust. Nullteadmustõestus on protokoll tõestaja ja verifitseerija vahel, mis võimaldab tõestajal veenda verifitseerijat mingi väite paikapidavuses ilma rohkema informatsiooni lekitamiseta. Nullteadmustõestused pakuvad suurt huvi ka praktilistes rakendustes, siinkohal on olulisemateks näideteks krüptorahad ja hajusandmebaasid üldisemalt. Siin on eriti asjakohased just lühidad mitteinteraktiivsed nullteadmustõestused (SNARKid) ning kvaasiadaptiivsed mitteinteraktiivsed nullteadmustõestused (QA-NIZKid). Mitteinteraktiivsetel nullteadmustõestustel juures on kaks suuremat praktilist nõrkust. Esiteks on tarvis usaldatud seadistusfaasi osapoolte ühisstringi genereerimiseks ja teiseks on tarvis täielikku koosluskindlust. Käesolevas doktoritöös me uurime neid probleeme ja pakume välja konkreetseid konstruktsioone nende leevendamiseks. Esmalt uurime me õõnestuskindlaid SNARKe juhu jaoks, kus seadistusfaasi ühisstring on õõnestatud. Me konstrueerime õõnestuskindla versiooni seni kõige tõhusamast SNARKist. Samuti uurime me QA-NIZKide õõnestuskindlust ja konstrueerime kõige efektiivsemate QA-NIZKide õõnestuskindla versiooni. Mis puutub teise uurimissuunda, nimelt täielikku koosluskindlusesse, siis sel suunal kasutame me pidevaid projektiivseid räsifunktsioone. Me pakume välja uue primitiivi, kus eelmainitud räsifunktsioonid on avalikult verifitseeritavad. Nende abil me konstrueerime seni kõige tõhusama mitteinteraktiivse koosluskindla kinnitusskeemi. Lõpetuseks me töötame välja uue võtte koosluskindlate kinnitusskeemide jaoks, mis võimaldab ühisarvutuse abil luua nullteadmustõestuste ühisstringe.Quite central primitives in cryptographic protocols are (Universally composable (UC)) commitment schemes and zero-knowledge proofs that getting frequently employed in real-world applications. A (UC) commitment scheme enables a committer to compute a commitment to a secret message, and later open it in a verifiable manner (UC protocols can seamlessly be combined with other UC protocols and primitives while the entire protocol remains secure). A zero-knowledge proof is a protocol usually between a prover and a verifier that allows the prover to convince the verifier of the legality of a statement without disclosing any more information. Zero-knowledge proofs and in particular Succinct non-interactive zero-knowledge proofs (SNARKs) and quasi adaptive NIZK (QA-NIZK) are of particular interest in the real-world applications, with cryptocurrencies or more generally distributed ledger technologies being the prime examples. The two serious issues and the main drawbacks of the practical usage of NIZKs are (i) the demand for a trusted setup for generating the common reference string (CRS) and (ii) providing the UC security. In this thesis, we essentially investigate the aforementioned issues and propose concrete constructions for them. We first investigate subversion SNARKs (Sub zk-SNARKs) when the CRS is subverted. In particular, we build a subversion of the most efficient SNARKs. Then we initiate the study of subversion QA-NIZK (Sub-QA-NIZK) and construct subversion of the most efficient QA-NIZKs. For the second issue, providing UC-security, we first using hash proof systems or smooth projective hash functions (SPHFs), we introduce a new cryptographic primitive called publicly computable SPHFs (PC-SPHFs) and construct the currently most efficient non-interactive UC-secure commitment. Finally, we develop a new technique for constructing UC-secure commitments schemes that enables one to generate CRS of NIZKs by using MPC in a UC-secure mannerhttps://www.ester.ee/record=b535926

Fully leakage-resilient signatures revisited: Graceful degradation, noisy leakage, and construction in the bounded-retrieval model

We construct new leakage-resilient signature schemes. Our schemes remain unforgeable against an adversary leaking arbitrary (yet bounded) information on the entire state of the signer (sometimes known as fully leakage resilience), including the random coin tosses of the signing algorithm. The main feature of our constructions is that they offer a graceful degradation of security in situations where standard existential unforgeability is impossible

The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More

We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir transformation of $\Sigma$-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the Fiat-Shamir transformation of multi-round interactive proofs, and (2) whether Don et al.'s $O(q^2)$ loss in security is optimal. Firstly, we answer question (1) in the affirmative. As a byproduct of solving a technical difficulty in proving this result, we slightly improve the result of Don et al., equipping it with a cleaner bound and an even simpler proof. We apply our result to digital signature schemes showing that it can be used to prove strong security for schemes like MQDSS in the QROM. As another application we prove QROM-security of a non-interactive OR proof by Liu, Wei and Wong. As for question (2), we show via a Grover-search based attack that Don et al.'s quadratic security loss for the Fiat-Shamir transformation of $\Sigma$-protocols is optimal up to a small constant factor. This extends to our new multi-round result, proving it tight up to a factor that depends on the number of rounds only, i.e. is constant for any constant-round interactive proof.Comment: 22 page

Efficient public-key cryptography with bounded leakage and tamper resilience

We revisit the question of constructing public-key encryption and signature schemes with security in the presence of bounded leakage and tampering memory attacks. For signatures we obtain the first construction in the standard model; for public-key encryption we obtain the first construction free of pairing (avoiding non-interactive zero-knowledge proofs). Our constructions are based on generic building blocks, and, as we show, also admit efficient instantiations under fairly standard number-theoretic assumptions. The model of bounded tamper resistance was recently put forward by Damgård et al. (Asiacrypt 2013) as an attractive path to achieve security against arbitrary memory tampering attacks without making hardware assumptions (such as the existence of a protected self-destruct or key-update mechanism), the only restriction being on the number of allowed tampering attempts (which is a parameter of the scheme). This allows to circumvent known impossibility results for unrestricted tampering (Gennaro et al., TCC 2010), while still being able to capture realistic tampering attack

Universally Composable Verifiable Random Oracles

Random Oracles werden häufig in der Kryptographie eingesetzt um sehr effiziente Instanziierungen mächtiger kryptographischer Primitive zu konstruieren. Jedoch ist diese Praxis im Allgemeinen nicht zulässig wie verschiedene Nicht-Instanziierungs-Ergebnisse für Random Oracles mittels lokal berechenbarer Familien von Funktionen durch Halevi et al. (JACM ’04) zeigt. Die Random Oracle Modell kann sicher eingesetzt werden, indem Random Oracles nicht mit einer lokal berechenbaren Hashfunktion, sondern stattdessen mit einem interaktiven Protokoll instanziiert werden. In der realen Welt könnte solch ein interaktives Protokoll beispielsweise aus einem vertrauenswürdigen Server, welcher über das Internet erreichbar ist, bestehen. Dieser Server würde sodann eine der bekannten Techniken wie lazy sampling oder das Auswerten einer Pseudo-Zufälligen Funktion verwenden, um die Funktionalität eines Random Oracle bereitzustellen. Ein klarer Nachteil dieses Ansatzes ist die große Menge an Interaktion, die bei jeder Berechnung, die eine Auswertung des Random Oracle beinhaltet, nötig ist. Wir wollen diese Interaktion auf ein Minimum reduzieren. Um obiges Unmöglichkeitsresultat zu umgehen, muss die Auswertung des Random Oracle auf einer frischen Eingabe Interaktion der auswertenden Partei mit einer anderen Partei beinhalten. Dies ist jedoch nicht der einzige Verwendungszweck von Random Oracles, der häufig in kryptographischen Protokollen auftritt. Bei einem weiteren solchen Zweck wertet zunächst eine Partei A das Orakel auf einer Eingabe aus und erhält einen Hashwert. Im Anschluss sendet A Eingabe und Ausgabe (im Kontext eines Protokolls) an eine zweite Partei B und möchte B davon überzeugen, dass das Random Oracle korrekt ausgewertet wurde. Eine einfache Möglichkeit dies zu prüfen besteht darin, dass B selbst eine Auswertung des Random Oracle auf der erhaltenen Eingabe tätigt und die beiden Ausgaben vergleicht. In unserem Kontext benötigt dies jedoch erneut Interaktion. Der Wunsch diesen zweiten Verwendungszweck nicht-interaktiv zu machen führt uns zum Begriff eines Verifiable Random Oracle (VRO) als Erweiterung eines Random Oracle. Abstrakt besteht ein VRO aus zwei Orakeln. Das erste Orakel verhält sich wie ein Random Oracle dessen Ausgabe um einen Korrektheitsbeweis erweitert wurde. Mit Hilfe dieses Beweises kann das zweite Orakel dazu verwendet werden öffentlich die korrekte Auswertung des Random Oracle zu verifizieren. Obwohl diese Orakel-basierte Formulierung nicht notwendigerweise nicht-interaktive Verifikation besitzt, so erlaubt jedoch die Einführung expliziter Korrektheitsbeweise dies. In dieser Masterarbeit formalisieren wir zunächst den Begriff eines VRO im Universal Composability Framework von Canetti (FOCS ’01). Danach wenden wir VROs auf zwei kryptographische Anwendungen an, die in ihrer ursprünglichen Formulierung das Random Oracle Modell verwenden, und zeigen, das deren Sicherheitseigenschaften erhalten bleiben. Um zu zeigen, dass unsere Definition realisierbar ist, konstruieren wir mehrere Protokolle, die die ideale VRO Funktionalität realisieren. Diese reichen von Protokollen für eine einzelne vertrauenswürdige Partei bis hin zu verteilten Protokollen, die eine gewisse Menge an böswilliger Korruption erlauben. Wir vergleichen weiterhin VROs mit ähnlichen existierenden Primitiven