309 research outputs found
The knowledge complexity of quadratic residuosity languages
AbstractNoninteractive perfect zero-knowledge (ZK) proofs are very elusive objects. In fact, since the introduction of the noninteractive model of Blum . (1988), the only perfect zero-knowledge proof known was the one for quadratic nonresiduosity of Blum . (1991). The situation is no better in the interactive case where perfect zero-knowledge proofs are known only for a handful of particular languages.In this work, we show that a large class of languages related to quadratic residuosity admits noninteractive perfect zero-knowledge proofs. More precisely, we give a protocol for the language of thresholds of quadratic residuosity.Moreover, we develop a new technique for converting noninteractive zero-knowledge proofs into round-optimal zero-knowledge proofs for an even wider class of languages. The transformation preserves perfect zero knowledge in the sense that, if the noninteractive proof we started with is a perfect zero-knowledge proof, then we obtain a round-optimal perfect zero-knowledge proof. The noninteractive perfect zero-knowledge proofs presented in this work can be transformed into 4-round (which is optimal) interactive perfect zero-knowledge proofs. Until now, the only known 4-round perfect ZK proof systems were the ones for quadratic nonresiduosity (Goldwasser et al., 1989) and for graph nonisomorphism (Goldreich et al., 1986) and no 4-round perfect zero-knowledge proof system was known for the simple case of the language of quadratic residues
Efficient noninteractive certification of RSA moduli and beyond
In many applications, it is important to verify that an RSA public key (N; e) speci es a
permutation over the entire space ZN, in order to prevent attacks due to adversarially-generated
public keys. We design and implement a simple and e cient noninteractive zero-knowledge
protocol (in the random oracle model) for this task. Applications concerned about adversarial
key generation can just append our proof to the RSA public key without any other modi cations
to existing code or cryptographic libraries. Users need only perform a one-time veri cation of
the proof to ensure that raising to the power e is a permutation of the integers modulo N. For
typical parameter settings, the proof consists of nine integers modulo N; generating the proof
and verifying it both require about nine modular exponentiations.
We extend our results beyond RSA keys and also provide e cient noninteractive zero-
knowledge proofs for other properties of N, which can be used to certify that N is suitable
for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to
the recent work of Auerbach and Poettering (PKC 2018), who provide two-message protocols for
similar languages, our protocols are more e cient and do not require interaction, which enables
a broader class of applications.https://eprint.iacr.org/2018/057First author draf
A study of statistical zero-knowledge proofs
Thesis (Ph.D.)--Massachusetts Institute of Technology, Dept. of Mathematics, 1999.Includes bibliographical references (p. 181-190).by Salil Pravin Vadhan.Ph.D
Knowledge implies time/space efficiency
Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2007.Includes bibliographical references (p. 35-36).The probabilistically checkable proof (PCP) system enables proofs to be verified in time polylogarithmic in the length of a classical proof. Computationally sound (CS) proofs improve upon PCPs by additionally shortening the length of the transmitted proof to be polylogarithmic in the length of the classical proof. In this thesis we explore the ultimate limits of non-interactive proof systems with respect to time/space efficiency and the new criterion of composability. We deduce the existence of our proposed proof system by way of a natural new assumption about proofs of knowledge. In fact, a main contribution of our result is showing that knowledge can be "traded" for time and space efficiency in noninteractive proof systems.by Paul Valiant.S.M
Noninteractive Zero Knowledge for NP from (Plain) Learning With Errors
We finally close the long-standing problem of constructing a
noninteractive zero-knowledge (NIZK) proof system for any NP language
with security based on the plain Learning With Errors (LWE)
problem, and thereby on worst-case lattice problems. Our proof system
instantiates the framework recently developed by Canetti
et al. [EUROCRYPT\u2718], Holmgren and Lombardi [FOCS\u2718], and Canetti
et al. [STOC\u2719] for soundly applying the Fiat--Shamir transform using
a hash function family that is correlation intractable for a
suitable class of relations. Previously, such hash families were based
either on ``exotic\u27\u27 assumptions (e.g., indistinguishability
obfuscation or optimal hardness of certain LWE variants) or, more
recently, on the existence of circularly secure fully homomorphic
encryption (FHE). However, none of these assumptions are known to be
implied by plain LWE or worst-case hardness.
Our main technical contribution is a hash family that is correlation
intractable for arbitrary size- circuits, for any polynomially
bounded , based on plain LWE (with small polynomial approximation
factors). The construction combines two novel ingredients: a
correlation-intractable hash family for log-depth circuits
based on LWE (or even the potentially harder Short Integer Solution
problem), and a ``bootstrapping\u27\u27 transform that uses (leveled) FHE to
promote correlation intractability for the FHE decryption circuit to
arbitrary (bounded) circuits. Our construction can be
instantiated in two possible ``modes,\u27\u27 yielding a NIZK that is either
computationally sound and statistically zero knowledge
in the common random string model, or vice-versa in the common
reference string model
Design of large scale applications of secure multiparty computation : secure linear programming
Secure multiparty computation is a basic concept of growing interest in modern cryptography. It allows a set of mutually distrusting parties to perform a computation on their private information in such a way that as little as possible is revealed about each private input. The early results of multiparty computation have only theoretical signi??cance since they are not able to solve computationally complex functions in a reasonable amount of time. Nowadays, e??ciency of secure multiparty computation is an important topic of cryptographic research. As a case study we apply multiparty computation to solve the problem of secure linear programming. The results enable, for example in the context of the EU-FP7 project SecureSCM, collaborative supply chain management. Collaborative supply chain management is about the optimization of the supply and demand con??guration of a supply chain. In order to optimize the total bene??t of the entire chain, parties should collaborate by pooling their sensitive data. With the focus on e??ciency we design protocols that securely solve any linear program using the simplex algorithm. The simplex algorithm is well studied and there are many variants of the simplex algorithm providing a simple and e??cient solution to solving linear programs in practice. However, the cryptographic layer on top of any variant of the simplex algorithm imposes restrictions and new complexity measures. For example, hiding the number of iterations of the simplex algorithm has the consequence that the secure implementations have a worst case number of iterations. Then, since the simplex algorithm has exponentially many iterations in the worst case, the secure implementations have exponentially many iterations in all cases. To give a basis for understanding the restrictions, we review the basic theory behind the simplex algorithm and we provide a set of cryptographic building blocks used to implement secure protocols evaluating basic variants of the simplex algorithm. We show how to balance between privacy and e??ciency; some protocols reveal data about the internal state of the simplex algorithm, such as the number of iterations, in order to improve the expected running times. For the sake of simplicity and e??ciency, the protocols are based on Shamir's secret sharing scheme. We combine and use the results from the literature on secure random number generation, secure circuit evaluation, secure comparison, and secret indexing to construct e??cient building blocks for secure simplex. The solutions for secure linear programming in this thesis can be split into two categories. On the one hand, some protocols evaluate the classical variants of the simplex algorithm in which numbers are truncated, while the other protocols evaluate the variants of the simplex algorithms in which truncation is avoided. On the other hand, the protocols can be separated by the size of the tableaus. Theoretically there is no clear winner that has both the best security properties and the best performance
Probabilistic Proof Systems
Various types of probabilistic proof systems have played a central role in the development of computer science in the last decade. In this exposition, we concentrate on three such proof systems -- interactive proofs, zero-knowledge proofs, and probabilistic checkable proofs -- stressing the essential role of randomness in each of them. This exposition is an expanded version of a survey written for the proceedings of the International Congress of Mathematicians (ICM94) held in Zurich in 1994. It is hope that this exposition may be accessible to a broad audience of computer scientists and mathematians
Experimental Demonstration of Quantum Fully Homomorphic Encryption with Application in a Two-Party Secure Protocol
A fully homomorphic encryption system hides data from unauthorized parties while still allowing them to perform computations on the encrypted data. Aside from the straightforward benefit of allowing users to delegate computations to a more powerful server without revealing their inputs, a fully homomorphic cryptosystem can be used as a building block in the construction of a number of cryptographic functionalities. Designing such a scheme remained an open problem until 2009, decades after the idea was first conceived, and the past few years have seen the generalization of this functionality to the world of quantum machines. Quantum schemes prior to the one implemented here were able to replicate some features in particular use cases often associated with homomorphic encryption but lacked other crucial properties, for example, relying on continual interaction to perform a computation or leaking information about the encrypted data. We present the first experimental realization of a quantum fully homomorphic encryption scheme. To demonstrate the versatility of a a quantum fully homomorphic encryption scheme, we further present a toy two-party secure computation task enabled by our scheme
Functional Commitments for All Functions, with Transparent Setup and from SIS
A *functional commitment* scheme enables a user to concisely commit to a function from a specified family, then later concisely and verifiably reveal values of the function at desired inputs. Useful special cases, which have seen applications across cryptography, include vector commitments and polynomial commitments.
To date, functional commitments have been constructed (under falsifiable assumptions) only for functions that are essentially *linear*, with one recent exception that works for arbitrarily complex functions. However, that scheme operates in a strong and non-standard model, requiring an online, trusted authority to generate special keys for any opened function inputs.
In this work, we give the first functional commitment scheme for nonlinear functions---indeed, for *all functions* of any bounded complexity---under a standard setup and a falsifiable assumption. Specifically, the setup is ``transparent,\u27\u27 requiring only public randomness (and not any trusted entity), and the assumption is the hardness of the standard Short Integer Solution (SIS) lattice problem. Our construction also has other attractive features, including: *stateless updates* via generic composability; excellent *asymptotic efficiency* for the verifier, and also for the committer in important special cases like vector and polynomial commitments, via preprocessing; and *post-quantum security*, since it is based on SIS
- …