Perfect NIZK with Adaptive Soundness

This paper presents a very simple and efficient adaptively-sound perfect NIZK argument system for any NP-language. In contrast to recently proposed schemes by Groth, Ostrovsky and Sahai, our scheme does not pose any restriction on the statements to be proven. Besides, it enjoys a number of desirable properties: it allows to re-use the common reference string (CRS), it can handle arithmetic circuits, and the CRS can be set-up very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NP-reductions. The security of the proposed schemes is based on a strong non-standard assumption, an extended version of the so-called Knowledge-of-Exponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonly-used approach for proving NIZK arguments sound does not allow for adaptively-sound statistical NIZK arguments (unless NP is in P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the non-standard assumption in a pre-processing model

Fully leakage-resilient signatures revisited: Graceful degradation, noisy leakage, and construction in the bounded-retrieval model

We construct new leakage-resilient signature schemes. Our schemes remain unforgeable against an adversary leaking arbitrary (yet bounded) information on the entire state of the signer (sometimes known as fully leakage resilience), including the random coin tosses of the signing algorithm. The main feature of our constructions is that they offer a graceful degradation of security in situations where standard existential unforgeability is impossible

Naor-Yung paradigm with shared randomness and applications

The Naor-Yung paradigm (Naor and Yung, STOC’90) allows to generically boost security under chosen-plaintext attacks (CPA) to security against chosen-ciphertext attacks (CCA) for public-key encryption (PKE) schemes. The main idea is to encrypt the plaintext twice (under independent public keys), and to append a non-interactive zero-knowledge (NIZK) proof that the two ciphertexts indeed encrypt the same message. Later work by Camenisch, Chandran, and Shoup (Eurocrypt’09) and Naor and Segev (Crypto’09 and SIAM J. Comput.’12) established that the very same techniques can also be used in the settings of key-dependent message (KDM) and key-leakage attacks (respectively). In this paper we study the conditions under which the two ciphertexts in the Naor-Yung construction can share the same random coins. We find that this is possible, provided that the underlying PKE scheme meets an additional simple property. The motivation for re-using the same random coins is that this allows to design much more efficient NIZK proofs. We showcase such an improvement in the random oracle model, under standard complexity assumptions including Decisional Diffie-Hellman, Quadratic Residuosity, and Subset Sum. The length of the resulting ciphertexts is reduced by 50%, yielding truly efficient PKE schemes achieving CCA security under KDM and key-leakage attacks. As an additional contribution, we design the first PKE scheme whose CPA security under KDM attacks can be directly reduced to (low-density instances of) the Subset Sum assumption. The scheme supports keydependent messages computed via any affine function of the secret ke

Predictable arguments of knowledge

We initiate a formal investigation on the power of predictability for argument of knowledge systems for NP. Specifically, we consider private-coin argument systems where the answer of the prover can be predicted, given the private randomness of the verifier; we call such protocols Predictable Arguments of Knowledge (PAoK). Our study encompasses a full characterization of PAoK, showing that such arguments can be made extremely laconic, with the prover sending a single bit, and assumed to have only one round (i.e., two messages) of communication without loss of generality. We additionally explore PAoK satisfying additional properties (including zero-knowledge and the possibility of re-using the same challenge across multiple executions with the prover), present several constructions of PAoK relying on different cryptographic tools, and discuss applications to cryptography

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

The Fiat-Shamir (FS) transform is a popular technique for obtaining practical zero-knowledge argument systems. The FS transform uses a hash function to generate, without any further overhead, non-interactive zero-knowledge (NIZK) argument systems from public-coin honest-verifier zero-knowledge (public-coin HVZK) proof systems. In the proof of zero knowledge, the hash function is modeled as a programmable random oracle (PRO). In TCC 2015, Lindell embarked on the challenging task of obtaining a similar transform with improved heuristic security. Lindell showed that, for several interesting and practical languages, there exists an efficient transform in the non-programmable random oracle (NPRO) model that also uses a common reference string (CRS). A major contribution of Lindell’s transform is that zero knowledge is proved without random oracles and this is an important step towards achieving efficient NIZK arguments in the CRS model without random oracles. In this work, we analyze the efficiency and generality of Lindell’s transform and notice a significant gap when compared with the FS transform. We then propose a new transform that aims at filling this gap. Indeed our transform is almost as efficient as the FS transform and can be applied to a broad class of public-coin HVZK proof systems. Our transform requires a CRS and an NPRO in the proof of soundness, similarly to Lindell’s transform

Multi-theorem (Malicious) Designated-Verifier NIZK for QMA

We present the first non-interactive zero-knowledge argument system for QMA with multi-theorem security. Our protocol setup constitutes an additional improvement and is constructed in the malicious designated-verifier (MDV-NIZK) model (Quach, Rothblum, and Wichs, EUROCRYPT 2019), where the setup consists of a trusted part that includes only a common uniformly random string and an untrusted part of classical public and secret verification keys, which even if sampled maliciously by the verifier, the zero knowledge property still holds. The security of our protocol is established under the Learning with Errors Assumption. Our main technical contribution is showing a general transformation that compiles any sigma protocol into a reusable MDV-NIZK protocol, using NIZK for NP. Our technique is classical but works for quantum protocols and allows the construction of a reusable MDV-NIZK for QMA

Bounded CCA2-Secure Non-Malleable Encryption

Under an adaptive chosen ciphertext attack (CCA2), the security of an encryption scheme must hold against adversaries that have access to a decryption oracle. We consider a weakening of CCA2 security, wherein security need only hold against adversaries making an a-priori bounded number of queries to the decryption oracle. Concerning this notion, which we call bounded-CCA2 security, we show the following two results. (1) Bounded-CCA2 secure non-malleable encryption schemes exist if and only if semantically-secure (IND-CPA-secure) encryption schemes exist.(As far as we know, bounded-CCA2 non-malleability is the strongest notion of security known to be satisfiable assuming only the existence of semantically-secure encryption schemes.) (2) In contrast to CCA2 security, bounded-CCA2 security alone does not imply non-malleability. In particular, if there exists an encryption scheme that is bounded-CCA2 secure, then there exists another encryption scheme which remains bounded-CCA2 secure, but is malleable under a simple chosen-plaintext attack

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

We construct a pairing based simulation-extractable SNARK (SE-SNARK) that consists of only 3 group elements and has highly efficient verification. By formally linking SE-SNARKs to signatures of knowledge, we then obtain a succinct signature of knowledge consisting of only 3 group elements. SE-SNARKs enable a prover to give a proof that they know a witness to an instance in a manner which is: (1) succinct - proofs are short and verifier computation is small; (2) zero-knowledge - proofs do not reveal the witness; (3) simulation-extractable - it is only possible to prove instances to which you know a witness, even when you have already seen a number of simulated proofs. We also prove that any pairing based signature of knowledge or SE-NIZK argument must have at least 3 group elements and 2 verification equations. Since our constructions match these lower bounds, we have the smallest size signature of knowledge and the smallest size SE-SNARK possible

On a New, Efficient Framework for Falsifiable Non-interactive Zero-Knowledge Arguments

Et kunnskapsløst bevis er en protokoll mellom en bevisfører og en attestant. Bevisføreren har som mål å overbevise attestanten om at visse utsagn er korrekte, som besittelse av kortnummeret til et gyldig kredittkort, uten å avsløre noen private opplysninger, som for eksempel kortnummeret selv. I mange anvendelser er det ønskelig å bruke IIK-bevis (Ikke-interaktive kunnskapsløse bevis), der bevisføreren produserer kun en enkelt melding som kan bekreftes av mange attestanter. En ulempe er at sikre IIK-bevis for ikke-trivielle språk kun kan eksistere ved tilstedeværelsen av en pålitelig tredjepart som beregner en felles referansestreng som blir gjort tilgjengelig for både bevisføreren og attestanten. Når ingen slik part eksisterer liter man av og til på ikke-interaktiv vitne-uskillbarhet, en svakere form for personvern. Studiet av effektive og sikre IIK-bevis er en kritisk del av kryptografi som har blomstret opp i det siste grunnet anvendelser i blokkjeder. I den første artikkelen konstruerer vi et nytt IIK-bevis for språkene som består av alle felles nullpunkter for en endelig mengde polynomer over en endelig kropp. Vi demonstrerer nytteverdien av beviset ved flerfoldige eksempler på anvendelser. Særlig verdt å merke seg er at det er mulig å gå nesten automatisk fra en beskrivelse av et språk på et høyt nivå til definisjonen av IIK-beviset, som minsker behovet for dedikert kryptografisk ekspertise. I den andre artikkelen konstruerer vi et IIV-bevis ved å bruke en ny kompilator. Vi utforsker begrepet Kunnskapslydighet (et sterkere sikkerhetsbegrep enn lydighet) for noen konstruksjoner av IIK-bevis. I den tredje artikkelen utvider vi arbeidet fra den første artikkelen ved å konstruere et nytt IIK-bevis for mengde-medlemskap som lar oss bevise at et element ligger, eller ikke ligger, i den gitte mengden. Flere nye konstruksjoner har bedre effektivitet sammenlignet med allerede kjente konstruksjoner.A zero-knowledge proof is a protocol between a prover, and a verifier. The prover aims to convince the verifier of the truth of some statement, such as possessing credentials for a valid credit card, without revealing any private information, such as the credentials themselves. In many applications, it is desirable to use NIZKs (Non-Interactive Zero Knowledge) proofs, where the prover sends outputs only a single message that can be verified by many verifiers. As a drawback, secure NIZKs for non-trivial languages can only exist in the presence of a trusted third party that computes a common reference string and makes it available to both the prover and verifier. When no such party exists, one sometimes relies on non interactive witness indistinguishability (NIWI), a weaker notion of privacy. The study of efficient and secure NIZKs is a crucial part of cryptography that has been thriving recently due to blockchain applications. In the first paper, we construct a new NIZK for the language of common zeros of a finite set of polynomials over a finite field. We demonstrate its usefulness by giving a large number of example applications. Notably, it is possible to go from a high-level language description to the definition of the NIZK almost automatically, lessening the need for dedicated cryptographic expertise. In the second paper, we construct a NIWI using a new compiler. We explore the notion of Knowledge Soundness (a security notion stronger than soundness) of some NIZK constructions. In the third paper, we extended the first paper’s work by constructing a new set (non-)membership NIZK that allows us to prove that an element belongs or does not belong to the given set. Many new constructions have better efficiency compared to already-known constructions.Doktorgradsavhandlin

Mitte-interaktiivsed nullteadmusprotokollid nõrgemate usalduseeldustega

Väitekirja elektrooniline versioon ei sisalda publikatsiooneTäieliku koosluskindlusega (TK) kinnitusskeemid ja nullteadmustõestused on ühed põhilisemad krüptograafilised primitiivid, millel on hulgaliselt päriselulisi rakendusi. (TK) Kinnitusskeem võimaldab osapoolel arvutada salajasest sõnumist kinnituse ja hiljem see verifitseeritaval viisil avada. Täieliku koosluskindlusega protokolle saab vabalt kombineerida teiste täieliku koosluskindlusega protokollidega ilma, et see mõjutaks nende turvalisust. Nullteadmustõestus on protokoll tõestaja ja verifitseerija vahel, mis võimaldab tõestajal veenda verifitseerijat mingi väite paikapidavuses ilma rohkema informatsiooni lekitamiseta. Nullteadmustõestused pakuvad suurt huvi ka praktilistes rakendustes, siinkohal on olulisemateks näideteks krüptorahad ja hajusandmebaasid üldisemalt. Siin on eriti asjakohased just lühidad mitteinteraktiivsed nullteadmustõestused (SNARKid) ning kvaasiadaptiivsed mitteinteraktiivsed nullteadmustõestused (QA-NIZKid). Mitteinteraktiivsetel nullteadmustõestustel juures on kaks suuremat praktilist nõrkust. Esiteks on tarvis usaldatud seadistusfaasi osapoolte ühisstringi genereerimiseks ja teiseks on tarvis täielikku koosluskindlust. Käesolevas doktoritöös me uurime neid probleeme ja pakume välja konkreetseid konstruktsioone nende leevendamiseks. Esmalt uurime me õõnestuskindlaid SNARKe juhu jaoks, kus seadistusfaasi ühisstring on õõnestatud. Me konstrueerime õõnestuskindla versiooni seni kõige tõhusamast SNARKist. Samuti uurime me QA-NIZKide õõnestuskindlust ja konstrueerime kõige efektiivsemate QA-NIZKide õõnestuskindla versiooni. Mis puutub teise uurimissuunda, nimelt täielikku koosluskindlusesse, siis sel suunal kasutame me pidevaid projektiivseid räsifunktsioone. Me pakume välja uue primitiivi, kus eelmainitud räsifunktsioonid on avalikult verifitseeritavad. Nende abil me konstrueerime seni kõige tõhusama mitteinteraktiivse koosluskindla kinnitusskeemi. Lõpetuseks me töötame välja uue võtte koosluskindlate kinnitusskeemide jaoks, mis võimaldab ühisarvutuse abil luua nullteadmustõestuste ühisstringe.Quite central primitives in cryptographic protocols are (Universally composable (UC)) commitment schemes and zero-knowledge proofs that getting frequently employed in real-world applications. A (UC) commitment scheme enables a committer to compute a commitment to a secret message, and later open it in a verifiable manner (UC protocols can seamlessly be combined with other UC protocols and primitives while the entire protocol remains secure). A zero-knowledge proof is a protocol usually between a prover and a verifier that allows the prover to convince the verifier of the legality of a statement without disclosing any more information. Zero-knowledge proofs and in particular Succinct non-interactive zero-knowledge proofs (SNARKs) and quasi adaptive NIZK (QA-NIZK) are of particular interest in the real-world applications, with cryptocurrencies or more generally distributed ledger technologies being the prime examples. The two serious issues and the main drawbacks of the practical usage of NIZKs are (i) the demand for a trusted setup for generating the common reference string (CRS) and (ii) providing the UC security. In this thesis, we essentially investigate the aforementioned issues and propose concrete constructions for them. We first investigate subversion SNARKs (Sub zk-SNARKs) when the CRS is subverted. In particular, we build a subversion of the most efficient SNARKs. Then we initiate the study of subversion QA-NIZK (Sub-QA-NIZK) and construct subversion of the most efficient QA-NIZKs. For the second issue, providing UC-security, we first using hash proof systems or smooth projective hash functions (SPHFs), we introduce a new cryptographic primitive called publicly computable SPHFs (PC-SPHFs) and construct the currently most efficient non-interactive UC-secure commitment. Finally, we develop a new technique for constructing UC-secure commitments schemes that enables one to generate CRS of NIZKs by using MPC in a UC-secure mannerhttps://www.ester.ee/record=b535926