10 research outputs found
Resettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way
We construct a constant-round resettably-sound zero-knowledge argument of knowledge based on black-box use of any one-way function.
Resettable-soundness was introduced by Barak, Goldreich, Goldwasser and Lindell [FOCS 01] and is a strengthening of the soundness requirement in interactive proofs demanding that soundness should hold even if the malicious prover is allowed to “reset” and “restart” the verifier. In their work they show that resettably-sound ZK arguments require non-black-box simulation techniques, and also provide the first construction based on the breakthrough simulation technique of Barak [FOCS 01]. All known implementations of Barak’s non-black-box technique required non-black-box use of a collision-resistance hash-function (CRHF).
Very recently, Goyal, Ostrovsky, Scafuro and Visconti [STOC 14] showed an implementation of Barak’s technique that needs only black-box access to a collision-resistant hash-function while still having a non-black-box simulator. (Such a construction is referred to as semi black-box.) Plugging this implementation in the BGGL’s construction yields the first resettably-sound ZK arguments based on black-box use of CRHFs.
However, from the work of Chung, Pass and Seth [STOC 13] and Bitansky and Paneth [STOC13], we know that resettably-sound ZK arguments can be constructed from non-black-box use of any one-way function (OWF), which is the minimal assumption for ZK arguments.
Hence, a natural question is whether it is possible to construct resettably-sound zero-knowledge arguments from black-box use of any OWF only. In this work we provide a positive answer to this question thus closing the gap between black-box and non-black-box constructions for resettably-sound ZK arguments
The Hunting of the SNARK
The existence of succinct non-interactive arguments for NP (i.e.,
non-interactive computationally-sound proofs where the verifier\u27s
work is essentially independent of the complexity of the NP
nondeterministic verifier) has been an intriguing question for the
past two decades. Other than CS proofs in the random oracle model
[Micali, FOCS \u2794], the only existing candidate construction is
based on an elaborate assumption that is tailored to a specific
protocol [Di Crescenzo and Lipmaa, CiE \u2708].
We formulate a general and relatively natural notion of an
\emph{extractable collision-resistant hash function (ECRH)} and show
that, if ECRHs exist, then a modified version of Di Crescenzo and
Lipmaa\u27s protocol is a succinct non-interactive argument for
NP. Furthermore, the modified protocol is actually a succinct
non-interactive \emph{adaptive argument of knowledge (SNARK).} We
then propose several candidate constructions for ECRHs and
relaxations thereof.
We demonstrate the applicability of SNARKs to various forms of delegation of computation, to succinct non-interactive zero knowledge arguments, and to succinct two-party secure computation. Finally, we show that SNARKs essentially imply the existence of ECRHs, thus demonstrating the necessity of the assumption.
Going beyond \ECRHs, we formulate the notion of {\em extractable
one-way functions (\EOWFs)}. Assuming the existence of a natural
variant of \EOWFs, we construct a -message
selective-opening-attack secure commitment scheme and a 3-round
zero-knowledge argument of knowledge. Furthermore, if the \EOWFs are
concurrently extractable, the 3-round zero-knowledge protocol is also
concurrent zero-knowledge.
Our constructions circumvent previous black-box impossibility
results regarding these protocols by relying on \EOWFs as the non-black-box component in the security reductions
Round and computational efficiency of two-party protocols
2016 - 2017A cryptographic protocol is defined by the behaviour of the involved parties and the messages
that those parties send to each other. Beside the functionality and the security that a cryptographic
protocol provides, it is also important that the protocol is efficient. In this thesis
we focus on the efficiency parameters of a cryptographic protocol related to the computational
and round complexity. That is, we are interested in the computational cost that the parties
involved in the protocol have to pay and how many interactions between the parties are required
to securely implement the functionality which we are interested in. Another important aspect
of a cryptographic protocol is related to the computational assumptions required to prove that
the protocol is secure. The aim of this thesis is to improve the state of the art with respect to
some cryptographic functionalities where two parties are involved, by providing new techniques
to construct more efficient cryptographic protocols whose security can be proven by relying on
better cryptographic assumptions.
The thesis is divided in three parts. In the first part we consider Secure Two-Party Computation
(2PC), a cryptographic technique that allows to compute a functionality in a secure
way. More precisely, there are two parties, Alice and Bob, willing to compute the output of a
function f given x and y as input. The values x and y represent the inputs of Alice and Bob
respectively. Moreover, each party wants to keep the input secret while allowing the other party
to correctly compute f(x, y). As a first result, we show the first secure 2PC protocol with black
box simulation, secure under standard and generic assumption, with optimal round complexity
in the simultaneous message exchange model. In the simultaneous message exchange model both
parties can send a message in each round; in the rest of this thesis we assume the in each round
only one party can send a message.
We advance the state of the art in secure 2PC also in a relaxed setting. More precisely, in this
setting a malicious party that attacks the protocol to understand the secret input of the honest
party, is forced to follow the protocol description. Moreover, we consider the case in which the
parties want to compute in a secure way the Set-Membership functionality. Such a functionality
allows to check whether an element belongs to a set or not. The proposed protocol improves the
state of the art both in terms of performance and generality. In the second part of the thesis
we show the first 4-round concurrent non-malleable commitment under one-way functions. A
commitment scheme allows the sender to send an encrypted message, called commitment, in
such a way that the message inside the commitment cannot be opened until that an opening
information is provided by the sender. Moreover, there is a unique way in which the commitment
can be open. In this thesis we consider the case in which the sender sends the commitment (e.g.
trough a computer network) that can be eavesdropped by an adversary. In this setting the
adversary can catch the commitment C and modify it thus obtaining a new commitment C0
that contains a message related to the content of C. A non-malleable commitment scheme
prevents such attack, and our scheme can be proved secure even in the case that the adversary
can eavesdrop multiple commitments and in turn, compute and send multiple commitments.
The last part of the thesis concerns proof systems. Let us consider an NP-language, like
the language of graph Hamiltonicity. A proof system allows an entity called prover to prove
that a certain graph (instance) contains a Hamiltonian cycle (witness) to another entity called
verifier. A proof system can be easily instantiated in one round by letting the prover to send
the cycle to the verifier. What we actually want though, is a protocol in which the prover is able
to convince the verifier that a certain graph belongs to the language of graph Hamiltonicity, but
in such a way that no information about the cycle is leaked to the verifier. This kind of proof
systems are called Zero Knowledge. In this thesis we show a non-interactive Zero-Knowledge
proof system, under the assumption that both prover and verifier have access to some honestly
generated common reference string (CRS). The provided construction improves the state of the
art both in terms of efficiency and generality. We consider also the scenario in which prover
and verifier do not have access to some honestly generated information and study the notion of
Witness Indistinguishability. This notion considers instances that admit more than one witness,
e.g. graphs that admit two distinct Hamiltonian cycle (as for the notion of Zero Knowledge,
the notion of Witness Indistinguishability makes sense for all the languages in NP, but for
ease of exposition we keep focusing our attention of the language of graph Hamiltonicity). The
security notion of Witness-Indistinguishability ensures that a verifier, upon receiving a proof
from a prover, is not able to figure out which one of the two Hamiltonian cycles has been used
by the prover to compute the proof. Even though the notion of Witness Indistinguishability is
weaker than the notion of Zero Knowledge, Witness Indistinguishability is widely used in many
cryptographic applications. Moreover, given that a Witness-Indistinguishable protocol can be
constructed using just three rounds of communication compared to the four rounds required to
obtain Zero Knowledge (with black-box simulation), the use of Zero-Knowledge as a building
block to construct a protocol with an optimal number of rounds is sometimes prohibitive. Always
in order to provide a good building block to construct more complicated cryptographic protocols
with a nice round complexity, a useful property is the so called Delayed-Input property. This
property allows the prover to compute all but the last round of the protocol without knowing
the instance nor the witness. Also, the Delayed-Input property allows the verifier to interact
with the prover without knowing the instance at all (i.e. the verifier needs the instance just to
decide whether to accept or not the proof received by the prover). In this thesis we provide the
first efficient Delayed-Input Witness-Indistinguishable proof system that consists of just three
round of communication. [edited by author]XVI n.s
Delayed-Input and Non-Malleable Cryptographic Protocols
2016 - 2017A major goal in the design of cryptographic protocols is to re-
duce the number of communication rounds. Since a cryptographic
protocol usually consists of a composition and interplay of some
subprotocols and cryptographic primitives, the natural approach
to save rounds consists in playing all subprotocols in parallel. Un-
fortunately this approach often fails since a subprotocol in order
to start could require as input the output of another subprotocol.
In such cases the two subprotocols must be played sequentially
therefore penalizing the overall round complexity.
In this thesis we provide delayed-input cryptographic protocols
that can be played in parallel with other subprotocols even in the
above scenario where the output of a subprotocol is required as
input by the other subprotocol. We show the actual impact of
our delayed-input cryptographic protocols by improving the round
e ciency of various applications... [edited by Author]XXX cicl
The Cryptographic Strength of Tamper-Proof Hardware
Tamper-proof hardware has found its way into our everyday life in various forms, be it SIM cards, credit cards or passports. Usually, a cryptographic key is embedded in these hardware tokens that allows the execution of simple cryptographic operations, such as encryption or digital signing. The inherent security guarantees of tamper-proof hardware, however, allow more complex and diverse applications
Round Optimal Black-Box “Commit-and-Prove”
Motivatedbytheoreticalandpracticalconsiderations,anim- portant line of research is to design secure computation protocols that only make black-box use of cryptography. An important component in nearly all the black-box secure computation constructions is a black- box commit-and-prove protocol. A commit-and-prove protocol allows a prover to commit to a value and prove a statement about this value while guaranteeing that the committed value remains hidden. A black- box commit-and-prove protocol implements this functionality while only making black-box use of cryptography.
In this paper, we build several tools that enable constructions of round- optimal, black-box commit and prove protocols. In particular, assuming injective one-way functions, we design the first round-optimal, black- box commit-and-prove arguments of knowledge satisfying strong privacy against malicious verifiers, namely:
– Zero-knowledge in four rounds and,
– Witness indistinguishability in three rounds.
Prior to our work, the best known black-box protocols achieving commit- and-prove required more rounds.
We additionally ensure that our protocols can be used, if needed, in the delayed-input setting, where the statement to be proven is decided only towards the end of the interaction. We also observe simple applications of our protocols towards achieving black-box four-round constructions of extractable and equivocal commitments.
We believe that our protocols will provide a useful tool enabling several new constructions and easy round-efficient conversions from non-black- box to black-box protocols in the future
On the Power of Secure Two-Party Computation
Ishai, Kushilevitz, Ostrovsky and Sahai (STOC 2007, SIAM JoC 2009) introduced the powerful ``MPC-in-the-head\u27\u27 technique that provided a general transformation of information-theoretic MPC protocols secure against passive adversaries to a ZK proof in a ``black-box\u27\u27 way. In this work, we extend this technique and provide a generic transformation of any semi-honest secure two-party computation (2PC) protocol (with mild adaptive security guarantees) in the so called oblivious-transfer hybrid model to an adaptive ZK proof for any NP language, in a ``black-box\u27\u27 way assuming only one-way functions. Our basic construction based on Goldreich-Micali-Wigderson\u27s 2PC protocol yields an adaptive ZK proof with communication complexity proportional to quadratic in the size of the circuit implementing the NP relation. Previously such proofs relied on an expensive Karp reduction of the NP language to Graph Hamiltonicity (Lindell and Zarosim (TCC 2009, Journal of Cryptology 2011)).
As an application of our techniques, we show how to obtain a ZK proof with an ``input-delayed\u27\u27 property for any NP language without relying on expensive Karp reductions that is black-box in the underlying one-way function. Namely, the input delayed property allows the honest prover\u27s algorithm to receive the actual statement to be proved only in the final round. We further generalize this to obtain a ``commit and prove\u27\u27 protocol with the same property where the prover commits to a witness w in the second message and proves a statement x regarding the witness w in zero-knowledge where the statement is determined only in the last round. This improves a previous construction of Lapidot and Shamir (Crypto 1990) that was designed specifically for the Graph Hamiltonicity problem and relied on the underlying primitives in a non-black-box way.
Additionally, we provide a general transformation to construct a randomized encoding of a function f from any 2PC protocol that securely computes a related functionality (in a black-box way) from one-way functions. We show that if the 2PC protocol has mild adaptive security guarantees (which are satisfied by both the Yao\u27s and GMW\u27s protocol) then the resulting randomized encoding (RE) can be decomposed to an offline/online encoding
Sublinear Zero-Knowledge Arguments for RAM Programs
We describe a new succinct zero-knowledge argument protocol with the following properties. The prover commits to a large data-set , and can thereafter prove many statements of the form , where is a public function. The protocol is {\em succinct} in the sense that the cost for the verifier (in computation \& communication) does not depend on , not even in any initialization phase. In each proof, the computation/communication cost for {\em both} the prover and the verifier is proportional only to the running time of an oblivious RAM program implementing (in particular, this can be sublinear in ). The only costs that scale with are the computational costs of the prover in a one-time initial commitment to .
Known sublinear zero-knowledge proofs either require an initialization phase where the work of the verifier is proportional to and are therefore sublinear only in an amortized sense, or require that the computational cost for the prover is proportional to upon {\em each proof}.
Our protocol uses efficient crypto primitives in a black-box way and is UC-secure in the {\em global}, non-programmable random oracle, hence it does not rely on any trusted setup assumption
Minicrypt Primitives with Algebraic Structure and Applications
Algebraic structure lies at the heart of much of Cryptomania as we know it. An interesting question is the following: instead of building (Cryptomania) primitives from concrete assumptions, can we build them from simple Minicrypt primitives endowed with additional algebraic structure? In this work, we affirmatively answer this question by adding algebraic structure to the following Minicrypt primitives:
• One-Way Function (OWF)
• Weak Unpredictable Function (wUF)
• Weak Pseudorandom Function (wPRF)
The algebraic structure that we consider is group homomorphism over the input/output spaces of these primitives. We also consider a “bounded” notion of homomorphism where the primitive only supports an a priori bounded number of homomorphic operations in order to capture lattice-based and other “noisy” assumptions. We show that these structured primitives can be used to construct many cryptographic protocols. In particular, we prove that:
• (Bounded) Homomorphic OWFs (HOWFs) imply collision-resistant hash functions, Schnorr-style signatures, and chameleon hash functions.
• (Bounded) Input-Homomorphic weak UFs (IHwUFs) imply CPA-secure PKE, non-interactive key exchange, trapdoor functions, blind batch encryption (which implies anonymous IBE, KDM-secure and leakage-resilient PKE), CCA2 deterministic PKE, and hinting PRGs (which in turn imply transformation of CPA to CCA security for ABE/1-sided PE).
• (Bounded) Input-Homomorphic weak PRFs (IHwPRFs) imply PIR, lossy trapdoor functions, OT and MPC (in the plain model).
In addition, we show how to realize any CDH/DDH-based protocol with certain properties in a generic manner using IHwUFs/IHwPRFs, and how to instantiate such a protocol from many concrete assumptions. We also consider primitives with substantially richer structure, namely Ring IHwPRFs and L-composable IHwPRFs. In particular, we show the following:
• Ring IHwPRFs with certain properties imply FHE.
• 2-composable IHwPRFs imply (black-box) IBE, and -composable IHwPRFs imply non-interactive
-party key exchange.
Our framework allows us to categorize many cryptographic protocols based on which structured Minicrypt primitive implies them. In addition, it potentially makes showing the existence of many cryptosystems from novel assumptions substantially easier in the future
A New Approach to Black-Box Concurrent Secure Computation
We consider the task of constructing concurrently composable protocols for general secure computation by making only black-box use of underlying cryptographic primitives. Existing approaches for this task first construct a black-box version of CCA-secure commitments which provide a strong form of concurrent security to the committed value(s). This strong form of security is then crucially used to construct higher level protocols such as concurrently secure OT/coin-tossing (and eventually all functionalities).
This work explores a fresh approach. We first aim to construct a concurrently-secure OT protocol whose concurrent security is proven directly using concurrent simulation techniques; in particular, it does not rely on the usual ``non-polynomial oracles\u27\u27 of CCA-secure commitments. The notion of concurrent security we target is super-polynomial simulation (SPS). We show that such an OT protocol can be constructed from polynomial hardness assumptions in a black-box manner, and within a constant number of rounds. In fact, we only require the existence of (constant round) semi-honest OT and standard collision-resistant hash functions.
Next, we show that such an OT protocol is sufficient to obtain SPS-secure (concurrent) multiparty computation (MPC) for general functionalities. This transformation does not require any additional assumptions; it also maintains the black-box nature as well as the constant round feature of the original OT protocol.
Prior to our work, the only known black-box construction of constant-round concurrently composable MPC required stronger assumptions; namely, verifiable perfectly binding homomorphic commitment schemes and PKE with oblivious public-key generation