Efficient asynchronous accumulators for distributed PKI

Cryptographic accumulators are a tool for compact set representation and secure set membership proofs. When an element is added to a set by means of an accumulator, a membership witness is generated. This witness can later be used to prove the membership of the element. Typically, the membership witness has to be synchronized with the accumulator value, and to be updated every time another element is added to the accumulator. In this work we propose an accumulator that, unlike any prior scheme, does not require strict synchronization. In our construction a membership witness needs to be updated only a logarithmic number of times in the number of subsequent element additions. Thus, an out-of-date witness can be easily made current. Vice versa, a verifier with an out-of-date accumulator value can still verify a current membership witness. These properties make our accumulator construction uniquely suited for use in distributed applications, such as blockchain-based public key infrastructures

An Overview of Cryptographic Accumulators

This paper is a primer on cryptographic accumulators and how to apply them practically. A cryptographic accumulator is a space- and time-efficient data structure used for set-membership tests. Since it is possible to represent any computational problem where the answer is yes or no as a set-membership problem, cryptographic accumulators are invaluable data structures in computer science and engineering. But, to the best of our knowledge, there is neither a concise survey comparing and contrasting various types of accumulators nor a guide for how to apply the most appropriate one for a given application. Therefore, we address that gap by describing cryptographic accumulators while presenting their fundamental and so-called optional properties. We discuss the effects of each property on the given accumulator's performance in terms of space and time complexity, as well as communication overhead.Comment: Note: This is an extended version of a paper published In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 661-66

Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions

International audienceWe formalize a cryptographic primitive called functional commitment (FC) which can be viewed as a generalization of vector commitments (VCs), polynomial commitments and many other special kinds of commitment schemes. A non-interactive functional commitment allows committing to a message in such a way that the committer has the flexibility of only revealing a function F (M) of the committed message during the opening phase. We provide constructions for the functionality of linear functions, where messages consist of a vectors of n elements over some domain D (e.g., m = (m_1,. .. , m_n) ∈ D_n) and commitments can later be opened to a specific linear function of the vector coordinates. An opening for a function F : D_n → R thus generates a witness for the fact that F (m) indeed evaluates to y ∈ R. One security requirement is called function binding and requires that no adversary be able to open a commitment to two different evaluations y, y for the same function F. We propose a construction of functional commitment for linear functions based on constant-size assumptions in composite order groups endowed with a bilinear map. The construction has commitments and openings of constant size (i.e., independent of n or function description) and is perfectly hiding – the underlying message is information theoretically hidden. Our security proofs builds on the Déjà Q framework of Chase and Meiklejohn (Eurocrypt 2014) and its extension by Wee (TCC 2016) to encryption primitives, thus relying on constant-size subgroup decisional assumptions. We show that the FC for linear functions are sufficiently powerful to solve four open problems. They, first, imply polynomial commitments, and, then, give cryptographic accumulators (i.e., an algebraic hash function which makes it possible to efficiently prove that some input belongs to a hashed set). In particular, specializing our FC construction leads to the first pairing-based polynomial commitments and accumulators for large universes known to achieve security under simple assumptions. We also substantially extend our pairing-based accumulator to handle subset queries which requires a non-trivial extension of the Déjà Q framework

Improved Extension Protocols for Byzantine Broadcast and Agreement

Byzantine broadcast (BB) and Byzantine agreement (BA) are two most fundamental problems and essential building blocks in distributed computing, and improving their efficiency is of interest to both theoreticians and practitioners. In this paper, we study extension protocols of BB and BA, i.e., protocols that solve BB/BA with long inputs of l bits using lower costs than l single-bit instances. We present new protocols with improved communication complexity in almost all settings: authenticated BA/BB with t < n/2, authenticated BB with t < (1-?)n, unauthenticated BA/BB with t < n/3, and asynchronous reliable broadcast and BA with t < n/3. The new protocols are advantageous and significant in several aspects. First, they achieve the best-possible communication complexity of ?(nl) for wider ranges of input sizes compared to prior results. Second, the authenticated extension protocols achieve optimal communication complexity given the current best available BB/BA protocols for short messages. Third, to the best of our knowledge, our asynchronous and authenticated protocols in the setting are the first extension protocols in that setting

Certificate Transparency with Enhancements and Short Proofs

Browsers can detect malicious websites that are provisioned with forged or fake TLS/SSL certificates. However, they are not so good at detecting malicious websites if they are provisioned with mistakenly issued certificates or certificates that have been issued by a compromised certificate authority. Google proposed certificate transparency which is an open framework to monitor and audit certificates in real time. Thereafter, a few other certificate transparency schemes have been proposed which can even handle revocation. All currently known constructions use Merkle hash trees and have proof size logarithmic in the number of certificates/domain owners. We present a new certificate transparency scheme with short (constant size) proofs. Our construction makes use of dynamic bilinear-map accumulators. The scheme has many desirable properties like efficient revocation, low verification cost and update costs comparable to the existing schemes. We provide proofs of security and evaluate the performance of our scheme.Comment: A preliminary version of the paper was published in ACISP 201

Certificate Transparency with Enhancements and Short Proofs

Browsers can detect malicious websites that are provisioned with forged or fake TLS/SSL certificates. However, they are not so good at detecting malicious websites if they are provisioned with mistakenly issued certificates or certificates that have been issued by a compromised certificate authority. Google proposed certificate transparency which is an open framework to monitor and audit certificates in real time. Thereafter, a few other certificate transparency schemes have been proposed which can even handle revocation. All currently known constructions use Merkle hash trees and have proof size logarithmic in the number of certificates/domain owners. We present a new certificate transparency scheme with short (constant size) proofs. Our construction makes use of dynamic bilinear-map accumulators. The scheme has many desirable properties like efficient revocation, low verification cost and update costs comparable to the existing schemes. We provide proofs of security and evaluate the performance of our scheme.Comment: A preliminary version of the paper was published in ACISP 201

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives

In this paper we address the construction of privacy-friendly cryptographic primitives for the post-quantum era and in particular accumulators with zero-knowledge membership proofs and ring signatures. This is an important topic as it helps to protect the privacy of users in online authentication or emerging technologies such as cryptocurrencies. Recently, we have seen first such constructions, mostly based on assumptions related to codes and lattices. We, however, ask whether it is possible to construct such primitives without relying on structured hardness assumptions, but solely based on symmetric-key primitives such as hash functions or block ciphers. This is interesting because the resistance of latter primitives to quantum attacks is quite well understood. In doing so, we choose a modular approach and firstly construct an accumulator (with one-way domain) that allows to efficiently prove knowledge of (a pre-image of) an accumulated value in zero-knowledge. We, thereby, take care that our construction can be instantiated solely from symmetric-key primitives and that our proofs are of sublinear size. Latter is non trivial to achieve in the symmetric setting due to the absence of algebraic structures which are typically used in other settings to make these efficiency gains. Regarding efficient instantiations of our proof system, we rely on recent results for constructing efficient non-interactive zero-knowledge proofs for general circuits. Based on this building block, we then show how to construct logarithmic size ring signatures solely from symmetric-key primitives. As constructing more advanced primitives only from symmetric-key primitives is a very recent field, we discuss some interesting open problems and future research directions. Finally, we want to stress that our work also indirectly impacts other fields: for the first time it raises the requirement for collision resistant hash functions with particularly low AND count

On a New, Efficient Framework for Falsifiable Non-interactive Zero-Knowledge Arguments

Et kunnskapsløst bevis er en protokoll mellom en bevisfører og en attestant. Bevisføreren har som mål å overbevise attestanten om at visse utsagn er korrekte, som besittelse av kortnummeret til et gyldig kredittkort, uten å avsløre noen private opplysninger, som for eksempel kortnummeret selv. I mange anvendelser er det ønskelig å bruke IIK-bevis (Ikke-interaktive kunnskapsløse bevis), der bevisføreren produserer kun en enkelt melding som kan bekreftes av mange attestanter. En ulempe er at sikre IIK-bevis for ikke-trivielle språk kun kan eksistere ved tilstedeværelsen av en pålitelig tredjepart som beregner en felles referansestreng som blir gjort tilgjengelig for både bevisføreren og attestanten. Når ingen slik part eksisterer liter man av og til på ikke-interaktiv vitne-uskillbarhet, en svakere form for personvern. Studiet av effektive og sikre IIK-bevis er en kritisk del av kryptografi som har blomstret opp i det siste grunnet anvendelser i blokkjeder. I den første artikkelen konstruerer vi et nytt IIK-bevis for språkene som består av alle felles nullpunkter for en endelig mengde polynomer over en endelig kropp. Vi demonstrerer nytteverdien av beviset ved flerfoldige eksempler på anvendelser. Særlig verdt å merke seg er at det er mulig å gå nesten automatisk fra en beskrivelse av et språk på et høyt nivå til definisjonen av IIK-beviset, som minsker behovet for dedikert kryptografisk ekspertise. I den andre artikkelen konstruerer vi et IIV-bevis ved å bruke en ny kompilator. Vi utforsker begrepet Kunnskapslydighet (et sterkere sikkerhetsbegrep enn lydighet) for noen konstruksjoner av IIK-bevis. I den tredje artikkelen utvider vi arbeidet fra den første artikkelen ved å konstruere et nytt IIK-bevis for mengde-medlemskap som lar oss bevise at et element ligger, eller ikke ligger, i den gitte mengden. Flere nye konstruksjoner har bedre effektivitet sammenlignet med allerede kjente konstruksjoner.A zero-knowledge proof is a protocol between a prover, and a verifier. The prover aims to convince the verifier of the truth of some statement, such as possessing credentials for a valid credit card, without revealing any private information, such as the credentials themselves. In many applications, it is desirable to use NIZKs (Non-Interactive Zero Knowledge) proofs, where the prover sends outputs only a single message that can be verified by many verifiers. As a drawback, secure NIZKs for non-trivial languages can only exist in the presence of a trusted third party that computes a common reference string and makes it available to both the prover and verifier. When no such party exists, one sometimes relies on non interactive witness indistinguishability (NIWI), a weaker notion of privacy. The study of efficient and secure NIZKs is a crucial part of cryptography that has been thriving recently due to blockchain applications. In the first paper, we construct a new NIZK for the language of common zeros of a finite set of polynomials over a finite field. We demonstrate its usefulness by giving a large number of example applications. Notably, it is possible to go from a high-level language description to the definition of the NIZK almost automatically, lessening the need for dedicated cryptographic expertise. In the second paper, we construct a NIWI using a new compiler. We explore the notion of Knowledge Soundness (a security notion stronger than soundness) of some NIZK constructions. In the third paper, we extended the first paper’s work by constructing a new set (non-)membership NIZK that allows us to prove that an element belongs or does not belong to the given set. Many new constructions have better efficiency compared to already-known constructions.Doktorgradsavhandlin