Classical Cryptographic Protocols in a Quantum World
Cryptographic protocols, such as protocols for secure function evaluation
(SFE), have played a crucial role in the development of modern cryptography.
The extensive theory of these protocols, however, deals almost exclusively with
classical attackers. If we accept that quantum information processing is the
most realistic model of physically feasible computation, then we must ask: what
classical protocols remain secure against quantum attackers?
Our main contribution is showing the existence of classical two-party
protocols for the secure evaluation of any polynomial-time function under
reasonable computational assumptions (for example, it suffices that the
learning with errors problem be hard for quantum polynomial time). Our result
shows that the basic two-party feasibility picture from classical cryptography
remains unchanged in a quantum world.
Comment: Full version of an old paper in Crypto'11. Invited to IJQI. This is the
authors' copy with different formatting.
Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease
In this work, we provide the first lattice-based group signature that offers
full dynamicity (i.e., users have the flexibility in joining and leaving the
group), and thus, resolve a prominent open problem posed by previous works.
Moreover, we achieve this non-trivial feat in a relatively simple manner.
Starting with Libert et al.'s fully static construction (Eurocrypt 2016),
which is arguably the most efficient lattice-based group signature to date, we
introduce simple-but-insightful tweaks that allow us to upgrade it directly into
the fully dynamic setting. Somewhat surprisingly, our scheme even produces slightly
shorter signatures than the former, thanks to an adaptation of a technique
proposed by Ling et al. (PKC 2013) that allows proving inequalities in
zero-knowledge without relying on any inequality check. The scheme satisfies the strong
security requirements of Bootle et al.'s model (ACNS 2016), under the Short
Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.
Furthermore, we demonstrate how to equip the obtained group signature scheme
with the deniability functionality in a simple way. This attractive
functionality, put forward by Ishida et al. (CANS 2016), enables the tracing
authority to provide evidence that a given user is not the owner of a
signature in question. In the process, we design a zero-knowledge protocol for
proving that a given LWE ciphertext does not decrypt to a particular message.
Efficient Non-Interactive Zero-Knowledge Protocols in the Common Reference String Model
The electronic version of the dissertation does not contain the publications.
In the current digital era, we can do increasingly astonishing activities remotely using only our electronic devices.
Using mobile applications such as WhatsApp, we can contact someone with the guarantee, using an end-to-end encryption protocol, that only the recipient can know the conversation's contents.
Most banking systems enable us to pay our bills and perform other financial transactions, and use the TLS protocol to guarantee that no one can read or modify the transaction data.
Some countries provide an option to vote electronically in an election (e.g. Estonia) or referendum (e.g. Switzerland) with similar privacy guarantees to traditional paper voting.
In all these activities, a cryptographic protocol is required to ensure users' privacy.
In reality, some parties participating in a protocol might not act according to what was agreed in the protocol specification.
Hence, for a real world protocol to be secure, we also need each party to prove that it behaves honestly, but without sacrificing privacy of its inputs.
This can be done using a zero-knowledge argument: a proof by a polynomial-time prover that gives nothing else away besides its correctness.
In many cases, we want a zero-knowledge argument to be non-interactive and transferable, so that it is computed only once, but can be verified by many verifiers at any future time.
There are two main models that enable transferable non-interactive zero-knowledge (NIZK) arguments: the random oracle (RO) model and the common reference string (CRS) model.
Protocols in the RO model are very efficient, but due to some of its limitations, we prefer working in the CRS model.
In this work we provide three scenarios where NIZK arguments are relevant: verifiable computation, authorization, and electronic voting.
In each scenario, we propose NIZK arguments in the CRS model that are more efficient than existing ones, and are comparable in efficiency to the best known NIZK arguments in the RO model.
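The RO-model route the abstract contrasts with the CRS model is, concretely, the Fiat-Shamir transform: the verifier's random challenge is replaced by a hash of the transcript, so the proof is computed once and any number of verifiers can check it later. The following is an added example, not code from the dissertation: a Schnorr proof of knowledge of a discrete logarithm made non-interactive this way, with the verifier's subgroup and range checks, plus the well-known "weak Fiat-Shamir" pitfall (hashing only the commitment and not the statement), which lets anyone produce an accepting proof for a public key whose secret they do not know. The group is a constructed safe-prime group of about 64 bits, found deterministically at import time; that size is for readability and test speed only and is far too small for real use.

```python
"""Non-interactive Schnorr proof (Fiat-Shamir, random-oracle model).
Added example, not code from the dissertation on the page.  The group
is a constructed ~64-bit safe-prime group: toy-sized, not for deployment."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int = 2**63):
    """Return (p, q, g): p = 2q + 1 prime, g = 4 generates the order-q subgroup.
    Deterministic search from `start` (constructed toy parameters)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def _int_bytes(v: int) -> bytes:
    return v.to_bytes((v.bit_length() + 7) // 8, "big") + b"|"


def strong_challenge(group, y, t) -> int:
    """Strong Fiat-Shamir: challenge binds the statement (group, y) and commitment t."""
    p, q, g = group
    h = hashlib.sha256(b"schnorr-fs|" + _int_bytes(p) + _int_bytes(g) + _int_bytes(y) + _int_bytes(t))
    return int.from_bytes(h.digest(), "big") % q


def weak_challenge(group, y, t) -> int:
    """Weak Fiat-Shamir: hashes only the commitment t.  Shown as the pitfall; do not use."""
    q = group[1]
    return int.from_bytes(hashlib.sha256(_int_bytes(t)).digest(), "big") % q


def prove(group, x, challenge=strong_challenge):
    """Prover knows x with y = g^x.  Returns (y, (t, s)); the proof is transferable."""
    p, q, g = group
    y = pow(g, x, p)
    r = secrets.randbelow(q)          # fresh nonce per proof; reuse leaks x
    t = pow(g, r, p)
    c = challenge(group, y, t)
    s = (r + c * x) % q
    return y, (t, s)


def verify(group, y, proof, challenge=strong_challenge) -> bool:
    p, q, g = group
    t, s = proof
    # subgroup and range checks on untrusted values before the main equation
    if not (1 < y < p and pow(y, q, p) == 1):
        return False
    if not (1 <= t < p and pow(t, q, p) == 1):
        return False
    if not 0 <= s < q:
        return False
    c = challenge(group, y, t)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def forge_under_weak_fs(group):
    """With weak FS the challenge ignores y, so pick (t, s) first and solve
    y = (g^s * t^-1)^(c^-1 mod q): an accepting proof for a y whose
    discrete log the forger never learns.  Returns (y, (t, s))."""
    p, q, g = group
    while True:
        t = pow(g, secrets.randbelow(q), p)
        s = secrets.randbelow(q)
        c = weak_challenge(group, None, t)
        if c != 0:
            break
    y = pow(pow(g, s, p) * pow(t, -1, p) % p, pow(c, -1, q), p)
    return y, (t, s)
```

The forged proof passes `verify(..., challenge=weak_challenge)` and fails the strong verifier, because the strong challenge commits to `y`. The same binding is what makes such proofs safe to transfer and reuse in the voting and authorization settings the abstract mentions.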
LNCS
We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zero-knowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements fro
Concurrent Knowledge-Extraction in the Public-Key Model
Knowledge extraction is a fundamental notion, modelling machine possession of
values (witnesses) in a computational complexity sense. The notion provides an
essential tool for cryptographic protocol design and analysis, enabling one to
argue about the internal state of protocol players without ever looking at this
supposedly secret state. However, when transactions are concurrent (e.g., over
the Internet) with players possessing public-keys (as is common in
cryptography), assuring that entities ``know'' what they claim to know, where
adversaries may be well coordinated across different transactions, turns out to
be much more subtle and in need of re-examination. Here, we investigate how to
formally treat knowledge possession by parties (with registered public-keys)
interacting over the Internet. Stated more technically, we look into the
relative power of the notion of ``concurrent knowledge-extraction'' (CKE) in
the concurrent zero-knowledge (CZK) bare public-key (BPK) model.
Comment: 38 pages, 4 figures.
07421 Abstracts Collection -- Formal Protocol Verification Applied
From 14/10/2007 to 19/10/2007, the Dagstuhl Seminar 07421 ``Formal Protocol Verification Applied'' was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl.
During the seminar, several participants presented their current
research, and ongoing work and open problems were discussed. Abstracts of
the presentations given during the seminar as well as abstracts of
seminar results and ideas are put together in this paper. The first section
describes the seminar topics and goals in general.
Links to extended abstracts or full papers are provided, if available.
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption
Group encryption (GE) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), GE is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interaction in the proving phase) under the Learning-With-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which requires proving quadratic statements about LWE relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of $X \in \mathbb{Z}_q^{m \times n}$, $s \in \mathbb{Z}_q^n$ and a small-norm $e \in \mathbb{Z}^m$ which underlie a public vector $b = X \cdot s + e \in \mathbb{Z}_q^m$, while simultaneously proving that the matrix $X \in \mathbb{Z}_q^{m \times n}$ has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting.
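The statement the argument above proves in zero-knowledge is, stripped of the certification part, the LWE relation $b = X \cdot s + e \bmod q$ with $\|e\|_\infty$ bounded. The following added example (not code from the paper; the zero-knowledge argument itself is not implemented) spells out that relation as the witness check a verifier with the secret values would perform, and shows why the norm bound is the substantive part: for any guessed $s$ one can always set $e = b - Xs$, so without a bound the linear equation alone is trivially satisfiable. Parameters `N, M, Q, BETA` are constructed toy values chosen for readability.

```python
"""Witness check for the LWE relation b = X*s + e (mod q), ||e||_inf <= beta.
Added example, not code from the group-encryption paper; toy parameters."""
import secrets

N, M, Q, BETA = 4, 8, 3329, 3   # constructed toy parameters, not from the paper


def centered(v: int, q: int) -> int:
    """Representative of v mod q in (-q/2, q/2], so abs() gives the usual norm."""
    v %= q
    return v - q if v > q // 2 else v


def mat_vec(X, s, q):
    """X*s mod q for X an m x n list of rows and s a length-n list."""
    return [sum(x_ij * s_j for x_ij, s_j in zip(row, s)) % q for row in X]


def sample_lwe(n=N, m=M, q=Q, beta=BETA):
    """Uniform X in Z_q^{m x n} and s in Z_q^n, error e uniform in [-beta, beta]^m."""
    X = [[secrets.randbelow(q) for _ in range(n)] for _ in range(m)]
    s = [secrets.randbelow(q) for _ in range(n)]
    e = [secrets.randbelow(2 * beta + 1) - beta for _ in range(m)]
    b = [(xs + ei) % q for xs, ei in zip(mat_vec(X, s, q), e)]
    return X, s, e, b


def linear_part_holds(X, s, e, b, q=Q) -> bool:
    """b == X*s + e (mod q), ignoring the size of e."""
    return all((xs + ei - bi) % q == 0 for xs, ei, bi in zip(mat_vec(X, s, q), e, b))


def is_valid_witness(X, s, e, b, q=Q, beta=BETA) -> bool:
    """The full relation a prover must know a witness for: linear part AND ||e||_inf <= beta."""
    if not linear_part_holds(X, s, e, b, q):
        return False
    return max(abs(centered(ei, q)) for ei in e) <= beta


def residual_error(X, b, s_guess, q=Q):
    """e = b - X*s_guess (centered).  Makes the linear part hold for ANY s_guess;
    for a wrong guess it is large, which is what the norm bound rejects."""
    return [centered(bi - xs, q) for bi, xs in zip(b, mat_vec(X, s_guess, q))]
```

With `Q = 3329` and `BETA = 3`, the residual for a wrong `s_guess` has every coordinate within the bound only with probability about `(7/3329)**M`, so `is_valid_witness` rejects it; the real proof system must enforce exactly this bound in zero-knowledge rather than the linear equation alone.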