634 research outputs found
Assumptions, Efficiency and Trust in Non-Interactive Zero-Knowledge Proofs
Vi lever i en digital verden. En betydelig del av livene våre skjer på nettet, og vi bruker internett for stadig flere formål og er avhengig av stadig mer avansert teknologi. Det er derfor viktig å beskytte seg mot ondsinnede aktører som kan forsøke å utnytte denne avhengigheten for egen vinning.
Kryptografi er en sentral del av svaret på hvordan man kan beskytte internettbrukere. Historisk sett har kryptografi hovedsakelig vært opptatt av konfidensiell kommunikasjon, altså at ingen kan lese private meldinger sendt mellom to personer. I de siste tiårene har kryptografi blitt mer opptatt av å lage protokoller som garanterer personvern selv om man kan gjennomføre komplekse handlinger.
Et viktig kryptografisk verktøy for å sikre at disse protokollene faktisk følges er kunnskapsløse bevis. Et kunnskapsløst bevis er en prosess hvor to parter, en bevisfører og en attestant, utveksler meldinger for å overbevise attestanten om at bevisføreren fulgte protokollen riktig (hvis dette faktisk er tilfelle) uten å avsløre privat informasjon til attestanten.
For de fleste anvendelser er det ønskelig å lage et ikke-interaktivt kunnskapsløst bevis (IIK-bevis), der bevisføreren kun sender én melding til attestanten. IIK-bevis har en rekke ulike bruksområder, som gjør de til attraktive studieobjekter. Et IIK-bevis har en rekke ulike egenskaper og forbedring av noen av disse fremmer vår kollektive kryptografiske kunnskap.
I den første artikkelen i denne avhandlingen konstruerer vi et nytt ikke-interaktivt kunnskapsløst bevis for språk basert på algebraiske mengder. Denne artikkelen er basert på arbeid av Couteau og Hartmann (Crypto 2020), som viste hvordan man omformer et bestemt interaktivt kunnskapsløst bevis til et IIK-bevis. Vi følger deres tilnærming, men vi bruker et annet interaktivt kunnskapsløst bevis. Dette fører til en forbedring sammenlignet med arbeidet deres på flere områder, spesielt når det gjelder både formodninger og effektivitet.
I den andre artikkelen i denne avhandlingen studerer vi egenskapene til ikke-interaktive kunnskapsløse bevis som er motstandsdyktige mot undergraving. Det er umulig å lage et IIK-bevis uten å stole på en felles referansestreng (FRS) generert av en pålitelig tredjepart. Men det finnes eksempler på IIK-bevis der ingen lærer noe privat informasjon fra beviset selv om den felles referansestrengen ble skapt på en uredelig måte. I denne artikkelen lager vi en ny kryptografisk primitiv (verifiserbart-uttrekkbare enveisfunksjoner) og viser hvordan denne primitiven er relatert til IIK-bevis med den ovennevnte egenskapen.We live in a digital world. A significant part of our lives happens online, and we use the internet for incredibly many different purposes and we rely on increasingly advanced technology. It therefore is important to protect against malicious actors who may try to exploit this reliance for their own gain.
Cryptography is a key part of the answer to protecting internet users. Historically, cryptography has mainly been focused on maintaining the confidentiality of communication, ensuring that no one can read private messages sent between people. In recent decades, cryptography has become concerned with creating protocols which guarantee privacy even as they support more complex actions.
A crucial cryptographic tool to ensure that these protocols are indeed followed is the zero-knowledge proof. A zero-knowledge proof is a process where two parties, a prover and a verifier, exchange messages to convince the verifier that the prover followed the protocol correctly (if indeed the prover did so) without revealing any private information to the verifier.
It is often desirable to create a non-interactive zero-knowledge proof (NIZK), where the prover only sends one message to the verifier. NIZKs have found a number of different applications, which makes them an attractive object of study. A NIZK has a variety of different properties, and improving any of these aspects advances our collective cryptographic knowledge.
In the first paper in this thesis, we construct a new non-interactive zero-knowledge proof for languages based on algebraic sets. This paper is based on work by Couteau and Hartmann (Crypto 2020), which showed how to convert a particular interactive zero-knowledge proof to a NIZK. We follow their approach, but we start with a different interactive zero-knowledge proof. This leads to an improvement compared to their work in several ways, in particular in terms of both assumptions and efficiency.
In the second paper in this thesis, we study the property of subversion zero-knowledge in non-interactive zero-knowledge proofs. It is impossible to create a NIZK without relying on a common reference string (CRS) generated by a trusted party. However, a NIZK with the subversion zero-knowledge property guarantees that no one learns any private information from the proof even if the CRS was generated dishonestly. In this paper, we create a new cryptographic primitive (verifiably-extractable one-way functions) and show how this primitive relates to NIZKs with subversion zero-knowledge.Doktorgradsavhandlin
Oblivious Transfer from Trapdoor Permutations in Minimal Rounds
Oblivious transfer (OT) is a foundational primitive within cryptography owing to its connection with secure computation. One of the oldest constructions of oblivious transfer was from certified trapdoor permutations (TDPs). However several decades later, we do not know if a similar construction can be obtained from TDPs in general.
In this work, we study the problem of constructing round optimal oblivious transfer from trapdoor permutations. In particular, we obtain the following new results (in the plain model) relying on TDPs in a black-box manner:
1) Three-round oblivious transfer protocol that guarantees indistinguishability-security against malicious senders (and semi-honest receivers).
2) Four-round oblivious transfer protocol secure against malicious adversaries with black-box simulation-based security.
By combining our second result with an already known compiler we obtain the first round-optimal 2-party computation protocol that relies in a black-box way on TDPs. A key technical tool underlying our results is a new primitive we call dual witness encryption (DWE) that may be of independent interest
Recommended from our members
Honest Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge
We show how to transform any interactive proof system which is statistical zero-knowledge with respect to the honest-verifier, into a proof system which is statistical zero-knowledge with respect to any verifier. This is done by limiting the behavior of potentially cheating verifiers, without using computational assumptions or even referring to the complexity of such verifier strategies. (Previous transformations have either relied on computational assumptions or were applicable only to constant-round public-coin proof systems.)
Our transformation also applies to public-coin (aka Arthur-Merlin) computational zero-knowledge proofs: We transform any Arthur-Merlin proof system which is computational zero-knowledge with respect to the honest-verifier, into an Arthur-Merlin proof system which is computational zero-knowledge with respect to any probabilistic polynomial-time verifier.
A crucial ingredient in our analysis is a new lemma regarding 2-universal hashing functions.Engineering and Applied Science
Unitary Complexity and the Uhlmann Transformation Problem
State transformation problems such as compressing quantum information or
breaking quantum commitments are fundamental quantum tasks. However, their
computational difficulty cannot easily be characterized using traditional
complexity theory, which focuses on tasks with classical inputs and outputs.
To study the complexity of such state transformation tasks, we introduce a
framework for unitary synthesis problems, including notions of reductions and
unitary complexity classes. We use this framework to study the complexity of
transforming one entangled state into another via local operations. We
formalize this as the Uhlmann Transformation Problem, an algorithmic version of
Uhlmann's theorem. Then, we prove structural results relating the complexity of
the Uhlmann Transformation Problem, polynomial space quantum computation, and
zero knowledge protocols.
The Uhlmann Transformation Problem allows us to characterize the complexity
of a variety of tasks in quantum information processing, including decoding
noisy quantum channels, breaking falsifiable quantum cryptographic assumptions,
implementing optimal prover strategies in quantum interactive proofs, and
decoding the Hawking radiation of black holes. Our framework for unitary
complexity thus provides new avenues for studying the computational complexity
of many natural quantum information processing tasks.Comment: 126 pages, comments welcom
Round and computational efficiency of two-party protocols
2016 - 2017A cryptographic protocol is defined by the behaviour of the involved parties and the messages
that those parties send to each other. Beside the functionality and the security that a cryptographic
protocol provides, it is also important that the protocol is efficient. In this thesis
we focus on the efficiency parameters of a cryptographic protocol related to the computational
and round complexity. That is, we are interested in the computational cost that the parties
involved in the protocol have to pay and how many interactions between the parties are required
to securely implement the functionality which we are interested in. Another important aspect
of a cryptographic protocol is related to the computational assumptions required to prove that
the protocol is secure. The aim of this thesis is to improve the state of the art with respect to
some cryptographic functionalities where two parties are involved, by providing new techniques
to construct more efficient cryptographic protocols whose security can be proven by relying on
better cryptographic assumptions.
The thesis is divided in three parts. In the first part we consider Secure Two-Party Computation
(2PC), a cryptographic technique that allows to compute a functionality in a secure
way. More precisely, there are two parties, Alice and Bob, willing to compute the output of a
function f given x and y as input. The values x and y represent the inputs of Alice and Bob
respectively. Moreover, each party wants to keep the input secret while allowing the other party
to correctly compute f(x, y). As a first result, we show the first secure 2PC protocol with black
box simulation, secure under standard and generic assumption, with optimal round complexity
in the simultaneous message exchange model. In the simultaneous message exchange model both
parties can send a message in each round; in the rest of this thesis we assume the in each round
only one party can send a message.
We advance the state of the art in secure 2PC also in a relaxed setting. More precisely, in this
setting a malicious party that attacks the protocol to understand the secret input of the honest
party, is forced to follow the protocol description. Moreover, we consider the case in which the
parties want to compute in a secure way the Set-Membership functionality. Such a functionality
allows to check whether an element belongs to a set or not. The proposed protocol improves the
state of the art both in terms of performance and generality. In the second part of the thesis
we show the first 4-round concurrent non-malleable commitment under one-way functions. A
commitment scheme allows the sender to send an encrypted message, called commitment, in
such a way that the message inside the commitment cannot be opened until that an opening
information is provided by the sender. Moreover, there is a unique way in which the commitment
can be open. In this thesis we consider the case in which the sender sends the commitment (e.g.
trough a computer network) that can be eavesdropped by an adversary. In this setting the
adversary can catch the commitment C and modify it thus obtaining a new commitment C0
that contains a message related to the content of C. A non-malleable commitment scheme
prevents such attack, and our scheme can be proved secure even in the case that the adversary
can eavesdrop multiple commitments and in turn, compute and send multiple commitments.
The last part of the thesis concerns proof systems. Let us consider an NP-language, like
the language of graph Hamiltonicity. A proof system allows an entity called prover to prove
that a certain graph (instance) contains a Hamiltonian cycle (witness) to another entity called
verifier. A proof system can be easily instantiated in one round by letting the prover to send
the cycle to the verifier. What we actually want though, is a protocol in which the prover is able
to convince the verifier that a certain graph belongs to the language of graph Hamiltonicity, but
in such a way that no information about the cycle is leaked to the verifier. This kind of proof
systems are called Zero Knowledge. In this thesis we show a non-interactive Zero-Knowledge
proof system, under the assumption that both prover and verifier have access to some honestly
generated common reference string (CRS). The provided construction improves the state of the
art both in terms of efficiency and generality. We consider also the scenario in which prover
and verifier do not have access to some honestly generated information and study the notion of
Witness Indistinguishability. This notion considers instances that admit more than one witness,
e.g. graphs that admit two distinct Hamiltonian cycle (as for the notion of Zero Knowledge,
the notion of Witness Indistinguishability makes sense for all the languages in NP, but for
ease of exposition we keep focusing our attention of the language of graph Hamiltonicity). The
security notion of Witness-Indistinguishability ensures that a verifier, upon receiving a proof
from a prover, is not able to figure out which one of the two Hamiltonian cycles has been used
by the prover to compute the proof. Even though the notion of Witness Indistinguishability is
weaker than the notion of Zero Knowledge, Witness Indistinguishability is widely used in many
cryptographic applications. Moreover, given that a Witness-Indistinguishable protocol can be
constructed using just three rounds of communication compared to the four rounds required to
obtain Zero Knowledge (with black-box simulation), the use of Zero-Knowledge as a building
block to construct a protocol with an optimal number of rounds is sometimes prohibitive. Always
in order to provide a good building block to construct more complicated cryptographic protocols
with a nice round complexity, a useful property is the so called Delayed-Input property. This
property allows the prover to compute all but the last round of the protocol without knowing
the instance nor the witness. Also, the Delayed-Input property allows the verifier to interact
with the prover without knowing the instance at all (i.e. the verifier needs the instance just to
decide whether to accept or not the proof received by the prover). In this thesis we provide the
first efficient Delayed-Input Witness-Indistinguishable proof system that consists of just three
round of communication. [edited by author]XVI n.s
A Black-Box Approach to Post-Quantum Zero-Knowledge in Constant Rounds
In a recent seminal work, Bitansky and Shmueli (STOC \u2720) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks.
However, their construction has several drawbacks compared to the classical counterparts.
Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation.
In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called -zero-knowledge.
Concretely, we construct the following protocols:
- We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box -zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions.
Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC \u2796) though the proof of -zero-knowledge property against quantum adversaries requires novel ideas.
- We construct a constant round interactive argument for NP that satisfies computational soundness and black-box -zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions.
At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier\u27s internal state in an appropriate sense
Deep R Programming
Deep R Programming is a comprehensive course on one of the most popular
languages in data science (statistical computing, graphics, machine learning,
data wrangling and analytics). It introduces the base language in-depth and is
aimed at ambitious students, practitioners, and researchers who would like to
become independent users of this powerful environment. This textbook is a
non-profit project. Its online and PDF versions are freely available at
. This early draft is distributed in the hope
that it will be useful.Comment: Draft: v0.2.1 (2023-04-27
Non-Uniformly Sound Certificates with Applications to Concurrent Zero-Knowledge
We introduce the notion of non-uniformly sound certificates: succinct single-message (unidirectional) argument systems that satisfy a ``best-possible security\u27\u27 against non-uniform polynomial-time attackers. In particular, no polynomial-time attacker with s bits of non-uniform advice can find significantly more than s accepting proofs for false statements. Our first result is a construction of non-uniformly sound certificates for all NP in the random oracle model, where the attacker\u27s advice can depend arbitrarily on the random oracle.
We next show that the existence of non-uniformly sound certificates for P (and collision resistant hash functions) yields a public-coin constant-round fully concurrent zero-knowledge argument for NP
Secure computation under network and physical attacks
2011 - 2012This thesis proposes several protocols for achieving secure com-
putation under concurrent and physical attacks. Secure computation
allows many parties to compute a joint function of their inputs, while
keeping the privacy of their input preserved. It is required that the pri-
vacy one party's input is preserved even if other parties participating
in the protocol collude or deviate from the protocol.
In this thesis we focus on concurrent and physical attacks, where
adversarial parties try to break the privacy of honest parties by ex-
ploiting the network connection or physical weaknesses of the honest
parties' machine.
In the rst part of the thesis we discuss how to construct proto-
cols that are Universally Composable (UC for short) based on physical
setup assumptions. We explore the use of Physically Uncloneable Func-
tions (PUFs) as setup assumption for achieving UC-secure computa-
tions. PUF are physical noisy source of randomness. The use of PUFs
in the UC-framework has been proposed already in [14]. However, this
work assumes that all PUFs in the system are trusted. This means
that, each party has to trust the PUFs generated by the other parties.
In this thesis we focus on reducing the trust involved in the use of such
PUFs and we introduce the Malicious PUFs model in which only PUFs
generated by honest parties are assumed to be trusted. Thus the secu-
rity of each party relies on its own PUF only and holds regardless of the
goodness of the PUFs generated/used by the adversary. We are able to
show that, under this more realistic assumption, one can achieve UC-
secure computation, under computational assumptions. Moreover, we
show how to achieve unconditional UC-secure commitments with (ma-
licious) PUFs and with stateless tamper-proof hardware tokens. We
discuss our contribution on this matter in Part I. These results are
contained in papers [80] and [28].
In the second part of the thesis we focus on the concurrent setting,
and we investigate on protocols achieving round optimality and black-
box access to a cryptographic primitive. We study two fundamental
functionalities: commitment scheme and zero knowledge, and we focus
on some of the round-optimal constructions and lower bounds con-
cerning both functionalities. We nd that such constructions present
subtle issues. Hence, we provide new protocols that actually achieve
the security guarantee promised by previous results.
Concerning physical attacks, we consider adversaries able to re-
set the machine of the honest party. In a reset attack a machine is
forced to run a protocol several times using the same randomness. In
this thesis we provide the rst construction of a witness indistinguish-
able argument system that is simultaneous resettable and argument of
knowledge. We discuss about this contribution in Part III, which is the
content of the paper. [edited by author]XI n.s
One-Way Functions and (Im)perfect Obfuscation
A program obfuscator takes a program and outputs an scrambled version of it, where the goal is that the obfuscated program will not reveal much about its structure beyond what is apparent from executing it. There are several ways of formalizing this goal. Specifically, in indistinguishability obfuscation, first defined by Barak et al. (CRYPTO 2001), the requirement is that the results of obfuscating any two functionally equivalent programs (circuits) will be computationally indistinguishable. Recently, a fascinating candidate construction for indistinguishability obfuscation was proposed by Garg et al. (FOCS 2013). This has led to a flurry of discovery of intriguing constructions of primitives and protocols whose existence was not previously known (for instance, fully deniable encryption by Sahai and Waters, STOC 2014). Most of them explicitly rely on additional hardness assumptions, such as one-way functions.
Our goal is to get rid of this extra assumption. We cannot argue that indistinguishability obfuscation of all polynomial-time circuits implies the existence of one-way functions, since if , then program obfuscation (under the indistinguishability notion) is possible. Instead, the ultimate goal is to argue that if and program obfuscation is possible, then one-way functions exist.
Our main result is that if and there is an efficient (even imperfect) indistinguishability obfuscator, then there are one-way functions. In addition, we show that the existence of an indistinguishability obfuscator implies (unconditionally) the existence of SZK-arguments for . This, in turn, provides an alternative version of our main result, based on the assumption of hard-on-the average problems. To get some of our results we need obfuscators for simple programs such as 3CNF formulas
- …