Extending Oblivious Transfer Efficiently, or - How to get active security with constant cryptographic overhead

On top of the passively secure extension protocol of [IKNP03] we build a new construction secure against active adversaries. We can replace the invocation of the hash function that is used to check the receiver is well-behaved with the XOR of bit strings. This is possible by applying a cut-and-choose technique on the length of the bit strings that the receiver sends in the reversed OT. We also improve on the number of seeds required for the extension, both asymptotically and practically. Moreover, the protocol used to test receiver\u27s behaviour enjoys unconditional security

sVote with control components voting protocol: computational proof of complete verifiability and privacy

This document details the cryptographic analysis of the sVote v2.2.1 system - an e-voting solution developed by Scytl for the Switzerland context. We prove the complete verifiability and privacy under the Swiss legislation's informally stated goals. First, we derive the trust model for complete verifiability and voting secrecy from the Swiss Chancellery's requirements, supporting our interpretation by quotes from and references to relevant excerpts of the ordinance and the corresponding technical annex. Then, based on the derived model, we prove that sVote with Control Components provides complete verifiability and guarantees voting secrecy and the non-disclosure of early provisional results. We demonstrate that sVote fulfills the requirements of the Swiss federal chancellery for completely verifiable E-voting systems. In other words, we show that an adversary cannot break the complete verifiability and voting secrecy properties of sVote without being detected by either the voter or auditors.sVote with Control components is a cryptographic voting protocol that provides complete verifiability and guarantees voting secrecy and the non-disclosure of early provisional results. This report demonstrates that sVote fulfills the requirements of the Swiss federal chancellery for completely verifiable E-voting systems. We extract precise requirements from the ordinance and the corresponding technical annex and model the sVote cryptographic voting protocol based on its design documents. Based on this model, we show in a detailed security analysis that an adversary cannot break the complete verifiability and voting secrecy properties of sVote without being detected by either the voter or by auditorsThis work has received funding from the European Commission under the auspices of PROMETHEUS Project, Horizon 2020 Innovation Action (Grant Agreement No. 780701).Preprin

sVote with Control Components Voting Protocol. Computational Proof of Complete Verifiability and Privacy.

This document details the cryptographic analysis of the sVote v2.2.1 system - an e-voting solution developed by Scytl for the Switzerland context. We prove the complete verifiability and privacy under the Swiss legislation\u27s informally stated goals. First, we derive the trust model for complete verifiability and voting secrecy from the Swiss Chancellery\u27s requirements [1][2], supporting our interpretation by quotes from and references to relevant excerpts of the ordinance and the corresponding technical annex. Then, based on the derived model, we prove that sVote with Control Components provides complete verifiability and guarantees voting secrecy and the non-disclosure of early provisional results. We demonstrate that sVote fulfills the requirements of the Swiss federal chancellery for completely verifiable E-voting systems. In other words, we show that an adversary cannot break the complete verifiability and voting secrecy properties of sVote without being detected by either the voter or auditors. [1] Technical and administrative requirements for electronic vote casting v 2.0 https://www.bk.admin.ch/dam/bk/en/dokumente/pore/Annex_of_the_Federal_Chancellery_Ordinance_on_Electronic_Voting_V2.0_July_2018.pdf.download.pdf/Annex_of_the_Federal_Chancellery_Ordinance_on_Electronic_Voting_V2.0_July_2018.pdf [2] Federal Chancellery Ordinance on Electronic Voting https://www.fedlex.admin.ch/eli/cc/2013/859/e

Publicly Verifiable Auctions with Privacy

Online auctions have a steadily growing market size, creating billions of US dollars in sales value every year. To ensure fairness and auditability while preserving the bidder\u27s privacy is the main challenge of an auction scheme. At the same time, utility driven blockchain technology is picking up the pace, offering transparency and data integrity to many applications. In this paper, we present a blockchain-based first price sealed-bid auction scheme. Our scheme offers privacy and public verifiability. It can be built on any public blockchain, which is leveraged to provide transparency, data integrity, and hence auditability. The inability to double spend on a blockchain is used to prevent bid replay attacks. Moreover, our scheme can achieve non-repudiation for both bidders and the auctioneer without revealing the bids and we encapsulate this concept inside the public verification of the auction. We propose to use ElGamal encryption and Bulletproofs to construct an efficient instantiation of our scheme. We also propose to use recursive zkSNARKs to reduce the number of comparison proofs from $N-1$ to $1$, where $N$ is the number of bidders

NFT Trades in Bitcoin with Off-chain Receipts

Abstract. Non-fungible tokens (NFTs) are digital representations of assets stored on a blockchain. It allows content creators to certify authenticity of their digital assets and transfer ownership in a transparent and decentralized way. Popular choices of NFT marketplaces infrastructure include blockchains with smart contract functionality or layer-2 solutions. Surprisingly, researchers have largely avoided building NFT schemes over Bitcoin-like blockchains, most likely due to high transaction fees in the BTC network and the belief that Bitcoin lacks enough programmability to implement fair exchanges. In this work we fill this gap. We propose an NFT scheme where trades are settled in a single Bitcoin transaction as opposed to executing complex smart contracts. We use zero-knowledge proofs (concretely, recursive SNARKs) to prove that two Bitcoin transactions, the issuance transaction $tx_0$ and the current trade transaction $tx_n$, are linked through a unique chain of transactions. Indeed, these proofs function as “off-chain receipts” of ownership that can be transferred from the current owner to the new owner using an insecure channel. The size of the proof receipt is short, independent of the total current number of trades $n$, and can be updated incrementally by anyone at anytime. Marketplaces typically require some degree of token ownership delegation, e.g., escrow accounts, to execute the trade between sellers and buyers that are not online concurrently, and to alleviate transaction fees they resort to off-chain trades. This raises concerns on the transparency and purportedly honest behaviour of marketplaces. We achieve fair and non-custodial trades by leveraging our off-chain receipts and letting the involved parties carefully sign the trade transaction with appropriate combinations of sighash flags

Graded Encoding Schemes from Obfuscation

International audienceWe construct a graded encoding scheme (GES), an approximate form of graded multilinear maps. Our construction relies on indistinguishability obfuscation, and a pairing-friendly group in which (a suitable variant of) the strong Diffie-Hellman assumption holds. As a result of this abstract approach, our GES has a number of advantages over previous constructions. Most importantly: • We can prove that the multilinear decisional Diffie-Hellman (MDDH) assumption holds in our setting, assuming the used ingredients are secure (in a well-defined and standard sense). Hence, our GES does not succumb to so-called "zeroizing" attacks if the underlying ingredients are secure. • Encodings in our GES do not carry any noise. Thus, unlike previous GES constructions, there is no upper bound on the number of operations one can perform with our encodings. Hence, our GES essentially realizes what Garg et al. (EUROCRYPT 2013) call the "dream version" of a GES. Technically, our scheme extends a previous, non-graded approximate multilinear map scheme due to Albrecht et al. (TCC 2016-A). To introduce a graded structure, we develop a new view of encodings at different levels as polynomials of different degrees

Multilinear Maps from Obfuscation

International audienceWe provide constructions of multilinear groups equipped with natural hard problems from in-distinguishability obfuscation, homomorphic encryption, and NIZKs. This complements known results on the constructions of indistinguishability obfuscators from multilinear maps in the reverse direction. We provide two distinct, but closely related constructions and show that multilinear analogues of the DDH assumption hold for them. Our first construction is symmetric and comes with a κ-linear map e : G κ −→ G T for prime-order groups G and G T. To establish the hardness of the κ-linear DDH problem, we rely on the existence of a base group for which the (κ − 1)-strong DDH assumption holds. Our second construction is for the asymmetric setting, where e : G 1 × · · · × G κ −→ G T for a collection of κ + 1 prime-order groups G i and G T , and relies only on the standard DDH assumption in its base group. In both constructions the linearity κ can be set to any arbitrary but a priori fixed polynomial value in the security parameter. We rely on a number of powerful tools in our constructions: (probabilistic) indistinguishability obfuscation, dual-mode NIZK proof systems (with perfect soundness, witness indistinguishability and zero knowledge), and additively homomorphic encryption for the group Z + N. At a high level, we enable " bootstrapping " multilinear assumptions from their simpler counterparts in standard cryptographic groups, and show the equivalence of IO and multilinear maps under the existence of the aforementioned primitives

Notes On GGH13 Without The Presence Of Ideals

We investigate the merits of altering the Garg, Gentry and Halevi (GGH13) graded encoding scheme to remove the presence of the ideal $\langle g \rangle$. In particular, we show that we can alter the form of encodings so that effectively a new $g_i$ is used for each source group $\mathbb{G}_i$, while retaining correctness. This would appear to prevent all known attacks on indistinguishability obfuscation (IO) candidates instantiated using GGH13. However, when analysing security in simplified branching program and obfuscation security models, we present branching program (and thus IO) distinguishing attacks that do not use knowledge of $\langle g \rangle$. This result opens a counterpoint with the work of Halevi (EPRINT 2015) which stated that the core computational hardness problem underpinning GGH13 is computing a basis of this ideal. Our attempts seem to suggest that there is a structural vulnerability in the way that GGH13 encodings are constructed that lies deeper than the presence of $\langle g \rangle$

Multilinear Maps from Obfuscation

We provide constructions of multilinear groups equipped with natural hard problems from indistinguishability obfuscation, homomorphic encryption, and NIZKs. This complements known results on the constructions of indistinguishability obfuscators from multilinear maps in the reverse direction. We provide two distinct, but closely related constructions and show that multilinear analogues of the DDH assumption hold for them. Our first construction is symmetric and comes with a κ-linear map e : Gκ −→ GT for prime-order groups G and GT . To establish the hardness of the κ-linear DDH problem, we rely on the existence of a base group for which the κ-strong DDH assumption holds. Our second construction is for the asymmetric setting, where e : G1×· · ·×Gκ −→ GT for a collection of κ+1 prime-order groups G and GT , and relies only on the 1-strong DDH assumption in its base group. In both constructions, the linearity κ can be set to any arbitrary but a priori fixed polynomial value in the security parameter. We rely on a number of powerful tools in our constructions: probabilistic indistinguishability obfuscation, dual-mode NIZK proof systems (with perfect soundness, witness-indistinguishability, and zero knowledge), and additively homomorphic encryption for the group Z+N. At a high level, we enable “bootstrapping” multilinear assumptions from their simpler counterparts in standard cryptographic groups and show the equivalence of PIO and multilinear maps under the existence of the aforementioned primitives

How (not) to achieve both coercion resistance and cast as intended verifiability in remote eVoting

The version of record is available online at:10.1007/978-3-030-92548-2_25We consider the problem of achieving, at the same time, cast-as-intended verifiability and coercion resistance, in remote electronic voting systems where there are no secure channels through which voters can receive secret information/credentials before the voting phase. We discuss why some simple solutions fail to achieve the two desired notions and we propose (a bit) more involved solutions that are satisfactory. Part of the discussion is closely related to the gap “full versus honest-verifier” when defining the zero-knowledge property of cryptographic zero-knowledge systems.Peer ReviewedPostprint (author's final draft