foundation of cryptography lecture 7 non interactive zk
play

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof - PowerPoint PPT Presentation

Mar 03, 2024 •263 likes •1.79k views

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 1 / 33 Part I

  1. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  2. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  3. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  4. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  5. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  6. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Soundness, completeness and ZK are naturally defined. We give a NIZK for HC , Directed Graph Hamiltonicity, in the HBM, and then transfer it into a NIZK for HC in the standard model. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  7. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Soundness, completeness and ZK are naturally defined. We give a NIZK for HC , Directed Graph Hamiltonicity, in the HBM, and then transfer it into a NIZK for HC in the standard model. The latter implies a NIZK for all NP . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  8. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  9. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  10. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ An n 3 × n 3 Boolean matrix is useful: if it contains an Hamiltonian generalized n × n sub-matrix, and all its other entries are zeros. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  11. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ An n 3 × n 3 Boolean matrix is useful: if it contains an Hamiltonian generalized n × n sub-matrix, and all its other entries are zeros. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  12. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ An n 3 × n 3 Boolean matrix is useful: if it contains an Hamiltonian generalized n × n sub-matrix, and all its other entries are zeros. Claim 3 Let T be a random n 3 × n 3 Boolean matrix where each entry is 1 w.p n − 5 . Then, Pr [ T is useful ] ∈ Ω( n − 3 / 2 ) . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  13. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  14. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  15. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Each row/colomn of T contain more than a single one entry with � n 3 · n − 10 < n − 4 . � probability at most 2 Hence, wp at least 1 − 2 · n 3 · n − 4 = 1 − O ( n − 1 ) , no raw or column of T contains more than a single one entry. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  16. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Each row/colomn of T contain more than a single one entry with � n 3 · n − 10 < n − 4 . � probability at most 2 Hence, wp at least 1 − 2 · n 3 · n − 4 = 1 − O ( n − 1 ) , no raw or column of T contains more than a single one entry. Hence, wp θ ( 1 / √ n ) the matrix T contains a permutation matrix and all its other entries are zero. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  17. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Each row/colomn of T contain more than a single one entry with � n 3 · n − 10 < n − 4 . � probability at most 2 Hence, wp at least 1 − 2 · n 3 · n − 4 = 1 − O ( n − 1 ) , no raw or column of T contains more than a single one entry. Hence, wp θ ( 1 / √ n ) the matrix T contains a permutation matrix and all its other entries are zero. A random permutation matrix forms a cycle wp 1 / n (there are n ! permutation matrices and ( n − 1 )! of them form a cycle) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  18. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  19. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  20. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Common reference string T viewed as a n 3 × n 3 Boolean matrix, where each entry is 1 w.p n − 5 (?) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  21. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Common reference string T viewed as a n 3 × n 3 Boolean matrix, where each entry is 1 w.p n − 5 (?) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  22. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Common reference string T viewed as a n 3 × n 3 Boolean matrix, where each entry is 1 w.p n − 5 (?) Algorithm 4 ( P ) Input: n -node graph G and a cycle C in G. CRS: T ∈ { 0 , 1 } n 3 × n 3 . If T not useful, set I = n 3 × n 3 (i.e., reveal all T ) and φ = ⊥ . 1 Otherwise, let H be the (generalized) n × n sub-matrix containing the 2 hamiltonian cycle in T . Set I = T \ H (i.e., reveal the bits of T outside of H ). 1 Choose φ ← Π n s.t. C is mapped to the cycle in H . 2 Add the entries in H corresponding to non edges in G (wrt. φ ) to I . 3 Output π = ( I , φ ) . 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  23. NIZK for Hamiltonicity in HBM cont. Algorithm 5 ( V ) Input: a graph G, index set I ⊆ [ n 3 ] × [ n 3 ] , ordered set { T i } i ∈I , a mapping φ . Accept if all the bits of T are revealed and T is not useful. Otherwise, Verify that ∃ n × n submatrix H ⊆ T with all entries in T \ H are zeros. 1 Verify that φ ∈ Π n , and that all entries of H not corresponding to edges of 2 G (according to φ ) are zeros. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 10 / 33

  24. NIZK for Hamiltonicity in HBM cont. Algorithm 5 ( V ) Input: a graph G, index set I ⊆ [ n 3 ] × [ n 3 ] , ordered set { T i } i ∈I , a mapping φ . Accept if all the bits of T are revealed and T is not useful. Otherwise, Verify that ∃ n × n submatrix H ⊆ T with all entries in T \ H are zeros. 1 Verify that φ ∈ Π n , and that all entries of H not corresponding to edges of 2 G (according to φ ) are zeros. Claim 6 The above protocol is a perfect NIZK for HC in the HBM, with perfect completeness and soundness error 1 − Ω( n − 3 / 2 ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 10 / 33

  25. Proving Claim 6 Completeness: Clear. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 11 / 33

  26. Proving Claim 6 Completeness: Clear. Soundness: Assume T is useful and V accepts. Then φ − 1 maps the unrevealed “edges" of H to the edges of G. Hence, φ − 1 maps the cycle in H to an Hamiltonian cycle in G. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 11 / 33

  27. Proving Claim 6 Completeness: Clear. Soundness: Assume T is useful and V accepts. Then φ − 1 maps the unrevealed “edges" of H to the edges of G. Hence, φ − 1 maps the cycle in H to an Hamiltonian cycle in G. Zero knowledge? Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 11 / 33

  28. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  29. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  30. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. For useful T , the location of H is uniform in the real and simulated case. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  31. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. For useful T , the location of H is uniform in the real and simulated case. φ is a random element in Π n in both (real and simulated) cases Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  32. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. For useful T , the location of H is uniform in the real and simulated case. φ is a random element in Π n in both (real and simulated) cases Hence, the simulation is perfect! Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  33. Section 2 From HBM to Standard NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 13 / 33

  34. Trapdoor permutations Definition 8 (trapdoor permutations) A triplet ( G , f , Inv ) , where G is a PPTM , and f and Inv are poly-time computable, is a family of trapdoor permutation (TDP), if: On input 1 n , G ( 1 n ) outputs a pair ( sk , pk ) . 1 f pk = f ( pk , · ) is a permutation over { 0 , 1 } n , for every n ∈ N and 2 pk ∈ Supp ( G ( 1 n ) 2 ) . Inv sk = Inv ( sk , · ) ≡ f − 1 pk for every ( sk , pk ) ∈ Supp ( G ( 1 n )) 3 For any PPTM A, 4 � � A ( pk , x ) = f − 1 Pr x ←{ 0 , 1 } n , pk ← G ( 1 n ) 2 pk ( x ) = neg ( n ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 14 / 33

  35. Hardcore Predicates for Trapdoor Permutations Definition 9 (hardcore predicates for TDP) A polynomial-time computable b : { 0 , 1 } n �→ { 0 , 1 } is a hardcore predicate of a TDP ( G , f , Inv ) , if pk ← G ( 1 n ) 2 , x ←{ 0 , 1 } n [ P ( pk , f pk ( x )) = b ( x )] ≤ 1 Pr 2 + neg ( n ) , for any PPTM P. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 15 / 33

  36. Hardcore Predicates for Trapdoor Permutations Definition 9 (hardcore predicates for TDP) A polynomial-time computable b : { 0 , 1 } n �→ { 0 , 1 } is a hardcore predicate of a TDP ( G , f , Inv ) , if pk ← G ( 1 n ) 2 , x ←{ 0 , 1 } n [ P ( pk , f pk ( x )) = b ( x )] ≤ 1 Pr 2 + neg ( n ) , for any PPTM P. Goldreich-Levin: any TDP has an hardcore predicate (ignoring padding issues) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 15 / 33

  37. Example, RSA In the following n ∈ N and all operations are modulo n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  38. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  39. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  40. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  41. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  42. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Definition 10 (RSA) G ( p , q ) sets pk = ( n = pq , e ) for some e ∈ Z ∗ φ ( n ) , and sk = ( n , d ≡ e − 1 mod φ ( n )) f ( pk , x ) = x e mod n Inv ( sk , x ) = x d mod n Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  43. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Definition 10 (RSA) G ( p , q ) sets pk = ( n = pq , e ) for some e ∈ Z ∗ φ ( n ) , and sk = ( n , d ≡ e − 1 mod φ ( n )) f ( pk , x ) = x e mod n Inv ( sk , x ) = x d mod n ⇒ RSA is easy. Factoring is easy = Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  44. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Definition 10 (RSA) G ( p , q ) sets pk = ( n = pq , e ) for some e ∈ Z ∗ φ ( n ) , and sk = ( n , d ≡ e − 1 mod φ ( n )) f ( pk , x ) = x e mod n Inv ( sk , x ) = x d mod n ⇒ RSA is easy. The other direction? Factoring is easy = Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  45. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  46. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  47. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  48. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 pk = PK ( sk ) 2 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  49. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 pk = PK ( sk ) 2 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  50. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 pk = PK ( sk ) 2 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. We construct a NIZK ( P , V ) for L , with the same completeness and “not too large" soundness error. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  51. The protocol Algorithm 11 ( P ) Input: x ∈ L , w ∈ R L ( x ) and CRS c = ( c 1 , . . . , c ℓ ) ∈ { 0 , 1 } n ℓ , where n = | x | and ℓ = ℓ ( n ) . Choose ( sk , pk ) ← G ( sk ) and compute 1 c H = ( b ( z 1 = f − 1 pk ( c 1 )) , . . . , b ( z ℓ ( n ) = f − 1 pk ( c ℓ ))) Let ( π H , I ) ← P H ( x , w , c H ) and output ( π H , I , pk , { z i } i ∈I ) 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 18 / 33

  52. The protocol Algorithm 11 ( P ) Input: x ∈ L , w ∈ R L ( x ) and CRS c = ( c 1 , . . . , c ℓ ) ∈ { 0 , 1 } n ℓ , where n = | x | and ℓ = ℓ ( n ) . Choose ( sk , pk ) ← G ( sk ) and compute 1 c H = ( b ( z 1 = f − 1 pk ( c 1 )) , . . . , b ( z ℓ ( n ) = f − 1 pk ( c ℓ ))) Let ( π H , I ) ← P H ( x , w , c H ) and output ( π H , I , pk , { z i } i ∈I ) 2 Algorithm 12 ( V ) Input: x ∈ L , CRS c = ( c 1 , . . . , c ℓ ) ∈ { 0 , 1 } np , and ( π H , I , pk , { z i } i ∈I ) , where n = | x | and ℓ = ℓ ( n ) . Verify that pk ∈ { 0 , 1 } n and that f pk ( z i ) = c i for every i ∈ I 1 Return V H ( x , π H , I , c H ) , where c H i = b ( z i ) for every i ∈ I . 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 18 / 33

  53. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  54. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  55. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  56. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Completeness: clear Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  57. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Completeness: clear Soundness: follows by a union bound over all possible choice of pk ∈ { 0 , 1 } n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  58. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Completeness: clear Soundness: follows by a union bound over all possible choice of pk ∈ { 0 , 1 } n . Zero knowledge:? Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  59. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  60. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  61. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Hence, distinguishing P ( x , w ( x )) from S ( x ) is hard Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  62. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Hence, distinguishing P ( x , w ( x )) from S ( x ) is hard Direct solution for our NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  63. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Hence, distinguishing P ( x , w ( x )) from S ( x ) is hard Direct solution for our NIZK An “adaptive" NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  64. Section 3 Adaptive NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 21 / 33

  65. Adaptive NIZK x is chosen after the CRS. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  66. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  67. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  68. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  69. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  70. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  71. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  72. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Output ( c , x , S 2 ( x , c , s )) 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  73. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Output ( c , x , S 2 ( x , c , s )) 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  74. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Output ( c , x , S 2 ( x , c , s )) 3 Why do we need s ? Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  75. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  76. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  77. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  78. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Theorem 15 Assume TDP exist, then every NP language has an adaptive NIZK with perfect completeness and negligible soundness error. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  79. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Theorem 15 Assume TDP exist, then every NP language has an adaptive NIZK with perfect completeness and negligible soundness error. In the following, when saying adaptive NIZK , we mean negligible completeness and soundness error. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  80. Section 4 Simulation-Sound NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 24 / 33

  81. Simulation soundness A NIZK system ( P , V ) for L has (one-time) simulation soundness, if ∃ a pair of PPTM ’s S = ( S 1 , S 2 ) that satisfies the ZK property of P with respect to L , and in addition Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 25 / 33

  82. Simulation soundness A NIZK system ( P , V ) for L has (one-time) simulation soundness, if ∃ a pair of PPTM ’s S = ( S 1 , S 2 ) that satisfies the ZK property of P with respect to L , and in addition [ x ′ / ∈ L ∧ V ( x ′ , π ′ , c ) = 1 ∧ ( x ′ , π ′ ) � = ( x , π )] = neg ( n ) Pr ( c , x ,π, x ′ ,π ′ ) ← Exp n V , S , P ∗ for any pair of PPTM ’s P ∗ = ( P ∗ 1 , P ∗ 2 ) . Experiment 16 ( Exp n V , S , P ∗ ) ( c , s ) ← S 1 ( 1 n ) 1 ( x , p ) ← P ∗ 1 ( 1 n , c ) 2 π ← S 2 ( x , c , s ) 3 ( x ′ , π ′ ) ← P ∗ 2 ( p , π ) 4 Output ( c , x , π, x ′ , π ′ ) 5 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 25 / 33

  83. Simulation soundness A NIZK system ( P , V ) for L has (one-time) simulation soundness, if ∃ a pair of PPTM ’s S = ( S 1 , S 2 ) that satisfies the ZK property of P with respect to L , and in addition [ x ′ / ∈ L ∧ V ( x ′ , π ′ , c ) = 1 ∧ ( x ′ , π ′ ) � = ( x , π )] = neg ( n ) Pr ( c , x ,π, x ′ ,π ′ ) ← Exp n V , S , P ∗ for any pair of PPTM ’s P ∗ = ( P ∗ 1 , P ∗ 2 ) . Experiment 16 ( Exp n V , S , P ∗ ) ( c , s ) ← S 1 ( 1 n ) 1 ( x , p ) ← P ∗ 1 ( 1 n , c ) 2 π ← S 2 ( x , c , s ) 3 ( x ′ , π ′ ) ← P ∗ 2 ( p , π ) 4 Output ( c , x , π, x ′ , π ′ ) 5 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 25 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 16 Today: Non-Interactive

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 16 Today: Non-Interactive

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 16 Today: Non-Interactive Zero-Knowledge (NIZK) In Two Days: An Application of NIZK NP Proofs For the NP-complete problem of graph 3-coloring Proof = Verifier V checks:

538 views • 37 slides
Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 CCA Security SIM-CCA Security (PKE) Recv Send PK/Enc SK/Dec Replay Filter Secure (and correct) if: s.t. output of is distributed

1.26k views • 101 slides
Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University

Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University

Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University Tel Aviv University. March 17, 2013 Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 1 / 39 Part I Message Authentication Codes

1.41k views • 113 slides
Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach Haitner, Tel Aviv University November 1, 2011 Administration Course Topics Part I Administration and Course Overview Administration Course Topics

714 views • 24 slides
Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Message Authentication Code (MAC) Constructions Signature Schemes OWFs = Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011 Message Authentication

1.25k views • 89 slides
Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel Aviv University Tel Aviv University. February 25, 2014 Iftach Haitner (TAU) Foundation of Cryptography February 25, 2014 1 / 26 Part I

1.38k views • 76 slides
Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function

Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function

The Information Theoretic Case The Computational Case Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function Iftach Haitner, Tel Aviv University November 22, 2011 The Information Theoretic Case The

1.03k views • 85 slides
Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Function Families PRF from OWF PRP from PRF Applications Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel Aviv University November 29, 2011 Function Families PRF from OWF PRP from PRF

1.17k views • 58 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and

478 views • 23 slides
Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy: Secret-Sharing Secrecy Secrecy Cryptography is all about controlling access to information Access to learning and/or influencing

2.01k views • 171 slides
Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv

Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv

Definitions Constructions Active Adversaries Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv University January 3 17, 2012 Definitions Constructions Active Adversaries Section 1

1.33k views • 112 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

# These slides should give an overview of the sofware architecture, and what its role is. # Why and when is sofware architecture important. # In other words: sofware architecture in a nutshell ! Overview of Sofware Architecture Sofware

207 views • 7 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Authorisation Developments in Grids (particularly EGEE) David Kelsey RAL/STFC,

Authorisation Developments in Grids (particularly EGEE) David Kelsey RAL/STFC,

Enabling Grids for E-sciencE Authorisation Developments in Grids (particularly EGEE) David Kelsey RAL/STFC, d.p.kelsey@rl.ac.uk TERENA NRENS &amp; Grids meeting, Dublin, 1st September 2008 www.eu-egee.org EGEE-III INFSO-RI-222667 EGEE and

701 views • 28 slides
Wine Development Updates, Performance and the D3D9 State Tracker Stefan Dsinger

Wine Development Updates, Performance and the D3D9 State Tracker Stefan Dsinger

Wine Development Updates, Performance and the D3D9 State Tracker Stefan Dsinger stefandoesinger@gmail.com Outline P r o g r e s s r e p o r t Why we think the d3d9 state tracker is a bad idea Wishlist / Interface ideas Wine

419 views • 38 slides
Simulation Engines TDA571|DIT030 Miscellaneous, input, collision detection ... Tommaso Piazza 1

Simulation Engines TDA571|DIT030 Miscellaneous, input, collision detection ... Tommaso Piazza 1

Simulation Engines TDA571|DIT030 Miscellaneous, input, collision detection ... Tommaso Piazza 1 Administrative stuff Tech Demo presentation A few slides presenting the overall concept 1-2 slides for each extension Screen shots

565 views • 45 slides
Localization and universality in non-Hermitian many-body systems Ryusuke Hamazaki R.H., K.

Localization and universality in non-Hermitian many-body systems Ryusuke Hamazaki R.H., K.

Localization and universality in non-Hermitian many-body systems Ryusuke Hamazaki R.H., K. Kawabata and M. Ueda. Phys. Rev. Lett. 123, 090603 (2019) R.H., K. Kawabata, N. Kura and M. Ueda. Phys. Rev. Research, to appear

464 views • 30 slides
1 ~Title~ ~Hello ~ Hello, my name is Paul Sztorc. I have been a Bitcoiner since 2012. And Ive

1 ~Title~ ~Hello ~ Hello, my name is Paul Sztorc. I have been a Bitcoiner since 2012. And Ive

1 ~Title~ ~Hello ~ Hello, my name is Paul Sztorc. I have been a Bitcoiner since 2012. And Ive published Bitcoin research, on my blog truthcoin.info since 2014. I presented at many Bitcoin conferences, especially the scaling conferences,

282 views • 10 slides
Theory and applications 1 Roadmap to Lecture 6 Part 3 1. The Reynolds stress model 2.

Theory and applications 1 Roadmap to Lecture 6 Part 3 1. The Reynolds stress model 2.

Turbulence and CFD models: Theory and applications 1 Roadmap to Lecture 6 Part 3 1. The Reynolds stress model 2. Budgets of turbulence kinetic energy, dissipation rate, and Reynolds stress 3. Transition models Review of the

619 views • 50 slides

More recommend