malleable proof systems and applications
play

Malleable Proof Systems and Applications Melissa Chase (MSR Redmond) - PowerPoint PPT Presentation

Jan 04, 2023 •140 likes •1.6k views

Malleable Proof Systems and Applications Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego) 1 Non-malleable cryptography Twenty years ago, saw a strong emphasis on

  1. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one 8

  2. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one σ , τ s , τ e 8

  3. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one σ , τ s , τ e σ , τ e 8

  4. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one σ , τ s , σ , τ e τ e 8

  5. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one Q σ , τ s , σ , τ e τ e 8

  6. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i Q σ , τ s , σ , τ e τ e 8

  7. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i π i Q σ , τ s , σ , τ e τ e 8

  8. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) π i Q σ , τ s , σ , τ e τ e 8

  9. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e 8

  10. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e A wins if the proof verifies and x ∉ Q but (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 8

  11. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e A wins if the proof verifies and x ∉ Q but (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) We call the proof CM-SSE (controlled malleable simulation sound extractable) if any PPT adversary A has at most negligible probability in winning this game 8

  12. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e A wins if the proof verifies and x ∉ Q but (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) We call the proof CM-SSE (controlled malleable simulation sound extractable) if any PPT adversary A has at most negligible probability in winning this game (like function privacy for encryption) If a proof is zero knowledge, CM-SSE, and strongly derivation private, then we call it a cm-NIZK 8

  13. Outline cm-NIZK construction Cryptographic background Definitions Malleable NIZK construction Generic construction Efficient instantiation Applications Conclusions 9

  14. How to construct cm-NIZKs 10

  15. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures 10

  16. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } 10

  17. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } 10

  18. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } Q τ s =sk 10

  19. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } x i Q τ s =sk 10

  20. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } x i π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  21. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } x i (x, π ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  22. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  23. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  24. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  25. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  26. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or w ≠ ⊥ but isn’t a valid witness T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  27. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) violates extractability x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or w ≠ ⊥ but isn’t a valid witness T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  28. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x ≠ T(x ′ ) T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  29. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) violates extractability x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x ≠ T(x ′ ) T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  30. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) T is not in T 10

  31. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) T is not in T violates extractability 10

  32. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  33. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) violates extractability 10

  34. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  35. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q x x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x violates extractability T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  36. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q x x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x violates extractability T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) violates unforgeability 10

  37. Instantiating this (relatively) efficiently 11

  38. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] 11

  39. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear 11

  40. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear The efficiency of our scheme hinges on the efficiency of the signature and the representation of the transformation (depends on the transformation) 11

  41. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear The efficiency of our scheme hinges on the efficiency of the signature and the representation of the transformation (depends on the transformation) For the class of transformations, need it to contain the identity (for simulation) and be closed under composition (for compactness): given proof for x = T 1 (x ′ ), size won’t increase for T 2 (x) = T 2° T 1 (x ′ ) 11

  42. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear The efficiency of our scheme hinges on the efficiency of the signature and the representation of the transformation (depends on the transformation) For the class of transformations, need it to contain the identity (for simulation) and be closed under composition (for compactness): given proof for x = T 1 (x ′ ), size won’t increase for T 2 (x) = T 2° T 1 (x ′ ) In the paper, we examine the many ways in which GS proofs are malleable 11

  43. Outline Cryptographic background Definitions cm-NIZK construction Applications Applications Conclusions Boosting encryption security Compactly verifiable shuffles 12

  44. CM-CCA security 13

  45. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) 13

  46. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) 13

  47. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Real KeyGen Enc(pk,m) Dec(sk,c) 13

  48. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real KeyGen SimKeyGen Enc(pk,m) Dec(sk,c) 13

  49. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real KeyGen SimKeyGen E(pk,m) c = SimEnc(pk, τ ) Enc(pk,m) add (m,c) to Q return c Q D(sk,c) (c ′ ,T) = SimExt(sk,c) Dec(sk,c) if ∃ i s.t. c ′ =c i ∈ Q and T ∈ T return T(m i ) else return Dec(sk,c) 13

  50. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real Which world? KeyGen SimKeyGen E(pk,m) c = SimEnc(pk, τ ) Enc(pk,m) add (m,c) to Q return c Q D(sk,c) (c ′ ,T) = SimExt(sk,c) Dec(sk,c) if ∃ i s.t. c ′ =c i ∈ Q and T ∈ T return T(m i ) else return Dec(sk,c) 13

  51. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real Which world? KeyGen SimKeyGen E(pk,m) c = SimEnc(pk, τ ) Enc(pk,m) add (m,c) to Q return c Q D(sk,c) (c ′ ,T) = SimExt(sk,c) Dec(sk,c) if ∃ i s.t. c ′ =c i ∈ Q and T ∈ T return T(m i ) else return Dec(sk,c) Give a generic construction for achieving CM-CCA-secure encryption: just define Enc(pk,m) = (c, π ), where c is IND-CPA-secure and π is a cm-NIZK 13

  52. A shuffle 14

  53. A shuffle c 1 c 2 c 3 c 4 c 5 Users encrypt their individual values to yield a public set of ciphertexts {c i } 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe Institute of Technology TCRC 89 "Invasive Computing" ATPS 2015 No faster CPUs, only more of them More cores means slower cores M. B. Taylor,

531 views • 25 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X , July 18, 2014 1/32 Outline Introduction Proof Systems Proof Search Proof Formats Proof Production Proof Consumption Applications Conclusions

574 views • 36 slides
CASTER ASSEMBLY SCALE 1 : 1 DRAWN 1/26/2010 swaters A A CHECKED TITLE QA CASTER ASSEMBLY

CASTER ASSEMBLY SCALE 1 : 1 DRAWN 1/26/2010 swaters A A CHECKED TITLE QA CASTER ASSEMBLY

4 3 2 1 PARTS LIST ITEM QTY PART NUMBER MATERIAL 1 1 TOP PLATE MALLEABLE IRON 2 2 AXLE SUPPORT MALLEABLE IRON 3 1 AXLE SAE 1020 4 2 BUSHING BRONZE 5 1 WHEEL MALLEABLE IRON B B CASTER ASSEMBLY SCALE 1 : 1 DRAWN

434 views • 7 slides
Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao

Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao

Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao Liu Yiannis Tselekounis Edin. & FAU CRYPTO 2018 Outline Introduction to non-malleable codes Adversarial model, motivation Results,

772 views • 55 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik Leibniz-Universitt Hannover, Germany joint work with Johannes Kbler and Sebastian Mller Olaf Beyersdorff Proof Systems that Take Advice Proof Systems

854 views • 69 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ Automated Reasoning and Satisfiability, September 24, 2019 Certificates What makes a problem hard? Certificate angle: can one efficiently check an

1.11k views • 107 slides
Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with

Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with

Introduction Graphical Definitions The R Operation Convergence Proof Equivalence to Counterterms Power Counting Applications Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with applications to lattice

557 views • 44 slides
CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2. Complete proof search with JProver Tactic-based proof search Sort rule applications by cost of induced proof search let simple prover = Repeat (

562 views • 9 slides
Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics

Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics

Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics of the AS CR, Prague Logic Colloquium 2007, Wrocaw p. 1 Propositional proof complexity Studies efficiency (absolute or relative) of proof

302 views • 18 slides
Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/51 Hard

300 views • 17 slides
A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

Introduction Proof System Applications Experiments A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte Helmert University of Basel, Switzerland ICAPS 2018 Introduction Proof System Applications

325 views • 21 slides
Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof

Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof

Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof Pietrzak 1st International Summer School on Security & Privacy for Blockchains and Distributed Ledger Technologies. September 5th 2019. Proof Systems

1.44k views • 142 slides
Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace

Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace

Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace Sam Buss U.C. San Diego Virtual Seminar Proof Society proofsociety.org October 7, 2020 includes joint work with Anupam Das and Alexander Knop

367 views • 25 slides
Estimating treatment effects from observational data using teffects, stteffects, and eteffects

Estimating treatment effects from observational data using teffects, stteffects, and eteffects

Estimating treatment effects from observational data using teffects, stteffects, and eteffects David M. Drukker Executive Director of Econometrics Stata UK Stata Users Group meeting London September 8 & 9, 2016 What do we want to

837 views • 65 slides
Linking Design to Analysis of Cluster Randomized Trials: Covariate Balancing Strategies Fan

Linking Design to Analysis of Cluster Randomized Trials: Covariate Balancing Strategies Fan

Linking Design to Analysis of Cluster Randomized Trials: Covariate Balancing Strategies Fan (Frank) Li PhD Candidate in Biostatistics Department of Biostatistics and Bioinformatics Duke Clinical Research Institute Duke University NIH

533 views • 40 slides
How Do Individuals Repay Their Debt? The Balance-Matching Heuristic John Gathergood, 1 Neale

How Do Individuals Repay Their Debt? The Balance-Matching Heuristic John Gathergood, 1 Neale

How Do Individuals Repay Their Debt? The Balance-Matching Heuristic John Gathergood, 1 Neale Mahoney, 2 Neil Stewart, 3 & Joerg Weber 1 1 University of Nottingham 2 University of Chicago and NBER 3 University of Warwick FDIC Consumer Research

588 views • 58 slides
Internal Load Balancing in 5 mins Deliver scalable and resilient internal-only services on GCP

Internal Load Balancing in 5 mins Deliver scalable and resilient internal-only services on GCP

Internal Load Balancing in 5 mins Deliver scalable and resilient internal-only services on GCP Google Cloud Load Balancing HTTP(S) Load SSL proxy Global Balancing Network TCP/UDP Internal TCP/UDP Regional Load Balancing Load Balancing

538 views • 18 slides
Balance of Electric and Diffusion Forces Ions flow into and out of the neuron under the forces of

Balance of Electric and Diffusion Forces Ions flow into and out of the neuron under the forces of

Balance of Electric and Diffusion Forces Ions flow into and out of the neuron under the forces of electricity and concentration gradients (diffusion). The net result is a electric potential difference between the inside and outside of the cell

492 views • 24 slides
GPUnet: networking abstractions for GPU programs Mark Silberstein Technion Israel Institute

GPUnet: networking abstractions for GPU programs Mark Silberstein Technion Israel Institute

GPUnet: networking abstractions for GPU programs Mark Silberstein Technion Israel Institute of Technology Sangman Kim, Seonggu Huh, Xinya Zhang Amir Wated Yige Hu, Emmett Witchel Technion University of Texas at Austin Mark Silberstein -

1.07k views • 45 slides
Magic Lessons: Designing and Balancing Game Objects K. Robert Gutschera Director of Development

Magic Lessons: Designing and Balancing Game Objects K. Robert Gutschera Director of Development

Magic Lessons: Designing and Balancing Game Objects K. Robert Gutschera Director of Development Wizards of the Coast robert.gutschera@wizards.com I. Introduction II. Computer vs. Paper III. Design vs. Development IV. Why We Cost V. How We

622 views • 19 slides
Distributed load balancing Real case example using open source on commodity hardware Pavlos

Distributed load balancing Real case example using open source on commodity hardware Pavlos

Distributed load balancing Real case example using open source on commodity hardware Pavlos Parissis | LinuxConf Berlin 2016 Pavlos Parissis Senior UNIX System Administrator Global Traffic Distribution pavlos.parissis@booking.com The

384 views • 20 slides

More recommend