noninteractive zero knowledge for np from learning with
play

Noninteractive Zero Knowledge for NP from Learning With Errors - PowerPoint PPT Presentation

Feb 18, 2023 •314 likes •1.21k views

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+ 1 May 2019 1 / 15 Zero Knowledge [GoldwasserMicaliRackoff85] Zero-knowledge (interactive) proof for language L : allows a prover P to

  1. Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+ 1 May 2019 1 / 15

  2. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. 2 / 15

  3. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] 2 / 15

  4. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) 2 / 15

  5. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) 2 / 15

  6. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 2 / 15

  7. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 / 15

  8. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 Sound: if G 0 �≡ G 1 , cheating P ∗ convinces V with prob ≤ 1 / 2 . 2 / 15

  9. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 Sound: if G 0 �≡ G 1 , cheating P ∗ convinces V with prob ≤ 1 / 2 . Soundness error can be reduced exponentially by (parallel) repetition. 2 / 15

  10. Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 Sound: if G 0 �≡ G 1 , cheating P ∗ convinces V with prob ≤ 1 / 2 . Soundness error can be reduced exponentially by (parallel) repetition. 3 Zero Knowledge: can simulate (honest) V ’s view when G 0 ≡ G 1 . 2 / 15

  11. Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. 3 / 15

  12. Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . 3 / 15

  13. Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) 3 / 15

  14. Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) 3 / 15

  15. Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) b ← { 0 , 1 } 3 / 15

  16. Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) b ← { 0 , 1 } b = 0 : open all h i,j , ρ check H = ρ ( G ) 3 / 15

  17. Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) b ← { 0 , 1 } b = 0 : open all h i,j , ρ check H = ρ ( G ) b = 1 : open h i,j check cycle for ( i, j ) ∈ ρ ( C ) 3 / 15

  18. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) V ( x ) π acc/rej 4 / 15

  19. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) V ( x ) π acc/rej ◮ In ‘plain’ model, NIZK = BPP (trivial). 4 / 15

  20. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: 4 / 15

  21. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] 4 / 15

  22. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] Apps: signatures, CCA-secure encryption, cryptocurrencies, . . . 4 / 15

  23. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] Apps: signatures, CCA-secure encryption, cryptocurrencies, . . . ◮ Open [PV’08] : a ‘post-quantum’ foundation like lattices/LWE [Regev’05] 4 / 15

  24. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] Apps: signatures, CCA-secure encryption, cryptocurrencies, . . . ◮ Open [PV’08] : a ‘post-quantum’ foundation like lattices/LWE [Regev’05] Our Main Theorem ◮ NP ⊆ NIZK assuming LWE/worst-case lattice problems are hard. 4 / 15

  25. Fiat-Shamir Heuristic [FiatShamir’86] ◮ A way to remove interaction from a public-coin protocol, via hashing: 5 / 15

  26. Fiat-Shamir Heuristic [FiatShamir’86] ◮ A way to remove interaction from a public-coin protocol, via hashing: P V α β ← { 0 , 1 } m γ 5 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay October 15, 2019 1 / 24 zkSNARKs Arguments ZK proofs

435 views • 24 slides
Academia: no learning without knowledge, no knowledge without learning TRPC6, NEP Van den Berg,

Academia: no learning without knowledge, no knowledge without learning TRPC6, NEP Van den Berg,

Academia: no learning without knowledge, no knowledge without learning TRPC6, NEP Van den Berg, Weening et al., 2004 Pathology of Idiopathic Membranous Glomerulopathy Subepithelial electron dense deposits Injury of epithelial cells

303 views • 11 slides
Active Learning Passive Learning Active Learning 1. Think 1. Acquisition of knowledge Ability

Active Learning Passive Learning Active Learning 1. Think 1. Acquisition of knowledge Ability

Active Learning Passive Learning Active Learning 1. Think 1. Acquisition of knowledge Ability 2. Decision making 2. Application of knowledge 3. Explain/communicate 1. Deep learning Approach to Uni-directional 2. Interactive Learning

282 views • 5 slides
Discovering, Visualizing and Sharing Knowledge through Personalized Learning Knowledge Maps The

Discovering, Visualizing and Sharing Knowledge through Personalized Learning Knowledge Maps The

Discovering, Visualizing and Sharing Knowledge through Personalized Learning Knowledge Maps The AWAKE Project personal knowledge structure (user A) A m E ?? y map grid semantische ? C d achsen o netz awarenes cs kuns s multi-

234 views • 21 slides
Global Knowledge Management Process Integration of Business, Learning, and Knowledge Processes

Global Knowledge Management Process Integration of Business, Learning, and Knowledge Processes

Global Knowledge Management Process Integration of Business, Learning, and Knowledge Processes Jan M. Pawlowski Autumn 2013 The Challenge Going one step further: Re-Design of Knowledge, Learning and Business Processes -> fostering

855 views • 43 slides
ence The Expeditionary Learning Public Knowledge Public Knowledge E X 1+1= P 1+1=2 E R

ence The Expeditionary Learning Public Knowledge Public Knowledge E X 1+1= P 1+1=2 E R

Expeditionary Learning Exper h c of r i A ence The Expeditionary Learning Public Knowledge Public Knowledge E X 1+1= P 1+1=2 E R I E N C E Personal Knowledge Personal Knowledge Expedition as Educational Experience

318 views • 18 slides
The logic of learning: The logic of learning: logic and knowledge representation logic and

The logic of learning: The logic of learning: logic and knowledge representation logic and

The logic of learning: The logic of learning: logic and knowledge representation logic and knowledge representation in machine learning in machine learning Peter A. Flach Department of Computer Science University of Bristol

771 views • 59 slides
The standard for personalized learning We focus on the how in learning We want to help

The standard for personalized learning We focus on the how in learning We want to help

The standard for personalized learning We focus on the how in learning We want to help learners study more efficiently so they can reap measureable knowledge gains.* We provide insights into learner diligence, knowledge and agility that

451 views • 16 slides
26:198:722 Expert Systems I Knowledge representation I Knowledge acquisition I Machine learning I

26:198:722 Expert Systems I Knowledge representation I Knowledge acquisition I Machine learning I

26:198:722 Expert Systems I Knowledge representation I Knowledge acquisition I Machine learning I ID3 & C4.5 Knowledge Representation Recall: I Knowledge engineering F Knowledge acquisition N Knowledge elicitation F Knowledge representation N

668 views • 62 slides
Accelerating Innovation through Knowledge & Learning Transferring a Knowledge Management

Accelerating Innovation through Knowledge & Learning Transferring a Knowledge Management

Accelerating Innovation through Knowledge & Learning Transferring a Knowledge Management proof of concept model from the for-Profit sector to the not-for-Profit sector and driving multi- stakeholder cross- sector knowledge sharing

253 views • 23 slides
Where are we? Knowledge Engineering Semester 2, 2004-05 Last time . . . Michael Rovatsos

Where are we? Knowledge Engineering Semester 2, 2004-05 Last time . . . Michael Rovatsos

Knowledge Representation & Learning Knowledge Representation & Learning Current Best Hypothesis Search Current Best Hypothesis Search Version Space Learning Version Space Learning Summary Summary Where are we? Knowledge Engineering

673 views • 5 slides
10d Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10d Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10d Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A Framework for 10.6 Unsupervised Learning Symbol-based Learning 10.7 Reinforcement Learning 10.2 Version Space Search 10.8 Epilogue and 10.3 The

1.05k views • 29 slides
10b Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10b Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10b Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A Framework for 10.6 Unsupervised Learning Symbol-based Learning 10.7 Reinforcement Learning 10.2 Version Space Search 10.8 Epilogue and 10.3 The

866 views • 50 slides
10a Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10a Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10a Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A Framework for 10.6 Unsupervised Learning Symbol-based Learning 10.7 Reinforcement Learning 10.2 Version Space Search 10.8 Epilogue and 10.3 The

934 views • 54 slides
10c Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10c Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A

10c Machine Learning: Symbol-based 10.0 Introduction 10.5 Knowledge and Learning 10.1 A Framework for 10.6 Unsupervised Learning Symbol-based Learning 10.7 Reinforcement Learning 10.2 Version Space Search 10.8 Epilogue and 10.3 The

605 views • 35 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
MLTI Advisory Board Meeting #6 June 12 th , 2020 Beth Lambert, Team Lead Deb Lajoie, Project

MLTI Advisory Board Meeting #6 June 12 th , 2020 Beth Lambert, Team Lead Deb Lajoie, Project

MLTI Advisory Board Meeting #6 June 12 th , 2020 Beth Lambert, Team Lead Deb Lajoie, Project Manager Jordan Dean, Office Specialist Brandi Cota, Management Analyst Jon Graham, Elementary Digital Learning Specialist Emma Banks, Secondary Digital

379 views • 15 slides
An Initial Investigation of Protocol Customization David Ke Hong , Qi Alfred Chen, Z. Morley Mao

An Initial Investigation of Protocol Customization David Ke Hong , Qi Alfred Chen, Z. Morley Mao

An Initial Investigation of Protocol Customization David Ke Hong , Qi Alfred Chen, Z. Morley Mao University of Michigan Todays protocols are feature-rich Widely-used protocols contain a rich set of features and extensions Around

420 views • 15 slides
Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

370 views • 16 slides
Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Page 1 Page 1 Authentication

799 views • 59 slides
Scalable Communication Protocols for Dynamic Sparse Data Exchange Torsten Hoefler, Christian

Scalable Communication Protocols for Dynamic Sparse Data Exchange Torsten Hoefler, Christian

Scalable Communication Protocols for Dynamic Sparse Data Exchange Torsten Hoefler, Christian Siebert, Andrew Lumsdaine PPoPP 2010, Bangalore, India The Sparse Data Exchange Problem Defines a generic communication problem Assume a set of

545 views • 26 slides
Protocol Validation with CRL Wan Fokkink Modelling Distributed Systems Springer, 2007 Goals

Protocol Validation with CRL Wan Fokkink Modelling Distributed Systems Springer, 2007 Goals

Protocol Validation with CRL Wan Fokkink Modelling Distributed Systems Springer, 2007 Goals Formal modeling of real-life protocols Automated analysis of protocols by means of state space exploration (i.e. simulation or model

1.86k views • 125 slides
Cryptographic protocols: design and analysis David Wagner University of California, Berkeley 1

Cryptographic protocols: design and analysis David Wagner University of California, Berkeley 1

Cryptographic protocols: design and analysis David Wagner University of California, Berkeley 1 Notation A, B, C, S : names of legitimate parties. (Short for: Alice, Bob, client, server.) M : name of a malicious attacker. (Short for: Mallet.)

516 views • 25 slides

More recommend