post quantum zero knowledge proofs for accumulators
play

Post-Quantum Zero-Knowledge Proofs for Accumulators with - PowerPoint PPT Presentation

Jan 01, 2024 •324 likes •612 views

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

  1. Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler ‡ , Sebastian Ramacher ‡ , Daniel Slamanig § PQC rypto ’18, April 9, 2018 ‡ § 1

  2. Ring Signatures • P rivacy enhancing primitive • Sign a message on behalf of ad-hoc group (= ring) � Signature attests some member of ring signed � Signer remains anonymous within ring � � � � � � � 2

  3. PQ Ring Signatures How to build ring signatures in a post-quantum setting? • Code based [MCG08] • Multivariate [MP17] Linear size in # ring members! Only recently first sublinear ring signatures: • Lattice based [LLNW16] � From generic accumulator based approach [DKNS04] 3

  4. Can we build ring signatures solely from symmetric key primitives? 3

  5. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message 4

  6. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 y 0,2 y 1,2 y 2,2 y 3,2 x 2,2 4

  7. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 y 0,2 y 1,2 y 2,2 y 3,2 Public keys of users x 2,2 4

  8. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 Inner nodes: y 1,1 ← H ( y 2,2 || y 3,2 ) y 0,2 y 1,2 y 2,2 y 3,2 Public keys of users x 2,2 4

  9. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 Inner nodes: y 1,1 ← H ( y 2,2 || y 3,2 ) y 0,2 y 1,2 y 2,2 y 3,2 Public keys of users Each public key associated to a secret key x 2,2 4

  10. Zero-Knowledge Membership Proof Naive approach reveals path taken y 0,0 y 0,0 y 1,1 y 0,1 y 0,1 y 1,1 y 2,2 y 1,2 y 0,2 y 1,2 y 3,2 y 0,2 y 2,2 y 3,2 Trivial approach • Disjunctive proof of knowledge over all possible paths • Linear size in # ring members! 5

  11. Zero-Knowledge Membership Proof Use commutative hash function? [DKNS04] • y i = H ( a i , b i ) = H ( b i , a i ) • y i , a i , b i not revealed (except root of tree) • Does not reveal whether we continue lef or right • Not directly possible in symmetric setting! 6

  12. Zero-Knowledge Membership Proof Use commutative hash function? [DKNS04] • y i = H ( a i , b i ) = H ( b i , a i ) • y i , a i , b i not revealed (except root of tree) • Does not reveal whether we continue lef or right • Not directly possible in symmetric setting! Our technique • “Emulate” commutativity • Disjunctive statement per level y i = H ( a i || b i ) ∨ y i = H ( b i || a i ) 6

  13. Our Ring Signatures • Accumul ate public keys • Prove knowledge of secret key corresponding to public key • Proof membership of public key 7

  14. Our Ring Signatures • Accumul ate public keys • Prove knowledge of secret key corresponding to public key • Proof membership of public key Unforgeability: • From collision-free accumulator with one-way domain • And simulation-sound extractability + Prove that ZKB++/FS is simulation-sound extractable 7

  15. Our Ring Signatures • Accumul ate public keys • Prove knowledge of secret key corresponding to public key • Proof membership of public key Unforgeability: • From collision-free accumulator with one-way domain • And simulation-sound extractability + Prove that ZKB++/FS is simulation-sound extractable Anonymity: • From zero-knowledge 7

  16. Instantiation & Signature Size Instantiation • ZKB++ • One-way function: use LowMC • Hash function: use LowMC in Sponge framework Estimated signature sizes • Logarithmic in # of ring members Ring size | σ | (FS/ROM) | σ | (Unruh/QROM) 2 5 2125 KB 3159 KB 2 10 4086 KB 6067 KB 2 20 8008 KB 11882 KB 8

  17. Can we do better? - New results 8

  18. Instantiating the Circuit Multiplexer x 0 x s x 1 M s 9

  19. Instantiating the Circuit Multiplexer x 0 x 0 x 1 M 0 9

  20. Instantiating the Circuit Multiplexer x 0 x 1 x 1 M 1 9

  21. Instantiating the Circuit a i + 1 H a i b i + 1 M H s i + 1 9

  22. Instantiating the Circuit a i + 1 M a i b i + 1 H M s i + 1 9

  23. Instantiating the Circuit a i + 1 M a i b i + 1 H M s i + 1 • R equires 2 AND gates / output bit + Can be optimized to only require 1 AND gate / output bit 9

  24. Smaller Signatures • Onl y one hash function evaluation • Two multiplexers with circuit optimizations • Additionally AND gates in digest size � Signature size reduction by factor ≈ 2 Ring size | σ | (FS/ROM) | σ | (Unruh/QROM) 2 5 1200 KB 2289 KB 2 10 2283 KB 4388 KB 2 20 4450 KB 8584 KB 10

  25. Conclusions Important steps towards PQ privacy enhancing primitives • Solely from symmetric primitives • PQ accumulators + ZK proofs • Construction of ring signatures Very flexible • Similar techniques recently used by Boneh et al. [BEF18] � In construction of PQ dynamic group signatures Future directions • New results → smaller signatures • Even smaller sizes for group signatures of Boneh et al. ? Further optimizations & new constructions 11

  26. Questions? Full version: https://ia.cr/2017/1154 Supported by: 12

  27. References i [BEF18] Dan Boneh, Saba Eskandarian, and Ben Fisch. Post-quantum group signatures from symmetric primitives. IACR Cryptology ePrint Archive , 2018:261, 2018. [DKNS04] Yevgeniy Dodis, Aggelos Kiayias, Antonio Nicolosi, and Victor Shoup. Anonymous identification in ad hoc groups. In EUROCRYPT , 2004. [LLNW16] Benoˆ ıt Libert, San Ling, Khoa Nguyen, and Huaxiong Wang. Zero-knowledge arguments for lattice-based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors. In EUROCRYPT , 2016. [MCG08] Carlos Aguilar Melchor, Pierre-Louis Cayrel, and Philippe Gaborit. A new efficient threshold ring signature scheme based on coding theory. In PQCrypto , 2008. [MP17] Mohamed Saied Emam Mohamed and Albrecht Petzoldt. Ringrainbow - an efficient multivariate ring signature scheme. In AFRICACRYPT , 2017. 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University @claudiorlandi Based on joint work with: Meliisa Chase (Microsoft) David Derler (TU Graz) Tore Frederiksen (BIU) Irene Giacomelli

1.21k views • 77 slides
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER SEBASTIAN RAMACHER STEVEN GOLDFEDER CHRISTIAN RECHBERGER JONATHAN KATZ DANIEL SLAMANIG VLAD KOLESNIKOV XIAO WANG CLAUDIO ORLANDI

577 views • 37 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios Papadopoulos 3 Roberto Tamassia 1 Nikos Triandopoulos 4 1 Brown University 2 Microsoft Research 3 University of Maryland 4 Stevens Institute of Technology

614 views • 39 slides
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1 Post Quantum Cryptography

1.22k views • 86 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
33: Accumulators & Polishing code (Functional Data) Accumulators Estimated Value and search

33: Accumulators & Polishing code (Functional Data) Accumulators Estimated Value and search

33: Accumulators & Polishing code (Functional Data) Accumulators Estimated Value and search subtrees Functional data structures Strategies we've seen so far "Strengthen the recursion": solve a more general problem

745 views • 51 slides
Network Structure & Information Advantage: Structural Determinants of Access to Novel

Network Structure & Information Advantage: Structural Determinants of Access to Novel

Network Structure & Information Advantage: Structural Determinants of Access to Novel Information and Their Performance Implications Sinan Aral NYU Stern School & MIT Sloan School Room: NE20-336, 3 Cambridge Center, Cambridge, MA 02142

339 views • 4 slides
Adaptable component frameworks: Using vector from the C ++ standard library as an example Bo

Adaptable component frameworks: Using vector from the C ++ standard library as an example Bo

Adaptable component frameworks: Using vector from the C ++ standard library as an example Bo Simonsen University of Copenhagen Joint work with Jyrki Katajainen These slides are available at http://cphstl.dk Performance Engineering

464 views • 21 slides
Access Monitoring Review Plan Presented by: Jessica Chislett, Access Stakeholder Relations

Access Monitoring Review Plan Presented by: Jessica Chislett, Access Stakeholder Relations

Access Monitoring Review Plan Presented by: Jessica Chislett, Access Stakeholder Relations Specialist Jan-20 1 Our Mission Improving health care access and outcomes for the people we serve while demonstrating sound stewardship of financial

336 views • 33 slides
INFORMATION GOVERNANCE INITIATIVE TriMet Board Presentation November 19, 2014 Phase I Recap

INFORMATION GOVERNANCE INITIATIVE TriMet Board Presentation November 19, 2014 Phase I Recap

INFORMATION GOVERNANCE INITIATIVE TriMet Board Presentation November 19, 2014 Phase I Recap Records Inventory and Survey Agency-Wide File Classification Plan Records Assessment 2 Multi-Year Roadmap 2014 2015 2016 2017 3

375 views • 12 slides
Castlight Health Investor Presentation J une 2020 (NY S E : C S LT) 1 S afe Harbor S tatement

Castlight Health Investor Presentation J une 2020 (NY S E : C S LT) 1 S afe Harbor S tatement

Castlight Health Investor Presentation J une 2020 (NY S E : C S LT) 1 S afe Harbor S tatement This presentation contains forward-looking statements within the meaning of the safe harbor provisions of the Private Securities Litigation

1.48k views • 28 slides
Priorities for the Battery Directive Revision Hamburg September 24th 2014 Eucobat 1.

Priorities for the Battery Directive Revision Hamburg September 24th 2014 Eucobat 1.

Priorities for the Battery Directive Revision Hamburg September 24th 2014 Eucobat 1. European association of Na#onal Non profit Industry-driven Collec#on schemes for portable,

462 views • 22 slides
IRIS IMAGE SEGMENTATION Problem statement Related work BY PAIRED GRADIENT METHOD Proposed

IRIS IMAGE SEGMENTATION Problem statement Related work BY PAIRED GRADIENT METHOD Proposed

Iris image segmen- tation 1 / 28 Efimov Y. Matveev I. IRIS IMAGE SEGMENTATION Problem statement Related work BY PAIRED GRADIENT METHOD Proposed solution WITH PUPIL BOUNDARY REFINEMENT Edge detection Pairs for voting Accumulator analysis

705 views • 28 slides
S155 Churchill Gardens Phase 5 Scheme Presentation 27 th July 2016 Introduction Capital

S155 Churchill Gardens Phase 5 Scheme Presentation 27 th July 2016 Introduction Capital

S155 Churchill Gardens Phase 5 Scheme Presentation 27 th July 2016 Introduction Capital Programme Team Rita Bailey, Project Manager (Technical Services Department) Keith Rouse, Project Surveyor (Delivery Team) Resident Relations

367 views • 9 slides

More recommend