zero knowledge arguments for matrix vector relations and
play

Zero-Knowledge Arguments for Matrix-Vector Relations and - PowerPoint PPT Presentation

Oct 30, 2022 •157 likes •618 views

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

  1. Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption ıt Libert 1 San Ling 2 Fabrice Mouhartem 1 Benoˆ Khoa Nguyen 2 Huaxiong Wang 2 1 ´ Ecole Normale Sup´ erieure de Lyon (France) 2 Nanyang Technological University (Singapore) ASIACRYPT 2016, Hanoi, Dec 5th 2016

  2. Outline Introduction 1 Group Encryption Towards Realizing Lattice-Based Group Encryption Our Results and Techniques 2 Proving “Quadratic Relations” in Zero-Knowledge Khoa Nguyen ZK & Lattice-Based Group Encryption 2 / 16

  3. Group Signature and Group Encryption Group signature [CvH - EC’91]: Group member can anonymously sign messages on behalf of the whole group. ⇒ Hiding the source of the messages within registered signers. Khoa Nguyen ZK & Lattice-Based Group Encryption 3 / 16

  4. Group Signature and Group Encryption Group signature [CvH - EC’91]: Group member can anonymously sign messages on behalf of the whole group. ⇒ Hiding the source of the messages within registered signers. Group encryption [KTY - AC’07]: the encryption analogue of group signature. Sender can encrypt messages to an anonymous group member. ⇒ Hiding the destination of the messages within registered receivers. Khoa Nguyen ZK & Lattice-Based Group Encryption 3 / 16

  5. Group Signature and Group Encryption Group signature [CvH - EC’91]: Group member can anonymously sign messages on behalf of the whole group. ⇒ Hiding the source of the messages within registered signers. Group encryption [KTY - AC’07]: the encryption analogue of group signature. Sender can encrypt messages to an anonymous group member. ⇒ Hiding the destination of the messages within registered receivers. Group members are kept accountable for their actions: an opening authority can un-anonymize the signatures/ciphertexts - should the needs arise. Khoa Nguyen ZK & Lattice-Based Group Encryption 3 / 16

  6. Group Encryption [KTY - AC’07] GE allows encrypting while proving that: 1 The ciphertext is well-formed and intended for some registered group member who will be able to decrypt; 2 The opening authority will be able identify the receiver if necessary; 3 The plaintext satisfies certain properties. Khoa Nguyen ZK & Lattice-Based Group Encryption 4 / 16

  7. Group Encryption [KTY - AC’07] GE allows encrypting while proving that: 1 The ciphertext is well-formed and intended for some registered group member who will be able to decrypt; 2 The opening authority will be able identify the receiver if necessary; 3 The plaintext satisfies certain properties. Possible applications of GE: Firewall filtering Anonymous trusted third parties Cloud storage services Hierarchical group signatures [TW - ICALP’05]. Khoa Nguyen ZK & Lattice-Based Group Encryption 4 / 16

  8. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  9. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  10. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. [El Aimani,Joye - ACNS’13] suggested various improvements. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  11. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. [El Aimani,Joye - ACNS’13] suggested various improvements. [LYJP - PKC’14]: refined traceability mechanism. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  12. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. [El Aimani,Joye - ACNS’13] suggested various improvements. [LYJP - PKC’14]: refined traceability mechanism. All existing realizations of GE rely on number-theoretic assumptions. ✗ ? Construction from other assumptions, e.g., lattice-based? Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  13. In the World of Lattice-Based Crypto... Many lattice-based group signatures published in the last 6 years. First constructions: [GKV - AC’10], [CNR - SCN’12] - linear-size signatures, static groups. Logarithmic-size signatures: [LLLS - AC’13]. Improvements: [NZZ - PKC’15], [LNW - PKC’15], [LLNW - EC’16]. With additional features: [LLNW - PKC’14], [LNW - ACNS’16]. Dynamic groups: [LLMNW - AC’16]. Khoa Nguyen ZK & Lattice-Based Group Encryption 6 / 16

  14. In the World of Lattice-Based Crypto... Many lattice-based group signatures published in the last 6 years. First constructions: [GKV - AC’10], [CNR - SCN’12] - linear-size signatures, static groups. Logarithmic-size signatures: [LLLS - AC’13]. Improvements: [NZZ - PKC’15], [LNW - PKC’15], [LLNW - EC’16]. With additional features: [LLNW - PKC’14], [LNW - ACNS’16]. Dynamic groups: [LLMNW - AC’16]. But no lattice-based GE so far! Note that both GS and GE rely on Ordinary signatures; Public-key encryption; Supporting zero-knowledge proofs . Where is the main technical difficulty? Khoa Nguyen ZK & Lattice-Based Group Encryption 6 / 16

  15. Existing ZK Protocols in Lattice-Based Crypto Two main classes: 1 Schnorr-like [Schnorr - Crypto’89] approach. Introduced by Lyubashevsky [Lyu - PKC’08, EC’12]: rejection sampling . 2 Stern-like [Stern - Crypto’93, IEEE IT’96] approach. First considered in the lattice setting by [KTX - AC’08]. Empowered by [LNSW - PKC’13]: decomposition and extension . Khoa Nguyen ZK & Lattice-Based Group Encryption 7 / 16

  16. Existing ZK Protocols in Lattice-Based Crypto Two main classes: 1 Schnorr-like [Schnorr - Crypto’89] approach. Introduced by Lyubashevsky [Lyu - PKC’08, EC’12]: rejection sampling . 2 Stern-like [Stern - Crypto’93, IEEE IT’96] approach. First considered in the lattice setting by [KTX - AC’08]. Empowered by [LNSW - PKC’13]: decomposition and extension . These techniques deal with linear relations , i.e., equations containing terms: (public matrix) · (secret vector), where the secret vector may satisfy some constraints (e.g., smallness). The (I)SIS relation [Ajtai - STOC’96, GPV - STOC’08]: A · x = u mod q , for public ( A , u ). The LWE relation [Regev - STOC’05]: A · s + e = b mod q , for public ( A , b ). Khoa Nguyen ZK & Lattice-Based Group Encryption 7 / 16

  17. The Case of Lattice-Based Group Signatures A modular design for GS [BMW-EC’03]: sign-then-encrypt-then-prove Each user has a signature σ on his identity id , issued by the group manager (GM). In the process of generating GS, the user encrypts id to c - using the public key of the opening authority (OA), then proves in ZK that: 1 He has a secret valid pair ( id , σ ), w.r.t. pk GM . 2 c is a well-formed ciphertext of id , w.r.t. pk OA . Khoa Nguyen ZK & Lattice-Based Group Encryption 8 / 16

  18. The Case of Lattice-Based Group Signatures A modular design for GS [BMW-EC’03]: sign-then-encrypt-then-prove Each user has a signature σ on his identity id , issued by the group manager (GM). In the process of generating GS, the user encrypts id to c - using the public key of the opening authority (OA), then proves in ZK that: 1 He has a secret valid pair ( id , σ ), w.r.t. pk GM . 2 c is a well-formed ciphertext of id , w.r.t. pk OA . Known techniques allow to realize the core ZK components required ✓ by group signatures, for SIS-based signatures and LWE-based encryption. Khoa Nguyen ZK & Lattice-Based Group Encryption 8 / 16

  19. Towards Realizing Lattice-Based Group Encryption A modular design: Each member has a key pair ( sk , pk ) for an anonymous encryption scheme. Manager signs member’s public key pk , and publishes ( pk , σ ). Khoa Nguyen ZK & Lattice-Based Group Encryption 9 / 16

  20. Towards Realizing Lattice-Based Group Encryption A modular design: Each member has a key pair ( sk , pk ) for an anonymous encryption scheme. Manager signs member’s public key pk , and publishes ( pk , σ ). Sender uses pk to encrypt a message µ satisfying relation R , obtains c . Sender also encrypts pk under the pk OA , obtains c OA . Khoa Nguyen ZK & Lattice-Based Group Encryption 9 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018, 20 August 2018 Zero-Knowledge

422 views • 30 slides
Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations Dimensions length and size functions length - returns the number of elements in a vector size - returns the number of rows and columns in a vector or

588 views • 22 slides
Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Short Pairing-based Non-interactive Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In a zero knowledge protocol a prover can convince a verifier that some statement is true without leaking any side

628 views • 14 slides
Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay October 15, 2019 1 / 24 zkSNARKs Arguments ZK proofs

435 views • 24 slides
Exploiting Matrix Reuse and Data Locality in Sparse Matrix-Vector and Matrix-Transpose-Vector

Exploiting Matrix Reuse and Data Locality in Sparse Matrix-Vector and Matrix-Transpose-Vector

Matrix reuse and data locality in parallel y = A z and z = A T x Exploiting Matrix Reuse and Data Locality in Sparse Matrix-Vector and Matrix-Transpose-Vector Multiplication on Many-Core Architectures Kadir Akbudak Ozan Karsavuran 1 (speaker)

822 views • 15 slides
= an orthogonal matrix T X X l l Cov( , ) i k ij kj j = 1 = X F l Cov( , )

= an orthogonal matrix T X X l l Cov( , ) i k ij kj j = 1 = X F l Cov( , )

Factor analysis (cf. section 9.3) In matrix notation the factor model takes the form: An observable random vector X of dimension p has mean X LF = + vector and covariance matrix L Here is the p x m matrix

98 views • 6 slides
Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication

Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication

CS 140 : Numerical Examples on Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication Hyperobjects Thank nks to Charles E. L Leiserson on for some of t these slides 1 Work and Span (Recap) T P =

449 views • 29 slides
Parallel Sparse Matrix-Vector and Matrix- Transpose-Vector Multiplication using Compressed Sparse

Parallel Sparse Matrix-Vector and Matrix- Transpose-Vector Multiplication using Compressed Sparse

Parallel Sparse Matrix-Vector and Matrix- Transpose-Vector Multiplication using Compressed Sparse Blocks Aydn Bulu, UCSB Jeremy T. Fineman (MIT) Matteo Frigo (Cilk Arts) John R. Gilbert (UCSB) Charles E. Leiserson (MIT & Cilk Arts) 1

523 views • 21 slides
CS 140 : Matrix multiplication Warmup: Matrix times vector: communication volume Matrix

CS 140 : Matrix multiplication Warmup: Matrix times vector: communication volume Matrix

CS 140 : Matrix multiplication Warmup: Matrix times vector: communication volume Matrix multiplication I: parallel issues Matrix multiplication II: cache issues Thanks to Jim Demmel and Kathy Yelick (UCB) for some of these slides

473 views • 45 slides
Matrix Multiplication Matrix Multiplication via Matrix-Vector Mult Defn. If matrix A is m n

Matrix Multiplication Matrix Multiplication via Matrix-Vector Mult Defn. If matrix A is m n

Matrix Multiplication Matrix Multiplication via Matrix-Vector Mult Defn. If matrix A is m n and matrix B is r s , then for the product AB to be valid it must be that n = r . If valid, the product AB has size m s . The columns of the

400 views • 12 slides
Parallel Numerical Algorithms Chapter 3 Dense Linear Systems Section 3.1 Vector and

Parallel Numerical Algorithms Chapter 3 Dense Linear Systems Section 3.1 Vector and

BLAS Inner Product Outer Product Matrix-Vector Product Matrix-Matrix Product Parallel Numerical Algorithms Chapter 3 Dense Linear Systems Section 3.1 Vector and Matrix Products Michael T. Heath and Edgar Solomonik Department of

1.19k views • 77 slides
Parallel Scientific Computing Matrix-vector multiplication. Matrix-matrix multiplication.

Parallel Scientific Computing Matrix-vector multiplication. Matrix-matrix multiplication.

CS140 IV-1 Parallel Scientific Computing Matrix-vector multiplication. Matrix-matrix multiplication. Direct method for solving a linear equation. Gaussian Elimination. Iterative method for solving a linear equation.

367 views • 25 slides
Vector FPGA Acceleration of 1-D DWT Computations using Sparse Matrix Skeletons Sidharth

Vector FPGA Acceleration of 1-D DWT Computations using Sparse Matrix Skeletons Sidharth

Vector FPGA Acceleration of 1-D DWT Computations using Sparse Matrix Skeletons Sidharth Maheshwari, Gourav Modi, Siddhartha , Nachiket Kapre School of Computer Science and Engineering Nanyang Technological University Matrix-Form 1-D DWT

500 views • 16 slides
Matrix-Vector Multiplication in Sub-Quadratic Time (Some Preprocessing Required) Ryan Williams

Matrix-Vector Multiplication in Sub-Quadratic Time (Some Preprocessing Required) Ryan Williams

Matrix-Vector Multiplication in Sub-Quadratic Time (Some Preprocessing Required) Ryan Williams Carnegie Mellon University 0-0 Introduction Matrix-Vector Multiplication: Fundamental Operation in Scientific Computing 1 Introduction

1.15k views • 55 slides
Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2

712 views • 33 slides
Quiz I Give our two primary interpretations of matrix-vector multiplication. I Give the

Quiz I Give our two primary interpretations of matrix-vector multiplication. I Give the

Quiz I Give our two primary interpretations of matrix-vector multiplication. I Give the matrix-vector definition of matrix-matrix multiplication. 2 1 2 3 4 3 I Let A = 0 1 2 3 5 . 4 0 0 0 1 1. What is the rank of A ? 2. What is the

576 views • 23 slides
Group Results Safe Harbor Some of the information in this presentation may contain projections or

Group Results Safe Harbor Some of the information in this presentation may contain projections or

Q1 2020 May 26, 2020 Group Results Safe Harbor Some of the information in this presentation may contain projections or other from those contained in our projections or forward-looking statements, forward-looking statements regarding future

260 views • 25 slides
COVID-19 and the Anchorage economy What do we know and where do we go from here? Mouhcine

COVID-19 and the Anchorage economy What do we know and where do we go from here? Mouhcine

Basics COVID-19 and the Anchorage economy What do we know and where do we go from here? Mouhcine Guettabi, PhD Associate Professor of Economics Institute of Social and Economic Research University of Alaska Anchorage May 6th, 2020 1/14

494 views • 24 slides
Gary F. Simons SIL International AARDVARC Symposium, LSA, Portland, OR, 11 Jan 2015 Given the

Gary F. Simons SIL International AARDVARC Symposium, LSA, Portland, OR, 11 Jan 2015 Given the

Gary F. Simons SIL International AARDVARC Symposium, LSA, Portland, OR, 11 Jan 2015 Given the relentless entropy that degrades our field recordings, and innovation that makes the technology we have used to capture them obsolete within

367 views • 20 slides
What is the Public Interest Demand for

What is the Public Interest Demand for

What is the Public Interest Demand for Openness and Transparency? Howard Kushner Kushner

130 views • 11 slides
AGENDA GDPR - what is the problem Architecture Solution components Watson APIs

AGENDA GDPR - what is the problem Architecture Solution components Watson APIs

GDPR DISCOVERY USING TEXT MINING AND DEEP LEARNING #23120 Elinar Oy Ltd Ari Juntunen ChiefTechnology Officer 1 AGENDA GDPR - what is the problem Architecture Solution components Watson APIs Networks Performance

482 views • 25 slides
Demography, meet Big Data; Big Data, meet Demography: Reflections on the Data-Rich Future of

Demography, meet Big Data; Big Data, meet Demography: Reflections on the Data-Rich Future of

UN EGM on Strengthening the Demographic Evidence Base For The Post-2015 Development Agenda, New York, 5-6 October 2015 Demography, meet Big Data; Big Data, meet Demography: Reflections on the Data-Rich Future of Population Science Emmanuel

811 views • 44 slides
- Case Study of DBS Saket Saith DBS is one of the leading financial services group in Asia

- Case Study of DBS Saket Saith DBS is one of the leading financial services group in Asia

The Rise of Invisible Banking - Case Study of DBS Saket Saith DBS is one of the leading financial services group in Asia Largest bank in South-East Asia with over 280 branches in 18 markets Market leader in Singapore Growing presence

448 views • 19 slides
MASTERS PRESENTATIONS WINTER 2015 Thursday, April 23, 2015 8:00 am 4:00 pm Room A-1-105

MASTERS PRESENTATIONS WINTER 2015 Thursday, April 23, 2015 8:00 am 4:00 pm Room A-1-105

MASTERS PRESENTATIONS WINTER 2015 Thursday, April 23, 2015 8:00 am 4:00 pm Room A-1-105 Mackinac Hall Room A-1-111 Mackinac Hall SCHOOL OF CIS WINTER 2015 MASTERS PRESENTATIONS Thursday, April 23, 2015 Schedule of Presentations MAK

513 views • 24 slides

More recommend