Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi – Aarhus University @claudiorlandi
Based on joint work with: • Melissa Chase (Microsoft) • David Derler (TU Graz) • Tore Frederiksen (BIU) • Irene Giacomelli (UW-Madison) • Steven Goldfeder (Princeton) • Marek Jawurek (SAP) • Florian Kerschbaum (SAP) • Jesper Madsen (AU) • Jesper Buus Nielsen (AU) • Sebastian Ramacher (TU Graz) • Christian Rechberger (TU Graz, DTU) • Daniel Slamanig (TU Graz) • Greg Zaverucha (Microsoft)
Motivation: Authentication
P → V: “I am Claudio”, “I know my password”, “Here is my Pa55w0rD”
Motivation: Authentication (with an adversary A between P and V)
P → A: “I am Claudio”, “Here is my Pa55w0rD”; A → V: “I am Claudio”, “Here is my Pa55w0rD” (A relays the same messages and is accepted as P)
Motivation: Zero-Knowledge Authentication
P ↔ V: “I am Claudio”, followed by rounds of questions q and answers a (no password is ever sent)
ZK: Definitions
P(x) ↔ V: P claims “I know x s.t. f(x)=1”, followed by rounds of questions q and answers a. Only P knows x; P and V both know f.
• Completeness: P, V honest → V accepts
• Proof-of-Knowledge: if P does not know x (its answers a* are produced without x) → V rejects
• Zero-Knowledge: V learns nothing about x (even from arbitrarily chosen questions q*)
What can be proven in ZK?
• Feasibility: NP, even PSPACE!
• Efficiently: algebraic languages (Schnorr, …, Groth-Sahai, …)
This talk: Can we construct efficient proofs for non-algebraic languages such as “I know x such that SHA(x)=y”?
• SNARKs (generic): short proofs, efficient verification ☺; slow prover ☹; implementations: Pinocchio, libsnark, …
Two protocols: • ZKGC (from Garbled Circuits) • ZKBoo (from MPC)
One application: • Generic (post-quantum) signatures
Example: Schnorr Protocol Go to Example
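The Schnorr example the slide points to is not part of the extracted deck. As an added illustration (my code, not the author's material), the following Python runs Schnorr's identification protocol in a constructed toy group (p = 23, q = 11, g = 2 are assumptions of this example; real parameters are far larger) and exercises the three definitions from the previous slides: completeness through verify, proof-of-knowledge through an extractor that recovers x from two transcripts with the same commitment, and zero-knowledge through a simulator that produces an accepting transcript without x.

```python
import secrets

# Constructed toy parameters (an assumption of this example, not from the
# talk): the subgroup of Z_23^* of prime order q = 11, generated by g = 2.
P, Q, G = 23, 11, 2

def keygen():
    """Prover's secret x and public h = g^x; the statement is 'I know x s.t. g^x = h'."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    """Round 1: prover picks random r and sends the commitment a = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def prover_respond(x, r, e):
    """Round 3: prover answers the verifier's challenge e with z = r + e*x mod q."""
    return (r + e * x) % Q

def verify(h, a, e, z):
    """Verifier accepts iff g^z == a * h^e; completeness holds for an honest P."""
    return pow(G, z, P) == (a * pow(h, e, P)) % P

def run_protocol(x, h):
    """One interactive run: commit, random challenge (round 2), respond, verify."""
    r, a = prover_commit()
    e = secrets.randbelow(Q)
    return verify(h, a, e, prover_respond(x, r, e))

def extract(e1, z1, e2, z2):
    """Proof-of-knowledge: two accepting transcripts with the same commitment a
    but e1 != e2 give x = (z1 - z2) / (e1 - e2) mod q, so a prover able to
    answer two challenges must 'know' x."""
    return ((z1 - z2) * pow(e1 - e2, -1, Q)) % Q

def simulate(h):
    """Zero-knowledge (honest verifier): an accepting transcript made WITHOUT x
    by choosing e and z first and solving for a = g^z * h^(-e)."""
    e, z = secrets.randbelow(Q), secrets.randbelow(Q)
    return (pow(G, z, P) * pow(h, -e, P)) % P, e, z
```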
The Crypto Toolbox: OTP >> SKE >> PKE >> FHE >> Obfuscation (from left to right: weaker to stronger assumption, more to less efficient)
Zero-Knowledge from Garbled Circuits Jawurek, Kerschbaum, Orlandi CCS 2013
Zero-Knowledge vs Secure 2PC
• Secure 2PC: A holds (f, x), B holds (f, y); both learn f(x,y)
• ZK: P holds (f, x), V holds only f; V learns whether f(x)=1
Garbled Circuits (values in a box are “garbled”)
• Gb(f, r) → ([F], e, d); En(e, x) → [X]; Ev([F], [X]) → [Y]; De(d, [Y]) → y
• Correct if y = f(x)
Garbled Circuits: Authenticity
• Whatever [y*] the evaluator produces from [F] and [X], De(d, [y*]) = y* with y* = f(x) OR y* = ⊥
(HV)ZKGC to prove f(x)=y
Prover(x), Verifier() (the verifier has no secret input):
• Verifier: ([F], e, d) ← Gb(f, r)
• OT: Prover inputs x, Verifier inputs e; Prover obtains [X]
• Verifier → Prover: [F]
• Prover: [Y] ← Ev([F], [X]); Prover → Verifier: [Y]
• Verifier: accept if De(d, [Y]) = y
Soundness: a Prover(?) without x runs the OT on some x* and evaluates to [Y*]; by authenticity De(d, [Y*]) ∈ {f(x*), ⊥}, so V only accepts if f(x*) = y. Authenticity!
Zero-knowledge fails against a corrupt V: V garbles ([G], e, d) ← Gb(g, r) for some other function g; the Prover computes [Y] ← Ev([G], [X]) and sends it, and V learns g(x) = De(d, [Y]). A corrupt V can replace f with g, breaking ZK!
Garbled circuits with active security? How can the verifier prove that f was garbled correctly (without breaking soundness)?
• Plenty of (costly) solutions are known for 2PC: zero-knowledge, cut-and-choose, etc.
• Can we do better for ZK?
ZKGC to prove f(x)=y (active security)
Prover(x), Verifier():
• Verifier: ([F], e, d) ← Gb(f, r)
• OT: Prover inputs x, Verifier inputs e; Prover obtains [X]
• Verifier → Prover: [F]
• Prover: [Y] ← Ev([F], [X]); Prover → Verifier: Comm([Y])
• Verifier → Prover: r
• Prover: if [F] != Gb(f, r) abort, else Open([Y])
• Verifier: accept if De(d, [Y]) = y
Active security using only 1 GC!
Recap: ZK based on GC • The main idea: • In ZK the verifier (Bob) has no secrets! • After the protocol, Bob can reveal all his randomness. • Alice can simply check that Bob behaved honestly by redoing his entire computation.
Privacy-Free Garbled Circuits Frederiksen, Nielsen, Orlandi EUROCRYPT 2015
Main idea • In 2PC the garbler has secret input • GC privacy → privacy of input • In ZK V has no input to protect • Can we get more efficient GC without privacy? Yes!
Example: Privacy Free Garbling Go to PFGC
Runtime (rough estimates)
• Proof of “c = AES(k,m)” for secret k and public (c, m)
• AES: 35k gates (7k ANDs / 28k XORs)
• Communication: 204kB (98% GC)
• Runtime: OT: 29.4ms (using Chou-Orlandi OT, |w|=128); Garbling: 721µs (using JustGarble GaXR); Eval: 273µs
• Total (Garble + OT + Eval + Garble) ~ 31.2ms (+network)
Applications
• Sublinear ZK (via ORAM): Hu, Mohassel, Rosulek, Crypto 2015
• Privacy-Preserving Credentials: Chase, Ganesh, Mohassel, Crypto 2016
• Attribute-Based KE with General Policies: Kolesnikov, Krawczyk, Lindell, Malozemoff, Rabin, CCS 2016
• Input validity in 2PC: Baum, SCN 2016; Katz, Malozemoff, Wang, ePrint; Afshar, Mohassel, Rosulek, ePrint; …
ZKBoo: Faster Zero-Knowledge for Boolean Circuits Giacomelli, Madsen, Orlandi USENIX Security 2016
From ZKGC to ZKBoo • ZKGC is inherently interactive (private coin, cannot use Fiat-Shamir) • IKOS (Ishai, Kushilevitz, Ostrovsky, Sahai) proposed in 2007 a method to get ZK from MPC. Plugging in the right MPC protocol, one gets ZK with very good asymptotic complexity. • ZKBoo can be seen as a generalization, simplification and implementation of IKOS with the sole goal of practical efficiency.
ZKBoo: (2,3)-decomposition
To build ZKBoo, we need to find a suitable MPC protocol. Instead of an MPC protocol, we speak about a (2,3)-decomposition for C: {Share, Output_1, Output_2, Output_3, Rec} ∪ {f_1^(j), f_2^(j), f_3^(j)}_{j=1,…,N}
[Diagram: x → Share → (w_1^0, w_2^0, w_3^0); for j = 1..N, the three functions f_1^(j), f_2^(j), f_3^(j) map the views (w_1^{j-1}, w_2^{j-1}, w_3^{j-1}) to (w_1^j, w_2^j, w_3^j); Output_i applied to w_i^N gives y_i; Rec(y_1, y_2, y_3) gives y]
• correct: y = C(x)
• 2-private: ∀ e ∈ [3] ∃ a PPT simulator S_e that perfectly simulates the distribution of ({w_i}_{i ∈ {e, e+1}}, y_{e+2})
Example: the linear decomposition
• Computation in a ring (R, +, ·)
• Share(x): get random x_1, x_2 ← R; let x_3 = x - x_1 - x_2
• Rec(y_1, y_2, y_3): y = y_1 + y_2 + y_3
• Add(x_1, x_2, x_3, y_1, y_2, y_3): z_1 = x_1 + y_1; z_2 = x_2 + y_2; z_3 = x_3 + y_3
• Mul(x_1, x_2, x_3, y_1, y_2, y_3): z_1 = x_1 y_1 + x_1 y_2 + x_2 y_1 + r_1 - r_2; z_2 = x_2 y_2 + x_2 y_3 + x_3 y_2 + r_2 - r_3; z_3 = x_3 y_3 + x_3 y_1 + x_1 y_3 + r_3 - r_1
Correctness: z_1 + z_2 + z_3 = (x_1 + x_2 + x_3)(y_1 + y_2 + y_3)
2-privacy: any pair (z_i, z_{i+1}) is uniform random (thanks to r_1, r_2, r_3)
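As an added worked example (my code, not from the ZKBoo paper or its implementation), the linear decomposition above in Python over the constructed ring R = Z_{2^32}, run on a constructed two-gate circuit C(x) = x·x + x, together with one ZKBoo-style round: the prover produces the three views, the verifier picks a challenge e (0-indexed here), receives views e and e+1, and recomputes view e from party e's input share and tape plus view e+1. A view with a tampered wire fails this check, so a cheating prover survives a round with probability 2/3.

```python
import secrets

MOD = 2**32   # constructed choice: the ring R = Z_{2^32}
# Constructed toy circuit: wire 0 holds x, gate k writes wire k+1.
# ("mul", 0, 0): w1 = x*x ; ("add", 1, 0): w2 = w1 + x, i.e. C(x) = x*x + x.
CIRCUIT = [("mul", 0, 0), ("add", 1, 0)]

def share(x):
    """Share: x1, x2 uniform in R, x3 = x - x1 - x2."""
    x1, x2 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [x1, x2, (x - x1 - x2) % MOD]

def rec(ys):
    """Rec: y = y1 + y2 + y3."""
    return sum(ys) % MOD

def eval_gate(i, k, gate, wires, tapes):
    """Party i's share of gate k's output, computed from its own wires and
    only party i+1's wires and random tape (the Add/Mul rules of the slide)."""
    op, a, b = gate
    wi, wj = wires[i], wires[(i + 1) % 3]
    if op == "add":
        return (wi[a] + wi[b]) % MOD
    return (wi[a] * wi[b] + wi[a] * wj[b] + wj[a] * wi[b]
            + tapes[i][k] - tapes[(i + 1) % 3][k]) % MOD

def prove(x):
    """Prover: share x, run the three branches gate by gate, and return the
    three views (wires, random tape) plus the output shares y1, y2, y3."""
    tapes = [[secrets.randbelow(MOD) for _ in CIRCUIT] for _ in range(3)]
    wires = [[s] for s in share(x)]
    for k, gate in enumerate(CIRCUIT):
        outs = [eval_gate(i, k, gate, wires, tapes) for i in range(3)]
        for i in range(3):
            wires[i].append(outs[i])
    return [(wires[i], tapes[i]) for i in range(3)], [w[-1] for w in wires]

def verify(y, ys, e, view_e, view_e1):
    """Verifier with challenge e, given the opened views of parties e and e+1:
    the output shares must reconstruct to y and match the views, and view e
    must be reproducible from its input share, its tape and view e+1."""
    (wires_e, tape_e), (wires_e1, tape_e1) = view_e, view_e1
    j = (e + 1) % 3
    if rec(ys) != y or ys[e] != wires_e[-1] or ys[j] != wires_e1[-1]:
        return False
    wires, tapes = [None] * 3, [None] * 3
    wires[e], wires[j], tapes[e], tapes[j] = [wires_e[0]], wires_e1, tape_e, tape_e1
    for k, gate in enumerate(CIRCUIT):
        wires[e].append(eval_gate(e, k, gate, wires, tapes))
    return wires[e] == wires_e
```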
ZKBoo: the prover
Public data: C : {0,1}^n → {0,1}^m (boolean circuit) and y ∈ {0,1}^m. Input: x s.t. C(x) = y
[Diagram: the prover runs the decomposition on x: Share → (w_1^0, w_2^0, w_3^0) → f^(1) → (w_1^1, w_2^1, w_3^1) → … → (w_1^N, w_2^N, w_3^N) → (y_1, y_2, y_3) → y; the same computation is repeated in several independent parallel runs]