malleable proof systems and applications
play

Malleable Proof Systems and Applications Melissa Chase (MSR Redmond) - PowerPoint PPT Presentation

Jan 04, 2023 •140 likes •1.6k views

Malleable Proof Systems and Applications Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego) 1 Non-malleable cryptography Twenty years ago, saw a strong emphasis on

  1. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one 8

  2. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one σ , τ s , τ e 8

  3. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one σ , τ s , τ e σ , τ e 8

  4. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one σ , τ s , σ , τ e τ e 8

  5. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one Q σ , τ s , σ , τ e τ e 8

  6. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i Q σ , τ s , σ , τ e τ e 8

  7. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i π i Q σ , τ s , σ , τ e τ e 8

  8. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) π i Q σ , τ s , σ , τ e τ e 8

  9. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e 8

  10. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e A wins if the proof verifies and x ∉ Q but (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 8

  11. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e A wins if the proof verifies and x ∉ Q but (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) We call the proof CM-SSE (controlled malleable simulation sound extractable) if any PPT adversary A has at most negligible probability in winning this game 8

  12. Controlled-malleable SSE zero-knowledge proofs High-level idea: extractor can pull out either a witness, or a previously queried statement and a transformation from that statement to the new one x i (x, π ) (w,x ′ ,T) π i Q σ , τ s , σ , τ e τ e A wins if the proof verifies and x ∉ Q but (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) We call the proof CM-SSE (controlled malleable simulation sound extractable) if any PPT adversary A has at most negligible probability in winning this game (like function privacy for encryption) If a proof is zero knowledge, CM-SSE, and strongly derivation private, then we call it a cm-NIZK 8

  13. Outline cm-NIZK construction Cryptographic background Definitions Malleable NIZK construction Generic construction Efficient instantiation Applications Conclusions 9

  14. How to construct cm-NIZKs 10

  15. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures 10

  16. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } 10

  17. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } 10

  18. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } Q τ s =sk 10

  19. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } x i Q τ s =sk 10

  20. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } x i π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  21. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } x i (x, π ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  22. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  23. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  24. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) 10

  25. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  26. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or w ≠ ⊥ but isn’t a valid witness T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  27. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) violates extractability x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or w ≠ ⊥ but isn’t a valid witness T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  28. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x ≠ T(x ′ ) T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  29. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) violates extractability x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x ≠ T(x ′ ) T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  30. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) T is not in T 10

  31. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) T is not in T violates extractability 10

  32. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  33. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) violates extractability 10

  34. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  35. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q x x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x violates extractability T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) 10

  36. How to construct cm-NIZKs We will combine malleable NIWIPoKs with unforgeable signatures cm-NIZK(x,w) = NIWIPoK{(x,(w,x ′ ,T, σ )) s.t. either (x,w) ∈ R or Verify(vk,x ′ , σ )=1, x=T(x ′ ), and T is in T } (Extractor for NIWIPoK) x i (x, π ) (w,x ′ ,T, σ ) π i Q τ s =sk use witness ( ⊥ ,x i ,id, σ ) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q x x x A wins if (1) w ≠ ⊥ but isn’t a valid witness, (2) (x ′ ,T) ≠ ( ⊥ , ⊥ ) but x ′ ∉ Q, x ≠ T(x ′ ), or x x violates extractability T is not in T , or (3) (w,x ′ ,T)=( ⊥ , ⊥ , ⊥ ) violates unforgeability 10

  37. Instantiating this (relatively) efficiently 11

  38. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] 11

  39. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear 11

  40. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear The efficiency of our scheme hinges on the efficiency of the signature and the representation of the transformation (depends on the transformation) 11

  41. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear The efficiency of our scheme hinges on the efficiency of the signature and the representation of the transformation (depends on the transformation) For the class of transformations, need it to contain the identity (for simulation) and be closed under composition (for compactness): given proof for x = T 1 (x ′ ), size won’t increase for T 2 (x) = T 2° T 1 (x ′ ) 11

  42. Instantiating this (relatively) efficiently For the NIWIPoK, we use Groth-Sahai proofs [GS08] For the signature, we need a structure-preserving signature [AFGHO10,CK11] to integrate with GS proofs (verifying signature = verifying set of pairing product equations), this means we can instantiate based solely on Decision Linear The efficiency of our scheme hinges on the efficiency of the signature and the representation of the transformation (depends on the transformation) For the class of transformations, need it to contain the identity (for simulation) and be closed under composition (for compactness): given proof for x = T 1 (x ′ ), size won’t increase for T 2 (x) = T 2° T 1 (x ′ ) In the paper, we examine the many ways in which GS proofs are malleable 11

  43. Outline Cryptographic background Definitions cm-NIZK construction Applications Applications Conclusions Boosting encryption security Compactly verifiable shuffles 12

  44. CM-CCA security 13

  45. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) 13

  46. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) 13

  47. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Real KeyGen Enc(pk,m) Dec(sk,c) 13

  48. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real KeyGen SimKeyGen Enc(pk,m) Dec(sk,c) 13

  49. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real KeyGen SimKeyGen E(pk,m) c = SimEnc(pk, τ ) Enc(pk,m) add (m,c) to Q return c Q D(sk,c) (c ′ ,T) = SimExt(sk,c) Dec(sk,c) if ∃ i s.t. c ′ =c i ∈ Q and T ∈ T return T(m i ) else return Dec(sk,c) 13

  50. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real Which world? KeyGen SimKeyGen E(pk,m) c = SimEnc(pk, τ ) Enc(pk,m) add (m,c) to Q return c Q D(sk,c) (c ′ ,T) = SimExt(sk,c) Dec(sk,c) if ∃ i s.t. c ′ =c i ∈ Q and T ∈ T return T(m i ) else return Dec(sk,c) 13

  51. CM-CCA security Expand our notion of controlled malleability from proofs to encryption to get CM-CCA security (inspired by HCCA [PR08] and related to targeted malleability [BSW12]) Simulated Real Which world? KeyGen SimKeyGen E(pk,m) c = SimEnc(pk, τ ) Enc(pk,m) add (m,c) to Q return c Q D(sk,c) (c ′ ,T) = SimExt(sk,c) Dec(sk,c) if ∃ i s.t. c ′ =c i ∈ Q and T ∈ T return T(m i ) else return Dec(sk,c) Give a generic construction for achieving CM-CCA-secure encryption: just define Enc(pk,m) = (c, π ), where c is IND-CPA-secure and π is a cm-NIZK 13

  52. A shuffle 14

  53. A shuffle c 1 c 2 c 3 c 4 c 5 Users encrypt their individual values to yield a public set of ciphertexts {c i } 14

Recommend

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe

Invasive Malleable Applications Sebastian Buchwald, Manuel Mohr, Andreas Zwinkau Karlsruhe Institute of Technology TCRC 89 "Invasive Computing" ATPS 2015 No faster CPUs, only more of them More cores means slower cores M. B. Taylor,

531 views • 25 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X , July 18, 2014 1/32 Outline Introduction Proof Systems Proof Search Proof Formats Proof Production Proof Consumption Applications Conclusions

574 views • 36 slides
CASTER ASSEMBLY SCALE 1 : 1 DRAWN 1/26/2010 swaters A A CHECKED TITLE QA CASTER ASSEMBLY

CASTER ASSEMBLY SCALE 1 : 1 DRAWN 1/26/2010 swaters A A CHECKED TITLE QA CASTER ASSEMBLY

4 3 2 1 PARTS LIST ITEM QTY PART NUMBER MATERIAL 1 1 TOP PLATE MALLEABLE IRON 2 2 AXLE SUPPORT MALLEABLE IRON 3 1 AXLE SAE 1020 4 2 BUSHING BRONZE 5 1 WHEEL MALLEABLE IRON B B CASTER ASSEMBLY SCALE 1 : 1 DRAWN

434 views • 7 slides
Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao

Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao

Non-Malleable Codes for Partial Functions with Manipulation Detection Aggelos Kiayias Feng-Hao Liu Yiannis Tselekounis Edin. & FAU CRYPTO 2018 Outline Introduction to non-malleable codes Adversarial model, motivation Results,

772 views • 55 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik Leibniz-Universitt Hannover, Germany joint work with Johannes Kbler and Sebastian Mller Olaf Beyersdorff Proof Systems that Take Advice Proof Systems

854 views • 69 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ Automated Reasoning and Satisfiability, September 24, 2019 Certificates What makes a problem hard? Certificate angle: can one efficiently check an

1.11k views • 107 slides
Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with

Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with

Introduction Graphical Definitions The R Operation Convergence Proof Equivalence to Counterterms Power Counting Applications Momentum Space Proof of BPH Renormalization to all orders in perturbation theory with applications to lattice

557 views • 44 slides
CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2. Complete proof search with JProver Tactic-based proof search Sort rule applications by cost of induced proof search let simple prover = Repeat (

562 views • 9 slides
Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics

Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics

Proof systems for modal logics Emil Je r abek jerabek@math.cas.cz Institute of Mathematics of the AS CR, Prague Logic Colloquium 2007, Wrocaw p. 1 Propositional proof complexity Studies efficiency (absolute or relative) of proof

302 views • 18 slides
Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/51 Hard

300 views • 17 slides
A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

Introduction Proof System Applications Experiments A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte Helmert University of Basel, Switzerland ICAPS 2018 Introduction Proof System Applications

325 views • 21 slides
Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof

Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof

Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof Pietrzak 1st International Summer School on Security & Privacy for Blockchains and Distributed Ledger Technologies. September 5th 2019. Proof Systems

1.44k views • 142 slides
Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace

Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace

Propositional proof systems and bounded arithmetic for logspace and nondeterministic logspace Sam Buss U.C. San Diego Virtual Seminar Proof Society proofsociety.org October 7, 2020 includes joint work with Anupam Das and Alexander Knop

367 views • 25 slides
Spreadsheets: an Introduction to utilized the notion of a malleable matrix to develop the

Spreadsheets: an Introduction to utilized the notion of a malleable matrix to develop the

From word munching to number crunching In 1978 Harvard grad student Dan Bricklin Spreadsheets: an Introduction to utilized the notion of a malleable matrix to develop the first computer spreadsheet program Excel Vastly expanded

185 views • 7 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
strongly equal k-tautologies in some proof systems. Anahit Chubaryan and Garik Petrosyan

strongly equal k-tautologies in some proof systems. Anahit Chubaryan and Garik Petrosyan

On the relations between the proof complexity measures of strongly equal k-tautologies in some proof systems. Anahit Chubaryan and Garik Petrosyan (speaker) Department of Informatics and Applied Mathematics Yerevan State University

645 views • 39 slides
Systems & Applications: Introduction Ling 573 NLP Systems and Applications April 1, 2014

Systems & Applications: Introduction Ling 573 NLP Systems and Applications April 1, 2014

Systems & Applications: Introduction Ling 573 NLP Systems and Applications April 1, 2014 Roadmap Motivation 573 Structure Question-Answering Shared Tasks Motivation Information retrieval is very powerful

1.11k views • 98 slides
Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the Programatica team WG2.8 08 1 Functional Languages for High- Assurance Applications Goal: rely on properties of functional languages to

774 views • 59 slides
Systems & Applications: Introduction Ling 573 NLP Systems and Applications March 29, 2016

Systems & Applications: Introduction Ling 573 NLP Systems and Applications March 29, 2016

Systems & Applications: Introduction Ling 573 NLP Systems and Applications March 29, 2016 Roadmap Motivation 573 Structure Summarization Shared Tasks Motivation Information retrieval is very powerful

444 views • 29 slides
A Case for Malleable Thread-Level Linear Algebra Libraries: The LU Factorization with Partial

A Case for Malleable Thread-Level Linear Algebra Libraries: The LU Factorization with Partial

A Case for Malleable Thread-Level Linear Algebra Libraries: The LU Factorization with Partial Pivoting Sandra Cataln, Jose R. Herrero, Enrique S. Quintana-Ort, Rafael Rodrguez-Snchez, Robert van de Geijn BLIS Retreat, 19-20th September

361 views • 25 slides
The Case for Malleable Stream Architectures Christopher Batten 1 , 3 , Hidetaka Aoki 2 , Krste

The Case for Malleable Stream Architectures Christopher Batten 1 , 3 , Hidetaka Aoki 2 , Krste

The Case for Malleable Stream Architectures Christopher Batten 1 , 3 , Hidetaka Aoki 2 , Krste Asanovi c 3 1 Department of Electrical Engineering and Computer Science Massachusetts Institute of Technology, Cambridge, MA 2 Central Research

535 views • 10 slides

More recommend