on the amortized complexity of zero knowledge protocols
play

On the Amortized Complexity of Zero Knowledge Protocols for - PowerPoint PPT Presentation

Dec 25, 2022 •314 likes •569 views

On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations Ronald Cramer 1 ard 2 Valerio Pastro 2 Ivan Damg 1 CWI Amsterdam 2 Aarhus University August 15, 2012 Centrum Wiskunde & Informatica Cramer, Damg ard,

  1. On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations Ronald Cramer 1 ard 2 Valerio Pastro 2 Ivan Damg˚ 1 CWI Amsterdam 2 Aarhus University August 15, 2012 Centrum Wiskunde & Informatica Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 1 / 22

  2. The Problem Scenario P holds x , y , z (in a finite field K ) s.t. z = xy V holds hom. commitments com ( x ) , com ( y ) , com ( z ), of size κ V wants to be sure z = xy P does not want to reveal x , y , z Commitments Homomorphic: com ( a ) · com ( b ) = com ( a + b ) Shorthand: com ( · ) = [ · ] Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 2 / 22

  3. The Problem Motivation Zero Knowledge proofs for satisfiability of Boolean circuits MPC based on additive secret sharing [BDOZ11, DPSZ12] Anonymous credentials, group signatures, . . . Previous and Related Work (Apologies if I forgot any of your papers) 1991 Beaver [Bea91] 1997 Fujisaki, Okamoto [FO97] [CDD + 99] 1999 Cramer et al., 2002 Damg˚ ard, Fujisaki [DF02] 2009 Cramer, Damg˚ ard [CD09] 2012 Ben-Sasson et al. [BSFO12] Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 3 / 22

  4. A Well-Known Solution [Bea91] Protocol P samples uniform a , b ← K P computes c = ab , and sends [ a ] , [ b ] , [ c ] to V V sends a uniform e ← K P opens [ ex − a ] , [ y − b ], define ε := ex − a , δ := y − b P opens [ ez − c − ε b − δ a − εδ ] V checks that P opened to 0 Properties Correctness: P honest = ⇒ ez − c − ε b − δ a − εδ = 0 Soundness: P dishonest = ⇒ Cheat with prob 1 / | K | (guess e ) Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 4 / 22

  5. Room for Improvement What if | K | small (e.g. K = F 2 )? Constant soundness error probability = ⇒ Bad! ⇒ soundness error 2 − l Repeating l times = Communication? O ( κ · l ) Basic Field Case Soundness Error Amortized comm. complexity 2 − l Previous solutions: O ( l · κ ) 2 − l Our work: O ( κ ) Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 5 / 22

  6. Our Solution Ingredients Homomorphic commitments (size = κ ) (for this part: statistically binding, computationally hiding commitment schemes) Linear (multi)secret sharing schemes with R -product reconstruction (share s , share s ′ , reconstruct s · s ′ as linear combo of shares of R players) commitments: not to reveal x , y , z homomorphic: to compute sums on committed values! multi-secret: to use amortization techniques! [CD09]. Amortization: more instances to prove ⇒ better comm. complexity! Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 6 / 22

  7. Digression on LSSS (multi-secret variant of Shamir) How to Share? Secret: x := ( x 1 , . . . , x l ). Polynomial: f x ← K [ X ], with deg( f x ) = t + l f x ( − i ) = x i for i = 1 , . . . , l Shares: f x (1) , . . . , f x ( n ) x l x l − 1 x 1 Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 7 / 22

  8. Digression on LSSS (multi-secret variant of Shamir) How to Share? Secret: x := ( x 1 , . . . , x l ). Polynomial: f x ← K [ X ], with deg( f x ) = t + l f x ( − i ) = x i for i = 1 , . . . , l Shares: f x (1) , . . . , f x ( n ) x l x l − 1 x 1 Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 8 / 22

  9. Digression on LSSS (multi-secret variant of Shamir) How to Share? Secret: x := ( x 1 , . . . , x l ). Polynomial: f x ← K [ X ], with deg( f x ) = t + l f x ( − i ) = x i for i = 1 , . . . , l Shares: f x (1) , . . . , f x ( n ) f x ( n ) f x (3) f x (1) x l x l − 1 x 1 f x (2) Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 9 / 22

  10. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 10 / 22

  11. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 11 / 22

  12. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 12 / 22

  13. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 13 / 22

  14. Digression on LSSS Product Reconstruction? (Yes, if n > 2( t + l )) Share x , y Local products f x ( i ) · f y ( i ) for > 2( t + l ) i ’s Reconstruct f x · f y Evaluate ( f x · f y )( − i ) for i = 1 , . . . , l z 1 z l z l − 1 Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 14 / 22

  15. Notice: Fact #1 V holds t evals f x ( j ) and f y ( j ) = ⇒ no info on f y ( − i ), f y ( − i ), ( f x · f y )( − i ) revealed to V . Fact #2 f � = g ∈ K [ X ], deg( f ) = 2( t + l ) = deg( g ) = ⇒ f and g agree on at most 2( t + l ) points. Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 15 / 22

  16. Back to the Original Problem. What if . . . ? Toy Protocol – Basic Field Scenario P samples f x , f y ← K [ X ], with deg( f x ) = t + l = deg( f y ), f x ( − i ) = x i , f y ( − i ) = y i P computes f z = f x · f y P commits [ f x ] , [ f y ] , [ f z ] V chooses t indices O ⊂ { 1 , . . . , n } P opens [ f x ]( j ), [ f y ]( j ), [ f z ]( j ) for j ∈ O V accepts iff f x ( j ) · f y ( j ) = f z ( j ) Private x i , y i , z i Fact #1 ⇒ no info revealed on secrets! Soundness Error � t � 2( t + l ) Fact #2 & Choice of O ⇒ soundness error ≤ n Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 16 / 22

  17. Back to the Original Problem. What if . . . ? Toy Protocol – Basic Field Scenario P samples f x , f y ← K [ X ], with deg( f x ) = t + l = deg( f y ), f x ( − i ) = x i , f y ( − i ) = y i P computes f z = f x · f y P commits [ f x ] , [ f y ] , [ f z ] V chooses t indices O ⊂ { 1 , . . . , n } P opens [ f x ]( j ), [ f y ]( j ), [ f z ]( j ) for j ∈ O V accepts iff f x ( j ) · f y ( j ) = f z ( j ) Private x i , y i , z i Fact #1 ⇒ no info revealed on secrets! Soundness Error � t � 2( t + l ) = 2 − l , if t , l = Θ( n ) Fact #2 & Choice of O ⇒ s.e. ≤ n Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 17 / 22

  18. The General Result Shamir: n < | K | = ⇒ general LSSS? Basic Field Case Using a linear (multi)secret sharing scheme over K with K a finite field d players t privacy l secrets R product reconstruction A zero-knowledge protocol for the language � � ( com ( x i ) , com ( y i ) , com ( z i )) l i =1 | x i , y i , z i ∈ K ; x i · y i = z i , � R − 1 � t with soundness error d Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 18 / 22

  19. Parameters Choice of parameters to get negligible soundness error: Basic Field Case Using a linear (multi)secret sharing scheme over K with K a finite field d players d = Θ( l ) t privacy t = Θ( l ) l secrets R product reconstruction R = Θ( l ) A zero-knowledge protocol for the language � � ( com ( x i ) , com ( y i ) , com ( z i )) l i =1 | x i , y i , z i ∈ K ; x i · y i = z i , � R − 1 � t = 2 − l . Amo.Comm.: O ( κ ) with soundness error d Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 19 / 22

  20. Comparisons & Extensions Basic Field Case Soundness Error Amortized comm. complexity 2 − l Our work: O ( κ ) 2 − l Previous solutions: O ( l · κ ) Let’s play! What if values were integers (rather than in a finite field)? We have a solution! k -bit Integers Case Security Notion Our work: Factoring Previous solutions: Strong-RSA Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 20 / 22

  21. Comparisons & Extensions - General Field Case Basic field case: x · y = z . General field case: D ( x 1 , . . . , x v ) = z . Extension of protocol: to prove any algebraic rel. on committed values. Formally, a zero knowledge protocol for the language � ( com ( x 1 , i ) , . . . , com ( x v , i ) , com ( z i )) l i =1 | � x 1 , i , . . . , x v , i , z i ∈ K ; D ( x 1 , i , . . . , x v , i ) = z i , where D is an algebraic circuit. Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 21 / 22

  22. Final Slide Q: Standard commitments: cheating? A: We also consider commitments of the following form � P : v , m v = a · v + b v [ v ] : : a , V b v given by some setup, e.g. the preprocessing phase of [BDOZ11], or [DPSZ12]. Such commitments: Homomorphic (that is all we need!) Information theoretically secure NEW! Can be used over the integers! Cramer, Damg˚ ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 22 / 22

Recommend

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir authentication protocol

170 views • 16 slides
Amortized Analysis and Union-Find 02283, Inge Li Grtz 1 Today Amortized analysis 3

Amortized Analysis and Union-Find 02283, Inge Li Grtz 1 Today Amortized analysis 3

Amortized Analysis and Union-Find 02283, Inge Li Grtz 1 Today Amortized analysis 3 different methods 2 examples Union-Find data structures Worst-case complexity Amortized complexity 2 Amortized Analysis

610 views • 42 slides
A DVANCED A NALYSIS : A MORTIZATION AND R ECURRECNE R ELATIONS amortized time complexity

A DVANCED A NALYSIS : A MORTIZATION AND R ECURRECNE R ELATIONS amortized time complexity

A DVANCED A NALYSIS : A MORTIZATION AND R ECURRECNE R ELATIONS amortized time complexity accounting method Java vectors Recurrence Relations Advanced Analysis: Amortization 1 Amortized Running Time Amortized running time

913 views • 20 slides
Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis Amortized analysis averages the time required to perform a sequence of operations on a data structure over all the operations performed An

2.15k views • 56 slides
Amortized Complexity of Information- Theoretically Secure MPC Revisited Ignacio Cascudo 1 Ronald

Amortized Complexity of Information- Theoretically Secure MPC Revisited Ignacio Cascudo 1 Ronald

Amortized Complexity of Information- Theoretically Secure MPC Revisited Ignacio Cascudo 1 Ronald Cramer 2 , 3 Chaoping Xing 4 Chen Yuan 2 1 Aalborg University 2 CWI Amsterdam 3 Leiden University 4 NTU Singapore CRYPTO, 22 August 2018 Secure

320 views • 29 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents Introduction Simple analysis Amortized analysis Amortized analysis in a lazy setting Conclusion Bibliography 2 / 57 The traditional use of types

590 views • 57 slides
On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols Knowledge Protocols Coin Zero Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktrm (KTH) 1 Zero Knowledge [GMR85] Zero

614 views • 22 slides
Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Zero-Knowledge Zero-Knowledge Two-Party Protocols Two-Party Protocols Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Introduction to Zero-Knowledge Third Lecture:

473 views • 31 slides
Amortized Analysis Fibonacci Heaps thanks MIT slides thanks Amortized Analysis by Rebecca

Amortized Analysis Fibonacci Heaps thanks MIT slides thanks Amortized Analysis by Rebecca

Amortized Analysis Fibonacci Heaps thanks MIT slides thanks Amortized Analysis by Rebecca Fiebrink thanks Jay Aslams notes Objectives Amortized Analysis - potential method Fibonacci Heaps - construction - operations running

339 views • 16 slides
Amortized Analysis performed An individual operation may itself be relatively expensive, but

Amortized Analysis performed An individual operation may itself be relatively expensive, but

4/18/2013 Amortized Analysis Amortized analysis averages the time required to perform a sequence of operations on a data structure over all the operations Amortized Analysis performed An individual operation may itself be relatively

507 views • 4 slides
Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of

Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of

Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of Science, Bangalore with Pramod Viswanath (UIUC), Shaileshh Venkatakrishnan (UIUC), and Shun Watanabe (TUAT) Private Coin Interactive Protocols X Y

767 views • 43 slides
Section 2.2: Amortized Loans and Annuities An amortized loan is one in which a large debt assumed

Section 2.2: Amortized Loans and Annuities An amortized loan is one in which a large debt assumed

Section 2.2: Amortized Loans and Annuities An amortized loan is one in which a large debt assumed up-front is Notes, 2.2 MATH 105 (UofL) depleted slowly over time. mathematics, where a large up-front deposit to a savings account is An annuity

475 views • 6 slides
MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

Zero-Knowledge Two-Party Protocols MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of Tartu MTAT.07.005 Cryptographic Protocols Helger Lipmaa MTAT.07.005 Cryptographic Protocols Zero-Knowledge

1.49k views • 122 slides
Introduction to Complexity Theory Winter 2005/06 Dr. Axel Gromann Knowledge Representation and

Introduction to Complexity Theory Winter 2005/06 Dr. Axel Gromann Knowledge Representation and

Introduction to Complexity Theory Winter 2005/06 Dr. Axel Gromann Knowledge Representation and Reasoning Group Artificial Intelligence Institute 1 Computational complexity theory Complexity theory is part of the theory of computation dealing

915 views • 15 slides
} n ops take time T(n) PUSH(S,x) --- O(1) Avg cost per op = T(n)/n (Amortized

} n ops take time T(n) PUSH(S,x) --- O(1) Avg cost per op = T(n)/n (Amortized

Stack Example Stack Example Amortized Analysis: 3 Methods Amortized Analysis: 3 Methods Aggregate Consider a stack data structure with 3 ops } n ops take time T(n) PUSH(S,x) --- O(1) Avg cost per op = T(n)/n (Amortized

258 views • 4 slides
Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay trees Inge Li Grtz CLRS Chapter 17 Je ff Erickson notes Dynamic tables Dynamic tables Problem. Have to assign size of table at initialization.

365 views • 11 slides
References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
Zero-Knowledge Protocols A B 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Claim The Awards

Zero-Knowledge Protocols A B 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Claim The Awards

The People Zero-Knowledge Protocols A B 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Claim The Awards I Prover (Peggy) Verifier (Vic) S Secret Decision d { true , false } A zero-knowledge protocol allows Peggy to Convince Vic that

414 views • 10 slides
Amortized Analysis Pedro Ribeiro DCC/FCUP 2018/2019 Pedro Ribeiro (DCC/FCUP) Amortized

Amortized Analysis Pedro Ribeiro DCC/FCUP 2018/2019 Pedro Ribeiro (DCC/FCUP) Amortized

Amortized Analysis Pedro Ribeiro DCC/FCUP 2018/2019 Pedro Ribeiro (DCC/FCUP) Amortized Analysis 2018/2019 1 / 30 Amortized Analysis In amortized analysis we are concerned about the average over a sequence of operations Some operations

890 views • 30 slides
Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and Stphanie Delaune LORIA, CNRS &amp; INRIA project Cassis, Nancy, France July 8, 2007 S. Delaune (LORIA Projet Cassis) Deciding knowledge

378 views • 37 slides
On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki

On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki

On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki University of Technology http://www.tcs.hut.fi/helger Pedase Theory Day, 04.10.2003 On Diophantine Complexity and SZK Arguments, Helger Lipmaa 1

501 views • 24 slides
Knowledge transfer and information leakage in protocols Abdullah Abdul Khadir, Madhavan Mukund, S P

Knowledge transfer and information leakage in protocols Abdullah Abdul Khadir, Madhavan Mukund, S P

Knowledge transfer and information leakage in protocols Abdullah Abdul Khadir, Madhavan Mukund, S P Suresh Chennai Mathematical Institute {abdullah,madhavan, spsuresh }@cmi.ac.in Formal Methods Update Meeting IIT Mandi July 18, 2017 Abdullah,

795 views • 60 slides

More recommend