post quantum zero knowledge proofs for accumulators
play

Post-Quantum Zero-Knowledge Proofs for Accumulators with - PowerPoint PPT Presentation

Jan 01, 2024 •324 likes •612 views

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

  1. Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler ‡ , Sebastian Ramacher ‡ , Daniel Slamanig § PQC rypto ’18, April 9, 2018 ‡ § 1

  2. Ring Signatures • P rivacy enhancing primitive • Sign a message on behalf of ad-hoc group (= ring) � Signature attests some member of ring signed � Signer remains anonymous within ring � � � � � � � 2

  3. PQ Ring Signatures How to build ring signatures in a post-quantum setting? • Code based [MCG08] • Multivariate [MP17] Linear size in # ring members! Only recently first sublinear ring signatures: • Lattice based [LLNW16] � From generic accumulator based approach [DKNS04] 3

  4. Can we build ring signatures solely from symmetric key primitives? 3

  5. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message 4

  6. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 y 0,2 y 1,2 y 2,2 y 3,2 x 2,2 4

  7. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 y 0,2 y 1,2 y 2,2 y 3,2 Public keys of users x 2,2 4

  8. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 Inner nodes: y 1,1 ← H ( y 2,2 || y 3,2 ) y 0,2 y 1,2 y 2,2 y 3,2 Public keys of users x 2,2 4

  9. PQ Ring Signature Intuition Generic approach [DKNS04] • Compute compact representation of public keys • Prove knowledge of a secret key • Corresponding to one of the public keys + Incorporate message Instantiation via Merkle trees y 0,0 y 0,1 y 1,1 Inner nodes: y 1,1 ← H ( y 2,2 || y 3,2 ) y 0,2 y 1,2 y 2,2 y 3,2 Public keys of users Each public key associated to a secret key x 2,2 4

  10. Zero-Knowledge Membership Proof Naive approach reveals path taken y 0,0 y 0,0 y 1,1 y 0,1 y 0,1 y 1,1 y 2,2 y 1,2 y 0,2 y 1,2 y 3,2 y 0,2 y 2,2 y 3,2 Trivial approach • Disjunctive proof of knowledge over all possible paths • Linear size in # ring members! 5

  11. Zero-Knowledge Membership Proof Use commutative hash function? [DKNS04] • y i = H ( a i , b i ) = H ( b i , a i ) • y i , a i , b i not revealed (except root of tree) • Does not reveal whether we continue lef or right • Not directly possible in symmetric setting! 6

  12. Zero-Knowledge Membership Proof Use commutative hash function? [DKNS04] • y i = H ( a i , b i ) = H ( b i , a i ) • y i , a i , b i not revealed (except root of tree) • Does not reveal whether we continue lef or right • Not directly possible in symmetric setting! Our technique • “Emulate” commutativity • Disjunctive statement per level y i = H ( a i || b i ) ∨ y i = H ( b i || a i ) 6

  13. Our Ring Signatures • Accumul ate public keys • Prove knowledge of secret key corresponding to public key • Proof membership of public key 7

  14. Our Ring Signatures • Accumul ate public keys • Prove knowledge of secret key corresponding to public key • Proof membership of public key Unforgeability: • From collision-free accumulator with one-way domain • And simulation-sound extractability + Prove that ZKB++/FS is simulation-sound extractable 7

  15. Our Ring Signatures • Accumul ate public keys • Prove knowledge of secret key corresponding to public key • Proof membership of public key Unforgeability: • From collision-free accumulator with one-way domain • And simulation-sound extractability + Prove that ZKB++/FS is simulation-sound extractable Anonymity: • From zero-knowledge 7

  16. Instantiation & Signature Size Instantiation • ZKB++ • One-way function: use LowMC • Hash function: use LowMC in Sponge framework Estimated signature sizes • Logarithmic in # of ring members Ring size | σ | (FS/ROM) | σ | (Unruh/QROM) 2 5 2125 KB 3159 KB 2 10 4086 KB 6067 KB 2 20 8008 KB 11882 KB 8

  17. Can we do better? - New results 8

  18. Instantiating the Circuit Multiplexer x 0 x s x 1 M s 9

  19. Instantiating the Circuit Multiplexer x 0 x 0 x 1 M 0 9

  20. Instantiating the Circuit Multiplexer x 0 x 1 x 1 M 1 9

  21. Instantiating the Circuit a i + 1 H a i b i + 1 M H s i + 1 9

  22. Instantiating the Circuit a i + 1 M a i b i + 1 H M s i + 1 9

  23. Instantiating the Circuit a i + 1 M a i b i + 1 H M s i + 1 • R equires 2 AND gates / output bit + Can be optimized to only require 1 AND gate / output bit 9

  24. Smaller Signatures • Onl y one hash function evaluation • Two multiplexers with circuit optimizations • Additionally AND gates in digest size � Signature size reduction by factor ≈ 2 Ring size | σ | (FS/ROM) | σ | (Unruh/QROM) 2 5 1200 KB 2289 KB 2 10 2283 KB 4388 KB 2 20 4450 KB 8584 KB 10

  25. Conclusions Important steps towards PQ privacy enhancing primitives • Solely from symmetric primitives • PQ accumulators + ZK proofs • Construction of ring signatures Very flexible • Similar techniques recently used by Boneh et al. [BEF18] � In construction of PQ dynamic group signatures Future directions • New results → smaller signatures • Even smaller sizes for group signatures of Boneh et al. ? Further optimizations & new constructions 11

  26. Questions? Full version: https://ia.cr/2017/1154 Supported by: 12

  27. References i [BEF18] Dan Boneh, Saba Eskandarian, and Ben Fisch. Post-quantum group signatures from symmetric primitives. IACR Cryptology ePrint Archive , 2018:261, 2018. [DKNS04] Yevgeniy Dodis, Aggelos Kiayias, Antonio Nicolosi, and Victor Shoup. Anonymous identification in ad hoc groups. In EUROCRYPT , 2004. [LLNW16] Benoˆ ıt Libert, San Ling, Khoa Nguyen, and Huaxiong Wang. Zero-knowledge arguments for lattice-based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors. In EUROCRYPT , 2016. [MCG08] Carlos Aguilar Melchor, Pierre-Louis Cayrel, and Philippe Gaborit. A new efficient threshold ring signature scheme based on coding theory. In PQCrypto , 2008. [MP17] Mohamed Saied Emam Mohamed and Albrecht Petzoldt. Ringrainbow - an efficient multivariate ring signature scheme. In AFRICACRYPT , 2017. 13

Recommend

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University @claudiorlandi Based on joint work with: Meliisa Chase (Microsoft) David Derler (TU Graz) Tore Frederiksen (BIU) Irene Giacomelli

1.21k views • 77 slides
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER SEBASTIAN RAMACHER STEVEN GOLDFEDER CHRISTIAN RECHBERGER JONATHAN KATZ DANIEL SLAMANIG VLAD KOLESNIKOV XIAO WANG CLAUDIO ORLANDI

577 views • 37 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios Papadopoulos 3 Roberto Tamassia 1 Nikos Triandopoulos 4 1 Brown University 2 Microsoft Research 3 University of Maryland 4 Stevens Institute of Technology

614 views • 39 slides
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1 Post Quantum Cryptography

1.22k views • 86 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
33: Accumulators & Polishing code (Functional Data) Accumulators Estimated Value and search

33: Accumulators & Polishing code (Functional Data) Accumulators Estimated Value and search

33: Accumulators & Polishing code (Functional Data) Accumulators Estimated Value and search subtrees Functional data structures Strategies we've seen so far "Strengthen the recursion": solve a more general problem

745 views • 51 slides
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien Canard (1) , David Pointcheval (2) and Olivier Sanders (1 , 2) S (1) Orange Labs, Caen, France (2) Ecole Normale Sup erieure, Paris,

556 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

332 views • 32 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient way to do 1-in-N proofs zk-SNARKs A general way to prove anything in Zero-Knowledge (if you dont know how to do it any other way, use

3.26k views • 68 slides

More recommend