verifiable elections that scale for free
play

Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) - PowerPoint PPT Presentation

Aug 13, 2022 •547 likes •2.01k views

Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego) 1 10,000-foot view of cryptographic voting 2 10,000-foot view of

  1. Outline Definitions Malleable proofs [CKLM12] Definitions Shuffling and decrypting Compact shuffles [CKLM12] Threshold decryption A voting scheme Conclusions 5

  2. Malleability for proofs [CKLM12] 6

  3. Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit 6

  4. Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) 6

  5. Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) • E.g., T = × , x i = “b i is a bit” 6

  6. Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) • E.g., T = × , x i = “b i is a bit” Can define zero knowledge in the usual way as long as proofs are malleable only with respect to operations under which the language is closed 6

  7. Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) • E.g., T = × , x i = “b i is a bit” Can define zero knowledge in the usual way as long as proofs are malleable only with respect to operations under which the language is closed But how to define a strong notion of soundness like extractability? 6

  8. Controlled-malleable proofs (cm-NIZKs) [CKLM12] 7

  9. Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T 7

  10. Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) 7

  11. Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x, π ) the extractor outputs (w,x ′ ,T) such that either (1) (x,w) ∈ R or (2) x ′ was queried (to simulator) and x = T(x ′ ) for T ∈ T 7

  12. Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x, π ) the extractor outputs (w,x ′ ,T) such that either (1) (x,w) ∈ R or (2) x ′ was queried (to simulator) and x = T(x ′ ) for T ∈ T We call the proof CM-SSE (controlled malleable simulation sound extractable) if no PPT adversary A can violate these two conditions 7

  13. Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x, π ) the extractor outputs (w,x ′ ,T) such that either (1) (x,w) ∈ R or (2) x ′ was queried (to simulator) and x = T(x ′ ) for T ∈ T We call the proof CM-SSE (controlled malleable simulation sound extractable) if no PPT adversary A can violate these two conditions If a proof is zero knowledge, CM-SSE, and strongly derivation private, then we call it a cm-NIZK (like function privacy for homomorphic encryption) 7

  14. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 8

  15. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 π Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

  16. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 π Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

  17. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

  18. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

  19. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T M =( φ M ,R M ,sk M ) T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

  20. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T M =( φ M ,R M ,sk M ) T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) π (M) =Eval(T k, π (M-1) ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i We call this shuffle compactly verifiable, as the last proof π (M) can now be used to verify the correctness of the whole shuffle (under an appropriate definition) 8

  21. Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T M =( φ M ,R M ,sk M ) T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) π (M) =Eval(T k, π (M-1) ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i We call this shuffle compactly verifiable, as the last proof π (M) can now be used to verify the correctness of the whole shuffle (under an appropriate definition) So if there are L ciphertexts and M servers, proof size can be O(L+M) 8

  22. Compact threshold decryption 9

  23. Compact threshold decryption C=Enc(pk,m) 9

  24. Compact threshold decryption C=Enc(pk,m) KeyGen Enc 9

  25. Compact threshold decryption C=Enc(pk,m) sec KeyGen Enc 9

  26. Compact threshold decryption C=Enc(pk,m) sec s 1 KeyGen Enc 9

  27. Compact threshold decryption ret C=Enc(pk,m) sec s 1 KeyGen Enc 9

  28. Compact threshold decryption ret C=Enc(pk,m) sec s 1 s 2 KeyGen Enc 9

  29. Compact threshold decryption ret C=Enc(pk,m) sec s 1 s 2 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) 9

  30. Compact threshold decryption ret C=Enc(pk,m) k sec s 1 s 2 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

  31. Compact threshold decryption ret C=Enc(pk,m) k sec s 1 s 2 s 3 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

  32. Compact threshold decryption ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

  33. Compact threshold decryption m ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 π (N) Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

  34. Compact threshold decryption m ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 π (N) Formed with ShareDec(C,s 1 ) Shares contain proof of correctness Servers can decrypt in any order; not fixed KeyGen Enc ShareDec (ShareProve) ShareVerify 9

  35. Compact threshold decryption m ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 π (N) Formed with ShareDec(C,s 1 ) Shares contain proof of correctness Servers can decrypt in any order; not fixed KeyGen Enc Once again, final proof π (N) suffices for whole decryption, meaning total proof size can again be O(L+N) instead of O(LN) ShareDec (again, under an appropriate definition) (ShareProve) ShareVerify 9

  36. Outline Shuffling and decrypting Cryptographic background Definitions Shuffling and decrypting A compact verifiable shuffle Threshold decryption A voting scheme Conclusions 10

  37. Preliminary: BBS encryption [BBS04] 11

  38. Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) 11

  39. Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) KeyGen(crs): α , β ← F p ; f = g α , h = g β ; output sk = ( α , β ) and pk = (f,h) 11

  40. Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) KeyGen(crs): α , β ← F p ; f = g α , h = g β ; output sk = ( α , β ) and pk = (f,h) Enc(crs,pk,M): r,s ← F p ; u = f r , v = h s , w = g r+s M; return (u,v,w) 11

  41. Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) KeyGen(crs): α , β ← F p ; f = g α , h = g β ; output sk = ( α , β ) and pk = (f,h) Enc(crs,pk,M): r,s ← F p ; u = f r , v = h s , w = g r+s M; return (u,v,w) Dec(crs,sk,(u,v,w)): return u -1/ α v -1/ β w 11

  42. Part 1: Compact verifiable shuffle 12

  43. Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] 12

  44. Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] • CRS of size O(M), proofs of size O(L) (but M of them) • Based on static pairing-based assumptions 12

  45. Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] • CRS of size O(M), proofs of size O(L) (but M of them) • Based on static pairing-based assumptions Basically, alter their proofs and make them malleable (i.e., show they satisfy CM-friendliness) 12

  46. Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] • CRS of size O(M), proofs of size O(L) (but M of them) • Based on static pairing-based assumptions Basically, alter their proofs and make them malleable (i.e., show they satisfy CM-friendliness) End up with CRS of size O(M), proofs of size O(L+M) (improvement over [CKLM12], which had constant-sized CRS but proofs of size O(L 2 +M)) 12

  47. Part 2: Compact threshold decryption (KeyGen) 13

  48. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β 13

  49. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret k ey 13

  50. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret k ey 13

  51. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret k ey sk i = ( α i , β i ) 13

  52. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey sk i = ( α i , β i ) 13

  53. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey w ∏ u α j ⋅ v β j = u α 1+...+ α k ⋅ v β 1+...+ β k ⋅ w = u -1/ α ⋅ v -1/ β w sk i = ( α i , β i ) 13

  54. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey w ∏ u α j ⋅ v β j = u α 1+...+ α k ⋅ v β 1+...+ β k ⋅ w = u -1/ α ⋅ v -1/ β w sk i = ( α i , β i ) = m 13

  55. Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey w ∏ u α j ⋅ v β j = u α 1+...+ α k ⋅ v β 1+...+ β k ⋅ w = u -1/ α ⋅ v -1/ β w sk i = ( α i , β i ) = m Also want verification key vk = (Com(sk 1 )=(Com( α 1 ),Com( β 1 )),...,Com(sk N )) 13

  56. Part 2: Compact threshold decryption (ShareDec) 14

Recommend

Free and Fair Free and Fair Elections Elections Twenty-first Century Challenges At the

Free and Fair Free and Fair Elections Elections Twenty-first Century Challenges At the

Free and Fair Free and Fair Elections Elections Twenty-first Century Challenges At the December TACIR meeting, Commissioners voted to study elections and voting methods in Tennessee Goals of the comprehensive study: Increasing public

979 views • 23 slides
Local Government Elections Task Force Local Government Elections: Scale and Scope Local

Local Government Elections Task Force Local Government Elections: Scale and Scope Local

Local Government Elections Task Force Local Government Elections: Scale and Scope Local Government Act and Vancouver Charter govern local government elections; Apply to: Municipal and electoral area elections By-elections

461 views • 32 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
Bio-inspired computation: Clock-free, grid-free, scale-free, and symbol-free (FA2386-12-1-4050)

Bio-inspired computation: Clock-free, grid-free, scale-free, and symbol-free (FA2386-12-1-4050)

Bio-inspired computation: Clock-free, grid-free, scale-free, and symbol-free (FA2386-12-1-4050) PI: Janet Wiles (University of Queensland) AFOSR Program Review: Mathematical and Computational Cognition Program Computational and Machine

307 views • 29 slides
ODEM makes education and employment more affordable, accessible, verifiable and transferable on a

ODEM makes education and employment more affordable, accessible, verifiable and transferable on a

ODEM makes education and employment more affordable, accessible, verifiable and transferable on a global scale. ODEMs Three Key Offerings: 1. Digital Verified Credentials Using Ethereum blockchain and IPFS, ODEM records and stores

535 views • 18 slides
Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vNFO joint with Seyed Fayazbakhsh,

434 views • 28 slides
Masked Ballot Voting for Receipt-Free Online Elections Roland Wen and Richard Buckland School of

Masked Ballot Voting for Receipt-Free Online Elections Roland Wen and Richard Buckland School of

Masked Ballot Voting for Receipt-Free Online Elections Roland Wen and Richard Buckland School of Computer Science and Engineering The University of New South Wales Sydney, Australia {rolandw,richardb}@cse.unsw.edu.au VOTE-ID 2009 1 / 35

509 views • 35 slides
Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Leonard Lensink, Sjaak Smetsers and Marko van Eekelen Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable Java Code from Verified PVS Specifications Overview Motivation Code generation

544 views • 26 slides
Outline Scale-Free Networks Networks Scale-Free Networks Original model Original model

Outline Scale-Free Networks Networks Scale-Free Networks Original model Original model

Scale-Free Outline Scale-Free Networks Networks Scale-Free Networks Original model Original model Original model Introduction Introduction Model details Model details Complex Networks, Course 295A, Spring, 2008 Introduction Analysis

298 views • 12 slides
The contact process on evolving scale-free networks Peter M orters Bath joint work with

The contact process on evolving scale-free networks Peter M orters Bath joint work with

The contact process on evolving scale-free networks Peter M orters Bath joint work with Emmanuel Jacob (Lyon) Setup of the talk (1) The contact process (2) Scale-free networks (3) The contact process on static scale-free networks (4) The

678 views • 63 slides
Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX Large-scale volumetric DDoS attacks are common (distributed denial of

569 views • 29 slides
Scale-Free Networks Original model Introduction Model details Complex Networks, Course 303A,

Scale-Free Networks Original model Introduction Model details Complex Networks, Course 303A,

Scale-Free Networks Scale-Free Networks Original model Introduction Model details Complex Networks, Course 303A, Spring, 2009 Analysis A more plausible mechanism Robustness Redner & Prof. Peter Dodds Krapiviskys model

894 views • 47 slides
Community Council Elections 2015 Key facts: Elections will be held in all 25 community

Community Council Elections 2015 Key facts: Elections will be held in all 25 community

Community Council Elections 2015 Key facts: Elections will be held in all 25 community council areas Elections run as per agreed Scheme of Electoral Arrangements Delayed by one year from October 2014 Community Councillors elected

232 views • 10 slides
Albert-Lszl Barabsi with Emma K. Towlson, Michael M. Danziger, Sebastian Ruf and Louis

Albert-Lszl Barabsi with Emma K. Towlson, Michael M. Danziger, Sebastian Ruf and Louis

Network Science Class 4: Scale-free property Albert-Lszl Barabsi with Emma K. Towlson, Michael M. Danziger, Sebastian Ruf and Louis Shekhtman www.BarabasiLab.com Questions Scale-free Property 1. From the WWW to Scale-free networks.

933 views • 25 slides
Liberating the API Economy with Scale-Free Networks Mike Amundsen CA Technologies @mamund I

Liberating the API Economy with Scale-Free Networks Mike Amundsen CA Technologies @mamund I

Liberating the API Economy with Scale-Free Networks Mike Amundsen CA Technologies @mamund I come as a messenger and the news is not so good SCALE-POCALYPSE! Wait, Im getting ahead of myself 1998 East Lansing, Michigan, USA

1.8k views • 130 slides
Open Problem: Parameter-Free and Scale-Free Online Algorithms Francesco Orabona D avid P

Open Problem: Parameter-Free and Scale-Free Online Algorithms Francesco Orabona D avid P

Open Problem: Parameter-Free and Scale-Free Online Algorithms Francesco Orabona D avid P al Yahoo Research, New York June 25, 2016 COLT 2016 Online Linear Optimization Given a convex set K R N For t = 1, 2, . . . predict w t

353 views • 7 slides
Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT Verifiable Computation Verifiable Computation Verifiable Computation M(x)=? M(x) = y Verifiable Computation M(x)=? , challenge , proof

1.73k views • 119 slides
Elections 2018 Information Session November 22 & 23; December 6 & 7; January 10 & 11

Elections 2018 Information Session November 22 & 23; December 6 & 7; January 10 & 11

Elections 2018 Information Session November 22 & 23; December 6 & 7; January 10 & 11 Elections Contacts Talha Naeem mnaeem@wlu.ca Chair Elections Portfolio Abii Barrett sucro@wlu.ca Chief Returning Officer (CRO)

579 views • 30 slides
A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York

A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York

A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York rosario@cs.ccny.cuny.edu CANS 2013, Paraty, Brasil November 22, 2013 Outline Motivation Verifiable Computation Memory Delegation Conclusion

937 views • 80 slides
Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions Veronika Kuchta and Mark Manulis CANS 2013, Paraty, Brazil November 21, 2013 Overview Unique Signature Schemes Verifiable Random Functions Unique

420 views • 13 slides
Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

NutMiC19, June, 2019 Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University What is a VDF? (verifiable delay function) Intuition: a function X Y that (1) takes time T to evaluate, even with

694 views • 30 slides
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe

Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe

Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Bguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable Security 2011.10.17 Verifiable Security

457 views • 41 slides
Local Elections 2019 1 Tonight Introductions Elections Process Overview Speakers

Local Elections 2019 1 Tonight Introductions Elections Process Overview Speakers

Local Elections 2019 1 Tonight Introductions Elections Process Overview Speakers TDC, SCDHB, ECan Housekeeping Emergency exits Questions Mobile phones Toilets Handouts Coffee/tea to follow 2 Part 1:

541 views • 36 slides

More recommend