zero knowledge arguments for matrix vector relations and
play

Zero-Knowledge Arguments for Matrix-Vector Relations and - PowerPoint PPT Presentation

Oct 30, 2022 •157 likes •618 views

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

  1. Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption ıt Libert 1 San Ling 2 Fabrice Mouhartem 1 Benoˆ Khoa Nguyen 2 Huaxiong Wang 2 1 ´ Ecole Normale Sup´ erieure de Lyon (France) 2 Nanyang Technological University (Singapore) ASIACRYPT 2016, Hanoi, Dec 5th 2016

  2. Outline Introduction 1 Group Encryption Towards Realizing Lattice-Based Group Encryption Our Results and Techniques 2 Proving “Quadratic Relations” in Zero-Knowledge Khoa Nguyen ZK & Lattice-Based Group Encryption 2 / 16

  3. Group Signature and Group Encryption Group signature [CvH - EC’91]: Group member can anonymously sign messages on behalf of the whole group. ⇒ Hiding the source of the messages within registered signers. Khoa Nguyen ZK & Lattice-Based Group Encryption 3 / 16

  4. Group Signature and Group Encryption Group signature [CvH - EC’91]: Group member can anonymously sign messages on behalf of the whole group. ⇒ Hiding the source of the messages within registered signers. Group encryption [KTY - AC’07]: the encryption analogue of group signature. Sender can encrypt messages to an anonymous group member. ⇒ Hiding the destination of the messages within registered receivers. Khoa Nguyen ZK & Lattice-Based Group Encryption 3 / 16

  5. Group Signature and Group Encryption Group signature [CvH - EC’91]: Group member can anonymously sign messages on behalf of the whole group. ⇒ Hiding the source of the messages within registered signers. Group encryption [KTY - AC’07]: the encryption analogue of group signature. Sender can encrypt messages to an anonymous group member. ⇒ Hiding the destination of the messages within registered receivers. Group members are kept accountable for their actions: an opening authority can un-anonymize the signatures/ciphertexts - should the needs arise. Khoa Nguyen ZK & Lattice-Based Group Encryption 3 / 16

  6. Group Encryption [KTY - AC’07] GE allows encrypting while proving that: 1 The ciphertext is well-formed and intended for some registered group member who will be able to decrypt; 2 The opening authority will be able identify the receiver if necessary; 3 The plaintext satisfies certain properties. Khoa Nguyen ZK & Lattice-Based Group Encryption 4 / 16

  7. Group Encryption [KTY - AC’07] GE allows encrypting while proving that: 1 The ciphertext is well-formed and intended for some registered group member who will be able to decrypt; 2 The opening authority will be able identify the receiver if necessary; 3 The plaintext satisfies certain properties. Possible applications of GE: Firewall filtering Anonymous trusted third parties Cloud storage services Hierarchical group signatures [TW - ICALP’05]. Khoa Nguyen ZK & Lattice-Based Group Encryption 4 / 16

  8. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  9. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  10. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. [El Aimani,Joye - ACNS’13] suggested various improvements. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  11. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. [El Aimani,Joye - ACNS’13] suggested various improvements. [LYJP - PKC’14]: refined traceability mechanism. Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  12. Previous Works on Group Encryption [KTY - AC’07] introduced GE, and provided: Modular design based on digital signatures, anonymous CCA-secure public-key encryption, interactive zero-knowledge proofs; Concrete instantiation based on number-theoretic assumptions. [CLY - AC’09]: non-interactive GE in the standard model under pairing-related assumptions. [El Aimani,Joye - ACNS’13] suggested various improvements. [LYJP - PKC’14]: refined traceability mechanism. All existing realizations of GE rely on number-theoretic assumptions. ✗ ? Construction from other assumptions, e.g., lattice-based? Khoa Nguyen ZK & Lattice-Based Group Encryption 5 / 16

  13. In the World of Lattice-Based Crypto... Many lattice-based group signatures published in the last 6 years. First constructions: [GKV - AC’10], [CNR - SCN’12] - linear-size signatures, static groups. Logarithmic-size signatures: [LLLS - AC’13]. Improvements: [NZZ - PKC’15], [LNW - PKC’15], [LLNW - EC’16]. With additional features: [LLNW - PKC’14], [LNW - ACNS’16]. Dynamic groups: [LLMNW - AC’16]. Khoa Nguyen ZK & Lattice-Based Group Encryption 6 / 16

  14. In the World of Lattice-Based Crypto... Many lattice-based group signatures published in the last 6 years. First constructions: [GKV - AC’10], [CNR - SCN’12] - linear-size signatures, static groups. Logarithmic-size signatures: [LLLS - AC’13]. Improvements: [NZZ - PKC’15], [LNW - PKC’15], [LLNW - EC’16]. With additional features: [LLNW - PKC’14], [LNW - ACNS’16]. Dynamic groups: [LLMNW - AC’16]. But no lattice-based GE so far! Note that both GS and GE rely on Ordinary signatures; Public-key encryption; Supporting zero-knowledge proofs . Where is the main technical difficulty? Khoa Nguyen ZK & Lattice-Based Group Encryption 6 / 16

  15. Existing ZK Protocols in Lattice-Based Crypto Two main classes: 1 Schnorr-like [Schnorr - Crypto’89] approach. Introduced by Lyubashevsky [Lyu - PKC’08, EC’12]: rejection sampling . 2 Stern-like [Stern - Crypto’93, IEEE IT’96] approach. First considered in the lattice setting by [KTX - AC’08]. Empowered by [LNSW - PKC’13]: decomposition and extension . Khoa Nguyen ZK & Lattice-Based Group Encryption 7 / 16

  16. Existing ZK Protocols in Lattice-Based Crypto Two main classes: 1 Schnorr-like [Schnorr - Crypto’89] approach. Introduced by Lyubashevsky [Lyu - PKC’08, EC’12]: rejection sampling . 2 Stern-like [Stern - Crypto’93, IEEE IT’96] approach. First considered in the lattice setting by [KTX - AC’08]. Empowered by [LNSW - PKC’13]: decomposition and extension . These techniques deal with linear relations , i.e., equations containing terms: (public matrix) · (secret vector), where the secret vector may satisfy some constraints (e.g., smallness). The (I)SIS relation [Ajtai - STOC’96, GPV - STOC’08]: A · x = u mod q , for public ( A , u ). The LWE relation [Regev - STOC’05]: A · s + e = b mod q , for public ( A , b ). Khoa Nguyen ZK & Lattice-Based Group Encryption 7 / 16

  17. The Case of Lattice-Based Group Signatures A modular design for GS [BMW-EC’03]: sign-then-encrypt-then-prove Each user has a signature σ on his identity id , issued by the group manager (GM). In the process of generating GS, the user encrypts id to c - using the public key of the opening authority (OA), then proves in ZK that: 1 He has a secret valid pair ( id , σ ), w.r.t. pk GM . 2 c is a well-formed ciphertext of id , w.r.t. pk OA . Khoa Nguyen ZK & Lattice-Based Group Encryption 8 / 16

  18. The Case of Lattice-Based Group Signatures A modular design for GS [BMW-EC’03]: sign-then-encrypt-then-prove Each user has a signature σ on his identity id , issued by the group manager (GM). In the process of generating GS, the user encrypts id to c - using the public key of the opening authority (OA), then proves in ZK that: 1 He has a secret valid pair ( id , σ ), w.r.t. pk GM . 2 c is a well-formed ciphertext of id , w.r.t. pk OA . Known techniques allow to realize the core ZK components required ✓ by group signatures, for SIS-based signatures and LWE-based encryption. Khoa Nguyen ZK & Lattice-Based Group Encryption 8 / 16

  19. Towards Realizing Lattice-Based Group Encryption A modular design: Each member has a key pair ( sk , pk ) for an anonymous encryption scheme. Manager signs member’s public key pk , and publishes ( pk , σ ). Khoa Nguyen ZK & Lattice-Based Group Encryption 9 / 16

  20. Towards Realizing Lattice-Based Group Encryption A modular design: Each member has a key pair ( sk , pk ) for an anonymous encryption scheme. Manager signs member’s public key pk , and publishes ( pk , σ ). Sender uses pk to encrypt a message µ satisfying relation R , obtains c . Sender also encrypts pk under the pk OA , obtains c OA . Khoa Nguyen ZK & Lattice-Based Group Encryption 9 / 16

Recommend

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018, 20 August 2018 Zero-Knowledge

422 views • 30 slides
Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations Dimensions length and size functions length - returns the number of elements in a vector size - returns the number of rows and columns in a vector or

588 views • 22 slides
Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Short Pairing-based Non-interactive Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In a zero knowledge protocol a prover can convince a verifier that some statement is true without leaking any side

628 views • 14 slides
Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay October 15, 2019 1 / 24 zkSNARKs Arguments ZK proofs

435 views • 24 slides
Exploiting Matrix Reuse and Data Locality in Sparse Matrix-Vector and Matrix-Transpose-Vector

Exploiting Matrix Reuse and Data Locality in Sparse Matrix-Vector and Matrix-Transpose-Vector

Matrix reuse and data locality in parallel y = A z and z = A T x Exploiting Matrix Reuse and Data Locality in Sparse Matrix-Vector and Matrix-Transpose-Vector Multiplication on Many-Core Architectures Kadir Akbudak Ozan Karsavuran 1 (speaker)

822 views • 15 slides
= an orthogonal matrix T X X l l Cov( , ) i k ij kj j = 1 = X F l Cov( , )

= an orthogonal matrix T X X l l Cov( , ) i k ij kj j = 1 = X F l Cov( , )

Factor analysis (cf. section 9.3) In matrix notation the factor model takes the form: An observable random vector X of dimension p has mean X LF = + vector and covariance matrix L Here is the p x m matrix

98 views • 6 slides
Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication

Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication

CS 140 : Numerical Examples on Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication Hyperobjects Thank nks to Charles E. L Leiserson on for some of t these slides 1 Work and Span (Recap) T P =

449 views • 29 slides
Parallel Sparse Matrix-Vector and Matrix- Transpose-Vector Multiplication using Compressed Sparse

Parallel Sparse Matrix-Vector and Matrix- Transpose-Vector Multiplication using Compressed Sparse

Parallel Sparse Matrix-Vector and Matrix- Transpose-Vector Multiplication using Compressed Sparse Blocks Aydn Bulu, UCSB Jeremy T. Fineman (MIT) Matteo Frigo (Cilk Arts) John R. Gilbert (UCSB) Charles E. Leiserson (MIT & Cilk Arts) 1

523 views • 21 slides
CS 140 : Matrix multiplication Warmup: Matrix times vector: communication volume Matrix

CS 140 : Matrix multiplication Warmup: Matrix times vector: communication volume Matrix

CS 140 : Matrix multiplication Warmup: Matrix times vector: communication volume Matrix multiplication I: parallel issues Matrix multiplication II: cache issues Thanks to Jim Demmel and Kathy Yelick (UCB) for some of these slides

473 views • 45 slides
Matrix Multiplication Matrix Multiplication via Matrix-Vector Mult Defn. If matrix A is m n

Matrix Multiplication Matrix Multiplication via Matrix-Vector Mult Defn. If matrix A is m n

Matrix Multiplication Matrix Multiplication via Matrix-Vector Mult Defn. If matrix A is m n and matrix B is r s , then for the product AB to be valid it must be that n = r . If valid, the product AB has size m s . The columns of the

400 views • 12 slides
Parallel Numerical Algorithms Chapter 3 Dense Linear Systems Section 3.1 Vector and

Parallel Numerical Algorithms Chapter 3 Dense Linear Systems Section 3.1 Vector and

BLAS Inner Product Outer Product Matrix-Vector Product Matrix-Matrix Product Parallel Numerical Algorithms Chapter 3 Dense Linear Systems Section 3.1 Vector and Matrix Products Michael T. Heath and Edgar Solomonik Department of

1.19k views • 77 slides
Parallel Scientific Computing Matrix-vector multiplication. Matrix-matrix multiplication.

Parallel Scientific Computing Matrix-vector multiplication. Matrix-matrix multiplication.

CS140 IV-1 Parallel Scientific Computing Matrix-vector multiplication. Matrix-matrix multiplication. Direct method for solving a linear equation. Gaussian Elimination. Iterative method for solving a linear equation.

367 views • 25 slides
Vector FPGA Acceleration of 1-D DWT Computations using Sparse Matrix Skeletons Sidharth

Vector FPGA Acceleration of 1-D DWT Computations using Sparse Matrix Skeletons Sidharth

Vector FPGA Acceleration of 1-D DWT Computations using Sparse Matrix Skeletons Sidharth Maheshwari, Gourav Modi, Siddhartha , Nachiket Kapre School of Computer Science and Engineering Nanyang Technological University Matrix-Form 1-D DWT

500 views • 16 slides
Matrix-Vector Multiplication in Sub-Quadratic Time (Some Preprocessing Required) Ryan Williams

Matrix-Vector Multiplication in Sub-Quadratic Time (Some Preprocessing Required) Ryan Williams

Matrix-Vector Multiplication in Sub-Quadratic Time (Some Preprocessing Required) Ryan Williams Carnegie Mellon University 0-0 Introduction Matrix-Vector Multiplication: Fundamental Operation in Scientific Computing 1 Introduction

1.15k views • 55 slides
Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2

712 views • 33 slides
Quiz I Give our two primary interpretations of matrix-vector multiplication. I Give the

Quiz I Give our two primary interpretations of matrix-vector multiplication. I Give the

Quiz I Give our two primary interpretations of matrix-vector multiplication. I Give the matrix-vector definition of matrix-matrix multiplication. 2 1 2 3 4 3 I Let A = 0 1 2 3 5 . 4 0 0 0 1 1. What is the rank of A ? 2. What is the

576 views • 23 slides
Empirical arguments in the literature syntactic properties Locality of Grammatical Relations

Empirical arguments in the literature syntactic properties Locality of Grammatical Relations

Empirical arguments in the literature syntactic properties Locality of Grammatical Relations Bender and Flickinger (1999a,b): Bob Levine and Detmar Meurers Tag questions in English The Ohio State University Richard phenomenon H

335 views • 6 slides
Vectors and Matrices Vectors Defn. A matrix with one column is called a (column) vector . We

Vectors and Matrices Vectors Defn. A matrix with one column is called a (column) vector . We

Vectors and Matrices Vectors Defn. A matrix with one column is called a (column) vector . We use bold letters for vector variables, such as x and v . 3 We sometimes write the column vector as 5 (3 , 5) . vecMatONE: 2 Vector

360 views • 9 slides
Multivariate Gaussian Mean vector: Covariance matrix: 2 1 Conditioning a Gaussian Joint

Multivariate Gaussian Mean vector: Covariance matrix: 2 1 Conditioning a Gaussian Joint

Readings: K&F: 6.1, 6.2, 6.3, 14.1, 14.2, 14.3, 14.4, Kalman Filters Gaussian MNs Graphical Models 10708 Carlos Guestrin Carnegie Mellon University December 1 st , 2008 1 Multivariate Gaussian Mean vector: Covariance matrix: 2 1

257 views • 11 slides
Benchmarking Sparse Matrix-Vector Multiply In 5 Minutes Hormozd Gahvari, Mark Hoemmen, James

Benchmarking Sparse Matrix-Vector Multiply In 5 Minutes Hormozd Gahvari, Mark Hoemmen, James

Benchmarking Sparse Matrix-Vector Multiply In 5 Minutes Hormozd Gahvari, Mark Hoemmen, James Demmel, and Kathy Yelick January 21, 2007 Outline What is Sparse Matrix-Vector Multiply (SpMV)? Why benchmark it? How to benchmark it?

431 views • 31 slides
= + l 2 ij i F = FF = I E Cov( ) ( ) j = 1 0 = E ( ) = +

= + l 2 ij i F = FF = I E Cov( ) ( ) j = 1 0 = E ( ) = +

Factor rotation (cf. section 9.4 ) The model implies that An observable random vector X of dimension p has mean = X = X X E = LL + cov( ) {( )( ) } vector and covariance matrix We consider

525 views • 3 slides
Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics.

Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics.

Matrix Arithmetic (Multidimensional Math) Shaina Race, PhD Institute for Advanced Analytics. Element-wise Operations T ABLE OF C ONTENTS Linear Combinations of Matrices and Vectors. Vector Multiplication Inner products and Matrix-Vector

1.19k views • 78 slides
On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki

On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki

On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki University of Technology http://www.tcs.hut.fi/helger Pedase Theory Day, 04.10.2003 On Diophantine Complexity and SZK Arguments, Helger Lipmaa 1

501 views • 24 slides
Matrix Equations Matrix Equations Fact. The matrix equation A x = b has a solu- tion if and only

Matrix Equations Matrix Equations Fact. The matrix equation A x = b has a solu- tion if and only

Matrix Equations Matrix Equations Fact. The matrix equation A x = b has a solu- tion if and only if b is a linear combination of the columns of A . In particular: Fact. Testing whether a vector b is in the span of some collection of vectors is

591 views • 11 slides

More recommend