SlideShare ist ein Scribd-Unternehmen logo

Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Mauricio Quezada
Mauricio Quezada

Presentation for CC5301 - Fundamentos de Criptografía exam. Based on the same name paper. DCC. Universidad de Chile. 2011.

BildungTechnologie
1 von 29
Downloaden Sie, um offline zu lesen
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols Mauricio Quezada Miércoles 7 de Septiembre, 2011 Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Outline 1 Proofs of Knowledge 2 Secret Sharing schemes 3 Main Result 4 Extensions, applications, open problems Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Requirements A Proof of Knowledge with a few special properties An Access Structure for n participants Secret Sharing with the dual of the previous access structure Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Proofs of Knowledge Let a binary relation R = {(x, w)} The witness set w(x) is the set of w such that (x, w ) ∈ R Let P a Proof of Knowledge protocol, in which there is a common input x (of length k bits) to a prover P and a verifier V , and a private input w to P . The prover tries to convince the verifier that w ∈ w(x). Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Some restrictions Assume that P is a three round public coin protocol Conversations will be ordererd triples of the form m1 , c, m2 Where c is called the challenge, uniformly random bits chosen by the verifier Also, assume that completeness holds with probability 1 I.e., if indeed w ∈ w(x), then the verifier always accepts Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Some restrictions P has the special soundness property: 1 The length of c is such that the number of possible values of c is super-polynomial in k 2 For any prover P ∗ , given two conversations between P ∗ and V , (m1 , c, m2 ) and (m1 , c , m2 ), where c = c , an element of w(x) can be computed in polynomial time. Also, is Honest Verifier Zero Knowledge Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Witness Indistinguishability and Witness Hiding A protocol is witness indistinguishable (WI) if conversations generated with same x, but different elements from w(x) have indistinguishable distributions Even a cheating verifier can’t tell which witness the prover is using A protocol is witness hiding (WH), if it does not help even a cheating verifier to compute a witness for x with non-negligible probability when x is generated under a certain distribution Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems WI, WH and PoK. Proposition 1 Let P a three round public coin proof of knowledge for a relation R. If P is honest verifier zero-knowledge proof, then P is witness indistinguishable Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Secret Sharing A Secret Sharing scheme is a method by which a secret s can be distributed among n participants by giving a share to each one. The subsets of participants which can reconstruct s are called qualified sets The collection of qualified sets is called the access structure for the scheme Monotone access structure property: If A is a qualified set, then any set containing A is also qualified Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Access structures Definition (Dual structures) Let Γ be an access structure containing subsets of a set M . If A ⊆ M , A denotes the complement of A in M . Now the dual access structure, Γ∗ is defined as follows: A ∈ Γ∗ iff A ∈ Γ / Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Access structures The dual Γ∗ of a monotone access structure is monotone, and satisfies (Γ∗ )∗ = Γ Let Γ be monotone. A is qualified in Γ exactly when it has a non-empty intersection with every qualified set in Γ∗ Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Notations Let D(s) denote the joint probability distribution of all shares resulting from distributing the secret s. For a set of A participants, DA (s) denotes the restriction of D to shares in A. As a secret sharing scheme S(k) is perfect, DA (s) is independent from s for any non-qualified set A Will be denoted DA whenever A is non-qualified Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Requirements 1 All shares in S(k) have length polynomial in k 2 Distribution, reconstruction of a secret can be done in polynomial time 3 Verification can be done in polynomial time in k 4 A set of non-qualified shares can be completed to a full set of shares according to D(s) and consistent to s (guess in how much time) 5 For any non-qualified set A, the probability distribution DA is such that shares in A are independent and uniformly chosen Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Perfect Secret Sharing A perfect secret sharing scheme satisfying 1 to 4 is called semi-smooth. If 5 is also satisfied, then is called smooth. Which protocol would be a good example? Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Notations Let R be a binary relation Let Γ = {Γ(k)} a family of access structures on n(k) participants Let RΓ be a relation defined as follows: ((x1 , . . . , xm ), (w1 , . . . , wm )) ∈ RΓ iff all xi are of the same length and the set of indices i for which (xi , wi ) ∈ R corresponds to a qualified set in Γ(k) In a PoK for RΓ , the prover proves to know witnesses to a set corresponding to a qualified set in Γ(k). Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Main Result Let P be a three round public coin honest verifier zero-knowledge proof of knowledge for a relation R with special soundness property. Let Γ = {Γ(k)} be a family of monotone access structures and let {S(k)} be a family of smooth secret sharing schemes Such that the access structure of S(k) is Γ(k)∗ Then exists a three round public coin witness indistinguishable proof of knowledge for relation RΓ Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Proof A basic approach in the following is to interpret a challenge as a share (remember that the challenge is the message sent by the verifier) If c is a challenge, share(c) will denote the corresponding share. A ∈ Γ denotes the set of indices for which P knows a witness for xi The protocol is as follows: Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (1/4) For each i ∈ A, P runs simulator S on input xi to produce conversations (mi , ci , mi ). 1 2 For each i ∈ A, P determines mi as what the prover in 1 P would send as m1 given a witness for input xi . P then sends the values mi , i = 1, . . . , n to V 1 Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (2/4) V chooses a t-bit string s at random and sends it to P Note: t is the length of shares in S(k) Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (3/4) Consider the set of shares {share(ci ) | i ∈ A} that correspond to the ci As A is not qualified in Γ∗ , P can complete these shares to a full set of shares (req. 4) For A, P now forms challenges ci for indices i ∈ A, such that share(ci ) corresponds to the share produced in the completion process. In step 1, S has produced a final message, mi in P for 2 i∈A For i ∈ A, P knows a witness for xi , then can find a valid mi for mi and ci by running the prover from P 2 1 Finally, P sends the set of messages ci , mi , i = 1, . . . , n 2 to V Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (4/4) V checks that all conversations (mi , ci , mi ) now 1 2 produced would lead to acceptance by the verifier of P, and shares share(ci ) are consistent with secret s. It accepts iff these checks are satisfied Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Properties Completeness: trivial Soundness: Assume that some prover P ∗ for a given first message {mi | i = 1, . . . , n} can answer correctly a 1 non-negligible fraction of possible choices of s As there are 2t possible values of s, any polynomial fraction contains at least 2 values of s. Call them s, s For any qualified set B in Γ∗ , there must be an i ∈ B, such that share(ci ) = share(ci ) Then we could compute a witness for xi (by special soundness property) So P ∗ knows a witness in every qualified set of Γ∗ Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Properties Witness Indistinguishability: The distribution of the conversation is independent of which qualified set A ∈ Γ the prover uses. The distribution of each mi depends only on xi , and is 1 the same of the prover of P (using that P is HVZK) Hence the verifier’s choice of s is independent of A As {share(ci )} is constructed by completing a set of shares in a non-qualified set, the joint distribution is simply D(s). Then the joint distribution of the ci ’s is independent of A Finally, the first proposition implies that the distribution of mi depends only on xi , mi and ci and therefore 2 1 independent of A. Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Extensions Three-round protocol can be generalized Another types of PoK, like special honest verifier zero-knowledge with a SS semi-smooth protocol Using invulnerable generators for a relation R lead to designing protocols satisfying WI Then, using this technique we could turn a PoK protocol into a WI protocol Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Applications (the typical example) Suppose we have n executives of a company, with public and private key (xi , wi ) Certain groups of them can do specific actions: taking decisions on behalf of the company, etc. We want to make them doing that actions as a qualified group, not revealing anything else about their identities This makes good sense, if they are to assume responsability on behalf of the company, rather than personally Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Open problems The main theorem holds for ordinary soundness property in P? Can be generalized to other types of protocols than public coin protocols? Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems References 1 Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. Ronald Cramer, Ivan Damgardm Berry Schoenmakers. CRYPTO ‘94. Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne

Empfohlen

Hv3114921496
Hv3114921496Hv3114921496
Hv3114921496
IJERA Editor
 
Lightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETSLightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETS
IJCNCJournal
 
GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...
GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...
GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...
Albert Orriols-Puig
 
RFID security presentation
RFID security presentationRFID security presentation
RFID security presentation
mdxtech
 
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARDDATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
ijait
 
Arvind stegnography
Arvind stegnographyArvind stegnography
Arvind stegnography
arvind carpenter
 
CCIA'2008: On the dimensions of data complexity through synthetic data sets
CCIA'2008: On the dimensions of data complexity through synthetic data setsCCIA'2008: On the dimensions of data complexity through synthetic data sets
CCIA'2008: On the dimensions of data complexity through synthetic data sets
Albert Orriols-Puig
 
Secrecy and Performance Analysis of Symmetric Key Encryption Algorithms
Secrecy and Performance Analysis of Symmetric Key Encryption AlgorithmsSecrecy and Performance Analysis of Symmetric Key Encryption Algorithms
Secrecy and Performance Analysis of Symmetric Key Encryption Algorithms
Tharindu Weerasinghe
 

Empfohlen

Hv3114921496
Hv3114921496Hv3114921496
Hv3114921496
IJERA Editor
 
Lightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETSLightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETS
IJCNCJournal
 
GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...
GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...
GECCO'2007: Modeling XCS in Class Imbalances: Population Size and Parameter S...
Albert Orriols-Puig
 
RFID security presentation
RFID security presentationRFID security presentation
RFID security presentation
mdxtech
 
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARDDATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
ijait
 
Arvind stegnography
Arvind stegnographyArvind stegnography
Arvind stegnography
arvind carpenter
 
CCIA'2008: On the dimensions of data complexity through synthetic data sets
CCIA'2008: On the dimensions of data complexity through synthetic data setsCCIA'2008: On the dimensions of data complexity through synthetic data sets
CCIA'2008: On the dimensions of data complexity through synthetic data sets
Albert Orriols-Puig
 
Secrecy and Performance Analysis of Symmetric Key Encryption Algorithms
Secrecy and Performance Analysis of Symmetric Key Encryption AlgorithmsSecrecy and Performance Analysis of Symmetric Key Encryption Algorithms
Secrecy and Performance Analysis of Symmetric Key Encryption Algorithms
Tharindu Weerasinghe
 
Data Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill CipherData Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill Cipher
Aashirwad Kashyap
 
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
Albert Orriols-Puig
 
Natural Language Inference: for Humans and Machines
Natural Language Inference: for Humans and MachinesNatural Language Inference: for Humans and Machines
Natural Language Inference: for Humans and Machines
Valeria de Paiva
 
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
Albert Orriols-Puig
 
Lecture8 - From CBR to IBk
Lecture8 - From CBR to IBkLecture8 - From CBR to IBk
Lecture8 - From CBR to IBk
Albert Orriols-Puig
 
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
Albert Orriols-Puig
 
Prezentare fără titlu
Prezentare fără titluPrezentare fără titlu
Prezentare fără titlu
Constantin Rusu
 
Uc
UcUc
Uc
Sravan Mannem
 
Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...
Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...
Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...
inesalonsoares
 
Samrat Patil
Samrat PatilSamrat Patil
Samrat Patil
Samrat Patil
 
Aspectos y seguridad
Aspectos y seguridadAspectos y seguridad
Aspectos y seguridad
Mauricio Quezada
 
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Andres Agostini, Polymath Futurist
 
Stir fry
Stir fryStir fry
Stir fry
Liza Clutario
 
CEE startups in SV 2012
CEE startups in SV 2012CEE startups in SV 2012
CEE startups in SV 2012
Oliver Holle
 
Manual
ManualManual
Manual
alecx
 
Speed invest inits public
Speed invest inits publicSpeed invest inits public
Speed invest inits public
Oliver Holle
 
Línea de tiempo Movimiento Estudiantil 2011
Línea de tiempo Movimiento Estudiantil 2011Línea de tiempo Movimiento Estudiantil 2011
Línea de tiempo Movimiento Estudiantil 2011
Mauricio Quezada
 
Doa untuk pelajar
Doa untuk pelajarDoa untuk pelajar
Doa untuk pelajar
Nurul Ismail
 
Startup leadership short
Startup leadership shortStartup leadership short
Startup leadership short
Oliver Holle
 
Motivation(2)
Motivation(2)Motivation(2)
Motivation(2)
Bramhesh Aptekar
 
[Script Documentation] Add reminders to spreadsheet
[Script Documentation] Add reminders to spreadsheet [Script Documentation] Add reminders to spreadsheet
[Script Documentation] Add reminders to spreadsheet
Constantin Rusu
 
Google Apps for Education > Chapter 3: Customize Google Apps for your school
Google Apps for Education > Chapter 3: Customize Google Apps for your schoolGoogle Apps for Education > Chapter 3: Customize Google Apps for your school
Google Apps for Education > Chapter 3: Customize Google Apps for your school
Constantin Rusu
 

Weitere ähnliche Inhalte

Was ist angesagt?

New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
Albert Orriols-Puig
 
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
Albert Orriols-Puig
 
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
Albert Orriols-Puig
 

Was ist angesagt? (6)

Data Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill CipherData Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill Cipher
 
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
New Challenges in Learning Classifier Systems: Mining Rarities and Evolving F...
 
Natural Language Inference: for Humans and Machines
Natural Language Inference: for Humans and MachinesNatural Language Inference: for Humans and Machines
Natural Language Inference: for Humans and Machines
 
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
CCIA'2008: Can Evolution Strategies Improve Learning Guidance in XCS? Design ...
 
Lecture8 - From CBR to IBk
Lecture8 - From CBR to IBkLecture8 - From CBR to IBk
Lecture8 - From CBR to IBk
 
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
IWLCS'2008: First Approach toward Online Evolution of Association Rules wit...
 

Andere mochten auch

Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Andres Agostini, Polymath Futurist
 
Manual
ManualManual
Manual
alecx
 
[Script Documentation] Add reminders to spreadsheet
[Script Documentation] Add reminders to spreadsheet [Script Documentation] Add reminders to spreadsheet
[Script Documentation] Add reminders to spreadsheet
Constantin Rusu
 
Google Apps for Education > Chapter 3: Customize Google Apps for your school
Google Apps for Education > Chapter 3: Customize Google Apps for your schoolGoogle Apps for Education > Chapter 3: Customize Google Apps for your school
Google Apps for Education > Chapter 3: Customize Google Apps for your school
Constantin Rusu
 

Andere mochten auch (19)

Prezentare fără titlu
Prezentare fără titluPrezentare fără titlu
Prezentare fără titlu
 
Uc
UcUc
Uc
 
Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...
Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...
Lo Cotidiano - Tomo II - Capitulos= La busqueda de la Luz - La Espera y la Es...
 
Samrat Patil
Samrat PatilSamrat Patil
Samrat Patil
 
Aspectos y seguridad
Aspectos y seguridadAspectos y seguridad
Aspectos y seguridad
 
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
Futuretronium Book 100.0 (The Revolution II)! By Andres Agostini at http://li...
 
Stir fry
Stir fryStir fry
Stir fry
 
CEE startups in SV 2012
CEE startups in SV 2012CEE startups in SV 2012
CEE startups in SV 2012
 
Manual
ManualManual
Manual
 
Speed invest inits public
Speed invest inits publicSpeed invest inits public
Speed invest inits public
 
Línea de tiempo Movimiento Estudiantil 2011
Línea de tiempo Movimiento Estudiantil 2011Línea de tiempo Movimiento Estudiantil 2011
Línea de tiempo Movimiento Estudiantil 2011
 
Doa untuk pelajar
Doa untuk pelajarDoa untuk pelajar
Doa untuk pelajar
 
Startup leadership short
Startup leadership shortStartup leadership short
Startup leadership short
 
Motivation(2)
Motivation(2)Motivation(2)
Motivation(2)
 
[Script Documentation] Add reminders to spreadsheet
[Script Documentation] Add reminders to spreadsheet [Script Documentation] Add reminders to spreadsheet
[Script Documentation] Add reminders to spreadsheet
 
Google Apps for Education > Chapter 3: Customize Google Apps for your school
Google Apps for Education > Chapter 3: Customize Google Apps for your schoolGoogle Apps for Education > Chapter 3: Customize Google Apps for your school
Google Apps for Education > Chapter 3: Customize Google Apps for your school
 
Introduccion a AspectJ
Introduccion a AspectJIntroduccion a AspectJ
Introduccion a AspectJ
 
Step 2-chassis-air-bag
Step 2-chassis-air-bagStep 2-chassis-air-bag
Step 2-chassis-air-bag
 
Mga bahagi ng pahayagan
Mga bahagi ng pahayaganMga bahagi ng pahayagan
Mga bahagi ng pahayagan
 

Kürzlich hochgeladen

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
discovermytutordmt
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 

Kürzlich hochgeladen (20)

Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 

Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols

  • 1. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols Mauricio Quezada Miércoles 7 de Septiembre, 2011 Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 2. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Outline 1 Proofs of Knowledge 2 Secret Sharing schemes 3 Main Result 4 Extensions, applications, open problems Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 3. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Requirements A Proof of Knowledge with a few special properties An Access Structure for n participants Secret Sharing with the dual of the previous access structure Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 4. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Proofs of Knowledge Let a binary relation R = {(x, w)} The witness set w(x) is the set of w such that (x, w ) ∈ R Let P a Proof of Knowledge protocol, in which there is a common input x (of length k bits) to a prover P and a verifier V , and a private input w to P . The prover tries to convince the verifier that w ∈ w(x). Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 5. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Some restrictions Assume that P is a three round public coin protocol Conversations will be ordererd triples of the form m1 , c, m2 Where c is called the challenge, uniformly random bits chosen by the verifier Also, assume that completeness holds with probability 1 I.e., if indeed w ∈ w(x), then the verifier always accepts Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 6. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Some restrictions P has the special soundness property: 1 The length of c is such that the number of possible values of c is super-polynomial in k 2 For any prover P ∗ , given two conversations between P ∗ and V , (m1 , c, m2 ) and (m1 , c , m2 ), where c = c , an element of w(x) can be computed in polynomial time. Also, is Honest Verifier Zero Knowledge Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 7. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Witness Indistinguishability and Witness Hiding A protocol is witness indistinguishable (WI) if conversations generated with same x, but different elements from w(x) have indistinguishable distributions Even a cheating verifier can’t tell which witness the prover is using A protocol is witness hiding (WH), if it does not help even a cheating verifier to compute a witness for x with non-negligible probability when x is generated under a certain distribution Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 8. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems WI, WH and PoK. Proposition 1 Let P a three round public coin proof of knowledge for a relation R. If P is honest verifier zero-knowledge proof, then P is witness indistinguishable Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 9. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Secret Sharing A Secret Sharing scheme is a method by which a secret s can be distributed among n participants by giving a share to each one. The subsets of participants which can reconstruct s are called qualified sets The collection of qualified sets is called the access structure for the scheme Monotone access structure property: If A is a qualified set, then any set containing A is also qualified Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 10. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Access structures Definition (Dual structures) Let Γ be an access structure containing subsets of a set M . If A ⊆ M , A denotes the complement of A in M . Now the dual access structure, Γ∗ is defined as follows: A ∈ Γ∗ iff A ∈ Γ / Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 11. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Access structures The dual Γ∗ of a monotone access structure is monotone, and satisfies (Γ∗ )∗ = Γ Let Γ be monotone. A is qualified in Γ exactly when it has a non-empty intersection with every qualified set in Γ∗ Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 12. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Notations Let D(s) denote the joint probability distribution of all shares resulting from distributing the secret s. For a set of A participants, DA (s) denotes the restriction of D to shares in A. As a secret sharing scheme S(k) is perfect, DA (s) is independent from s for any non-qualified set A Will be denoted DA whenever A is non-qualified Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 13. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Requirements 1 All shares in S(k) have length polynomial in k 2 Distribution, reconstruction of a secret can be done in polynomial time 3 Verification can be done in polynomial time in k 4 A set of non-qualified shares can be completed to a full set of shares according to D(s) and consistent to s (guess in how much time) 5 For any non-qualified set A, the probability distribution DA is such that shares in A are independent and uniformly chosen Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 14. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Perfect Secret Sharing A perfect secret sharing scheme satisfying 1 to 4 is called semi-smooth. If 5 is also satisfied, then is called smooth. Which protocol would be a good example? Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 15. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Notations Let R be a binary relation Let Γ = {Γ(k)} a family of access structures on n(k) participants Let RΓ be a relation defined as follows: ((x1 , . . . , xm ), (w1 , . . . , wm )) ∈ RΓ iff all xi are of the same length and the set of indices i for which (xi , wi ) ∈ R corresponds to a qualified set in Γ(k) In a PoK for RΓ , the prover proves to know witnesses to a set corresponding to a qualified set in Γ(k). Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 16. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Main Result Let P be a three round public coin honest verifier zero-knowledge proof of knowledge for a relation R with special soundness property. Let Γ = {Γ(k)} be a family of monotone access structures and let {S(k)} be a family of smooth secret sharing schemes Such that the access structure of S(k) is Γ(k)∗ Then exists a three round public coin witness indistinguishable proof of knowledge for relation RΓ Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 17. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Proof A basic approach in the following is to interpret a challenge as a share (remember that the challenge is the message sent by the verifier) If c is a challenge, share(c) will denote the corresponding share. A ∈ Γ denotes the set of indices for which P knows a witness for xi The protocol is as follows: Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 18. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (1/4) For each i ∈ A, P runs simulator S on input xi to produce conversations (mi , ci , mi ). 1 2 For each i ∈ A, P determines mi as what the prover in 1 P would send as m1 given a witness for input xi . P then sends the values mi , i = 1, . . . , n to V 1 Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 19. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (2/4) V chooses a t-bit string s at random and sends it to P Note: t is the length of shares in S(k) Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 20. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (3/4) Consider the set of shares {share(ci ) | i ∈ A} that correspond to the ci As A is not qualified in Γ∗ , P can complete these shares to a full set of shares (req. 4) For A, P now forms challenges ci for indices i ∈ A, such that share(ci ) corresponds to the share produced in the completion process. In step 1, S has produced a final message, mi in P for 2 i∈A For i ∈ A, P knows a witness for xi , then can find a valid mi for mi and ci by running the prover from P 2 1 Finally, P sends the set of messages ci , mi , i = 1, . . . , n 2 to V Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 21. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems The protocol (4/4) V checks that all conversations (mi , ci , mi ) now 1 2 produced would lead to acceptance by the verifier of P, and shares share(ci ) are consistent with secret s. It accepts iff these checks are satisfied Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 22. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Properties Completeness: trivial Soundness: Assume that some prover P ∗ for a given first message {mi | i = 1, . . . , n} can answer correctly a 1 non-negligible fraction of possible choices of s As there are 2t possible values of s, any polynomial fraction contains at least 2 values of s. Call them s, s For any qualified set B in Γ∗ , there must be an i ∈ B, such that share(ci ) = share(ci ) Then we could compute a witness for xi (by special soundness property) So P ∗ knows a witness in every qualified set of Γ∗ Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 23. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Properties Witness Indistinguishability: The distribution of the conversation is independent of which qualified set A ∈ Γ the prover uses. The distribution of each mi depends only on xi , and is 1 the same of the prover of P (using that P is HVZK) Hence the verifier’s choice of s is independent of A As {share(ci )} is constructed by completing a set of shares in a non-qualified set, the joint distribution is simply D(s). Then the joint distribution of the ci ’s is independent of A Finally, the first proposition implies that the distribution of mi depends only on xi , mi and ci and therefore 2 1 independent of A. Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 24. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Extensions Three-round protocol can be generalized Another types of PoK, like special honest verifier zero-knowledge with a SS semi-smooth protocol Using invulnerable generators for a relation R lead to designing protocols satisfying WI Then, using this technique we could turn a PoK protocol into a WI protocol Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 25. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Applications (the typical example) Suppose we have n executives of a company, with public and private key (xi , wi ) Certain groups of them can do specific actions: taking decisions on behalf of the company, etc. We want to make them doing that actions as a qualified group, not revealing anything else about their identities This makes good sense, if they are to assume responsability on behalf of the company, rather than personally Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 26. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 27. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 28. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems Open problems The main theorem holds for ordinary soundness property in P? Can be generalized to other types of protocols than public coin protocols? Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne
  • 29. Introduction Proofs of Knowledge Secret Sharing Main Result Extensions, applications, open problems References 1 Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. Ronald Cramer, Ivan Damgardm Berry Schoenmakers. CRYPTO ‘94. Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witne