Zero-Knowledge Proofs in Anonymous Credential Systems. Gergely Alpár, October 21, 2011
2 Waldo
3 Source: findwaldo.com // Department Store. Idea: Moni Naor et al., How to Convince your children you are not cheating, 1999
6 Overview: Zero-knowledge proof of knowledge; Signatures from ZK PK; U-Prove; Idemix; Comparison
7 Schnorr identification
  System parameters: (p, q, g). Public key: h ≡ g^x (mod p). Prover's secret: x.
  Prover:   w ∈_R Z_q; a := g^w mod p        → a to Verifier   (commitment)
  Verifier: c ∈_R {0, 1}                     → c to Prover     (challenge)
  Prover:   r := c·x + w mod q               → r to Verifier   (response)
  Verifier checks: a =? g^r · h^c (mod p)
  Properties: complete, sound.
8 From outside? (a, c, r)
9 Simulation → Zero-knowledgeness
  Real communication. Input: private key x. Output: conversation (a, c, r).
    1. w ∈_R Z_q
    2. a := g^w (mod p)
    3. a → V
    4. c ∈_R {0, 1} ← V
    5. r := w + c·x (mod q)
    6. Output: (a, c, r)
  Simulated communication. Input: public key h only. Output: conversation (a, c, r).
    1. c ∈_R {0, 1}; r ∈_R Z_q
    2. a := g^r · h^c (mod p)
    3. a → V
    4. ĉ ∈_R {0, 1} ← V
    5. If c ≠ ĉ: rewind V and go to step 1
    6. Output: (a, c, r)
10-12 Schnorr identification (challenge from the whole of Z_q)
  System parameters: (p, q, g). Public key: h ≡ g^x (mod p). Prover's secret: x.
  Prover:   w ∈_R Z_q; a := g^w mod p        → a to Verifier   (commitment)
  Verifier: c ∈_R Z_q                        → c to Prover     (challenge)
  Prover:   r := c·x + w mod q               → r to Verifier   (response)
  Verifier checks: a =? g^r · h^c (mod p)
  Notation: PK{( ) : h g (mod p)}
13 Non-interactive Schnorr (Fiat-Shamir)
  System parameters: (p, q, g). Public key: h ≡ g^x (mod p). Prover's secret: x.
  Prover:   w ∈_R Z_q; a := g^w mod p        (commitment)
            c := H(a)                        (challenge, computed by the prover instead of received)
            r := c·x + w mod q               (response)
            sends (a, r) → Verifier
  Verifier: c' := H(a); a =? g^r · h^{c'} (mod p)
  Notation: PK{( ) : h g (mod p)}
14 Schnorr signature (freshness)
  System parameters: (p, q, g). Public key: h ≡ g^x (mod p). Prover's secret: x.
  Verifier: n ∈_R Z_q                        → n to Prover     (nonce)
  Prover:   w ∈_R Z_q; a := g^w mod p        (commitment)
            c := H(a ∥ n)                    (challenge)
            r := c·x + w mod q               (response)
            sends (a, r) → Verifier
  Verifier: c' := H(a ∥ n); a =? g^r · h^{c'} (mod p)
  Notation: SPK{( ) : h g (mod p)}(n)
15 Schnorr signature
  System parameters: (p, q, g). Public key: h ≡ g^x (mod p). Message: m ∈ Z_q. Prover's secret: x.
  Prover:   w ∈_R Z_q; a := g^w mod p        (commitment)
            c := H(a ∥ m)                    (challenge)
            r := c·x + w mod q               (response)
            sends (a, r) → Verifier
  Verifier: c' := H(a ∥ m); a =? g^r · h^{c'} (mod p)
  Notation: SPK{( ) : h g (mod p)}(m)
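The Schnorr protocol, its simulator with rewinding, the two-transcript extractor behind "sound", and the Fiat-Shamir signature of slides 7, 9, 13 and 15, as an added toy example that is not code from the slides. It assumes a constructed 11-bit group (p, q, g) and the sign convention h = g^x with check g^r = a·h^c, which is the slides' check up to the sign of x; all function names are mine.

```python
"""Toy Schnorr identification, its zero-knowledge simulator, special soundness,
and the Fiat-Shamir signature (added example; not code from the slides)."""
import hashlib
import secrets

# Constructed toy group: q = 1019 divides p - 1 = 2038 and g = 4 has order q.
# Illustration only; real deployments use a 256-bit q with a 2048-bit p or an EC group.
P, Q, G = 2039, 1019, 4


def keygen():
    """Prover's secret x and public key h = g^x mod p (sign convention assumed here)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Real prover, steps 1-2: w <-R Z_q, a := g^w mod p."""
    w = secrets.randbelow(Q)
    return w, pow(G, w, P)


def prover_respond(x, w, c):
    """r := w + c*x mod q."""
    return (w + c * x) % Q


def verify(h, a, c, r):
    """Accept iff g^r == a * h^c (mod p)."""
    return pow(G, r, P) == (a * pow(h, c, P)) % P


def real_transcript(x, bits=1):
    """Honest run; bits=1 is slide 7, bits=10 approximates c <-R Z_q (slide 10)."""
    w, a = prover_commit()
    c = secrets.randbits(bits) % Q
    return a, c, prover_respond(x, w, c)


def simulate(h, verifier, bits=1):
    """Slide 9: guess c and r first, derive a := g^r * h^(-c), then rewind the verifier
    (a callable a -> challenge) until its challenge equals the guess. Uses only h.
    Returns the transcript and the number of attempts."""
    tries = 0
    while True:
        tries += 1
        c = secrets.randbits(bits) % Q
        r = secrets.randbelow(Q)
        a = (pow(G, r, P) * pow(h, (Q - c) % Q, P)) % P   # h^(-c): h has order q
        if verifier(a) == c:
            return (a, c, r), tries


def extract(a, c1, r1, c2, r2):
    """Special soundness: two accepting transcripts sharing a commitment a but with
    different challenges reveal x = (r1 - r2) / (c1 - c2) mod q."""
    assert c1 != c2
    return ((r1 - r2) * pow((c1 - c2) % Q, -1, Q)) % Q


def hash_challenge(a, msg=b""):
    """Fiat-Shamir: c := H(a || m) mapped into Z_q (slide 13 hashes a alone)."""
    data = a.to_bytes(2, "big") + b"||" + msg   # a < 2^16 in this toy group
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(x, msg=b""):
    """Non-interactive proof, or a signature on msg: (a, r) with c taken from the hash."""
    w, a = prover_commit()
    return a, prover_respond(x, w, hash_challenge(a, msg))


def sig_verify(h, msg, a, r):
    """Recompute c' := H(a || m) and run the same check; msg=b'' is slide 13."""
    return verify(h, a, hash_challenge(a, msg), r)
```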
16-17 Schnorr blind signature
  System parameters: (p, q, g). Public key: h ≡ g^x (mod p). Signer's secret: x.
  Signer:    w ∈_R Z_q; a := g^w (mod p)           → a to Recipient   (commitment)
  Recipient: ( ), ( ) ∈_R Z_q (two blinding values)
             a' := a · g^( ) · h^( ) (mod p)
             c' := H(a' ∥ m)
             c := c' + ( ) (mod q)                  → c to Signer      (challenge)
  Signer:    r := c·x + w (mod q)                   → r to Recipient   (response)
  Recipient: checks a =? g^r · h^c (mod p)
             r' := r + ( ) (mod q)
  Signature on m: (c', r').  Verification: c' =? H(g^{r'} · h^{c'} ∥ m)
  Notation: SPK{( ) : h g (mod p)}(m)
18-19 Brands issuing protocol (U-Prove)
  System parameters: (p, q, g, g_1 ≡ g^{y_1}, ..., g_l ≡ g^{y_l} (mod p)). Public key: h ≡ g^x (mod p).
  Issuer's secret: x, y_1, ..., y_l. Attributes: x_1, ..., x_l. h_U := ∏ g_i^{x_i} (mod p).
  Issuer: w ∈_R Z_q; a := g^w (mod p)                          → a to User     (commitment)
  User:   ( ), ( ), ( ) ∈_R Z_q (three blinding values)
          h' := g^( ) · h_U^( ) (mod p)
          c' := H(h' ∥ g^( ) · (h h_U)^( ) · a^( ))
          c := c' + ( ) (mod q)                                 → c to Issuer   (challenge)
  Issuer: r := c·(x + ∑_{i=1}^{l} x_i y_i) + w (mod q)          → r to User     (response)
  User:   checks a =? g^r · (h h_U)^c (mod p)
          r' := r + ( ) + c'·( ) (mod q)
  Signature on h': (c', r').  Verification: c' =? H(h' ∥ g^{r'} · (h h')^{c'})
  Notation: SPK{( ) : h g (mod p)}(( ), x_1, ..., x_l)
20 Brands showing protocol (U-Prove)
  System parameters: (p, q, g, g_1, ..., g_l). Public key: h ≡ g^x (mod p).
  Credential: (h', (c', r')). User's secret: ( ), x_1, ..., x_l.
  User:     ( ) ∈_R Z_q; for i ∈ {1, ..., l}: w_i ∈_R Z_q
            a := g^( ) · ∏ g_i^{w_i} (mod p)                     → a to Verifier              (commitment)
  Verifier: c ∈_R Z_q                                           → c to User                  (challenge)
  User:     r_0 := c·( ) + ( ) (mod q); r_i := c·x_i + w_i (mod q)   → r_0, r_1, ..., r_l to Verifier (response)
  Verifier checks: a =? g^{r_0} · ∏ g_i^{r_i} · h'^c (mod p)
  Notation: PK{(( ), µ_1, ..., µ_l) : h' ≡ g^( ) · ∏_{i=1}^{l} g_i^{µ_i} (mod p)}
21 Brands showing: selective disclosure
  System parameters: (p, q, g, g_1, ..., g_l). Public key: h ≡ g^x (mod p).
  Disclosed attributes: x_1, x_2. Credential: (h', (c', r')). User's secret: ( ), x_3, ..., x_l.
  User:     ( ) ∈_R Z_q; for i ∈ {3, ..., l}: w_i ∈_R Z_q
            a := g^( ) · ∏_{i=3}^{l} g_i^{w_i} (mod p)           → a to Verifier              (commitment)
  Verifier: c ∈_R Z_q                                           → c to User                  (challenge)
  User:     r_0 := c·( ) + ( ) (mod q); r_i := c·x_i + w_i (mod q) for i ≥ 3   → r_0, r_3, ..., r_l to Verifier (response)
  Verifier checks: a =? g^{r_0} · ∏_{i=3}^{l} g_i^{r_i} · h'^c (mod p)
  Notation: PK{(( ), µ_3, ..., µ_l) : h' ≡ g^( ) · g_1^{x_1} · g_2^{x_2} · ∏_{i=3}^{l} g_i^{µ_i} (mod p)}
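The showing protocol of slides 20 and 21 generalised to any set of disclosed attributes, as an added toy example that is not code from the slides or from U-Prove. It assumes the same constructed group as above, constructed generator exponents y_i, the sign convention g^{r} = a·h^{c}, and it leaves the issuer's signature (c', r') on h' out: only the proof that h' opens to the disclosed values plus hidden ones is modelled. Function names are mine.

```python
"""Brands-style showing with selective disclosure (added example; not the slides' code)."""
import secrets

P, Q, G = 2039, 1019, 4                       # constructed toy group, g of order q
# Attribute generators g_i := g^{y_i}. In U-Prove the y_i are issuer secrets (slide 18);
# here they are constructed constants. l = 4 attributes, indexed 0..3 in code.
Y = [7, 11, 13, 17]
GENS = [pow(G, y, P) for y in Y]


def credential_public(alpha, attrs):
    """h' := g^alpha * prod_i g_i^{x_i} mod p, the value the credential signs."""
    h = pow(G, alpha, P)
    for g_i, x_i in zip(GENS, attrs):
        h = (h * pow(g_i, x_i, P)) % P
    return h


def show_commit(disclosed):
    """User: w_0 <-R Z_q and w_i <-R Z_q for each hidden index i;
    a := g^{w_0} * prod_{hidden} g_i^{w_i} mod p. `disclosed` maps index -> claimed value."""
    hidden = [i for i in range(len(GENS)) if i not in disclosed]
    w0 = secrets.randbelow(Q)
    w = {i: secrets.randbelow(Q) for i in hidden}
    a = pow(G, w0, P)
    for i in hidden:
        a = (a * pow(GENS[i], w[i], P)) % P
    return (w0, w), a


def show_respond(alpha, attrs, state, c):
    """User: r_0 := w_0 + c*alpha and r_i := w_i + c*x_i (mod q) for hidden i only."""
    w0, w = state
    r0 = (w0 + c * alpha) % Q
    r = {i: (w_i + c * attrs[i]) % Q for i, w_i in w.items()}
    return r0, r


def show_verify(h_prime, disclosed, a, c, r0, r):
    """Verifier divides the disclosed attributes out of h' and checks
    g^{r_0} * prod_{hidden} g_i^{r_i} == a * (h' / prod_{disclosed} g_i^{x_i})^c (mod p)."""
    if set(r) != set(range(len(GENS))) - set(disclosed):
        return False                          # responses must cover exactly the hidden indices
    h_rest = h_prime
    for i, x_i in disclosed.items():
        h_rest = (h_rest * pow(GENS[i], (-x_i) % Q, P)) % P   # g_i^{-x_i}; g_i has order q
    lhs = pow(G, r0, P)
    for i, r_i in r.items():
        lhs = (lhs * pow(GENS[i], r_i, P)) % P
    return lhs == (a * pow(h_rest, c, P)) % P


def run_showing(alpha, attrs, disclosed, c=None):
    """One interactive run; c=None draws the verifier's challenge c <-R Z_q (slide 20).
    Returns (accepted, transcript)."""
    h_prime = credential_public(alpha, attrs)
    state, a = show_commit(disclosed)
    if c is None:
        c = secrets.randbelow(Q)
    r0, r = show_respond(alpha, attrs, state, c)
    return show_verify(h_prime, disclosed, a, c, r0, r), (a, c, r0, r)
```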
22 CL issuing protocol (Idemix) *
  System parameters: (n, R_0, ..., R_l, S, Z). Issuer's secret: p, q. User's secret: x_0.
  Attributes: x_1, ..., x_l; R := ∏_{i=1}^{l} R_i^{x_i} (mod n).
  User:   random v'; U := S^{v'} · R_0^{x_0} (mod n)
          PK{(( ), µ_0) : U ≡ ±S^( ) · R_0^{µ_0} (mod n)}                              → U, PK to Issuer
  Issuer: random v'' and prime e
          A := (Z / (U · S^{v''} · ∏_{i=1}^{l} R_i^{x_i}))^{1/e} (mod n)
          PK{( ) : A ≡ ±(Z / (U · S^{v''} · ∏_{i=1}^{l} R_i^{x_i}))^( ) (mod n)}        → (A, e, v''), PK to User
  User:   v := v' + v''; credential (A, e, v)
          check: Z =? A^e · S^v · ∏_{i=0}^{l} R_i^{x_i} (mod n)
  Plus: freshness with nonces → SPKs
  * without intervals
23 Randomized CL-signature
  Credential (A, e, v) satisfies Z ≡ A^e · S^v · ∏_{i=0}^{l} R_i^{x_i} (mod n).
  Randomization: A' := A · S^r (mod n), v' := v − e·r.
  Check: A'^e · S^{v'} · ∏_{i=0}^{l} R_i^{x_i}
       ≡ A^e · S^{er} · S^v · S^{−er} · ∏_{i=0}^{l} R_i^{x_i}
       ≡ A^e · S^v · ∏_{i=0}^{l} R_i^{x_i} ≡ Z (mod n)
24 CL showing protocol (Idemix) *
  System parameters: (n, R_0, ..., R_l, S, Z). Attributes: x_1, ..., x_l; R := ∏_{i=1}^{l} R_i^{x_i} (mod n).
  User's secret: x_0, (A, e, v).
  User:     random r → (A', e, v')
            PK{(( ), ( ), µ_0) : Z / ∏_{i=1}^{l} R_i^{x_i} ≡ ±A'^( ) · S^( ) · R_0^{µ_0} (mod n)}   → A', PK to Verifier
  Verifier: verifies the proof.
  Plus: freshness with a nonce → SPK
  * without intervals
25 CL showing: selective disclosure *
  System parameters: (n, R_0, ..., R_l, S, Z). Disclosed attributes: x_1, x_2; R := R_1^{x_1} · R_2^{x_2} (mod n).
  User's secret: x_0, x_3, ..., x_l, (A, e, v).
  User:     random r → (A', e, v')
            PK{(( ), ( ), µ_0, µ_3, ..., µ_l) : Z / (R_1^{x_1} · R_2^{x_2}) ≡ ±A'^( ) · S^( ) · R_0^{µ_0} · ∏_{i=3}^{l} R_i^{µ_i} (mod n)}   → A', PK to Verifier
  Verifier: verifies the proof.
  Plus: freshness with a nonce → SPK
  * without intervals
26 Similarities
  - Representation problem for signing multiple attributes
  - Protecting anonymity
  - Selective disclosure
  - Comparable efficiency (l: number of attributes, d: number of revealed attributes):
      Step                                         U-Prove     Idemix
      Issuing credential (# exponentiations)       l + 5       l + 7
      Selective disclosure (# exponentiations)     l − d + 1   l − d + 3
27 Differences (U-Prove vs. Idemix)
  - Basic assumption: DL vs. (strong) RSA
  - Blind signature: only the secret key vs. the attributes can be hidden from the issuer
  - User's secret key used only once vs. always
  - One-time showing vs. randomizable signature