Results 1 -
5 of
5
Automatic generation of sound zero-knowledge protocols (Extended Poster Abstract)
, 2008
"... Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that critically rely on ZK-PoKs are being deployed in the re ..."
Abstract
-
Cited by 8 (5 self)
- Add to MetaCart
Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that critically rely on ZK-PoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM). Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZK-PoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision with the goal to bring ZK-PoK to practice by automatically generating sound ZK-PoK protocols and make them accessible to crypto and security engineers. To this end we are developing protocols and compilers that support and automate the design and generation of secure and efficient implementation of ZK-PoK protocols.
Further Simplifications in Proactive RSA Signature Schemes
- TCC’05
, 2005
"... We present a new robust proactive (and threshold) RSA signature scheme secure with the optimal threshold of t
Abstract
-
Cited by 6 (1 self)
- Add to MetaCart
We present a new robust proactive (and threshold) RSA signature scheme secure with the optimal threshold of t<n/2 corruptions. The new scheme offers a simpler alternative to the best previously known (static) proactive RSA scheme given by Tal Rabin [36], itself a simplification over the previous schemes given by Frankel et al. [18, 17]. The new scheme is conceptually simple because all the sharing and proactive re-sharing of the RSA secret key is done modulo a prime, while the reconstruction of the RSA signature employs an observation that the secret can be recovered from such sharing using a simple equation over the integers. This equation was first observed and utilized by Luo and Lu in a design of a simple and efficient proactive RSA scheme [31] which was not proven secure and which, alas, turned out to be completely insecure [29] due to the fact that the aforementioned equation leaks some partial information about the shared secret. Interestingly, this partial information leakage can be proven harmless once the polynomial sharing used by [31] is replaced by top-level additive sharing with second-level polynomial sharing for back-up. Apart of conceptual simplicity and of new techniques of independent interests, efficiency-wise the new scheme gives a factor of 2 improvement in speed and share size in the general case, and almost a factor of 4 improvement for the common RSA public exponents 3, 17, or 65537, over the scheme of [36] as analyzed in [36]. However, we also present an improved security analysis and a generalization of the [36] scheme, which shows that this scheme remains secure for smaller share sizes, leading to the same factor of 2 or 4 improvements for that scheme as well.
Concurrent/Resettable Zero-Knowledge with Concurrent Soundness in the Bare Public-Key Model and Its Applications
, 2003
"... In this paper, we present both practical and general 4-round concurrent and resettable zeroknowledge arguments with concurrent soundness in the bare public-key (BPK) model. To our knowledge, our result is the first work that achieves concurrent soundness for ZK protocols in the BPK model and stan ..."
Abstract
-
Cited by 3 (0 self)
- Add to MetaCart
In this paper, we present both practical and general 4-round concurrent and resettable zeroknowledge arguments with concurrent soundness in the bare public-key (BPK) model. To our knowledge, our result is the first work that achieves concurrent soundness for ZK protocols in the BPK model and stands for the current state-of-the-art of concurrent zero-knowledge with setup assumptions.
Appeared in TCC-2010. Efficiency Preserving Transformations for Concurrent Non-Malleable Zero Knowledge
"... Abstract. Ever since the invention of Zero-Knowledge by Goldwasser, Micali, and Rackoff [1], Zero-Knowledge has become a central building block in cryptography- with numerous applications, ranging from electronic cash to digital signatures. The properties of Zero-Knowledge range from the most simple ..."
Abstract
- Add to MetaCart
Abstract. Ever since the invention of Zero-Knowledge by Goldwasser, Micali, and Rackoff [1], Zero-Knowledge has become a central building block in cryptography- with numerous applications, ranging from electronic cash to digital signatures. The properties of Zero-Knowledge range from the most simple (and not particularly useful in practice) requirements, such as honest-verifier zero-knowledge to the most demanding (and most useful in applications) such as non-malleable and concurrent zero-knowledge. In this paper, we study the complexity of efficient zero-knowledge reductions, from the first type to the second type. More precisely, under a standard complexity assumption (ddh), on input a public-coin honest-verifier statistical zero knowledge argument of knowledge π ′ for a language L we show a compiler that produces an argument system π for L that is concurrent non-malleable zero-knowledge (under non-adaptive inputs – which is the best one can hope to achieve [2, 3]). If κ is the security parameter, the overhead of our compiler is as follows:
Concurrent Knowledge Extraction in the Public-Key Model ∗
, 908
"... Knowledge extraction is a fundamental notion, modelling machine possession of values (witnesses) in a computational complexity sense. The notion provides an essential tool for cryptographic protocol design and analysis, enabling one to argue about the internal state of protocol players without ever ..."
Abstract
- Add to MetaCart
Knowledge extraction is a fundamental notion, modelling machine possession of values (witnesses) in a computational complexity sense. The notion provides an essential tool for cryptographic protocol design and analysis, enabling one to argue about the internal state of protocol players without ever looking at this supposedly secret state. However, when transactions are concurrent (e.g., over the Internet) with players possessing public-keys (as is common in cryptography), assuring that entities “know ” what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. Here, we investigate how to formally treat knowledge possession by parties (with registered public-keys) interacting over the Internet. Stated more technically, we look into the relative power of the notion of “concurrent knowledge-extraction ” (CKE) in the concurrent zero-knowledge (CZK) bare public-key (BPK) model. We show the potential vulnerability of man-in-the-middle (MIM) attacks turn out to be a real security threat to existing natural protocols running concurrently in the public-key model, which motivates us to introduce and formalize the notion of CKE. Then, both generic (based on standard polynomial assumptions) and efficient (employing complexity leveraging in a novel way) implementations for N P are presented for constant-round (in particular, round-optimal) concurrently knowledge-extractable concurrent zero-knowledge (CZK-CKE) arguments in the BPK model. The efficient implementation can be further high practically instantiated for specific number-theoretic language. Along the way, we discuss and clarify the various subtleties surrounding the security formulation and analysis, which provides insights into the complex CZK-CKE setting. 1
