Results 1-10 of 16
Efficient protocols for set membership and range proofs
In ASIACRYPT, 2008
"... Abstract. We consider the following problem: Given a commitment to a value σ, prove in zeroknowledge that σ belongs to some discrete set Φ. The set Φ can perhaps be a list of cities or clubs; often Φ can be a numerical range such as [1, 2 20]. This problem arises in ecash systems, anonymous creden ..."
Abstract

Cited by 24 (2 self)
Abstract. We consider the following problem: Given a commitment to a value σ, prove in zero-knowledge that σ belongs to some discrete set Φ. The set Φ can perhaps be a list of cities or clubs; often Φ can be a numerical range such as [1, 2^20]. This problem arises in e-cash systems, anonymous credential systems, and various other practical uses of zero-knowledge protocols. When using commitment schemes relying on RSA-like assumptions, there are solutions to this problem which require only a constant number of RSA-group elements to be exchanged between the prover and verifier [5, 16, 15]. However, for many commitment schemes based on bilinear group assumptions, these techniques do not work, and the best known protocols require O(k) group elements to be exchanged, where k is a security parameter. In this paper, we present two new approaches to building set-membership proofs. The first is based on bilinear group assumptions. When applied to the case where Φ is a range of integers, our protocols require O(k / (log k − log log k)) group elements to be exchanged. Not only is this result asymptotically better, but the constants are small enough to provide significant improvements even for small ranges. Indeed, for a discrete logarithm based setting, our new protocol is an order of magnitude more efficient than previously known ones. We also discuss alternative implementations of our membership proof based on the strong RSA assumption. Depending on the application, e.g., when Φ is a published set of values such as frequent flyer clubs, cities, or other ad hoc collections, these alternatives also outperform prior solutions.
A certifying compiler for zero-knowledge proofs of knowledge based on sigma-protocols
In ESORICS '10, 2010
"... Abstract. Zeroknowledge proofs of knowledge (ZKPoK) are important building blocks for numerous cryptographic applications. Although ZKPoK have very useful properties, their real world deployment is typically hindered by their significant complexity compared to other (noninteractive) crypto primit ..."
Abstract

Cited by 16 (2 self)
Abstract. Zero-knowledge proofs of knowledge (ZKPoK) are important building blocks for numerous cryptographic applications. Although ZKPoK have very useful properties, their real-world deployment is typically hindered by their significant complexity compared to other (non-interactive) crypto primitives. Moreover, their design and implementation is time-consuming and error-prone. We contribute to overcoming these challenges as follows: We present a comprehensive specification language and a certifying compiler for ZKPoK protocols based on Σ-protocols and composition techniques known in the literature. The compiler allows the fully automatic translation of an abstract description of a proof goal into an executable implementation. Moreover, the compiler overcomes various restrictions of previous approaches, e.g., it supports the important class of exponentiation homomorphisms with hidden-order codomain, needed for privacy-preserving applications such as idemix. Finally, our compiler is certifying, in the sense that it automatically produces a formal proof of security (soundness) of the compiled protocol (currently covering special homomorphisms) using the Isabelle/HOL theorem prover.
Automatic generation of sound zero-knowledge protocols (Extended Poster Abstract)
2008
"... Efficient zeroknowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that critically rely on ZKPoKs are being deployed in the re ..."
Abstract

Cited by 12 (6 self)
Efficient zero-knowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation. Currently, the first applications that critically rely on ZKPoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM). Implementing systems using ZKPoK turns out to be challenging, since ZKPoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZKPoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision with the goal of bringing ZKPoK to practice by automatically generating sound ZKPoK protocols and making them accessible to crypto and security engineers. To this end we are developing protocols and compilers that support and automate the design and generation of secure and efficient implementations of ZKPoK protocols.
On the portability of generalized Schnorr proofs
In EUROCRYPT 2009, LNCS, 2009
"... The notion of Zero Knowledge Proofs (of knowledge) [ZKP] is central to cryptography; it provides a set of security properties that proved indispensable in concrete protocol design. These properties are defined for any given input and also for any auxiliary verifier private state, as they are aimed a ..."
Abstract

Cited by 12 (5 self)
The notion of Zero Knowledge Proofs (of knowledge) [ZKP] is central to cryptography; it provides a set of security properties that have proved indispensable in concrete protocol design. These properties are defined for any given input and also for any auxiliary verifier private state, as they are aimed at any use of the protocol as a subroutine in a bigger application. Many times, however, moving the theoretical notion to practical designs has been quite problematic. This is due to the fact that the most efficient protocols fail to provide the above ZKP properties for all possible inputs and verifier states. This situation has created various problems for protocol designers, who have often either introduced imperfect protocols with mistakes or with a lack of security arguments, or have been forced to use much less efficient protocols in order to achieve the required properties. In this work we address this issue by introducing the notion of “protocol portability,” a property that identifies input and verifier state distributions under which a protocol becomes a ZKP when called as a subroutine in a sequential execution of a larger application. We then concentrate on the very efficient and heavily employed “Generalized Schnorr Proofs” (GSP) and identify the portability of such protocols. We also point to previous protocol weaknesses and errors that have been made in numerous applications throughout the years, due to employment of GSP instances while lacking the notion of portability (primarily in the case of unknown order
Bringing zero-knowledge proofs of knowledge to practice
In 17th International Workshop on Security Protocols, 2009
"... Abstract. Efficient zeroknowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multiparty computation. Currently, first applications that critically rely on ZKPoKs are being deployed ..."
Abstract

Cited by 10 (3 self)
Abstract. Efficient zero-knowledge proofs of knowledge (ZKPoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation. Currently, the first applications that critically rely on ZKPoKs are being deployed in the real world. The most prominent example is Direct Anonymous Attestation (DAA), which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic Trusted Platform Module (TPM) chip. Implementing systems using ZKPoK turns out to be challenging, since ZKPoK are, loosely speaking, significantly more complex than standard crypto primitives, such as encryption and signature schemes. As a result, implementation cycles of ZKPoK are time-consuming and error-prone, in particular for developers with minor or no cryptographic skills. In this paper we report on our ongoing and future research vision with the goal of bringing ZKPoK to practice by making them accessible to crypto and security engineers. To this end we are developing compilers and related tools that support and partially automate the design, implementation, verification and secure implementation of ZKPoK protocols.
Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols
In 19th ACM Conference on Computer and Communications Security, CCS 2012. ACM, 2012
"... Developers building cryptography into securitysensitive applications face a daunting task. Not only must they understand the security guarantees delivered by the constructions they choose, they must also implement and combine them correctly and efficiently. Cryptographic compilers free developers f ..."
Abstract

Cited by 8 (3 self)
Developers building cryptography into security-sensitive applications face a daunting task. Not only must they understand the security guarantees delivered by the constructions they choose, they must also implement and combine them correctly and efficiently. Cryptographic compilers free developers from having to implement cryptography on their own by turning high-level specifications of security goals into efficient implementations. Yet, trusting such tools is risky, as they rely on complex mathematical machinery and claim security properties that are subtle and difficult to verify. In this paper, we present ZKCrypt, an optimizing cryptographic compiler that achieves an unprecedented level of assurance without sacrificing practicality for a comprehensive class of cryptographic protocols, known as Zero-Knowledge Proofs of Knowledge. The pipeline of ZKCrypt tightly integrates purpose-built verified compilers and verifying compilers producing formal proofs in the CertiCrypt framework. By combining the guarantees delivered by each stage in the pipeline, ZKCrypt provides assurance that the implementation it outputs securely realizes the high-level proof goal given as input. We report on the main characteristics of ZKCrypt, highlight new definitions and concepts at its foundations, and illustrate its applicability through a representative example of an anonymous credential system.
ZQL: A compiler for privacy-preserving data processing
In USENIX Security, 2013
"... Open access to the Proceedings of the ..."
(Show Context)
Cryptanalysis of an efficient proof of knowledge of discrete logarithm
In PKC 06, volume 3958 of LNCS, 2006
"... Abstract. At PKC 2005, Bangerter, Camenisch and Maurer proposed an efficient protocol to prove knowledge of discrete logarithms in groups of unknown order. We describe an attack that enables the verifier to recover the full secret with essentially no computing power beyond what is required to run th ..."
Abstract

Cited by 5 (0 self)
Abstract. At PKC 2005, Bangerter, Camenisch and Maurer proposed an efficient protocol to prove knowledge of discrete logarithms in groups of unknown order. We describe an attack that enables the verifier to recover the full secret with essentially no computing power beyond what is required to run the protocol and after only a few iterations of it. We also describe variants of the attack that apply when some additional simple checks are performed by the prover.
Efficient Oblivious Augmented Maps: Location-Based Services with a Payment Broker
In: N. Borisov and P. Golle (Eds.): Privacy Enhancing Technologies, 7th International Symposium, PET 2007 (LNCS 4776), 2007
"... Abstract. Secure processing of location data in locationbased services (LBS) can be implemented with cryptographic protocols. We propose a protocol based on oblivious transfer and homomorphic encryption. Its properties are the avoidance of personal information on the services side, and a fair reven ..."
Abstract

Cited by 5 (2 self)
Abstract. Secure processing of location data in location-based services (LBS) can be implemented with cryptographic protocols. We propose a protocol based on oblivious transfer and homomorphic encryption. Its properties are the avoidance of personal information on the services' side, and a fair revenue distribution scheme. We discuss this in contrast to other LBS solutions that seek to anonymize information as well as possible towards the services. For this purpose, we introduce a proxy party. The proxy interacts with multiple services and collects money from subscribing users. Later on, the proxy distributes the collected payment to the services based on the number of subscriptions to each service. Neither the proxy nor the services learn the exact relation between users and the services they are subscribed to.
On the design and implementation of efficient zero-knowledge proofs of knowledge
In Software Performance Enhancements for Encryption and Decryption and Cryptographic Compilers – SPEED-CC 09
"... Abstract. Zeroknowledge proofs of knowledge (ZKPoK) play an important role in many cryptographic applications. Direct anonymous attestation (DAA) and the identity mixer anonymous authentication system are first real world applications using ZKPoK as building blocks. But although being used for ma ..."
Abstract

Cited by 5 (2 self)
Abstract. Zero-knowledge proofs of knowledge (ZKPoK) play an important role in many cryptographic applications. Direct anonymous attestation (DAA) and the identity mixer anonymous authentication system are the first real-world applications using ZKPoK as building blocks. But although they have been used for many years now, the design and implementation of sound ZKPoK remains challenging. In fact, there are security flaws in various protocols found in the literature. Especially for non-experts in the field it is often hard to design ZKPoK, since a unified and easy-to-use theoretical framework for ZKPoK is missing. With this paper we overcome important challenges and facilitate the design and implementation of efficient and sound ZKPoK in practice. First, Camenisch et al. presented at EUROCRYPT 2009 a first unified and modular theoretical framework for ZKPoK. This is compelling, but makes use of a rather inefficient 6-move protocol. We extend and improve their framework in terms of efficiency and show how to realize it using efficient 3-move Σ-protocols. Second, we perform an exact security and efficiency analysis for our new protocol and various protocols found in the literature. The analysis yields novel and perhaps surprising results and insights. It reveals for instance that using a 2048-bit RSA modulus, as specified in the DAA standard, only guarantees an upper bound on the success probability of a malicious prover between 1/2^4 and 1/2^24. Also, based on that analysis we show how to select the most efficient protocol to realize a given proof goal. Finally, we also provide low-level support to a designer by presenting a compiler realizing our framework and optimization techniques, allowing easy implementation of efficient and sound protocols.