predicate-preserving collision-resistant hashing
DESCRIPTION
The slides of the defense of my thesis in Santiago de Chile.TRANSCRIPT
Predicate-Preserving Collision-Resistant Hashing
Philippe Camacho
November 18, 2013
Advisor Alejandro Hevia
Co-advisor Jérémy Barbay
Committee
Marcos Kiwi
Gonzalo Navarro
Gregory Neven
http://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall
Motivation
Database
Cloud Alice
I need to outsource my database for
scaling reasons
How can I be sure that I obtain Bob’s
database data and not something else?
We need to handle a short representation of the database.
Bob
Collision-Resistance
V
If 𝑋 ≠ 𝑋′ and 𝐻 𝑋 = 𝐻 𝑋’ then
the adversary has found a collision.
openssl.tar.gz
File’
𝑋 =
𝑋′ =
Cryptology = Algorithms ∩ Security
Algorithms Security
Cryptology
This Thesis
Programming Languages
Operating Systems
Networks
Distributed Systems
Databases Data-
structures
Hash Functions
Computer Science
Digital Signatures
Why Collision-Resistance is not enough
𝑆 = 0111100111111111 𝑆𝐻𝐴 − 3(𝑆)
How can I convince (efficiently) someone that 𝑺 … contains a 1 in position 5? starts with 0111? contains more 1’s than 0’s ? …
Predicate: P(𝑋, 𝑥) = 𝑇𝑟𝑢𝑒 𝑥 𝜖 𝑋
𝑋 = * 𝑥1, 𝑥2, 𝑥3, 𝑥4, 𝑥5+ 𝐻(𝑋)
𝑷𝒓𝒐𝒐𝒇𝑮𝒆𝒏(𝑋, 𝑥) = 𝜋
𝐻(𝑋)
𝑷𝒓𝒐𝒐𝒇𝑪𝒉𝒆𝒄𝒌 𝐻 𝑋 , 𝑥, 𝜋 = 𝑌𝐸𝑆 𝑥 𝜖 X
𝜋
0 1
2
3
Known as Accumulators. A lot of applications: e-cash, zero-knowledge sets, anonymous credentials & ring signatures, database authentication, …
Predicate-Preserving Collision-Resistant
Hashing
Map
Accumulators
Optimal Data Authentication
Transitive Signatures
Short Transitive Signatures For Directed Trees
Fair Exchange of Short Signatures without Trusted Third Party
Optimal Data Authentication From Directed Transitive
Signatures
Strong Accumulators From Collision-Resistant
Hashing
Impossibility of Batch Update For Cryptographic
Accumulators
Pivot
Difficult Problem (Still Open BTW)
1
2
3
4
5
6
7
8 9
ISC 2008
LatinCrypt 2010
eprint 2011
CT-RSA 2012
CT-RSA 2013
Predicate-Preserving Collision-Resistant
Hashing
Map
Accumulators
Optimal Data Authentication
Transitive Signatures
Short Transitive Signatures For Directed Trees
Fair Exchange of Short Signatures without Trusted Third Party
Optimal Data Authentication From Directed Transitive
Signatures
Strong Accumulators From Collision-Resistant
Hashing
Impossibility of Batch Update For Cryptographic
Accumulators
Pivot
Difficult Problem (Still Open BTW)
1
2
3
4
5
6
7
8 9
Outsourcing Securely a Database
How can Alice be sure that the reply she gets corresponds to the real state of the database?
𝐼𝑁𝑆𝐸𝑅𝑇 (𝑥) 𝑆𝑖𝑔𝑛(𝑆𝐾, 𝑥) = 𝜎𝑥
Replay Attack (*)
Does 𝑥 belong to 𝑋?
𝑌𝐸𝑆: 𝜎𝑥
(*) The reason why trivial solutions don’t work.
𝐷𝐸𝐿𝐸𝑇𝐸 (𝑥)
Replay Attack (*)
Does 𝑥 belong to 𝑋?
𝑌𝐸𝑆: 𝜎𝑥
(*) The reason why trivial solutions don’t work.
Manager
Acc1, Acc2 Acc1 Insert(x)
( x , )
Acc1, Acc2, Acc3
Verify( x , , Acc3) = YES
Witness
Delete(x)
Verify( x , , Acc4) = NO
Alice
Manager
Acc1, Acc2, Acc3, Acc4
Manager
Acc1, Acc2 Acc1 Insert(x)
( x , )
Acc1, Acc2, Acc3
Verify( x , , Acc3) = YES
Witness
Cryptographic Accumulator
Manager
Alice 1 Alice 2 Alice 3
x1 w1 x2 w2 x3 w3
Acc1 Acc1, Acc2 Acc1, Acc2, Acc3
Problem: after each update of the
accumulated value it is necesarry
to recompute all the witnesses.
Manager …,Acc99, Acc100, Acc101,…, Acc200,…
(x1,w1,Acc100)
( x2,w2,Acc100)
( x6,w6,Acc100)
(x36,w36,Acc100)
( x87,w87,Acc100)
(x1,w1,Acc100)
( x20,w20,Acc100)
( x69,w68,Acc100) ( x64,w64,Acc100) …
(x1,w1,Acc100)
( x2,w2,Acc100)
( x6,w6,Acc100) ….
Alice 42 Alice 29 Alice 1 Alice 2
Upd100,200
Batch Update [FN02]
Manager …,Acc99, Acc100, Acc101,…, Acc200,…
(x1,w1’,Acc200)
( x2,w2’,Acc200)
( x6,w6’,Acc200)
(x36,w36’,Acc200)
( x87,w87’,Acc200)
(x1,w1’,Acc200)
( x20,w20’,Acc200)
( x69,w68’,Acc200) ( x64,w64’,Acc200) …
(x1,w1’,Acc200)
( x2,w2’,Acc200)
( x6,w6’,Acc200) ….
Alice 42 Alice 29 Alice 1 Alice 2
Batch Update [FN02]
Batch Update [FN02]
Trivial solution: 𝑈𝑝𝑑𝑋𝑖, 𝑋𝑗 = *list of all witnesses for 𝑋𝑗+
What we would like: |𝑈𝑝𝑑𝑋𝑖, 𝑋𝑗| = 𝑂(1)
Attack on [WWP08]
But 𝒙𝟏 does not belong to 𝑿𝟐!
𝑿𝟎 ∶= Ø
Insert 𝒙𝟏
Delete 𝒙𝟏 𝑿 𝟏∶= *𝒙𝟏+
Please send 𝑼𝒑𝒅𝑿𝟏, 𝑿𝟐 𝑿𝟐 = ∅
𝑼𝒑𝒅𝑿𝟏, 𝑿𝟐
With 𝑼𝒑𝒅𝑿𝟏, 𝑿𝟐 I can update my witness 𝒘𝒙𝟏
Manager
Batch Update is Impossible [CH10]
• Theorem: Let 𝑨𝒄𝒄 be a secure accumulator scheme with deterministic 𝑼𝒑𝒅𝑾𝒊𝒕
and 𝑽𝒆𝒓𝒊𝒇𝒚 algorithms.
For an update involving 𝒎 delete operations in a set of 𝑵 elements,
the size of the update information 𝑼𝒑𝒅𝑿, 𝑿′ required by the algorithm
𝑼𝒑𝒅𝑾𝒊𝒕 is (𝒎 log (𝑵/𝒎)).
In particular if 𝒎 = 𝑵/𝟐 we have 𝑼𝒑𝒅𝑿, 𝑿′ = 𝒎 = (𝑵)
Predicate-Preserving Collision-Resistant
Hashing
Map
Accumulators
Optimal Data Authentication
Transitive Signatures
Short Transitive Signatures For Directed Trees
Fair Exchange of Short Signatures without Trusted Third Party
Optimal Data Authentication From Directed Transitive
Signatures
Strong Accumulators From Collision-Resistant
Hashing
Impossibility of Batch Update For Cryptographic
Accumulators
Pivot
Difficult Problem (Still Open BTW)
1
2
3
4
5
6
7
8 9
What happens when the Database Owner is not Trusted?
Insert(x)
Belongs(x)
NO
OK
The adversary is lying! How to prevent such a
behaviour?
Manager
(New) Security Model [CHKO08]
Acc1, Acc2, Acc3
Upd1, Upd2, Upd3
𝑉𝑒𝑟𝑖𝑓𝑦𝑈𝑝𝑑𝐴𝑑𝑑(𝐴𝑐𝑐1, 𝐴𝑐𝑐2, 𝑈𝑝𝑑1)
𝐼𝑛𝑠𝑒𝑟𝑡(𝑥)
𝐼𝑛𝑠𝑒𝑟𝑡(𝑦)
𝐷𝑒𝑙𝑒𝑡𝑒(𝑥)
𝑥 ∈ 𝑋? 𝑌𝑒𝑠/𝑁𝑜 𝜋
𝑉𝑒𝑟𝑖𝑓𝑦 (𝐴𝑐𝑐3, 𝑥, 𝜋)
Main Idea of the Construction [CHKO08]
• Merkle Trees [M87]
Z1=H(Y1||Y2)
Y1=H(x4||x1)
x4 x1 x5 x6 x2 x8 x7 x3
Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)
Z2=H(Y3||Y4)
P=H(Z1||Z2)
Root value:
Represents
the set
*𝑥1, … , 𝑥8+
Predicate-Preserving CRHF
Z1=H(Y1||Y2)
Y1=H(x4||x1)
x4 x1 x5 x6 x2 x8 x7 x3
Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)
Z2=H(Y3||Y4)
P=H(Z1||Z2)
H’
Proof for predicate 𝒙𝟐 ∈ 𝑿
𝑂( log 𝑛)
Technical difficulties
• The tree needs to grow dynamically – Not enough to use leaves for storing values
• How to handle membership and non-membership predicates
– Kocher’s trick [Koch98]
• 𝑿 = *𝒙𝟏, 𝒙𝟐, 𝒙𝟑, … , 𝒙𝒏+
• 𝒙 ∉ 𝑿 ⇔ 𝒙𝟐 < 𝒙 < 𝒙𝟑
• Some security issues arise
– Need to apply padding-techniques (Thanks Gregory!)
Main Theorem [CHKO08]
• Theorem: The accumulator is secure if CRHF exist.
All operations run in logarithmic time w.r.t. to the size of the set.
Predicate-Preserving Collision-Resistant
Hashing
Map
Accumulators
Optimal Data Authentication
Transitive Signatures
Short Transitive Signatures For Directed Trees
Fair Exchange of Short Signatures without Trusted Third Party
Optimal Data Authentication From Directed Transitive
Signatures
Strong Accumulators From Collision-Resistant
Hashing
Impossibility of Batch Update For Cryptographic
Accumulators
Pivot 1
2
3
4
5
6
7
8 9
Difficult Problem (Still Open BTW)
A challenging open problem Optimal Data Authentication (ODA)
Time to compute the proofs: 𝑂(log 𝑛) Time to verify the proof : 𝑂(1)
Using (known) accumulators we only get…
𝑛 = 9, 𝜖 = 1 𝑶( 𝒏) v/s 𝑶(𝟏)
𝑛 = 9, 𝜖 = 2 𝑶( 𝒏) v/s 𝑶(𝟏)
Trade off (Time to compute the proof v/s Time to Verify the proofs)
𝑶(𝝐 𝒏𝟏/𝝐 ) v/s 𝑶 𝝐
𝜖 = log𝑛 𝑶(𝐥𝐨𝐠𝒏) v/s 𝑶(𝐥𝐨𝐠 𝒏)
…
Predicate-Preserving Collision-Resistant
Hashing
Map
Accumulators
Optimal Data Authentication
Transitive Signatures
Short Transitive Signatures For Directed Trees
Fair Exchange of Short Signatures without Trusted Third Party
Optimal Data Authentication From Directed Transitive
Signatures
Strong Accumulators From Collision-Resistant
Hashing
Impossibility of Batch Update For Cryptographic
Accumulators
Pivot
Difficult Problem (Still Open BTW)
1
2
3
4
5
6
7
8 9
Intro to Cryptology
0
How do we sign a graph?
a
b
Is there a path from 𝑎 to 𝑏?
𝑮
Trivial Solutions
Let 𝒏 = |𝑮|, security parameter 𝛋 When adding a new node… • Sign each edge
– Time to sign: 𝑶(𝟏) – Size of signature: 𝑶(𝒏𝜿) bits
• Sign each path
– Time to sign (new paths): 𝑶(𝒏) – Size of signature: 𝑶(𝜿) bits
Transitive Signature Schemes [MR02,BN05,SMJ05]
𝜎𝐴𝐵 𝜎𝐵𝐶 𝐴 𝐵 𝐶
← 𝑇𝑉𝑒𝑟𝑖𝑓𝑦(𝐴, 𝐶, 𝜎𝐴𝐶, )
Combiner
𝜎𝐴𝐶 ← 𝐶𝑜𝑚𝑏𝑖𝑛𝑒(𝜎𝐴𝐵,𝜎𝐵𝐶, ) 𝜎𝑋𝑌 ← 𝑇𝑆𝑖𝑔𝑛(𝑋, 𝑌, 𝜎𝑋𝑌, )
𝜎𝐴𝐶
𝐷𝑇𝑆 ⇒ 𝑂𝐷𝐴 [C11]
𝑥1 𝑥2 𝑥3 … … … 𝑥25 𝑥26 𝑥27
𝑡1
𝑥15 𝑦15
𝑡2 𝑡3
𝑥19 𝑦19
𝑶(log 𝒏)
Sounds good, but…
• [MR02,BN05,SMJ05] for UNDIRECTED graphs
• Transitive Signatures for Directed Graphs (DTS) still OPEN
• [Hoh03] DTS ⇒ Trapdoor Groups with Infeasible Inversion
Predicate-Preserving Collision-Resistant
Hashing
Map
Accumulators
Optimal Data Authentication
Transitive Signatures
Short Transitive Signatures For Directed Trees
Fair Exchange of Short Signatures without Trusted Third Party
Optimal Data Authentication From Directed Transitive
Signatures
Strong Accumulators From Collision-Resistant
Hashing
Impossibility of Batch Update For Cryptographic
Accumulators
Pivot
Difficult Problem (Still Open BTW)
1
2
3
4
5
6
7
8 9
Intro to Cryptology
0
Transitive Signatures for Directed Trees
Previous Work
• [Yi07]
• Signature size: 𝒏 log (𝒏 log 𝒏) bits • Better than 𝑶(𝒏𝜿) bits for the trivial solution
• RSA related assumption
• [Neven08]
• Signature size: 𝒏 log 𝒏 bits
• Standard Digital Signatures
𝑶(𝒏 log 𝒏) bits still impractical
Our Results
Examples 𝝐 = 𝟏 𝝐 = 𝟐 𝝐 = log (𝒏)
Time to sign edge / verify path signature
𝑶(𝟏) 𝑶(𝟏) 𝑶(log 𝒏)
Time to compute a path signature
𝑶(𝒏/𝜿) 𝑶( 𝒏/𝜿) 𝑶(log 𝒏)
Size of path signature 𝑶(𝜿) 𝑶(𝜿) 𝑶(𝜿 log 𝒏)
• For 𝝐 ≥ 𝟏 • Time to sign edge / verify path signature: 𝑶(𝝐) • Time to compute a path signature: 𝑶(𝝐(𝒏 𝜿 )1/𝝐) • Size of path signature: 𝑶(𝝐𝜿) bits
Pre/Post Order Tree Traversal
a
h b
c
d
i j k
e f g
Pre order: a b c d e f g h i j k Post order: c e f g d b i j k h a
Property of Pre/Post order Traversal
• Proposition [Dietz82]
a
h b
c
d
i j k
e f g
Pre order: a b c d e f g h i j k Post order: c e f g d b i j k h a
𝒑𝒐𝒔 𝒙 < 𝒑𝒐𝒔 𝒚 in 𝑷𝒓𝒆 𝒑𝒐𝒔 𝒚 < 𝒑𝒐𝒔(𝒙) in 𝑷𝒐𝒔𝒕
There is a path from 𝒙 to 𝒚 ⇔
Idea
a
h b
c i j k
e f
d
Signature of path (𝒂, 𝒆): • Signature of 𝒂||𝟏||𝟏𝟎 • Signature of 𝒆||𝟓||𝟐
• Check signatures • Check
𝟏 < 𝟓 𝟏𝟎 > 𝟐
• Compute 𝒑𝒐𝒔(𝒙) in 𝑷𝒓𝒆 and 𝑷𝒐𝒔𝒕
• E.g.: Sign 𝒂||𝟏||𝟏𝟎
Position 1 2 3 4 5 6 7 8 9 10
Pre a b c d e f h i j k
Post c e f d b i j k h a
Is there a path from 𝑎 to 𝑒?
𝑮
Challenge: handle changes
Intuition: tricks to assign labels to the vertices so that these labels do not change. We use Order DS.
Remaining task: to compare large labels efficiently
Predicate: P(𝑆, 𝑃) = 𝑇𝑟𝑢𝑒 𝑃 and S share a common prefix
𝑆 = 1000111 𝑃 = 10000
𝐻(𝑆), 𝐻(𝑃)
𝑷𝒓𝒐𝒐𝒇𝑮𝒆𝒏(𝑆, 𝑃) = 𝜋
In the litterature: Accumulators A lot of applications: e-cash, zero-knowledge sets, anonymous credentials & ring signatures, database authentication, …
𝐻 𝑆 ,𝐻(𝑃)
𝑷𝒓𝒐𝒐𝒇𝑪𝒉𝒆𝒄𝒌 𝐻 𝑆 ,𝐻(𝑃), 𝜋 = 𝑌𝐸𝑆 𝑃 and 𝑆 share a common
prefix until position 4
𝜋
0 1
2
3
Very easy to derive a bigger family of predicates: • Suffix • Substring • Compare through lexicographical order • …
Security
𝑯𝑮𝒆𝒏(𝟏𝜿, 𝒏) → 𝑷𝑲 (𝑨, 𝑩, 𝝅, 𝒊)
𝑨𝒅𝒗 𝑨 = 𝐏𝐫 𝑷𝒓𝒐𝒐𝒇𝑪𝒉𝒆𝒄𝒌 𝑯 𝑨 ,𝑯 𝑩 , 𝒊, 𝝅, 𝑷𝑲 = 𝑻𝒓𝒖𝒆
∧𝑨 𝟏. . 𝒊 ≠ 𝑩 𝟏. . 𝒊
Bilinear maps (pairings)
• 𝑝, 𝑒, 𝐺, 𝐺𝑇 , 𝑔 ← 𝐵𝑀𝐺𝑒𝑛 1𝑘
• 𝐺 = 𝐺𝑇 = 𝑝
• 𝑒: 𝐺 × 𝐺 → 𝐺𝑇
• 𝑒 𝑔𝑎, 𝑔𝑏 = 𝑒 𝑔, 𝑔 𝑎𝑏
• 𝑒 𝑔, 𝑔 generates 𝐺𝑇
AMAZING TOOL: • Started in 2001 • Thousands of
publications • Dedicated
Conference (Pairings)
n-BDHI assumption [BB04]
𝒆: 𝑮 × 𝑮 → 𝑮𝑻 𝒔 ← 𝒁𝒑
𝒈 generator of 𝑮 (𝒈𝒔, 𝒈𝒔
𝟐
, … , 𝒈𝒔𝒏
)
𝒆(𝒈, 𝒈)𝟏 𝒔
The Hash Function
• 𝑯𝑮𝒆𝒏(𝟏𝜿, 𝒏)
𝒑, 𝑮, 𝑮𝑻, 𝒆, 𝒈 ← 𝐵𝑀𝐺𝑒𝑛 1𝜅
𝒔 ← 𝒁𝒑 𝑻:= (𝒈𝒔, 𝒈𝒔
𝟐
, … , 𝒈𝒔𝒏
) return 𝑷𝑲:= (𝒑, 𝑮, 𝑮𝑻, 𝒆, 𝒈, 𝑻)
• 𝑯𝑬𝒗𝒂𝒍(𝑴,𝑷𝑲)
𝑯(𝑴) ∶= 𝒈𝑴 𝒊 𝒔𝒊
𝒏
𝒊=𝟏
Toy example: 𝑴 = 𝟏𝟎𝟎𝟏 ⇒ 𝑯 𝑴 = 𝒈𝒔 . 𝒈𝒔
𝟒
Generating & Verifying Proofs
• 𝑨 = 𝑨 𝟏. . 𝒏 = 𝟏𝟎𝟎𝟎𝟏𝟏𝟏𝟎𝟎𝟏
• 𝑩 = 𝑩,𝟏. . 𝒏- = 𝟏𝟎𝟎𝟎𝟏𝟎𝟏𝟏𝟎𝟎
• 𝜟 ∶=𝑯 𝑨
𝑯 𝑩=𝒈𝒔𝒈𝒔
𝟓𝒈𝒔𝟔𝒈𝒔𝟕𝒈𝒔𝟏𝟎
𝒈𝒔𝒈𝒔𝟓𝒈𝒔𝟕𝒈𝒔𝟖
= 𝒈𝒔
𝟔
𝒈−𝒔𝟖 𝒈𝒔𝟏𝟎
• 𝜟 = 𝒈𝑪 𝒋 𝒔𝒋𝒏
𝒋=𝟏 with 𝑪 = ,𝟎, 𝟎, 𝟎, 𝟎, 𝟎, 𝟏, 𝟎, −𝟏, 𝟎, 𝟏-
Generating & Verifying Proofs
• 𝜟 = 𝒈𝑪 𝒋 𝒔𝒋𝒏
𝒋=𝟏 with 𝑪 = ,𝟎, 𝟎, 𝟎, 𝟎, 𝟎, 𝟏, 𝟎, −𝟏, 𝟎, 𝟏-
• “Remove” factor 𝐬𝐢+1 in the exponent without knowing 𝐬
𝝅 ≔ 𝜟𝟏
𝒔𝒊+𝟏 = 𝒈𝑪 𝒋 𝒔
𝒋−𝒊−𝟏
𝒏
𝒋=𝒊+𝟏
= 𝒈 𝒈−𝒔𝟐𝒈𝒔𝟒
• Check the proof : 𝒆(𝝅,𝒈𝒔𝒊+1) = 𝒆(𝜟, 𝒈)
Security [CH12]
• Proposition: If the n-BDHI assumption holds, then the previous construction is a CRHF that preserves the common-prefix predicate.
• Proof (idea)
𝐇 𝐀 = 𝐠𝐬 𝐠𝐬𝟓
𝐇 𝐁 = 𝐠𝐬 𝐠𝐬
𝟑
𝐠𝐬𝟔
𝚫 =𝐇 𝐀
𝐇 𝐁= 𝐠−𝒔
𝟑 𝐠𝐬𝟓
𝒈−𝒔𝟔
𝛑 = 𝚫𝟏
𝒔𝟒 = 𝐠−𝟏 𝒔 𝐠𝐬 𝐠−𝐬𝟐
𝐀 = 𝟏𝟎𝟎𝟎𝟏𝟎 𝐁 = 𝟏𝟎𝟏𝟎𝟎𝟏 𝐢 = 𝟑
Tradeoff 𝒏 = 𝟓𝟒, 𝜿 = 𝟐, 𝚺 = 𝒂, 𝒃, 𝒄, 𝒅 𝒏 𝜿 = 𝟓𝟒 𝟐 = 𝟐𝟕 𝝀 = 𝟑 ⇒ (𝒏 𝜿 )𝟏 𝝀 = 𝟑
Predicate-Preserving Collision-Resistant
Hashing
Map
Accumulators
Optimal Data Authentication
Transitive Signatures
Short Transitive Signatures For Directed Trees
Fair Exchange of Short Signatures without Trusted Third Party
Optimal Data Authentication From Directed Transitive
Signatures
Strong Accumulators From Collision-Resistant
Hashing
Impossibility of Batch Update For Cryptographic
Accumulators
Pivot
Difficult Problem (Still Open BTW)
1
2
3
4
5
6
7
8 9
Modeling Transactions with Digital Signatures
Buyer Seller
Digital Check
Software License
The problem: Who starts first? Impossibility Result [Cleve86]
Gradual Release of a Secret
1001 0111
Bob’s signature Alice’s signature
1
0
0
1
0
1
1
1
Allows to circumvent Cleve’s impossibility result (relaxed security definition).
How do I know that the bit I received is not garbage?
Contributions
• Formal definition of Partial Fairness
• Efficiency
• First protocol for Boneh-Boyen signatures
𝜿: Security Parameter 𝜿 = 𝟏𝟔𝟎
# Rounds 𝜅 + 5 165
Communication 16𝜅2 + 12𝜅 bits ≈ 52 kB
# Crypto operations per participant
≈ 30𝜅 ≈ 4800
Commitments
secret
Commitment
secret = +
I will try to open the box with
another value.
I will attempt to find out what is
in the box before I get the key.
1
2
3
secret
The secret is revealed.
Zero-Knowledge Proofs of Knowledge
0 𝜋 ,
I want to fool Alice: Make her believe that the value in the box is binary while it is not (e.g: 15).
I want to know exactly what is in the box (not only that the secret is a bit).
= Yes / No + 0 𝜋
1
2
Prove you know the content of the box and something about this content without opening the box.
Intuition of the Construction [C13]
Signature
1 0 1 1 0 0
35 = 100011 2 Encrypted Signature = + 1
2
3 𝜋1 Each small box contains a bit.
𝜋2 The sequence of small boxes is the binary decomposition of the secret inside the big box.
4 1 0 1 1 0 0 0 0 0 1 1 1
Conclusion
• We introduced the concept of Predicate-Preserving Collision-Resistant Hashing
• Many open questions
– Optimal Data Authentication
– Relationship between predicate complexity and size for proofs
– Apply these techniques to authenticated pattern matching
– Find new applications…
Bibliography
• [BB04] Dan Boneh and Xavier Boyen. Short Signatures Without Random Oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004.
• [ BN05] Mihir Bellare and Gregory Neven. Transitive Signatures: New Schemes and Proofs. IEEE Transactions on Information Theory, 51(6):2133–2151, 2005.
• [ Cleve86] Richard Cleve. Limits on the security of coin flips when half the processors are faulty. In STOC, 1986.
• [ Dietz82 ] Paul F. Dietz. Maintaining Order in a Linked List. In STOC, pages 122–127. ACM Press, May 1982.
• [ FN02] Nelly Fazio and Antonio Nicolisi. Cryptographic Accumulators: Definitions, Constructions and Applications. Technical report, 2002.
• [GM84] Goldwasser, Shafi, and Silvio Micali. "Probabilistic encryption." Journal of computer and system sciences , 1984
• [GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM, 1988.
• [ Hoh03] Susan Rae Hohenberger. The Cryptographic Impact of Groups with Infeasible Inversion. Master’s thesis, Massachusetts Institute of Technology, 2003.
Bibliography
• [MR02] Silvio Micali and Ronald Rivest. Transitive Signature Schemes. In Bart Preneel, editor, CT-RSA, 2002.
• [SMJ05] Siamak Fayyaz Shahandashti, Mahmoud Salmasizadeh, and Javad Mohajeri. A Provably Secure Short Transitive Signature Scheme from Bilinear Group Pairs. In Carlo Blundo and Stelvio Cimato, editors, Security in Communication Networks, 2005.
• [WWP08] Peishun Wang, Huaxiong Wang, and Josef Pieprzyk. Improvement of a Dynamic Accumulator at ICICS 07 and Its Application in Multi-user Keyword-Based Retrieval on Encrypted Data. In Asia-Pacific Conference on Services Computing, 2008.
Strong Accumulators from CRHF
Hashing: padding-techniques
The trees are different yet
yield the same hash value.
We need to hash the final value (root) and concatenated with some data on the “shape” of the tree:
𝑯(𝑯’(𝒂||𝒃)||𝟏||𝟏)
Batch Update
Batch Update is Impossible [CH10]
• Theorem: Let 𝑨𝒄𝒄 be a secure accumulator scheme with deterministic 𝑼𝒑𝒅𝑾𝒊𝒕
and 𝑽𝒆𝒓𝒊𝒇𝒚 algorithms.
For an update involving 𝒎 delete operations in a set of 𝑵 elements,
the size of the update information 𝑼𝒑𝒅𝑿, 𝑿′ required by the algorithm
𝑼𝒑𝒅𝑾𝒊𝒕 is (𝒎 log (𝑵/𝒎)).
In particular if 𝒎 = 𝑵/𝟐 we have |𝑼𝒑𝒅𝑿, 𝑿′| = (𝒎) = (𝑵)
X={x1,x2,…,xN}
X={x1,x2,…,xN}
AccX , {w1,w2,…,wN}
Compute AccX, {w1,w2,…,wN}
Delete Xd:={xi1
,xi2,…,xim
} X’ := X\Xd
AccX’ , UpdX,X’
Compute AccX’,UpdX,X’
Proof 1/3
User Manager
Proof 2/3
User
X={x1,x2,…,xN} {w1,…,wN} AccX, AccX’, UpdX,X’
For each element xєX
w’ := UpdWit(w,AccX,AccX’,UpdX,X’) x w’ valid?
YES
NO
CASE 1
User can reconstruct the set Xd
CASE 1
If x is not in X’ => Scheme insecure x still in X’
CASE 2
CASE 2
If x is in X’ => Scheme incorrect x not in X’ anymore
Proof 3/3
• There are subsets of m elements in a set of N elements
• We need log ≥ m log(N/m) bits to encode Xd
( ) N m
( ) N m
Transitive Signatures
Digital Signatures
𝜎 = 𝑆𝑖𝑔𝑛(𝑆𝐾,𝑚)
SK PK
PK
𝑌𝐸𝑆/𝑁𝑂 = 𝑉𝑒𝑟𝑖𝑓𝑦(𝑃𝐾, 𝜎,𝑚)
If the 𝑉𝑒𝑟𝑖𝑓𝑦 algorithm returns 𝑌𝐸𝑆, I am sure Alice is the
author of message 𝑚.
Security for Digital Signatures [GMR88]
(Adversary) (Oracle)
Signature request for message 𝑚1
𝜎1
𝑃𝐾
…
(𝜎,𝑚) such that 𝑉𝑒𝑟𝑖𝑓𝑦(𝑃𝐾, 𝜎,𝑚) returns 𝑌𝐸𝑆 but 𝑚 has not been requested before
This should not happen!
Signature request for message 𝑚2
𝜎2
Signature request for message 𝑚𝑖
𝜎𝑖
Security of transitive signatures [MR02]
(𝐴, 𝐵)
𝜎𝐴𝐵
(𝐵, 𝐶)
σBC
(𝐵, 𝐷)
𝜎𝐵𝐷
(𝐴, 𝐸)
𝜎𝐴𝐸
𝐴
𝐵
𝐶 𝐷
E 𝜎∗, 𝐵, 𝐸 : ← 𝑇𝑉𝑒𝑟𝑖𝑓𝑦(𝐵, 𝐸, 𝜎∗, ) and
There is no path from 𝑩 to 𝑬
ODA is still open
• [PTT10] Papamanthou, Charalampos, Roberto Tamassia, and Nikos Triandopoulos. "Optimal authenticated data structures with multilinear forms." Pairing-Based Cryptography-Pairing 2010. Springer Berlin Heidelberg, 2010. 246-264.
• [CLT13] Coron, Jean-Sébastien, Tancrede Lepoint, and Mehdi Tibouchi. "Practical Multilinear Maps over the Integers." IACR Cryptology ePrint Archive 2013 (2013): 183.
[PTT10] Only works for the two-party model.
Size of proof are 𝑶(𝟏) but time to verify is 𝑶 log 𝒏 .
[CLT13] We know how to build multilinear maps!
Fair Exchange
Partial Fairness
𝑚𝐴, 𝑚𝐵 , 𝑝𝑘𝐴 (𝑠𝑘𝐵, 𝑝𝑘𝐵)
(𝑠𝑘𝐴, 𝑝𝑘𝐴) 𝑚𝐴, 𝑚𝐵
𝑂𝑆𝑖𝑔𝑛 𝑠𝑘𝐵,⋅
𝜎𝐵 on 𝑚𝐴
Bet according to partially released secret
σ𝐴 on 𝑚𝐵 σ∗ on 𝑚∗
Not queried to signing oracle 𝑂𝑆𝑖𝑔𝑛
Simultaneous Hardness of Bits for Discrete Logarithm
𝑙 = 𝜔( log 𝜅)
An adversary cannot distinguish between a random sequence of 𝜿 − 𝒍 bits and the first 𝜿 − 𝒍 bits of 𝜽 given 𝒈𝜽 .
Holds in the generic group model [Schnorr98]
Provable Security
Provable Security
1. Define “Secure” (formally)
2. Design your solution
3. Prove it is secure with respect to definition proposed in step 1
4. Don’t forget to mention your assumptions (mathematical conjectures)
It’s not that easy. E.g. [GM84]
E.g. : Factoring is hard.
We want: If conjecture is true then NO adversary can break the security.
We prove: If adversary can break the security then the conjecture is false.
Provable Security 1. Given a random hash function 𝑯 it should be hard for any adversary to find to messages 𝒎,𝒎’ such that 𝑯(𝒎) = 𝑯(𝒎’) and 𝒎 ≠ 𝒎’
2. 𝑮 a cyclic group , 𝒈 a generator, 𝜶 a random value set 𝒉:= 𝒈𝜶 and define for 𝒎 = 𝒎𝟏||𝒎𝟐:
𝑯(𝒎𝟏| 𝒎𝟐 ∶= 𝒈𝒎𝟏𝒉𝒎𝟐
3. If adversary finds different 𝒎,𝒎’ such that 𝑯(𝒎) = 𝑯(𝒎’) then we can deduce 𝜶 .
4. Discrete logarithm is hard: given 𝒈, 𝒉 it’s difficult (takes a lot of time) to compute 𝜶 such that 𝒉 = 𝒈𝜶