This document provides an overview of zero-knowledge proofs (ZKPs) and their applications. It discusses:
- The history and types of ZKPs including SNARKs, STARKs, and Bulletproofs.
- Projects using different types of ZKPs like Zcash using zk-SNARKs and decentralized exchanges using zk-STARKs.
- The theory behind how ZKPs work by proving computations without revealing inputs, using examples like Diffie-Hellman key exchange and RSA signatures.
- Background math concepts relevant to ZKPs like modular arithmetic, elliptic curves, and finite fields.
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonSSIMeetup
This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.
After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.
Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrency such as Zcash, Ethereum, Artificial Intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and researching, including four slides of references.
zk-SNARKs are zero-knowledge succinct non-interactive arguments of knowledge that allow a prover to convince a verifier of a statement without revealing details. They work by converting a function and its inputs/outputs into a quadratic arithmetic program (QAP) represented as polynomials. This allows a verifier to efficiently check a proof generated by the prover using techniques like Lagrange interpolation and pairings on elliptic curves to ensure the polynomials satisfy the QAP without directly evaluating the function. The setup requires a "trusted setup" but then allows very efficient verification.
This document provides an overview of ZK-Snarks (zero-knowledge succinct non-interactive arguments of knowledge). It begins by outlining the problem of two parties conducting a transaction privately without revealing inputs. It then discusses zero-knowledge proofs and how ZK-Snarks allow for verifying computation integrity and input privacy. The document details how ZK-Snarks work by converting programs to arithmetic circuits and using a cryptographic proof system involving polynomial equations to generate proofs that can be verified without revealing inputs. Overall, the document serves as a high-level introduction to ZK-Snarks and how they enable private and verifiable blockchain transactions.
Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...MITSUNARI Shigeo
This document presents an efficient two-level homomorphic encryption scheme based on Type 3 pairings. The scheme allows for many additions on encrypted data and one multiplication. It combines the lifted-ElGamal encryption scheme with Type 3 pairings to encrypt data at two levels. Level-1 ciphertexts support homomorphic addition and multiplication, while a homomorphic multiplication of two Level-1 ciphertexts results in an encrypted value at Level-2. The scheme is more efficient than previous schemes and supports proofs of knowledge of plaintexts. It is IND-CPA secure under the SXDH assumption and provides circuit privacy. Benchmark results show it outperforms previous schemes on common processors and JavaScript.
1. The document discusses public key cryptography concepts like Diffie-Hellman key exchange, finite fields, discrete logarithm problems, key encapsulation mechanisms, and the security properties of IND-CCA security.
2. It provides examples of finite field arithmetic and constructions of finite fields and explains how fields can be extended.
3. The document compares public key cryptography and common key cryptography, noting that public key cryptography allows each user to have a single private key regardless of the number of users.
Zero Knowledge Proofs: What they are and how they workAll Things Open
Title: Zero Knowledge Proofs: What they are and how they work
Presented at All Things Open 2022
Presented by Jim Zhang
Abstract: Have you ever wanted to convince the security guard at the bar that you are over the legal drinking age, but didn’t want to tell them how old you are? Use a zero knowledge proof! Zero knowledge proofs (or ZKPs) are a powerful cryptographic technology that are being used to build privacy-preserving blockchains, next-generation digital identities, and many other things. Come and learn more about what Zero Knowledge Proofs are and how they work.
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonSSIMeetup
This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.
After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.
Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrency such as Zcash, Ethereum, Artificial Intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and researching, including four slides of references.
zk-SNARKs are zero-knowledge succinct non-interactive arguments of knowledge that allow a prover to convince a verifier of a statement without revealing details. They work by converting a function and its inputs/outputs into a quadratic arithmetic program (QAP) represented as polynomials. This allows a verifier to efficiently check a proof generated by the prover using techniques like Lagrange interpolation and pairings on elliptic curves to ensure the polynomials satisfy the QAP without directly evaluating the function. The setup requires a "trusted setup" but then allows very efficient verification.
This document provides an overview of ZK-Snarks (zero-knowledge succinct non-interactive arguments of knowledge). It begins by outlining the problem of two parties conducting a transaction privately without revealing inputs. It then discusses zero-knowledge proofs and how ZK-Snarks allow for verifying computation integrity and input privacy. The document details how ZK-Snarks work by converting programs to arithmetic circuits and using a cryptographic proof system involving polynomial equations to generate proofs that can be verified without revealing inputs. Overall, the document serves as a high-level introduction to ZK-Snarks and how they enable private and verifiable blockchain transactions.
Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...MITSUNARI Shigeo
This document presents an efficient two-level homomorphic encryption scheme based on Type 3 pairings. The scheme allows for many additions on encrypted data and one multiplication. It combines the lifted-ElGamal encryption scheme with Type 3 pairings to encrypt data at two levels. Level-1 ciphertexts support homomorphic addition and multiplication, while a homomorphic multiplication of two Level-1 ciphertexts results in an encrypted value at Level-2. The scheme is more efficient than previous schemes and supports proofs of knowledge of plaintexts. It is IND-CPA secure under the SXDH assumption and provides circuit privacy. Benchmark results show it outperforms previous schemes on common processors and JavaScript.
1. The document discusses public key cryptography concepts like Diffie-Hellman key exchange, finite fields, discrete logarithm problems, key encapsulation mechanisms, and the security properties of IND-CCA security.
2. It provides examples of finite field arithmetic and constructions of finite fields and explains how fields can be extended.
3. The document compares public key cryptography and common key cryptography, noting that public key cryptography allows each user to have a single private key regardless of the number of users.
Zero Knowledge Proofs: What they are and how they workAll Things Open
Title: Zero Knowledge Proofs: What they are and how they work
Presented at All Things Open 2022
Presented by Jim Zhang
Abstract: Have you ever wanted to convince the security guard at the bar that you are over the legal drinking age, but didn’t want to tell them how old you are? Use a zero knowledge proof! Zero knowledge proofs (or ZKPs) are a powerful cryptographic technology that are being used to build privacy-preserving blockchains, next-generation digital identities, and many other things. Come and learn more about what Zero Knowledge Proofs are and how they work.
The document summarizes cryptography techniques such as hashing functions, MAC, digital signatures, and FIDO authentication. It discusses SHA-2 and SHA-3 hashing standards, how MAC provides data integrity while signatures provide non-repudiation. ECDSA is introduced as an elliptic curve digital signature algorithm. FIDO aims to standardize multi-factor authentication using authentication devices and attestation signatures.
Monero is a cryptocurrency that uses ring signatures to obscure the origin of transactions. It uses twisted Edwards curves to implement elliptic curve cryptography. Ring signatures allow multiple people to sign a transaction at once, making it difficult to determine the true signer. Monero implements ring signatures and uses the Ed25519 elliptic curve for its digital signatures.
Eos - Efficient Private Delegation of zkSNARK proversAlex Pruden
Succinct zero knowledge proofs (i.e. zkSNARKs) are powerful cryptographic tools that enable a prover to convince a verifier that a given statement is true without revealing any additional information. Unfortunately, existing systems for generating zkSNARKs are expensive, which limits the applications in which these proofs can be used.
This new work (presented by co-author Pratyush Mishra) achieves security against malicious workers without relying on heavyweight cryptographic tools. We implement and evaluate our delegation protocols for a state-of-the-art zkSNARK in a variety of computational and bandwidth settings, and demonstrate that our protocols
are concretely efficient. When compared to local proving, using our protocols to delegate proof generation from a recent smartphone (a) reduces end-to-end latency by up to 26×, (b) lowers the delegator’s active computation time by up to 1447×, and (c) enables proving up to 256× larger instances
https://www.usenix.org/system/files/sec23fall-prepub-492-chiesa.pdf
Introduction of cryptography and network securityNEHA PATEL
This document outlines the course structure for IT306.01: Cryptography and Network Security. The course is divided into theory and practical components worth 3 and 2 hours per week respectively, over 4 credits. It covers 8 topics related to cryptography and network security, including conventional encryption, block ciphers, public key cryptography, number theory, message authentication, and network, IP, email and web security. Assessment includes a theory exam worth 100 marks and a practical exam worth 50 marks. The document lists two textbooks for the course and provides an introduction by the course instructor, Neha Patel.
Bitcoin is a cryptocurrency that uses blockchain technology to record transactions. Transactions are grouped into blocks and added to the blockchain through a process called proof-of-work that requires significant computing power. Miners who solve the proof-of-work puzzles and add blocks to the blockchain are rewarded with new bitcoins and transaction fees. The blockchain prevents double spending by ordering transactions and ensuring bitcoins cannot be spent twice. As more blocks are added, transactions are confirmed, though single transfers occur instantly. A maximum of 21 million bitcoins will ever be created through mining rewards.
One-Time Pad (OTP) encryption uses truly random keys that are only used once to encrypt plaintext. If the keys are random, only used once, and securely transferred and destroyed, then OTP provides perfect secrecy since the ciphertext reveals no information about the plaintext. However, achieving these strict conditions is difficult in practice, requiring solutions for secure key generation, transfer, storage and destruction. While OTP provides unbreakable encryption theoretically, more practical algorithms are needed to address its limitations.
The document summarizes topics related to cryptography including RSA encryption, elliptic curve encryption, man-in-the-middle attacks, and hash functions. It discusses the basic principles of RSA encryption and key generation. It also explains elliptic curve cryptography, including elliptic curve addition and the difficulty of solving elliptic curve discrete logarithm problems. Additionally, it covers man-in-the-middle attacks on public key encryption and key agreement protocols. Finally, it provides an overview of hash functions and their properties like one-wayness and collision resistance.
Public Key Cryptography and RSA algorithmIndra97065
Public Key Cryptography and RSA algorithm.Explanation and proof of RSA algorithm in details.it also describer the mathematics behind the RSA. Few mathematics theorem are given which are use in the RSA algorithm.
In the near future, privacy-preserving authentication methods will flood the market, and they will be based on Zero-Knowledge Proofs. IBM and Microsoft invested in these solutions many years ago.
Tendermint/Cosmos: Many Chains, Many Tokens, One EcosystemSunny Aggarwal
The document discusses the Cosmos ecosystem, which aims to connect many blockchain networks through the use of Tendermint consensus, the ABCI application interface, and IBC for inter-blockchain communication. This allows for scalability, diversity, and sovereignty among participating blockchains while enabling interoperability between applications and smart contracts across different chains. The goal is for tokens, value, and data to be transferable across separate but interconnected blockchains, forming a heterogeneous "internet of blockchains."
In this presentation there will be brief overview on what is Blockchain Technology?
What are the components in a block?
what are the applications of BlockChain technology?
The document describes the one-time pad cipher, which is considered theoretically unbreakable. It works by combining a plaintext message with a randomly generated key that is at least as long as the message. Each character of the key is combined with the corresponding character of the message using modular arithmetic. The key is then destroyed after use, and both the sender and receiver must have identical copies of the key to encrypt and decrypt messages. It provides perfect secrecy because an attacker with infinite computing power could not determine the original plaintext without the key.
The document discusses the history and applications of blockchain technology and cryptocurrencies like Bitcoin. It provides statistics on search interest in Bitcoin and the number of cryptocurrencies. Blockchain allows for decentralized, secure transaction records maintained on distributed ledgers without intermediaries. Potential applications include financial settlement, digital art ownership, and supply chain management. It also discusses industry consortiums working on blockchain standards and predictions that blockchain will disrupt banking by 2035.
Elliptic Curve Cryptography was presented by Ajithkumar Vyasarao. He began with an introduction to ECC, noting its advantages over RSA like smaller key sizes providing equal security. He described how ECC works using elliptic curves over real numbers and finite fields. He demonstrated point addition and scalar multiplication on curves. ECC can be used for applications like smart cards and mobile devices. For key exchange, Alice and Bob can agree on a starting point and generate secret keys by multiplying a private value with the shared point. ECC provides security through the difficulty of solving the elliptic curve discrete logarithm problem.
Cryptography: way to Arkham - Andriy SavchenkoRuby Meditation
This document discusses cryptography concepts including one-way hash functions, symmetric encryption using the Vigenère cipher, and asymmetric encryption using a simple RSA example. It provides sample code to demonstrate encrypting and decrypting messages using a basic public/private key pair. The document also briefly outlines the Secure Remote Password protocol and some considerations for implementing cryptography protocols including using the correct algorithms, versions, and avoiding partial implementations.
The document summarizes cryptography techniques such as hashing functions, MAC, digital signatures, and FIDO authentication. It discusses SHA-2 and SHA-3 hashing standards, how MAC provides data integrity while signatures provide non-repudiation. ECDSA is introduced as an elliptic curve digital signature algorithm. FIDO aims to standardize multi-factor authentication using authentication devices and attestation signatures.
Monero is a cryptocurrency that uses ring signatures to obscure the origin of transactions. It uses twisted Edwards curves to implement elliptic curve cryptography. Ring signatures allow multiple people to sign a transaction at once, making it difficult to determine the true signer. Monero implements ring signatures and uses the Ed25519 elliptic curve for its digital signatures.
Eos - Efficient Private Delegation of zkSNARK proversAlex Pruden
Succinct zero knowledge proofs (i.e. zkSNARKs) are powerful cryptographic tools that enable a prover to convince a verifier that a given statement is true without revealing any additional information. Unfortunately, existing systems for generating zkSNARKs are expensive, which limits the applications in which these proofs can be used.
This new work (presented by co-author Pratyush Mishra) achieves security against malicious workers without relying on heavyweight cryptographic tools. We implement and evaluate our delegation protocols for a state-of-the-art zkSNARK in a variety of computational and bandwidth settings, and demonstrate that our protocols
are concretely efficient. When compared to local proving, using our protocols to delegate proof generation from a recent smartphone (a) reduces end-to-end latency by up to 26×, (b) lowers the delegator’s active computation time by up to 1447×, and (c) enables proving up to 256× larger instances
https://www.usenix.org/system/files/sec23fall-prepub-492-chiesa.pdf
Introduction of cryptography and network securityNEHA PATEL
This document outlines the course structure for IT306.01: Cryptography and Network Security. The course is divided into theory and practical components worth 3 and 2 hours per week respectively, over 4 credits. It covers 8 topics related to cryptography and network security, including conventional encryption, block ciphers, public key cryptography, number theory, message authentication, and network, IP, email and web security. Assessment includes a theory exam worth 100 marks and a practical exam worth 50 marks. The document lists two textbooks for the course and provides an introduction by the course instructor, Neha Patel.
Bitcoin is a cryptocurrency that uses blockchain technology to record transactions. Transactions are grouped into blocks and added to the blockchain through a process called proof-of-work that requires significant computing power. Miners who solve the proof-of-work puzzles and add blocks to the blockchain are rewarded with new bitcoins and transaction fees. The blockchain prevents double spending by ordering transactions and ensuring bitcoins cannot be spent twice. As more blocks are added, transactions are confirmed, though single transfers occur instantly. A maximum of 21 million bitcoins will ever be created through mining rewards.
One-Time Pad (OTP) encryption uses truly random keys that are only used once to encrypt plaintext. If the keys are random, only used once, and securely transferred and destroyed, then OTP provides perfect secrecy since the ciphertext reveals no information about the plaintext. However, achieving these strict conditions is difficult in practice, requiring solutions for secure key generation, transfer, storage and destruction. While OTP provides unbreakable encryption theoretically, more practical algorithms are needed to address its limitations.
The document summarizes topics related to cryptography including RSA encryption, elliptic curve encryption, man-in-the-middle attacks, and hash functions. It discusses the basic principles of RSA encryption and key generation. It also explains elliptic curve cryptography, including elliptic curve addition and the difficulty of solving elliptic curve discrete logarithm problems. Additionally, it covers man-in-the-middle attacks on public key encryption and key agreement protocols. Finally, it provides an overview of hash functions and their properties like one-wayness and collision resistance.
Public Key Cryptography and RSA algorithmIndra97065
Public Key Cryptography and RSA algorithm.Explanation and proof of RSA algorithm in details.it also describer the mathematics behind the RSA. Few mathematics theorem are given which are use in the RSA algorithm.
In the near future, privacy-preserving authentication methods will flood the market, and they will be based on Zero-Knowledge Proofs. IBM and Microsoft invested in these solutions many years ago.
Tendermint/Cosmos: Many Chains, Many Tokens, One EcosystemSunny Aggarwal
The document discusses the Cosmos ecosystem, which aims to connect many blockchain networks through the use of Tendermint consensus, the ABCI application interface, and IBC for inter-blockchain communication. This allows for scalability, diversity, and sovereignty among participating blockchains while enabling interoperability between applications and smart contracts across different chains. The goal is for tokens, value, and data to be transferable across separate but interconnected blockchains, forming a heterogeneous "internet of blockchains."
In this presentation there will be brief overview on what is Blockchain Technology?
What are the components in a block?
what are the applications of BlockChain technology?
The document describes the one-time pad cipher, which is considered theoretically unbreakable. It works by combining a plaintext message with a randomly generated key that is at least as long as the message. Each character of the key is combined with the corresponding character of the message using modular arithmetic. The key is then destroyed after use, and both the sender and receiver must have identical copies of the key to encrypt and decrypt messages. It provides perfect secrecy because an attacker with infinite computing power could not determine the original plaintext without the key.
The document discusses the history and applications of blockchain technology and cryptocurrencies like Bitcoin. It provides statistics on search interest in Bitcoin and the number of cryptocurrencies. Blockchain allows for decentralized, secure transaction records maintained on distributed ledgers without intermediaries. Potential applications include financial settlement, digital art ownership, and supply chain management. It also discusses industry consortiums working on blockchain standards and predictions that blockchain will disrupt banking by 2035.
Elliptic Curve Cryptography was presented by Ajithkumar Vyasarao. He began with an introduction to ECC, noting its advantages over RSA like smaller key sizes providing equal security. He described how ECC works using elliptic curves over real numbers and finite fields. He demonstrated point addition and scalar multiplication on curves. ECC can be used for applications like smart cards and mobile devices. For key exchange, Alice and Bob can agree on a starting point and generate secret keys by multiplying a private value with the shared point. ECC provides security through the difficulty of solving the elliptic curve discrete logarithm problem.
Cryptography: way to Arkham - Andriy SavchenkoRuby Meditation
This document discusses cryptography concepts including one-way hash functions, symmetric encryption using the Vigenère cipher, and asymmetric encryption using a simple RSA example. It provides sample code to demonstrate encrypting and decrypting messages using a basic public/private key pair. The document also briefly outlines the Secure Remote Password protocol and some considerations for implementing cryptography protocols including using the correct algorithms, versions, and avoiding partial implementations.
Cryptography involves transforming data using an algorithm and key to make it unreadable. Common techniques include encryption algorithms like the Caesar cipher which shifts letters by a set number, and the Vigenère cipher which uses a keyword for polyalphabetic substitution. Modern standards like the Data Encryption Standard and Advanced Encryption Standard use confusion and diffusion principles with substitution boxes and key lengths of 128+ bits for security. Key exchange methods like Diffie-Hellman allow secure key agreement without prior secrets.
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...Mozaic Works
This document summarizes a presentation about Clojure and ClojureScript. It describes Clojure as a modern Lisp dialect that runs on the JVM with a focus on concurrency. It notes advantages like stable platforms, access to Java libraries, and immutable persistent data structures that facilitate parallelism. The document discusses Clojure concepts like homoiconicity, concurrency vs parallelism, syntax using s-expressions, macros for metaprogramming, and data structures like maps, vectors, and sets. It also mentions ClojureScript and domain-specific languages.
Elliptic curve cryptography and zero knowledge proofNimish Joseph
This document discusses elliptic curve cryptography and zero knowledge proofs. It begins by establishing the mathematical foundations needed for cryptography, including groups, rings, fields, and the discrete logarithm problem. It then explains how elliptic curves can be used in public key cryptography applications like Diffie-Hellman key exchange and ElGamal encryption. It also covers zero knowledge proofs, their properties, examples of uses, and the Fiat-Shamir identification protocol. Throughout, it provides examples to illustrate key concepts in elliptic curve cryptography and zero knowledge proofs.
Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta
Elliptic Curve Cryptography and Zero Knowledge Proof
Presentation by Nimish Joseph, at College of Engineering Cherthala, Kerala, India, during Faculty Development Program, on 06-Nov-2013
Elliptic curve cryptography (ECC) uses elliptic curves over finite fields to provide public-key encryption and digital signatures. ECC requires significantly smaller key sizes than other cryptosystems like RSA to provide equivalent security. This allows for faster computations and less storage requirements, making ECC ideal for constrained environments like smartphones. ECC relies on the difficulty of solving the elliptic curve discrete logarithm problem to provide security.
This document discusses several public key cryptosystems based on discrete logarithms, including Diffie-Hellman key exchange, ElGamal encryption, and ElGamal digital signatures. It provides examples of how each system works using mathematical operations like exponentiation modulo a prime number. Diffie-Hellman allows two parties to securely generate a shared secret key over an insecure channel. ElGamal encryption and signatures extend this idea to allow public key encryption and digital signatures based on the difficulty of solving discrete logarithms.
HW 5-RSA/ascii2str.m
function str = ascii2str(ascii)
% Convert to string
str = char(ascii);
HW 5-RSA/bigmod.m
function remainder = bigmod (number, power, modulo)
% modulo function for large numbers, -> number^power(mod modulo)
% by bennyboss / 2005-06-24 / Matlab 7
% I used algorithm from this webpage:
% http://www.disappearing-inc.com/ciphers/rsa.html
% binary decomposition
binary(1,1) = 1;
col = 2;
while ( binary(1, col-1) <= power-binary(1, col-1) )
binary(1, col) = 2*binary(1, col-1);
col = col + 1;
end
% flip matrix
binary = fliplr(binary);
% extract binary decomposition from number
result = power;
cols = length(binary);
extracted_binary = zeros(1, cols);
index = zeros(1, cols);
for ( col=1 : cols )
if( result-binary(1, col) > 0 )
result = result - binary(1, col);
extracted_binary(1, col) = binary(1, col);
index(1, col) = col;
elseif ( result-binary(1, col) == 0 )
extracted_binary(1, col) = binary(1, col);
index(1, col) = col;
break;
end
end
% flip matrix
binary = fliplr(binary);
% doubling the powers by squaring the numbers
cols2 = length(extracted_binary);
rem_sqr = zeros(1, cols);
rem_sqr(1, 1) = mod(number^1, modulo);
if ( cols2 > 1 )
for ( col=2 : cols)
rem_sqr(1, col) = mod(rem_sqr(1, col-1)^2, modulo);
end
end
% flip matrix
rem_sqr = fliplr(rem_sqr);
% compute reminder
index = find(index);
remainder = rem_sqr(1, index(1, 1));
cols = length(index);
for (col=2 : cols)
remainder = mod(remainder*rem_sqr(1, index(1, col)), modulo);
end
HW 5-RSA/EGCP447-Lecture No 10.pdf
RSA Encryption
RSA = Rivest, Shamir, and Adelman (MIT), 1978
Underlying hard problem
– Number theory – determining prime factors of a given
(large) number
e.g., factoring of small #: 5 -) 5, 6 -) 2 *3
– Arithmetic modulo n
How secure is RSA?
– So far remains secure (after all these years...)
– Will somebody propose a quick algorithm to factor
large numbers?
– Will quantum computing break it? -) TBD
RSA Encryption
In RSA:
– P = E (D(P)) = D(E(P)) (order of D/E does not matter)
– More precisely: P = E(kE, D(kD, P)) = D(kD, E(kE, P))
Encryption: C = Pe mod n KE = e
– n is the key length
– Note, P is turned into an integer using a padding
scheme
– Given C, it is very difficult to find P without knowing
KD
Decryption: P = Cd mod n KD = d
We will look at this algorithm in detail next time
RSA Algorithm
1. Key Generation
– A key generation algorithm
2. RSA Function Evaluation
– A function F, that takes as an input a point x and a
key k and produces either an encrypted result or
plaintext, depending on the input and the key
Key Generation
The key generation algorithm is the most
complex part of RSA
The aim of the key generation algorithm is to
generate both th ...
This document contains the notes from a class about cryptocurrency. It discusses the final exam, which will involve explaining bitcoin to different audiences and answering substantive questions. It then lists the names of students in the class divided into teams based on their answers to a registration question. The rest of the document outlines a jeopardy game about cryptocurrency topics played between the student teams, including questions about Satoshi Nakamoto, hashing, scripts, cryptography, randomness, and altcoins.
Public key cryptography uses two keys, a public key that can encrypt messages and a private key that decrypts messages. It has six components: plain text, encryption algorithm, public and private keys, ciphertext, and decryption algorithm. Some key characteristics are that it is computationally infeasible to determine the private key from the public key alone, and encryption/decryption is easy when the relevant key is known. The requirements of public key cryptography are that it is easy to generate a public-private key pair, easy to encrypt with the public key, easy for the recipient to decrypt with the private key, and infeasible to determine the private key from the public key or recover the plaintext from the ciphertext and public key alone
The document discusses the Diffie-Hellman key exchange algorithm. It explains that the algorithm allows two users to securely exchange a key over an insecure channel. It describes how each user generates a public and private key, and how they can then calculate the same secret key to encrypt subsequent messages, even though the keys were never directly exchanged. The document provides examples to illustrate how the algorithm works and ensures only the two intended users can calculate the shared secret key.
This document discusses parallelizing loops to compute pi through numerical integration. It begins by describing how pi can be computed by approximating the integral of 1/(1+x^2) from 0 to 1. It then shows C++ and Fortran code that performs this computation sequentially with increasing numbers of steps to improve the approximation of pi. The document discusses variable scopes in C++ and Fortran and how OpenMP parallelization works by dividing the loop workload across threads. It demonstrates parallelizing the loops in both languages using the reduction clause to correctly sum values across threads. Finally, it discusses considerations for parallelizing loops and challenges like data dependencies.
Elliptic Curve Cryptography for those who are afraid of mathsMartijn Grooten
A low level introduction into elliptic curve cryptography, as presented at BSides San Francisco 2016.
NB don't be put off by the 100 slides; every transition is on its own slide.
1. The document discusses cryptography and the RSA algorithm. It provides definitions of encryption, decryption, symmetric and asymmetric cryptography.
2. RSA is described as an asymmetric cryptography algorithm invented by Rivest, Adleman and Shamir using the initials of their last names. It uses a public key for encryption and a private key for decryption.
3. An example is provided to demonstrate how RSA works by encrypting a message using a public key and decrypting it with a private key.
The document provides an overview of cryptography concepts including secrecy ciphers, secret key cryptography, public key cryptography, digital signatures, and their applications to internet security. It discusses how early ciphers like Caesar cipher could be broken through frequency analysis but were made more secure through techniques like modular exponentiation. It introduces key concepts like Diffie-Hellman key exchange that allow parties to establish a shared secret key over insecure channels and digital signatures to authenticate messages and identities. It also discusses how certification authorities help validate public keys on the internet.
Elliptic curve cryptography (ECC) uses elliptic curves over finite fields for encryption, digital signatures, and key exchange. It provides the same security as RSA or discrete logarithm schemes but with smaller key sizes (e.g. 256-bit ECC vs. 3072-bit RSA). ECC algorithms are also faster and use less energy than other schemes. While ECC offers advantages, security relies on using cryptographically strong elliptic curves and there is no deterministic method to encode messages as curve points.
The RSA algorithm describes how to generate a public/private key pair for encryption. It involves choosing prime numbers p and q, computing n as their product, and using n to calculate the public and private keys. The Diffie-Hellman key exchange allows two parties to agree on a shared secret key over an insecure channel by each selecting a private value and computing a public value from it. They can then use the exchanged public values to independently derive the same shared key. MD5 and SHA-1 are cryptographic hash functions, with SHA-1 having a larger state size, more rounds, different bitwise functions, and preprocessing the message words differently than MD5.
Secure multi-party computation allows multiple parties to jointly compute a function over their private inputs while preserving privacy. This is achieved through techniques like secret sharing, garbled circuits, and secure multi-party protocols. Recent improvements have increased performance, enabling practical applications in domains like genome analytics, smart cities, and blockchain where privacy-sensitive data from different entities must be analyzed without being shared in the clear.
Similar to Demystifying Zero Knowledge Proofs [FINAL].pptx (20)
A SYSTEMATIC RISK ASSESSMENT APPROACH FOR SECURING THE SMART IRRIGATION SYSTEMSIJNSA Journal
The smart irrigation system represents an innovative approach to optimize water usage in agricultural and landscaping practices. The integration of cutting-edge technologies, including sensors, actuators, and data analysis, empowers this system to provide accurate monitoring and control of irrigation processes by leveraging real-time environmental conditions. The main objective of a smart irrigation system is to optimize water efficiency, minimize expenses, and foster the adoption of sustainable water management methods. This paper conducts a systematic risk assessment by exploring the key components/assets and their functionalities in the smart irrigation system. The crucial role of sensors in gathering data on soil moisture, weather patterns, and plant well-being is emphasized in this system. These sensors enable intelligent decision-making in irrigation scheduling and water distribution, leading to enhanced water efficiency and sustainable water management practices. Actuators enable automated control of irrigation devices, ensuring precise and targeted water delivery to plants. Additionally, the paper addresses the potential threat and vulnerabilities associated with smart irrigation systems. It discusses limitations of the system, such as power constraints and computational capabilities, and calculates the potential security risks. The paper suggests possible risk treatment methods for effective secure system operation. In conclusion, the paper emphasizes the significant benefits of implementing smart irrigation systems, including improved water conservation, increased crop yield, and reduced environmental impact. Additionally, based on the security analysis conducted, the paper recommends the implementation of countermeasures and security approaches to address vulnerabilities and ensure the integrity and reliability of the system. By incorporating these measures, smart irrigation technology can revolutionize water management practices in agriculture, promoting sustainability, resource efficiency, and safeguarding against potential security threats.
International Conference on NLP, Artificial Intelligence, Machine Learning an...gerogepatton
International Conference on NLP, Artificial Intelligence, Machine Learning and Applications (NLAIM 2024) offers a premier global platform for exchanging insights and findings in the theory, methodology, and applications of NLP, Artificial Intelligence, Machine Learning, and their applications. The conference seeks substantial contributions across all key domains of NLP, Artificial Intelligence, Machine Learning, and their practical applications, aiming to foster both theoretical advancements and real-world implementations. With a focus on facilitating collaboration between researchers and practitioners from academia and industry, the conference serves as a nexus for sharing the latest developments in the field.
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Sinan KOZAK
Sinan from the Delivery Hero mobile infrastructure engineering team shares a deep dive into performance acceleration with Gradle build cache optimizations. Sinan shares their journey into solving complex build-cache problems that affect Gradle builds. By understanding the challenges and solutions found in our journey, we aim to demonstrate the possibilities for faster builds. The case study reveals how overlapping outputs and cache misconfigurations led to significant increases in build times, especially as the project scaled up with numerous modules using Paparazzi tests. The journey from diagnosing to defeating cache issues offers invaluable lessons on maintaining cache integrity without sacrificing functionality.
A review on techniques and modelling methodologies used for checking electrom...nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...IJECEIAES
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...IJECEIAES
Medical image analysis has witnessed significant advancements with deep learning techniques. In the domain of brain tumor segmentation, the ability to
precisely delineate tumor boundaries from magnetic resonance imaging (MRI)
scans holds profound implications for diagnosis. This study presents an ensemble convolutional neural network (CNN) with transfer learning, integrating
the state-of-the-art Deeplabv3+ architecture with the ResNet18 backbone. The
model is rigorously trained and evaluated, exhibiting remarkable performance
metrics, including an impressive global accuracy of 99.286%, a high-class accuracy of 82.191%, a mean intersection over union (IoU) of 79.900%, a weighted
IoU of 98.620%, and a Boundary F1 (BF) score of 83.303%. Notably, a detailed comparative analysis with existing methods showcases the superiority of
our proposed model. These findings underscore the model’s competence in precise brain tumor localization, underscoring its potential to revolutionize medical
image analysis and enhance healthcare outcomes. This research paves the way
for future exploration and optimization of advanced CNN models in medical
imaging, emphasizing addressing false positives and resource efficiency.
Comparative analysis between traditional aquaponics and reconstructed aquapon...bijceesjournal
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Batteries -Introduction – Types of Batteries – discharging and charging of battery - characteristics of battery –battery rating- various tests on battery- – Primary battery: silver button cell- Secondary battery :Ni-Cd battery-modern battery: lithium ion battery-maintenance of batteries-choices of batteries for electric vehicle applications.
Fuel Cells: Introduction- importance and classification of fuel cells - description, principle, components, applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
2. Who is this workshop for:
- No prior knowledge necessary
- Some experience with Solidity smart contracts
- Basic math
3. Where to get these slides & links
Twitter: @leanthebean
4. What we’ll go over
Part 1 - theory
- Some background knowledge
- Overview of how ZKPs work
Part 2 - coding
- Use Zokrates to make a smart contract that will generate
NFT tokens only if the correct proof to a puzzle is given
15. - Merkle path to my commitment notes
that cover my transaction
- Entire Blockchain
f(x) = y
16. - Change to a smart contract
- One machine does the computation, all
others accept new state change with a
proof
f(x) = y
17. History
- 1985 "The Knowledge Complexity of Interactive Proof-
Systems"
- Shafi Goldwasser, Silvio Micali, and Charles Rackoff
- http://web.mit.edu/~ezyang/Public/graph/svg.html
18. Proof Size Prover Time Verification
Time
SNARKs
(has trusted setup)
STARKs
Bulletproofs
20. Projects using ZKPs
SNARKs
Zcash: has optional shielded transactions that use zk-SNARKs
Has a ceremony for the trusted setup per circuit upgrade
21. SNARKs
Use recursive SNARKs to give a merkle root of latest global
state with a proof
New nodes do not have to sync from the genesis block to
build up their in-memory global state
Projects using ZKPs
24. SNARKs Zokrates a great SNARK domain specific language (DSL) for generating proofs
and validating them on Ethereum
Bellman Rust implementation
Snarky OCaml implementation (DSL)
LIbsnark C++
Iden3’s Circum (DSL) & SnarkJS Javascript Implementation
Republic Protocol’s zksnark-rs (DSL) Rust implementation
DIZK Java Distributed system
Go-SNARK zkSNARK library implementation in Go
STARKs Go implementation (with pretty useful links!)
C++ implementation
Bulletproofs Ristretto Rust implementation with GREAT documentation (maintained by
Chain/Interstellar)
Benedikt's Bunz Java implementation
Open Source Projects
25. Modular Math
22 (mod 12) = 10
Because 12 divides 22 one time
evenly with 10 as the remainder
3 + 16 (mod 12) = 7
And so on
26. Diffie Hellman (1976)
- First published method of public-key cryptography
- Secret sharing of an encryption key
(Learn more on early cryptography from The Code Book)
28. Diffie Hellman (1976)
1. p = 23 (modulus) g = 5 (base)
2. Alice chooses a secret a = 4, and sends Bob A = ga mod p
○ A = 54 mod 23 = 4
29. Diffie Hellman (1976)
1. p = 23 (modulus) g = 5 (base)
2. Alice chooses a secret a = 4, and sends Bob A = ga mod p
○ A = 54 mod 23 = 4
3. Bob chooses a secret b = 3, and sends Alice B = gb mod p
○ B = 53 mod 23 = 10
30. Diffie Hellman (1976)
1. p = 23 (modulus) g = 5 (base)
2. Alice chooses a secret a = 4, and sends Bob A = ga mod p
○ A = 54 mod 23 = 4
3. Bob chooses a secret b = 3, and sends Alice B = gb mod p
○ B = 53 mod 23 = 10
4. Alice computes s = Ba mod p
○ s = gb a mod p = 104 mod 23 = 18
31. Diffie Hellman (1976)
1. p = 23 (modulus) g = 5 (base)
2. Alice chooses a secret a = 4, and sends Bob A = ga mod p
○ A = 54 mod 23 = 4
3. Bob chooses a secret b = 3, and sends Alice B = gb mod p
○ B = 53 mod 23 = 10
4. Alice computes s = Ba mod p
○ s = gb a mod p = 104 mod 23 = 18
5. Bob computes s = Ab mod p
○ s = ga b mod p = 43 mod 23 = 18
32. Diffie Hellman (1976)
1. p = 23 (modulus) g = 5 (base)
2. Alice chooses a secret a = 4, and sends Bob A = ga mod p
○ A = 54 mod 23 = 4
3. Bob chooses a secret b = 3, and sends Alice B = gb mod p
○ B = 53 mod 23 = 10
4. Alice computes s = Ba mod p
○ s = gb a mod p = 104 mod 23 = 18
5. Bob computes s = Ab mod p
○ s = ga b mod p = 43 mod 23 = 18
Now Alice and Bob know to encrypt/decrypt their messages using the shared secret 18
33. RSA (1977)
- One of the first public key cryptosystems
- Uses Diffie-Hellman
- Digital Signatures
35. RSA
1. Choose 2 primes: p = 5 q = 11
n = p * q = 55
1. lcm(p-1, q-1) = 20 (totient)
36. RSA
1. Choose 2 primes: p = 5 q = 11
n = p * q = 55
1. lcm(p-1, q-1) = 20 (totient)
2. Choose a private key e that is 1 < e < 20 (coprime to 20)
e = 7
37. RSA
1. Choose 2 primes: p = 5 q = 11
n = p * q = 55
1. lcm(p-1, q-1) = 40 (totient)
2. Choose a private key e that is 1 < e < 20 (coprime to 20)
e = 7
1. Choose a public key d such that
d * e mod(totient) = 1
d = 23
39. RSA
private key e = 7 and public key d = 23
message to sign= 8
c = 87 mod 55 = 2
40. RSA
private key e = 7 and public key d = 23
message to sign= 8
c = 87 mod 55 = 2
Anyone can check the signature using the public key 23
41. RSA
private key e = 7 and public key d = 23
message to sign= 8
c = 87 mod 55 = 2
Anyone can check the signature using the public key 23
m = 223 mod 55 = 8
42. Fiat-Shamir (1986)
- Interactive proof of knowledge
- “Grandfather” of ZKPs
- Allows one to prove information about a number, without
revealing the number
43. - g is a number (called generator) everyone knows
Fiat-Shamir
44. - g is a number (called generator) everyone knows
- Alice wants to prove that she knows x, such that y = gx
Fiat-Shamir
45. - g is a number (called generator) everyone knows
- Alice wants to prove that she knows x, such that y = gx
- She picks a random v, and sends t such that t = gv
Fiat-Shamir
46. - g is a number (called generator) everyone knows
- Alice wants to prove that she knows x, such that y = gx
- She picks a random v, and sends t such that t = gv
- Bob pics a random c, and sends that to Alice
Fiat-Shamir
47. - g is a number (called generator) everyone knows
- Alice wants to prove that she knows x, such that y = gx
- She picks a random v, and sends t such that t = gv
- Bob pics a random c, and sends that to Alice
- Alice sends back r = v - cx
Fiat-Shamir
48. - g is a number (called generator) everyone knows
- Alice wants to prove that she knows x, such that y = gx
- She picks a random v, and sends t such that t = gv
- Bob pics a random c, and sends that to Alice
- Alice sends back r = v - cx
- Bob checks t = gryc
Fiat-Shamir
49. - g is a number (called generator) everyone knows
- Alice wants to prove that she knows x, such that y = gx
- She picks a random v, and sends t such that t = gv
- Bob pics a random c, and sends that to Alice
- Alice sends back r = v - cx
- Bob checks t = gryc
- Since gryc = gv-cx gxc = gv = t
Fiat-Shamir
50. - g is a number (called generator) everyone knows
- Alice wants to prove that she knows x, such that y = gx
- She picks a random v, and sends t such that t = gv
- Bob pics a random c, and sends that to Alice
- Alice sends back r = v - cx
- Bob checks t = gryc
- Since gryc = gv-cx gxc = gv = t
- Bob knows that Alice knows the “preimage” x
Fiat-Shamir
52. - Much more powerful and efficient tool than
exponentiation & modular math
- Great tutorial by Andrea Corbellini
- (much of which we’ll go over here)
Elliptic Curve Cryptography
54. ~ ¾ of 100k top websites use ECDHE (https://)
(Elliptic Curve Diffie-Hellman Exchange)
96.1% of those use P256 curve (a NIST standard):
y2 = x3 - 3x + b (mod p)
Parameters generated from hashing a seed
From a video by Dan Boneh
Elliptic Curve Cryptography
55. ~ ¾ of 100k top websites use ECDHE (https://)
(Elliptic Curve Diffie-Hellman Exchange)
96.1% of those use P256 curve (a NIST standard):
y2 = x3 - 3x + b (mod p)
Parameters generated from hashing a seed
From a video by Dan Boneh
Elliptic Curve Cryptography
56. Elliptic Curve Cryptography
Abelian Group Properties for a set 𝔾
1) Closure: if a and b are members of 𝔾 then a + b is also
2) Associativity: (a + b) + c = a + (b + c)
3) Identity: a + 0 = 0 + a = a
4) Inverse: for every a, there exists b such that a + b = 0
5) Commutativity: a + b = b + a
58. ECC - Addition
If P + Q + R = 0, then P + Q = -R
If we draw a line between 2 pts P and
Q, it’ll intersect at a point R
Since P + Q = -R we can easily find R
and use it to compute addition of two
points from it
59. ECC - Addition
P + Q = -R
m = (3xP
3 + a) / 2yP
xR = m2 - xp - xQ
yR = yP + m(xR - xP) = yQ + m(xR - xQ)
60. ECC - Addition
P + P = -R for Q = P = (1, 2) on y2 = x3 - 7x + 10
m = (3xP
3 + a) / 2yP
= -1
xR = m2 - xp - xQ
= -1
yR = yP + m(xR - xP) = yQ + m(xR - xQ) = 4
61.
62. nP = P + P + … + P
(We have clever optimization techniques to do this fast)
ECC - Multiplication
n times
63. nP = P + P + … + P
nP = Q : fairly easily to compute
n = Q/P : very hard to compute (no efficient method)
Logarithm Problem (it’s not called division for conformity reasons)
ECC - Multiplication
n times
64. nP = P + P + … + P
nP = Q : fairly easily to compute
n = Q/P : very hard to compute (no efficient method)
Logarithm Problem (it’s not called division for conformity reasons)
But we’re missing cycles
ECC - Multiplication
n times
65. Finite field 𝔽p: set of elements (mod p) where p is prime
y2 = x3 + ax + b (mod p)
ECC - Finite Fields & Discrete Log
66. y2 = x3 - 7x + 10
p = 19
p = 127
p = 97
p = 487
67. P + P = ? in a finite field
ECC - Finite Fields (Addition)
68. ECC - Finite Fields (Addition)
P + P = ? in a finite field
P + P = (-1, -4) on y2 = x3 - 7x + 10
For a finite field on p = 19
-1 (mod 19) = 18
-4 (mod 19) = 15
So P + P on y2 = x3 - 7x + 10 (mod 19) = (18, 15)
69.
70. ECC - Groups
y2 = x3 + 2x + 3 (mod 97) at point P(3, 6)
Let’s calculate some multiples of P
85. ECC - Groups
y2 = x3 + 2x + 3 (mod 97) on P(3, 6) we saw a cycle
There are just 5 distinct points:
0, P, 2P, 3P, 4P
86. ECC - Groups
y2 = x3 + 2x + 3 (mod 97) on P(3, 6) we saw a cycle
There are just 5 distinct points:
0, P, 2P, 3P, 4P
These five points are closed under addition.
However you add 0, P, 2P, 3P or 4P, the
result is always one of these five points.
87. ECC - Groups
The point P(3, 6) on y2 = x3 + 2x + 3 (mod 97)
is therefore said to be a generator
or base point of the cyclic subgroup
and the order of this subgroup is
therefore 5
(the smallest n such that nP=0)
88. ECC - Groups
Q = nP mod p : easy to calculate
n = P/Q mod p : discrete logarithm problem
If you choose your curve, parameters, and generator point
carefully, finding n becomes very very very hard
And this is exactly how the ECDSA signature scheme works
89. ECDSA
ECDSA signature (used in Bitcoin, Ethereum, etc):
1. private key random integer d from {1, … n-1} where n is the
order of the subgroup
2. public key where G is the base point H = dG
90. ECDSA
A Bitcoin private key is 256 bits and gives 128-bit security
level
To achieve the same security with RSA you would need 3092
bit length key
91. Pedersen Commitments
Tool for Confidential Transaction: Pedersen Commitment
Used in privacy coin Grin
Learn more about how Grin works
92. Pedersen Commitments
You could use Q = vG to “hash” or hide amounts per tx
But that’s susceptible to ‘Rainbow table’ attacks as one could
precompute popular amount denominations
93. Pedersen Commitments
You could use Q = vG to “hash” or hide amounts per tx
But that’s susceptible to ‘Rainbow table’ attacks as one could
precompute popular amount denominations
Solution: add a blinding factor
Com(v) = vG + bH
94. Pedersen Commitments
You could use Q = vG to “hash” or hide amounts per tx
But that’s susceptible to ‘Rainbow table’ attacks as one could
precompute popular amount denominations
Solution: add a blinding factor
Com(v) = vG + bH
Where G and H are generator points
b is random number used as a blinding factor
95. Pedersen Commitments
The cool property of Pedersen Commitments (or sometimes
called hashes) is that you can add them to check equality
Com(v1) = v1G + b1H
Com(v2) = v2G + b2H
Such that:
v2G + b2H + v1G + b1H = G(v2 + v1) + H(b1 + b2)
96. Bulletproofs (Range Proofs)
Proving that a number is within a range
v ∈ [0,2n)
Zero Knowledge about the Inner Product of Two Vectors
Learn more how Bulletproofs work
97. Bulletproofs (Range Proofs)
Any number can be represented as inner product of two
vectors.
5 = <[1, 0, 1] , [22, 21, 20]>
5 equals inner product of 2 vectors [1, 0, 1] and [22, 21, 20]
99. Bulletproofs (Range Proofs)
v = <a, 2n>
Example:
v = 5 and we wanted to prove that 5 is in range of 0 to 2n
without showing 5
v ∈ [0,2n)
100. Bulletproofs (Range Proofs)
5decimal = 101binary = 1(22) + 0(21) + 1(20)
Need at least 3 bits to represent 5: n has to be at least 3
23 = 8
Therefore it’s clear that 5 must be in range of 0 to 2n
101. Bulletproofs (Range Proofs)
v = <a, 2n>
We need to prove that:
1) That assignment of a is correct
2) We can commit to secret values using Pedersen
commitments and prove we know the value using a
technique similar to Fiat-Shamir
105. SNARKs
There are many (50+) variants of SNARKs
QAP variant (quadratic arithmetic program):
Computation → Arithmetic Circuit → R1CS → QAP → SNARK
Check out this excellent primer by Decentriq
And Zcash’s explainer
106. SNARKs - Computation
x * y + 4 = 10
Prover wants to prove that they know values x and y
107. SNARKs - Arithmetic Circuit
x * y + 4 = 10 x y 4
*
+
10
constraint 1
output1
constraint 2
108. SNARKs - Arithmetic Circuit
x y 4
*
+
10
constraint 1
output1
Constraint 1:
output1 = x * y
Constraint 2:
output1 + 4 = 10
Constraint 3:
Equality constraint
constraint 2
109. SNARKs - R1CS
x y 4
*
+
10
constraint 1
output1
constraint 2
Constraint has a left input, right input
and output
Such that:
left(L) * right(R) = output(O)
With 3 vectors:
<L, v> * <R, v> = <O, v>
v is the variable vector
v = [1, x, y, output1]
110. SNARKs - Arithmetic Circuit
<L, v> * <R, v> = <O, v>
v = [1, x, y, output1]
Constraint 1: x * y = output1
L = [0, 1, 0, 0] // x
R = [0, 0, 1, 0] // y
O = [0, 0, 0, 1] // output1
Constraint 2: (output1 + 4) * 1 = 10
L = [4, 0, 0, 1] // output1 + 5
R = [1, 0, 0, 0] // 1
O = [10, 0, 0, 0] // 10
x y 4
*
+
10
constraint 1
output1
constraint 2
111. SNARKs - QAP
Create polynomials for each constraint using Lagrange interpolation
L * R = O
Constraint 1:
L = [0, 1, 0, 0] // x
R = [0, 0, 1, 0] // y
O = [0, 0, 0, 1] // output1
Constraint 2:
L = [4, 0, 0, 1] // output1 + 5
R = [1, 0, 0, 0] // 1
O = [10, 0, 0, 0] // 10
L1[1] = 0 (look at 1st constraint, 1st element of L)
L1[2] = 4 (look at 2nd constraint, 1st element of L)
2 points: (1, 0) and (2, 4). We can use Lagrange
interpolation to get a polynomial: 4x - 4
L1(x) = 4x - 4
And we do this for each constraint, for each
variable Li(x), Ri(x), Oi(x)
112. L1(x) = 4x - 4
L2(x) = -1x + 2
L3(x) = 0
L4(x) = 1x - 1
SNARKs - QAP
L * R = O
Constraint 1:
L = [0, 1, 0, 0] // x
R = [0, 0, 1, 0] // y
O = [0, 0, 0, 1] // output1
Constraint 2:
L = [4, 0, 0, 1] // output1 + 5
R = [1, 0, 0, 0] // 1
O = [10, 0, 0, 0] // 10
113. SNARKs - QAP
L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
114. SNARKs - QAP
L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
P = L(x) * R(x) - O(x)
115. L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
P = L(x) * R(x) - O(x) = T(x) * H(x)
T(x) is a publicly known evaluation used for Verification
SNARKs - QAP
116. L(x) * R(x) = O(x) for x in {1, 2} (since we have 2 constraints)
P = L(x) * R(x) - O(x) = T(x) * H(x)
T(x) is a publicly known evaluation used for Verification
H(x) is provided by the Prover and divides
L(x) * R(x) - O(x) evenly (without remainder)
SNARKs - QAP
117. L(x) * R(x) - O(x) = T(x) * H(x)
The Prover would send evaluations of x for L, R, O, and H
polynomials
But how would we ensure that:
1) This “x” is hidden
2) Prover actually uses its polynomials
SNARKs - QAP
118. L(s) * R(s) - O(s) = T(s) * H(s)
s is a linear combination of (g, s⋅g ,…, sd⋅g) of length d (which
corresponds to the max degrees of these polynomials)
This achieves two things:
1) We’re forcing the Prover to evaluate s on its polynomials
2) This s is encrypted, or “hidden”
SNARKs - QAP
119. How can we evaluate a value that is encrypted?
Ex: Instead of sending s plaintext, we can send E(s)
E(s) = sG
(where G is a generator point on a elliptic curve)
SNARKs
120. We can still do evaluations of E(s), even though it’s
encrypted (sometimes called homomorphic addition):
Example:
E(3) + E(4) = E(3 + 4) = E(7)
SNARKs
121. L(s) * R(s) - O(s) = T(s) * H(s)
Using encrypted s, the Prover would send back:
E(L(s)), E(L(s)), E(O(s)), E(L(s)),
SNARKs
122. L(s) * R(s) - O(s) = T(s) * H(s)
Using encrypted s, the Prover would send back:
E(L(s)), E(L(s)), E(O(s)), E(L(s)),
But we still don’t have zero-knowledge as some information
about the assignment is leaked
SNARKs
123. L(s) * R(s) - O(s) = T(s) * H(s)
Adding zero-knowledge:
The Prover simply adds a form of a blinding factor to the
L, R, O evaluations
SNARKs
124. 1. Setup: E(s) is known to everyone, T(s) is known to
everyone (s itself is thrown away, “toxic waste”)
2. Prover has L, R, O and H polynomials
3. Prover sends E(L(s)), E(R(s)), E(O(s)), E(H(s))
4. Anyone in the network can verify:
E(L(s)) * E(R(s)) - E(O(s)) = E(H(s)) * E(T(s))
SNARKs - Protocol
125. 1. This is a huge oversimplification, and we skipped
some details regarding “blinding factors”
2. Pairing of Elliptic Curves for the Verifier
3. This went over the Pinocchio Protocol (PGHR) 2013
Better proving systems already out there: Groth16
SNARKs - what’s left
126. 1. Enormous effort in research for further optimization
a. Research in pairings
b. Research in optionality of elliptic curves
c. Lattice-based SNARKs
d. And a lot, lot more
SNARKs - the Future