Junning Ze,Xinfeng Li,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ICPADS56603.2022.00033

2022-01-01

Abstract:Automatic speaker verification (ASV) systems have been widely applied in voice user interfaces to conduct person identification and access control via voiceprints. A typical ASV system consists of three stages, i.e., training, enrollment, and verification. Previous work has revealed that the ASV system can be bypassed at the training stage by backdoor attacks and at the verification stage by adversarial example attacks. In this paper, we propose a new type of backdoor attack aimed at the enrollment stage via adversarial ultrasound, named UltraBD, which is highly imperceptible, synchronization-free, and content-independent. By simultaneously injecting the ultrasound backdoor examples when the legitimate user initiates the enrollment, the polluted voiceprints stored in the ASV systems grant access to both the legitimate user and the adversary with relatively high confidence. Despite the challenges, i.e., when, what, and how the legitimate user articulates at the enrollment stage can be remarkably unpredictable and various, we managed to launch UltraBD by augmenting the generation and optimization process of the ultrasound backdoor examples with the randomness of synchronous time and relative amplitude ratio. Furthermore, we optimize the modulation mechanism of adversarial ultrasound by tuning the baseband signal on limited signal frequency points to improve its robustness in the physical world setting. We validate UltraBD on two common datasets together with two open-source ASV models. Results show that UltraBD can be robust to various configurations, e.g., different speakers and utterance content. In sum, our attack calls attention to a new attack surface of ASV systems and sheds light on its fundamental mechanisms.

Zhang Huqiang,Hong Peilin,Li Jinsheng

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.064

2006-01-01

Abstract:We point out secure weakness of the Zero-knowledge proof scheme proposed by Sultan Almuhammadi and Clifford Neuman[1] in parameter selecting of public key, and analyze it from calculation of discrete logarithm. Then we propose a new Zero-knowledge proof identification scheme by combining with the effectual cipher key selection method in DSA. The analysis shows that the new scheme is secure, efficient and 1/3 faster than Schnorr's.

Yunlei Zhao

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:In this work, we investigate concurrent knowledge-extraction (CKE) and concurrent non-malleability (CNM) for concurrent (and stronger, resettable) ZK protocols in the bare public-key model. We formulate, driven by concrete attacks, and achieve CKE for constant-round concurrent/resettable arguments in the BPK model under standard polynomial assumptions. We get both generic and practical implementations. Here, CKE is a new concurrent verifier security that is strictly stronger than concurrent soundness in public-key model. We investigate, driven by concrete attacks, and clarify the subtleties in formulating CNM in the public-key model. We then give a new (augmented) CNM formulation in the public-key model and a construction of CNMZK in the public-key model satisfying the new CNM formulation.

Yl Zhao,Xt Deng,Ch Lee,H Zhu

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:A new public-key model for resettable zero-knowledge (rZK) protocols, which is an extension and generalization of the upper-bounded public-key (UPK) model introduced by Micali and Reyzin [EuroCrypt'01, pp. 373-393], is introduced and is named weak public-key (WPK) model. The motivations and applications of the WPK model are justified in the distributed smart-card/server setting and it seems more preferable in practice, especially in E-commerce over Internet. In this WPK model a 3-round (optimal) black-box resettable zero-knowledge argument with concurrent soundness for NP is presented assuming the security of RSA with large exponents against subexponential-time adversaries. Our result improves Micali and Reyzin's result of resettable zero-knowledge argument with concurrent soundness for NP in the UPK model. Note that although Micali and Reyzin' protocol satisfies concurrent soundness in the UPK model, but it does not satisfy even sequential soundness in our WPK model.Our protocol works in a somewhat "parallel repetition" manner to reduce the error probability and the black-box zero-knowledge simulator works in strict polynomial time rather than expected polynomial time. The critical tools used are: verifiable random functions introduced by Micali, Rabin and Vadhan [FOCS'99, pp. 120-130], zap presented by Dwork and Naor [FOCS'00, pp. 283-293] and complexity leveraging introduced by Canetti, Goldreich, Goldwasser and Micali [STOC'00, pp. 235-244].

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Ronald Cramer,Ivan Damgard,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-319-56620-7_17

2017-01-01

Abstract:We propose a new zero-knowledge protocol for proving knowledge of short preimages under additively homomorphic functions that map integer vectors to an Abelian group. The protocol achieves amortized efficiency in that it only needs to send O(n) function values to prove knowledge of n preimages. Furthermore we significantly improve previous bounds on how short a secret we can extract from a dishonest prover, namely our bound is a factor O(k) larger than the size of secret used by the honest prover, where k is the statistical security parameter. In the best previous result, the factor was O(k(log k) n). Our protocol can be applied to give proofs of knowledge for plaintexts in (Ring-) LWE-based cryptosystems, knowledge of preimages of homomorphic hash functions as well as knowledge of committed values in some integer commitment schemes.

Dai Yiqi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.06.038

2012-01-01

Abstract:UC security is the framework in treating a stand-alone protocol and guaranteeing the secure composition.This means that a protocol may run concurrently with many other protocols,on arbitrary inputs and in adversarial controlled way,if it is UC security in the sense that it emulates an ideal functionality,it can be treated as a piece of that ideal functionality in overall system security analysis.In this paper,ZK under UC framework is studied,and the study proves that Blum protocol is closed under sequential composition in the Fwzk-hybrid model.

Ning Ding,Dawu Gu

DOI: https://doi.org/10.1109/cis.workshops.2007.186

2007-01-01

Abstract:We present a stronger notion of precise bounded-concurrent zero-knowledge. Our notion captures the idea that view of any verifier in a bounded-concurrent interaction can be reconstructed in the almost same time. Precise zero-knowledge in stand-alone setting was introduced by Micali and Pass in STOC'06 and they constructed some precise stand-alone zero-knowledge protocols for NP using at least omega(1) rounds. Via providing a precise simulator for the known O(1)-round bounded-concurrent non-black-box zero-knowledge argument, we show the existence of O(1)- round bounded-concurrent zero-knowledge arguments with polynomial precision for NP. Our result assumes that the ratio of running-time of any adversarial verifier on any two different views in bounded-concurrent execution of the protocol is bounded by na, where a is any predeterminate constant. Such verifiers are called restricted verifiers.

Yunlei Zhao,Chan H. Lee,Yiming Zhao,Hong Zhu

DOI: https://doi.org/10.1007/978-3-540-24852-1_13

2004-01-01

Abstract:In this paper we make some observations on the zaps and their applications developed by Dwork and Naor [13]. We clarify the relations among public-coin witness indistinguishability (WI), public-coin honest verifier zero-knowledge (HVZK) and public-coin special honest verifier zero-knowledge (SHVZK). Specifically, we observe that the existence of zaps under the existence of one-way permutations actually strictly separates public-coin WI and public-coin SHVZK assuming ArP not subset of or equal to BPP. We also show that public-coin HVZK does not implies WI assuming the existence of one-way permutations. For zap-based applications, we present an improved Dwork-Naor 2-round timed deniable authentication scheme that improves the communication and computation complexity of the original protocol presented by Dwork and Naor [13]. Specifically, in the improved protocol the first message (from the verifier to the authenticator) is independent on the message to be authenticated by the authenticator.

Fangguo Zhang,Qiping Lin,Shengli Liu

DOI: https://doi.org/10.1007/978-3-642-31284-7_18

2012-01-01

Abstract:The Zero-Value Point (ZVP) attack, one of side channel attacks, is very powerful to recover the secret information of elliptic curve cyrptosystem (ECC) on memory constraint devices by monitoring their power consumptions. In the ZVP attack, the zero-value registers are used in point addition and doubling formula of ECC to resist randomizations. Hence, the countermeasures against the differential power analysis (DPA), like Coron's and Joye-Tymen's randomization, do not work for the ZVP attack. The Kummer surface is a variety associated to the Jacobian of a genus 2 curve with a map. The pseudo-group structure on the Kummer surface defines a scalar multiplication, which is more efficient than that in HECC and comparable to ECC, especially in constraint environments. We inspect the pseudo-addition and doubling formula of the Kummer surface and show how to find zero-value registers. Our analysis shows that the scalar multiplication on the Kummer surface suffers from the ZVP attack, hence all Kummer-based cryptosystems are inevitable to the ZVP attack.

Xiangyu Liu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-31371-4_17

2023-01-01

Abstract:In this paper, we propose a new type of non-interactive zero-knowledge (NIZK), called Fine-grained Verifier NIZK (FV-NIZK), which provides more flexible and more fine-grained verifiability of proofs than standard NIZK that supports public verifiability and designated-verifier NIZK (DV-NIZK) that supports private verifiability. FV-NIZK has two statistically equivalent verification approaches: We require unbounded simulation soundness (USS) of FV-NIZK to hold, even if an adversary obtains derived secret keys $$sk_d$$ with d of its choices, and define proof pseudorandomness which stipulates the pseudorandomness of proofs for adversaries that are not given any secret key. We present two instantiations of FV-NIZK for linear subspace languages, based on the matrix decisional Diffie-Hellman (MDDH) assumption. One of the FV-NIZK instantiations is pairing-free and achieves almost tight USS and proof pseudorandomness. We illustrate the usefulness of FV-NIZK by showing two applications and obtain the following pairing-free schemes:

Shirley H. C. Cheung,Xiaotie Deng,Chan H. Lee,Yunlei Zhao

DOI: https://doi.org/10.1007/3-540-36413-7_23

2002-01-01

Abstract:A new notion of soundness in bare public-key (BPK) model is presented. This new notion just lies in between one-time soundness and sequential soundness and its reasonableness is justified in the context of resettable zero-knowledge when resettable zero-knowledge prover is implemented by smart card.

Yi Deng,Giovanni Di Crescenzo,Dongdai Lin

2006-01-01

Abstract:We consider a type of zero-knowledge protocols that are of interest for their practical applications within networks like the Internet: efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we consider a model, which we call the Authenticated Public-Key (APK) model. The APK model seems to significantly reduce the setup assumptions made by the CRS model (as no trusted party or honest execution of a centralized algorithm are required), and can be seen as a slightly stronger variation of the Bare Public-Key (BPK) model from , and a weaker variation of the registered public-key model used in . We then define and study man-in-the-middle attacks in the APK model. Our main result is a constant-round concurrent non-malleable zero-knowledge argument of knowledge for any polynomial-time relation (associated to a language in 𝒩𝒫), under the (minimal) assumption of the existence of a one-way function family. Furthermore,We show time-efficient instantiations of our protocol based on known number-theoretic assumptions. We also note a negative result with respect to further reducing the setup assumptions of our protocol to those in the (unauthenticated) BPK model, by showing that concurrently non-malleable zero-knowledge arguments of knowledge in the BPK model are only possible for trivial languages.

Weiyi Zhang,Shuning Zhao,Le Liu,Jianmin Li,Xingliang Cheng,Thomas Fang Zheng,Xiaolin Hu

DOI: https://doi.org/10.1109/icassp39728.2021.9413467

2021-06-06

Abstract:In authentication scenarios, applications of practical speaker verification systems usually require a person to read a dynamic authentication text. Previous studies played an audio adversarial example as a digital signal to perform physical attacks, which would be easily rejected by audio replay detection modules. This work shows that by playing our crafted adversarial perturbation as a separate source when the adversary is speaking, the practical speaker verification system will misjudge the adversary as a target speaker. A two-step algorithm is proposed to optimize the universal adversarial perturbation to be text-independent and has little effect on the authentication text recognition. We also estimated room impulse response (RIR) in the algorithm which allowed the perturbation to be effective after being played over the air. In the physical experiment, we achieved targeted attacks with success rate of 100%, while the word error rate (WER) on speech recognition was only increased by 3.55%. And recorded audios could pass replay detection for the live person speaking.

Nai-Hui Chia,Kai-Min Chung,Takashi Yamakawa

2023-10-30

Abstract:In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation. In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called $\epsilon$-zero-knowledge. Concretely, we construct the following protocols: - We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box $\epsilon$-zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of $\epsilon$-zero-knowledge property against quantum adversaries requires novel ideas. - We construct a constant round interactive argument for NP that satisfies computational soundness and black-box $\epsilon$-zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions. At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier's internal state in an appropriate sense.

Quantum Physics,Cryptography and Security

Yunlei Zhao,Robert Deng,Binyu Zang,Yiming Zhao

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general NP languages with going through general NP-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named ∑-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from ∑-protocols to practical (real) ZK arguments without general NP-reductions under either the DLP or RSA assumptions. © Springer-Verlag Berlin Heidelberg 2005.

ZHANG Jun

DOI: https://doi.org/10.3778/j.issn.1673-9418.2002047

2021-01-01

Abstract:Power side-channel attacks, have become a serious threat to embedded computing devices in cyber-physical systems because of the ability of deducing secret data using statistical analysis. A common strategy for designing countermeasures against power-analysis-based side-channel attacks uses random masking techniques to remove the statistical dependency between secret data and side-channel information. Although existing techniques can verify whether a piece of cryptographic software code is perfectly masked, they are limited in accuracy and scalability. In order to eliminate such limitations, a refinement-based method for verifying masking countermeasures is proposed. This method is more accurate than prior type-inference based approaches and more scalable than prior model-counting based approaches using satisfiability (SAT) or satisfiability modulo theories (SMT) solvers. Indeed, this method uses a set of semantic type-inference rules to reason about distribution type. These rules are kept abstract initially to allow fast deduction, and then specified when the abstract version is not able to resolve the verification problem. This method is implemented in a software tool called SCVerify and is evaluated on cryptographic benchmarks including advanced encryption standard (AES) and message authentication code Keccak (MAC-Keccak). The experimental results show that the method significantly outperforms state-of-the-art techniques in terms of accuracy and scalability.

Puja Mondal,Supriya Adhikary,Suparna Kundu,Angshuman Karmakar

2024-09-11

Abstract:Computationally hard problems based on coding theory, such as the syndrome decoding problem, have been used for constructing secure cryptographic schemes for a long time. Schemes based on these problems are also assumed to be secure against quantum computers. However, these schemes are often considered impractical for real-world deployment due to large key sizes and inefficient computation time. In the recent call for standardization of additional post-quantum digital signatures by the National Institute of Standards and Technology, several code-based candidates have been proposed, including LESS, CROSS, and MEDS. These schemes are designed on the relatively new zero-knowledge framework. Although several works analyze the hardness of these schemes, there is hardly any work that examines the security of these schemes in the presence of physical attacks. In this work, we analyze these signature schemes from the perspective of fault attacks. All these schemes use a similar tree-based construction to compress the signature size. We attack this component of these schemes. Therefore, our attack is applicable to all of these schemes. In this work, we first analyze the LESS signature scheme and devise our attack. Furthermore, we showed how this attack can be extended to the CROSS signature scheme. Our attacks are built on very simple fault assumptions. Our results show that we can recover the entire secret key of LESS and CROSS using as little as a single fault. Finally, we propose various countermeasures to prevent these kinds of attacks and discuss their efficiency and shortcomings.

Cryptography and Security

Carlos E. González-Guillén,María Isabel González Vasco,Floyd Johnson,Ángel L. Pérez del Pozo

DOI: https://doi.org/10.48550/arXiv.2003.12095

2020-03-30

Abstract:Identification schemes are interactive protocols typically involving two parties, a prover, who wants to provide evidence of his or her identity and a verifier, who checks the provided evidence and decide whether it comes or not from the intended prover. In this paper, we comment on a recent proposal for quantum identity authentication from Zawadzki, and give a concrete attack upholding theoretical impossibility results from Lo and Buhrman et al. More precisely, we show that using a simple strategyan adversary may indeed obtain non-negligible information on the shared identification secret. While the security of a quantum identity authentication scheme is not formally defined in [1], it is clear that such a definition should somehow imply that an external entity may gain no information on the shared identification scheme (even if he actively participates injecting messages in a protocol execution, which is not assumed in our attack strategy).

Quantum Physics,Cryptography and Security

Jian Weng,Yunlei Zhao,Robert H. Deng,Shengli Liu,Yanjiang Yang,Kouichi Sakurai

DOI: https://doi.org/10.1016/j.tcs.2015.07.051

IF: 1.002

2015-01-01

Theoretical Computer Science

Abstract:A public key trace and revoke scheme combines the functionality of broadcast encryption with the capability of traitor tracing. In Asiacrypt 2003, Kim, Hwang and Lee proposed a public key trace and revoke scheme (referred to as KHL scheme), and gave the security proof to support that their scheme is z-resilient against adaptive chosen-ciphertext attacks, in which the adversary is allowed to adaptively issue decryption queries as well as adaptively corrupt up to z users. In the passed ten years, KHL scheme has been believed as one of the most efficient public key trace and revoke schemes with z-resilience against adaptive chosen-ciphertext attacks under the well-studied DDH assumption. However, in this paper, by giving a concrete attack, we indicate that KHL scheme is actually not secure against adaptive chosen-ciphertexts, even without corruption of any user. We then identify the flaws in the security proof for KHL-scheme, and discuss the consequences of the attack.