Cryptographic Protocols. Steve Lai


1 Cryptographic Protocols Steve Lai

2 This course: applications (security) at the top: encryption schemes, cryptographic protocols, signature/MAC schemes; built on pseudorandom generators and functions and on zero-knowledge proof systems; all resting on computational difficulty (one-way functions).

3 Cryptographic Protocols: entity authentication; key agreement; Fiat-Shamir identification scheme; zero-knowledge proof systems; Schnorr's identification/signature scheme; commitment schemes; secret sharing; electronic election; blind signature; digital cash.

4 Entity Authentication. Problem: Alice wants to prove to Bob that she is Alice, and/or vice versa. Basic idea: Alice shows that she knows some secret which is presumably known only to Alice (and Bob). That secret could be, for example: Alice's password or PIN; a MAC or encryption key shared by Alice and Bob; or Alice's RSA private key.

5 Is it secure against an eavesdropper?
Protocol:
0. Alice → Bob: "I'm Alice"
1. Bob → Alice: "What's your password?"
2. Alice → Bob: Alice's password
3. Bob verifies the password.
(No: the password travels in the clear, so an eavesdropper learns it and can replay it later.)

6 Challenge-and-response using a secret key
Alice and Bob share a secret key $k$. Protocol (insecure):
0. (Alice → Bob: "I'm Alice")
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = \mathrm{MAC}_k(r)$.
3. Bob computes $y' = \mathrm{MAC}_k(r)$ and checks whether $y = y'$.
(Or use encryption instead of a MAC.)

7 Parallel sessions attack (figure: Alice, Eve, Bob). Eve, claiming to be Alice, receives the challenge $r$ from Bob. She opens a parallel session in which she acts as verifier and sends the same $r$ as her challenge to a party holding $k$, obtains the answer $y = \mathrm{MAC}_k(r)$, and replays $y$ to Bob, who accepts.

8 Countermeasure (figure: Alice, Eve, Bob): bind the responder's identity into the response. A prover $X$ answers a challenge $r$ with $y = \mathrm{MAC}_k(r \| X)$. Bob, verifying Alice, expects $\mathrm{MAC}_k(r \| \mathrm{Alice})$, whereas the parallel session in which Bob himself answers yields $\mathrm{MAC}_k(r \| \mathrm{Bob})$, which Bob rejects.

9 Mutual authentication using a secret key
Alice and Bob share a secret key $k$. Protocol (insecure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Alice}) \| r_1)$ and a random challenge $r_2$.
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Bob}) \| r_2)$.
4. Alice and Bob verify each other's response.
(The roles are symmetric: whoever receives a challenge answers with a MAC over its own identity and that challenge.)

10 Man-in-the-middle (interleaving) attack (figure: Alice, Eve, Bob). Eve wants Alice to accept her as Bob.
Session 1, Eve posing as Bob: Eve → Alice: $r_1$. Alice → Eve: $\mathrm{MAC}_k(A \| r_1)$, $r_2$.
Session 2, Eve posing as Alice: Eve → Bob: $r_2$. Bob → Eve: $\mathrm{MAC}_k(B \| r_2)$, $r_3$.
Session 1: Eve → Alice: $\mathrm{MAC}_k(B \| r_2)$, and Alice accepts. (Eve abandons session 2.)

11 Countermeasure (figure: Alice, Eve, Bob): a responder also binds its own fresh challenge into its answer.
Session 1: Alice → Eve: $\mathrm{MAC}_k(A \| r_1 \| r_2)$, $r_2$.
Session 2: Bob → Eve: $\mathrm{MAC}_k(B \| r_2 \| r_3)$, $r_3$.
Alice expects $\mathrm{MAC}_k(B \| r_2)$, which Eve can no longer obtain from Bob (???).

12 Mutual authentication using a secret key
Alice and Bob share a secret key $k$. Protocol (secure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Alice}) \| r_1 \| r_2)$ and a random challenge $r_2$.
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Bob}) \| r_2)$.
4. Alice and Bob verify each other's response.
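The interleaving attack of slide 10 and the fix of slide 12, as an added example (not part of the lecture notes): both parties run the symmetric challenge-response with HMAC-SHA256 playing the role of $\mathrm{MAC}_k$, with a length-prefixed encoding so that $\mathrm{ID} \| r_1 \| r_2$ cannot be re-parsed. `bind_r2=False` is the slide-9 protocol, `bind_r2=True` the slide-12 protocol; names and key sizes are the example's own choices.

```python
import hmac, hashlib, os

def mac(k: bytes, *parts: bytes) -> bytes:
    """MAC_k over a length-prefixed concatenation, so ID||r1||r2 cannot be re-parsed as ID||r1'."""
    h = hmac.new(k, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Party:
    """A principal holding the shared key k. Whoever receives a challenge answers with a MAC
    over its own identity and that challenge (plus its own fresh challenge r2 when bind_r2)."""
    def __init__(self, name: bytes, k: bytes, bind_r2: bool):
        self.name, self.k, self.bind_r2 = name, k, bind_r2

    def respond(self, r1: bytes):                    # message 2: y1, r2
        r2 = os.urandom(16)
        parts = (self.name, r1, r2) if self.bind_r2 else (self.name, r1)
        return mac(self.k, *parts), r2

    def finish(self, peer: bytes, r1: bytes, y1: bytes, r2: bytes):   # message 3: y2 (None = reject)
        parts = (peer, r1, r2) if self.bind_r2 else (peer, r1)
        if not hmac.compare_digest(y1, mac(self.k, *parts)):
            return None
        return mac(self.k, self.name, r2)

    def verify_final(self, peer: bytes, r2: bytes, y2: bytes) -> bool:
        return hmac.compare_digest(y2, mac(self.k, peer, r2))

def run_honest(bind_r2: bool) -> bool:
    k = os.urandom(32)
    alice, bob = Party(b"Alice", k, bind_r2), Party(b"Bob", k, bind_r2)
    r1 = os.urandom(16)                              # 1. Bob -> Alice: r1
    y1, r2 = alice.respond(r1)                       # 2. Alice -> Bob: MAC_k(A||r1[||r2]), r2
    y2 = bob.finish(b"Alice", r1, y1, r2)            # 3. Bob -> Alice: MAC_k(B||r2)
    return y2 is not None and alice.verify_final(b"Bob", r2, y2)

def interleaving_attack(bind_r2: bool) -> bool:
    """Eve holds no key and tries to make Alice accept her as Bob (slide 10). True = Alice fooled."""
    k = os.urandom(32)
    alice, bob = Party(b"Alice", k, bind_r2), Party(b"Bob", k, bind_r2)
    r1 = os.urandom(16)                 # session 1, Eve posing as Bob: challenge Alice with r1
    y1, r2 = alice.respond(r1)          # Alice answers; Eve now needs MAC_k(B||r2)
    y1_prime, r3 = bob.respond(r2)      # session 2, Eve posing as Alice: challenge Bob with r2
    return alice.verify_final(b"Bob", r2, y1_prime)   # session 1: Eve replays Bob's answer as y2
```

With `bind_r2=True` Bob's second-session answer is $\mathrm{MAC}_k(B \| r_2 \| r_3)$, which Alice rejects; a pure relay between two online parties is still possible, which is why key agreement (next section) is needed on top of entity authentication.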

13 Public-key mutual authentication
Protocol (secure):
1. Alice → Bob: a random challenge $r_1$.
2. Bob → Alice: $y_1 = \mathrm{Sign}_{pr(\mathrm{Bob})}(\mathrm{ID}(\mathrm{Bob}) \| r_1 \| r_2)$ and a random challenge $r_2$.
3. Alice → Bob: $y_2 = \mathrm{Sign}_{pr(\mathrm{Alice})}(\mathrm{ID}(\mathrm{Alice}) \| r_2)$.
4. Alice and Bob verify each other's response.

14 Key Agreement

15 Two levels of keys. Master (long-lived) keys: (asymmetric) keys used for entity authentication and session key agreement. Session keys: (symmetric) keys used only for a session. Reasons for using session keys: 1. Limiting the amount of ciphertext available to attackers under one key. 2. Limiting the damage to only one session in case of session key compromise. 3. Symmetric encryption is faster.

16 Diffie-Hellman key agreement
Alice and Bob want to set up a session key.
1. Alice and Bob agree on a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^*$.
2. Alice → Bob: $g^a \bmod p$, where $a \in_R \mathbb{Z}_{p-1}$.
3. Bob → Alice: $g^b \bmod p$, where $b \in_R \mathbb{Z}_{p-1}$.
4. They agree on the key $g^{ab} \bmod p$.
Security:
- Provides protection against eavesdroppers (under the Diffie-Hellman assumption).
- Insecure against active adversaries: a man in the middle can replace $g^a$ and $g^b$ by her own values and share one key with Alice and another with Bob.
- Problem: lack of authentication.

17 Authentication is important in key establishment. When establishing a session key, make sure you are doing it with the right entity. Two approaches: entity authentication + Diffie-Hellman; entity authentication + encrypted session key.

18 Recall: public-key mutual authentication
Protocol:
1. Alice → Bob: a random challenge $r_1$.
2. Bob → Alice: $y_1 = \mathrm{Sign}_{pr(\mathrm{Bob})}(\mathrm{ID}(\mathrm{Bob}) \| r_1 \| r_2)$ and $r_2$.
3. Alice → Bob: $y_2 = \mathrm{Sign}_{pr(\mathrm{Alice})}(\mathrm{ID}(\mathrm{Alice}) \| r_2)$.
4. Alice and Bob verify each other's response.
Combine Diffie-Hellman with the above protocol: Alice uses $g^a$ for $r_1$ and Bob uses $g^b$ for $r_2$. The resulting protocol is called the Station-to-Station protocol.

19 Station-to-station protocol
Alice and Bob each have a signature key pair. Protocol:
0. A and B agree on $p$ and a generator $g$ of $\mathbb{Z}_p^*$ as in DH key agreement.
1. A → B: $r_1 = g^a$, where $a \in_R \mathbb{Z}_{p-1}$.
2. B → A: $r_2 = g^b$ and $y_1 = \mathrm{Sign}_{pr(B)}(B \| r_1 \| r_2)$, where $b \in_R \mathbb{Z}_{p-1}$.
3. A → B: $y_2 = \mathrm{Sign}_{pr(A)}(A \| r_2 \| r_1)$.
4. If all verifications pass, use $k = g^{ab}$ as the session key.
Remark: all computations are done modulo $p$.
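Plain Diffie-Hellman under a man in the middle (slide 16) next to the station-to-station run (slide 19), as an added example that is not part of the lecture notes. The DH group is a Mersenne prime with $g = 3$, and the signatures are textbook RSA over fixed, far-too-small primes that only stand in for $\mathrm{Sign}_{pr(\cdot)}$; all of these parameters are the example's own choices, not something the slides prescribe.

```python
import hashlib, secrets

# Constructed demo parameters, far below real sizes: a Mersenne prime p for the DH group and
# fixed primes for textbook-RSA signatures that merely play the role of Sign_pr(.).
P = (1 << 127) - 1        # prime modulus p
G = 3                     # group element used as g
RSA_E = 65537

def rsa_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, RSA_E), (n, pow(RSA_E, -1, phi))        # (public key, private key)

def _digest(parts, n):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(sk, *parts):
    n, d = sk
    return pow(_digest(parts, n), d, n)

def verify(pk, sig, *parts):
    n, e = pk
    return pow(sig, e, n) == _digest(parts, n)

def dh_mitm():
    """Plain DH (slide 16) with Eve replacing both exponentials by g^e.
    Returns (Alice's key == Bob's key, Eve knows both keys)."""
    a, b, ev = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    r1, r2 = pow(G, a, P), pow(G, b, P)        # what Alice and Bob send
    fake = pow(G, ev, P)                        # what Eve delivers to each of them instead
    k_alice, k_bob = pow(fake, a, P), pow(fake, b, P)
    return k_alice == k_bob, (pow(r1, ev, P) == k_alice and pow(r2, ev, P) == k_bob)

def sts(mitm: bool):
    """Station-to-station (slide 19). Returns (Alice accepts, Bob accepts, keys match)."""
    pkA, skA = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)    # Alice's signing key
    pkB, skB = rsa_keypair(4294967291, 9223372036854775783) # Bob's signing key
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    r1 = pow(G, a, P)                                        # 1. A -> B: r1 = g^a
    r1_at_bob = pow(G, secrets.randbelow(P - 2) + 1, P) if mitm else r1   # Eve may substitute g^e
    r2 = pow(G, b, P)                                        # 2. B -> A: r2 = g^b, y1 = Sign_B(B||r1||r2)
    y1 = sign(skB, "Bob", r1_at_bob, r2)
    alice_ok = verify(pkB, y1, "Bob", r1, r2)                # Alice checks against the r1 SHE sent
    if not alice_ok:
        return False, False, False                           # Alice aborts: the MITM is detected here
    y2 = sign(skA, "Alice", r2, r1)                          # 3. A -> B: y2 = Sign_A(A||r2||r1)
    bob_ok = verify(pkA, y2, "Alice", r2, r1_at_bob)
    return alice_ok, bob_ok, pow(r2, a, P) == pow(r1_at_bob, b, P)
```

The signature over both exponentials is what ties Bob's $g^b$ to the $g^a$ Alice actually sent; with a substituted $r_1$ the signature no longer verifies on Alice's side and she aborts before deriving a key.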

20 Public-key based authenticated key agreement
Alice and Bob each have an encryption key pair and a signature key pair. Protocol:
1. A → B: a random challenge $r_1$.
2. B → A: $y_1 = \mathrm{Sign}_{pr(B)}(A \| r_1 \| r_2 \| c)$, $r_2$, and $c = E_{e_A}(k)$, where $k$ is a session key chosen by B and $e_A$ is Alice's public encryption key.
3. A → B: $y_2 = \mathrm{Sign}_{pr(A)}(B \| r_2)$.
4. Alice and Bob verify each other's response. If all verifications pass, Alice decrypts $c$ to obtain $k$. They can now use $k$ as the session key.
Security: this protocol provides no forward secrecy.

22 Forward secrecy. Suppose Eve records all (encrypted) messages exchanged between Alice and Bob during a session. If later Eve gets Alice's decryption key $d_A$, she will be able to decrypt $c$ to get the session key $k$. A session-key agreement scheme is said to provide forward secrecy if it resists this kind of attack (i.e., session keys remain secure even if master keys are compromised later). Station-to-station provides forward secrecy: the session key $g^{ab}$ depends only on the ephemeral exponents, which are discarded after the session.

23 Identification Schemes based on zero-knowledge interactive proof systems

24 Interactive proof system. Peggy, the prover, holds a secret $x$ (known only to Peggy) about some public information $y$, and wishes to prove that she knows $x$ (thereby authenticating her identity). Vic, the verifier, checks whether the provided proof is acceptable. Basic requirements (without adversaries): (Perfect) completeness: Peggy, who knows the secret, always succeeds in convincing Vic. Soundness: anyone not knowing the secret can only cheat with a small success probability. Desired property: zero-knowledge.

25 Formal definition of interactive proof system. A pair of interactive machines $(P, V)$ is called an interactive proof system for a language $L$ if machine $V$ is polynomial-time and the following two conditions hold:
(Perfect) Completeness: for every $y \in L$, $\Pr[\langle P, V \rangle(y) = 1] = 1$.
Soundness: for every $y \notin L$ and every interactive machine $P^*$, $\Pr[\langle P^*, V \rangle(y) = 1] \le 1/3$.
Remark: the error probability $1/3$ is arbitrary and can be made exponentially small by repeating the interaction many times.

26 Password scheme. Secret: Peggy's password. Protocol: Peggy sends her username and password to Vic. Vic accepts Peggy's identity if the submitted password equals the stored password. Comments: complete and sound; not zero-knowledge (Peggy reveals information that may be used later by an adversary). Q: Is this protocol an interactive proof system for some language $L$?

27 Scheme based on public-key encryption. Secret: Peggy has a secret key $sk$ and a public key $pk$.
Protocol:
1. Vic → Peggy: $c = E_{pk}(m)$, with $m$ randomly chosen.
2. Peggy → Vic: $m' = D_{sk}(c)$.
3. Vic accepts Peggy's identity iff $m' = m$.
Comments: complete and sound. Not zero-knowledge: if Vic has a ciphertext $c$ of Peggy's, he can have $c$ decrypted (by Peggy). An interactive proof system for what language $L$?

28 Zero-Knowledge. The schemes based on passwords and encryption are not zero-knowledge: the prover reveals some knowledge to the verifier or to an eavesdropper. We are interested in a proof system in which the prover proves her knowledge of some secret without revealing anything about that secret. We will formalize the notion of zero-knowledge. But first let us look at a proof system which will later be proved zero-knowledge.

29 Fiat-Shamir identification scheme (ideas)
Parameters: $n = pq$; $y = x^2$ with $x \in \mathbb{Z}_n^*$; computations are done in $\mathbb{Z}_n^*$. Keys: public $(n, y)$; secret $x$, known to Peggy only.
First attempt: Peggy chooses a random $r \in \mathbb{Z}_n^*$ and sends $(a, b) = (r^2, rx)$ to Vic. Vic accepts Peggy's identity iff $b^2 = ay$.
Comments: the scheme is complete. Not sound: Eve can impersonate Peggy by sending $(a, b) = (b^2 y^{-1}, b)$, where $b \in_R \mathbb{Z}_n^*$.

30 Basic idea: let $f$ be a homomorphic one-way function: $y = f(x)$, $a = f(r)$, $f(xr) = f(x)f(r)$. Peggy is supposed to choose $a = f(r)$ and $b = xr$, so that $f(b) = ay$; she sends $(a, b)$ and Vic checks whether $f(b) = ay$. Eve can cheat by not following this rule: she simply chooses an arbitrary $b$ and lets $a = f(b)y^{-1}$. Countermeasure: with probability $1/2$, ask Peggy to reveal $r$ (to check whether she follows the rule).

31 Fiat-Shamir identification scheme (simplified)
Parameters: $n = pq$; $y = x^2$ with $x \in \mathbb{Z}_n^*$; computations done in $\mathbb{Z}_n^*$. Keys: public $(n, y)$, secret $x$.
Protocol:
1. Peggy → Vic: $a = r^2$, with $r \in \mathbb{Z}_n^*$ randomly chosen.
2. Vic → Peggy: $e \in \{0, 1\}$, randomly chosen.
3. Peggy → Vic: $b = r x^e$ (i.e., $b = r$ or $b = rx$).
4. Vic accepts Peggy's identity iff $b^2 = a y^e$.
Comments: step 1 is a commitment, step 2 a challenge, step 3 a response.

32 Completeness: obvious. Soundness: Eve can cheat with probability $1/2$ (idea: guess $e$ and prepare $(a, b)$ accordingly):
1. Eve → Vic: $a = b^2 y^{-e'}$, where $b \in_R \mathbb{Z}_n^*$ and $e' \in_R \{0, 1\}$.
2. Vic → Eve: $e \in \{0, 1\}$, randomly chosen.
3. Eve → Vic: $b$.
4. Vic accepts Peggy's identity iff $b^2 = a y^e$. (Eve succeeds in cheating iff $e = e'$.)
Q: How to cheat with probability $> 1/2$?

33 Eve may succeed with probability at most $1/2 + \mathrm{negl}(n)$.
$\Pr[\text{Eve succeeds}] = \Pr[\text{her } a \text{ is good only for } e = 0] \Pr[e = 0] + \Pr[\text{her } a \text{ is good only for } e = 1] \Pr[e = 1] + \Pr[\text{her } a \text{ is good for both challenges}] \le 1/2 + \Pr[\text{Eve can choose an } a \text{ with which she can meet both challenges}]$.
If Eve can come up with a value $a$ and two values $b$ and $b'$ such that $b^2 = a$ and $b'^2 = ay$, then she can compute $\sqrt{y} = b' b^{-1}$ in $\mathbb{Z}_n^*$, which is intractable (as hard as factoring $n$). So that probability is $\mathrm{negl}(n)$.

35 If the protocol is run $t$ times, Eve's success probability of cheating is reduced to $2^{-t} + \mathrm{negl}(n)$. The protocol can be viewed as an interactive proof system for the language $L = QR_n = \{y \in \mathbb{Z}_n^* : y \text{ is a quadratic residue in } \mathbb{Z}_n^*\}$.
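The simplified Fiat-Shamir protocol of slides 31-35 in code, as an added example that is not part of the lecture notes: an honest run, the cheating prover of slide 32 measured over many rounds (it wins about half of them), and the extraction argument of slide 33 (two accepting responses for one commitment give a square root of $y$). The modulus uses two small constructed primes; a deployment needs primes of roughly 1024 bits each.

```python
import secrets
from math import gcd

# Constructed parameters: two small demo primes; a real deployment uses ~1024-bit p and q.
P_, Q_ = 1000003, 1000033
N = P_ * Q_

def rand_unit(n):
    """Uniform element of Z_n^* (rejection sampling on gcd)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def keygen(n):
    x = rand_unit(n)
    return x, pow(x, 2, n)                        # secret x, public y = x^2 mod n

def honest_round(n, x, y):
    """One round of simplified Fiat-Shamir. Returns (a, e, b, accepted)."""
    r = rand_unit(n)
    a = pow(r, 2, n)                              # 1. commitment a = r^2
    e = secrets.randbelow(2)                      # 2. challenge e in {0,1}
    b = r * pow(x, e, n) % n                      # 3. response b = r x^e
    return a, e, b, pow(b, 2, n) == a * pow(y, e, n) % n   # 4. accept iff b^2 == a y^e

def cheating_prover(n, y):
    """Eve guesses e' and prepares (a, b) = (b^2 y^{-e'}, b); she can only answer e == e'."""
    b = rand_unit(n)
    e_guess = secrets.randbelow(2)
    a = pow(b, 2, n) * pow(pow(y, -1, n), e_guess, n) % n
    return a, e_guess, b

def cheat_success_rate(n, y, rounds=2000):
    """Fraction of rounds in which Eve's prepared (a, b) passes an honest verifier."""
    wins = 0
    for _ in range(rounds):
        a, _, b = cheating_prover(n, y)
        e = secrets.randbelow(2)                  # the honest verifier's challenge
        wins += pow(b, 2, n) == a * pow(y, e, n) % n
    return wins / rounds

def extract_root(n, y, a, b0, b1):
    """Two accepting responses for the same commitment (b0 for e=0, b1 for e=1) yield sqrt(y):
    b0^2 = a and b1^2 = a y, so (b1 / b0)^2 = y. Knowing sqrt(y) is as hard as factoring n."""
    assert pow(b0, 2, n) == a and pow(b1, 2, n) == a * y % n
    return b1 * pow(b0, -1, n) % n

def run_protocol(n, x, y, t=20):
    """t sequential rounds; a cheater passes all of them with probability about 2^-t."""
    return all(honest_round(n, x, y)[3] for _ in range(t))
```
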

36 General Fiat-Shamir scheme (ideas). Do this $t$ times in parallel: commitments $a_1 = r_1^2, \ldots, a_t = r_t^2$; challenges $e_1, \ldots, e_t$; responses $b_1 = r_1 x^{e_1}, \ldots, b_t = r_t x^{e_t}$; checks $b_i^2 = a_i y^{e_i}$. Better, use one commitment and $t$ secrets: $a = r^2$; challenge $e = (e_1, \ldots, e_t)$; response $b = r x_1^{e_1} \cdots x_t^{e_t}$; check $b^2 = a\, y_1^{e_1} \cdots y_t^{e_t}$.

37 General Fiat-Shamir identification scheme
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$ and $y_i = x_i^2 \pmod n$. Secret key: $(x_1, \ldots, x_t)$, where $x_i \in \mathbb{Z}_n^*$.
Protocol: repeat the following $k$ times:
1. Peggy → Vic: $a = r^2$, with $r \in \mathbb{Z}_n^*$ randomly chosen.
2. Vic → Peggy: $e = (e_1, \ldots, e_t) \in \{0, 1\}^t$, randomly chosen.
3. Peggy → Vic: $b = r x_1^{e_1} \cdots x_t^{e_t}$.
4. Vic rejects if $b^2 \ne a\, y_1^{e_1} \cdots y_t^{e_t}$.

38 Remarks: Eve can succeed in cheating if she guesses $(e_1, \ldots, e_t)$ correctly in each of the $k$ iterations: $\Pr = 2^{-kt}$. Same level of security for various $k, t$ if $kt$ is constant. Still zero-knowledge for $t = O(\log n)$ and $k = O(n^l)$ (polynomial); if $t$ is too large, the simulator (which must guess $e$) is no longer polynomial in expected running time. Number of exchanged bits: $k(2|n| + t)$. Number of multiplications: about $2k(t+1)$. Size of the prover's secret: $t|n|$ bits.

39 We can always convert an interactive identification scheme into a digital signature scheme. Identification: commitment $a = r^2$, challenge $e$, response $b = r x^e$, check $b^2 = a y^e$. 1. The signer computes $a$, $e$, $b$ in that order. 2. Involve $m$ in $e$: $e = \mathrm{hash}(m, a)$, and use $(e, b)$ as the signature: $\mathrm{signature}(m) = (a, e, b)$, or just $(e, b)$.

40 Fiat-Shamir signature scheme ($k = 1$)
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$ and $y_i = x_i^2 \pmod n$. Secret key: $(x_1, \ldots, x_t)$, where $x_i \in \mathbb{Z}_n^*$. Hash function: $h : \{0,1\}^* \to \{0,1\}^t$.
$\mathrm{Sign}_{sk}(m) = (e, b)$:
1. choose $r \in \mathbb{Z}_n^*$ at random; let $a := r^2$.
2. compute $e := h(m \| a) = (e_1, \ldots, e_t)$.
3. compute $b := r x_1^{e_1} \cdots x_t^{e_t}$.
$\mathrm{Verify}_{pk}(m, e, b)$: compute $a' := b^2 y_1^{-e_1} \cdots y_t^{-e_t}$ and accept iff $e = h(m \| a')$.

41 Remarks: a straightforward but less interesting alternative is to include $a$ in the signature, i.e., $\mathrm{Sign}_{sk}(m) := (a, e, b)$, and verify the signature by checking whether $e = h(m \| a)$ and $b^2 = a\, y_1^{e_1} \cdots y_t^{e_t}$. In step 2 of the protocol, why is it important to include $a$ in the computation of $e := h(m \| a)$?

42 Fiat-Shamir signature scheme (general $k$)
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$ and $y_i = x_i^2 \pmod n$. Secret key: $(x_1, \ldots, x_t)$, where $x_i \in \mathbb{Z}_n^*$. Hash function: $h : \{0,1\}^* \to \{0,1\}^{kt}$.
$\mathrm{Sign}_{sk}(m) = (e, b)$:
1. choose $r_1, \ldots, r_k \in \mathbb{Z}_n^*$ at random; let $a_i := r_i^2$, $1 \le i \le k$.
2. compute $e := h(m \| a_1 \| \cdots \| a_k) = (e_{ij})$, $1 \le i \le k$, $1 \le j \le t$.
3. compute $b := (b_1, \ldots, b_k)$, with $b_i := r_i x_1^{e_{i1}} \cdots x_t^{e_{it}}$, $1 \le i \le k$.
$\mathrm{Verify}_{pk}(m, e, b)$: compute $a_i' := b_i^2 y_1^{-e_{i1}} \cdots y_t^{-e_{it}}$, $1 \le i \le k$, and accept iff $e = h(m \| a_1' \| \cdots \| a_k')$.
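The general Fiat-Shamir signature of slides 40-42 in code, as an added example that is not part of the lecture notes, with SHA-256 as $h$ (its first $kt$ bits form the challenge matrix) and the verifier recovering $a_i' = b_i^2 \prod_j y_j^{-e_{ij}}$ before rehashing. The modulus, $t = 8$ and $k = 4$ are the example's own small choices.

```python
import hashlib, secrets
from math import gcd

P_, Q_ = 1000003, 1000033        # constructed demo primes (a real key uses ~1024-bit primes)
N = P_ * Q_
T, K = 8, 4                      # t secrets, k commitments: kt = 32 challenge bits

def rand_unit(n):
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def keygen(n, t=T):
    xs = [rand_unit(n) for _ in range(t)]
    return xs, [pow(x, 2, n) for x in xs]             # secret (x_1..x_t), public (y_1..y_t)

def challenge_bits(m: bytes, commitments, k, t):
    """e = h(m || a_1 || ... || a_k) laid out as a k x t matrix of bits e_ij."""
    h = hashlib.sha256(m + b"".join(a.to_bytes(8, "big") for a in commitments)).digest()
    bits = int.from_bytes(h, "big")
    return [[(bits >> (i * t + j)) & 1 for j in range(t)] for i in range(k)]

def sign(n, xs, m: bytes, k=K):
    rs = [rand_unit(n) for _ in range(k)]
    a = [pow(r, 2, n) for r in rs]                      # 1. a_i = r_i^2
    e = challenge_bits(m, a, k, len(xs))                 # 2. e = h(m || a_1 ... a_k)
    b = []
    for i in range(k):                                   # 3. b_i = r_i * prod_j x_j^{e_ij}
        bi = rs[i]
        for j, xj in enumerate(xs):
            if e[i][j]:
                bi = bi * xj % n
        b.append(bi)
    return e, b

def verify(n, ys, m: bytes, sig):
    e, b = sig
    a = []
    for i in range(len(b)):                              # a'_i = b_i^2 * prod_j y_j^{-e_ij}
        ai = pow(b[i], 2, n)
        for j, yj in enumerate(ys):
            if e[i][j]:
                ai = ai * pow(yj, -1, n) % n
        a.append(ai)
    return e == challenge_bits(m, a, len(b), len(ys))   # accept iff e == h(m || a'_1 ... a'_k)
```

Because $e$ is derived from the commitments, a forger cannot first pick $b_i$ and then solve for matching $a_i$ as on slide 29: changing $a_i$ changes $e$, which changes the $a_i'$ the verifier recomputes.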

43 Zero-Knowledge Proof Systems

44 Zero knowledge. Let $(P, V)$ be an interactive proof system for a language $L$. Informally, $P$ is zero-knowledge if anything that can be efficiently computed by someone after interacting with $P$ can also be efficiently computed without interacting with $P$. Q: How to formally formulate this notion of zero-knowledge? Notation: $P$, $V$: honest prover, honest verifier; $V^*$: any verifier (honest or dishonest). Common input: some public object (string) $y$. Peggy wishes to prove $y \in L$ by showing that she knows some secret evidence $x$.

45 Messages from $P$ to $V$: $m_1, m_3, \ldots$; messages from $V$ to $P$: $m_2, m_4, \ldots$. Transcript of the joint computation of $P$ and $V$ on common input $y$: $\mathrm{tr}_{P,V}(y) = (m_1, m_2, \ldots, m_n)$. A transcript is a random variable, depending on the random bits used by $P$ and $V$ during their executions. Accepting transcript: $V$ outputs 1 after the last move. If the proof system is complete and $P$ does know the secret, then $\mathrm{tr}_{P,V}(y)$ is an accepting transcript.

46 Definition of (perfect) zero-knowledge. An interactive proof system $(P, V)$ is zero-knowledge if there is a probabilistic simulator $S(V^*, y)$ such that:
1. $S$ runs in expected polynomial time;
2. for every verifier $V^*$ (honest or not) and input $y$, $S(V^*, y)$ generates a transcript $t_{S(V^*, y)}$;
3. for every $y \in L$, the two random variables $\mathrm{tr}_{P,V^*}(y) = (m_1, m_2, \ldots, m_n)$ and $t_{S(V^*, y)} = (\tilde m_1, \tilde m_2, \ldots, \tilde m_n)$ have the same distribution.
(Assumption: the proof system is complete and sound, and $P$ does know the secret.)

47 Remarks. A simulator $S$ is an algorithm. Its input is a (public) object (string) $y$ and a subroutine $V^*$. $S$ simulates the communication between $P$ and $V^*$ without interacting with $P$. Since $S$ does not interact with $P$, it obtains zero knowledge from $P$. Any information $V^*$ may acquire by interacting with $P$, he can produce with $S$ without interacting with $P$. Thus, $P$ does not reveal any knowledge about her secret by interacting with $V^*$ (except the fact that $P$ knows $x$). Zero-knowledge is a property of $P$.

48 Simplified Fiat-Shamir is zero-knowledge. For any $V^*$ and $y \in L = QR_n$, the accepting transcripts are the $(a, e, b) \in QR_n \times \{0, 1\} \times \mathbb{Z}_n^*$ with $b^2 = a y^e$.
Simulator $S(V^*, y)$:
1. while true do
2. select $e' \in \{0, 1\}$ and $b \in \mathbb{Z}_n^*$ uniformly at random
3. $a := b^2 y^{-e'}$
4. $e := V^*(a)$
5. if $e = e'$ then return $(a, e, b)$
(Each iteration runs $V^*$ afresh on the new $a$, i.e., $V^*$ is rewound to its initial state.)

49 Expected running time of $S(V^*, y)$: each iteration succeeds with probability $1/2$, so the expected number of iterations is 2 and the expected running time is polynomial. What is the worst-case running time? (Unbounded: there is no limit on the number of failed guesses.)

50 Now we show that $(a, e, b)$ and $(\tilde a, \tilde e, \tilde b)$ have the same distribution.
1. $a$ and $\tilde a$ are both uniformly distributed over $QR_n$. $a = r^2$ with $r \in_R \mathbb{Z}_n^*$ is uniform over $QR_n$, since $r \mapsto r^2$ is a 4-to-1 mapping from $\mathbb{Z}_n^*$ onto $QR_n$. $\tilde a = \tilde b^2 y^{-e'}$ with $e' \in_R \{0, 1\}$ and $\tilde b \in_R \mathbb{Z}_n^*$: $\tilde b^2$ is uniformly distributed over $QR_n$, and so is $\tilde b^2 y^{-1}$ (since $y \in QR_n$ is fixed). So $\tilde a$, which is $\tilde b^2$ with probability $1/2$ and $\tilde b^2 y^{-1}$ with probability $1/2$, is uniformly distributed over $QR_n$.

51 2. The $e$ in $(a, e, b)$ and the $\tilde e$ in $(\tilde a, \tilde e, \tilde b)$ have the same distribution. $V^*(a, y)$ generates $e$ according to some distribution (which may depend on $a$). Since $\tilde a$ is uniform over $QR_n$ for either value of $e'$, $\tilde a$ and $e'$ are independent, so for $i \in \{0, 1\}$: $\Pr[\tilde e = i] = \Pr[e = i \mid e = e'] = \dfrac{\Pr[e = i] \Pr[e' = i]}{\Pr[e = e']} = \Pr[e = i]$, using $\Pr[e' = i] = 1/2$ and $\Pr[e = e'] = 1/2$.

52 3. $b$ and $\tilde b$ are uniformly distributed over $\mathbb{Z}_n^*$: $b = r x^e$ with $r \in_R \mathbb{Z}_n^*$ (independent of $e$), and $\tilde b \in_R \mathbb{Z}_n^*$. 4. $b$ depends on $(a, e)$ exactly as $\tilde b$ depends on $(\tilde a, \tilde e)$: $b^2 = a y^e$ and $\tilde b^2 = \tilde a y^{\tilde e}$. 5. In both cases the commitment is uniform over $QR_n$ and the challenge is whatever $V^*$ outputs on that commitment, so $(a, e)$ and $(\tilde a, \tilde e)$ have the same joint distribution, and with 3 and 4 so do the full triples.
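The simulator of slide 48 run against a verifier whose challenge depends on the commitment, as an added example that is not part of the lecture notes: every simulated transcript is accepting, and the empirical challenge distribution matches real transcripts produced with the secret, which is what slides 50-52 argue. The malicious verifier `cheating_verifier` (challenge = low bit of $a$) and the small modulus are the example's own constructions.

```python
import secrets
from math import gcd

P_, Q_ = 1000003, 1000033   # constructed demo primes
N = P_ * Q_

def rand_unit(n):
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def cheating_verifier(a):
    """A V* whose challenge is a function of the commitment (far from uniform): e = low bit of a."""
    return a & 1

def real_transcript(n, x, y, vstar):
    """Honest Peggy (who knows x) talking to V*."""
    r = rand_unit(n)
    a = pow(r, 2, n)
    e = vstar(a)
    return a, e, r * pow(x, e, n) % n

def simulate(n, y, vstar):
    """S(V*, y): guess e', build (a, b) that answers e', run V* on a from scratch (rewinding),
    and keep the triple only if V* asked exactly e'. Uses y only, never x."""
    while True:
        e_guess, b = secrets.randbelow(2), rand_unit(n)
        a = pow(b, 2, n) * pow(pow(y, -1, n), e_guess, n) % n
        if vstar(a) == e_guess:
            return a, e_guess, b

def accepting(n, y, tr):
    a, e, b = tr
    return pow(b, 2, n) == a * pow(y, e, n) % n

def compare(n, x, y, vstar, samples=2000):
    """Returns (all simulated transcripts accept, Pr[e=1] in real runs, Pr[e=1] in simulated runs)."""
    real = [real_transcript(n, x, y, vstar) for _ in range(samples)]
    sim = [simulate(n, y, vstar) for _ in range(samples)]
    return (all(accepting(n, y, t) for t in sim),
            sum(t[1] for t in real) / samples,
            sum(t[1] for t in sim) / samples)
```

The simulator never rejects because of the verifier's strategy, only because its guess $e'$ missed; since $\tilde a$ is uniform over $QR_n$ whatever $e'$ is, the guess succeeds with probability $1/2$ on every iteration regardless of how $V^*$ chooses $e$.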

53 Schnorr's Identification Scheme: another example of a zero-knowledge interactive proof system, a proof of knowledge of a discrete logarithm.

54 Schnorr's identification scheme: ProofLog$(g, y)$
System setup: $p, q$ large primes with $q \mid p - 1$; $G_q$ the unique subgroup of order $q$ of $\mathbb{Z}_p^*$; $g$ any generator of $G_q$; $y = g^x$ for some $x \in_R \mathbb{Z}_q$; $(x, y)$ Peggy's private and public keys. Problem: Peggy wishes to prove that she knows $x$.
Protocol:
1. Peggy → Vic: $a := g^r$, where $r \in_R \mathbb{Z}_q$ (commitment).
2. Vic → Peggy: $c \in_R \mathbb{Z}_q$ (challenge).
3. Peggy → Vic: $b := r + cx \bmod q$ (response).
4. Vic accepts iff $g^b = a y^c$.

55 Completeness: trivial. Soundness: Eve can cheat with probability $1/q$ by guessing a $c'$, committing to $a := g^b y^{-c'}$, and responding with $b$. Eve cannot cheat with probability non-negligibly above $1/q$: otherwise, with non-negligible probability she can choose an $a$ for which she can compute $b$ and $b'$ that successfully answer two distinct challenges $c$ and $c'$, i.e., $a = g^b y^{-c}$ and $a = g^{b'} y^{-c'}$, from which she can compute $\log_g y = (b - b')(c - c')^{-1} \bmod q$.

56 Honest-verifier zero-knowledge. Accepting transcripts: $(a, c, b)$ with $g^b = a y^c$. $a = g^r$ with $r \in_R \mathbb{Z}_q$ is uniformly distributed over $G_q$; $c \in_R \mathbb{Z}_q$, generated by an honest $V$, is uniformly distributed; $b = r + cx \in \mathbb{Z}_q$ is uniformly distributed; $a$ and $c$ are independent, and $b$ depends on $(a, c)$ by $g^b = a y^c$.
Simulator$(g, y, V)$: 1. select $\tilde b \in \mathbb{Z}_q$ uniformly; 2. select $\tilde c \in \mathbb{Z}_q$ uniformly; 3. let $\tilde a := g^{\tilde b} y^{-\tilde c}$, and return $(\tilde a, \tilde c, \tilde b)$. Then $(\tilde a, \tilde c, \tilde b)$ has the same distribution as $(a, c, b)$.

57 Remarks: if the verifier, say $V^*$, is not honest, he may choose $c$ non-uniformly (and depending on $a$). Q: does the following simulator serve to prove Schnorr's scheme zero-knowledge? Simulator$(g, y, V^*)$: 1. select $b \in \mathbb{Z}_q$ uniformly; 2. select $c$ according to $V^*$'s strategy; 3. let $a := g^b y^{-c}$, and return $(a, c, b)$.

58 What about this simulator? $S(g, y, V^*)$: while true do: select $c', b \in \mathbb{Z}_q$ uniformly at random; $a := g^b y^{-c'}$; $c := V^*(a)$; if $c = c'$ then return $(a, c, b)$. (Each iteration succeeds with probability about $1/q$.) Schnorr's identification scheme is an interactive proof system for what language?

59 Schnorr's signature scheme: ProofLog$(m, g, y)$. Use Fiat-Shamir's standard method to convert an interactive identification scheme into a signature scheme. Idea: use a hash function $h : \{0,1\}^* \to \mathbb{Z}_q$ to compute a challenge $c$ from the commitment $a$ and the message $m$. To sign message $m$:
1. Compute $a := g^r$, where $r \in_R \mathbb{Z}_q$.
2. Compute $c := h(m \| a)$.
3. Compute $b := r + cx \bmod q$.
4. $\mathrm{Sign}(m) := (c, b)$.
5. $\mathrm{Verify}(m, c, b) = $ true iff $c = h(m \| g^b y^{-c})$.

60 Remark: if the same commitment $a$ is used to sign two different messages, then the secret $x$ is revealed. Reason: $a = g^b y^{-c} = g^{b'} y^{-c'}$ gives $g^{b - xc} = g^{b' - xc'}$, so $b - xc = b' - xc' \pmod q$ and $x = (b - b')(c - c')^{-1} \bmod q$. This property will be used in digital cash.
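Schnorr identification (slide 54), the Fiat-Shamir-transformed signature (slide 59) and the nonce-reuse recovery of slide 60 in one place, as an added example that is not part of the lecture notes. The group is a toy safe prime $p = 2q + 1 = 1907$ with $g = 2^2$ generating the order-$q$ subgroup; a deployment uses at least 2048-bit $p$ and 256-bit $q$. `recover_x` is the same formula that slide 55 uses to extract $\log_g y$ from two accepting transcripts.

```python
import hashlib, secrets

# Constructed toy group (real deployments: |p| >= 2048, |q| >= 256): p = 2q + 1, G_q of order q
P, Q = 1907, 953
G = pow(2, (P - 1) // Q, P)          # = 4, an element of order q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)            # private x, public y = g^x

# --- interactive identification (slide 54) ---
def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)            # keep r, send a = g^r

def prover_respond(x, r, c):
    return (r + c * x) % Q            # b = r + c x mod q

def verifier_check(y, a, c, b):
    return pow(G, b, P) == a * pow(y, c, P) % P   # g^b == a y^c

# --- signature via the Fiat-Shamir transform (slide 59) ---
def hash_to_zq(m: bytes, a: int) -> int:
    return int.from_bytes(hashlib.sha256(m + a.to_bytes(4, "big")).digest(), "big") % Q

def sign(x, m: bytes, r=None):
    r = secrets.randbelow(Q) if r is None else r      # the nonce; reusing it is fatal (below)
    a = pow(G, r, P)
    c = hash_to_zq(m, a)
    return c, (r + c * x) % Q

def verify(y, m: bytes, sig):
    c, b = sig
    a = pow(G, b, P) * pow(pow(y, -1, P), c, P) % P   # a = g^b y^{-c}
    return c == hash_to_zq(m, a)

# --- two answers for one commitment reveal x (slides 55 and 60) ---
def recover_x(c1, b1, c2, b2):
    return (b1 - b2) * pow((c1 - c2) % Q, -1, Q) % Q

def nonce_reuse_demo(x, y):
    """Sign two messages with the same r; anyone holding both signatures recovers x.
    Returns None only if the two hash challenges happen to coincide (probability 1/q)."""
    r = secrets.randbelow(Q)
    s1, s2 = sign(x, b"msg one", r), sign(x, b"msg two", r)   # same a = g^r in both
    assert verify(y, b"msg one", s1) and verify(y, b"msg two", s2)
    if s1[0] == s2[0]:
        return None
    return recover_x(s1[0], s1[1], s2[0], s2[1])
```
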

61 Proving equality of logs: ProofLogEq$(g, y, h, z)$ (an extension of ProofLog)
Problem: given $g, y, h, z$ such that $\log_g y = \log_h z$ $(= x)$, Peggy wishes to prove that she knows the secret $x$.
Protocol:
1. Peggy → Vic: $(a_1, a_2) := (g^r, h^r)$, where $r \in_R \mathbb{Z}_q$.
2. Vic → Peggy: $c \in \mathbb{Z}_q$, uniformly chosen at random.
3. Peggy → Vic: $b := r + cx \bmod q$.
4. Vic accepts iff $g^b = a_1 y^c$ and $h^b = a_2 z^c$.

62 An application of ProofLogEq$(g, y, h, z)$. In a protocol, Alice is required to post a value $z := h^x$, where $x$ is Alice's secret and $h$ is some generator of $G_q$. When Alice posts $(h, z)$, how can she prove that she did compute $z$ as prescribed? Solution: public info $g, y$ where $y = g^x$. When posting $z$, Alice proves $\log_g y = \log_h z$.

63 Non-interactive version: $\log_g y = \log_h z$. Fiat-Shamir method: use a collision-resistant hash function $\mathrm{hash} : \{0,1\}^* \to \mathbb{Z}_q$ to compute the challenge.
Protocol:
1. Let $(a_1, a_2) := (g^r, h^r)$, with $r \in_R \mathbb{Z}_q$.
2. Let $c := \mathrm{hash}(g \| h \| y \| z \| a_1 \| a_2)$.
3. Let $b := r + cx \pmod q$.
4. Accept iff $c = \mathrm{hash}(g \| h \| y \| z \| g^b y^{-c} \| h^b z^{-c})$.
Remark: this protocol will be used in electronic voting.

64 Proving partial equality of logarithms. Problem: given $g, h, y_1, y_2, z_1, z_2$, Peggy wishes to prove that (at least) one of the two equalities $\log_g y_1 = \log_h z_1$ $(= x_1)$ and $\log_g y_2 = \log_h z_2$ $(= x_2)$ is true, without revealing which one she proves. (If $y_1 = y_2$ but $z_1 \ne z_2$, the two equalities cannot both hold, so she proves exactly one of them.) Note: this protocol will be used in electronic voting.

65 Possible final exam question. First consider this easier problem and protocol. Problem: Peggy proves that she knows $\log_g y_1$ or $\log_g y_2$.
If she knows $x_1 = \log_g y_1$: choose $w, r_2, d_2 \in_R \mathbb{Z}_q$; $a_1 := g^w$; $a_2 := g^{r_2} y_2^{-d_2}$. Send $(a_1, a_2)$. Receive $c \in_R \mathbb{Z}_q$. Let $d_1 := c - d_2$, $r_1 := w + d_1 x_1$. Send $(d_1, d_2, r_1, r_2)$.
If she knows $x_2 = \log_g y_2$: choose $w, r_1, d_1 \in_R \mathbb{Z}_q$; $a_1 := g^{r_1} y_1^{-d_1}$; $a_2 := g^w$. Send $(a_1, a_2)$. Receive $c$. Let $d_2 := c - d_1$, $r_2 := w + d_2 x_2$. Send $(d_1, d_2, r_1, r_2)$.
Vic checks: $c = d_1 + d_2$? $g^{r_1} = a_1 y_1^{d_1}$? $g^{r_2} = a_2 y_2^{d_2}$? (All exponent arithmetic mod $q$.)

66 The protocol for partial equality of logarithms: $\log_g y_1 = \log_h z_1$ or $\log_g y_2 = \log_h z_2$.
If she knows $x_1$: choose $w, r_2, d_2 \in_R \mathbb{Z}_q$; $(a_1, b_1) := (g^w, h^w)$; $(a_2, b_2) := (g^{r_2} y_2^{-d_2}, h^{r_2} z_2^{-d_2})$. Send $(a_1, b_1, a_2, b_2)$. Receive $c \in_R \mathbb{Z}_q$. Let $d_1 := c - d_2$, $r_1 := w + x_1 d_1$. Send $(d_1, d_2, r_1, r_2)$.
If she knows $x_2$: choose $w, r_1, d_1 \in_R \mathbb{Z}_q$; $(a_1, b_1) := (g^{r_1} y_1^{-d_1}, h^{r_1} z_1^{-d_1})$; $(a_2, b_2) := (g^w, h^w)$. Send $(a_1, b_1, a_2, b_2)$. Receive $c$. Let $d_2 := c - d_1$, $r_2 := w + x_2 d_2$. Send $(d_1, d_2, r_1, r_2)$.
Vic checks: $c = d_1 + d_2$? $g^{r_1} = a_1 y_1^{d_1}$? $h^{r_1} = b_1 z_1^{d_1}$? $g^{r_2} = a_2 y_2^{d_2}$? $h^{r_2} = b_2 z_2^{d_2}$?
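The non-interactive ProofLogEq of slide 63 and the non-interactive form of the partial-equality (OR) proof of slides 64-66, as an added example that is not part of the lecture notes. The challenge $c$ is SHA-256 over all public values and commitments reduced into $\mathbb{Z}_q$, the toy group is $p = 1907$, $q = 953$, and the second base `H_GEN` is an arbitrary element of $G_q$ chosen by the example. In `prove_or` the branch whose witness is unknown is simulated exactly as on slide 66 (random $r$, random $d$, commitment solved backwards), and the known branch absorbs $d = c - d_{\text{other}}$.

```python
import hashlib, secrets

P, Q = 1907, 953                      # constructed toy group: p = 2q + 1
G = pow(2, (P - 1) // Q, P)           # generator of the order-q subgroup G_q
H_GEN = pow(G, 123, P)                # a second element h of G_q (its log is irrelevant here)

def hash_c(*vals) -> int:
    """Fiat-Shamir challenge: hash of all public values and commitments, reduced into Z_q."""
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def inv(v):
    return pow(v, -1, P)

# ---- ProofLogEq (slide 63): prove log_g y = log_h z = x without revealing x ----
def prove_logeq(g, h, y, z, x):
    r = secrets.randbelow(Q)
    a1, a2 = pow(g, r, P), pow(h, r, P)
    c = hash_c(g, h, y, z, a1, a2)
    return c, (r + c * x) % Q

def verify_logeq(g, h, y, z, proof):
    c, b = proof
    a1 = pow(g, b, P) * pow(inv(y), c, P) % P          # g^b y^{-c}
    a2 = pow(h, b, P) * pow(inv(z), c, P) % P          # h^b z^{-c}
    return c == hash_c(g, h, y, z, a1, a2)

# ---- partial equality (slide 66): log_g y1 = log_h z1 OR log_g y2 = log_h z2, hiding which ----
def prove_or(g, h, pairs, x, known):
    """pairs = ((y1, z1), (y2, z2)); x is the common log of pairs[known]; the other branch is simulated."""
    other = 1 - known
    w, r_o, d_o = (secrets.randbelow(Q) for _ in range(3))
    a, b = [None, None], [None, None]
    a[known], b[known] = pow(g, w, P), pow(h, w, P)                     # real commitment (g^w, h^w)
    yo, zo = pairs[other]
    a[other] = pow(g, r_o, P) * pow(inv(yo), d_o, P) % P                # simulated: g^{r} y^{-d}
    b[other] = pow(h, r_o, P) * pow(inv(zo), d_o, P) % P                #            h^{r} z^{-d}
    c = hash_c(g, h, *pairs[0], *pairs[1], *a, *b)
    d_k = (c - d_o) % Q                                                 # d_known = c - d_other
    r_k = (w + d_k * x) % Q                                             # r_known = w + x d_known
    d, r = [None, None], [None, None]
    d[known], d[other], r[known], r[other] = d_k, d_o, r_k, r_o
    return tuple(d), tuple(r)

def verify_or(g, h, pairs, proof):
    d, r = proof
    a, b = [], []
    for (y, z), dk, rk in zip(pairs, d, r):
        a.append(pow(g, rk, P) * pow(inv(y), dk, P) % P)               # a_k = g^{r_k} y_k^{-d_k}
        b.append(pow(h, rk, P) * pow(inv(z), dk, P) % P)               # b_k = h^{r_k} z_k^{-d_k}
    return sum(d) % Q == hash_c(g, h, *pairs[0], *pairs[1], *a, *b)    # c = d_1 + d_2 and hash matches
```

A voter (slide 95) calls `prove_or` with `pairs = ((c1, c2/g), (c1, c2*g))` and `known` set to the branch matching his vote; the verifier cannot tell which branch was simulated because both responses are uniformly distributed.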

67 Commitment Schemes

68 Commitment schemes. Two parties: sender S and receiver R.
Scheme:
1. Commit: S sends a message $c_b$, committing to a bit $b$.
2. Reveal: S sends an additional message $m_b$ to reveal $b$.
3. Verify: $R(c_b, m_b) = $ accept iff the committed bit equals the revealed bit.
Security requirements:
1. Hiding: R cannot learn anything about $b$ from $c_b$.
2. Binding: S cannot change the committed bit without being detected.

69 Hiding: computationally hiding: R cannot learn $b$ in polynomial time; unconditionally hiding: R absolutely cannot. Binding: computationally binding: S cannot change $b$ in polynomial time; unconditionally binding: S absolutely cannot.

70 An application: coin tossing by phone. Problem: Alice and Bob want to toss a coin by phone to decide who wins.
Protocol:
1. Alice sends $c_b$ to Bob, a commitment to a random bit $b$.
2. Bob generates a random bit $b'$ and sends it to Alice.
3. Alice sends her committed bit $b$ (with the opening) to Bob.
4. Bob verifies that $R(c_b, b) = $ accept, and both parties agree on the outcome $b \oplus b'$.
Note: if $b$ or $b'$ is random, then $b \oplus b'$ is random.

71 Using symmetric encryption. Protocol: 1. Commit: to commit to a value $m$, Alice sends $c := E_k(m)$ to Bob, where $k$ is a symmetric encryption key chosen by Alice. 2. Reveal: Alice sends $k$ to Bob. 3. Verify: Bob accepts the value $m := D_k(c)$. Question: does it meet the hiding and binding requirements? (Consider a one-time pad: $c$ can be opened to any $m$ by choosing $k$ afterwards.)

72 Using public-key encryption. Protocol: 1. Commit: to commit to a value $m$, Alice generates a key pair $(pk, sk)$ and sends $c := E_{pk}(m)$ along with $pk$ (and system parameters) to Bob. 2. Reveal: Alice sends Bob $m$ and the random coins used in computing $E_{pk}(m)$. 3. Verify: Bob accepts $m$ if $E_{pk}(m) = c$ using the revealed random coins. Question: does it meet the hiding and binding requirements?

73 Quadratic residues. Let $n = pq$; $p$ and $q$ large primes. $QR_n$ = the subgroup of quadratic residues (squares) in $\mathbb{Z}_n^*$; $QNR_n = \mathbb{Z}_n^* \setminus QR_n$ = the quadratic non-residues in $\mathbb{Z}_n^*$. Euler's criterion: $x^{(p-1)/2} \bmod p = 1$ if $x \in QR_p$, and $= -1$ if $x \in QNR_p$. Legendre symbol: $\left(\frac{x}{p}\right) = 1$ if $[x] \in QR_p$ ($x$ is a square), $-1$ if $[x] \in QNR_p$ (not a square), $0$ if $[x] = 0$. Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$.

74 Quadratic residues (cont'd). Thus $\left(\frac{x}{n}\right) = 1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right)$. $x$ is a quadratic residue in $\mathbb{Z}_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$. If $\left(\frac{x}{n}\right) = -1$, then $x$ is not a quadratic residue in $\mathbb{Z}_n^*$. If $\left(\frac{x}{n}\right) = 1$, $x$ may or may not be a quadratic residue in $\mathbb{Z}_n^*$. Notation: $QNR_n^{+1}$ = the set of quadratic non-residues in $\mathbb{Z}_n^*$ with Jacobi symbol 1. Quadratic residuosity assumption: without knowing the factors of $n = pq$, it is intractable to determine whether an $x \in \mathbb{Z}_n^*$ with $\left(\frac{x}{n}\right) = 1$ is a quadratic residue.

75 Quadratic residues (cont'd). Let $n = pq$; $p$ and $q$ large primes. Suppose $\mathbb{Z}_p^* = \{g^0, g^1, g^2, \ldots, g^{p-2}\}$ and $\mathbb{Z}_q^* = \{h^0, h^1, h^2, \ldots, h^{q-2}\}$, where $g$ and $h$ are generators of $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$, respectively. Then $QR_p = \{g^0, g^2, \ldots, g^{p-3}\}$ and $QNR_p = \{g^1, g^3, \ldots, g^{p-2}\}$; $QR_q = \{h^0, h^2, \ldots, h^{q-3}\}$ and $QNR_q = \{h^1, h^3, \ldots, h^{q-2}\}$. $QR_n$? $QNR_n$? $QNR_n^{+1}$? (By the Chinese remainder theorem, $x \in QR_n$ iff $x \bmod p \in QR_p$ and $x \bmod q \in QR_q$.)

76 QR-based commitment scheme (ideas). Let $b \in \{0, 1\}$ be the committed bit. Bind $b$ to a predicate (true or false) which is hard to determine. Quadratic residuosity assumption: without knowing the factors of $n = pq$, it is intractable to determine whether an $x \in \mathbb{Z}_n^*$ with $\left(\frac{x}{n}\right) = 1$ is a quadratic residue. Use $b$ to produce a number $x_b$ with $\left(\frac{x_b}{n}\right) = 1$ such that $b = 0 \Leftrightarrow x_b$ is a quadratic residue and $b = 1 \Leftrightarrow x_b$ is not a quadratic residue.

77 QR-based commitment scheme
1. System setup: S chooses $n = pq$ and $g \in QNR_n^{+1}$.
2. Commit (S → R): $(n, g, c)$, where $c := r^2 g^b$, $r \in_R \mathbb{Z}_n^*$, and $b$ is the bit being committed.
3. Reveal (S → R): $(p, q, r, b)$.
4. Verify: R accepts $b$ if $n = pq$, $r \in \mathbb{Z}_n^*$, $g \in QNR_n^{+1}$, and $c = r^2 g^b$.
Remark: to generate $g \in QNR_n^{+1}$, choose $g$ such that $\left(\frac{g}{p}\right) = \left(\frac{g}{q}\right) = -1$. R needs $p, q$ to verify that $g$ is not a square; or, without revealing $p, q$, S could prove that $g$ is not a square.

78 Security. 1. (Computational) Hiding: $c := r^2 g^b$ is a random element with $\left(\frac{c}{n}\right) = 1$. Further, $c$ is a square ($c \in QR_n$) iff $b = 0$. If R can tell whether $b = 0$, then he can tell whether $c$ is a square, contradicting the QR assumption. 2. (Unconditional) Binding: once S is committed to $b$, $c$ is either a square or a non-square. S cannot change her commitment without being caught.

79 Proving quadratic non-residuosity (if S does not reveal $p, q$). Problem: Peggy wishes to prove that $g \in QNR_n$ (not a square). (Assume $\left(\frac{g}{n}\right) = 1$, and Peggy wants to convince Vic that $g \in QNR_n$.)
1. V → P: $a := r^2 g^b$, where $r \in_R \mathbb{Z}_n^*$ and $b \in_R \{0, 1\}$.
2. P → V: $b' := 0$ if $a \in QR_n$, $1$ if $a \notin QR_n$.
3. Verify: Vic accepts the proof if $b' = b$.
Idea: if $g \in QNR_n$, P (who can decide quadratic residuosity using $p, q$) can always tell $b$. What if $g \in QR_n$? (Then $a$ is always a square and P can only guess $b$; repeating the test $t$ times catches her with probability $1 - 2^{-t}$.)

80 DL-based commitment scheme
1. System setup (known to S and R): $p, q$ large primes with $q \mid p - 1$; $G_q$ the unique subgroup of order $q$ of $\mathbb{Z}_p^*$; $g, h$ generators of $G_q$, $h$ random: $G_q = \{g^0, g^1, \ldots, g^{q-1}\} = \{h^0, h^1, \ldots, h^{q-1}\}$.
2. Commit (S → R): $c := g^r h^m$, where $r \in_R \mathbb{Z}_q$ and $m \in \mathbb{Z}_q$ is the value being committed.
3. Reveal (S → R): $(r, m)$.
4. Verify: R accepts $m$ if $c = g^r h^m$.

81 Security. 1. (Unconditional) Hiding: for any $m$, $c = g^r h^m$ with $r \in_R \mathbb{Z}_q$ is uniformly distributed over $G_q$; hence $m$ is perfectly hidden from R. 2. (Computational) Binding: S can change her commitment iff she knows $(r', m') \ne (r, m)$ such that $g^{r'} h^{m'} = g^r h^m$, i.e., $g^{r - r'} = h^{m' - m}$, which gives $\log_g h = (r - r')(m' - m)^{-1} \bmod q$, contradicting the DL assumption. Note: computations like $g^r h^m$ are done modulo $p$; exponents and logarithms are computed modulo $q$.
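The DL-based (Pedersen) commitment of slides 80-81 with the binding argument run backwards, as an added example that is not part of the lecture notes: a sender who knows $t = \log_g h$ can open $c = g^r h^m$ to any $m'$ by choosing $r' = r + t(m - m')$, which is exactly why slide 82 asks who should generate $h$. The toy group $p = 1907$, $q = 953$ and the trapdoor handling are the example's own.

```python
import secrets

P, Q = 1907, 953                 # constructed toy group p = 2q + 1 (real: |p| >= 2048)
G = pow(2, (P - 1) // Q, P)      # generator of G_q

def setup_h():
    """h = g^t. In an honest setup t is chosen by R (or jointly) and never given to S;
    the function returns t only so the example can show what its leakage costs."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t

def commit(h, m):
    r = secrets.randbelow(Q)
    return pow(G, r, P) * pow(h, m % Q, P) % P, r          # c = g^r h^m, opening r

def verify_open(h, c, r, m):
    return c == pow(G, r, P) * pow(h, m % Q, P) % P

def equivocate(t, r, m, m_new):
    """With t = log_g h, solve g^{r'} h^{m'} = g^r h^m for r': r' = r + t (m - m') mod q.
    Without t this requires computing log_g h (slide 81's binding argument)."""
    return (r + t * (m - m_new)) % Q

def hiding_check(h, m0, m1, samples=400):
    """Commitments to m0 and to m1 are each uniform over G_q; both hit any fixed target with
    the same frequency, so the receiver gets no information. Returns the two hit rates."""
    target = pow(G, 5, P)
    hits0 = sum(commit(h, m0)[0] == target for _ in range(samples))
    hits1 = sum(commit(h, m1)[0] == target for _ in range(samples))
    return hits0 / samples, hits1 / samples
```
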

82 Q: What if we change the commitment to the following? $c := h^m$ (without using $g$); or $c := g^{r + m}$ (namely, $g = h$). Q: Who should generate $p, q, g, h$?

83 Impossibility of unconditional binding and hiding. It is impossible to have a commitment scheme which is both unconditionally binding and unconditionally hiding. Otherwise, let $C : \{0,1\}^n \times \{0,1\} \to \{0,1\}^s$ be such a scheme. $C$ is unconditionally hiding: when S sends a commitment $c := C(r, b)$, there exists $(r', b')$ with $b' \ne b$ such that $C(r', b') = c$ (otherwise R, with unbounded computation, can find $b$ by computing a pre-image of $c$). $C$ is unconditionally binding: there exists no such $(r', b')$ (otherwise S, with unbounded computation, can find it and change her commitment). Contradiction.

84 Secret Sharing

85 Threshold secret sharing. $(t, n)$-threshold secret sharing scheme, $t \le n$: a secret $s$ is divided by a trusted authority into $n$ shares $s_i$, each given to a user $u_i$, $1 \le i \le n$. Any $t$ or more users together can recover $s$; $t - 1$ or fewer users cannot recover $s$.

86 Shamir's threshold secret sharing scheme
1. Select a prime $p > \max(s, n)$.
2. Construct a degree-$(t-1)$ polynomial $f(x) = \sum_{i=0}^{t-1} a_i x^i$, where $a_0 = s$ and $a_1, \ldots, a_{t-1} \in_R \mathbb{Z}_p$.
3. Choose $n$ distinct nonzero values $x_1, \ldots, x_n \in \mathbb{Z}_p$.
4. Share $s_i = (x_i, y_i)$, where $y_i = f(x_i) \bmod p$, $1 \le i \le n$.

87 Given $t$ shares $(x_i, y_i)$, $i \in J$, where $|J| = t$, $f(x)$ and $s$ can be recovered using Lagrange's interpolation formula: $f(x) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x - x_j}{x_i - x_j}$ and $s = a_0 = f(0) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x_j}{x_j - x_i}$ (all arithmetic mod $p$).

88 Electronic Vote

89 A multi-authority election scheme. 1. Participants: a trusted center, $n$ authorities, $m$ voters. 2. Participants post their messages to a bulletin board. 3. The trusted center sets up parameters for the scheme. 4. Each vote, yes or no, is encrypted using a homomorphic public-key cryptosystem (e.g., ElGamal). 5. The decryption key $s$ is shared among the $n$ authorities using a $(t, n)$-threshold scheme. 6. If $t$ authorities are honest, the votes can be tallied correctly without decrypting individual votes.

90 System setup (by the trusted center)
1. For ElGamal encryption (same group as in Schnorr's ID scheme): choose two large primes $p$ and $q$ such that $q \mid (p - 1)$; choose an element $g \in \mathbb{Z}_p^*$ of order $q$, so $G_q = \langle g \rangle$; choose a secret key $s \in \mathbb{Z}_q$ and compute the public key $h := g^s \bmod p$.
2. For the Shamir $(t, n)$-threshold scheme: choose a degree-$(t-1)$ polynomial $f(x) = s + \sum_{i=1}^{t-1} a_i x^i$ over $\mathbb{Z}_q$; let $x_i := i$, $s_i := f(x_i)$, $h_i := g^{s_i}$, $1 \le i \le n$; give the share $(x_i, s_i)$ to authority $A_i$.
3. Publish $(p, q, g, h, h_1, \ldots, h_n)$ on the bulletin board.

91 Vote casting. Each voter $V_i$ casts his vote $v_i \in \{1, -1\}$ as $c_i := (c_{i,1}, c_{i,2}) = (g^{r_i}, h^{r_i} g^{v_i})$ on the bulletin board, where $r_i \in_R \mathbb{Z}_q$: $v_i$ is encoded as $g^{v_i}$ and then encrypted using ElGamal encryption. $c_i$ is signed by $V_i$. $V_i$ also has to prove that he follows the protocol and forms $c_i$ correctly, i.e., that $v_i \in \{1, -1\}$, without revealing $v_i$; otherwise his vote will be invalid.

92 Tally the votes without decrypting ballots. Everyone can compute $c = (c_1, c_2) := \left(\prod_{i=1}^m c_{i,1}, \prod_{i=1}^m c_{i,2}\right) = \left(g^{\sum_i r_i}, h^{\sum_i r_i} g^{d}\right)$, which is an encryption of $g^d$, with $d = \sum_i v_i$ being the difference between yes-votes and no-votes. Decrypt $c$ to recover $g^d$. Find $d$ by brute force, comparing $g^d$ with $g^{-m}, \ldots, g^{-1}, g^0, g^1, \ldots, g^m$.

93 Decrypting $c = (c_1, c_2)$ without knowing $s$. Q: Why is it required to decrypt $c$ without knowing $s$? To decrypt, recall $D_s(c) := c_2 c_1^{-s}$. For any group $J$ of $t$ honest authorities, $s = \sum_{i \in J} \lambda_i s_i$ with $\lambda_i = \prod_{j \in J \setminus \{i\}} \frac{x_j}{x_j - x_i}$ (Lagrange, slide 87). Thus $c_1^s = \prod_{i \in J} (c_1^{s_i})^{\lambda_i} = \prod_{i \in J} w_i^{\lambda_i}$, where $w_i := c_1^{s_i}$. (This requires each authority $A_i$ to post $(x_i, w_i)$ and prove her honesty.) Everyone can check whether there is a set $J$ of $t$ honest authorities and, if so, compute the coefficients $\{\lambda_i : i \in J\}$ and then $c_1^s$ as above.

94 Authority's proof of honesty. Each authority $A_i$ has to prove that she really posts $w_i = c_1^{s_i}$, where $s_i$ is her share of the secret key $s$. Recall that $h_i = g^{s_i}$ was published on the bulletin board. Thus $A_i$ can prove her honesty by showing $\log_{c_1} w_i = \log_g h_i$. This can be done using the non-interactive version of proving equal logarithms.

95 Voter's proof of honesty. Each voter has to prove that his vote is of the form $(c_1, c_2) = (g^r, h^r g^v)$ with $v \in \{1, -1\}$; that is, prove $(c_1, c_2 g^{-1}) = (g^r, h^r)$ or $(c_1, c_2 g) = (g^r, h^r)$. Depending on his vote: if $v = 1$, he proves $\log_g c_1 = \log_h (c_2 g^{-1})$; if $v = -1$, he proves $\log_g c_1 = \log_h (c_2 g)$. Also, he doesn't want to reveal which one is proved. This is a problem of proving partial equality of logarithms.

96 Extension to multi-way elections. If there are $l$ candidates, choose $l$ generators $g_1, \ldots, g_l$ in $G_q$, and encode candidate $i$ by $g_i$. Voter $V_i$ encrypts his vote $v_i \in \{g_1, \ldots, g_l\}$ as $c_i = (c_{i,1}, c_{i,2}) := (g^{r_i}, h^{r_i} v_i)$, where $r_i \in_R \mathbb{Z}_q$. Tally: compute $(c_1, c_2) = \left(\prod_{i=1}^m c_{i,1}, \prod_{i=1}^m c_{i,2}\right) = \left(g^{\sum_i r_i}, h^{\sum_i r_i} g_1^{d_1} \cdots g_l^{d_l}\right)$, where $d_i$ is the number of votes for candidate $i$. Decrypting $(c_1, c_2)$ yields $g_1^{d_1} \cdots g_l^{d_l}$. Find the exponents $(d_1, \ldots, d_l)$ by searching over the tuples with $\sum_i d_i = m$.

97 Eliminate the trusted center. Let the authorities jointly do the trusted center's job. All authorities run the same algorithm to generate $p, q, g$. (This needs a common random input.) Generate a secret key $s \in \mathbb{Z}_q$ and public key $h = g^s$ with $s$ known to nobody. Share $s$ among the authorities using a polynomial $f(x)$. Authority $A_i$'s share is $s_i = f(i)$. Let $h_i = g^{s_i}$, $1 \le i \le n$.

98 Generate a common random string. When $n$ users wish to run the same probabilistic algorithm to generate the same output, they need a common random string as input to the algorithm. They generate such a string jointly:
- User $A_i$ chooses a random string $r_i$, computes a commitment $c_i := C(r_i)$, and posts $c_i$ to a bulletin board.
- After all users have posted their commitments, each user opens his commitment.
- Let $r := r_1 \oplus \cdots \oplus r_n$ (bitwise XOR of the opened strings) be the common random string.

99 Generate ElGamal keys jointly. Want to jointly choose a secret key $s$ and public key $h = g^s$ for ElGamal encryption, with $s$ known to nobody. Authority $A_i$ chooses $s_i \in \mathbb{Z}_q$, computes $h_i := g^{s_i}$ and posts a commitment $c_i := C(h_i)$. After all authorities have posted their commitments, each opens its commitment. Let $s := \sum_{i=1}^n s_i$ be the secret key and $h := \prod_{i=1}^n h_i = g^s$ the corresponding public key. Everyone can compute $h$, but not $s$.

100 Share the secret key among authorities (skipped)
Note: $s = \sum_{i=1}^{n} s_i$ is shared among the authorities, recoverable if all the $n$ authorities are honest. We can make $s$ recoverable by $t \le n$ honest authorities. Authority $A_i$ shares his $s_i$ using a polynomial $f_i(x)$ of degree $t-1$, with $f_i(0) = s_i$, giving $s_{i,j} := f_i(j)$ to $A_j$ in a secret way. Let $f(x) = \sum_{i=1}^{n} f_i(x)$. (Not known to anyone.) Then, $f(0) = \sum_{i=1}^{n} s_i = s$.

101 $A_j$'s new share of $s$ is $s'_j = f(j) = \sum_{i=1}^{n} f_i(j) = \sum_{i=1}^{n} s_{i,j}$. Any $t$ honest authorities can recover $f(x)$ and $s$. The next step is for each $A_i$ to post $h'_i := g^{s'_i}$ (the public key corresponding to $s'_i$ rather than $s$) on the bulletin. Remark:
• This protocol requires all authorities to be honest.
• So, it seems not very exciting to make $s$ recoverable by $t \le n$ honest authorities.
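The joint key generation of slides 99 to 101 in code (an added example, not from the slides): each authority commits to h_i = g^{s_i}, the public key h = prod h_i is assembled after the openings, each s_i is then re-shared with a degree-(t-1) polynomial, and any t of the summed shares recover s = f(0) by Lagrange interpolation. The group parameters are a constructed toy (p = 2039, q = 1019) and the commitment C is assumed to be a plain SHA-256 hash; a real commitment would carry a random opening.

```python
import hashlib
import random
from itertools import combinations

# Constructed toy parameters (not secure): p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def commit(value: int) -> str:
    """Commitment C(h_i); assumed here to be a SHA-256 hash of the value."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def poly_eval(coeffs, x):
    """Evaluate f(x) = sum_k coeffs[k] x^k over Z_q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def lagrange_at_zero(points):
    """Recover f(0) from t points (j, f(j)) by Lagrange interpolation over Z_q."""
    total = 0
    for j, fj in points:
        num, den = 1, 1
        for k, _ in points:
            if k != j:
                num = num * (-k) % Q
                den = den * (j - k) % Q
        total = (total + fj * num * pow(den, -1, Q)) % Q
    return total


def joint_keygen(n, t, rng):
    """Slides 99-101: n authorities jointly produce h = g^s with s shared
    t-out-of-n. Returns (h, new_shares, secrets); secrets is returned only so
    the caller can confirm the algebra, a real run never collects them."""
    secrets = [rng.randrange(1, Q) for _ in range(n)]          # s_i chosen by A_i
    h_parts = [pow(G, s_i, P) for s_i in secrets]               # h_i = g^{s_i}
    commitments = [commit(h_i) for h_i in h_parts]              # c_i = C(h_i), posted first
    # Opening phase: every opened h_i is checked against the posted commitment.
    if not all(commit(h_i) == c_i for h_i, c_i in zip(h_parts, commitments)):
        raise ValueError("an authority opened a value that does not match its commitment")
    h = 1
    for h_i in h_parts:
        h = h * h_i % P                                          # h = prod h_i = g^{sum s_i}
    # Slide 100: A_i shares s_i with a degree-(t-1) polynomial f_i, f_i(0) = s_i.
    polys = [[s_i] + [rng.randrange(Q) for _ in range(t - 1)] for s_i in secrets]
    # Slide 101: A_j's new share is s'_j = sum_i f_i(j) = f(j).
    new_shares = {j: sum(poly_eval(f_i, j) for f_i in polys) % Q for j in range(1, n + 1)}
    return h, new_shares, secrets


def recover_secret(new_shares, subset):
    """Any t honest authorities (indices in subset) recover s = f(0)."""
    return lagrange_at_zero([(j, new_shares[j]) for j in subset])


def demo(n=3, t=2, seed=42):
    """Every t-subset of authorities recovers the same s, and g^s equals the posted h."""
    rng = random.Random(seed)
    h, shares, secrets = joint_keygen(n, t, rng)
    s = sum(secrets) % Q
    recovered = {recover_secret(shares, subset) for subset in combinations(range(1, n + 1), t)}
    return recovered == {s} and pow(G, s, P) == h
```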

102 Blind Signature

103 Blind signature
Two parties: the signer (Peggy) and the message author (Vic). Vic has a message $m$ that needs Peggy's signature. For some reason (application-dependent), Vic doesn't want Peggy to know the content of $m$. Vic disguises (blinds) $m$ as $m'$, and presents $m'$ to Peggy. Peggy signs $m'$ with a (blind) signature. Vic converts it to a signature for $m$. The signed message $m$, together with the converted signature, can be publicly verified.

104 Unlinkability: Suppose Peggy has blindly signed more than one message. When later a signed message is presented, Peggy can tell whether it is her signature, but she cannot link the signed message to any particular transaction. Applications: e.g., digital cash.

105 RSA-based blind signature
Note: Peggy's valid signature for $m$ is $m^{d} \bmod n$.
1. Vic → Peggy: $a := m r^{e} \bmod n$, $r \in_R \mathbb{Z}_n^{*}$. (Masks $m$ with $r$.)
2. Peggy → Vic: $b := a^{d} \bmod n$. (Peggy signs on $a$.)
3. Vic obtains Peggy's signature on $m$ as $s := b r^{-1} \bmod n$ $(= m^{d} \bmod n)$.
Idea: RSA signature is homomorphic: $\mathrm{RSA}^{-1}(m r^{e}) = \mathrm{RSA}^{-1}(m) \cdot \mathrm{RSA}^{-1}(r^{e})$, hence $\mathrm{RSA}^{-1}(m) = \mathrm{RSA}^{-1}(m r^{e}) \cdot \mathrm{RSA}^{-1}(r^{e})^{-1}$.
Q: Do you see the "blind signature" property?

106 Recall Schnorr's signature scheme: $\mathrm{Log\text{-}Sign}_h(m, g, y)$
Use Fiat-Shamir's standard method to convert an interactive identification scheme into a signature scheme. Key idea: compute challenge $c$ from commitment $a$ and message $m$: $c := h(m \| a)$. To sign message $m$,
1. Compute $a := g^{r}$, where $r \in_R \mathbb{Z}_q$.
2. Compute $c := h(m \| a)$.
3. Compute $b := r - cx$.
4. $\mathrm{Sign}(m) := (c, b)$.
5. $\mathrm{Verify}(m, c, b) = \text{true}$ iff $c = h(m \| g^{b} y^{c})$.

107 A non-blind interactive signature scheme
Rewrite Schnorr's signature scheme as an interactive one. Vic has a message $m$ for Peggy to sign:
1. Peggy → Vic: $a := g^{r}$, where $r \in_R \mathbb{Z}_q$.
2. Vic → Peggy: $c := h(m \| a)$.
3. Peggy → Vic: $b := r - cx$.
4. V'ic verifies whether $a = g^{b} y^{c}$, and if so, obtains the signature $(c, b)$ on $m$.
To verify a presented $(m, c, b)$, check if $c = h(m \| g^{b} y^{c})$.

108 Deriving a blind signature scheme
Any transcript $(a, c, b)$ with $a = g^{b} y^{c}$ and $c = h(m \| a)$ is a valid signature for $m$. Or $(c, b)$ with $c = h(m \| g^{b} y^{c})$. Recall: $(a, c, b)$ with $a = g^{b} y^{c}$ is an accepting transcript. To obtain a blind signature for $m$, Vic simultaneously
• uses Schnorr's identification scheme to get an accepting transcript $(a, c, b)$;
• transforms it to another accepting transcript $(a', c', b')$ such that $c' = h(m \| a')$.

109 Peggy → Vic: commitment $a := g^{r}$. Vic transforms $a$ into $a'$, computes $c' := h(m \| a')$, and sends the challenge $c$. Peggy → Vic: response $b := r - cx$. Vic transforms $b$ into $b'$.
Q: How to transform an accepting transcript $(a, c, b)$ to another accepting transcript $(a', c', b')$?

110 If $(a, c, b)$ is an accepting transcript of Proof-Log$(g, y)$, then $(a', c', b')$ is also an accepting transcript of Proof-Log$(g, y)$, where
$b' := ub + v$, $c' := uc + w$, $a' := a^{u} g^{v} y^{w}$, with $u, v, w \in_R \mathbb{Z}_q$.
Ideas behind the above transformation: a linear transformation from $(b, c)$ to $(b', c')$:
$g^{b'} y^{c'} = g^{ub+v} y^{uc+w} = (g^{b} y^{c})^{u} g^{v} y^{w} = a^{u} g^{v} y^{w} = a'$.

111 We need $c'$ to satisfy $c' = h(m \| a')$. So, when generating the challenge $c$, Vic lets $c' := h(m \| a')$ and converts $c'$ to $c$ as $c := (c' - w) u^{-1}$. This way, after transforming $(a, c, b)$ to $(a', c', b')$, we ensure $c' = h(m \| a')$.

112 Schnorr's blind signature scheme $\mathrm{BlindLogSig}(m, g, y)$
1. Peggy → Vic: $a := g^{r}$, where $r \in_R \mathbb{Z}_q$.
2. Vic → Peggy: $c := (c' - w) u^{-1}$, where $u, v, w \in_R \mathbb{Z}_q$, $u \ne 0$, $c' := h(m \| a')$, $a' := a^{u} g^{v} y^{w}$.
3. Peggy → Vic: $b := r - cx$.
4. Vic verifies whether $a = g^{b} y^{c}$, computes $b' := ub + v$, and gets the signature $(c', b')$ on $m$.
$\mathrm{Verify}(m, c', b') = \text{true}$ iff $c' = h(m \| g^{b'} y^{c'})$.

113 Blindness/Unlinkability
For a fixed accepting transcript $(a, b, c)$, consider the transformation $T_{(u,v,w)} : (a, b, c) \mapsto (a', b', c')$ with randomly selected $(u, v, w)$. On $(b, c)$ it is the affine map $(b', c') = u \cdot (b, c) + (v, w)$; given $(b, c)$ and $(b', c')$, each choice of $u$ determines $(v, w) = (b' - ub, \ c' - uc)$, and then $a' = a^{u} g^{v} y^{w}$ holds automatically. So for each accepting transcript $(a, b, c)$, exactly $q$ triplets $(u, v, w)$ transform $(a, b, c)$ to the same $(a', b', c')$. If $(u, v, w)$ is randomly/uniformly selected, then, independent of $(a, b, c)$, the signature $(a', b', c')$ is randomly/uniformly distributed over all accepting transcripts.
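BlindLogSig of slide 112 and the counting argument of slide 113 as runnable code (an added example, not from the slides): the four-step exchange with the (u, v, w) blinding, verification of the resulting (c', b'), and a count of how many blinding triplets map Peggy's transcript (a, c, b) onto the signature transcript. The group is a constructed toy (p = 2039, q = 1019) and h is SHA-256 reduced into Z_q, both assumptions of this example.

```python
import hashlib
import random

# Constructed toy parameters (not secure): p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def h(m: bytes, a: int) -> int:
    """Challenge hash h(m || a), reduced into Z_q."""
    d = hashlib.sha256(m + b"|" + a.to_bytes(4, "big")).digest()
    return int.from_bytes(d, "big") % Q


def keygen(rng):
    x = rng.randrange(1, Q)            # Peggy's private key x
    return x, pow(G, x, P)             # public key y = g^x


def blind_log_sig(m: bytes, x: int, y: int, rng):
    """BlindLogSig(m, g, y) from slide 112. Returns the signature (c', b')
    that Vic obtains and the transcript (a, c, b) that Peggy sees."""
    # 1. Peggy -> Vic: a = g^r
    r = rng.randrange(Q)
    a = pow(G, r, P)
    # 2. Vic picks u != 0, v, w; a' = a^u g^v y^w; c' = h(m || a'); c = (c' - w) u^{-1}
    u, v, w = rng.randrange(1, Q), rng.randrange(Q), rng.randrange(Q)
    a_p = pow(a, u, P) * pow(G, v, P) * pow(y, w, P) % P
    c_p = h(m, a_p)
    c = (c_p - w) * pow(u, -1, Q) % Q
    # 3. Peggy -> Vic: b = r - c x
    b = (r - c * x) % Q
    # 4. Vic checks a = g^b y^c, then unblinds b' = u b + v
    if a != pow(G, b, P) * pow(y, c, P) % P:
        raise ValueError("Peggy's response does not verify")
    b_p = (u * b + v) % Q
    return (c_p, b_p), (a, c, b)


def verify(m: bytes, sig, y: int) -> bool:
    """Verify(m, c', b') = true iff c' = h(m || g^{b'} y^{c'})."""
    c_p, b_p = sig
    return c_p == h(m, pow(G, b_p, P) * pow(y, c_p, P) % P)


def count_blinding_triplets(transcript, sig, y) -> int:
    """Slide 113: how many (u, v, w) in Z_q^3 map Peggy's transcript (a, c, b)
    to the signature transcript (a', c', b')? For each u the equations
    b' = ub + v and c' = uc + w fix v and w, so only the a' condition is checked."""
    a, c, b = transcript
    c_p, b_p = sig
    a_p = pow(G, b_p, P) * pow(y, c_p, P) % P
    n = 0
    for u in range(Q):                 # the protocol excludes u = 0; the count is over all of Z_q
        v, w = (b_p - u * b) % Q, (c_p - u * c) % Q
        if pow(a, u, P) * pow(G, v, P) * pow(y, w, P) % P == a_p:
            n += 1
    return n


def demo(seed=7):
    """Returns (signature verifies, number of blinding triplets), expected (True, q)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    m = b"blind me"                    # constructed sample message
    sig, transcript = blind_log_sig(m, x, y, rng)
    return verify(m, sig, y), count_blinding_triplets(transcript, sig, y)
```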

114 Is it secure?
Q: Can Vic use a blind signature $(a, b, c)$ to obtain a valid signature $(a', b', c')$ for more than one message?
Let $(a, b, c)$ be a blind signature and $(a', b', c')$ the legitimate signature for $m$. Then, for some $u, v, w \in \mathbb{Z}_q$:
$a' = a^{u} g^{v} y^{w}$,
$c' = h(m \| a') = h(m \| a^{u} g^{v} y^{w})$,
$c = (c' - w) u^{-1} = \left( h(m \| a^{u} g^{v} y^{w}) - w \right) u^{-1}$.

115 If Vic is able to derive from $(a, b, c)$ a valid signature $(a', b', c')$ for another message $m'$, then Vic is able to find $m', u, v, w$ such that
$c = \left( h(m' \| a^{u} g^{v} y^{w}) - w \right) u^{-1}$, i.e. $h(m' \| a^{u} g^{v} y^{w}) =$ a given value (namely, $cu + w$).
But $h$ is collision resistant.

116 Recall: $\mathrm{ProofLogEq}(g, y, m, z)$
Can be used as a signature scheme. Peggy's private key and public key: $(x, y)$, where $y = g^{x}$. Vic has a message $m \in \langle g \rangle \setminus \{1\}$ for Peggy to sign. They invoke $\mathrm{ProofLogEq}(g, y, m, z)$ with $z = m^{x}$.
0. Vic → Peggy: message $m \in \langle g \rangle \setminus \{1\}$.
1. Peggy → Vic: $(a_1, a_2, z) := (g^{r}, m^{r}, m^{x})$, where $r \in_R \mathbb{Z}_q$.
2. Vic → Peggy: $c \in \mathbb{Z}_q$, uniformly chosen at random.
3. Peggy → Vic: $b := r - cx$.
4. Vic accepts iff $a_1 = g^{b} y^{c}$ and $a_2 = m^{b} z^{c}$.
The signature for $m$ is $(z, a_1, a_2, b, c)$.

117 $\mathrm{BlindLogEqSig}_h(g, y, m)$
Vic → Peggy: $m$.
Peggy → Vic: $(z, a_1, a_2)$, where $a_1 := g^{r}$, $a_2 := m^{r}$, $z := m^{x}$, $r \in_R \mathbb{Z}_q$.
Vic transforms $(m, z, a_1, a_2)$ into $(m', z', a'_1, a'_2)$, computes $c' := h(m' \| z' \| a'_1 \| a'_2)$, and converts $c'$ into the challenge $c$.
Vic → Peggy: $c$.
Peggy → Vic: $b := r - cx$.
Vic converts $b$ into $b'$ and verifies whether $c' = h(m' \| z' \| g^{b'} y^{c'} \| m'^{b'} z'^{c'})$.
The blind signature of $m'$ is $(b', c', z') := \mathrm{BlindLogEqSig}_h(g, y, m)$.

118 $T_{u,v,w,s,t}$: transformation between $(m, z, a_1, a_2, c, b)$ and $(m', z', a'_1, a'_2, c', b')$:
$m' := m^{s} g^{t}$, $z' := z^{s} y^{t}$,
$a'_1 := a_1^{u} g^{v} y^{w}$,
$a'_2 := (a_2^{u} m^{v} z^{w})^{s} (a_1^{u} g^{v} y^{w})^{t}$,
$b' := ub + v$, $c' := uc + w$.

119 Ideas behind $(m, z, a_2) \to (m', z', a'_2)$:
As elements in $G$, $m$ and $m'$ are both powers of $g$. The linear transformation $(s, t)$ yields $m' := m^{s} g^{t}$ and $z' := z^{s} y^{t}$. As for $a_2 \to a'_2$, we want $(m', z', a'_2)$ to satisfy $a'_2 = m'^{b'} z'^{c'}$:
$m'^{b'} z'^{c'} = (m^{s} g^{t})^{ub+v} (z^{s} y^{t})^{uc+w} = (m^{ub+v} z^{uc+w})^{s} (g^{ub+v} y^{uc+w})^{t} = (a_2^{u} m^{v} z^{w})^{s} (a_1^{u} g^{v} y^{w})^{t}$.

120 $\mathrm{BlindLogEqSig}_h(M, g, y, m)$
$\mathrm{BlindLogEqSig}_h(g, y, m)$ can be modified to blindly sign more than one message. In the third step, if Vic computes $c' := h(M \| m' \| z' \| a'_1 \| a'_2)$, then $(b', c', z') := \mathrm{BlindLogEqSig}_h(g, y, m)$ is a blind signature of both $m'$ and $M$. This variant of $\mathrm{BlindLogEqSig}$ is denoted by $\mathrm{BlindLogEqSig}_h(M, g, y, m)$.

121 Digital Cash

122 An online electronic cash system Participants: a bank B, customer C, shop S, trusted center T. C withdraws some digital cash M from her account at B, and later pays it to S. S deposits M to his account at B. Required: 1. Whether M is genuine or counterfeit is verifiable. 2. M can be spent only once by the customer. 3. M is not traceable by the bank. 4. But if needed, M is traceable by the trusted center. M will be referred to as a coin and all coins assumed to have the same denomination, say $10.

123 Easy to achieve properties 1, 2, 3
Design: Let a coin $M$ be simply a blind signature $(b', c')$ signed by the bank on an empty message of the customer's.
• $M$'s genuineness or counterfeit is verifiable.
• $M$ is not traceable by the bank.
• When the customer wants to spend the coin, the shop checks with the bank whether $M$ has already been spent. This ensures that a coin be spent only once.
• Requires the bank to be online all the time.
• Requires the shop to deposit the coin right away.

124 Make $M$ traceable by the trusted center (TC)
Recall: $(b', c')$ can be traced to $(a, b, c)$ if the blinding factor $(u, v, w)$ is known. When withdrawing a coin (i.e., obtaining a blind signature) from the bank, the customer, Vic, also sends to the bank, Peggy, the blinding factor $(u, v, w)$ encrypted with the TC's public key. The latter is then forwarded to the TC. This would enable the TC to link $(b', c')$ to $(a, b, c)$ and then to Vic. Requires the TC to be online all the time. Why?

125 Withdrawal with the TC online (bank = Peggy, customer = Vic):
Bank → Customer: commitment $a$.
Customer: computes $a'$ from $a$, $c' := h(a')$, and the challenge $c$ from $c'$.
Customer → Bank: $c$ and $E_{pk(\mathrm{TC})}(u, v, w)$.
Bank → TC: $c$ and $E_{pk(\mathrm{TC})}(u, v, w)$. TC → Bank: OK.
Bank → Customer: response $b$. Customer: computes $b'$.
A: $(a, b, c)$ and $E_{pk(\mathrm{TC})}(u, v, w)$.
B: checks if $(u, v, w)$ is genuine. How?

126 Offline electronic cash systems Objectives: The withdrawal protocol does not involve the TC. Payments do not involve the bank. Basic ideas: When withdrawing a coin, the customer (say Alice) presents two related messages m, d. Given m, the TC can compute d, and vice versa. Only the TC is capable of doing this. The bank B keeps a record of ( d, Alice). Message m, blindly signed by B, becomes a coin.

127 System Setup
$p, q$ large primes; $q \mid (p - 1)$. $G_q \subseteq \mathbb{Z}_p^{*}$ the unique subgroup of order $q$. $g, g_1, g_2$ randomly selected generators of $G_q$.
Bank's keys: $(g, x, y)$, where $g^{x} = y$ (in $G_q$); $x$ private, $y$ public.
Customer's keys: $(g_1, x_C, y_C)$, where $g_1^{x_C} = y_C$.
Shop's keys: $(g_1, x_S, y_S)$, where $g_1^{x_S} = y_S$.
Trusted Center's keys: $(g_2, x_T, y_T)$, where $g_2^{x_T} = y_T$.

128 Withdrawal I: enabling coin and owner tracing
Alice computes $m := g_1 g_2^{s}$, $d := y_T^{s}$, where $s \in_R \mathbb{Z}_q$. As will be seen soon, $m$ identifies a coin; $d$ does its owner.
(Coin tracing) Given $d$, the TC can compute (trace) $m = g_1 g_2^{s} = g_1 d^{x_T^{-1}}$.
(Owner tracing) Given $m$, the TC can compute (trace) $d = y_T^{s} = g_2^{s x_T} = (m g_1^{-1})^{x_T}$.

129 Alice needs to prove that she computed $m, d$ as prescribed. This can be done by proving $\log_{g_2}(m g_1^{-1}) = \log_{y_T} d$ using $\mathrm{ProofLogEq}(g_2, m g_1^{-1}, y_T, d)$, except that $m$ needs to be blinded. Recall the blinding $m' = m^{s'} g^{t}$ in BlindLogEqSig. Choosing $t = 0$ and $s' = s^{-1}$, we have $m' := m^{s^{-1}} = (g_1 g_2^{s})^{s^{-1}} = g_1^{s^{-1}} g_2$, so that $(m' g_2^{-1})^{s} = g_1$. Thus, Alice computes $m' := g_1^{s^{-1}} g_2$ and sends $(c, b, m' g_2^{-1}, g_1, y_T, d)$ to the bank, where $(c, b) := \mathrm{ProofLogEq}(m' g_2^{-1}, g_1, y_T, d)$. The bank verifies the proof. If the verification condition holds, the bank stores $d$ in Alice's entry in the withdrawal database.

130 Withdrawal II: withdrawing a coin
Alice chooses $r \in_R \mathbb{Z}_q$, computes a coin number $c\# := g_2^{r}$, and executes $(c_1, b_1, z) := \mathrm{BlindLogEqSig}_h(c\#, g_1, y, m)$ with the bank. In the first step of BlindLogEqSig, the blinded $m'$ of Withdrawal I is converted to $m := m'^{s}$, using the same $s$ as in Withdrawal I. The coin number $c\#$ is part of the mechanism of double-spending detection. It is included in the computation of $c_1$: $c_1 := h(c\# \| m \| z \| a_1 \| a_2)$. The coin consists of $(c_1, b_1, c\#, g_1, y, m, z)$.

131 Payment
Main issue: to enable the bank to detect double spending and identify the customer's name w/o involving the TC. When paying with a coin $(c_1, b_1, c\#, g_1, y, m, z)$, Alice signs the message $M = (c_1, b_1, y_S, \mathrm{time})$ using ProofLog: $(c_2, b_2) := \mathrm{ProofLog}_h(M, g_2, m g_1^{-1})$. Alice proves that she knows the secret $s = \log_{g_2}(m g_1^{-1})$. The coin number $c\# = g_2^{r}$ is used as the commitment. The coin submitted to the shop is defined by:
$\mathrm{coin} = (c_1, b_1, c\#, g_1, y, m, z, c_2, b_2, M, g_2, m g_1^{-1})$.

132 The shop verifies the submitted $\mathrm{coin} = (c_1, b_1, c\#, g_1, y, m, z, c_2, b_2, M, g_2, m g_1^{-1})$ by verifying:
• the correct form of $M$;
• whether $c_2 = h(M \| c\#)$;
• the proof/signature $(c_1, b_1, z) = \mathrm{BlindLogEqSig}_h(c\#, g_1, y, m)$ (How?);
• the proof/signature $(c_2, b_2) = \mathrm{ProofLog}_h(M, g_2, m g_1^{-1})$ by testing $c_2 = h(M \| g_2^{b_2} (m g_1^{-1})^{c_2})$.

133 Deposit
Suppose the shop wants to deposit a coin $C = (C_1, C_2)$ (its withdrawal part and its payment part). The bank verifies the coin and searches its database for an identical coin. Double deposit, if the bank finds an identical coin $(C_1, C_2)$. Double spending, if the bank finds a coin $(C_1, C'_2)$ with $C'_2 \ne C_2$. In this case, the bank can recover the customer's identity $d$, since the same $c\#$ was used as the commitment when the customer made the two payments.
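The payment signature of slide 131, the shop's check of slide 132, and the bank's double-spending recovery of slide 133 in code (an added example, not from the slides). Two payments of one coin reuse the commitment c# = g_2^r with different challenges, so the bank solves s = (b_2 - b_2')(c_2' - c_2)^{-1} and recomputes d = y_T^s to look the owner up. The group (p = 2039, q = 1019, g_1 = 4, g_2 = 9), the SHA-256 hash and the payment message strings standing in for M = (c_1, b_1, y_S, time) are all constructed for this example; the bank's blind signature on the coin is omitted.

```python
import hashlib
import random

# Constructed toy parameters (not secure): p = 2q + 1; g_1, g_2 generate the order-q subgroup.
P, Q = 2039, 1019
G1, G2 = 4, 9


def H(*parts) -> int:
    """Hash h(...) over the concatenation of the parts, reduced into Z_q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def withdrawal_I(y_T, rng):
    """Slide 128: Alice picks s, m = g_1 g_2^s, d = y_T^s; the bank records (d, Alice)."""
    s = rng.randrange(1, Q)
    m = G1 * pow(G2, s, P) % P
    d = pow(y_T, s, P)
    return s, m, d


def pay(s, r, message):
    """Slide 131: Alice signs M with ProofLog_h(M, g_2, m g_1^{-1}), using the
    coin number c# = g_2^r as the commitment. Returns (c_2, b_2)."""
    c_hash = pow(G2, r, P)                      # c#
    c2 = H(message, c_hash)
    b2 = (r - c2 * s) % Q
    return c2, b2


def shop_verify(coin, message, sig) -> bool:
    """Slide 132: check c_2 = h(M || g_2^{b_2} (m g_1^{-1})^{c_2}) and that the
    reconstructed commitment equals the coin number c#."""
    m, c_hash = coin["m"], coin["c#"]
    c2, b2 = sig
    base = m * pow(G1, -1, P) % P               # m g_1^{-1} = g_2^s
    commitment = pow(G2, b2, P) * pow(base, c2, P) % P
    return commitment == c_hash and c2 == H(message, c_hash)


def bank_trace(payment1, payment2, y_T, database):
    """Slide 133: two payments with the same c# but different challenges reveal
    s = (b_2 - b_2')(c_2' - c_2)^{-1}; then d = y_T^s identifies the owner."""
    c2, b2 = payment1
    c2p, b2p = payment2
    if c2 == c2p:
        return None                             # identical challenge: a double deposit, not a double spend
    s = (b2 - b2p) * pow(c2p - c2, -1, Q) % Q
    d = pow(y_T, s, P)
    return database.get(d)


def demo(seed=11):
    """Returns (both payments verify at the shops, identity recovered by the bank)."""
    rng = random.Random(seed)
    x_T = rng.randrange(1, Q)                   # trusted center's private key
    y_T = pow(G2, x_T, P)
    s, m, d = withdrawal_I(y_T, rng)
    database = {d: "Alice"}                     # bank's withdrawal record (d, Alice)
    r = rng.randrange(1, Q)
    coin = {"m": m, "c#": pow(G2, r, P)}        # the bank's signature fields are omitted here
    # Two payments of the same coin; constructed placeholders for M = (c_1, b_1, y_S, time).
    msg1, msg2 = "coin|shopA|t=1", "coin|shopB|t=2"
    p1, p2 = pay(s, r, msg1), pay(s, r, msg2)
    k = 3
    while p1[0] == p2[0]:                       # with this toy q the two challenges could coincide
        msg2 = f"coin|shopB|t={k}"
        p2 = pay(s, r, msg2)
        k += 1
    ok = shop_verify(coin, msg1, p1) and shop_verify(coin, msg2, p2)
    return ok, bank_trace(p1, p2, y_T, database)
```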


More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police

More information

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

Entity Authentication

Entity Authentication Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The

More information

Question 1. The Chinese University of Hong Kong, Spring 2018

Question 1. The Chinese University of Hong Kong, Spring 2018 CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is

More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.

More information

1 Basic Number Theory

1 Basic Number Theory ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Interactive protocols & zero-knowledge

Interactive protocols & zero-knowledge Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Zero-Knowledge Proofs and Protocols

Zero-Knowledge Proofs and Protocols Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is

More information

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R

More information

RSA RSA public key cryptosystem

RSA RSA public key cryptosystem RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.

More information

Practice Assignment 2 Discussion 24/02/ /02/2018

Practice Assignment 2 Discussion 24/02/ /02/2018 German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption

More information

Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araújo

Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araújo Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araúo 15.08.2012 Fachbereich 20 CDC Denise Demirel 1 Helios Introduced 2008 by Ben Adida Web application

More information

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 3: Interactive Proofs and Zero-Knowledge CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic

More information

CRYPTANALYSIS OF COMPACT-LWE

CRYPTANALYSIS OF COMPACT-LWE SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption

More information

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

Threshold Undeniable RSA Signature Scheme

Threshold Undeniable RSA Signature Scheme Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information

More information

Lecture V : Public Key Cryptography

Lecture V : Public Key Cryptography Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.

More information

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set

More information

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015. Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange

More information

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMER GENERATORS and HASH FUNCTIONS Part VI Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions A large number of interesting

More information

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,

More information