Cryptology. Vilius Stakėnas autumn

Transcription

1 Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution Zero-knowledge proofs ZKP concept How is it possible? Requirements for ZKP Proving knowledge about congruences The Gouillou-Quisquater protocol Proving knowledge about discret logarithm General setting for ZKP General setting for ZKP General setting for ZKP without interactivity ZKP for the discret logarithm without interactivity ZKP for the discret logarithm without interactivity The coin tossing protocol Digital money 17 Requirements for digital money ECash system created be DigiCash Protocol for creating digital notes Protocol for creating digital notes Spending digital notes Against multiple spending

2 2.22 Cryptographic protocols 2 / 23 Key distribution Diffie-Hellman key exchange protocol g is generating element mod p. 3 / 23 Zero-knowledge proofs Sometimes it is needed that before the beginning of interactive protocol the participant should provide some proof of his rights to enter the protocol. The secret information can not be send over insecure channel! 4 / 23 ZKP concept Participants of the ZKP protocol: P prover, V verifier. P wants to prove having some knowledge without revealing it. 5 / 23 2

3 How is it possible? 6 / 23 Requirements for ZKP Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover. Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability. Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. 7 / 23 3

4 Proving knowledge about congruences P : I know the solution u of x 2 c mod n. The protocol: P chooses r randomly and sends y r 2 mod n to V. V chooses i {0, 1} randomly and sends to P. P computes z u i r mod n and sends to V. V checks whether z 2 c i y mod n The protocol is repeated. 8 / 23 The Gouillou-Quisquater protocol P : I know the solution u of x e c mod n. The protocol: P chooses r randomly and sends y r e mod n to V. T chooses i {0, 1,..., e 1} and sends to P. P computes z u i r mod n and sends to V. V verifies the congruence z e c i y mod n The protocol is repeated. 9 / 23 4

5 Proving knowledge about discret logarithm Public knowledge: the prime number p, generating element g and y. P knows the value of discret logarithm x, i.e. y g x mod p. The protocol: P chooses r randomly, computes t g r mod p and sends to V. V chooses a random c and sends to P. P computes s r + cx mod and sends to V; V verifies whether g s ty c mod p. General setting for ZKP P wants to prove to V that P knows how the solution of some difficult problem U without showing this solution itself. 10 / 23 P using a randomly chosen number r creates the new problem U(r) equivalent to U, solves it. P sends the problem U(r) to V. V chooses randomly the value b {0, 1} and sends to P. If b=0, P sends to V the proof that the problems U and U(r) are equivalent; if b = 1, P sends the solution of U(r); V checks if P has fulfilled the requirement. The protocol is repeated n times. 11 / 23 5

6 General setting for ZKP All date for repeating the protocol can be send at once: P wants to prove to V that P knows how the solution of some difficult problem U without showing this solution itself. P uses randomly chosen numbers r 1,..., r n, creates the problems U(r i ) equivalent to U and solves them. P sends to V the problems U(r i ); V chooses b 1,..., b n {0, 1} and sends to P; If b i = 0, P sends to V the proof, that U and U(r i ) are equivalent; if b i = 1, P sends the solution of U(r i ). V verifies if the requirements are fulfilled. General setting for ZKP without interactivity P wants to prove to V that P knows how the solution of some difficult problem U without showing this solution itself. The public hash function is used, the digest is the string of n bits. santraukas. 12 / 23 P uses randomly chosen numbers r 1,..., r n, creates the problems U(r i ) equivalent to U and solves them. P computes h(u(r 1 ),..., U(r n )) = (b 1,..., b n ); P publishes U(r i ); If b i = 0, P publishes the proof that U and U(r i ) are equivalent; if b i = 1, P publishes the solution of U(r i ). V can verify the proof without attending P. 13 / 23 6

7 ZKP for the discret logarithm without interactivity Public knowledge: ciklinė the prime number p, the generating element g, the hash function h-funkcija h(u, v, w) Z p 1 and y. P knows the discret logarithm x, g x y mod p. P wants to publish non-interactive proof of knowledge of x. P computes the proof: choses v randomly, computes t g v mod p. computes c = h(g, y, t); computes r v cx mod p 1. The proof of x is (c, r). 14 / 23 ZKP for the discret logarithm without interactivity Verification of the the proof: t g r y c mod p; check if c = h(g, y, t )? 15 / 23 7

8 The coin tossing protocol There are two participants A and B communicating over telephone ore . A and B agree over a value of large prime number p and choose two generating elements h and t. A chooses x randomly, computes y h x mod p (or y t x mod p) and sends to B. B guesses whether h (head) or t (tail) was used. A says to B whether the guess was correct and sends x for B could check the guess itself. 16 / Digital money 17 / 23 Requirements for digital money authenticity: only the owner of the account can get the digital money; integrity: the digital note can not be changed; direct payment: the digital money can be spend without contacting the bank issued it; security: the same digital note can not be spend repeatedly; anonimity: no personal information is required for spending the money. 18 / 23 8

9 ECash system created be DigiCash A wants to have digital money. A must have non-empty account at the bank B for to digitize" some of its real" money. When A asks B for digital money some authetification system of users should be used, for example, some digital signature scheme. The bank B should use a secure system of digital signatures, say RSA. 19 / 23 Protocol for creating digital notes Suppose A wants to get a digital note for 100 EU. A prepares n (as required by B, say, n = 100) sequences of strings (n strings in each sequence) S j = (I j1, I j2,..., I jn ), j = 1,..., n; each string I jk contains the informaton identifying A. Each string I jk as a secret is divided into two shares (L jk, R jk ). A prepares n notes for 100 EU each: M j = (m j, (L jk, R jk ) k=1,...,n ), here m j contains the number of the note (different numbers for different notes) and the value of the note. A masks the notes and sends M j = (z e j m j, (L jk, R jk ) k=1,...,n ), here e is the public key of the bank B and z j a number chosen randomly. 20 / 23 9

10 Protocol for creating digital notes The bank B chooses n 1 notes (for example, M 1,..., M 99) and requires that A must send the masking numbers z j. B gets the numbers z j, and verifies whether of notes chosen are created correctly: the same values, the different serial numbers. If all the notes are created according to rules, B believes that the last one is correct too. signs and sends to A ((z e 100m 100 ) d, (L 100,k, R 100,k ) k=1,...,n ). A removes the masking factor and has a digital note (m 100, (m 100 ) d ) with some attachment I 100 = (L 100,k, R 100,k ) k=1,...,n. Spending digital notes A gives the digital note to the vendor V (m 100, (m 100 ) d ) V checks the digital signature of B m 100 = ((m 100 ) d ) e. V generates the random bit string b 1 b 2... b 100 and gives to A. If b i = 0, A must convey L 100,i ; if b i = 1, A conveys R 100,i. V sends to B (m 100, (m 100 ) d ) and the revealed shares of I 100,i. 21 / 23 B verifies its signature and checks in its database whether the note with the serial number of m 100 was not spend earlier. If not the bank transfers the appropriate sum to the account of the vendor and inputs into database the information received. Against multiple spending If B finds out that the note is being spent repeatedly, it compares the shares of secret with that ones already in the database. 22 / 23 If all shares received are the same as in the database, the bank accuses the vendor. If some shares are different, then the bank can reveal the identity of A (computes the secret from two shares, say, L 100,k and R 100,k ). 23 / 23 10