G /G Advanced Cryptography 12/9/2009. Lecture 14

Transcription

1 G /G Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we saw some UC secure ZK protocols and NIZKs. 1 Ideal/Real paradgm One of the man objectves of cryptography s to construct protocols, whch are secure even n the presence of corrupted partes. But, frst of all, we have to defne what secure means. In order to do so magne what propertes we would have n an deal world and then we call a protocol secure f the real (the constructed) protocol has smlar propertes. Ths s the basc dea of the Ideal/Real paradgm. There are two man knds of adversares: statc and adaptve. In the frst case, the adversary chooses whch party t corrupts before the protocol begns. In the latter case, the adversary chooses the party to be corrupted durng the executon of the protocol. The network, whch s used mght be ether authentcated, whch means that the recever always knows who the sender was, or not. It mght also have secure or publc channels. The former ensure that the transmtted messages reveal useful nformaton only to the recever, whle the latter do not. Here, for smplcty, we may assume statc adversares and a network wth secure, authentcated channels. For example let us see a ZK protocol for some relaton R, where generally the verfer V has as nput some y and the prover P wants to prove to V that there exsts some x such that (x, y) R. In an deal world we can magne a thrd party, whch s honest and trustful and can communcate wth both P and V. In ths deal scenaro, P could gve (x, y) to ths trusted party the latter would check f (x, y) R and then tell V f ths s true or false. However, n the real world we do not have such trusted partes and we have to substtute them wth a cryptographc protocol π between P and V. Roughly speakng, the Ideal/Real paradgm requres that for whatever nformaton an adversary A (whch plays the role of ether P or V ) could retreve n the Real world, there s a way to retreve t n the Ideal world as well. The trusted thrd party can be vewed as the functonalty we want to acheve and we denote t by F ZK. If some protocol satsfes the above property regardng ths functonalty, we call t secure. The formal defnton of securty follows: L14-1

2 Defnton 1 A protocol π realzes F ZK f for all ppt A, there exsts a ppt S such that Real π A c Ideal F ZK S. Now let us see what s the role of smulator S n each case of corrupton. In the case where the adversary A corrupts the verfer V, the smulator S only learns n the deal world whether the statement s true or not, whle n the real world A also sees a proof for that. Thus, S must be able to smulate an acceptng proof, whle only knowng that the statement s true. On the other hand, f A corrupts P, S must be able to provde the wtness x to the functonalty F ZK n the Ideal world. Observng that S can smulate V we see that S must be able to extract the wtness from P (whch s corrupted). The next theorem must be ntutvely clear: Theorem 2 Any ZKPoK protocol π realzes F ZK. 2 Unversal Composablty The above noton of securty s qute strong, but stll not enough. In some cases we want the protocols to be securely composable. That s, we want the protocols to be secure even f we use them as subroutnes n larger protocols or n cases where other protocols (related or not) are runnng concurrently. Therefore, we have to take nto consderaton any envronment n whch the nteracton takes place. The envronment can be vewed as an nteractve ppt Turng Machne, whch nteracts wth both P and V, and s denoted by Z. L14-2

3 Defnton 3 A protocol π UC-realzes F ZK f for all ppt A, there exsts a ppt S such that for all ppt Z Real π A,Z c Ideal F ZK S,Z. A negatve result s that ths noton of securty s too strong. Theorem 4 No protocol π UC-realzes F ZK. The ntuton s that the envronment Z does not allow the smulator to do rewndng. That s, n the case of corrupted prover P, the smulator must extract onlne, but f there s no set up the extracton could be done by a malcous verfer V, whch would contradct ZK. On the other hand f we assume an extended settng, we can have UC-realzable ZK protocols n the CRS model. The two models we assume are: Fresh CRS model. For every nteracton we use a new CRS. Reusable CRS model. For every nteracton we use the same CRS. Theorem 5 1. Any NIZKPoK π UC-realzes F ZK n the fresh CRS model. 2. Any wse-nizk wth labels π UC-realzes F ZK n the reusable CRS model Ω-protocols To construct protocols whch UC-realze F ZK based on weaker assumptons, we are gong to use Ω-protocols. Let us recall Ω-protocols, whch we saw n lecture 8: Defnton 6 Let π be a Σ-protocol. We call π an Ω-protocol, f there exsts a ppt extractor E such that for any prover P and statement y we have that: Pr[π (P (y) V (y));x E(π, TK) : Accept(π) (x, y) / R] = negl where TK s the trapdoor key of FakeCRS. 1 Every nteracton s labeled wth a dfferent dentfcaton number called sd (sesson dentfcaton number). If we use ths sd as label, then every new proof s fresh and cannot be used agan. L14-3

4 The dfference wth the prevous lecture s that here there s a CRS wth a trapdoor nstead of a (non-programmable) random oracle. Therefore, the extractor s gven the trapdoor oof the CRS nstead of the queres. Now let us see two constructons of Ω-protocols for a relaton R: Constructon 1 (from CPA+Σ-protocol wth large challenge space) The CRS s the publc key pk and the trapdoor of the CRS s the decrypton key dk for the CPA secure encrypton scheme. Durng the frst round the prover P computes c Enc pk (x) and sends t to the verfer V. Then P and V run a Σ-protocol of the statement: Dec sk (c) = x and (x, y) R. The extractor E smply uses the secret key to compute x = Dec sk (c). By soundness of the underlyng Σ-protocol x must be a wtness. A dsadvantage of ths constructon s that even f R has an effcent Σ-protocol, the relaton of the statements Dec sk (c) = x and (x, y) R mght not. Theorem 7 The above constructon s a secure Ω-protocol f Σ has a superlogarthmc challenge space. Constructon 2 (from CPA+Σ-protocol wth small challenge space) If the challenge space s bnary (small) then we can do the followng: P (a, z 0, z1 ) Σ-protocol γ 0 = Enc pk(z 0, r0 ) γ 1 = Enc pk(z 1, r1 ) (a,γ 0,γ1 ) (c 1,...,c n) z c,rc V c R {0, 1} Theorem 8 The above constructon s a secure Ω-protocol. Ths constructon s very smlar to that of lecture 8 for the case of non-programmable random oracle. The extractor here uses the secret key (trapdoor of CRS) to compute z 1 c and use specal soundness to compute the wtness from a, z c, z1 c. Wth overwhelmng probablty there exsts some whch gves a vald wtness. The advantage of ths protocol s that t s qute generc and only needs a Σ-protocol for relaton R tself (and not another relaton as before). The dsadvantage s that there s a great loss of effcency as t s lke runnng many protocols n parallel. L14-4

5 2.2 Constructon of a UC-secure ZK protocol n the fresh CRS model Suppose that we have a trapdoor commtment scheme. The CRS wll be the CRS of both the trapdoor commtment scheme and the Ω-protocol, namely CRS = (Ω-CRS, Com-CRS). P (γ, d) Com(a) γ c z,d,a V As we can see ths constructon s very smlar to that of concurrent ZK of lecture 7. However, here we not only need straghtlne smulatablty, but straghtlne extractablty as well. Ths s exactly the reason why we use Ω-protocols. 2.3 Constructon of a UC-secure ZK protocol n the reusable CRS model The above protocol s only secure f every tme there s a fresh CRS. However, f the CRS remans the same an adversary mght nteract wth some prover P and then use what P sent hm to break bndng and then nteract wth some verfer V. Therefore, here we are gong to use a tool called Identty Based Trapdoor Commtment Scheme (IBTC). It s almost the same wth a Trapdoor Commtment Scheme, but every recever has an dentty and each dentty has a dfferent trapdoor. More specfcally, there exsts a master secret key MSK and a publc key PK. Usng MSK we can compute for any ID ts trapdoor key TK ID. The property of equvocaton s the same wth that of regular Trapdoor Commtments wth respect to each dentty ID. Namely, havng TK ID, we can produce an equvocable commtment, whch can be opened to any message. Constructon of IBTC (from OWF+Σ-protocol) The constructon s very smlar to that of regular Trapdoor Commtments, whch we saw n lecture 4. There we used a Σ-protocol for a relaton R f such that (x, y) = 1 ff f(x) = y, wth f a OWF, the publc key was y and the trapdoor key x. Here we just use a dfferent relaton. Suppose that Γ = (Gen, Sg, V er) s a sgnature scheme, let R ID be a relaton such that (x, y) R ID ff y = (V K, ID) and x = σ s.t. V er(v K, ID, σ) = 1, and suppose that there s a Σ-protocol for ths relaton. Frstly, we choose a random strng r and compute (V K, SK) Gen(r). Then, we set MSK = r and PK = V K. The trapdoor key TK ID for dentty ID s σ ID = Sg SK (ID). Commtment and Equvocaton are the same as n the based on Σ- protocols Trapdoor Commtments. The ZK protocol s the same as before, but nstead of usng regular trapdoor commtments we use IBTC. Namely, L14-5

6 P (γ, d) Com V (a) γ c z,d,a V The usefulness of IBTC reles on the fact that every ID has a dfferent trapdoor and breakng bndng for one ID does not mply breakng bndng for other ID s. 3 Generalzed Unversal Composablty Although UC-securty s a very strong noton, t does not capture all securty propertes we want n the case of protocols whch use a global setup (CRS,PKI,etc.). That s, n cases where many protocols may use the same setup, there are ssues such as denablty and malleablty whch are not guaranteed wth UC-securty. Therefore, an even stronger noton of securty s requred, whch s called Generalzed Unversal Composablty (GUC). Roughly speakng, n the case of CRS model n UC framework the common reference strng s only gven to the adversary and the partes runnng the actual protocol (n the real world), but n the GUC framework the reference strng s gven to everyone ncludng the envronment. In a more techncal level the smulator s not allowed to choose ts own CRS, namely the CRS s non-programmable. What we acheve wth GUC secure protocols s that they can be securely composed wth other protocols whch use the same setup. L14-6