Interactive protocols & zero-knowledge

Transcription

1 Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes that verifiers learn nothing beyond recognizing language. 1

2 Class NP and verifiers Definition 3.6 A verifier V for language L Σ is a computable function V : Σ { 0,1} { 0,1} such that { { } : V ( w,c) } = 1. L = w Σ c 0,1 Definition 3.7 V is a polynomial verifier for language L Σ if V is a verifier for L and 1. the running time of V on input ( w,c) is polynomial in w, 2. there is a polynomial p:n N such that for all w L there ( ) is a c { 0,1} p w with V ( w,c) = 1. If language L has a polynomial verifier we call it polynomially verifiable. 2

3 Class NP and verifiers Theorem 3.8 A language L is in NP if and only if there is a polynomial verifier for L. verifier w L? prover outputs 1, iff ( ) = 1 V w,c try c! 3

4 SAT and NP SAT:= { ϕ ϕ is a satisfiable Boolean formula} verifier ϕ SAT? prover outputs 1, iff ( ) ϕ c = 1 try assignment c! SAT NP. 4

5 Quadratic residues Definition 3.9 Let N N, then QR N { s 2 = v mod N} is called the set of ( ) := v Z N s Z N quadratic residues modulo N. QNR ( N) := Z N \ QR ( N) is called the set of quadratic nonresidues modulo N. QR := N,v QNR := N,v {( ) v QR ( N) } {( ) v QR ( N) } Property If v QR N ( ) and u QNR N ( ), then v u QNR N ( ). 5

6 QR is in NP Observation QR NP. verifier ( N,v) N ZN prover outputs 1, iff s 2 = v mod N try s! 6

7 Quadratic non-residues and protocols What about QNR and NP? Don t know, but. verifier ( N,v) N Z N prover b { 0,1},r Z N, y := r 2 v b mod N y b b outputs 1 iff b = b 7

8 Quadratic non-residues and protocols Properties If ( N,v) QNR, then P can make V accept with prob. 1. If ( N,v) QR, then no matter what P does, V accepts only with prob

9 Interactive protocols Interactive protocols - use randomness - use communication - allow error in acceptance/rejection Definition 3.10 A language L is in the class IP, if there are V,P and a protocol V/P with 1. for all w L the verifier V outputs 1 with probability 2 3 after execution of V/P with input w, 2. for all w L and all provers P the verifier outputs 1 with probability 1 3 after execution of V/ P with P and input w, 3. the overall running time of V is polynomial. 9

10 Interactive protocols Definition 3.10 A language L is in the class IP, if there are V,P and a protocol V/P with 1. for all w L the verifier V outputs 1 with probability 2 3 after execution of V/P with input w, 2. for all w L and all provers P the verifier outputs 1 with probability 1 3 after execution of V/ P with P and input w, 3. the overall running time of V is polynomial. Remarks In protocol V/ P V behaves as in V/P, but P may behave differently from P. May assume that format of message of P is as in V/P. Constants 2 3 and 1 3 are arbitrary, 1+ ε ( ) & 1 ε ( ) suffice. 10

11 QR,QNR and IP Observation QR and QNR are in IP. Theorem 3.11 NP IP. 11

12 QR is in NP Observation QR NP. verifier ( N,v) N Z N prover outputs 1, iff s 2 = v mod N try s! 12

13 Fiat-Shamir revisited P/A r Z N *,x := r 2 mod N b t: = r s A mod N ( N,v) N Z N x b t V/B b { 0,1} outputs 1, iff t 2 = x v A b mod N Properties ( ) QR, then P can make V accept with prob. 1. ( ) QNR, then no matter what P does, V accepts only with prob If N,v If N,v

14 Fiat-Shamir revisited 1. For i=1 to l P/A and V/B do: r P/A Z,x : = r mod N * 2 i N i x i b i i V/B { } b 0,1 b t: = r s i mod N i i A t i 2 b rejects if t x v i mod N i i A 2. V/B accepts. 14

15 Transcripts Definition 3.11 Let L be a language,v L and V/P be an interactive protocol for L. A transcript τ { 0,1} of V/P on input v consists of v, the output and all messages exchanged between V and P. By T ( V,P v) we denote the random variable ( ) = τ corresponding to these transcripts, i.e. Pr T V,P v denotes the probability that the transcript of V/P on input v is τ. Remark Similarly for a probabilistic algorithm S we denote by S v ( ) the random variable corresponding to the output of S on input v, i.e. by Pr S v ( ) = τ we denote the probability that S on input v outputs τ. 15

16 Fiat-Shamir revisited 1. For i=1 to l P/A and V/B do: r P/A Z,x : = r mod N * 2 i N i x i b i i V/B { } b 0,1 b t: = r s i mod N i i A t i 2 b rejects if t x v i mod N i i A 2. V/B accepts. 16

17 Zero-knowledge protocols Definition 3.12 Let L be a language and V/P be an interactive protocol for L. Protocol V/P is called a (honest verifier) zero-knowledge protocol, if there is a ppt S such that for all v L and all τ { 0,1} Pr T V,P ( v) = τ = Pr S ( v ) = τ. Remarks Definition only says something about v L. ppt verifier V learn nothing from execution of V/P since all it learns (=transcript) it can compute alone (via S). 17

18 Zero-knowledge protocols and Fiat-Shamir Theorem 3.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language QR. Fact Let N N, then every element in QR ( N) has the same number of square roots modulo N, namely Z N QR ( N). 18

19 Fiat-Shamir identification protocol 1. For i=1 to l P/A and V/B do: r P/A Z,x : = r mod N * 2 i N i x i b i i V/B { } b 0,1 b t: = r s i mod N i i A t i 2 b rejects if t x v i mod N i i A 2. B accepts. 19

20 Zero-knowledge protocols and Fiat-Shamir Theorem 3.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language QR. S on input v Z N b { 0,1},t Z N x := t 2 v b mod N output ( v,x,b, t,1) 20

21 Zero-knowledge protocols and Fiat-Shamir Theorem 4.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language QR. Why is zero-knowledge possible? - Protocol and simulator compute same transcripts, but in different order. - In Fiat-Shamir, first compute square, then square root. - In simulator, first compute root, then square it. - Squaring is easy, taking square roots modulo N (probably) not. 21

22 Perfect zero-knowledge protocols Definition 3.14 Let L be a language and V/P be an interactive protocol for L. Protocol V/P is called a perfect zero-knowledge protocol, if for all ppt verifiers V there is a ppt S such that for all v L and all τ { 0,1} 1. with probability 1 2 S output a special symbol, 2. Pr T v V,P ( ) = τ = Pr S v ( ) = τ S ( v). Remarks In protocol V /P P behaves as in V/P, but V may behave differently from V. May assume that format of message of V is as in V/P. 22

23 Zero-knowledge protocols and Fiat-Shamir Theorem 4.15 The Fiat-Shamir protocol is a perfect zero-knowledge protocol for the language QR. S on input v Z N b { 0,1},t Z N,x := t 2 v b mod N simulate V with input ( v,n,x), until V outputs a bit b. if b b, output, else output ( v,x,b, t,1) 23

24 Fiat-Shamir identification - offers security against cheating prover and verifier, - has significant round and communication complexity, - has significant computational complexity. - Schnorr and Okamoto protocols improve this. - Fiat-Shamir based on factoring problem, - Schnorr and Okamoto based on discrete logarithm problem. 24

25 Candidates for one-way functions 3. Gen( 1 n ) generates prime number p 2 n and generator g Samp ( I) x Z p 1 f I for the multiplicative group Z p,i = ( p,g) ( x) outputs g x mod p Idea Exponentiation is easy, discrete logarithm is difficult. 25

26 Schnorr identification setup TA chooses primes p,q such that q p 1 and q > 2 l, chooses generator z of Z p and sets g:= z p 1 q. A chooses a Z q, sets v A := g a mod p. TA sets cert(a) := ( id(a),v A,Sign ( TA id(a),v )) A Remark g has order q. 26

27 Schnorr identification protocol A k Z q,x := g k mod p cert(a),x challenge r B verifies cert(a) { } r 1,,2 l y : = k + a r mod q y response accepts iff y r x = g v A mod p 27

28 Impersonation in Schnorr protocol Theorem 3.16 For any δ 2 l+2 and any algorithm C there exists an algorithm C with the following properties: 1. If on input p,q,g,v A C impersonates A with probability δ, then C on input p,q,g,v A computes a discrete logarithm of v A to base g with probability 0.03; 2. If C runs in time T, then C runs in time O ( T/δ + log 2 ( p) ). 28

29 From C to C C on input p,q,g,v A 1. repeat at most 1 δ times a) z { 0,1} R,r { 1,,2 l } b) simulate C with random bits z and r c) if C succeeds set r 1 : = r and goto 2) 2. repeat at most 1 δ times a) r { 1,,2 l } b) simulate C with random bits z and r c) if C succeeds set r 2 : = r and goto 3) 3. if r 1 r 2, output r 1,r 2 and corresponding y 1,y 2. 29

30 Zero-knowledge protocols and Schnorr Theorem 3.17 The Schnorr protocol is a zero-knowledge protocol. Observations - The Schnorr protocol is not known to be perfect zeroknowledge. - No attacks against Schnorr protocol are known. Okamoto protocol - efficiency similar to Schnorr - still not zero-knowledge - but witness hiding 30

31 Okamoto identification setup TA chooses primes p,q such that q p 1 and q > 2 l, chooses generator z of Z p and sets g:= z p 1 q, chooses g 1,g 2 g A chooses a 1,a 2 Z q, sets v := g 1 a 1 g 2 a 2 mod p. TA sets cert(a) := ( id(a),v,sign ( TA id(a),v )) Remark g,g 1,g 2 have order q. 31

32 Okamoto identification protocol A k 1,k 2 Z q, B x := g 1 k 1 g 2 k 2 mod p y : = k + a r mod q y : = k + a r mod q cert(a),x r y 1,y 2 verifies cert(a) { } r 1,,2 l accepts iff y x = g 1 y 1 g 2 2 v r mod p 32

33 Okamoto identification protocol - security - security against cheating prover as in Schnorr protocol - security against cheating verifier in 2 steps o show that Okamoto is witness indistinguishable (unconditionally) o under assumption that discrete logarithm is hard show that witness indistinguishability implies witness hiding, i.e. cheating B cannot learn A s secret. 33

34 Witnesses and discrete logarithms Definition 3.18 Given p,q,g,g 1,g 2 and v g as before, the elements of W v,g 1,g 2 called witnesses. { } are ( ) := ( b 1,b ) b 2 v = g 1 b 1 g 2 2 mod p Theorem 3.19 For any δ > 0 and any algorithm C there exists an algorithm C with the following properties: 1. If on input p,q,g and g 1,g 2,v g, C finds a pair ( a 1,a ) 2 W(v,g 1,g 2 ) with probability δ, then C on input p,q,g.g 1,g 2 computes the discrete logarithm of g 2 to base g 1 with probability δ ( 1 1 q); 2. If C runs in time T, then C runs in time O ( T+log 3 (p)). 34

35 Witnesses and discrete logarithms Definition 3.18 Given p,q,g,g 1,g 2 and v g as before, the elements of W v,g 1,g 2 called witnesses. { } are ( ) := ( b 1,b ) b 2 v = g 1 b 1 g 2 2 mod p Claim p,q,g,g 1,g 2,v : W ( v,g 1,g ) 2 = q 35

36 Cheating provers and discrete logarithms Theorem 3.20 For any δ > 2 l+2 and any algorithm C there exists an algorithm C with the following properties: 1. If on input p,q,g,g 1 g 2,v A C impersonates A with probability δ, then C on input p,q,g,g 1,g 2 computes the discrete logarithm of g 1 to base g 2 with probability 0.03; 2. If C runs in time T, then C runs in time O ( T/δ + log 3 ( p) ). 36

37 Witnesses and witness indistinguishability Definition 3.18 Given p,q,g,g 1,g 2 and v g as before, the elements of W v called witnesses. { } are ( ) := ( b 1,b ) b 2 v = g 1 b 1 g 2 2 mod p Lemma 3.21 Given p,q,g,g 1,g 2 and v g as before, then for all ( b 1,b ) 2 W ( v) and all possible transcripts ( x,r,y 1,y ) 2 of the Okamoto protocol there is a unique ( l 1,l ) 2 Z 2 q chosen by A with on input v the transcript is ( x,r,y 1,y 2 ), B accepts, i.e. the Okamoto protocol is witness indistinguishable. 37

38 Witness hiding Theorem 3.22 Given p,q,g,g 1,g 2 and v g as before. Assuming that the discrete logarithm problem is hard, then given a transcript of the Okamoto protocol no ppt B can compute a pair ( b 1,b ) 2 W ( v), i.e. the Okamoto protocol is witness hiding. 38