Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Transcription

1 Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group

2 Zero-Knowledge and Interaction ZK systems combine conflicting requirements - Soundness: No prover P can cheat (honest) verifier V - Zero-Knowledge: No info is leaked about proven statement Interaction is key to strike the balance - ZK Simulator can fake proof transcript by creating its parts out of order - But actual execution is interactive, so V can witness that things happen in the right order So how is Non-Interactive ZK possible?!

3 Non-Interactive Zero-Knowledge (NIZK) NIZK Removing Interaction from ZK - Can t conciliate Soundness and Zero Knowledge without leveraging another resource e.g., Interaction But the other resource need not be Interaction... NIZK Replacing Interaction in ZK with - Shared Randomness ([BFM88]) - Random Oracles (á la [FiSh86]) - Trusted Set-Up ([CLOS02]) - Correlated Secret Randomness ([CrDa04]) - Public-Key Infrastructure ([BCNP04])

4 Conventional NIZK [BFM88] Common Random String (CRS) model - P and V share a fixed, random string + Pro s ([BFM88], [BDMP91], [FLS90], [KiPe98]) - Elegant model, techniques and constructions - Efficient protocols for (few) NP-complete problems Con s - NIZKs in this model are not deniable ([Pas03]) - Efficient constructions for number-theoretic languages?

5 The Fiat-Shamir Heuristic Originally proposed to remove interaction from (public-coin) identification schemes Idea: Use random oracle to replace V s challenge(s) with hash of (partial) transcript - Random behavior of H makes it hard for cheating P to control value of challenge(s) + Can remove interaction from existing ZK protocol NIZKs are not deniable in this model, either Not really provable random oracles don t exist!

6 The Fiat-Shamir Heuristic Originally proposed to remove interaction from (public-coin) identification schemes Idea: Use random oracle to replace V s challenge(s) with hash of (partial) transcript - Random behavior of H makes it hard for cheating P to control value of challenge(s) + Can remove interaction from existing ZK protocol NIZKs are not deniable in this model, either Not really provable random oracles don t exist!

7 This Talk Provable alternative to Fiat-Shamir heuristic Overview - Compiler for (a large subclass of) Σ-protocols - Based on homomorphic encryption (e.g., Paillier) - Assume a PKI-like setting (Registered Public-Key model) Applications - Threshold RSA without Random Oracles - Linear NIZK protocol for Circuit Satisfiability Comparison with [BCNP04] and [GOS05]

8 Homomorphic Encryption Public-Key Encryption Scheme (E, D, KG), where - Ciphertexts form an Abelian group - Group operation efficiently computable Example: Paillier s Cryptosystem - Public key: 3k-bit RSA modulus n - Private key: factorization of n into two k-bit primes - E n (m; r) = (1 + n) m r n mod n 2 - E n (m 1 ; r 1 ) E n (m 2 ; r 2 ) = E n (m 1 + m 2 ; r 1 r 2 )

9 Σ-Protocols 3-move, public-coin interactive proof systems x a w P e V z - Public-coin: V s challenge is just a random bitstring - Virtually all efficient protocols have this form

10 Example: Equality of Dlogs in Z p L eqdlog : set of tuples x = (p,p,g 1,g 2,h 1,h 2 ), where - p is a k-bit prime s.t. p = 2p + 1 is also prime - g 1, g 2 have order p in Z p - h 1 = g w 1 mod p, h 2 = g w 2 mod p, for same w Z p L dlmodn : set of tuples x = (N,g 1,g 2,h 1,h 2 ) with properties as above, but w.r.t. RSA modulus N Useful in several applications - E.g., Threshold RSA (later)

11 Σ-Protocol for L eqdlog ŵ r {0,1} 3k (p, p, g 1, g 2, h 1, h 2 ) ĥ 1 = gŵ1 mod p, ĥ 1, ĥ2 ĥ 2 = gŵ2 mod p w P e V e r {0, 1} k w = ŵ + we w g w 1? ĥ1h e 1 (mod p) Σ eqdlog g w 2? ĥ2h e 2 (mod p)

12 The Role of Interaction in Σ-Protocols x a w P e V z Why 3 moves? - Soundness hinges upon P s ability to answer V s challenge So z must depend on e - ZK Simulator can fake transcript choosing e, then z, then a So P must convince V that a generated w/o knowing e

13 NIZK via Homomorphic Encryption Recap of requirements for Σ-protocols - P should send a without knowing challenge e - V should get a response z which depends on e What if P had a homomorphic encryption c of e? - Semantic Security prevents P from reading through c - Homomorphic property allows P to tinker with c and create encrypted answer E pubv (z)

14 A Compilation Technique for Σ-Protocols Preliminarily, V publishes a (hom.) public key pub V and an encrypted challenge, c = E pubv (e) Later, P computes a NIZK for V as follows x (pub V, c) (pub V, c) (priv V, e) w Generate a Compute c = E pubv (z) from w, pub V, c and (the coins used to prepare) a P (a, c) V Decrypt z = D privv ( c) Verify (a, e, z) as before Compile(Σ)

15 Compiling Σ eqdlog using Paillier (n V, c) P (n V, λ(n V )): 3k-bit RSA modulus and its Carmichael function e r {0, 1} k c = E nv (e) V (λ(n V ), e) (p, p, g 1, g 2, h 1, h 2 ) ŵ r {0,1} 3k w ĥ 1 = gŵ1, ĥ2 = gŵ2 c = E nv (ŵ)c w (ĥ1, ĥ2), c (= E nv (ŵ + we)) Compile(Σ eqdlog ) g w 1 w = D λ(nv )( c)? = ĥ1h e 1 g w 2? = ĥ2h e 2

16 Compilation Technique: Remarks Applies to Σ-protocol with linear answers - I.e., z = (z 1,...,z t ), and z j s linear (over Z) in e - True for dlog-, QR- and Paillier-based Σ-protocols Preserves efficiency of the given Σ-Protocol Technique compatible with OR-Construction - Given Σ-protocols for languages L l and L r, obtain a Σ-protocol for language L l L r Only Verifiers need public keys - Keys are not prover-specific

17 Compilation Technique: Security Correctness: Clear by inspection Intuition for Zero-Knowledge - Use Σ s simulator to get (z, a) that works with e = D privv (c) - Encrypt c = E pubv (z), yielding valid NIZK (a, c) - Self-simulatable ([BCNP04]), so NIZKs are deniable Intuition for Soundness - If P can find good (a, z) for false x, can recover e inside c Almost...

18 Compilation Technique: Security Correctness: Clear by inspection Intuition for Zero-Knowledge - Use Σ s simulator to get (z, a) that works with e = D privv (c) - Encrypt c = E pubv (z), yielding valid NIZK (a, c) - Self-simulatable ([BCNP04]), so NIZKs are deniable Intuition for Soundness - If P can find good (a, z) for false x, can recover e inside c Almost...

19 Soundness of Compile(Σ eqdlog ) Assume P cheats V with probability ε: given (n,c), P outputs (p,p,g 1,g 2,h 1,h 2 ), ((ĥ1,ĥ2), c), where h 1 = g w 1 1 (modp), h 2 = g w 2 2 (modp), w 1 w 2 ĥ 1 = gŵ1 1 (modp), ĥ 2 = gŵ2 2 (modp), z = Dec λ(n) ( c) Since (with probability ε) V accepts, it holds that { g z 1 h e 1 = ĥ1(modp) ( ) ( ) ) 1 w1 z (ŵ1 = = g2 z h e 2 = ĥ2(modp) 1 w 2 e ŵ 2

20 Soundness of Compile(Σ eqdlog ) (cont d) Hence, can invert Paillier on 3k-bit modulus in approx. time to compute dlog s modulo k-bit prime Best algorithm to invert Paillier is to first factor n State of the art for both factoring and dlog s is exp((c + o(1))k 1/3 log 2/3 k), where c < 2 Choosing Paillier modulus larger than dlog prime, ε can be made negligible (Complexity Leveraging)

21 The Registered Public-Key Model P (Rtrv, V) F KS Reg V (Reg,Coins) 1.(pub V, priv V ) KS(Coins) 2.Store(V, pub V ) KS: Key Setup Algorithm

22 The Registered Public-Key Model P V (Rtrv, V) F KS Reg (V, pub V ) KS: Key Setup Algorithm

23 The Registered Public-Key Model P (Rtrv, V) pub V V F KS Reg (V, pub V ) KS: Key Setup Algorithm

24 The Registered Public-Key Model (cont d) P (Rtrv, V) pub V F KS Reg (V, pub V ) V (Reg, Coins) 1.(pub V, priv V ) KS(Coins) 2.Store(V, pub V ) V s registration with FReg KS implementable (under standard PKI) via ZK Proof of Knowledge to CA Inefficient for generic key setup algorithm + Can be done efficiently for our Paillier-based compiler

25 Implementing the Key Setup Recall: p = q = 1.5k, n = pq, e [0, 2 k [,c = (1 + n) e r n mod n 2, (pub V,priv V ) ((n,c), (p,e)) High-level protocol between V and CA Step 0: V sends (n, c) to CA Step 1: V proves to CA that n is well-formed Step 2: V proves knowledge of value e hidden within c; and that e lies in specified interval

26 Implementing the Key Setup (cont d) Proving Well-Formedness of Modulus 1. V proves n = p i q j, for p q 3 mod 4, i, j odd ([GrPe87]) 2. To ensure i = j = 1, CA chooses (few) random elements in Z n, and V shows (in ZK) that they have n-th root modn (succeeds w.h.p. if (n, φ(n)) = 1, fails w.h.p. otherwise) Proving knowledge and range-property of e 1. V creates integer commitment Com to e, and proves knowledge of value hidden in Com [DaFu02] 2. V proves membership to range using Boudot s protocol 3. V shows that Com and c hide same value e

27 Auxiliary Σ-Protocol for the Key Setup (c, n, Com, G, H, N) ê r {0, 1} 3k, ŝ r {0,1} 4k ˆr r Z N ĉ = (1 + n)êˆr n mod n 2 ĉ, Com d dcom = GêHŝ mod N ẽ = ê + et s = ŝ + st r = ˆrr t mod n e, r, s P t ẽ, s, r G,H,N are chosen by CA, and V t r {0, 1} k (1 + n)ẽ r n? ĉc t (mod n 2 ) GẽH s? d ComCom t (mod N) e r {0, 1} k,s r {0, 1} 2k,r r Z n c = (1 + n) e r n mod n 2 Com = G e H s mod N

28 Applications Threshold RSA without Random Oracles Non-Interactive Bit-Commitment Scheme Linear NIZK for Circuit Sat. w/o R.O. s

29 Threshold RSA w/o Random Oracles S i S 1 v 1, a 1 v i, a i v l, a l b u D 1. Generate N = pq, p = 2p + 1, q = 2q + 1, with p, q k-bit primes 2. Choose signing/verification exponents (a, b) 3. Split a into l server shares a 1,..., a l 4. Publish random value u Z N along with v i = u a i mod N S l

30 Threshold RSA w/o Random Oracles (cont d) a 1 a i S i v i y i = x a i mod N π i = NIZK{(N, u, v i, x, y i ) L dlmodn } a l S 1 v 1 x y 1, π 1 y i, π i b u x v l y l, π l x S l 1. Send message x to be signed to all servers 2. Upon receiving (y i, π i ) from server S i : - If π i is valid, mark y i valid ; otherwise, mark y i invalid 3. Once (l + 1)/2 valid shares y i s have been collected, reconstruct y and check y b? x (mod N)

31 Threshold RSA w/o Random Oracles (cont d) Σ-protocol for L dlmodn analogous to Σ eqdlog - In particular, it is linear can apply our compiler Cheating server S i does not learn whether client accepted NIZK π i for its signature share y i - Client only uses NIZKs to pick valid shares - So single-theorem soundness is enough

32 Application Non-Int. Bit Commitments Apply OR-Construction to two copies of L eqdlog - Get L 1out2 with statements x = (p, p, g 1, g (0) 2, g(1) 2, h 1, h 2 ) s.t. (p, p, g 1, g (0) 2, h 1, h 2 ) L eqdlog (p, p, g 1, g (1) 2, h 1, h 2 ) L eqdlog Commit to b {0, 1} with stmt. x that uses g (b) 2 - Can prove validity of x with a NIZK that x L 1out2 - Can open x to committed bit via L eqdlog Can also prove relations among committed bits - Further application of OR-Construction

33 Application Circuit Satisfiability Goal: Prove input s.t. circuit C outputs 1 - P knows assignment to input-wires For each gate of C, P includes - NI commitments to the gates input- and output-wires - NIZK proof of consistency of input- and output-wires P also opens commitment to C s global output to 1 Remark: Size of NIZK is O(ks C ) (Linear ZK)

34 Comparison with NIZKs from [BCNP04] Same set-up assumption (Registered PK model) - NIZKs are deniable, as in our case Based on ZAP s + CCA2-encryption UC-secure, but not very efficient No efficient NIZKs for practical languages

35 Comparison with NIZKs of [GOS05] Common Reference String model - Trusted Set-up Assumption - No deniability Uses bilinear maps on hyperelliptic curves of composite order - Subgroup Decision Problem ([BGN05]) NIZK for Circuit Satisfiability as efficient as ours Practical applications? (Cook-Levin reduction) - In particular, not a compiler

36 Thanks!

37 S i S 1 Thanks! Thanks! Thanks! S l