Cryptographic Protocols


1 Cryptographic Protocols
Entity Authentication
Key Agreement
Fiat-Shamir Identification Schemes
Zero-Knowledge Proof Systems
Schnorr's Identification/Signature Scheme
Commitment Schemes
Secret Sharing
Electronic Election

2 Entity Authentication
Problem: Alice wants to prove to Bob that she is Alice and/or vice versa.
Private-key based schemes
Public-key based schemes
Integrated with key agreement
Zero-knowledge identification schemes

3 Challenge-and-response using a private key
Alice and Bob share a secret key $k$.
Protocol (insecure):
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = \mathrm{MAC}_k(r)$.
3. Bob computes $y' = \mathrm{MAC}_k(r)$ and checks if $y = y'$.
Or:
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = E_k(r)$.
3. Bob checks if $D_k(y) = r$.

4 Parallel session attack
(Figure.) Eve, posing as Alice, receives Bob's challenge $r$, sends the same $r$ to Bob as the challenge of a parallel session, obtains Bob's answer $y = \mathrm{MAC}_k(r)$, and returns that $y$ to Bob in the first session.

5 Countermeasure
(Figure.) In the parallel session Bob now answers $y = \mathrm{MAC}_k(r \| \mathrm{Bob})$, which is not the $y = \mathrm{MAC}_k(r \| \mathrm{Alice})$ that Eve needs in the first session.

6 Challenge-and-response using a private key
Alice and Bob share a secret key $k$.
Protocol (secure):
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = \mathrm{MAC}_k(\mathrm{ID(Alice)} \| r)$.
3. Bob computes $y' = \mathrm{MAC}_k(\mathrm{ID(Alice)} \| r)$ and checks if $y = y'$.
Or:
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = E_k(\mathrm{ID(Alice)} \| r)$.
3. Bob checks if $D_k(y) = \mathrm{ID(Alice)} \| r$.

7 Mutual authentication using a private key
Alice and Bob share a secret key $k$.
Protocol (insecure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{MAC}_k(\mathrm{ID(Alice)} \| r_1)$ and $r_2$.
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID(Bob)} \| r_2)$.
4. Alice and Bob verify each other's response.

8 Man-in-the-middle attack
(Figure.) Eve sends $r_1$ to Alice; Alice answers $\mathrm{MAC}_k(A \| r_1)$, $r_2$; Eve sends $r_2$ to Bob as the challenge of a second session; Bob answers $\mathrm{MAC}_k(B \| r_2)$, $r_3$; Eve forwards $\mathrm{MAC}_k(B \| r_2)$ to Alice as Bob's response in the first session.

9 Countermeasure
(Figure.) Alice answers $\mathrm{MAC}_k(A \| r_1 \| r_2)$, $r_2$; challenged with $r_2$ in the second session, Bob answers $\mathrm{MAC}_k(B \| r_2 \| r_3)$, $r_3$, which is not the response Alice expects from Bob in the first session.

10 Mutual authentication using a private key
Alice and Bob share a secret key $k$.
Protocol (secure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{MAC}_k(\mathrm{ID(Alice)} \| r_1 \| r_2)$ and $r_2$.
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID(Bob)} \| r_2)$.
4. Alice and Bob verify each other's response.
Alternatively:
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID(Bob)} \| r_2 \| r_1)$.
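As an added example (not code from the slides), the single-direction challenge-response of slides 3 and 6 with MAC realised as HMAC-SHA256, and a replay of slide 4's parallel session against each variant: the insecure one accepts Bob's own response, the ID-bound one rejects it. The key and identity strings are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by Alice and Bob (not a real secret).
K = b"demo-shared-key"


def mac(key: bytes, data: bytes) -> bytes:
    """MAC_k(data), realised here as HMAC-SHA256 (the slides leave MAC abstract)."""
    return hmac.new(key, data, hashlib.sha256).digest()


# Insecure variant (slide 3): the response depends on the challenge alone.
def respond_insecure(key: bytes, r: bytes) -> bytes:
    return mac(key, r)


def verify_insecure(key: bytes, r: bytes, y: bytes) -> bool:
    return hmac.compare_digest(mac(key, r), y)


# Secure variant (slide 6): the responder's identity is bound into the MAC.
def respond_secure(key: bytes, responder_id: bytes, r: bytes) -> bytes:
    return mac(key, responder_id + b"|" + r)       # MAC_k(ID || r)


def verify_secure(key: bytes, claimed_id: bytes, r: bytes, y: bytes) -> bool:
    return hmac.compare_digest(mac(key, claimed_id + b"|" + r), y)


def honest_run(secure: bool) -> bool:
    """Bob challenges Alice with a fresh r; Alice answers; Bob checks."""
    r = os.urandom(16)
    if secure:
        return verify_secure(K, b"Alice", r, respond_secure(K, b"Alice", r))
    return verify_insecure(K, r, respond_insecure(K, r))


def reflected_response_accepted(secure: bool) -> bool:
    """Slide 4's parallel session: Bob's challenge r to 'Alice' is sent back to
    Bob as the challenge of a second session, and Bob's own answer to it is
    returned in the first session. Returns whether Bob accepts it as Alice's."""
    r = os.urandom(16)
    if secure:
        y_from_bob = respond_secure(K, b"Bob", r)         # Bob answers session 2 as Bob
        return verify_secure(K, b"Alice", r, y_from_bob)   # session 1 expects Alice's MAC
    y_from_bob = respond_insecure(K, r)
    return verify_insecure(K, r, y_from_bob)
```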

11 Public-key mutual authentication
Protocol (secure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{Sign}_{sk(\mathrm{Alice})}(\mathrm{ID(Bob)} \| r_1 \| r_2)$ and $r_2$.
3. Bob → Alice: $y_2 = \mathrm{Sign}_{sk(\mathrm{Bob})}(\mathrm{ID(Alice)} \| r_2)$.
4. Alice and Bob verify each other's response.
Alternatively:
3. Bob → Alice: $y_2 = \mathrm{Sign}_{sk(\mathrm{Bob})}(\mathrm{ID(Alice)} \| r_2 \| r_1)$.

12 Key Agreement/Distribution

13 Two levels of keys
Master (long-lived) keys: used for entity authentication and session key agreement/distribution.
Session keys: (symmetric) keys used only for a session.
Reasons for using session keys:
1. Limiting the amount of ciphertext available to attackers.
2. Limiting the damage to only a session in case of session key compromise.
3. Symmetric encryption is faster.

14 Key establishment
Key distribution: an online TA (trusted authority) chooses session keys and distributes them to users via a key distribution protocol.
Key agreement: two parties agree on a session key via a key agreement protocol without involving a TA.

15 Diffie-Hellman key agreement
Alice and Bob wish to agree on a secret key.
1. Alice and Bob agree on a large prime $p$ and a primitive root $\alpha \in Z_p^*$ such that $p - 1$ has a large prime factor.
2. Alice → Bob: $\alpha^a \bmod p$, where $a \in_R Z_{p-1}$.
3. Bob → Alice: $\alpha^b \bmod p$, where $b \in_R Z_{p-1}$.
4. They agree on the key $\alpha^{ab} \bmod p$.
Security: provides protection against eavesdroppers. Insecure against active adversaries. Problem: lack of authentication.

16 Public-key mutual authentication
Protocol:
1. Alice → Bob: a random challenge $r_1$.
2. Bob → Alice: $y_1 = \mathrm{Sign}_{sk(\mathrm{Bob})}(\mathrm{ID(Bob)} \| r_1 \| r_2)$ and $r_2$.
3. Alice → Bob: $y_2 = \mathrm{Sign}_{sk(\mathrm{Alice})}(\mathrm{ID(Alice)} \| r_2)$.
4. Alice and Bob verify each other's response.
Combine Diffie-Hellman with the above protocol: Alice uses $\alpha^a$ for $r_1$; Bob uses $\alpha^b$ for $r_2$.

17 Station-to-station protocol
Alice and Bob each have a signature key pair.
Protocol:
0. A and B agree on $p$ and $\alpha \in Z_p^*$ as in DH key agreement.
1. A → B: $r_1 = \alpha^a$, where $a \in_R Z_{p-1}$.
2. B → A: $r_2 = \alpha^b$, $y_1 = \mathrm{Sign}_{s_B}(B \| r_2 \| r_1)$, where $b \in_R Z_{p-1}$.
3. A → B: $y_2 = \mathrm{Sign}_{s_A}(A \| r_1 \| r_2)$.
4. If all verifications pass, use $k = \alpha^{ab}$ as the session key.
Remark: signatures may be further encrypted with $k$.

18 Public-key based authenticated key agreement
Alice and Bob each have an encryption and a signature key pair.
Protocol:
1. A → B: a random challenge $r_1$.
2. B → A: $y_1 = \mathrm{Sign}_{s_B}(A \| r_1 \| r_2 \| c)$, $r_2$, $c = E_{e_A}(k)$, where $k$ is a chosen session key.
3. A → B: $y_2 = \mathrm{Sign}_{s_A}(B \| r_2)$.
4. Alice and Bob verify each other's response. If all verifications pass, $c$ is decrypted to obtain $k$. They now can use $k$ as the session key.
Security: this protocol provides no forward secrecy.

19 Forward secrecy
Suppose Eve records all (encrypted) messages exchanged between Alice and Bob during a session. If later Eve gets Alice's decryption key $d_A$, she will be able to decrypt $c$ to get the session key $k$.
A session-key exchange scheme is said to provide forward secrecy if it resists this kind of attack (i.e., session keys are secure even if master keys are compromised).
Station-to-station provides forward secrecy.

20 Identification Schemes based on zero-knowledge interactive proof systems

21 Interactive proof system
There is a secret, say $x$, known only to its owner, Peggy. The prover, Peggy, wishes to convince the verifier that she knows the secret, thereby proving her identity. The verifier, Vic, verifies if the prover knows the secret.
Basic requirements (w/o adversaries):
Completeness: Peggy, who knows the secret, always succeeds in convincing Vic.
Soundness: Anyone who doesn't know the secret can only succeed in convincing Vic with small probability.
Desired property: zero-knowledge.

22 Password Scheme
Secret: Peggy's password.
Protocol: Peggy sends her username and password to Vic. Vic accepts Peggy's identity if the submitted password equals the stored password.
Comments: complete and sound; not zero-knowledge (Peggy reveals some information that may be used later by the adversary).

23 Scheme based on public-key encryption
Secret: Peggy has a secret key $sk$ and public key $pk$.
Protocol:
1. Vic → Peggy: $c = E_{pk}(m)$, $m$ randomly chosen.
2. Peggy → Vic: $m' = D_{sk}(c)$.
3. Vic accepts Peggy's identity iff $m = m'$.
Comments: Complete and sound. Problem: if Vic is not honest and has a ciphertext $c$ of Peggy's, he can have $c$ decrypted (by Peggy). This scheme is not zero-knowledge.

24 Zero-Knowledge
The schemes based on passwords and encryption are not zero-knowledge; the prover reveals some knowledge to the verifier or eavesdropper.
We are interested in a proof system in which the prover proves her knowledge of some secret without revealing anything about that secret.
We will formalize the notion of zero-knowledge. But first let us look at a proof system which will be proved to be zero-knowledge.

25 Fiat-Shamir identification scheme (ideas)
Parameters: $n = pq$, $y = x^2 \bmod n$; computations done in $Z_n^*$.
Keys: public $(n, y)$; secret $x$ known to Peggy only.
First attempt:
1. Peggy chooses a random $r \in Z_n^*$, and sends $(a, b) = (r^2, rx)$ to Vic.
2. Vic accepts Peggy's identity iff $b^2 = ay$.
Comments: The scheme is complete. Not sound: Eve can impersonate Peggy by sending $(a, b) = (b^2 y^{-1}, b)$, where $b \in_R Z_n^*$.

26 Basic idea: Let $f$ be a homomorphic one-way function.
(Diagram: $x \mapsto y = f(x)$; $r \mapsto a := f(r)$; $b \mapsto f(b)$.)
Peggy sends $(a, b)$, and Vic checks if $f(b) = ay$. Peggy is supposed to choose $a := f(r)$ and $b := xr$. Eve can cheat by not following this rule.
Countermeasure: with probability 1/2, ask Peggy to reveal $r$.

27 Fiat-Shamir identification scheme (simplified)
Parameters: $n = pq$, $y = x^2 \bmod n$; computations done in $Z_n^*$.
Keys: public $(n, y)$, secret $x$.
Protocol:
1. Peggy → Vic: $a = r^2$, with $r \in Z_n^*$ randomly chosen.
2. Vic → Peggy: $e \in \{0, 1\}$, randomly chosen.
3. Peggy → Vic: $b = r x^e$ (i.e., $r$ if $e = 0$, and $rx$ if $e = 1$).
4. Vic accepts Peggy's identity if $b^2 = a y^e$.
Comments: Step 1 is a commitment; step 2 a challenge; step 3 a response.

28 Completeness: obvious.
Soundness: Without knowing $x$, Eve can only successfully impersonate Peggy with probability $1/2 + \mathrm{negl}(n)$. To cheat with probability non-negligibly better than 1/2, Eve has to choose $a$ in a way such that with non-negligible probability she can answer both challenges $e = 0$ and $e = 1$. That is, with prob non-negl$(n)$ Eve can come up with a value $a$ and two values $b_1$ and $b_2$ such that $b_1^2 = a$ and $b_2^2 = ay$. Thus, with prob non-negl$(n)$, Eve can compute $\sqrt{y} = b_2 b_1^{-1} \bmod n$. Computing $\sqrt{y} \bmod n$ is intractable.

29 Eve can cheat with probability 1/2. (Idea: Eve guesses $e$ and prepares $(a, b)$ accordingly.)
1. Eve → Vic: $a = b^2 y^{-e'}$, where $b \in_R Z_n^*$, $e' \in_R \{0, 1\}$.
2. Vic → Eve: $e \in \{0, 1\}$, randomly chosen.
3. Eve → Vic: $b$.
4. Vic accepts Peggy's identity iff $b^2 = a y^e$. (Eve succeeds in cheating iff $e = e'$.)

30 Q: Is it possible to cheat with probability $p$ with $1/2 < p - \mathrm{negl}(n)$?
If the protocol is run $t$ times, Eve's probability of cheating will be reduced to $2^{-t} + \mathrm{negl}(n)$.
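An added example (not code from the slides) of the simplified scheme of slides 27 to 30 on a constructed toy modulus: an honest run, the guess-based prover of slide 29 whose success rate is 1/2 per round and falls to about $2^{-t}$ over $t$ rounds, and the extraction step of slide 28 that turns two accepting responses for one commitment into a square root of $y$. Real deployments use a modulus of around 2048 bits.

```python
import math
import random
from typing import Tuple

# Constructed toy modulus n = p*q (far too small for real use).
P, Q = 1009, 1013
N = P * Q


def rand_unit(n: int) -> int:
    """Uniform element of Z_n^*."""
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            return r


def keygen(n: int) -> Tuple[int, int]:
    x = rand_unit(n)
    return x, pow(x, 2, n)                  # secret x, public y = x^2 mod n


# One round of the simplified scheme (slide 27).
def prover_commit(n: int) -> Tuple[int, int]:
    r = rand_unit(n)
    return r, pow(r, 2, n)                  # keep r, send a = r^2


def prover_respond(n: int, x: int, r: int, e: int) -> int:
    return r * pow(x, e, n) % n             # b = r * x^e


def verify(n: int, y: int, a: int, e: int, b: int) -> bool:
    return pow(b, 2, n) == a * pow(y, e, n) % n    # b^2 == a * y^e


def honest_run(n: int, y: int, x: int, rounds: int) -> bool:
    for _ in range(rounds):
        r, a = prover_commit(n)
        e = random.randrange(2)
        if not verify(n, y, a, e, prover_respond(n, x, r, e)):
            return False
    return True


# Slide 29: a prover without x guesses e' and prepares (a, b) so that the
# check passes exactly when the real challenge equals the guess.
def guessing_prover(n: int, y: int) -> Tuple[int, int, int]:
    e_guess = random.randrange(2)
    b = rand_unit(n)
    a = pow(b, 2, n) * pow(y, -e_guess, n) % n     # a = b^2 * y^(-e')
    return e_guess, a, b


def guessing_success_rate(n: int, y: int, rounds: int, trials: int) -> float:
    """Fraction of trials in which the guessing prover passes all rounds."""
    wins = 0
    for _ in range(trials):
        passed = True
        for _ in range(rounds):
            _, a, b = guessing_prover(n, y)
            if not verify(n, y, a, random.randrange(2), b):
                passed = False
                break
        wins += passed
    return wins / trials


# Slide 28: answers b1 (for e = 0) and b2 (for e = 1) to the same a give
# b2 * b1^-1 = x, a square root of y modulo n.
def extract_root(n: int, b1: int, b2: int) -> int:
    return b2 * pow(b1, -1, n) % n
```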

31 General Fiat-Shamir scheme (ideas)
(Figure.) Do this $t$ times in parallel: commitments $a_1 := r_1^2, \ldots, a_t := r_t^2$; challenges $e_1, \ldots, e_t$; responses $b_1 := r_1 x_1^{e_1}, \ldots, b_t := r_t x_t^{e_t}$; checks $b_1^2 = a_1 y_1^{e_1}, \ldots, b_t^2 = a_t y_t^{e_t}$.
Or combine the $t$ runs into one: $a := r^2$; challenge $(e_1, \ldots, e_t)$; $b := r x_1^{e_1} \cdots x_t^{e_t}$; check $b^2 = a y_1^{e_1} \cdots y_t^{e_t}$.

32 General Fiat-Shamir identification scheme
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$, $y_i = x_i^2 \pmod n$.
Secret key: $(x_1, \ldots, x_t)$, where $x_i \in Z_n^*$.
Protocol: Repeat the following $k$ times:
1. Peggy → Vic: $a = r^2$, $r \in Z_n^*$ randomly chosen.
2. Vic → Peggy: $e = (e_1, \ldots, e_t) \in \{0, 1\}^t$, randomly chosen.
3. Peggy → Vic: $b = r x_1^{e_1} \cdots x_t^{e_t}$.
4. Vic rejects if $b^2 \neq a y_1^{e_1} \cdots y_t^{e_t}$.

33 Remarks:
Eve can succeed in cheating if she guesses $(e_1, \ldots, e_t)$ correctly in each of the $k$ iterations: $\Pr = 2^{-kt}$.
Same level of security for various $k, t$ if $kt$ = constant.
Still zero-knowledge for $t = O(\log_2 n)$ and $k = O(n)$. If $t, k$ are too large, the simulator will no longer be polynomial in expected running time.
Number of exchanged bits: $k(2|n| + t)$. Number of multiplications: $2k(t + 1)$. Size of prover's secret: $t|n|$.

34 We can always convert an interactive proof system into a digital signature scheme.
(Commitment $a := r^2$; challenge $e$; response $b := r x^e$; check $b^2 = a y^e$.)
1. Compute $a, e, b$ in that order.
2. Involve $m$ in $e$, and use $(e, b)$ as the signature: $e = \mathrm{hash}(m, a)$; signature$(m) = (a, e, b)$ or just $(e, b)$.

35 Fiat-Shamir signature scheme ($k = 1$)
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$, $y_i = x_i^2 \pmod n$. Secret key: $(x_1, \ldots, x_t)$, where $x_i \in Z_n^*$.
Hash function: $h : \{0,1\}^* \to \{0,1\}^t$.
$\mathrm{Sign}_{sk}(m) = (e, b)$:
1. choose $r \in Z_n^*$ at random; let $a := r^2$.
2. compute $e := h(m \| a) = (e_1, \ldots, e_t)$.
3. compute $b := r x_1^{e_1} \cdots x_t^{e_t}$.
$\mathrm{Verify}_{pk}(m, e, b)$: compute $a := b^2 y_1^{-e_1} \cdots y_t^{-e_t}$, and accept iff $e = h(m \| a)$.

36 Remarks: A straightforward but less interesting alternative is to include $a$ in the signature, i.e., $\mathrm{Sign}_{sk}(m) := (a, e, b)$, and verify the signature by checking if $e = h(m \| a)$ and $a = b^2 y_1^{-e_1} \cdots y_t^{-e_t}$.
What if we compute $e := h(m)$ without $a$?

37 Fiat-Shamir signature scheme
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$, $y_i = x_i^2 \pmod n$. Secret key: $(x_1, \ldots, x_t)$, where $x_i \in Z_n^*$.
Hash function: $h : \{0,1\}^* \to \{0,1\}^{kt}$.
$\mathrm{Sign}_{sk}(m) = (e, b)$:
1. choose $r_1, \ldots, r_k \in Z_n^*$ at random; let $a_i = r_i^2$, $1 \le i \le k$.
2. compute $e = h(m \| a_1 \| \cdots \| a_k) = (e_{ij})$.
3. compute $b = (b_1, \ldots, b_k)$, with $b_i = r_i x_1^{e_{i1}} \cdots x_t^{e_{it}}$, $1 \le i \le k$.
$\mathrm{Verify}_{pk}(m, e, b)$: compute $a_i = b_i^2 y_1^{-e_{i1}} \cdots y_t^{-e_{it}}$, $1 \le i \le k$, and accept iff $e = h(m \| a_1 \| \cdots \| a_k)$.
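An added example (not code from the slides) of the $k$-round, $t$-secret signature scheme of slide 37, with SHA-256 standing in for $h$ and its first $kt$ bits read as the matrix $(e_{ij})$. The modulus and the choice $k = t = 8$ are constructed for the demo; the verifier recomputes each $a_i$ from $b_i$ exactly as the slide prescribes.

```python
import hashlib
import math
import random
from typing import List, Tuple

# Constructed toy parameters; a real deployment uses a ~2048-bit n.
P, Q = 1009, 1013
N = P * Q
T, K = 8, 8                                   # t secrets, k parallel rounds (kt = 64 bits)


def rand_unit(n: int) -> int:
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            return r


def keygen(n: int, t: int) -> Tuple[List[int], List[int]]:
    xs = [rand_unit(n) for _ in range(t)]
    ys = [pow(x, 2, n) for x in xs]           # y_j = x_j^2 mod n
    return xs, ys                             # secret key, public key


def challenge_bits(m: bytes, commitments: List[int], k: int, t: int) -> List[List[int]]:
    """e = h(m || a_1 || ... || a_k) read as a k x t bit matrix (SHA-256 as h; kt <= 256)."""
    data = m + b"".join(a.to_bytes(8, "big") for a in commitments)   # 8 bytes cover the toy n
    digest = hashlib.sha256(data).digest()
    bits = [(digest[i // 8] >> (i % 8)) & 1 for i in range(k * t)]
    return [bits[i * t:(i + 1) * t] for i in range(k)]


def sign(n: int, xs: List[int], m: bytes, k: int) -> Tuple[List[List[int]], List[int]]:
    t = len(xs)
    rs = [rand_unit(n) for _ in range(k)]
    a = [pow(r, 2, n) for r in rs]            # a_i = r_i^2
    e = challenge_bits(m, a, k, t)
    b = []
    for i in range(k):                        # b_i = r_i * prod_j x_j^{e_ij}
        bi = rs[i]
        for j in range(t):
            if e[i][j]:
                bi = bi * xs[j] % n
        b.append(bi)
    return e, b


def verify(n: int, ys: List[int], m: bytes, e: List[List[int]], b: List[int]) -> bool:
    k, t = len(b), len(ys)
    a = []
    for i in range(k):                        # a_i = b_i^2 * prod_j y_j^{-e_ij}
        ai = pow(b[i], 2, n)
        for j in range(t):
            if e[i][j]:
                ai = ai * pow(ys[j], -1, n) % n
        a.append(ai)
    return challenge_bits(m, a, k, t) == e    # accept iff e = h(m || a_1 || ... || a_k)
```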

38 Zero-Knowledge Proof Systems

39 Zero knowledge
An interactive proof system consists of two algorithms $(P, V)$.
Informally, $(P, V)$ is zero-knowledge if anything that can be efficiently computed after interacting with $P$ can also be efficiently computed without interacting with $P$.
Q: How to formally formulate this notion of zero-knowledge?
$P$, $V$, $V^*$: honest prover, honest verifier, any verifier $V^*$ (honest or dishonest).
Common input: some public object $y$. Peggy the prover wishes to prove that she knows some secret $x$ about $y$.

40 Messages from $P$ to $V^*$: $m_1, m_3, \ldots$ Messages from $V^*$ to $P$: $m_2, m_4, \ldots$
Transcript of the joint computation of $P$ and $V^*$ on input $y$: $\mathrm{tr}_{P,V^*}(y) = (m_1, m_2, \ldots, m_n)$.
A transcript is a random variable, depending on the random bits chosen by $P$ and $V^*$ during their executions.
Accepting transcript: if $V^*$ accepts after the last move.
If the proof system is complete and $P$ does know the secret, then $\mathrm{tr}_{P,V^*}(y)$ is an accepting transcript.

41 Definition of (perfect) zero-knowledge
An interactive proof system $(P, V)$ is zero-knowledge if there is a probabilistic simulator $S(V^*, y)$ such that
1. $S$ runs in expected polynomial time;
2. for every verifier $V^*$ (honest or not) and input $y$, $S$ always generates an accepting transcript $t_{S(V^*, y)} = (m'_1, m'_2, \ldots, m'_n)$;
3. the two random variables, the accepting transcript $\mathrm{tr}_{P,V^*}(y) = (m_1, m_2, \ldots, m_n)$ and $t_{S(V^*, y)}$, have the same distribution.
(Assumption: the proof system is complete and sound and $P$ is honest.)

42 Remarks
A simulator $S$ is an algorithm. Its input is a (public) object $y$ and a subroutine $V^*$. $S$ simulates the communications between $P$ and $V^*$ without interacting with $P$.
Since $S$ does not interact with $P$, it obtains zero knowledge from $P$. Any information $V^*$ may acquire by interacting with $P$, he can acquire from $S$ without interacting with $P$. Thus, $P$ does not reveal any knowledge about her secret by interacting with $V^*$.
Zero-knowledge is a property of $P$ (honest).

43 Simplified Fiat-Shamir is zero-knowledge
For $y$ and $V^*$, the set of accepting transcripts: $T = \{(a, e, b) \in QR_n \times \{0,1\} \times Z_n^* : b^2 = a y^e\}$.
Simulator $S(V^*, y)$:
1. while 1 do
2.   select $e' \in \{0, 1\}$, $b' \in Z_n^*$ uniformly at random
3.   $a' \leftarrow b'^2 y^{-e'}$
4.   $e \leftarrow V^*(a')$
5.   if $e = e'$ then return $(a', e', b')$

44 Expected running time of $S(V^*, y)$: polynomial.
$\Pr(e = e') = 1/2$ regardless of how $V^*$ generates $e$. Let $p = \Pr(e = 0)$. Since $a'$ is uniform over $QR_n$ whatever $e'$ is, $e = V^*(a')$ is independent of $e'$, so $\Pr(e = e') = \Pr(e = 0 \wedge e' = 0) + \Pr(e = 1 \wedge e' = 1) = p/2 + (1 - p)/2 = 1/2$.
Each iteration succeeds with prob 1/2. Expected number of iterations for $S(V^*, y)$ to generate an accepting transcript: 2.
What's the worst case running time?

45 $(a, e, b) \in T$ and $(a', e', b')$ have the same distribution:
1. $a$ and $a'$ are both uniformly distributed over $QR_n$. ($a = r^2$, $r \in_R Z_n^*$. $a' = b'^2 y^{-e'}$, $e' \in_R \{0,1\}$, $b' \in_R Z_n^*$.)
2. $e$ and $e'$ are distributed according to $V^*(a, y)$. ($\Pr(e' = \varepsilon \mid e = e') = \Pr(e' = \varepsilon)\Pr(e = \varepsilon) / \Pr(e = e') = \Pr(e = \varepsilon)$.)
3. $b$ and $b'$ are uniformly distributed over $Z_n^*$. ($b = r x^e$, $r \in_R Z_n^*$, $e \in_R \{0,1\}$. $b' \in_R Z_n^*$.)
4. $b'$ depends on $a', e'$ the same way as $b$ depends on $a, e$. ($b^2 = a y^e$. $b'^2 = a' y^{e'}$.)
5. $a$ and $e$ are independent; so are $a'$ and $e'$.

46 Schnorr's Identification Scheme
Another example of a zero-knowledge interactive proof system, involving proof of knowledge of a discrete logarithm.

47 Schnorr's identification scheme
System setup: $p, q$ large primes, with $q \mid p - 1$; $G_q$ the unique subgroup of order $q$ of $Z_p^*$; $g$ any generator of $G_q$; $y = g^x$ for some $x \in_R Z_q$ known only to Peggy.
Problem: Peggy wishes to prove that she knows $x$.
Protocol:
1. Peggy → Vic: $a = g^r$, where $r \in_R Z_q$. (commitment)
2. Vic → Peggy: $c \in_R Z_q$. (challenge)
3. Peggy → Vic: $b = r - cx$. (response)
4. Vic accepts iff $a = g^b y^c$.

48 Remarks:
Completeness: trivial.
Soundness: Eve can cheat with $\Pr = 1/q$ by guessing a $c'$, committing $a := g^r y^{c'}$, and responding with $b := r$. Eve cannot cheat with probability non-negligibly $> 1/q$. Otherwise, with non-negligible probability she can choose an $a$ for which she can compute $b$ and $b'$ and successfully answer two distinct challenges $c$ and $c'$: $a = g^b y^c$ and $a = g^{b'} y^{c'}$, from which she can compute $\log_g y = (b - b')(c' - c)^{-1}$.

49 Honest verifier zero-knowledge:
Accepting transcripts: $\{(a, c, b) : a = g^b y^c\}$.
$a = g^r \in G_q$ is uniformly distributed. $c \in_R Z_q$, generated by an honest $V$, is uniformly distributed. $b = r - cx \in Z_q$ is uniformly distributed. $b$ depends on $a$ and $c$ by $a = g^b y^c$.
Simulator$(g, y, V)$:
1. select $b' \in Z_q$ uniformly;
2. select $c' \in Z_q$ uniformly;
3. let $a' := g^{b'} y^{c'}$, and return $(a', c', b')$.
$(a', c', b')$ has the same distribution as $(a, c, b)$.

50 Remarks: Suppose the verifier, say $V^*$, is not honest and chooses $c$ non-uniformly.
Q: does the following simulator serve to prove Schnorr's scheme zero-knowledge?
Simulator$(g, y, V^*)$:
1. select $b' \in_R Z_q$ uniformly;
2. select $c'$ according to $V^*$'s strategy;
3. let $a' := g^{b'} y^{c'}$, and return $(a', c', b')$.

51 Schnorr's signature scheme: Log-Sign$(m, g, y)$
Use Fiat-Shamir's standard method to convert an interactive identification scheme into a signature scheme.
Idea: use a hash function $h : \{0,1\}^* \to Z_q$ to compute a challenge $c$ from the commitment $a$ and the message $m$.
To sign message $m$:
1. Compute $a := g^r$, where $r \in_R Z_q$.
2. Compute $c := h(m \| a)$.
3. Compute $b := r - cx$.
4. $\mathrm{Sign}(m) := (c, b)$.
5. $\mathrm{Verify}(m, c, b) = $ true iff $c = h(m \| g^b y^c)$.
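An added example (not code from the slides) covering slides 47, 49 and 51: Schnorr identification in a constructed toy group $p = 2q + 1$, the honest-verifier simulator that picks $b'$ and $c'$ first and solves for $a'$, and the signature obtained by replacing the challenge with $h(m \| a)$, here SHA-256 reduced mod $q$. The group parameters and the hash encoding are assumptions for the demo.

```python
import hashlib
import random
from typing import Tuple

# Constructed toy group: p = 2q + 1 with q prime; G_q = <g> has order q in Z_p^*.
P, Q = 2039, 1019
G = 4                                   # 4 = 2^2 is a square in Z_p^*, hence of order q


def keygen() -> Tuple[int, int]:
    x = random.randrange(1, Q)
    return x, pow(G, x, P)              # secret x, public y = g^x


# Interactive identification (slide 47).
def commit() -> Tuple[int, int]:
    r = random.randrange(Q)
    return r, pow(G, r, P)              # keep r, send a = g^r


def respond(x: int, r: int, c: int) -> int:
    return (r - c * x) % Q              # b = r - c x (mod q)


def verify_transcript(y: int, a: int, c: int, b: int) -> bool:
    return a == pow(G, b, P) * pow(y, c, P) % P    # a == g^b y^c


def identification_run(x: int, y: int) -> bool:
    r, a = commit()
    c = random.randrange(Q)             # honest verifier: uniform challenge
    return verify_transcript(y, a, c, respond(x, r, c))


# Honest-verifier simulator (slide 49): no x needed, yet the output is an
# accepting transcript with the same distribution as a real one.
def simulate(y: int) -> Tuple[int, int, int]:
    b = random.randrange(Q)
    c = random.randrange(Q)
    a = pow(G, b, P) * pow(y, c, P) % P
    return a, c, b


# Signature via the Fiat-Shamir transform (slide 51): c = h(m || a) mod q.
def hash_to_zq(m: bytes, a: int) -> int:
    digest = hashlib.sha256(m + a.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x: int, m: bytes) -> Tuple[int, int]:
    r, a = commit()
    c = hash_to_zq(m, a)
    return c, respond(x, r, c)          # signature (c, b)


def verify_signature(y: int, m: bytes, c: int, b: int) -> bool:
    a = pow(G, b, P) * pow(y, c, P) % P
    return c == hash_to_zq(m, a)        # accept iff c = h(m || g^b y^c)
```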

52 Proving Equality of Logarithms (an extension of Schnorr's identification scheme)
Problem: Given $g, h, y, z$, Peggy wishes to prove $\log_g y = \log_h z$ $(= x)$.
Protocol:
1. Peggy → Vic: $(a, b) = (g^r, h^r)$, where $r \in_R Z_q$.
2. Vic → Peggy: $c \in Z_q$, uniformly chosen at random.
3. Peggy → Vic: $d = r - cx$.
4. Vic accepts iff $a = g^d y^c$ and $b = h^d z^c$.

53 Non-interactive Version
Fiat-Shamir method: use a collision-resistant hash function $\mathrm{hash} : \{0,1\}^* \to Z_q$ to post the challenge.
Protocol:
1. Let $(a, b) = (g^r, h^r)$, with $r \in_R Z_q$.
2. Let $c = \mathrm{hash}(g \| h \| y \| z \| a \| b)$.
3. Let $d = r - cx \pmod q$.
4. Accept iff $c = \mathrm{hash}(g \| h \| y \| z \| g^d y^c \| h^d z^c)$.
Note: this protocol will be used in electronic voting.

54 Proving Partial Equality of Logarithms
Problem: Given $g, h, y_1, y_2, z_1, z_2$, Peggy wishes to prove either $\log_g y_1 = \log_h z_1$ $(= x)$ or $\log_g y_2 = \log_h z_2$ $(= x)$, but not both, without revealing which one she proves.
Note: this protocol will be used in electronic voting.

55 Proving partial equality of logarithms (protocol)
Case 1: Peggy knows $x$ with $\log_g y_1 = \log_h z_1 = x$. Choose $w, r_2, d_2 \in_R Z_q$ and set $a_1 := g^w$, $b_1 := h^w$, $a_2 := g^{r_2} y_2^{d_2}$, $b_2 := h^{r_2} z_2^{d_2}$.
Case 2: Peggy knows $x$ with $\log_g y_2 = \log_h z_2 = x$. Choose $w, r_1, d_1 \in_R Z_q$ and set $a_1 := g^{r_1} y_1^{d_1}$, $b_1 := h^{r_1} z_1^{d_1}$, $a_2 := g^w$, $b_2 := h^w$.
1. Peggy → Vic: $a_1, b_1, a_2, b_2$.
2. Vic → Peggy: $c \in_R Z_q$.
3. Peggy → Vic: $d_1, d_2, r_1, r_2$, where in case 1 $d_1 := c - d_2$ and $r_1 := w - x d_1$, and in case 2 $d_2 := c - d_1$ and $r_2 := w - x d_2$.
4. Vic accepts iff $c = d_1 + d_2$, $a_1 = g^{r_1} y_1^{d_1}$, $b_1 = h^{r_1} z_1^{d_1}$, $a_2 = g^{r_2} y_2^{d_2}$ and $b_2 = h^{r_2} z_2^{d_2}$.

56 Easier to understand this one.
Problem: Peggy proves that she knows $\log_g y_1$ or $\log_g y_2$.
Case 1: Peggy knows $x = \log_g y_1$. Choose $w, r_2, d_2 \in_R Z_q$; $a_1 := g^w$, $a_2 := g^{r_2} y_2^{d_2}$.
Case 2: Peggy knows $x = \log_g y_2$. Choose $w, r_1, d_1 \in_R Z_q$; $a_1 := g^{r_1} y_1^{d_1}$, $a_2 := g^w$.
1. Peggy → Vic: $a_1, a_2$.
2. Vic → Peggy: $c \in_R Z_q$.
3. Peggy → Vic: $d_1, d_2, r_1, r_2$, where in case 1 $d_1 := c - d_2$ and $r_1 := w - x d_1$, and in case 2 $d_2 := c - d_1$ and $r_2 := w - x d_2$.
4. Vic accepts iff $c = d_1 + d_2$, $a_1 = g^{r_1} y_1^{d_1}$ and $a_2 = g^{r_2} y_2^{d_2}$.
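An added example (not code from the slides) of the partial-equality proof of slides 54 and 55 made non-interactive with the hash of slide 53: the known branch is proved with a real commitment, the other branch is simulated by choosing its $d$ and $r$ first, and the hash fixes $c = d_1 + d_2$. The group, the second generator $h$ and the hash encoding are constructed for the demo.

```python
import hashlib
import random
from typing import Tuple

P, Q = 2039, 1019                # constructed toy group, p = 2q + 1, G_q of order q
G = 4                            # generator of G_q
H = pow(7, 2, P)                 # second generator of G_q; log_g h is not known to anyone here

Proof = Tuple[int, int, int, int, int, int, int, int]   # (a1, b1, a2, b2, d1, d2, r1, r2)


def hash_to_zq(*values: int) -> int:
    """c = hash(g || h || y1 || z1 || y2 || z2 || a1 || b1 || a2 || b2) mod q (slide 53)."""
    data = b"".join(v.to_bytes(4, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_or(y1: int, z1: int, y2: int, z2: int, x: int, which: int) -> Proof:
    """Prove log_g y_k = log_h z_k (= x) for k = which in {1, 2} without revealing k."""
    w = random.randrange(Q)                      # randomness of the real branch
    d_sim = random.randrange(Q)                  # challenge share of the simulated branch
    r_sim = random.randrange(Q)                  # response of the simulated branch
    if which == 1:
        a1, b1 = pow(G, w, P), pow(H, w, P)                    # real: (g^w, h^w)
        a2 = pow(G, r_sim, P) * pow(y2, d_sim, P) % P          # simulated: g^r2 y2^d2
        b2 = pow(H, r_sim, P) * pow(z2, d_sim, P) % P          #            h^r2 z2^d2
    else:
        a2, b2 = pow(G, w, P), pow(H, w, P)
        a1 = pow(G, r_sim, P) * pow(y1, d_sim, P) % P
        b1 = pow(H, r_sim, P) * pow(z1, d_sim, P) % P
    c = hash_to_zq(G, H, y1, z1, y2, z2, a1, b1, a2, b2)
    d_real = (c - d_sim) % Q                     # the real branch gets the remaining share
    r_real = (w - x * d_real) % Q                # r = w - x d, as in slide 55
    if which == 1:
        return (a1, b1, a2, b2, d_real, d_sim, r_real, r_sim)
    return (a1, b1, a2, b2, d_sim, d_real, r_sim, r_real)


def verify_or(y1: int, z1: int, y2: int, z2: int, proof: Proof) -> bool:
    a1, b1, a2, b2, d1, d2, r1, r2 = proof
    c = hash_to_zq(G, H, y1, z1, y2, z2, a1, b1, a2, b2)
    return (c == (d1 + d2) % Q
            and a1 == pow(G, r1, P) * pow(y1, d1, P) % P
            and b1 == pow(H, r1, P) * pow(z1, d1, P) % P
            and a2 == pow(G, r2, P) * pow(y2, d2, P) % P
            and b2 == pow(H, r2, P) * pow(z2, d2, P) % P)
```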

57 Commitment Schemes

58 Commitment schemes
Two parties: sender S and receiver R.
Scheme:
1. Commit: S sends a message $c_b$, committed to a bit $b$.
2. Reveal: S sends an additional message $m_b$ to reveal $b$.
3. Verify: $R(c_b, m_b) = $ accept iff the committed bit equals the revealed bit.
Security requirements:
1. Hiding: R cannot learn anything about $b$ from $c_b$.
2. Binding: S cannot change the committed bit without being detected.

59 Hiding: Computationally hiding: cannot in polynomial time. Unconditionally hiding: absolutely cannot.
Binding: Computationally binding: cannot in polynomial time. Unconditionally binding: absolutely cannot.

60 An application: coin tossing by email or phone
Problem: Alice and Bob want to toss a coin by email to decide who wins.
Protocol:
1. Alice sends $c_b$ to Bob, committed to a random bit $b$.
2. Bob generates a random bit $b'$ and sends it to Alice.
3. Alice sends her committed bit $b$ to Bob.
4. Bob verifies that $R(c_b, b) = $ accept, and both parties agree on the outcome $b \oplus b'$.
Note: if $b$ or $b'$ is random then $b \oplus b'$ is random.

61 Using symmetric encryption
Protocol:
1. Commit: To commit a value $m$, Alice sends $c := E_k(m)$ to Bob, where $k$ is a symmetric encryption key chosen by Alice.
2. Reveal: Alice sends $k$ to Bob.
3. Verify: Bob accepts the value $m := D_k(c)$.
Question: does it meet the hiding and binding requirement?

62 Using public-key encryption
Protocol:
1. Commit: To commit a value $m$, Alice generates a pair of keys $(pk, sk)$, and sends $c := E_{pk}(m)$ along with $pk$ (and system parameters) to Bob.
2. Reveal: Alice sends to Bob $m$, $sk$, and the random coins used in her computing of $E_{pk}(m)$.
3. Verify: Bob accepts $m$ if $E_{pk}(m) = c$ using the revealed random coins and the revealed $pk$, $sk$ and system parameters match.
Question: Does it meet the hiding and binding requirement?

63 Quadratic Residues
Let $n = pq$; $p$ and $q$ large primes.
Quadratic residues: elements in $Z_n^*$ which are a square. $QR_n$ = the subgroup of quadratic residues in $Z_n^*$. $QNR_n = Z_n^* \setminus QR_n$ = {quadratic non-residues in $Z_n^*$}.
Euler's criterion: $\left(\frac{x}{p}\right) \equiv x^{(p-1)/2} \pmod p$.
Legendre symbol: $\left(\frac{x}{p}\right) = +1$ if $[x] \in QR_p$ ($x$ is a square); $-1$ if $[x] \in QNR_p$ (not a square); $0$ if $[x] = 0$.
Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$.

64 Quadratic Residues (cont'd)
Thus, $\left(\frac{x}{n}\right) = 1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = \pm 1$.
$x$ is a quadratic residue in $Z_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$.
If $\left(\frac{x}{n}\right) = -1$, then $x$ is not a quadratic residue in $Z_n^*$. If $\left(\frac{x}{n}\right) = 1$, $x$ may or may not be a quadratic residue in $Z_n^*$.
Quadratic residuosity assumption: without knowing the factors of $n = pq$, it is intractable to determine whether an $x \in Z_n^*$ with $\left(\frac{x}{n}\right) = 1$ is a quadratic residue.
$QNR_n^{+1}$: the set of quadratic non-residues in $Z_n^*$ with Jacobi symbol 1.

65 QR-based commitment scheme (ideas)
Let $b$ be the committed bit, $b \in \{0, 1\}$. Bind $b$ to a predicate (T or F) which is hard to determine.
Quadratic residuosity assumption: without knowing the factors of $n = pq$, it is intractable to determine whether an $x \in Z_n^*$ with $\left(\frac{x}{n}\right) = 1$ is a quadratic residue.
Use $b$ to produce a number $x_b$ with $\left(\frac{x_b}{n}\right) = 1$ such that: $b = 0 \Rightarrow x_b$ is a quadratic residue; $b = 1 \Rightarrow x_b$ is not a quadratic residue.

66 QR-based commitment scheme
1. System setup: S chooses $n = pq$ and $g \in QNR_n^{+1}$.
2. Commit (S → R): $(n, g, c)$, where $c := r^2 g^b$, $r \in_R Z_n^*$ and $b$ is the bit being committed.
3. Reveal (S → R): $(p, q, r, b)$.
4. Verify: R accepts $b$ if $n = pq$, $r \in Z_n^*$, $g \in QNR_n$, and $c = r^2 g^b$.

67 Security
1. (Computational) Hiding: $c := r^2 g^b$ is a random element with $\left(\frac{c}{n}\right) = 1$. Further, $c$ is a square ($c \in QR_n$) iff $b = 0$. If R can tell whether $b = 0$, then he can tell whether $c$ is a square, contradicting the QR assumption.
2. (Unconditional) Binding: Once S is committed to $b$, $c$ is either a square or a non-square. S cannot change her commitment without being caught.

68 DL-based commitment scheme
1. System setup (known to S and R): $p, q$ large primes, with $q \mid p - 1$; $G_q$: the unique subgroup of order $q$ of $Z_p^*$; $g, h$: generators of $G_q$, $h$ random; $G_q = \{g^0, g^1, \ldots, g^{q-1}\} = \{h^0, h^1, \ldots, h^{q-1}\}$.
2. Commit (S → R): $c = g^r h^m$, where $r \in_R Z_q$, and $m \in Z_q$ is the value being committed.
3. Reveal (S → R): $(r, m)$.
4. Verify: R accepts $m$ if $c = g^r h^m$.

69 Security
1. (Unconditional) Hiding: For any $m$, $c = g^r h^m$ is uniformly distributed over $G_q$; hence, $m$ is perfectly hidden from R.
2. (Computational) Binding: S can change her commitment iff she knows $(r, m)$, $(r', m')$, $m \neq m'$, such that $g^r h^m = g^{r'} h^{m'}$, i.e. $g^{r - r'} = h^{m' - m}$, i.e. $\log_g h = (r - r')(m' - m)^{-1} \bmod q$: the DL assumption.
Note: computations like $g^r h^m$ are done modulo $p$; exponents and logarithms are computed modulo $q$.

70 Q: What if we change the commitment to the following?
$c := h^m$ (without using $g^r$).
$c := g^{r + m}$ (namely, $g = h$).
Q: Who should generate $p, q, g, h$?

71 Impossibility of unconditional binding & hiding
It is impossible to have a commitment scheme which is both unconditionally binding and unconditionally hiding.
Otherwise, let $C : \{0,1\}^n \times \{0,1\} \to \{0,1\}^s$ be such a scheme.
$C$ is unconditionally hiding $\Rightarrow$ when S sends a commitment $c := C(r, b)$, there exists an $(r', b')$, $b' \neq b$, s.t. $C(r', b') = c$. (Otherwise, R can find $b$ by computing a pre-image of $c$.)
$C$ is unconditionally binding $\Rightarrow$ there exists no such $(r', b')$ (otherwise, S can find it and change her commitment).
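An added example (not code from the slides) of slide 68's DL-based commitment used for slide 60's coin toss, in a constructed toy group. Here $h$ is built as $g^{123}$ only so that slide 69's binding argument can be exercised: with $\log_g h$ known, a commitment opens to any value; in a real setup $h$ is chosen so that nobody knows that logarithm.

```python
import random
from typing import Tuple

P, Q = 2039, 1019            # constructed toy group, p = 2q + 1, G_q of order q
G = 4                        # generator of G_q
TRAPDOOR = 123               # toy only: log_g h; a real setup must leave this unknown
H = pow(G, TRAPDOOR, P)


def commit(m: int) -> Tuple[int, int]:
    """Commit to m in Z_q: c = g^r h^m with fresh r (slide 68). Returns (c, r)."""
    r = random.randrange(Q)
    return pow(G, r, P) * pow(H, m, P) % P, r


def verify(c: int, r: int, m: int) -> bool:
    """R accepts the opening (r, m) iff c = g^r h^m."""
    return c == pow(G, r, P) * pow(H, m, P) % P


def coin_toss() -> Tuple[int, bool]:
    """Slide 60 with the commitment above: Alice commits to b, Bob sends b',
    Alice opens, Bob verifies, and the outcome is b xor b'."""
    b = random.randrange(2)
    c, r = commit(b)                # 1. Alice -> Bob: c
    b_bob = random.randrange(2)     # 2. Bob -> Alice: b'
    accepted = verify(c, r, b)      # 3./4. Alice opens (r, b); Bob verifies
    return b ^ b_bob, accepted


def equivocate(r: int, m: int, m_new: int, log_g_h: int) -> int:
    """Slide 69: opening c = g^r h^m as m_new needs r' with g^r' h^m_new = c,
    i.e. r' = r + log_g(h) * (m - m_new) mod q, which requires log_g h."""
    return (r + log_g_h * (m - m_new)) % Q
```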

72 Secret Sharing

73 Threshold secret sharing
$(t, n)$-threshold secret sharing scheme, $t \le n$: A secret $s$ is divided by a trusted authority into $n$ shares $s_i$, each given to a user $u_i$, $1 \le i \le n$. Any $t$ or more users together can recover $s$. $t - 1$ or fewer users cannot recover $s$.

74 Shamir's threshold secret sharing scheme
1. Select a prime $p > \max(s, n)$.
2. Construct a $(t - 1)$-degree polynomial $f(x) = \sum_{i=0}^{t-1} a_i x^i$, where $a_0 = s$ and $a_1, \ldots, a_{t-1} \in_R Z_p$.
3. Choose $n$ distinct values $x_1, \ldots, x_n \in Z_p^*$.
4. Share $s_i = (x_i, y_i)$, where $y_i = f(x_i) \bmod p$, $1 \le i \le n$.

75 Given $t$ shares $(x_i, y_i)$, $i \in J$, where $|J| = t$, $f(x)$ and $s$ can be recovered using Lagrange's interpolation formula:
$f(x) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x - x_j}{x_i - x_j}$ and $s = a_0 = f(0) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x_j}{x_j - x_i} = \sum_{i \in J} y_i \lambda_i$.

76 Electronic Vote

77 A multi-authority election scheme
1. Participants: a trusted center, $n$ authorities, $m$ voters.
2. Participants post their messages to a bulletin board.
3. The trusted center sets up parameters for the scheme.
4. Each vote, yes or no, is encrypted using a homomorphic public-key cryptosystem (e.g. ElGamal).
5. The decryption key $s$ is divided among $n$ authorities using a $(t, n)$-threshold scheme.
6. If $t$ authorities are honest, the votes can be tallied correctly without decrypting individual votes.

78 System setup (by the trusted center)
1. For ElGamal encryption (same as in DSA): choose two large primes $p$ and $q$ such that $q \mid (p - 1)$; choose an element $g \in Z_p^*$ of order $q$, $G_q = \langle g \rangle \subseteq Z_p^*$; choose a secret key $s \in Z_q$ and compute the public key $h = g^s \bmod p$.
2. For the Shamir $(t, n)$-threshold scheme: choose a $(t - 1)$-degree polynomial $f(x) = \sum_{i=1}^{t-1} a_i x^i + s$; let $x_i = i$, and compute $s_i = f(x_i)$ and $h_i = g^{s_i}$, $1 \le i \le n$. Give share $(x_i, s_i)$ to authority $A_i$.
3. Publish $(p, q, g, h, h_1, \ldots, h_n)$ on the bulletin board.

79 Vote casting
Each voter $V_i$ casts his vote $v_i \in \{1, -1\}$ as $c_i = (c_{i,1}, c_{i,2}) = (g^{r_i}, g^{v_i} h^{r_i})$ on the bulletin board, where $v_i$ is first encoded as $g^{v_i}$ and then encrypted by ElGamal encryption.
Each ballot $c_i$ is signed by its voter $V_i$. $V_i$ also has to prove that he follows the protocol and forms $c_i$ correctly; or his vote will be invalid.

80 Tally computing
Everyone can compute $c = (c_1, c_2) = \prod_{i=1}^m (c_{i,1}, c_{i,2}) = (g^{\sum r_i}, g^{\sum v_i} h^{\sum r_i})$, which is an encryption of $g^d$, where $d = \sum_{i=1}^m v_i$ is the difference between yes votes and no votes.
Decrypt $c$ to recover $g^d = c_2 c_1^{-s}$. Find $d$ by computing $g^{-m}, g^{-m+1}, \ldots, g^{m}$ and comparing with $g^d$.

81 Decrypting $c = (c_1, c_2)$ without knowing $s$
Recall that $D_s(c) = c_2 c_1^{-s}$, and $s = \sum_{i \in J} s_i \lambda_i$ if there is a group $J$ of $t$ honest authorities.
Each authority $A_i$ posts $(x_i, w_i)$, where $w_i = c_1^{s_i}$, and proves that she is honest.
Check if there is a set $J$ of $t$ honest authorities; and if so, compute the coefficients $\lambda_i$ from $\{x_i : i \in J\}$.
Compute $c_1^s = c_1^{\sum_{i \in J} s_i \lambda_i} = \prod_{i \in J} c_1^{s_i \lambda_i} = \prod_{i \in J} w_i^{\lambda_i}$.

82 Authority's proof of honesty
Each authority $A_i$ has to prove that she really posts $w_i = c_1^{s_i}$, where $s_i$ is her share of the secret key $s$.
Recall that $h_i = g^{s_i}$ is published on the bulletin board. Thus, $A_i$ can prove her honesty by showing $\log_{c_1} w_i = \log_g h_i$.
This can be done using the non-interactive version of proving equal logarithms.

83 Voter's proof of honesty
Each voter has to prove that his vote is of the form $(c_1, c_2) = (g^r, g^v h^r)$, with $v \in \{1, -1\}$. Depending on his vote:
if $v = 1$, he proves $\log_g c_1 = \log_h (c_2 g^{-1})$;
if $v = -1$, he proves $\log_g c_1 = \log_h (c_2 g)$.
Harder than the problem of authority's proof, because the voter doesn't want to reveal which one is proved.
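An added end-to-end example (not code from the slides) of the yes/no election of slides 77 to 82, which also serves slides 74 and 75: Shamir sharing of $s$ with $x_i = i$, the Lagrange coefficients $\lambda_i$ at zero, ElGamal ballots encoding $g^{\pm 1}$, the homomorphic tally, each authority's $w_i = c_1^{s_i}$ with the non-interactive equal-logarithm proof of slide 53, the threshold recombination $\prod w_i^{\lambda_i}$ and the exponent search for $d$. The voter's proof of slide 83 is left out. Group parameters, threshold and hash encoding are constructed for the demo.

```python
import hashlib
import random
from typing import Dict, List, Tuple

# Constructed toy parameters for slide 78's setup: p = 2q + 1, G_q = <g> in Z_p^*.
P, Q = 2039, 1019
G = 4
T, N_AUTH = 3, 5                 # (t, n)-threshold among n authorities


def share_secret(s: int, t: int, n: int) -> Dict[int, int]:
    """Shamir (t, n)-sharing of s over Z_q with x_i = i (slides 74, 78)."""
    coeffs = [s] + [random.randrange(Q) for _ in range(t - 1)]     # f(x) = s + a_1 x + ...
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def lagrange_at_zero(xs: List[int]) -> Dict[int, int]:
    """lambda_i = prod_{j != i} x_j / (x_j - x_i) mod q, so f(0) = sum y_i lambda_i (slide 75)."""
    lam = {}
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num, den = num * j % Q, den * (j - i) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


def cast(v: int, h: int) -> Tuple[int, int]:
    """Slide 79: vote v in {1, -1} encoded as g^v and ElGamal-encrypted under h."""
    r = random.randrange(Q)
    return pow(G, r, P), pow(G, v % Q, P) * pow(h, r, P) % P


def tally(ballots: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Slide 80: the component-wise product of all ballots encrypts g^d."""
    c1, c2 = 1, 1
    for b1, b2 in ballots:
        c1, c2 = c1 * b1 % P, c2 * b2 % P
    return c1, c2


def hash_to_zq(*vals: int) -> int:
    data = b"".join(v.to_bytes(4, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def authority_post(c1: int, s_i: int) -> Tuple[int, Tuple[int, int]]:
    """Slides 81/82: post w_i = c1^{s_i} with a non-interactive proof (slide 53)
    that log_g h_i = log_{c1} w_i, where h_i = g^{s_i} is on the bulletin board."""
    w = pow(c1, s_i, P)
    r = random.randrange(Q)
    a, b = pow(G, r, P), pow(c1, r, P)                 # commitments g^r, c1^r
    c = hash_to_zq(G, c1, pow(G, s_i, P), w, a, b)     # challenge from the hash
    return w, (c, (r - c * s_i) % Q)                   # response d = r - c s_i


def check_authority(c1: int, h_i: int, w: int, proof: Tuple[int, int]) -> bool:
    c, d = proof
    a = pow(G, d, P) * pow(h_i, c, P) % P              # g^d h_i^c
    b = pow(c1, d, P) * pow(w, c, P) % P               # c1^d w^c
    return c == hash_to_zq(G, c1, h_i, w, a, b)


def decrypt_with_shares(c1: int, c2: int, posts: Dict[int, int]) -> int:
    """Slide 81: c1^s = prod w_i^{lambda_i} over t honest authorities; returns g^d."""
    lam = lagrange_at_zero(list(posts))
    c1_s = 1
    for i, w in posts.items():
        c1_s = c1_s * pow(w, lam[i], P) % P
    return c2 * pow(c1_s, -1, P) % P


def find_d(gd: int, m: int) -> int:
    """Slide 80: recover d in [-m, m] by comparing g^d with the decryption."""
    for d in range(-m, m + 1):
        if pow(G, d % Q, P) == gd:
            return d
    raise ValueError("no exponent in range")


def run_election(votes: List[int]) -> int:
    """Whole run for votes in {1, -1}; returns d = (#yes) - (#no)."""
    s = random.randrange(1, Q)
    h = pow(G, s, P)                                    # public key
    shares = share_secret(s, T, N_AUTH)
    h_pub = {i: pow(G, si, P) for i, si in shares.items()}
    c1, c2 = tally([cast(v, h) for v in votes])
    posts = {}
    for i in random.sample(sorted(shares), T):          # any t honest authorities suffice
        w, proof = authority_post(c1, shares[i])
        if check_authority(c1, h_pub[i], w, proof):
            posts[i] = w
    return find_d(decrypt_with_shares(c1, c2, posts), len(votes))
```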

84 Extension to multi-way elections
If there are $l$ options, choose $l$ generators $g_1, \ldots, g_l$ in $G_q$, and encode option $j$ by $g_j$.
Voter $V_i$ encrypts his vote $v_i \in \{g_1, \ldots, g_l\}$ as $c_i = (c_{i,1}, c_{i,2}) = (g^{r_i}, h^{r_i} g_j)$, where $r_i \in_R Z_q$.
Tally: compute $(c_1, c_2) = \prod_{i=1}^m (c_{i,1}, c_{i,2}) = (g^{\sum r_i}, h^{\sum r_i} g_1^{d_1} \cdots g_l^{d_l})$, where $d_j$ is the number of votes for option $j$.
Decrypt $(c_1, c_2)$ by computing $c_2 c_1^{-s} = g_1^{d_1} g_2^{d_2} \cdots g_l^{d_l}$.
Find the exponents $(d_1, \ldots, d_l)$ by searching.

85 Eliminating the trusted center
(The body of this slide repeats the multi-way election scheme of slide 84.)

86 Blind Signature

87 Blind signature
Enables the signer to sign a message without seeing its content.
Suppose the signer has signed more than one message. When a signed message is presented to the signer, she can verify whether it is her signature, but she cannot link the signed message to any particular transaction.
Application: digital cash.

88 RSA-based blind signature
Note: Peggy's valid signature for $m$ is $m^d \bmod n$.
1. Vic → Peggy: $a := m r^e \bmod n$, $r \in_R Z_n^*$. (Masks $m$ with $r$.)
2. Peggy → Vic: $b := a^d \bmod n$. (Peggy signs $a$.)
3. Vic computes Peggy's signature for $m$ as $s = b r^{-1} \bmod n$ $(= m^d \bmod n)$.
Idea: RSA signature is homomorphic: $\mathrm{RSA}(m m') = \mathrm{RSA}(m)\,\mathrm{RSA}(m')$.
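An added example (not code from the slides) of slide 88's three moves on a constructed toy RSA key: Vic blinds $m$ with $r^e$, Peggy signs the blinded value, and Vic divides out $r$ to obtain $m^d$, which verifies like any ordinary RSA signature on $m$. Real keys are 2048 bits or more.

```python
import math
import random
from typing import Tuple

# Constructed toy RSA key: n = p*q, e*d = 1 mod (p-1)(q-1).
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_sign(m: int) -> int:
    """Peggy's ordinary signature m^d mod n."""
    return pow(m, D, N)


def rsa_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N


def blind(m: int) -> Tuple[int, int]:
    """Move 1: Vic masks m as a = m * r^e mod n and keeps r. Returns (a, r)."""
    while True:
        r = random.randrange(2, N)
        if math.gcd(r, N) == 1:
            return m * pow(r, E, N) % N, r


def unblind(b: int, r: int) -> int:
    """Move 3: s = b * r^-1 = (m r^e)^d / r = m^d r / r = m^d mod n."""
    return b * pow(r, -1, N) % N


def blind_signature(m: int) -> Tuple[int, int, int]:
    """Whole exchange. Returns (a as seen by Peggy, b she returns, s = m^d)."""
    a, r = blind(m)
    b = rsa_sign(a)                      # move 2: Peggy signs a without seeing m
    return a, b, unblind(b, r)
```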

89 Schnorr's blind signature scheme (idea)
If $\tau = (a, c, b)$ is an accepting transcript of Proof-Log$(g, y)$ (i.e., $a = g^b y^c$), then $\tau' = (a', c', b')$ is also an accepting transcript of Proof-Log$(g, y)$, where $a' = a^u g^v y^w$, $c' = uc + w$, $b' = ub + v$, $u, v, w \in_R Z_q$.
Indeed, $a' = a^u g^v y^w = g^{ub} y^{uc} g^v y^w = g^{ub + v} y^{uc + w} = g^{b'} y^{c'}$.

90 Schnorr's blind signature scheme: Blind-Log-Sign$(m, g, y)$
1. Peggy → Vic: $a = g^r$, where $r \in_R Z_q$.
2. Vic → Peggy: $c = (c' - w) u^{-1}$, where $u, v, w \in_R Z_q$, $u \neq 0$, $c' = h(m \| a')$, $a' = a^u g^v y^w$.
3. Peggy → Vic: $b = r - cx$.
4. Vic verifies whether $a = g^b y^c$, computes $b' = ub + v$, and gets the signature $\sigma(m) = (c', b')$.
$\mathrm{Verify}(m, c', b') = $ true iff $c' = h(m \| g^{b'} y^{c'})$.
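An added example (not code from the slides) of slides 89 and 90 in a constructed toy group: Peggy (the signer) runs plain Schnorr identification and never sees $m$, while Vic transforms her transcript with $u, v, w$ into $(c', b')$, which verifies as an ordinary Schnorr signature on $m$ (slide 51's check). The group and the hash encoding are assumptions for the demo.

```python
import hashlib
import random
from typing import Tuple

P, Q = 2039, 1019              # constructed toy group, p = 2q + 1, G_q of order q
G = 4


def hash_to_zq(m: bytes, a: int) -> int:
    return int.from_bytes(hashlib.sha256(m + a.to_bytes(4, "big")).digest(), "big") % Q


def verify_signature(y: int, m: bytes, c: int, b: int) -> bool:
    """Ordinary Schnorr check (slide 51): c = h(m || g^b y^c)."""
    return c == hash_to_zq(m, pow(G, b, P) * pow(y, c, P) % P)


class Signer:
    """Peggy: holds x, answers challenges, never learns m."""
    def __init__(self, x: int):
        self.x = x
        self.y = pow(G, x, P)

    def step1(self) -> int:
        self.r = random.randrange(Q)
        return pow(G, self.r, P)                        # a = g^r

    def step3(self, c: int) -> int:
        return (self.r - c * self.x) % Q                # b = r - c x


class Requester:
    """Vic: blinds Peggy's transcript with u, v, w (slide 89)."""
    def __init__(self, y: int, m: bytes):
        self.y, self.m = y, m

    def step2(self, a: int) -> int:
        self.u = random.randrange(1, Q)                 # u != 0 so u^-1 exists
        self.v = random.randrange(Q)
        self.w = random.randrange(Q)
        self.a = a
        a_blind = pow(a, self.u, P) * pow(G, self.v, P) % P * pow(self.y, self.w, P) % P
        self.c_blind = hash_to_zq(self.m, a_blind)     # c' = h(m || a'), a' = a^u g^v y^w
        return (self.c_blind - self.w) * pow(self.u, -1, Q) % Q   # c = (c' - w) u^-1

    def step4(self, c: int, b: int) -> Tuple[int, int]:
        if self.a != pow(G, b, P) * pow(self.y, c, P) % P:       # check a = g^b y^c
            raise ValueError("signer's response does not verify")
        return self.c_blind, (self.u * b + self.v) % Q           # sigma(m) = (c', b' = u b + v)


def blind_sign(x: int, m: bytes) -> Tuple[int, int]:
    """Run the four moves between Peggy and Vic; returns the signature (c', b')."""
    peggy, vic = Signer(x), Requester(pow(G, x, P), m)
    a = peggy.step1()
    c = vic.step2(a)
    b = peggy.step3(c)
    return vic.step4(c, b)
```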


More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes Informaton-Theoretc Tmed-Release Securty: Key-Agreement, Encrypton, and Authentcaton Codes Yohe Watanabe, Takenobu Seto, Junj Shkata Graduate School of Envronment and Informaton Scences, Yokohama Natonal

More information

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number

More information

Constructing Non-Malleable Commitments: A Black-Box Approach

Constructing Non-Malleable Commitments: A Black-Box Approach Constructng Non-Malleable Commtments: A Black-Box Approach Vpul Goyal Mcrosoft Research INDIA vpul@mcrosoft.com Chen-Kue Lee UCLA USA jcklee@ucla.edu Ivan Vscont Unversty of Salerno ITALY vscont@da.unsa.t

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

Proactive Linear Integer Secret Sharing

Proactive Linear Integer Secret Sharing Proactve Lnear Integer Secret Sharng Rune Thorbek BRICS, Dept. of Computer Scence, Unversty of Aarhus Abstract. In [3] Damgard and Thorbek proposed the lnear nteger secret sharng (LISS) scheme. In ths

More information

Classical Encryption and Authentication under Quantum Attacks

Classical Encryption and Authentication under Quantum Attacks Classcal Encrypton and Authentcaton under Quantum Attacks arxv:1307.3753v1 [cs.cr] 14 Jul 2013 Mara Velema July 12, 2013 Abstract Post-quantum cryptography studes the securty of classcal,.e. non-quantum

More information

A Commitment-Consistent Proof of a Shuffle

A Commitment-Consistent Proof of a Shuffle A Commtment-Consstent Proof of a Shuffle Douglas Wkström CSC KTH Stockholm, Sweden dog@csc.kth.se Aprl 2, 2011 Abstract We ntroduce a pre-computaton technque that drastcally reduces the onlne computatonal

More information

Lecture 3: Probability Distributions

Lecture 3: Probability Distributions Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the

More information

A Model of Bilinear-Pairings Based Designated-Verifier Proxy Signatue Scheme*

A Model of Bilinear-Pairings Based Designated-Verifier Proxy Signatue Scheme* A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme Fengyng L,, Qngshu Xue, Jpng Zhang, Zhenfu Cao Department of Educaton Informaton Technology, East Chna Normal Unversty, 0006, Shangha,

More information

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure

More information

Round Efficient Unconditionally Secure Multiparty Computation Protocol

Round Efficient Unconditionally Secure Multiparty Computation Protocol Round Effcent Uncondtonally Secure Multparty Computaton Protocol Arpta Patra Ashsh Choudhary C. Pandu Rangan Department of Computer Scence and Engneerng Indan Insttute of Technology Madras Chenna Inda

More information

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a

More information

Secure and practical identity-based encryption

Secure and practical identity-based encryption Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown

More information

Leakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage

Leakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage Leakage-Reslent Identfcaton Schemes from Zero-Knowledge Proofs of Storage Guseppe Atenese Sapenza, Unversty of Rome atenese@d.unroma1.t Antono Faono Aarhus Unversty antfa@cs.au.dk Seny Kamara Mcrosoft

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

Efficient Ring Signatures Without Random Oracles

Efficient Ring Signatures Without Random Oracles Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

Ph 219a/CS 219a. Exercises Due: Wednesday 12 November 2008

Ph 219a/CS 219a. Exercises Due: Wednesday 12 November 2008 1 Ph 19a/CS 19a Exercses Due: Wednesday 1 November 008.1 Whch state dd Alce make? Consder a game n whch Alce prepares one of two possble states: ether ρ 1 wth a pror probablty p 1, or ρ wth a pror probablty

More information

Digital Signatures. p1.

Digital Signatures. p1. Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Exercises of Chapter 2

Exercises of Chapter 2 Exercses of Chapter Chuang-Cheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, Mng-Hsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard

More information

Post-quantum Key Exchange Protocol Using High Dimensional Matrix

Post-quantum Key Exchange Protocol Using High Dimensional Matrix Post-quantum Key Exchange Protocol Usng Hgh Dmensonal Matrx Rchard Megrelshvl I. J. Tbls State Unversty rchard.megrelshvl@tsu.ge Melksadeg Jnkhadze Akak Tseretel State Unversty Kutas, Georga mn@yahoo.com

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Algorithms for factoring

Algorithms for factoring CSA E0 235: Crytograhy Arl 9,2015 Instructor: Arta Patra Algorthms for factorng Submtted by: Jay Oza, Nranjan Sngh Introducton Factorsaton of large ntegers has been a wdely studed toc manly because of

More information

arxiv: v1 [cs.cr] 22 Oct 2018

arxiv: v1 [cs.cr] 22 Oct 2018 CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM arxv:181109876v1 [cscr] 22 Oct 2018 VITALIĬ ROMAN KOV Abstract We show that the Modfed Matrx Modular Cryptosystem proposed by SK Rososhek

More information

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7 Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every

More information

Algebraic properties of polynomial iterates

Algebraic properties of polynomial iterates Algebrac propertes of polynomal terates Alna Ostafe Department of Computng Macquare Unversty 1 Motvaton 1. Better and cryptographcally stronger pseudorandom number generators (PRNG) as lnear constructons

More information

Notes on Frequency Estimation in Data Streams

Notes on Frequency Estimation in Data Streams Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to

More information

Efficient many-party controlled teleportation of multi-qubit quantum information via entanglement

Efficient many-party controlled teleportation of multi-qubit quantum information via entanglement Effcent many-party controlled teleportaton of mult-qut quantum nformaton va entanglement Chu-Png Yang, Shh-I Chu, Syuan Han Physcal Revew A, 24 Presentng: Vctora Tchoudakov Motvaton Teleportaton va the

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce

More information

Round and Communication Efficient Unconditionally-secure MPC with t < n/3 in Partially Synchronous Network

Round and Communication Efficient Unconditionally-secure MPC with t < n/3 in Partially Synchronous Network Round and Communcaton Effcent Uncondtonally-secure MPC wth t < n/3 n Partally Synchronous Network Ashsh Choudhury Arpta Patra Dvya Rav Abstract In ths work, we study uncondtonally-secure mult-party computaton

More information

Non-Malleable Extractors and Symmetric Key Cryptography from Weak Secrets

Non-Malleable Extractors and Symmetric Key Cryptography from Weak Secrets Non-Malleable Extractors and Symmetrc Key Cryptography from Weak Secrets Yevgeny Dods Danel Wchs Aprl 6, 2009 Abstract We study the queston of basng symmetrc key cryptography on weak secrets. In ths settng,

More information

} Often, when learning, we deal with uncertainty:

} Often, when learning, we deal with uncertainty: Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally

More information

Aggregate Message Authentication Codes

Aggregate Message Authentication Codes Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.

More information

Implementation and Detection

Implementation and Detection 1 December 18 2014 Implementaton and Detecton Htosh Matsushma Department of Economcs Unversty of Tokyo 2 Ths paper consders mplementaton of scf: Mechansm Desgn wth Unqueness CP attempts to mplement scf

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

Augmented Broadcaster Identity-based Broadcast Encryption

Augmented Broadcaster Identity-based Broadcast Encryption Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com

More information

Further Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups

Further Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups Further Lower Bounds for Structure-Preservng Sgnatures n Asymmetrc Blnear Groups Essam Ghadaf Unversty of the West of England, Brstol, UK essam.ghadaf@gmal.com Abstract. Structure-Preservng Sgnatures (SPSs

More information

Secure Two-Party k-means Clustering

Secure Two-Party k-means Clustering Secure Two-Party k-means Clusterng Paul Bunn Rafal Ostrovsky ABSTRACT The k-means Clusterng problem s one of the most-explored problems n data mnng to date. Wth the advent of protocols that have proven

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract

More information

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

= z 20 z n. (k 20) + 4 z k = 4

= z 20 z n. (k 20) + 4 z k = 4 Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5

More information

Quantum secure circuit evaluation

Quantum secure circuit evaluation Scence n Chna Ser. F Informaton Scences 2004 Vol.47 No.6 717 727 717 Quantum secure crcut evaluaton CHEN Huanhuan, LI Bn & ZHUANG Zhenquan Department of Electronc Scence and Technology, Unversty of Scence

More information

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable

More information

Anti-van der Waerden numbers of 3-term arithmetic progressions.

Anti-van der Waerden numbers of 3-term arithmetic progressions. Ant-van der Waerden numbers of 3-term arthmetc progressons. Zhanar Berkkyzy, Alex Schulte, and Mchael Young Aprl 24, 2016 Abstract The ant-van der Waerden number, denoted by aw([n], k), s the smallest

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1 C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned

More information

On a CCA2-secure variant of McEliece in the standard model

On a CCA2-secure variant of McEliece in the standard model On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

Practical and Secure Solutions for Integer Comparison (Extended Abstract)

Practical and Secure Solutions for Integer Comparison (Extended Abstract) Practcal and Secure Solutons for Integer Comparson (Extended Abstract) Juan Garay 1, erry Schoenmakers 2, and José Vllegas 2 1 ell Labs Lucent Technologes, 600 Mountan Ave., Murray Hll, NJ 07974 garay@research.bell-labs.com

More information

arxiv: v1 [cs.cr] 24 Jan 2019

arxiv: v1 [cs.cr] 24 Jan 2019 A Descrpton and Proof of a Generalsed and Optmsed Varant of Wkström s Mxnet Thomas Hanes arxv:90.0837v [cs.cr] 24 Jan 209 Introducton Polyas GmbH In ths paper, we descrbe an optmsed varant of Wkström s

More information

Yale University Department of Computer Science

Yale University Department of Computer Science Yale Unversty Department of Computer Scence Denable Anonymous Group Authentcaton Ewa Syta Benamn Peterson Davd Isaac Wolnsky Mchael Fscher Bryan Ford YALEU/DCS/TR-1486 February 13, 2014 Denable Anonymous

More information

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1] DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

Tightly CCA-Secure Encryption without Pairings

Tightly CCA-Secure Encryption without Pairings Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de

More information

Circular chosen-ciphertext security with compact ciphertexts

Circular chosen-ciphertext security with compact ciphertexts Crcular chosen-cphertext securty wth compact cphertexts Denns Hofhenz January 19, 2013 Abstract A key-dependent message (KDM secure encrypton scheme s secure even f an adversary obtans encryptons of messages

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information

Homework 3 Solutions

Homework 3 Solutions 5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin

More information

Primer on High-Order Moment Estimators

Primer on High-Order Moment Estimators Prmer on Hgh-Order Moment Estmators Ton M. Whted July 2007 The Errors-n-Varables Model We wll start wth the classcal EIV for one msmeasured regressor. The general case s n Erckson and Whted Econometrc

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

Finding Malleability in NTRUSign

Finding Malleability in NTRUSign Fndng Malleablty n TRUSgn SungJun Mn, Go Yamamoto, and Kwangjo Km Auto-ID Labs Whte Paper WP-HARDWARE-33 Sungjun Mn Senor Researcher, atonal Computerzaton Agency Go Yamamoto Senor Researcher, Informaton

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

Bézier curves. Michael S. Floater. September 10, These notes provide an introduction to Bézier curves. i=0

Bézier curves. Michael S. Floater. September 10, These notes provide an introduction to Bézier curves. i=0 Bézer curves Mchael S. Floater September 1, 215 These notes provde an ntroducton to Bézer curves. 1 Bernsten polynomals Recall that a real polynomal of a real varable x R, wth degree n, s a functon of

More information

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could

More information

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

18.781: Solution to Practice Questions for Final Exam

18.781: Solution to Practice Questions for Final Exam 18.781: Soluton to Practce Questons for Fnal Exam 1. Fnd three solutons n postve ntegers of x 6y = 1 by frst calculatng the contnued fracton expanson of 6. Soluton: We have 1 6=[, ] 6 6+ =[, ] 1 =[,, ]=[,,

More information

RSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]

RSA /2002/13(08) , ); , )     RSA RSA : RSA RSA [2] , [1,4] 1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA

More information

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition (IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer

More information

Strongly Unforgeable Proxy Re-Signature Schemes in the Standard model

Strongly Unforgeable Proxy Re-Signature Schemes in the Standard model Strongly Unforgeable Proxy Re-Sgnature Schemes n the Standard model No Author Gven No Insttute Gven Abstract. Proxy re-sgnatures are generally used for the delegaton of sgnng rghts of a user delegator

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Comment on An arbitrated quantum signature scheme. with fast signing and verifying

Comment on An arbitrated quantum signature scheme. with fast signing and verifying Comment on n arbtrated quantum sgnature scheme wth fast sgnng and verfyng Y-Png Luo and Tzonelh Hwang * Department of Computer cence and Informaton Engneerng, Natonal Cheng ung Unversty, No, Unversty Rd,

More information

Chapter 8 SCALAR QUANTIZATION

Chapter 8 SCALAR QUANTIZATION Outlne Chapter 8 SCALAR QUANTIZATION Yeuan-Kuen Lee [ CU, CSIE ] 8.1 Overvew 8. Introducton 8.4 Unform Quantzer 8.5 Adaptve Quantzaton 8.6 Nonunform Quantzaton 8.7 Entropy-Coded Quantzaton Ch 8 Scalar

More information