Interactive and Non-Interactive Proofs of Knowledge

Size: px

Start display at page:

Download "Interactive and Non-Interactive Proofs of Knowledge"

Pierce Bailey
5 years ago
Views:

1 Interactive and Non-Interactive Proofs of Knowledge Olivier Blazy ENS / CNRS / INRIA / Paris 7 RUB Sept 2012 O. Blazy (ENS RUB) INIPoK Sept / 63

2 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63

3 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63

4 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63

5 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63

6 Proof of Knowledge Alice Bob interactive method for one party to prove to another the knowledge of a secret S. 1 Completeness: S is true verier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verier that S is true Classical Instantiations : Schnorr proofs, Sigma Protocols... O. Blazy (ENS RUB) INIPoK Sept / 63

7 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Racko. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (ENS RUB) INIPoK Sept / 63

8 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Racko. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (ENS RUB) INIPoK Sept / 63

9 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Racko. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (ENS RUB) INIPoK Sept / 63

10 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verier that it is true 3 Zero-knowledge: if S is true, no cheating verier learns anything other than this fact. O. Blazy (ENS RUB) INIPoK Sept / 63

11 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verier that it is true 3 Zero-knowledge: if S is true, no cheating verier learns anything other than this fact. O. Blazy (ENS RUB) INIPoK Sept / 63

Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S.

12 Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: S is true verier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verier that S is true 3 Zero-knowledge: S is true no cheating verier learns anything other than this fact. O. Blazy (ENS RUB) INIPoK Sept / 63

13 History of NIZK Proofs Inecient NIZK Blum-Feldman-Micali, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZK But limited by the Random Oracle Ecient NIZK Groth-Ostrovsky-Sahai, Groth-Sahai, O. Blazy (ENS RUB) INIPoK Sept / 63

14 History of NIZK Proofs Inecient NIZK Blum-Feldman-Micali, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZK But limited by the Random Oracle Ecient NIZK Groth-Ostrovsky-Sahai, Groth-Sahai, O. Blazy (ENS RUB) INIPoK Sept / 63

15 History of NIZK Proofs Inecient NIZK Blum-Feldman-Micali, De Santis-Di Crescenzo-Persiano, Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZK But limited by the Random Oracle Ecient NIZK Groth-Ostrovsky-Sahai, Groth-Sahai, O. Blazy (ENS RUB) INIPoK Sept / 63

16 Applications of NIZK Proofs Fancy signature schemes group signatures ring signatures traceable signatures Ecient non-interactive proof of correctness of shue Non-interactive anonymous credentials CCA-2-secure encryption schemes (with public veriability) Identication E-voting, E-cash... O. Blazy (ENS RUB) INIPoK Sept / 63

17 Conditional Actions Group Manager Certication of a public key User pk Cert π The User should know the associated sk. O. Blazy (ENS RUB) INIPoK Sept / 63

18 Conditional Actions Signer Signature of a blinded message User C(M) σ π The User should know the plaintext M. O. Blazy (ENS RUB) INIPoK Sept / 63

19 Conditional Actions Server Transmission of private information User Request info π The User should possess some credentials. O. Blazy (ENS RUB) INIPoK Sept / 63

20 Soundness Only people proving they know the expected secret should be able to access the information. Zero-Knowledge The authority should not learn said secret. O. Blazy (ENS RUB) INIPoK Sept / 63

21 1 General Remarks 2 Building blocks Bilinear groups aka Pairing-friendly environments Commitment / Encryption Signatures Security hypotheses 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63

22 Symmetric bilinear structure (p, G, G T, e, g) bilinear structure: G, G T multiplicative groups of order p p = prime integer g = G e : G G G T e(g, g) = G T e(g a, g b ) = e(g, g) ab, a, b Z deciding group membership, group operations, eciently computable. bilinear map O. Blazy (ENS RUB) INIPoK Sept / 63

23 Denition (Encryption Scheme) E = (Setup, EKeyGen, Encrypt, Decrypt): Setup(1 K ): param; EKeyGen(param): public encryption key pk, private decryption key dk; Encrypt(pk, m; r): ciphertext c on m M and pk; Decrypt(dk, c): decrypts c under dk. F(M) Encrypt SE pk, r r dk Random E C r Decrypt E Indistinguishability: Given M 0, M 1, it should be hard to guess which one is encrypted in C. O. Blazy (ENS RUB) INIPoK Sept / 63

24 Denition (Linear Encryption) Setup(1 K ): Generates a multiplicative group (p, G, g). EKeyGen E (param): dk = (µ, ν) $ Z 2 p, and pk = (X 1 = g µ, X 2 = g ν ). Encrypt(pk = (X 1, X 2 ), M; α, β): For M, and random α, β $ Z 2 p, C = ( c 1 = X α 1, c 2 = X β 2, c 3 = g α+β M ). Decrypt(dk = (µ, ν), C = (c 1, c 2, c 3 )): Computes M = c 3 /(c 1/µ 1 c 1/ν 2 ). Randomization (BBS04) Random(pk, C; r, s) : C = ( c 1 X r 1, c 2X s 2, c 3g r+s) = ( X α+r 1, X β+s 2, g α+r+β+s M ) O. Blazy (ENS RUB) INIPoK Sept / 63

25 Denition (Commitment Scheme) E = (Setup, Commit, Decommit): Setup(1 K ): param, ck; Commit(ck, m; r): c on the input message m M using r $ R; Decommit(c, m; w) opens c and reveals m, together with w that proves the correct opening. M Commit ck, r r Decommit C O. Blazy (ENS RUB) INIPoK Sept / 63

26 Pedersen Setup(1 K ): g, h G; Commit(m; r): c = g m h r ; Decommit(c, m; r): c? = g m h r. O. Blazy (ENS RUB) INIPoK Sept / 63

27 F(M) s sk; s SignS σ(f) Denition (Signature Scheme) S = (Setup, SKeyGen, Sign, Verif): Setup(1 K ): param; SKeyGen(param): public verication key vk, private signing key sk; Sign(sk, m; s): signature σ on m, under sk; Verif(vk, m, σ): checks whether σ is valid on m. Random S Unforgeability: Given q pairs (m i, σ i ), it should be hard to output a valid σ on a fresh m. O. Blazy (ENS RUB) INIPoK Sept / 63

28 Denition (Waters Signature) (Wat05) Setup S (1 K ): Generates (p, G, G T, e, g), an extra h, and (u i ) for the Waters function (F(m) = u 0 i um i i ). SKeyGen S (param): Picks x $ Z p and outputs sk = h x, and vk = g x ; Sign(sk, m; s): Outputs σ(m) = (skf(m) s, g s ); Verif(vk, m, σ): Checks the validity of σ: e(g, σ 1 )? = e(f(m), σ 2 ) e(vk, h) Randomization Random(σ; r) : σ = ( σ 1 F(m) r, σ 2 g r ) = ( skf(m) r+s, g r+s) O. Blazy (ENS RUB) INIPoK Sept / 63

29 Denition (DL) Given g, h G 2, it is hard to compute α such that h = g α. Denition (CDH) Given g, g a, h G 3, it is hard to compute h a. Denition (DLin) Given u, v, w, u a, v b, w c G 6, it is hard to decide whether c = a + b. O. Blazy (ENS RUB) INIPoK Sept / 63

30 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge Groth Sahai methodology Motivation Signature on Ciphertexts Application to other protocols Waters Programmability 4 Interactive Implicit Proofs O. Blazy (ENS RUB) INIPoK Sept / 63

31 Groth-Sahai Proof System Pairing product equation (PPE): for variables X 1,..., X n G n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T determined by A i G, γ i,j Z p and t T G T. Groth-Sahai WI proofs that elements in G that were committed to satisfy PPE Setup(G): commitment key ck; Com(ck, X G; ρ): commitment c X to X ; Prove(ck, (X i, ρ i ) i=1,...,n, (E)): proof φ; Verify(ck, c Xi, (E), φ): checks whether φ is valid. O. Blazy (ENS RUB) INIPoK Sept / 63

32 Groth-Sahai Proof System Pairing product equation (PPE): for variables X 1,..., X n G n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T determined by A i G, γ i,j Z p and t T G T. Groth-Sahai WI proofs that elements in G that were committed to satisfy PPE Setup(G): commitment key ck; Com(ck, X G; ρ): commitment c X to X ; Prove(ck, (X i, ρ i ) i=1,...,n, (E)): proof φ; Verify(ck, c Xi, (E), φ): checks whether φ is valid. O. Blazy (ENS RUB) INIPoK Sept / 63

33 n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T Assumption DLin SXDH SD Variables PPE 9 (2,2) 1 Linear Verication 12n m + 3n + 16 n + 1 [ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1 Properties: correctness soundness witness-indistinguishability randomizability Commitments and proofs are publicly randomizable. O. Blazy (ENS RUB) INIPoK Sept / 63

34 n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T Assumption DLin SXDH SD Variables PPE 9 (2,2) 1 Linear Verication 12n m + 3n + 16 n + 1 [ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1 Properties: correctness soundness witness-indistinguishability randomizability Commitments and proofs are publicly randomizable. O. Blazy (ENS RUB) INIPoK Sept / 63

35 n n n (E) : e(a i, X i ) e(x i, X j ) γ i,j i=1 i=1 j=1 = t T Assumption DLin SXDH SD Variables PPE 9 (2,2) 1 Linear Verication 12n m + 3n + 16 n + 1 [ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1 Properties: correctness soundness witness-indistinguishability randomizability Commitments and proofs are publicly randomizable. O. Blazy (ENS RUB) INIPoK Sept / 63

36 Electronic Voting For dessert, we let people vote Chocolate Cake Cheese Cake Fruit Salad Brussels Sprout After collection, we count the number of ballots: Chocolate Cake 123 Cheese Cake 79 Fruit Salad 42 Brussels sprout 1 O. Blazy (ENS RUB) INIPoK Sept / 63

37 Authentication Only people authorized to vote should be able to vote People should be able to vote only once Anonymity Votes and voters should be anonymous Receipt freeness O. Blazy (ENS RUB) INIPoK Sept / 63

38 Homomorphic Encryption and Signature approach The voter generates his vote v. The voter encrypts v to the server as c. The voter signs c and outputs σ. (c, σ) is a ballot unique per voter, and anonymous. Counting: granted homomorphic encryption C = c. The server decrypts C. O. Blazy (ENS RUB) INIPoK Sept / 63

39 Electronic Cash Identify Deposit Withdraw Randomize Spend Randomize O. Blazy (ENS RUB) INIPoK Sept / 63

40 Protocol Withdrawal: A user get a coin c from the bank Spending: A user pays a shop with the coin c Deposit: The shop gives the coin c back to the bank Electronic Coins Chaum 81 Expected properties Unforgeability Coins are signed by the bank No Double-Spending Each coin is unique Anonymity Blind Signature Denition (Blind Signature) A blind signature allows a user to get a message m signed by an authority into σ so that the authority even powerful cannot recognize later the pair (m, σ). O. Blazy (ENS RUB) INIPoK Sept / 63

41 Round-Optimal Blind Signature Fischlin 06 The user encrypts his message m in c. The signer then signs c in σ. The user veries σ. He then encrypts σ and c into C σ and C and generates a proof π. π: C σ is an encryption of a signature over the ciphertext c encrypted in C, and this c is indeed an encryption of m. Anyone can then use C, C σ, π to check the validity of the signature. O. Blazy (ENS RUB) INIPoK Sept / 63

42 Vote E-Cash A user should be able to encrypt a ballot. He should be able to sign this encryption. Receiving this vote, one should be able to randomize for Receipt-Freeness. A user should be able to encrypt a token The bank should be able to sign it providing Unforgeability This signature should now be able to be randomized to provide Anonymity Our Solution Same underlying requirements; Advance security notions in both schemes requires to extract some kind of signature on the associated plaintext; General Framework for Signature on Randomizable Ciphertexts; Revisited Waters, Commutative encryption / signature. O. Blazy (ENS RUB) INIPoK Sept / 63

43 Commutative properties Encrypt To encrypt a message m: c = (pk 1 r 1, pk 2 r 2, F(m) g r1+r2 ) O. Blazy (ENS RUB) INIPoK Sept / 63

44 Commutative properties Encrypt To encrypt a message m: c = (pk 1 r 1, pk 2 r 2, F(m) g r1+r2 ) Sign Encrypt To sign a valid ciphertext c 1, c 2, c 3, one has simply to produce. σ = (c 1 s, c 2 s, sk c 3 s, pk 1 s, pk 2 s, g s ). O. Blazy (ENS RUB) INIPoK Sept / 63

45 Commutative properties Encrypt To encrypt a message m: c = (pk 1 r 1, pk 2 r 2, F(m) g r1+r2 ) Sign Encrypt To sign a valid ciphertext c 1, c 2, c 3, one has simply to produce. σ = (c 1 s, c 2 s, sk c 3 s, pk 1 s, pk 2 s, g s ). Decrypt Sign Encrypt Using dk. σ = (σ 3 /σ dk1 1 σ dk2 2, σ 6 ) = (sk F(m) s, g s ). O. Blazy (ENS RUB) INIPoK Sept / 63

46 Denition (Signature on Ciphertexts) SE = (Setup, SKeyGen, EKeyGen, Encrypt, Sign, Decrypt, Verif): Setup(1 K ): param e, param s ; EKeyGen(param e ): pk, dk; SKeyGen(param s ): vk, sk; Encrypt(pk, vk, m; r): produces c on m M and pk; Sign(sk, pk, c; s): produces σ, on the input c under sk; Decrypt(dk, vk, c): decrypts c under dk; Verif(vk, pk, c, σ): checks whether σ is valid. Denition (Extractable Randomizable Signature on Ciphertexts) SE=(Setup, SKeyGen, EKeyGen, Encrypt, Sign, Random, Decrypt, Verif, SigExt): Random(vk, pk, c, σ; r, s ) produces c and σ on c, using additional coins; SigExt(dk, vk, σ) outputs a signature σ. O. Blazy (ENS RUB) INIPoK Sept / 63

47 Randomizable Signature on Ciphertexts [PKC 2011: BFPV] M Encrypt SE pk, r r dk Decrypt E C sk; s SignS sk, pk, c; s SignSE s Random S σ(m) SigExt SE r dk σ(c) O. Blazy (ENS RUB) INIPoK Sept / 63

48 Extractable SRC M Encrypt SE pk, r r Random E C r dk Decrypt E sk; s SignS sk, pk, c; s SignSE s Random S σ(m) SigExt SE r dk σ(c) r, s Random SE O. Blazy (ENS RUB) INIPoK Sept / 63

49 E-Voting [PKC 2011: BFPV] F(M) Encrypt SE pk, r r C User sk, pk, c; s SignSE σ(f) SigExt SE dk σ(c) r, s Authority Random SE O. Blazy (ENS RUB) INIPoK Sept / 63

50 Blind Signature [PKC 2011: BFPV] User F(M) Encrypt SE pk, r r dk C Signer Decrypt E sk, pk, c; s SignSE s Random S σ(f) SigExt SE r dk σ(c) O. Blazy (ENS RUB) INIPoK Sept / 63

51 Partially-Blind Signature User info C = C(M, info) σ(c ) Signer O. Blazy (ENS RUB) INIPoK Sept / 63

52 Partially-Blind Signature User Signer C = C(M, info) σ(c, info s ) O. Blazy (ENS RUB) INIPoK Sept / 63

53 Signer-Friendly Partially Blind Signature [SCN 2012: BPV] User F(M) Blind BS pk BS, r r C info C Signer skbs, C, infos; s SignBS s σ(f ) r Unblind BS σ(c ) info s Random S Verif O. Blazy (ENS RUB) INIPoK Sept / 63

54 Multi-Source Blind Signatures Wireless Sensor Network Captors Central Hub Receiver c 1 c i c n C = c i σ(c, s) O. Blazy (ENS RUB) INIPoK Sept / 63

55 Multi-Source Blind Signatures [SCN 2012: BPV] User i F i Blind BS pk BS, r i r i C i Signer R skbs, C 1,..., Cn; s SignBS s σ( F) dk BS σ( C i ) Random S Unblind BS Verif O. Blazy (ENS RUB) INIPoK Sept / 63

56 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key O. Blazy (ENS RUB) INIPoK Sept / 63

57 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key O. Blazy (ENS RUB) INIPoK Sept / 63

58 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key A single set of generators The captors share the same set of generators Waters over a non-binary alphabet? O. Blazy (ENS RUB) INIPoK Sept / 63

59 Two solutions Dierent Generators Each captor has a disjoint set of generators for the Waters function Enormous public key A single set of generators The captors share the same set of generators Waters over a non-binary alphabet? O. Blazy (ENS RUB) INIPoK Sept / 63

60 Programmability of Waters over a non-binary alphabet Denition ((m, n)-programmability) F is (m, n) programmable if given g, h there is an ecient trapdoor producing a X, b X such that F (X ) = g a X h b X, and for all X i, Z j, Pr[a X1 = = a Xm = 0 a Z1... a Zn 0] is not negligible. (1, q)-programmability of Waters function Why do we need it: Unforgeabilty, q signing queries, 1 signature to exploit. Choose independent and uniform elements (a i ) (1,...,l) in { 1, 0, 1}, and random exponents (b i ) (0,...,l), and setting a 0 = 1. Then u i = g a i h b i. F(m) = u 0 u m i i δ a = g i i δ b h i i = g a m h bm. O. Blazy (ENS RUB) INIPoK Sept / 63

61 Non (2, 1)-programmability Waters over a non-binary alphabet is not (2, 1)-programmable. (1, q)-programmability Waters over a polynomial alphabet remains (1, q)-programmable. O. Blazy (ENS RUB) INIPoK Sept / 63

62 Sum of random walks on polynomial alphabets Local Central Limit Theorem Lindeberg Feller O. Blazy (ENS RUB) INIPoK Sept / 63

63 New primitive: Signature on Randomizable Ciphertexts One Round Blind Signature Receipt Free E-Voting Signer-Friendly Blind Signature Multi-Source Blind Signature [PKC 2011: BFPV] [PKC 2011: BFPV] [PKC 2011: BFPV] [SCN 2012: BPV] [SCN 2012: BPV] Eciency DLin + CDH : 9l + 24 Group elements. SXDH + CDH + : 6l + 15, 6l + 7 Group elements. Other results based on Groth Sahai Methodology: Traceable Signatures Transferable E-Cash [2012: BP] [Africacrypt 2011: BCF+] O. Blazy (ENS RUB) INIPoK Sept / 63

64 1 General Remarks 2 Building blocks 3 Non-Interactive Proofs of Knowledge 4 Interactive Implicit Proofs Motivation Smooth Projective Hash Function Application to various protocols Manageable Languages O. Blazy (ENS RUB) INIPoK Sept / 63

65 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63

66 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63

67 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63

68 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User O. Blazy (ENS RUB) INIPoK Sept / 63

69 Certication of Public Keys: (NI)ZKPoK Server Certication of a public key pk π(sk) Cert User π can be forwarded O. Blazy (ENS RUB) INIPoK Sept / 63

70 Certication of Public Keys: SPHF [ACP09] A user can ask for the certication of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certicate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. O. Blazy (ENS RUB) INIPoK Sept / 63

71 Certication of Public Keys: SPHF [ACP09] A user can ask for the certication of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certicate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. Implicit proof of knowledge of sk O. Blazy (ENS RUB) INIPoK Sept / 63

72 Smooth Projective Hash Functions [CS02] Denition Let {H} be a family of functions: X, domain of these functions L, subset (a language) of this domain such that, for any point x in L, H(x) can be computed by using either a secret hashing key hk: H(x) = Hash L (hk; x); or a public projected key hp: H (x) = ProjHash L (hp; x, w) [CS02,GL03] Public mapping hk hp = ProjKG L (hk, x) O. Blazy (ENS RUB) INIPoK Sept / 63

73 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63

74 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63

75 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63

76 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (ENS RUB) INIPoK Sept / 63

77 Certication of Public Keys: SPHF [ACP09] Server Certication of a public key pk, C = C(sk; r) P = Cert Hash(hk; (pk, C)) hp = ProjKG(hk, C) User P ProjHash(hp; (pk, C), r) = Cert O. Blazy (ENS RUB) INIPoK Sept / 63

78 Certication of Public Keys: SPHF [ACP09] Server Certication of a public key pk, C = C(sk; r) P = Cert Hash(hk; (pk, C)) hp = ProjKG(hk, C) User Implicit proof of knowledge of sk P ProjHash(hp; (pk, C), r) = Cert O. Blazy (ENS RUB) INIPoK Sept / 63

79 Oblivious Signature-Based Envelope (OSBE) [LDB03] A sender S wants to send a message P to U such that U gets P i it owns σ(m) valid under vk S does not learn whereas U gets the message P or not Correctness: if U owns a valid signature, he learns P Security Notions Oblivious: S does not know whether U owns a valid signature (and thus gets the message); Semantic Security: U does not learn any information about P if he does not own a valid signature. O. Blazy (ENS RUB) INIPoK Sept / 63

80 Oblivious Signature-Based Envelope (OSBE) [LDB03] A sender S wants to send a message P to U such that U gets P i it owns σ(m) valid under vk S does not learn whereas U gets the message P or not Correctness: if U owns a valid signature, he learns P Security Notions Oblivious: S does not know whether U owns a valid signature (and thus gets the message); Semantic Security: U does not learn any information about P if he does not own a valid signature. O. Blazy (ENS RUB) INIPoK Sept / 63

81 Oblivious Signature-Based Envelope (OSBE) [LDB03] A sender S wants to send a message P to U such that U gets P i it owns σ(m) valid under vk S does not learn whereas U gets the message P or not Correctness: if U owns a valid signature, he learns P Security Notions Oblivious: S does not know whether U owns a valid signature (and thus gets the message); Semantic Security: U does not learn any information about P if he does not own a valid signature. O. Blazy (ENS RUB) INIPoK Sept / 63

82 One-Round OSBE from IBE The authority owns the master key of an IBE scheme, and provides the decryption key (signature) associated to m to U. S wants to send a message P to U, if U owns a valid signature. S encrypts P under the identity m. Security properties Correct: trivial Oblivious: no message sent! Semantic Security: IND-CPA of the IBE But the authority can decrypt everything! O. Blazy (ENS RUB) INIPoK Sept / 63

83 One-Round OSBE from IBE The authority owns the master key of an IBE scheme, and provides the decryption key (signature) associated to m to U. S wants to send a message P to U, if U owns a valid signature. S encrypts P under the identity m. Security properties Correct: trivial Oblivious: no message sent! Semantic Security: IND-CPA of the IBE But the authority can decrypt everything! O. Blazy (ENS RUB) INIPoK Sept / 63

84 One-Round OSBE from IBE The authority owns the master key of an IBE scheme, and provides the decryption key (signature) associated to m to U. S wants to send a message P to U, if U owns a valid signature. S encrypts P under the identity m. Security properties Correct: trivial Oblivious: no message sent! Semantic Security: IND-CPA of the IBE But the authority can decrypt everything! O. Blazy (ENS RUB) INIPoK Sept / 63

85 A Stronger Security Model S wants to send a message P to U, if U owns/uses a valid signature. Security Notions Oblivious w.r.t. the authority: the authority does not know whether U uses a valid signature; Semantic Security: U cannot distinguish multiple interactions with : S sending P 0 from those with S sending P 1 if he does not own/use a valid signature; Semantic Security w.r.t. the Authority: after the interaction, the authority does not learn any information about P. O. Blazy (ENS RUB) INIPoK Sept / 63

86 Our New OSBE [TCC 2012: BPV] S wants to send a message P to U, if U owns a valid σ(m) under vk: With a Smooth Projective Hash Function L: C = C(σ, r) contains a valid σ(m) under vk the user U sends an encryption C of σ; A generates hk and the associated hp, computes H = Hash(hk; C), and sends hp together with c = P H; U computes X = ProjHash(hp; C, r), and gets P. Lin(pk, m) : {C(m)} WLin(pk, vk, m) : {C(σ(m))} (U, V, W, G) WLin(pk, vk, m): r, s Z p, (U, V, W ) = (u r, v s, g r+s σ), e(σ, g) = e(h, vk) e(f(m), G) O. Blazy (ENS RUB) INIPoK Sept / 63

87 Security Properties Oblivious w.r.t. the authority: IND-CPA of the encryption scheme (Hard-partitioned Subset of the SPHF); Semantic Security: Smoothness of the SPHF Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF Semantic Security w.r.t. the Authority requires one interaction round-optimal Standard model with Waters Signature + Linear Encryption CDH and DLin O. Blazy (ENS RUB) INIPoK Sept / 63

88 Security Properties Oblivious w.r.t. the authority: IND-CPA of the encryption scheme (Hard-partitioned Subset of the SPHF); Semantic Security: Smoothness of the SPHF Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF Semantic Security w.r.t. the Authority requires one interaction round-optimal Standard model with Waters Signature + Linear Encryption CDH and DLin O. Blazy (ENS RUB) INIPoK Sept / 63

89 Security Properties Oblivious w.r.t. the authority: IND-CPA of the encryption scheme (Hard-partitioned Subset of the SPHF); Semantic Security: Smoothness of the SPHF Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF Semantic Security w.r.t. the Authority requires one interaction round-optimal Standard model with Waters Signature + Linear Encryption CDH and DLin O. Blazy (ENS RUB) INIPoK Sept / 63

90 σ(m) Commit σ ck, σ; r Q Q = P H c hk = HashKG L H = Hash L (hk, c) hp = ProjKG L (hk, c) P ProjHash L (hp, C; w) = H P = Q H L = WLin(ck, vk, m) e(x, g) = e(f(m), σ 2 ) e(vk, h) O. Blazy (ENS RUB) INIPoK Sept / 63

91 Blind-Signatures [TCC 2012: BPV] User F(M) Encrypt SE pk, r r dk C Signer Decrypt E sk, pk, c; s SignSE Groth Sahai 9 l + 24 s Random S σ(f) SigExt SE r dk σ(c) O. Blazy (ENS RUB) INIPoK Sept / 63

92 Blind-Signatures [TCC 2012: BPV] User F(M) Encrypt SE pk, r r dk Decrypt E C Signer Groth Sahai 9 l + 24 sk, pk, c; s SignSE SPHF 8 l + 12 Languages s σ(f) SigExt SE r dk σ(c) BLin: {0, 1}, ELin: {C(C(...))}. Random S O. Blazy (ENS RUB) INIPoK Sept / 63

93 Alice Password Authenticated Key Exchange C(pw B ) C(pw A ), hp B hp A Bob H B H A H B H A Same value i both passwords are the same, and users know witnesses. O. Blazy (ENS RUB) INIPoK Sept / 63

94 Alice Language Authenticated Key Exchange C(L B ), C(L A ), C(M B) C(L A ), C(L B ), C(M A), hp B hp A Bob H B H A H B H A Same value i languages are as expected, and users know witnesses. O. Blazy (ENS RUB) INIPoK Sept / 63

95 Die Hellman / Linear Tuple Conjunction / Disjunction (g, h, G = g a, H = h a ) hp = g κ h λ Oblivious Transfer, Implicit Opening of a ciphertext Valid Die Hellman tuple? hp a = G κ H λ (U = u a, V = v b, W = g a+b ) Valid Linear tuple? hp = u κ g λ, v µ g λ hp a 1 hpb = 2 Uκ V µ W λ O. Blazy (ENS RUB) INIPoK Sept / 63

96 Die Hellman / Linear Tuple Conjunction / Disjunction (g, h, G = g a, H = h a ) hp = g κ h λ Oblivious Transfer, Implicit Opening of a ciphertext Valid Die Hellman tuple? hp a = G κ H λ (U = u a, V = v b, W = g a+b ) Valid Linear tuple? hp = u κ g λ, v µ g λ hp a 1 hpb = 2 Uκ V µ W λ O. Blazy (ENS RUB) INIPoK Sept / 63

97 Die Hellman / Linear Tuple Conjunction / Disjunction L 1 L 2 Simultaneous verication hp = hp 1, hp 2 H 1 H = H 2 1 H 2 A i O. Blazy (ENS RUB) INIPoK Sept / 63

98 Die Hellman / Linear Tuple Conjunction / Disjunction L 1 L 2 Simultaneous verication hp = hp 1, hp 2 H 1 H = H 2 1 H 2 A i L 1 L 2 hp = hp 1, hp 2, hp Is it a bit? One out of 2 conditions H = L 1?hp w1 : hp w2 hp 1 2 = X hk1 1 O. Blazy (ENS RUB) INIPoK Sept / 63

99 Die Hellman / Linear Tuple Conjunction / Disjunction L 1 L 2 Simultaneous verication hp = hp 1, hp 2 H 1 H = H 2 1 H 2 A i L 1 L 2 hp = hp 1, hp 2, hp Is it a bit? One out of 2 conditions H = L 1?hp w1 : hp w2 hp 1 2 = X hk1 1 BLin. O. Blazy (ENS RUB) INIPoK Sept / 63

100 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation (e = h r M, u 1 = g r, u 1 2 = g r, v = (cd α 2 ) r ) Veriability of the CS hp = g κg µ (cd α 1 ) η h λ 2 hp r = u κ 1 uµ v η (e/m) λ 2 Implicit Opening of a ciphertext, veriability of a ciphertext, PAKE (g r, g s, g r+s 1 2, h r 3 1 hs M, (c 2 1d α 1 )r )(c 2 d α 2 )s ) Veriability of the LCS hp = g κg θ(c 1 3 1d α 1 )η h λ, g µ g θ(c 2 3 1d α 1 )η h λ hp r 1 hps = 2 uκ 1 uµ 2 uθv η 3 (e/m) λ O. Blazy (ENS RUB) INIPoK Sept / 63

101 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation (e = h r M, u 1 = g r, u 1 2 = g r, v = (cd α 2 ) r ) Veriability of the CS hp = g κg µ (cd α 1 ) η h λ 2 hp r = u κ 1 uµ v η (e/m) λ 2 Implicit Opening of a ciphertext, veriability of a ciphertext, PAKE (g r, g s, g r+s 1 2, h r 3 1 hs M, (c 2 1d α 1 )r )(c 2 d α 2 )s ) Veriability of the LCS hp = g κg θ(c 1 3 1d α 1 )η h λ, g µ g θ(c 2 3 1d α 1 )η h λ hp r 1 hps = 2 uκ 1 uµ 2 uθv η 3 (e/m) λ O. Blazy (ENS RUB) INIPoK Sept / 63

102 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation (U = u a, V = v s, G = h s g a ) Previous Language ELin hp = u η g λ, v θ h λ hp a 1 hps = 2 Uη V θ G λ O. Blazy (ENS RUB) INIPoK Sept / 63

103 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation ( i A k e(y i, A k,i ) For each variables: hp i = u κ i g λ, v µ i g ( λ i A k e(hp w i i, A k,i ) ) ( ) HPZ k,i w i i Bk i = ( i A k e(h i, A k,i ) ) ( ) Z i B k H k,i i /D λ k ) ( ) Z Z k,i i i B k = D k Knowledge of a secret key, Knowledge of a (secret) signature on a (secret) message valid under a (secret) verication key,... O. Blazy (ENS RUB) INIPoK Sept / 63

104 (Linear) Cramer-Shoup Encryption Commitment of a commitment Linear Pairing Equations Quadratic Pairing Equation ( e(y i, A k,i ) e(y i, Y j ) γi,j i j A k Z Zk,i i i B k Anonymous membership to a group, other way to do BLin,... e(g b, g 1 b ) = 1 T ) = D k O. Blazy (ENS RUB) INIPoK Sept / 63

105 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge O. Blazy (ENS RUB) INIPoK Sept / 63

106 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

107 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

108 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

109 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

110 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

111 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures [TCC 2012: BPV] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

112 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope [TCC 2012: BPV] [TCC 2012: BPV] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

113 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope (v)-pake, LAKE, Secret Handshakes [TCC 2012: BPV] [TCC 2012: BPV] [eprint/sub 2012: BPCV] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

114 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope (v)-pake, LAKE, Secret Handshakes E-Voting [TCC 2012: BPV] [TCC 2012: BPV] [eprint/sub 2012: BPCV] [sub 2012: BP] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

115 Smooth Projective Hash Functions ˆ= implicit proofs of knowledge Various Applications: IND-CCA [CS02] PAKE [GL03] Certication of Public Keys [ACP09] Privacy-preserving protocols: Blind signatures Oblivious Signature-Based Envelope (v)-pake, LAKE, Secret Handshakes E-Voting [TCC 2012: BPV] [TCC 2012: BPV] [eprint/sub 2012: BPCV] [sub 2012: BP] Many more Round optimal applications? O. Blazy (ENS RUB) INIPoK Sept / 63

116 Groth-Sahai Allows to combine eciently classical building blocks Allows several kind of new signatures under standard hypotheses Smooth Projective Hash Functions Can handle more general languages under better hypotheses Do not add any extra-rounds in an interactive scenario More ecient in the usual cases O. Blazy (ENS RUB) INIPoK Sept / 63

117 Groth-Sahai Allows to combine eciently classical building blocks Allows several kind of new signatures under standard hypotheses Smooth Projective Hash Functions Can handle more general languages under better hypotheses Do not add any extra-rounds in an interactive scenario More ecient in the usual cases O. Blazy (ENS RUB) INIPoK Sept / 63

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building