Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Size: px

Start display at page:

Download "Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives"

Beatrix Jackson
6 years ago
Views:

1 S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK, Graz University of Technology

2 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 2

3 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 3

4 Static Accumulators Finite set Accumulator 4

5 Static Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X Intractable to compute x / X 4

6 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n mod N 5

7 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N 5

8 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. 5

9 A Simple Example - RSA Accumulator RSA modulus N Accumulator for X = {x 1,..., x n } acc X g x 1... x i 1 x i x i+1... x n Witness for x i : mod N wit xi g x 1... x i 1 x i+1... x n mod N Verify witness: Check whether (wit xi ) x i acc X mod N. Witness for y / X Would imply breaking strong RSA... unless factorization of N is known. 5

10 Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X 6

11 Dynamic and Universal Features Dynamically add/delete elements...to/from accumulator acc X Update witnesses accordingly All updates independent of X Universal features Demonstrate non-membership Non-membership witness wit x Efficiently computable x / acc X Intractable to compute x acc X 6

12 Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability 7

13 Motivation Accumulators widely used in various applications e.g., credential revocation, malleable signatures,... Previous models tailored to specific constructions Different features Private/public updatability Thus, accumulators not usable as black-boxes Limited exchangeability when used in other constructions Relations to other primitives hard to study 7

14 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability 8

15 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc 8

16 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets 8

17 Contribution Unified formal model for Static/dynamic/universal accumulators Introduces randomized and bounded accumulators Introduces indistinguishability Includes undeniability First constructions fulfilling new notions First indistinguishable, dynamic acc First undeniable, indistinguishable, universal acc Black-box relations to commitments and ZK-sets Exhaustive classification of existing schemes (see Paper) 8

18 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 9

19 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify 10

20 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit 10

21 Algorithms Static Accumulators - Algorithms Gen Eval WitCreate Verify We call accumulators t-bounded, if an upper bound for the set size exists randomized, if Eval is probabilistic Eval r to make used randomness explicit Dynamic Accumulators additionally provide Add Delete WitUpdate 10

22 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type 11

23 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) 11

24 Algorithms - Universal Accumulators Static or dynamic accumulator, but in addition WitCreate and Verify take additional parameter type Membership (type = 0) vs. non-membership mode (type = 1) For dynamic accumulator schemes The same additionally applies to WitUpdate 11

25 Security Correctness Collision freeness Undeniability Indistinguishability 12

26 Security - Collision Freeness Experiment Exp cf κ ( ): 13

27 Security - Collision Freeness Experiment Exp cf κ ( ): A wins if wit x is membership witness for non-member, or wit x is non-membership witness for member 13

28 Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): 14

29 Security - Undeniability Defined for universal accumulators Experiment Exp ud κ ( ): A wins if verification succeeds for both wit x and wit x 14

30 Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud 15

31 Undeniability Collision Freeness We show that Efficient A cf can be turned into efficient A ud Other direction does not hold [BLL02] 15

32 Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators 16

33 Security - Indistinguishability I So far, no meaningful formalization Existing formalization allows to prove indistinguishability for trivially distinguishable accumulators We provide formalization not suffering from shortcomings above 16

34 Security - Indistinguishability II Experiment Exp ind κ ( ): 17

35 Security - Indistinguishability II Experiment Exp ind κ ( ): A wins if guess correct 17

36 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. 18

37 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition 18

38 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability 18

39 Security - Indistinguishability III Ad-hoc solution in literature Insert a (secret) random value z into acc. However, weakens collision freeness Witness for z efficiently computable by definition Thus, we distinguish Indistinguishability Collision freeness weakening (cfw)-indistinguishability We modify [Ngu05] to provide indistinguishability First indistinguishable t-bounded dynamic accumulator 18

40 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 19

41 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X 20

42 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators 20

43 Zero-Knowledge Sets Commit to a set X Prove predicates of the form x X x / X While not revealing anything else about X Observation Similar to undeniable indistinguishable accumulators Algorithms compatible Security notions similar 20

44 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability 21

45 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) 21

46 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability Other direction unclear, sim-based notion seems stronger 21

47 Accumulators from Zero-Knowledge Sets Security notions Perfect completeness correctness Soundness undeniability Zero-knowledge Simulation-based notion simulator S, negl. ɛ, s.t. PPT distinguishers: Pr [distinguish sim/real] ɛ(κ) We show that zero-knowledge = indistinguishability 21 Other direction unclear, sim-based notion seems stronger First undeniable, unbounded, indistinguishable acc Nearly ZK sets t-bounded

48 Outline 1. Introduction 2. A Unified Formal Model 3. Accumulators from Zero-Knowledge Sets 4. Black-Box Construction of Commitments 22

49 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m 23

50 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward 23

51 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m 23

52 Commitments Compute commitment C to message m Later: provide opening O demonstrating that C is commitment to m Security (informal): Correctness: straight forward Binding: Intractable to find C, O, O such that C opens to two different messages m m Hiding: For C to either m 0 or m 1. Intractable to decide whether C opens to m 0 or m 1 23

53 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true 24

54 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding 24

55 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding 24

56 Commitments from Accumulators I Use 1-bounded indistinguishable accumulators C acc {m} O (m, r, wit m, aux) such that acc {m} = Eval r ((, pk acc ), {m}) Verify(pk acc, acc {m}, wit m, m) = true Collision-freeness Binding Indistinguishability Hiding Observe: cfw-indistinguishability not useful 24

57 Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set 25

58 Commitments from Accumulators II Straight forward extension to set-commitments Use t-bounded accumulators Opening w.r.t. entire set Trapdoor commitments Use sk acc as trapdoor 25

59 Conclusion Unified model for accumulators Covering all features existing to date 26

60 Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme 26

61 Conclusion Unified model for accumulators Covering all features existing to date Introduce indistinguishability notion Provide first indistinguishable dynamic scheme Show relations to other primitives Commitments Zero-knowledge sets Yields first undeniable, unbounded, indistinguishable, universal accumulator Inspiration for new constructions 26

62 Thank you. Extended version:

63 References I [BLL02] Ahto Buldas, Peeter Laud, and Helger Lipmaa. Eliminating counterevidence with applications to accountable certificate management. Journal of Computer Security, 10(3): , [Ngu05] Lan Nguyen. Accumulators from bilinear pairings and applications. In Topics in Cryptology - CT-RSA 2005, The Cryptographers Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings, pages ,

64 Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA / 22

65 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22

66 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22

67 Proof of Knowledge Alice Bob Interactive method for one party to prove to another the knowledge of a secret S. Classical Instantiations : Schnorr proofs, Sigma Protocols... O. Blazy (XLim) Negative-NIZK CT-RSA / 22

68 Proving that a statement is not satisfied Alice Bob Interactive method for one party to prove to another the knowledge of a secret S that does not belong to a language L. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

69 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22

70 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22

71 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22

72 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22

73 Applications Credentials Enhanced Authenticated Key Exchange Additional properties Non-Interactive Zero-Knowledge Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22

74 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22

75 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA / 22

76 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA / 22

77 Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting... O. Blazy (XLim) Negative-NIZK CT-RSA / 22

78 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

79 Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: if S is true, the honest verifier will be convinced of this fact 2 Soundness: if S is false, no cheating prover can convince the honest verifier that it is true 3 Zero-knowledge: if S is true, no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S.

80 Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S. 1 Completeness: S is true verifier will be convinced of this fact 2 Soundness: S is false no cheating prover can convince the verifier that S is true 3 Zero-knowledge: S is true no cheating verifier learns anything other than this fact. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

81 Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

82 Certification of Public Keys: SPHF [ACP09] A user can ask for the certification of pk, but if he knows the associated sk only: With a Smooth Projective Hash Function L: pk and C = C(sk; r) are associated to the same sk U sends his pk, and an encryption C of sk; A generates the certificate Cert for pk, and sends it, masked by Hash = Hash(hk; (pk, C)); U computes Hash = ProjHash(hp; (pk, C), r)), and gets Cert. Implicit proof of knowledge of sk O. Blazy (XLim) Negative-NIZK CT-RSA / 22

83 Smooth Projective Hash Functions [CS02] Definition Let {H} be a family of functions: X, domain of these functions L, subset (a language) of this domain such that, for any point x in L, H(x) can be computed by using either a secret hashing key hk: H(x) = Hash L (hk; x); or a public projected key hp: H (x) = ProjHash L (hp; x, w) [CS02,GL03] Public mapping hk hp = ProjKG L (hk, x) O. Blazy (XLim) Negative-NIZK CT-RSA / 22

84 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

85 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

86 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

87 SPHF Properties For any x X, H(x) = Hash L (hk; x) For any x L, H(x) = ProjHash L (hp; x, w) w witness that x L, hp = ProjKG L (hk, x) Smoothness For any x L, H(x) and hp are independent Pseudo-Randomness For any x L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

88 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22

89 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22

90 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22

91 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22

92 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22

93 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22

94 Global Idea π: Proof that W L π: Randomizable, Indistinguishability of Proof π : Proof that π was computed honestly To prove that W L Try to prove that W L which will output a π π will not be valid Compute π stating that π was computed honestly O. Blazy (XLim) Negative-NIZK CT-RSA / 22

95 From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA / 22

96 From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA / 22

97 From a very high level If an adversary forges a proof, this means that both π and π are valid Either π was not computed honestly, and under the Soundness of π this should not happen Or π was computed honestly but lead to an invalid proof, and under the Completeness of π this should not happen O. Blazy (XLim) Negative-NIZK CT-RSA / 22

98 Possible Instantiations Proof π Proof π Interactive Properties Groth Sahai Groth Sahai No Zero-Knowledge SPHF SPHF Yes Implicit Groth Sahai SPHF Depends ZK, Implicit O. Blazy (XLim) Negative-NIZK CT-RSA / 22

99 1 Brief Overview 2 Building blocks 3 Proving that you can not 4 Applications O. Blazy (XLim) Negative-NIZK CT-RSA / 22

100 Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA / 22

101 Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA / 22

102 Anonymous Credentials Allows user to authenticate while protecting their privacy. Recent work, build non-interactive credentials for NAND By combining with ours, it leads to efficient Non-Interactive Credentials No accumulators are needed O. Blazy (XLim) Negative-NIZK CT-RSA / 22

103 Language Authenticated Key Exchange Alice C(M B ) C(M A ), hp B hp A Bob H B H A H B H A Same value iff languages are as expected, and users know witnesses. O. Blazy (XLim) Negative-NIZK CT-RSA / 22

104 Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA / 22

105 Summing up Proposed a generic framework to prove negative statement * Gives several instantiation of this framework, allowing some modularity Works outside pairing environment Open Problems Be compatible with post-quantum cryptography Weaken the requirements, on the building blocks O. Blazy (XLim) Negative-NIZK CT-RSA / 22

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building