MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Similar documents
Entity Authentication

Lecture Notes 20: Zero-Knowledge Proofs

From Secure MPC to Efficient Zero-Knowledge

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Additive Conditional Disclosure of Secrets

Homework 3 Solutions

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Lecture 15 - Zero Knowledge Proofs

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 3: Interactive Proofs and Zero-Knowledge

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lecture 10: Zero-Knowledge Proofs

Notes on Zero Knowledge

Statistically Secure Sigma Protocols with Abort

Interactive protocols & zero-knowledge

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

An Identification Scheme Based on KEA1 Assumption

1 Recap: Interactive Proofs

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

1 Secure two-party computation

Zero-Knowledge Against Quantum Attacks

Lecture 3,4: Universal Composability

On The (In)security Of Fischlin s Paradigm

Smooth Projective Hash Function and Its Applications

March 19: Zero-Knowledge (cont.) and Signatures

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 18: Message Authentication Codes & Digital Signa

Improved OR-Composition of Sigma-Protocols

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Non-Conversation-Based Zero Knowledge

Interactive protocols & zero-knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Round-Efficient Multi-party Computation with a Dishonest Majority

Zero-Knowledge Proofs and Protocols

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

PAPER An Identification Scheme with Tight Reduction

Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World

Introduction to Modern Cryptography Lecture 11

III. Authentication - identification protocols

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Concurrent Non-malleable Commitments from any One-way Function

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting

1 Number Theory Basics

Lecture 28: Public-key Cryptography. Public-key Cryptography

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Distinguisher-Dependent Simulation in Two Rounds and its Applications

Dr George Danezis University College London, UK

Proofs of Ignorance and Applications to 2-Message Witness Hiding

Statistical WI (and more) in Two Messages

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

George Danezis Microsoft Research, Cambridge, UK

Introduction to Cryptography Lecture 13

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

An Epistemic Characterization of Zero Knowledge

An Epistemic Characterization of Zero Knowledge

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

On The (In)security Of Fischlin s Paradigm

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Concurrent Knowledge Extraction in the Public-Key Model

Efficient Constructions of Composable Commitments and Zero-Knowledge Proofs

Multiparty Computation

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lecture 22: RSA Encryption. RSA Encryption

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Interactive Zero-Knowledge with Restricted Random Oracles

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Founding Cryptography on Smooth Projective Hashing

Anonymous Credentials Light

A Note on the Cramer-Damgård Identification Scheme

Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Katz, Lindell Introduction to Modern Cryptrography

Cryptographic Protocols FS2011 1

Security Protocols and Application Final Exam

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Encryption Switching Protocols

Rate-Limited Secure Function Evaluation: Definitions and Constructions

CPSC 467b: Cryptography and Computer Security

Question 1. The Chinese University of Hong Kong, Spring 2018

1 Public-key encryption

Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

On the Security of Classic Protocols for Unique Witness Relations

Transcription:

MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu

Formal Syntax

Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R α k In many settings, some system-wide or otherwise important parameters pk are generated by potentially malicious participants. Zero-knowledge proofs guarantee that the parameters pk are correctly generated without leaking any extra information. Often, public parameters pk are generated together with auxiliary secret information sk that is essential for the zero-knowledge proof. The secret auxiliary information sk is known as a witness of pk. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 1

An integer n is a RSA modulus: A few interesting statements A witness is a pair of primes (p, q) such that n = p q. The relation is defined as follows (n, p,q) R n = p q p,q P A prover has a secret key sk that corresponds to a public key pk: A witness is a secret key sk such that (pk, sk) Gen. More formally (pk,sk) R m M : Dec sk (Enc pk (m)) = m. A ciphertext c is an encryption of m wrt the public key pk: A witness is a randomness r R such that Enc pk (m; r) = c. The relation is defined as follows (pk, c,m, r) R Enc pk (m; r) = c. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 2

Two flavours of zero knowledge pk An ideal implementation of a zero-knowledge proof pk pk y If sk : (pk, sk) R y 1 Else y 0 pk An ideal implementation of a zero-knowledge proof of knowledge pk pk, sk pk y If (pk,sk) R y 1 Else y 0 pk, sk MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 3

Formal security requirements Completeness. A zero-knowledge proof is perfectly complete if all runs between honest prover and honest verifier are accepting. A zero knowledge protocol is ε 1 -incomplete if for all (pk,sk) R the interaction between honest prover and honest verifier fails with probability at most ε 1. Soundness. A zero-knowledge proof is ε 2 -unsound if the probability that an honest verifier accepts an incorrect input pk with probability at most ε 2. An input pk is incorrect if (pk, sk) / R for all possible witnesses sk. Zero-knowledge property. A zero-knowledge proof is (t re, t id, ε 3 )-private if for any t re -time verifying strategy V there exists a t id -time algorithm V that does not interact with the prover and the corresponding output distributions are statistically ε 3 -close. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 4

A Simple Example

Quadratic residuosity v = s 2 s Z n β u {0,1} α = r 2 β γ = rs β r u Z n Halt if γ / Z γ 2 = r 2 s 2β =? n αv β The modified Fiat-Shamir protocol is also secure against malicious verifiers. If we guess the challenge bit β then we can create α such that the transcript corresponds to the real world execution. Random guessing leads to the correct answer with probability 1 2. By rewinding we can decrease the failure probability. The failure probability decreases exponentially w.r.t. maximal number of rewindings. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 5

Simulation principle sk α(sk) β γ(sk,α, β) pk Even if Lucy is honest she might learn something about the secret sk. since messages α and γ depend on the secret sk. sk pk, β α(β) β γ(α, β) pk As Lucy is malicious the value of β is not known by her before the protocol and Snoopy must guess β to simulate the other messages. Lucy should not be able to distinguish between these two experiments. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 6

Simulation as rejection sampling As the Fiat-Shamir protocol is a sigma protocol, we can construct protocol transcripts (α, β,γ ) Sim Fiat-Shamir for honest verifier. Note that α has the same distribution than α in the real protocol run. Now consider a modified prover P that generates (α,β, γ ) Sim and sends α to the verifier, given a challenge β computes the correct reply γ, outputs Sim-Success if β = β. Important observations. Let D denote the distribution of the outputs of a verifier V which satisfy the condition P outputs Sim-Success. Then the distribution D coincides with the distribution of all outputs of V. For each reply β, the condition β = β holds with probability 1 2. The distribution D is easily simulatable. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 7

The complete simulator construction V For i {1,...,k} do (α, β,γ ) Sim Fiat-Shamir β V (α ) if β = β then return V (γ ) return failure By the construction the output distribution of V is (1 2 k )D + 2 k failure (1 2 k )D + 2 k failure and thus the statistical distance between outputs of V and V is 2 k. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 8

The corresponding security guarantees Theorem. The modified Fiat-Shamir protocol is a zero-knowledge proof with the following properties: the protocol is perfectly complete; the protocol is 1 2 -unsound; for any k and t re the protocol is (t re,k t re,2 k )-private. Further remarks Sequential composition of l protocol instances decreases soundness error to 2 l. The compound protocol becomes (t re,k l t re,l 2 k )-private. The same proof is valid for all sigma protocols, where the challenge β is only one bit long. For longer challenges β, the success probability decreases with an exponential rate and simulation becomes inefficient. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 9

Zero-Knowledge Proofs and Knowledge Extraction

Challenge-response paradigm v QNR(n) n = p q β u {0,1} r u Z n α = r 2 v β β β IsNQR p,q (α) β? = β For semi-honest provers it is trivial to simulate the interaction, since the verifier knows the expected answer β = β. To provide security against malicious verifiers V, we must assure that we can extract β from V : Verifier must prove that she knows (r,β) such that c = r 2 v β The corresponding proof of knowledge does not have be zero knowledge proof as long as it does not decrease soundness. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 10

Classical construction β u {0,1} r u Z n α r 2 v β v QNR(n) β? = β α pok β [α = r 2 v β ] β n = p q β IsNQR p,q (α) Halt if pok β [ ] fails We can use proofs of knowledge to assure that the verifier knows the end result β. The proof must perfectly hide information about witness β. If v QR then α is independent from β and malicious prover can infer information about β only through the proof of knowledge. Hence, we are interested in witness indistinguishability of the proof of knowledge, i.e., the proof transcripts should coincide for both β values. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 11

Witness indistinquishability provides soundness We have to construct a sigma protocol for the following statement pok β [ r : α = r 2 v β] pok r [ r 2 = α ] pok r [ r 2 = αv 1] Both sub-proofs separately can be implemented through the modified Fiat-Shamir protocol. To achieve witness indistinguishability, we just use disjunctive proof construction. For fixed challenge β, the sub-challenge pairs are uniformly chosen from a set B = {(β 1,β 2 ) : β 1 + β 2 = β}. Hence, the interactions where V proves pok r [ r 2 = α ] and simulates pok r [r 2 = αv 1 ] are indistinguishable form the interactions where V proves pok r [r 2 = αv 1 ] and simulates pok r [r 2 = α]. If v = s 2 then also α 0 = r 2 and α 1 = r 2 v are indistinguishable. Consequently, a malicious adversary succeeds with probability 1 2 if v = s2. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 12

Simulator construction S V Choose randomness ω for V and store α. Use knowledge extractor to extract β. Run V once again. if pok β [ r : α = r 2 v β ] fails then [ Send to V and output whatever V outputs. else [ Send β to V and output whatever V outputs. The simulation fails only if knowledge extraction fails and pok β [ ] succeeds. With proper parameter choice, we can achieve failure ε in time Θ ( t re ε κ). MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 13

Optimal choice of parameters Let ε be the desired failure bound and let κ be the knowledge error of the sigma protocol. Now if we set the maximal number of repetitions l = 4 log 2(1/ε) ε κ in the knowledge extraction algorithm so that the knowledge extraction procedure fails on the set of good coins Ω good = {ω Ω : Pr[pok β [ ] = 1 ω] ε} with probability less than ε. Consequently, we can estimate Pr[Fail] Pr[ω / Ω good ] Pr[pok β [ ] = 1 ω] Pr[ExtrFailure ω] + Pr[ω Ω good ] Pr[pok β [ ] = 1 ω] Pr [ExtrFailure ω] ε. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 14

Soundness through temporal order β u {0,1} r u Z n α r 2 v β v QNR(n) β? = Open pk (c,d) α c,pk r,β d n = p q pk Gen β IsNQR p,q (α) (c,d) Com pk (β) Halt if α r 2 v β Let (Gen,Com, Open) is a perfectly binding commitment scheme such that the validity of public parameters can be verified (ElGamal encryption). Then the perfect binding property assures that the malicious prover P cannot change his reply. Soundness guarantees are preserved. A commitment scheme must be (t re + t,κ)-hiding for t re -time verifier. By rewinding we can find out the correct answer in time Θ( 1 ε κ ), where ε is the success probability of malicious verifier V. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 15

Simulator construction S V Choose randomness ω for V and store α. Use knowledge extractor to extract β. Run V once again with (c,d) Com pk (β). if α r 2 v β then [ Send to V and output whatever V outputs. else [ Send d to V and output whatever V outputs. Knowledge-extraction is straightforward. We just provide (c,d) Com pk (0) and verify whether α = r 2 v β. The choice of parameters is analogous. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 16

Further analysis The output of the simulator is only computationally indistinguishable from the real protocol run, as the commitment is only computationally hiding. Let A be a t-time adversary that tries to distinguish outputs of V and S V If α = r 2 v β and knowledge extraction succeeds, the simulation is perfect. If α r 2 v β then from (t re + t,κ)-hiding, we get Pr [ A = 1 V P α r 2 v β] Pr [ A = 1 S V α r 2 v β] κ. Similarly, (t re + t, κ)-hiding assures that Pr [ α = r 2 v β V P ] Pr [ α r 2 v β V (c,d) Com pk (0) ] κ. Hence, the knowledge extractor makes on average 1 ε κ probes. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 17

Strengthening of Σ-protocols

Strengthening with commitments zk x [(x, w) R] β u B (c,d) Com pk (β) x pk c α dγ x,w pk Gen α P w β Open pk (c,d) γ P w (α,β) Ver x (α,β, γ) If the commitment is statistically hiding then the soundness guarantees are preserved. Again, rewinding allows us to extract the value of β. If commitment scheme is ((l + 1) t re, ε 2 )-binding then commitment can be double opened with probability at most ε 2. Hence, we can choose l = Θ( 1 ε 1 ) so that simulation failure is ε 1 + ε 2. The protocol does not have knowledge extraction property any more. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 18

Strengthening with coin-flipping zk-pok x [(x, w) R] x Ver x (α,β, γ) α β = coin-flip[b] γ x,w α P w γ P w (α,β) We can substitute trusted sampling β u B with a coin-flipping protocol. To achieve soundness, we need a coin-flipping protocol that is secure against unbounded provers. Statistical indistinguishability is achievable provided that the coin-flipping protocol is secure even if all internal variables become public afterwards. Rewinding takes now place inside the coin-flipping block. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 19

Strengthening with disjunctive proofs zka-pok x [(x,w) R] (x, w) Gen R x x pok w [(x, w) R] pok w,w [(x, w) R (x, w) R] x, w If the relation R generated by Gen R is hard, i.e., given x it is difficult to find matching w, then the proof is computationally sound. The hardness of R also guarantees that the second proof is witness hiding. Thus, we can extract first w and use it to by-pass the second proof. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 20

Certified Computations Malicious case

The concept pk Com pk (x) f f(x),α β γ pk f f(x) x f halt/ok Lucy should learn f(x) and nothing more even if Charlie is malicious. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 21

A quick recap of the semihonest case Construct the circuit and commit all values f(x) u3 u1 u2 x1 x2 x3 x4 Construct a sigma protocols for validity of inputs f(x) u3 u1 u2 x1 x2 x3 x4 Pok Pok Pok Pok Construct a sigma protocol for validity of intermediate values Pok f(x) Pok u3 Pok u1 u2 Pok x1 x2 x3 x4 Pok Pok Pok Pok MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 22

Security against malicious verifiers We can use several methods to strengthen the protocol. We can restrict challenge space B to {0, 1} and then use sequential composition to achieve reasonable soundness level. We can use commitments to strengthen the sigma protocol. We can use coin-flipping protocol to generate the challenge β. We can use disjunctive proofs to strengthen the sigma protocol. The resulting construction which is based on a coin-flipping protocol is often referred as Gmw-compiler, since it forces semihonest behaviour. MTAT.07.003 Cryptology II, Zero-knowledge Proofs, 7 May, 2010 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback