Cryptographic Protocols. Steve Lai


This course (layers, from the applications down to the hardness assumption):
- Applications (security)
- Encryption schemes, crypto protocols, sign/MAC schemes
- Pseudorandom generators and functions
- Zero-knowledge proof systems
- Computational difficulty (one-way functions)

Cryptographic Protocols (outline):
- Entity authentication
- Key agreement
- Fiat-Shamir identification schemes
- Zero-knowledge proof systems
- Schnorr's identification/signature scheme
- Commitment schemes
- Secret sharing
- Electronic election
- Blind signature
- Digital cash

Entity Authentication
Problem: Alice wants to prove to Bob that she is Alice, and/or vice versa.
Basic idea: Alice shows that she knows some secret which is presumably known only to Alice (and Bob). That secret could be, for example:
- Alice's password or PIN,
- a MAC or encryption key shared by Alice and Bob, or
- Alice's RSA private key.

Password-based authentication
Protocol:
0. Alice → Bob: "I'm Alice"
1. Bob → Alice: "What's your password?"
2. Alice → Bob: Alice's password
3. Bob verifies the password.
Is it secure against an eavesdropper?

Challenge-and-response using a secret key
Alice and Bob share a secret key k.
Protocol (insecure):
(0. Alice → Bob: "I'm Alice")
1. Bob → Alice: a random challenge r.
2. Alice → Bob: y = MAC_k(r).
3. Bob computes y' = MAC_k(r) and checks whether y = y'.
Or: use encryption instead of a MAC.

Parallel sessions attack
Eve runs two sessions at once, relaying between Alice and Bob:
  Bob → Eve: r
  Eve → Alice: r
  Alice → Eve: y = MAC_k(r)
  Eve → Bob: y = MAC_k(r)

Countermeasure
Include the identities in the MAC, so that a response from one session is not valid in the other:
  on Alice's side: y = MAC_k(r ∥ Bob)
  on Bob's side: y = MAC_k(r ∥ Alice)

Mutual authentication using a secret key
Alice and Bob share a secret key k.
Protocol (insecure):
1. Alice → Bob: a random challenge r1.
2. Bob → Alice: y1 = MAC_k(ID(Alice) ∥ r1) and a random challenge r2.
3. Alice → Bob: y2 = MAC_k(ID(Bob) ∥ r2).
4. Alice and Bob verify each other's response.

Man-in-the-middle attack
Eve runs two sessions in parallel: one with Bob, in which she claims to be Alice, and one with Alice, in which she claims to be Bob.
  Session with Bob:   r1;  MAC_k(A ∥ r1), r2;  MAC_k(B ∥ r2)
  Session with Alice: r2;  MAC_k(B ∥ r2), r3
Bob's challenge r2 is forwarded to Alice, and Alice's response MAC_k(B ∥ r2) is forwarded back to Bob.

Countermeasure
Include both challenges in the step-2 response:
  Session with Bob:   r1;  MAC_k(A ∥ r1 ∥ r2), r2;  MAC_k(B ∥ r2) ???
  Session with Alice: r2;  MAC_k(B ∥ r2 ∥ r3), r3
Alice's response now has the form MAC_k(B ∥ r2 ∥ r3), which is not the MAC_k(B ∥ r2) that Bob expects.

Mutual authentication using a secret key
Alice and Bob share a secret key k.
Protocol (secure):
1. Alice → Bob: a random challenge r1.
2. Bob → Alice: y1 = MAC_k(ID(Alice) ∥ r1 ∥ r2) and a random challenge r2.
3. Alice → Bob: y2 = MAC_k(ID(Bob) ∥ r2).
4. Alice and Bob verify each other's response.
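The secure three-message protocol above, as an added, runnable example that is not code from the original slides. It uses HMAC-SHA256 as MAC_k, 16-byte random challenges and a length-prefixed encoding for ∥ (all choices of this example, not of the slides). `misbound_tags_rejected` checks the two properties the countermeasures rely on: a tag over the wrong identity, or a tag of the step-2 shape MAC_k(ID ∥ r2 ∥ r3), must be rejected at step 4.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """MAC_k over ID || r1 || r2 etc.  Each part is length-prefixed so that the
    concatenation cannot be re-split into a different (ID, nonce) combination."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Party:
    """One side of the secure three-message protocol from the slide."""

    def __init__(self, name: str, peer: str, key: bytes):
        self.name, self.peer, self.key = name.encode(), peer.encode(), key
        self.r1 = self.r2 = None

    def challenge(self) -> bytes:
        """1. initiator -> responder: fresh random challenge r1."""
        self.r1 = os.urandom(16)
        return self.r1

    def respond(self, r1: bytes):
        """2. responder -> initiator: y1 = MAC_k(ID(initiator) || r1 || r2), r2."""
        self.r1, self.r2 = r1, os.urandom(16)
        return mac(self.key, self.peer, r1, self.r2), self.r2

    def answer(self, y1: bytes, r2: bytes) -> bytes:
        """3. initiator checks y1 against its own r1 and the received r2, then
        returns y2 = MAC_k(ID(responder) || r2)."""
        if not hmac.compare_digest(y1, mac(self.key, self.name, self.r1, r2)):
            raise ValueError(f"{self.name.decode()}: peer failed to authenticate")
        self.r2 = r2
        return mac(self.key, self.peer, r2)

    def verify(self, y2: bytes) -> bool:
        """4. responder checks y2 against the r2 it issued."""
        return hmac.compare_digest(y2, mac(self.key, self.name, self.r2))


def run_protocol(key: bytes) -> bool:
    """Honest run: Alice initiates, Bob responds; returns Bob's verdict."""
    alice, bob = Party("Alice", "Bob", key), Party("Bob", "Alice", key)
    r1 = alice.challenge()
    y1, r2 = bob.respond(r1)
    y2 = alice.answer(y1, r2)
    return bob.verify(y2)


def misbound_tags_rejected(key: bytes) -> bool:
    """Bob must reject a tag bound to the wrong identity and a tag of the
    step-2 shape MAC_k(ID(Bob) || r2 || r3): neither is the step-3 value."""
    alice, bob = Party("Alice", "Bob", key), Party("Bob", "Alice", key)
    r1 = alice.challenge()
    y1, r2 = bob.respond(r1)
    alice.answer(y1, r2)
    wrong_identity = mac(key, b"Alice", r2)
    step2_shape = mac(key, b"Bob", r2, os.urandom(16))
    return not bob.verify(wrong_identity) and not bob.verify(step2_shape)
```

The key passed to `run_protocol` is a constructed demo value; in practice k is a shared secret of full MAC-key length, and every check uses `hmac.compare_digest` so that tag comparison does not leak timing.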

Public-key mutual authentication
Protocol (secure):
1. Alice → Bob: a random challenge r1.
2. Bob → Alice: y1 = Sign_pr(Bob)(ID(Bob) ∥ r1 ∥ r2) and a random challenge r2.
3. Alice → Bob: y2 = Sign_pr(Alice)(ID(Alice) ∥ r2).
4. Alice and Bob verify each other's response.

Key Agreement

Two levels of keys
Master (long-lived) keys: (asymmetric) keys used for entity authentication and session key agreement.
Session keys: (symmetric) keys used only for a session.
Reasons for using session keys:
1. Limiting the amount of ciphertext available to attackers.
2. Limiting the damage to only a session in case of session key compromise.
3. Symmetric encryption is faster.

Diffie-Hellman key agreement
Alice and Bob want to set up a session key.
1. Alice and Bob agree on a large prime p and a generator g of Z_p^*.
2. Alice → Bob: g^a mod p, where a ∈_R Z_{p−1}.
3. Bob → Alice: g^b mod p, where b ∈_R Z_{p−1}.
4. They agree on the key g^{ab} mod p.
Security:
- Provides protection against eavesdroppers.
- Insecure against active adversaries.
- Problem: lack of authentication.

Authentication is important in key establishment
When establishing a session key, make sure you are doing it with the right entity. Two approaches:
- Entity authentication + Diffie-Hellman
- Entity authentication + encrypted session key

Recall: Public-key mutual authentication
Protocol:
1. Alice → Bob: a random challenge r1.
2. Bob → Alice: y1 = Sign_pr(Bob)(ID(Bob) ∥ r1 ∥ r2) and a random challenge r2.
3. Alice → Bob: y2 = Sign_pr(Alice)(ID(Alice) ∥ r2).
4. Alice and Bob verify each other's response.
Combine Diffie-Hellman with the above protocol: Alice uses g^a for r1 and Bob uses g^b for r2. The resulting protocol is called the Station-to-Station protocol.

Station-to-station protocol
Alice and Bob each have a signature key pair.
Protocol:
0. A and B agree on p and a generator g of Z_p^* as in DH key agreement.
1. A → B: r1 = g^a, where a ∈_R Z_{p−1}.
2. B → A: r2 = g^b, y1 = Sign_pr(B)(B ∥ r1 ∥ r2), where b ∈_R Z_{p−1}.
3. A → B: y2 = Sign_pr(A)(A ∥ r2 ∥ r1).
4. If all verifications pass, use k = g^{ab} as the session key.
Remark: all computations are done modulo p.

Public-key based authenticated key agreement
Alice and Bob each have an encryption key pair and a signature key pair.
Protocol:
1. A → B: a random challenge r1.
2. B → A: y1 = Sign_pr(B)(A ∥ r1 ∥ r2 ∥ c), r2, c = E_eA(k), where k is a session key chosen by B and e_A is Alice's public encryption key.
3. A → B: y2 = Sign_pr(A)(B ∥ r2).
4. Alice and Bob verify each other's response. If all verifications pass, Alice decrypts c to obtain k. They now can use k as the session key.
Security: this protocol provides no forward secrecy.


Forward secrecy
Suppose Eve records all (encrypted) messages exchanged between Alice and Bob during a session. If later Eve gets Alice's decryption key d_A, she will be able to decrypt c to get the session key k.
A session-key agreement scheme is said to provide forward secrecy if it resists this kind of attack (i.e., session keys remain secure even if master keys are compromised).
Station-to-station provides forward secrecy.

Identification Schemes based on zero-knowledge interactive proof systems

Interactive proof system
Setting: a secret x (known only to Peggy) about some public info y.
Peggy, the prover, wishes to prove that she knows the secret x (thereby authenticating her identity).
Vic, the verifier, verifies whether the provided proof is acceptable.
Basic requirements (w/o adversaries):
- (Perfect) Completeness: Peggy, who knows the secret, always succeeds in convincing Vic.
- Soundness: Anyone not knowing the secret can only cheat with a small success probability.
Desired property: zero-knowledge.

Formal definition of interactive proof system
A pair of interactive machines (P, V) is called an interactive proof system for a language L if machine V is polynomial-time and the following two conditions hold:
(Perfect) Completeness: For every y ∈ L, Pr[⟨P, V⟩(y) = 1] = 1.
Soundness: For every y ∉ L and every interactive machine P*, Pr[⟨P*, V⟩(y) = 1] ≤ 1/3.
Remark: The error probability 1/3 is arbitrary, and can be made exponentially small by repeating the interaction many times.

Password Scheme
Secret: Peggy's password.
Protocol: Peggy sends her username and password to Vic. Vic accepts Peggy's identity if the submitted password equals the stored password.
Comments: complete and sound; not zero-knowledge (Peggy reveals some information that may be used later by the adversary).
Q: Is this protocol an interactive proof system for some language L?

Scheme based on public-key encryption
Secret: Peggy has a secret key sk and a public key pk.
Protocol:
1. Vic → Peggy: c = E_pk(m), with m randomly chosen.
2. Peggy → Vic: m' = D_sk(c).
3. Vic accepts Peggy's identity iff m = m'.
Comments: Complete and sound. Not zero-knowledge: if Vic has a ciphertext c of Peggy's, he can have c decrypted (by Peggy).
An interactive proof system for what language L?

Zero-Knowledge
The schemes based on passwords and encryption are not zero-knowledge; the prover reveals some knowledge to the verifier or eavesdropper. We are interested in a proof system in which the prover proves her knowledge of some secret without revealing anything about that secret. We will formalize the notion of zero-knowledge. But first let us look at a proof system, which will be proved zero-knowledge.

Fiat-Shamir identification scheme (ideas)
Parameters: n = pq, y = x^2, x ∈ Z_n^*; computations done in Z_n^*.
Keys: public (n, y); secret x, known to Peggy only.
First attempt:
1. Peggy chooses a random r ∈ Z_n^* and sends (a, b) = (r^2, rx) to Vic.
2. Vic accepts Peggy's identity iff b^2 = ay.
Comments: The scheme is complete. Not sound: Eve can impersonate Peggy by sending (a, b) = (b^2 y^{-1}, b), where b ∈_R Z_n^*.

Basic idea: Let f be a homomorphic one-way function.
  y = f(x),  a = f(r),  b = xr  ⇒  f(b) = f(x) f(r) = ay.
Peggy sends (a, b), and Vic checks whether f(b) = ay.
Peggy is supposed to choose a = f(r) and b = xr. Eve can cheat by not following this rule, simply choosing an arbitrary b and letting a = f(b) y^{-1}.
Countermeasure: with probability 1/2, ask Peggy to reveal r (to check whether she follows the rule).

Fiat-Shamir identification scheme (simplified)
Parameters: n = pq, y = x^2, x ∈ Z_n^*; computations done in Z_n^*.
Keys: public (n, y), secret x.
Protocol:
1. Peggy → Vic: a = r^2, with r ∈ Z_n^* randomly chosen.
2. Vic → Peggy: e ∈ {0,1}, randomly chosen.
3. Peggy → Vic: b = r x^e (i.e., b = r or b = rx).
4. Vic accepts Peggy's identity iff b^2 = a y^e.
Comments: Step 1 is a commitment; step 2 a challenge; step 3 a response.

Completeness: obvious.
Soundness: Eve can cheat with probability 1/2 (idea: guess e and prepare (a, b) accordingly):
1. Eve → Vic: a = b^2 y^{-e'}, where b ∈_R Z_n^* and e' ∈_R {0,1}.
2. Vic → Eve: e ∈ {0,1}, randomly chosen.
3. Eve → Vic: b.
4. Vic accepts Peggy's identity iff b^2 = a y^e. (Eve succeeds in cheating iff e = e'.)
Q: How to cheat with Pr > 1/2?

Eve may succeed with probability at most 1/2 + negl(n):
  Pr[Eve succeeds in cheating]
    = Pr[her value a is good only for e = 0] · Pr[e = 0] + Pr[her value a is good only for e = 1] · Pr[e = 1] + Pr[her value a is good for both challenges]
    ≤ 1/2 + Pr[Eve is able to choose an a that is good for both challenges].
If Eve is able to choose an a with which she can meet both challenges, she can come up with a value a and two values b_1, b_2 such that b_1^2 = a and b_2^2 = ay. Then she can compute √y = b_2 b_1^{-1} in Z_n^*, which is intractable. So that probability is negl(n).


If the protocol is run t times, Eve's probability of cheating successfully is reduced to 2^{-t} + negl(n).
The protocol can be viewed as an interactive proof system for the language L = QR_n = {y ∈ Z_n^* : y is a quadratic residue in Z_n^*}.
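A runnable version of the simplified scheme together with the soundness argument of the preceding slides, as an added example that is not code from the slides. The modulus n = 1019 · 1031 and the use of Python's `secrets` module are constructed for the demo (a real n is a ~2048-bit RSA-type modulus); `square_root_from_two_answers` carries out the extraction step of the argument above: two valid answers for one commitment give a square root of y.

```python
import math
import secrets

# Constructed toy modulus: n = pq with small primes so the demo runs instantly.
P, Q = 1019, 1031
N = P * Q


def rand_unit(n: int) -> int:
    """Uniform random element of Z_n^* (units modulo n)."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r


def keygen(n: int):
    """Secret x in Z_n^*, public y = x^2 mod n (so y is a quadratic residue)."""
    x = rand_unit(n)
    return x, x * x % n


def commit(n: int):
    """Step 1: a = r^2 with fresh random r; the prover keeps r."""
    r = rand_unit(n)
    return r, r * r % n


def respond(n: int, x: int, r: int, e: int) -> int:
    """Step 3: b = r * x^e, i.e. r when e = 0 and r*x when e = 1."""
    return r * pow(x, e, n) % n


def accept(n: int, y: int, a: int, e: int, b: int) -> bool:
    """Step 4: Vic accepts iff b^2 = a * y^e (mod n)."""
    return b * b % n == a * pow(y, e, n) % n


def identify(n: int, y: int, x: int, rounds: int = 20) -> bool:
    """Run the 3-move protocol `rounds` times.  An impostor passes each round
    with probability 1/2, so all rounds pass with probability about 2^-rounds."""
    for _ in range(rounds):
        r, a = commit(n)
        e = secrets.randbelow(2)            # Vic's challenge
        b = respond(n, x, r, e)
        if not accept(n, y, a, e, b):
            return False
    return True


def square_root_from_two_answers(n: int, y: int, a: int, b0: int, b1: int) -> int:
    """The soundness argument on the slide: if one commitment a can be answered
    for both challenges (b0^2 = a and b1^2 = a*y), then b1 * b0^(-1) is a square
    root of y, which without the factors of n is intractable to compute."""
    if b0 * b0 % n != a or b1 * b1 % n != a * y % n:
        raise ValueError("the two answers do not both verify against a")
    return b1 * pow(b0, -1, n) % n
```

For an honest prover the extracted root is x itself, since b1 · b0^{-1} = (rx) · r^{-1}; that is exactly why Vic must never receive both answers for the same a.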

General Fiat-Shamir scheme (ideas)
Do the simplified protocol t times in parallel, with one commitment per round:
  a_1 = r_1^2, …, a_t = r_t^2;  e = (e_1, …, e_t);  b_1 = r_1 x^{e_1}, …, b_t = r_t x^{e_t};  check b_i^2 = a_i y^{e_i} for each i.
Or use t secrets x_1, …, x_t (with y_i = x_i^2) and a single commitment:
  a = r^2;  e = (e_1, …, e_t);  b = r x_1^{e_1} ⋯ x_t^{e_t};  check b^2 = a y_1^{e_1} ⋯ y_t^{e_t}.

General Fiat-Shamir identification scheme
Public key: (n, y_1, …, y_t), where n = pq and y_i = x_i^2 (mod n).
Secret key: (x_1, …, x_t), where x_i ∈ Z_n^*.
Protocol: repeat the following k times:
1. Peggy → Vic: a = r^2, with r ∈ Z_n^* randomly chosen.
2. Vic → Peggy: e = (e_1, …, e_t) ∈ {0,1}^t, randomly chosen.
3. Peggy → Vic: b = r x_1^{e_1} ⋯ x_t^{e_t}.
4. Vic rejects if b^2 ≠ a y_1^{e_1} ⋯ y_t^{e_t}.

Remarks:
- Eve can succeed in cheating only if she guesses (e_1, …, e_t) correctly in each of the k iterations: Pr = 2^{-t} per iteration, 2^{-kt} overall.
- Same level of security for various k, t, if kt is constant.
- Still zero-knowledge for t = O(log log n) and k = O(log n). If t, k are too large, the simulator will no longer be polynomial in expected running time.
- Number of exchanged bits: k(2|n| + t).
- Number of multiplications: 2k(t + 1).
- Size of prover's secret: t|n|.

From an identification scheme to a signature scheme
We can always convert an interactive identification scheme into a digital signature scheme.
  commitment a = r^2;  challenge e;  response b = r x^e;  check b^2 = a y^e.
1. Compute a, e, b in that order (by the signer).
2. Involve m in e, and use (e, b) as the signature:
  e = hash(m, a);  signature(m) = (a, e, b) or just (e, b).

Fiat-Shamir signature scheme (k = 1)
Public key: (n, y_1, …, y_t), where n = pq and y_i = x_i^2 (mod n).
Secret key: (x_1, …, x_t), where x_i ∈ Z_n^*.
Hash function: h : {0,1}* → {0,1}^t.
Sign_sk(m) = (e, b):
1. choose r ∈ Z_n^* at random; let a = r^2.
2. compute e = h(m ∥ a) = (e_1, e_2, …, e_t).
3. compute b = r x_1^{e_1} ⋯ x_t^{e_t}.
Verify_pk(m, e, b): compute a = b^2 y_1^{-e_1} ⋯ y_t^{-e_t}, and accept iff e = h(m ∥ a).

Remarks: A straightforward but less interesting alternative is to include a in the signature, i.e., Sign_sk(m) = (a, e, b), and verify the signature by checking whether e = h(m ∥ a) and b^2 = a y_1^{e_1} ⋯ y_t^{e_t}.
In step 2 of the protocol, why is it important to include a in the computation of e = h(m ∥ a)?

Fiat-Shamir signature scheme (general k)
Public key: (n, y_1, …, y_t), where n = pq and y_i = x_i^2 (mod n).
Secret key: (x_1, …, x_t), where x_i ∈ Z_n^*.
Hash function: h : {0,1}* → {0,1}^{kt}.
Sign_sk(m) = (e, b):
1. choose r_1, …, r_k ∈ Z_n^* at random; let a_i = r_i^2, 1 ≤ i ≤ k.
2. compute e = h(m ∥ a_1 ∥ ⋯ ∥ a_k) = (e_ij), a k × t matrix of bits.
3. compute b = (b_1, …, b_k), with b_i = r_i x_1^{e_i1} ⋯ x_t^{e_it}, 1 ≤ i ≤ k.
Verify_pk(m, e, b): compute a_i = b_i^2 y_1^{-e_i1} ⋯ y_t^{-e_it}, 1 ≤ i ≤ k, and accept iff e = h(m ∥ a_1 ∥ ⋯ ∥ a_k).
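The general (k, t) signature scheme as an added example, not code from the slides. The toy modulus, t = 8 secrets, k = 4 commitments and SHA-256 as h (truncated to kt bits) are constructed choices; the challenge e is kept as the k × t bit matrix (e_ij) of the slide, and verification recomputes the a_i from (e, b) exactly as described.

```python
import hashlib
import math
import secrets

# Constructed toy parameters: n = pq with small primes, t secrets, k commitments.
P, Q = 1019, 1031
N = P * Q
T, K = 8, 4          # kt = 32 challenge bits


def rand_unit(n: int) -> int:
    """Uniform random element of Z_n^*."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r


def keygen(n: int, t: int):
    """Secret (x_1..x_t) in Z_n^*, public (y_1..y_t) with y_i = x_i^2 mod n."""
    xs = [rand_unit(n) for _ in range(t)]
    return xs, [x * x % n for x in xs]


def challenge_bits(m: bytes, commitments, k: int, t: int):
    """e = h(m || a_1 || ... || a_k) as a k x t matrix of bits (h = SHA-256 here,
    truncated to kt bits)."""
    h = hashlib.sha256(m)
    for a in commitments:
        h.update(a.to_bytes(4, "big"))          # the toy n fits in 4 bytes
    bits = int.from_bytes(h.digest(), "big")
    return [[(bits >> (i * t + j)) & 1 for j in range(t)] for i in range(k)]


def sign(n: int, xs, m: bytes, k: int):
    """Sign_sk(m) = (e, b) with b_i = r_i * prod_j x_j^(e_ij)."""
    t = len(xs)
    rs = [rand_unit(n) for _ in range(k)]
    commitments = [r * r % n for r in rs]
    e = challenge_bits(m, commitments, k, t)
    bs = []
    for i in range(k):
        b = rs[i]
        for j in range(t):
            if e[i][j]:
                b = b * xs[j] % n
        bs.append(b)
    return e, bs


def verify(n: int, ys, m: bytes, sig) -> bool:
    """Recompute a_i = b_i^2 * prod_j y_j^(-e_ij) and check e = h(m || a_1..a_k)."""
    e, bs = sig
    k, t = len(bs), len(ys)
    y_inv = [pow(y, -1, n) for y in ys]
    commitments = []
    for i in range(k):
        a = bs[i] * bs[i] % n
        for j in range(t):
            if e[i][j]:
                a = a * y_inv[j] % n
        commitments.append(a)
    return e == challenge_bits(m, commitments, k, t)
```

With kt = 32 a forged (e, b) for another message verifies with probability about 2^{-32}; a production parameter set makes kt at least the security level, and the a_i must be hashed in full (not truncated), which is the point of the question on the previous slide about including a in e.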

Zero-Knowledge Proof Systems

Zero knowledge
Let (P, V) be an interactive proof system for a language L. Informally, P is zero-knowledge if anything that can be efficiently computed by someone after interacting with P can also be efficiently computed without interacting with P.
Q: How to formally formulate this notion of zero-knowledge?
Notation: P, V: honest prover, honest verifier; V*: any verifier (honest or dishonest).
Common input: some public object (string) y. Peggy wishes to prove y ∈ L by showing that she knows some secret evidence x.

Transcripts
Messages from P to V: m_1, m_3, …; messages from V to P: m_2, m_4, ….
Transcript of the joint computation of P and V on common input y: tr_{P,V}(y) = (m_1, m_2, …, m_n).
A transcript is a random variable, depending on the random bits used by P and V during their executions.
Accepting transcript: one after which V outputs 1 after the last move.
If the proof system is complete and P does know the secret, then tr_{P,V}(y) is an accepting transcript.

Definition of (perfect) zero-knowledge
An interactive proof system (P, V) is zero-knowledge if there is a probabilistic simulator S(V*, y) such that
1. S runs in expected polynomial time;
2. for every verifier V* (honest or not) and input y, S(V*, y) generates a transcript t_{S(V*, y)};
3. for every y ∈ L, these two random variables have the same distribution:
   tr_{P,V*}(y) = (m_1, m_2, …, m_n) and t_{S(V*, y)} = (m_1', m_2', …, m_n').
(Assumption: the proof system is complete and sound, and P does know the secret.)

Remarks: A simulator S is an algorithm. Its input is a (public) object (string) y and a subroutine V*. S simulates the communication between P and V* without interacting with P. Since S does not interact with P, it obtains zero knowledge from P. Any information V* may acquire by interacting with P, he can produce with S without interacting with P. Thus, P does not reveal any knowledge about her secret by interacting with V* (except the fact that P knows x). Zero-knowledge is a property of P.

Simplified Fiat-Shamir is zero-knowledge
For any V* and y ∈ L = QR_n, tr_{P,V*}(y) = (a, e, b) ∈ QR_n × {0,1} × Z_n^* with b^2 = a y^e.
Simulator S(V*, y):
1. while true do
2.   select e' ∈ {0,1} and b ∈ Z_n^* uniformly at random
3.   a := b^2 y^{-e'}
4.   e := V*(a)
5.   if e = e' then return (a, e, b)

Expected running time of S(V*, y): Each iteration succeeds with probability 1/2, so the expected number of iterations is 2, and the expected running time is polynomial. What's the worst-case running time?

Now we show that (a, e, b) and (a', e', b') have the same distribution:
1. a and a' are both uniformly distributed over QR_n.
   a = r^2, where r ∈_R Z_n^*, is uniformly distributed over QR_n, since r ↦ r^2 is a 4-to-1 mapping from Z_n^* onto QR_n.
   a' = b^2 y^{-e'}, where e' ∈_R {0,1} and b ∈_R Z_n^*. Observe that b^2 is uniformly distributed over QR_n, and so is b^2 y^{-1} (since y ∈ QR_n is fixed). So a', which is b^2 with probability 1/2 and b^2 y^{-1} with probability 1/2, is uniformly distributed over QR_n.

2. The e in (a, e, b) and the e' in (a', e', b') have the same distribution.
   V*(a, y) generates e according to some distribution. The distribution of e' in the returned (a', e', b') is, for i ∈ {0,1}:
   Pr[e' = i in (a', e', b')] = Pr[e' = i | e' = e] = Pr(e' = i) Pr(e = i) / Pr(e' = e) = Pr(e = i),
   since Pr(e' = i) = 1/2 and Pr(e' = e) = 1/2.

3. b and b' are both uniformly distributed over Z_n^*.
   b = r x^e, where r ∈_R Z_n^*, x ∈ Z_n^* and e ∈ {0,1} is chosen according to V*; b' ∈_R Z_n^*.
4. b depends on (a, e) in the same way as b' depends on (a', e'): b^2 = a y^e and b'^2 = a' y^{e'}.
5. a and e are independent; so are a' and e'.
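The simulator S(V*, y) from the slides above, run against an honest verifier and against a dishonest one whose challenge depends on a, as an added example that is not code from the slides (the toy modulus n = 1019 · 1031 is constructed). `mean_iterations` checks the expected-running-time claim, and `challenge_frequencies` compares the challenge distribution of real and simulated transcripts for the same V*, which the proof above says must agree because a and a' are both uniform over QR_n.

```python
import math
import secrets

# Constructed toy parameters (as in the identification example): n = pq, y = x^2.
P, Q = 1019, 1031
N = P * Q


def rand_unit(n: int) -> int:
    """Uniform random element of Z_n^*."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r


def accepting(n: int, y: int, a: int, e: int, b: int) -> bool:
    """(a, e, b) is an accepting transcript iff b^2 = a y^e."""
    return b * b % n == a * pow(y, e, n) % n


def simulate(n: int, y: int, verifier):
    """S(V*, y): guess e', pick b uniformly, set a = b^2 y^(-e'), ask V* for its
    challenge e and keep the transcript only when e = e'.  Returns the
    transcript and the number of loop iterations used."""
    y_inv = pow(y, -1, n)
    iterations = 0
    while True:
        iterations += 1
        e_guess = secrets.randbelow(2)
        b = rand_unit(n)
        a = b * b * pow(y_inv, e_guess, n) % n
        e = verifier(a)
        if e == e_guess:
            return (a, e, b), iterations


def real_transcript(n: int, y: int, x: int, verifier):
    """What Peggy (who knows x) and V* actually produce."""
    r = rand_unit(n)
    a = r * r % n
    e = verifier(a)
    return a, e, r * pow(x, e, n) % n


def honest_verifier(a: int) -> int:
    return secrets.randbelow(2)


def biased_verifier(a: int) -> int:
    """A dishonest V*: its challenge is a function of the commitment."""
    return a & 1


def mean_iterations(n: int, y: int, verifier, samples: int = 3000) -> float:
    """Empirical expected number of loop iterations (the slide says 2)."""
    return sum(simulate(n, y, verifier)[1] for _ in range(samples)) / samples


def challenge_frequencies(n: int, y: int, x: int, verifier, samples: int = 3000):
    """Fraction of e = 1 in real and in simulated transcripts for the same V*."""
    real = sum(real_transcript(n, y, x, verifier)[1] for _ in range(samples)) / samples
    sim = sum(simulate(n, y, verifier)[0][1] for _ in range(samples)) / samples
    return real, sim
```

The loop terminates in about two iterations even for `biased_verifier`, because a' is uniform over QR_n whatever e' was guessed, so V*'s challenge cannot correlate with the guess; that independence is step 1 of the proof above.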

Schnorr's Identification Scheme: another example of a zero-knowledge interactive proof system, a proof of knowledge of a discrete logarithm.

Schnorr's identification scheme: Proof-Log(g, y)
System setup: p, q large primes, with q | (p − 1); G_q = ⟨g⟩ the unique subgroup of order q of Z_p^*; g any generator of G_q; y = g^x for some x ∈_R Z_q; (x, y) Peggy's private and public keys.
Problem: Peggy wishes to prove that she knows x.
Protocol:
1. Peggy → Vic: a := g^r, where r ∈_R Z_q. (commitment)
2. Vic → Peggy: c ∈_R Z_q. (challenge)
3. Peggy → Vic: b := r + cx. (response)
4. Vic accepts iff a = g^b y^{-c}.

Completeness: trivial.
Soundness: Eve can cheat with Pr = 1/q by guessing a c, committing a := g^b y^{-c}, and responding with b.
Eve cannot cheat with probability non-negligibly greater than 1/q. Otherwise, with non-negligible probability she can choose an a for which she can compute b and b' to successfully answer two distinct challenges c and c':
  a = g^b y^{-c} and a = g^{b'} y^{-c'},
from which she can compute log_g y = (b − b')(c − c')^{-1}.

Honest-verifier zero-knowledge:
Accepting transcripts: (a, c, b) with a = g^b y^{-c}.
- a = g^r ∈ G_q, with r ∈_R Z_q, is uniformly distributed.
- c ∈_R Z_q, generated by an honest V, is uniformly distributed.
- b = r + cx ∈ Z_q is uniformly distributed.
- a, c are independent; b depends on (a, c) by a = g^b y^{-c}.
Simulator(g, y, V):
1. select b̃ ∈ Z_q uniformly;
2. select c̃ ∈ Z_q uniformly;
3. let ã := g^{b̃} y^{-c̃}, and return (ã, c̃, b̃).
(ã, c̃, b̃) has the same distribution as (a, c, b).

Remarks: If the verifier, say V*, is not honest, he may choose c non-uniformly.
Q: does the following simulator serve to prove Schnorr's scheme zero-knowledge?
Simulator(g, y, V*):
1. select b ∈ Z_q uniformly;
2. select c according to V*'s strategy;
3. let a := g^b y^{-c}, and return (a, c, b).

What about this simulator?
Simulator S(g, y, V*):
  while true do
    select c', b ∈ Z_q uniformly at random
    a := g^b y^{-c'}
    c := V*(a)
    if c = c' then return (a, c, b)
Schnorr's identification scheme is an interactive proof system for what language?

Schnorr's signature scheme: ProofLog(m, g, y)
Use Fiat-Shamir's standard method to convert an interactive identification scheme into a signature scheme. Idea: use a hash function h : {0,1}* → Z_q to compute a challenge c from the commitment a and the message m.
To sign message m:
1. Compute a := g^r, where r ∈_R Z_q.
2. Compute c := h(m ∥ a).
3. Compute b := r + cx.
4. Sign(m) := (c, b).
5. Verify(m, c, b) = true iff c = h(m ∥ g^b y^{-c}).

Remark: If the same commitment a is used to sign two different messages, then the secret x is revealed. Reason:
  a = g^{b_1} y^{-c_1} = g^{b_2} y^{-c_2}  ⇒  g^{b_1 − x c_1} = g^{b_2 − x c_2}  ⇒  x = (b_1 − b_2)(c_1 − c_2)^{-1} (mod q).
This property will be used in digital cash.
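Schnorr identification and signature, plus the remark above about reusing a commitment, as an added example that is not code from the slides. The group (q = 1019, p = 2q + 1 = 2039, g = 4, which generates the order-q subgroup), SHA-256 as h and the 2-byte encoding of a are constructed for the demo; a real deployment uses a group with a ~256-bit q.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are prime, and g = 4
# generates the order-q subgroup G_q of Z_p^*.
P, Q, G = 2039, 1019, 4


def keygen():
    """Peggy's keys: private x in Z_q, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Step 1: commitment a = g^r; Peggy keeps r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def respond(x: int, r: int, c: int) -> int:
    """Step 3: response b = r + c*x mod q."""
    return (r + c * x) % Q


def accept(y: int, a: int, c: int, b: int) -> bool:
    """Step 4: Vic accepts iff a = g^b * y^(-c) mod p."""
    return a == pow(G, b, P) * pow(y, -c, P) % P


def hash_to_zq(m: bytes, a: int) -> int:
    """h: {0,1}* -> Z_q, here SHA-256 of m || a reduced modulo q."""
    digest = hashlib.sha256(m + a.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x: int, m: bytes):
    """Schnorr signature (c, b): the challenge is replaced by c = h(m || a)."""
    r, a = commit()
    c = hash_to_zq(m, a)
    return c, respond(x, r, c)


def verify(y: int, m: bytes, sig) -> bool:
    """Recompute a = g^b y^(-c) and check c = h(m || a)."""
    c, b = sig
    a = pow(G, b, P) * pow(y, -c, P) % P
    return c == hash_to_zq(m, a)


def recover_from_repeated_commitment(sig1, sig2) -> int:
    """Slide remark: two signatures made with the same commitment a (same r) on
    messages with different hashes c1 != c2 satisfy b1 - x c1 = b2 - x c2, so
    x = (b1 - b2)(c1 - c2)^(-1) mod q.  This is why a signer must draw a fresh r
    for every signature and must never fall back to a fixed or predictable one."""
    (c1, b1), (c2, b2) = sig1, sig2
    if c1 == c2:
        raise ValueError("challenges coincide; nothing to solve")
    return (b1 - b2) * pow((c1 - c2) % Q, -1, Q) % Q
```

`recover_from_repeated_commitment` is the defender's reason to audit the nonce source of any Schnorr-style signer: the remark's consequence is that one repeated r leaks the whole private key from two public signatures.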

Proving Equality of Logs: ProofLogEq(g, y, h, z) (an extension of ProofLog)
Problem: Given g, y, h, z such that log_g y = log_h z (= x), Peggy wishes to prove that she knows the secret x.
Protocol:
1. Peggy → Vic: (a_1, a_2) := (g^r, h^r), where r ∈_R Z_q.
2. Vic → Peggy: c ∈ Z_q, uniformly chosen at random.
3. Peggy → Vic: b := r + cx.
4. Vic accepts iff a_1 = g^b y^{-c} and a_2 = h^b z^{-c}.

An application of ProofLogEq(g, y, h, z)
In a protocol, Alice is required to post a value z := h^x, where x is Alice's secret and h is some generator of G_q. When Alice posts (h, z), how can she prove that she did compute z as prescribed?
Solution: Public info: g, y, where y = g^x. When posting z, Alice proves log_g y = log_h z.

Non-interactive version: log_g y = log_h z
Fiat-Shamir method: use a collision-resistant hash function hash : {0,1}* → Z_q to compute the challenge.
Protocol:
1. Let (a_1, a_2) := (g^r, h^r), with r ∈_R Z_q.
2. Let c := hash(g ∥ h ∥ y ∥ z ∥ a_1 ∥ a_2).
3. Let b := r + cx (mod q).
4. Accept iff c = hash(g ∥ h ∥ y ∥ z ∥ g^b y^{-c} ∥ h^b z^{-c}).
Remark: This protocol will be used in electronic voting.
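ProofLogEq in its non-interactive form, with the application from the previous slide (posting z = h^x together with a proof), as an added example that is not code from the slides. The toy group (p = 2039, q = 1019, g = 4) and SHA-256 as `hash` are constructed choices, and `random_generator` is a helper of this example.

```python
import hashlib
import secrets

# Constructed toy group, as in the Schnorr example: p = 2039, q = 1019, g = 4.
P, Q, G = 2039, 1019, 4


def random_generator() -> int:
    """h = g^k for a random k != 0 is another generator of G_q (q is prime)."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)


def hash_to_zq(*elements: int) -> int:
    """hash: {0,1}* -> Z_q over the encoded group elements (SHA-256 here)."""
    data = b"".join(e.to_bytes(2, "big") for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_log_eq(g: int, h: int, y: int, z: int, x: int):
    """Non-interactive ProofLogEq for log_g y = log_h z = x; the proof is (c, b)."""
    r = secrets.randbelow(Q)
    a1, a2 = pow(g, r, P), pow(h, r, P)            # step 1: commitments
    c = hash_to_zq(g, h, y, z, a1, a2)              # step 2: hashed challenge
    b = (r + c * x) % Q                             # step 3: response
    return c, b


def verify_log_eq(g: int, h: int, y: int, z: int, proof) -> bool:
    """Step 4: accept iff c = hash(g, h, y, z, g^b y^-c, h^b z^-c)."""
    c, b = proof
    a1 = pow(g, b, P) * pow(y, -c, P) % P
    a2 = pow(h, b, P) * pow(z, -c, P) % P
    return c == hash_to_zq(g, h, y, z, a1, a2)


def post_with_proof(x: int, h: int):
    """Slide application: Alice's public y = g^x is known; when she posts z = h^x
    she attaches a proof that z was formed with the same x."""
    y, z = pow(G, x, P), pow(h, x, P)
    return y, z, prove_log_eq(G, h, y, z, x)
```

Hashing g, h, y and z into c, not only a_1 and a_2, binds the proof to the statement being proved; a verifier that reuses a proof for a different (y, z) would otherwise be fooled.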

Proving Partial Equality of Logarithms
Problem: Given g, h, y_1, y_2, z_1, z_2, Peggy wishes to prove that (at least) one of the two equalities
  log_g y_1 = log_h z_1 (= x_1),
  log_g y_2 = log_h z_2 (= x_2)
is true, without revealing which one she proves. (If y_1 = y_2, then she proves exactly one of the two equalities.)
Note: this protocol will be used in electronic voting.

Possible final exam question
First consider this easier problem and protocol.
Problem: Peggy proves that she knows log_g y_1 or log_g y_2, without revealing which.
Case: Peggy knows x_1 = log_g y_1 (the other case is symmetric).
1. Peggy chooses w, r_2, d_2 ∈_R Z_q and sends a_1 := g^w, a_2 := g^{r_2} y_2^{d_2}.
2. Vic sends c ∈_R Z_q.
3. Peggy sets d_1 := c − d_2 and r_1 := w − d_1 x_1, and sends (d_1, d_2, r_1, r_2).
4. Vic checks c = d_1 + d_2, g^{r_1} y_1^{d_1} = a_1 and g^{r_2} y_2^{d_2} = a_2.
Case: Peggy knows x_2 = log_g y_2: choose w, r_1, d_1 ∈_R Z_q; a_1 := g^{r_1} y_1^{d_1}, a_2 := g^w; after receiving c, d_2 := c − d_1 and r_2 := w − d_2 x_2.

Proving partial equality of logarithms: protocol
Case: Peggy knows x = log_g y_1 = log_h z_1 (the other case is symmetric).
1. Peggy chooses w, r_2, d_2 ∈_R Z_q and sends
   a_1 := g^w, b_1 := h^w, a_2 := g^{r_2} y_2^{d_2}, b_2 := h^{r_2} z_2^{d_2}.
2. Vic sends c ∈_R Z_q.
3. Peggy sets d_1 := c − d_2 and r_1 := w − x d_1, and sends (d_1, d_2, r_1, r_2).
4. Vic checks c = d_1 + d_2, g^{r_1} y_1^{d_1} = a_1, h^{r_1} z_1^{d_1} = b_1, g^{r_2} y_2^{d_2} = a_2 and h^{r_2} z_2^{d_2} = b_2.
Case: Peggy knows x = log_g y_2 = log_h z_2: choose w, r_1, d_1 ∈_R Z_q; a_1 := g^{r_1} y_1^{d_1}, b_1 := h^{r_1} z_1^{d_1}, a_2 := g^w, b_2 := h^w; after receiving c, d_2 := c − d_1 and r_2 := w − x d_2.
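The disjunctive protocol above, as an added example that is not code from the slides. Branch indices are 0 and 1 instead of 1 and 2, the toy group (p = 2039, q = 1019, g = 4) is constructed, and `run_partial_eq` plays Vic with a uniformly random challenge; the simulated branch is built exactly as in step 1 and the real branch answered as in step 3.

```python
import secrets

# Constructed toy group shared with the other examples: p = 2039, q = 1019, g = 4.
P, Q, G = 2039, 1019, 4


def commit_partial(g, h, ys, zs, i, x):
    """Step 1.  Peggy knows x = log_g ys[i] = log_h zs[i] for one index i in {0, 1};
    branch j = 1 - i is simulated with random r_j, d_j.  Returns Peggy's private
    state and the public commitment (a_1, b_1, a_2, b_2)."""
    j = 1 - i
    w, r_j, d_j = (secrets.randbelow(Q) for _ in range(3))
    a = [None, None]
    b = [None, None]
    a[i], b[i] = pow(g, w, P), pow(h, w, P)
    a[j] = pow(g, r_j, P) * pow(ys[j], d_j, P) % P
    b[j] = pow(h, r_j, P) * pow(zs[j], d_j, P) % P
    state = {"i": i, "x": x, "w": w, "r_j": r_j, "d_j": d_j}
    return state, (a[0], b[0], a[1], b[1])


def respond_partial(state, c):
    """Step 3: split the challenge, d_i = c - d_j, and answer the real branch with
    r_i = w - x d_i.  Returns (d_1, d_2, r_1, r_2)."""
    i, j = state["i"], 1 - state["i"]
    d = [None, None]
    r = [None, None]
    d[j], r[j] = state["d_j"], state["r_j"]
    d[i] = (c - d[j]) % Q
    r[i] = (state["w"] - state["x"] * d[i]) % Q
    return d[0], d[1], r[0], r[1]


def verify_partial(g, h, ys, zs, commitment, c, response) -> bool:
    """Step 4: c = d_1 + d_2 and both branches verify against the commitment."""
    a1, b1, a2, b2 = commitment
    d1, d2, r1, r2 = response
    if (d1 + d2) % Q != c % Q:
        return False
    return (a1 == pow(g, r1, P) * pow(ys[0], d1, P) % P
            and b1 == pow(h, r1, P) * pow(zs[0], d1, P) % P
            and a2 == pow(g, r2, P) * pow(ys[1], d2, P) % P
            and b2 == pow(h, r2, P) * pow(zs[1], d2, P) % P)


def run_partial_eq(g, h, ys, zs, i, x) -> bool:
    """One interactive run with Vic choosing c uniformly from Z_q."""
    state, commitment = commit_partial(g, h, ys, zs, i, x)
    c = secrets.randbelow(Q)
    return verify_partial(g, h, ys, zs, commitment, c, respond_partial(state, c))
```

Vic sees (d_1, d_2, r_1, r_2) with d_1 + d_2 = c, and both pairs look alike: the simulated branch has uniformly random d_j and r_j, and the real branch has d_i = c − d_j, also uniform, so the transcript does not tell which branch was real.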

Commitment Schemes

Commitment schemes
Two parties: sender S and receiver R.
Scheme:
1. Commit: S sends a message c, committed to a bit b.
2. Reveal: S sends an additional message m to reveal b'.
3. Verify: R(c, m) accepts iff the committed bit b equals the revealed bit b'.
Security requirements:
1. Hiding: R cannot learn anything about b from c.
2. Binding: S cannot change the committed bit without being detected.

Hiding:
- Computationally hiding: cannot in polynomial time.
- Unconditionally hiding: absolutely cannot.
Binding:
- Computationally binding: cannot in polynomial time.
- Unconditionally binding: absolutely cannot.

An application: coin tossing by email or phone
Problem: Alice and Bob want to toss a coin by email to decide who wins.
Protocol:
1. Alice sends c to Bob, committed to a random bit b.
2. Bob generates a random bit b' and sends it to Alice.
3. Alice sends her committed bit b to Bob (reveal).
4. Bob verifies that R(c, b) accepts, and both parties agree on the outcome b ⊕ b'.
Note: if b or b' is random then b ⊕ b' is random.

Using symmetric encryption
Protocol:
1. Commit: To commit a value m, Alice sends c := E_k(m) to Bob, where k is a symmetric encryption key chosen by Alice.
2. Reveal: Alice sends k to Bob.
3. Verify: Bob accepts the value m := D_k(c).
Question: does it meet the hiding and binding requirements?

Using public-key encryption
Protocol:
1. Commit: To commit a value m, Alice generates a pair of keys (pk, sk), and sends c := E_pk(m) along with pk (and system parameters) to Bob.
2. Reveal: Alice sends Bob m and the random coins used in her computation of E_pk(m).
3. Verify: Bob accepts m if E_pk(m) = c using the revealed random coins.
Question: Does it meet the hiding and binding requirements?

Quadratic Residues
Let n = pq, with p and q large primes.
QR_n = the subgroup of quadratic residues in Z_n^* (elements of Z_n^* which are a square).
QNR_n = Z_n^* ∖ QR_n = the quadratic non-residues in Z_n^*.
Euler's criterion: for a prime p > 2 and x ∈ Z_p^*, x^{(p−1)/2} mod p ∈ {1, −1}.
Legendre symbol: (x/p) = 1 if [x] ∈ QR_p (x is a square); −1 if [x] ∈ QNR_p (not a square); 0 if [x] = 0.
Jacobi symbol: (x/n) = (x/p)(x/q).

Quadratic Residues (cont'd)
Thus, (x/n) = 1 iff (x/p) = (x/q).
x is a quadratic residue in Z_n^* iff (x/p) = (x/q) = 1.
If (x/n) = −1, then x is not a quadratic residue in Z_n^*.
If (x/n) = 1, x may or may not be a quadratic residue in Z_n^*.
Quadratic residuosity assumption: without knowing the factors of n = pq, it is intractable to determine whether an x ∈ Z_n^* with (x/n) = 1 is a quadratic residue.
QNR_n^1 = the set of quadratic non-residues in Z_n^* with Jacobi symbol 1.

Quadratic Residues (cont'd)
Let n = pq; p and q large primes. Suppose Z_p^* = {g^0, g^1, g^2, …, g^{p−2}} and Z_q^* = {h^0, h^1, h^2, …, h^{q−2}}, where g and h are generators of Z_p^* and Z_q^*, respectively.
QR_p = {g^0, g^2, …, g^{p−3}} and QNR_p = {g^1, g^3, …, g^{p−2}}.
QR_q = {h^0, h^2, …, h^{q−3}} and QNR_q = {h^1, h^3, …, h^{q−2}}.
QR_n = ?  QNR_n = ?  QNR_n^1 = ?

QR-based commitment scheme (ideas)
Let b be the committed bit, b ∈ {0,1}. Bind b to a predicate (T or F) which is hard to determine.
Quadratic residuosity assumption: without knowing the factors of n = pq, it is intractable to determine whether an x ∈ Z_n^* with (x/n) = 1 is a quadratic residue.
Use b to produce a number x with (x/n) = 1 such that
  b = 0 ⇔ x is a quadratic residue,
  b = 1 ⇔ x is not a quadratic residue.

QR-based commitment scheme
1. System setup: S chooses n = pq and g ∈ QNR_n^1.
2. Commit (S → R): (n, g, c), where c := r^2 g^b, r ∈_R Z_n^*, and b is the bit being committed.
3. Reveal (S → R): (p, q, r, b).
4. Verify: R accepts b if n = pq, r ∈ Z_n^*, g ∈ QNR_n^1 and c = r^2 g^b.
Remark: To generate g ∈ QNR_n^1, choose g such that (g/p) = (g/q) = −1. R needs p, q to verify that g is not a square. Or, w/o revealing p, q, S could prove that g is not a square.

Security
1. (Computational) Hiding: c := r^2 g^b is a random element c with (c/n) = 1. Further, c is a square (c ∈ QR_n) iff b = 0. If R can tell whether b = 0, then he can tell whether c is a square, contradicting the QR assumption.
2. (Unconditional) Binding: Once S is committed to c, c is either a square or a non-square. S cannot change her commitment without being caught.
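Legendre and Jacobi symbols and the QR-based commitment scheme as an added example that is not code from the slides; the toy primes p = 1019, q = 1031 are constructed. `jacobi` uses quadratic reciprocity, so it is what R can compute without the factors; `is_square` is what the factors reveal, and the two together illustrate the hiding and binding arguments above.

```python
import math
import secrets

# Constructed toy primes; a real modulus n = pq would be ~2048 bits.
P, Q = 1019, 1031
N = P * Q


def legendre(x: int, p: int) -> int:
    """Euler's criterion: x^((p-1)/2) mod p is 1 (square), p-1 (non-square) or 0."""
    v = pow(x, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def jacobi(x: int, n: int) -> int:
    """Jacobi symbol (x/n) for odd n > 0, computed without knowing the factors of n
    (quadratic reciprocity).  For n = pq it equals (x/p)(x/q)."""
    x %= n
    result = 1
    while x:
        while x % 2 == 0:
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0


def is_square(x: int, p: int, q: int) -> bool:
    """With the factors: x is in QR_n iff (x/p) = (x/q) = 1."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def find_qnr1(p: int, q: int) -> int:
    """Smallest g with (g/p) = (g/q) = -1: Jacobi symbol 1 but not a square."""
    g = 2
    while not (legendre(g, p) == -1 and legendre(g, q) == -1):
        g += 1
    return g


def commit(n: int, g: int, b: int):
    """Commit step: c = r^2 g^b for random r in Z_n^*.  Returns c and the opening."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return r * r * pow(g, b, n) % n, (r, b)


def verify(n: int, g: int, c: int, p: int, q: int, r: int, b: int) -> bool:
    """Reveal/verify step with (p, q, r, b): check the setup and c = r^2 g^b."""
    return (n == p * q and math.gcd(r, n) == 1 and b in (0, 1)
            and legendre(g, p) == -1 and legendre(g, q) == -1
            and c == r * r * pow(g, b, n) % n)
```

Without p and q the receiver only sees that (c/n) = 1 for either bit, which is the hiding argument; once p and q are revealed, `is_square(c)` is fixed, which is the binding argument.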

Proving Quadratic Non-Residuosity (if S does not reveal p, q)
Problem: Peggy wishes to prove that g ∈ QNR_n (g is not a square). (Assume (g/n) = 1, and Peggy wants to convince Vic of that.)
1. V → P: a := r^2 g^b, where r ∈_R Z_n^* and b ∈_R {0,1}.
2. P → V: b' := 0 if a ∈ QR_n, 1 if a ∉ QR_n.
3. Verify: Vic accepts the proof if b' = b.
Idea: If g ∈ QNR_n, P can always tell b. What if g ∉ QNR_n?

DL-based commitment scheme
1. System setup (known to S and R): p, q large primes, with q | (p − 1); G_q: the unique subgroup of order q of Z_p^*; g, h: generators of G_q, with h random; G_q = {g^0, g^1, g^2, …, g^{q−1}} = {h^0, h^1, h^2, …, h^{q−1}}.
2. Commit (S → R): c := g^r h^m, where r ∈_R Z_q, and m ∈ Z_q is the value being committed.
3. Reveal (S → R): (r, m).
4. Verify: R accepts m if c = g^r h^m.

Security
1. (Unconditional) Hiding: For any m, c = g^r h^m is uniformly distributed over G_q; hence, m is perfectly hidden from R.
2. (Computational) Binding: S can change her commitment iff she knows (r', m') ≠ (r, m), with m' ≠ m, such that
   g^r h^m = g^{r'} h^{m'}  ⇒  g^{r − r'} = h^{m' − m}  ⇒  log_g h = (r − r')(m' − m)^{-1} (mod q),
   contradicting the DL assumption.
Note: computations like g^r h^m are done modulo p; exponents and logarithms are computed modulo q.

Q: What if we change the commitment to the following?
$c := h^m$ (without using $g$)
$c := g^{r+m}$ (namely, $g = h$)
Q: Who should generate $p, q, g, h$?

Impossibility of unconditional binding & hiding
It is impossible to have a commitment scheme which is both unconditionally binding and unconditionally hiding.
Otherwise, let $C: \{0,1\}^n \times \{0,1\} \to \{0,1\}^s$ be such a scheme.
$C$ is unconditionally hiding $\Rightarrow$ when $S$ sends a commitment $c := C(r, b)$, there exists $(r', b')$, $b' \neq b$, s.t. $C(r', b') = c$. (Otherwise, $R$ can find $b$ by computing a pre-image of $c$.)
$C$ is unconditionally binding $\Rightarrow$ there exists no such $(r', b')$ (otherwise, $S$ can find it and change her commitment).

Secret Sharing

Threshold secret sharing
$(t, n)$-threshold secret sharing scheme, $t \le n$: A secret $s$ is divided by a trusted authority into $n$ shares $s_i$, each given to a user $u_i$, $1 \le i \le n$.
Any $t$ or more users together can recover $s$.
$t-1$ or fewer users cannot recover $s$.

Shamir's threshold secret sharing scheme
1. Select a prime $p > \max(s, n)$.
2. Construct a $(t-1)$-degree polynomial $f(x) = \sum_{i=0}^{t-1} a_i x^i$, where $a_0 = s$ and $a_1, \ldots, a_{t-1} \in_R \mathbb{Z}_p$.
3. Choose $n$ distinct values $x_1, \ldots, x_n \in \mathbb{Z}_p^*$.
4. Share $s_i = (x_i, y_i)$, where $y_i = f(x_i) \bmod p$, $1 \le i \le n$.

Given $t$ shares $(x_i, y_i)$, $i \in J$, where $|J| = t$, $f(x)$ and $s$ can be recovered using Lagrange's interpolation formula:
$f(x) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x - x_j}{x_i - x_j}$
and
$s = a_0 = f(0) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x_j}{x_j - x_i}$.

Electronic Vote

A multi-authority election scheme
1. Participants: a trusted center, $n$ authorities, $m$ voters.
2. Participants post their messages to a bulletin board.
3. The trusted center sets up parameters for the scheme.
4. Each vote, yes or no, is encrypted using a homomorphic public-key cryptosystem (e.g. ElGamal).
5. The decryption key $s$ is shared among $n$ authorities using a $(t, n)$-threshold scheme.
6. If $t$ authorities are honest, the votes can be tallied correctly without decrypting individual votes.

System setup (by the trusted center)
1. For ElGamal encryption (same as in Schnorr's ID scheme): choose two large primes $p$ and $q$ such that $q \mid (p-1)$; choose an element $g \in \mathbb{Z}_p^*$ of order $q$, $G_q = \langle g \rangle \subseteq \mathbb{Z}_p^*$; choose a secret key $s \in \mathbb{Z}_q$ and compute the public key $h := g^s \bmod p$.
2. For Shamir's $(t, n)$-threshold scheme: choose a $(t-1)$-degree polynomial $f(x) = \sum_{i=0}^{t-1} a_i x^i$ with $a_0 = s$; let $x_i := i$, $s_i := f(x_i)$, $h_i := g^{s_i}$, $1 \le i \le n$; give the share $(x_i, s_i)$ to authority $A_i$.
3. Publish $(p, q, g, h, h_1, \ldots, h_n)$ on the bulletin board.

Vote casting
Each voter $V_i$ casts his vote $v_i \in \{1, -1\}$ as
$c_i := (c_{i,1}, c_{i,2}) = (g^{r_i},\ h^{r_i} g^{v_i})$
on the bulletin board, where $v_i$ is encoded as $g^{v_i}$ and then encrypted using ElGamal encryption. $c_i$ is signed by $V_i$.
$V_i$ also has to prove that he forms $c_i$ correctly, or his vote will be invalid: prove $c_i = (g^{r_i}, h^{r_i} g^{v_i})$ with $v_i \in \{1, -1\}$ without revealing its value.

Tally the vote w/o decrypting ballots
Everyone can compute
$c = (c_1, c_2) := \prod_{i=1}^{m} (c_{i,1}, c_{i,2}) = \left(\prod_{i=1}^{m} c_{i,1},\ \prod_{i=1}^{m} c_{i,2}\right) = \left(g^{\sum_i r_i},\ h^{\sum_i r_i} g^{\sum_i v_i}\right)$,
which is an encryption of $g^d$, with $d = \sum_i v_i$ being the difference between yes-votes and no-votes.
Decrypt $c$ to recover $g^d$. Find $d$ by brute force, comparing $g^d$ with $g^0, g^1, g^2, \ldots$.

Decrypting $c = (c_1, c_2)$ without knowing $s$
Q: Why is it required to decrypt $c$ without knowing $s$?
To decrypt, recall $D_s(c) := c_2 c_1^{-s}$, and, for any group $J$ of $t$ honest authorities,
$s = \sum_{i \in J} \lambda_i s_i$, where $\lambda_i = \prod_{j \in J \setminus \{i\}} \frac{x_j}{x_j - x_i}$.
Thus, $c_1^{s} = \prod_{i \in J} \left(c_1^{s_i}\right)^{\lambda_i} = \prod_{i \in J} w_i^{\lambda_i}$, where $w_i := c_1^{s_i}$.
(This requires each authority $A_i$ to post $(x_i, w_i)$ and prove her honesty.)
Everyone can check if there is a set $J$ of $t$ honest authorities, and if so, compute the coefficients $\{\lambda_i : i \in J\}$ and then compute $c_1^s$ as above.
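As an added example (not code from the lecture notes) covering both Shamir's scheme above and the threshold decryption of the homomorphic tally on this slide: the key is shared as $(i, f(i))$, each authority posts $w_i = c_1^{s_i}$, and $c_1^s$ is assembled from $t$ partial values with the Lagrange coefficients $\lambda_i$, so $s$ itself is never reconstructed. Parameters are constructed small values ($p = 167$, $q = 83$, $g = 4$); votes are encoded as $g^{v}$ with $v \in \{1, -1\}$.

```python
# Added example (not from the lecture notes): Shamir sharing of the ElGamal key and
# threshold decryption of the tally. Constructed parameters: p = 167, q = 83, g = 4.
import secrets

P, Q, G = 167, 83, 4


def lagrange_at_zero(xs, i):
    """lambda_i = prod_{j in xs, j != i} x_j / (x_j - x_i) mod q."""
    num = den = 1
    for j in xs:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def share(s, t, n, coeffs=None):
    """Shares {i: f(i)} of a degree-(t-1) polynomial over Z_q with f(0) = s."""
    a = [s] + (coeffs if coeffs else [secrets.randbelow(Q) for _ in range(t - 1)])
    return {i: sum(a[k] * pow(i, k, Q) for k in range(t)) % Q for i in range(1, n + 1)}


def recover(shares):
    """Plain Shamir recovery s = sum_i y_i * lambda_i (used only to check sharing)."""
    return sum(y * lagrange_at_zero(shares.keys(), x) for x, y in shares.items()) % Q


def encrypt_vote(h, v, r=None):
    """ElGamal ballot (g^r, h^r g^v) for v in {1, -1}."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), pow(h, r, P) * pow(G, v % Q, P) % P


def tally(ciphertexts):
    """Homomorphic product: an encryption of g^d, d = sum of the votes."""
    c1 = c2 = 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def partial_decrypt(c1, s_i):
    """w_i = c1^{s_i}, what authority A_i posts (with a proof, omitted here)."""
    return pow(c1, s_i, P)


def combine(c, partials, max_abs=Q // 2):
    """Recover d from t partials: c1^s = prod w_i^{lambda_i}, then g^d = c2 / c1^s."""
    c1, c2 = c
    c1_s = 1
    for i, w in partials.items():
        c1_s = c1_s * pow(w, lagrange_at_zero(partials.keys(), i), P) % P
    gd = c2 * pow(c1_s, -1, P) % P
    for d in range(-max_abs, max_abs + 1):      # brute-force the small exponent
        if pow(G, d % Q, P) == gd:
            return d
    raise ValueError("tally exponent not found")
```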

Authority's proof of honesty
Each authority $A_i$ has to prove that she really posts $w_i = c_1^{s_i}$, where $s_i$ is her share of the secret key $s$.
Recall that $h_i = g^{s_i}$ was published on the bulletin board.
Thus, $A_i$ can prove her honesty by showing $\log_{c_1} w_i = \log_g h_i$.
This can be done using the non-interactive version of proving equal logarithms.

Voter's proof of honesty
Each voter has to prove that his vote is of the form $(c_1, c_2) = (g^r, h^r g^v)$, with $v \in \{1, -1\}$.
That is, prove $(c_1, c_2 g^{-v}) = (g^r, h^r)$. Depending on his vote:
if $v = 1$, he proves $\log_g c_1 = \log_h (c_2 g^{-1})$;
if $v = -1$, he proves $\log_g c_1 = \log_h (c_2 g)$.
Also, he doesn't want to reveal which one is proved. A problem of Proving Partial Equality of Logarithms.

Extension to multi-way elections
If there are $l$ candidates, choose $l$ generators $g_1, \ldots, g_l$ in $G_q$, and encode candidate $i$ by $g_i$.
Voter $V_i$ encrypts his vote $v_i \in \{g_1, \ldots, g_l\}$ as $c_i = (c_{i,1}, c_{i,2}) := (g^{r_i}, h^{r_i} v_i)$, where $r_i \in_R \mathbb{Z}_q$.
Tally: Compute
$(c_1, c_2) = \left(\prod_{i=1}^{m} c_{i,1}, \prod_{i=1}^{m} c_{i,2}\right) = \left(g^{\sum_i r_i},\ h^{\sum_i r_i} g_1^{d_1} \cdots g_l^{d_l}\right)$,
where $d_i$ is the number of votes for candidate $i$.
Decrypting $(c_1, c_2)$ yields $g_1^{d_1} \cdots g_l^{d_l}$. Find the exponents $(d_1, \ldots, d_l)$ by searching.

Eliminate the trusted center
Let the authorities jointly do the trusted center's job.
All authorities run the same algorithm to generate $p, q, g$. (This needs a common random input.)
Generate a secret key $s \in \mathbb{Z}_q$ and public key $h = g^s$ with $s$ known to nobody.
Share $s$ among the authorities using a polynomial $f(x)$. Authority $A_i$'s share is $s_i = f(i)$. Let $h_i = g^{s_i}$, $1 \le i \le n$.

Generate a common random string
When $n$ users wish to run the same probabilistic algorithm to generate the same output, they need a common random string as input to the algorithm. They generate such a string jointly:
- user $A_i$ chooses a random string $r_i$, computes a commitment $c_i := C(r_i)$, and posts $c_i$ to a bulletin board.
- after all users have posted their commitments, each user opens his commitment.
- let $r := \bigoplus_{1 \le i \le n} r_i$ be the common random string.

Generate ElGamal keys jointly
Want to jointly choose a secret key $s$ and public key $h = g^s$ for ElGamal encryption, with $s$ known to nobody.
Authority $A_i$ chooses $s_i \in_R \mathbb{Z}_q$; computes $h_i := g^{s_i}$; commits $c_i := C(h_i)$.
After all users have posted their commitments, each user opens its commitment.
Let $s := \sum_{i=1}^{n} s_i$ be the secret key and $h := \prod_{i=1}^{n} h_i = g^s$ the corresponding public key.
Everyone can compute $h$, but not $s$.

Share the secret key among authorities (skipped)
Note: $s = \sum_{i=1}^{n} s_i$ is shared among the authorities, recoverable if all the $n$ authorities are honest.
We can make $s$ recoverable by $t \le n$ honest authorities.
Authority $A_i$ shares his $s_i$ using a polynomial $f_i(x)$ of degree $t-1$, with $f_i(0) = s_i$, giving $s_{i,j} := f_i(j)$ to $A_j$ in a secret way.
Let $f(x) = \sum_{i=1}^{n} f_i(x)$. (Not known to anyone.)
Then, $f(0) = \sum_{i=1}^{n} f_i(0) = \sum_{i=1}^{n} s_i = s$.

$A_j$'s new share of $s$ is $s'_j = f(j) = \sum_{i=1}^{n} f_i(j) = \sum_{i=1}^{n} s_{i,j}$.
Any $t$ honest authorities can recover $f(x)$ and $s$.
The next step is for each $A_i$ to post $h_i := g^{s'_i}$ (the public key corresponding to $s'_i$ rather than $s_i$) on the bulletin board.
Remark:
- This protocol requires all authorities to be honest.
- So, it seems not very exciting to make $s$ recoverable by $t \le n$ honest authorities.

Blind Signature

Blind signature
Two parties: the signer (Peggy) and the message author (Vic). Vic has a message $m$ that needs Peggy's signature.
For some reasons (application-dependent), Vic doesn't want Peggy to know about the content of $m$.
Vic disguises (blinds) $m$ as $m'$, and presents $m'$ to Peggy. Peggy signs $m'$ with a (blind) signature. Vic converts it to a signature for $m$.
The signed message $m$, together with its signature, can be publicly verified.

Unlinkability: Suppose Peggy has blindly signed more than one message. When later a signed message is presented, Peggy can tell whether it is her signature, but she cannot link the signed message to any particular transaction.
Applications: e.g., digital cash.

RSA-based blind signature
Note: Peggy's valid signature for $m$ is $m^d \bmod n$.
1. Peggy $\leftarrow$ Vic: $a := m r^e \bmod n$, $r \in_R \mathbb{Z}_n^*$. (Masks $m$ with $r$.)
2. Peggy $\to$ Vic: $b := a^d \bmod n$. (Peggy signs $a$.)
3. Vic obtains Peggy's signature on $m$ as $s := b r^{-1} \bmod n$ $(= m^d \bmod n)$.
Idea: RSA signature is homomorphic:
$\mathrm{RSA}^{-1}(m r^e) = \mathrm{RSA}^{-1}(m) \cdot \mathrm{RSA}^{-1}(r^e)$
$\mathrm{RSA}^{-1}(m) = \mathrm{RSA}^{-1}(m r^e) \cdot \mathrm{RSA}^{-1}(r^e)^{-1}$
Q: Do you see the "blind signature" property?
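The three steps above as an added example (not code from the lecture notes), on a small constructed textbook RSA instance ($p = 61$, $q = 53$, $e = 17$); a deployed scheme would use a full-size modulus and sign a hash of $m$, which this toy omits.

```python
# Added example (not from the lecture notes): RSA blind signature.
# Constructed toy key: n = 61 * 53 = 3233, e = 17, d = e^-1 mod phi(n) = 2753.
from math import gcd
import secrets

P_, Q_ = 61, 53
N = P_ * Q_
E = 17
D = pow(E, -1, (P_ - 1) * (Q_ - 1))


def blind(m, r=None):
    """Vic: pick r in Z_n^* and send a = m * r^e mod n; returns (a, r)."""
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return m * pow(r, E, N) % N, r


def sign_blinded(a):
    """Peggy: b = a^d mod n. She sees only a, which is uniform in Z_n^*."""
    return pow(a, D, N)


def unblind(b, r):
    """Vic: s = b * r^-1 mod n = (m r^e)^d r^-1 = m^d * r * r^-1 = m^d mod n."""
    return b * pow(r, -1, N) % N


def verify(m, s):
    """Public check of Peggy's signature: s^e == m mod n."""
    return pow(s, E, N) == m % N
```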

Recall Schnorr's signature scheme: $\mathrm{LogSig}_h(m, g, y)$
Use Fiat-Shamir's standard method to convert an interactive identification scheme into a signature scheme.
Key idea: compute challenge $c$ from commitment $a$ and message $m$: $c := h(m \| a)$.
To sign message $m$,
1. Compute $a := g^r$, where $r \in_R \mathbb{Z}_q$.
2. Compute $c := h(m \| a)$.
3. Compute $b := r - cx$.
4. $\mathrm{Sign}(m) := (c, b)$.
5. $\mathrm{Verify}(m, c, b) = \text{true}$ iff $c = h(m \| g^b y^c)$.

A non-blind interactive signature scheme
Rewrite Schnorr's signature scheme as an interactive one. Vic has a message $m$ for Peggy to sign:
1. Peggy $\to$ Vic: $a := g^r$, where $r \in_R \mathbb{Z}_q$.
2. Peggy $\leftarrow$ Vic: $c := h(m \| a)$.
3. Peggy $\to$ Vic: $b := r - cx$.
4. Vic verifies whether $a = g^b y^c$, and if so, obtains the signature $\sigma(m) := (c, b)$.
To verify a presented $(m, c, b)$, check if $c = h(m \| g^b y^c)$.

Deriving a blind signature scheme
Any transcript $(a, c, b)$ with $a = g^b y^c$ and $c = h(m \| a)$ is a valid signature for $m$. Or $(c, b)$ with $c = h(m \| g^b y^c)$.
Recall: $(a, c, b)$ with $a = g^b y^c$ is an accepting transcript.
To obtain a blind signature for $m$, Vic simultaneously
- uses Schnorr's identification scheme to get an accepting transcript $(a', c', b')$, and
- transforms it to another accepting transcript $(a, c, b)$ such that $c = h(m \| a)$.

Peggy and Vic:
Peggy $\to$ Vic: commitment $a' := g^r$.
Vic: $a' \mapsto a$; $c := h(m \| a)$; $c \mapsto c'$.
Peggy $\leftarrow$ Vic: challenge $c'$.
Peggy $\to$ Vic: response $b' := r - c'x$.
Vic: $b' \mapsto b$.
Q: How to transform an accepting transcript $(a', c', b')$ to another accepting transcript $(a, c, b)$?

If $(a', c', b')$ is an accepting transcript of $\mathrm{ProofLog}(g, y)$, then $(a, c, b)$ is also an accepting transcript of $\mathrm{ProofLog}(g, y)$, where
$\begin{pmatrix} b \\ c \end{pmatrix} := u \begin{pmatrix} b' \\ c' \end{pmatrix} + \begin{pmatrix} v \\ w \end{pmatrix}$, $u, v, w \in_R \mathbb{Z}_q$, and $a := a'^{u} g^{v} y^{w}$.
Ideas behind the above transformation: Linear transformation from $(b', c')$ to $(b, c)$.
$g^b y^c = g^{ub' + v} y^{uc' + w} = \left(g^{b'} y^{c'}\right)^u g^v y^w = a'^{u} g^{v} y^{w} = a$.

We need $c$ to satisfy $c = h(m \| a)$. So, when generating the challenge $c'$, Vic
- lets $c := h(m \| a)$, and
- converts $c$ to $c'$ as $c' := (c - w) u^{-1}$.
This way, after transforming $(a', c', b')$ to $(a, c, b)$, we ensure $c = h(m \| a)$.

Schnorr's blind signature scheme $\mathrm{BlindLogSig}_h(m, g, y)$
1. Peggy $\to$ Vic: $a' := g^r$, where $r \in_R \mathbb{Z}_q$.
2. Peggy $\leftarrow$ Vic: $c' := (c - w) u^{-1}$, where $u, v, w \in_R \mathbb{Z}_q$, $u \neq 0$, $c := h(m \| a)$, $a := a'^{u} g^{v} y^{w}$.
3. Peggy $\to$ Vic: $b' := r - c'x$.
4. Vic verifies whether $a' = g^{b'} y^{c'}$, computes $b := ub' + v$, and gets the signature $\sigma(m) = (c, b)$.
$\mathrm{Verify}(m, c, b) = \text{true}$ iff $c = h(m \| g^b y^c)$.
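The four steps of $\mathrm{BlindLogSig}_h$ as an added example (not code from the lecture notes), with constructed small parameters $p = 167$, $q = 83$, $g = 4$ and $h(m \| a)$ taken as SHA-256 reduced mod $q$; Peggy only ever sees $(a', c', b')$, while Vic ends with $(c, b)$ verifiable against $m$.

```python
# Added example (not from the lecture notes): Schnorr blind signature BlindLogSig.
# Constructed parameters: p = 167, q = 83 (q | p-1), g = 4 of order q.
import hashlib
import secrets

P, Q, G = 167, 83, 4


def H(m: bytes, a: int) -> int:
    """Challenge hash h(m || a), reduced into Z_q (toy choice for this example)."""
    return int.from_bytes(hashlib.sha256(m + a.to_bytes(4, "big")).digest(), "big") % Q


class Signer:
    """Peggy: holds x with y = g^x and runs the identification protocol as-is."""
    def __init__(self, x):
        self.x, self.y = x % Q, pow(G, x, P)

    def step1(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)                          # a' = g^r

    def step3(self, c_prime):
        return (self.r - c_prime * self.x) % Q            # b' = r - c'x


class User:
    """Vic: blinds with (u, v, w), u != 0, so that c = h(m || a) for a = a'^u g^v y^w."""
    def __init__(self, y, m):
        self.y, self.m = y, m

    def step2(self, a_prime):
        self.a_prime = a_prime
        self.u = secrets.randbelow(Q - 1) + 1
        self.v, self.w = secrets.randbelow(Q), secrets.randbelow(Q)
        self.a = pow(a_prime, self.u, P) * pow(G, self.v, P) * pow(self.y, self.w, P) % P
        self.c = H(self.m, self.a)
        return (self.c - self.w) * pow(self.u, -1, Q) % Q  # c' = (c - w) u^-1

    def step4(self, b_prime, c_prime):
        if self.a_prime != pow(G, b_prime, P) * pow(self.y, c_prime, P) % P:
            raise ValueError("Peggy's transcript (a', c', b') does not verify")
        return self.c, (self.u * b_prime + self.v) % Q     # signature (c, b)


def verify(y, m, c, b):
    """Verify(m, c, b): c == h(m || g^b y^c)."""
    return c == H(m, pow(G, b, P) * pow(y, c, P) % P)


def blind_sign(x, m):
    """Run the protocol; returns ((c, b), Peggy's view (a', c', b'))."""
    peggy, vic = Signer(x), User(pow(G, x, P), m)
    a_p = peggy.step1()
    c_p = vic.step2(a_p)
    b_p = peggy.step3(c_p)
    return vic.step4(b_p, c_p), (a_p, c_p, b_p)
```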

Blindness/Unlinkability
For a fixed accepting transcript $(a', b', c')$, consider the transformation $T_{(u,v,w)}: (a', b', c') \mapsto (a, b, c)$, with randomly selected $(u, v, w)$.
$T_{(u,v,w)}(a', b', c') = T_{(u',v',w')}(a', b', c') \iff \begin{pmatrix} v \\ w \end{pmatrix} = \begin{pmatrix} v' \\ w' \end{pmatrix} + (u' - u)\begin{pmatrix} b' \\ c' \end{pmatrix}$.
For each accepting transcript $(a, b, c)$, exactly $q$ triplets $(u, v, w)$ transform $(a', b', c')$ to the same $(a, b, c)$.
If $(u, v, w)$ is randomly/uniformly selected, then, independent of $(a', b', c')$, the signature $(a, b, c)$ is randomly/uniformly distributed over all accepting transcripts.

Is it secure?
Q: Can Vic use a blind signature $(a', b', c')$ to obtain a valid signature $(a, b, c)$ for more than one message?
Let $(a', b', c')$ be a blind signature and $(a, b, c)$ the legitimate signature for $m$. Then, for some $u, v, w \in \mathbb{Z}_q$,
$a = a'^{u} g^{v} y^{w}$
$c = h(m \| a) = h(m \| a'^{u} g^{v} y^{w})$
$c' = (c - w) u^{-1} = \left(h(m \| a'^{u} g^{v} y^{w}) - w\right) u^{-1}$

If Vic is able to derive from $(a', b', c')$ a valid signature $(\tilde a, \tilde b, \tilde c)$ for another message $\tilde m$, then Vic is able to find $\tilde m, \tilde u, \tilde v, \tilde w$ such that
$c' = \left(h(\tilde m \| a'^{\tilde u} g^{\tilde v} y^{\tilde w}) - \tilde w\right) \tilde u^{-1}$, i.e.,
$h(\tilde m \| a'^{\tilde u} g^{\tilde v} y^{\tilde w}) = $ a given value (namely, $c' \tilde u + \tilde w$),
contradicting that $h$ is collision resistant.

Recall: $\mathrm{ProofLogEq}(g, y, m, z)$. Can be used as a signature scheme.
Peggy's private key and public key: $(x, y)$, where $y = g^x$.
Vic has a message $m \in G_q$ for Peggy to sign. They invoke $\mathrm{ProofLogEq}(g, y, m, z)$ with $z = m^x$.
0. Peggy $\leftarrow$ Vic: message $m \in G_q$.
1. Peggy $\to$ Vic: $(a_1, a_2, z) := (g^r, m^r, m^x)$, where $r \in_R \mathbb{Z}_q$.
2. Peggy $\leftarrow$ Vic: $c \in \mathbb{Z}_q$, uniformly chosen at random.
3. Peggy $\to$ Vic: $b := r - cx$.
4. Vic accepts iff $a_1 = g^b y^c$ and $a_2 = m^b z^c$.
The signature for $m$ is $\sigma(m) = (z, a_1, a_2, b, c)$.

$\mathrm{BlindLogEqSig}_h(g, y, m)$
Peggy and Vic:
Vic: $m \mapsto m'$. Peggy $\leftarrow$ Vic: $m'$.
Peggy: $a'_1 := g^r$, $a'_2 := m'^r$, $z' := m'^x$. Peggy $\to$ Vic: $(a'_1, a'_2, z')$.
Vic: $(a'_1, a'_2, z') \mapsto (a_1, a_2, z)$; $c := h(m \| z \| a_1 \| a_2)$; $c \mapsto c'$. Peggy $\leftarrow$ Vic: $c'$.
Peggy: $b' := r - c'x$. Peggy $\to$ Vic: $b'$.
Vic: $b' \mapsto b$; verifies whether $c = h(m \| z \| g^b y^c \| m^b z^c)$.
The blind signature of $m$ is $(b, c, z) := \mathrm{BlindLogEqSig}_h(g, y, m)$.

Transformation between $(m', z', a'_1, a'_2, c', b')$ and $(m, z, a_1, a_2, c, b)$, with $u, v, w, s, t \in \mathbb{Z}_q$:
$a_1 := a'^{u}_1 g^{v} y^{w}$
$a_2 := \left(a'^{u}_2 m'^{v} z'^{w}\right)^{s} \left(a'^{u}_1 g^{v} y^{w}\right)^{t}$
$b := ub' + v$
$c := uc' + w$
$m := m'^{s} g^{t}$
$z := z'^{s} y^{t}$

Ideas behind $(m', z', a'_2) \mapsto (m, z, a_2)$:
As elements in $G_q$, $m = g^{\alpha}$ and $m' = g^{\beta}$ for some $\alpha, \beta$. The linear transformation $\beta \mapsto s\beta + t$ yields $m := m'^{s} g^{t}$ and $z := z'^{s} y^{t}$.
As for $a_2$, we want $(m, z, a_2)$ to satisfy $a_2 = m^b z^c$:
$m^b z^c = \left(m'^{s} g^{t}\right)^{ub' + v} \left(z'^{s} y^{t}\right)^{uc' + w} = \left(m'^{ub' + v} z'^{uc' + w}\right)^{s} \left(g^{ub' + v} y^{uc' + w}\right)^{t} = \left(a'^{u}_2 m'^{v} z'^{w}\right)^{s} \left(a'^{u}_1 g^{v} y^{w}\right)^{t}$.

$\mathrm{BlindLogEqSig}_h(M, g, y, m)$
$\mathrm{BlindLogEqSig}_h(g, y, m)$ can be modified to blindly sign more than one message. In the third step, if Vic computes $c := h(M \| m \| z \| a_1 \| a_2)$, then $(b, c, z) := \mathrm{BlindLogEqSig}_h(g, y, m)$ is a blind signature of both $m$ and $M$.
This variant of $\mathrm{BlindLogEqSig}_h$ is denoted by $\mathrm{BlindLogEqSig}_h(M, g, y, m)$.

Digital Cash

An online electronic cash system
Participants: a bank $B$, customer $C$, shop $S$, trusted center $T$.
$C$ withdraws some digital cash $M$ from her account at $B$, and later pays it to $S$. $S$ deposits $M$ to his account at $B$.
Required:
1. Whether $M$ is genuine or counterfeit is verifiable.
2. $M$ can be spent only once by the customer.
3. $M$ is not traceable by the bank.
4. But if needed, $M$ is traceable by the trusted center.
$M$ will be referred to as a coin and all coins are assumed to have the same denomination, say \$10.

Easy to achieve properties 1, 2, 3
Design: Let a coin $M$ be simply a blind signature $(b, c)$ signed by the bank on an empty message of the customer's.
$M$'s genuineness or counterfeit is verifiable.
$M$ is not traceable by the bank.
When the customer wants to spend the coin, the shop checks with the bank whether $M$ has already been spent. This ensures that a coin be spent only once.
Requires the bank to be online all the time. Requires the shop to deposit the coin right away.

Make $M$ traceable by the trusted center (TC)
Recall: $(b, c)$ can be traced to $(a', b', c')$ if the blinding factor $(u, v, w)$ is known.
When withdrawing a coin (i.e., obtaining a blind signature) from the bank, the customer, Vic, also sends to the bank, Peggy, the blinding factor $(u, v, w)$ encrypted with the TC's public key. The latter is then forwarded to the TC.
This would enable the TC to link $(b, c)$ to $(a', b', c')$ and then to Vic.
Requires the TC to be online all the time. Why?

Flow between the TC, the Bank (Peggy) and the Customer (Vic):
Bank $\to$ Customer: commitment $a'$. Customer: $a' \mapsto a$, $c := h(a)$, $c \mapsto c'$.
Customer $\to$ Bank: $c'$, $E_{pk(TC)}(u, v, w)$. Bank $\to$ TC: $E_{pk(TC)}(u, v, w)$. TC $\to$ Bank: OK.
Bank $\to$ Customer: response $b'$. Customer: $b' \mapsto b$.
A: $(a', b', c')$ and $E_{pk(TC)}(u, v, w)$.
B: checks if $(u, v, w)$ is genuine. How?

Offline electronic cash systems
Objectives: The withdrawal protocol does not involve the TC. Payments do not involve the bank.
Basic ideas: When withdrawing a coin, the customer (say Alice) presents two related messages $m$ and $d$. Given $m$, the TC can compute $d$, and vice versa. Only the TC is capable of doing this.
The bank $B$ keeps a record of $(d, \text{Alice})$. Message $m$, blindly signed by $B$, becomes a coin.

System Setup
$p, q$ large primes; $q \mid p - 1$. $G_q \subseteq \mathbb{Z}_p^*$ the unique subgroup of order $q$. $g, g_1, g_2$ randomly selected generators of $G_q$.
Bank's keys: $(g, x, y)$, where $g^x = y$ (in $G_q$); $x$ private, $y$ public.
Customer's keys: $(g_1, x_C, y_C)$, where $g_1^{x_C} = y_C$.
Shop's keys: $(g_1, x_S, y_S)$, where $g_1^{x_S} = y_S$.
Trusted Center's keys: $(g_2, x_T, y_T)$, where $g_2^{x_T} = y_T$.

Withdrawal I: enabling coin and owner tracing
Alice computes: $m := g_1 g_2^{s}$, $d := y_T^{s}$, where $s \in_R \mathbb{Z}_q$.
As will be seen soon, $m$ identifies a coin; $d$ does its owner.
(Coin tracing) Given $d$, the TC can compute (trace) $m = g_1 g_2^{s} = g_1 d^{x_T^{-1}}$.
(Owner tracing) Given $m$, the TC can compute (trace) $d = y_T^{s} = \left(m g_1^{-1}\right)^{x_T}$.

Alice needs to prove that she computed $m, d$ as prescribed. This can be done by proving $\log_{g_2}(m g_1^{-1}) = \log_{y_T} d$ using $\mathrm{ProofLogEq}(g_2, m g_1^{-1}, y_T, d)$, except that $m$ needs to be blinded.
Recall: $m' \mapsto m$ in $\mathrm{BlindLogEqSig}$. Choosing $t = 0$ and blinding exponent $s$, we have $m' := m^{s^{-1}} = \left(g_1 g_2^{s}\right)^{s^{-1}} = g_1^{s^{-1}} g_2$. Thus, Alice computes $m' := g_1^{s^{-1}} g_2$.
Alice sends $(c, b, m g_1^{-1}, g_2, y_T, d)$ to the bank, where $(c, b) := \mathrm{ProofLogEq}(g_2, m g_1^{-1}, y_T, d)$.
The bank verifies the proof. If the verification condition holds, the bank stores $d$ in Alice's entry in the withdrawal database.

Withdrawal II: withdrawing a coin
Alice chooses $r \in_R \mathbb{Z}_q$, computes a coin number $c\# := g_2^{r}$, and executes $(c_1, b_1, z) := \mathrm{BlindLogEqSig}_h(c\#, g, y, m)$ with the bank.
In the first step of $\mathrm{BlindLogEqSig}$, $m$ is converted to $m' := m^{s^{-1}}$ using the same $s$ as in Withdrawal I.
The coin number $c\#$ is part of the mechanism of double-spending detection. It is included in the computation of $c_1$: $c_1 := h(c\# \| m \| z \| a_1 \| a_2)$.
The coin consists of $(c_1, b_1, c\#, g, y, m, z)$.

Payment
Main issue: to enable the bank to detect double spending and identify the customer's name w/o involving the TC.
When paying with a coin $(c_1, b_1, c\#, g, y, m, z)$, Alice signs the message $M = (c_1, b_1, y_S, \text{time})$ using $\mathrm{ProofLog}$:
$\sigma(M) = (c_2, b_2) := \mathrm{ProofLog}_h(M, g_2, m g_1^{-1})$.
Alice proves that she knows the secret $s = \log_{g_2}(m g_1^{-1})$. The coin number $c\# = g_2^{r}$ is used as the commitment.
The coin submitted to the shop is defined by:
$\text{coin} = (c_1, b_1, c\#, g, y, m, z, c_2, b_2, M, g_2, m g_1^{-1})$.

The shop verifies the submitted $\text{coin} = (c_1, b_1, c\#, g, y, m, z, c_2, b_2, M, g_2, m g_1^{-1})$ by verifying:
- The correct form of $M$.
- Whether $c_2 = h(M \| c\#)$.
- The proof/signature $(c_1, b_1, z) = \mathrm{BlindLogEqSig}_h(c\#, g, y, m)$. (How?)
- The proof/signature $(c_2, b_2) = \mathrm{ProofLog}_h(M, g_2, m g_1^{-1})$, by testing $c_2 = h\left(M \| g_2^{b_2} (m g_1^{-1})^{c_2}\right)$.

Deposit
Suppose the shop wants to deposit a coin $C = (C_1, C_2)$, where $C_1 = (c_1, b_1, c\#, g, y, m, z)$ is the part signed by the bank and $C_2$ the payment part.
The bank verifies the coin and searches its database for an identical coin.
Double deposit, if the bank finds an identical coin $(C_1, C_2)$.
Double spending, if the bank finds a coin $(C_1, C_2')$ with $C_2' \neq C_2$. In this case, the bank can recover the customer's identity $d$, since the same $c\#$ was used as the commitment when the customer made the two payments.