Interactive protocols & zero-knowledge

Interactive protocols & zero-knowledge
- Interactive protocols formalize what can be recognized by polynomial-time restricted verifiers in arbitrary protocols.
- They generalize NP.
- Zero-knowledge formalizes that verifiers learn nothing beyond recognizing the language.

Class NP and verifiers
Definition 3.6 A verifier $V$ for a language $L \subseteq \Sigma^*$ is a computable function $V : \Sigma^* \times \{0,1\}^* \to \{0,1\}$ such that
$L = \{ w \in \Sigma^* : \exists c \in \{0,1\}^* : V(w,c) = 1 \}$.
Definition 3.7 $V$ is a polynomial verifier for a language $L \subseteq \Sigma^*$ if $V$ is a verifier for $L$ and
1. the running time of $V$ on input $(w,c)$ is polynomial in $|w|$,
2. there is a polynomial $p : \mathbb{N} \to \mathbb{N}$ such that for all $w \in L$ there is a $c \in \{0,1\}^{p(|w|)}$ with $V(w,c) = 1$.
If a language $L$ has a polynomial verifier we call it polynomially verifiable.

Class NP and verifiers
Theorem 3.8 A language $L$ is in NP if and only if there is a polynomial verifier for $L$.
Protocol view (common input $w$; question: $w \in L$?):
  prover: try $c$!   -- $c$ -->   verifier: outputs 1 iff $V(w,c) = 1$.

SAT and NP
SAT $:= \{ \phi \mid \phi \text{ is a satisfiable Boolean formula} \}$.
Common input $\phi$; question: $\phi \in$ SAT?
  prover: try assignment $c$!   -- $c$ -->   verifier: outputs 1 iff $\phi(c) = 1$.
SAT $\in$ NP.

Quadratic residues
Definition 3.9 Let $N \in \mathbb{N}$, then $QR(N) := \{ v \in \mathbb{Z}_N^* \mid \exists s \in \mathbb{Z}_N^* : s^2 = v \bmod N \}$ is called the set of quadratic residues modulo $N$. $QNR(N) := \mathbb{Z}_N^* \setminus QR(N)$ is called the set of quadratic nonresidues modulo $N$.
$QR := \{ (N,v) \mid v \in QR(N) \}$, $\quad QNR := \{ (N,v) \mid v \in QNR(N) \}$.
Property If $v \in QR(N)$ and $u \in QNR(N)$, then $v \cdot u \in QNR(N)$.

QR is in NP
Observation $QR \in$ NP.
Common input $(N,v)$, $N \in \mathbb{N}$, $v \in \mathbb{Z}_N^*$:
  prover: try $s$!   -- $s$ -->   verifier: outputs 1 iff $s^2 = v \bmod N$.

Quadratic non-residues and protocols
What about QNR and NP? Don't know, but:
Common input $(N,v)$, $N \in \mathbb{N}$, $v \in \mathbb{Z}_N^*$:
  verifier: $b \in \{0,1\}$, $r \in \mathbb{Z}_N^*$, $y := r^2 v^b \bmod N$   -- $y$ -->   prover
  prover                                                                  -- $b'$ -->  verifier: outputs 1 iff $b = b'$.

Quadratic non-residues and protocols
Properties
- If $(N,v) \in QNR$, then $P$ can make $V$ accept with prob. 1.
- If $(N,v) \in QR$, then no matter what $P$ does, $V$ accepts only with prob. $1/2$.

Interactive protocols
Interactive protocols
- use randomness,
- use communication,
- allow error in acceptance/rejection.
Definition 3.10 A language $L$ is in the class IP, if there are $V, P$ and a protocol $V/P$ with
1. for all $w \in L$ the verifier $V$ outputs 1 with probability $\geq 2/3$ after execution of $V/P$ with input $w$,
2. for all $w \notin L$ and all provers $P^*$ the verifier outputs 1 with probability $\leq 1/3$ after execution of $V/P^*$ with $P^*$ and input $w$,
3. the overall running time of $V$ is polynomial.

Interactive protocols
Definition 3.10 (repeated from the previous slide) A language $L$ is in the class IP, if there are $V, P$ and a protocol $V/P$ with
1. for all $w \in L$ the verifier $V$ outputs 1 with probability $\geq 2/3$ after execution of $V/P$ with input $w$,
2. for all $w \notin L$ and all provers $P^*$ the verifier outputs 1 with probability $\leq 1/3$ after execution of $V/P^*$ with $P^*$ and input $w$,
3. the overall running time of $V$ is polynomial.
Remarks
- In protocol $V/P^*$, $V$ behaves as in $V/P$, but $P^*$ may behave differently from $P$.
- May assume that the format of the messages of $P^*$ is as in $V/P$.
- Constants $2/3$ and $1/3$ are arbitrary; $\tfrac{1+\varepsilon}{2}$ and $\tfrac{1-\varepsilon}{2}$ suffice.

QR, QNR and IP
Observation $QR$ and $QNR$ are in IP.
Theorem 3.11 NP $\subseteq$ IP.


Fiat-Shamir revisited
Common input $(N,v)$, $N \in \mathbb{N}$, $v \in \mathbb{Z}_N^*$; P/A holds $s_A$ with $s_A^2 = v_A \bmod N$:
  P/A: $r \in \mathbb{Z}_N^*$, $x := r^2 \bmod N$        -- $x$ -->   V/B
  V/B: $b \in \{0,1\}$                                     -- $b$ -->   P/A
  P/A: $t := r \cdot s_A^{b} \bmod N$                      -- $t$ -->   V/B: outputs 1 iff $t^2 = x \cdot v_A^{b} \bmod N$.
Properties
- If $(N,v) \in QR$, then $P$ can make $V$ accept with prob. 1.
- If $(N,v) \in QNR$, then no matter what $P$ does, $V$ accepts only with prob. $1/2$.

Fiat-Shamir revisited
1. For $i = 1$ to $l$, P/A and V/B do:
   P/A: $r_i \in \mathbb{Z}_N^*$, $x_i := r_i^2 \bmod N$      -- $x_i$ -->   V/B
   V/B: $b_i \in \{0,1\}$                                       -- $b_i$ -->   P/A
   P/A: $t_i := r_i \cdot s_A^{b_i} \bmod N$                    -- $t_i$ -->   V/B: rejects if $t_i^2 \neq x_i \cdot v_A^{b_i} \bmod N$.
2. V/B accepts.

Transcripts
Definition 3.11 Let $L$ be a language, $v \in L$ and $V/P$ be an interactive protocol for $L$. A transcript $\tau \in \{0,1\}^*$ of $V/P$ on input $v$ consists of $v$, the output and all messages exchanged between $V$ and $P$. By $T(V,P,v)$ we denote the random variable corresponding to these transcripts, i.e. $\Pr[T(V,P,v) = \tau]$ denotes the probability that the transcript of $V/P$ on input $v$ is $\tau$.
Remark Similarly, for a probabilistic algorithm $S$ we denote by $S(v)$ the random variable corresponding to the output of $S$ on input $v$, i.e. by $\Pr[S(v) = \tau]$ we denote the probability that $S$ on input $v$ outputs $\tau$.


Zero-knowledge protocols
Definition 3.12 Let $L$ be a language and $V/P$ be an interactive protocol for $L$. Protocol $V/P$ is called a (honest verifier) zero-knowledge protocol, if there is a ppt $S$ such that for all $v \in L$ and all $\tau \in \{0,1\}^*$
$\Pr[T(V,P,v) = \tau] = \Pr[S(v) = \tau]$.
Remarks
- The definition only says something about $v \in L$.
- The ppt verifier $V$ learns nothing from the execution of $V/P$, since all it learns (= the transcript) it can compute alone (via $S$).

Zero-knowledge protocols and Fiat-Shamir
Theorem 3.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language $QR$.
Fact Let $N \in \mathbb{N}$, then every element in $QR(N)$ has the same number of square roots modulo $N$, namely $|\mathbb{Z}_N^*| / |QR(N)|$.


Zero-knowledge protocols and Fiat-Shamir
Theorem 3.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language $QR$.
Simulator $S$ on input $v \in \mathbb{Z}_N^*$:
  $b \in \{0,1\}$, $t \in \mathbb{Z}_N^*$,
  $x := t^2 \cdot v^{-b} \bmod N$,
  output $(v, x, b, t, 1)$.

Zero-knowledge protocols and Fiat-Shamir
Theorem 4.13 The Fiat-Shamir protocol is a zero-knowledge protocol for the language $QR$.
Why is zero-knowledge possible?
- Protocol and simulator compute the same transcripts, but in a different order.
- In Fiat-Shamir, first compute the square, then the square root.
- In the simulator, first compute the root, then square it.
- Squaring is easy, taking square roots modulo $N$ (probably) not.

Perfect zero-knowledge protocols
Definition 3.14 Let $L$ be a language and $V/P$ be an interactive protocol for $L$. Protocol $V/P$ is called a perfect zero-knowledge protocol, if for all ppt verifiers $V^*$ there is a ppt $S$ such that for all $v \in L$ and all $\tau \in \{0,1\}^*$
1. with probability $\leq 1/2$, $S$ outputs a special symbol $\bot$,
2. $\Pr[T(V^*,P,v) = \tau] = \Pr[S(v) = \tau \mid S(v) \neq \bot]$.
Remarks
- In protocol $V^*/P$, $P$ behaves as in $V/P$, but $V^*$ may behave differently from $V$.
- May assume that the format of the messages of $V^*$ is as in $V/P$.

Zero-knowledge protocols and Fiat-Shamir
Theorem 4.15 The Fiat-Shamir protocol is a perfect zero-knowledge protocol for the language $QR$.
Simulator $S$ on input $v \in \mathbb{Z}_N^*$:
  $b \in \{0,1\}$, $t \in \mathbb{Z}_N^*$, $x := t^2 \cdot v^{-b} \bmod N$,
  simulate $V^*$ with input $(v, N, x)$ until $V^*$ outputs a bit $b'$,
  if $b \neq b'$, output $\bot$, else output $(v, x, b, t, 1)$.
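The single Fiat-Shamir round of slide 13 and the honest-verifier simulator of Theorem 3.13, as an added example that is not part of the slides: it enumerates every prover/verifier coin toss and every simulator coin toss on a constructed toy modulus (N = 77, s_A = 9) and checks that the two transcript distributions are identical, which is exactly what the simulator must achieve. The modulus, secret and function names are this example's assumptions, not the lecture's.

```python
"""Fiat-Shamir round and its honest-verifier simulator (added example).

Constructed toy parameters: N = 7 * 11 = 77, secret s_A = 9, public
v_A = s_A^2 mod N = 4.  Real N is a large RSA-type modulus; the tiny N only
makes exhaustive enumeration of all transcripts feasible.
"""
from collections import Counter
from math import gcd
import secrets

N = 7 * 11            # constructed toy modulus
S_A = 9               # prover's secret square root
V_A = S_A * S_A % N   # public quadratic residue, 81 mod 77 = 4


def units(n):
    """Elements of Z_n^* (residues invertible modulo n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def prover_commit(n):
    """P/A step 1: r in Z_n^*, x := r^2 mod n."""
    r = secrets.choice(units(n))
    return r, r * r % n


def prover_respond(r, s, b, n):
    """P/A step 2: t := r * s^b mod n."""
    return r * pow(s, b, n) % n


def verifier_check(x, b, t, v, n):
    """V/B outputs 1 iff t^2 = x * v^b mod n."""
    return t * t % n == x * pow(v, b, n) % n


def real_transcripts(s, v, n):
    """Exact distribution of (x, b, t) over all prover and verifier coins."""
    return Counter((r * r % n, b, prover_respond(r, s, b, n))
                   for r in units(n) for b in (0, 1))


def simulated_transcripts(v, n):
    """S(v): choose t and b first, then x := t^2 * v^(-b) mod n, so the
    transcript verifies although S knows no square root of v."""
    v_inv = pow(v, -1, n)
    return Counter((t * t * pow(v_inv, b, n) % n, b, t)
                   for t in units(n) for b in (0, 1))


def run_round(s, v, n):
    """One honest execution; returns ((x, b, t), accepted)."""
    r, x = prover_commit(n)
    b = secrets.randbelow(2)
    t = prover_respond(r, s, b, n)
    return (x, b, t), verifier_check(x, b, t, v, n)


def simulator_matches_protocol(s, v, n):
    """Zero-knowledge check: identical transcript multisets, identical counts."""
    return real_transcripts(s, v, n) == simulated_transcripts(v, n)
```

The equality holds because r -> t = r * s_A^b is a bijection on Z_N^* for each fixed b, so both sides produce each accepting transcript exactly once.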

Fiat-Shamir identification
- offers security against cheating prover and verifier,
- has significant round and communication complexity,
- has significant computational complexity.
- Schnorr and Okamoto protocols improve this.
- Fiat-Shamir is based on the factoring problem,
- Schnorr and Okamoto are based on the discrete logarithm problem.

Candidates for one-way functions
3. Gen($1^n$) generates a prime number $p \geq 2^n$ and a generator $g$ for the multiplicative group $\mathbb{Z}_p^*$; $I = (p,g)$.
   Samp($I$): $x \in \mathbb{Z}_{p-1}$.
   $f_I(x)$ outputs $g^x \bmod p$.
Idea Exponentiation is easy, discrete logarithm is difficult.

Schnorr identification setup
TA chooses primes $p, q$ such that $q \mid p-1$ and $q > 2^l$, chooses a generator $z$ of $\mathbb{Z}_p^*$ and sets $g := z^{(p-1)/q}$.
A chooses $a \in \mathbb{Z}_q$, sets $v_A := g^a \bmod p$.
TA sets $\mathrm{cert}(A) := (\mathrm{id}(A), v_A, \mathrm{Sign}_{TA}(\mathrm{id}(A), v_A))$.
Remark $g$ has order $q$.

Schnorr identification protocol
  A: $k \in \mathbb{Z}_q$, $x := g^k \bmod p$        -- $\mathrm{cert}(A), x$ -->   B: verifies $\mathrm{cert}(A)$, $r \in \{1, \dots, 2^l\}$
  A                                                <-- challenge $r$ --       B
  A: $y := k + a \cdot r \bmod q$                    -- response $y$ -->        B: accepts iff $g^y = x \cdot v_A^{r} \bmod p$.

Impersonation in Schnorr protocol
Theorem 3.16 For any $\delta \geq 2^{-l+2}$ and any algorithm $C$ there exists an algorithm $C'$ with the following properties:
1. If on input $p, q, g, v_A$, $C$ impersonates A with probability $\delta$, then $C'$ on input $p, q, g, v_A$ computes a discrete logarithm of $v_A$ to base $g$ with probability $\geq 0.03$;
2. If $C$ runs in time $T$, then $C'$ runs in time $O(T/\delta + \log^2(p))$.

From $C$ to $C'$
$C'$ on input $p, q, g, v_A$:
1. repeat at most $1/\delta$ times
   a) $z \in \{0,1\}^R$, $r \in \{1, \dots, 2^l\}$
   b) simulate $C$ with random bits $z$ and $r$
   c) if $C$ succeeds, set $r_1 := r$ and goto 2)
2. repeat at most $1/\delta$ times
   a) $r \in \{1, \dots, 2^l\}$
   b) simulate $C$ with random bits $z$ and $r$
   c) if $C$ succeeds, set $r_2 := r$ and goto 3)
3. if $r_1 \neq r_2$, output $r_1, r_2$ and the corresponding $y_1, y_2$.
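The Schnorr protocol of slide 27 together with step 3 of the reduction above, as an added example that is not the lecture's own code: two accepting transcripts that share the same commitment x but have different challenges r_1 != r_2 determine the secret as a = (y_1 - y_2)/(r_1 - r_2) mod q. This is both why C' can extract a discrete logarithm from a successful impersonator and why an honest prover must never reuse k. Group parameters (p = 23, q = 11, g = 2, l = 3) and function names are constructed for this example.

```python
"""Schnorr identification and two-transcript extraction (added example).

Constructed toy parameters: q = 11, p = 23 = 2q + 1, z = 5 generates Z_23^*,
g = z^((p-1)/q) = 5^2 mod 23 = 2 has order q.  Challenge length l = 3, so
r is drawn from {1, ..., 8}.  Real parameters are hundreds of bits long.
"""
import secrets

P, Q, G, L = 23, 11, 2, 3


def keygen(q, g, p):
    """A: a in Z_q, v_A := g^a mod p."""
    a = secrets.randbelow(q)
    return a, pow(g, a, p)


def commit(q, g, p):
    """A step 1: k in Z_q, x := g^k mod p."""
    k = secrets.randbelow(q)
    return k, pow(g, k, p)


def challenge(l):
    """B: r in {1, ..., 2^l}."""
    return 1 + secrets.randbelow(2 ** l)


def respond(k, a, r, q):
    """A step 2: y := k + a*r mod q."""
    return (k + a * r) % q


def verify(x, r, y, v, g, p):
    """B accepts iff g^y = x * v_A^r mod p."""
    return pow(g, y, p) == x * pow(v, r, p) % p


def run(a, v):
    """One honest Schnorr execution; returns B's decision."""
    k, x = commit(Q, G, P)
    r = challenge(L)
    return verify(x, r, respond(k, a, r, Q), v, G, P)


def extract(r1, y1, r2, y2, q):
    """Step 3 of C': from two accepting transcripts with the same x, since
    y_i = k + a*r_i mod q, a = (y1 - y2) / (r1 - r2) mod q.
    Returns None when r1 == r2, the case in which C' has to retry."""
    if (r1 - r2) % q == 0:
        return None
    return (y1 - y2) * pow((r1 - r2) % q, -1, q) % q


def extraction_recovers_secret(a, q, g, p):
    """Same k answered for two distinct challenges leaks a completely."""
    k, x = commit(q, g, p)
    r1, r2 = 3, 5                     # two distinct challenges, constructed
    y1, y2 = respond(k, a, r1, q), respond(k, a, r2, q)
    v = pow(g, a, p)
    assert verify(x, r1, y1, v, g, p) and verify(x, r2, y2, v, g, p)
    return extract(r1, y1, r2, y2, q) == a
```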

Zero-knowledge protocols and Schnorr
Theorem 3.17 The Schnorr protocol is a zero-knowledge protocol.
Observations
- The Schnorr protocol is not known to be perfect zero-knowledge.
- No attacks against the Schnorr protocol are known.
Okamoto protocol
- efficiency similar to Schnorr
- still not zero-knowledge
- but witness hiding

Okamoto identification setup
TA chooses primes $p, q$ such that $q \mid p-1$ and $q > 2^l$, chooses a generator $z$ of $\mathbb{Z}_p^*$ and sets $g := z^{(p-1)/q}$, chooses $g_1, g_2 \in \langle g \rangle$.
A chooses $a_1, a_2 \in \mathbb{Z}_q$, sets $v := g_1^{a_1} g_2^{a_2} \bmod p$.
TA sets $\mathrm{cert}(A) := (\mathrm{id}(A), v, \mathrm{Sign}_{TA}(\mathrm{id}(A), v))$.
Remark $g, g_1, g_2$ have order $q$.

Okamoto identification protocol
  A: $k_1, k_2 \in \mathbb{Z}_q$, $x := g_1^{k_1} g_2^{k_2} \bmod p$   -- $\mathrm{cert}(A), x$ -->   B: verifies $\mathrm{cert}(A)$, $r \in \{1, \dots, 2^l\}$
  A                                                               <-- $r$ --                 B
  A: $y_1 := k_1 + a_1 r \bmod q$, $y_2 := k_2 + a_2 r \bmod q$      -- $y_1, y_2$ -->           B: accepts iff $g_1^{y_1} g_2^{y_2} = x \cdot v^r \bmod p$.

Okamoto identification protocol - security
- security against cheating prover as in the Schnorr protocol
- security against cheating verifier in 2 steps:
  o show that Okamoto is witness indistinguishable (unconditionally)
  o under the assumption that the discrete logarithm is hard, show that witness indistinguishability implies witness hiding, i.e. a cheating B cannot learn A's secret.

Witnesses and discrete logarithms
Definition 3.18 Given $p, q, g, g_1, g_2$ and $v \in \langle g \rangle$ as before, the elements of
$W(v, g_1, g_2) := \{ (b_1, b_2) \mid v = g_1^{b_1} g_2^{b_2} \bmod p \}$
are called witnesses.
Theorem 3.19 For any $\delta > 0$ and any algorithm $C$ there exists an algorithm $C'$ with the following properties:
1. If on input $p, q, g$ and $g_1, g_2, v \in \langle g \rangle$, $C$ finds a pair $(a_1, a_2) \in W(v, g_1, g_2)$ with probability $\delta$, then $C'$ on input $p, q, g, g_1, g_2$ computes the discrete logarithm of $g_2$ to base $g_1$ with probability $\delta (1 - 1/q)$;
2. If $C$ runs in time $T$, then $C'$ runs in time $O(T + \log^3(p))$.

Witnesses and discrete logarithms
Definition 3.18 (as above) $W(v, g_1, g_2) := \{ (b_1, b_2) \mid v = g_1^{b_1} g_2^{b_2} \bmod p \}$.
Claim For all $p, q, g, g_1, g_2, v$: $|W(v, g_1, g_2)| = q$.

Cheating provers and discrete logarithms
Theorem 3.20 For any $\delta > 2^{-l+2}$ and any algorithm $C$ there exists an algorithm $C'$ with the following properties:
1. If on input $p, q, g, g_1, g_2, v_A$, $C$ impersonates A with probability $\delta$, then $C'$ on input $p, q, g, g_1, g_2$ computes the discrete logarithm of $g_1$ to base $g_2$ with probability $\geq 0.03$;
2. If $C$ runs in time $T$, then $C'$ runs in time $O(T/\delta + \log^3(p))$.

Witnesses and witness indistinguishability
Definition 3.18 (as above), writing $W(v)$ for $W(v, g_1, g_2) := \{ (b_1, b_2) \mid v = g_1^{b_1} g_2^{b_2} \bmod p \}$.
Lemma 3.21 Given $p, q, g, g_1, g_2$ and $v \in \langle g \rangle$ as before, then for all $(b_1, b_2) \in W(v)$ and all possible transcripts $(x, r, y_1, y_2)$ of the Okamoto protocol there is a unique $(l_1, l_2) \in \mathbb{Z}_q^2$ chosen by A (as $(k_1, k_2)$) such that, with witness $(b_1, b_2)$ on input $v$, the transcript is $(x, r, y_1, y_2)$ and B accepts; i.e. the Okamoto protocol is witness indistinguishable.

Witness hiding
Theorem 3.22 Given $p, q, g, g_1, g_2$ and $v \in \langle g \rangle$ as before. Assuming that the discrete logarithm problem is hard, then given a transcript of the Okamoto protocol no ppt $B$ can compute a pair $(b_1, b_2) \in W(v)$; i.e. the Okamoto protocol is witness hiding.
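The Okamoto protocol of slide 32 with the two facts behind its witness hiding, as an added example that is not part of the slides: Lemma 3.21 (every one of the q witnesses of v explains every accepting transcript through a unique coin pair (l_1, l_2) = (y_1 - b_1 r, y_2 - b_2 r) mod q, so the transcript reveals nothing about which witness A holds) and the reduction of Theorem 3.19 (any two distinct witnesses yield log_{g_1} g_2). Group parameters (p = 23, q = 11, g_1 = 8, g_2 = 13, l = 3) and function names are constructed for this example.

```python
"""Okamoto identification: witness indistinguishability and the
witness-to-discrete-log reduction (added example).

Constructed toy parameters: p = 23, q = 11, g = 2 of order q,
g1 = g^3 = 8, g2 = g^7 = 13, so log_{g1} g2 = 7 * 3^(-1) = 7 * 4 = 6 mod 11.
"""
import secrets

P, Q, G1, G2, L = 23, 11, 8, 13, 3


def commit(k1, k2):
    """g1^k1 * g2^k2 mod p; used for x, for v and for the checks below."""
    return pow(G1, k1, P) * pow(G2, k2, P) % P


def verify(v, x, r, y1, y2):
    """B accepts iff g1^y1 g2^y2 = x * v^r mod p."""
    return commit(y1, y2) == x * pow(v, r, P) % P


def transcript(a1, a2):
    """Honest A with witness (a1, a2) against honest B: (x, r, y1, y2)."""
    k1, k2 = secrets.randbelow(Q), secrets.randbelow(Q)
    r = 1 + secrets.randbelow(2 ** L)
    return commit(k1, k2), r, (k1 + a1 * r) % Q, (k2 + a2 * r) % Q


def witnesses(v):
    """W(v, g1, g2) by exhaustive search; the Claim says |W| = q."""
    return [(b1, b2) for b1 in range(Q) for b2 in range(Q)
            if commit(b1, b2) == v]


def explains(witness, trans):
    """Lemma 3.21: the unique coins (l1, l2) with which this witness would
    have produced exactly this transcript; True iff they reproduce x."""
    b1, b2 = witness
    x, r, y1, y2 = trans
    l1, l2 = (y1 - b1 * r) % Q, (y2 - b2 * r) % Q
    return commit(l1, l2) == x


def witness_indistinguishable(a1, a2):
    """An accepting transcript made with (a1, a2) fits every witness of v."""
    v = commit(a1, a2)
    t = transcript(a1, a2)
    return verify(v, *t) and all(explains(w, t) for w in witnesses(v))


def dlog_from_two_witnesses(w, w2):
    """C' of Theorem 3.19: g1^(a1-b1) = g2^(b2-a2), hence
    log_{g1} g2 = (a1 - b1) / (b2 - a2) mod q unless a2 == b2 (prob. 1/q)."""
    (a1, a2), (b1, b2) = w, w2
    if (a2 - b2) % Q == 0:
        return None
    return (a1 - b1) * pow((b2 - a2) % Q, -1, Q) % Q
```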