Lecture 10: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak.

Quo vadis? Eo Romam Iterum Crucifigi So far, we became familiar with a variety of cryptographic primitives, as well as specific implementations of them. These include: Perfect secrecy, computational secrecy Pseudorandomness generators/functions/permutations and DES/AES Symmetric Encryption stream ciphers, block ciphers, different modes of operation Data Integrity, MACs, Cryptographic hashing Public key framework, Key exchange Diffie Hellman, Merkle Public-key Encryptions Elgamal, RSA, Rabin, GoldwasserMicali Signature schemes FDH-RSA, Generic Construction Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 2 / 38

Quo vadis? Eo Romam Iterum Crucifigi In the remaining weeks, we will introduce a number of additional cryptographic primitives, as well as cryptographic notions with proposed implementations. These include: Zero knowledge proofs Identification and user authentication schemes Hard core bits Coin flipping over the phone Secret sharing Computing over encrypted data Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 3 / 38

Zero Knowledge Proofs Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 4 / 38

Story (Naor, Naor, Reingold) This is Waldo. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 5 / 38

Where is Waldo? Daughter: I see Waldo in the picture. Dad: I also see him. Daughter: Really, where? Dad: Prove to me the you see it, and I ll show him to you Daughter:???? What should the daughter do? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 6 / 38

Proofs Proofs In mathematics and in life, we often want to convince or prove things to others. Typically, if I know that X is true, and I want to convince you of that, I try to present all the facts I know and the inferences from that fact that imply that X is true. Example: I know that 26781 is not a prime since it is 113 237, to prove to you that fact, I will present these factor and demonstrate that indeed 113 237 = 26781. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 7 / 38

Zero-Knowledge Proofs Goldwasser, Micali and Rackoff Typically, a proof yields some knowledge, beyond the fact that the statement is true. In the example, we learned that 26781 is not a prime, and, in addition, we learned its factorization. Zero knowledge proof tries to avoid it. Intuitively: Zero-Knowledge Proofs (GMR 82 ) Alice will prove to Bob that a statement X is true, Bob will completely convinced that X is true, but will not learn anything as a result of this process. One of the most beautiful and influential concepts in CS Lead to many applications (E.g., practical digital signatures and hardness of approximation). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 8 / 38

Application 1: Identification We want to control access to the department. Sol: Give authorized people a smart card with a PIN and put a box outside the building that verifies the PIN. Problem: Box is outside! Someone may attack it and discover the PIN. by reading the memory by installing a fake box that records the user s PIN Better if the box contains no secret information at all Sol: Let the box store f(p IN) where f is one-way function. The user proves in ZK to the Box that he knows PIN We will see details later Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 9 / 38

Application 2: Protocol Design Alice & Bob don t trust each other and run some crypto protocol Security holds if Alice and Bob follow the instructions e.g., Alice should choose an RSA modulus n = pq But what if Alice does not follow the protocol? e.g., chooses n = pqr Security may be lost! Bad Sol: Alice sends her inputs and let Bob verify that all is well e.g., reveals n, p, q This is bad for Alice: her inputs are private and she does not trust Bob! Sol: Alice proves to Bob that she followed the instructions of the protocol correctly using Zero-Knowledge Proofs Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 10 / 38

Plan Interactive Proofs Honest Verifier Zero Knowledge Proofs Special Soundness Property Next week: Applications, General Zero-Knowledge, and Zero-Knowledge for all NP Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 11 / 38

Mathematical Proofs Proof system: Axioms and inference rules Soundness: Cannot prove false statements Completeness: Can prove all true statements Proof is a fixed static string that can be verified by anyone Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 12 / 38

Interactive Probabilistic Proofs Public statement: x is in a language L e.g., x PRIMES, x QR n Verifier Vicky suspects that Peggy is cheating accept/reject Prover Peggy Tries to convince that x L Completeness: If statement is true (x L) the Vicky accepts Soundness: If statement is false (x / L), Vicky rejects whp 99%. The proof is an interactive probabilistic game (rather than a fixed string) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 13 / 38

Silly Example: Coke and Pepsi There are two bottles on the table labeled by 0 and 1. Peggy: One bottle is pepsi and one is coke Vicky: Suspects that both are coke. Verifier Vicky Toss a coin b Secretly fills a cup from bottle # b Accept iff b = b b Prover Peggy Peggy tastes and guesses Bottle # b. Completeness: If Peggy is honest (knows how to distinguish), Vicky will accept w/p 1. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 14 / 38

Silly Example: Coke and Pepsi There are two bottles on the table labeled by 0 and 1. Peggy: One bottle is pepsi and one is coke Vicky: Suspects that both are coke. Verifier Vicky Toss a coin b Secretly fills a cup from bottle # b Accept iff b = b b Prover Peggy Crazy computation... Soundness: If Peggy cheats and bottles are both coke Vicky will reject w/p 1/2. To reduce the soundness error to 2 k repeat the protocol k times, and accept iff Peggy never errs. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 15 / 38

Reminder: Graph isomorphism Def: A graph G 0 = (V, E 0 ) is isomorphic to a graph G 1 = (V, E 1 ) if there exists a permutation π over the nodes V s.t. (i, j) is an edge of G 0 iff (π(i), π(j)) is an edge in G 1 Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 16 / 38

Proof for Graph non-isomorphism Public statement: G 0 = (V, E 0 ) is not isomorphic to G 1 = (V, E 1 ) Verifier Vicky Randomly choose bit b and permutation π Π Accept iff b = b π(g b ) b Prover Peggy Peggy guesses which graph was used Completeness: If graphs are non-isomorphic Peggy can guess b w/p 1. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 17 / 38

Proof for Graph non-isomorphism Public statement: G 0 = (V, E 0 ) is not isomorphic to G 1 = (V, E 1 ) Verifier Vicky Randomly choose bit b and permutation π Π Accept iff b = b π(g b ) b Prover Peggy Crazy computation! Soundness: If graphs are isomorphic no matter what Peggy does Vicky will reject w/p 1/2. The r.v π(g 0 ) and π(g 1 ) are identically distributed Therefore, Vicky cannot distinguish them and can t guess b with probability better than 1/2 Soundness error can be reduced via repetition. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 18 / 38

Graph isomorphism I Public statement: G 0 = (V, E 0 ) is isomorphic to G 1 = (V, E 1 ) Verifier Vicky Accept iff π(g 0 ) = G 1 π Prover Peggy Private input: isomorphism π Completeness: If graphs are isomorphic Vicky is always convinced. Soundness: If graphs are non-isomorphic no matter what Peggy does Vicky will reject w/p 1. What did Vicky learn from the proof? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 19 / 38

Graph isomorphism II Public statement: G 0 = (V, E 0 ) is isomorphic to G 1 = (V, E 1 ) Vicky b R {0, 1} Accept iff α(g b ) = H H = σ(g 0 ) b { σ if b = 0, α = σ π if b = 1. Peggy (π) σ R Π Completeness: If graphs are isomorphic Vicky is always convinced. If b = 0 then α(g b ) = σ(g 0 ) = H. If b = 1 then α(g b ) = α(g 1 ) = σ π(g 1 ) = σ(g 0 ) = H. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 20 / 38

Graph isomorphism II Public statement: G 0 = (V, E 0 ) is isomorphic to G 1 = (V, E 1 ) Vicky b R {0, 1} H b α Peggy (π) Crazy computation Accept iff α(g b ) = H Soundness: If graphs are non-isomorphic Vicky will reject w/p 1/2. H cannot be isomorphic to both graphs (why?) With probability 1/2 Vicky will choose the graph G b to which H is not isomorphic Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 21 / 38

What did Vicky learn from the proof? Public statement: G 0 = (V, E 0 ) is isomorphic to G 1 = (V, E 1 ) Vicky b R {0, 1} H = σ(g 0 ) Peggy (π) σ R Π b { σ if b = 0, α = σ π if b = 1. If Vicky is honest then she learns nothing from the proof: All she sees is a random graph H isomorphic to G b via random permutation α She could have computed it by herself! How can we formulate that? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 22 / 38

Zero-Knowledge Proofs Definition The view view V (x) of the verifier V in a proof system is a random variable that consists of the public input x, the internal randomness of V, and the incoming messages. Definition (Honest Verifier Perfect Zero-Knowledge Proofs) An HVZK system for a language L is a proof system (P, V ) that has an efficient simulator S that runs in expected polynomial time such that for every x L S(x) view V (x). Simulator is allowed to run in expected polynomial time means that the two r.v. s are identically distributed Weaker variant: S(x) and view V (x) are (t, ɛ) indistinguishable. Stronger variant: require ZK against a cheating verifier Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 23 / 38

Graph Isomorphism is in HVZK Public statement: G 0 = (V, E 0 ) is isomorphic to G 1 = (V, E 1 ) Vicky b R {0, 1} H = σ(g 0 ) b { σ if b = 0, α = σ π if b = 1. Peggy (π) σ R Π HVZK: Vicky s view is (H, b, α) where b R {0, 1}, α R Π, and H = α(g b ) The simulator S can generate it easily: α R Π, b R {0, 1}, H = α(g b ) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 24 / 38

Sequential Repetitions Public statement: G 0 = (V, E 0 ) is isomorphic to G 1 = (V, E 1 ) Repeat k times: Vicky b i R {0, 1} k H i = σ i (G 0 ) Peggy (π) R σ b i i Π { σ i if b i = 0, α i = σ i π if b i = 1. Recall that we suggested to amplify soundness via repetition Does HVZK is preserved under k-wise sequential repetition? Thm. k-wise repetition preserve HVZK Proof: just invoke the basic simulator k times with ind. randomness Does parallel repetition preserve HVZK? Yes Does it preserve soundness? Not always Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 25 / 38

Another example: Quadratic Residue Reminder: Let n = pq be an RSA modulus. Then: x QR n if there exists w such that w 2 = x (mod n) QR n is a subgroup of Z n If x R QR n and y QR n then xy is uniform in QR n On the other hand, x / QR n, y QR n then xy / QR n Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 26 / 38

HVZK for Quadratic Residue Public information: x and n = pq (Vicky does not know p and q). Peggy claims that x is in QR n. Vicky b R {0, 1} Accept iff: b = 0 & y = z 2 OR b = 1 & yx = z 2 Completeness: Trivial. y = u 2 b { u if b = 0, z = uw if b = 1. Peggy w : w 2 = x u R Z n Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 27 / 38

HVZK for Quadratic Residue Public information: x and n = pq (Vicky does not know p and q). Peggy claims that x is in QR n. Vicky b R {0, 1} Accept iff: b = 0 & y = z 2 OR b = 1 & yx = z 2 y = u 2 b { u if b = 0, z = uw if b = 1. Peggy w : w 2 = x Crazy Computation HVZK: The view is y R QR n, b R {0, 1}, z R Z n subject to yx b = z 2 Simulator S does the following: b R {0, 1}, z R Z n, y = z 2 /x b (mod n). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 28 / 38

HVZK for Quadratic Residue Public information: x and n = pq (Vicky does not know p and q). Peggy claims that x is in QR n. Vicky b R {0, 1} Accept iff: b = 0 & y = z 2 OR b = 1 & yx = z 2 y = u 2 b { u if b = 0, z = uw if b = 1. Peggy w : w 2 = x Crazy Computation Soundness: If x / QR n then Vicky will reject w/p 1/2. Either y is not QR n or yx is not QR n (why?) With probability 1/2 Vicky will hit the non-qr element In fact, if Peggy succeeds with probability better than 1/2 + ɛ then in some sense she must know w (Why?) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 29 / 38

Special Soundness Public information: x and n = pq (Vicky does not know p and q). Peggy claims that x is in QR n. Vicky b R {0, 1} Accept iff: b = 0 & y = z 2 OR b = 1 & yx = z 2 y = u 2 b { u if b = 0, z = uw if b = 1. Peggy w : w 2 = x Crazy Computation Special Soundness: Given valid answer to 2 different challenges (b = 0 and b = 1) we can recover w. Given y and yx we can recover x by division Hence, Peggy proved that she knows a sqrt of x. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 30 / 38

Schnorr s protocol Schnorr suggested the following proof of knowledge for the discrete logarithm: Public statement: Peggy knows discrete log of h w.r.t. g, where these are members of some group G of order q, and g is a generator. Vicky b R Z q Accept iff: ah b = g c a = g r b c = r+xb (mod q) Peggy x : g x = h r R Z q Completeness:? HVZK:? Special Soundness:? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 31 / 38

Sigma protocols Protocols of the following for are called Sigma Protocols Public statement: x L and Peggy knows a witness w Vicky challenge b R R Accept iff: (a, b, c) are valid a b c Peggy w commit a The protocol satisfies: Completeness: x L, Pr[(P, V )(x) = accept] = 1 HVZK: S, x L, S(x) view V (x) Special Soundness: Given a pair of accepting transcripts (a, b, c) and (a, b, c ) with b b it is possible to efficiently recover the witness w. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 32 / 38

Properties of Sigma Protocols Sigma protocols have nice properties: can be repeated in parallel can be nicely composed can be combined to prove: I know a witness for x OR/AND for x easily transformed to work against cheating verifiers Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 33 / 38

Application: Identification Scheme We assume that there is a public key tied to Alice s identity The key is published on authenticated public record and everyone knows it Alice also holds the corresponding private key These keys are distributed once and for all by some trusted party (e.g., government, university security unit) Eve s attack avenue is the Alice-Bob connection. Eve may play the role of Bob and ask Alice to identify many times Then, using this information she may talk to Bob and try to impersonate Alice Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 34 / 38

Identification via Zero-Knowledge Let f : W X be a one-way function (e.g., squaring mod n = pq, or discrete log). Private key: w R W, Public key: x = f(w) stored in a public file next to Peggy s name. To identify herself, Peggy proves that she knows w via a sigma protocol. Impersonation is as hard as convincing a verifier to accept. By special soundness, if you can impersonate you know w. Since the protocol is zero-knowledge, Eve cannot impersonate Peggy even if Eve heard Alice identifying herself many times. (To obtain full security we need ZK against cheating verifier) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 35 / 38

Sigma protocols Removing Interaction Public statement: x L and Peggy knows a witness w Vicky challenge b R R Accept iff: (a, b, c) are valid b a c Peggy w commit a How can we make the protocol non-interactive? (Remove b) Idea: Let the prover choose b. This may be bad, the prove can pose herself an easy challenge b. Fiat-Shamir: Let b = H(a) where H is a hash function. Security holds in the random-oracle model. Open question: Remove interaction without random oracle. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 36 / 38

Application: Signature Schemes Let f : W X be a one-way function (e.g., squaring mod n = pq, or discrete log). Private key: w R W, Public key: x = f(w). To sign m herself, Peggy proves that she knows w via a sigma protocol where b = H(m, a). Forging is as hard as convincing a verifier to accept. By special soundness, if you can forge you know w. Since the protocol is zero-knowledge, forging remains hard even after seeing many signed messages. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 37 / 38

Example: Schnorr s signature Schnorr suggested the following proof of knowledge for the discrete logarithm: Public parameters: group G of prime order q and a generator g. Private key: x R Z q Public key: y = g x To sign m do the following: Vicky Accept iff: ah b = g c a = g r b = H(a, m) c = r+xb (mod q) Peggy x : g x = h r R Z q The scheme can be optimized such that the signature consists of only two group elements. See Ex 4. Several variants exist including Elgamal signatures, and the Digital Signature Algorithm (DSA/DSS) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 10 Fall Semester, 2011 12 38 / 38