Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Similar documents
Lecture Notes 20: Zero-Knowledge Proofs

Lecture 15 - Zero Knowledge Proofs

Interactive protocols & zero-knowledge

Notes on Zero Knowledge

CPSC 467b: Cryptography and Computer Security

Lecture 10: Zero-Knowledge Proofs

III. Authentication - identification protocols

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Lecture 3: Interactive Proofs and Zero-Knowledge

CPSC 467: Cryptography and Computer Security

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptographical Security in the Quantum Random Oracle Model

Zero-Knowledge Proofs and Protocols

Cryptographic Protocols FS2011 1

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Interactive protocols & zero-knowledge

George Danezis Microsoft Research, Cambridge, UK

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Dr George Danezis University College London, UK

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

CPSC 467: Cryptography and Computer Security

Notes for Lecture 25

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Introduction to Cryptography. Lecture 8

CPSC 467b: Cryptography and Computer Security

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Cryptographic Protocols Notes 2

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Some ZK security proofs for Belenios

CPSC 467: Cryptography and Computer Security

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

PAPER An Identification Scheme with Tight Reduction

Interactive Zero-Knowledge with Restricted Random Oracles

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

An Identification Scheme Based on KEA1 Assumption

Concurrent Non-malleable Commitments from any One-way Function

Homework 3 Solutions

Statistical WI (and more) in Two Messages

Lecture 1: Introduction to Public key cryptography

Lecture Notes, Week 10

Introduction to Modern Cryptography Lecture 11

Zero-Knowledge Proofs 1

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Cryptographic Protocols. Steve Lai

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

An Introduction to Probabilistic Encryption

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

A Fair and Efficient Solution to the Socialist Millionaires Problem

Interactive proof and zero knowledge protocols

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CS151 Complexity Theory. Lecture 13 May 15, 2017

Lecture 13: Seed-Dependent Key Derivation

A Note on the Cramer-Damgård Identification Scheme

Question 1. The Chinese University of Hong Kong, Spring 2018

Primary-Secondary-Resolver Membership Proof Systems

March 19: Zero-Knowledge (cont.) and Signatures

Theory of Computation Chapter 12: Cryptography

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

How many rounds can Random Selection handle?

Introduction to Cryptography Lecture 13

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Non-Interactive Zero-Knowledge Proofs of Non-Membership

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

Lecture 2: Perfect Secrecy and its Limitations

CS 355: TOPICS IN CRYPTOGRAPHY

Lecture 3,4: Universal Composability

An Epistemic Characterization of Zero Knowledge

Non-Conversation-Based Zero Knowledge

On The (In)security Of Fischlin s Paradigm

Lecture 14: Secure Multiparty Computation

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Commitment Schemes and Zero-Knowledge Protocols (2011)

Entity Authentication

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

ASYMMETRIC ENCRYPTION

An Epistemic Characterization of Zero Knowledge

Lecture 15: Interactive Proofs

How to Go Beyond the Black-Box Simulation Barrier

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Lecture 17: Constructions of Public-Key Encryption

Lecture 28: Public-key Cryptography. Public-key Cryptography

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

ECash and Anonymous Credentials

Advanced Topics in Cryptography

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

1 Number Theory Basics

Transcription:

Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1

Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes Pedersen commitment schemes Oblivious commitment based envelope Readings: Barak s notes on ZK CS555 Topic 23 2

Interactive Proof Systems Traditionally, a proof for a statement is a static string such that one can verify for its correctness Follows axioms and deduction rules. Generalizing proof systems to be interactive A proof system involves an algorithm for a prover and a verifier. A proof system can be probabilistic in ensuring correctness of the statement being proved CS555 Topic 23 3

Zero Knowledge Proofs A protocol involving a prover and a verifier that enables the prover to prove to a verifier without revealing any other information E.g., proving that a number n is of the form of the product of two prime number Proving that one knows p,q such that n=pq Proving that one knows x such g x mod p = y CS555 Topic 23 4

Two Kinds of Zero-Knowledge Proofs ZK proof of a statement convincing the verifier that a statement is true without yielding any other information example of a statement, a propositional formula is satisfiable ZK proof of knowledge convincing the verifier that one knows a secret, e.g., one knows the discrete logarithm log g (y) CS555 Topic 23 5

Fiat-Shamir Protocol for Proving Quadratic Residues Statement: x is QR modulo n Prover knows w such that w 2 =x (mod n) Repeat the following one-round protocol t times One-round Protocol: P to V: y = r 2 mod n, where r randomly chosen V to P: b {0,1}, randomly chosen P to V: z=rw b, i.e., z=r if b=0, z=rw if b=1 V verifies: z 2 =yx b, i.e., z 2 =y if b=0, z 2 =yx if b=0 CS555 Topic 23 6

Observations on the Protocol Multiple rounds Each round consists of 3 steps Commit; challenge; respond If challenge can be predicted, then cheating is possible. Cannot convince a third party (even if the party is online) Essense why it is ZK If respond to more than one challenge with one commit, then the secret is revealed. Essence that this proves knowledge of the secret CS555 Topic 23 7

Properties of Interactive Zero- Knowledge Proofs of Knowledge Completeness Given honest prover and honest verifier, the protocol succeeds with overwhelming probability Soundness no one who doesn t know the secret can convince the verifier with nonnegligible probability Zero knowledge the proof does not leak any additional information CS555 Topic 23 8

Analysis of the Fair-Shamir protocol Completeness, when proven is given w 2 =x and both party follows protocol, the verification succeeds Soundness: if x is not QR, verifier will not be fooled. Needs to show that no matter what the prover does, the verifier s verification fails with some prob. (1/2 in this protocol) Assumes that x is not QR, V receives y Case 1: y is QR, then when b=1, checking z 2 =yx will fail. Case 2: y is QNR, then when b=0, checking z 2 =y will fail. Proof will be rejected with probability ½. CS555 Topic 23 9

Formalizing ZK property A protocol is ZK if a simulator exists Taking what the verifier knows before the proof, can generate a communication transcript that is indistinguishable from one generated during ZK proofs Intuition: One observes the communication transcript. If what one sees can be generated oneself, one has not learned anything new knowledge in the process. Three kinds of indistinguishability Perfect (information theoretic) Statistical Computational CS555 Topic 23 10

Honest Verifier ZK vs. Standard ZK Honest Verifier ZK means that a simulator exists for the Verifier algorithm V given in the protocol. Standard ZK requires that a simulator exists for any algorithm V* that can play the role of the verifier in the protocol. CS555 Topic 23 11

Fiat-Shamir is honest-verifier ZK The transcript of one round consists of (n, x, y, b, z) satisfying z 2 =yx b The bit b is generated by honest Verifier V is uniform independent of other values Construct a simulator for one-round as follows Given (x,n) Pick at uniform random b {0,1}, If b=0, pick random z and sets y=z 2 mod n If b=1, pick random z, and sets y=z 2 x -1 mod n Output (n,x,y,b,z) The transcript generated by the simulator is from the same prob. distribution as the protocol run CS555 Topic 23 12

Fiat-Shamir is ZK Given any possible verifier V*, A simulator works as follows: 1. Given (x,n) where x is QR; let T=(x,n) 2. Repeat steps 3 to 7 for 3. Randomly chooses b {0,1}, 4. When b=0, choose random z, set y=z 2 mod n 5. When b=1, choose random z, set y=z 2 x -1 mod n 6. Invoke let b =V*(T,y), if b b, go to step 3 7. Output (n,x,y,b,z); T.append((n,x,y,b,z)); Observe that both z 2 and z 2 x -1 are a random QR; they have the same prob. distribution, thus the success prob. of one round is at least ½ CS555 Topic 23 13

Zero Knowledge Proof of Knowledge A ZKP protocol is a proof of knowledge if it satisfies a stronger soundness property: The prover must know the witness of the statement Soundness property: If a prover A can convince a verifier, then a knowledge exactor exists a polynomial algorithm that given A can output the secret The Fiat-Shamir protocol is also a proof of knowledge: CS555 Topic 23 14

Knowledge Extractor for the QR Protocol If A can convince V that x is QR with probability significanly over ½, then after A outputs y, then A can pass when challenged with both 0 and 1. Knowledge extractor Given an algorithm A that can convince a verifier, After A has sent y, first challenge it with 0, and receives z 1 such that z 12 =y Then reset A to the state after sending y, challenge it with 1 and receives z 2 such that z 22 =xy, then compute s=z 1-1 z 2, we have s 2 =x CS555 Topic 23 15

Running in Parallel All rounds in Fiat-Shamir can be run in parallel 1. Prover: picks random r 1,r 2,,r t, sends y 1 =r 12, y 2 =r 22,, y t =r t 2 2. Verifier checks the y s are not 0 and sends t random bits b 1, b t 3. Prover sends z 1,z 2,,z k, 4. Verifier accept if z j2 y j x b_j mod n This protocol still a proof of knowledge. This protocol still honest verifier ZK. This protocol is no longer ZK! Consider the V* such that V* chooses b 1, b t to be the first t bits of H(y 1,y 2,,y t ), where H is a cryptographic hash function. One can no longer generate an indistinguishable transcript. CS555 Topic 23 16

Schnorr Id protocol (ZK Proof of Discrete Log) System parameter: p, g generator of Z p * Public identity: v Private authenticator: s v = g s mod p Protocol (proving knowledge of discrete log of v with base g) 1. A: picks random r in [1..p-1], sends x = g r mod p, 2. B: sends random challenge e in [1..2 t ] 3. A: sends y=r-se mod (p-1) 4. B: accepts if x = (g y v e mod p) CS555 Topic 23 17

Security of Schnorr Id protocol Completeness: straightforward. Soundness (proof of knowledge): if A can successfully answer two challenges e 1 and e 2, i.e., A can output y 1 and y 2 such that x=g y1 v e1 =g y2 v e2 (mod p) then g (y1-y2) =v (e2-e1) and g (y1-y2) (e2-e1)^{-1} mod (p-1) =v thus the secret s=(y 1 -y 2 )(e 2 -e 1 ) -1 mod (p-1) ZK property Is honest verifier ZK, how does the simulate works? Is not ZK if the range of challenge e is chosen from a range that is too large (2 t >log n). Why? CS555 Topic 23 18

Commitment schemes An electronic way to temporarily hide a value that cannot be changed Stage 1 (Commit) Sender locks a message in a box and sends the locked box to another party called the Receiver State 2 (Reveal) the Sender proves to the Receiver that the message in the box is a certain message CS555 Topic 23 19

Security properties of commitment schemes Hiding at the end of Stage 1, no adversarial receiver learns information about the committed value Binding at the end of State 1, no adversarial sender can successfully convince reveal two different values in Stage 2 CS555 Topic 23 20

A broken commitment scheme Using encryption Stage 1 (Commit) the Sender generates a key k and sends E k [M] to the Receiver State 2 (Reveal) the Sender sends k to the Receiver, the Receiver can decrypt the message What is wrong using the above as a commitment scheme? CS555 Topic 23 21

Formalizing Security Properties of Commitment schemes Two kinds of adversaries those with infinite computation power and those with limited computation power Unconditional hiding the commitment phase does not leak any information about the committed message, in the information theoretical sense (similar to perfect secrecy) Computational hiding an adversary with limited computation power cannot learn anything about the committed message (similar to semantic security) CS555 Topic 23 22

Formalizing Security Properties of Commitment schemes Unconditional binding after the commitment phase, an infinite powerful adversary sender cannot reveal two different values Computational binding after the commitment phase, an adversary with limited computation power cannot reveal two different values No commitment scheme can be both unconditional hiding and unconditional binding CS555 Topic 23 23

Another (also broken) commitment scheme Using a one-way function H Stage 1 (Commit) the Sender sends c=h(m) to the Receiver State 2 (Reveal) the Sender sends M to the Receiver, the Receiver verifies that c=h(m) What is wrong using this as a commitment scheme? A workable scheme (though cannot prove security) Commit: choose r1, r2, sends (r1, H(r1 M r2)) Reveal (open): sends M, r2. Disadvantage: Cannot do much interesting things with the commitment scheme. CS555 Topic 23 24

Pedersen Commitment Scheme Setup The receiver chooses two large primes p and q, such that q (p-1). Typically, p is 1024 bit, q is 160 bit. The receiver chooses an element g that has order q, she also chooses secret a randomly from Z q ={0,..,q-1}. Let h = g a mod p. Values <p,q,g,h> are the public parameters and a is the private parameter. We have g q = 1 (mod p), and we have g ={g,g 2,g 3,..,g q =1}, the subgroup of Z p * generated by g Commit The domain of the committed value is Z q. To commit an integer x Z q, the sender chooses r Z q, and computes c = g x h r mod p Open To open a commitment, the sender reveal x and r, the receiver verifies whether c = g x h r mod p. CS555 Topic 23 25

Pedersen Commitment Scheme (cont.) Unconditionally hiding Given a commitment c, every value x is equally likely to be the value committed in c. For example, given x,r, and any x, there exists r such that g x h r = g x h r, in fact r = (x-x )a -1 + r mod q. Computationally binding Suppose the sender open another value x x. That is, the sender find x and r such that c = g x h r mod p. Now the sender knows x,r,x,r s.t., g x h r = g x h r (mod p), the sender can compute log g (h) = (x -x) (r-r ) -1 mod q. Assume DL is hard, the sender cannot open the commitment with another value. CS555 Topic 23 26

Pedersen Commitment ZK Prove know how to open (without actually opening) Public commitment c = g x h r (mod p) Private knowledge x,r Protocol: 1. P: picks random y, s in [1..q], sends d = g y h s mod p 2. V: sends random challenge e in [1..q] 3. P: sends u=y+ex, v=s+er (mod q) 4. V: accepts if g u h v = dc e (mod p) Security property similar to Schnorr protocol CS555 Topic 23 27

Proving that the committed value is either 0 or 1 Let <p,q,g,h> be the public parameters of the Pedersen commitment scheme. Let x {0,1}, c = g x h r mod p The prover proves to the verifier that x is either 0 or 1 without revealing x Note that c = h r or c = gh r The prover proves that she knows either log h (c) or log h (c/g) Recall if the prover can predict the challenge e, she can cheat The prover uses Schnorr protocol to prove the one she knows, and to cheat the other one CS555 Topic 23 28

Bit Proof Protocol (cont.) Recall Schnorr Protcol of proving knowledge of discrete log of c with basis h: P V: x; V P: e; P V: y; Verifies: x=h y c e To cheat, chooses e and f, compute x To prove one, and cheat in another, conduct two proofs, one for challenge e 1 and the other for e 2 with e 1 +e 2 =e Prover can control exactly one of e 1 and e 2, Verifier doesn t know which Case 1: c=h r P V: choose w,y 1,e 1 from Z q, sends x 0 =h w, x 1 =h y1 (c/g) e1 V P: e P V : e 0 = e-e 1 mod q, y 0 = w+r e 0 mod q sends y 0,y 1,e 0,e 1 V: verify e=e 0 +e 1, x 0 =h y0 c e0, x 1 =h y1 (c/g) e1 CS555 Topic 23 29

Bit Proof Protocol (cont.) Case 2: c=gh r P V: choose w,y 0,e 0 from Z q, computes x 1 =h w, x 0 =h z0 c e0, and sends a 0, a 1 V P: e P V : computes e 1 = e-e 0 mod q, y 1 = w+r e 1 mod q, sends y 0,y 1,e 0,e 1 V: verify e=e 0 +e 1, x 0 =h y0 c e0, x 1 = h y1 (c/g) e1 CS555 Topic 23 30

Security of Bit Proof Protocol Zero-knowledge The verifier cannot distinguish whether the prover committed a 0 or 1, as what the prover sends in the two cases are drawn from the same distribution. Soundness Bit proof protocol is a proof of knowledge CS555 Topic 23 31

An Application Oblivious Commitment Based Envelope and Oblivious Attribute Certificates Jiangtao Li, Ninghui Li: OACerts: Oblivious Attribute Certificates. ACNS 2005: 301-317 CS555 Topic 23 32

Oblivious Attribute Certificates (OACerts) California Driver License California Driver License Expired: 04-11-06 Expired: 04-11-06 Name: Bear Boy DoB: 12-01-96 Address: 206 Sweet Rd Sex: M HT: 20 WT: 75 Name: com (Bear Boy) DoB: com (12-01-96) Address: com (206 Sweet Rd) Sex: com (M) HT: com (20 ) WT: com (75) Signed by PMV Signed by PMV X.509 Certificate OACerts CS555 Topic 23 33

Features of OACerts Selective show of attributes Zero-Knowledge proof that attributes satisfy some properties Compatible with existing certificate systems, e.g., X.509 Revocation can be handled using traditional techniques, e.g., CRL CS555 Topic 23 34

Oblivious Usage of Attributes Receiver c Sender Case 1: Case 2: Message: Policy: Pred Oblivious Commitment-Based Envelope (OCBE) CS555 Topic 23 35

Formal Definition of OCBE CA chooses commit chooses r 1. CA-Setup 2. CA-Commit 3. Initialization 4. Interaction 5. Open chooses Interaction chooses M chooses Pred Receiver If outputs M Sender CS555 Topic 23 36

Oblivious OCBE is oblivious if no adversary has a non-negligible advantage in the following game. run steup picks Challenger Receiver Pred Interaction b chooses Pred, M Adversary Sender Adversary wins if b=b CS555 Topic 23 37

Secure Against the Receiver OCBE is secure against receiver if no adversary has a nonnegligible advantage in the following game. run steup picks Challenger Sender Pred, M1, M2 Interaction b Adversary wins if b=b chooses M1,M2, Pred, s.t. Adversary Receiver CS555 Topic 23 38

OCBE Protocols We developed the following OCBE protocols for the Pedersen commitment schemes Committed value =,>,<,,, or a known value Committed value lies in a certain range Committed value satisfy conjunction of two conditions Committed value satisfy disjunction of two conditions CS555 Topic 23 39

Coming Attractions Topics Secure function evaluation, Oblivious transfer, secret sharing Identity based encryption & quantum cryptography CS555 Topic 23 40

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback