III. Authentication - identification protocols

Similar documents
Interactive protocols & zero-knowledge

Interactive protocols & zero-knowledge

VI. The Fiat-Shamir Heuristic

Notes on Zero Knowledge

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Entity Authentication

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Cryptographic Protocols Notes 2

Cryptographic Protocols FS2011 1

Katz, Lindell Introduction to Modern Cryptrography

Lecture 10: Zero-Knowledge Proofs

CPSC 467: Cryptography and Computer Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 15 - Zero Knowledge Proofs

14 Diffie-Hellman Key Agreement

Lecture Notes 20: Zero-Knowledge Proofs

Homework 3 Solutions

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Notes for Lecture 25

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Lecture 13: Seed-Dependent Key Derivation

An Identification Scheme Based on KEA1 Assumption

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Lecture 3: Interactive Proofs and Zero-Knowledge

CPSC 467: Cryptography and Computer Security

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Dr George Danezis University College London, UK

PAPER An Identification Scheme with Tight Reduction

1 Number Theory Basics

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

CPSC 467b: Cryptography and Computer Security

A Note on the Cramer-Damgård Identification Scheme

Zero-knowledge proofs of knowledge for group homomorphisms

CPSC 467b: Cryptography and Computer Security

Lecture Notes, Week 6

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Zero-Knowledge Proofs and Protocols

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Cryptographical Security in the Quantum Random Oracle Model

George Danezis Microsoft Research, Cambridge, UK

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

On the Security of Classic Protocols for Unique Witness Relations

CPSC 467: Cryptography and Computer Security

Number Theory and Algebra: A Brief Introduction

March 19: Zero-Knowledge (cont.) and Signatures

From Secure MPC to Efficient Zero-Knowledge

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Pseudo-random Number Generation. Qiuliang Tang

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

CIS 551 / TCOM 401 Computer and Network Security

CPSC 467b: Cryptography and Computer Security

Cryptology. Vilius Stakėnas autumn

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Interactive Zero-Knowledge with Restricted Random Oracles

1 Recap: Interactive Proofs

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Non-Interactive Zero Knowledge (II)

Statistically Secure Sigma Protocols with Abort

Lecture 15: Interactive Proofs

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols

ALG 4.0 Number Theory Algorithms:

Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

Cryptographic Protocols. Steve Lai

Winter 2011 Josh Benaloh Brian LaMacchia

Elementary Number Theory MARUCO. Summer, 2018

The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols

Lecture Notes, Week 10

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Pairing-Based Identification Schemes

ICS141: Discrete Mathematics for Computer Science I

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

OWO Lecture: Modular Arithmetic with Algorithmic Applications

GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks

Introduction to Cybersecurity Cryptography (Part 5)

Security II: Cryptography exercises

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Improved OR-Composition of Sigma-Protocols

CS151 Complexity Theory. Lecture 13 May 15, 2017

Public-Key Cryptosystems CHAPTER 4

Some ZK security proofs for Belenios

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

An Epistemic Characterization of Zero Knowledge

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

An Anonymous Authentication Scheme for Trusted Computing Platform

Public Key Cryptography

CPSC 467: Cryptography and Computer Security

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Transcription:

III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security objectives. Definition 3.2 A cryptographic scheme is a suite of cryptographic algorithms and protocols, achieving certain security objectives. 1

Identification schemes and protocols Definition 3.3 An identification scheme consists of two cryptographic protocols, called registration and identification, between two parties, called the prover and the verifier. In a symmetric identification scheme, registrations ends with both parties sharing a secret key. In an asymmetric identification scheme, registration will end with both parties sharing a public key, for which only the prover knows the secret key. In the identification the verifier is assured of the identity of the prover. 2

Objective of identification protocols 1. If the prover P and the verifier V are honest, V will accept P s identity. 2. V cannot reuse an identification exchange to impersonate P to a third party C. 3. Only with negligible probability a party C distinct from P is able to cause V to accept C as P s identity. 4. The previous points remain true even if - a large number of authentications between P and V have been observed; - C has participated in previous executions of the protocol (either as P or V). 3

Identification - overview - formalize security requirements for identification schemes - proofs of knowledge (simplified) - zero-knowledge proofs - mostly ignore registration - consider simplified but most important form of identification protocols, i.e. -protocols - indicate more general context - see important examples - Schnorr protocol - Fiat-Shamir protocol 4

Identification - overview - introduced witness hiding as relaxation of zero-knowledge property - present Okamoto-Schnorr protocol as an example 5

Challenge-response protocols In a challenge-response protocol P proves its identity to V by answering a challenge posed by V. Only by knowing the secret key should P be able to respond to the challenge correctly. Structure - challenge - response 6

Simple identification based on signatures ( ) signature scheme with message ( ) P's key pair. Π = Gen,Sign, Vrfy length n, pk P,sk P P r Sign skp ( c) c challenge r response V { } n c 0,1 return 1 iff Vrfy pkp ( c,r ) c is called nonce. Chosen for each execution. Guarantees time dependence. 7

Relations R {0,1} * {0,1} * binary relation, (x,y) R : R(x,y) = 1 x {0,1} * : W(x) := {w {0,1} * : R(x,w) = 1},w W(x) called called witnesses for x. L R := {x {0,1} * : W(x) } language corresponding to R R polynomially bounded: there is a c N such that for all x {0,1} * and all w W(x) : w x c R polynomially verifiable : R(, ) can be computed in polynomial time R NP-relation: R polynomially bounded and polynomially verifiable 8

Relations and the class NP Observation If R is an NP-relation, then L R NP. If L NP, then there is an NP-relation R with L = L R. 9

Relations and languages - SAT Example L = SAT x = φ Boolean formula, w assignment to varaibles R SAT (x,w) = 1: φ(w) = true. 10

Quadratic residues Definition 3.4 Let N N, then QR N { s 2 = v mod N} is called the set of ( ) := v Z N s Z N quadratic residues modulo N. QNR ( N) := Z N \ QR ( N) is called the set of quadratic nonresidues modulo N. QR := N,v QNR := N,v {( ) v QR ( N) } {( ) v QR ( N) } 11

Relations and languages Quadratic residues Example L = QR x = (N,v),N!,v " N *,w " N * R QR (x,w) = 1: w 2 = x mod N. 12

Relations and languages Discrete logarithms Example L = DL x = (p,g,v), p! prime, g, v " p *,w " p 1 R DL (x,w) = 1: g w = v mod p 13

Relations and identification Given binary relation R {0,1} * {0,1}, in registration P and V agree on x L R, for which P knows w W(x). In identification, P convinces V that he knows w W(x). verifier x L R? prover try w! outputs 1, iff ( ) = 1 R x,w 14

SAT and identification SAT:= { ϕ ϕ is a satisfiable Boolean formula} verifier ϕ SAT? prover outputs 1, iff ( ) ϕ c = 1 try assignment c! Identifciation reveals secret key! 15

QR and identification QR N { s 2 = v mod N} is called the set of ( ) := v Z N s Z N quadratic residues modulo N. verifier ( N,v) N Z N prover outputs 1, iff s 2 = v mod N try s! Identifciation reveals secret key! 16

Three round protocols Let C a finite set, let α,ρ be ppts, and let ϕ be a polynomial time computable predicate. Consider a three round protocol as below. P with input (x,w) a α(x,w;k) a V with input x r ρ(x,w,k,c) c r c C ϕ(x,a,c,r)? 17

Three round protocols P with input (x,w) a α(x,w;k) a V with input x r ρ(x,w,k,c) c r c C ϕ(x,a,c,r)? - a is called announcement. - c is called challenge and C is called challenge space. - r is called response. - (a,c,r) is called a conversation or transcript. - (a,c,r) is called accepting, if φ(x,a,c,r) = 1. - In this case, we say that V accepts. 18

Three round protocols P with input (x,w) a α(x,w;k) a V with input x r ρ(x,w,k,c) c r c C ϕ(x,a,c,r)? - Let R be a binary relation. - The protocol is called complete for R, or simply a protocol for R, if for (x,w) R verifier V always accepts. 19

Fiat-Shamir protocol P on input (N,v,w) k Z N *,a := k 2 mod N r := k w c mod N a c r V on input (N,v) c { 0,1} accepts iff r 2 = a v c mod N The Fiat-Shamir protocol is a complete protocol for the relation R QR. Example L = QR x = (N,v),N!,v " N *,w " N * R QR (x,w) = 1: w 2 = v mod N. 20

Schnorr protocol P on input (p,g,v,w) k Z p 1,a := g k mod p r := k w c mod p 1 a c r V on input (p,g,v) c { 1,,2 l },2 l < p accepts iff a = g r v c mod p The Schnorr protocol is a complete protocol for the relation R DL. Example L = DL x = (p,g,v),p! prime, g,v " * p,w " p 1 R DL (x,w) = 1: g w = v mod p 21

Soundness and zero-knowledge Definition 3.5 A three round protocol for relation R has special soundness if there exists a ppt algorithm E (extractor) which given x L R and any two accepting transcripts (a,c,r) and (a,c',r') with c c' computes a witness w satisfying (x,w) R. Definition 3.6 A three round protocol for relation R is a special honest verifier zero-knowledge protocol if there exists a ppt algorithm S (simulator) which given any x L R and any challenge c produces transcripts (a,c,r) with the same distribution as in the real protocol. 22

- protocols Definition 3.7 A three round protocol is a - protocol for relation R if 1. it is complete for relation R, 2. it has special soundness, 3. it is a special honest verifier zero-knowledge protocol for R. Theorem 3.8 The Fiat-Shamir protocol is a Σ- protocol for relation R QR.The Schnorr protocol is a Σ- protocol for relation R DL restricted to triples (p,g,v), where the order of g is a known prime. 23

Soundness for Schnorr and Fiat-Shamir Lemma 3.9 The Fiat-Shamir protocol and the Schnorr protocol are sound. In the later case, we need that for triples (p,g,v) the order of g is a known prime. 24

Schnorr protocol in prime order groups Let G be a group with G = p, p prime, and let g G \ { 1}. P on input (G,g,v,w) k Z p,a := g k (in G) r := k w c mod p a c r V on input (G,g,v) c { 1,,2 l },2 l < p accepts iff a = g r v c (in G) Observation The Schnorr protocol is a Σ-protocol for the relation R GDL : v,w ( ) G Z p : R GDL ( v,w ) = 1 g w = v (in G). 25

Zero-knowledge for Schnorr and Fiat-Shamir Lemma 3.10 The Fiat-Shamir protocol is a special honest verifier zero-knowledge protocol. Lemma 3.11 The Schnorr protocol is a special honest verifier zero-knowledge protocol. 26

Soundness and security against cheating provers Theorem 3.12 Let R be a binary relation and V/P a three round protocol for R with special soundness and challenge space C. Then for any ε > 0 and any algorithm A there exists an algorithm A with the following properties: 1. If on input x L R algorithm A impersonates P with probability 1/ C + ε, ε > 0, then A on input x and with probability ε 16 computes a witness w W(x). 2. If A runs in time T, then A runs in time O ( T/ε + T' ), where T' is the runnig time of the extractor E for P/V. 27

Three round protocols P with input (x,w) a α(x,w;k) a V with input x r ρ(x,w,k,c) c r c C ϕ(x,a,c,r)? 28

From A to A A on input x 1. repeat at most 1 ε times a) R { 0,1} L,c C b) simulate A with random bits R and challenge c c) ( if A succeeds set c 1 ) : = c and goto 2) 2. repeat at most 2 ε times a) c C b) simulate A with random bits R and challenge c c) ( if A succeeds set c 2 ) : = c and goto 3) 3. Let a be the announcement that A computes with. ( random bits R. Use extractor E with input a, c 1 ) 2, c to compute a witness w. ( ) 29

Soundness and security against cheating provers the main claim A uses bit strings in {0,1} L as its source of randomness. With R {0,1} L and c C fixed, the bevaiour of A is fixed. (R,c) called accepting if A, by using randomness R and upon receiving challenge c, makes V accept. R { 0,1} * called heavy if for at least a ( 1 C +ε / 2)-fraction of all c C the pair (R,c) is accepting. Otherwise R is light. (R,c) called heavy if ( R,c) is accepting and R is heavy. Claim If A is as in Theorem 3.12 then for at least an ε/2-fraction of accepting pairs (R,c) the element R is heavy. 30

Proof of the main claim Let p be the fraction of accepting pairs (R,c) with a light R. Hence the number of accepting pairs with light R is p (1/ C +ε) 2 L C. Since each light R appears in at most (1/ C +ε) C such pairs, the number of light R's is at least p (1/ C +ε) 2 L C (1/ C +ε / 2) C = p (1/ C +ε) (1/ C +ε / 2) 2L. p (1/ C +ε) Hence (1/ C +ε / 2) 1 or p 1/ C +ε / 2 1/ C +ε. For 1/ C +ε 1 we have Hence p < 1 ε / 2. 1/ C +ε / 2 1/ C +ε < 1 ε / 2. 31

What does it mean? - Cheating provers succeed with probability at most 1/ C, if computing witnesses for elements in L R is a hard problem. - Easy to see that cheating provers can always succeed with probability 1/ C. - For Schnorr computing witnesses means computing discrete logorithms. - Which, currenty, seems to be a hard problem, provided the prime p is chosen carefully. - Schnorr can easily be generalized to other groups, where computation of discrete logarithm is even harder than in Z p. - C =2 l and can make l suffciently large. - What about Fiat-Shamir? 32

Security of Fiat-Shamir - factoring and modular square root Theorem 3.13 For any δ > 0 and any algorithm A there exists an algorithm A with the following properties: 1. If on input N = p q, p,q prime, and a Z N, A finds b Z N satisfying b 2 = a mod N with probability δ, then A on input N computes p,q with probability δ/2; 2. If A runs in time T, then A runs in time O ( T+log 2 (N)). 33

Chinese Remainder Theorem Chinese Remainder Theorem Let m 1,,m r N be pairwise relatively prime, i.e. gcd( m i,m ) j = 1 for i j. Let b 1,,b r N be arbitrary integers. Then the system of congruences x = b 1 mod m 1! x = b r mod m r has a unique solution modulo M = m 1 "m r. Corollary 3.14 Let N = p q be the product of two distinct odd primes. For every a Z N the equation x 2 = a mod N has either 0 or 4 solutions. In case of 4 solutions, these solutions are of the form ± s 1,±s 2,s 2 /± s 1. 34

From A to A A on input N 1. choose b Z N 2. if d = gcd( b,n) 1, output d,n d 3. a := b 2 mod N 4. simulate A with input N,a to obtain w Z N 5. if w 2 = a mod N and w ±b mod N, compute d = gcd( w b,n) and output d,n d 35

Parallel Fiat-Shamir protocol P on input (N,v,w) V on input (N,v) k i Z N *,a i := k i 2 mod N, i = 1,,l ( a 1,,a l ) c { } l ( ) c 0,1 c = c 1,,c l r i := k i w c i i = 1,,l mod N, ( a 1,,a l ) accepts, iff for all i r i 2 = a i v c i mod N 36

Parallel Fiat-Shamir protocol Theorem 3.15 The parallel Fiat-Shamir protocol is a Σ- protocol for relation R QR. 37