Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Similar documents
Lecture Notes 20: Zero-Knowledge Proofs

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 10: Zero-Knowledge Proofs

Lecture 15 - Zero Knowledge Proofs

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Improved OR-Composition of Sigma-Protocols

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

From Secure MPC to Efficient Zero-Knowledge

Lecture 3: Interactive Proofs and Zero-Knowledge

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

Winter 2011 Josh Benaloh Brian LaMacchia

Lecture 3,4: Universal Composability

Interactive Zero-Knowledge with Restricted Random Oracles

Constant-round Leakage-resilient Zero-knowledge from Collision Resistance *

Statistical WI (and more) in Two Messages

Statistically Secure Sigma Protocols with Abort

Generic and Practical Resettable Zero-Knowledge in the Bare Public-Key Model

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

1 Recap: Interactive Proofs

Improved OR Composition of Sigma-Protocols

PAPER An Identification Scheme with Tight Reduction

Distinguisher-Dependent Simulation in Two Rounds and its Applications

Concurrent Knowledge Extraction in the Public-Key Model

An Identification Scheme Based on KEA1 Assumption

Notes on Zero Knowledge

Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds

Concurrent Non-malleable Commitments from any One-way Function

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Concurrent Zero Knowledge without Complexity Assumptions

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Efficient Constructions of Composable Commitments and Zero-Knowledge Proofs

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Zero-Knowledge Proofs and Protocols

Highly-Efficient Universally-Composable Commitments based on the DDH Assumption

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

Homework 3 Solutions

Lecture 18: Zero-Knowledge Proofs

Cryptographic Protocols Notes 2

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Cryptographic Protocols FS2011 1

Non-Conversation-Based Zero Knowledge

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

On The (In)security Of Fischlin s Paradigm

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

III. Authentication - identification protocols

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

Lecture 17: Constructions of Public-Key Encryption

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function

COS Cryptography - Final Take Home Exam

CS151 Complexity Theory. Lecture 13 May 15, 2017

Non-interactive Zaps and New Techniques for NIZK

Achieving Constant Round Leakage-Resilient Zero-Knowledge

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

CPSC 467: Cryptography and Computer Security

Interactive protocols & zero-knowledge

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function

How to Go Beyond the Black-Box Simulation Barrier

Advanced Topics in Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Zero-Knowledge Against Quantum Attacks

A Note on the Cramer-Damgård Identification Scheme

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function

How to Go Beyond the Black-Box Simulation Barrier

1 Number Theory Basics

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

G /G Advanced Cryptography 10/21/2009. Lecture 7

On the Security of Classic Protocols for Unique Witness Relations

Minimal Assumptions for Efficient Mercurial Commitments

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Cryptography in the Multi-string Model

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Magic Functions. In Memoriam Bernard M. Dwork

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Introduction to Modern Cryptography Lecture 11

Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Lecture 14: Secure Multiparty Computation

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Smooth Projective Hash Function and Its Applications

March 19: Zero-Knowledge (cont.) and Signatures

Anonymous Credentials Light

Theory of Computation Chapter 12: Cryptography

University of Bristol - Explore Bristol Research. Peer reviewed version. Link to published version (if available): /iet-ifs.2015.

Transcription:

Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1

Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written by hand; non-interactive Interactive proofs: Prover and verifier interact Adds a lot of power (NP vs PSPACE) 2

Graph Non-Isomorphism P claims that and are not isomorphic Verifier step Chooses a random bit Computes as a random permutation of Sends to prover P Prover step Find (inefficiently) the bit b such that Send to V 3

Graph Non-Isomorphism Completeness: easy Soundness: If the graphs are isomorphic, then a random permutation of G 0 has the same distribution as a random permutation of G 1 P cannot know which bit V started with, and so is right with probability at most ½ Repeating n times reduces the cheating probability to 2 n 4

Prover P, verifier V, language L, statement x P proves that x L without revealing anything but that fact Completeness: as before Soundness: V accepts with negligible probability when x L, for any P Computational soundness: when P is polynomial-time Zero-knowledge: For every V there exists a simulator S such that S(x) outputs a view indistinguishable from V s view in a real execution with P Zero Knowledge 5

ZK Proof of Knowledge Prover P, verifier V, relation R P proves that it knows a witness w for which (x, w) R without revealing anything The proof is zero knowledge as before There exists an extractor K that obtains w from any P where (x, w) R with the same probability that P convinces V Equivalently: The protocol securely computes the functionality f zk ((x, w), x) = (λ, R(x, w)) 6

Zero Knowledge An amazing concept; everything can be proven in zero knowledge Central to fundamental feasibility results of cryptography (e.g., GMW) But, can it be efficient? It seems that zero-knowledge protocols for interesting languages are complicated and expensive 7

Sigma Protocols A way to obtain efficient zero knowledge Many general tools Many interesting languages can be proven with a sigma protocol 8

An Example Schnorr DLOG Let G be a group of order q, with generator g P and V have input h = g w, P has w P proves that to V that it knows w P chooses a random r Z q and sends a = g r to V V sends P a random e 0,1 t P sends z = r + ew mod q to V V checks that g z = a h e Completeness Follows since g z = g r+ew = g r g w e = a h e 9

Schnorr s Protocol Proof of knowledge Assume P can answer two queries e 1 and e 2 for the same first message a Then, we have g z 1 = a h e 1 and g z 2 = a h e 2 Thus, a = g z 1 h e 1 = g z 2 h e 2 and so g z 1 z 2 = h e 1 e 2 Therefore DLOG g h = z 1 z 2 e 1 e 1 2 mod q Since are all known from the transcripts, this can be computed Conclusion: If P can answer with probability greater than, then it must know the dlog P (h, w) a = gr e z = r + ew V (h) g z? = ah e 10

Schnorr s Protocol What about zero knowledge? Seems not Honest-verifier zero knowledge Choose a random z and e, and compute a = g z h e Observe that (a, e, z) chosen this way has the same distribution as when V chooses e randomly In particular, g z = a h e This is not very strong, but we will see that it yields efficient general ZK 11

Definitions Sigma protocol template Common input: P and V both have x Private input: P has w such that (x,w) R Protocol: P sends a message a V sends a random t-bit string e P sends a reply z V accepts based solely on (x,a,e,z) 12

Definitions Completeness: as usual Special soundness: There exists an algorithm A that given any x and pair of transcripts (a,e,z),(a,e,z ) with e e outputs w s.t. (x,w) R Special honest-verifier ZK There exists an M that given x and e outputs (a,e,z) which is distributed exactly like a real execution where V sends e 13

Sigma Protocol DH Tuple Relation R of Diffie-Hellman tuples (g,h,u,v) R iff exists w s.t. u=g w and v = h w Useful in many protocols Protocol P chooses a random r and sends a=g r, b=h r V sends a random e P sends z=r+ew mod q V checks that g z =au e, h z =bv e 14

Sigma Protocol DH Tuple Completeness: as in DLOG Special soundness: Given (a,b,e,z),(a,b,e,z ), we have g z =au e, g z =au e, h z =bv e, h z =bv e and so like in DLOG on both w = (z-z )(e-e ) Special HVZK Given (g,h,u,v) and e, choose random z and compute a = g z u -e P ((g,h,u,v),w) a=g r, b=h r e z=r+ew V g z? = au e h z = bv e b = h z v -e 15

Basic Properties Any sigma protocol is an interactive proof with soundness error 2 -t Properties of sigma protocols are invariant under parallel composition Any sigma protocol is a proof of knowledge with error 2 -t The difference between the probability that P * convinces V and the probability that K obtains a witness is at most 2 -t 16

Tools for Sigma Protocols Prove compound statements AND, OR, subset Can be done efficiently (won t see here) ZK from sigma protocols Can first make a compound sigma protocol and then compile it ZKPOK from sigma protocols 17

ZK from Sigma: Preliminaries Commitment schemes: Binding: after the commitment phase, the committer cannot change the value Hiding: the receiver does not know anything about the commitment Variants Perfect and computational binding Perfect and computational hiding Cannot have both perfect binding and hiding 18

Perfectly-Binding Commitments The ElGamal usage in Blum s coin tossing is a perfectly-binding commitment Com m = h = g r, u = g s, v = h s m for m G Perfect binding: the values (h, u, v) fully define m There exists a single pair (r, s) so that h = g r, u = g s and m is fully defined by v u r Computational hiding: for every m, m G, {Com(m)} {Com(m )} 19

ZK from Sigma Protocols The basic idea Have V first commit to its challenge e using a perfectly-hiding commitment The protocol P sends the 1 st message of the commit protocol V sends a commitment c=com (e;r) P sends a message a V sends (e,r) P checks that c=com (e;r) and if yes sends a reply z V accepts based on (x,a,e,z) 20

ZK from Sigma Protocols Soundness: The perfectly hiding commitment reveals nothing about e and so soundness is preserved Zero knowledge In order to simulate: Send a generated by the simulator, for a random e Receiver V s decommitment to e Run the simulator again with e, rewind V and send a Repeat until V decommits to e again Conclude by sending z Analysis 21

Pedersen Commitments Highly efficient perfectly-hiding commitments Parameters: generator g, order q Commit protocol (commit to x Z q ): Receiver chooses random k Z q and sends h = g k Sender sends c = g r h x, for a random r Z q Perfect hiding: For every x, y Z q there exist r, s Z q such that r + kx = s + ky mod q Computational binding: If can find x, r, (y, s) such that g r h x = g s h y then can compute k = DLOG g h = r s y x mod q 22

Efficiency of ZK Using Pedersen commitments, this costs only 5 additional group exponentiations This is very efficient 23

ZKPOK from Sigma Protocols Is the previous protocol a proof of knowledge? It seems not to be The extractor for the Sigma protocol needs to obtain two transcripts with the same a and different e The prover may choose its first message a differently for every commitment string, so if the extractor changes e, the prover changes a 24

ZKPOK from Sigma Protocols Solution: use a trapdoor (equivocal) commitment scheme Given a trapdoor, it is possible to open the commitment to any value Pedersen has this property, and the previous protocol can be modified only slightly to get a proof of knowledge 25

ZK and Sigma Protocols We typically want zero knowledge, so why bother with sigma protocols? We have many useful general transformations E.g., parallel composition, compound statements The ZK and ZKPOK transformations can be applied on top of the above, so obtain transformed ZK It is much harder to prove ZK than Sigma ZK distributions and simulation Sigma: only HVZK and special oundness 26

Using Sigma Protocols and ZK Prove that the El Gamal encryption (u,v) under public-key (g,h) is to the value m By encryption definition u=g r, v=h r m ThUS (g,h,u,v/m) is a DH tuple So, given (g,h,u,v,m), just prove that (g,h,u,v/m) is a DH tuple Database of ElGamal(K i ),E Ki (T i ) Can release T i without revealing anything about T j for j I 27

Non-Interactive ZK (ROM) The Fiat-Shamir paradigm To prove a statement x Generate a, compute e=h(a,x), compute z Send (a,e,z) Properties: Soundness: follows from random oracle property Zero knowledge: same Can achieve simulation-soundness (non malleability) by including unique sid in H 28

Summary Efficient zero knowledge is very important in secure computation protocols Using sigma protocols, we can get very efficient ZK Sigma protocols are very useful: Efficient ZK Efficient ZKPOK Efficient NIZK in the random oracle model Many other applications as well 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback