CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

Similar documents
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Lecture 15 - Zero Knowledge Proofs

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Lecture Notes 20: Zero-Knowledge Proofs

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

March 19: Zero-Knowledge (cont.) and Signatures

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Lecture 10: Zero-Knowledge Proofs

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Entity Authentication

Notes on Zero Knowledge

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 17: Constructions of Public-Key Encryption

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Winter 2011 Josh Benaloh Brian LaMacchia

Lecture 26: Arthur-Merlin Games

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

From Secure MPC to Efficient Zero-Knowledge

III. Authentication - identification protocols

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

Cryptographic Protocols Notes 2

Solutions to homework 2

Short Exponent Diffie-Hellman Problems

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Homework 3 Solutions

Smooth Projective Hash Function and Its Applications

A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL

Linear Multi-Prover Interactive Proofs

Multiparty Computation

Introduction to Cryptography. Lecture 8

Lecture 18: Zero-Knowledge Proofs

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

On the CCA1-Security of Elgamal and Damgård s Elgamal

14 Diffie-Hellman Key Agreement

Additive Combinatorics and Discrete Logarithm Based Range Protocols

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 15: Interactive Proofs

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Question: Total Points: Score:

1 Recap: Interactive Proofs

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 3: Interactive Proofs and Zero-Knowledge

1 Basic Number Theory

ECS 189A Final Cryptography Spring 2011

CS151 Complexity Theory. Lecture 14 May 17, 2017

Computing on Encrypted Data

Interactive Zero-Knowledge with Restricted Random Oracles

Some ZK security proofs for Belenios

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations

George Danezis Microsoft Research, Cambridge, UK

Non-interactive Zaps and New Techniques for NIZK

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Improved OR-Composition of Sigma-Protocols

Statistically Secure Sigma Protocols with Abort

Commitment Schemes and Zero-Knowledge Protocols (2011)

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lecture 13: Seed-Dependent Key Derivation

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Katz, Lindell Introduction to Modern Cryptrography

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

1 Number Theory Basics

Interactive protocols & zero-knowledge

Concurrent Knowledge Extraction in the Public-Key Model

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

4-3 A Survey on Oblivious Transfer Protocols

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

CPSC 467b: Cryptography and Computer Security

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Lecture Note 3 Date:

CPA-Security. Definition: A private-key encryption scheme

Additive Conditional Disclosure of Secrets

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

On the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Cryptographic Protocols FS2011 1

Lecture 18: Message Authentication Codes & Digital Signa

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Elliptic Curve Cryptography

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Authentication. Chapter Message Authentication

Proofs of Ignorance and Applications to 2-Message Witness Hiding

Transcription:

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu

UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols: basics

Σ-PROTOCOLS: UP TO NOW We started from a very simple protocol for GI "intuitively" secure: complete, sound, ZK Formalized security requirements based on this concrete example Big promise: this is useful in general

THIS TIME Σ-protocols: short reminder Σ-protocols for DL based languages Composition of Σ-protocols Σ-protocols for everything interesting

REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R Requirement: c is chosen from publicly known challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol

REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R 1. Completeness 2. Special Soundness 3. Special Honest-Verifier ZK (SHVZK)

REMINDER: AUTHENTICATION pk, sk 1st message: commitment a pk 2nd message: challenge c 3rd message: response z Accepts iff prover knows sk such that (pk, sk) Gen GI protocol: sk = ω = secret isomorphism. Verifier convinced prover knows the secret key without any side information being leaked

PROBLEM WITH GI Inefficient (for say authentication): having graphs as PK/SK is not efficient adjacency matrix: O (n²) bits Also we have many other elements of the protocols based on Elgamal. Better stick to the same cryptosystem Knowledge error κ = 1 / 2 Need to parallel-repeat protocol 40+ times to amplify

NOTATION P has input (x, ω), V has input x Σ-protocol (P, V) is a proof of knowledge that P knows ω such that (x, ω) R for a public language L/relation R x L ω (x, ω) R // ω is short Common notation: PK (ω: R (x, ω)) Secret values denoted by Greek letters We will now see (for Elgamal): PK (ρ: h = g^ρ)

POK: KNOWLEDGE OF DL h = g^ρ, ρ 1st message: commitment a h 2nd message: challenge c 3rd message: response z Accepts iff prover knows ρ such that h = g^ρ Authentication: Proof of Knowledge of secret key corresponding to Elgamal PK h. General intepretation: PK of a discrete logarithm

IDEA GI: knowing isomorphism G₁ G₂ (knowing isomorphism G₁ H knowing isomorphism G₂ H for random H) Prover knows 0, 1 or 3 of isomorphisms never exactly 2 DL: knowing DL of y = g^ρ (knowing DL of gʳ knowing DL of g^(ρ + r) for random r) φ:(g₁,g2) ψ:(g₁,h) ψφ ¹:(G2,H) ρ:h=g^ρ r:a=gʳ Prover knows 0, 1 or 3 of DL-s It is a bit like secret sharing r+ρ:ah=g^(ρ+r)

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c note: z = r or z = r + ρ plays the role of Gc z Completeness: g^z = g^(r + cρ) = ah^c

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Special soundness. Extractor K(a, c, z, c* c, z*): // Accepting views, thus g^z = ah^c and g^(z*) = ah^(c*) 1. Return ρ (z - z*) / (c - c*) z Accept if g^z = ah^c Analysis. Divide the first verification equation with the second one: g^(z - z*) = h^(c - c*) Since c c*, h = g^((z - z*) / (c - c*)), thus extractor retrieves ρ correctly.

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c SHVZK. Simulator S (c): 1. Generate z Zp 2. Set a g^z / h^c 3. Return (a, z) z Analysis. First. (a, c, z) is accepting since a was generated so that the verification equation would accept. (tautology.) Second. In real execution (a, c, z) G {0, 1} Zp is completely random except that the verification equation holds. Thus in real execution one can start by generating c {0, 1}, z Zp, and then setting a g^z / h^c. Thus simulator's output is exactly from the same distribution as the real protocol's output

ON KNOWLEDGE ERROR We "hid" most of the technicalities "expected" poly-time extractor, etc Important: κ = 1 / 2 P* can guess V's challenge c with probability 1 / 2 We can decrease κ by using security amplification from Lecture 11 However, there is a much better way

QUIZ: IMPROVING Κ Question: how would you improve κ? without security amplification! Hint 1: κ = 1 / C C = challenge set, here C = {0, 1} Hint 2: the previous protocol did never require to have C = 2

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1}ˢ z r + cρ Accept if g^z = ah^c z Completeness: g^z = g^(r + cρ) = ah^ρ

SECURITY PROOF All parts of security proof are same as before Only exception: In analysis of SHVZK, we get c {0, 1}ˢ both in the "protocol" and "simulator" case Simulator construction does not change Knowledge error: κ = 2 ˢ // probability P* guesses c

REMARKS In practice s = 40 may suffice Information-theoretic limit, not computational However, choosing s = 80 does not make the protocol significantly less efficient This knowledge-of-dl (with variable s) Σ- protocol was proposed by Schnorr in 1991

COMPOSITION Another reason Σ-protocols are useful: they are extremely easy to compose... in a black-box way Automatic rules: 1. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK ((ω₁, ω₂): R₁ (x, ω₁) R₂ (x, ω₂)) 2. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK (ω: R₁ (x, ω) R₂ (x, ω)) Given those two rules (and suitable starting protocols), can "automatically" construct Σ-protocols for all languages in NP

"AND" COMPOSITION Assume you know both ω₁ and ω₂ s.t. Rᵢ (x, ωᵢ) Run PK (ω₁: R₁ (x, ω₁)) and PK (ω₂: R₂ (x, ω₂)) in parallel Possible, since we know both witnesses Optimization: let V to use the same c in both cases assuming they come from the same set this optimization is actually needed for some functionality

"AND" COMPOSITION (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

"AND": COMPLETENESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Completeness: Since both V₁ and V₂ accept, also V accepts Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

"AND": SPECIAL SOUNDNESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Special soundness. Extractor K (a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ω₁ K₁ (a₁, c, z₁, c*, z₁*) 1. ω₂ K₂ (a₂, c, z₂, c*, z₂*) 2. Return (ω₁, ω₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

REMARKS We will see two different types of AND compositions 1. ω₁ and ω₂ are independent random variables Example: PK ((µ, ρ): e = Enc (µ; ρ)) Extraction works: Kᵢ obtains ωᵢ {µ, ρ}

TYPE 2 Type 2: Both protocols use the same secret Composition works given the secret is unique Need to use the same challenge c₁ = c₂ in both times Means that the third message is also same Both extractors successful => they return same value Not a completely automatic composition: have to prove special soundness every single time

POK: DDH WITNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) z r + cρ c C z Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c) Second type AND composition of two DL POKs

DDH WITNESS: COMPLETENESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) z r + cρ c C z Completeness. Clear, since (a₁, c, z) is accepting view for PK (ρ: e₁ = h^ρ) and (a₂, c, z) is accepting view for PK (ρ: e₂ = g^ρ) Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)

DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C Special soundness. Extractor K (a₁, a₂, c, z, c*, z*): 1. // K₁ (a₁, c, z, c*, z*) = K₂ (a₂, c, z, c*, z*) 2. ρ (z - z*) / (c - c*) 3. Return ρ z r + cρ z Analysis. Simple corollary of knowledge of DL protocols. One gets "the same" ρ from the use of the same c in both verification equations Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)

DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) z r + cρ c C SHVZK Simulator S (c): 1. z Zp, 2. (a₁, a₂) (h^z / e₁^c, g^z / e₂^c) 3. Return (a₁, a₂; c; z) z Analysis. Again, simple corollary. Acceptance is tautology. Distribution is the same since in both cases c and z are random and (a₁, a₂) just makes verification accept Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)

POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^µ h^ρ, g^ρ) for some (µ, ρ)} (g, h, e₁, e₂), (µ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cµ z₂ r + cρ (z₁, z₂) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) First type AND composition over two previous protocols

REMARKS AND-proof gives an easy way to get an AND of two Σ-protocols but its better to make it sure the result is correct by giving direct security proof Example direct security proofs were simple but sometimes it gets very tedious

OR-PROOF Assume that P knows a witness to either x L₁ or x L₂ and wants to convince V in this Important: V should not get to know which witness P knows Example: L₀ = { e = Enc (0; ρ) for some ρ}, L₁ = { e = Enc (1; ρ) for some ρ} We know already how to construct protocols for both L = L₀ L₁ = {e = Enc (0; ρ) e = Enc (1; ρ) for some ρ} Verifier is convinced plaintext is Boolean

AND VS OR PROOF AND proof is simpler: R₁ R₂ is true iff both R₁ and R₂ are true Revealing in the proof that Rᵢ is true does not break ZK OR proof must not reveal which of R₁ and R₂ is true Additional layer of complexity

QUIZ: "OR" COMPOSITION (x, ω): s.t. Rᵢ(x, ω) For one i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Problems: 1. Prover knows only witness ω for Rᵢ and thus cannot Goal: construct protocol execute (P, V) both for PK branches (ω: R₁ (x, of ω) OR R₂ (x, ω)) 2. Verifier should not know which branch P can execute aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ω, c; rᵢ) Quiz: how can P run the branch, without knowing corresponding secret, such that V cannot distinguish it from the real run? zᵢ Accept if either V₁ (x, a₁, c₁, z₁) or V₂ (x, a₂, c₂, z₂) accepts

ANSWER: USE SIMULATOR Need to run protocol without knowing witness? Answer: use the simulator Need it to be indistinguishable from real run? Answer: use the simulator

... WITH A TRICK Problem: P should run one branch unsimulated Simulated branch can be created out-of-order, "unsimulated" cannot be Recall "special" meant the simulator can start from c, then create the rest, while P has to start with a So one of two must use c provided by V Question: how?

... WITH A TRICK Idea: generate cᵢ first, after seeing verifier's challenge c, choose c3-i c - cᵢ One of c₁ and c₂ thus must be created "after" seeing c We really need the "special" ZK property

OR-PROOF (x, ω): R₁(x, ω) a₁ P₁ (x; r) c₂ C; (a₂, z₂) S₂ (c₂) (a₁, a₂) Assume wlog that P knows ω s.t. R₁ (x, ω) x c C = {0,..., C - 1} c₁ c - c₂ mod C z₁ P₁ (x, ω, c₁; r) (z₁, z₂, c₁) c₂ c - c₁ mod C Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) R₂ (x, ω))

SECURITY PROOF I will not give a full security proof, but it is easy Completeness: from completeness of first PK, and successful simulation of the second one Special soundness: OR-extractor runs extractors for both branches. One of them is successful, return this value SHVZK: since the first PK is SHVZK, and the second one is already simulated

POK: ELGAMAL PLAINTEXT IS BOOLEAN L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^µ h^ρ, g^ρ) for some ρ Zp, µ {0, 1}} We depict prover when µ = 0; µ = 1 is dual (g, h, e₁, e₂), (µ, ρ) 1. r Zp 2. (a₁₁, a₁₂) (hʳ, gʳ) 3. c₂ C; z₂ Zp 4. a₂₁ g¹ h^(z₂) / e₁^(c₂) 5. a₂₂ g^(z₂) / e₂^(c₂) (a₁₁, a₁₂, a₂₁, a₂₂) c C (g, h, e₁, e₂) c₁ c - c₂ mod C z₁ r + c₁ ρ (c₁, z₁, z₂) c₂ c - c₁ mod C Accept if c₁ C, (h^(z₁), g^(z₁)) = (a₁₁e₁^(c₁), a₁₂e₂^(c₁)) (gh^(z₂), g^(z₂)) = (a₂₁e₁^(c₂), a₂₂e₂^(c₂))

SECURITY PROOF Left for homework Note: there exists a slightly more efficient Boolean proof that does not use simulation

Σ-PROTOCOLS FOR BOOLEAN CIRCUITS Each circuit can be built from NAND gates x NAND y = 1 iff x = 0 or y = 0 x,y z 0,0 1 Easy to verify that NAND is observed: 0,1 1 1,0 1 x NAND y = z iff x + y + 2z - 2 {0, 1} 1,1 0 Corollary. Boolean proofs are sufficient to construct Σ-protocol for CIRCUIT-SAT Proof. Encrypt each wire value except the last one (which is 1). Prove that each wire value is Boolean. For each gate, prove that NAND is observed x y z

STUDY OUTCOMES Σ-protocols for DL-based languages Simple examples Composition rules Everything interesting has a Σ-protocol

NEXT LECTURE How to build "real ZK" on top of Σ-protocols? Random Oracle Model? Interactive, four-message ZK

TUTORIAL Needed for exam 1. Security proofs for "proof of Elgamal plaintext and randomizer" 2. Range proof

POK: ELGAMAL PLAINTEXT&RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^µ h^ρ, g^ρ) for some (µ, ρ)} (g, h, e₁, e₂), (µ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cµ z₂ r + cρ // corresponds to first witness // corresponds to second witness (z₁, z₂) Completeness. From composition, or directly: g^(z₁) h^(z₂) = gᵐ g^(cµ) hʳ h^(cρ) = a₁e₁^c g^(z₂) = gʳg^(cρ) = a₂e₂^c Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)

POK: ELGAMAL PLAINTEXT&RANDOMIZER (g, h, e₁, e₂), (µ, ρ) L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^µ h^ρ, g^ρ) for some (µ, ρ)} (z₁, z₂) (g, h, e₁, e₂) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) Analysis (direct). Verification eq gives us: (g^(z₁)h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) (g^(z₁*)h^(z₂*), g^(z₂*)) = c (a₁e₁^(c*), C a₂e₂^(c*)) Divide first by second: (g^(z₁ - z₁*) h^(z₂ z₁ - z₂*), m g^(z₂ + cµ - z₂*)) = (e₁^(c - c*), e₂^(c - c*)) (g^((z₁ - z₁*) / (c - z₂ c*)) h^((z₂ r + cρ- z₂*) / (c - c*)), g^((z₂ - z₂*) / (c - c*))) = (e₁, e₂) Exponents matching mod p Special Soundness. From composition, or directly: Extractor K(a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ρ (z₂ - z₂*) / (c - c*) // As before 2. µ (z₁ - z₁*) / (c - c*) 3. Return (µ, ρ) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)

POK: ELGAMAL PLAINTEXT&RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^µ h^ρ, g^ρ) for some (µ, ρ)} (g, h, e₁, e₂), (µ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cµ z₂ r + cρ HVSZK (direct): Simulator S (c): 1. z₁, z₂ Zp 2. a₁ g^(z₁) h^(z₂) / e₁^c 3. a₂ g^(z₂) / e₂^c 4. Return (a₁, a₂, z₁, z₂) (z₁, z₂) Analysis (direct). Trivial. Verification accepts. Distribution is the same as in the real case too. Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)

QUIZ: RANGE PROOF Assume protocol is secure for Bob if Alice's input belongs to range S := {0, 1,..., H - 1} E.g., e-voting: S = range of valid candidates Question: how would you construct PK ((µ, ρ): e = Enc (µ; ρ) µ S)? Hint: you are allowed to encrypt every bit of µ separately And assume initially H = 2ⁿ

ANSWER: RANGE PROOF Construct PK ({(µᵢ, ρᵢ)}: (e₁ = Enc (0; ρ₁) (e₁ = Enc (1; ρ₁))... (en = Enc (0; ρn) en = Enc (1; ρn))) e₁ = Enc (0; ρ₁) e₁ = Enc (1; ρ₁) en = Enc (0; ρn) en = Enc (1; ρn)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback