CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu
UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols: basics
Σ-PROTOCOLS: UP TO NOW We started from a very simple protocol for GI "intuitively" secure: complete, sound, ZK Formalized security requirements based on this concrete example Big promise: this is useful in general
THIS TIME Σ-protocols: short reminder Σ-protocols for DL based languages Composition of Σ-protocols Σ-protocols for "almost everything interesting" in the DL-world
REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R Requirement: c is chosen from publicly known challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol
REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R 1. Completeness 2. Special Soundness 3. Special Honest-Verifier ZK (SHVZK)
REMINDER: AUTHENTICATION pk, sk 1st message: commitment a pk 2nd message: challenge c 3rd message: response z Accepts iff prover knows sk such that (pk, sk) Gen GI protocol: sk = ω = secret isomorphism. Verifier convinced prover knows the secret key without any side information being leaked
NOTATION P has input (x, ω), V has input x Σ-protocol (P, V) is a proof of knowledge that P knows ω such that (x, ω) R for a public language L/relation R x L ω (x, ω) R Common notation: PK (ω: R (x, ω)) Secret values denoted by Greek letters We will now see: PK (ρ: h = g^ρ)
PROBLEM WITH GI Inefficient (for say authentication): having graphs as PK/SK is not efficient adjacency matrix: O (n²) bits Also we have many other elements of the protocols based on Elgamal. Better stick to the same cryptosystem Knowledge error κ = 1 / 2 Need to parallel-repeat protocol 40+ times to amplify
POK: KNOWLEDGE OF DL h = g^ρ, ρ 1st message: commitment a h 2nd message: challenge c 3rd message: response z Accepts iff prover knows ρ such that h = g^ρ Authentication: Proof of Knowledge of secret key corresponding to Elgamal PK h. General intepretation: PK of a discrete logarithm
IDEA GI: knowing isomorphism G₁ G₂ (knowing isomorphism G₁ H knowing isomorphism G₂ H for random H) Prover knows 0, 1 or 3 of isomorphisms DL: knowing DL of y = g^ρ (knowing DL of gʳ knowing DL of g^(ρ + r) for random r) φ:(g₁,g2) ψ:(g₁,h) ψφ ¹:(G2,H) ρ:h=g^ρ r:a=gʳ Prover knows 0, 1 or 3 of DL-s It is a bit like secret sharing r+ρ:ah=g^(ρ+r)
QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c note: z = r or z = r + ρ plays the role of Gc z Completeness: g^z = g^(r + cρ) = ah^c
QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Special soundness. Extractor K(a, c, z, c* c, z*): // Accepting views, thus g^z = ah^c and g^(z*) = ah^(c*) 1. Return ρ (z - z*) / (c - c*) z Accept if g^z = ah^c Analysis. Divide the first verification equation with the second one: g^(z - z*) = h^(c - c*) Since c c*, h = g^((z - z*) / (c - c*)), thus extractor retrieves ρ correctly.
QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c SHVZK. Simulator S (c): 1. Generate z Zp 2. Set a g^z / h^c 3. Return (a, z) z Analysis. First. (a, c, z) is accepting since a was generated so that the verification equation would accept. (tautology.) Second. In real execution (a, c, z) G {0, 1} Zp is completely random except that the verification equation holds. Thus in real execution one can start by generating c {0, 1}, z Zp, and then setting a g^z / h^c. Thus simulator's output is exactly from the same distribution as the real protocol's output
ON KNOWLEDGE ERROR We "hid" most of the technicalities "expected" poly-time extractor, etc Important: κ = 1 / 2 P* can guess V's challenge c with probability 1 / 2 We can decrease κ by using security amplification from Lecture 10 However, there is a much better way
QUIZ: IMPROVING Κ Question: how would you improve κ? without security amplification! Hint 1: κ = 1 / C C = challenge set, here C = {0, 1} Hint 2: the previous protocol did never require to have C = 2
QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1}ˢ z r + cρ Accept if g^z = ah^c z Completeness: g^z = g^(r + cρ) = ah^ρ
SECURITY PROOF All parts of security proof are same as before Only exception: In analysis of SHVZK, we get c {0, 1}ˢ both in the "protocol" and "simulator" case Simulator construction does not change Knowledge error: κ = 2 ˢ // probability P* guesses c
REMARKS In practice s = 40 may suffice Information-theoretic limit, not computational However, choosing s = 80 does not make the protocol less efficient This knowledge-of-dl (with variable s) Σ- protocol was proposed by Schnorr in 1991
COMPOSITION Another reason Σ-protocols are useful: they are extremely easy to compose... in a black-box way Automatic rules: 1. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK ((ω₁, ω₂): R₁ (x, ω₁) R₂ (x, ω₂)) 2. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK (ω: R₁ (x, ω) R₂ (x, ω)) Given those two rules (and suitable starting protocols), can "automatically" construct Σ-protocols for all languages in NP
"AND" COMPOSITION For i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Goal: construct protocol (P, V) for PK ((ω₁, ω₂): R₁ (x, ω₁) R₂ (x, ω₂)) (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ωᵢ, cᵢ; rᵢ) zᵢ Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
QUIZ: "AND" COMPOSITION (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
"AND" COMPOSITION: COMPLETENESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Completeness: Since both V₁ and V₂ accept, also V accepts Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
"AND": SPECIAL SOUNDNESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Special soundness. Extractor K (a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ω₁ K₁ (a₁, c, z₁, c*, z₁*) 1. ω₂ K₂ (a₂, c, z₂, c*, z₂*) 2. Return (ω₁, ω₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
REMARKS We will see two different types of AND compositions 1. ω₁ and ω₂ are independent random variables Example: PK ((m, r): c = Enc (m; r)) Extraction works: Kᵢ obtains ωᵢ
TYPE 2 Type 2: Both protocols use the same secret Composition works given the secret is unique not a completely automatic composition: need to prove s.s. every single time Both extractors successful => they return same value Example: PK (r: c₁ = hʳ c₂ = gʳ)
POK: DDH WITNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ z Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c) Second type AND composition
DDH WITNESS: COMPLETENESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ z Completeness. Clear, since (a₁, c, z) is accepting view for PK (ρ: e₁ = h^ρ) and (a₂, c, z) is accepting view for PK (ρ: e₂ = g^ρ) Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)
DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C Special soundness. Extractor K (a₁, a₂, c, z, c*, z*): 1. // K₁ (a₁, c, z, c*, z*) = K₂ (a₂, c, z, c*, z*) 2. ρ (z - z*) / (c - c*) 3. Return ρ z r + cρ z Analysis. Simple corollary of knowledge of DL protocols. One gets "the same" ρ from the use of the same c in both verification equations Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)
DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ SHVZK Simulator S (c): 1. z Zp, 2. (a₁, a₂) (h^z / e₁^c, g^z / e₂^c) 3. Return (a₁, a₂; c; z) z Analysis. Again, simple corollary. Acceptance is tautology. Distribution is the same since in both cases c and z are random and (a₁, a₂) just makes verification accept Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)
POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ (z₁, z₂) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) First type AND composition over two previous protocols
REMARKS AND-proof gives an easy way to get an AND of two Σ-protocols but its better to make it sure the result is correct by giving direct proof Example direct proofs were simple but sometimes it gets very tedious
OR-PROOF Assume that P knows a witness to one of x L₁ or x L₂ and wants to convince V in this Important: V should not get to know which witness P knows Example: L₀ = { e = Enc (0; ρ) for some ρ}, L₁ = { e = Enc (1; ρ) for some ρ} We know already how to construct protocols for both L = L₀ L₁ = {e = Enc (0; ρ) e = Enc (1; ρ) for some ρ} Verifier is convinced plaintext is Boolean
AND VS OR PROOF AND proof is simpler: R₁ R₂ is true iff both R₁ and R₂ are true Revealing in the proof that Rᵢ is true does not break ZK OR proof should not reveal which of R₁ and R₂ is true Additional layer of complexity
QUIZ: "OR" COMPOSITION For one i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) R₂ (x, ω)) (x, ω): s.t. Rᵢ(x, ω) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ω, c; rᵢ) zᵢ Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
QUIZ: "OR" COMPOSITION For one i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Problems: 1. Prover knows only witness ω for Rᵢ and thus cannot Goal: construct protocol (P, V) both for PK (ω: R₁ (x, execute branches of ω) R₂ (x, ω)) 2. Verifier should not know which branch P can execute (x, ω): s.t. Rᵢ(x, ω) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ω, c; rᵢ) Quiz: zᵢ how can P run the branch, without knowing corresponding secret, such that V cannot distinguish it from the real run? Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept
ANSWER: USE SIMULATOR Need to run protocol without knowing witness? Answer: use the simulator Need it to be indistinguishable from real run? Answer: use the simulator
... WITH A TRICK Problem: P should run one branch unsimulated Simulated branch can be created out-of-order, unsimulated cannot be Recall "special" meant the simulator can start from c, then create the rest, while P has to start with a So one of two must use c provided by V Question: how?
... WITH A TRICK Idea: generate cᵢ first, then choose c3-i c - cᵢ One of c₁ and c₂ thus must be created "after" seeing c We really need the "special" ZK property
OR-PROOF (x, ω): R₁(x, ω) a₁ P₁ (x; r) c₂ C; (a₂, z₂) S₂ (c₂) (a₁, a₂) Assume wlog that P knows ω s.t. R₁ (x, ω) x c C = {0,..., C - 1} c₁ c - c₂ mod C z₁ P₁ (x, ω, c₁; r) (z₁, z₂, c₁) c₂ c - c₁ mod C Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) R₂ (x, ω))
SECURITY PROOF I will not give a full security proof, but it is easy Completeness: from completeness of first PK, and successful simulation of the second one Special soundness: OR-extractor runs extractors for both branches. One of them is successful, return this value SHVZK: since the first PK is SHVZK, and the second one is already simulated
POK: ELGAMAL PLAINTEXT IS BOOLEAN L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some ρ, μ {0, 1}} We depict prover when μ = 0, μ = 1 is dual (g, h, e₁, e₂), (μ, ρ) 1. r Zp 2. (a₁₁, a₁₂) (hʳ, gʳ) 3. c₂ Zp; z₂ Zp 4. a₂₁ g¹ h^(z₂) / e₁^(c₂) 5. a₂₂ g^(z₂) / e₂^(c₂) (a₁₁, a₁₂, a₂₁, a₂₂) c C (g, h, e₁, e₂) c₁ c - c₂ mod 2ˢ z₁ r + c₁ρ (c₁, z₁, z₂) c₂ c - c₁ mod C Accept if c₁ C, (h^(z₁), g^(z₁)) = (a₁₁e₁^(c₁), a₁₂e₂^(c₁)) (gh^(z₂), g^(z₂)) = (a₂₁e₁^(c₂), a₂₂e₂^(c₂))
SECURITY PROOF Left for homework
BOOLEAN CIRCUITS Another computation model Every node evaluates a Boolean function on its inputs Output of circuit: top value Complexity class of all Boolean functions that can be evaluated by circuits = class of efficient Boolean functions (P/poly) x y z
MONOTONE BOOLEAN CIRCUITS Consist of only and gates Can be used to evaluate any monotone Boolean function f (f (x) = 1 y > x) => f (y) = 1 What we saw is already sufficient to evaluate any monotone relation And in most protocols it is sufficient: if S is "valid input set" for a secure computation protocol then so is any S' S x y z
QUIZ: RANGE PROOF Assume protocol is secure for Bob if Alice's input belongs to range S = {0, 1,..., H - 1, H} E.g. e-voting: S = range of valid candidates Question: how would you construct PK ((μ, ρ): e = Enc (μ; ρ) μ S)? Hint: you are allowed to encrypt every bit of μ separately And assume initially H = 2ⁿ
ANSWER: RANGE PROOF Construct PK ({(μᵢ, ρᵢ)}: (e₁ = Enc (0; ρ₁) (e₁ = Enc (1; ρ₁))... (en = Enc (0; ρn) en = Enc (1; ρn))) e₁ = Enc (0; ρ₁) e₁ = Enc (1; ρ₁) en = Enc (0; ρn) en = Enc (1; ρn)
STUDY OUTCOMES Σ-protocols for DL-based languages Simple examples Composition rules "Everything interesting" has Σ-protocol
NEXT LECTURE How to build "real ZK" on top of Σ-protocols? Random Oracle Model? Interactive, four-message ZK
TUTORIAL Needed for exam Security proofs for "proof of Elgamal plaintext and randomizer"
POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ (z₁, z₂) Completeness. From composition, or directly: g^(z₁) h^(z₂) = gᵐ g^(cμ) hʳ h^(cρ) = a₁e₁^c g^(z₂) = gʳg^(cρ) = a₂e₂^c Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)
POK: ELGAMAL PLAINTEXT/RANDOMIZER (g, h, e₁, e₂), (μ, ρ) L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (z₁, z₂) (g, h, e₁, e₂) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) Analysis (direct). Verification eq gives us: (g^(z₁)h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) (g^(z₁*)h^(z₂*), g^(z₂*)) = c (a₁e₁^(c*), C a₂e₂^(c*)) Divide first by second: (g^(z₁ - z₁*) h^(z₂ z₁ - z₂*), m g^(z₂ + cμ - z₂*)) = (e₁^(c - c*), e₂^(c - c*)) (g^((z₁ - z₁*) / (c - z₂ c*)) h^((z₂ r + cρ- z₂*) / (c - c*)), g^((z₂ - z₂*) / (c - c*))) = (e₁, e₂) Exponents matching mod p Special Soundness. From composition, or directly: Extractor K(a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ρ (z₂ - z₂*) / (c - c*) // As before 2. μ (z₁ - z₁*) / (c - c*) 3. Return (μ, ρ) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)
POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ HVSZK (direct): Simulator S (c): 1. z₁, z₂ Zp 2. a₁ g^(z₁) h^(z₂) / e₁^c 3. a₂ g^(z₂) / e₂^c 4. Return (a₁, a₂, z₁, z₂) (z₁, z₂) Analysis (direct). Trivial. Verification accepts. Distribution is the same as in the real case too. Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)