CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11

Similar documents
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Lecture 15 - Zero Knowledge Proofs

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Entity Authentication

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

March 19: Zero-Knowledge (cont.) and Signatures

Lecture Notes 20: Zero-Knowledge Proofs

Notes on Zero Knowledge

Lecture 10: Zero-Knowledge Proofs

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 17: Constructions of Public-Key Encryption

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Lecture 26: Arthur-Merlin Games

Cryptographic Protocols Notes 2

From Secure MPC to Efficient Zero-Knowledge

Winter 2011 Josh Benaloh Brian LaMacchia

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Lecture 18: Zero-Knowledge Proofs

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

Lecture 15: Interactive Proofs

Homework 3 Solutions

Smooth Projective Hash Function and Its Applications

A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Linear Multi-Prover Interactive Proofs

Short Exponent Diffie-Hellman Problems

Solutions to homework 2

III. Authentication - identification protocols

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

On the CCA1-Security of Elgamal and Damgård s Elgamal

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Additive Combinatorics and Discrete Logarithm Based Range Protocols

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

1 Recap: Interactive Proofs

Introduction to Cryptography. Lecture 8

Question: Total Points: Score:

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Multiparty Computation

Commitment Schemes and Zero-Knowledge Protocols (2011)

A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

ECS 189A Final Cryptography Spring 2011

14 Diffie-Hellman Key Agreement

Interactive Zero-Knowledge with Restricted Random Oracles

CS151 Complexity Theory. Lecture 14 May 17, 2017

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Some ZK security proofs for Belenios

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Lecture 13: Seed-Dependent Key Derivation

1 Randomized Computation

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Lecture 3: Interactive Proofs and Zero-Knowledge

Improved OR-Composition of Sigma-Protocols

Notes on Complexity Theory Last updated: November, Lecture 10

On the Amortized Complexity of Zero Knowledge Protocols for Multiplicative Relations

George Danezis Microsoft Research, Cambridge, UK

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CPSC 467: Cryptography and Computer Security

Question 1. The Chinese University of Hong Kong, Spring 2018

Katz, Lindell Introduction to Modern Cryptrography

1 Number Theory Basics

Concurrent Knowledge Extraction in the Public-Key Model

1 Basic Number Theory

4-3 A Survey on Oblivious Transfer Protocols

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Statistically Secure Sigma Protocols with Abort

Additive Conditional Disclosure of Secrets

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based

CPA-Security. Definition: A private-key encryption scheme

Lecture 18: Message Authentication Codes & Digital Signa

On the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses

Cryptographic Protocols FS2011 1

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

On the Security of Classic Protocols for Unique Witness Relations

Computing on Encrypted Data

Probabilistically Checkable Arguments

Security Protocols and Application Final Exam

Lattice-Based Non-Interactive Arugment Systems

Digital Signatures. p1.

Non-Conversation-Based Zero Knowledge

Cryptography in the Multi-string Model

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Transcription:

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu

UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols: basics

Σ-PROTOCOLS: UP TO NOW We started from a very simple protocol for GI "intuitively" secure: complete, sound, ZK Formalized security requirements based on this concrete example Big promise: this is useful in general

THIS TIME Σ-protocols: short reminder Σ-protocols for DL based languages Composition of Σ-protocols Σ-protocols for "almost everything interesting" in the DL-world

REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R Requirement: c is chosen from publicly known challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol

REMINDER: Σ-PROTOCOLS x, ω 1st message: commitment a x 2nd message: challenge c 3rd message: response z Accepts iff prover knows ω such that (x, ω) R 1. Completeness 2. Special Soundness 3. Special Honest-Verifier ZK (SHVZK)

REMINDER: AUTHENTICATION pk, sk 1st message: commitment a pk 2nd message: challenge c 3rd message: response z Accepts iff prover knows sk such that (pk, sk) Gen GI protocol: sk = ω = secret isomorphism. Verifier convinced prover knows the secret key without any side information being leaked

NOTATION P has input (x, ω), V has input x Σ-protocol (P, V) is a proof of knowledge that P knows ω such that (x, ω) R for a public language L/relation R x L ω (x, ω) R Common notation: PK (ω: R (x, ω)) Secret values denoted by Greek letters We will now see: PK (ρ: h = g^ρ)

PROBLEM WITH GI Inefficient (for say authentication): having graphs as PK/SK is not efficient adjacency matrix: O (n²) bits Also we have many other elements of the protocols based on Elgamal. Better stick to the same cryptosystem Knowledge error κ = 1 / 2 Need to parallel-repeat protocol 40+ times to amplify

POK: KNOWLEDGE OF DL h = g^ρ, ρ 1st message: commitment a h 2nd message: challenge c 3rd message: response z Accepts iff prover knows ρ such that h = g^ρ Authentication: Proof of Knowledge of secret key corresponding to Elgamal PK h. General intepretation: PK of a discrete logarithm

IDEA GI: knowing isomorphism G₁ G₂ (knowing isomorphism G₁ H knowing isomorphism G₂ H for random H) Prover knows 0, 1 or 3 of isomorphisms DL: knowing DL of y = g^ρ (knowing DL of gʳ knowing DL of g^(ρ + r) for random r) φ:(g₁,g2) ψ:(g₁,h) ψφ ¹:(G2,H) ρ:h=g^ρ r:a=gʳ Prover knows 0, 1 or 3 of DL-s It is a bit like secret sharing r+ρ:ah=g^(ρ+r)

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c note: z = r or z = r + ρ plays the role of Gc z Completeness: g^z = g^(r + cρ) = ah^c

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Special soundness. Extractor K(a, c, z, c* c, z*): // Accepting views, thus g^z = ah^c and g^(z*) = ah^(c*) 1. Return ρ (z - z*) / (c - c*) z Accept if g^z = ah^c Analysis. Divide the first verification equation with the second one: g^(z - z*) = h^(c - c*) Since c c*, h = g^((z - z*) / (c - c*)), thus extractor retrieves ρ correctly.

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1} z r + cρ Accept if g^z = ah^c SHVZK. Simulator S (c): 1. Generate z Zp 2. Set a g^z / h^c 3. Return (a, z) z Analysis. First. (a, c, z) is accepting since a was generated so that the verification equation would accept. (tautology.) Second. In real execution (a, c, z) G {0, 1} Zp is completely random except that the verification equation holds. Thus in real execution one can start by generating c {0, 1}, z Zp, and then setting a g^z / h^c. Thus simulator's output is exactly from the same distribution as the real protocol's output

ON KNOWLEDGE ERROR We "hid" most of the technicalities "expected" poly-time extractor, etc Important: κ = 1 / 2 P* can guess V's challenge c with probability 1 / 2 We can decrease κ by using security amplification from Lecture 10 However, there is a much better way

QUIZ: IMPROVING Κ Question: how would you improve κ? without security amplification! Hint 1: κ = 1 / C C = challenge set, here C = {0, 1} Hint 2: the previous protocol did never require to have C = 2

QUIZ: KNOWLEDGE OF DL h = g^ρ, ρ r Zp a gʳ a h c {0, 1}ˢ z r + cρ Accept if g^z = ah^c z Completeness: g^z = g^(r + cρ) = ah^ρ

SECURITY PROOF All parts of security proof are same as before Only exception: In analysis of SHVZK, we get c {0, 1}ˢ both in the "protocol" and "simulator" case Simulator construction does not change Knowledge error: κ = 2 ˢ // probability P* guesses c

REMARKS In practice s = 40 may suffice Information-theoretic limit, not computational However, choosing s = 80 does not make the protocol less efficient This knowledge-of-dl (with variable s) Σ- protocol was proposed by Schnorr in 1991

COMPOSITION Another reason Σ-protocols are useful: they are extremely easy to compose... in a black-box way Automatic rules: 1. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK ((ω₁, ω₂): R₁ (x, ω₁) R₂ (x, ω₂)) 2. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) PK (ω: R₁ (x, ω) R₂ (x, ω)) Given those two rules (and suitable starting protocols), can "automatically" construct Σ-protocols for all languages in NP

"AND" COMPOSITION For i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Goal: construct protocol (P, V) for PK ((ω₁, ω₂): R₁ (x, ω₁) R₂ (x, ω₂)) (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ωᵢ, cᵢ; rᵢ) zᵢ Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

QUIZ: "AND" COMPOSITION (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

"AND" COMPOSITION: COMPLETENESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Completeness: Since both V₁ and V₂ accept, also V accepts Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

"AND": SPECIAL SOUNDNESS (x, ωᵢ): s.t. Rᵢ(x, ωᵢ) a₁ P₁ (x; r₁) a₂ P₂ (x; r₂) (a₁, a₂) x c C z₁ P₁ (x, ω₁, c; r₁) z₂ P₂ (x, ω₂, c; r₂) (z₁, z₂) Special soundness. Extractor K (a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ω₁ K₁ (a₁, c, z₁, c*, z₁*) 1. ω₂ K₂ (a₂, c, z₂, c*, z₂*) 2. Return (ω₁, ω₂) Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

REMARKS We will see two different types of AND compositions 1. ω₁ and ω₂ are independent random variables Example: PK ((m, r): c = Enc (m; r)) Extraction works: Kᵢ obtains ωᵢ

TYPE 2 Type 2: Both protocols use the same secret Composition works given the secret is unique not a completely automatic composition: need to prove s.s. every single time Both extractors successful => they return same value Example: PK (r: c₁ = hʳ c₂ = gʳ)

POK: DDH WITNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ z Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c) Second type AND composition

DDH WITNESS: COMPLETENESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ z Completeness. Clear, since (a₁, c, z) is accepting view for PK (ρ: e₁ = h^ρ) and (a₂, c, z) is accepting view for PK (ρ: e₂ = g^ρ) Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)

DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C Special soundness. Extractor K (a₁, a₂, c, z, c*, z*): 1. // K₁ (a₁, c, z, c*, z*) = K₂ (a₂, c, z, c*, z*) 2. ρ (z - z*) / (c - c*) 3. Return ρ z r + cρ z Analysis. Simple corollary of knowledge of DL protocols. One gets "the same" ρ from the use of the same c in both verification equations Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)

DDH WITNESS: SPECIAL SOUNDNESS L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ} (g, h, e₁, e₂), ρ r Zp (a₁, a₂) (hʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z r + cρ SHVZK Simulator S (c): 1. z Zp, 2. (a₁, a₂) (h^z / e₁^c, g^z / e₂^c) 3. Return (a₁, a₂; c; z) z Analysis. Again, simple corollary. Acceptance is tautology. Distribution is the same since in both cases c and z are random and (a₁, a₂) just makes verification accept Accept if (h^z, g^z) = (a₁e₁^c, a₂e₂^c)

POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ (z₁, z₂) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) First type AND composition over two previous protocols

REMARKS AND-proof gives an easy way to get an AND of two Σ-protocols but its better to make it sure the result is correct by giving direct proof Example direct proofs were simple but sometimes it gets very tedious

OR-PROOF Assume that P knows a witness to one of x L₁ or x L₂ and wants to convince V in this Important: V should not get to know which witness P knows Example: L₀ = { e = Enc (0; ρ) for some ρ}, L₁ = { e = Enc (1; ρ) for some ρ} We know already how to construct protocols for both L = L₀ L₁ = {e = Enc (0; ρ) e = Enc (1; ρ) for some ρ} Verifier is convinced plaintext is Boolean

AND VS OR PROOF AND proof is simpler: R₁ R₂ is true iff both R₁ and R₂ are true Revealing in the proof that Rᵢ is true does not break ZK OR proof should not reveal which of R₁ and R₂ is true Additional layer of complexity

QUIZ: "OR" COMPOSITION For one i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) R₂ (x, ω)) (x, ω): s.t. Rᵢ(x, ω) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ω, c; rᵢ) zᵢ Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

QUIZ: "OR" COMPOSITION For one i {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ)) Problems: 1. Prover knows only witness ω for Rᵢ and thus cannot Goal: construct protocol (P, V) both for PK (ω: R₁ (x, execute branches of ω) R₂ (x, ω)) 2. Verifier should not know which branch P can execute (x, ω): s.t. Rᵢ(x, ω) aᵢ Pᵢ (x; rᵢ) aᵢ x cᵢ C zᵢ Pᵢ (x, ω, c; rᵢ) Quiz: zᵢ how can P run the branch, without knowing corresponding secret, such that V cannot distinguish it from the real run? Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept

ANSWER: USE SIMULATOR Need to run protocol without knowing witness? Answer: use the simulator Need it to be indistinguishable from real run? Answer: use the simulator

... WITH A TRICK Problem: P should run one branch unsimulated Simulated branch can be created out-of-order, unsimulated cannot be Recall "special" meant the simulator can start from c, then create the rest, while P has to start with a So one of two must use c provided by V Question: how?

... WITH A TRICK Idea: generate cᵢ first, then choose c3-i c - cᵢ One of c₁ and c₂ thus must be created "after" seeing c We really need the "special" ZK property

OR-PROOF (x, ω): R₁(x, ω) a₁ P₁ (x; r) c₂ C; (a₂, z₂) S₂ (c₂) (a₁, a₂) Assume wlog that P knows ω s.t. R₁ (x, ω) x c C = {0,..., C - 1} c₁ c - c₂ mod C z₁ P₁ (x, ω, c₁; r) (z₁, z₂, c₁) c₂ c - c₁ mod C Accept if both V₁ (x, a₁, c₁, z₁) and V₂ (x, a₂, c₂, z₂) accept Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) R₂ (x, ω))

SECURITY PROOF I will not give a full security proof, but it is easy Completeness: from completeness of first PK, and successful simulation of the second one Special soundness: OR-extractor runs extractors for both branches. One of them is successful, return this value SHVZK: since the first PK is SHVZK, and the second one is already simulated

POK: ELGAMAL PLAINTEXT IS BOOLEAN L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some ρ, μ {0, 1}} We depict prover when μ = 0, μ = 1 is dual (g, h, e₁, e₂), (μ, ρ) 1. r Zp 2. (a₁₁, a₁₂) (hʳ, gʳ) 3. c₂ Zp; z₂ Zp 4. a₂₁ g¹ h^(z₂) / e₁^(c₂) 5. a₂₂ g^(z₂) / e₂^(c₂) (a₁₁, a₁₂, a₂₁, a₂₂) c C (g, h, e₁, e₂) c₁ c - c₂ mod 2ˢ z₁ r + c₁ρ (c₁, z₁, z₂) c₂ c - c₁ mod C Accept if c₁ C, (h^(z₁), g^(z₁)) = (a₁₁e₁^(c₁), a₁₂e₂^(c₁)) (gh^(z₂), g^(z₂)) = (a₂₁e₁^(c₂), a₂₂e₂^(c₂))

SECURITY PROOF Left for homework

BOOLEAN CIRCUITS Another computation model Every node evaluates a Boolean function on its inputs Output of circuit: top value Complexity class of all Boolean functions that can be evaluated by circuits = class of efficient Boolean functions (P/poly) x y z

MONOTONE BOOLEAN CIRCUITS Consist of only and gates Can be used to evaluate any monotone Boolean function f (f (x) = 1 y > x) => f (y) = 1 What we saw is already sufficient to evaluate any monotone relation And in most protocols it is sufficient: if S is "valid input set" for a secure computation protocol then so is any S' S x y z

QUIZ: RANGE PROOF Assume protocol is secure for Bob if Alice's input belongs to range S = {0, 1,..., H - 1, H} E.g. e-voting: S = range of valid candidates Question: how would you construct PK ((μ, ρ): e = Enc (μ; ρ) μ S)? Hint: you are allowed to encrypt every bit of μ separately And assume initially H = 2ⁿ

ANSWER: RANGE PROOF Construct PK ({(μᵢ, ρᵢ)}: (e₁ = Enc (0; ρ₁) (e₁ = Enc (1; ρ₁))... (en = Enc (0; ρn) en = Enc (1; ρn))) e₁ = Enc (0; ρ₁) e₁ = Enc (1; ρ₁) en = Enc (0; ρn) en = Enc (1; ρn)

STUDY OUTCOMES Σ-protocols for DL-based languages Simple examples Composition rules "Everything interesting" has Σ-protocol

NEXT LECTURE How to build "real ZK" on top of Σ-protocols? Random Oracle Model? Interactive, four-message ZK

TUTORIAL Needed for exam Security proofs for "proof of Elgamal plaintext and randomizer"

POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ (z₁, z₂) Completeness. From composition, or directly: g^(z₁) h^(z₂) = gᵐ g^(cμ) hʳ h^(cρ) = a₁e₁^c g^(z₂) = gʳg^(cρ) = a₂e₂^c Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)

POK: ELGAMAL PLAINTEXT/RANDOMIZER (g, h, e₁, e₂), (μ, ρ) L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (z₁, z₂) (g, h, e₁, e₂) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) Analysis (direct). Verification eq gives us: (g^(z₁)h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c) (g^(z₁*)h^(z₂*), g^(z₂*)) = c (a₁e₁^(c*), C a₂e₂^(c*)) Divide first by second: (g^(z₁ - z₁*) h^(z₂ z₁ - z₂*), m g^(z₂ + cμ - z₂*)) = (e₁^(c - c*), e₂^(c - c*)) (g^((z₁ - z₁*) / (c - z₂ c*)) h^((z₂ r + cρ- z₂*) / (c - c*)), g^((z₂ - z₂*) / (c - c*))) = (e₁, e₂) Exponents matching mod p Special Soundness. From composition, or directly: Extractor K(a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*): 1. ρ (z₂ - z₂*) / (c - c*) // As before 2. μ (z₁ - z₁*) / (c - c*) 3. Return (μ, ρ) Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)

POK: ELGAMAL PLAINTEXT/RANDOMIZER L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)} (g, h, e₁, e₂), (μ, ρ) m, r Zp (a₁, a₂) (gᵐhʳ, gʳ) (a₁, a₂) (g, h, e₁, e₂) c C z₁ m + cμ z₂ r + cρ HVSZK (direct): Simulator S (c): 1. z₁, z₂ Zp 2. a₁ g^(z₁) h^(z₂) / e₁^c 3. a₂ g^(z₂) / e₂^c 4. Return (a₁, a₂, z₁, z₂) (z₁, z₂) Analysis (direct). Trivial. Verification accepts. Distribution is the same as in the real case too. Accept if (g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback