Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

Published bySybil White Modified over 9 years ago

Similar presentations

Presentation on theme: "CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs."— Presentation transcript:

1 CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs

2 CS426Fall 2010/Lecture 352 Readings for This Lecture Optional: –Haveli and Micali: “Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing”Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing Jean-Jacques et al.: How to explain Zero-Knowledge Protocols to Your ChildrenHow to explain Zero-Knowledge Protocols to Your Children This lecture’s topics won’t be in the final exam

3 3 Commitment schemes An electronic way to temporarily hide a value that cannot be changed –Stage 1 (Commit) Sender locks a message in a box and sends the locked box to another party called the Receiver –State 2 (Reveal) the Sender proves to the Receiver that the message in the box is a certain message Usage scenarios: flipping fair coins, bidding for a contract CS426Fall 2010/Lecture 35

4 4 Types of commitment Bit commitment Integer commitment String commitment CS426Fall 2010/Lecture 35

5 5 Security properties of commitment schemes Hiding –at the end of Stage 1, no adversarial receiver learns any information about the committed value Binding –at the end of Stage 1, no adversarial sender can successfully reveal two different values in Stage 2 CS426Fall 2010/Lecture 35

6 6 A broken commitment scheme Using encryption –Stage 1 (Commit) the Sender generates a key k and sends E k [M] to the Receiver –State 2 (Reveal) the Sender sends k to the Receiver, the Receiver can decrypt the message What is wrong using the above as a commitment scheme? Is it hiding? Is this binding? CS426Fall 2010/Lecture 35

7 7 Formalizing Security Properties of Commitment schemes Two kinds of adversaries –those with infinite computation power and those with limited computation power Unconditional hiding –the commitment phase does not leak any information about the committed message, in the information theoretical sense (similar to perfect secrecy) Computational hiding –an adversary with limited computation power cannot learn anything about the committed message (similar to semantic security) CS426Fall 2010/Lecture 35

8 8 Formalizing Security Properties of Commitment schemes Unconditional binding –after the commitment phase, an infinite powerful adversary sender cannot reveal two different values Computational binding –after the commitment phase, an adversary with limited computation power cannot reveal two different values No commitment scheme can be both unconditional hiding and unconditional binding CS426Fall 2010/Lecture 35

9 9 Another (also broken) commitment scheme Using a one-way function H –Stage 1 (Commit) the Sender sends c=H(M) to the Receiver –State 2 (Reveal) the Sender sends M to the Receiver, the Receiver verifies that c=H(M) What is wrong using this as a commitment scheme? Is it binding? Is it hiding? CS426Fall 2010/Lecture 35

10 Commitment Schemes Using Cryptographic Hash Functions A scheme likely secure enough in practice, but difficult to prove security (assuming only H is one-way and strongly collision-resistant) –To commit to message M, choose random, fixed- length r,send H(r || M) –To open commitment, send r, M –Receiver cannot fully recover M. Is this computational or information theoretic hiding? –Sender cannot find another M’ to open. Is this computational or information theoretic binding? CS426Fall 2010/Lecture 3510 Commitment must be randomized.

11 For Provably Secure Commitment Scheme based on Cryptogrpahic Hash See Haveli and Micali: –“Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing” –Uses Universal Hashing ( a family of hash functions with some properties) CS426Fall 2010/Lecture 3511

12 CS426Fall 2010/Lecture 3512 The Pederson Commitment Scheme Public parameters: (p,g,h) –p:large prime (1024 bit) –g:a number in [2, p-1] –h:another element such that log g h is unknown Protocol –To commit to x, committer chooses random r and sends (g x h r mod p) to the receiver. –To open, the committer sends x and r to the receiver Benefits: –One can prove many things about the committed value without opening it

13 13 Pedersen Commitment Scheme (cont.) Unconditionally hiding –Given a commitment c, every value x is equally likely to be the value committed in c. –For example, given x,r, and any x’, there exists r’ such that g x h r = g x’ h r’, in fact r = (x-x’)a -1 + r mod q. Computationally binding –Suppose the sender open another value x’ ≠ x. That is, the sender find x’ and r’ such that c = g x’ h r’ mod p. Now the sender knows x,r,x’, and r’ s.t., g x h r = g x’ h r’ (mod p), the sender can compute log g (h) = (x’-x)·(r-r’) -1. Assume DL is hard, the sender cannot open the commitment with another value. CS426Fall 2010/Lecture 35

14 14 Properties of Interactive Zero- Knowledge Proofs Zero-knowledge Proof of Knowledge –Proving knowing a secret, without revealing any information about the secret. Completeness –Given honest prover and honest verifier, the protocol succeeds with overwhelming probability Soundness –No one who doesn’t know the secret can convince the verifier with nonnegligible probability Zero knowledge –The proof does not leak any additional information CS426Fall 2010/Lecture 35

15 Intuitive Explanation of ZK CS426Fall 2010/Lecture 3515 See the paper “How to explain Zero-Knowledge Protocols to Your Children” –http://sparrow.ece.cmu.edu/group/630- f08/readings/ZK-IntroPaper.pdf

16 16 Schnorr Protocol (ZK Proof of Knowing Discrete Log) System parameter: p, q, g –We have g q = 1 mod p Public identity: c = g a mod p Private authenticator: a Protocol 1. P: picks random r in [1..q], sends d = g r mod p, 2. V: sends random challenge e in [1..2 t ] 3. P: sends y=r- ea (mod q) 4. V: accepts if d = g y c e mod p CS426Fall 2010/Lecture 35

17 17 Security of Schnorr Protocol - Soundness Probability of forge: 1/2 t –The prover who does not know a can cheat by guess e –Set d= c e g y at the first step We build a knowledge extractor as follows. Suppose the prover is challenged twice with on same c, first with e1, second with e2. –Send e1, receive y1 such that g y1 c e1 = d –Send e2, receive y2 such that g y2 c e2 = d –g y1-y2 =c e2-e1, output log g (c) = (y1-y2)·(e2-e1) -1 CS426Fall 2010/Lecture 35

18 18 Pedersen Commitment – ZK Prove know how to open Public commitment c = g x h r (mod p) Private knowledge x,r Protocol: 1. P: picks random y, s in [1..q], sends d = g y h s mod p 2. V: sends random challenge e in [1..q] 3. P: sends u=y+ex, v=s+er (mod q) 4. V: accepts if g u h v = dc e (mod p) Security property – similar to Schnorr protocol CS426Fall 2010/Lecture 35

19 Other Things One Can Prove in ZK fashion with Pederson Commitments The committed value is a bit. The committed value is in a range. Two committed values equal Two committed values satisfy some linear relations And many more CS426Fall 2010/Lecture 3519

20 CS426Fall 2010/Lecture 3520 Coming Attractions … Network Security Defenses

Download ppt "CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs."

Similar presentations

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454.

Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454.
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.

Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.

Similar presentations

Ads by Google