cryptographic protocols 2014, lecture 12 Getting full zero knowledge helger lipmaa, university of tartu

Up to now Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols

this time Σ-protocols: short reminder Constructing interactive zero knowledge protocols from Σ-protocols

Reminder: Σ-protocols x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Requirement: c is chosen from publicly known challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol

Reminder: Σ-protocols x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Completeness Special Soundness Special Honest-Verifier ZK (SHVZK)

recall: semihonest model ω f x=Encoded(ω) Decode, obtain f (ω) Encoded(f(ω)) We know how to construct protocols for almost any task, that are secure under the assumption that Alice's input belongs to some public set S₁

half-way there: Σ-protocols ω f x=Encoded(ω), a of PK(ω∈S₁) Honestly chosen c z of PK(ω∈S₁) If (a, c, z) is not an accepting view with input x, abort Decode, obtain f (ω) Encoded(f(ω)) Add a Σ-protocol that convinces Bob that x ∈ L, e.g., L = {x: x = Enc (ω) for some ω ∈ S₁}

? Goal: full ZK ω f Arbitrary c Encoded(f(ω)) x=Encoded(ω), a of PK(ω∈S₁) Arbitrary c z of PK(ω∈S₁) If (a, c, z) is not an accepting view with input x, abort Decode, obtain f (ω) Encoded(f(ω)) Add some additional steps...

basic idea x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Σ-protocol is only zero knowledge when c is completely random. This is since we start simulating by picking c randomly, and then choose (z, a). It suffices for c to be independent of a: Bob's best strategy is then to guess c Goal: guarantee c is independent of a

Quiz: how? Question: how to guarantee a and c are mutually independent? Hint: Internet is asynchronous, so one message (say c) must be sent first, but in a "hidden" form Content only revealed after second message (say a) is sent

First idea: encryption x, ω, pk x, pk, sk C ← Enc(c; r) a Abort if C ≠ Enc (c; r) c, r Accepts iff prover knows ω such that (x, ω) ∈ R z Seems legit? c is independent of a since x = Enc (...) is sent to Alice first, and x has unique decryption a is independent of c since due to IND-CPA security, x reveals no information about c And those two properties are sufficient: no need to decrypt. Only ability to "open" encryption so one can verify what was inside

Commitment scheme A commitment scheme consists of three algorithms: key generation Gen (...) → pk commitment Com (pk; c; r) → C verification algorithm Ver (pk; C, c, r)∈{0, 1}

commitment scheme public key pk C ← Com (pk; c, r) (c, r) r, m pk ← Gen r, m C ← Com (pk; c, r) Output Ver(pk; C, c, r) Store C (c, r)

security goals of commitment Computational hiding: IND-CPA: given c₀, c₁, pk and C = Com (pk; cb, r), it is difficult to guess b Perfect binding: for every C, there exists at most one c such that C = Com (pk; c, ·) for some r

IND-CPA PKC = PH Commitment Theorem. Every IND-CPA secure cryptosystem is a perfectly hiding and computationally binding commitment scheme Proof. Obvious: perfect binding follows from unique decryption computational hiding follows from IND-CPA security

Refined: PH Commitment x, ω, pk x, pk C ← Com(c; r) a Abort if Ver(C, c, r)=0 c, r Accepts iff prover knows ω such that (x, ω) ∈ R z Seems legit? c is independent of a since C = Com (c, r) is sent to Alice first, and Com is perfectly binding a is independent of c since due to IND-CPA security, C reveals no information about c Can you find a problem?

Accepts iff both (a, c, z) and (a, c*, z*) are accepting views Special soundness x, ω, pk x, pk C ← Com(c; r) a Abort if Ver(C, c*, r*)=0 Abort if Ver(C, c, r)=0 c, r Accepts iff both (a, c, z) and (a, c*, z*) are accepting views z c* ≠ c, r* z* Can you find a problem?

Accepts iff both (a, c, z) and (a, c*, z*) are accepting views Special soundness Problem. The used commitment scheme is perfectly binding: it cannot be the case that Ver (C, c, r) and Ver (C, c*, r*) both accept if c ≠ c* x, ω, pk x, pk C ← Com(c; r) a Abort if Ver(C, c*, r*)=0 Abort if Ver(C, c, r)=0 c, r Accepts iff both (a, c, z) and (a, c*, z*) are accepting views z c* ≠ c, r* z*

quiz: solution? Question: what do do? Hint 1: commitment scheme should not be perfectly binding For every c ≠ c*, r there should exist r* such that Com (c, r) = Com (c*, r*) Hint 2: finding such collusions should be easy for extractor, but not for a (malicious/honest) verifier We need computational binding, where binding can be broken by a party who knows some "trapdoor"

Trapdoor commitment Perfect hiding: Distribution of Com (pk; m, r) does not depend on m Computational binding: for every C, m, r, m* ≠ m, without knowing trapdoor sk it is computationally hard to find r*, such that C = Com (pk; m, r) = Com (pk; m*, r*) Trapdoor: given sk, m, r, m* ≠ m, it is computationally easy to find r* such that Com (pk; m, r) = Com (pk; m*, r*)

Choice of commitment scheme We use a commitment scheme that is constructed from any Σ-protocol for some hard language We use the fact that in the final protocol we only need to commit to random messages The committed message = c of original protocol This scheme is used since it fits well: it has more than one usage

commitment from Σ-protocols Pick any hard relation R', (X, Ω) ∈ R' public key X X c ← ℤp Use simulator of PK(Ω) to create accepting view (A, c, Z) Com (c, Z) := A Ver(A, c, Z)=1 iff it is an accepting view of PK(Ω) Store commitment A (c, Z)

Ver(A, c, Z)=1 iff A = h^(-c) g^Z Example: DL based Pick random X = g^Ω public key X X c ← ℤp Z ← ℤp A ← h^(-c) g^Z Com (c, Z) := A Ver(A, c, Z)=1 iff A = h^(-c) g^Z Store commitment A (c, Z)

security of this commitment Theorem. The commitment scheme of the last slide is computationally binding (if R' is hard), perfectly hiding, and trapdoor s. sound => comp. binding: assume adversary outputs (A, c, Z), (A, c*, Z*), c ≠ c*, such that both accept. But then we can use extractor to recover Ω, thus R' is not hard SHVZK => perfect hiding: follows since in real protocol, A is randomly chosen before c is chosen, and real protocol and simulator are indistinguishable Completeness => trapdoor: given Ω, one can start Σ-protocol with any A, and then find Z corresponding to any c such that (A, c, Z) is accepting

Finally: trapdoor Commitment x, ω, X x, X A = Com(c, Z) a Abort if Ver(A, c, Z)=0 c, Z Accept if (a, c, z) is an accepting view of PK(ω) z Seems legit? c is independent of a since A = Com (c, Z) is sent to Alice first, and Com is binding a is independent of c since A reveals no information about c

Accepts iff both (a, c, z) and (a, c*, z*) are accepting views soundness x, ω, X x, X, Ω A ← Com(c, Z) a Abort if Ver(A, c*, Z*)=0 Abort if Ver(A, c, Z)=0 c, Z Accepts iff both (a, c, z) and (a, c*, z*) are accepting views z c* ≠ c, Z* z* Can do due to knowledge of trapdoor

quiz: are we done? Guess: are we done? Answer: we checked: soundness is ok but what about ZK? let's check... (not done)

basic idea x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Goal: guarantee c is independent of a

problem with zk x, ω, X x, X A ← Com(c, Z) a c, Z z Simulator S must be able to create accepting view (A; a; c, Z; z) without knowing ω It can use simulator S' of Σ-protocol, that has precise syntax; nothing else is known for any c, generate random z, and then a // out of order since c is random, then choosing random c guarantees correct distribution In the 4-round protocol, the verifier might try to cheat by choosing weird c If c is not random then z is not random, thus this strategy does not work anymore Solution: do in-order simulation but use some other "superpower"/trapdoor

Reminder: basic setting x, ω, X x, X A ← Com(c, Z) a c, Z z x, td, X PK (I am P) ≈ PK (I am S) x, X A ← Com(c, Z) a c, Z z

IDEA: PK (I AM P oR S) crs = X, x, ω x, X Really are indistinguishable C ← Com(c, Z) a of PK (ω ∨ Ω) c, Z z of PK (ω ∨ Ω) td is "secret key" corresponding to crs easiest case: crs = X, td = Ω Really are indistinguishable x, X A ← Com(c, Z) crs = X, x, td = Ω a of PK (ω ∨ Ω) c, Z z of PK (ω ∨ Ω)

Accept if (a, c, z) is an accepting view of PK(ω∨td) getting zk crs = X, x, ω crs = X, x A ← Com (c, Z) a of PK (ω ∨ Ω) Abort if Ver(A, c, Z)=0 c, Z Accept if (a, c, z) is an accepting view of PK(ω∨td) z of PK (ω ∨ Ω) Seems legit? P knows ω but does not know Ω, so V is convinced P knows ω S knows Ω so can construct indistinguishable OR-proof, in-order Assumption: crs = X is generated so that no real party knows Ω

4-round ZK protocol crs = X, x, ω crs = X, x C (a₁, a₂) c, Z c ← Ch.Set (A, Z) ← S' (X, c) // sim. C a₁ ← a of PK (ω: (x, ω) ∈ R) c₂ ← Ch.Set Create (a₂, z₂) by using simulator of PK (Ω: (X, Ω)∈R') crs = X, x, ω crs = X, x Abort if Ver (A, c, Z) = 0 c₁ ← c - c₂ mod |Ch.Set| z₁ ← z of PK (ω) (a₁, a₂) c, Z c₂ ← c - c₁ mod |Ch.Set| Accepts if (a₁, c₁, z₁) is an accepting view of PK(ω) and (a₂, c₂, z₂) is an accepting view of PK(Ω) (z₁, z₂, c₁)

security of 4-round protocol Theorem. Assume Σ-protocol is complete, specially sound and SHVZK for language L. Assume the commitment scheme is computationally binding, perfectly hiding, and trapdoor. Then the protocol from the previous slide is a computationally sound and perfectly ZK 4-round proof for L. comp. sound: proven. Computationally sound, since omnipotent P can recover Ω by brute force ZK: proven. Perfect ZK, since P and S create same distribution.

What we have Four round zero-knowledge protocol for any poly-time decidable relation R I.e., any language L in NP Additional overhead compared to Σ-protocol for R is minimal One proof of knowledge of Ω, independent of R R' can be choosen so that this is efficient (e.g., knowledge of DL)

Are we there yet? Not yet completely... We relied on the fact that there exists a public key crs = X for which nobody but the simulator knows the corresponding secret key td = Ω This assumption makes sense: simulator can simulate proof without knowing ω, so proof reveals no information about ω

4-round ZK in CRS model crs = X crs = X crs = X, x, ω crs = X, x Create crs with trapdoor td crs = X crs = X crs = X, x, ω crs = X, x A ← Com(c, Z) a of PK (ω ∨ Ω) Abort if Ver(A, c, Z)=0 c, Z Accepts if (a, c, z) is accepting view z of PK (ω ∨ Ω)

common reference string This is a general trust model, CRS model CRS Model = Trust Assumption some trusted party generates public crs together with trapdoor td crs is made available to all parties, while td is only available for simulator "Superpower" that the simulator has

Invalid objection Objection: CRS has to be generated by a trusted party use multi-party computation: generate crs jointly by many in the case of DL: h ← h₁h₂, jointly between P/V Or: use trusted hardware

Invalid objection Objection: trapdoor is still known to simulator simulator is a mind experiment existence of simulator shows you can generate the protocol view without knowing ω Thus does not depend on ω, thus does not leak info

Valid objection Bad: we presented a 4-round ZK proof in the CRS model There exist 1-round (non-interactive) ZK proofs so here CRS is unnecessary Can we construct 4-round ZK proofs without CRS? while it is known 4 rounds is needed in standard model

idea Let V create (X, Ω) ∈ R', and send X to P with her first message Quiz: how can simulator obtain Ω from V? Answer: we let V to prove the knowledge of Ω to P Simulator of ZK protocol uses extractor of Σ- protocol to extract Ω from V in CRS model, V simulated, here V knows Ω and thus can execute PK(Ω)

4-round ZK in standard model X, A of PK(Ω) x, ω x, new (X, Ω) a of PK (ω ∨ Ω), C of PK(Ω) Abort if Ver(A, C, Z)=0 Z of PK(Ω), c of PK (ω ∨ Ω) Accepts if (a, c, z) is accepting view of PK (ω ∨ Ω) since X is used once, it does not matter if information about it leaks, thus PK(Ω) can be HVZK z of PK (ω ∨ Ω) superpower: rewinding again

security of 4-round protocol Theorem. Assume Σ-protocols for PK(ω) and PK(Ω) are complete, specially sound and SHVZK for language L and language L'. Assume L' is a hard language. Then the protocol from the previous slide is a computationally sound and perfectly ZK 4-round proof for L, without using the CRS model. ZK: Simulator uses extractor of PK (Ω) to obtain Ω and then executes PK (ω ∨ Ω) comp. sound: Assume prover succeeds in convincing verifier. Then we can use extractor to either extract ω or Ω from P. But since L' is a hard language, P knows Ω only with a negligible probability superpower: using rewinding in simulation

remarks Important: V should use any hard language L' just choose L' that suits the rest of ZK proof if ZK proof is about graphs, use GI, etc... ... or just use something efficient (knowledge of DL)

remark on commitment scheme We chose the concrete commitment scheme so that at the last step the number of modifications would be minimal There are many other commitment schemes available

jungle of interactive ZK Zero-knowledge has many parameters Plain model, CRS model, random oracle model, bare public key model Standalone/concurrent/UC Resettable Computational or perfect soundness ... main problem: if several proofs are run in parallel, a message of one proof can be used in another proof. How to construct simulatable proofs becomes major hurdle you do not have to remember those notions, it's a jungle

non-interactive zk crs x, ω x, π Output Ver(crs, x, π) π ← P(crs, x, ω) Output Ver(crs, x, π) x, π Output Ver(crs, x, π)

NIZK NIZK: ZK proof is a bit string Verification can be done without interaction with prover Many verifiers verify the same proof whenever they need Example: e-voting, P = voter, V = voting server Here, CRS is the necessary superpower (can't rewind) Bonus: no problems with concurrency, ... NIZK is what we need in practice since we cannot interleave messages from different proofs: every proof is one message

Study outcomes Getting full ZK from Σ-protocols Getting soundness - via commitment schemes Getting ZK - via OR proof and additional Σ- protocol

next lecture Pairings: one step further from homomorphic crypto Enables to compute additions and one multiplication on encrypted values Some applications In two lectures: non-interactive ZK based on pairings