Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs

Proofs of Knowledge (Review) Language L in NP. Instance x. Witness w. Prover (x,w) Verifier x Completeness: Prover, Verifier honest ) Verifier outputs “Accept” W.O.P Accept/Rejec t

Zero Knowledge (Review) Language L in NP. Instance x. Witness w. Verifier x Simulator ensures that verifier could have produced entire conversation on its own. Simulator x Prover (x,w) Verifier did not learn anything new. ¼

Knowledge Soundnes (Review) Language L in NP. Instance x. Witness w. Prover Verifier x Extractor recovers w from the prover. Extractor If “Accept”, prover knows w.

Isolation? Prover (x,w) Verifier (x) Standard definitions assume isolation. Prover can run a man-in-the-middle attack between a “helper” and the verifier. No non-trivial protocol can guarantee that the prover knows w. Similar setting considered by Universal Composability. Prover (?) Helper (x,w) Environment (x,w)

What can be done without full isolation? Verifier (x) Setup assumptions (CRS, KRK,…) can be used to get UC security. Partial Isolation: Assume prover is l -isolated during the proof. Necessary condition: C > l. Prover l bits C bits Environment (x,w)

Why Study Partial Isolation? Often reasonable to assume that Prover has more bandwidth with Verifier than with other parties.  Prover and Verifier are in same room with no fast Internet connection to the outside.  Prover is a tamper-proof hardware token and does not have a large antenna sticking out (motivated by [Katz07]).  Prover is a smart-card and Verifier can monitor power- supply to limit communication. Interesting theoretical question. Rewinding is possible, but not easy.

What can be done without full isolation? Verifier (x) An l -Isolated PoK ( l -IPoK) is a protocol where no l -isolated cheating prover can succeed without knowing a witness. Goal: Construct an IPoK compiler. For any l, compile an l -IPoK. Concentrate on witness indistinguishable (WI) l -IPoK protocols. Prover l bits C bits Environment (x,w)

Definition: Knowledge Soundness of l -IPoK Verifier (x) Stage 1: Prover and Environment communicate without restraint. Stage 2: Prover is l -isolated. Prover and Verifier run protocol. Stage 3: If verifier accepts, the extractor is given: The code and coins of the prover The transcript of the proof The transcript of communication with the environment (inc. stage 1). Negligible probability of prover succeeding and extractor failing. Prover (?) l bits Environment (x,w) Extractor

Presentation Road-Map Background, Motivation, Definition A simple construction of an l -IPoK protocol with a large communication/round complexity. Lower bound on # of rounds in Black Box extractable l -IPoK. A construction of an l -IPoK protocol with optimal communication complexity. A non-black-box construction in the RO model with optimal communication/round complexity. Zero Knowledge when the Verifier is only partially Isolated

Review: § -Protocols Assume L 2 NP and § is a § -protocol for L. Special Knowledge Soundness  Can recover w from any two accepting conversations (a,c,z) and (a,c’,z’) with c  c’. Honest Verifier Zero Knowledge  Implies Witness Indistinguishability. Prover (x, w)Verifier (x) a c z

Compiling an l -IPoK from a § -Protocol Theorem: Repeating § with 1 bit challenges ( l + · ) times sequentially results in an l- IPoK. Intuition: The prover cannot communicate even 1 bit on at least · rounds and hence must know the witness! Prover (x, w) Verifier (x) a1a1 c1c1 z1z1 a2a2 c2c2 z2z2 anan cncn znzn …..

z1z1 z’ 1 Extractor Description The extractor rewinds to each round i and tries the challenge (1-c i ).  Extractor ignores attempted communication with the environment.  If the prover answers incorrectly (or does not answer), go to next round. Prover “expected help” from the environment. Prover would have answered incorrectly in the original execution on this challenge.  Otherwise use (a i,c i,z i ) and (a i, (1-c i ), z’ i ) to compute w. Prover Extractor a1a1 1-c 1 a2a2 1-c 2 z’ 2 c1c1 Ignore! (a 1, 1-c 1, z’ 1 ) is rejecting

Soundness (Proof) We consider computationally unbounded provers and environments. Hence we can consider deterministic provers and envrionments only. An execution of the protocol is fully determined by the verifier challenges c 1, c 2, c 3,…,c n. An execution is as a random path in a tree. An execution path is winning if it is accepting AND the extractor fails to recover a witness. C 1 =0 C 2 =1 C 3 =0

Soundness (Proof) On a winning path  All edges are correct.  All sibling edges are incorrect or communicating If two winning paths diverge at a node N. Then both edges are correct and communicating. There can be at most l such nodes on any path. Hence there are at most 2 l winning paths out of 2 l + · total paths. ) Probability of getting a winning execution is 1/2 · C 1 =0 C 2 =1 C 3 =0 An edge is correct the prover gives a correct response on that challenge. An edge is communicating if the environment communicates with the prover on that challenge.

Parameters O( l + · ) Round Complexity O(( l + · )| § |) Communication Complexity C O(| § |) Overhead = C/ l. Assume l is large.

Presentation Road-Map Background, Motivation, Definition A simple construction of an l -IPoK protocol with a large communication/round complexity. Lower bound on # of rounds in Black Box extractable l -IPoK. A construction of an l -IPoK protocol with optimal communication complexity. A non-black-box construction in the RO model with optimal communication/round complexity. Zero Knowledge when the Verifier is only partially Isolated

Round Complexity of BB extractable l -IPoK Prover (x,w,k 1,k 2 ) Verifier (x) Environment (k 2 ) Prover and environment share a key k 2 to a PRF. The prover follows the protocol honestly. “Checks in” with the Environment before producing any output. Rewinding requires finding a collission on f k 1 or guessing f k 2 at a new input! ¾ = f k 1 (view) ! = f k 2 ( ¾ ) Update view ¾ = f k 1 (view) Update view ¾ = f k 1 (view) Update view ¾ = f k 1 (view) ! = f k 2 ( ¾ ) If there are ½ rounds of communication then l / ½ = O(log( · )) ) The number of rounds grows linearly with l.

Presentation Road-Map Background, Motivation, Definition A simple construction of an l -IPoK protocol with a large communication/round complexity. Number of rounds in BB extractable l -IPoK is linear in l. A construction of an l -IPoK protocol with optimal communication complexity. A non-black-box construction in the RO model with optimal communication/round complexity. Zero Knowledge when the Verifier is only partially Isolated

Reducing the Communication Task: Design an l -IPoK where the communication complexity and round complexity are both O( l ). In other words, we need lots of short rounds. If we start with a § protocol, then the flows (a,0,z 0 ) and (a,1,z 1 ) determine w. The values z 0,z 1 can be thought of as a secret sharing of w. Easy to verify that a share is indeed a share of the witness. Idea: Use a ramp secret sharing scheme to split z 0, z 1 into very short shares. On each round give out ones short share. Extractor collects enough shares to recover.

Ramp Secret Sharing Use a secret sharing scheme with rate ®  Share a message of ® N field elements using N shares.  Can recover if less than ® N shares missing.  Any ® N shares leak no information. Ramp version of Shamir Secret Sharing gives ® = 1/3, but share size is logarithmic in N. Can get constant sized (6 bit) shares and ® ¼ ¼. [CCGHV07] m SS(m;r) =®=® missingprivate

Efficient Protocol Prover (x,w) Verifier (x) a à (random first message of § ) z 0, z 1 à responses to c=0,1 (s 0 [0],...,s 0 [N]) à SS(z 0 ;r 0 ) (s 1 [0],...,s 1 [N]) à SS(z 1 ;r 1 ) C 0 à commit(z 0 ||r 0 ) C 1 à commit(z 1 ||r 1 ) a, C 0,C 1 e 2 {0,1, ? } } Repeat i=1,…,N S e [i]/ ? b 2 {0,1} decommit(C b ) Verify: (a,b,z b ) is accepting for § Collected shares S b [i] match the decommitment. ? / / Choose ? So that expected number of received blue/yellow shares is less than (secrecy_threshold)/2. This is a single epoch with N =O( l / · ) rounds. Protocol consists of M=O( · ) epochs. / If Verifier asks for enough blue/yellow shares to break secrecy, Prover quits. Happens w/ negligible probability when verifier is honest.

Proof Intuition Prover (x,w) Verifier (x) a à (random first message of § ) z 0, z 1 à responses to c=0,1 (s 0 [0],...,s 0 [N]) à SS(z 0 ;r 0 ) (s 1 [0],...,s 1 [N]) à SS(z 1 ;r 1 ) C 0 à commit(z 0,r 0 ) C 1 à commit(z 1, r 1 ) a, C 0,C 1 e 2 {0,1, ? } } Repeat i=1,…,N Verify: (a,b,z b ) is accepting for § Verify all shares S b [i] Received match the decommitment ? / / Extractor rewinds to each round in each epoch and tries the other challenge. If Prover communicates, that share is lost. Share might also be incorrect. Thrm: On at least one epoch, extractor can recover other correct response and hence w. b 2 {0,1} / N =O( l / · ) rounds. M=O( · ) epochs.

Parameters O( l ) Round Complexity O( l ) Communication Complexity C O(1) Overhead = C/ l. Assume l =  ( · | § |)

Presentation Road-Map Background, Motivation, Definition A simple construction of an l -IPoK protocol with a large communication/round complexity. Number of rounds in BB extractable l -IPoK is linear in l. A construction of an l -IPoK protocol with optimal communication complexity. A non-black-box construction in the RO model with optimal communication/round complexity. Zero Knowledge when the Verifier is only partially Isolated

Random Oracle Protocol Prover (x,w)Verifier (x) Random Oracle H: {0,1} * ! {0,1} · r à random string of length l + · For i=1,…, · : a i à (first message of § ) z i 0, z i 1 responses ¾ i 0 = H(z i 0, r, r i 0 ) ¾ i 1 = H(z i 1, r, r i 1 ) {a i, ¾ i 0, ¾ i 1 } i=1,…, · c 1, c 2, …, c · c i à {0,1} {r i (c i ), z i (c i ) } i=1,…, · Prover wins if he queries oracle only on the challenge chosen by the verifier. The probability of this is 1/2 · a. Protocol is WI (not ZK)

Presentation Road-Map Background, Motivation, Definition A simple construction of an l -IPoK protocol with a large communication/round complexity. Number of rounds in BB extractable l -IPoK is linear in l. A construction of an l -IPoK protocol with optimal communication complexity. A non-black-box construction in the RO model with optimal communication/round complexity. Zero Knowledge when the Verifier is only partially Isolated

l -Isolated Zero Knowledge ( l -IZK) Stage 1: Environment and Verifier/Simulator communicate arbitrarily. Stage 2: Verifier is l -isolated. Prover and Verifier run proof. Stage 3: Environment and Verifier/Simulator communicate arbitrarily. Environment cannot distinguish left from right. l bits Environment (x,w) Verifier (x) Prover (x,w) Simulator x l bits ?

IZK + IPoK from WI IPoK Use FLS paradigm to go from WI to IZK Use your favorite WI IPoK, Perfectly Binding Commitments Prover (x,w)Verifier (x) C 0,C 1 C 0 Ã commit(m 0 ;r 0 ) C 1 Ã commit(m 1 ;r 1 ) WI IPoK for one of (m 0 ||r 0 ) or (m 1 ||r 1 ) WI IPoK for one of (m 0 ||r 0 ) or (m 1 ||r 1 ) or w

Applications of IPoK and IZK Can prevent man-in-the-middle attacks on identification schemes when the prover is partially isolated (use a WI IPoK). UC secure MPC under a “cave” assumption. We can implement ideal ZK PoK in such a cave and so can do arbitrary UC-MPC using [CLOS02]. Would like to do UC-MPC when only one party is partially isolated at a given time. This is needed for tamper-proof hardware. can be accomplished using a WI-IPoK (see ePrint 2007/332).

Open Questions Open Questions:  A BB protocol with overhead 1 + o(1).  A non-standard, non-black-box assumption to replace RO model in RO protocol

Thank You! QUESTIONS?