Presentation is loading. Please wait.

Presentation is loading. Please wait.

cryptographic protocols 2014, lecture 12 Getting full zero knowledge

Published bySiska Rachman Modified over 5 years ago

Similar presentations

Presentation on theme: "cryptographic protocols 2014, lecture 12 Getting full zero knowledge"— Presentation transcript:

1 cryptographic protocols 2014, lecture 12 Getting full zero knowledge
helger lipmaa, university of tartu

2 Up to now Introduction to the field Secure computation protocols
Introduction to malicious model Σ-protocols

3 this time Σ-protocols: short reminder
Constructing interactive zero knowledge protocols from Σ-protocols

4 Reminder: Σ-protocols
x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Requirement: c is chosen from publicly known challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol

5 Reminder: Σ-protocols
x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Completeness Special Soundness Special Honest-Verifier ZK (SHVZK)

6 recall: semihonest model
ω f x=Encoded(ω) Decode, obtain f (ω) Encoded(f(ω)) We know how to construct protocols for almost any task, that are secure under the assumption that Alice's input belongs to some public set S₁

7 half-way there: Σ-protocols
ω f x=Encoded(ω), a of PK(ω∈S₁) Honestly chosen c z of PK(ω∈S₁) If (a, c, z) is not an accepting view with input x, abort Decode, obtain f (ω) Encoded(f(ω)) Add a Σ-protocol that convinces Bob that x ∈ L, e.g., L = {x: x = Enc (ω) for some ω ∈ S₁}

8 ? Goal: full ZK ω f Arbitrary c Encoded(f(ω))
x=Encoded(ω), a of PK(ω∈S₁) Arbitrary c z of PK(ω∈S₁) If (a, c, z) is not an accepting view with input x, abort Decode, obtain f (ω) Encoded(f(ω)) Add some additional steps...

9 basic idea x, ω x 1st message: commitment a 2nd message: challenge c
Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Σ-protocol is only zero knowledge when c is completely random. This is since we start simulating by picking c randomly, and then choose (z, a). It suffices for c to be independent of a: Bob's best strategy is then to guess c Goal: guarantee c is independent of a

10 Quiz: how? Question: how to guarantee a and c are mutually independent? Hint: Internet is asynchronous, so one message (say c) must be sent first, but in a "hidden" form Content only revealed after second message (say a) is sent

11 First idea: encryption
x, ω, pk x, pk, sk C ← Enc(c; r) a Abort if C ≠ Enc (c; r) c, r Accepts iff prover knows ω such that (x, ω) ∈ R z Seems legit? c is independent of a since x = Enc (...) is sent to Alice first, and x has unique decryption a is independent of c since due to IND-CPA security, x reveals no information about c And those two properties are sufficient: no need to decrypt. Only ability to "open" encryption so one can verify what was inside

12 Commitment scheme A commitment scheme consists of three algorithms:
key generation Gen (...) → pk commitment Com (pk; c; r) → C verification algorithm Ver (pk; C, c, r)∈{0, 1}

13 commitment scheme public key pk C ← Com (pk; c, r) (c, r) r, m
pk ← Gen r, m C ← Com (pk; c, r) Output Ver(pk; C, c, r) Store C (c, r)

14 security goals of commitment
Computational hiding: IND-CPA: given c₀, c₁, pk and C = Com (pk; cb, r), it is difficult to guess b Perfect binding: for every C, there exists at most one c such that C = Com (pk; c, ·) for some r

15 IND-CPA PKC = PH Commitment
Theorem. Every IND-CPA secure cryptosystem is a perfectly hiding and computationally binding commitment scheme Proof. Obvious: perfect binding follows from unique decryption computational hiding follows from IND-CPA security

16 Refined: PH Commitment
x, ω, pk x, pk C ← Com(c; r) a Abort if Ver(C, c, r)=0 c, r Accepts iff prover knows ω such that (x, ω) ∈ R z Seems legit? c is independent of a since C = Com (c, r) is sent to Alice first, and Com is perfectly binding a is independent of c since due to IND-CPA security, C reveals no information about c Can you find a problem?

17 Accepts iff both (a, c, z) and (a, c*, z*) are accepting views
Special soundness x, ω, pk x, pk C ← Com(c; r) a Abort if Ver(C, c*, r*)=0 Abort if Ver(C, c, r)=0 c, r Accepts iff both (a, c, z) and (a, c*, z*) are accepting views z c* ≠ c, r* z* Can you find a problem?

18 Accepts iff both (a, c, z) and (a, c*, z*) are accepting views
Special soundness Problem. The used commitment scheme is perfectly binding: it cannot be the case that Ver (C, c, r) and Ver (C, c*, r*) both accept if c ≠ c* x, ω, pk x, pk C ← Com(c; r) a Abort if Ver(C, c*, r*)=0 Abort if Ver(C, c, r)=0 c, r Accepts iff both (a, c, z) and (a, c*, z*) are accepting views z c* ≠ c, r* z*

19 quiz: solution? Question: what do do?
Hint 1: commitment scheme should not be perfectly binding For every c ≠ c*, r there should exist r* such that Com (c, r) = Com (c*, r*) Hint 2: finding such collusions should be easy for extractor, but not for a (malicious/honest) verifier We need computational binding, where binding can be broken by a party who knows some "trapdoor"

20 Trapdoor commitment Perfect hiding:
Distribution of Com (pk; m, r) does not depend on m Computational binding: for every C, m, r, m* ≠ m, without knowing trapdoor sk it is computationally hard to find r*, such that C = Com (pk; m, r) = Com (pk; m*, r*) Trapdoor: given sk, m, r, m* ≠ m, it is computationally easy to find r* such that Com (pk; m, r) = Com (pk; m*, r*)

21 Choice of commitment scheme
We use a commitment scheme that is constructed from any Σ-protocol for some hard language We use the fact that in the final protocol we only need to commit to random messages The committed message = c of original protocol This scheme is used since it fits well: it has more than one usage

22 commitment from Σ-protocols
Pick any hard relation R', (X, Ω) ∈ R' public key X X c ← ℤp Use simulator of PK(Ω) to create accepting view (A, c, Z) Com (c, Z) := A Ver(A, c, Z)=1 iff it is an accepting view of PK(Ω) Store commitment A (c, Z)

23 Ver(A, c, Z)=1 iff A = h^(-c) g^Z
Example: DL based Pick random X = g^Ω public key X X c ← ℤp Z ← ℤp A ← h^(-c) g^Z Com (c, Z) := A Ver(A, c, Z)=1 iff A = h^(-c) g^Z Store commitment A (c, Z)

24 security of this commitment
Theorem. The commitment scheme of the last slide is computationally binding (if R' is hard), perfectly hiding, and trapdoor s. sound => comp. binding: assume adversary outputs (A, c, Z), (A, c*, Z*), c ≠ c*, such that both accept. But then we can use extractor to recover Ω, thus R' is not hard SHVZK => perfect hiding: follows since in real protocol, A is randomly chosen before c is chosen, and real protocol and simulator are indistinguishable Completeness => trapdoor: given Ω, one can start Σ-protocol with any A, and then find Z corresponding to any c such that (A, c, Z) is accepting

25 Finally: trapdoor Commitment
x, ω, X x, X A = Com(c, Z) a Abort if Ver(A, c, Z)=0 c, Z Accept if (a, c, z) is an accepting view of PK(ω) z Seems legit? c is independent of a since A = Com (c, Z) is sent to Alice first, and Com is binding a is independent of c since A reveals no information about c

26 Accepts iff both (a, c, z) and (a, c*, z*) are accepting views
soundness x, ω, X x, X, Ω A ← Com(c, Z) a Abort if Ver(A, c*, Z*)=0 Abort if Ver(A, c, Z)=0 c, Z Accepts iff both (a, c, z) and (a, c*, z*) are accepting views z c* ≠ c, Z* z* Can do due to knowledge of trapdoor

27 quiz: are we done? Guess: are we done? Answer:
we checked: soundness is ok but what about ZK? let's check... (not done)

28 basic idea x, ω x 1st message: commitment a 2nd message: challenge c
Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Goal: guarantee c is independent of a

29 problem with zk x, ω, X x, X A ← Com(c, Z) a c, Z z
Simulator S must be able to create accepting view (A; a; c, Z; z) without knowing ω It can use simulator S' of Σ-protocol, that has precise syntax; nothing else is known for any c, generate random z, and then a // out of order since c is random, then choosing random c guarantees correct distribution In the 4-round protocol, the verifier might try to cheat by choosing weird c If c is not random then z is not random, thus this strategy does not work anymore Solution: do in-order simulation but use some other "superpower"/trapdoor

30 Reminder: basic setting
x, ω, X x, X A ← Com(c, Z) a c, Z z x, td, X PK (I am P) ≈ PK (I am S) x, X A ← Com(c, Z) a c, Z z

31 IDEA: PK (I AM P oR S) crs = X, x, ω x, X Really are indistinguishable
C ← Com(c, Z) a of PK (ω ∨ Ω) c, Z z of PK (ω ∨ Ω) td is "secret key" corresponding to crs easiest case: crs = X, td = Ω Really are indistinguishable x, X A ← Com(c, Z) crs = X, x, td = Ω a of PK (ω ∨ Ω) c, Z z of PK (ω ∨ Ω)

32 Accept if (a, c, z) is an accepting view of PK(ω∨td)
getting zk crs = X, x, ω crs = X, x A ← Com (c, Z) a of PK (ω ∨ Ω) Abort if Ver(A, c, Z)=0 c, Z Accept if (a, c, z) is an accepting view of PK(ω∨td) z of PK (ω ∨ Ω) Seems legit? P knows ω but does not know Ω, so V is convinced P knows ω S knows Ω so can construct indistinguishable OR-proof, in-order Assumption: crs = X is generated so that no real party knows Ω

33 4-round ZK protocol crs = X, x, ω crs = X, x C (a₁, a₂) c, Z
c ← Ch.Set (A, Z) ← S' (X, c) // sim. C a₁ ← a of PK (ω: (x, ω) ∈ R) c₂ ← Ch.Set Create (a₂, z₂) by using simulator of PK (Ω: (X, Ω)∈R') crs = X, x, ω crs = X, x Abort if Ver (A, c, Z) = 0 c₁ ← c - c₂ mod |Ch.Set| z₁ ← z of PK (ω) (a₁, a₂) c, Z c₂ ← c - c₁ mod |Ch.Set| Accepts if (a₁, c₁, z₁) is an accepting view of PK(ω) and (a₂, c₂, z₂) is an accepting view of PK(Ω) (z₁, z₂, c₁)

34 security of 4-round protocol
Theorem. Assume Σ-protocol is complete, specially sound and SHVZK for language L. Assume the commitment scheme is computationally binding, perfectly hiding, and trapdoor. Then the protocol from the previous slide is a computationally sound and perfectly ZK 4-round proof for L. comp. sound: proven. Computationally sound, since omnipotent P can recover Ω by brute force ZK: proven. Perfect ZK, since P and S create same distribution.

35 What we have Four round zero-knowledge protocol for any poly-time decidable relation R I.e., any language L in NP Additional overhead compared to Σ-protocol for R is minimal One proof of knowledge of Ω, independent of R R' can be choosen so that this is efficient (e.g., knowledge of DL)

36 Are we there yet? Not yet completely...
We relied on the fact that there exists a public key crs = X for which nobody but the simulator knows the corresponding secret key td = Ω This assumption makes sense: simulator can simulate proof without knowing ω, so proof reveals no information about ω

37 4-round ZK in CRS model crs = X crs = X crs = X, x, ω crs = X, x
Create crs with trapdoor td crs = X crs = X crs = X, x, ω crs = X, x A ← Com(c, Z) a of PK (ω ∨ Ω) Abort if Ver(A, c, Z)=0 c, Z Accepts if (a, c, z) is accepting view z of PK (ω ∨ Ω)

38 common reference string
This is a general trust model, CRS model CRS Model = Trust Assumption some trusted party generates public crs together with trapdoor td crs is made available to all parties, while td is only available for simulator "Superpower" that the simulator has

39 Invalid objection Objection: CRS has to be generated by a trusted party use multi-party computation: generate crs jointly by many in the case of DL: h ← h₁h₂, jointly between P/V Or: use trusted hardware

40 Invalid objection Objection: trapdoor is still known to simulator
simulator is a mind experiment existence of simulator shows you can generate the protocol view without knowing ω Thus does not depend on ω, thus does not leak info

41 Valid objection Bad: we presented a 4-round ZK proof in the CRS model
There exist 1-round (non-interactive) ZK proofs so here CRS is unnecessary Can we construct 4-round ZK proofs without CRS? while it is known 4 rounds is needed in standard model

42 idea Let V create (X, Ω) ∈ R', and send X to P with her first message
Quiz: how can simulator obtain Ω from V? Answer: we let V to prove the knowledge of Ω to P Simulator of ZK protocol uses extractor of Σ- protocol to extract Ω from V in CRS model, V simulated, here V knows Ω and thus can execute PK(Ω)

43 4-round ZK in standard model
X, A of PK(Ω) x, ω x, new (X, Ω) a of PK (ω ∨ Ω), C of PK(Ω) Abort if Ver(A, C, Z)=0 Z of PK(Ω), c of PK (ω ∨ Ω) Accepts if (a, c, z) is accepting view of PK (ω ∨ Ω) since X is used once, it does not matter if information about it leaks, thus PK(Ω) can be HVZK z of PK (ω ∨ Ω) superpower: rewinding again

44 security of 4-round protocol
Theorem. Assume Σ-protocols for PK(ω) and PK(Ω) are complete, specially sound and SHVZK for language L and language L'. Assume L' is a hard language. Then the protocol from the previous slide is a computationally sound and perfectly ZK 4-round proof for L, without using the CRS model. ZK: Simulator uses extractor of PK (Ω) to obtain Ω and then executes PK (ω ∨ Ω) comp. sound: Assume prover succeeds in convincing verifier. Then we can use extractor to either extract ω or Ω from P. But since L' is a hard language, P knows Ω only with a negligible probability superpower: using rewinding in simulation

45 remarks Important: V should use any hard language L'
just choose L' that suits the rest of ZK proof if ZK proof is about graphs, use GI, etc... ... or just use something efficient (knowledge of DL)

46 remark on commitment scheme
We chose the concrete commitment scheme so that at the last step the number of modifications would be minimal There are many other commitment schemes available

47 jungle of interactive ZK
Zero-knowledge has many parameters Plain model, CRS model, random oracle model, bare public key model Standalone/concurrent/UC Resettable Computational or perfect soundness ... main problem: if several proofs are run in parallel, a message of one proof can be used in another proof. How to construct simulatable proofs becomes major hurdle you do not have to remember those notions, it's a jungle

48 non-interactive zk crs x, ω x, π Output Ver(crs, x, π)
π ← P(crs, x, ω) Output Ver(crs, x, π) x, π Output Ver(crs, x, π)

49 NIZK NIZK: ZK proof is a bit string
Verification can be done without interaction with prover Many verifiers verify the same proof whenever they need Example: e-voting, P = voter, V = voting server Here, CRS is the necessary superpower (can't rewind) Bonus: no problems with concurrency, ... NIZK is what we need in practice since we cannot interleave messages from different proofs: every proof is one message

50 Study outcomes Getting full ZK from Σ-protocols
Getting soundness - via commitment schemes Getting ZK - via OR proof and additional Σ- protocol

51 next lecture Pairings: one step further from homomorphic crypto
Enables to compute additions and one multiplication on encrypted values Some applications In two lectures: non-interactive ZK based on pairings

Download ppt "cryptographic protocols 2014, lecture 12 Getting full zero knowledge"

Similar presentations

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.

Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.

1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google