Presentation is loading. Please wait.

Presentation is loading. Please wait.

cryptographic protocols 2016, lecture 13 Sigma protocols for DL

Similar presentations


Presentation on theme: "cryptographic protocols 2016, lecture 13 Sigma protocols for DL"— Presentation transcript:

1 cryptographic protocols 2016, lecture 13 Sigma protocols for DL
helger lipmaa, university of tartu

2 Up to now Introduction to the field Secure computation protocols
Introduction to malicious model Σ-protocols: basics

3 Σ-protocols: Up to now We started from a very simple protocol for GI
"intuitively" secure: complete, sound, ZK Formalized security requirements based on this concrete example Big promise: this is useful in general

4 this time Σ-protocols: short reminder
Σ-protocols for DL based languages Composition of Σ-protocols Σ-protocols for everything interesting

5 Reminder: Σ-protocols
x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Requirement: c is chosen from publicly known challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol

6 Reminder: Σ-protocols
x, ω x 1st message: commitment a 2nd message: challenge c Accepts iff prover knows ω such that (x, ω) ∈ R 3rd message: response z Completeness Special Soundness Special Honest-Verifier ZK (SHVZK)

7 Reminder: Authentication
pk, sk pk 1st message: commitment a 2nd message: challenge c Accepts iff prover knows sk such that (pk, sk) ∈ Gen 3rd message: response z GI protocol: sk = ω = secret isomorphism. Verifier convinced prover knows the secret key without any side information being leaked

8 problem with GI Inefficient (for say authentication):
having graphs as PK/SK is not efficient adjacency matrix: O (n2) bits Knowledge error κ = 1 / 2 Need to parallel-repeat protocol 40+ times to amplify Also we have many other elements of the protocols based on Elgamal. Better stick to the same cryptosystem

9 notation P has input (x, ω), V has input x
Σ-protocol (P, V) is a proof of knowledge that P knows ω such that (x, ω) ∈ R for a public language L/relation R x ∈ L ⇔ ∃ω (x, ω) ∈ R // ω is short Common notation: PK (ω: R (x, ω)) Secret values denoted by Greek letters We will now see (for Elgamal): PK (ρ: h = gρ)

10 POK: knowledge of dl h = gρ, ρ h 1st message: commitment a
2nd message: challenge c Accepts iff prover knows ρ such that h = gρ 3rd message: response z Authentication: Proof of Knowledge of secret key corresponding to Elgamal PK h. General intepretation: PK of a discrete logarithm

11 It is a bit like secret sharing
idea GI: knowing isomorphism G1 → G2 ⇔ (knowing isomorphism G1 → H ⇔ knowing isomorphism G2 → H for random H) Prover knows 0, 1 or 3 of isomorphisms DL: knowing DL of y = gρ ⇔ (knowing DL of gr ⇔ knowing DL of gρ + r for random r) Prover knows 0, 1 or 3 of DL-s φ:(G1,G2) ψ:(G1,H) ψφ⁻¹:(G2,H) never exactly 2 ρ:h=gρ r:a=gr r+ρ:ah=gr+ρ It is a bit like secret sharing

12 quiz: knowledge of dl h = gρ, ρ h a c ← {0, 1} z
r ← ℤp a ← gr h = gρ, ρ h a c ← {0, 1} Accept if gz = ahc z ← r + cρ z note: z = r + cρ plays the role of Gc Completeness: gz = gr + cρ = ahc

13 quiz: knowledge of dl h = gρ, ρ h a c ← {0, 1} z r ← ℤp a ← gr
Accept if gz = ahc z ← r + cρ z Analysis. Divide the first verification equation with the second one: gz - z* = hc - c* Since c ≠ c*, h = g(z - z*) / (c - c*), thus extractor retrieves ρ correctly. Special soundness. Extractor K(a, c, z, c* ≠ c, z*): // Accepting views, thus gz = ahc and gz* = ahc* Return ρ ← (z - z*) / (c - c*)

14 quiz: knowledge of dl h = gρ, ρ h a c ← {0, 1} z r ← ℤp a ← gr
Accept if gz = ahc z ← r + cρ z Analysis. First. (a, c, z) is accepting since a was generated so that the verification equation would accept. (tautology.) Second. In real execution (a, c, z) ∈ G × {0, 1} × ℤp is completely random except that the verification equation holds. Thus in real execution one can start by generating c ← {0, 1}, z ← ℤp, and then setting a ← gz / hc. Thus simulator's output is exactly from the same distribution as the real protocol's output SHVZK. Simulator S (c): Generate z ← ℤp Set a ← gz / hc Return (a, z)

15 On knowledge error We "hid" most of the technicalities
"expected" poly-time extractor, etc Important: κ = 1 / 2 P* can guess V's challenge c with probability 1 / 2 We can decrease κ by using security amplification from the last lecture However, there is a much better way

16 quiz: improving κ Question: how would you improve κ?
without security amplification! Hint 1: κ = 1 / |C| Hint 2: the previous protocol did never require to have |C| = 2 C = challenge set, here C = {0, 1}

17 Completeness: gz = gr + cρ = ahρ
quiz: knowledge of dl r ← ℤp a ← gr h = gρ, ρ h a c ← {0, 1}s Accept if gz = ahc z ← r + cρ z Completeness: gz = gr + cρ = ahρ

18 security proof All parts of security proof are same as before
Only exception: In analysis of SHVZK, we get c ← {0, 1}s both in the "protocol" and "simulator" case Simulator construction does not change Knowledge error: κ = 2-s // probability P* guesses c

19 remarks In practice s = 40 may suffice
Information-theoretic limit, not computational However, choosing s = 80 does not make the protocol significantly less efficient This knowledge-of-DL (with variable s) Σ- protocol was proposed by Schnorr in 1991

20 composition Another reason Σ-protocols are useful:
they are extremely easy to compose ... in a black-box way Automatic rules: PK (R1 (x, ω1)), PK (R2 (x, ω2)) → PK ((ω1, ω2): R1 (x, ω1) ∧ R2 (x, ω2)) PK (R1 (x, ω1)), PK (R2 (x, ω2)) → PK (ω: R1 (x, ω) ∨ R2 (x, ω)) Given those two rules (and suitable starting protocols), can "automatically" construct Σ-protocols for all languages in NP

21 this optimization is actually needed for some functionality
"and" composition Assume you know both ω1 and ω2 s.t. Ri (x, ωi) Run PK (ω1: R1 (x, ω1)) and PK (ω2: R2 (x, ω2)) in parallel Possible, since we know both witnesses Optimization: let V to use the same c in both cases assuming they come from the same set this optimization is actually needed for some functionality

22 "and" composition (x, ωi): s.t. Ri(x, ωi) x (a1, a2) c ← C (z1, z2)
a1 ← P₁ (x; r1) a2 ← P₂ (x; r2) x (a1, a2) c ← C z1 ← P1 (x, ω1, c; r1) z2 ← P2 (x, ω2, c; r2) Accept if both V1 (x, a1, c1, z1) and V2 (x, a2, c2, z2) accept (z1, z2)

23 Completeness: Since both V1 and V2 accept, also V accepts
"and": completeness (x, ωi): s.t. Ri(x, ωi) a1 ← P₁ (x; r1) a2 ← P₂ (x; r2) x (a1, a2) c ← C z1 ← P1 (x, ω1, c; r1) z2 ← P2 (x, ω2, c; r2) Accept if both V1 (x, a1, c1, z1) and V2 (x, a2, c2, z2) accept (z1, z2) Completeness: Since both V1 and V2 accept, also V accepts

24 “and”: special soundness
(x, ωi): s.t. Ri(x, ωi) a1 ← P₁ (x; r1) a2 ← P₂ (x; r2) x (a1, a2) c ← C z1 ← P1 (x, ω1, c; r1) z2 ← P2 (x, ω2, c; r2) Accept if both V1 (x, a1, c1, z1) and V2 (x, a2, c2, z2) accept (z1, z2) Special soundness. Extractor K (a1, a2, c, z1, z2, c*, z1*, z2*): ω1 ← K1 (a1, c, z1, c*, z1*) ω2 ← K2 (a2, c, z2, c*, z2*) Return (ω1, ω2)

25 remarks We will see two different types of AND compositions
ω1 and ω2 are independent random variables Example: PK ((α, β): e1 = hα ∧ e2 = gβ) Both protocols use the same secret Example: PK (α: e1 = hα ∧ e2 = gα) Not a completely automatic composition: have to prove special soundness every single time

26 POK: DDH witness (g, h, e1, e2), ρ (g, h, e1, e2)
L = {(g, h, e1, e2), s.t. (e1, e2) = (hρ, gρ) for some ρ} (g, h, e1, e2), ρ r ← ℤp (a1, a2) ← (hr, gr) (g, h, e1, e2) (a1, a2) c ← C z ← r + cρ Accept if (hz, gz) = (a1e1c, a2e2c) z Second type AND composition of two DL POKs

27 DDH witness: Completeness
L = {(g, h, e1, e2), s.t. (e1, e2) = (hρ, gρ) for some ρ} (g, h, e1, e2), ρ r ← ℤp (a1, a2) ← (hr, gr) (g, h, e1, e2) (a1, a2) c ← C z ← r + cρ Accept if (hz, gz) = (a1e1c, a2e2c) z Completeness. Clear, since (a1, c, z) is accepting view for PK (ρ: e1 = hρ) and (a2, c, z) is accepting view for PK (ρ: e2 = gρ) Second type AND composition of two DL POKs

28 DDH witness: spec. soundness
L = {(g, h, e1, e2), s.t. (e1, e2) = (hρ, gρ) for some ρ} (g, h, e1, e2), ρ r ← ℤp (a1, a2) ← (hr, gr) (g, h, e1, e2) (a1, a2) c ← C z ← r + cρ Accept if (hz, gz) = (a1e1c, a2e2c) z Special soundness. Extractor K (a1, a2, c, z, c*, z*): // K1 (a1, c, z, c*, z*) = K2 (a2, c, z, c*, z*) ρ ← (z - z*) / (c - c*) Return ρ Analysis. Simple corollary of knowledge of DL protocols. One gets "the same" ρ from the use of the same c in both verification equations Second type AND composition of two DL POKs

29 DDH witness: sHVZK (g, h, e1, e2), ρ (g, h, e1, e2)
L = {(g, h, e1, e2), s.t. (e1, e2) = (hρ, gρ) for some ρ} (g, h, e1, e2), ρ r ← ℤp (a1, a2) ← (hr, gr) (g, h, e1, e2) (a1, a2) c ← C z ← r + cρ Accept if (hz, gz) = (a1e1c, a2e2c) z SHVZK Simulator S (c): z ← ℤp, (a1, a2) ← (hz / e1c, gz / e2c) Return (a1, a2; c; z) Analysis. Again, simple corollary. Acceptance is tautology. Distribution is the same since in both cases c and z are random and (a1, a2) just makes verification accept Second type AND composition of two DL POKs

30 POK: Elgamal plaintext/randomizer
L = {(g, h, e1, e2), s.t. (e1, e2) = (gμ hρ, gρ) for some (μ, ρ)} (g, h, e1, e2), (μ, ρ) m, r ← ℤp (a1, a2) ← (gmhr, gr) (g, h, e1, e2) (a1, a2) c ← C z1 ← m + cμ z2 ← r + cρ Accept if (gz₁ hz₂, gz₂) = (a1e1c, a2e2c) (z1, z2)

31 remarks AND-proof gives an easy way to get an AND of two Σ-protocols
but its better to make it sure the result is correct by giving direct security proof Example direct security proofs were simple but sometimes it gets very tedious

32 Verifier is convinced plaintext is Boolean
or-proof Assume that P knows a witness to either x ∈ L1 or x ∈ L2 and wants to convince V in this Important: V should not get to know which witness P knows Example: L0 = { e = Enc (0; ρ) for some ρ}, L1 = { e = Enc (1; ρ) for some ρ} We know already how to construct protocols for both L = L0 ∪ L1 = {e = Enc (0; ρ) ∨ e = Enc (1; ρ) for some ρ} Verifier is convinced plaintext is Boolean

33 AND VS OR proof AND proof is simpler:
R1 ∧ R2 is true iff both R1 and R2 are true Revealing in the proof that Ri is true does not break ZK OR proof must not reveal which of R1 and R2 is true another one might or might not be false! Additional layer of complexity

34 quiz: "OR" composition x PK (x, ω): s.t. Ri(x, ω) ai ci ← C zᵢ
For one i ∈ {1, 2}: given protocol (Pi, Vi) for PK (ωi: Ri (x, ωi)) Problems: Prover knows only witness ω for Ri and thus cannot execute both branches of OR Verifier should not know which branch P can execute Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) ∨ R₂ (x, ω)) PK (x, ω): s.t. Ri(x, ω) ai ← Pi (x; ri) x ai ci ← C zi ← Pi (x, ω, c; ri) Accept if either V1 (x, a1, c1, z1) or V2 (x, a2, c2, z2) accepts Quiz: how can P run the branch, without knowing corresponding secret, such that V cannot distinguish it from the real run? zᵢ

35 answer: use simulator Need to run protocol without knowing witness?
Answer: use the simulator Need it to be indistinguishable from real run?

36 ... with a trick Problem: P should run one branch non- simulated
The simulated branch can be created out-of- order, while the “non-simulated" can’t So one of the two must use c provided by V Question: how? Recall "special" meant the simulator can start from c, then create the rest, while P has to start with a

37 We really need the "special" ZK property
... with a trick Idea: generate ci first, after seeing verifier's challenge c, choose c3 - i ← c - ci One of c1 and c2 thus must be created "after" seeing c We really need the "special" ZK property

38 OR-proof (x, ω): R1(x, ω) x a1 ← P1 (x; r) c2 ← C (a2, z2) ← S2 (c2)
Assume wlog that P knows ω s.t. R1 (x, ω) (x, ω): R1(x, ω) x (a1, a2) c ← C = {0, ..., |C| - 1} c1 ← c - c2 mod |C| z1 ← P1 (x, ω, c1; r) c2 ← c - c1 mod |C| Accept if both V1 (x, a1, c1, z1) and V2 (x, a2, c2, z2) accept (z1, z2, c1) Goal: construct protocol (P, V) for PK (ω: R1 (x, ω) ∨ R2 (x, ω))

39 security Proof I will not give a full security proof, but it is easy
Completeness: from completeness of first PK, and successful simulation of the second one Special soundness: OR-extractor runs extractors for both branches. One of them is successful, return this value SHVZK: since the first PK is SHVZK, and the second one is already simulated

40 POK: Elgamal plaintext is boolean
L = {(g, h, e1, e2), s.t. (e1, e2) = (gμ hρ, gρ) for some ρ ∈ ℤp, μ ∈ {0, 1}} r ← ℤp (a11, a12) ← (hr, gr) c2 ← C; z2 ← ℤp a21 ← g1 hz₂ / e₁c₂ a22 ← gz₂ / e₂c₂ We depict prover when μ = 0; μ = 1 is dual (g, h, e1, e2), (μ, ρ) (g, h, e1, e2) (a11, a12, a21, a22) c ← C c2 ← c - c1 mod |C| Accept if c1 ∈ C, (hz₁, gz₁) = (a11e1c₁, a12e2c₁), (ghz₂, gz₂) = (a21e1c₂, a22e2c₂) c₁ ← c - c2 mod |C| z1 ← r + c1 ρ (c1, z1, z2)

41 security proof Left for homework
Note: there exists a slightly more efficient Boolean proof that does not use simulation

42 Σ-Protocols for Boolean circuits
x,y,z x+y+2z-2 0,0,0 -2 0,0,1 0,1,0 -1 0,1,1 1 1,0,0 1,0,1 1,1,0 1,1,1 2 Each circuit can be built from NAND gates x NAND y = 1 iff x = 0 or y = 0 Easy to verify that NAND is observed: x NAND y = z iff x + y + 2z - 2 ∈ {0, 1} Corollary. Boolean proofs are sufficient to construct Σ-protocol for CIRCUIT-SAT Proof. Encrypt each wire value except the last one (which is 1). Prove that each wire value is Boolean. For each gate, prove that NAND is observed x y z

43 Study outcomes Σ-protocols for DL-based languages Simple examples
Composition rules Everything interesting has a Σ-protocol

44 next lecture How to build "real ZK" on top of Σ-protocols?
Interactive, four-message ZK

45 PK ((μ, ρ): c = Enc (μ; ρ) ∧ μ ∈ {0, 1, …, 2k - 1})
ideas for hW Assume the use of Elgamal Construct ∑-protocol for PK ((μ, ρ): c = Enc (μ; ρ)) “knowledge of plaintext and randomizer” For any k > 0, construct ∑-protocol for PK ((μ, ρ): c = Enc (μ; ρ) ∧ μ ∈ {0, 1, …, 2k - 1}) “range proof”. Hint: encrypt μ bitwise


Download ppt "cryptographic protocols 2016, lecture 13 Sigma protocols for DL"

Similar presentations


Ads by Google