Add to collection(s) Add to saved
  1. Math

Document

advertisement 
CRYPTOGRAPHIC
PROTOCOLS 2014, LECTURE 11
Sigma protocols for DL
helger lipmaa, university of tartu
UP TO NOW
Introduction to the field
Secure computation protocols
Introduction to malicious model
Σ-protocols: basics
Σ-PROTOCOLS: UP TO NOW
We started from a very simple protocol for GI
"intuitively" secure: complete, sound, ZK
Formalized security requirements
based on this concrete example
Big promise: this is useful in general
THIS TIME
Σ-protocols: short reminder
Σ-protocols for DL based languages
Composition of Σ-protocols
Σ-protocols for "almost everything interesting"
in the DL-world
REMINDER: Σ-PROTOCOLS
x, ω
1st message: commitment a
x
2nd message: challenge c
3rd message: response z
Requirement: c is chosen from publicly known
challenge set C randomly. (Does not depend on a!)
Terminology: public coin protocol
Accepts iff
prover knows
ω such that
(x, ω) ∈ R
REMINDER: Σ-PROTOCOLS
x, ω
1st message: commitment a
x
2nd message: challenge c
3rd message: response z
Accepts iff
prover knows
ω such that
(x, ω) ∈ R
1. Completeness
2. Special Soundness
3. Special Honest-Verifier ZK (SHVZK)
REMINDER: AUTHENTICATION
pk, sk
1st message: commitment a
pk
2nd message: challenge c
3rd message: response z
Accepts iff
prover knows
sk such that
(pk, sk) ∈ Gen
GI protocol: sk = ω = secret isomorphism.
Verifier convinced prover knows the secret key without any side information being leaked
NOTATION
P has input (x, ω), V has input x
Σ-protocol (P, V) is a proof of knowledge that P knows
ω such that (x, ω) ∈ R for a public language L/relation R
x∈L
ω (x, ω) ∈ R
Common notation: PK (ω: R (x, ω))
Secret values denoted by Greek letters
We will now see: PK (ρ: h = g^ρ)
PROBLEM WITH GI
Inefficient (for say authentication):
having graphs as PK/SK is not efficient
adjacency matrix: O (n²) bits
Also we have many other elements of the protocols based on Elgamal.
Better stick to the same cryptosystem
Knowledge error κ = 1 / 2
Need to parallel-repeat protocol 40+ times to
amplify
POK: KNOWLEDGE OF DL
h = g^ρ, ρ
1st message: commitment a
h
2nd message: challenge c
3rd message: response z
Accepts iff
prover knows
ρ such that
h = g^ρ
Authentication: Proof of Knowledge of secret key corresponding to Elgamal PK h.
General intepretation: PK of a discrete logarithm
IDEA
GI: knowing isomorphism G₁ → G₂
(knowing isomorphism G₁ → H
φ:(G₁,G2)
knowing
isomorphism G₂ → H for random H)
ψ:(G₁,H)
Prover knows 0, 1 or 3 of isomorphisms
DL: knowing DL of y = g^ρ
of gʳ
ψφ⁻¹:(G2,H)
ρ:h=g^ρ
(knowing DL
knowing DL of g^(ρ + r) for random r)
Prover knows 0, 1 or 3 of DL-s
It is a bit like secret sharing
r:a=gʳ
r+ρ:ah=g^(ρ+r)
QUIZ: KNOWLEDGE OF DL
h = g^ρ, ρ
r ← ℤp
a ← gʳ
a
h
c ← {0, 1}
Accept if
g^z = ah^c
z ← r + cρ
note: z = r or z = r + ρ plays the role of Gc
z
Completeness: g^z = g^(r + cρ) = ah^c
QUIZ: KNOWLEDGE OF DL
h = g^ρ, ρ
r ← ℤp
a ← gʳ
a
h
c ← {0, 1}
Accept if
g^z = ah^c
z ← r + cρ
z
Analysis. Divide the first verification
Special soundness.
equation with the second one:
Extractor K(a, c, z, c* ≠ c, z*):
g^(z - z*) = h^(c - c*)
// Accepting views, thus g^z = ah^c and g^(z*) = ah^(c*)
Since c ≠ c*, h = g^((z - z*) / (c - c*)), thus
1. Return ρ ← (z - z*) / (c - c*)
extractor retrieves ρ correctly.
QUIZ: KNOWLEDGE OF DL
h = g^ρ, ρ
r ← ℤp
a ← gʳ
a
h
c ← {0, 1}
z ← r + cρ
Accept if
g^z = ah^c
Analysis. First. (a, c, z)zis accepting since a was generated so that the
verification equation would accept. (tautology.)
SHVZK.
Simulator S (c):
Second. In real execution (a, c, z) ∈ G × {0, 1} × ℤp is completely random
1. Generate z ← ℤp except that the verification equation holds. Thus in real execution one
2. Set a ← g^z / h^c can start by generating c ← {0, 1}, z ← ℤp, and then setting a ← g^z / h^c.
3. Return (a, z)
Thus simulator's output is exactly from the same distribution as the real
protocol's output
ON KNOWLEDGE ERROR
We "hid" most of the technicalities
"expected" poly-time extractor, etc
Important: κ = 1 / 2
P* can guess V's challenge c with probability 1 / 2
We can decrease κ by using security amplification
from Lecture 10
However, there is a much better way
QUIZ: IMPROVING Κ
Question: how would you improve κ?
without security amplification!
Hint 1:
κ = 1 / |C|
C = challenge set, here C = {0, 1}
Hint 2:
the previous protocol did never require to have |
C| = 2
QUIZ: KNOWLEDGE OF DL
h = g^ρ, ρ
r ← ℤp
a ← gʳ
a
h
c ← {0, 1}ˢ
Accept if
g^z = ah^c
z ← r + cρ
z
Completeness: g^z = g^(r + cρ) = ah^ρ
SECURITY PROOF
All parts of security proof are same as before
Only exception:
In analysis of SHVZK, we get c ← {0, 1}ˢ both in the
"protocol" and "simulator" case
Simulator construction does not change
Knowledge error: κ = 2⁻ˢ // probability P* guesses c
REMARKS
In practice s = 40 may suffice
Information-theoretic limit, not computational
However, choosing s = 80 does not make the
protocol less efficient
This knowledge-of-DL (with variable s) Σprotocol was proposed by Schnorr in 1991
COMPOSITION
Another reason Σ-protocols are useful:
they are extremely easy to compose
... in a black-box way
Automatic rules:
1. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) → PK ((ω₁, ω₂): R₁ (x, ω₁) ∧ R₂ (x, ω₂))
2. PK (R₁ (x, ω₁)), PK (R₂ (x, ω₂)) → PK (ω: R₁ (x, ω) ∨ R₂ (x, ω))
Given those two rules (and suitable starting protocols), can
"automatically" construct Σ-protocols for all languages in NP
"AND" COMPOSITION
For i ∈ {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ))
Goal: construct protocol (P, V) for PK ((ω₁, ω₂): R₁ (x, ω₁) ∧ R₂ (x, ω₂))
(x, ωᵢ): s.t. Rᵢ(x, ωᵢ)
aᵢ ← Pᵢ (x; rᵢ)
aᵢ
x
cᵢ ← C
zᵢ ← Pᵢ (x, ωᵢ, cᵢ; rᵢ)
zᵢ
Accept if both
V₁ (x, a₁, c₁, z₁) and
V₂ (x, a₂, c₂, z₂)
accept
QUIZ: "AND" COMPOSITION
(x, ωᵢ): s.t. Rᵢ(x, ωᵢ)
a₁ ← P₁ (x; r₁)
a₂ ← P₂ (x; r₂)
(a₁, a₂)
x
c←C
z₁ ← P₁ (x, ω₁, c; r₁)
z₂ ← P₂ (x, ω₂, c; r₂)
(z₁, z₂)
Accept if both
V₁ (x, a₁, c₁, z₁) and
V₂ (x, a₂, c₂, z₂)
accept
"AND" COMPOSITION: COMPLETENESS
(x, ωᵢ): s.t. Rᵢ(x, ωᵢ)
a₁ ← P₁ (x; r₁)
a₂ ← P₂ (x; r₂)
(a₁, a₂)
x
c←C
z₁ ← P₁ (x, ω₁, c; r₁)
z₂ ← P₂ (x, ω₂, c; r₂)
(z₁, z₂)
Completeness: Since both V₁ and V₂ accept, also V accepts
Accept if both
V₁ (x, a₁, c₁, z₁) and
V₂ (x, a₂, c₂, z₂)
accept
"AND": SPECIAL SOUNDNESS
(x, ωᵢ): s.t. Rᵢ(x, ωᵢ)
a₁ ← P₁ (x; r₁)
a₂ ← P₂ (x; r₂)
(a₁, a₂)
x
c←C
z₁ ← P₁ (x, ω₁, c; r₁)
z₂ ← P₂ (x, ω₂, c; r₂)
(z₁, z₂)
Special soundness.
Extractor K (a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*):
1. ω₁ ← K₁ (a₁, c, z₁, c*, z₁*)
1. ω₂ ← K₂ (a₂, c, z₂, c*, z₂*)
2. Return (ω₁, ω₂)
Accept if both
V₁ (x, a₁, c₁, z₁) and
V₂ (x, a₂, c₂, z₂)
accept
REMARKS
We will see two different types of AND
compositions
1. ω₁ and ω₂ are independent random variables
Example: PK ((m, r): c = Enc (m; r))
Extraction works: Kᵢ obtains ωᵢ
TYPE 2
Type 2: Both protocols use the same secret
Composition works given the secret is unique
not a completely automatic composition: need to
prove s.s. every single time
Both extractors successful => they return same
value
Example: PK (r: c₁ = hʳ ∧ c₂ = gʳ)
POK: DDH WITNESS
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ}
(g, h, e₁, e₂), ρ
r ← ℤp
(a₁, a₂) ← (hʳ, gʳ)
(a₁, a₂)
(g, h, e₁, e₂)
c←C
z ← r + cρ
z
Accept if
(h^z, g^z) = (a₁e₁^c, a₂e₂^c)
Second type AND composition
DDH WITNESS: COMPLETENESS
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ}
(g, h, e₁, e₂), ρ
r ← ℤp
(a₁, a₂) ← (hʳ, gʳ)
(a₁, a₂)
(g, h, e₁, e₂)
c←C
z ← r + cρ
z
Completeness.
Clear, since (a₁, c, z) is accepting view for PK (ρ: e₁ = h^ρ)
and (a₂, c, z) is accepting view for PK (ρ: e₂ = g^ρ)
Accept if
(h^z, g^z) = (a₁e₁^c, a₂e₂^c)
DDH WITNESS: SPECIAL SOUNDNESS
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ}
(g, h, e₁, e₂), ρ
r ← ℤp
(a₁, a₂) ← (hʳ, gʳ)
(a₁, a₂)
(g, h, e₁, e₂)
c←C
z ← r + cρ
z
Special soundness.
Extractor K (a₁, a₂, c, z, c*, z*):
1. // K₁ (a₁, c, z, c*, z*) = K₂ (a₂, c, z, c*, z*)
2. ρ ← (z - z*) / (c - c*)
3. Return ρ
Analysis. Simple corollary of
knowledge of DL protocols.
One gets "the same" ρ from
the use of the same c in both
verification equations
Accept if
(h^z, g^z) = (a₁e₁^c, a₂e₂^c)
DDH WITNESS: SPECIAL SOUNDNESS
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (h^ρ, g^ρ) for some ρ}
(g, h, e₁, e₂), ρ
r ← ℤp
(a₁, a₂) ← (hʳ, gʳ)
(a₁, a₂)
(g, h, e₁, e₂)
c←C
z ← r + cρ
z
SHVZK
Simulator S (c):
1. z ← ℤp,
2. (a₁, a₂) ← (h^z / e₁^c, g^z / e₂^c)
3. Return (a₁, a₂; c; z)
Analysis. Again, simple corollary.
Accept if
Acceptance is tautology.
(h^z, g^z) = (a₁e₁^c, a₂e₂^c)
Distribution is the same since in
both cases c and z are random and
(a₁, a₂) just makes verification accept
POK: ELGAMAL PLAINTEXT/RANDOMIZER
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)}
(g, h, e₁, e₂), (μ, ρ)
m, r ← ℤp
(a₁, a₂) ← (gᵐhʳ, gʳ)
(a₁, a₂)
(g, h, e₁, e₂)
c←C
z₁ ← m + cμ
z₂ ← r + cρ
(z₁, z₂)
Accept if
(g^(z₁) h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)
First type AND composition over two previous protocols
REMARKS
AND-proof gives an easy way to get an AND of
two Σ-protocols
but its better to make it sure the result is
correct by giving direct proof
Example direct proofs were simple
but sometimes it gets very tedious
OR-PROOF
Assume that P knows a witness to one of x ∈ L₁ or x ∈ L₂ and
wants to convince V in this
Important: V should not get to know which witness P knows
Example:
L₀ = { e = Enc (0; ρ) for some ρ}, L₁ = { e = Enc (1; ρ) for some ρ}
We know already how to construct protocols for both
L = L₀ ∪ L₁ = {e = Enc (0; ρ) ∨ e = Enc (1; ρ) for some ρ}
Verifier is convinced plaintext is Boolean
AND VS OR PROOF
AND proof is simpler:
R₁ ∧ R₂ is true iff both R₁ and R₂ are true
Revealing in the proof that Rᵢ is true does not
break ZK
OR proof should not reveal which of R₁ and R₂ is
true
Additional layer of complexity
QUIZ: "OR" COMPOSITION
For one i ∈ {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ))
Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) ∨ R₂ (x, ω))
(x, ω): s.t. Rᵢ(x, ω)
aᵢ ← Pᵢ (x; rᵢ)
aᵢ
x
cᵢ ← C
zᵢ ← Pᵢ (x, ω, c; rᵢ)
zᵢ
Accept if both
V₁ (x, a₁, c₁, z₁) and
V₂ (x, a₂, c₂, z₂)
accept
QUIZ: "OR" COMPOSITION
For one i ∈ {1, 2}: given protocol (Pᵢ, Vᵢ) for PK (ωᵢ: Rᵢ (x, ωᵢ))
Problems:
1. Prover knows only witness ω for Rᵢ and thus cannot
Goal: construct protocol
(P, V) both
for PK
(ω: R₁ (x,
execute
branches
of ω)
∨ ∨ R₂ (x, ω))
2. Verifier should not know which branch P can execute
(x, ω): s.t. Rᵢ(x, ω)
aᵢ ← Pᵢ (x; rᵢ)
aᵢ
x
cᵢ ← C
zᵢ ← Pᵢ (x, ω, c; rᵢ)
Quiz:
zᵢ
how can P run the branch, without knowing corresponding
secret, such that V cannot distinguish it from the real run?
Accept if both
V₁ (x, a₁, c₁, z₁) and
V₂ (x, a₂, c₂, z₂)
accept
ANSWER: USE SIMULATOR
Need to run protocol without knowing witness?
Answer: use the simulator
Need it to be indistinguishable from real run?
Answer: use the simulator
... WITH A TRICK
Problem: P should run one branch unsimulated
Simulated branch can be created out-of-order,
unsimulated cannot be
Recall "special" meant the simulator can start from c, then create the rest, while P has to start with a
So one of two must use c provided by V
Question: how?
... WITH A TRICK
Idea: generate cᵢ first, then choose c3-i ← c - cᵢ
One of c₁ and c₂ thus must be created "after"
seeing c
We really need the "special" ZK property
OR-PROOF
(x, ω): R₁(x, ω)
a₁ ← P₁ (x; r)
c₂ ← C; (a₂, z₂) ← S₂ (c₂)
Assume wlog that P knows ω s.t. R₁ (x, ω)
(a₁, a₂)
x
c ← C = {0, ..., |C| - 1}
c₁ ← c - c₂ mod |C|
z₁ ← P₁ (x, ω, c₁; r)
(z₁, z₂, c₁)
Goal: construct protocol (P, V) for PK (ω: R₁ (x, ω) ∨ R₂ (x, ω))
c₂ ← c - c₁ mod |C|
Accept if both
V₁ (x, a₁, c₁, z₁) and
V₂ (x, a₂, c₂, z₂) accept
SECURITY PROOF
I will not give a full security proof, but it is easy
Completeness: from completeness of first PK, and
successful simulation of the second one
Special soundness: OR-extractor runs extractors for
both branches. One of them is successful, return this value
SHVZK: since the first PK is SHVZK, and the second
one is already simulated
POK: ELGAMAL PLAINTEXT IS BOOLEAN
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some ρ, μ ∈ {0, 1}}
We depict prover when μ = 0, μ = 1 is dual
(g, h, e₁, e₂), (μ, ρ)
1.
2.
3.
4.
5.
r ← ℤp
(a₁₁, a₁₂) ← (hʳ, gʳ)
c₂ ← ℤp; z₂ ← ℤp
a₂₁ ← g¹ h^(z₂) / e₁^(c₂)
a₂₂ ← g^(z₂) / e₂^(c₂)
(g, h, e₁, e₂)
(a₁₁, a₁₂, a₂₁, a₂₂)
c←C
c₁ ← c - c₂ mod 2ˢ
z₁ ← r + c₁ρ
(c₁, z₁, z₂)
c₂ ← c - c₁ mod |C|
Accept if c₁ ∈ C,
(h^(z₁), g^(z₁)) = (a₁₁e₁^(c₁), a₁₂e₂^(c₁))
(gh^(z₂), g^(z₂)) = (a₂₁e₁^(c₂), a₂₂e₂^(c₂))
SECURITY PROOF
Left for homework
BOOLEAN CIRCUITS
Another computation model
∧
Every node evaluates a Boolean
function on its inputs
⊕
∨
Output of circuit: top value
Complexity class of all Boolean
functions that can be evaluated
by circuits = class of efficient
Boolean functions (P/poly)
∧
∨
x
y
∧
z
MONOTONE BOOLEAN CIRCUITS
∧
Consist of only ∧ and ∨ gates
Can be used to evaluate any monotone
Boolean function f
∧
∨
(f (x) = 1 ∧ y > x) => f (y) = 1
What we saw is already sufficient to evaluate
any monotone relation
∧
∨
∧
And in most protocols it is sufficient:
if S is "valid input set" for a secure
computation protocol then so is any S'
S
x
y
z
QUIZ: RANGE PROOF
Assume protocol is secure for Bob if Alice's input
belongs to range S = {0, 1, ..., H - 1, H}
E.g. e-voting: S = range of valid candidates
Question: how would you construct PK ((μ, ρ): e =
Enc (μ; ρ) ∧ μ ∈ S)?
Hint: you are allowed to encrypt every bit of μ
separately
And assume initially H = 2ⁿ
ANSWER: RANGE PROOF
Construct PK ({(μᵢ, ρᵢ)}: (e₁ = Enc (0; ρ₁) ∨ (e₁ =
Enc (1; ρ₁)) ∧ ... ∧ (en = Enc (0; ρn) ∨ en = Enc (1;
ρn)))
∧
∨
e₁ = Enc (0; ρ₁)
∨
e₁ = Enc (1; ρ₁)
∨
en = Enc (0; ρn)
en = Enc (1; ρn)
STUDY OUTCOMES
Σ-protocols for DL-based languages
Simple examples
Composition rules
"Everything interesting" has Σ-protocol
NEXT LECTURE
How to build "real ZK" on top of Σ-protocols?
Random Oracle Model?
Interactive, four-message ZK
TUTORIAL
Needed for exam
Security proofs for "proof of Elgamal plaintext
and randomizer"
POK: ELGAMAL PLAINTEXT/RANDOMIZER
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)}
(g, h, e₁, e₂), (μ, ρ)
m, r ← ℤp
(a₁, a₂) ← (gᵐhʳ, gʳ)
(a₁, a₂)
(g, h, e₁, e₂)
c←C
z₁ ← m + cμ
z₂ ← r + cρ
(z₁, z₂)
Completeness. From composition, or directly:
g^(z₁) h^(z₂) = gᵐ g^(cμ) hʳ h^(cρ) = a₁e₁^c
g^(z₂) = gʳg^(cρ) = a₂e₂^c
Accept if
(g^(z₁) h^(z₂), g^(z₂))
= (a₁e₁^c, a₂e₂^c)
POK: ELGAMAL PLAINTEXT/RANDOMIZER
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)}
m, r ← ℤp
(g, h, e₁, e₂)
(a₁, a₂) ← (gᵐhʳ, gʳ) (a₁, a₂)
Analysis (direct). Verification eq gives us:
(g^(z₁)h^(z₂), g^(z₂)) = (a₁e₁^c, a₂e₂^c)
(g^(z₁*)h^(z₂*), g^(z₂*)) =c(a₁e₁^(c*),
← C a₂e₂^(c*))
Divide first by second:
(g^(z₁ - z₁*) h^(z₂z₁- z₂*),
← mg^(z₂
+ cμ - z₂*)) = (e₁^(c - c*), e₂^(c - c*))
(g^((z₁ - z₁*) / (c -z₂
c*))
←h^((z₂
r + cρ- z₂*) / (c - c*)), g^((z₂ - z₂*) / (c - c*))) = (e₁, e₂)
Exponents matching mod p
(g, h, e₁, e₂), (μ, ρ)
(z₁, z₂)
Special Soundness.
From composition, or directly:
Extractor K(a₁, a₂, c, z₁, z₂, c*, z₁*, z₂*):
1. ρ ← (z₂ - z₂*) / (c - c*)
// As before
2. μ ← (z₁ - z₁*) / (c - c*)
3. Return (μ, ρ)
Accept if
(g^(z₁) h^(z₂), g^(z₂))
= (a₁e₁^c, a₂e₂^c)
POK: ELGAMAL PLAINTEXT/RANDOMIZER
L = {(g, h, e₁, e₂), s.t. (e₁, e₂) = (g^μ h^ρ, g^ρ) for some (μ, ρ)}
(g, h, e₁, e₂), (μ, ρ)
m, r ← ℤp
(a₁, a₂) ← (gᵐhʳ, gʳ)
(a₁, a₂)
(g, h, e₁, e₂)
c←C
z₁ ← m + cμ
z₂ ← r + cρ
HVSZK (direct):
Simulator S (c):
1. z₁, z₂ ← ℤp
2. a₁ ← g^(z₁) h^(z₂) / e₁^c
3. a₂ ← g^(z₂) / e₂^c
4. Return (a₁, a₂, z₁, z₂)
(z₁, z₂)
Analysis (direct). Trivial.
Verification accepts.
Distribution is the same as in
the real case too.
Accept if
(g^(z₁) h^(z₂), g^(z₂))
= (a₁e₁^c, a₂e₂^c)
Related documents
ENC1102: Argument and Persuasion (LMS)
ENC1102: Argument and Persuasion (LMS)
Download
advertisement