CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 11
Σ-protocols
Helger Lipmaa, University of Tartu, Estonia

UP TO NOW
- Introduction to the field
- Secure computation protocols: can do almost everything in the semihonest model
- Introduction to the malicious model

THIS TIME
- Reminder: zero knowledge and the malicious model
- Σ-protocols: a particular kind of "ZK" protocols
  - motivation
  - security definitions
  - examples

REMINDER: GENERAL PROTOCOL DESIGN
- Design a passively secure protocol, i.e., one that protects privacy as long as the participants follow the protocol
  ... take any protocol we have seen up to now
- Make it secure in the malicious model by adding ZK proofs to all messages
  - of course this needs "some" care: you need to know which ZK proof to add, efficiency, ...

PROOFS VS PROOFS OF KNOWLEDGE
ZK proof:
- Complete: an honest prover convinces an honest verifier
- Sound: a dishonest prover does not convince an honest verifier
- Zero knowledge: a dishonest verifier only gets to know that the honest prover is honest (that the statement is true), nothing more
ZK proof of knowledge (in addition):
- Proof of knowledge (stronger soundness): the honest prover convinces the honest verifier that he knows "why he is honest", i.e., that he knows some secret "witness"

REMINDER: AUTHENTICATION
Prover P holds (pk, sk); Verifier V holds pk.
  P: I am The Doctor
  V: Prove it!
  P: ZK proof of knowledge of sk
- The proof "I can sign your document with the Doctor's secret key" leaks information (new signatures), so it is not really ZK
- A plain ZK proof does not make sense in this application: the statement "some sk for pk exists" is trivially true, so proving it says nothing about the prover
- Proof of knowledge: I know sk (and nothing else is leaked)

MOTIVATION BY EXAMPLES
- We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledge
- We will later see other protocols that are "secure" in the same sense; common name: Σ-protocols
- We then formally define security of such protocols

GRAPH ISOMORPHISM
Two graphs G₁ = (V₁, E₁) and G₂ = (V₂, E₂) are isomorphic if there exists a map φ: V₁ → V₂ such that
1. φ is a bijection
2.
(v₁, v₂) ∈ E₁ iff (φ(v₁), φ(v₂)) ∈ E₂
We then write G₂ = φ(G₁)
- Intuitively: an isomorphism is a consistent renaming of vertices, together with the edges between them
- Best known algorithm for GI [Babai, 2015]: time 2^((log n)^O(1)) (quasipolynomial), thus still a hard problem (not known to be poly-time)
- Like factoring, GI is not known to be in P or to be NP-complete
- Unlike factoring: a better classical algorithm exists, but no efficient quantum algorithm is known

QUIZ: GRAPH ISOMORPHISM
Are the two (drawn) graphs isomorphic? If so, find the isomorphism

ANSWER: GRAPH ISOMORPHISM
Yes! In fact there are two isomorphisms: two nodes are "indistinguishable" (they can be mapped to each other)

REMINDER: ADJACENCY MATRIX
1. Fix a graph G with n vertices
2. Construct the n×n matrix A = (a_ij) such that a_ij = 1 when there is an edge i→j and a_ij = 0 otherwise
- A is the adjacency matrix of G: a compact way of representing G
- Intuitively: isomorphic graphs have adjacency matrices that differ by a consistent row/column permutation
Example from the slide (six vertices; rows and columns indexed by vertices 1..6):
      1  2  3  4  5  6
  1   0  1  1  0  0  0
  2   1  0  1  1  1  0
  3   1  1  0  0  0  1
  4   0  1  0  0  0  1
  5   0  1  0  0  0  1
  6   0  0  1  1  1  0
(Rows 4 and 5 are identical, so swapping vertices 4 and 5 is an automorphism of this graph: it has two isomorphisms to itself.)

QUIZ: Σ-PROTOCOL FOR GI
Can you think of any kind of protocol that convinces the Verifier that the Prover knows an isomorphism between G₁ and G₂, without revealing it? :-)
Hint: let the Prover prove, for a third graph H, that he knows that H is isomorphic to either of the two graphs (each asked for with probability 1/2)

ANSWER: Σ-PROTOCOL FOR GI
- The Prover creates a random isomorphic copy H of G₁
- The Verifier asks the Prover to reveal, for random c ∈ {1, 2}, the isomorphism between H and G_c
- Clearly, an honest Prover always succeeds
- If G₁ and G₂ are not isomorphic, the Prover fails with probability 1/2
- A random isomorphic copy of G with adjacency matrix A: a graph whose adjacency matrix is obtained from A by applying one random permutation to both the rows and the columns

Σ-PROTOCOL FOR GI
Common input: pk = (G₁, G₂). Prover's secret: sk = φ with G₂ = φ(G₁)
Prover:
  1. Generate a random isomorphism ψ
  2. H ← ψ(G₁); send H to the Verifier
Verifier:
  1. c ← {1, 2}; send c to the Prover
Prover:
  1. If c = 1 then σ ← ψ
  2.
     else σ ← ψ · φ⁻¹ (the map G₂ → G₁ → H); send σ to the Verifier
Verifier:
  1. If H = σ(G_c) then accept
  2. else reject
(Picture: G₁ --ψ--> H, G₁ --φ--> G₂, G₂ --ψ·φ⁻¹--> H.)

Σ-PROTOCOL FOR GI: COMPLETENESS
(Protocol as above.) Completeness: if G₂ = φ(G₁) then H = ψ(G₁) = ψ(φ⁻¹(G₂)) = (ψ·φ⁻¹)(G₂), so H = σ(G_c) for both values of c. Thus the honest Verifier always accepts the honest Prover

Σ-PROTOCOL FOR GI: SOUNDNESS
Soundness (imprecise): if G₁ and G₂ are not isomorphic, then H cannot be isomorphic to both. Then with probability 1/2 (when c corresponds to the G_c that H is not isomorphic with) the Verifier rejects, whatever σ the Prover sends

Σ-PROTOCOL FOR GI: POK
Proof of knowledge (imprecise): assume that the Prover can make the Verifier accept with probability 1. Then the Prover can create H together with an isomorphism between G₁ and H and an isomorphism between G₂ and H. Thus G₁ and G₂ are isomorphic, and the Prover "knows" the isomorphism (made precise below)

Σ-PROTOCOL FOR GI: ZK
ZK (imprecise): the Verifier only sees a random isomorphic copy of G₁, and an isomorphism from this copy to G_c. Intuitively no information is leaked

KNOWLEDGE ERROR
- Honest Prover accepted with probability 1
- Dishonest Prover accepted with non-zero probability κ = 1/2
Def (informal).
Knowledge error = κ
- Every Σ-protocol has non-zero knowledge error: the Prover can just guess the Verifier's challenge and prepare the first message accordingly (in the GI protocol: guess c, pick a random σ and send H ← σ(G_c); this succeeds iff the guess was right, i.e., with probability 1/2)

A BIT OF TERMINOLOGY
- All such proofs are of the type: does input x belong to language L?
- The Prover knows a witness w
- Proving x ∈ L can be done efficiently, given w
- Proof of knowledge: the Prover proves that he knows w
- GI: L = {(G₁, G₂) : ∃φ such that G₂ = φ(G₁)}, x = (G₁, G₂), w = φ

Σ-PROTOCOLS: SYNTAX
Prover (input x, witness w) and Verifier (input x) exchange three messages:
  1st message (Prover → Verifier): commitment a
  2nd message (Verifier → Prover): challenge c
  3rd message (Prover → Verifier): response z
Requirement: c is chosen randomly from some challenge set C. (It does not depend on a!)
Terminology: public-coin protocol

Σ-PROTOCOLS: FORMAL DEFINITION
Definition. A protocol (P, V) is a Σ-protocol if
1. it is a three-message public-coin protocol: it has three messages, with the prover starting, and the second message is completely random and independent of the first message;
2. security: it is complete, specially sound, and special honest-verifier zero knowledge.

Σ-PROTOCOLS: SECURITY
(Messages a, c, z as above.)
1. Completeness
2. Special soundness
3. Special honest-verifier zero knowledge (SHVZK)

Completeness: if the Prover is honest then the honest Verifier always accepts. The GI protocol has it.

Special soundness (with knowledge error κ): if the Prover is dishonest then the honest Verifier accepts with probability not much larger than κ.
The GI protocol has it (intuitively)

SPECIAL SOUNDNESS: MORE
- Our proof of special soundness for GI relied on the following (informal) fact: if a (possibly malicious) P* makes the honest V always accept, then P* knows isomorphisms both between H and G₁ and between H and G₂
- We will next make this intuition more formal

SEMIFORMALLY: SPECIAL SOUNDNESS
- Assume a dishonest prover P* can make the honest verifier V accept with some probability ε > κ
  - this guarantees that κ is really the "limit"
- Then V can "extract" the witness (here, φ) from P* in time related to ε − κ (roughly 1/(ε − κ) runs of P*, see the analysis below)
  => we have a proof of knowledge
- However, V is a pre-defined algorithm: it only accepts or rejects. We need to define a new algorithm, an extractor K, that communicates with P* and extracts φ from P*
- As in reductions, K can only communicate with P*. K knows nothing about P* apart from what P* outputs

FORMALLY: SPECIAL SOUNDNESS
Definition. A Σ-protocol (P, V) is specially sound if there exists a probabilistic expected poly-time extractor algorithm K such that, if a prover P* (possibly malicious) can make V accept with probability ε > κ, then K can, after playing the role of V in possibly many instances of the protocol with P*, output the value of the witness.
- K must have some "superpower": otherwise V could do the same and extract the witness. Here the superpower is rewinding

REMINDER: SPECIAL SOUNDNESS
(GI protocol as above; input (G₁, G₂), witness φ.) Intuition: assume P* makes V accept with probability 1. Then H is isomorphic both to G₁ and to G₂

SPECIAL SOUNDNESS: REWINDING
Formally, K plays V in the protocol. K does the following:
  1. Execute the protocol once with c = 1.
     Store (H, c, σ).
  2. Create a breakpoint for the prover directly after it sends H.
  3. Rewind P* to the breakpoint (the state P* was in directly after sending H). Challenge with c* = 2 ≠ c, get P*'s answer σ*, and store (H, c*, σ*).

REWINDING: ANALYSIS
- Since P* makes V accept with probability 1, both (H, c, σ) and (H, c*, σ*) are accepting views
- Since H is the same and both views accept, H = σ(G₁) = σ*(G₂)
- But then φ = (σ*)⁻¹ · σ is an isomorphism between G₁ and G₂: φ(G₁) = (σ*)⁻¹(σ(G₁)) = (σ*)⁻¹(H) = G₂

GENERAL K
- Assume P* makes V accept with probability ε > κ
- The probability ε is both over the randomness ω of P* and over the challenge c of V
- Construct a Boolean matrix A: P*(x, ω) generates a, P*(x, ω, c) generates z, and A[ω, c] = 1 iff V accepts (a, c, z), i.e., iff V accepts given that P* has random string ω and the verifier has random string c
- A fraction ε of the entries of A are 1
- If ε > κ := 1/|C| then some row of A contains at least two 1s: a row with at most one 1 has at most a fraction 1/|C| = κ of 1s, so if every row had at most one 1 we would get ε ≤ κ (pigeonhole; the converse does not hold)

GENERAL K
If P* makes V accept with probability ε > κ, K does:
  1. Generate random (ω, c) until V accepts the resulting view (a, c, z)  [1/ε expected steps]
  2. Generate random c* (but use the same ω, i.e., rewind P* to after a) until V accepts the resulting view (a, c*, z*)  [1/ε expected steps]
  3. If c = c* then goto 1 (this happens with some probability; let p be the probability that step 3 does not loop)
  4.
Now K has (a, c, z) and (a, c*, z*) with c ≠ c*, and can retrieve the witness as before
- T_probes := the number of probed matrix entries before this happens; 2/(pε) expected steps in total

GENERAL K: ANALYSIS
- One has to analyze the expected number of steps T_probes that guarantees that K will obtain such views with high probability
- Expected: with small probability, the number of steps can be very large
- We omit the precise analysis. Answer: T_probes = 2/(ε − κ) expected runs

SPECIAL SOUNDNESS: SIMPLIFIED
- Due to what we saw on the last slides, we can somewhat simplify the special soundness definition
- We know the relation between ε − κ and the running time of the extractor
- So we can just assume that if we have already found two accepting views (a, c, z), (a, c*, z*) with c ≠ c*, then K can efficiently retrieve the witness
- We can then use what we know (the rewinding procedure above) to construct the full extractor

SPECIAL SOUNDNESS: SIMPLIFIED
Definition (simplified). A Σ-protocol (P, V) is specially sound if there exists a (deterministic) poly-time extractor algorithm K that, given two accepting views (a, c, z) and (a, c*, z*) with c ≠ c*, efficiently computes the value of the witness.

GI: PROOF OF SPECIAL SOUNDNESS
(GI protocol as above; input (G₁, G₂), witness φ.)
Construction of the extractor: given accepting views (H, c, σ) and (H, c*, σ*) with c ≠ c*, say c = 1 and c* = 2, K outputs φ ← (σ*)⁻¹ · σ
Analysis:
1. Since H is the same and both views accept, H = σ(G₁) = σ*(G₂)
2. Thus φ is an isomorphism between G₁ and G₂: φ(G₁) = (σ*)⁻¹(H) = G₂

IDEA OF SHVZK
(GI protocol as above.) ZK (idea, imprecise): the Verifier only sees a random isomorphic copy H of G₁ and an isomorphism σ from G_c to this copy, and then checks:
1. If H = σ(G_c) then accept
2. else reject
Intuitively no information is leaked
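The "GENERAL K" slides above, as an added example that is not part of the lecture: the rewinding extractor is run against a prover abstracted as the Boolean matrix A[ω, c] from those slides, so one probed entry is one (possibly rewound) protocol run. The two matrices, the probe budget and the helper names are constructed here for illustration; the extractor itself follows steps 1 to 4 of the slide.

```python
"""Added example, not from the lecture: the 'GENERAL K' rewinding
extractor in the Boolean-matrix model of the slides.

A (possibly cheating) prover P* is abstracted as a 0/1 matrix with
A[omega][c] = 1 iff the honest verifier accepts the view that P* produces
from random string omega and challenge c.  One probe of a matrix entry is
one (possibly rewound) run of the protocol.  The matrices below are
constructed for illustration; the extractor follows steps 1-4 of the slide."""
import random
from fractions import Fraction


def success_probability(A):
    """epsilon: fraction of (omega, c) pairs that the verifier accepts."""
    return Fraction(sum(map(sum, A)), len(A) * len(A[0]))


def knowledge_error(A):
    """kappa = 1/|C|: a prover that merely guesses c fills one entry per row."""
    return Fraction(1, len(A[0]))


def has_row_with_two_ones(A):
    """Pigeonhole: epsilon > kappa forces such a row (the converse fails)."""
    return any(sum(row) >= 2 for row in A)


def rewinding_extractor(A, seed=None, max_probes=10_000):
    """Steps 1-4 of the slide.  Returns (omega, c, c_star, probes) with
    A[omega][c] = A[omega][c_star] = 1 and c != c_star, or None when the
    probe budget runs out (which only happens if no row has two 1s)."""
    rng = random.Random(seed)
    rows, cols = len(A), len(A[0])
    probes = 0
    while probes < max_probes:
        # Step 1: fresh (omega, c) until the view accepts.
        omega, c = rng.randrange(rows), rng.randrange(cols)
        probes += 1
        if not A[omega][c]:
            continue
        # Step 2: rewind to the same omega (same first message a), fresh c*.
        while probes < max_probes:
            c_star = rng.randrange(cols)
            probes += 1
            if A[omega][c_star]:
                break
        else:
            return None
        # Step 3: the same challenge twice yields nothing; start over.
        if c == c_star:
            continue
        # Step 4: two accepting views with the same a and c != c*.
        return omega, c, c_star, probes
    return None


def average_probes(A, trials, seed=1):
    """Empirical estimate of the slide's T_probes (expected number of probes)."""
    total = 0
    for i in range(trials):
        result = rewinding_extractor(A, seed=seed + i)
        if result is None:
            return None
        total += result[3]
    return total / trials


# Challenge set C = {1, 2}, so kappa = 1/2; four possible random strings omega.
A_GOOD = [[1, 1],       # this omega answers both challenges
          [1, 0],
          [0, 1],
          [1, 0]]       # epsilon = 5/8 > kappa: extractable
A_GUESSER = [[1, 0],    # a prover that only guesses c: one 1 per row
             [0, 1],
             [1, 0],
             [0, 1]]    # epsilon = 1/2 = kappa: nothing to extract
```

`rewinding_extractor(A_GOOD)` returns a pair of accepting entries in row 0 with different challenges, while on `A_GUESSER` every row has a single 1, so step 3 loops until the budget is exhausted and the extractor returns None: exactly the prover that guesses the challenge, against which no extraction is possible.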
IDEA OF SHVZK
ZK (idea, semiprecise): for any given c, the Verifier can himself create a random isomorphism σ and set H ← σ(G_c). Clearly, (H, c, σ) is accepting. Moreover, it has the same distribution as the real view: in both cases (H, c, σ) are random variables with only one restriction (they satisfy the verification equation). In the real protocol σ is a uniformly random isomorphism (ψ or ψ·φ⁻¹, both uniform because ψ is) and H = σ(G_c); in the simulation σ is uniformly random and H = σ(G_c) by construction.
- This means V can create an accepting view himself, without knowing the witness => he gains no new information by seeing an accepting view
- Since V is a well-defined algorithm, we again define a new algorithm, a simulator, that efficiently simulates the Verifier's view

FORMALLY: SHVZK
Definition. A Σ-protocol (P, V) is SHVZK if there exists a probabilistic poly-time simulator algorithm S that can, for any c, generate first a random z and then a suitable a, such that
1. (a, c, z) is accepting, and
2. if c is random then (a, c, z) has the same distribution as the real protocol view.
- S must have a "superpower": otherwise a dishonest prover could also simulate the view. Here the superpower is out-of-order execution (S chooses z before a, while a real prover must fix a before seeing c)

SHVZK: COMMENTS
- SHVZK is both weaker and stronger than "zero-knowledge"
- Weaker: it is honest-verifier. It only guarantees ZK against a verifier that chooses c randomly and independently of a
- Stronger: it is special. It allows the view to be simulated by a very strict, well-defined algorithm (pick z for the given c, then compute a)
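The GI Σ-protocol of this lecture, as an added example that is not part of the lecture: one block implements the protocol itself, the challenge-guessing prover behind the knowledge error κ = 1/2, the simplified special-soundness extractor (two accepting views with the same H and c ≠ c*), the SHVZK simulator that picks σ before H, and the parallel repetition discussed on the amplification slide. G₁ is the six-vertex graph of the adjacency-matrix slide renumbered to vertices 0..5; the secret isomorphism PHI, the seeds and all function names are constructed here.

```python
"""Added example, not from the lecture: the GI Sigma-protocol of the slides
implemented end to end, together with the simplified special-soundness
extractor (two accepting views with the same H and c != c*), the SHVZK
simulator (pick sigma first, then H), the challenge-guessing prover that
realises the knowledge error kappa = 1/2, and parallel repetition.

A graph is (n, edges) with edges a frozenset of 2-element frozensets over
vertices 0..n-1; an isomorphism is a tuple perm with perm[v] = phi(v).
G1 is the six-vertex graph of the adjacency-matrix slide renumbered to
0..5; PHI and all randomness are constructed here."""
import random


def apply(perm, G):
    """phi(G): rename every vertex v of G to perm[v]."""
    n, E = G
    return (n, frozenset(frozenset(perm[v] for v in e) for e in E))


def compose(outer, inner):
    """(outer . inner)(v) = outer(inner(v)): inner is applied first."""
    return tuple(outer[inner[v]] for v in range(len(inner)))


def inverse(perm):
    inv = [0] * len(perm)
    for v, w in enumerate(perm):
        inv[w] = v
    return tuple(inv)


def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)


# Protocol: common input (G1, G2); the prover's witness is phi with G2 = phi(G1).
def prover_commit(G1, rng):
    psi = random_perm(G1[0], rng)
    return apply(psi, G1), psi          # first message H = psi(G1); state psi


def prover_respond(psi, phi, c):
    # c = 1: sigma = psi maps G1 to H;  c = 2: sigma = psi . phi^-1 maps G2 to H
    return psi if c == 1 else compose(psi, inverse(phi))


def verify(G1, G2, H, c, sigma):
    return apply(sigma, G1 if c == 1 else G2) == H


def honest_run(G1, G2, phi, rng):
    H, psi = prover_commit(G1, rng)
    c = rng.choice((1, 2))              # public coin, independent of H
    return verify(G1, G2, H, c, prover_respond(psi, phi, c))


def guessing_run(G1, G2, rng):
    """Prover without witness: guess c, pick sigma, send H = sigma(G_guess).
    The verifier accepts iff the guess was right, i.e. with probability 1/2."""
    guess, sigma = rng.choice((1, 2)), random_perm(G1[0], rng)
    H = apply(sigma, G1 if guess == 1 else G2)
    return verify(G1, G2, H, rng.choice((1, 2)), sigma)


def extract(c, sigma, c_star, sigma_star):
    """Simplified special soundness: from accepting (H, c, sigma) and
    (H, c*, sigma*) with c != c*, H = s1(G1) = s2(G2) where s1 answered
    c = 1, hence phi = s2^-1 . s1 satisfies phi(G1) = G2."""
    assert c != c_star
    s1, s2 = (sigma, sigma_star) if c == 1 else (sigma_star, sigma)
    return compose(inverse(s2), s1)


def simulate(G1, G2, c, rng):
    """SHVZK simulator: choose the response sigma first, then H = sigma(G_c);
    no witness is needed and the view is distributed exactly like a real one."""
    sigma = random_perm(G1[0], rng)
    return apply(sigma, G1 if c == 1 else G2), c, sigma


def repeated(run, s):
    """Parallel repetition: accept only if all s runs accept (error 2^-s)."""
    return all(run() for _ in range(s))


def acceptance_rate(run, trials):
    return sum(run() for _ in range(trials)) / trials


# Adjacency-matrix slide, vertices 1..6 renumbered to 0..5 (constructed input).
G1 = (6, frozenset(frozenset(e) for e in
                   [(0, 1), (0, 2), (1, 2), (1, 3), (1, 4), (2, 5), (3, 5), (4, 5)]))
PHI = (4, 0, 3, 5, 1, 2)                # constructed secret isomorphism
G2 = apply(PHI, G1)


def demo(seed=2015, s=20):
    rng = random.Random(seed)
    honest = acceptance_rate(lambda: honest_run(G1, G2, PHI, rng), 500)
    cheat = acceptance_rate(lambda: guessing_run(G1, G2, rng), 2000)
    _, psi = prover_commit(G1, rng)     # one first message, rewound for c = 1 and c = 2
    phi = extract(1, prover_respond(psi, PHI, 1), 2, prover_respond(psi, PHI, 2))
    sim_ok = all(verify(G1, G2, *simulate(G1, G2, c, rng)) for c in (1, 2))
    amplified = repeated(lambda: guessing_run(G1, G2, rng), s)
    return honest, cheat, phi == PHI, sim_ok, amplified
```

`demo()` returns the honest acceptance rate (1.0), the guessing prover's rate (about 0.5), whether the extractor recovered PHI from two rewound views (True), whether the simulated views verify (True), and whether the guessing prover survives 20 parallel repetitions (False, with probability 2⁻²⁰ of the opposite). Note that `simulate` never touches PHI: the only thing the real prover's response has over the simulated one is that it was produced after H was fixed.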
- We will make use of both "specials" (soundness, ZK) in the following lectures to construct interesting protocols

SECURITY AMPLIFICATION
- In practice κ = 1/2 is way too big
- Simple solution: run the same protocol in parallel s times
- If P is honest: the honest V always accepts. Completeness and ZK clearly carry over
- If P is dishonest: the probability that V accepts in all runs is κˢ = 2⁻ˢ
- A universal remedy, however it makes the protocol s times slower. It is better to start with a smaller κ (a larger challenge set) before amplification

WHY Σ-PROTOCOLS?
- The security definitions correspond to the intuition behind a very natural protocol
- Can be constructed efficiently for many problems
- Halfway there: soundness against a malicious prover, zero knowledge against an honest verifier
- By adding a few extra steps one gets a four-message ZK protocol out of any Σ-protocol, in a black-box way: the construction does not depend much on the concrete Σ-protocol
- Since we know how to construct Σ-protocols for NP-complete problems (see Hamiltonian path in the last slides), this means we can construct four-message ZK protocols for any language in NP

STUDY OUTCOMES
- Reminder: ZK
- Example: a very natural protocol with "intuitive" security
- Σ-protocols: definition
- Motivations behind the definition, for example: why special soundness? (from the natural protocol)

NEXT LECTURE
- Σ-protocols based on DL, for example: knowledge of a DL (knowledge of an Elgamal sk)
- Various results about Elgamal plaintexts, for example: a Σ-protocol that an Elgamal plaintext is in {0, 1}

TUTORIAL
The following material is presented in the tutorial. It may be required for the exam!

HAMILTONIAN PATH
- A Hamiltonian path in a graph G is a path that visits every vertex exactly once
- Hamiltonian cycle: an HP that is a cycle
- HP problem: does a Hamiltonian path exist in this graph? Known to be NP-complete

QUIZ: HAMILTONIAN PATH
Question: does an HC or at least an HP exist in this (drawn) graph? If not, how many edges would you need to add to get an HP/HC?
ANSWER: HAMILTONIAN PATH
Question: does an HC or at least an HP exist in this graph? If not, how many edges would you need to add to get an HP/HC?
Answer: the previous graph has an HP but no HC. It suffices to add one edge to get an HC

QUIZ: Σ-PROTOCOL FOR HP
Assume the Prover knows a Hamiltonian path in G. Question: how can the Prover convince the Verifier of this?
Hint: use the fact that we can handle GI

ANSWER: Σ-PROTOCOL FOR HP
- The Prover creates a random isomorphic copy H of G, and sends the Verifier its encrypted edges (actually "committed", see lecture 13)
- The Verifier selects a random c
- If c = 1: P reveals H (by opening all entries) and the isomorphism
- If c = 2: the Prover opens the encrypted edges of H that correspond to the HP. The Verifier checks that this opening is correct
- An honest Prover always succeeds
- If G has no Hamiltonian path, the Prover fails with probability 1/2
Opening check: Check_pk(d, a, r): if Enc_pk(a, r) = d return 1, else return 0

Σ-PROTOCOL FOR HP
Input: G (with n vertices). Witness: HP
Prover:
  1. Generate a random isomorphism φ
  2. H ← φ(G); let h be the adjacency matrix of H
  3. Choose a random public key pk
  4. For all i, j: r_ij ← new randomness; d_ij ← Enc_pk(h_ij; r_ij)
  Send a = (pk, {d_ij for all i, j})
Verifier:
  c ← {1, 2}; send c
Prover:
  1. If c = 1 then z ← (φ, {r_ij for all i, j})
  2. else z ← {(i, j, r_ij) : i→j is an edge of the HP in H}
  Send z
Verifier:
  1. If c = 1:
     for all i, j: if Check_pk(d_ij, 1, r_ij) = 1 then h_ij ← 1; else if Check_pk(d_ij, 0, r_ij) = 1 then h_ij ← 0; else reject
     if H = φ(G) (for H with adjacency matrix h and φ from z) then accept, else reject
  2. else if c = 2:
     check that the pairs (i, j) in z form a valid HP on all n vertices
     for all (i, j, r_ij) in z: if Check_pk(d_ij, 1, r_ij) = 0 then reject
     accept

TASK
Prove the security of this protocol!
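The tutorial's Σ-protocol for Hamiltonian path, as an added example that is not part of the lecture. The slides commit to the adjacency matrix of H with an encryption scheme (Enc_pk(h_ij; r_ij) and Check_pk, lecture 13); this example assumes instead a hash-based commitment Commit(b, r) = SHA-256(r || b) behind the same Check interface, which is the only substitution. The five-vertex graph, its Hamiltonian path, the challenge-guessing prover that shows why the knowledge error is 1/2, and the extractor for the TASK above are all constructed here.

```python
"""Added example, not from the lecture: the tutorial's Sigma-protocol for
Hamiltonian path.  Commit(b, r) = SHA-256(r || b) is an assumed stand-in for
the slides' Enc_pk(b; r) / Check_pk; graph, path and prover names are
constructed here."""
import hashlib
import os
import random

def commit(bit, r):               # assumed commitment, stands in for Enc_pk(bit; r)
    return hashlib.sha256(r + bytes([bit])).digest()

def check(d, bit, r):             # the slides' Check_pk(d, a, r)
    return r is not None and d == commit(bit, r)

def key(u, v):                    # undirected graph: one matrix entry per unordered pair
    return (u, v) if u < v else (v, u)

def apply(perm, edges):
    return {key(perm[u], perm[v]) for u, v in edges}

def commit_graph(n, H):
    """Commit to every entry h_ij (i < j) of the adjacency matrix of H."""
    rand = {key(i, j): os.urandom(16) for i in range(n) for j in range(i + 1, n)}
    return {k: commit(int(k in H), r) for k, r in rand.items()}, rand

def prover_first(n, edges, rng):
    phi = list(range(n))
    rng.shuffle(phi)              # random isomorphism phi, H = phi(G)
    coms, rand = commit_graph(n, apply(phi, edges))
    return coms, (phi, rand)      # a = all commitments; prover keeps (phi, rand)

def prover_respond(state, path, c):
    phi, rand = state
    if c == 1:                    # open everything and reveal phi
        return phi, rand
    # open only the entries of H along phi(path), keeping the path's orientation
    return [(phi[u], phi[v], rand[key(phi[u], phi[v])]) for u, v in zip(path, path[1:])]

def is_vertex_sequence(seq, n):   # every vertex 0..n-1 exactly once
    return sorted(seq) == list(range(n))

def verify(n, edges, coms, c, z):
    if c == 1:
        phi, rand = z
        if not is_vertex_sequence(phi, n):
            return False
        H = set()
        for k, d in coms.items():                  # recover h_ij from the openings
            if check(d, 1, rand.get(k)):
                H.add(k)
            elif not check(d, 0, rand.get(k)):
                return False
        return H == apply(phi, edges)              # H must really be phi(G)
    seq = [z[0][0]] + [v for _, v, _ in z] if z else []
    if not is_vertex_sequence(seq, n) or any(a[1] != b[0] for a, b in zip(z, z[1:])):
        return False                               # opened entries must chain into an HP
    return all(check(coms[key(u, v)], 1, r) for u, v, r in z)

def honest_run(n, edges, path, rng):
    coms, state = prover_first(n, edges, rng)
    c = rng.choice((1, 2))
    return verify(n, edges, coms, c, prover_respond(state, path, c))

def guessing_run(n, edges, rng):
    """No witness.  Guess 1: honest phi(G), answers only c = 1.  Guess 2: commit
    to a bare path on a random vertex order, answers only c = 2."""
    guess, c = rng.choice((1, 2)), rng.choice((1, 2))
    if guess == 1:
        coms, state = prover_first(n, edges, rng)
        return verify(n, edges, coms, c, prover_respond(state, None, 1) if c == 1 else [])
    order = list(range(n))
    rng.shuffle(order)
    coms, rand = commit_graph(n, {key(u, v) for u, v in zip(order, order[1:])})
    z = (order, rand) if c == 1 else [(u, v, rand[key(u, v)]) for u, v in zip(order, order[1:])]
    return verify(n, edges, coms, c, z)

def extract(n, z1, z2):
    """Special soundness: accepting views (a, 1, z1) and (a, 2, z2) on the same
    commitments give phi and an HP in H; phi^-1 of it is an HP in G (by binding)."""
    phi, _ = z1
    inv = {phi[v]: v for v in range(n)}
    return [inv[u] for u, _, _ in z2] + [inv[z2[-1][1]]]

# Constructed instance: 5 vertices, HP 0-1-2-3-4 plus two extra edges.
N, EDGES, PATH = 5, [(0, 1), (1, 2), (2, 3), (3, 4), (0, 3), (1, 4)], [0, 1, 2, 3, 4]

def demo(seed=2015, trials=1000):
    rng = random.Random(seed)
    honest = all(honest_run(N, EDGES, PATH, rng) for _ in range(trials))
    cheat = sum(guessing_run(N, EDGES, rng) for _ in range(trials)) / trials
    coms, state = prover_first(N, EDGES, rng)          # one first message, rewound twice
    z1, z2 = prover_respond(state, PATH, 1), prover_respond(state, PATH, 2)
    both = verify(N, EDGES, coms, 1, z1) and verify(N, EDGES, coms, 2, z2)
    return honest, cheat, both, extract(N, z1, z2)
```

`demo()` returns (True, about 0.5, True, [0, 1, 2, 3, 4]). The guessing prover is the soundness argument in miniature: a commitment prepared for c = 1 is a genuine copy of G and cannot be opened as a path unless G has one, while a commitment prepared for c = 2 is a bare path and cannot be opened as φ(G); only a prover who can answer both challenges on the same commitments yields, via `extract`, a Hamiltonian path in G, and that step is exactly where the binding property of the commitment is used.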