  1. A Machine-Checked Formalization of Σ-Protocols
  Santiago Zanella-Béguelin (1), Gilles Barthe (1), Daniel Hedin (1), Benjamin Grégoire (2), Sylvain Heraud (2)
  (1) IMDEA Software, Madrid, Spain; (2) INRIA Sophia Antipolis - Méditerranée, France
  CSF 2010, 2010.07.18

  2. Zero-Knowledge Proofs: Peggy (the prover) convinces Victor (the verifier)

  5. If you ever need to explain this to your kids: "How to Explain Zero-Knowledge Protocols to Your Children", Jean-Jacques Quisquater and Louis C. Guillou, CRYPTO'89

  6. Properties of Zero-Knowledge Proofs
  Completeness: an honest prover always convinces an honest verifier.
  Soundness: a dishonest prover (almost) never convinces a verifier.
  Zero-Knowledge: a verifier learns nothing from playing the protocol beyond the fact that the statement is true.

  7. Σ-Protocols
  Knowledge relation R: the prover knows x, w such that R(x, w); the verifier knows only x.
  Prover: computes commitment r; sends r
  Verifier: samples challenge c; sends c
  Prover: computes response s; sends s
  Verifier: accepts or rejects the response

  8. Schnorr Protocol
  Primes p, q with q | (p - 1); g an element of order q in $\mathbb{Z}_p^*$ (so $w \in \mathbb{Z}_q$ below is well defined).
  $R = \{(x, w) \mid x = g^w\} \subseteq \mathbb{Z}_p \times \mathbb{Z}_q$
  Prover: $k \stackrel{\$}{\leftarrow} \mathbb{Z}_q$; $r \leftarrow g^k$; sends r
  Verifier: $c \stackrel{\$}{\leftarrow} [0..q-1]$; sends c
  Prover: $s \leftarrow k + c\,w \pmod q$; sends s
  Verifier: accepts iff $g^s = r\,x^c$

  9. Okamoto Protocol
  Primes p, q with q | (p - 1); $g_1, g_2$ elements of order q in $\mathbb{Z}_p^*$.
  $R = \{(x, (w_1, w_2)) \mid x = g_1^{w_1} g_2^{w_2}\} \subseteq \mathbb{Z}_p \times (\mathbb{Z}_q \times \mathbb{Z}_q)$
  Prover: $k_1, k_2 \stackrel{\$}{\leftarrow} \mathbb{Z}_q$; $r \leftarrow g_1^{k_1} g_2^{k_2}$; sends r
  Verifier: $c \stackrel{\$}{\leftarrow} [0..q-1]$; sends c
  Prover: $s \leftarrow (s_1, s_2) = (k_1 + c\,w_1,\ k_2 + c\,w_2) \pmod q$; sends s
  Verifier: accepts iff $g_1^{s_1} g_2^{s_2} = r\,x^c$

  10. Fiat-Shamir Protocol
  RSA modulus N = pq.
  $R = \{(x, w) \mid x = w^2\} \subseteq \mathbb{Z}_N^* \times \mathbb{Z}_N^*$
  Prover: $k \stackrel{\$}{\leftarrow} \mathbb{Z}_N^*$; $r \leftarrow k^2$; sends r
  Verifier: $c \stackrel{\$}{\leftarrow} \{0, 1\}$; sends c
  Prover: $s \leftarrow k \cdot w^c$; sends s
  Verifier: accepts iff $s^2 = r\,x^c$

  11. Guillou-Quisquater Protocol
  RSA modulus N = pq, public exponent e.
  $R = \{(x, w) \mid x = w^e\} \subseteq \mathbb{Z}_N^* \times \mathbb{Z}_N^*$
  Prover: $k \stackrel{\$}{\leftarrow} \mathbb{Z}_N^*$; $r \leftarrow k^e$; sends r
  Verifier: $c \stackrel{\$}{\leftarrow} [0..e-1]$; sends c
  Prover: $s \leftarrow k \cdot w^c$; sends s
  Verifier: accepts iff $s^e = r\,x^c$

  12. CertiCrypt: machine-checked crypto proofs
  Certified framework for building and verifying crypto proofs in the Coq proof assistant.
  Combination of programming-language techniques and cryptography-specific tools.
  Game-based methodology, natural to cryptographers.
  Several case studies:
    Encryption schemes: ElGamal, Hashed ElGamal, OAEP, IBE
    Signature schemes: FDH, BLS
  In this talk: zero-knowledge proofs

  13. Inside CertiCrypt
  Semantics and cost model of probabilistic programs.
  Standard tools to reason about probabilistic programs:
    semantics-preserving program transformations
    observational equivalence
    relational Hoare logic
  Characterization of PPT programs

  14. pWhile: a Probabilistic Programming Language
  I ::= V ← E                  assignment
      | V ←$ DE                random sampling
      | if E then C else C     conditional
      | while E do C           while loop
      | V ← P(E, ..., E)       procedure call
  C ::= skip                   nop
      | I; C                   sequence
  x ←$ d: sample x according to distribution d; typically the uniform distribution on a finite set (e.g. [0..n]).
  Deep embedding: the syntax of programs is formalized as an inductive type, which allows automation through reflection.

  15. Semantics: Measure Monad (courtesy of Christine Paulin)
  Distributions are represented as functions of type $D(A) \stackrel{def}{=} (A \to [0,1]) \to [0,1]$ such that
    1. $f \le g \Rightarrow \mu(f) \le \mu(g)$
    2. $\mu(1 - f) \le 1 - \mu(f)$
    3. $f \le 1 - g \Rightarrow \mu(f + g) = \mu(f) + \mu(g)$
    4. $\mu(k \times f) = k \times \mu(f)$
    5. $\forall f : \mathbb{N} \to (A \to [0,1])$ monotone. $\mu(\sup f) \le \sup(\lambda n.\ \mu(f(n)))$
  All arithmetic is in the unit interval [0, 1].
  $\mathrm{unit} : A \to D(A) \stackrel{def}{=} \lambda x.\ \lambda f.\ f\,x$
  $\mathrm{bind} : D(A) \to (A \to D(B)) \to D(B) \stackrel{def}{=} \lambda \mu.\ \lambda F.\ \lambda f.\ \mu(\lambda x.\ F\,x\,f)$

  16. Semantics
  Programs map an initial memory to a distribution on final memories: $[\![c]\!] : \mathcal{M} \to D(\mathcal{M})$ for $c \in \mathcal{C}$.
  To compute probabilities, just measure the characteristic function of the event: $\Pr[c, m : A] \stackrel{def}{=} [\![c]\!]\,m\,\mathbb{1}_A$
  Let $c = x \stackrel{\$}{\leftarrow} \{0,1\};\ y \stackrel{\$}{\leftarrow} \{0,1\}$. Then
  $[\![c]\!]\,m\,f = \frac{1}{4}\big(f(m\{0,0/x,y\}) + f(m\{0,1/x,y\}) + f(m\{1,0/x,y\}) + f(m\{1,1/x,y\})\big)$
  $\Pr[c, m : x \le y] = [\![c]\!]\,m\,\mathbb{1}_{(x \le y)} = 3/4$
  Instrumented semantics to characterize efficient (PPT) programs: $[\![c]\!] : \mathcal{M} \to D(\mathcal{M} \times \mathbb{N})$

  18. Observational Equivalence
  Formal definition:
  $f =_X g \stackrel{def}{=} \forall m_1\,m_2.\ m_1 =_X m_2 \Rightarrow f\,m_1 = g\,m_2$
  $\models c_1 \simeq^I_O c_2 \stackrel{def}{=} \forall m_1\,m_2\,f\,g.\ m_1 =_I m_2 \wedge f =_O g \Rightarrow [\![c_1]\!]\,m_1\,f = [\![c_2]\!]\,m_2\,g$
  Example: $\models\ x \stackrel{\$}{\leftarrow} \{0,1\}^k;\ y \leftarrow x \oplus z\ \ \simeq^{\{z\}}_{\{x,y,z\}}\ \ y \stackrel{\$}{\leftarrow} \{0,1\}^k;\ x \leftarrow y \oplus z$
  Useful to relate probabilities: if $\models c_1 \simeq^I_O c_2$, $\mathrm{fv}(A) \subseteq O$ and $m_1 =_I m_2$, then $\Pr[c_1, m_1 : A] = \Pr[c_2, m_2 : A]$.
  Only a partial equivalence relation: $\models c \simeq^I_O c$ does not hold in general.
  Generalizes information-flow security (take $I = O = V_{low}$).
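The measure monad of slide 15, the denotation and $\Pr[c, m : A]$ of slide 16, and the observational-equivalence example of slide 18, run as Python rather than Coq. This is an added example, not CertiCrypt's code. Its assumptions: a distribution is a Python callable of type (A → [0,1]) → [0,1] using exact Fractions, a memory is a dict, $\{0,1\}^k$ is modelled as the integers below $2^k$, and the equivalence check compares the full distributions of the O-projected final memories on one chosen pair of I-equal memories, which for a finite program is the same as checking $[\![c_1]\!]\,m_1\,f = [\![c_2]\!]\,m_2\,g$ for all $f =_O g$, but remains a test on those memories, not the universally quantified statement the tactic proves.

```python
"""Measure monad, pWhile denotations and observational equivalence (slides 15, 16, 18)."""
from fractions import Fraction
from itertools import product


# The measure monad: D(A) = (A -> [0,1]) -> [0,1]; a distribution is a Python callable.
def unit(x):
    """unit : A -> D(A),  unit x = fun f -> f x  (the point mass at x)."""
    return lambda f: f(x)


def bind(mu, F):
    """bind : D(A) -> (A -> D(B)) -> D(B),  bind mu F = fun f -> mu (fun x -> F x f)."""
    return lambda f: mu(lambda x: F(x)(f))


def uniform(xs):
    """Uniform distribution on a finite non-empty set: mu(f) is the average of f over it."""
    xs = list(xs)
    return lambda f: sum((f(x) for x in xs), Fraction(0)) / len(xs)


# Denotations of pWhile commands, each of type M -> D(M); a memory in M is a dict.
def assign(v, e):
    """[[v <- e]] m = unit (m{e(m)/v}), with e : M -> value."""
    return lambda m: unit({**m, v: e(m)})


def sample(v, dom):
    """[[v <-$ dom]] m = bind (uniform (dom m)) (fun a -> unit (m{a/v}))."""
    return lambda m: bind(uniform(dom(m)), lambda a: unit({**m, v: a}))


def seq(c1, c2):
    """[[c1; c2]] m = bind ([[c1]] m) [[c2]]."""
    return lambda m: bind(c1(m), c2)


def Pr(c, m, A):
    """Pr[c, m : A] = [[c]] m 1_A, the measure of the characteristic function of A."""
    return c(m)(lambda m2: Fraction(1 if A(m2) else 0))


def pmf(c, m, O, candidates):
    """Distribution of the O-projection of the final memory, as {value: probability}."""
    out = {}
    for v in candidates:
        p = Pr(c, m, lambda m2: tuple(m2[o] for o in O) == v)
        if p:
            out[v] = p
    return out


def obs_equiv(c1, c2, m1, m2, I, O, candidates):
    """|= c1 ~_{I,O} c2 tested on one pair m1 =_I m2: for a finite program, equal
    distributions of the O-projection are the same as equal measures for all f =_O g."""
    if any(m1[v] != m2[v] for v in I):
        raise ValueError("m1 and m2 must agree on I")
    candidates = list(candidates)          # consumed twice, so materialize it
    return pmf(c1, m1, O, candidates) == pmf(c2, m2, O, candidates)


def example_x_le_y():
    """Slide 16:  c = x <-$ {0,1}; y <-$ {0,1}   gives   Pr[c, m : x <= y] = 3/4."""
    c = seq(sample('x', lambda m: (0, 1)), sample('y', lambda m: (0, 1)))
    return Pr(c, {}, lambda m: m['x'] <= m['y'])


def example_one_time_pad(k=3):
    """Slide 18:  x <-$ {0,1}^k; y <- x xor z  ~_{ {z},{x,y,z} }  y <-$ {0,1}^k; x <- y xor z.
    Bit-strings of length k are modelled as integers in [0, 2^k) (assumption)."""
    bits = lambda m: range(2 ** k)
    c1 = seq(sample('x', bits), assign('y', lambda m: m['x'] ^ m['z']))
    c2 = seq(sample('y', bits), assign('x', lambda m: m['y'] ^ m['z']))
    # m1 =_{z} m2: they agree on z but differ in the (overwritten) initial x and y
    m1, m2 = {'x': 0, 'y': 0, 'z': 5}, {'x': 7, 'y': 1, 'z': 5}
    cands = product(range(2 ** k), range(2 ** k), [5])
    return obs_equiv(c1, c2, m1, m2, I=('z',), O=('x', 'y', 'z'), candidates=cands)


def example_not_equiv(k=3):
    """The test can fail: y <- x does not give the same (x, y, z) distribution as y <- x xor z."""
    bits = lambda m: range(2 ** k)
    c1 = seq(sample('x', bits), assign('y', lambda m: m['x'] ^ m['z']))
    c3 = seq(sample('x', bits), assign('y', lambda m: m['x']))
    m = {'x': 0, 'y': 0, 'z': 5}
    cands = product(range(2 ** k), range(2 ** k), [5])
    return obs_equiv(c1, c3, m, m, I=('z',), O=('x', 'y', 'z'), candidates=cands)
```

The five axioms of slide 15 are not enforced by the representation; they hold for every distribution built from `unit`, `bind` and `uniform`, which is the only way this example constructs one. The one-time-pad equivalence is exactly the step used later to argue that a simulator's output is distributed like a real transcript: the sampled value is a fresh uniform mask, so which variable is sampled and which is derived makes no observable difference.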

  20. Proving program equivalence
  Goal: $\models c_1 \simeq^I_O c_2$
  A Relational Hoare Logic generalized to arbitrary relations:
  [Seq]  from $\models c_1 \sim c_2 : \Phi \Rightarrow \Phi'$ and $\models c_1' \sim c_2' : \Phi' \Rightarrow \Phi''$, conclude $\models c_1; c_1' \sim c_2; c_2' : \Phi \Rightarrow \Phi''$
  [Comp] from $\models c_1 \sim c_2 : \Psi \Rightarrow \Phi$ and $\models c_2 \sim c_3 : \Psi' \Rightarrow \Phi'$, conclude $\models c_1 \sim c_3 : \Psi \circ \Psi' \Rightarrow \Phi \circ \Phi'$
  ...

  21. Proving program equivalence
  Goal: $\models c_1 \simeq^I_O c_2$
  Mechanized program transformations. A transformation is a function $T(c_1, c_2, I, O) = (c_1', c_2', I', O')$.
  Soundness theorem: if $T(c_1, c_2, I, O) = (c_1', c_2', I', O')$ and $\models c_1' \simeq^{I'}_{O'} c_2'$, then $\models c_1 \simeq^I_O c_2$.
  Reflection-based Coq tactic (replace reasoning by computation).

  22. Proving program equivalence
  Goal: $\models c_1 \simeq^I_O c_2$
  Mechanized program transformations:
    dead code elimination (deadcode)
    constant folding and propagation (ep)
    procedure call inlining (inline)
    code movement (swap)
    common suffix/prefix elimination (eqobs_hd, eqobs_tl)

  23. Proving program equivalence
  Goal: $\models c \simeq^I_O c$
  An (incomplete) tactic for self-equivalence (eqobs_in). Does $\models c \simeq^I_O c$ hold?
    Analyze dependencies to compute $I'$ such that $\models c \simeq^{I'}_O c$.
    Check that $I' \subseteq I$.
  Think about type systems for information-flow security.

  24. Formalizing Σ-Protocols
  Prover: computes commitment r; sends r. Verifier: samples challenge c; sends c. Prover: computes response s; sends s. Verifier: accepts or rejects the response.
  The protocols we consider are public-coin.

  25. Formalizing Σ-Protocols
  Prover: $(r, state) \leftarrow P_1(x, w)$; sends r
  Verifier: $c \leftarrow V_1(x, r)$; sends c
  Prover: $s \leftarrow P_2(x, w, state, c)$; sends s
  Verifier: $b \leftarrow V_2(x, r, c, s)$
  The protocols we consider are public-coin.

  26. Formalizing Σ-Protocols
  Prover: $(r, state) \leftarrow P_1(x, w)$; sends r
  Verifier: $c \stackrel{\$}{\leftarrow} C$; sends c
  Prover: $s \leftarrow P_2(x, w, state, c)$; sends s
  Verifier: $b \leftarrow V_2(x, r, c, s)$
  The protocols we consider are public-coin: the challenge is sampled uniformly from the challenge set C, so $V_1$ is just that sampling.

  27. Formalizing Σ-Protocols
  A Σ-protocol is given by:
    types for x, w, r, s, state
    a knowledge relation R
    a challenge set C
    procedures $P_1, P_2, V_2$
  The protocol can be seen as a program:
    protocol(x, w) :
      $(r, state) \leftarrow P_1(x, w);$
      $c \stackrel{\$}{\leftarrow} C;$
      $s \leftarrow P_2(x, w, state, c);$
      $b \leftarrow V_2(x, r, c, s)$

  28. Formalizing Σ-Protocols
  Completeness: $\forall x, w.\ R(x, w) \Rightarrow \Pr[\mathrm{protocol}(x, w) : b = \mathrm{true}] = 1$
  Soundness, in its special-soundness form (a knowledge extractor KE recovers a witness from any two accepting transcripts that share the commitment r but differ in the challenge):
  $\exists KE.\ \forall x, r, c_1, c_2, s_1, s_2.\ x \in \mathrm{dom}(R) \wedge c_1 \neq c_2 \wedge (x, r, c_1, s_1)\ \text{accepting} \wedge (x, r, c_2, s_2)\ \text{accepting} \Rightarrow \Pr[w \leftarrow KE(x, r, c_1, c_2, s_1, s_2) : R(x, w)] = 1$

  29. Honest-Verifier ZK vs. Special Honest-Verifier ZK
  protocol(x, w) :
    $(r, state) \leftarrow P_1(x, w);\ c \stackrel{\$}{\leftarrow} C;\ s \leftarrow P_2(x, w, state, c);\ b \leftarrow V_2(x, r, c, s)$
  protocol(x, w, c) (the challenge is fixed in advance):
    $(r, state) \leftarrow P_1(x, w);\ s \leftarrow P_2(x, w, state, c);\ b \leftarrow V_2(x, r, c, s)$
  Special Honest-Verifier ZK: $\exists S.\ \forall x, w, c.\ R(x, w) \Rightarrow\ \models \mathrm{protocol}(x, w, c) \simeq^{\{x, c\}}_{\{r, c, s\}} (r, s) \leftarrow S(x, c)$
  Honest-Verifier ZK: $\exists S.\ \forall x, w.\ R(x, w) \Rightarrow\ \models \mathrm{protocol}(x, w) \simeq^{\{x\}}_{\{r, c, s\}} (r, c, s) \leftarrow S(x)$
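The Σ-protocol interface of slide 27 (R, C, $P_1$, $P_2$, $V_2$) and the three properties of slides 28 and 29, instantiated with Schnorr (slide 8) and Guillou-Quisquater (slide 11) and checked exhaustively. This is an added Python example, not the paper's Coq development. Its assumptions: the randomness of the prover ($k$) and of the simulator ($s$) is passed in as an explicit argument so that every coin can be enumerated, the parameters $p = 23,\ q = 11,\ g = 2$ and $N = 77,\ e = 3$ are constructed for illustration and are far too small to be secure, and the checks are finite sanity tests on those parameters rather than proofs. Two details matter for how the checks are set up: special soundness is tested over all accepting transcripts, not only honestly generated ones, and sHVZK compares the full $(r, s)$ distributions for each fixed challenge.

```python
"""Sigma-protocols as (R, C, P1, P2, V2) with completeness, special soundness (extractor KE)
and special honest-verifier ZK (simulator S) checked by exhaustive enumeration (slides 27-29)."""
from collections import Counter
from math import gcd


def units(n):
    """Z_n^*: residues coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


class Schnorr:
    """Slide 8: R = {(x, w) | x = g^w}, g of order q in Z_p^*, w in Z_q.  Toy parameters."""
    p, q, g = 23, 11, 2                    # q | p-1, g != 1 and g^q = 1 (mod p)
    C = range(q)                           # challenge set [0..q-1]
    K = range(q)                           # prover coins k in Z_q
    R_dom, S_dom = units(p), range(q)      # where r and s range, for exhaustive checks

    def instance(self, w): return pow(self.g, w, self.p)
    def R(self, x, w): return x == pow(self.g, w, self.p)
    def P1(self, x, w, k): return pow(self.g, k, self.p), k          # (r, state)
    def P2(self, x, w, k, c): return (k + c * w) % self.q            # s = k + c w
    def V2(self, x, r, c, s): return pow(self.g, s, self.p) == r * pow(x, c, self.p) % self.p
    def KE(self, x, r, c1, c2, s1, s2):    # g^(s1-s2) = x^(c1-c2), so w = (s1-s2)/(c1-c2) mod q
        return (s1 - s2) * pow(c1 - c2, -1, self.q) % self.q
    def S(self, x, c, s):                  # simulator: choose s, solve r = g^s x^-c
        return pow(self.g, s, self.p) * pow(x, -c, self.p) % self.p, s


class GQ:
    """Slide 11: R = {(x, w) | x = w^e} in Z_N^*, N = pq.  Toy N = 7*11, e = 3."""
    N, e = 77, 3                           # e prime and coprime to phi(N) = 60
    C = range(e)                           # challenge set [0..e-1]
    K = units(N)                           # prover coins k in Z_N^*
    R_dom = S_dom = units(N)

    def instance(self, w): return pow(w, self.e, self.N)
    def R(self, x, w): return gcd(w, self.N) == 1 and x == pow(w, self.e, self.N)
    def P1(self, x, w, k): return pow(k, self.e, self.N), k          # (r, state)
    def P2(self, x, w, k, c): return k * pow(w, c, self.N) % self.N  # s = k w^c
    def V2(self, x, r, c, s): return pow(s, self.e, self.N) == r * pow(x, c, self.N) % self.N
    def KE(self, x, r, c1, c2, s1, s2):
        # (s1/s2)^e = x^d with d = c1-c2, 0 < |d| < e prime: pick a, b with a d + b e = 1,
        # then w = (s1/s2)^a x^b satisfies w^e = x^(a d + b e) = x.
        d = c1 - c2
        a = pow(d, -1, self.e)
        b = (1 - a * d) // self.e
        return pow(s1 * pow(s2, -1, self.N), a, self.N) * pow(x, b, self.N) % self.N
    def S(self, x, c, s):                  # simulator: choose s, solve r = s^e x^-c
        return pow(s, self.e, self.N) * pow(x, -c, self.N) % self.N, s


def completeness(P, w):
    """R(x, w) => Pr[protocol(x, w) : b = true] = 1, checked over every choice of coins (k, c)."""
    x = P.instance(w)
    for k in P.K:
        r, state = P.P1(x, w, k)
        if not all(P.V2(x, r, c, P.P2(x, w, state, c)) for c in P.C):
            return False
    return True


def special_soundness(P, w):
    """Any two accepting transcripts (x, r, c1, s1), (x, r, c2, s2) with c1 != c2 let KE
    compute a witness.  Accepting transcripts are enumerated, not generated by the prover."""
    x = P.instance(w)
    for r in P.R_dom:
        acc = {c: [s for s in P.S_dom if P.V2(x, r, c, s)] for c in P.C}
        for c1 in P.C:
            for c2 in P.C:
                if c1 != c2 and not all(P.R(x, P.KE(x, r, c1, c2, s1, s2))
                                        for s1 in acc[c1] for s2 in acc[c2]):
                    return False
    return True


def special_hvzk(P, w):
    """For every c, protocol(x, w, c) and S(x, c) induce the same distribution on (r, s):
    the prover's k and the simulator's s each range uniformly over a set of the same size."""
    x = P.instance(w)
    for c in P.C:
        real = Counter()
        for k in P.K:
            r, state = P.P1(x, w, k)
            real[(r, P.P2(x, w, state, c))] += 1
        if real != Counter(P.S(x, c, s) for s in P.S_dom):
            return False
    return True
```

Plain honest-verifier ZK follows from the special form exactly as on slide 29: S(x) samples $c$ uniformly from C and returns $(r, c, s)$ with $(r, s) \leftarrow S(x, c)$. Fiat-Shamir (slide 10) is the same template as GQ with $e = 2$ and $C = \{0, 1\}$. The extractor check is the one worth keeping in mind when reading a new Σ-protocol: it must work for every pair of accepting transcripts with equal $r$, which is why the enumeration above ranges over all of $\mathbb{Z}_p^*$ or $\mathbb{Z}_N^*$ for $r$ and over all responses $s$, not over the prover's own outputs.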
