Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting
Sébastien Canard (1), David Pointcheval (2) and Olivier Sanders (1, 2)
(1) Orange Labs, Caen, France
(2) École Normale Supérieure, Paris, France
PKC 2014, March 26, 2014
Agenda
- Zero-Knowledge Proofs of Knowledge
- Delegation of Proofs of Knowledge
- Conclusion
PKC 2014 – p 2
Zero-Knowledge Proofs of Knowledge
Zero-Knowledge Proofs of Knowledge
- Zero-Knowledge Proofs of Knowledge enable a prover P to convince a verifier V that:
  - a statement is true.
  - he knows a witness for this fact.
- They must fulfil the following properties:
  - Completeness.
  - Zero-Knowledge: nothing but the validity of the statement is revealed.
  - Soundness: P knows a witness.
Schnorr protocol
- Example: the Schnorr protocol for proving knowledge of $\alpha$ such that $V = [\alpha]A$ in a group $\mathbb{G}$ of prime order $p$.

  P: $k \xleftarrow{\$} \mathbb{Z}_p$, $R \leftarrow [k]A$, and sends $R$ to V.
  V: $c \xleftarrow{\$} \{0,1\}^{\ell}$, and sends $c$ to P.
  P: $s \leftarrow k + c \cdot \alpha$, and sends $s$ to V.
  V checks: $[s]A \stackrel{?}{=} R + [c]V$.
Applications
- These proofs have played a significant role in cryptography:
  - Group Signature
  - E-cash
  - Direct Anonymous Attestation
  - Voting
  - ...
- Indeed, these primitives require proving that some public elements are well-formed.
Discrete-Log Relation Sets
- Such complex primitives usually deal with a Discrete-Log Relations Set (DLRS, as defined by Kiayias, Tsiounis and Yung):

  Relations                                                  Commitments
  $V_1 = [\alpha_1]A_{1,1}$                                  $\longrightarrow$  $R_1 \leftarrow [k_1]A_{1,1}$
  $\wedge\ V_2 = [\alpha_1]A_{2,1}$                          $\longrightarrow$  $R_2 \leftarrow [k_1]A_{2,1}$
  $\wedge\ V_3 = [\alpha_1]A_{3,1} + [\alpha_2]A_{3,2}$      $\longrightarrow$  $R_3 \leftarrow [k_1]A_{3,1} + [k_2]A_{3,2}$
  $\wedge\ \ldots$                                           $\longrightarrow$  $\ldots$
  $\wedge\ V_r = \sum_{j \in \mathcal{I}_r} [\alpha_j]A_{j,r}$   $\longrightarrow$  $R_r \leftarrow \sum_{j \in \mathcal{I}_r} [k_j]A_{j,r}$

- The number of commitments grows with the number of relations.
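As an added example (not part of the slides), the DLRS protocol above run end to end in Python: one nonce per secret, one commitment per relation, with the slide's three relations over a constructed toy group of prime order 509 (a real deployment would use an elliptic-curve group of cryptographic size; the bases $A_{j,r}$, the secrets and the group parameters are all constructed here).

```python
# Added example, not from the paper: sigma protocol for a Discrete-Log
# Relation Set, one nonce k_j per secret alpha_j, one commitment R_r per
# relation.  Toy group (constructed): order-p subgroup of Z_q^*, q = 2p+1.
import secrets

Q, P, G = 1019, 509, 4    # toy safe prime, subgroup order, generator (4 = 2^2)

def mul(k, A): return pow(A, k % P, Q)   # [k]A in additive notation -> A^k mod q
def add(A, B): return (A * B) % Q        # A + B in additive notation -> A*B mod q
def msum(ks, As):                        # sum_j [k_j] A_j
    acc = 1
    for k, A in zip(ks, As): acc = add(acc, mul(k, A))
    return acc

def build_dlrs(alphas, index_sets):
    """Constructed instance: relation r has random bases A_{j,r}, j in I_r,
    and V_r = sum_{j in I_r} [alpha_j] A_{j,r}.  Returns [(V_r, {j: A_{j,r}})]."""
    relations = []
    for I in index_sets:
        bases = {j: mul(1 + secrets.randbelow(P - 1), G) for j in sorted(I)}
        relations.append((msum([alphas[j] for j in bases], bases.values()), bases))
    return relations

def commit(relations, m):
    """Prover step 1: k_j <-$ Z_p per secret, R_r = sum_{j in I_r} [k_j] A_{j,r}.
    The same k_j is reused in every relation that involves alpha_j."""
    ks = [secrets.randbelow(P) for _ in range(m)]
    return ks, [msum([ks[j] for j in bases], bases.values()) for _, bases in relations]

def respond(alphas, ks, c):
    """Prover step 2: s_j = k_j + c * alpha_j mod p, one response per secret."""
    return [(k + c * a) % P for k, a in zip(ks, alphas)]

def verify(relations, Rs, c, ss):
    """Verifier: for every relation r, sum_{j in I_r} [s_j] A_{j,r} == R_r + [c] V_r."""
    return all(msum([ss[j] for j in bases], bases.values()) == add(R, mul(c, V))
               for (V, bases), R in zip(relations, Rs))

def run_proof(alphas, index_sets, challenge_bits=80):
    """One interactive run; c <-$ {0,1}^l is the verifier's challenge."""
    relations = build_dlrs(alphas, index_sets)
    ks, Rs = commit(relations, len(alphas))
    c = secrets.randbits(challenge_bits)
    ss = respond(alphas, ks, c)
    return relations, Rs, c, ss
```

The index sets `[{0}, {0}, {0, 1}]` reproduce the slide's relations $V_1, V_2, V_3$: three commitments are sent although only two secrets (and two responses) are involved.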
Constrained devices
- The pair (phone/SIM card) is suitable for proving knowledge.
  - The phone is powerful enough for computing the commitments.
  - The secret values can be stored in the SIM card.
- But:
  - The SIM card is not able to compute the commitments.
  - The phone is not fully trusted.
⇒ How can we delegate these computations?
Methodology
- We split the prover P into 2 entities:
  - A trusted but constrained one (e.g. the SIM card)
  - A more powerful but not fully trusted one (e.g. the phone)
- The phone may have access to additional information but cannot recover the secret values.
- The proof must remain zero-knowledge w.r.t. the verifier V.
An example: D.A.A.
- A Direct Anonymous Attestation (D.A.A.) enables members of a group to anonymously sign on behalf of the group.
- The signer is split into a trusted entity (the TPM) and a not fully trusted one (the Host):
  - Anonymity w.r.t. the Host is not required.
  - Non-frameability is required.
- The Host can have access to the member's certificate but not to his secret key.
Delegation of Proofs of Knowledge
Bilinear groups
- Most efficient implementations of the previous primitives use bilinear groups.
- Bilinear groups are a set of 3 groups $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ of prime order $p$ along with a map $e$ such that:
  - $\forall (X, \tilde{X}) \in \mathbb{G}_1 \times \mathbb{G}_2$ and $a, b \in \mathbb{Z}_p$: $e([a]X, [b]\tilde{X}) = e(X, \tilde{X})^{a \cdot b}$
  - $\forall (X_1, X_2) \in \mathbb{G}_1^2$: $e(X_1 + X_2, \tilde{X}) = e(X_1, \tilde{X}) \cdot e(X_2, \tilde{X})$
A first step
- To prove knowledge of $\alpha$ such that: $V_1 = [\alpha]A_1$, $V_2 = [\alpha]A_2$, ..., $V_n = [\alpha]A_n$ with $A_i \in \mathbb{G}_1$
- We can compute the commitment in $\mathbb{G}_2$: instead of $R_1 \leftarrow [k]A_1$, $R_2 \leftarrow [k]A_2$, ..., $R_n \leftarrow [k]A_n$, compute $\tilde{R} \leftarrow [k]\tilde{G}$ for some $\tilde{G} \in \mathbb{G}_2$.
- Transmit $c$ and $s = k + c \cdot \alpha$ as in the Schnorr protocol.
- And verify it in $\mathbb{G}_T$, for all $1 \le i \le n$: $e([s]A_i, \tilde{G}) \stackrel{?}{=} e(A_i, \tilde{R}) \cdot e(V_i, \tilde{G})^c$
A first step
- The SIM card only has to compute one scalar multiplication, instead of $n$.
- The verification now involves pairings, but in many cases the verifier will be able to perform them quickly.
- The proof is sound, but not zero-knowledge!
  - From $\tilde{R}$ we can recover $[\alpha]\tilde{G}$ (since $[s]\tilde{G} - \tilde{R} = [c \cdot \alpha]\tilde{G}$) ⇒ it cannot be sent to V.
  - From $[\alpha]\tilde{G}$ we cannot recover $\alpha$ ⇒ it can be sent to the phone.
- D.A.A. example: knowledge of $[\alpha]\tilde{G}$ does not allow the Host to impersonate the TPM.
⇒ Security of the scheme is ensured.
Making the proof zero-knowledge
- To make the proof zero-knowledge, the phone will bind $\tilde{R}$ to each $A_i$:
  $\forall 1 \le i \le n$: $b_i \xleftarrow{\$} \mathbb{Z}_p$, $B_i \leftarrow [b_i^{-1}]A_i$ and $\tilde{B}_i \leftarrow [b_i]\tilde{R}$
- $(B_i, \tilde{B}_i)$ are sent to V, which can check the proof: $e([s]A_i, \tilde{G}) \stackrel{?}{=} e(B_i, \tilde{B}_i) \cdot e(V_i, \tilde{G})^c$
- The proof is now zero-knowledge, but we must extend it to more complex relations: $V = \sum_{j=1}^{m} [\alpha_j]A_j$
A first protocol
- To remain zero-knowledge, the phone must bind the different commitments $\tilde{R}_j \leftarrow [k_j]\tilde{G}$.
- If we knew the elements $\tilde{A}_j \leftarrow [\prod_{k \ne j} a_k]\tilde{G}$ where $A_j = [a_j]G$, the phone could:
  - select $t_1, \ldots, t_{m-1} \xleftarrow{\$} \mathbb{Z}_p$ and $t_m \in \mathbb{Z}_p$ such that $\sum_{j=1}^{m} t_j = 0$.
  - compute and send $B_j \leftarrow [b_j^{-1}]A_j$ and $\tilde{B}_j \leftarrow [b_j](\tilde{R}_j + [t_j]\tilde{A}_j)$
- V could check that: $e(\sum_{j=1}^{m} [s_j]A_j, \tilde{G}) \stackrel{?}{=} e(V, \tilde{G})^c \cdot \prod_{j=1}^{m} e(B_j, \tilde{B}_j)$
A second protocol
- Knowledge of $\tilde{A}_j$ is a strong assumption, but:
  - If $m = 1$, $\tilde{A}_j = \tilde{G}$
  - If $m = 2$ then $\{\tilde{A}_j\}_j = \{A_j\}_j$ when using a symmetric pairing.
- We need to modify this solution to suit the other cases. The phone:
  - selects $t_1, \ldots, t_m \xleftarrow{\$} \mathbb{Z}_p$ (without any condition).
  - computes and sends $H \leftarrow \sum_{j=1}^{m} [t_j]A_j$, $B_j$ and $\tilde{B}_j \leftarrow [b_j](\tilde{R}_j + [t_j]\tilde{G})$
- Verification is similar: $e(H + \sum_{j=1}^{m} [s_j]A_j, \tilde{G}) \stackrel{?}{=} e(V, \tilde{G})^c \cdot \prod_{j=1}^{m} e(B_j, \tilde{B}_j)$
In summary
- For a relation: $V = \sum_{j=1}^{m} [\alpha_j]A_j$
- The SIM card computes: $\tilde{R}_j \leftarrow [k_j]\tilde{G}$
- The commitments received by V are: $H \leftarrow \sum_{j=1}^{m} [t_j]A_j$, $B_j \leftarrow [b_j^{-1}]A_j$ and $\tilde{B}_j \leftarrow [b_j](\tilde{R}_j + [t_j]\tilde{G})$
- The factors $(b_j)_j$ bind the elements $\tilde{R}_j$ to the basis $(A_j)_j$.
  ⇒ else, V would learn $[\alpha_j]\tilde{G}$
- The factors $(t_j)_j$ bind the elements $\tilde{R}_j$ together.
  ⇒ else, V would learn $e(A_j, \tilde{G})^{\alpha_j}$
- These additional factors must be cancelled.
  ⇒ else, V could not check the validity of the proof.
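The summarised protocol (the second protocol) as an added Python simulation, not the authors' code: SIM card, phone and verifier roles over a constructed toy symmetric pairing on a group of order 509, where e() is computed from a brute-force discrete-log table, which is only possible because the group is tiny (a pairing-friendly curve library supplies e() in practice); the bases $A_j$ and secrets used in the test are constructed. It also exercises the leakage stated on the Security slide: from $\tilde{R}_j$, $s_j$ and $c$ the phone recovers $[\alpha_j]\tilde{G}$, not $\alpha_j$.

```python
# Added example, not from the paper: the delegated "second protocol" split
# into SIM, phone and verifier.  Toy symmetric pairing (constructed): G1 = G2
# = order-p subgroup of Z_q^*, q = 2p+1 = 1019, e(X, Y) = G^(log X * log Y)
# via a brute-force dlog table, which only works because p is tiny.
import secrets
Q, P, G = 1019, 509, 4                 # toy safe prime, subgroup order, G = G~

def mul(k, A): return pow(A, k % P, Q)  # [k]A
def add(A, B): return (A * B) % Q       # A + B
def msum(ks, As):                       # sum_j [k_j] A_j
    acc = 1
    for k, A in zip(ks, As): acc = add(acc, mul(k, A))
    return acc
LOG = {pow(G, x, Q): x for x in range(P)}       # dlog table, toy only
def e(X, Y): return pow(G, LOG[X] * LOG[Y], Q)  # bilinear: e([a]X,[b]Y) = e(X,Y)^ab

def sim_commit(m):
    """Trusted SIM card: k_j <-$ Z_p and R~_j = [k_j] G~, one scalar mult each."""
    ks = [secrets.randbelow(P) for _ in range(m)]
    return ks, [mul(k, G) for k in ks]
def sim_respond(alphas, ks, c):
    """Trusted SIM card: s_j = k_j + c * alpha_j mod p."""
    return [(k + c * a) % P for k, a in zip(ks, alphas)]

def phone_blind(As, Rts):
    """Untrusted phone: b_j binds R~_j to A_j, t_j binds the R~_j together, H carries the t_j."""
    ts = [secrets.randbelow(P) for _ in As]
    bs = [1 + secrets.randbelow(P - 1) for _ in As]          # b_j in Z_p^*
    H = msum(ts, As)                                         # H = sum_j [t_j] A_j
    Bs = [mul(pow(b, -1, P), A) for b, A in zip(bs, As)]     # B_j = [b_j^-1] A_j
    Bts = [mul(b, add(Rt, mul(t, G))) for b, Rt, t in zip(bs, Rts, ts)]  # [b_j](R~_j + [t_j] G~)
    return H, Bs, Bts

def verify(V, As, H, Bs, Bts, c, ss):
    """Verifier: e(H + sum [s_j] A_j, G~) == e(V, G~)^c * prod_j e(B_j, B~_j)."""
    rhs = pow(e(V, G), c, Q)
    for B, Bt in zip(Bs, Bts): rhs = add(rhs, e(B, Bt))
    return e(add(H, msum(ss, As)), G) == rhs
def phone_learns(Rt, s, c):
    """What the phone can recover from R~_j, s_j, c: [alpha_j] G~ (not alpha_j)."""
    return mul(pow(c, -1, P), add(mul(s, G), mul(-1, Rt)))

def run(alphas, As):
    V = msum(alphas, As)
    ks, Rts = sim_commit(len(alphas))
    H, Bs, Bts = phone_blind(As, Rts)
    c = 1 + secrets.randbelow(P - 1)          # verifier's challenge, nonzero mod p
    ss = sim_respond(alphas, ks, c)
    return V, Rts, H, Bs, Bts, c, ss
```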
Security
- The proof is complete.
- The proof is sound.
- The proof is zero-knowledge w.r.t. V.
- The proof only leaks $[\alpha_1]\tilde{G}, \ldots, [\alpha_m]\tilde{G}$ to the phone.