Hash Proof Systems and Password Protocols I Hash Proof Systems - PDF document

Hash Proof Systems and Password Protocols I – Hash Proof Systems David Pointcheval CNRS, Ecole normale sup´ erieure/PSL & INRIA 8th BIU Winter School – Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/51 Hard Subset Membership NP Language L ⊆ X : ( ∃R polynomial relation) ( x ∈ L ⊆ X ⇐ ⇒ ∃ w , R ( x , w ) = 1) Distinguisher between distributions: Adv L , X ( D ) = Pr[ D ( x ) = 1 | x $ $ ← L ] − Pr[ D ( x ) = 1 | x ← X\L ] Hard Subset Membership for L ⊆ X : ∀D polynomial, Adv L , X ( D ) negligible Example (Decisional Diffie-Hellman Problem) X = { ( G = g r , H = h s ) | r , s $ G = � g � = � h � ← Z q } = G × G L = { ( G = g r , H = h r ) | r $ ← Z q } = � ( g , h ) � CNRS/ENS/PSL/INRIA David Pointcheval 2/51 Proof of Membership For an NP-Language L ⊆ X defined by a polynomial relation R , such that x ∈ L ⇐ ⇒ ∃ w , R ( x , w ) = 1 with Hard Subset Membership A proof system between a prover P and a verifier V is Correct: for any x ∈ L , with a witness w such that R ( x , w ) = 1 P ( x , w ) is accepted by V with overwhelming probability Sound: for any x ∈ X\L (without any witness) any P ∗ ( x ) is accepted by V with negligible probability Zero-Knowledge: a simulator S can generate indistinguishable transcripts to V for any x ∈ L , without witness (for any x ∈ X , under the Hard Subset Membership) Simulation-Sound: sound for a new x ∈ X\L , after the view of simulated transcripts CNRS/ENS/PSL/INRIA David Pointcheval 3/51

Smooth Projective Hash Functions (SPHFs) [Cramer-Shoup – Eurocrypt ’02] HashKG hk Hash H $ hk ← HashKG () ProjKG x ∈ L H = pH if R ( x , w ) = 1 H ← Hash ( hk , x ) hp ← ProjKG ( hk ) pH ← ProjHash ( hp , x , w ) hp ProjHash pH correctness w CNRS/ENS/PSL/INRIA David Pointcheval 4/51 SPHF on Diffie-Hellman Pairs [Cramer-Shoup – Crypto ’98] Let G = � g � = � h � of prime order q X = { ( G = g r , H = h s ) | r , s $ ← Z q } = G × G L = { ( G = g r , H = h r ) | r $ ← Z q } = � ( g , h ) � SPHF for Diffie-Hellman Pairs hp ← g α h β = ProjKG ( hk ) ← Z 2 $ hk ← ( α, β ) q H ← G α H β = Hash ( hk , x = ( G , H )) pH ← hp r = ProjHash ( hp , x , w = r ) Correctness: H = ( g r ) α ( h r ) β = ( g α ) r ( h β ) r = hp r = pH Smoothness: H = ( g r ) α ( h s ) β = ( g α ) r ( h β ) s = hp r ( h s − r ) β (no information about β ) CNRS/ENS/PSL/INRIA David Pointcheval 5/51 Proof of Membership V P x , w x $ hk ← HashKG () hp hp ← ProjKG ( hk ) pH ← ProjHash ( hp , x , w ) pH H ← Hash ( hk , x ) accepts if H = pH Correctness: from the correctness of the SPHF Soundness: from the smoothness of the SPHF Honest-Verifier Zero-Knowledge CNRS/ENS/PSL/INRIA David Pointcheval 6/51

Outline Introduction Smooth Projective Hash Functions (SPHFs) 1 Definitions: CS/GL/KV SPHFs Matrix Formalism 2 Encryption and Proofs Public-Key Encryption Simulation-Soundness More Languages 3 Basic Languages Conjunctions and Disjunctions KV Disjunctions Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 7/51 Outline Introduction Smooth Projective Hash Functions (SPHFs) 1 Definitions: CS/GL/KV SPHFs Matrix Formalism Encryption and Proofs 2 Public-Key Encryption Simulation-Soundness More Languages 3 Basic Languages Conjunctions and Disjunctions KV Disjunctions Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 8/51 Outline Introduction Smooth Projective Hash Functions (SPHFs) 1 Definitions: CS/GL/KV SPHFs Matrix Formalism 2 Encryption and Proofs Public-Key Encryption Simulation-Soundness More Languages 3 Basic Languages Conjunctions and Disjunctions KV Disjunctions Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 9/51

Cramer-Shoup SPHFs Smooth Projective Hash Functions $ hk ← HashKG () hp ← ProjKG ( hk ) H ← Hash ( hk , x ) pH ← ProjHash ( hp , x , w ) Hash and ProjHash onto the set Π Correctness: ∀ x ∈ L , ∀ w such that R ( x , w ) = 1 ∀ hk ← HashKG () , hp ← ProjKG ( hk ) : Hash ( hk , x ) = ProjHash ( hp , x , w ) Smoothness: ∀ x ∈ X\L $ with the probability space hk ← HashKG () , hp ← ProjKG ( hk ) $ { ( hp , H ) | H ← Hash ( hk , x ) } ≈ { ( hp , H ) | H ← Π } CNRS/ENS/PSL/INRIA David Pointcheval 10/51 Gennaro-Lindell SPHFs [Gennaro-Lindell – Eurocrypt ’03] HashKG hk Hash H $ hk ← HashKG () H = pH if R ( x , w ) = 1 ProjKG x ∈ L H ← Hash ( hk , x ) hp ← ProjKG ( hk , x ) pH ← ProjHash ( hp , x , w ) hp ProjHash pH correctness w CNRS/ENS/PSL/INRIA David Pointcheval 11/51 Gennaro-Lindell SPHFs [Gennaro-Lindell – Eurocrypt ’03] Smooth Projective Hash Functions $ hk ← HashKG () hp ← ProjKG ( hk , x ) H ← Hash ( hk , x ) pH ← ProjHash ( hp , x , w ) Hash and ProjHash onto the set Π Correctness: ∀ x ∈ L , ∀ w such that R ( x , w ) = 1 ∀ hk ← HashKG () , hp ← ProjKG ( hk , x ) : Hash ( hk , x ) = ProjHash ( hp , x , w ) Smoothness: ∀ x ∈ X\L $ with the probability space hk ← HashKG () , hp ← ProjKG ( hk , x ) $ { ( hp , H ) | H ← Hash ( hk , x ) } ≈ { ( hp , H ) | H ← Π } CNRS/ENS/PSL/INRIA David Pointcheval 12/51

Proof of Membership If the statement x is known from the beginning by both parties V P x , w x $ hk ← HashKG () hp hp ← ProjKG ( hk , x ) pH ← ProjHash ( hp , x , w ) pH H ← Hash ( hk , x ) accepts if H = pH GL-SPHFs are enough for the Proof of Membership CNRS/ENS/PSL/INRIA David Pointcheval 13/51 Proof of Membership For Adaptive Statements V P x , w $ hk ← HashKG () hp hp ← ProjKG ( hk ) pH ← ProjHash ( hp , x , w ) x , pH H ← Hash ( hk , x ) accepts if H = pH CS-SPHFs not enough. . . The adversarial prover could choose x according to hp CNRS/ENS/PSL/INRIA David Pointcheval 14/51 Adaptive Smoothness CS-Smoothness $ ∀ x ∈ X\L , with the probability space hk ← HashKG () , hp ← ProjKG ( hk ) $ { ( hp , H ) | H ← Hash ( hk , x ) } ≈ { ( hp , H ) | H ← Π } When x is fixed, hk is randomly chosen If perfect indistinguishability for every word: no weak word If statistical indistinguishability only: weak words exist (can be found and used) Let hk ′ = ( hk , x ) , for x ← X\L , hp ′ = ( hp , ( x , h = Hash ( hk , x )) , $ Hash ′ ( hk ′ , x ) = Hash ( hk , x ) and ProjHash ′ ( hp ′ , x , w ) = ProjHash ( hp , x , w ) SPHF’ can still be CS-Smooth: hk ′ randomly chosen after x fixed, then x � = x w.h.p but the adversarial prover can cheat on x : by chosing x = x from the received hp ′ CNRS/ENS/PSL/INRIA David Pointcheval 15/51

Katz-Vaikuntanathan SPHFs [Katz-Vaikuntanathan – TCC ’11] KV-Smoothness $ ∀ f onto X\L , with the probability space hk ← HashKG () , hp ← ProjKG ( hk ) $ { ( hp , H ) | H ← Hash ( hk , f ( hp )) } ≈ { ( hp , H ) | H ← Π } There is no deterministic way to extract a wrong word from hp CNRS/ENS/PSL/INRIA David Pointcheval 16/51 Outline Introduction Smooth Projective Hash Functions (SPHFs) 1 Definitions: CS/GL/KV SPHFs Matrix Formalism Encryption and Proofs 2 Public-Key Encryption Simulation-Soundness More Languages 3 Basic Languages Conjunctions and Disjunctions KV Disjunctions Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 17/51 Matrix Formalism: Correctness [Benhamouda-Blazy-Chevalier-P.-Vergnaud – Crypto ’13] � g � � 1 � � ⊆ G 2 h = g a L = � Γ = λ h a � r � g r � � g � � � � x = = • r λ = θ = Γ · λ = r h r h ar � g � hp = g α × h β = � � � � α β • hk = α β hp = hk · Γ Γ θ h � � = α + a β hp hk H � g r � � g � g α h β • r � � � � H = hk • x = α β • = α β • • r = = hp • w = pH h r h � r � � � � � � � H ≡ α β · = r ( α + a β ) = α + a β · r ≡ pH ar CNRS/ENS/PSL/INRIA David Pointcheval 18/51

Matrix Formalism: Smoothness θ ∈ � Γ � : H fully determined by hp Γ θ θ = Γ · λ : H = hk · Γ · λ = hp · λ = pH θ �∈ � Γ � : H independent of hp Key hk is randomly chosen hp hk H H = hk · θ while hp = hk · Γ CNRS/ENS/PSL/INRIA David Pointcheval 19/51 Application: DDH and DLin Languages � 1 � DDH: { x = ( g r , h r ) } with h = g a = � � ⇒ Γ = , λ = r θ = Γ · λ a hp = hk · Γ � � ← Z 2 $ � � ⇒ g α h β hk = α β q ⇒ hp = α + a β H = hk · θ � x � ( u = g x , v = g y ) → θ = pH = hp · λ � � ⇒ u α v β ⇒ H = α x + β y y � � r ⇒ hp r ( g r , h r ) → θ = � α r + β ar � ⇒ pH = ar   λ 1 0 � r � DLin: { x = ( g r , h s , f r + s ) } , with h = g a , f = g b =  , λ = ⇒ Γ = 0 a  s b b Γ θ � α γ � ← Z 3 $ � α + γ b a β + γ b � ⇒ ( g α f γ , h β f γ ) hk = β q ⇒ hp =   x hk hp H  ⇒ H = ( u = g x , v = g y , w = g z ) → θ = � � ⇒ u α v β w γ y α x + β y + γ z  z   r ⇒ hp r 1 hp s ( g r , h s , f r + s ) → θ =  ⇒ pH = � α r + β ar + γ b ( r + s ) � ar  2 b ( r + s ) CNRS/ENS/PSL/INRIA David Pointcheval 20/51 Outline Introduction Smooth Projective Hash Functions (SPHFs) 1 Definitions: CS/GL/KV SPHFs Matrix Formalism 2 Encryption and Proofs Public-Key Encryption Simulation-Soundness More Languages 3 Basic Languages Conjunctions and Disjunctions KV Disjunctions Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 21/51