mtat 07 005 cryptographic protocols
play

MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge - PDF document

Zero-Knowledge Two-Party Protocols MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of Tartu MTAT.07.005 Cryptographic Protocols Helger Lipmaa MTAT.07.005 Cryptographic Protocols Zero-Knowledge


  1. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Can you color it by using three colors? ( NP -complete problem) Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Yes, you can! Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  2. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Yes, you can! But how to prove that without revealing the coloring? Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Step 1.1: shuffle the colors. (3-coloring remains a 3-coloring) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  3. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Step 1.2: Encrypt all colors by using a “secure” cryptosystem. Use different key for every vertex. Send encrypted graph to Verifier. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Step 1.3: Verifier picks a random edge. Prover sends encryption keys, corresponding to the endpoints of this edge. Verifier checks that corresponding colors are correct and not equal. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  4. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability What next? Take the original coloring again. . . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Step 2.1: shuffle the colors again. . . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  5. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Step 2.2: Encrypt all colors by using a “secure” cryptosystem. Use different key for every vertex. Send encrypted graph to Verifier. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph 3-Colorability Step 2.3: Verifier picks a random edge. Prover sends encryption keys, corresponding to the endpoints of this edge. Verifier checks that corresponding colors are correct and not equal. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  6. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments 3COL: Formal Description 1 Do k times: Prover permutes randomly the 3-coloring 1 Encrypt every vertex color by using a new random key 2 Verifier picks a random edge 3 Prover sends the corresponding keys to verifier 4 Verifier halts with a reject if vertices are incorrect 5 2 Verifier halts with an accept Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments 3COL: Informal analysis Correctness: Clear Soundness: If Prover does not know a 3-coloring, at every step there is at least one edge with equally colored end-points. Verifier picks 1 this edge with probability ≥ | E | If k = | E | 2 , the probability that a cheating Prover passes is � � | E | 2 1 − 1 1 ≤ ≈ √ e · e k | E | Note: The same probability pops up when talking about the birthday paradox E is the set of edges, | E | is the number of edges, e = 2 . 71 . . . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  7. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments 3COL Is ZK: Informal analysis Intuitively clear if the cryptosystem is “secure”: In every step, Verifier sees two random but inequal colors Drawn randomly from a set of cardinality 3 · 2 = 6 She could have chosen these two colors herself, with exactly the same probability! As we later see, this is exactly what is meant by zero-knowledge Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments 3COL: Conclusion Hopefully you gained some intuition Did you gain some knowledge? May be not Although you should now be able to amaze your friends with 1337 graph 3-coloring skills Even without a computer and in a pub! Can’t tell — we don’t know yet what is knowledge Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  8. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments What Is Knowledge? Hard to define—it is easier to define what is gain of knowledge I tell you 1 + 1 = 2. Do you gain knowledge? Most of you don’t � I tell you the factors of a random 2048-bit composite number. Do you gain knowledge? Yes, if you cannot compute the factors by yourself Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments ZK ≈ Proving With Minimal Disclosure I prove that I know the factors of some integer, without revealing them. I prove that two graphs G 1 and G 2 are isomorphic without revealing the isomorphism. Graph isomorphism is a well-known hard problem I prove that G 1 and G 2 are non-isomorphic, without revealing you why In general: I convince you that some fact is true, without you getting to know anything else but that this fact is true Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  9. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Knowledge � =Information Information: You are revealed an unknown object. Factors of 2 2 41 − 1: no new information Properties of information are studied in information theory Knowledge: You are revealed results of calculations, that you cannot perform yourself, on a publicly-known object. Factors of 2 2 41 − 1: probably new knowledge Factors of a randomly generated 1024-bit integer: new knowledge, assuming that factoring is hard The terminology might be confusing. . . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Zero-knowledge: Intuition ZK protocol : protocol between verifier V and prover P Big intuition : Zero-knowledge is a property of prover P : Given a common input x with prover P , whatever any efficient machine V ∗ can calculate, based on the interaction with P , can be calculated based on x alone I.e., interaction with P can be simulated Interactive proof system : P convinces honest V that x ∈ L iff x ∈ L Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  10. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Notation If A is an algorithm, then the notation a ← A ( b ) refers to the computation of the output “ a ”, on input bit string “ b ”. For a set V , v ← V denotes uniform and random selection of an element v from V . Blue variables are known only to P , brown variables are known only to V , green variables are known to both from the start of the protocol Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments IP System For formal definition of ZK, one must define an interactive proof system (IP system) IP system captures the completeness/soundness properties but not privacy properties IP system consists of two interactive machines that both have private (read-only) input, (read-only) random string, read-write working space, (write-only) output Machines communicate by sending messages Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  11. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Preliminaries: Interactive Protocols A protocol takes several steps of communications, where in every step one participant sends a message to another one An interactive protocol IP is a pair ( P , V ), where at every step one participant decides, based on the previous communication, private and common inputs, and on the contents of the random tape, what would be the next message We assume that P is computationally unbounded V is computationally bounded In interactive proofs, V is bounded and P is not. In interactive arguments, P is bounded and V is not. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Interactive Proof System: Definition (Semiformal) Language L has an interactive proof system if there is such an interactive machine V , so that V accepts a correct Prover with a large probability V is not a fool: she accepts a malicious Prover with a small probability (Even if Prover is omnipotent) Let IP be the set of languages that have IP proofs Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  12. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Interactive Proof System: Definition (Formal) Definition Language L has an interactive proof system if there is an interactive machine V , such that ∃ P , so that ∀ x ∈ L , V “accepts” x , after a single run of ( P , V ), with probability ≥ 2 / 3 ∀ P ∗ , where ( P ∗ , V ) is an IP: For all x �∈ L , the probability that V “accepts”, after a single run of ( P ∗ , V ), is < 1 / 3 Probabilities are taken over the coin tosses of P , V (Recall that P does not have to be computationally bounded. Also, “cheating” probabilities decrease exponentially after a constant number of protocol repetition.) Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph Non-isomorphism Are these two graphs non-isomorphic? Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  13. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph Non-isomorphism No! They are isomorphic: we can show an isomorphism (mapping between the nodes). But how to show non-isomorphism? I.e.: How to convince verifier that graphs are non-isomorphic, without sending too much information? Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: Graph Non-isomorphism Recall: problem is in NP if we know a short witness For graph isomorphism ( GI ), we can exhibit a short π Thus GI ∈ NP It is not known whether GNI ∈ NP We will show that GNI ∈ IP Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  14. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments IP System for GNI Common input ( G 1 , G 2 ). Iterate the next step for i = 1 . . . k : 1 V chooses a random α i ← { 1 , 2 } , and a random graph G ′ i from the set of graphs that are isomorphic to G α i . She sends G ′ i to P 2 (Omnipotent) P finds a graph G β i , s.t. G β i and G ′ i are isomorphic, and sends β i to V Intuition: P can guess α i iff graphs are non-isomorphic V accepts iff β i = α i , ∀ i Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Correctness of IP System for GNI When ( G 1 , G 2 ) ∈ GNI : P can distinguish isomorphic copies of graph G 1 from isomorphic copies of G 2 ; then V accepts with probability 1 Honest P is accepted always Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  15. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Correctness of IP System for GNI When ( G 1 , G 2 ) �∈ GNI : An isomorphic copy of G 1 is always an isomorphic copy of G 2 . Thus the best strategy for P is to toss a coin, and hence the cheating probability is again 2 − k Dishonest P is accepted with probability 2 − k Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Back to ZK and Formal Definition Let us have an interactive proof system ( P , V ) When is ( P , V ) zero-knowledge? Important notion: view P V ( x ) — view of V when interacting with P on common input x view P V ( x ) is equal to the concatenation of all messages sent in this protocol, prefixed with all random coin tosses of V View of the previous protocol: ( α 1 , . . . , α k ) || ( G ′ 1 , β 1 , . . . , G ′ k , β k ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  16. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Formal Definition of ZK: First Try Definition Let ( P , V ) be an IP system for language L . ( P , V ) is (perfect) zero-knowledge if for every PPT (probabilistic polynomial-time) machine V ∗ there exists a PPT simulator M ∗ , s.t. for every x ∈ L the following two random variables are identically distributed: V ∗ ( x ) — the view of V ∗ when interacting with P . view P M ∗ ( x ) — the output of M ∗ . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example, the case of GNI V ’s view of the previous protocol: ( α 1 , . . . , α k ) || ( G ′ 1 , β 1 , . . . , G ′ k , β k ) Thus this protocol for GNI is ZK if there exists an omnipotent simulator Sim who on input a pair of isomorphic graphs ( G 1 , G 2 ), without interacting with P and for an arbitrary strategy of V ∗ produces an output distribution “close” to the view of V . Intuitively possible, but. . . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  17. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Formal Definition: Details Too strong a requirement! No non-trivial languages have such proofs. Modification: M ∗ can output ⊥ with probability ≤ 1 2 . If M ∗ ( x ) � = ⊥ then view P V ∗ ( x ) = M ∗ ( x ). (Perfect ZK) Alternate modification: { view P V ∗ ( x ) } x ∈ L and { M ∗ ( x ) } x ∈ L are statistically close. (Statistical ZK) Statistical distance between two distributions is negligible Yet another: { view P V ∗ ( x ) } x ∈ L and { M ∗ ( x ) } x ∈ L cannot be distinguished in probabilistic polynomial time. — Computational ZK Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Formal Definitions: Intuition Perfect ZK: The distributions view P V ∗ ( x ) and M ∗ ( x ) are equal Statistical ZK: The distributions view P V ∗ ( x ) and M ∗ ( x ) are close Even an omnipotent adversary cannot distinguish, given that the protocol is executed (sequentially) not more than a polynomial number of times Computational ZK: The distributions view P V ∗ ( x ) and M ∗ ( x ) cannot be distinguished by a PPT adversary Even after a polynomial number of executions Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  18. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Complexity Classification The classes of languages that have computational/statistical/perfect zero-knowledge proofs: BPP⊂ Believed that � = PZK ⊆ SZK⊂ Believed that � = CZK = IP . BPP ⊆ PZK : Trivial, uses no interaction: PZK can verify by himself whether x ∈ L . Reminder: BPP — set of problems that can be decided by probabilistic polynomial-time Turing machines Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Example: GI ∈ PZK P knows an isomorphism φ : G 1 → G 2 . Protocol 1 P generates a random permutation π of G 2 -s vertices. She sends G ′ ← π ( G 2 ) to V . 2 V generates a random σ ← { 0 , 1 } and sends it to P. 3 If σ = 1 , P sets τ ← π ◦ φ , otherwise she sets τ ← π . She sends τ to V . 4 V checks that τ ( G σ ) = G ′ . Intuition: π ( φ ( G 1 )) = φ ( G 2 ) = G ′ . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  19. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments NP ⊆ CZK To show that there are CZK proofs for every NP -language, it is sufficient to show a proof for one concrete NP -complete language A graph G can be colored with c colors when there exists an coloring of the vertices of G with c colors so that for no edge, the vertices connected to this edge are colored with the same color The chromatic number of G , χ ( G ): minimum c so that G can be colored with c colors 3COL : the set of graphs with χ ( G ) ≤ 3. This language is NP -complete. Say the colors are R, G, B. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Reminder: CZK Protocol for 3COL Common input: G . P wants to prove that she knows a coloring C : V ( G ) → { R , G , B } in CZK. Iterate the next protocol | E ( G ) | 2 times: P chooses a random permutation π of colors. She encrypts the color π ( C ( v )) for every vertex v , using a probabilistic public-key cryptosystem, by using a different key for every vertex. P sends to V all ciphertexts together with the correspondence between them and the vertices V chooses a random edge e = ( v 1 , v 2 ), and sends e to P P sends the decryption keys D v 1 and D v 2 to V V computes π ( C ( v 1 )) and π ( C ( v 2 )) and verifies that they are different Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  20. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Completeness/Soundness of The Protocol for 3COL Completeness: If P knows the corresponding 3-coloring, V will never detect an incorrectly colored edge. Thus, V will accept with probability 1 Soundness: If χ ( G ) > 3 then π ( C ( v 1 )) = π ( C ( v 2 )) in all steps with probability ≥ | E | − 1 . After | E | 2 steps the probability that V will accept is exponentially small Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Is GNI in CZK ? Previously presented IP system for GNI is not zero-knowledge: V can submit an arbitrary graph H not necessarily isomorphic to G 1 or to G 2 and thus get to know additional information V needs to decide if H is isomorphic to G i for some other reason Modify the protocol for GNI by letting V to prove in PZK that G ′ i is either isomorphic to G 1 or to G 2 Doable, since GI ∈ PZK Problem Work out the disjunctive PZK proof Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  21. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Second Lecture Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Black-Box Zero-Knowledge Intuition: A protocol is black-box zero-knowledge, if the simulator does not use the code of the prover. That is, if one can construct a simulator that just uses the prover as an oracle. A protocol is non-black-box zero-knowledge, if it has a simulator who uses the internal structure of the prover. Barak, 2001: non-black-box zero-knowledge is more powerful than black-box zero-knowledge. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  22. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Zero-Knowledge: Limitations Black-box ZK protocols require at least four moves unless the underlying language is trivial (in BPP ). Thus, in principle, none of the three-move protocols handled here can be black-box ZK. Non-BB ZK protocols: at least three moves for non-trivial languages. Four-move (black-box) ZK protocols exist. The very efficient procedure for turning identification schemes into signature schemes, presented later, cannot be used if the identification scheme is ZK (the simulation used for proving the ZK-ness can be used to forge the signature). Thus, a real ZK protocol cannot be used to construct such a signature scheme. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Honest Verifier Zero-Knowledge A party is honest/nonmalicious/curious-but-honest when he follows the protocol (though tries to deduce new information from it) ( P , V ) is honest verifier ZK if it is ZK with respect to honest V : There exists a PPT simulator M ∗ , such that for every x ∈ L , view P V ( x ) ≈ M ∗ ( x ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  23. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Honest Verifier ZK: Motivation 1 General ZK protocols are far less efficient while HVZK is achievable in 3 rounds. 2 HVZK is sufficient in several applications. 3 There exist efficient transformation methods for turning certain classes of HVZK protocols into ZK protocols. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Proofs of Knowledge: Motivation IP proof: shows that a property holds (non-constructive) Proof of knowledge: shows that the verifier knows the corresponding witness (constructive) In security proofs, we can assume that the prover knows a short witness, not that it is able to generate it on fly Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  24. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments ZK Proof of Knowledge: Definition Definition Π is a ZK proof of knowledge iff Π is an interactive proof system with zero-knowledge property Proof of knowledge: If P can make V accept then there is a knowledge extractor that, given oracle access to P , and for any x ∈ L , can extract a witness ω such that ( x , ω ) ∈ L . Knowledge extractor M ∗ can rewind P : i.e., execute the protocol ( P , M ∗ ) several times, with the same common input x and the same random tape of P . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Proofs of Knowledge: Notation Denote a proof of knowledge of ω , s.t. R ( x , ω ) = 1 by PK ( R ( x , ω ) = 1) Greek letters denote variables, knowledge of which is proved Latin letters denote variables that are either in public knowledge or secretly owned by some party PK ( y = g ω ): proof of knowledge of the discrete logarithm PK ( y = E K ( µ ; ρ ) ∧ µ � = 0) (proof of knowledge of encrypted non-zero message µ ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  25. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Knowledge Extractor in CZK Protocol for 3COL M ∗ executes the 3COL protocol | E ( G ) | times, in every time choosing a different edge ( v 1 , v 2 ) ∈ E ( G ) during the first step of the protocol Every time using the same random tape of P At the end, M ∗ has π ( C ( v 1 )) for every vertex v of the graph G ω := π ◦ C is a valid three-coloring of G Thus M ∗ has extracted a witness ω , s.t. ( x , ω ) ∈ 3COL This can be a different witness compared to the one, used by P . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocols: Idea “challenge-response” proof of knowledge: P sends a random-looking element to V , V challenges P with a uniformly random bit-string, P responds Three security requirements: completeness, special soundness, special honest-verifier zero-knowledge Such a three-round protocol is known as a Σ-protocol Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  26. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocols: Notation The pair ( x , ω ) ∈ R , where R ⊂ { 0 , 1 } ∗ × { 0 , 1 } ∗ is a publicly known, typically (but not necessarily) efficiently verifiable relation. Let R W ( x ) := { ω : ( x , ω ) ∈ R } and R X := { x : R W ( x ) � = ∅} . E.g.: R W ( x ) is the set of secret keys corresponding to public key x , and R X is the set of public keys that have a corresponding secret key. Simplification: assume that all witnesses ω correspond to some value x , s.t. ( x , ω ) ∈ R . I.e., R X is the set of public keys. (For some well-known schemes like the Guillou-Quisquater, this is not the case!) Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocols: General Description P V a ← a ( x , ω, Randomtape P ) a c c ← c ( Randomtape V ) z ← z ( x , ω, Randomtape P , c ) z ? φ ( x , a , c , z ) = accept a : initial message . t P = | a | is the authentication length . c : challenge , c ← { 0 , 1 } t V of length t V . z : reply (may reuse a ). Finally, V invokes a polynomial time computable predicate φ to check whether the conversation ( v , a , c , z ) is accepting . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  27. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Reminder: ( G q , ◦ ) Definition ( G q , ◦ ) is a multiplicative cyclic group of prime order q iff Group: Associative, with a unit, with inverse elements Multiplicative: a ◦ b is written as ab . Cyclic: exists a generator g such that for every element h ∈ G q , exists a ω , s.t. h = g ω . Order q : For any group element g , g q = 1; if g � = 1 and q is a prime then g q ′ � = 1 for 1 ≤ q ′ < q . In particular, ( ∀ α ) ( g α = g α mod q ). Cyclic with prime order q : exists a generator g such that for every element h ∈ G q , exists a unique ω ∈ Z q , s.t. h = g ω . In particular, Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Reminder: ( G q , ◦ ) Example Let p , q be two large primes s.t. q | ( p − 1). Let G q be the unique subgroup of Z p ∗ of order q . Let g be the generator of G q . Other settings are possible; the most popular alternative involves elliptic curve groups where G q can be represented by using ≈ log 2 q bits. In the next we will abstract away the concrete group and assume that G q is a multiplicative cyclic group of order q (with some hardness assumptions). Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  28. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments G q : Additional Assumptions And Usefulness Efficiently computable isomorphism φ ( a ) : Z q → G q : given a generator g , a �→ g a = φ ( a ). φ is isomorphism: φ ( a ) φ ( b ) = g a g b = g a + b = φ ( a + b ), φ (0) = g 0 = 1, φ ( − a ) = g − a = 1 / g a = φ ( a ) − 1 Discrete Logarithm Assumption: φ − 1 is intractable to compute. I.e., given ( g , g a ), it is difficult to find a . Samplability: it is easy to pick a random element from G q Follows from isomorphism: sample a ← Z q and compute b ← g a ; since a is a random element of Z q then b is a random element of G q Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Random Self-Reducibility Of DL Theorem Fix a generator g ∈ G q . Assume that DL in basis g can be efficiently computed for a fraction δ ∈ (0 , 1) of values h ∈ G q . Then DL in basis g can be efficiently computed for any value h ∈ G q . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  29. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Random Self-Reducibility Of DL Proof. Assume A is an algorithm that computes DL in fraction δ of values h ∈ G q . Construct the next algorithm B : given ( g , h ) as an input, B does the following up to t times. Generate random r ← Z q . Give input ( g , h · g r ) to A . With probability δ , A returns the discrete logarithm d of h · g r . Then, d = DL ( h · g r ) = DL ( h ) + r and thus DL ( h ) = d − r . In this case, return d − r . Otherwise, repeat. W.p. 1 − (1 − δ ) t , B returns DL ( h ). If we want to achieve success probability to be ε then we have to set t = log(1 − ε ) log(1 − δ ) . For example if ε = 2 − 80 and δ = 2 − 8 then t < 14168 < 2 14 . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocol for Knowledge of DL Cyclic multiplicative group G q of order q , generator g . Let ω ← Z q and let h := g ω . Let x = ( G q , g , h ) be the common input, ω be the private input to P . The corresponding (unique) witness is ω ∈ Z q such that g ω = h . The relation R consists of all such pairs, R = ( g ω , ω ). Next, we show a Σ-protocol for PK ( h = g ω ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  30. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocol for Knowledge of DL Let p , q be two large primes s.t. q | ( p − 1). Let G q be the unique subgroup of Z ∗ p of order q . Let g be the generator of G q . Like always, other settings are possible Let ω ← Z q and let h := g ω . Let x = ( G q , g , h ) be the common input, ω be the private input to P . The corresponding (unique) witness is ω ∈ Z q such that g ω = h . The relation R consists of all such pairs, R = ( g ω , ω ). Next, we show a Σ-protocol for PK ( h = g ω ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Schnorr’s PK ( h = g ω ) [Schnorr, 1991] Let h = g ω . Let x = ( G q , g , h ) be the common input, ω is the private input to P . P V r ← Z q ; a := g r a c ← { 0 , 1 } 80 c z ← c ω + r z ? g z = ah c Completeness : g z = g c ω + r = g r ( g ω ) c = ah c . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  31. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Schnorr’s Proof of Knowledge: Efficiency Communication: ≈ | p | + t + | q | . On-line: one | q | × 80 bit multiplication (and one t -bit addition). Random number generation and exponentiation can be done off-line, during the processor’s idle time. If the scheme is used only for identification, where the prover has to reply to the challenge in a few seconds, the security parameter t V can be lowered, say, to 48 bits. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Security Properties: Special Soundness (1/2) Let x ∈ { 0 , 1 } ∗ be a string. A pair of accepting conversations ( x , a , c , z ) and ( x , a , c ′ , z ′ ) with c � = c ′ is called a collision . Collision occurs if the same person starts identification two times with the same first message, is answered by a different second message, and is accepted both times ( P , V ) has the special soundness property if the following holds: Given a collision for a public key x , there exists an efficient algorithm that on input of a collision for x outputs a witness ω such that ( x , ω ) ∈ R . ( NB! These security definitions are “simplified” ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  32. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Special Soundness (2/2) Intuitively, special soundness guarantees that P does not have an incentive to start the same protocol twice with the same message. She must include some randomness to not reveal her secret. Corresponds to the “proof of knowledge” property, but somewhat stronger. Knowledge extractor has to execute P only twice to extract the witness. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Schnorr’s Proof of Knowledge: Special Soundness Theorem Schnorr’s POK is specially sound. Proof. Given two accepting conversations ( x , a , c , z ) and ( x , a , c ′ , z ′ ) with c � = c ′ , we have that g z = ah c and g z ′ = ah c ′ . Then ω can be computed as ω ← z − z ′ c − c ′ , since z − z ′ c − c ′ = ( c ω + r ) − ( c ′ ω + r ) = ( c − c ′ ) ω = ω . c − c ′ c − c ′ Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  33. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Schnorr’s Proof of Knowledge: Special HVZK Some simulator M ∗ must be able to generate an accepting conversation without communicating with Prover With the same distribution as “real” conversations “Special HVZK”: this is achieved by first selecting randomly the second and the third message from corresponding domains, and then selecting the first message, s.t. the verification accepts Stronger than “non-special” HVZK Select c , z ← Z q , compute a ← g z · h − c . Then ( x , a , c , z ) is an accepting conversation with the correct distribution. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocol for PK ( A 1 ∧ A 2 ). Assume you are given a Σ-protocol for PK ( A 1 ) and PK ( A 2 ), where A 1 and A 2 are some predicates To construct a Σ-protocol for PK ( A 1 ∧ A 2 ) Run Σ-protocols for PK ( A 1 ) and PK ( A 2 ) in parallel Use the same challenge in both Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  34. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocol for PK ( A 1 ∨ A 2 ). Assume A 1 is true (the second case is dual) P does: Generate a 1 as in PK ( A 1 ). Run the simulator to produce valid view ( a 2 , c 2 , z 2 ) as in PK ( A 2 ). Send ( a 1 , a 2 ) to V . V generates a random c ← { 0 , 1 } 80 and sends it to P P computes c 1 ← c − c 2 mod 2 80 , and z 1 as it would be computed in PK ( A 1 ) after the first messages a 1 , c 1 . P sends ( c 1 , z 1 , z 2 ) to V V sets c 2 ← c − c 1 mod 2 80 . For i ∈ { 1 , 2 } , V performs the check, as done in PK ( A i ), on ( a i , c i , z i ). He also checks that c 1 ∈ Z 2 80 . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Application: Identification Schemes To get access, prove that you know your secret key Smart doors: use smart-card to get in ATM: identify yourself as a legal customer Common problem : must avoid re-execution of the protocol Verifier 1 cannot use the gained knowledge to impersonate you in another protocol run with Verifier 2 . Use, e.g., Schnorr’s Σ-protocol PK ( h = g ω ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  35. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Third Lecture Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Concept: random oracle Random oracle H = random function For every x , H ( x ) is randomly drawn from the output domain Implementation: H is a subroutine with initially empty database ( a , c ). H ( a ) returns c if ( a , c ) is in the database for some c . Otherwise H generates uniformly a new c , adds ( a , c ) to the database and returns newly generated c . In practice, a secure hash function (e.g., SHA256) is used Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  36. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Non-Interactive ZK (NIZK) A ZK protocol is non-interactive, if it consists of only one step: prover sending some information to verifier NIZK protocols exist only if P and V have access to some common, publicly available source of random strings (beacon) NIZK honest-verifier protocols exist also in random-oracle model Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments NIZK with Random Oracles Assume H is a random oracle. Specially HVZK, specially sound Σ-protocol ( P , V ) can be converted into a NIZK proof ( a , c , z ) by using the next general method: P V a ← a ( x , ω, Randomtape P ) c ← H ( a ) z ← z ( x , ω, Randomtape P , c ) ( x , a , c , z ) ? c = H ( a ) φ ( x , a , c , z ) accepts? c is random, but depends on a . It is NIZK only when H is a random oracle. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  37. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments NIZK with Random Oracles Assume H is a random oracle. Specially HVZK, specially sound Σ-protocol ( P , V ) can be converted into a NIZK proof ( a , c , z ) by using the next general method: P V a ← a ( x , ω, Randomtape P ) c ← H ( a ) z ← z ( x , ω, Randomtape P , c ) ( x , a , c , z ) ? c = H ( a ) φ ( x , a , c , z ) accepts? Thanks to special HVZK property, the NIZK proof can be usually shortened to ( c , z ). ( a can computed from ( c , z ) by following the simulation algorithm) Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments NIZK: Minimal Assumptions NIZK does not exist in the standard model (3 rounds were minimum) NIZK exists in the random oracle model (yeah, so what?) NIZK exists also in a somewhat weaker model where parties share a common random string ( common reference string model ) Simulator is given the power to create a new CRS with a potential trapdoor in it. (We will see a model, related to CRS, a bit later) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  38. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Signature Schemes Signature scheme — a tuple of probabilistic algorithms (Gen , Sign , Vrfy) over a message space M , such that: The key-generation algorithm Gen outputs a public key pk and a secret key sk . The signing algorithm Sign takes as input signer’s secret key sk and a message m ∈ M and returns signature σ . Verification algorithm Vrfy takes as input signer’s public key pk, a message m ∈ M , and a signature σ and returns accept or reject. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Signature Schemes — Completeness Definition A signature scheme is complete if for all ( sk , pk) output by Gen and all m ∈ M , we have Vrfy pk ( m , Sign sk ( m )) = accept . We say that a signature σ on m is valid if Vrfy pk ( m , σ ) = accept. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  39. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Security of A Signature Scheme: Intuition An adversary is asked to forge a signature: i.e., to produce a message m with a candidate signature σ , such that Vrfy pk ( m , σ ) = accept. In real life situations, adversary can be more powerful: it may be able to request signatures to some messages that she likes. Her quest then is to generate a valid pair ( m , σ ) that she has not seen before. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Security of A Signature Scheme: Intuition Access to the oracle corresponds to the training session for the adversary and makes the signature scheme even stronger. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  40. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Security of A Signature Scheme Definition Let ∆ := (Gen , Sign , Vrfy) be a signature scheme. An adversial forging algorithm F is said to ( t , q h , q s , ε ) -forge ∆ if F runs in time at most t , makes at most q h hash queries and in total at most q s signing queries, and furthermore Adv forge ( F ) := Pr[(pk , sk ) ← Gen; H ← Ω; ∆ ( m , σ ) ← F Sign sk ( · ) , H ( · ) (pk) : σ �∈ Σ( m ) ∧ Vrfy pk ( m , σ ) = accept] ≥ ε , where Σ( m ) is the set of signatures received from Sign sk ( m ). A signature scheme is ( t , q h , q s , ε ) -unforgeable if no forger can ( t , q h , q s , ε )-forge it. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Application of ZK: Signature Scheme Assume H is a random oracle. Specially HVZK and specially sound Σ-protocol ( P , V ) can be converted into the generic signature scheme Sign ( P ) by using the next general method: P V a ← a ( x , ω, Randomtape P ) c ← H ( m , a ) z ← z ( x , ω, Randomtape P , c ) ( m , a , c , z ) ? = H ( m , a ) c φ ( x , a , c , z ) accepts? Signature of m is equal to ( a , c , z ) H is a RO: c is “random”, but “depends” on ( m , a ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  41. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Security of Resulting Signature Scheme Fix a signature scheme Sign ( P ). An adversary ( q , t , ε ) -forges P ’s signature if it works in time t and with success probability ε , can generate a tuple ( m , a , c , z ) such that φ ( m , a , c , z ) accepts. Adversary is allowed to ask P to sign up to q different messages (not equal to m ). Lemma (Forking lemma [Pointcheval and Stern, 2000]).) Assume that some algorithm A ( q , t , ε ) -forges a signature ( m , a , c , z ) , with ε ≥ 7 q / 2 k , where k is the security parameter. Then there exists another machine, that with oracle access to A, can produce a collision ( m , a , c , z ) , ( m , a , c ′ , z ′ ) , with c � = c ′ , in expected time t ′ ≤ 84480 tq /ε . E.g.: ε = 2 − 50 , q = 2 40 , then t ′ ≤ 2 77 t . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Schnorr’s Signature Scheme Let h := g ω . Let x = ( G q , g , h ) be the common input, ω is the private input to P . P V r ← Z q ; a := g r c ← H ( m , a ) ( m ; a , c , z ) z ← c ω + r c ? = H ( m , a ) ? = ah c g z Check: g z = g c ω + r = g r ( g ω ) c = g ω h c = ah c . Schnorr’s scheme is very well known, DSA (official signature standard) is based on it. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  42. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Beware the RO In practice, H is a standard hash function In such a case, the conversion scheme looses provable security For some concrete identification schemes, the conversion works if H is the random oracle, but not for any instantiation of H by a real hash function [Goldwasser and Kalai, 2003]. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Schnorr’s Signature Scheme: Efficiency P has to perform on-line one H evaluation, one 160-bit multiplication and one addition. Communication can be reduced: P sends ( m , c , z ) and V verifies that s = H ( m , g z h − c ). Thanks to the special HVZK property Same trick works for any converted signature scheme Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  43. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Background: Decision-Diffie Hellman Groups Let G q be a finite, cyclic group of prime order q in which the group operation is represented multiplicatively; furthermore, let g be a generator of G q . E.g.: let p , q be two large primes such that q | ( p − 1), then G q a multiplicative subgroup of Z ∗ p of order q , and g a generator of G q . A distinguishing algorithm A is said to ( t , ε )-break DDH (Decisional Diffie-Hellman) in group G q if A runs in time at most t and furthermore Adv ddh G q ( A ) := | Pr[ x , y , z ← Z q : A ( g , g x , g y , g z ) = 1] − Pr[ x , y ← Z q : A ( g , g x , g y , g xy ) = 1] | ≥ ε , where the probability is taken over the choice of random variables and the coin tosses of A . We say that G q is a ( t , ε )-DDH group if no algorithm ( t , ε )-breaks DDH in G q . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang 2003 [Katz and Wang, 2003]: Signature Scheme With Better Reduction Let g 1 , g 2 be two generators of G q , s.t. nobody knows their mutual discrete logarithms. Prover has a secret key ω ← Z q . Let ( h 1 , h 2 ) be Prover’s public key, where h 1 := g 1 ω , h 2 := g 2 ω . Prover proves that he knows that ( g 1 , g 2 , h 1 , h 2 ) is a valid Decisional Diffie-Hellman (DDH) tuple. The resulting NIZK proof has tighter reduction than Schnorr’s signature. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  44. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Σ-Protocol for Valid DDH Tuple Common input: x = ( G q , g 1 , g 2 , h 1 , h 2 ); ω is the private input of P . Prover proves that ( g 1 , g 2 , h 1 , h 2 ) is a valid Diffie-Hellman tuple. P V r ; a 2 ← g 2 r r ← Z q ; a 1 ← g 1 ( a 1 , a 2 ) c ← { 0 , 1 } 80 c z ← c ω + r z c ∧ g 2 ? ? z z c = a 1 h 1 = a 2 h 2 g 1 i ) c = g ω i = g c ω + r Correctness: g z i h c i = a i h c = g r i ( g ω i . i ω ∧ ( h 2 ) = g 2 This is a typical PK ( A 1 ∧ A 2 ): PK (( h 1 ) = g 1 ω ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang Signature Scheme: Final Construction Let x = ( G q , g 1 , g 2 , h 1 , h 2 ) be the common input, ω be the private input to P . Prover proves, by using the Fiat-Shamir heuristic, that ( g 1 , g 2 , h 1 , h 2 ) is a valid Diffie-Hellman tuple. P V r ← Z q ; a 1 := g 1 r ; a 2 := g 2 r c ← H ( m , a 1 , a 2 ) ( m ; c , z ) z ← c ω + r c ? = H ( PK , g 1 z h 1 − c , g 2 z h 2 − c , m ) (As in Schnorr’s signature, a i do not have to be sent.) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  45. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang Signature Scheme: Security Claim Theorem Let G q be a ( t ′ , ε ′ ) -DDH group with | G q | = q such that exponentiation in G takes time t exp . Then the Katz-Wang signature scheme is ( t , q h , q s , ε ) -unforgeable in the random oracle model, where t ≤ t ′ − 2 . 4( q s + 1) t exp and ( F ) − q s q h q − 1 + ( q h + 1) q − 1 . G q ( A ) ≥ Adv forge Adv ddh ∆ Tighter reduction is achieved since the security proof does not rely on knowledge extractors. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang: Proof Idea (1/2) S H A Input Output Assume that A is the forger. We do not know anything about its interior, but we know that: given a random DDH tuple as an input, a signing oracle that signs queried messages, and a random oracle, A outputs a new signature pair with probability ε . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  46. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang: Proof Idea (2/2) Distinguisher D S H A I O Distinguisher D executes A , and simulates input (perfectly if given a DDH tuple), hash oracle (perfectly), signing oracle (with some small error) and reads A ’s output. If D gets DDH tuple then D has success whenever A has success (except in the case of this small error). If D does not get DDH tuple then D has success with a very small probability. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang Proof Longer Intuition Given a forger F that, given certain input distribution, and certain input-output behaviour of the oracles, is guaranteed to forge the signature scheme. We construct a distinguisher that feeds F in a public key (with correct distribution if its own input was a DDH tuple), and emulates the oracles so that their input-output behaviour did not change (except with the probability of abort). Therefore, if the input is a DDH tuple then F guaranteed to output a forgery with probability ε − Pr[aborting]. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  47. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang Proof Longer Intuition If the input is not a DDH tuple then F can produce forgery with a very small probability. The difference between those two forgeries gives the advantage of D . In simulation of Sign-queries, since D does not know the secret key, he attempts to simulate a correct signature by using the ZK property of the ZK proof that a tuple is a DDH tuple. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang: Proof (1/4) Let F be a signature forger who ( t , q h , q s , ε )-forges. Construct the following distinguisher D that is given as input a tuple PK := ( g 1 , g 2 , y 1 , y 2 ) and who has to decide if it is a DDH tuple. D gives PK to F as a public key, and then executes F step-by-step, except that If F makes a hash query H ( PK , a 1 , a 2 , m ) then D returns a uniformly random value from Z q if such a hash query was previously not made, or the result of the previous hash query, otherwise. If F makes a signature query on some m then D tries to simulate the ZK proof that PK is a DDH tuple: D chooses 1 y − c 2 y − c random c , z ← Z q , computes a 1 ← g z and a 2 ← g z 2 . 1 If H had previously been queried on ( PK , a 1 , a 2 , m ) then D aborts; otherwise, D sets H ( PK , a 1 , a 2 , m ) := c and outputs the signature ( c , z ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  48. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang: Proof (2/4) At some point, F outputs its forgery ( ˜ m , ˜ σ = (˜ c , ˜ z )), where ˜ σ was not previously the response to a query Sign( ˜ m ). Letting 1 y − ˜ c 2 y − ˜ c a 1 = g ˜ z a 2 = g ˜ z ˜ and ˜ 2 , assume also that D has previously 1 m ). Now, D outputs 1 if queried H ( PK , ˜ a 1 , ˜ a 2 , ˜ H ( PK , ˜ a 1 , ˜ a 2 , ˜ m ) = ˜ c (i.e., verification succeeds), and 0, otherwise. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang: Proof (3/4) What is the probability that D outputs 1? If PK is a DDH tuple then D perfectly simulates F except when D aborts. Abort can occur during any signing query, and in every signing query, the probability of abort is upper bounded by q h / | G q | . Therefore, F outputs a forgery with probability ε − q s q h / q . If PK is a random tuple then with probability 1 − 1 / q it is not a DDH tuple. In this case, for any query H ( PK , a 1 , a 2 , m ) made by 1 y − c F there exists at most one c for which exists an z s.t. a 1 = g z 1 2 y − c and a 2 = g z (look at the linear equations over Z q in the 2 exponent). Thus F outputs a forgery (and D outputs 1) with probability at most 1 / q + q h / q . Thus the success probability of D is ( ε − q s q h / q ) − (1 / q + q h / q ) = ε ′ . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  49. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Katz-Wang: Proof (4/4) The running time of D includes the running time of F and is otherwise dominated by the two multi-exponentiations that are performed for each signing query plus those done at the verifying the output. Assuming that multi-exponentiation takes time 1 . 2 t exp , we are done. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Signature Conversion: Beware The RO Note how H was us in the proof: H () is assumed to be random The points at which H is queried is assumed to be known Forger can reprogram H by setting H () = c at will, as soon as H () was not queried at the same argument before, and c is uniformly random. Not very realistic! Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  50. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Fourth Lecture Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Fourth Lecture Home assignments: Problem 1 Prove that the previously presented PK ( A 1 ∨ A 2 ) is secure (define what is secure, define what is expected) 2 Prove that GNI has a CZK proof (with all the details). Present a proof of knowledge. 3 Pick one NP-complete problem from http://en.wikipedia.org/wiki/NP-complete that has not been tackled yet. Present a CZK proof for it. (Coordinate so that everybody has a different problem.) For some problems, the task is easy, for some, it is difficult. Pick the one you like. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  51. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Witness Hiding Let ( P , V ) be any Σ-protocol for some relation R (HV)ZK guarantees that no information whatsoever is revealed in case of any fixed common input v (in the case of honest verifier) Witness hiding: malicious verifier gets at most a negligible advantage when trying to compute any ω in R W ( x ), compared to the situation before the start of the protocol Difference: Witness hiding only guarantees that no useful information is given away in the average, even if the verifier is malicious Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Witness Hiding: Schnorr’s Scheme Until recently, it was not known if Schnorr’s scheme is witness hiding. In 2002, Schnorr’s scheme’s security against impersonation has been finally proven [Mihir Bellare, 2002]. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  52. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Witness Indistinguishability Definition Let x ∈ L and let ω 1 , ω 2 be two witnesses. For a honest prover P and an arbitrary PPT V ∗ , let view ( x , ω i ) denote the view of V ∗ on the protocol execution if P uses witness ω i . Protocol ( P , V ) is witness indistinguishable if view ( x , ω 1 ) ≈ c view ( x , ω 2 ). That is, the views of V ∗ that correspond to P using witnesses ω 1 and ω 2 are computationally indistinguishable. Theorem Any zero-knowledge protocol is WI. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments NIZK In CRS Common Random String Assumption: P and V share a uniformly random string σ . Weaker/more reasonable than RO: RO does not exist at all, but σ can be generated by a Trusted Third Party. Involves trust in TTP, but so does PKI, and e-banking. It is well-known that NIZK exists in the CRS model. (We will not prove it, but use it as as fact.) Idea: take a Σ protocol, but compute its second message as a cryptographic function over the first message and the CRS. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  53. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments NIZK In CRS: Robustness Standard CRS: allows the simulator to create a new random string Definition: CRS is part of the protocol transcript that the simulator simulates This might be too strong. . . Same-string NIZK [De Santis et al., 2001]: works also when the simulator uses the same CRS as the prover Same-string NIZK proofs (with omnipotent P ) are impossible for hard-on-average NP -complete languages Same-string NIZK arguments (with comp bounded P ) exist for NP given a one-way trapdoor permutation Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Zaps: Definition Zap is a 2-message protocol for proving membership of x ∈ L , where L is a language in NP , satisfying the following conditions. Let the first message be ρ , the second message be z = z ( x , ω, ρ ) and the acceptance/rejection function be φ ( x , ρ, z ). Assume that ρ is a random string (i.e., a zap is a public coin protocol). Completeness Given x , a witness ω , and a first message ρ , a PPT (in | x | ) prover can generate a proof z that is accepted by verifier. Soundness ρ [( ∃ x ′ �∈ L , z ) s.t. φ ( x ′ , ρ, z ) = accept ] = negligible ( | x | ) . Pr Witness-Indistinguishability Let ω 1 , ω 2 ∈ R ( x ). Then ∀ ρ , the distributions of z ( x , ω 1 , ρ ) and z ( x , ω 2 , ρ ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols are (non-uniform) PPT indistinguishable.

  54. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Zaps: Assumptions Assume the existence of a NIZK proof system for NP in the common random string model. For common input x , let the common random string have length ℓ := ℓ ( | x | ). Assume that on any input y �∈ L of length | x | , the NIZK errs with probability at most ε nizk . Let k = k ( | x | ) = | ρ | and m := k /ℓ be such that nizk > ε zap ε k /ℓ 2 | x | + ℓ , where ε zap is the desirable soundness guarantee of the zap Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Zaps: Dwork-Naor Construction First message, V → P : Verifier sends a m ℓ = k -bit string b 1 . . . b k = B 1 . . . B m , where | B j | = ℓ . Second message, P → V : Choose C = C 1 . . . C ℓ ← { 0 , 1 } ℓ . For j ∈ { 1 , . . . , m } , define σ j ← B j ⊕ C . Let z i be a (randomly chosen) second message of the protocol that corresponds to the common random string σ i . Send to verifier ( x , C , z 1 , . . . , z m ) . Accept iff each m NIZKs z 1 , . . . , z m lead to acceptance. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  55. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments DN Protocol: Soundness Theorem The Dwork-Naor protocol is sound. Proof. Fix an x �∈ L and a random C = C 1 . . . C ℓ . Since B j ’s are random then also σ j ’s are. Thus ∀ i , each copy of NIZK proof rejects w.p. at most ε nizk . Since b i ’s are independent then proofs z i are independent and thus the probability that all m = k /ℓ copies fail is at most ε m nizk . The number of possible values of x �∈ L and c is at most 2 ℓ + | x | . nizk = 2 ℓ + | x | ε k /ℓ Hence, if 2 ℓ + | x | ε m nizk ≤ ε zap (which we assumed) then Pr ρ [ ∃ ( x �∈ L , C , z ) φ ( x , C , z ) = accept ] ≤ ε zap . Helger Lipmaa MTAT.07.005 Cryptographic Protocols In particular, there exists a � ρ n that provides soundness against all x �∈ L n : ∀ x �∈ L n , z ( x , � ρ n , z ) = reject . First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments DN Protocol: Witness Indistinguishability I Theorem The Dwork-Naor protocol is WI. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  56. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments DN Protocol: Witness Indistinguishability II Proof. We provide the proof for every ρ . Thus, fix any ρ . Let ω 1 , ω 2 be two witnesses for x ∈ L . Hybrid argument: in Game i , ω 1 is used in the first i copies of NIZK proofs and ω 2 is used in the last m − i copies. Let D i be the distribution of the second message in Game i ; it only depends on the random choices made by prover. Let T be a distinguisher between ω 1 and ω 2 , let T ( i ) denote T ’s output in Game i . Assume that for some j , for some fixed p ∈ Z [ y ], 1 Pr[ T ( j − 1) = 1 − T ( j ) = 1] ≥ p ( | x | ) . (Probability over random choices of P , T .) We now show that underlying NIZK ( P ∗ , V ∗ ) is not WI. Let Helger Lipmaa MTAT.07.005 Cryptographic Protocols r ← { 0 , 1 } ℓ . Choose u ← { ω 1 , ω 2 } and give u to P ∗ . Let P ∗ generate a proof z on witness u and common random string r . First Lecture: Main Notions Using ω 1 and ω 2 , construct a simulated transcript of the DN Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes protocol as follows. Denote ρ = B 1 . . . B m , set C = r ⊕ B j , then Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments σ j = C ⊕ B j = r is truly random by choice of r . DN Protocol Is A Zap For i < j , choose z i according to the witness ω 1 and σ i . For i > j , choose z i according to the witness ω 2 and σ i . Set z j ← z that is a random message corresponding to ( x , u , r ). Theorem Run T on resulting transcript Z = ( z 1 , . . . , z m ). Since r is The Dwork-Naor protocol is a zap. uniformly random then C is uniformly random, thus Z is a uniformly random element of either D j − 1 (if u = ω 2 ) or D j (if Proof. u = ω 1 ). Thus, T can be used to distinguish these two cases, and Completeness follows from the completeness of underlying NIZK thus also to guess whether u = ω 1 or u = ω 2 . system. Soundness and WI were proven before. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  57. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Fifth Lecture: Applications/Commitments Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments More Applications of Σ-protocols Aside from identification and signing, Σ-protocols are also extensively used to prove the correctness of behavior in many protocols. For example: Blind signature/digital cash protocols Electronic voting Electronic auctions . . . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  58. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Background: Commitment Schemes Using a random value r , prover commits to m by sending C ( m ; r ) to V Later, P reveals m and possibly some other information; V can verify that m is the value that was previously committed Hiding property: V gets no information about m from C ( m ; r ) Computational/statistical hiding depending on whether V is computationally bounded or not Binding property: P cannot generate ( m ′ , r ′ ), m ′ � = m in the plaintext set, s.t. C ( m ; r ) = C ( m ′ ; r ′ ) Computational/statistical binding depending on whether P is computationally bounded or not Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Notation Notation : From now on, R denotes the set of all random coins (e.g., Z q ). For a set Z , Z also denotes a uniform distribution on Z . G ( Z ) denotes the distribution that one gets by first choosing a random element z of Z and then returning the value of G ( z ). Example C ( m ; R ) denotes the distribution that one gets by first selecting r ← R and then computing C ( m ; r ). A ( C ( m ; R )) denotes the distribution that one first gets by selecting x according to the distribution C ( m ; R ) and then returning A ( x ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  59. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Hiding: Formal Definition Hiding property : V gets no information about m from C ( m ; R ) Define two experiments Exp 0 and Exp 1 : In Exp b , A selects a message tuple ( m 0 , m 1 ) and obtains C ( m b ; R ). A ’s task is to distinguish Exp 0 from Exp 1 : � � A = 1 : Exp 1 � � A = 1 : Exp 0 �� � . Adv Hide � Pr ( A ) := − Pr C C is computationally hiding if no computationally bounded (i.e., PPT) A can distinguish Exp 0 and Exp 1 with a high probability. C is statistically hiding if the same holds even for an unbounded A Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Pseudorandom Generators Function G from M to N , | M | ≪ | N | , such that its output — on random input — is indistinguishable from random string Formally, we have two experiments: In Exp 0 , A obtains an element from N . In Exp 1 , A obtains an element from G ( M ). A ’s success is defined as � � � = � Pr[ A = 1 : Exp 1 ] − Pr[ A = 1 : Exp 0 ] | Pr[ A ( N ) = 1] − Pr[ A ( G ( M )) = 1] | . G is a PRG if any efficient A has a very small success probability. Fact : one can construct a PRG from any one-way function [ ? ]. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  60. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Naor: C-H Commitments from Any PRG Let G : { 0 , 1 } k → { 0 , 1 } 3 k be a pseudorandom generator For a bit m and a s ← { 0 , 1 } k , define � ( r , G ( s )) , b = 0 , C ( m ; s ) := ( r , G ( s ) ⊕ r ) , b = 1 , where r ← { 0 , 1 } 3 k . As a protocol: V selects r ← { 0 , 1 } 3 k , sends to P . P selects s ← { 0 , 1 } k , sends to V . Opening: P sends s to V . Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Naor Commitment: Security Computationally Hiding: If r ← { 0 , 1 } 3 k is uniformly random then C (0; { 0 , 1 } k ) = ( { 0 , 1 } 3 k , G ( { 0 , 1 } k )) and C (1; { 0 , 1 } k ) = { ( r , G ( { 0 , 1 } k ) ⊕ r ) : r ← { 0 , 1 } 3 k } are computationally indistinguishable. Statistically Binding: If r � = G ( s 1 ) ⊕ G ( s 2 ) for some s i then there are no strings that can arise as both commitments to 0 and to 1. The probability of the bad case is less than 2 − k . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  61. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Naor Commitments: Properties Computationally hiding Statistically binding Positive: Can construct from any one-way function/PRG Some OWF-s can be very efficient: e.g., use a block cipher Negative: Interactive: r is chosen by V Commits only to a single bit Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Statistically Hiding Commitment from Any OWF Naor’s scheme is computationally hiding It was shown relatively recently (Eurocrypt 2005) that one can construct statistically hiding commitment based on any OWF Too complicated for this course Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  62. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Pedersen’s Commitment Scheme [Pedersen, 1991] Assume G q is a finite cyclic group of prime order q . Set-up Let h be a generator of G q . Let g ← G q s.t. nobody knows log g h and g � = 1. Commitment C K ( m ; r ) = g m h r mod p where r ← Z q Opening Reveal m and r Assumes that DL is hard. Positive: Commits to up to log 2 | G q | = log 2 q bits Non-interactive Negative: “Algebraic” requirement (no block ciphers) Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Pedersen’s Commitment: Security Proof Commitment: C K ( m ; r ) = g m h r mod p where r ← Z q Theorem Assume that DL is hard in group G q . Pedersen’s commitment scheme is unconditionally hiding and computationally binding. Proof. Unconditional hiding: Since r is a random element of Z q then g m h r is a random element of G q , independently of the choice of m . Computational binding: Given ( m ; r ), ( m ′ ; r ′ ), s.t. g m h r = g m ′ h r ′ , m � = m ′ mod q , one can compute g ← h ( r − r ′ ) / ( m ′ − m ) . (This is valid since m � = m ′ , q is prime and therefore ( m ′ − m ) − 1 exists.) Therefore, the adversary has computed the DL of g in base h . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  63. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Reminder: Σ-Protocols Let ( P , V ) be a specially-sound, specially HVZK Σ-protocol that proves the knowledge of some secret unknown to the committer. In particular, view of ( P , V ) is of form ( a , c , z ). Special soundness: given two accepting views ( a , c , z ) and ( a , c ′ , z ′ ) one can compute the secret Special HVZK: one can simulate an accepting view on common input x and on any challenge c by computing corresponding ( a , z ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments HVZK to Trapdoor Commitment: [Damg˚ ard, 2000] “Auxiliary string model”: verifier has secret key sk , committer knows the corresponding public key pk. It is assumed that sk exists and that committer knows it. Trapdoor commitment: by knowing sk , verifier herself can open a commitment to different messages. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  64. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments HVZK to Trapdoor Commitment: [Damg˚ ard 2000] Let ( P , V ) be a specially-sound, specially HVZK Σ-protocol that proves the knowledge of sk . In particular, view of ( P , V ) is of form ( a , c , z ). Commitment scheme: Let m be the message to be committed, simulate an accepting view ( a , m , z ) with m as the challenge. Commit a . Decommit: output ( m , z ). Binding: if committer opens a to m ′ � = m then by the special soundness assumption, she can compute the secret sk Hiding: since simulation is indistinguishable from the real view and in the real protocol, a does not depend on m Trapdoor: since V knows the secret then she can open the commitment a with any m ! Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Application: Joint Coin Tossing Alice and Bob want to decide on something by tossing a coin over a phone. How to do this securely? Solution: Alice commits to a random bit b A ← { 0 , 1 } , and sends C ( b A ; r ) to Bob Bob selects a random bit b B ← { 0 , 1 } and sends it to Alice Alice decommits b A Alice and Bob compute the coin toss as b A ⊕ b B Alice can refuse to open her message when she does not like Bob’s � Partially solved with fair exchange protocols � Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  65. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Meta-application: Artificial Synchronicity In real life, protocols are asynchronous, no two messages are received simultaneously Easier to design secure protocols in synchronous setting Simulate synchronocity: Alice commits to her message, Bob sends his, Alice opens hers Alice’s and Bob’s messages are independent � Alice can refuse to open her message when she does not like Bob’s � Partially solved with fair exchange protocols � Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments HVZK: Protocols about Commitments Pedersen commitment scheme. Proof that P knows how to open y = C ( µ ; ρ ) = g µ h ρ : P V n ← G q , s ← G q , a ← g n h s a c ← { 0 , 1 } 80 c z ← c µ + n , v ← c ρ + s z , v ? g z h v = ay c Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  66. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Commitment + Σ-Protocol ⇒ ZK Design a 3-round Σ-protocol between P and V : P sends the first and the third steps, V sends a random string on the second step. In practice, hard to guarantee that V does not cheat Solution: V selects his challenge c and commits to it before seeing P ’s first messages P sends then her first message, V opens his commitment, and P sends her second message Proof: since Σ was HVZK and c does not depend on P ’s messages. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Simple POK: c 1 , c 2 Commit to Same Value Recall Pedersen: C ( m ; r ) = g m h r Want to prove in HVZK that c 1 and c 2 commit to the same value. How? Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  67. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Simple POK: c 1 , c 2 Commit to Same Value If c 1 and c 2 commit to same value then c 1 / c 2 commits to zero P proves that c 1 / c 2 is a commitment of 0 i.e., that he knows log h c 1 / c 2 . Assume c i = g m h ri . Use Schnorr’s protocol for the knowledge of a DL of c 1 / c 2 : P V s ← Z q , a ← h s a c ← { 0 , 1 } 80 c z ← c ( r 1 − r 2 ) + s z ? h z = a ( c 1 / c 2 ) c Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Another POK: c 1 And c 2 Commit to Different Values Complementary idea: prove that c 1 / c 2 = g m 1 − m 2 h r 1 − r 2 does not commit to 0, i.e., that c 1 / c 2 = g m h r for non-zero m P chooses s ← Z q , and sends C 1 ← ( c 1 / c 2 ) s = g m · s h r · s and C 2 ← h r · s to V In parallel, P and V engage in a HVZK POK that P knows such ( α, β, γ ) that C 1 = ( c 1 / c 2 ) α , C 1 = g β h γ and C 2 = h γ . Verifier accepts iff the HVZK POK accepts and C 1 � = C 2 . Problem Prove that it is special HVZK, special sound, complete. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  68. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Back to the past: 3COL Simpler ZK proof for 3COL : Prover commits the colors of all edges For every edge, she proves in ZK that The two vertex colors are valid The two vertex colors are different Problem Write down a precise protocol and a precise proof of security. What are the underlying computational assumptions? Compare it with the proof from the first lecture. Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Composition of ZK Sequential composition: If A proves to B in ZK that Φ 1 is true and after its end, C proves to D in ZK that Φ 2 is true then the whole system is ZK (since the first proof is ZK, it does not reveal any information) What about parallel composition ? Common attack: man-in-the-middle If A proves that Φ 1 is true to B , then M acts in the middle, modifying the messages by A suitably, and interacting with B so that B believes that M can prove that Φ 1 or some related claim is true Not every ZK protocol is composable Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  69. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Where Can MIM Be Bad? Assume an hypothetical (sealed-bid) e-auction protocol where first every user commits to his/her bid b i . Then auctioneer commits to the database of all bids b i . Then all bidders open commitments, auctioneer decides the winner. Not secure: You can copy the bids of other bidders. In the case of Pedersen’s commitments, you can compute from C ( b i ) the value C ( b i + 1) without knowing b i Solution 1: let everybody prove that they know what they bid in ZK Problem 2: as we show next, just ZK is not sufficient Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments MIM Attack: Example P proves that he knows DL ω of h = g ω : P V r ← Z q ; a := g r a c ← { 0 , 1 } 80 c z ← c ω + r z ? g z = ah c V forwards a to V ′ . After receiving c from V ′ , V forwards it to P . After receiving z from P , V forwards z + c to V . V ′ is convinced that V knows DL ( g ω +1 )! Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  70. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Non-Malleable ZK Protocol is non-malleable if in any man-in-the-middle situation between prover A and honest verifier B there exists a simulator S that can simulate the view of honest B , interacting with man-in-the-middle M , without communicating with A . Previous slide showed that Schnorr’s proof is malleable. Even simpler: Previous poof that ( g , g a , g b , g ab ) is a DDH tuple is not non-malleable: based on it, M can generate say a proof that he knows the DL of g a Helger Lipmaa MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Non-Malleable ZK Current NMZK protocols are extremely inefficient: a promising area of research (papers in FOCS, STOC, 2005) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  71. First Lecture: Main Notions Second Lecture: Proofs of Knowledge Zero-Knowledge Third Lecture: NIZK + Signature Schemes Two-Party Protocols Fourth Lecture: Witness Hiding/Zaps Fifth Lecture: Applications/Commitments Non-Malleable NIZK NIZK: no interaction, thus non-malleability has to defined differently Basic idea: Π is a NIZK for claim Φ if after seeing Π, an efficient adversary does not gain any power to prove any new claims, except presenting the string Π to prove Φ This is also a very strong claim: If Π i = ( a i , H ( a i ) , z i ) is a NIZK for Φ i , then Π = ( a 1 , a 2 ; H ( a 1 , a 2 ); z 1 , z 2 ) is a NIZK for Φ 1 ∧ Φ 2 . But given Π, one can often easily construct Π i by reprogramming H ! See [Sahai, 1999] (NIZK in CRS model) Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Sixth Lecture: Homomorphic Protocols For a simple handout of the corresponding lecture in MIT, see http://web.mit.edu/6.857/OldStuff/Fall02/handouts/ L15-voting.pdf Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  72. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Recap Thus far, we have seen what are zero-knowledge protocols Big promise: they can be applied “everywhere” Examples up to now: Signature schemes Identification protocols Joint coin tossing (well, didn’t use ZK) This lecture: some concrete protocols Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Simple Example: Veto Assume Alice and have to decide on some issue Vetoing: decision is taken only if everybody supports it Privacy: minimal amount of information about votes will be leaked If Alice votes for then the result will be equal to Bob’s vote ⇒ Bob’s privacy cannot be protected here If Alice votes against then result will be “no” independently of Bob’s input ⇒ Alice should get no information Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  73. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Mathematical Formulation: Veto = AND Assume the private inputs are b A and b B The common output must be f ( x , y ) := x ∧ y Nothing else than f ( x , y ) should become public In general case, every party can have a different private output f i ( x 1 , . . . , x n ) Then the task is: given private inputs b i , party i should learn f i ( b 1 , . . . , b n ) and nothing else Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Homomorphic Encryption Assume Π = ( G , E , D ) is a homomorphic public-key cryptosystem, such that (sk , pk) ← G is the key generation E pk ( m ; r ) = c is the randomized encryption algorithm D sk ( c ) = m is the decryption algorithm and D sk ( E pk ( m ; r )) = m for all m , r and (sk , pk) ∈ G D sk ( E pk ( m 1 ; r 1 ) · E pk ( m 2 ; r 2 )) = m 1 + m 2 for every m 1 , m 2 , r 1 , r 2 , where + is defined in some additive group G . Π is IND-CPA secure (defined later) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  74. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Homomorphic Encryption Denote by M the set of valid plaintexts, by R the set of valid random coins and by C the set of valid ciphertexts. All three sets can depend on (sk , pk). Rerandomization: For any m and r , ( E pk ( m ; r ) · E pk (0; R ) = ( E pk ( m ; R ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Homomorphic Encryption: Basic Properties D sk ( E pk ( m 1 ; r 1 ) · E pk ( m 2 ; r 2 )) = m 1 + m 2 (by definition) Computation of an encryption of m 1 + m 2 does not need the knowledge of m 1 or m 2 For m ∈ M and α ∈ Z |M| , D sk ( E pk ( m ; r ) α ) = α · m (by definition of exponentiation) Intuitively, somebody has to know α to compute E pk ( α · m 2 ) If M is multiplicative then D sk ( E pk ( m ; r ) α ) = m α For encrypted E pk ( f t ), one can compute encryption of f ( x ) = f t x t + f t − 1 x t − 1 + · · · + f 1 x + f 0 on an arbitrary point x it as follows: E pk ( f ( x )) = E pk ( f t ) x t · E pk ( f t − 1 ) x t − 1 · · · · · E pk ( f 0 ) . If M is multiplicative then f ( x ) = f tx t · f t − 1 x t − 1 · · · · · f 1 x · f 0 . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  75. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols ElGamal Encryption Assume a cyclic group G q of prime order q . Let g be its generator. G : let sk ← Z q and pk := h = g sk . Encryption of message m ∈ G q : generate random r ← Z q . Compute E pk ( m ; r ) := ( mh r , g r ) Decryption of ciphertext c = ( c 1 , c 2 ) ∈ G q 2 : set D sk ( c 1 , c 2 ) := c 1 / c sk 2 . Correctness: D sk ( E pk ( m ; r )) = D sk ( mh r , g r ) = mh r / ( g r ) sk = m ( g sk ) r / ( g sk ) r = m . Homomorphism in group G q (e.g., a multiplicative subgroup of Z ∗ p , with q | ( p − 1), or an elliptic curve group) where DL is assumed to be hard: E pk ( m 1 ; r 1 ) · E pk ( m 2 ; r 2 ) = ( m 1 m 2 h r 1 + r 2 , g r 1 + r 2 ) = E pk ( m 1 · m 2 ; r 1 + r 2 ). Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols IND-CPA Security Assume Π = ( G , E , D ) is a PKC. Let A be an efficient adversary. Experiment 1 Experiment 2 Set (sk , pk) ← G . Send pk to A . Set (sk , pk) ← G . Send pk to A . Obtain ( m 1 , m 2 ) ← A (pk). Obtain ( m 1 , m 2 ) ← A (pk). Output E pk ( m 1 ; r ) for r ← R . Output E pk ( m 2 ; r ) for r ← R . Advantage of A : � � Adv indcpa � Pr[ A = 1 : Exp1] − Pr[ A = 1 : Exp2] � . ( A ) := Π Π is IND-CPA secure if no efficient A has non-negligible Adv indcpa ( A ). Π Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  76. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols ElGamal Is IND-CPA Secure Theorem Assume that DDH is hard in G q . Then ElGamal is IND-CPA secure. Remark: in the case of homomorphic cryptosystems, ( m 1 , m 2 ) do not have to be chosen by A . Given any ( m ′ 1 , m ′ 2 ) and an E pk ( m ′ b ; · ), he can first transform it to E pk ( m b ; · ) by using affine operations, and then continue with this value. We will prove that ElGamal is secure in the next sense: one cannot efficiently distinguish between random encryptions of 1 and a random element of M . It is a well-known but not completely trivial fact that this security notion is polynomially equivalent to IND-CPA. Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols ElGamal Is IND-CPA Secure I First part. Assume that A can break the “weak” IND-CPA security with some probability. Construct the next DDH distinguisher D . Given a y quadruple ( g 1 , g 2 , g 3 , g 4 ), where g 2 ← g x 1 , g 3 ← g 1 for random x and y , and either g 4 ← g xy or g 4 ← g z 1 for random z , D does: 1 First note that in the case of ElGamal, if ( c 1 , c 2 ) = ( mh r , g r ) = E pk ( m ; r ) then ( g , h , c 2 , c 1 ) is a DDH tuple iff m = 1. Thus, ( g 4 , g 3 ) is either a random encryption of 1 or a random encryption of a random element from M . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  77. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols ElGamal Is IND-CPA Secure I Continuation. Now, D handles to A g 1 as the generator and g 2 as the public key. D handles ( c 1 , c 2 ) := ( g 4 , g 3 ) to A . (Recall that ( c 1 , c 2 ) is a random encryption of 1 or of a random element from M .) A returns b ′ ∈ { 1 , 2 } (a guess of which experiment is running). D returns b ′ . Note that D got a DDH tuple iff ( g 4 , g 3 ) is an encryption of 1 and thus D has the same success in breaking DDH as A has in breaking the “weaker” version of IND-CPA. D is a very lazy distinguisher! Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Paillier’s Encryption G : Generate two independent random large prime numbers p and q Set n = pq and λ = lcm( p − 1 , q − 1) // least common multiplier For function L ( u ) := u − 1 n , define µ := ( L (( n + 1) λ mod n 2 )) − 1 mod n . The public key is pk = n , the private key is sk = ( λ, µ ) Encryption of m ∈ Z n with pk = n : Select random r ← Z ∗ n 2 . Compute c ← ( n + 1) m r n mod n 2 Decryption of c ∈ Z ∗ n 2 with sk = ( λ, µ ): Set m ← L ( c λ mod n 2 ) · µ mod n . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  78. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Correctness of Paillier Decryption For sk = ( λ, µ ) and pk = n , D sk ( E pk ( m ; r )) ≡ D sk (( n + 1) m r n mod n 2 ) ≡ L (( n + 1) λ m r λ n mod n ) (mod n 2 ) . L (( n + 1) λ mod n ) But now, ( n + 1) x ≡ xn + 1 (mod n 2 ) (by binomial law). Also r is from Z ∗ n 2 , and thus has order n ( p − 1)( q − 1). In particular, r λ n ≡ 1 (mod n 2 ).Thus D sk ( E pk ( m ; r )) ≡ λ m (mod n 2 ) . λ ≡ m Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Paillier: Homomorphism Clearly, n · (1 + n ) m 2 · r 2 E pk ( m 1 ; r 1 ) · E pk ( m 2 ; r 2 ) ≡ (1 + n ) m 1 r 1 n ≡ (1 + n ) m 1 + m 2 ( r 1 r 2 ) n ≡ E pk ( m 1 + m 2 ; r 1 · r 2 ) (mod n 2 ) . Thus the Paillier cryptosystem is homomorphic in Z n 2 . Important since computing DL (i.e., division) in Z n 2 is easy. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  79. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Security of Paillier Recall: x is an n -th residue modulo n 2 iff there exists an y such that y n ≡ x mod n 2 . Definition Decisional Composite Residuosity Assumption: Distinguish a random n -th residue from a random n -th non-residue modulo n 2 . Equivalent (with small error): Distinguish a random n -th residue from a random element of C = Z n 2 . Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Security of Paillier Theorem Assume that DCRA is true. Then Paillier is IND-CPA secure. Sketch. Idea: random encryption of 0 is a random n -th residue; random encryption of a random element in M is a random element of C . Proof goes along the same lines as the security proof of ElGamal. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  80. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Back to Veto. . . Simplify: two parties, assume parties follow the protocol Alice and Bob need to compute b A ∧ b B Idea: Alice sends E pk ( b A ; r A ), r A ← Z q , to Bob Bob computes c ← E pk ( b A ; r A ) bB · E pk (0; r B ), and sends it to Alice Alice decrypts c and sends the result to Bob Correctness (Paillier): D sk ( c ) = b A b B = b A ∧ b B if b A and b B are Boolean. Correctness (ElGamal): assume that Alice codes “no” by 1 ∈ M and “yes” by some other element of M . Assume Bob codes ‘no” by 0 ∈ Z n and ‘yes” by some other element of Z n . bB in G q . some other value codes “yes”. Then D sk ( c ) = b A Thus if b A = 1 or b B = 0 then D sk ( c ) = 1, otherwise D sk ( c ) � = 1. Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Seventh Lecture: Security of Two-Party Protocols Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  81. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Recap: Why Paillier Works? Carmichael function: λ ( p k ) = p k − 1 ( p − 1) for p ≥ 3 or k ≤ 2, λ (2 k ) = 2 k − 2 for k ≥ 3, and λ ( p k 1 1 . . . p k t t ) = lcm( λ ( p k 1 1 ) , . . . , λ ( p k t t )) Theorem (Carmichael Theorem) If gcd( a , n ) = 1 then a λ ( n ) ≡ 1 (mod n ) . Full proof is 6+ pages. Recall n = pq and λ := lcm( p − 1 , q − 1). Why r λ n ≡ 1 (mod n 2 )? First, λ ( n 2 ) = λ ( p 2 q 2 ) = lcm( λ ( p 2 ) , λ ( q 2 )) = lcm( p ( p − 1) , q ( q − 1)) = pq · lcm( p − 1 , q − 1) = n · lcm( p − 1 , q − 1). By Carmichael Theorem, r n · lcm( p − 1 , q − 1) ≡ r λ ( n 2 ) ≡ 1 mod n 2 Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Security of Veto Protocol Previous veto protocol is secure if Alice/Bob follow the protocol What if they do not follow? Alice/Bob can answer “yes” instead of “no” and vice versa Can’t protect against it. . . and why should they? Alice/Bob can “halt” at some point Hard to protect against. . . (fair exchange) Alice/Bob can do something else incorrectly Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  82. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Attacks on Veto Protocol (With Paillier:) Alice encrypts a value not in { 0 , 1 } Bob sends to Alice any message (that can depend on Alice’s message) Alice sends an incorrect message to Bob Alice/Bob halt at some point Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Security of Two-Party Computations We saw parties can do at least three different kind of attacks: Input substitution Halting Some other incorrect operation during their step We said that first two attacks cannot be avoided — but why? Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  83. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Paradigm of Real/Ideal World What was the functionality of the veto protocol? Alice and Bob obtain b A ∧ b B and nothing else Functionality, written down in a more formal setting. Assume there is a TTP Trent. In the ideal world, Alice and Bob handle their inputs to Trent. Trent returns their corresponding outputs to Alice and Bob. This is clearly what we want to achieve: we cannot protect against attacks that also exist in the ideal world. Caveat! This model is not yet precise. Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Real/Ideal World: Synchronicity The previous ideal world is too ideal: in the real model one of the two parties can halt the protocol after getting his or her private output E.g., Alice can halt the protocol after receiving b A ∧ b B . Correction to the model. In the ideal model, Alice and Bob handle their inputs to Trent. Trent returns their corresponding outputs to Alice. Alice can then send a special “halt” command to Trent. If Trent receives it, he does nothing. Otherwise Trent sends an output to Bob. (One can always exchange Alice and Bob.) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  84. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Attacks Possible in Ideal Model Alice or Bob forwards a wrong input to Trent Alice sends “halt” to Bob A real model protocol can be insecure w.r.t. these two attacks. All other attacks should be impossible. But how to define it? Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Defining Secure Two-Party Computation Syntax/functionality: Define the legal inputs of Alice and Bob Define the private outputs of Alice and Bob This defines the ideal model Definition (Security) Protocol is secure if given any two parties A 1 and A 2 executing it such at A i is semihonest for some i ∈ { 1 , 2 } , there exists a pair ( A ′ 1 , A ′ 2 ), A i = A ′ i , executing the functionality in the ideal model, such that the joint view distributions of the parties in the real and ideal model are computationally indistinguishable. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  85. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Defining Secure Two-Party Computation Definition (Security, equivalent) Protocol is secure if given any two parties A 1 and A 2 executing it such at A i is semihonest for some i ∈ { 1 , 2 } , there exists a simulator Sim , that only given the value f i ( b 1 , b 2 ) can simulate the view of A 3 − i in the protocol without interacting with A i . Theorem Two definitions of security are equivalent. (See [Goldreich, 2004].) Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Security of Veto-Paillier in Semihonest Model Recall: Alice sends c 1 ← E pk ( b A ; R ) to Bob, Bob returns bB c 2 ← c 1 · E pk (0; R ), Alice sets o A ← D sk ( c 2 ) and sends o A to Bob. This protocol is secure only if both parties are semihonest: Sketch. Bob sees one ciphertext c 1 . If Paillier is IND-CPA secure then he cannot guess b A . Alice sees E pk ( b A b B ; R ). Thus even if Alice is omnipotent, even then she cannot violate the privacy of Bob. Problem Construct simulators. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  86. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Security of Veto-Paillier in Malicious Model First round: Alice can send a value b ′ A �∈ { 0 , 1 } Make Alice to prove in ZK that b ′ A ∈ { 0 , 1 } Second round: Bob can send a value that is not equal to bB c 1 E pk (0; R ) for some b B ∈ { 0 , 1 } bB Make Bob to prove in ZK that c 2 = c 1 E pk (0; R ) for some b B ∈ { 0 , 1 } Alice can forward a value that is not equal to decryption of c 2 Make Alice to prove in ZK that o A = D sk ( c 2 ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Another Example: Secure Scalar Product Alice has vector ( x 1 , . . . , x m ) ∈ { 0 , 1 } m , Bob has vector ( y 1 , . . . , y m ) ∈ { 0 , 1 } m Functionality: Alice obtains � m i =1 x i · y i For simplicity, assume Bob has no private output Protocol (with Paillier): Alice generates a new key pair (sk , pk) ← G , and sends ( c 1 , . . . , c m ), where c i ← E pk ( x i ; R ), to Bob Bob responds with c ← � m yi i =1 c i · E pk (0; R ) Alice decrypts c Malicious model: add ZK proofs Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  87. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Oblivious Transfer: Definition Bob has a database ( b 1 , . . . , b m ), Alice has an index i ∈ { 1 , . . . , m } Alice retrieves b i . Bob obtains no output A fundamental primitive: As we will see later, one can be any two-party protocol on oblivious transfer Independent applications from secure databases to . . . Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols AIR OT Protocol by [Aiello et al., 2001] Let Π = ( G , E , D ) be a homomorphic cryptosystem where q := |M| is a large prime The only known such cryptosystem is ElGamal with M = G q Thus we also need to map an index i to a group element, we have chosen the map i �→ g i for a generator g ∈ G q . We also need to assume that b j are group elements Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  88. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols OT Protocol by [Aiello et al., 2001]: Description Alice does: Create (sk , pk) ← G . Send pk, c ← E pk ( g i ; R ) to Bob Bob does for every j ∈ { 1 , . . . , m } : Send to Alice c j ← ( c / E pk ( g j ; R )) Z q · E pk ( b j ; R ) . Alice recovers b i ← D sk ( c i ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols OT Protocol by [Aiello et al., 2001]: Correctness Z q / E pk ( g j ; R )) D sk ( c j ) = D sk (( c · E pk ( b j ; R ) ) ���� E pk ( g i ; R ) � �� � E pk ( g i − j ; R ) � �� � E pk ( g Z q ( i − j ) ; R ) � �� � E pk ( g Z q ( i − j ) · b j ; R ) = D sk ( E pk ( g Z q ( i − j ) · b j ; R )) = g Z q ( i − j ) · b j . Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  89. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols OT Protocol by [Aiello et al., 2001]: Correctness D sk ( c j ) = D sk ( E pk ( g Z q ( i − j ) · b j ; R )) = g Z q ( i − j ) · b j . If i = j then g Z q ( i − j ) = g Z q · 0 = 1 and thus D sk ( c i ) = 1 · b i = b i . For i � = j , g i − j � = 1 is a generator of G q . A generator to a random power from | G q | is a random element in G q , thus g Z q ( i − j ) = G q , and thus D sk ( c i ) = G q · b j = G q , since a random element times a fixed element is a random element. Thus � b i , j = i , D sk ( c j ) = j � = i . G q , (This holds even if j �∈ [1 , m ].) Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Eighth Lecture: OT Continues Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  90. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols OT: Security Definitions Standard security: as previously, comparison to ideal model. The AIR protocol is not secure in this sense. “Relaxed security”/Privacy: only require privacy for Alice Alice’s security: distribution of Alice’s messages, corresponding to any two indices i and j , are the same/comp. ind. Bob’s security: comparison with the ideal model Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols AIR OT Protocol: Reminder Alice does: Create (sk , pk) ← G . Send pk, c ← E pk ( g i ; R ) to Bob Bob does for every j ∈ { 1 , . . . , m } : Send to Alice c j ← ( c / E pk ( g j ; R )) Z q · E pk ( b j ; R ) . Alice recovers b i ← D sk ( c i ) Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  91. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols AIR Is “Relaxed” Secure Proof. Alice’s security: Distribution of messages corresponding to i / j is E pk ( g i ; R )/ E pk ( g j ; R ). Assuming that Π is IND-CPA secure, Bob cannot distinguish those distributions. Bob’s security: the claim is that Bob is secure against unbounded adversaries. Therefore we can also construct an unbounded simulator that can extract Alice’s input i from c = E pk ( g i ; R ). Simulator does the following on inputs c = E pk ( g i ; R ), i and b i , for j ∈ [1 , m ]: If j � = i then set c j ← E pk ( M ; R ) else set c j ← E pk ( b i ; R ). Send ( c 1 , . . . , c m ) to Alice. Clearly simulator’s output is equal to Bob’s output in the real protocol and it does not depend on b j for j � = i . Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols AIR With Paillier? AIR with ElGamal is inconvenient: we had to assume that b j ∈ G q . Can we apply AIR on top of Paillier? No! The reason is that n = p 1 p 2 = |M| is composite in the case of Paillier: If gcd( i , n ) = 1 and i � = 0 then i Z n = Z n If gcd( i , n ) � = 1 then i Z n is a strict subgroup of Z n Concrete attack: Attacker chooses i such that i ≡ j 1 (mod p 1 ) and i ≡ j 2 (mod p 2 ) Then D sk ( c j k ) = ( i − j k ) Z n + b j k , but p k | ( i − j k ) and thus D sk ( c j k ) ≡ b j k (mod p k ). See [Laur and Lipmaa, 2005] for a remedy. Helger Lipmaa MTAT.07.005 Cryptographic Protocols

  92. Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Full Security For OT? Problem How exactly is “relaxed security” weaker than standard security? Why is the previous protocol not fully secure? Construct an oblivious transfer protocol based on AIR that is secure with comparison to the ideal model. Full proof. Extra points for efficiency. (Think of how Alice/Bob can cheat in AIR, and what exactly should be prevented.) Helger Lipmaa MTAT.07.005 Cryptographic Protocols Sixth Lecture: Homomorphic Protocols Seventh Lecture: Security of Two-Party Protocols Zero-Knowledge Eighth Lecture: OT Continues Two-Party Protocols Nineth Lecture: Voting/Auctions Tenth Lecture: Securing All Two-Party Protocols Length-Flexible Cryptosystems: Damg˚ ard-Jurik G : Generate two independent random large prime numbers p and q Set n = pq The public key is pk = n , the private key is sk = ( p , q , . . . ) For any integer s ≥ 1: Encryption of m ∈ Z ns with pk = n : n 2 . Compute c ← ( n + 1) m r ns Select random r ← Z ∗ mod n s +1 Important: | c | / | m | ≈ ( s + 1) / s Decryption: can be done efficiently [Damg˚ ard and Jurik, 2001] Helger Lipmaa MTAT.07.005 Cryptographic Protocols

Recommend


More recommend