MTAT.07.005 Cryptographic Protocols
Introduction to Zero-Knowledge
Helger Lipmaa, University of Tartu

Outline

1 Zero-Knowledge
  First Lecture: Main Notions
  Second Lecture: Proofs of Knowledge
  Third Lecture: NIZK + Signature Schemes
  Fourth Lecture: Witness Hiding/Zaps
  Fifth Lecture: Applications/Commitments

2 Two-Party Protocols
  Sixth Lecture: Homomorphic Protocols
  Seventh Lecture: Security of Two-Party Protocols
  Eighth Lecture: OT Continues
  Ninth Lecture: Voting/Auctions
  Tenth Lecture: Securing All Two-Party Protocols

First Lecture: Main Notions

See [Goldwasser et al., 1989] for the original paper.

Preliminaries

- I assume you have seen different primitives:
  - Block ciphers, stream ciphers
  - Hash functions
  - Signature schemes
  - Public-key cryptosystems
  (Crypto I or an equivalent course...)
- For every type of primitive, you have hopefully seen some representatives, a security definition, and sometimes an attack showing that the representatives are not secure
  - E.g., vanilla RSA is not a secure signature scheme
- (We may go over those definitions later if necessary...)

Motivation: Need for Framework

- How to design a secure primitive? How to see a forest?
- A typical security definition looks like this:
  - Signature schemes: even with the ability to sign a limited number of messages himself, an attacker should not gain the ability to sign new messages
  - Public-key cryptosystems: even with the extra ability to encrypt/decrypt a limited number of chosen messages/ciphertexts (except c), an attacker should not gain the ability to decrypt c
- Seeing a protocol transcript does not help in cheating in the same protocol

Example: Identification

- Two parties, Alice and Bob
- Alice needs to prove to Bob that she is Alice
- One possibility: prove that you know Alice's secrets
- Without telling those secrets to Bob!

Motivation: Further Generalisation

- Take any reasonably complex protocol
- Think of an electronic payment/e-voting/identification protocol...
- What happens if the participants misbehave?
  - You might lose your money...
  - Or get your vote miscounted...
  - Or start talking with an enemy...
- Need to enforce correct behaviour, but how?

Generic Idea: Correctness Proofs

- All participants prove that they behave correctly
  - E.g., identification: prove that you know the secret
- After every message, verify the proof
- Privacy: the proof must not reveal any extra knowledge on the secrets of a participant to another one
  - E.g., identification: secrets must stay secret

Zero-Knowledge Proofs for Correct Behaviour

- Honest Prover convinces Verifier of his case
- Dishonest Prover has a negligible chance of convincing Verifier
- Verifier does not gain any new knowledge, except the truthfulness of the proven fact
  - Otherwise Prover is not motivated to participate

Reminders from Basic Complexity Theory

- P: the class of all languages L that can be solved in polynomial time: i.e., there exists a machine M working in time p(|x|) for some polynomial p ∈ Z[y], such that M(x) = accept iff x ∈ L
- BPP: the class of all languages L that can be solved in probabilistic polynomial time: i.e., there exists a probabilistic machine M working in time p(|x|) for some polynomial p ∈ Z[y], such that M(x) = accept iff x ∈ L
- Definition of NP: there is a polynomial-time machine A such that x ∈ L iff ∃ω with A(x, ω) = Accept
- For an NP-language L, L can also be seen as a relation, L = {(x, ω)}, where ω is an NP-witness that x ∈ L

Reminders from Basic Complexity Theory

- Reduction: language L′ can be reduced to language L if, given a machine that solves L in time f(|x|), there exists a machine that solves L′ in time p(f(|x|)) for some p ∈ Z[y]
- Language L is NP-complete if
  - L ∈ NP
  - Any language L′ ∈ NP can be reduced to language L

ZK: General Problem Statement

- Let L be some language (set of words), let x be an (encrypted) value
- How to prove that x ∈ L without giving out any additional knowledge?
  - x is positive? x is a full square? x is a prime? x is a private key corresponding to public key h?
- Generally: how to prove that "I know an x such that x ∈ L"
- Bad solution: send x to the verifier
  - Verifier sees x and can test that x ∈ L; but this gives away more knowledge than is necessary
  - Sometimes—if L ∉ NP—also impractical

Usage Example: Identification

- Private key: x, public key: h = g^x
- I want to prove to you that I know the secret x
  - I.e., that I know the discrete logarithm of h = g^x
- Privacy: without revealing x itself!
- Recall that computing discrete logarithms is assumed to be hard
- Thus, given public key g^x, the knowledge of the secret key x identifies Prover
- Fineprint: as already mentioned, zero-knowledge might be overkill in this case

Unreasonable Usefulness of ZK

- Praised by many (not only cryptographers)
  - "A rich new framework for addressing the question of what constitutes a mathematical proof"
- Hated by students
  - Lectures on ZK tend to result in zero-knowledge for students
  - Unless you draw a lot of pictures!

Unreasonable Usefulness of ZK

- Counter-intuitive—how can you prove, e.g., that x is a composite number, without revealing its factorisation?
- Not only possible and efficient, but actually the dominant strategy in cryptographic protocol design
- Sometimes even overused
  - Signature scheme: Verifier can get to know "something" as long as she will not be able to forge a new signature
  - Identification scheme: the same, as long as she will not be able to identify herself as the prover
  - Even in such cases, one often uses "zero-knowledgish" techniques
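The identification slide (private key x, public key h = g^x) and the complexity slide's view of an NP-language as a relation L = {(x, ω)} can be made concrete in a few lines. The following is an added example, not code from the lecture slides. It shows the slide's "bad solution" (send the witness x), and beside it an interactive proof in which the verifier learns only that the prover knows x. The slides name no protocol for this; the one used here is Schnorr's protocol, the standard honest-verifier zero-knowledge proof of knowledge of a discrete logarithm. The group parameters (p = 1019, q = 509, g = 4) are constructed toy values, far too small for any real use.

```python
"""Added example (not from the slides): proving knowledge of x with h = g^x.

First the slide's 'bad solution' (send x), then Schnorr's interactive proof,
which the slides do not name but which is the textbook instance of proving
knowledge of a discrete logarithm without revealing it."""
import secrets

# Constructed toy group: p = 1019 and q = 509 are prime with p = 2q + 1,
# and g = 4 generates the subgroup of order q. Sizes are for illustration only.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Private key x, public key h = g^x (as on the identification slide)."""
    x = secrets.randbelow(Q - 1) + 1          # x in {1, ..., q-1}
    return x, pow(G, x, P)


def in_relation(h, x):
    """NP-relation view of the language: (h, x) in L iff g^x = h.
    Checking a candidate witness is one modular exponentiation."""
    return pow(G, x, P) == h


def bad_solution(h, x):
    """The slide's 'bad solution': send the witness itself. The verifier can
    check membership, but now also holds the secret."""
    return in_relation(h, x), x


# --- interactive proof: commitment a, challenge e, response z ---------------

def prover_commit():
    """Prover picks fresh randomness r and sends a = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    return secrets.randbelow(Q)


def prover_respond(x, r, e):
    """z = r + e*x mod q; the secret x is masked by the one-time value r."""
    return (r + e * x) % Q


def verifier_check(h, a, e, z):
    """Accept iff g^z = a * h^e. An honest prover always passes because
    g^(r + e*x) = g^r * (g^x)^e."""
    return pow(G, z, P) == (a * pow(h, e, P)) % P


def run_protocol(x, h):
    """One honest execution; returns the verdict and the transcript."""
    r, a = prover_commit()
    e = verifier_challenge()
    z = prover_respond(x, r, e)
    return verifier_check(h, a, e, z), (a, e, z)


def simulate_transcript(h):
    """Zero-knowledge: an accepting transcript can be produced from h alone by
    choosing e and z first and solving a = g^z * h^(-e). A verifier who saw a
    real transcript has learned nothing it could not have produced itself."""
    e = secrets.randbelow(Q)
    z = secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pow(h, e, P), -1, P) % P
    return a, e, z


def cheating_prover(h, guessed_e):
    """Soundness: without x a prover can only prepare for one challenge, so
    it convinces the verifier with probability 1/q per execution."""
    z = secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pow(h, guessed_e, P), -1, P) % P
    e = verifier_challenge()
    return verifier_check(h, a, e, z)


def extract_from_reused_r(e1, z1, e2, z2):
    """Why r must be fresh: two responses with the same r and different
    challenges give x = (z1 - z2) / (e1 - e2) mod q. The same equation is the
    knowledge extractor that makes this a proof of knowledge."""
    return (z1 - z2) * pow((e1 - e2) % Q, -1, Q) % Q


if __name__ == "__main__":
    x, h = keygen()
    print("bad solution leaks x:", bad_solution(h, x))
    ok, transcript = run_protocol(x, h)
    print("honest run accepted:", ok, transcript)
    print("simulated transcript accepted:", verifier_check(h, *simulate_transcript(h)))
```

The simulator is the whole point of the "zero-knowledge" slide: the verifier's view (a, e, z) has the same distribution whether it came from the real prover or from someone holding only h, so the transcript carries no knowledge beyond the fact proven. The last function is the practitioner's caveat: the randomness r is a one-time secret, and reusing it across two challenges hands the verifier exactly the witness the protocol was designed to hide.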