Zero Knowledge Accumulators and Set Operations
Esha Ghosh (1), Olya Ohrimenko (2), Dimitrios Papadopoulos (3), Roberto Tamassia (1), Nikos Triandopoulos (4)
(1) Brown University, (2) Microsoft Research, (3) University of Maryland, (4) Stevens Institute of Technology
Research supported in part by the US National Science Foundation
Data outsourcing (diagram): the OWNER hands its data to the SERVER; CLIENTS send a query to the server and receive an answer.
Verifiable data outsourcing, static (diagram): the owner additionally publishes a digest σ to the clients and θ to the server; the server returns an answer together with a proof.
Verifiable data outsourcing, dynamic (diagram): the owner applies an update Upd, keeps a state, and issues the new digests θ' (server) and σ' (clients); queries are still answered with an answer and a proof.
Challenge: the proof leaks information. Merkle tree with items stored in sorted order at the leaves (root $r$, internal node $c$, leaves $a$ and $x$). Proof of $x$: $((a, L), (c, R))$. Verification: $h(h(a, h(x)), c) = r$. The proof leaks the rank of the item.
Zone enumeration attack [GNPRVZ–NDSS15, RFC 5155] (diagram): the primary resolver holds the zone names a.com, b.com, w.com and publishes pk and H(·); the secondary resolver answers a client's query for q.com with an answer and a proof. The hashed names are H(a.com) = a5bb, H(b.com) = 23ce, H(w.com) = fae1, kept in sorted order 23ce, a5bb, fae1.
Zone enumeration attack [Bernstein11–nsec3walker] (diagram): for the non-existent name q.com the answer is ⊥ with proof (23ce, a5bb), the two hashed names adjacent to H(q.com) in sorted order. Each non-existence proof thus reveals two hashed zone names, which is what makes enumeration of the zone possible.
Cryptographic accumulator [Benaloh and de Mare 93]: $\sigma \leftarrow \mathrm{acc}(\text{Set } X)$.
• Efficient and succinct proofs for $x \in X$ and $x \notin X$.
• Proofs are publicly computable and verifiable.
• Soundness: forging a proof for an element is infeasible.
• Traditional proofs are leaky.
In this work
• A formal model for zero-knowledge universal dynamic accumulators.
• An efficient construction of zero-knowledge accumulators.
• Efficient constructions for: 1. is-subset, 2. difference, 3. union, 4. intersection.
Our model (diagram): the dynamic verifiable outsourcing setting above; the OWNER applies Upd and keeps a state, the SERVER holds θ', the CLIENTS hold σ' and receive an answer with a proof for each query.
Soundness game (figure). The challenger gives the adversary pk; the adversary chooses the initial set $X_0$; the challenger runs Setup and returns the digests $\sigma_0, \theta_0$. Repeated λ times: the adversary submits an update $U_i$ and receives $\sigma_{i+1}$ and $\mathrm{Upd}_i$. Finally the adversary outputs $(j, \mathrm{query}^*, \mathrm{answer}^*, \mathrm{proof}^*)$. Figure: the probability that Verify accepts but $\mathrm{answer}^*$ is not correct w.r.t. $\mathrm{query}^*$ on $X_j$ is negligible.
Zero-knowledge game (figure). The adversary, acting as the client, talks either to the challenger or to a simulator, both of which hold pk. The challenger holds the real set $X_0$, publishes $\sigma_0$, answers each query with an answer and a proof, and applies each update $U_i$, publishing $\sigma_{i+1}$. The simulator is only notified that an update occurred and produces its own $\sigma_0$, answers, proofs and $\sigma_{i+1}$. The adversary finally outputs a guess. Figure: the probability that the adversary guesses correctly whether it is talking to the challenger or to the simulator is negligible.
Zero Knowledge Accumulator
Query. $X = \{x_1, \ldots, x_N\}$ is the set of elements. Client query: is element $x \in X$? Server response: answer $= 1$ indicating yes and answer $= 0$ indicating no, plus a proof.
Set representation. A set $X = \{x_1, \ldots, x_N\}$ is represented by its characteristic polynomial $\mathrm{Ch}_X[z] = \prod_{i=1}^{N} (z + x_i)$.
Bilinear map:
• $\lambda \in \mathbb{N}$ is the security parameter of the scheme
• $G, G_1$ are multiplicative cyclic groups of prime order $p$
• $p$ is a large $k$-bit prime
• $g$ is a random generator of $G$
• $e : G \times G \to G_1$ is a computable, non-degenerate bilinear map
• $e(g^a, g^b) = e(g, g)^{ab}$.
KeyGen and Setup (Owner)
$(\mathrm{sk}, \mathrm{pk}) \leftarrow \mathrm{KeyGen}(1^\lambda)$
• Generate bilinear parameters $\mathrm{pub} = (p, G, G_1, e, g)$. $O(\mathrm{poly}(\lambda))$
• Choose $s \xleftarrow{\$} \mathbb{Z}_p^*$.
• Set $\mathrm{sk} = s$ and $\mathrm{pk} = (g^s, \mathrm{pub})$.
$(\sigma_0, \theta_0, \mathrm{state}_0) \leftarrow \mathrm{Setup}(\mathrm{sk}, X_0)$
• Choose $r \xleftarrow{\$} \mathbb{Z}_p^*$.
• Set $\sigma_0 = g^{r \cdot \mathrm{Ch}_X(s)}$. $O(N)$
• Set $\theta_0 = (g, g^s, g^{s^2}, \ldots, g^{s^N}, r)$. $O(N)$
• Set $\mathrm{state}_0 = X$.
Query (Server)
$(\mathrm{answer}, \mathrm{proof}) \leftarrow \mathrm{PerformQuery}(X_j, \theta_j, \mathrm{query})$
• If query $= x \in X$: set answer $= 1$ and $\mathrm{proof} = \sigma_j^{1/(s+x)} = g^{r \cdot \mathrm{Ch}_X(s)/(s+x)}$ (the server does not know $s$; it computes the exponent polynomial $\mathrm{Ch}_X[z]/(z+x)$ and evaluates it in the exponent using the powers $g^{s^i}$ in $\theta_j$). $O(N \log N)$
• If query $= x \notin X$:
1. Using the Extended Euclidean algorithm, compute polynomials $q_1[z], q_2[z]$ such that $q_1[z]\,\mathrm{Ch}_X[z] + q_2[z]\,(z + x) = 1$. $O(N \log^2 N \log\log N)$
2. Pick a random $\gamma \xleftarrow{\$} \mathbb{Z}_p^*$.
3. Set $q'_1[z] = q_1[z] + \gamma \cdot (z + x)$.
4. Set $q'_2[z] = q_2[z] - \gamma \cdot \mathrm{Ch}_X[z]$.
5. Set $W_1 := g^{q'_1(s)\, r^{-1}}$ and $W_2 := g^{q'_2(s)}$.
6. Set $\mathrm{proof} := (W_1, W_2)$ and answer $= 0$.
Verification (Client)
$(\mathrm{accept}/\mathrm{reject}) \leftarrow \mathrm{Verify}(\mathrm{pk}, \sigma_j, \mathrm{query}, \mathrm{answer}, \mathrm{proof})$
• Let query $= x$. Below, $\mathrm{pk}$ stands for its group element $g^s$, so $g^x \cdot \mathrm{pk} = g^{s+x}$.
• If answer $= 1$, return accept if $e(\sigma_j, g) = e(\mathrm{proof}, g^x \cdot \mathrm{pk})$. $O(1)$
• If answer $= 0$, return accept if $e(W_1, \sigma_j)\, e(W_2, g^x \cdot \mathrm{pk}) = e(g, g)$. $O(1)$
• Return reject otherwise.
Update
$(X_{i+1}, \sigma_{i+1}, \mathrm{upd}_i, \mathrm{state}_{i+1}) \leftarrow \mathrm{Update}(\mathrm{sk}, \mathrm{state}_i, \sigma_i, \theta_i, X_i, u_i)$
Owner:
• Choose $r' \xleftarrow{\$} \mathbb{Z}_p^*$.
• If $x$ is to be inserted: 1. Compute $\sigma_{i+1} = \sigma_i^{(s+x)\, r'}$. $O(1)$
• If $x$ is to be deleted: 1. Compute $\sigma_{i+1} = \sigma_i^{r'/(s+x)}$. $O(1)$
• Set $\mathrm{upd}_i = (r')$ and $\mathrm{state}_{i+1} = X_{i+1}$.
Server: store the inserted/deleted element and $\mathrm{upd}_i = (r')$. $O(1)$
Privacy comes almost for free

Operation                    | [Nguyen05 – No Privacy]   | This work
Setup                        | N MUL                     | N MUL
Update                       | 1 MUL                     | 2 MUL
Witness (Member)             | N MUL + (N − 1) ADD       | N MUL + (N − 1) ADD
Witness (Non-Member)         | N MUL + (N − 1) ADD       | (N + 1) MUL + (N − 1) ADD
Verify (Member)              | 1 (MUL + ADD + PAIR)      | 1 (MUL + ADD + PAIR)
Verify (Non-Member)          | 2 (MUL + ADD + PAIR)      | 1 (MUL + ADD + ADD_1) + 2 PAIR
Witness Update (Member)      | 1 (MUL + ADD)             | 2 MUL + 1 ADD
Witness Update (Non-Member)  | 2 MUL + 1 ADD             | (N + 1) MUL + (N − 1) ADD

Figure: ADD = point addition and MUL = scalar multiplication in the elliptic curve group $G$, ADD_1 = point addition in $G_1$, PAIR = a pairing computation; $N$ is the size of the set.
Set Algebra: Union
Query. $\{X_1, \ldots, X_m\}$ is the set collection. Client query: return the union of sets 2, 5, 9. Server response: answer $= X_2 \cup X_5 \cup X_9$ plus a proof. Let $X_2 = \{a, b, d\}$, $X_5 = \{d, f\}$, $X_9 = \{a, c\}$; then answer $= \{a, c, b, d, f\}$.
Completeness conditions. Superset condition: $X_2 \subseteq \mathrm{answer} \wedge X_5 \subseteq \mathrm{answer} \wedge X_9 \subseteq \mathrm{answer}$; technique: a generalization of set membership. Membership condition: $\mathrm{answer} \subseteq \tilde{U}$, where $\tilde{U} = X_2 \uplus X_5 \uplus X_9$ is the multiset union.
Proving membership. Multiset union: $\tilde{U} = \{a, a, c, b, d, d, f\}$.
1. Compute $\sigma_{\tilde{U}} \leftarrow g^{(r_2 r_5 r_9)\,\mathrm{Ch}_{\tilde{U}}(s)} = g^{(r_2 r_5 r_9)(s+a)^2 (s+c)(s+b)(s+d)^2 (s+f)}$.
2. Prove that $\sigma_{\tilde{U}}$ is correctly computed.
3. Prove $\mathrm{answer} \subseteq \tilde{U}$ using $\sigma_{\tilde{U}}$.
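As an added worked example (not code from the paper or its authors), the polynomial algebra that underlies both the PerformQuery/Verify slides and the union completeness conditions above, in Python over $\mathbb{Z}_p$: membership and the superset/multiset conditions reduce to divisibility of characteristic polynomials, non-membership to the Extended Euclidean identity with the $\gamma$ randomization. The toy prime P, the trapdoor s, the blinding factor γ and the sample sets are constructed inputs; group exponentiations and the pairing are not simulated, the pairing equation is replaced by the equivalent identity on the exponents.

```python
# Added worked example, not the paper's code: the Z_p polynomial algebra behind the proofs.
P = 1000003  # constructed toy prime; the scheme uses a large k-bit prime p
def p_trim(a):  # drop leading zero coefficients (lists are lowest degree first)
    while len(a) > 1 and a[-1] == 0:
        a = a[:-1]
    return a
def p_add(a, b):
    n = max(len(a), len(b))
    return p_trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(n)])
def p_mul(a, b):  # also used for scalar multiplication via p_mul(a, [c])
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % P
    return p_trim(out)
def p_divmod(a, b):  # polynomial long division, b != 0
    a, q, inv = list(a), [0] * max(1, len(a) - len(b) + 1), pow(b[-1], -1, P)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = (a[i + len(b) - 1] * inv) % P
        for j, v in enumerate(b):
            a[i + j] = (a[i + j] - q[i] * v) % P
    return p_trim(q), p_trim(a)
p_eval = lambda a, s: sum(c * pow(s, i, P) for i, c in enumerate(a)) % P
def char_poly(xs):  # Ch_X[z] = prod_i (z + x_i)
    ch = [1]
    for x in xs:
        ch = p_mul(ch, [x % P, 1])
    return ch
def ext_euclid(a, b):  # Extended Euclidean algorithm: monic g and u, v with u*a + v*b = g
    r0, r1, u0, u1, v0, v1 = a, b, [1], [0], [0], [1]
    while r1 != [0]:
        q, r = p_divmod(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, p_add(u0, p_mul(p_mul(q, u1), [P - 1]))
        v0, v1 = v1, p_add(v0, p_mul(p_mul(q, v1), [P - 1]))
    return tuple(p_mul(v, [pow(r0[-1], -1, P)]) for v in (r0, u0, v0))
def ch_quotient(sub, sup):  # Ch_sub divides Ch_sup iff sub is a sub-multiset of sup; else None
    q, r = p_divmod(char_poly(sup), char_poly(sub))
    return q if r == [0] else None  # exponent of the member proof Ch_X(s)/(s+x) is ch_quotient([x], X)
def nonmember_witness(xs, x, gamma):  # steps 1-4 of PerformQuery: q1, q2 from the EEA, then randomize
    ch = char_poly(xs)
    g, q1, q2 = ext_euclid(ch, [x % P, 1])
    if g != [1]:
        return None  # gcd != 1 means x is in X, so no non-membership proof exists
    return p_add(q1, p_mul([x % P, 1], [gamma])), p_add(q2, p_mul(ch, [P - gamma]))
def exponent_check(xs, x, q1p, q2p, s):  # e(W1, sigma) e(W2, g^x pk) = e(g, g) iff this exponent is 1
    return (p_eval(q1p, s) * p_eval(char_poly(xs), s) + p_eval(q2p, s) * (s + x)) % P == 1
def union_complete(sets, answer):  # superset conditions, then answer within the multiset union
    multi = [x for xs in sets for x in xs]  # Ch of the multiset union is the product of the Ch_{X_i}
    return all(ch_quotient(xs, answer) is not None for xs in sets) and ch_quotient(answer, multi) is not None
```

The randomization in `nonmember_witness` is what makes $(W_1, W_2)$ zero-knowledge: a fresh $\gamma$ gives a different witness pair each time while `exponent_check` still passes.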