ZK with Rubik’s Cubes and Non-Abelian Groups
Emmanuel Volte - Valérie Nachef - Jacques Patarin
20 November 2013

Overview
- Authentication
- ZK with Interactive Proofs
- Problems based on Rubik’s cube or Non-Abelian Groups

ZK with Interactive Proofs

Main motivations
1. Authentication with a new kind of problem.
2. Compact size (fits in a pocket).
3. Hardware efficiency.

Outline
1. Problems of factorization in Non-Abelian Groups
   - Mathematical Notations
   - Some Difficult Problems in Non-Abelian Groups
2. Protocol of ZK with Rubik’s Cube 3 × 3 × 3
   - Example of ZK with IP: 3 colors
   - Repositioning Group
   - Protocol
3. Generalizations
   - Rubik’s Cube 5 × 5 × 5
   - Any Set of Generators
   - Number of Moves Variable
   - $S_{41}$

Mathematical Notations: $S_n$, Generators
Symmetric group: $S_X$ = group of permutations of a finite set $X$. If $X = \{1; 2; \ldots; n\}$ then $S_X = S_n$.
$\forall \sigma, \sigma' \in S_X,\ \sigma\sigma' = \sigma' \circ \sigma$.
$\langle \ldots \rangle$: for a group $G$ and $(g_1, g_2, \ldots, g_\alpha) \in G^\alpha$,
$$\langle g_1, g_2, \ldots, g_\alpha \rangle = \bigcap_{\substack{H \text{ subgroup of } G \\ g_1, g_2, \ldots, g_\alpha \in H}} H$$
Set of generators: $\{g_1, \ldots, g_\alpha\}$ such that $\langle g_1, g_2, \ldots, g_\alpha \rangle = G$.

Group of the Rubik’s Cube
[Figure: unfolded 3 × 3 × 3 cube with the 48 non-centre facelets numbered face by face: U = 1 to 8, L = 9 to 16, F = 17 to 24, R = 25 to 32, B = 33 to 40, D = 41 to 48.]

Generators of the Rubik’s Cube’s Group
F = (17,19,24,22)(18,21,23,20)(6,25,43,16)(7,28,42,13)(8,30,41,11)
B = (33,35,40,38)(34,37,39,36)(3,9,46,32)(2,12,47,29)(1,14,48,27)
L = (9,11,16,14)(10,13,15,12)(1,17,41,40)(4,20,44,37)(6,22,46,35)
R = (25,27,32,30)(26,29,31,28)(3,38,43,19)(5,36,45,21)(8,33,48,24)
U = (1,3,8,6)(2,5,7,4)(9,33,25,17)(10,34,26,18)(11,35,27,19)
D = (41,43,48,46)(42,45,47,44)(14,22,30,38)(15,23,31,39)(16,24,32,40)
Rubik’s cube group: $G_R = \langle F, B, L, R, U, D \rangle \subset S_{48}$.

General Notations for the Problems
$G$: non-Abelian group.
$F \subset G$: set of generators, $F = \{f_1; f_2; \ldots; f_\alpha\}$, $\alpha \ge 2$.
$\mathrm{id} \in G$: initial position.

Two Difficult Problems
Problem 1: solve the puzzle (not difficult). Given $x_0 \in X$, find $d \in \mathbb{N}^*$ and $(i_1, i_2, \ldots, i_d) \in \{1; 2; \ldots; \alpha\}^d$ so that $x_0 f_{i_1} f_{i_2} \cdots f_{i_d} = \mathrm{id}$.
Problem 2: solve the puzzle with a fixed number of moves. Given $d \in \mathbb{N}^*$ and $x_0 \in X$, find $(i_1, i_2, \ldots, i_d) \in \{1; 2; \ldots; \alpha\}^d$ so that $x_0 f_{i_1} f_{i_2} \cdots f_{i_d} = \mathrm{id}$.
Problem 3: go from one position to another with a fixed number of moves. Given $d \in \mathbb{N}^*$ and $(x_0, x_d) \in X^2$, find $(i_1, i_2, \ldots, i_d) \in \{1; 2; \ldots; \alpha\}^d$ so that $x_0 f_{i_1} f_{i_2} \cdots f_{i_d} = x_d$.

Complexity of problem 2
Complexity $= O(d\,\alpha^{d/2})$

How to choose $d$
Rubik’s 3 × 3 × 3: God’s number: 20 moves to unscramble from any position. $|G_R| \approx 2^{61}$. $\alpha = 6$ and $d = 24$ since $6^{24} \approx 2^{60}$ $\Rightarrow$ security in about $2^{30}$ computations.
General case: we want $d\,\alpha^{d/2} \approx 2^{80}$ and $\alpha^d \le |G|$.
α    2    4    6    8    10   12   14   16   50   100   9240 ($S_{41}$)
d    146  74   58   50   46   42   40   38   28   24    12

Example of ZK with IP: 3 colors
Alice’s Secret: Alice knows how to color a graph with 3 colors.
Melting Colors at Random
Hiding Colors with Commitments
Bob’s question
Alice’s answer

ZK Principles
Correctness: A legitimate prover is always accepted.
Statistically Zero Knowledge: There exists an efficient simulating algorithm $U$ such that for every feasible Verifier strategy $V$, the distributions produced by the simulator and the proof protocol are statistically indistinguishable.
Proof of zero knowledge with error knowledge $\alpha$: There is a knowledge extractor $K$ and a polynomial $Q$ such that, with
$p$ = probability that $K$ finds a valid witness for $x$ using its access to a prover $P^*$,
$p_x$ = probability that $P^*$ convinces the honest verifier on $x$,
if $p_x > \alpha$, then $p \ge Q(p_x - \alpha)$.

Conjugation
Definition: Let $G$ be a group.
$$\forall (\sigma, \tau) \in G^2,\quad \sigma^{\tau} \overset{\text{def}}{=} \tau^{-1}\sigma\tau, \qquad \sigma^{G} \overset{\text{def}}{=} \{\sigma^{g} \mid g \in G\}.$$
Proposition:
$$\forall (\sigma, \sigma', \tau, \tau') \in G^4,\quad (\sigma^{\tau})^{\tau'} = \sigma^{\tau\tau'}, \qquad \sigma^{\tau}\,{\sigma'}^{\tau} = (\sigma\sigma')^{\tau}.$$

Repositioning Group
Definition: Let $F = \{f_1, \ldots, f_\alpha\} \subset G$, where $G$ is a group. Any subgroup $H$ such that $f_1^{H} = \{h^{-1} f_1 h \mid h \in H\} = F$ is called a repositioning group of $F$.
Proposition: If $F$ has a repositioning group $H$ then for $\tau \in_R H$,
$$\forall (i, j) \in \{1; \ldots; \alpha\}^2,\quad P(f_i^{\tau} = f_j) = \frac{1}{\alpha}.$$

Repositioning Group of the Rubik’s Cube
Definition: Let $H = \langle h_1, h_2 \rangle$ where
$h_1 = R L^{-1} (2,39,42,18)(7,34,47,23)$
$h_2 = U D^{-1} (13,37,29,21)(12,36,28,20)$
Proposition: If $f \in_R F$ and $\tau \in_R H$, then $f^{\tau}$ is a uniform random variable in $F$.
Diagram: $x_0 \xrightarrow{\ f\ } x_1$; applying $\tau$ to both positions gives $x_0\tau \xrightarrow{\ f^{\tau}\ } x_1\tau$.

Protocol (notations)
Public:
- A group $G$.
- A set $F = \{f_1, \ldots, f_\alpha\} \subset G$ of generators of $G_R$.
- A repositioning group $H \subset G$ such that $f_1^{H} = F$.
- $d \in \mathbb{N}$, $d \ge 3$.
- $G'$, the subgroup of $G$ generated by $F$ and $H$: $G' = \langle F, H \rangle$.
- $K$, a set of keys, $|K| \ge 2^{80}$.
Secret key: $i_1, i_2, \ldots, i_d \in \{1, 2, \ldots, \alpha\}$.
Public key: $x_0 = (f_{i_1} f_{i_2} \cdots f_{i_d})^{-1}$.

Protocol (first phase)
Prover:
- Picks $\tau \in_R H$, $\sigma_0 \in_R G'$, $k_*, k_0, k_1, \ldots, k_d \in_R K$.
- Computes $\forall j \in \{1, \ldots, d\},\ \sigma_j = (f_{i_j}^{\tau})^{-1}\sigma_{j-1}$.
- Computes $c_0 = \mathrm{Com}_{k_*}(\tau)$ and $\forall i \in \{0, \ldots, d\},\ s_i = \mathrm{Com}_{k_i}(\sigma_i)$.
Prover → Verifier: $c_0, s_0, \ldots, s_d$
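
The repositioning-group proposition and the prover's first message can both be checked from the cycle data printed on the slides. The Python below is an added example, not code from the authors. Its assumptions: Com_k(v) is taken to be SHA-256(k || v), σ_0 is drawn as a random word over F and H rather than as an exactly uniform element of G′, and all function names are illustrative.

```python
import hashlib, secrets

N = 48  # facelets 1..48; a permutation is a tuple p with p[x-1] = image of x

def perm(*cycles):  # permutation given by disjoint cycles
    m = {a: b for c in cycles for a, b in zip(c, c[1:] + c[:1])}
    return tuple(m.get(x, x) for x in range(1, N + 1))

def mul(*ps):  # slide convention: the leftmost factor of a product acts first
    out = tuple(range(1, N + 1))
    for p in ps:
        out = tuple(p[x - 1] for x in out)
    return out

def inv(p):
    return tuple(p.index(y) + 1 for y in range(1, N + 1))

def conj(s, t):  # s^t = t^-1 s t
    return mul(inv(t), s, t)

def closure(gens):  # list every element of the finite group generated by gens
    elems = [mul()]
    for g in elems:  # the list grows while it is scanned
        elems += [n for n in {mul(g, h) for h in gens} if n not in elems]
    return elems

F = [perm(*c) for c in (  # F, B, L, R, U, D with the cycles printed on the slide
    ((17,19,24,22), (18,21,23,20), (6,25,43,16), (7,28,42,13), (8,30,41,11)),
    ((33,35,40,38), (34,37,39,36), (3,9,46,32), (2,12,47,29), (1,14,48,27)),
    ((9,11,16,14), (10,13,15,12), (1,17,41,40), (4,20,44,37), (6,22,46,35)),
    ((25,27,32,30), (26,29,31,28), (3,38,43,19), (5,36,45,21), (8,33,48,24)),
    ((1,3,8,6), (2,5,7,4), (9,33,25,17), (10,34,26,18), (11,35,27,19)),
    ((41,43,48,46), (42,45,47,44), (14,22,30,38), (15,23,31,39), (16,24,32,40)))]
h1 = mul(F[3], inv(F[2]), perm((2,39,42,18), (7,34,47,23)))    # R L^-1 (...)
h2 = mul(F[4], inv(F[5]), perm((13,37,29,21), (12,36,28,20)))  # U D^-1 (...)
H = closure([h1, h2])

def orbit_counts():  # for each f_j: number of tau in H with f_1^tau = f_j
    return [sum(conj(F[0], t) == f for t in H) for f in F]

def first_phase(secret):  # secret = (i_1..i_d) as 0-based indices into F
    tau = secrets.choice(H)
    # sigma_0: random word over F and H, a stand-in for a uniform element of G'
    sigma = [mul(*(secrets.choice(F + H) for _ in range(64)))]
    for i in secret:
        sigma.append(mul(inv(conj(F[i], tau)), sigma[-1]))
    keys = [secrets.token_bytes(16) for _ in range(len(sigma) + 1)]
    # assumed commitment Com_k(v) = SHA-256(k || v); the slides only name Com
    coms = [hashlib.sha256(k + bytes(v)).hexdigest() for k, v in zip(keys, [tau] + sigma)]
    return tau, sigma, keys, coms  # only coms = (c_0, s_0..s_d) is sent
```

`orbit_counts()` returns the same count for every generator, which is the 1/α proposition for this H. In any run of `first_phase`, the last element satisfies σ_d = x_0^τ σ_0 and every σ_{j-1} σ_j^{-1} is a generator in F, both consequences of the two conjugation identities above.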