
Foundations of Cryptography Lecture 13: Zero-Knowledge Variants and Applications








  1. Foundations of Cryptography, Lecture 13: Zero-Knowledge Variants and Applications
  Lecturer: Moni Naor

  2. Recap of last week's lecture
  • String Commitment
    • Definition
    • Construction from pseudo-random generators
  • Coin Flipping
  • Zero-knowledge Interactive Proofs
    • Interactive Proofs and the cryptographic setting
    • Definition of zero-knowledge proofs
    • Construction of a zk proof system for Hamiltonicity

  3. Question: zero-knowledge protocol for subset sum
  • Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
  • Subset sum problem: given
    • n numbers 0 ≤ a_1, a_2, …, a_n < 2^m
    • Target sum T
    • Is there a subset S ⊆ {1,...,n} such that ∑_{i∈S} a_i = T mod 2^m?

  4. The world so far
  [Diagram of the primitives constructed so far and the implications between them: Factoring is hard (BG permutations), Trapdoor permutations, Public-key Encryption (CPA), Pseudo-random generators, Pseudo-random Functions, Signature Schemes, One-way functions, String Commitment, Pseudo-random Permutations, Shared-key Encryption (CPA) and Authentication, UOWHFs, Zero-Knowledge for all of NP, P ≠ NP]

  5. What's next
  More of zero-knowledge:
  • Black-box simulation
  • Proofs of knowledge
  • Public-key Identification
  • Perfect and Statistical Zero-knowledge
  • Authentication via encryption
  • Malleability

  6. Zero Knowledge
  • Each (cheating) verifier V* induces a distribution on transcripts of its interaction with P
  • Zero-Knowledge Requirement: for all verifiers V* there exists a simulator S such that:
    • simulator S is a pptm (does not get witness W)
    • for all X ∈ L the distributions on transcripts that V* induces and that S produces are computationally indistinguishable.
  Role of the simulator is similar to the alternative adversary A' in semantic security

  7. Black-box Zero-Knowledge
  • Order of quantifiers: for all verifiers V* there exists a simulator S
  • Black-box simulation: there exists a simulator S that is good for all verifiers V*
    • S interacts with V* as an oracle: S^{V*}
    • Can see V*'s reaction to various messages but not its internal state
  Almost all known zero-knowledge protocols are black-box

  8. Protocol Hamiltonicity
  • Common input: graph G=(V,E)
  • L is the language of graphs with Hamiltonian cycles
  • Witness W: a Hamiltonian cycle C=(i_1, i_2, …, i_n)
  • Protocol:
    • Prover P selects a random permutation π of the nodes and commits to the adjacency matrix of π(G)=(π(V), π(E)), each entry separately
    • Verifier V selects and sends a bit r ∈_R {0,1}
    • Prover P: if r=0 then P opens all the commitments and sends π; if r=1 then P opens only the commitments corresponding to C, i.e. the entries (π(i_j), π(i_{j+1}))
    • Verifier V accepts if: r=0 and the committed graph is isomorphic to G (via the sent π); r=1 and all opened slots are '1'

  9. Reducing probability of cheating
  To reduce the probability of cheating:
  • Run the protocol k times sequentially
  • Verifier accepts if prover succeeds in all k runs
  Probability of cheating: 2^-k
  Zero-knowledge:
  • The simulator builds the transcript one iteration at a time
  • The rewinding is to the end of the previous iteration

  10. Knowledge of a Hamiltonian Cycle
  Can a prover succeed in the protocol without knowing a witness W (a Hamiltonian cycle)?
  • What does 'know' mean?
  • In the NP context: you give the cycle, so the question does not arise.
  New notion: proof of knowledge
  • There exists an extractor such that for any prover P* that succeeds in the protocol, the extractor produces a cycle
  • Extractor should be a ppt.
  • Gets to interact with P* as a black-box and may rewind it
  • Success of extraction should be similar to success of P*

  11. Hamiltonicity protocol is a proof of knowledge
  The extractor:
  • Run P* for the first step
  • Given the commitments following step 1, run the protocol twice: with r=0 and with r=1
  • If P* succeeds in both: can extract a cycle
  • If at least one case fails: in a real execution the prover fails with probability at least ½
  • If the probability of extraction failing is ε, the probability of success in the protocol is at most 1-ε/2
  • If the protocol is repeated k times: non-negligible probability of success implies probability (1 – negligible) of extraction
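The Hamiltonicity protocol of slide 8 together with the extractor of slide 11, as an added Python example that is not from the lecture. It assumes a hash-based bit commitment in place of the PRG-based commitment, the verifier's r=1 check additionally requires the opened slots to form one cycle through all nodes, and extract() is the slide-11 extractor run against an honest prover's committed state (both challenges answered on the same commitments).

```python
import hashlib, os, random

def commit(bit):  # hash commitment stands in for the lecture's PRG-based commitment (assumption)
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), nonce
def opens_to(com, bit, nonce):
    return hashlib.sha256(nonce + bytes([bit])).digest() == com
def is_ham_cycle(n, edges):  # do n directed edges form a single cycle through every node?
    succ, cur, seen = dict(edges), 0, set()
    for _ in range(n):
        seen.add(cur)
        cur = succ.get(cur, -1)
    return len(succ) == n and cur == 0 and len(seen) == n

def prover_step1(G, cycle):  # G: 0/1 adjacency matrix, cycle: node order i_1..i_n
    n = len(G)
    pi = random.sample(range(n), n)  # random permutation of the nodes
    H = [[0] * n for _ in range(n)]  # adjacency matrix of pi(G)
    for u in range(n):
        for v in range(n):
            H[pi[u]][pi[v]] = G[u][v]
    coms = [[commit(H[i][j]) for j in range(n)] for i in range(n)]  # one commitment per entry
    return [[c for c, _ in row] for row in coms], (pi, H, coms, cycle)
def prover_step3(state, r):  # r=0: reveal pi and open all; r=1: open only the cycle's n slots
    pi, H, coms, cycle = state
    n = len(H)
    if r == 0:
        return pi, {(i, j): (H[i][j], coms[i][j][1]) for i in range(n) for j in range(n)}
    slots = [(pi[cycle[k]], pi[cycle[(k + 1) % n]]) for k in range(n)]
    return None, {(i, j): (1, coms[i][j][1]) for i, j in slots}

def verifier_check(G, C, r, pi, openings):
    n = len(G)
    if not all(opens_to(C[i][j], b, nc) for (i, j), (b, nc) in openings.items()):
        return False
    if r == 0:  # the committed graph must be exactly pi(G) for the revealed pi
        return len(openings) == n * n and all(
            openings[(pi[u], pi[v])][0] == G[u][v] for u in range(n) for v in range(n))
    return all(b == 1 for b, _ in openings.values()) and is_ham_cycle(n, list(openings))

def extract(G, state):  # slide 11: answers to both challenges on one commitment yield a cycle in G
    pi, _ = prover_step3(state, 0)
    _, opened = prover_step3(state, 1)
    inv = {pi[u]: u for u in range(len(G))}
    succ = {inv[i]: inv[j] for i, j in opened}  # opened slots mapped back through pi^-1
    cyc = [0]
    while len(cyc) < len(G):
        cyc.append(succ[cyc[-1]])
    return cyc
```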

  12. Applications of proofs of knowledge
  • A goal in itself: Sudoku example. www.wisdom.weizmann.ac.il/~naor/PAPERS/SUDOKU_DEMO/
  • Identification:
    • I know a secret that only the claimed entity should know
    • Allows for public-key identification
  • Important as an internal component of protocols
    • To be able to make sense out of intuitions like "Player has a value"

  13. Public-key identification
  • Generation: G:{0,1}* → {0,1}* × {0,1}* mapping random bits to public key K_p and secret key K_s
  • Identification: prover and verifier both know K_p and prover knows K_s
    • Interactive protocol; at the end the verifier accepts/rejects
  • Completeness: a prover who knows K_s always makes the verifier accept
  • Unforgeability: for any polynomial ℓ
    • If the adversary controls V* for ℓ identification sessions
      • Can act as it wishes
    • Then tries to act as prover P* and make the real verifier accept
    Has negligible probability of succeeding
  • Insecure against online transfers: mafia scam or man-in-the-middle
  Parallel? Concurrent? Sequential?

  14. Public-key identification
  • Public-key: Y=f(X), secret X ∈ {0,1}^k, where f is a one-way function
  • To identify: run a zero-knowledge proof of knowledge for an inverse of Y
    • Prover knows X
    • Since f is in P, can reduce to Hamiltonicity
  • Unforgeability: without any sessions as verifier:
    • A forger will be caught whp
    • Else can extract X from it, violating the hardness of f.
  • If forger succeeds after ℓ sessions as verifier
    • Run the simulator S for ℓ sessions and then run the extraction
  • Receiver cannot prove that the interaction took place
    • Bug or feature?

  15. Public-key identification
  Can use witness indistinguishability instead of zero-knowledge
  • Public-key: Y_0=f(X_0) and Y_1=f(X_1) where f is a one-way function. Secret key: X_0 or X_1
  • To identify: run a witness-indistinguishable proof of knowledge for an inverse of Y_0 or Y_1
    • Prover knows X_0 or X_1
    • Since f is in P, can reduce to Hamiltonicity
  • Unforgeability: given a forger A, can use it to invert f
    • run it knowing one of the inverses.
    • Then run the extractor on the forging session and extract an inverse to Y_0 or Y_1.
    • If the known inverse is more likely to be extracted: violates WI
    • Otherwise successful inversion with probability 1/2

  16. Protocol for quadratic residuosity
  • Given y, N where N=P·Q, want to prove that y is a quadratic residue: there exists x such that x^2 = y mod N
  Zero-knowledge protocol for a Prover who knows x
  • Prover: choose random r ∈_R Z_N^* and send z = r^2 mod N
  • Verifier: send b ∈_R {0,1}
  • Prover: send v = x^b · r mod N
  • Verifier: check that v^2 = y^b · z mod N

  17. Analysis of Protocol
  • Completeness: perfect √
  • Soundness: if there exist v_0 and v_1 such that
    • v_0^2 = y^0 · z = z mod N and
    • v_1^2 = y · z mod N
    then v_1/v_0 is a square root of y.
    • Probability of cheating is at most ½
  • Zero-knowledge – simulator for V*:
    • guess b' ∈_R {0,1} and select v ∈_R Z_N^*
    • Send z = v^2 / y^{b'}
    • Obtain b ∈ {0,1} from V*
    • If b'=b proceed as planned: send v
    • Otherwise rewind V* and start from scratch
  Also a proof of knowledge

  18. Claim: for every V* (not necessarily ppt) the simulator stops in an expected constant number of trials
  Proof: given z, the distribution on b' is unbiased, so in half the cases b'=b
  Claim: the distributions of (S,V*) and (P,V*) are indistinguishable; in fact they are identical
  The protocol is a perfect zero-knowledge proof system
  Statistical (perfect) zk: the distribution of the simulator is ε-close to the actual distribution, where ε is negligible in the security parameter. In perfect zk, ε=0
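The quadratic residuosity protocol of slides 16 to 18 as an added Python example (not code from the lecture): honest prover and verifier steps, the root extraction that underlies soundness, and the rewinding simulator run against an arbitrary verifier strategy v_star(z) without access to x. The toy primes and the verifier strategy used in the test are constructed; sizes are illustrative only.

```python
import random
from math import gcd

def rand_unit(N):  # uniform element of Z_N^*
    while True:
        a = random.randrange(1, N)
        if gcd(a, N) == 1:
            return a

def keygen(p, q):  # public (N, y) with y = x^2 mod N; prover's secret root x
    N = p * q
    x = rand_unit(N)
    return (N, x * x % N), x

def prover_commit(N):  # step 1: random r, send z = r^2 mod N
    r = rand_unit(N)
    return r, r * r % N

def prover_respond(N, x, r, b):  # step 3: v = x^b * r mod N
    return pow(x, b, N) * r % N

def verifier_check(N, y, z, b, v):  # accept iff v^2 = y^b * z mod N
    return v * v % N == pow(y, b, N) * z % N

def extract_root(N, z, v0, v1):
    # Soundness / proof of knowledge: accepting answers to b=0 and b=1 for one z give v1/v0 = sqrt(y).
    return v1 * pow(v0, -1, N) % N

def simulate(N, y, v_star):
    # Simulator for any verifier strategy v_star(z) -> b, run without x: guess b', pick v,
    # send z = v^2 / y^b'; if V* answers b != b', rewind and start over. z is uniform over the
    # quadratic residues whatever b' is, so each trial succeeds with probability exactly 1/2.
    tries = 0
    while True:
        tries += 1
        b_guess = random.randrange(2)
        v = rand_unit(N)
        z = v * v * pow(pow(y, b_guess, N), -1, N) % N
        b = v_star(z)
        if b == b_guess:
            return (z, b, v), tries

def run_honest(N, y, x, v_star):  # the real interaction (P, V*) for comparison
    r, z = prover_commit(N)
    b = v_star(z)
    return z, b, prover_respond(N, x, r, b)
```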

  19. Statistical Zero-Knowledge
  So if statistical zero-knowledge is so good, why not use it all the time?
  Definition: L is a promise problem
  SZK = {L | L has a statistical zero-knowledge protocol}
  HVSZK = {L | L has an honest verifier statistical zero-knowledge protocol}
  Clearly: SZK ⊆ HVSZK, since any protocol good against all verifiers is good against honest ones as well

  20. Promise Problems
  A promise problem L is similar to a language recognition problem except that there is a set A
  • if x ∈ A then should report correctly whether x ∈ L or not
  • if x ∉ A then do not care how the algorithm responds
  Example: unique SAT, A = {φ | either φ is not satisfiable or φ has a unique satisfying assignment}, i.e. the two cases to distinguish are 0 satisfying assignments and 1 satisfying assignment
  If A = {0,1}^n, then this is the usual language recognition problem

  21. Public Coins: Arthur-Merlin Games
  • Definition of IP permits the verifier to keep its coin-flips private
    • necessary feature?
    • The quadratic residuosity protocol we saw breaks without it
  • New characters: Arthur as the verifier and Merlin as the prover

  22. Public Coins: Arthur-Merlin Games
  • Arthur-Merlin game: interactive protocol in which coin-flips are public
    • Arthur (verifier) may as well just send the results of the coin-flips. No point in doing any computation until the final step
    • If more complicated computation is needed, Merlin (prover) can perform by himself any computation Arthur would have done
    • Merlin does not know the coin flips in advance
  • Complexity class defined by limiting the # of rounds:
    • AM[k] = Arthur-Merlin game with k rounds, Arthur goes first
    • MA[k] = Arthur-Merlin game with k rounds, Merlin goes first
  Theorem: AM[k] (MA[k]) equals AM[2] (MA[2]) with perfect completeness.

  23. Relationship between the complexity classes
  [Diagram of the inclusions between complexity classes: P, BPP, NP, coNP, MA, Co-MA, AM, Co-AM, Δ2P, Σ2P, Π2P, PH, #P, PSPACE=IP, EXP]
  If NP ⊆ Co-AM then the polynomial-time hierarchy collapses
  Under the current world view: no Co-NP-complete problem can have an AM protocol

  24. A mechanism for showing non-hardness of problems
  • By placing a problem in AM ∩ Co-AM one demonstrates that the problem is not NP-complete according to the current world view
  • Alternatively, one can view it as a method for showing impossibility of certain types of protocols
  Example: Graph Isomorphism

  25. Statistical Zero-Knowledge
  Theorem: if a language L has a statistical zero-knowledge proof system, then L ∈ AM ∩ Co-AM
  Conclusion: if interested in zero-knowledge proofs for all languages in NP, need to either
  • Relax the notion of proof: argument
    • Prover is assumed to be a polynomial time machine
    • Having access to some secret information
    • Such protocols exist assuming a certain kind of commitment exists
    • Based on one-way permutations. Now functions!
  • Another possible relaxation of proof: assume that there are two provers who do not exchange information during the execution of the protocol
    This led to PCP

  26. Exercise: Commitment with two provers
  • Suggest a commitment protocol for two provers
    • They agree on a random string before the beginning of the protocol
    • Verifier/receiver talks to both of them
    • They are assumed not to talk to each other during the execution of the protocol
      • How to enforce?
    • Only one of them needs to know the string x to which they are committing
  • Define the properties of the protocol

  27. Everlasting Security
  Advantage of statistical/perfect proofs and arguments:
  • The computational assumptions and limitations on the adversary are made only for a fixed time period.
  Bounded storage model

  28. Significance of public coins protocols
  • If there is a trusted source of randomness that broadcasts after the initial commitments are made
    • Beacon
    • For instance: sun spots
  Can have a "non-interactive" protocol
  • If there is a publicly available random function h
    • Only access is via a standard interface
  Can turn an identification protocol into a signature protocol
  • Coins for the challenge derived from the message m to be signed and the first round message.
  • Three-round identification: P → V: c1; V → P: c2 (random); P → V: c3
  • Signature: (c1, c3), where c2 = h(c1, m)
  • Fiat-Shamir signatures
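The Fiat-Shamir transform of slide 28 applied to the quadratic residuosity identification protocol, as an added Python example that is not from the lecture: K rounds are run in parallel, the verifier's coins c2 are replaced by h(c1, m), and the signature is (c1, c3). It assumes SHA-256 as the concrete stand-in for the public random function h (the heuristic of the next slide) and the same toy key generation as the interactive protocol; the primes and messages in the test are constructed.

```python
import hashlib, random
from math import gcd

K = 32  # parallel rounds; guessing all challenge bits in advance succeeds with probability 2^-K

def rand_unit(N):  # uniform element of Z_N^*
    while True:
        a = random.randrange(1, N)
        if gcd(a, N) == 1:
            return a

def keygen(p, q):  # public (N, y = x^2 mod N), secret root x; toy-size primes (assumption)
    N = p * q
    x = rand_unit(N)
    while x * x % N == 1:  # skip trivial roots, for which y = 1 and every challenge bit is accepted
        x = rand_unit(N)
    return (N, x * x % N), x

def challenge(c1, m, k=K):
    # c2 = h(c1, m): the verifier's public coins become SHA-256 of (first message, message).
    # SHA-256 models the "publicly available random function h" (assumption, see slide 29).
    digest = hashlib.sha256(",".join(map(str, c1)).encode() + b"|" + m).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(k)]  # k <= 256 bits

def sign(N, y, x, m, k=K):
    rs = [rand_unit(N) for _ in range(k)]
    c1 = [r * r % N for r in rs]                            # k first-round commitments z_i = r_i^2
    bits = challenge(c1, m, k)                              # c2 is derived, not chosen by a verifier
    c3 = [pow(x, b, N) * r % N for r, b in zip(rs, bits)]   # v_i = x^{b_i} * r_i
    return c1, c3                                           # c2 is omitted: anyone can recompute it

def verify(N, y, m, sig, k=K):
    c1, c3 = sig
    if len(c1) != k or len(c3) != k:
        return False
    bits = challenge(c1, m, k)  # recompute c2 from the signature's c1 and the claimed message
    return all(v * v % N == pow(y, b, N) * z % N for z, b, v in zip(c1, bits, c3))
```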

  29. Common heuristic
  • Replace the publicly available random function h with some concrete and fixed function
  • Proof of security goes away
  • There are examples of schemes that are secure but any instantiation of h makes them insecure

  30. Interactive Authentication
  P wants to convince V that he is approving message m
  P has a public key K_P of an encryption scheme E. To authenticate a message m:
  • V → P: Choose r ∈_R {0,1}^n. Send c = E(m∘r, K_P)
  • P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
  V is satisfied if he receives the same r he chose

  31. Is it Safe?
  • Definition of security: existential unforgeability against adaptive chosen message attack
    • Adversary can ask to authenticate any sequence of messages m_1, m_2, …
    • Has to succeed in making V accept a message m that was not authenticated
    • Has complete control over the channels
  • Intuition of security: if E does not leak information about the plaintext
    • Nothing is leaked about r
  • Several problems: if E is "just" semantically secure against chosen plaintext attacks:
    • Adversary might change c = E(m∘r, K_P) into c' = E(m'∘r, K_P)
      • Malleability
    • not sufficient to verify the correct form of the ciphertext in the simulation
    • Closer to a chosen ciphertext attack

  32. No receipts
  • Can the verifier convince a third party that the prover approved a certain message?

  33. Authentication and Non-Repudiation
  • Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to a third party - Non-repudiation.
    • Essential to contract signing, e-commerce…
  • Digital Signatures: last 25 years major effort in
    • Research
      • Notions of security
      • Computationally efficient constructions
    • Technology, Infrastructure (PKI), Commerce, Legal

  34. Is non-repudiation always desirable?
  Not necessarily so:
  • Privacy of conversation, no (verifiable) record.
    • Do you want everything you ever said to be held against you?
  • If Bob pays for the authentication, he shouldn't be able to transfer it for free
  • Perhaps can gain efficiency
  • Alternative: (Plausible) Deniability
    • If the recipient (or any recipient) could have generated the conversation himself
    • or an indistinguishable one

  35. Deniable Authentication
  Setting:
  • Sender has a public key known to the receiver
  • Want an authentication scheme such that the receiver keeps no receipt of the conversation. This means:
    • Any receiver could have generated the conversation itself.
    • There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
    • Exactly as in Zero-Knowledge!
    • An example where zero-knowledge is the end, not the means!
  Proof of security consists of Unforgeability and Deniability

  36. A Public Key Authentication Protocol
  P has a public key PK of an encryption scheme E. To authenticate a message m:
  • V → P: Choose r ∈_R {0,1}^n and random bits ρ ∈ {0,1}*. Send Y = E(PK, m∘r, ρ)
  • P → V: Verify that the prefix of the plaintext is indeed m. If yes, send r.
  V accepts iff the received r' = r
  Is it Unforgeable? Is it Deniable?

  37. Security of the scheme
  Unforgeability: depends on the strength of E
  • Sensitive to malleability:
    • if given E(PK, m∘r, ρ) one can generate E(PK, m'∘r', ρ') where m' is related to m and r' is related to r, then one can forge.
  • The protocol allows a chosen ciphertext attack on E.
    • Even of the post-processing kind!
  • Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
    • Works even against concurrent executions.
  Deniability: does V retain a receipt?
  • It does not retain one for an honest V
  • Need to prove knowledge of r
  We will see encryption schemes satisfying the desired requirements
