CRYPTOGRAPHIC PROTOCOLS 2018, LECTURE 8CRYPTOGRAPHIC PROTOCOLS 2018, LECTURE 8 Sigma protocols Helger Lipmaa University of Tartu, Estonia Lecture: 01.11.18 Slides last modiﬁed: 03.11.18

CRYPTOGRAPHIC PROTOCOLS 2018, LECTURE 8

Sigma protocols

Helger Lipmaa University of Tartu, Estonia

Lecture: 01.11.18Slides last modified: 03.11.18

UP TO NOW

UP TO NOW

Introduction to the field

UP TO NOW


Secure computation protocols

UP TO NOW



Can do almost everything in semihonest model

UP TO NOW



Can do almost everything in semihonest model

Introduction to malicious model

THIS TIME

THIS TIME

Reminder: malicious model

THIS TIME

Reminder: malicious modelZero knowledge: very basics

THIS TIME

Reminder: malicious modelZero knowledge: very basicsΣ-Protocols: a particular type of "ZK" protocols

THIS TIME


motivation

THIS TIME


motivationsecurity definitions

THIS TIME


motivationsecurity definitionsexamples

Note: remade slides compared to 2016 (no graphs anymore)

RECALL: "SECOND IDEA”


Do not reveal the witness



Instead let the party to prove that such a witness exists



Instead let the party to prove that such a witness exists

so that the proof does not reveal any side information apart from that

Zero-knowledge proof

REMARK: AUTHENTICATION

If the last idea sounds crazy, think about authentication



pk, sk pk



pk, skI am The Doctor

pk




Prove it!

pk




Prove it!

sk

pk




Prove it!

sk

ZK proof of knowledge of sk

pk

ZK PROOF: SHORT DEFINITION


Syntax: ZK proof is a protocol between a prover P and a verifier V, at the end of which V either accepts or rejects


Syntax: ZK proof is a protocol between a prover P and a verifier V, at the end of which V either accepts or rejectsZK proof satisfies the following security requirements:



Completeness: honest V accepts honest P



Completeness: honest V accepts honest PSoundness: honest V does not accept malicious P*



Completeness: honest V accepts honest PSoundness: honest V does not accept malicious P*Zero-knowledge: malicious V* learns from the proof with a honest P that P is honest and nothing else



Completeness: honest V accepts honest PSoundness: honest V does not accept malicious P*Zero-knowledge: malicious V* learns from the proof with a honest P that P is honest and nothing else

formal definitions are much more complicated, see the next lecture

RECALL: HOMOMORPHIC E-VOTING

Enc(f(ci))

Σf(ci)ci∈{0,...,C - 1}

Enc(Σf(ci))sk

pkpkVote collector: sees who sent which ciphertext,

cannot decrypt

Tallier: sees anonymous ciphertext, can decrypt

RECALL: HOMOMORPHIC E-VOTING

Enc(f(ci))

Σf(ci)ci∈{0,...,C - 1}

Enc(Σf(ci))sk

pkpkVote collector: sees who sent which ciphertext,

cannot decrypt

Tallier: sees anonymous ciphertext, can decrypt

+ ZK proof that the plaintext is f(ci)

for some i + ZK proof that decryption was

correct

no need for ZK proof (product of

public ciphertexts)

RECALL: MIXNET BASED E-VOTING

Ci=Enc(ci)

pk

pk

π: random permutationri - random randomizers

Ci’=Cπ(i) · Enc(0; ri)

π’: random permutationri' - random randomizers

Ci''=C'π'(i) · Enc(0; ri')

pk sk: threshold

{c i} in s

ome o

rder


Ci=Enc(ci)

pk

pk




Ci''=C'π'(i) · Enc(0; ri')

pk sk: threshold

{c i} in s

ome o

rder

+ ZK proof that the the shuffle is

correct


Ci=Enc(ci)

pk

pk




Ci''=C'π'(i) · Enc(0; ri')

pk sk: threshold

{c i} in s

ome o

rder

+ ZK proof that the the shuffle is

correct + ZK proof that decryption was

correct

NOTE ON DIFFICULTY

NOTE ON DIFFICULTY

Some ZK proofs are obviously much more complex than others

NOTE ON DIFFICULTY

Some ZK proofs are obviously much more complex than othersProof of correct decryption:

NOTE ON DIFFICULTY


with Paillier, tallier can compute both m and rEasy exercise. Note: tallier knows sk

NOTE ON DIFFICULTY


with Paillier, tallier can compute both m and rproof = (m, r) Easy exercise. Note: tallier knows sk

NOTE ON DIFFICULTY


with Paillier, tallier can compute both m and rproof = (m, r)

Proof of correct shuffle: ???

Easy exercise. Note: tallier knows sk

GENERAL PROTOCOL DESIGN


Design a passively secure protocol


Design a passively secure protocolI.e., that protects privacy given participants follow the protocol


Design a passively secure protocolI.e., that protects privacy given participants follow the protocol... take any protocol we have seen up to now


Design a passively secure protocolI.e., that protects privacy given participants follow the protocol... take any protocol we have seen up to now

Make it secure in the malicious model by adding ZK proofs to all messages

of course this needs "some" care: you need to know which ZK to addefficiency, ...

PROOFS VS PROOFS OF KNOWLEDGE


ZK Proof:


ZK Proof:Complete: honest prover convinces honest verifier


ZK Proof:Complete: honest prover convinces honest verifierSound: dishonest prover does not convince honest verifier


ZK Proof:Complete: honest prover convinces honest verifierSound: dishonest prover does not convince honest verifierZero Knowledge: dishonest verifier only gets to know that honest prover is honest



ZK Proof of Knowledge: (in addition)



ZK Proof of Knowledge: (in addition)Proof of Knowledge (stronger soundness): honest prover convinces honest verifier that he knows "why he is honest" --- i.e., knows some secret "witness"

AUTHENTICATION, REVISITED

Prover P Verifier V


pk, sk pkProver P Verifier V



pkProver P Verifier V



Prove it!




Prove it!

sk




Prove it!

sk





Prove it!

sk


pk

Proof: I can sign your document with Doctor's secret key. Leaks information (new signatures), not really ZK. ZK proofs do not make sense in this application

Proof of knowledge: I know sk (nothing else is leaked)

Prover P Verifier V

MOTIVATION BY EXAMPLES


We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledge


We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledgeWe will later see other protocols that are "secure" in the same sense


We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledgeWe will later see other protocols that are "secure" in the same senseCommon name: Σ protocols


We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledgeWe will later see other protocols that are "secure" in the same senseCommon name: Σ protocolsWe then formally define security of such protocols

Σ-PROTOCOL FOR DL

Σ-PROTOCOL FOR DL

DL proof: // proof of knowledge of DL

Σ-PROTOCOL FOR DL

DL proof: // proof of knowledge of DLprove that you know x such that pk = gx

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of r

Σ-PROTOCOL FOR DL



gx+rgr

gx

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 1: reveal both r and z ← x + r

gx+rgr

gx

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 1: reveal both r and z ← x + rProblem:

gx+rgr

gx

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 1: reveal both r and z ← x + rProblem:

if verifier gets to know both r and z then she can compute x ← z - r

gx+rgr

gx

Σ-PROTOCOL FOR DL

Σ-PROTOCOL FOR DL



Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 2: reveal one of r and z ← x + r

gx+rgr

gx

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 2: reveal one of r and z ← x + rProblem:

gx+rgr

gx

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 2: reveal one of r and z ← x + rProblem:

If prover knows that say z is revealed, then she can sample it randomly

gx+rgr

gx

Σ-PROTOCOL FOR DL

Idea:• honest P succeeds always• malicious P fails w.p. 50%

Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 3:


Σ-PROTOCOL FOR DL


QUIZ: any ideas how to do it?Hint: generate a = gr for random r, and use the knowledge of rSolution 3:

first reveal gr and then let the verifier to pick whether she wants to see r or z ← x + r

gx+rgr

gx

with prob. 1/2


Σ-PROTOCOL FOR DL

pk = gx, sk = x pk

Σ-PROTOCOL FOR DL

pk = gx, sk = x pk1. r ←$ Zq

2. a ← gr

Σ-PROTOCOL FOR DL

pk = gx, sk = xa

pk1. r ←$ Zq

2. a ← gr

Σ-PROTOCOL FOR DL

pk = gx, sk = xa

pk1. r ←$ Zq

2. a ← gr

c ← {0, 1}

Σ-PROTOCOL FOR DL

pk = gx, sk = xa

c

pk1. r ←$ Zq

2. a ← gr

c ← {0, 1}

Σ-PROTOCOL FOR DL

pk = gx, sk = xa

c

pk1. r ←$ Zq

2. a ← gr

c ← {0, 1}

z ← c x + r

Σ-PROTOCOL FOR DL

pk = gx, sk = xa

c

pk1. r ←$ Zq

2. a ← gr

c ← {0, 1}

z ← c x + r

z

Σ-PROTOCOL FOR DL

pk = gx, sk = xa

c

pk1. r ←$ Zq

2. a ← gr

c ← {0, 1}

z ← c x + r

z

1. If gz = pkc a then accept2. else reject

KNOWLEDGE ERROR

KNOWLEDGE ERROR

Honest Prover is accepted with probability 1

KNOWLEDGE ERROR

Honest Prover is accepted with probability 1Dishonest Prover is accepted with non-zero probability κ = 1/2

KNOWLEDGE ERROR

Honest Prover is accepted with probability 1Dishonest Prover is accepted with non-zero probability κ = 1/2Def (informal). Κnowledge error = κ

KNOWLEDGE ERROR

Honest Prover is accepted with probability 1Dishonest Prover is accepted with non-zero probability κ = 1/2Def (informal). Κnowledge error = κEvery Σ-protocol has non-zero knowledge error

KNOWLEDGE ERROR

Honest Prover is accepted with probability 1Dishonest Prover is accepted with non-zero probability κ = 1/2Def (informal). Κnowledge error = κEvery Σ-protocol has non-zero knowledge error

Prover can just guess Verifier's challenge and prepare first message accordingly

A BIT OF TERMINOLOGY


All such proofs are of type:


All such proofs are of type:does input inp belong to language L?



The prover knows a witness w



The prover knows a witness wProving inp ∈ L can be done efficiently, given w



The prover knows a witness wProving inp ∈ L can be done efficiently, given wProof of knowledge: Prover proves he knows w




DL proof: L = {pk ∈ G}inp = pkw = dlogg pk

Here, L is “trivial" but it’s a special case




DL proof: L = {pk ∈ G}inp = pkw = dlogg pk

Here, L is “trivial" but it’s a special case

DDH proof: L = {(h1, h2) ∈ G2}: ∃ x, (h1, h2)=(g1, g2)x}inp = (h1, h2)w = x

Σ-PROTOCOLS: SYNTAX

input, witness input


input, witness1st message: commitment a

input



2nd message: challenge c

input




3rd message: response z

input





input


Requirement: c is chosen from some challenge set C randomly. (Does not depend on a!)Terminology: public coin protocol

Σ-PROTOCOLS: FORMAL DEFINITION

A protocol (P, V) is a Σ-protocol, if

1. it is a three-message public-coin protocol: it has three messages, with the prover starting, and the second message is completely random and independent of the first message

2. Security: it is complete, specially sound, and special honest-verifier zero knowledge

Definition

Σ-PROTOCOLS: FORMAL DEFINITION

A protocol (P, V) is a Σ-protocol, if

1. it is a three-message public-coin protocol: it has three messages, with the prover starting, and the second message is completely random and independent of the first message

2. Security: it is complete, specially sound, and special honest-verifier zero knowledge

Definition




input

Σ-PROTOCOLS: SECURITY

1. Completeness 2. Special Soundness 3. Special Honest-Verifier ZK (SHVZK)




input


Completeness: if Prover is honest then honest Verifier always accepts.DL protocol has it




input


Special Soundness (with knowledge error κ): if Prover is dishonest then honest Verifier accepts with probability not much larger than κ.DL protocol has it (intuitively)

SPECIAL SOUNDNESS: MORE


Our proof of special soundness for DL relied on the next (informal) fact:



If (possibly malicious) P* makes honest V always accept, then P* “knows” x such that y = gr and pk · y = gx + r and thus pk = gx



If (possibly malicious) P* makes honest V always accept, then P* “knows” x such that y = gr and pk · y = gx + r and thus pk = gx

We will next make this intuition more formal

SEMIFORMALLY: SPECIAL SOUNDNESS


Assume a dishonest prover P* can make honest verifier V to accept with some probability ε > κ

This guarantees κ is really the "limit"


Assume a dishonest prover P* can make honest verifier V to accept with some probability ε > κThen V can "extract" the witness (here, x) from P* in time, related to ε - κ



Assume a dishonest prover P* can make honest verifier V to accept with some probability ε > κThen V can "extract" the witness (here, x) from P* in time, related to ε - κHowever, V is a pre-defined algorithm

=> we have a proof of knowledge



Assume a dishonest prover P* can make honest verifier V to accept with some probability ε > κThen V can "extract" the witness (here, x) from P* in time, related to ε - κHowever, V is a pre-defined algorithm

We define a new algorithm, an extractor K, that communicates with P* and extracts x from P*

=> we have a proof of knowledge


As in reductions, K can only communicate with P*. K does not know anything else about P* apart from what P* outputs

FORMALLY: SPECIAL SOUNDNESS

A Σ-protocol (P, V) is specially sound, if there exists a probabilistic expected poly-time extractor algorithm K, such that if a prover P* (possibly malicious) can make V to accept with a probability ε > κ, then K can --- after playing the role of V in possibly many instances of the protocol with P --- output the value of the witness

Definition

FORMALLY: SPECIAL SOUNDNESS

A Σ-protocol (P, V) is specially sound, if there exists a probabilistic expected poly-time extractor algorithm K, such that if a prover P* (possibly malicious) can make V to accept with a probability ε > κ, then K can --- after playing the role of V in possibly many instances of the protocol with P --- output the value of the witness

Definition

However, K must have some "superpower": otherwise V could do the same and extract witness. Here: rewinding

REMINDER: SPECIAL SOUNDNESS

input = pkwitness = x

a

c

input = pk1. r ←$ Zq

2. a ← gr

c ← {0, 1}

z ← c x + r

z


REMINDER: SPECIAL SOUNDNESS


a

c


2. a ← gr

c ← {0, 1}

z ← c x + r

z


Intuition. Assume P* makes V to accept with probability 1.

Then y = gr and pk · y = gx + r

SPECIAL SOUNDNESS: REWINDING

input = pkwitness = x input = pk



ainput = pk



ainput = pk



a

c

input = pk



a

c

input = pk

z



a

c

input = pk

zFormally, K plays V in the protocol. K does the following:

Execute the protocol once with c = 0. Store (a, 0, z)Create a breakpoint for prover directly after sending a



ainput = pk

After that:Rewind P* to the breakpoint (the state P* was directly after sending a). Challenge with c* = 1, get P*'s answer, and store (a, 1, z*)



a

c* ≠ c

input = pk




a

c* ≠ c

input = pk

z*


REWINDING: ANALYSIS


a

c* ≠ c

input = pk

z*Since P* makes V accept with probability 1, this means that (a, 0, z) and (a, 1, z*) are both accepting viewsSince both views accept,

gz = pk0 · a gz* = pk1 · a

But then pk = gz* - z and thus x = z* - z

GENERAL K.E.

GENERAL K.E.

Previous analysis only works if ε = 1

GENERAL K.E.

Previous analysis only works if ε = 1Assume P* makes V to accept with any probability ε > κProbability ε is both over the randomness ω of P* and c of V P* (inp, ω) generates a,

P* (inp, ω, c) generates z

GENERAL K.E.

Previous analysis only works if ε = 1Assume P* makes V to accept with any probability ε > κ

Construct a Boolean matrix AProbability ε is both over the randomness ω of P* and c of V P* (inp, ω) generates a,

P* (inp, ω, c) generates z

GENERAL K.E.


Construct a Boolean matrix AAω, c = 1 iff V accepts given that P* has random string ω and verifier has random string c

Probability ε is both over the randomness ω of P* and c of V P* (inp, ω) generates a, P* (inp, ω, c) generates z

11

1 11

ω

c

GENERAL K.E.


Construct a Boolean matrix AAω, c = 1 iff V accepts given that P* has random string ω and verifier has random string cKnown: fraction ε of entries are 1


11

1 11

ω

c

GENERAL K.E.


Construct a Boolean matrix AAω, c = 1 iff V accepts given that P* has random string ω and verifier has random string cKnown: fraction ε of entries are 1There exists a row with two 1-s iff


11

1 11

ω

c

ε > κ := 1C , C := |{c} |

GENERAL K.E.

GENERAL K.E.

If P* makes V to accept with prob. ε > κ, K does:

GENERAL K.E.

If P* makes V to accept with prob. ε > κ, K does:1. Generate random (ω, c) until V accepts the resulting

view (a, c, z) 1 / ε expected steps

GENERAL K.E.


view (a, c, z)2. Generate random c* (but use the same ω) until V

accepts the resulting view (a, c*, z*)

1 / ε expected steps

GENERAL K.E.




1. If c = c* then goto 1


Happens with some prob. p

GENERAL K.E.





3. Now K has (a, c, z), (a, c*, z*), with c ≠ c*, and can retrieve witness as before



GENERAL K.E.






Tprobes := the number of probed matrix entries before this happens



2 / (pε) expected steps

GENERAL K.E.






Tprobes := the number of probed matrix entries before this happens

47 6 52

13

2

35 4 61

ω

c



2 / (pε) expected steps


GENERAL EXTRACTOR

GENERAL EXTRACTOR

One has to analyze the number of expected number of steps Tprobes that guarantees that K will with high probability obtain such views

Expected: with small probability, the number of steps can be very large

GENERAL EXTRACTOR

One has to analyze the number of expected number of steps Tprobes that guarantees that K will with high probability obtain such viewsWill omit precise analysis Expected: with small probability, the

number of steps can be very large

GENERAL EXTRACTOR

One has to analyze the number of expected number of steps Tprobes that guarantees that K will with high probability obtain such viewsWill omit precise analysisAnswer:


GENERAL EXTRACTOR


Tprobes ≤ 2 / (ε - κ): expected number of runs


GENERAL EXTRACTOR


Tprobes ≤ 2 / (ε - κ): expected number of runsExamples:


GENERAL EXTRACTOR


Tprobes ≤ 2 / (ε - κ): expected number of runsExamples:ε = 1, κ = 1 / 2: Tprobes ≤ 2 / (1 - 1 / 2) = 4


GENERAL EXTRACTOR


Tprobes ≤ 2 / (ε - κ): expected number of runsExamples:ε = 1, κ = 1 / 2: Tprobes ≤ 2 / (1 - 1 / 2) = 4ε = 3 / 4, κ = 1 / 2: Tprobes ≤ 2 / (3 / 4 - 1 / 2) = 8


GENERAL EXTRACTOR


Tprobes ≤ 2 / (ε - κ): expected number of runsExamples:ε = 1, κ = 1 / 2: Tprobes ≤ 2 / (1 - 1 / 2) = 4ε = 3 / 4, κ = 1 / 2: Tprobes ≤ 2 / (3 / 4 - 1 / 2) = 8ε = k-c, κ = 1 / q = 2-k: Tprobes ≤ 2 / (k-c - 2-k) ≈ 2 kc


GENERAL EXTRACTOR



// If ε - κ is non-negligible then Tprobes is polynomial


GENERAL EXTRACTOR



// If ε - κ is non-negligible then Tprobes is polynomial k: security parameter


SPECIAL SOUNDESS: SIMPLIFIED


Due to what we saw on last slides, we can somewhat simplify the special soundness definition


Due to what we saw on last slides, we can somewhat simplify the special soundness definitionWe know the relation between ε - κ and the running time of extractor


Due to what we saw on last slides, we can somewhat simplify the special soundness definitionWe know the relation between ε - κ and the running time of extractorWe can just assume that if we have already found two accepting views (a, c, z), (a, c*, z*) with c ≠ c*, then K can efficiently retrieve the witness


Due to what we saw on last slides, we can somewhat simplify the special soundness definitionWe know the relation between ε - κ and the running time of extractorWe can just assume that if we have already found two accepting views (a, c, z), (a, c*, z*) with c ≠ c*, then K can efficiently retrieve the witnessWe can then use what we know to construct full extractor

SPECIAL SOUNDNESS: SIMPLIFIED

A Σ-protocol (P, V) is specially sound, if there exists a (deterministic) poly-time extractor algorithm K that, given two accepting views (a, c, z) and (a, c*, z*), such that c ≠ c*, can efficiently compute the value of the witness

Definition (simplified)

DL: PROOF OF SPECIAL SOUNDNESS


a

c


2. a ← gr

c ← {0, 1}

z ← c x + r

z

1. If gz = pkc · a then accept2. else reject

Construction of extractor: Given accepting views (a, 0, z) and (a, 1, z*), K outputs x ← z* - z

Analysis: 1. Since a is the same and both views accept, gz = y and gz* = pk · y2. Thus pk = gz* - z

STUDY OUTCOMES

STUDY OUTCOMES

Main idea of ZK proofs

STUDY OUTCOMES

Main idea of ZK proofsExample, very natural, protocol with "intuitive" security

STUDY OUTCOMES

Main idea of ZK proofsExample, very natural, protocol with "intuitive" securityΣ-protocols: definition

STUDY OUTCOMES

Main idea of ZK proofsExample, very natural, protocol with "intuitive" securityΣ-protocols: definitionMotivation and analysis of special soundness

NEXT LECTURE

NEXT LECTURE

More efficient Σ-protocols based on DL

NEXT LECTURE

More efficient Σ-protocols based on DLΣ-protocols for various relations about Elgamal plaintexts

NEXT LECTURE


For example: Σ-protocol that Elgamal plaintext is in {0, 1}

NEXT LECTURE


For example: Σ-protocol that Elgamal plaintext is in {0, 1}

Σ-protocol for Circuit-SAT

Documents

CRYPTOGRAPHIC PROTOCOLS 2018, LECTURE 8CRYPTOGRAPHIC PROTOCOLS 2018, LECTURE 8 Sigma protocols Helger Lipmaa University of Tartu, Estonia Lecture: 01.11.18 Slides last modiﬁed: 03.11.18