Online/Offline OR Composition of ∑-Protocols Michele Ciampi DIEM Università di Salerno ITALY Giuseppe Persiano DISA-MIS Università di Salerno ITALY Alessandra Scafuro Boston University and Northeastern University USA Luisa Siniscalchi DIEM Università di Salerno ITALY Ivan Visconti DIEM Università di Salerno ITALY
Proofs of Knowledge (PoKs) A fundamental crypto tool with many applications Identification Schemes Simulation-Based Security E-Voting Systems … Useful in cryptography when the witness is protected: Witness Indistinguishable (WI), Witness Hiding (WH), Zero Knowledge (ZK) e.g., prove knowledge of one thing OR another thing OR …
Proofs of Knowledge (PoKs) Observation: neither [LS90] nor [Schnorr89] need theorem+ witness Observation: [LS90] and [Schnorr89] need the theorem and witness only in the last round In theory In practice x∈L ∑-protocol for R x= gy P V gr c r+cy e.g. Discret Log [Schnorr89]) “(x, y) in RDlog” G NP-reduction x “(G, C) in RHAM” WI Proof of Knowledge of Hamiltonicity [Blum86, LapidotShamir90] P V m1 m2 m3
∑-protocol for relation R x P(w) V Completeness SHVZK Sim(x,c)⇒ Special Soundness a c z a’ c z’ ≡ x, (a c z) x, (a c’ z’) w: (x,w)∈ R
WI Proof of Knowledge of Hamiltonicity R0 OR R1 Consider the ∑-protocols 𝛴0 and 𝛴1 for R0 and R1 and compile them using [CramerDamgardSchoenmakers94] G NP-reduction (x0 V x1) WI Proof of Knowledge of Hamiltonicity [Blum86, LS90] P In theory In practice In both cases you get 3 rounds, WI and PoK “(G, C) in RHAM”
x0 and x1 are needed already No need to know any theorem R0 OR R1: The Gap In theory In practice G NP-reduction (x0 V x1) WI Proof of Knowledge of Hamiltonicity [Blum86, LS90] P Consider the ∑-protocols 𝛴0 and 𝛴1 for R0 and R1 and compile them using [CramerDamgardSchoenmakers94] “(G, C) in RHAM” x0 and x1 are needed already at the 1rd round No need to know any theorem already at the 1rd round
R0 OR R1: The Gap In theory In practice [LS90] [CDS94] Delayed-Input Completeness Completeness
Delayed-Input Completeness x (w) P V a c z
R0 OR R1: The Gap In theory In practice [LS90] [CDS94] Delayed-Input Completeness Adaptive-Input Proof of Knowledge Completeness Proof of Knowledge
Adaptive-Input PoK P* Extractor x x’ a x (a,c,z) c’ c x’ (a,c’,z’) z w witness for x
R0 OR R1: The Gap In theory In practice [LS90] [CDS94] Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Completeness Proof of Knowledge Witness Indistinguishable
Adaptive-Input WI (x,w1,w2) P (wb) V* a c z w1,w2 witnesses for x
R0 OR R1: The Gap In theory In practice [LS90] [CDS94] Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Assumption: OWP Completeness Proof of Knowledge Witness Indistinguishable Assumption: none
R0 OR R1: The Gap In theory In practice [LS90] [CDS94] Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Assumption: OWP Requires NP-reduction and gives Computational WI Completeness Proof of Knowledge Witness Indistinguishable Assumption: none No NP-reduction and gives Perfect WI
R0 OR R1: The Gap In theory In practice [LS90] [CDS94] Delayed-Input Completeness Adaptive-Input Proof of Knowledge Adaptive-Input Witness Indistinguishable Assumption: OWP Requires NP-reduction and gives Computational WI Applicable to All NP Completeness Proof of Knowledge Witness Indistinguishable Assumption: none No NP-reduction and gives Perfect WI Restricted to ∑-protocols
R0 OR R1 The Gap Recently Delayed-Input completeness is widely used A larger protocols using [CDS94] instead of [LS90] may have a worse round complexity e.g. [Pass – Eurocrypt 03], [KaOs – Crypto 04], [YuZh – Eurocrypt 07][ScVi – Eurocrypt 12][GRRV – FOCS 14]… [GMPP16 – tomorrow], [Kiayias0Z15 – CCS15], [BBKPV16 – eprint]… Recently Delayed-Input completeness is widely used
1) From PoK to Adaptive-Input PoK Our Results 1) From PoK to Adaptive-Input PoK 2) Bridging the gap
Our First Result: from PoK to Adaptive-Input PoK ∑-Protocols (in general) are not Adaptive-Input PoK x= gy P* gr c z=r+cy Extractor c’ x’= gy’ z’=r+c’y’ Issue observed in [BernhardPereiraWarinschi12] about weak Fiat-Shamir transform
Our Transform From PoK to Adaptive-Input PoK P V gr’ gr c z=r’+cr x= gy P gr c z=r+cy V gr’ z=r’+cr Our transform applies to the class described in [Cramer96, Maurer15, CramerDamgard98] e.g. Schnorr, Guillou–Quisquater, Diffie–Hellman, Multiplication proof for pedersen commitments, …
1) From PoK to Adaptive-Input PoK Our Results 1) From PoK to Adaptive-Input PoK 2) Bridging the gap
R0 OR R1: Bridging the Gap In theory In practice [LS90] [CDS94] Delayed-Input Completeness Adaptive-Input PoK Adaptive-Input WI Assumption: OWP Works with multiple OR compositions Requires NP-reduction and gives Computational WI Applicable to All NP Completeness Proof of Knowledge Witness Indistinguishable Assumption: none Works with multiple OR compositions No NP-reduction and gives Perfect WI Restricted to ∑-protocols [CPS+ TCC 2016-A] This work Semi-Delayed Input Completeness Proof of Knowledge Semi-Adaptive Input WI: one of two instances is adaptively chosen by V* Assumption: none Works with only one OR composition No NP-reduction and gives Perfect WI Restricted to (a large class of) ∑-protocols Delayed-Input Completeness: All input ∑-protocols have to be Delayed-Input Proof of Knowledge Adaptive-Input WI Assumption: DDH Works with multiple OR compositions No NP-reduction and gives Computational WI Restricted to (a large class of) ∑-protocols
Comparison: Summary Adaptive WI OWP Delayed-Input (all adaptive) Assumption Completeness Adaptive WI Adaptive PoK Online Efficiency [LS90] OWP Delayed-Input (all adaptive) k out of n NP-reduction [CDS94] / k out of n* Entire protocol [CPSSV16] Semi-Delayed Input (1 adaptive) This work DDH <=CDS94
Our Construction: Tools At least k are perfectly binding Sen Rec com=((com1, com2, …, comn), 𝚷) n-k commitments can be equivocated (K,N) Trapdoor Commitment ⅀: Delayed-Input ∑-protocol for the relation R Sim⅀: SHVZK simulator for ⅀ ComKN(m1, m2, …, mn) OpenKN(m1*, m2*, …, mn-k*) com dec
Our Construction: Main Idea e.g. k=1, n=2 R OR R P V x1,x2 P⅀ a1, a2 com=ComKN(a1, a2) c wb P⅀(xb,wb,a1, c) z1 Sim⅀(x1-b,c) a* z* a1 OpenKN(com, a*) dec -Is dec a valid opening for a* and a1 w.r.t com? -Is (a*, c ,z*) accepting for ⅀? -Is (a1, c ,z1) accepting for ⅀?
How to Construct an Efficient (K,N) Trapdoor Commitment (ga,gb,gab) ≈ (ga,gb,gc) How to Construct an Efficient (K,N) Trapdoor Commitment Ingredient 1: DDH DH tuple non-DH tuple
How to Construct an Efficient (K,N) Trapdoor Commitment Ingredient 2: Instance dependent trapdoor commitment (IDTC) from DDH Given T=(ga,gb,gc) Com(T,m) ⇒ dec, com Binding Perfect Hiding Computational If T is NDH Binding Computational Equivocal If T is DH Constructions of IDTC follow directly from known constructions of Trapdoor Commitments from ∑-Protocols [Dam10, HL10, DN02]
How to Construct an Efficient (K,N) Trapdoor Commitment At least k are perfectly binding Select T1, T2, …, Tn Run Com(Ti,mi) ⇒ (deci,comi) for i=1,…,n and send (com1, com2, …, comn) Prove with 𝚷 that at least k of the n tuples T1, T2, …, Tn are non-DH (prove with [CDS94]) Sen Rec (com1, com2, …, comn), 𝚷
Prove with 𝚷 that at least k of the n tuples T1, T2, …, Tn are non-DH e.g. k=1, n=2 T1=(ga1,gb1,gc1) T1’=(ga1,gb1,ga1・b1) T2’=(ga2,gb2,gc3) T2=(ga2,gb2,gc2) P V 𝚷CDS94: “T1’ is DH OR T2’ is DH” V accept ⇔ One out of T1, T2 is a non-DH tuple
More Results of Our Work Our previous construction woks for any (k,n) In the paper you can also find a construction that works for different NP-relations (e.g. RDlog or RDH) (This construction is non-trivial ad uses as a sub-protocol the construction showed before) We give also a compiler that transform a ∑-Protocol (belonging to the class described in [Cra96, Mau15, CD98]) in an Adaptive-Input PoK Open problem Is it possible to extend adaptive PoK to a larger class of ∑- Protocols?
thanks