Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.


Recap of last week’s lecture
Notion of security: equivalence of semantic security and indistinguishability of encryptions in the shared-key and public-key cases
Properties of semantically secure cryptosystems
Constructions of semantically secure cryptosystems
–Trapdoors
–Factoring (Blum-Goldwasser)
–Decisional Diffie-Hellman
–Shared key: pseudo-random functions

The world so far (diagram of the implications established so far)
Assumptions: One-way functions, P ≠ NP, Trapdoor permutations, Factoring is hard (BG permutations)
Primitives built from them: Pseudo-random generators, Pseudo-random functions, Pseudo-random permutations, UOWHFs, Signature schemes, Two-guards identification, Shared-key encryption (CPA) and authentication, Public-key encryption (CPA)

What’s next
Further notions of security
–Non-malleability
–Chosen ciphertext attacks
Protocols:
–Zero-knowledge proof systems
–Secure function evaluation

Commitments
Define
Construct
Applications:
–Coin-flipping
–Zero-Knowledge

String Commitment Protocols
Sender: input X ∈ {0,1}^n
Receiver: no explicit input
Two phases
–Commit
–Reveal
At the end of the protocol: Receiver obtains X and decides whether it is valid or not

Commitment Schemes
–Hiding: a computationally bounded Receiver learns nothing about X.
–Binding: s can only be “opened” to the value X.
(Figure: in the commit phase the Sender, holding X, sends the commitment s to the Receiver. In the reveal phase the Sender sends the opening v and X; the Receiver runs the verification algorithm on (s, v, X) and outputs yes/no.)

Commitment Protocol
(Figure: in the commit phase the Sender locks X in a box and hands it to the Receiver; in the reveal phase the Receiver can verify that X was the value in the box, and the Sender is bound to X.)

Following the commit phase the Receiver should not have gained any information about X
–Information theoretic?
–Computationally?
The Sender should be bound to X
–No two different and valid openings exist
–It is computationally infeasible to find two different valid openings

Both worlds?
Cannot have the best of both worlds:
Information-theoretic secrecy following the commit phase
–Distribution of the conversation is independent of X
Perfect binding
–No two different and valid openings exist (whp)
If the conversation is independent of X, the same conversation is consistent with some X’ ≠ X, so an unbounded Sender can open it either way: the two properties exclude each other.

Security Parameter
Want a family of protocols indexed by a security parameter
Relationship between the security parameter and the size of the hard problem

Definition: Computational Secrecy
Indistinguishability of committed strings:
Adversary A chooses X_0, X_1 ∈ {0,1}^n, receives the commit phase to X_b for b ←_R {0,1}, and has to decide whether b = 0 or b = 1.
For any pptm A and X_0, X_1 ∈ {0,1}^n:
|Pr[A = ‘1’ | b = 0] - Pr[A = ‘1’ | b = 1]| is negligible

...Computational Secrecy
Equivalent to semantic security of committed strings: whatever Adversary A can compute on the committed string X ∈ {0,1}^n, so can A’ that does not participate in the commit phase
A selects:
–Distribution D_n on {0,1}^n
–Relation R(X,Y) computable by a ppt

…Semantic Security
∀ pptm A ∀ R ∃ A’ such that for X ←_R D_n:
|Pr[R(X, A(commit))] - Pr[R(X, A’())]| is negligible.

Definition: Perfect Binding
For all adversaries A controlling the Sender, following the commit phase, with high probability over the random choices of the Receiver there are no two different and valid openings to X and X’

Protocol
Show a string commitment protocol with
–Indistinguishability of committed strings
–Perfect binding

Idea
Hide the value X in a linear function
–P·X + B
Who chooses/knows P and B?
–If the Sender: no binding
–If the Receiver: no hiding
Compromise:
–Receiver chooses P
–Sender chooses B, but B has to be of a special form.

Tool: Pseudo-Random Sequence Generator
G_4n : {0,1}^n → {0,1}^4n
A cryptographically strong pseudo-random sequence generator

The Protocol - Commit
Receiver: chooses P ←_R {0,1}^4n
Sender: input X ∈ {0,1}^n. Chooses S ←_R {0,1}^n. Computes and sends Y = X·P + G_4n(S)
Computation is done in GF[2^4n]

The Protocol - Reveal
Sender: sends S ∈ {0,1}^n
Receiver: computes X = (Y - G_4n(S))·P^-1
Computation is done in GF[2^4n]

Binding
Claim: the probability of a Sender being able to open equivocally is at most 2^-n
Sender can cheat given P iff ∃ S_1, S_2, X_1, X_2 ∈ {0,1}^n with X_1 ≠ X_2 s.t.
Y = X_1·P + G_4n(S_1) = X_2·P + G_4n(S_2), i.e.
P·(X_1 - X_2) = G_4n(S_2) - G_4n(S_1)

...Binding
There are 2^3n - 1 possibilities for S_1, S_2 and X_1 - X_2.
Probability that P validates such a triple is 2^-4n
Probability that P validates any triple is 2^-n
There exists a universal P. We don’t know how to find it, so the Receiver chooses it at random.
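The commit/reveal computation and the binding argument above, as an added example that is not part of the lecture: a toy instance with security parameter n = 2, so the field is GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 standing in for a degree-4n irreducible polynomial. The generator G_4n is replaced by a truncated SHA-256 (an assumption made only so the code runs; it is not a proven PRG), and the field is small enough to enumerate every receiver choice P and check exhaustively that the fraction of P admitting an equivocal opening stays below the 2^-n union bound.

```python
import hashlib
from functools import lru_cache
from itertools import combinations

# Toy parameters (constructed for illustration): n = 2, so strings live in
# GF(2^(4n)) = GF(2^8). A real instantiation uses a large n and a degree-4n
# irreducible polynomial; the protocol itself is unchanged.
N = 2
FIELD_BITS = 4 * N                 # 4n = 8
FIELD_SIZE = 1 << FIELD_BITS       # 2^(4n) = 256
IRREDUCIBLE = 0x11B                # x^8 + x^4 + x^3 + x + 1 (AES field polynomial)


def gf_mul(a, b):
    """Multiply a and b in GF(2^8): carry-less product reduced modulo IRREDUCIBLE."""
    result = 0
    for _ in range(FIELD_BITS):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE:         # degree reached 8: subtract the modulus
            a ^= IRREDUCIBLE
    return result


@lru_cache(maxsize=None)
def gf_inv(a):
    """Inverse P^-1 by exhaustive search (fine for a 256-element field)."""
    if a == 0:
        raise ZeroDivisionError("P = 0 has no inverse; the Receiver must re-sample")
    return next(c for c in range(1, FIELD_SIZE) if gf_mul(a, c) == 1)


@lru_cache(maxsize=None)
def G(seed):
    """Stand-in for G_4n: {0,1}^n -> {0,1}^4n. Assumption for this example:
    the first 4n = 8 bits of SHA-256(seed), not a proven pseudo-random generator."""
    assert 0 <= seed < (1 << N)
    return hashlib.sha256(bytes([seed])).digest()[0]


def commit(x, p, s):
    """Sender: Y = X*P + G_4n(S) in GF(2^4n); addition is XOR in characteristic 2."""
    return gf_mul(x, p) ^ G(s)


def reveal(y, p, s):
    """Receiver: X = (Y - G_4n(S)) * P^-1 from the opening S."""
    return gf_mul(y ^ G(s), gf_inv(p))


def equivocation_exists(p):
    """Binding check by brute force: given P, do S1, S2 and X1 != X2 exist with
    X1*P + G(S1) == X2*P + G(S2), i.e. P*(X1 - X2) == G(S2) - G(S1)?"""
    if p == 0:
        return True                # Y = G(S) then carries no information about X
    values = range(1 << N)
    for s1, s2 in combinations(values, 2):
        for x1 in values:
            for x2 in values:
                if x1 != x2 and commit(x1, p, s1) == commit(x2, p, s2):
                    return True
    return False


def cheating_fraction():
    """Fraction of Receiver choices P that admit an equivocal opening.
    The union bound in the lecture says this is at most 2^-n (here 1/4)."""
    bad = sum(1 for p in range(FIELD_SIZE) if equivocation_exists(p))
    return bad / FIELD_SIZE


if __name__ == "__main__":
    import random
    p = random.randrange(1, FIELD_SIZE)                      # Receiver's P
    x, s = random.randrange(1 << N), random.randrange(1 << N)  # Sender's X, S
    y = commit(x, p, s)
    print(f"P={p:#04x} X={x} S={s} -> Y={y:#04x}; reveal gives X={reveal(y, p, s)}")
    print(f"fraction of P admitting equivocation: {cheating_fraction():.4f} <= {2 ** -N}")
```

Each unordered seed pair fixes the right-hand side G(S_2) - G(S_1), and each nonzero difference X_1 - X_2 then determines exactly one bad P, which is the per-triple probability 2^-4n in the lecture; the enumeration makes the 2^-n union bound visible rather than asserted.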

Cryptographic Reductions
Show how to use an adversary for breaking primitive 1 in order to break primitive 2
Important:
–Run time: how does T_1 relate to T_2?
–Probability of success: how does ε_1 relate to ε_2?
–Access to the system: 1 vs. 2

Secrecy
Suppose Adversary A controlling the Receiver can distinguish whether (Y,P) corresponds to X_0 or X_1:
ε = |Pr[A(Y,P) = ‘1’ | X_0] - Pr[A(Y,P) = ‘1’ | X_1]|
Probability is over the random choice of S and the random coins of A.

...Secrecy
Can use A to distinguish whether a given string Z is G_4n(S) or random
Given P, send the Receiver Y = X_1·P + Z
If Z is random so is Y!
Let
p_1 = Pr[A(Y,P) = ‘1’ | X_0]
p_2 = Pr[A(Y,P) = ‘1’ | X_1]
p_3 = Pr[A(Y,P) = ‘1’ | Z is random]

…Secrecy
By assumption |p_1 - p_2| ≥ ε
Either |p_1 - p_3| ≥ ε/2 or |p_2 - p_3| ≥ ε/2
In either case can construct a distinguisher for Z
–If |p_1 - p_3| ≥ ε/2 give the Receiver Y = X_0·P + Z
–If |p_2 - p_3| ≥ ε/2 give the Receiver Y = X_1·P + Z
–Provide as the answer A(Y,P)

(Figure: the distinguisher A’ wrapping A.) Given input Z, A’ wants to decide whether Z = G(S) or not: run A to get {X_0, X_1} and P; choose b ←_R {0,1} and compute Y = P·X_b + Z; hand Y to A and receive b’. If b’ = b output “pseudo-random”.

An existential clump
One-way functions ⇒ Pseudo-random generators ⇒ String commitment protocol
Also: String commitment ⇒ one-way function

Applications
–Coin flipping
–Auctions
–Zero knowledge

Coin Flipping
Two parties, A and B, want to agree on a random value ←_R {0,1}
Should be random even if one party cheats
Potential problem: one party knows the value before the other. Early stopping.

...Coin Flipping Specification
Result of the protocol could be {0, 1, ⊥}
For every PPTM adversary controlling A (B), ∀ b ∈ {0,1}:
Pr[result of protocol is b] ≤ 1/2 + ε, where ε is negligible in the security parameter

Coin Flipping Protocol
A selects r_A ←_R {0,1}; commits to r_A
B sends bit r_B ←_R {0,1}
Coin is r_A ⊕ r_B
If A doesn’t open - result is ⊥
If A’s opening is invalid - result is ⊥

Coin flipping security
∀ adversary controlling A, ∀ b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + 2^-n
For all PPTM adversaries controlling B, ∀ b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + ε
ε is the advantage of distinguishing a commitment to 0 from a commitment to 1 in the commitment protocol

Dealing with early stopping
Suppose ⊥ is not acceptable
To limit the influence of one party: gradual release of the result
–Commit to many bits
–Release them one by one
–Take the majority of the bits, substituting random values for the early-stopping values
However: for r rounds one party can influence the result by 1/√r
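The coin-flipping protocol, its three outcomes (0, 1 and ⊥ on early stopping or an invalid opening), and the gradual-release majority variant, as an added example that is not part of the lecture. The commitment is a stand-in (SHA-256 of the bit and a random nonce, an assumption made so the example runs offline, not the lecture's PRG-based construction); the party classes `HonestA`, `EarlyStoppingA` and `InvalidOpeningA` are names chosen here to model the behaviours the slides describe.

```python
import hashlib
import os
import random

BOTTOM = None   # the ⊥ outcome: A stopped early or opened invalidly


def commit_bit(bit, nonce):
    """Stand-in bit commitment (assumption of this example, not the lecture's
    construction): SHA-256(bit || 32-byte nonce). Hiding because the nonce is
    unpredictable, binding by collision resistance of SHA-256."""
    return hashlib.sha256(bytes([bit]) + nonce).digest()


class HonestA:
    """A picks r_A, commits to it, and always opens."""
    def commit(self):
        self.r_a, self.nonce = random.randrange(2), os.urandom(32)
        return commit_bit(self.r_a, self.nonce)

    def open(self, r_b):
        return self.r_a, self.nonce


class EarlyStoppingA(HonestA):
    """A learns r_B before opening and refuses to open unless the coin would be `want`."""
    def __init__(self, want):
        self.want = want

    def open(self, r_b):
        return (self.r_a, self.nonce) if self.r_a ^ r_b == self.want else None


class InvalidOpeningA(HonestA):
    """A tries to open the flipped bit with the original nonce; binding rejects it."""
    def open(self, r_b):
        return self.r_a ^ 1, self.nonce


def coin_flip(a):
    """One run of the lecture's protocol with party A played by `a`.
    Returns (result, r_b) where result is 0, 1 or BOTTOM."""
    c = a.commit()                       # A -> B: commitment to r_A
    r_b = random.randrange(2)            # B -> A: fresh random bit
    opening = a.open(r_b)                # A -> B: opening, or early stop
    if opening is None:
        return BOTTOM, r_b               # A doesn't open
    r_a, nonce = opening
    if r_a not in (0, 1) or commit_bit(r_a, nonce) != c:
        return BOTTOM, r_b               # invalid opening
    return r_a ^ r_b, r_b


def majority(bits):
    """Majority of a list of bits (ties, only possible for even length, go to 0)."""
    return 1 if 2 * sum(bits) > len(bits) else 0


def gradual_coin_flip(a, rounds):
    """Gradual release: `rounds` (odd) independent flips, result = majority.
    A round ending in ⊥, and every round after it, is replaced by a random value,
    so stopping early buys A only a bounded influence on the majority."""
    bits, stopped = [], False
    for _ in range(rounds):
        if not stopped:
            result, _ = coin_flip(a)
            stopped = result is BOTTOM
        bits.append(random.randrange(2) if stopped else result)
    return majority(bits)


if __name__ == "__main__":
    trials = 2000
    for rounds in (1, 9, 49):
        hits = sum(gradual_coin_flip(EarlyStoppingA(1), rounds) == 1 for _ in range(trials))
        print(f"r={rounds:2d}: Pr[result = 1] with an early-stopping A ~ {hits / trials:.3f}")
```

The `__main__` block estimates how often an early-stopping A who wants a 1 gets it as the number of rounds grows; this particular A stops at the first unfavourable round, while the 1/√r figure in the slide refers to the best strategy, which watches the running tally before deciding to stop.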

Definition: Computational Binding
For all PPTM adversaries A controlling the Sender, following the commit phase, with high probability over the random choices of the Receiver, the Sender cannot find two different and valid openings to X and X’
Possible advantage: perfect or statistical hiding

Proof systems
L = { (X, 1^k) : X is a true mathematical assertion with a proof of length k }
What is a “proof”?
Complexity-theoretic insight: meaningless unless it can be efficiently verified

Proof systems
For a language L, the goal is to prove x ∈ L
A proof system for L is defined by a verification algorithm V
–completeness: x ∈ L ⇒ ∃ proof such that V accepts (x, proof): true assertions have proofs
–soundness: x ∉ L ⇒ ∀ proof*, V rejects (x, proof*): false assertions have no proofs
–efficiency: ∀ x, proof, the machine running V(x, proof) is efficient: runs in polynomial time in |x|?

Classical Proofs
Recall: L ∈ NP iff it is expressible as L = { x | ∃ y, |y| < |x|^k, (x, y) ∈ R_L } with R_L ∈ P.
NP is the set of languages with classical proof systems (R_L is the verifier)
We wish to extend the notion.

Interactive Proofs
Two new ingredients:
–Randomness: the verifier tosses coins, and should err with some small probability
–Interaction: rather than simply “reading” the proof, the verifier interacts with the prover. Is the prover another TM?
The framework captures the classical NP proof systems:
–prover sends the proof
–verifier runs the algorithm for R
–no use of randomness

Interactive Proofs
An interactive proof system for L is an interactive protocol (P, V)
(Figure: Prover and Verifier share the common input x; the Verifier holds a random tape and outputs accept/reject.)
# of rounds and length of messages is poly(|x|)
New resources: # of rounds, length of messages
New issue: who knows the random tape

Interactive Proofs
Definition: an interactive proof system for L is an interactive protocol (P, V)
–completeness: x ∈ L: Pr[V accepts in an execution of (P, V)(x)] ≥ 2/3
–soundness: x ∉ L, ∀ P*: Pr[V accepts in an execution of (P*, V)(x)] ≤ 1/3
–efficiency: V is a PPT machine
Can we reduce the error to any ε?
Perfect completeness: V accepts with probability 1

Error Reduction
If we execute the protocol sequentially ℓ times, let I_j = 1 if the j-th run is correct and 0 otherwise
The I_j’s are not necessarily independent of each other but, since we can tolerate any prover*, Pr[I_j = 1 | any execution history] ≥ 2/3
If we compare to ℓ independent coins with probability 2/3 where we take the majority of the answers: for any prover* the interactive proof stochastically dominates
Can argue the same for ℓ parallel executions; the number of rounds is preserved

Interactive Proofs
IP = {L : L has an interactive proof system}
–Captures more broadly what it means to be convinced a statement is true; but no certificate to store for future generations!
–Clearly NP ⊆ IP. Potentially larger. How much larger?
–IP with perfect soundness and completeness is NP. To go beyond NP randomness is essential; perfect soundness in itself implies NP power
–IP = PSPACE

Interactive Proof Systems relevant to crypto
Let L ⊆ {0,1}* be a language
The Prover P wants to convince the other party, the Verifier V, that X ∈ L
In our case both parties are PPTM;
–they exchange messages and flip coins
Prover P may have some extra information W
At the end of the protocol the Verifier V’s state ∈ {accept, reject}
For a given W the interaction between V and P induces a distribution on the transcripts
(Figure: Prover P and Verifier V exchanging messages.)

Witness Protection Programs
A witness indistinguishable proof system for X ∈ L (Prover P ↔ Verifier V)
Completeness: if prover P has witness W it can construct an effective proof that makes verifier V accept.
Soundness: if X ∉ L no prover P* can succeed with high probability in making verifier V accept.
Witness Indistinguishability: for every V* and any witnesses W_1 and W_2 the distributions on transcripts are computationally indistinguishable.
–No polynomial time test can distinguish the two

Example: Hamiltonicity
Common input: graph G=(V,E)
L is the language of graphs with Hamiltonian cycles: G=(V,E) ∈ L if and only if there is a cycle C=(i_1, i_2, …, i_n) covering all nodes of V once, with (i_j, i_{j+1}) ∈ E

Example: Hamiltonicity
Common input: graph G=(V,E)
L is the language of graphs with Hamiltonian cycles
Witness W – a Hamiltonian cycle C=(i_1, i_2, …, i_n)
Protocol:
–Prover P selects a random permutation π of the nodes and commits to the adjacency matrix of π(G)=(π(V), π(E)), to each entry separately
–Verifier V selects and sends a bit r ←_R {0,1}
–Prover P: if r=0 then P opens all the commitments and sends π; if r=1 then P opens only the commitments corresponding to the C entries (π(i_j), π(i_{j+1}))
–Verifier V accepts if: r=0 and the committed graph is isomorphic to G; r=1 and all opened slots are ’1’

Analysis of Protocol
Completeness: perfect √
Soundness: if there is no cycle in G=(V,E), then
–from the binding property of the commitment scheme, following the commitment there is a unique graph G’; either P*
–commits to a graph G’ non-isomorphic to G: Verifier V rejects if r=0
–commits to a graph G’ isomorphic to G: Verifier V rejects if r=1
The probability that V accepts is bounded by ½
Can reduce the error by repetition
–Sequential
–Parallel

Obtaining Witness Indistinguishability
Key property: the distribution of the values opened in Step 3 is an efficiently computable function of
–the graph and
–the challenge the verifier V sent in Step 2
For example: it could be a random permutation of 1..n

Witness Indistinguishability
Let G=(V,E) have two Hamiltonian cycles C_1 and C_2
If there is a verifier V* that can distinguish between the case where C_1 is used and the case where C_2 is used,
–then V* can be used to distinguish between commitments to π_1(G) and to π_2(G) for some permutations π_1 and π_2
Witness indistinguishability is preserved under parallel execution
–Hybrid argument
But what if there is a unique witness?

Zero Knowledge
Each (cheating) verifier V* induces a distribution on transcripts of its interaction with P
Zero-Knowledge Requirement: for all verifiers V* there exists a simulator S such that:
–simulator S is a pptm (does not get the witness W)
–for all X ∈ L the distributions on transcripts that V* induces and that S produces are computationally indistinguishable.
The role of the simulator is similar to the alternative adversary in semantic security

Simulation
Zero-Knowledge: Simulator S plays P’s role in the interaction with V*
Guess r’ ←_R {0,1}
–If r’=0: select a random permutation π of the nodes; commit to the adjacency matrix of π(G)=(π(V), π(E))
–If r’=1: select a random cycle C; commit to the adjacency matrix of C (the rest of the edge slots are 0)
Receive r ∈ {0,1} from V*
–If r’=r proceed as planned
–Otherwise rewind V* and start from scratch
Claim: the Simulator stops in an expected constant number of trials
Proof: if not, V* can be used to distinguish between a commitment to G and a commitment to C
Claim: the distributions of (S, V*) and (P, V*) are indistinguishable
Proof: if not, one can distinguish between a commitment to G and a commitment to C
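The Hamiltonicity protocol (commit to π(G) entry by entry, answer the challenge bit, verifier's two checks) together with the rewinding simulator from the slide above, as an added example that is not part of the lecture. Per-entry commitments are a stand-in (SHA-256 of the bit and a random nonce, assumed here so the code runs offline, not the lecture's PRG-based scheme); the names `Prover`, `verify`, `simulate` and the 4-node sample graph are choices made for this example. The verifier treats a cheating verifier V* as any function from the commitments to a challenge bit, which is what lets `simulate` rewind it.

```python
import hashlib
import os
import random


def commit_bit(bit, nonce):
    """Stand-in bit commitment (assumption of this example): SHA-256(bit || nonce)."""
    return hashlib.sha256(bytes([bit]) + nonce).digest()


def permute_graph(adj, perm):
    """Adjacency matrix of pi(G): entry (i, j) of G lands at (pi(i), pi(j))."""
    n = len(adj)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            out[perm[i]][perm[j]] = adj[i][j]
    return out


def cycle_edges(cycle):
    """Edges (i_j, i_{j+1}) of a cycle given as a node sequence, wrapping around."""
    return [(cycle[k], cycle[(k + 1) % len(cycle)]) for k in range(len(cycle))]


def commit_matrix(h):
    """Commit to every entry of h separately; returns (commitments, nonces)."""
    n = len(h)
    nonces = [[os.urandom(16) for _ in range(n)] for _ in range(n)]
    comms = [[commit_bit(h[i][j], nonces[i][j]) for j in range(n)] for i in range(n)]
    return comms, nonces


class Prover:
    """Honest prover holding the witness W: a Hamiltonian cycle of G."""
    def __init__(self, adj, cycle):
        self.adj, self.cycle = adj, cycle

    def step1(self):
        n = len(self.adj)
        self.perm = list(range(n))
        random.shuffle(self.perm)                       # fresh random pi
        self.h = permute_graph(self.adj, self.perm)     # adjacency matrix of pi(G)
        comms, self.nonces = commit_matrix(self.h)
        return comms

    def step3(self, r):
        n = len(self.adj)
        if r == 0:      # open every slot and send pi
            slots, perm = [(i, j) for i in range(n) for j in range(n)], self.perm
        else:           # open only the slots (pi(i_j), pi(i_{j+1})) of the cycle
            slots, perm = [(self.perm[i], self.perm[j]) for i, j in cycle_edges(self.cycle)], None
        return perm, {(i, j): (self.h[i][j], self.nonces[i][j]) for i, j in slots}


def verify(adj, comms, r, perm, openings):
    """Verifier's decision for challenge r; True iff V accepts."""
    n = len(adj)
    if any(not (0 <= i < n and 0 <= j < n) for i, j in openings):
        return False
    if any(commit_bit(b, nonce) != comms[i][j] for (i, j), (b, nonce) in openings.items()):
        return False                                    # an opening does not match
    if r == 0:                                          # committed graph must be pi(G)
        if perm is None or sorted(perm) != list(range(n)) or len(openings) != n * n:
            return False
        expected = permute_graph(adj, perm)
        return all(openings[(i, j)][0] == expected[i][j] for i in range(n) for j in range(n))
    # r == 1: exactly n opened slots, all '1', forming one cycle through every node
    if len(openings) != n or any(b != 1 for b, _ in openings.values()):
        return False
    nxt = dict(openings.keys())                         # node -> successor
    if len(nxt) != n:
        return False
    node, visited = 0, set()
    for _ in range(n):
        visited.add(node)
        node = nxt[node]
    return node == 0 and len(visited) == n


def run_protocol(prover, r):
    comms = prover.step1()
    perm, openings = prover.step3(r)
    return verify(prover.adj, comms, r, perm, openings)


def simulate(adj, v_star, max_tries=200):
    """Simulator S (no witness): guess r', commit so that only r' can be answered,
    run V*, rewind on a wrong guess. Returns (transcript, number of tries)."""
    n = len(adj)
    for tries in range(1, max_tries + 1):
        r_guess = random.randrange(2)
        if r_guess == 0:                                # commit to pi(G), random pi
            perm = list(range(n))
            random.shuffle(perm)
            h = permute_graph(adj, perm)
        else:                                           # commit to a random cycle, rest 0
            perm, cyc = None, list(range(n))
            random.shuffle(cyc)
            h = [[0] * n for _ in range(n)]
            for i, j in cycle_edges(cyc):
                h[i][j] = 1
        comms, nonces = commit_matrix(h)
        r = v_star(comms)                               # V*'s challenge, may depend on comms
        if r != r_guess:
            continue                                    # rewind V* and start from scratch
        slots = [(i, j) for i in range(n) for j in range(n)] if r == 0 else cycle_edges(cyc)
        return (comms, r, perm, {(i, j): (h[i][j], nonces[i][j]) for i, j in slots}), tries
    raise RuntimeError("V* never matched the guess")


# Constructed sample input: the 4-cycle 0-1-2-3-0, whose witness is the cycle itself.
SAMPLE_ADJ = [[0, 1, 0, 1], [1, 0, 1, 0], [0, 1, 0, 1], [1, 0, 1, 0]]
SAMPLE_CYCLE = [0, 1, 2, 3]

if __name__ == "__main__":
    print("honest, r=0:", run_protocol(Prover(SAMPLE_ADJ, SAMPLE_CYCLE), 0))
    print("honest, r=1:", run_protocol(Prover(SAMPLE_ADJ, SAMPLE_CYCLE), 1))
    transcript, tries = simulate(SAMPLE_ADJ, lambda comms: comms[0][0][0] & 1)
    print("simulated transcript accepted:", verify(SAMPLE_ADJ, *transcript), "after", tries, "tries")
```

The lambda passed to `simulate` is a V* whose challenge depends on the first commitment byte; because the stand-in commitment hides the committed bit, the guess r' still matches with probability about 1/2 per attempt, which is the expected-constant-trials claim of the slide.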

Theorem: if one-way functions exist, then for any language L in NP there exists a Zero-Knowledge Proof System for L.
Via reduction to Hamiltonicity; witnesses are mapped to witnesses

Motivation for Zero-knowledge
Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious
Need a further property: proof of knowledge
–Possible to extract the witness from a successful prover

Question: zero-knowledge protocol for subset sum
Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
Subset sum problem: given
–n numbers 0 ≤ a_1, a_2, …, a_n < 2^m
–Target sum T
–Is there a subset S ⊆ {1,...,n} such that ∑_{i∈S} a_i = T mod 2^m?

What happens if…
There is extra information about X:
–Both A and A’ get h(X) for some polynomial-time computable function h
–h might not be invertible
Relation R is not polynomial time
Try to encrypt information about the secret key

Further Issues
What about errors in decryption?
Is this the ultimate definition?
–Does it capture all the ways in which encryption is used?

Example: Interactive Authentication
P wants to convince V that he is approving message m
P has a public key K_P of an encryption scheme E (and the matching secret key K_S).
To authenticate a message m:
V → P: choose r ←_R {0,1}^n. Send c = E(m∘r, K_P)
P → V: on receiving c, decrypt c using K_S; verify that the prefix of the plaintext is m. If yes - send r.
V is satisfied if he receives the same r he chose

Is it Safe?
Definition of security: existential unforgeability against adaptive chosen message attack
–Adversary can ask to authenticate any sequence of messages m_1, m_2, …
–Has to succeed in making V accept a message m that was not authenticated
–Has complete control over the channels
Intuition of security: if E does not leak information about the plaintext
–Nothing is leaked about r
Several problems: if E is “just” semantically secure against chosen plaintext attacks:
–Adversary might change c = E(m∘r, K_P) into c’ = E(m’∘r, K_P): malleability
–Not sufficient to verify the correct form of the ciphertext in the simulation
Closer to a chosen ciphertext attack

Sources Goldreich’s Foundations of Cryptography, volume 1