TOWARDS PRACTICAL (GENERIC) ZERO-KNOWLEDGE Claudio Orlandi – Aarhus University

In this talk: 3 simple ideas from  Jawurek, Kerschbaum, Orlandi  Zero-Knowledge from Garbled Circuits, CCS 2013  Frederiksen, Nielsen, Orlandi  Privacy-Free Garbled Circuits, EUROCRYPT 2015  Chuo, Orlandi  The Simplest OT Protocol, ePrint (next week?)

Jawurek, Ferschbaum, Orlandi CCS 2013 Zero-Knowledge from Garbled Circuits

Zero-Knowledge Protocols  IP/ZK – GMR85  Revolutionary idea in cryptography and CS  Soundness:  even a corrupted P cannot prove false statements  Zero-Knowledge:  even a corrupted V only learns that the statement is true (and not why)  Important in practice  Authentication  Essential component in complex protocols  What about efficiency?

Zero-Knowledge Protocols  Many examples of efficient ZK for algebraic languages  Discret Logarithm  RSA  Lattice ...  What about non-algebraic statements?  How do I prove ”I know x s.t. y=SHA(x)”?  This work tries to fill this gap!

Related Work  IKOS’07  ZK from (honest majority) MPC  First step towards the ”MPC in the head” approach  Efficient NIZK/SNARK (GOS06,GGPPR13,…)  Non-interactive  Require heavy public key operations per gate 

Zero-Knowledge vs Secure 2PC A B f,xf,y f(x,y) P V x,w R(x,w) = true x

Garbled Circuits Ev De Gb En f x [F] e d [X] [Z] z Correct if z=f(x) Values in a box are “garbled”

OT [F y ] x e [X] [Z][Z] ([F y ],e,d)  Gb( f(·,y) ) z  De([Z],d) [Z]  Ev([F y ],[X]) 2PC from GC (Yao’s protocol) Alice Bob Soundness: If A is corrupted and [Z*]  A([F],[X]), then De([Z*],d) is either f(x) or “  ” B could garble a “malicious” function g≠f e.g. g(x)= lsb(x)

2PC secure against active adversaries? How can Bob prove that he garbled f without revealing any extra information?  Plenty of (costly) solutions are known for 2PC  Zero-Knowledge  Cut-and-choose  Etc.  Can we do better for ZK?

ZK based on GC  The main idea:  In ZK the verifier (Bob) has no secrets!  After the protocol, Bob can reveal all his randomness.  Alice can simply check that Bob behaved honestly by redoing his entire computation.

OT [F] we [W] Com([Z]) ([F],e,d)  Gb( f,r ) z  De([Z],d) [Z]  Ev([F],[W]) Prover Verifier If [F]=Gb(f,r) (and check OTs) [Z] Prover work ~ 2x passive Yao (else abort) reveal r, e Verifier work ~ Passive Yao Communication ~ Passive Yao

CCS Implementations  Code not open-source, but easily reproducible  FastGC garbled circuits implementation  Smart-Tillich optimized circuits: AES, MD5, SHA…  GCParser to combine the two above  SCAPI for implementing OT (using elliptic curves)

Runtime (rough estimates)  Proof of “c=AES(k,m)” for secret k and public (c,m)  AES: 35k gates (7k ANDs/28k XORs)  Communication: 204kB (98% GC)  Runtime:  OT: 29.4ms (Using Chou-Orlandi OT) (|w|=128)  Garbling: 721µs (Using JustGarble GaXR)  Eval: 273 µs  Total (Garble+OT+Eval+Garble) ~ 31.2ms (+network)

Frederiksen, Nielsen, Orlandi EUROCRYPT 2015 Privacy-Free Garbled Circuits

Garbled Circuits Ev De Gb En f x [F] e d [X] [Z] z Correct if z=f(x)

Main idea  In 2PC GC ensure that evaluator does not learn internal values  In Yao garbled circuits evaluation must be oblivious  But in ZK the prover knows all the input bits!  He also knows all internal wires values  Can we optimize?  Yes!

Garbling Schemes without Privacy  Conceptual contribution:  Natural separation between privacy and authenticity  Concrete efficiency:  Better constants in garbled circuit Can we construct garbling schemes tailored to specific applications, which are more efficient than Yao’s original construction?

Garbling a Circuit ([F],e,d)  Gb(f) K 1 0,K 1 1  Choose 2 random keys K i 0,K i 1 for each input wire  For each gate compute  (Z 0,Z 1,gg)  Gb(L 0,L 1,R 0,R 1 )  Output  e=(K i 0,K i 1 ) for all input wires  d=(Z 0,Z 1 )  [F]=(gg i ) for all gates i K 2 0,K 2 1 Z 0,Z 1 K i 0,K i 1

Evaluating a GC [Z]  Ev([F],[X]) K1aK1a  Parse [X] as (K 1 x1,K 2 x2,…) for all input wires  Parse [F] as (gg 1,gg 2, …) for all gates  For each gate compute  Z g(a,b)  Ev(L a,R b,gg)  Output  [Z]=Z’ K2bK2b Z’ KicKic

Garbling a Gate AND/XOR L 0,L 1 R 0,R 1 Z 0,Z 1  A (privacy-free) garbled gate is a gadget that given two inputs keys gives you the right output key (and nothing else)  (Z 0,Z 1,gg)  Gb(L 0,L 1,R 0,R 1 )  Z g(a,b)  Ev(L a,R b,gg)  //and not Z 1-g(a,b)

Garbling w/o free-XOR (GRR1) Gb_AND(L 0,L 1,R 0,R 1 )  Output keys:  Z 1 = H(L 1,R 1 )  Z 0 = H(L 0 )  Send:  C = Z 0 ⊕ H(R 0 ) Ev_AND(L x, R y, C)  If(x = y = 1) output Z 1 = H(L x, R y )  If(x = 0) output Z 0 = H(L x )  If(y = 0) output Z 0 = C ⊕ H(R y )

Garbling w/o free-XOR (GRR1) Gb_XOR(L 0,L 1,R 0,R 1 )  Output keys:  Z 0 = L 0 ⊕ R 0  Z 1 = L 0 ⊕ R 1  Send:  C = L 0 ⊕ R 0 ⊕ L 1 ⊕ R 1 Ev_XOR(L a, R b, C)  If(a = 0) output Z (a ⊕ b) = L a ⊕ R b  If(a = 1) output Z (a ⊕ b) = C ⊕ L a ⊕ R b

Conclusions & Open Problems  Still a lot to be done with garbling schemes!  Other specific purpose garbling schemes?  Non-interactive ZK (w/o PKE/gate)?

Chou, Orlandi coming soon on ePrint The Simplest Oblivious Transfer Protocol

Diffie Hellman Key Exchange X = g x K = H(Y x ) m Y = g y C = E(K,m) K = H(X y ) m = D(K,C) There is another key K’ = H( (X/Y) x ) which Bob cannot compute!

X = g x The Simplest OT protocol K 0 = H(Y x ) K 1 = H((X/Y) x ) m 0,m 1 C 0 = E(K 0,m 0 ) C 1 = E(K 1,m 1 ) b=0 : Y = g y b=1 : Y = X/g y b Y K b = H(X y ) m b = D(K b,C b ) E(( α, β ), m) = ( α + m, ( α + m) β )

The Simplest OT Protocol  Complexity:  Communication: 1ge/OT + 2 ctxt/OT + 1ge  Computation: 3 exp/OT + 3 H/OT + 2 exp  Security:  UC vs. active adversary with programmable RO  Performances: ~5000 OT/s  Implementation based on Bernstein’s Curve25519