Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.

Presentation transcript:

Introduction to Modern Cryptography, Sharif University, Spring 2015
Data and Network Security Lab, Sharif University of Technology, Department of Computer Engineering
ZK & ROM
Author & Instructor: Mohammad Sadeq Dousti
1 / 28

Introduction to Modern Cryptography Sharif University Spring 2015  These set of slides are licensed under Creative Commons Attribution-NonCommercial- ShareAlike (CC BY-NC-SA) 4.0.  Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as: 1. They credit the original author(s); 2. Their work is used non-commercially; 3. They license their work under CC BY-NC-SA 4.0.  For further information, please consult: o o sa/4.0/legalcode sa/4.0/legalcode Copyright Notice 2 / 28

Introduction to Modern Cryptography Sharif University Spring 2015  Some ZK Proofs o Proofs for GNI o Witness Independence o Witness Hiding o Proofs of Knowledge o Secure Identification  Random Oracle Model o Definition o Construction of Signature from Identification o Construction of Encryption from TDP Outline 3 / 28

Some ZK Proofs

Current state of complexity classes (figure): Graph Isomorphism (GI) and Graph Non-Isomorphism (GNI)

Graph Non-Isomorphism (GNI)

Introduction to Modern Cryptography Sharif University Spring 2015  Common Input: x = (G 0, G 1 ). o Let Vert = {1,…,n} be the set of vertices of G 0 and G 1.  Verifier (V): Pick a random bit b and a random permutation  over Vert. Send H =  (G b ) to P.  Prover (P): Send c to V, such that H ≅ G c.  Verification: c = b?  The above interactive protocol is an IPS: o Perfect completeness o Soundness error = ½. IPS #1 for GNI 7 / 28

Introduction to Modern Cryptography Sharif University Spring 2015  If V acts honestly (picks b and  randomly), the following algorithm is a simulator for IPS #1: S(x): 1. Pick a random tape r for V. 2. Use r to pick b and  randomly. 3. Compute H =  (G b ). 4. Output (x, r, H, b).  Such proofs are called HVZK (Honest-Verifier ZK). IPS #1 is ZK for honest verifiers Assignment: Prove that the output of S is identically distributed with the view of (honest) V when x  GNI. 8 / 28

Introduction to Modern Cryptography Sharif University Spring 2015  What if V* acts maliciously?  For instance, V* can select an arbitrary graph H whose vertices is Vert.  Two possible cases: 1. H is isomorphic neither with G 0 nor with G H is isomorphic either with G 0 or with G 1.  In case 1, P aborts the protocol. o V* obtains knowledge: “H ≇ G 0 ⋀ H ≇ G 1 ”.  In case 2, P sends a bit c. o V* obtains knowledge: “H ≅ G c ”. IPS #1 is not ZK in general Assignment: Explain why there exists no simulator for IPS #1 with the general verifier. 9 / 28

Introduction to Modern Cryptography Sharif University Spring 2015  The verifier should prove that she acted honestly.  The verifier’s proof should satisfy two properties: 1. Show that the verifier “knows” whether H is isomorphic to G 0 or G Does not reveal which of G 0 or G 1 is isomorphic to H.  PROPERTY 1: The proof must be a proof of knowledge (PoK).  PROPERTY 2: The proof must be a witness independent (WI) proof. o The distribution of the proof is identical regardless of whether the witness is G 0 or G 1. o Any (perfect) ZK proof is WI, too. How to make IPS #1 zero knowledge? 10 / 28

IPS #2: A ZK IPS for GNI (protocol diagram)
Common input: x = (G_0, G_1)
V → P: H
Sub-proof: WI-PoK for (H ≅ G_0 ⋁ H ≅ G_1)
P → V: c

Introduction to Modern Cryptography Sharif University Spring 2015  Up until now, we saw proofs of language membership. o The prover proves that the common input has a special property, making it eligible to belong to some language L. o Examples:  Input is a Blum integer.  Input is a pair of isomorphic graphs. ……  We can conceive of proofs of knowledge too, where an machine proves that it “knows” something. o Example: Machine M knows the factorization of N. o What does it mean for an machine to know something? What is a proof of knowledge (PoK)? 12 / 28

Introduction to Modern Cryptography Sharif University Spring 2015  1 st attempt: Machine M knows s if it can output s. o Problem: The program of M is fixed. o M can know s during its internal computations. o The program of M may never be meant to output s.  Example: In the ZK proof for GI, the prover knows an isomorphism f between G 0 and G 1. o However, P never outputs f. Formalizing the knowledge of a machine 13 / 28

Introduction to Modern Cryptography Sharif University Spring 2015  2 nd attempt: Machine M knows s if there exists a PPT machine K such that K M outputs s. o K has black-box access to M. o M is stateful. o K can set input/random tapes of M. o K can reset M to its initial state, or rewind it to an earlier stage. o K is called the “knowledge extractor”.  The above definition is very informal! o Specially, the existential quantifier is misplaced! o The formal definition can be found in [BG93]. o We try to exemplify the concept. Formalizing the knowledge of a machine (Cont’d) 14 / 28

Knowledge extractor for the ZK proof of GI
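The extractor slide survives only as its title, so here is an added Python sketch (not from the slides) of K^M for the three-move GI protocol of [GMW91], which is assumed: P sends H = σ(G_1), V sends a bit b, and P reveals τ with τ(G_b) = H. K uses exactly the powers listed on the previous slide: it fixes M's random tape and rewinds M to the point after move 1, so both challenges are answered for the same H; the graphs and tapes are constructed.

```python
import random

def permute(graph, pi):
    """Apply the vertex permutation pi (a dict) to every edge {u, v} of graph."""
    return frozenset(frozenset({pi[u], pi[v]}) for e in graph for u, v in [tuple(e)])

def compose(outer, inner):
    """(outer ∘ inner)(v) = outer[inner[v]]."""
    return {v: outer[inner[v]] for v in inner}

def inverse(pi):
    return {w: v for v, w in pi.items()}

class GIProver:
    """Prover of the 3-move GI protocol of [GMW91] (assumed here): holds f with f(G_0) = G_1.
    Its program never outputs f, which is the slide's objection to the 1st attempt."""
    def __init__(self, g0, g1, f, n):
        self.g0, self.g1, self.f, self.n = g0, g1, f, n

    def commit(self, random_tape):
        """Move 1: H = sigma(G_1) for a permutation sigma read off the given random tape."""
        image = list(range(self.n))
        random.Random(random_tape).shuffle(image)
        self.sigma = dict(zip(range(self.n), image))
        return permute(self.g1, self.sigma)

    def respond(self, b):
        """Move 3: reveal tau with tau(G_b) = H, i.e. sigma for b = 1 and sigma∘f for b = 0."""
        return self.sigma if b == 1 else compose(self.sigma, self.f)

def check(g0, g1, H, b, tau):
    """Verifier's test after move 3."""
    return permute(g1 if b else g0, tau) == H

def extractor(prover, g0, g1, random_tape=4242):
    """K^M: fix M's random tape, run move 1, ask b = 1, rewind to after move 1 (same tape,
    hence the same H), ask b = 0, and compose the two answers into an isomorphism G_0 -> G_1."""
    H = prover.commit(random_tape)
    tau1 = prover.respond(1)          # tau1(G_1) = H
    prover.commit(random_tape)        # rewind: identical coins reproduce H
    tau0 = prover.respond(0)          # tau0(G_0) = H
    if not (check(g0, g1, H, 1, tau1) and check(g0, g1, H, 0, tau0)):
        return None                   # M failed one challenge: nothing to extract
    return compose(inverse(tau1), tau0)   # tau1^{-1} ∘ tau0 maps G_0 -> H -> G_1
```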

WI-PoK for (H ≅ G_0 ⋁ H ≅ G_1)
Prover’s Verification:
  d = 0: for some i ∈ {0,1}, J_0 = π_0(G_i) and J_1 = π_1(G_{1−i})
  d = 1: for some i ∈ {0,1}, J_i = π(H)
Assignment:
1. Show that this is an IPS for GI with soundness error ½.
2. Present the knowledge extractor for PoK.
3. Show that the protocol is PZK for GI.
4. Show that the protocol is WI for GI.

Parallel repetition
ZK property is not preserved under parallel repetitions. In particular, this protocol is not ZK.

ZK Identification

ZK PoK for knowing a square root of I modulo N

Parallel repetition for t times
This protocol is called the Fiat–Shamir or Feige–Fiat–Shamir (FFS) protocol. FFS also present a much more efficient version of this protocol.

Random Oracles and Their Application

What are random oracles?

Application #1: From ID to Signature
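The square-root PoK, its t-fold parallel repetition and the ID-to-signature slide are figures in the original, so this added Python example (not from the slides) assumes the single-secret FFS protocol of [FFS88] and the random-oracle construction of a signature from it: the prover's secret s is a square root of the public I modulo N, t rounds run in parallel, and for signing the verifier's challenge bits are replaced by a hash of the commitments and the message (SHA-256 stands in for the oracle). The modulus, secret and message are constructed toy values.

```python
import hashlib
import random

# Constructed toy instance: N = p*q with tiny primes (illustration only; a real N is ~2048 bits).
N = 1009 * 1013
S = 424242 % N                    # prover's secret: a square root of I modulo N
I = pow(S, 2, N)                  # public value

def commit(rng):
    """Round 1: pick r, send x = r^2 mod N (r is kept for round 3)."""
    r = rng.randrange(1, N)
    return r, pow(r, 2, N)

def respond(r, s, e):
    """Round 3: y = r * s^e mod N for the challenge bit e."""
    return r * pow(s, e, N) % N

def verify_round(x, e, y):
    """Verifier's check: y^2 == x * I^e (mod N)."""
    return pow(y, 2, N) == x * pow(I, e, N) % N

def identify(t, seed, s=S):
    """t rounds in parallel (FFS): a prover without a root of I passes with probability 2^-t."""
    rng = random.Random(seed)
    coins = [commit(rng) for _ in range(t)]
    es = [rng.randrange(2) for _ in range(t)]
    ys = [respond(r, s, e) for (r, _), e in zip(coins, es)]
    return all(verify_round(x, e, y) for (_, x), e, y in zip(coins, es, ys))

def extract(x, y0, y1):
    """Knowledge extractor: accepting answers to e=0 and e=1 for the same x give s = y1/y0."""
    return y1 * pow(y0, -1, N) % N      # (y1/y0)^2 = (x*I)/x = I

def challenge_bits(xs, msg, t):
    """Random oracle (instantiated by SHA-256): the verifier's coins become H(x_1..x_t, msg)."""
    h = hashlib.sha256(("|".join(map(str, xs)) + "|" + msg).encode()).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(t)]

def sign(msg, t, seed, s=S):
    """Application #1: run the identification with the oracle's bits as the challenges."""
    rng = random.Random(seed)
    coins = [commit(rng) for _ in range(t)]
    es = challenge_bits([x for _, x in coins], msg, t)
    return [x for _, x in coins], [respond(r, s, e) for (r, _), e in zip(coins, es)]

def verify_signature(msg, sig, t):
    xs, ys = sig
    es = challenge_bits(xs, msg, t)
    return len(xs) == len(ys) == t and all(verify_round(x, e, y) for x, e, y in zip(xs, es, ys))
```

Changing a single bit of the message changes the oracle's output, so on average half of the t rounds are asked the other challenge and the reused responses no longer verify.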

Application #2: From TDP to Encryption
Assignment: Prove that this construction is an IND-CPA secure encryption. To this end, present a reduction from an adversary who breaks IND-CPA security to an adversary who inverts the family of TDP. Hint: See THEOREM 13.2 of [KL08, p. 470].

Application #2: From TDP to Encryption (Cont’d)
Assignment: Prove that this construction is an IND-CCA secure encryption. To this end, present a reduction from an adversary who breaks IND-CCA security to an adversary who inverts the family of TDP or breaks the private-key encryption. Hint: See THEOREM 13.6 of [KL08, p. 474].

OAEP

OAEP (Cont’d) [Wikipedia, User Ozga]

Introduction to Modern Cryptography Sharif University Spring 2015  [BG93] M. Bellare and O. Goldreich. On Defining Proofs of Knowledge, CRYPTO ’92,  [GMW91] O. Goldreich, S. Micali, A. Wigderson. Proofs that Yield Nothing but Their Validity or All Languages in NP Have Zero- Knowledge Proof Systems, JACM,  [FFS88] U. Feige, A. Fiat and A. Shamir. Zero-Knowledge Proofs of Identity, J. Cryptology,  [FOPS01] E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA–OAEP is Secure under the RSA Assumption. CRYPTO ’01,  [FS90] U. Feige and A. Shamir. Witness Indistinguishable and Witness Hiding Protocols. STOC ‘90,  [KL08] J. Katz and Y. Lindell. Introduction to Modern Cryptography: Principles and Protocols, CRC Press, References 28 / 28