1 Concurrency and Zero-Knowledge Protocols Amit Sahai MIT Laboratory for Computer Science.

Presentation transcript:

1 Concurrency and Zero-Knowledge Protocols Amit Sahai MIT Laboratory for Computer Science

2 Zero-knowledge Proofs [GMR85] One party (“the prover”) convinces another party (“the verifier”) that some assertion is true. The verifier learns nothing except that assertion is true!

3 Zero-knowledge Proofs (cont.) Vast applicability throughout Cryptography: Identification / Authentication Protocols: [GMR, FS, …] Prove knowledge without revealing it. “Next Generation” Protocols: [GMW] Key Escrow [M, MS, VvT, …] Electronic Elections [C, CF, C, OO, … ] Anonymous Credentials [C, CvH, LRSW, …] Dealerless Poker [GMW, BCR, C, …]

4 Assumptions Almost all previous research assumes: Sequential communication. At most 2 parties communicating at any given time. Mutually aware, cooperating parties. [Diagram: Prover, Verifier]

5 The Internet Ebay Yahoo

6 The Internet Concurrent, interleaved communication Mutually unaware parties, acting locally Ebay Yahoo

7 Challenge: Global Coordinated Attack Yahoo

8 Global Coordinated Attack Yahoo

9 Our Context: Zero Knowledge Prover Honest Verifier Corrupted Verifiers trying to extract Prover’s secrets.

10 The Goal Extend theory of Zero-Knowledge Protocols to provide security in Internet setting. [Dwork, Naor, Sahai -- STOC ‘98] [Dwork, Sahai -- Crypto ‘98] + Ongoing work

11 Outline 1. Zero Knowledge: Definitions and example 2. What goes wrong 3. How to fix it

12 Interactive Proof System [Diagram: Prover and Verifier exchange messages v1, p1, v2, …, pk; Verifier outputs accept/reject.] Interactive protocol where Prover tries to convince probabilistic Verifier that assertion x is true. When x is true, Verifier always accepts. When x is false, Verifier accepts only with negligible prob. no matter what strategy Prover uses.

13 (Ordinary) Zero-Knowledge [GMR] [Diagram: messages v1, p1, v2, …, pk, then accept/reject.] When assertion is true, can simulate interaction with any Verifier, w/o access to Prover. Formally, for every verifier, there is probabilistic efficient simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Verifier’s actual view of interaction with Prover.

14 Zero Knowledge [GMR] [Diagram: two message transcripts (v1, p1, v2, …, pk, accept/reject) and a “?”]

15 Concurrent Zero Knowledge [Diagram: verifiers V_1, V_2, …, V_n] When assertion is true, can simulate interaction with any Adversary, w/o access to Prover. Formally, for every Adversary, there is a probabilistic efficient simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Adversary’s actual view of interaction with Prover.

16 Deniable Message Authentication Monica Linda Bill

17 Example: Zero-Knowledge Proofs for NP

18 Cryptographic Commitment Public Key Encryption Scheme (PK,SK). Assume E_PK is always one-to-one. To commit to a string x, I send y = E_PK(x; r). To open the commitment, I reveal (x, r). Commitment is secret. Because E_PK is 1:1, can’t change my mind about x.

19 The Power of NP NP is very useful cryptographically, e.g.: Say y = E_PK(x; r) and y’ = E_PK’(x’; r’). “y and y’ are encryptions of same message” is in NP! Say f is efficiently computable. “y’ is the encryption of f applied to the decryption of y” ∈ NP. If we could prove NP statements in ZK,...

20 NP-Completeness Amazing thing about NP: There are languages complete for NP! e.g. Graph 3-Colorability

21 NP-Completeness (cont.) y = E_PK(x; r) and y’ = E_PK’(x; r’) “y and y’ are encryptions of same message” reduction

22 ZK Proof for Graph 3-Colorability Input: Graph G = (V = {1, …, n}, E). Prover Knows: 3-coloring c: V → {R,B,G}. First, Prover picks random permutation π: {R,B,G} → {R,B,G}, and applies to c :

23 ZK Proof (cont.) Prover → Verifier: Commit(π(c(1))), …, Commit(π(c(n))). Verifier → Prover: e = (i,j) ∈_R E. Prover → Verifier: Reveal π(c(i)) and π(c(j)). Verifier accepts if π(c(i)) ≠ π(c(j)).

24 ZK Proof (cont.)

25 Related Work Large body of work on Concurrent Security: Focus: Integrity/Consistency of System State Locking and preventing Deadlock, Starvation Preventing inconsistent data reads Synchronizing databases Our Focus: Completely Different Not state, but preventing information leakage from protocol abuse.

26 Problem: Coordinated Attacks Yahoo

27 Problem: Coordinated Attacks Yahoo

28 Problem: Coordinated Attacks Ebay Yahoo

29 Problem: Coordinated Attacks Yahoo

30 The Internet Ebay Yahoo

31 Modern Cryptography: Zero-Knowledge Proofs Amit Sahai MIT

32 Cryptography Encryption, Digital Signatures, etc. Protocols! Identification, Authentication... Electronic Elections Pseudonym Systems... Today’s focus: Zero-Knowledge Proofs!

33 Proofs What is a proof? Lemma 1: blah blah blah. Proof: blah blah blah Lemma 2: blah blah. Proof: blah blah blah blah blah blah blah blah blah! QED. © Microsoft Proof Wizard TM.

34 Proofs What is a proof to a computer? Verify(assertion, Proof) = accept Verify(assertion, Proof) = reject What kinds of assertions+proofs can computers verify?

35 Example: Satisfiability Consider assertions of form: “Formula  is satisfiable” e.g.  = (x_1  x_2)  (x_2  x_3) Proof = Satisfying Assignment x_1 = true, x_2 = false, x_3 = true Verify( , (a_1, a_2, a_3)): Plug in a_1, a_2, a_3 into . Accept if  becomes true.

36 NP NP = assertion “types” (aka languages) with proofs that are: efficiently computer-verifiable, reasonable length. Very rich class. e.g. Satisfiability ∈ NP. Not the end of the story!

37 Probabilistic Proofs Must proof be totally convincing? Alternative: If proof correct, Verifier accepts always. If proof wrong, Verifier rejects with high prob.

38 Interactive Proofs Prover and Verifier talk back and forth. Prover tries to convince Verifier that assertion is true. If assertion is false, Prover fails with high prob. Now, Proof is a Protocol.

39 Interactive Proof System [Diagram: Prover and Verifier exchange messages v1, p1, v2, …, pk; Verifier outputs accept/reject.] Interactive protocol where Prover tries to convince probabilistic Verifier that x is true. When x is true, Verifier accepts always. When x is false, Verifier rejects w.p. ( ) no matter what strategy Prover uses.

40 Interactive Proof System [Diagram: Prover and Verifier exchange messages v1, p1, v2, …, pk; Verifier outputs accept/reject.] Interactive protocol where Prover tries to convince probabilistic Verifier that x is true. When x is true, Verifier accepts always. When x is false, Verifier rejects w.p. ( ) no matter what strategy Prover uses. 1/2

41 Zero Knowledge Prover convinces Verifier, but... Verifier learns nothing except that assertion is true! What does that mean??

42 Defining Zero Knowledge Natural Suggestion: Verifier should not be able to prove assertion to anyone else. …what if Verifier already knew how to prove assertion? …maybe Verifier learned something else...

43 Magic Tricks Magic tricks are like zero-knowledge proofs: Good magic tricks reveal nothing about how they work. What makes a magic trick good?

44 A Magic Trick Two balls: Purple and Red, otherwise identical Blindfolded Magician You give a random ball to magician

45 A Magic Trick (cont.) Magician tells you the color! Magician proves he can distinguish balls blindfolded. You learn nothing except this. Abracadabra, Goobedy goo! It is Red! Wow! He’s so cool!

46 A Magic Trick (cont.) You knew exactly what magician was going to do. And he did it! Since you knew to begin with, you could not have learned anything new! It’s Red! I knew he would say that.

47 Zero Knowledge Idea for definition: Verifier “knows” what is going to happen. CS-speak: Verifier can simulate it herself! Abracadabra, Goobedy goo! It is Red! Simulation

48 Zero-Knowledge Proof [Diagram: messages v1, p1, v2, …, pk, then accept/reject.] When assertion is true, Verifier can simulate her view of the interaction on her own. Formally, there is probabilistic poly-time simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Verifier’s actual view of interaction with Prover. Note: ZK for honest verifier only.

49 Zero Knowledge Proof [Diagram: two message transcripts (v1, p1, v2, …, pk, accept/reject) and a “?”]

50 Dishonest Verifiers Ha ha!

51 Zero-Knowledge Proof [Diagram: messages v1, p1, v2, …, pk, then accept/reject.] When assertion is true, any Verifier can simulate her view of the interaction on her own. Formally, for every verifier, there is probabilistic poly-time simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Verifier’s actual view of interaction with Prover.

52 Zero-Knowledge Proofs for NP

53 Another Magic Trick Magician asks you to think of either “Apple” or “Banana” Magician then gives you a sealed box.

54 Mind Reading You tell Magician what you were thinking. I was thinking of a banana.

55 Banana Mind Reading (cont.) Magician tells you to open box, and read piece of paper in box. Magician proves he can predict what you will say. How did he do that!!

56 Mind Reading (cont.) Again, you knew what was going to happen. ⇒ Zero-Knowledge I was thinking of a banana. Simulation Banana

57 Mind Reading (cont.) But why was it convincing? Because Magician committed to his guess before you told him.

58 Cryptographic Commitment Public Key Encryption Scheme (PK,SK). Assume E_PK is always one-to-one. To commit to a string x, I send y = E_PK(x; r). To open the commitment, I reveal (x, r). Commitment is secret. Because E_PK is 1:1, can’t change my mind about x.

59 The Power of NP NP is very useful cryptographically, e.g.: Say y = E_PK(x; r) and y’ = E_PK’(x’; r’). “y and y’ are encryptions of same message” is in NP! Say f is efficiently computable. “y’ is the encryption of f applied to the decryption of y” ∈ NP. If we could prove NP statements in ZK,...

60 NP-Completeness Amazing thing about NP: There are languages complete for NP! e.g. Graph 3-Colorability

61 NP-Completeness (cont.) y = E_PK(x; r) and y’ = E_PK’(x; r’) “y and y’ are encryptions of same message” reduction

62 ZK Proof for Graph 3-Colorability Input: Graph G = (V = {1, …, n}, E). Prover Knows: 3-coloring c: V → {R,B,G}. First, Prover picks random permutation π: {R,B,G} → {R,B,G}, and applies to c :

63 ZK Proof (cont.) Prover → Verifier: Commit(π(c(1))), …, Commit(π(c(n))). Verifier → Prover: e = (i,j) ∈_R E. Prover → Verifier: Reveal π(c(i)) and π(c(j)). Verifier accepts if π(c(i)) ≠ π(c(j)).

64 ZK Proof (cont.)

65 ZK Proof: Analysis Suppose Graph is NOT 3-colorable. Then at least one edge where colors equal. ⇒ Verifier catches with prob. 1/m. Repeat protocol 100m times, ⇒ Verifier catches with prob. ( )

66 ZK Proof: Analysis (cont.) Why Zero-Knowledge? Verifier knows what will happen. Simulator: Pick e = (i,j) ∈_R E. Pick random different colors a,b. Commit to arbitrary values for all colors except for i and j. For i and j, commit to a,b. Imitate rest of protocol.

67 Simulator

68 ZK Proof (Simulated)

69 ZK Proof: Analysis (cont.) Only difference between real & simulated: In real life, commitments are to valid coloring. In simulator, commitments are to invalid coloring. But commitments are secret, by security of encryption scheme. ⇒ Simulator output and real life are computationally indistinguishable.

70 ZK Proof: Analysis (cont.) This is proof of ZK for Honest Verifier. Same protocol ZK for Dishonest Verifiers. Proof: same idea, more technical. Not surprising... Verifier’s only job: pick random edge.
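Added example (not part of the original slides): one round of the 3-colorability protocol from slides 62-63, next to the simulator from slide 66, in Python. A salted SHA-256 hash stands in for the slides' commitment y = E_PK(x; r); the graph, the colourings and all function names are constructed for illustration.

```python
import hashlib
import secrets

COLOURS = ("R", "B", "G")

# Constructed sample graph: a 4-cycle plus the chord (1, 3).
VERTICES = [1, 2, 3, 4]
EDGES = [(1, 2), (2, 3), (3, 4), (4, 1), (1, 3)]
COLOURING = {1: "R", 2: "B", 3: "G", 4: "B"}   # valid 3-coloring c
BAD_COLOURING = {**COLOURING, 4: "R"}          # edge (4, 1) is monochromatic

def commit(value):
    """Return (commitment, opening). Assumption: SHA-256 over r || value
    replaces the slides' one-to-one encryption E_PK(x; r)."""
    r = secrets.token_bytes(32)
    return hashlib.sha256(r + value.encode()).digest(), (value, r)

def opens_to(commitment, opening):
    value, r = opening
    return hashlib.sha256(r + value.encode()).digest() == commitment

def verifier_accepts(commitments, edge, open_i, open_j):
    """Both openings must match their commitments and show different colours."""
    i, j = edge
    return (opens_to(commitments[i], open_i) and opens_to(commitments[j], open_j)
            and open_i[0] in COLOURS and open_j[0] in COLOURS
            and open_i[0] != open_j[0])

def real_round(edges, colouring, rng):
    """Prover commits to pi(c(v)) for every v, then opens the challenged edge."""
    shuffled = list(COLOURS)
    rng.shuffle(shuffled)                      # fresh random permutation pi
    pi = dict(zip(COLOURS, shuffled))
    pairs = {v: commit(pi[c]) for v, c in colouring.items()}
    commitments = {v: p[0] for v, p in pairs.items()}
    i, j = edge = rng.choice(edges)            # honest verifier: e chosen at random from E
    return commitments, edge, pairs[i][1], pairs[j][1]

def simulated_round(vertices, edges, rng):
    """Simulator: no coloring needed. Pick the edge first, then commit so
    that exactly this edge opens to two different random colours."""
    i, j = edge = rng.choice(edges)
    a, b = rng.sample(COLOURS, 2)
    pairs = {v: commit("R") for v in vertices}  # arbitrary values, never opened
    pairs[i], pairs[j] = commit(a), commit(b)
    commitments = {v: p[0] for v, p in pairs.items()}
    return commitments, edge, pairs[i][1], pairs[j][1]

def rounds_until_caught(edges, bad_colouring, rng, max_rounds=10_000):
    """Soundness: a prover without a valid coloring fails once the verifier
    happens to challenge a monochromatic edge."""
    for n in range(1, max_rounds + 1):
        if not verifier_accepts(*real_round(edges, bad_colouring, rng)):
            return n
    return None

if __name__ == "__main__":
    import random
    rng = random.Random()
    print("real round accepted:     ", verifier_accepts(*real_round(EDGES, COLOURING, rng)))
    print("simulated round accepted:", verifier_accepts(*simulated_round(VERTICES, EDGES, rng)))
    print("cheating prover caught in round", rounds_until_caught(EDGES, BAD_COLOURING, rng))
```

The real and simulated transcripts have the same shape: a set of commitments, one edge, and two openings to distinct colours. They differ only in what the unopened commitments hide.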

71 ZK Proof in a nutshell

72 Consequences

73 Identification Most basic application of ZK: Identification. To prove identity, just prove in ZK that some graph is 3-colorable. 3-coloring is like password. Even the computer you are logging on to will never find out your password!  Idea used to make signatures too.

74 Bigger Picture Anonymity: Anonymous Credentials Pseudonyms ( e-cash Fair exchange Distributed Encryption, Signatures General Multi-Party Computation Mental Poker

75 Mental Poker Want to play poker totally in your mind? No physical cards. No trusted dealer. Main Problem: How to deal cards fairly?

76 Mental Poker (cont.) Basic idea: Each player shuffles deck, by picking random permutation π_i. Player i gets card π_1(π_2(..(π_n(i))..)). No player can control his card. Might as well pick random π_i. Shuffle is random + hidden. But how does player i get proper card?

77 Mental Poker (cont.) Player i wants card π_1(π_2(..(π_n(i))..)). Player i asks for π_n(i), π_{n-1}(π_n(i)), ... Say Player i needs π_k(x): Use “Oblivious Transfer”: Player i finds out π_k(x) for one value x. Player k does not learn x. Uses ZK as subroutine.

78 Mental Poker (cont.) Problem: Player k may not give correct π_k(x). Solution: Every player commits at beginning to π_k(1), …, π_k(52). Player k proves in ZK that it gave correct value for π_k(x).

79 Mental Poker (cont.) Problem: Player i may not ask for correct x. Solution: Player i proves in ZK that it is asking for correct x each time. ⇒ Each player gets proper random cards at end of “dealing” phase.

80 Mental Poker (cont.) At end of game, if Player i reveals card: Player n opens commitment to π_n(i). Player n-1 opens commitment to π_{n-1}(π_n(i)). ... Player 1 opens commitment to π_1(π_2(..(π_n(i))..)). All players verify.

81 Any Mental Game Using these techniques, can actually play any mental game! For any efficient function f, n players with secret inputs x_1, ..., x_n can: Learn y = f(x_1, ..., x_n) s.t. No players learn anything except y. In particular, x_1, ..., x_n still secret. e.g. Two people can figure out who has bigger salary, without revealing salary!

82 Conclusions Zero Knowledge Proofs Simple, beautiful idea. Fundamental to Cryptography. Can prove all NP statements in ZK (assuming one-way functions exist). Have a great vacation!

83 Mental Poker (cont.) Player i needs π_k(x). Use “Oblivious Transfer”: Player k commits to π_k(1), …, π_k(n) (at start). “Player i gets π_k(x) without Player k finding out x”. Player i proves in ZK that only got 1 value. Player k proves in ZK that value is consistent with commitment.

84 ZK Proof (cont.) Prover Verifier

85 ZK Proof (cont.) Prover Verifier

86 ZK Proof (cont.) Prover Verifier

87 ZK Proof (cont.) Prover Verifier

88 Example: GRAPH ISOMORPHISM [GMW86] Prover Verifier Claim: Protocol is an (honest ver) SZK proof. 3.

89 I love you. Mind Reading Two balls: Purple and Red, otherwise identical Blindfolded Magician You give a random ball to magician

90 A Magic Trick (cont.) You knew exactly what magician was going to do. He did it! Since you knew to begin with, you could not have learned anything new! It’s Red! I knew he would say that.

91 A Magic Trick

92 Interactive Proof System [Diagram: Prover and Verifier exchange messages v1, p1, v2, …, pk; Verifier outputs accept/reject.] Interactive protocol where Prover tries to convince probabilistic Verifier that x is true. When x is true, Verifier accepts always. When x is false, Verifier rejects w.p. 1/2 no matter what strategy Prover uses.

93 Philosophy Is my random number generator secure? System Designer for Hospital Will my protocols work securely together? Is it secure vs. attack A? Is it secure vs. attack B?

94 Holy Grail Guarantee: Nobody can break system in  100 years. Unfortunately, we don’t know how to prove such theorems. ⇒ Need to make assumptions.

95 One Approach... It’s so complicated! It must be secure! Cryptosystem XYZ (Patent Pending)

96 One Approach… (cont.) Cryptosystem XYZ Broken 2 Days After Release!

97 Examples PKCS #1 (Encryption Standard). DVD Encryption. Digital Cellular Phone Encryption (GSM) … Lesson: Intuition often fails to hold for cryptography. Must be cautious!

98 Assumptions Some assumptions have held up over the years. e.g. problems believed to be hard: Discrete Logarithm: Given y = g^x (mod p), find x. RSA: Given y = x^e (mod N = pq), find x. Key: Red = Secret, Blue = Known

99 Security Cryptographic Primitives RSA Discrete Log Assumptions “My encryption scheme is secure against CPA if RSA is hard to invert.”

100 Better Security Cryptographic Primitives RSA Discrete Log Assumptions One Way Functions Lattice Problems...

101 Better Security Cryptographic Primitives RSA Discrete Log Assumptions One Way Functions Lattice Problems... “My signature scheme is secure against CMA if One-Way Functions exist…” “One-Way Functions exist if either RSA is hard, or Discrete Log is hard, or …”

102 Philosophy Cryptography: Systematically address as many concerns as we can. Will my protocols work securely together? Is it secure vs. attack A? Is it secure vs. attack B? Is my random number generator secure?

103 Randomness: Why? Example: Public-Key Encryption Deterministic Encryption? Two possible messages: “Attack!” “Retreat!” ⇒ Completely insecure! ⇒ Need Randomization. Many other examples throughout Crypto.

104 Randomness True randomness hard to come by. Can get a source with moderate entropy. Mouse/Keyboard movements. Radioactive decay. Refine ⇒ a few truly random bits. Need many more! ⇒ Need to generate Pseudo-Random bits from a few truly random bits

105 Pseudo-Random Generator (PRG) [Diagram: Truly Random Seed → Pseudo-Random Generator (deterministic procedure) → lots of pseudo-random bits]

106 Pseudo-Random? What are “good” pseudo-random bits? Statistical tests? Linear Congruential Generator(a, b, m, y_0): y_n = a·y_{n-1} + b (mod m) passes lots of tests. Insecure in practice! Need definition that guarantees security.

107 A.I. Turing Test

108 Cryptographic Turing Test ? Our System Perfectly Secure System

109 Def. for PRG ? Truly Random Bits Random Seed PRG
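Added example (not part of the original slides): a distinguisher for the Linear Congruential Generator of slide 106, in the sense of the test on slide 109. It assumes the modulus m is known and prime; the parameter values, the seed and the function names are constructed for illustration.

```python
import secrets

M = 2**31 - 1  # constructed modulus (prime), assumed known to the tester

def lcg(a, b, m, y0, n):
    """First n outputs of y_n = a*y_{n-1} + b (mod m), starting after y0."""
    out, y = [], y0
    for _ in range(n):
        y = (a * y + b) % m
        out.append(y)
    return out

def recover_params(ys, m):
    """Solve ys[1] = a*ys[0] + b and ys[2] = a*ys[1] + b (mod m) for (a, b).
    Returns None when ys[1] - ys[0] has no inverse mod m."""
    d = (ys[1] - ys[0]) % m
    try:
        a = (ys[2] - ys[1]) * pow(d, -1, m) % m
    except ValueError:
        return None
    b = (ys[1] - a * ys[0]) % m
    return a, b

def looks_like_lcg(ys, m):
    """Distinguisher: accept iff one (a, b) explains every consecutive pair."""
    params = recover_params(ys, m)
    if params is None:
        return False
    a, b = params
    return all((a * ys[k] + b) % m == ys[k + 1] for k in range(len(ys) - 1))

def predict_next(ys, m):
    """The same recovered (a, b) gives the generator's next output."""
    a, b = recover_params(ys, m)
    return (a * ys[-1] + b) % m

if __name__ == "__main__":
    stream = lcg(1103515245, 12345, M, 42, 9)               # constructed LCG output
    truly_random = [secrets.randbelow(M) for _ in range(8)]
    print("LCG stream flagged:   ", looks_like_lcg(stream[:8], M))
    print("random stream flagged:", looks_like_lcg(truly_random, M))
    print("next value predicted: ", predict_next(stream[:8], M) == stream[8])
```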

110 Is it good enough? Consider Encryption Scheme, secure if use truly random bits. Can we use Encryption w/PRG? Consider any poly-time attacker s.t.: Breaks Encryption w/PRG. Fails vs. Encryption w/true random bits. ⇒ Encryption + Attacker = Distinguisher for PRG. ⇒ Contradiction.

111 Reductions and Security Want: Assumption ⇒ Security. How to prove? Use Contrapositive: Successful Attack ⇒ Break Assumption. Must Give Reduction!