July 8, 2004 IEEE - CEC '041 Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs Sultan Almuhammadi Nien Sui Dennis McLeod {salmuham, sui, sui,
July 8, 2004 IEEE - CEC '042 Keywords Security Privacy Zero-knowledge proofs Elliptic Curves
July 8, 2004 IEEE - CEC '043 Zero-Knowledge Proof!… Why bother? Peggy: "I know the password to the Federal Reserve System computers." Victor: " No, you don't" Peggy: " Yes, I do!" Victor: " Do not!" Peggy: " Do too!" Victor: " Prove it!" Peggy: " All right. I'll tell you". She whispers in Victor's ear.
July 8, 2004 IEEE - CEC '044 Zero-Knowledge Proof!… Why bother? Victor: "That's interesting. Now I know it too. I'm going to tell the Washington Post." Peggy: "Oops!!" Unfortunately, the usual way for Peggy to prove something to Victor is for Peggy to tell him. But then he knows it too, and can tell anyone else he wants to.
July 8, 2004 IEEE - CEC '045 Outline Introduction to Zero-Knowledge Proof Applications of ZKP to E-com Examples of ZK Proof Problems Classical Solutions Elliptic Curves EC Solutions Why EC? Current Research on ZKP Conclusion
July 8, 2004 IEEE - CEC '046 Introduction What is ZK proof? To prove knowledge of a secret without revealing any information about it. It must be: Zero-knowledge, and Proof.
July 8, 2004 IEEE - CEC '047 Introduction What is Zero-Knowledge? It is computationally infeasible to retrieve the secret using the information revealed in the proof (dialogue). If he deviates from the protocol, it doesn’t help the verifier to learn the secret. The verifier can build a simulator to generate a transcript of a similar dialogue of the proof.
July 8, 2004 IEEE - CEC '048 Introduction What about the Proof? It must be convincing! It must be highly unlikely that the prover can generate the dialogue without knowing the secret.
July 8, 2004 IEEE - CEC '049 Applications of ZKP to E-com. Identification schemes Multi-media security and digital watermarks Network privacy and anonymous communication Digital cash and off-line digital coin systems Electronic voting systems Public-key cryptographic systems
July 8, 2004 IEEE - CEC '0410 Examples of ZKP Zero-Knowledge Proof of: Discrete Logarithm Graph Isomorphism Square root of an integer modulo n Integer factorization
July 8, 2004 IEEE - CEC '0411 Discrete Logarithm Peggy, the prover, wants to prove in zero- knowledge that she knows the DL of a given number modulo n. i.e. to prove in zero-knowledge that she knows x such that g^x = b (mod n), for known b, g, n.
July 8, 2004 IEEE - CEC '0412 Graph Isomorphism Peggy wants to prove in zero-knowledge that two given graphs G1 and G2 are isomorphic. i.e. to prove that she knows a mapping f from G1 to G2 such that: (v1,v2) is an edge in G1 iff (f (v1), f (v2)) is an edge in G2 without revealing any information about f.
July 8, 2004 IEEE - CEC '0413 Square root of an integer modulo n Peggy wants to prove in zero-knowledge that she knows the square root of a given number modulo a large composite number n. i.e. to prove in zero-knowledge that she knows x such that x^2 = b (mod n), for known b, n.
July 8, 2004 IEEE - CEC '0414 Integer factorization Peggy wants to prove in zero-knowledge that a given number n is a product of two large primes. i.e. to prove in zero-knowledge that she knows p and q such that p * q = n, for a given n.
July 8, 2004 IEEE - CEC '0415 Classical Solutions Iterative ZK proof of DL problem Given n, generator g for F n, and b F n To prove in zero-knowledge that Peggy knows x such that g^x = b (mod n)
July 8, 2004 IEEE - CEC '0416 ZKP of DL problem hhP sends h = g^r mod n to V2 rPeggy generates random r1 ccV flips a coin c = H or T3 r, check g^r = hIf c = H, P sends r to V4 m, check g^m = bhmIf c = T, P sends m = x + r5 Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2 -k, for k iterations). 6 Victor (V)Peggy (P) g, b, ng, b, n, x0
July 8, 2004 IEEE - CEC '0417 Elliptic Curves Definition: an elliptic curve E over some field K is the set of all points (x, y) K K that satisfy the equation: y 2 = x 3 + ax + b Where a, b K
July 8, 2004 IEEE - CEC '0418 ZK Proofs Using EC EC vs. Multiplicative Groups Points (x,y) on the elliptic curve E/Fn instead of integers. Multiplication (m.B) instead of power (b^m). DL Problem in EC Given B, G E (Fn) {G is “generator” or its order contains large prime}, to find m such that m.G = B
July 8, 2004 IEEE - CEC '0419 ZK Proofs Using EC ZK proof of DL problem Given E/F n, G (generator, or its order contains large prime), and B = mG E. Peggy wants to prove in zero-knowledge that she knows m.
July 8, 2004 IEEE - CEC '0420 ZKP of DL problem Using EC AAP sends A = r G to V2 rPeggy generates random r1 ccV flips a coin c = H or T3 r, check r G = AIf c = H, P sends r to V4 x, check xG =A+BxIf c = T, P sends x = r + m5 Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2 -k, for k iterations). 6 Victor (V)Peggy (P) G, BG, B, m0
July 8, 2004 IEEE - CEC '0421 Why EC? EC is more secure for DL blocks Having DL as building blocks in ZK proofs, EC scheme is more secure than the classical scheme (using multiplicative groups). Breaking the scheme requires solving the DL problem.
July 8, 2004 IEEE - CEC '0422 Why EC? Time Complexity of Solving DL The classical DL problem in Fq* can be solved in sub- exponential time, L[1/3]. Exp[ O( (log q) 1/3 (log log q) 2/3 ) ] The best known algorithm to solve the DL problem in E/Fq (using giant-step baby-step approach and MOV reduction) takes exponential time, L[1], O(N 1/2 ) where N is the group order. Exp[ O(log q) ]
July 8, 2004 IEEE - CEC '0423 Why EC? Other Problems? EC schemes are more secure than the classical ones if they are based on only DL. If the EC scheme is not based on only DL, then weaker parts can be attacked in sub-exponential time, and hence EC gives no more security than the classical ones. (E.g. ZK proof of knowing square root of b mod n)
July 8, 2004 IEEE - CEC '0424 Example: Square root problem ZK proof of knowing square root of b mod n Given b and n, Peggy wants to prove in zero-knowledge that she knows x such that x^2 = b (mod n) EC version Given E/Fn (for composite n) and B E, Peggy wants to prove in zero-knowledge that she knows A E such that 2A = B
July 8, 2004 IEEE - CEC '0425 Example: x^2 = b mod n ssP sends s = r^2 mod n to V2 rPeggy generates random r1 ccV flips a coin c = H or T3 r, check r^2 = sIf c = H, P sends r to V4 m, check m^2 = sbmIf c = T, P sends m = r x5 Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2 -k, for k iterations). 6 Victor (V)Peggy (P) b, nb, n, x0
July 8, 2004 IEEE - CEC '0426 Example (EC version) : 2 A = B SSP sends S = 2R = R+R to V2 RPeggy generates random R1 ccV flips a coin c = H or T3 R, check 2R = SIf c = H, P sends R to V4 M, check 2M = S+BM If c = T, P sends M = R+A5 Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2 -k, for k iterations). 6 Victor (V)Peggy (P) BA, B0
July 8, 2004 IEEE - CEC '0427 Example (EC version) : 2 A = B SSP sends S = 2R = R+R to V2 RPeggy generates random R1 ccV flips a coin c = H or T3 R, check 2R = SIf c = H, P sends R to V4 M, check 2M = S+BM If c = T, P sends M = R+A5 Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2 -k, for k iterations). 6 Victor (V)Peggy (P) BA, B0 Solve for R in sub-exp A = M - R = T
July 8, 2004 IEEE - CEC '0428 Current Research on ZKP Iterative ZKPs VS. One-round ZKPs Challenge-and-response protocol
July 8, 2004 IEEE - CEC '0429 One-Round ZK proof of DL problem yV generates a random y1 C= g^yCV sends C = g^y (mod n)2 RR= C^xP sends R = C^x (mod n)3 V verifies that R = b^y (mod n) i.e. R = C^x = (g^y)^x = g^xy = (g^x)^y = b^y 4 Victor (V)Peggy (P) g, b, ng, b, n, x0
July 8, 2004 IEEE - CEC '0430 One-Round ZK proof of DL problem yV generates a random y1 C= yGCVictor sends C = yG2 RR= mCPeggy sends R = mC3 Victor verifies that yB = R i.e. yB = y(mG) = m(yG) = mC = R 4 Victor (V)Peggy (P) G, BG, B, m0
July 8, 2004 IEEE - CEC '0431 Conclusion Graph Isomorphism Factorization Square root DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0432 Conclusion Graph Isomorphism Factorization Square root Yes DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0433 Conclusion Graph Isomorphism Factorization NoYes Square root Yes DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0434 Conclusion Graph Isomorphism Yes Factorization NoYes Square root Yes DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0435 Conclusion Graph Isomorphism No Yes Factorization NoYes Square root Yes DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0436 Conclusion YesGraph Isomorphism No Yes Factorization NoYes Square root Yes DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0437 Conclusion ?YesGraph Isomorphism No Yes Factorization NoYes Square root Yes DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0438 Conclusion ???YesGraph Isomorphism No Yes Factorization NoYes Square root Yes DL EC security advantage ECClassical (one-round) Classical (iterative) ZK Proof Problems
July 8, 2004 IEEE - CEC '0439 References 1.Elliptic curve implementation of zero-knowledge blobs, Neal Koblitz, Journal of Cryptology, Vol. 4, 1991, Zero Knowledge Watermark Detection, Scott Craver, Princeton Univ. 3.Algebraic Aspects of Cryptography, Neal Koblitz, Springer Applied Cryptography, Bruce Schneier, Wiley pp The improbability that an elliptic curve has sub-exponential discrete log problem under the MOV algorithm, R. Balasubramaniam, N. Koblitz, Journal of Cryptology, 1998.
July 8, 2004 IEEE - CEC '0440 Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs Sultan Almuhammadi Nien Sui Dennis McLeod {salmuham, sui, sui,