Published by Ειρηναίος Παπαγεωργίου. Modified over 6 years ago
1
Cryptographic protocols 2016, Lecture 12 Sigma protocols
Helger Lipmaa University of Tartu, Estonia
2
Up to now Introduction to the field Secure computation protocols
Can do almost everything in semihonest model Introduction to malicious model
3
this time Reminder: zero knowledge and malicious model
Σ-Protocols: a particular kind of "ZK" protocols motivation security definitions examples
4
reminder: General protocol design
Design a passively secure protocol I.e., that protects privacy given participants follow the protocol ... take any protocol we have seen up to now Make it secure in the malicious model by adding ZK proofs to all messages of course this needs "some" care: you need to know which ZK to add efficiency, ...
5
proofs vs proofs of knowledge
ZK Proof: Complete: honest prover convinces honest verifier Sound: dishonest prover cannot convince honest verifier of a false statement (except with negligible probability) Zero Knowledge: dishonest verifier only gets to know that the honest prover is honest, i.e. that the statement is true ZK Proof of Knowledge: (in addition) Proof of Knowledge (stronger soundness): the prover convinces the honest verifier that he knows "why he is honest" --- i.e., knows some secret "witness"
6
reminder: authentication
Verifier V (knows pk) and Prover P (knows pk, sk). P: "I am The Doctor." V: "Prove it!" Attempt 1: P signs V's document with the Doctor's secret key. Leaks information (new signatures), not really ZK. Plain ZK proofs (of membership) do not make sense in this application: the statement "a secret key for pk exists" is trivially true for every well-formed pk. What is needed is a ZK proof of knowledge: "I know sk" (and nothing else is leaked)
7
motivation by examples
We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledge We will later see other protocols that are "secure" in the same sense Common name: Σ protocols We then formally define security of such protocols
8
graph isomorphism Two graphs G1 = (V1, E1) and G2 = (V2, E2) are isomorphic if there exists a map φ: V1 → V2 such that φ is a bijection (v1, v2) ∈ E1 iff (φ(v1), φ(v2)) ∈ E2 We then write G2 = φ(G1) Intuitively: an isomorphism is a consistent renaming of the vertices, carrying the edges along with them Best known algorithm for GI [Babai, 2015]: quasipolynomial time 2^((log n)^O(1)), so GI is not known to be solvable in polynomial time Like factoring, GI is not known to be in P and not known to be NP-complete Better classical algorithm than for factoring, but no known efficient quantum algorithm either Caveat: GI serves here as a teaching example. Random and practical instances are solved quickly by tools such as nauty, so nobody deploys cryptography on GI; the DL-based Σ-protocols of the next lecture are the ones used in practice
9
QuiZ: graph isomorphism
Are those graphs isomorphic? If so, find isomorphism
10
answer: graph isomorphism
yes! in fact two isomorphisms (two nodes are "indistinguishable": they can be mapped to each other)
11
reminder: adjacency matrix
Fix a graph G with n vertices, numbered 1..n Construct the n×n matrix A = (a_ij) such that a_ij = 1 when there is an edge i→j and a_ij = 0 otherwise A is the adjacency matrix of G: a compact way of representing G (Figure: a 6-vertex example graph and its 6×6 adjacency matrix, not reproduced here) Intuitively: isomorphic graphs have adjacency matrices that differ by one consistent permutation applied to both the rows and the columns
12
QUIZ: Σ-protocol for GI
QUIZ: can you think of any kind of protocol that convinces the verifier that the prover knows an isomorphism, without revealing it? :-) (Figure: graphs G1 and G2)
13
QUIZ: Σ-protocol for GI
QUIZ: can you think of any kind of protocol that convinces the verifier that the prover knows an isomorphism, without revealing it? :-) Hint: let the prover show, for a third graph H, that he knows an isomorphism between H and one of the two graphs, where the verifier picks G1 or G2 with probability 1/2 each (Figure: G1, G2 and H)
14
answer: Σ-protocol for GI
Prover creates a random isomorphic copy H of G1 Verifier picks a random c ∈ {1, 2} and asks the Prover to reveal the isomorphism between H and Gc Clearly, the honest Prover always succeeds If G1 and G2 are not isomorphic, H is isomorphic to at most one of them, so the Prover fails with probability at least 1/2 Random isomorphic copy of G with adjacency matrix A: a graph whose adjacency matrix is obtained from A by one random permutation applied to both rows and columns
15
Σ-protocol for GI
Common input: pk = (G1, G2). Prover's secret: sk = φ with G2 = φ(G1)
Prover: generate a random isomorphism ψ, set H ← ψ(G1), send H
Verifier: pick c ← {1, 2} at random, send c
Prover: if c = 1 then σ ← ψ else σ ← ψ · φ⁻¹ (so that in both cases H = σ(Gc)); send σ
Verifier: if H = σ(Gc) then accept else reject
(Figure: triangle G1, G2, H with arrows φ: G1 → G2, ψ: G1 → H and ψ · φ⁻¹: G2 → H)
16
Σ-protocol for GI: completeness
If G2 = φ(G1) then H = ψ(G1) = ψ(φ⁻¹(G2)), so σ(Gc) = H both for c = 1 (σ = ψ) and for c = 2 (σ = ψ · φ⁻¹). Thus the honest Verifier always accepts the honest Prover
17
Σ-protocol for GI: soundness
Soundness (imprecise): if G1 and G2 are not isomorphic, then H cannot be isomorphic to both. With probability at least 1/2 (when c corresponds to the Gc that H is not isomorphic to) no valid σ exists, and the Verifier rejects
18
Σ-protocol for GI: POK
Proof of knowledge (imprecise): assume that the Prover can make the Verifier accept with probability 1. Then the Prover can create H together with an isomorphism between G1 and H and an isomorphism between G2 and H. Composing them, G1 and G2 are isomorphic, and the Prover "knows" the isomorphism
19
Σ-protocol for GI: ZK
ZK (imprecise): the Verifier only sees a random isomorphic copy H of G1 and an isomorphism from this copy to Gc. Intuitively no information about φ is leaked
20
knowledge error Honest Prover is accepted with probability 1
Dishonest Prover is accepted with non-zero probability κ = 1/2 Def (informal). Κnowledge error = κ Every Σ-protocol has non-zero knowledge error Prover can just guess Verifier's challenge and prepare first message accordingly
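The protocol of slides 15-20 as runnable code. This is an added example, not code from the lecture: graphs are sets of directed edges over vertices 0..n-1, permutations are tuples, and the sample instance (G1, φ, G2, and a non-isomorphic G3) is constructed here. The cheating prover is the one from slide 20: it guesses the challenge before sending H, and is accepted exactly when the guess was right, which is where the knowledge error κ = 1/2 comes from.

```python
import random

# Added example (not from the slides): the GI Σ-protocol of slides 15-20.
# A graph with vertices 0..n-1 is (n, frozenset of directed edges (u, v)).
# A permutation is a tuple p with p[v] = image of vertex v.

def apply_perm(p, edges):
    """phi(G): relabel every edge (u, v) to (p[u], p[v])."""
    return frozenset((p[u], p[v]) for (u, v) in edges)

def compose(p, q):
    """(p . q)(v) = p(q(v)): apply q first, then p (the slides' psi . phi^-1)."""
    return tuple(p[q[v]] for v in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for v, image in enumerate(p):
        inv[image] = v
    return tuple(inv)

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

# --- honest prover (knows phi with G2 = phi(G1)) ---------------------------

def prover_commit(G1, rng):
    """1st message: H = psi(G1) for fresh random psi. Returns (H, state=psi)."""
    n, E1 = G1
    psi = random_perm(n, rng)
    return apply_perm(psi, E1), psi

def prover_respond(psi, phi, c):
    """3rd message: sigma = psi if c == 1 else psi . phi^-1, so H = sigma(Gc)."""
    return psi if c == 1 else compose(psi, inverse(phi))

# --- verifier --------------------------------------------------------------

def challenge(rng):
    """2nd message: a public coin, chosen independently of H."""
    return rng.choice((1, 2))

def verify(G1, G2, H, c, sigma):
    n, Ec = G1 if c == 1 else G2
    # sigma must be a permutation of 0..n-1 that carries Gc exactly onto H
    return sorted(sigma) == list(range(n)) and apply_perm(sigma, Ec) == H

def honest_run(G1, G2, phi, rng=None):
    rng = rng if rng is not None else random.Random()
    H, psi = prover_commit(G1, rng)
    c = challenge(rng)
    return verify(G1, G2, H, c, prover_respond(psi, phi, c))

# --- cheating prover: knowledge error kappa = 1/2 (slide 20) ----------------

def cheating_run(G1, G2, guess, c, rng=None):
    """A prover without phi guesses the challenge in advance: it picks a random
    sigma, sets H = sigma(G_guess) and answers sigma whatever c turns out to be.
    Against non-isomorphic G1, G2 it is accepted iff guess == c."""
    rng = rng if rng is not None else random.Random()
    n, Eg = G1 if guess == 1 else G2
    sigma = random_perm(n, rng)
    H = apply_perm(sigma, Eg)
    return verify(G1, G2, H, c, sigma)

# Constructed sample instance: a directed 4-vertex path and its image under phi.
G1 = (4, frozenset({(0, 1), (1, 2), (2, 3)}))
PHI = (3, 1, 0, 2)                              # 0->3, 1->1, 2->0, 3->2
G2 = (4, apply_perm(PHI, G1[1]))                # {(3,1), (1,0), (0,2)}
G3 = (4, frozenset({(0, 1), (0, 2), (0, 3)}))   # a star: not isomorphic to G1

def cheating_acceptance_count(runs, seed):
    """How often the guessing prover is accepted against (G1, G3): about runs/2."""
    rng = random.Random(seed)
    return sum(cheating_run(G1, G3, rng.choice((1, 2)), challenge(rng), rng)
               for _ in range(runs))

if __name__ == "__main__":
    print("honest prover accepted:", all(honest_run(G1, G2, PHI) for _ in range(100)))
    print("guessing prover accepted in", cheating_acceptance_count(1000, 2016), "of 1000 runs")
```

The verifier checks that σ is a permutation before applying it; without that check a malformed "σ" could map several vertices onto one and make the edge-set comparison pass for the wrong reason.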
21
a bit of terminology All such proofs are of type:
does input x belong to language L? The prover knows a witness w Proving x ∈ L can be done efficiently, given w Proof of knowledge: Prover proves he knows w GI: L = {(G1, G2): ∃φ such that G2 = φ(G1)} x = (G1, G2) w = φ
22
Σ-protocols: syntax input, witness input 1st message: commitment a
2nd message: challenge c 3rd message: response z Requirement: c is chosen from some challenge set C randomly. (Does not depend on a!) Terminology: public coin protocol
23
Σ-protocols: formal definition
A protocol (P, V) is a Σ-protocol, if it is a three-message public-coin protocol: it has three messages, with the prover starting, and the second message is completely random and independent of the first message Security: it is complete, specially sound, and special honest-verifier zero knowledge
24
Σ-protocols: security
input, witness input 1st message: commitment a 2nd message: challenge c 3rd message: response z Completeness Special Soundness Special Honest-Verifier ZK (SHVZK)
25
Σ-protocols: security
input, witness input 1st message: commitment a 2nd message: challenge c 3rd message: response z Completeness: if Prover is honest then honest Verifier always accepts. GI protocol has it
26
Σ-protocols: security
input, witness input 1st message: commitment a 2nd message: challenge c 3rd message: response z Special Soundness (with knowledge error κ): if Prover is dishonest then honest Verifier accepts with probability not much larger than κ. GI protocol has it (intuitively)
27
special soundness: more
Our proof of special soundness for GI relied on the next (informal) fact: If (possibly malicious) P* makes honest V always accept, then P* “knows” isomorphism between both H and G1, and between H and G2 We will next make this intuition more formal
28
semiFOrmally: special soundness
Assume a dishonest prover P* can make the honest verifier V accept with some probability ε > κ Then one can "extract" the witness (here, φ) from P* in expected time related to 1/(ε - κ) However, V is a pre-defined algorithm, so we define a new algorithm, an extractor K, that communicates with P* and extracts φ from P* This guarantees that κ is really the "limit" => we have a proof of knowledge As in reductions, K can only communicate with P*: K knows nothing about P* apart from what P* outputs
29
FOrmally: special soundness
Definition A Σ-protocol (P, V) is specially sound, if there exists a probabilistic expected poly-time extractor algorithm K, such that if a prover P* (possibly malicious) can make V accept with probability ε > κ, then K can --- after playing the role of V in possibly many instances of the protocol with P* --- output the value of the witness However, K must have some "superpower": otherwise V could do the same and extract the witness. Here: rewinding
30
Reminder: special soundness
Intuition. Assume P* makes V accept with probability 1. Then H is isomorphic to both G1 and G2
Protocol, in the input/witness terminology: input = (G1, G2), witness = φ. Prover: generate random isomorphism ψ, H ← ψ(G1), send H. Verifier: c ← {1, 2}, send c. Prover: if c = 1 then σ ← ψ else σ ← ψ · φ⁻¹, send σ. Verifier: if H = σ(Gc) then accept else reject
31
special soundness: rewinding
Formally, K plays V in the protocol. K does the following: Execute the protocol once with c = 1 and store (H, c, σ) Create a breakpoint for the prover directly after it sent H (save P*'s state at that moment)
32
special soundness: rewinding
After that: Rewind P* to the breakpoint (the state P* was in directly after sending H) Challenge with c* = 2 ≠ c, get P*'s answer σ*, and store (H, c*, σ*)
33
rewinding: analysis
Since P* makes V accept with probability 1, (H, c, σ) and (H, c*, σ*) are both accepting views Since H is the same in both and both views accept, H = σ(G1) = σ*(G2) But then φ = (σ*)⁻¹ · σ is an isomorphism between G1 and G2 (Figure: G1 → H via σ, G2 → H via σ*, hence G1 → G2 via φ = (σ*)⁻¹ · σ)
34
general K.e. Assume P* makes V accept with probability ε > κ
Write P*(x, ω) for the first message a and P*(x, ω, c) for the response z, where ω is P*'s random string Construct a Boolean matrix A with A_{ω,c} = 1 iff V accepts when P* uses random string ω and V uses challenge c A fraction ε of the entries is 1 (the probability ε is over both the randomness ω of P* and the challenge c of V) If ε > κ := 1/|C| then some row contains at least two 1s: if every row had at most one 1, the fraction of 1s would be at most 1/|C| = κ (the converse does not hold: a row with two 1s may exist for smaller ε)
35
general K.e. If P* makes V accept with probability ε > κ, K does: 1. Generate random (ω, c) until V accepts the resulting view (a, c, z): 1/ε expected steps 2. Generate random c* (but keep the same ω) until V accepts the resulting view (a, c*, z*): this happens with some probability p 3. If c = c* then go to step 1 Now K has (a, c, z) and (a, c*, z*) with c ≠ c*, and can retrieve the witness as before T_probes := the number of probed matrix entries before this happens; the figure annotates the whole procedure with 2/(pε) expected steps (Figure: the matrix with rows ω and columns c, probed entries numbered in order)
36
general ε One has to analyze the expected number of steps T_probes that guarantees that K will obtain such views with high probability Will omit the precise analysis Answer: T_probes ≤ 2/(ε - κ) expected runs Expected: with small probability the number of steps can be very large
37
Special soundness: simplified
Due to what we saw on last slides, we can somewhat simplify the special soundness definition We know the relation between ε - κ and the running time of extractor We can just assume that if we have already found two accepting views (a, c, z), (a, c*, z*) with c ≠ c*, then K can efficiently retrieve the witness We can then use what we know to construct full extractor
38
special soundness: simplified
Definition (simplified) A Σ-protocol (P, V) is specially sound, if there exists a (deterministic) poly-time extractor algorithm K that, given two accepting views (a, c, z) and (a, c*, z*), such that c ≠ c*, can efficiently compute the value of the witness
39
GI: proof of special soundness
(Protocol as on slide 15: input = (G1, G2), witness = φ; prover sends H = ψ(G1), verifier sends c ← {1, 2}, prover answers σ = ψ or σ = ψ · φ⁻¹, verifier checks H = σ(Gc)) Construction of extractor: given accepting views (H, c, σ) and (H, c*, σ*) with c ≠ c* (say c = 1, c* = 2), K outputs φ ← (σ*)⁻¹ · σ Analysis: since H is the same and both views accept, H = σ(G1) = σ*(G2) Thus φ is an isomorphism between G1 and G2
40
Idea of SHVZK
ZK (idea, imprecise): the Verifier only sees a random isomorphic copy H of G1 and an isomorphism from this copy to Gc. Intuitively no information is leaked
41
Idea of SHVZK
ZK (idea, semiprecise): for any given c, the Verifier can create a random isomorphism σ herself and set H ← σ(Gc). Clearly (H, c, σ) is accepting. Moreover, it has the same distribution as the real view: in both cases (H, c, σ) is a uniformly random triple subject to a single restriction (it satisfies verification), since in the real protocol σ is a uniformly random permutation too (σ = ψ for c = 1, and σ = ψ · φ⁻¹ is uniform whenever ψ is). This means V can create an accepting view herself, without knowing the witness => she gains no new information from seeing an accepting view. Since V is a well-defined algorithm, we again define a new algorithm, a simulator, that efficiently produces the Verifier's view
42
FOrmally: sHVZK Definition
A Σ-protocol (P, V) is SHVZK, if there exists a probabilistic poly-time simulator algorithm S that can, for any c, generate first a random z, and then a suitable a, such that (a, c, z) accepts, and if c is random then (a, c, z) has the same distribution as the real protocol views S must have a "superpower": otherwise dishonest prover could also simulate the view. Here the superpower is out-of-order execution
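The two "special" properties for the GI protocol, written out as code. This is an added example rather than code from the lecture: `extract` is the simplified extractor of slide 39 (two accepting views with the same H and c ≠ c* give φ = (σ*)⁻¹ · σ), `simulate` is the out-of-order simulator of slide 42 (pick σ first, then set H = σ(Gc)), and because the sample instance has only 4 vertices the 24 prover coins ψ and the 24 simulator coins σ can be enumerated to confirm that real and simulated views have exactly the same distribution, not just the same shape. The instance and the fixed ψ used for the rewinding demonstration are constructed here.

```python
from collections import Counter
from itertools import permutations

# Added example (not from the slides): extractor (slide 39) and simulator
# (slide 42) for the GI Σ-protocol, plus a brute-force distribution check.
# Graph = frozenset of directed edges over vertices 0..n-1; permutation = tuple.

def apply_perm(p, edges):
    return frozenset((p[u], p[v]) for (u, v) in edges)

def compose(p, q):
    """(p . q)(v) = p(q(v)): apply q first, then p."""
    return tuple(p[q[v]] for v in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for v, image in enumerate(p):
        inv[image] = v
    return tuple(inv)

def real_view(E1, phi, psi, c):
    """The honest prover's view (H, c, sigma) for fixed prover coins psi."""
    H = apply_perm(psi, E1)
    sigma = psi if c == 1 else compose(psi, inverse(phi))
    return (H, c, sigma)

def accepts(E1, E2, view):
    H, c, sigma = view
    return apply_perm(sigma, E1 if c == 1 else E2) == H

def extract(view, view_star):
    """Special soundness: two accepting views with the same H and c != c*
    yield phi = (sigma*)^-1 . sigma, where sigma answers c = 1 and sigma*
    answers c = 2.  Runs in poly time, no rewinding needed at this level."""
    (H, c, sigma), (H_star, c_star, sigma_star) = view, view_star
    if H != H_star or c == c_star:
        raise ValueError("need the same first message and distinct challenges")
    if c == 2:                      # normalise so that sigma answers c = 1
        sigma, sigma_star = sigma_star, sigma
    return compose(inverse(sigma_star), sigma)

def simulate(E1, E2, c, sigma):
    """SHVZK simulator: choose the response sigma first, then the first
    message H = sigma(Gc).  Never touches the witness phi."""
    return (apply_perm(sigma, E1 if c == 1 else E2), c, sigma)

def real_distribution(n, E1, phi, c):
    """Multiset of honest views over all (uniform) prover coins psi."""
    return Counter(real_view(E1, phi, psi, c) for psi in permutations(range(n)))

def simulated_distribution(n, E1, E2, c):
    """Multiset of simulated views over all (uniform) simulator coins sigma."""
    return Counter(simulate(E1, E2, c, sigma) for sigma in permutations(range(n)))

# Constructed sample instance (4 vertices, so 24 permutations).
N = 4
E1 = frozenset({(0, 1), (1, 2), (2, 3)})
PHI = (3, 1, 0, 2)
E2 = apply_perm(PHI, E1)

def extract_from_rewound_views(psi=(1, 3, 0, 2)):
    """Rewinding as on slides 31-33: same coins psi, challenges 1 and then 2."""
    return extract(real_view(E1, PHI, psi, 1), real_view(E1, PHI, psi, 2))

def views_identically_distributed(c):
    """SHVZK for this instance: same multiset of views for the given challenge."""
    return real_distribution(N, E1, PHI, c) == simulated_distribution(N, E1, E2, c)

if __name__ == "__main__":
    print("extracted witness:", extract_from_rewound_views(), "expected:", PHI)
    print("real == simulated for c=1, c=2:",
          views_identically_distributed(1), views_identically_distributed(2))
```

The distribution check is what "special" buys: for c = 2 the real response ψ · φ⁻¹ ranges over every permutation exactly once as ψ does, so the simulator's uniform σ is not an approximation but the identical distribution. On an instance with automorphisms `extract` still returns an isomorphism G1 → G2, though not necessarily the prover's own φ.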
43
SHVZK: comments Weaker:
SHVZK is both stronger and weaker than "zero-knowledge" Weaker: it is honest-verifier. It only guarantees ZK against a verifier that chooses c randomly and independently of a Stronger: it is special. The view must be simulated by a very strict, well-defined algorithm (response first, then first message, for any given c) We will make use of both "specials" (soundness, ZK) in the following lectures to construct interesting protocols
44
security amplification
In practice κ = 1/2 is way too big Simple solution: run the same protocol s times in parallel (s independent first messages, s independent challenges, s responses) If P is honest: honest V accepts always If P is dishonest: the probability that V accepts in all runs is κ^s = 2^(-s) Universal remedy, however it makes the protocol s times slower Completeness and SHVZK clearly carry over (simulate each run independently), and special soundness holds because two accepting views with different challenge vectors differ in at least one position It is better to start with a smaller κ before the amplification
45
why Σ-protocols? Security definitions correspond to the intuition behind a very natural protocol Can be constructed efficiently for many problems Can get, by adding a few extra steps, a four-message ZK protocol out of any Σ-protocol in a black-box way: the construction does not depend much on the concrete Σ-protocol Halfway there: soundness against a malicious prover, zero-knowledge against an honest verifier Since we know how to construct Σ-protocols for NP-complete problems (see Hamiltonian path in the last slides), this means we can construct four-message ZK protocols for any language in NP
46
Study outcomes Reminder: ZK
Example, very natural, protocol with "intuitive" security Σ-protocols: definition Motivations behind definition For example: why special soundness? (from natural protocol)
47
next lecture Σ-protocols based on DL
For example: knowledge of DL (knowledge of Elgamal sk) Various stuff about Elgamal plaintexts For example: Σ-protocol that Elgamal plaintext is in {0, 1}
48
tutorial The following material is presented in tutorial
It may be required for exam!
49
Hamiltonian path A Hamiltonian path in graph G is a path that visits every vertex exactly once Hamiltonian cycle: HP that is a cycle HP problem: does Hamiltonian path exist in this graph? Known to be NP-complete
50
QuiZ: hamiltonian path
Question: Does HC or at least HP exist in this graph? If not, how many edges would you need to add to get HP/HC?
51
answer: hamiltonian path
Question: Does HC or at least HP exist in this graph? If not, how many edges would you need to add to get HP/HC? Answer: Previous graph has HP but no HC. It suffices to add one edge to get HC
52
Quiz: Σ-protocol for HP
Assume the Prover knows a Hamiltonian path in G Question: how can the Prover convince the Verifier of this? Hint: reuse the idea of the Σ-protocol for GI (a random isomorphic copy of G)
53
answer: Σ-protocol for HP
Prover creates a random isomorphic copy H of G and sends the Verifier encryptions of all entries of H's adjacency matrix (not only of the edges: otherwise the message would reveal which pairs are edges) Verifier selects random c If c = 1: Prover reveals the isomorphism and opens all entries; Verifier checks that the opened matrix is the adjacency matrix of φ(G) If c = 2: Prover opens only the entries of H that correspond to the HP; Verifier checks that these openings are correct and form a Hamiltonian path Honest Prover succeeds always If G has no Hamiltonian path, the Prover fails with probability at least 1/2 The "encryptions" are actually "commitments" (see future lectures): Check_pk(d, a, r): if Enc_pk(a; r) = d return 1 else return 0
54
Σ-protocol for HP
Common input: G with n vertices. Prover's witness: a Hamiltonian path HP in G
Prover: generate a random isomorphism φ, H ← φ(G), let h be the adjacency matrix of H. Choose a fresh random public key pk. For all i, j (every entry of h, edges and non-edges alike): r_ij ← new randomness, d_ij ← Enc_pk(h_ij; r_ij). Send a = (pk, {d_ij for all i, j})
Verifier: c ← {1, 2}, send c
Prover: if c = 1 then z ← (φ, {r_ij for all i, j}) else z ← {(i, j, r_ij): i→j is an edge of the HP}. Send z
Verifier, if c = 1: check that φ is a permutation; for all i, j: if Check_pk(d_ij, 1, r_ij) = 1 then h_ij ← 1, else if Check_pk(d_ij, 0, r_ij) = 1 then h_ij ← 0, else reject. If h is the adjacency matrix of φ(G) then accept else reject
Verifier, if c = 2: check that the pairs (i, j) in z form a valid Hamiltonian path on all n vertices; for all (i, j, r_ij) in z: if Check_pk(d_ij, 1, r_ij) = 0 then reject. Accept
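The HP protocol of slide 54 as runnable code. This is an added example, not the lecture's own code. The slides commit to each matrix entry by encrypting it under a fresh key pk; this example swaps in a SHA-256 commitment com(b; r) = SHA-256(r ‖ b) with 16 bytes of randomness r, which fills the same hiding/binding role as `Check_pk` on the slide (that swap is this example's assumption). The graph, the path and the cheating responses are constructed here.

```python
import hashlib
import random

# Added example (not from the slides): the Σ-protocol for Hamiltonian path.
# Graphs are undirected: an edge {u, v} is stored in both entries of the
# adjacency matrix.  A path is a list of (i, j) pairs in walking order.

def commit(bit, r):
    """Assumed commitment scheme replacing Enc_pk: SHA-256(r || bit)."""
    return hashlib.sha256(r + bytes([bit])).digest()

def check(d, bit, r):
    """Check_pk(d, a, r) of the slides: does (bit, r) open commitment d?"""
    return commit(bit, r) == d

def adjacency(n, edges):
    h = [[0] * n for _ in range(n)]
    for u, v in edges:
        h[u][v] = h[v][u] = 1
    return h

def relabel(p, edges):
    """H = p(G)."""
    return {(p[u], p[v]) for u, v in edges}

def is_hamiltonian_path(n, path):
    """n - 1 consecutive edges that visit every vertex exactly once."""
    if len(path) != n - 1:
        return False
    seen = [path[0][0]]
    for i, j in path:
        if i != seen[-1] or j in seen:
            return False
        seen.append(j)
    return len(set(seen)) == n

def prover_commit(n, edges, rng):
    """a = commitments to all n*n entries of the adjacency matrix of phi(G)."""
    phi = list(range(n))
    rng.shuffle(phi)
    phi = tuple(phi)
    h = adjacency(n, relabel(phi, edges))
    r = [[rng.getrandbits(128).to_bytes(16, "big") for _ in range(n)] for _ in range(n)]
    d = [[commit(h[i][j], r[i][j]) for j in range(n)] for i in range(n)]
    return d, (phi, r)

def prover_respond(state, hp, c):
    phi, r = state
    if c == 1:                                   # reveal phi, open everything
        return (phi, r)
    # c == 2: open only the entries of H that lie on the relabelled path
    return [(phi[u], phi[v], r[phi[u]][phi[v]]) for u, v in hp]

def verify(n, edges, d, c, z):
    if c == 1:
        phi, r = z
        if sorted(phi) != list(range(n)):        # phi must be a permutation
            return False
        h = [[0] * n for _ in range(n)]
        for i in range(n):
            for j in range(n):
                if check(d[i][j], 1, r[i][j]):
                    h[i][j] = 1
                elif not check(d[i][j], 0, r[i][j]):
                    return False                 # entry does not open at all
        return h == adjacency(n, relabel(phi, edges))
    path = [(i, j) for i, j, _ in z]
    if not is_hamiltonian_path(n, path):
        return False
    return all(check(d[i][j], 1, r) for i, j, r in z)   # every path edge is in H

def run(n, edges, hp, c, seed=0):
    rng = random.Random(seed)
    d, state = prover_commit(n, edges, rng)
    return verify(n, edges, d, c, prover_respond(state, hp, c))

# Constructed sample graph: 5 vertices, a path 0-1-2-3-4 plus the chord {0, 2}.
N = 5
EDGES = {(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)}
HP = [(0, 1), (1, 2), (2, 3), (3, 4)]

def cheating_responses_rejected(seed=0):
    """For c = 2: a walk that revisits a vertex, and a walk over a non-edge
    (whose committed entry is 0), are both rejected."""
    rng = random.Random(seed)
    d, (phi, r) = prover_commit(N, EDGES, rng)
    revisit = [(0, 1), (1, 2), (2, 0), (0, 3)]
    non_edge = [(0, 1), (1, 3), (3, 2), (2, 4)]      # {1, 3} is not in EDGES
    results = []
    for fake in (revisit, non_edge):
        z = [(phi[u], phi[v], r[phi[u]][phi[v]]) for u, v in fake]
        results.append(verify(N, EDGES, d, 2, z))
    return not any(results)

if __name__ == "__main__":
    print("c = 1 accepted:", run(N, EDGES, HP, 1), " c = 2 accepted:", run(N, EDGES, HP, 2))
    print("cheating responses rejected:", cheating_responses_rejected())
```

Two details matter for the proof of security the task asks for: every entry of h is committed, so the c = 2 opening reveals only that n - 1 committed entries are 1 and nothing about the rest, and the verifier for c = 1 refuses any entry that opens to neither 0 nor 1, so a prover cannot leave an entry "undecided" and open it differently depending on c.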
55
task prove security of this protocol!