Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs
Sultan Almuhammadi, Nien Sui, Dennis McLeod
IEEE - CEC '04, July 8, 2004


1 Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs
Sultan Almuhammadi, Nien Sui, Dennis McLeod
E-mail: {salmuham, sui, mcleod}@usc.edu
IEEE - CEC '04, July 8, 2004

2 Keywords
- Security
- Privacy
- Zero-knowledge proofs
- Elliptic Curves

3 Zero-Knowledge Proof!… Why bother?
Peggy: "I know the password to the Federal Reserve System computers."
Victor: "No, you don't."
Peggy: "Yes, I do!"
Victor: "Do not!"
Peggy: "Do too!"
Victor: "Prove it!"
Peggy: "All right. I'll tell you."
She whispers in Victor's ear.

4 Zero-Knowledge Proof!… Why bother?
Victor: "That's interesting. Now I know it too. I'm going to tell the Washington Post."
Peggy: "Oops!!"
Unfortunately, the usual way for Peggy to prove something to Victor is for Peggy to tell him. But then he knows it too, and can tell anyone else he wants to.

5 Outline
- Introduction to Zero-Knowledge Proof
- Applications of ZKP to E-com
- Examples of ZK Proof Problems
- Classical Solutions
- Elliptic Curves
- EC Solutions
- Why EC?
- Current Research on ZKP
- Conclusion

6 Introduction
- What is ZK proof?
To prove knowledge of a secret without revealing any information about it.
It must be: Zero-knowledge, and Proof.

7 Introduction
- What is Zero-Knowledge?
It is computationally infeasible to retrieve the secret using the information revealed in the proof (dialogue).
If the verifier deviates from the protocol, it doesn't help him learn the secret.
The verifier can build a simulator to generate a transcript of a similar dialogue of the proof.

8 Introduction
- What about the Proof?
It must be convincing!
It must be highly unlikely that the prover can generate the dialogue without knowing the secret.

9 Applications of ZKP to E-com.
- Identification schemes
- Multi-media security and digital watermarks
- Network privacy and anonymous communication
- Digital cash and off-line digital coin systems
- Electronic voting systems
- Public-key cryptographic systems

10 Examples of ZKP
Zero-Knowledge Proof of:
- Discrete Logarithm
- Graph Isomorphism
- Square root of an integer modulo n
- Integer factorization

11 Discrete Logarithm
Peggy, the prover, wants to prove in zero-knowledge that she knows the DL of a given number modulo n, i.e. to prove in zero-knowledge that she knows x such that g^x = b (mod n), for known b, g, n.

12 Graph Isomorphism
Peggy wants to prove in zero-knowledge that two given graphs G1 and G2 are isomorphic, i.e. to prove that she knows a mapping f from G1 to G2 such that (v1, v2) is an edge in G1 iff (f(v1), f(v2)) is an edge in G2, without revealing any information about f.

13 Square root of an integer modulo n
Peggy wants to prove in zero-knowledge that she knows the square root of a given number modulo a large composite number n, i.e. to prove in zero-knowledge that she knows x such that x^2 = b (mod n), for known b, n.

14 Integer factorization
Peggy wants to prove in zero-knowledge that a given number n is a product of two large primes, i.e. to prove in zero-knowledge that she knows p and q such that p * q = n, for a given n.

15 Classical Solutions
- Iterative ZK proof of DL problem
Given n, generator g for Fn, and b ∈ Fn.
To prove in zero-knowledge that Peggy knows x such that g^x = b (mod n).

16 ZKP of DL problem
0. Peggy (P) holds g, b, n, x; Victor (V) holds g, b, n.
1. Peggy generates random r.
2. P sends h = g^r mod n to V.
3. V flips a coin c = H or T and sends c to P.
4. If c = H, P sends r to V; V checks g^r = h.
5. If c = T, P sends m = x + r; V checks g^m = bh.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1 - 2^-k, for k iterations).
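
An added example (not from the slides) of the iterative protocol above together with the simulator mentioned on slide 7: fitting h to a coin chosen in advance produces valid-looking transcripts without x, and the same trick lets a prover without x pass a round only when she guesses the coin, which is where the 2^-k bound comes from. The modulus n = 2^127 - 1, the base g = 3 and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy parameters (assumptions, not from the slides):
# prime modulus n = 2^127 - 1 and base g = 3.
n = 2**127 - 1
g = 3
q = n - 1          # exponents can be reduced mod n - 1 (Fermat's little theorem)

def commit():
    """Steps 1-2: Peggy picks a random r and sends h = g^r mod n."""
    r = secrets.randbelow(q)
    return r, pow(g, r, n)

def respond(x, r, c):
    """Steps 4-5: Peggy reveals r on heads, m = x + r on tails."""
    return r if c == "H" else (x + r) % q

def verify(b, h, c, resp):
    """Victor's check: g^r = h on heads, g^m = b*h on tails."""
    expected = h if c == "H" else (b * h) % n
    return pow(g, resp, n) == expected

def honest_run(x, b, k=20):
    """k rounds with a prover who knows x; True if Victor accepts every round."""
    for _ in range(k):
        r, h = commit()
        c = secrets.choice("HT")              # step 3: Victor's coin
        if not verify(b, h, c, respond(x, r, c)):
            return False
    return True

def fake_round(b, guess):
    """Build (h, resp) that passes for coin `guess` using only public b."""
    resp = secrets.randbelow(q)
    h = pow(g, resp, n)
    if guess == "T":                          # need g^m = b*h, so h = g^m / b
        h = h * pow(b, -1, n) % n
    return h, resp

def simulate(b, k=20):
    """Simulator: choose each coin first, then fit h to it. No x involved."""
    rounds = []
    for _ in range(k):
        c = secrets.choice("HT")
        rounds.append((c,) + fake_round(b, c))
    return rounds                             # list of (c, h, resp)

def cheater_passes(b, guess, c):
    """A prover without x commits for `guess`; Victor then flips c."""
    h, resp = fake_round(b, guess)
    return verify(b, h, c, resp)
```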

17 Elliptic Curves
Definition: an elliptic curve E over some field K is the set of all points (x, y) ∈ K × K that satisfy the equation:
y^2 = x^3 + ax + b
where a, b ∈ K.

18 ZK Proofs Using EC
- EC vs. Multiplicative Groups
Points (x, y) on the elliptic curve E/Fn instead of integers.
Multiplication (m.B) instead of power (b^m).
- DL Problem in EC
Given B, G ∈ E(Fn) {G is "generator" or its order contains large prime}, to find m such that m.G = B.

19 ZK Proofs Using EC
- ZK proof of DL problem
Given E/Fn, G (generator, or its order contains large prime), and B = mG ∈ E.
Peggy wants to prove in zero-knowledge that she knows m.

20 ZKP of DL problem Using EC
0. Peggy (P) holds G, B, m; Victor (V) holds G, B.
1. Peggy generates random r.
2. P sends A = rG to V.
3. V flips a coin c = H or T and sends c to P.
4. If c = H, P sends r to V; V checks rG = A.
5. If c = T, P sends x = r + m; V checks xG = A + B.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1 - 2^-k, for k iterations).

21 Why EC?
- EC is more secure for DL blocks
Having DL as building blocks in ZK proofs, EC scheme is more secure than the classical scheme (using multiplicative groups).
Breaking the scheme requires solving the DL problem.

22 Why EC?
- Time Complexity of Solving DL
The classical DL problem in Fq* can be solved in sub-exponential time, L[1/3]: Exp[ O( (log q)^(1/3) (log log q)^(2/3) ) ].
The best known algorithm to solve the DL problem in E/Fq (using giant-step baby-step approach and MOV reduction) takes exponential time, L[1], O(N^(1/2)) where N is the group order: Exp[ O(log q) ].

23 Why EC?
- Other Problems?
EC schemes are more secure than the classical ones if they are based on only DL.
If the EC scheme is not based on only DL, then weaker parts can be attacked in sub-exponential time, and hence EC gives no more security than the classical ones. (E.g. ZK proof of knowing square root of b mod n)

24 Example: Square root problem
- ZK proof of knowing square root of b mod n
Given b and n, Peggy wants to prove in zero-knowledge that she knows x such that x^2 = b (mod n).
- EC version
Given E/Fn (for composite n) and B ∈ E, Peggy wants to prove in zero-knowledge that she knows A ∈ E such that 2A = B.

25 Example: x^2 = b mod n
0. Peggy (P) holds b, n, x; Victor (V) holds b, n.
1. Peggy generates random r.
2. P sends s = r^2 mod n to V.
3. V flips a coin c = H or T and sends c to P.
4. If c = H, P sends r to V; V checks r^2 = s.
5. If c = T, P sends m = r x; V checks m^2 = sb.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1 - 2^-k, for k iterations).

26 Example (EC version): 2A = B
0. Peggy (P) holds A, B; Victor (V) holds B.
1. Peggy generates random R.
2. P sends S = 2R = R + R to V.
3. V flips a coin c = H or T and sends c to P.
4. If c = H, P sends R to V; V checks 2R = S.
5. If c = T, P sends M = R + A; V checks 2M = S + B.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1 - 2^-k, for k iterations).

27 Example (EC version): 2A = B
Same protocol as on the previous slide, with an added annotation (c = T): Solve for R in sub-exp; A = M - R.

28 Current Research on ZKP
- Iterative ZKPs
VS.
- One-round ZKPs
Challenge-and-response protocol

29 One-Round ZK proof of DL problem
0. Peggy (P) holds g, b, n, x; Victor (V) holds g, b, n.
1. V generates a random y.
2. V sends C = g^y (mod n).
3. P sends R = C^x (mod n).
4. V verifies that R = b^y (mod n), i.e. R = C^x = (g^y)^x = g^xy = (g^x)^y = b^y.

30 One-Round ZK proof of DL problem
0. Peggy (P) holds G, B, m; Victor (V) holds G, B.
1. V generates a random y.
2. Victor sends C = yG.
3. Peggy sends R = mC.
4. Victor verifies that yB = R, i.e. yB = y(mG) = m(yG) = mC = R.
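
An added example (not from the slides) that runs both elliptic-curve protocols, the iterative proof from slide 20 and the one-round proof above, over one small curve so the checks xG = A + B and yB = R can be followed by hand. The curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1) of order 19 and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy curve (assumption, far too small for real use):
# y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of prime order 19.
P, CURVE_A, G, ORDER = 17, 2, (5, 1), 19
INF = None                                   # point at infinity

def add(p1, p2):
    """Group law, covering infinity, inverse points and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiple k.pt by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def iterative_round(m, B, coin):
    """One round of the iterative proof; True if Victor's check passes."""
    r = secrets.randbelow(ORDER)
    A = mul(r, G)                             # Peggy sends A = rG
    if coin == "H":
        return mul(r, G) == A                 # Victor checks rG = A
    x = (r + m) % ORDER                       # Peggy sends x = r + m
    return mul(x, G) == add(A, B)             # Victor checks xG = A + B

def one_round(m, B):
    """One-round proof; True if Victor's check yB = R passes."""
    y = 1 + secrets.randbelow(ORDER - 1)      # Victor's random y, nonzero
    C = mul(y, G)                             # Victor sends C = yG
    R = mul(m, C)                             # Peggy sends R = mC
    return mul(y, B) == R
```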

38 Conclusion
Table columns: ZK Proof Problems | Classical (iterative) | Classical (one-round) | EC | EC security advantage
Entries by row:
- DL: Yes
- Square root: Yes, No
- Factorization: Yes, No
- Graph Isomorphism: Yes, ???

