MTAT.07.005 Cryptographic Protocols: Introduction to Zero-Knowledge (PDF document)


Zero-Knowledge Two-Party Protocols

MTAT.07.005 Cryptographic Protocols

Introduction to Zero-Knowledge

Helger Lipmaa

University of Tartu


Outline

1 Zero-Knowledge
  • First Lecture: Main Notions
  • Second Lecture: Proofs of Knowledge
  • Third Lecture: NIZK + Signature Schemes
  • Fourth Lecture: Witness Hiding/Zaps
  • Fifth Lecture: Applications/Commitments

2 Two-Party Protocols
  • Sixth Lecture: Homomorphic Protocols
  • Seventh Lecture: Security of Two-Party Protocols
  • Eighth Lecture: OT Continues
  • Ninth Lecture: Voting/Auctions
  • Tenth Lecture: Securing All Two-Party Protocols


See [Goldwasser et al., 1989] for the original paper.


First Lecture


Preliminaries

I assume you have seen different primitives:
  • Block ciphers, stream ciphers
  • Hash functions
  • Public-key cryptosystems
  • Signature schemes

(Crypto I or an equivalent course. . . ) For every type of primitive, you have hopefully seen some representatives, a security definition, and sometimes an attack showing that the representatives are not secure.
  • E.g., vanilla RSA is not a secure signature scheme.


Motivation: Need for Framework

How to design a secure primitive? How to see the forest for the trees? A typical security definition looks like this:
  • Signature schemes: Even with the ability to have a limited number of messages of his choice signed, an attacker should not gain the ability to sign new messages.
  • Public-key cryptosystems: Even with the extra ability to encrypt/decrypt a limited number of chosen messages/ciphertexts (except c), an attacker should not gain the ability to decrypt c.

(We may go over those definitions later if necessary. . . )

Common pattern: seeing a protocol transcript does not help in cheating in the same protocol.


Example: Identification

Two parties, Alice and Bob. Alice needs to prove to Bob that she is Alice.
One possibility: prove that you know Alice's secrets.
  • Without telling those secrets to Bob!


Motivation: Further Generalisation

Take any reasonably complex protocol.
  • Think of an electronic payment/e-voting/identification protocol. . .

What happens if the participants misbehave?
  • You might lose your money. . . Or get your vote miscounted. . . Or start talking with an enemy. . .

Need to enforce correct behaviour, but how?


Generic Idea: Correctness Proofs

All participants prove that they behave correctly.
  • E.g., identification: prove that you know the secret.

After every message, verify the proof.

Privacy: the proof must not reveal any extra knowledge on the secrets of a participant to another one.
  • E.g., identification: secrets must stay secret.


Zero-Knowledge Proofs for Correct Behaviour

  • Honest Prover convinces Verifier in his case.
  • Dishonest Prover has a negligible chance of convincing Verifier.
  • Verifier does not gain any new knowledge, except the truthfulness of the proven fact.
    Otherwise Prover is not motivated to participate.


Reminders from Basic Complexity Theory

P: the class of all languages L that can be solved in polynomial time, i.e., there exists a machine M working in time p(|x|) for some polynomial p ∈ Z[y], such that M(x) = accept iff x ∈ L.

BPP: the class of all languages L that can be solved in probabilistic polynomial time, i.e., there exists a probabilistic machine M working in time p(|x|) for some polynomial p ∈ Z[y], such that M(x) = accept iff x ∈ L (with bounded error probability over M's coin tosses).

For an NP-language L, L can also be seen as a relation L = {(x, ω)}, where ω is an NP-witness that x ∈ L.

Definition of NP: x ∈ L iff ∃ω s.t. for some polynomial-time machine A, A(x, ω) = Accept.


Reduction: Language L′ can be reduced to language L in polynomial time if, given a machine that solves L in time f(|x|), there exists a machine that solves L′ in time p(f(|x|)) for some p ∈ Z[y].

Language L is NP-complete if
  • L ∈ NP, and
  • any language L′ ∈ NP can be reduced to language L.


ZK: General Problem Statement

Let L be some language (set of words), let x be an (encrypted) value. How to prove that x ∈ L without giving out any additional knowledge?
  • x is positive? x is a full square? x is a prime? x is a private key, corresponding to public key h?

Generally: How to prove that "I know an x such that x ∈ L"?

Bad solution: Send x to the verifier. Verifier sees x and can test that x ∈ L; but this gives away more knowledge than is necessary.
  • Sometimes (if L ∉ NP) also impractical.


Usage Example: Identification

Private key: x, public key: h = g^x. I want to prove to you that I know the secret x.
  • I.e., that I know the discrete logarithm of h = g^x.

Privacy: Without revealing x itself! Recall that computing discrete logarithms is assumed to be hard.
  • Thus, given the public key g^x, knowledge of the secret key x identifies Prover.

Fineprint: as already mentioned, zero-knowledge might be an overkill in this case.


Unreasonable Usefulness of ZK

Counter-intuitive: how can you prove, e.g., that x is a composite number, without revealing its factorisation? Not only possible and efficient, but actually the dominant strategy in cryptographic protocol design. Sometimes even overused:
  • Signature scheme: Verifier can get to know "something" as long as she will not be able to forge a new signature.
  • Identification scheme: the same, as long as she will not be able to identify herself as the prover.

Even in such cases, one often uses "zero-knowledgish" techniques.


Praised by many (not only cryptographers):
  • "A rich new framework for addressing the question of what constitutes a mathematical proof"

Hated by students:
  • Lectures on ZK tend to result in zero-knowledge for students. Unless you draw a lot of pictures!


Example: Graph 3-Colorability

Can you color it by using three colors? (NP-complete problem)


Yes, you can! But how to prove that without revealing the coloring?


Step 1.1: shuffle the colors. (3-coloring remains a 3-coloring)


Step 1.2: Encrypt all colors by using a “secure” cryptosystem. Use different key for every vertex. Send encrypted graph to Verifier.


Step 1.3: Verifier picks a random edge. Prover sends encryption keys, corresponding to the endpoints of this edge. Verifier checks that corresponding colors are correct and not equal.


What next? Take the original coloring again. . .


Step 2.1: shuffle the colors again. . .


Step 2.2: Encrypt all colors by using a “secure” cryptosystem. Use different key for every vertex. Send encrypted graph to Verifier.


Step 2.3: Verifier picks a random edge. Prover sends encryption keys, corresponding to the endpoints of this edge. Verifier checks that corresponding colors are correct and not equal.


3COL: Formal Description

1 Do k times:
  1 Prover permutes randomly the 3-coloring
  2 Encrypt every vertex color by using a new random key
  3 Verifier picks a random edge
  4 Prover sends the corresponding keys to verifier
  5 Verifier halts with a reject if the revealed vertex colors are incorrect
2 Verifier halts with an accept

3COL: Informal analysis

Correctness: Clear.

Soundness: If Prover does not know a 3-coloring, at every step there is at least one edge with equally colored end-points. Verifier picks this edge with probability ≥ 1/|E|. If k = |E|², the probability that a cheating Prover passes is

$$\leq \left(1 - \frac{1}{|E|}\right)^{|E|^2} \approx \frac{1}{\sqrt{e}\cdot e^{|E|}}.$$

Note: The same probability pops up when talking about the birthday paradox. Here E is the set of edges, |E| is the number of edges, and e = 2.71 . . .
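The k-round protocol and its soundness estimate, as an added Python example (not the lecture's own code): the slides' per-vertex encryption is replaced here by a hash-based commitment, and the graph, the colourings and the cheating prover's strategy (a colouring with exactly one monochrome edge) are constructed for this example.

```python
"""k-round 3COL protocol from the slides as runnable toy code (added example,
not the lecture's own code).  The slides "encrypt" every vertex colour under a
fresh key; this example substitutes a hash-based commitment,
com = SHA-256(key || colour) with a random 16-byte key, and "sending the key"
becomes opening the commitment (an assumption of this example).  The key hides
the colour; collision resistance stops the prover from re-opening it later."""
import hashlib
import math
import os
import random

COLOURS = ("R", "G", "B")


def commit(colour):
    """Fresh random key per vertex; returns (commitment, key)."""
    key = os.urandom(16)
    return hashlib.sha256(key + colour.encode()).digest(), key


def opens(com, key, colour):
    """Verifier's check that (key, colour) is a valid opening of com."""
    return hashlib.sha256(key + colour.encode()).digest() == com


def prover_round(colouring, rng):
    """Steps 1-2: permute the three colours, then commit to every vertex."""
    perm = dict(zip(COLOURS, rng.sample(COLOURS, 3)))
    shuffled = {v: perm[c] for v, c in colouring.items()}
    coms, keys = {}, {}
    for v, c in shuffled.items():
        coms[v], keys[v] = commit(c)
    return shuffled, coms, keys


def verifier_round(edges, coms, reveal, rng):
    """Steps 3-5: pick a random edge, ask P to open its two endpoints (via
    reveal(v) -> (colour, key)), accept iff both open and the colours differ."""
    u, w = rng.choice(edges)
    (cu, ku), (cw, kw) = reveal(u), reveal(w)
    return opens(coms[u], ku, cu) and opens(coms[w], kw, cw) and cu != cw


def run_protocol(edges, colouring, k, seed=0):
    """k rounds; True iff V accepts every round.  A prover holding an invalid
    colouring plays the cheating prover of the soundness analysis."""
    rng = random.Random(seed)
    for _ in range(k):
        shuffled, coms, keys = prover_round(colouring, rng)
        if not verifier_round(edges, coms, lambda v: (shuffled[v], keys[v]), rng):
            return False
    return True


def soundness_bound(num_edges, k):
    """(1 - 1/|E|)^k: a prover with one bad edge survives k random checks."""
    return (1 - 1 / num_edges) ** k


def slide_approximation(num_edges):
    """The slides' estimate for k = |E|^2:  1 / (sqrt(e) * e^|E|)."""
    return math.exp(-0.5 - num_edges)


def acceptance_rate(edges, colouring, k, trials=200, seed=1):
    """Empirical acceptance frequency over independent seeded runs."""
    return sum(run_protocol(edges, colouring, k, seed + t) for t in range(trials)) / trials


# Constructed graph: a 5-cycle plus the chord (0, 2); |E| = 6, 3-colourable.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
GOOD = {0: "R", 1: "G", 2: "B", 3: "R", 4: "G"}   # valid 3-colouring
BAD = {0: "R", 1: "G", 2: "B", 3: "G", 4: "G"}    # only edge (3, 4) is monochrome

if __name__ == "__main__":
    k = len(EDGES) ** 2
    print("honest prover accepted:", run_protocol(EDGES, GOOD, k))
    print("cheating prover, 1 round:", acceptance_rate(EDGES, BAD, 1))
    print("cheating prover, k rounds:", acceptance_rate(EDGES, BAD, k))
    print("bound:", soundness_bound(len(EDGES), k), "slide estimate:", slide_approximation(len(EDGES)))
```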


3COL Is ZK: Informal analysis

Intuitively clear if the cryptosystem is "secure": In every step, Verifier sees two random but unequal colors.
  • Drawn randomly from a set of cardinality 3 · 2 = 6.

She could have chosen these two colors herself, with exactly the same probability! As we later see, this is exactly what is meant by zero-knowledge.


3COL: Conclusion

Hopefully you gained some intuition.

Did you gain some knowledge? Maybe not.
  • Can't tell: we don't know yet what knowledge is.

Although you should now be able to amaze your friends with 1337 graph 3-coloring skills. Even without a computer and in a pub!


What Is Knowledge?

Hard to define; it is easier to define what a gain of knowledge is.

I tell you 1 + 1 = 2. Do you gain knowledge?
  • Most of you don't.

I tell you the factors of a random 2048-bit composite number. Do you gain knowledge?
  • Yes, if you cannot compute the factors by yourself.


ZK ≈ Proving With Minimal Disclosure

I prove that I know the factors of some integer, without revealing them.

I prove that two graphs G1 and G2 are isomorphic, without revealing the isomorphism.
  • Graph isomorphism is a well-known hard problem.

I prove that G1 and G2 are non-isomorphic, without revealing to you why.

In general: I convince you that some fact is true, without you getting to know anything else but that this fact is true.


Knowledge ≠ Information

Information: You are revealed an unknown object.
  • Factors of 2^241 − 1: no new information.
  • Properties of information are studied in information theory.

Knowledge: You are revealed the results of calculations, which you cannot perform yourself, on a publicly known object.
  • Factors of 2^241 − 1: probably new knowledge.
  • Factors of a randomly generated 1024-bit integer: new knowledge, assuming that factoring is hard.

The terminology might be confusing. . .


Zero-knowledge: Intuition

ZK protocol: protocol between verifier V and prover P.

Big intuition: Zero-knowledge is a property of prover P:
  • Given a common input x with prover P, whatever any efficient machine V∗ can calculate, based on the interaction with P, can be calculated based on x alone.
  • I.e., interaction with P can be simulated.

Interactive proof system: P convinces honest V that x ∈ L iff x ∈ L.


Notation

If A is an algorithm, then the notation a ← A(b) refers to the computation of the output "a" on input bit string "b". For a set V, v ← V denotes uniform and random selection of an element v from V. Blue variables are known only to P, brown variables are known only to V, green variables are known to both from the start of the protocol.


IP System

For a formal definition of ZK, one must define an interactive proof system (IP system). An IP system captures the completeness/soundness properties but not the privacy properties.

An IP system consists of two interactive machines that both have a private (read-only) input, a (read-only) random string, read-write working space, and a (write-only) output. The machines communicate by sending messages.


Preliminaries: Interactive Protocols

A protocol takes several steps of communication, where in every step one participant sends a message to another one. An interactive protocol IP is a pair (P, V), where at every step one participant decides, based on the previous communication, the private and common inputs, and the contents of the random tape, what the next message will be.

We assume that
  • P is computationally unbounded,
  • V is computationally bounded.

In interactive proofs, V is bounded and P is not. In interactive arguments, P is bounded and V is not.


Interactive Proof System: Definition (Semiformal)

Language L has an interactive proof system if there is an interactive machine V such that
  • V accepts a correct Prover with a large probability;
  • V is not a fool: she accepts a malicious Prover with a small probability (even if Prover is omnipotent).

Let IP be the set of languages that have IP proofs.


Interactive Proof System: Definition (Formal)

Definition. Language L has an interactive proof system if there is an interactive machine V such that
  • ∃P, so that ∀x ∈ L, V "accepts" x, after a single run of (P, V), with probability ≥ 2/3;
  • ∀P∗, where (P∗, V) is an IP: for all x ∉ L, the probability that V "accepts", after a single run of (P∗, V), is < 1/3.

Probabilities are taken over the coin tosses of P and V.

(Recall that P does not have to be computationally bounded. Also, "cheating" probabilities decrease exponentially after a constant number of protocol repetitions.)


Example: Graph Non-isomorphism

Are these two graphs non-isomorphic?


No! They are isomorphic: we can show an isomorphism (a mapping between the nodes). But how to show non-isomorphism? I.e.: How to convince the verifier that two graphs are non-isomorphic, without sending too much information?


Recall: a problem is in NP if we know a short witness.
  • For graph isomorphism (GI), we can exhibit a short π. Thus GI ∈ NP.

It is not known whether GNI ∈ NP. We will show that GNI ∈ IP.


IP System for GNI

Common input (G1, G2). Iterate the next step for i = 1 . . . k:
  1 V chooses a random α_i ← {1, 2}, and a random graph G′_i from the set of graphs that are isomorphic to G_{α_i}. She sends G′_i to P.
  2 (Omnipotent) P finds a graph G_{β_i}, s.t. G_{β_i} and G′_i are isomorphic, and sends β_i to V.

Intuition: P can guess α_i iff the graphs are non-isomorphic.

V accepts iff β_i = α_i, ∀i.


Correctness of IP System for GNI

When (G1, G2) ∈ GNI:

P can distinguish isomorphic copies of graph G1 from isomorphic copies of G2; then V accepts with probability 1

Honest P is accepted always


When (G1, G2) ∉ GNI:
  • An isomorphic copy of G1 is always an isomorphic copy of G2. Thus the best strategy for P is to toss a coin, and hence the cheating probability is again 2^{−k}.

Dishonest P is accepted with probability 2^{−k}.


Back to ZK and Formal Definition

Let us have an interactive proof system (P, V). When is (P, V) zero-knowledge?

Important notion: view_V^P(x), the view of V when interacting with P on common input x.
  • view_V^P(x) is equal to the concatenation of all messages sent in this protocol, prefixed with all random coin tosses of V.

View of the previous protocol: (α_1, . . . , α_k) || (G′_1, β_1, . . . , G′_k, β_k)


Formal Definition of ZK: First Try

Definition. Let (P, V) be an IP system for language L. (P, V) is (perfect) zero-knowledge if for every PPT (probabilistic polynomial-time) machine V∗ there exists a PPT simulator M∗, s.t. for every x ∈ L the following two random variables are identically distributed:
  • view_{V∗}^P(x), the view of V∗ when interacting with P;
  • M∗(x), the output of M∗.


Example, the case of GNI

V's view of the previous protocol: (α_1, . . . , α_k) || (G′_1, β_1, . . . , G′_k, β_k)

Thus this protocol for GNI is ZK if there exists an omnipotent simulator Sim who, on input a pair of graphs (G1, G2) ∈ GNI, without interacting with P and for an arbitrary strategy of V∗, produces an output distribution "close" to the view of V∗. Intuitively possible, but. . .


Formal Definition: Details

Too strong a requirement! No non-trivial languages have such proofs.

Modification: M∗ can output ⊥ with probability ≤ 1/2. Conditioned on M∗(x) ≠ ⊥, view_{V∗}^P(x) and M∗(x) are identically distributed. (Perfect ZK)

Alternate modification: {view_{V∗}^P(x)}_{x∈L} and {M∗(x)}_{x∈L} are statistically close. (Statistical ZK)
  • The statistical distance between the two distributions is negligible.

Yet another: {view_{V∗}^P(x)}_{x∈L} and {M∗(x)}_{x∈L} cannot be distinguished in probabilistic polynomial time. (Computational ZK)


Formal Definitions: Intuition

Perfect ZK: The distributions view_{V∗}^P(x) and M∗(x) are equal.

Statistical ZK: The distributions view_{V∗}^P(x) and M∗(x) are close.
  • Even an omnipotent adversary cannot distinguish them, given that the protocol is executed (sequentially) not more than a polynomial number of times.

Computational ZK: The distributions view_{V∗}^P(x) and M∗(x) cannot be distinguished by a PPT adversary.
  • Even after a polynomial number of executions.


Complexity Classification

The classes of languages that have computational/statistical/perfect zero-knowledge proofs satisfy BPP ⊆ PZK ⊆ SZK ⊆ CZK = IP, where the inclusions BPP ⊆ PZK and SZK ⊆ CZK are believed to be strict.

BPP ⊆ PZK: Trivial, uses no interaction: V can verify by himself whether x ∈ L.

Reminder: BPP is the set of problems that can be decided by probabilistic polynomial-time Turing machines.


Example: GI ∈ PZK

P knows an isomorphism φ : G1 → G2. Protocol:
  1 P generates a random permutation π of G2's vertices. She sends G′ ← π(G2) to V.
  2 V generates a random σ ← {0, 1} and sends it to P.
  3 If σ = 1, P sets τ ← π ∘ φ, otherwise she sets τ ← π. She sends τ to V.
  4 V checks that τ(G_σ) = G′, where σ = 1 selects G1 and σ = 0 selects G2.

Intuition: π(φ(G1)) = π(G2) = G′.
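The IP system for GNI from the earlier slides and this PZK protocol for GI, together with the simulator M∗ that the zero-knowledge definition demands (it never sees φ and rewinds V∗ when its guess of σ is wrong), as an added Python example (not the lecture's own code). The graph encoding, the brute-force "omnipotent" prover, the constructed 5-vertex graphs and the V∗ strategy are assumptions of this example.

```python
"""GI and GNI protocols from the slides as runnable toy code (added example,
not the lecture's own code).  Graphs are frozensets of undirected edges over
vertices 0..n-1; a permutation is a tuple perm with perm[v] the new label of
v.  The "omnipotent" GNI prover is brute force, fine for 5-vertex inputs."""
import itertools
import random


def apply_perm(perm, g):
    """Relabel every edge of g through perm."""
    return frozenset(frozenset(perm[v] for v in e) for e in g)


def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return tuple(perm)


def compose(outer, inner):
    """(outer o inner)[v] = outer[inner[v]]: inner is applied first."""
    return tuple(outer[inner[v]] for v in range(len(inner)))


def find_isomorphism(n, g_from, g_to):
    """Brute-force search for perm with perm(g_from) == g_to; None if none."""
    for perm in itertools.permutations(range(n)):
        if apply_perm(perm, g_from) == g_to:
            return perm
    return None


# IP system for GNI: V sends a random copy of G_alpha, omnipotent P answers beta.
def gni_protocol(n, g1, g2, k, seed):
    """k rounds between an honest V and an omnipotent P; True iff V accepts."""
    v_rng, p_rng = random.Random(seed), random.Random(seed + 1)
    for _ in range(k):
        alpha = v_rng.choice((1, 2))
        g_prime = apply_perm(random_perm(n, v_rng), g1 if alpha == 1 else g2)
        iso1 = find_isomorphism(n, g1, g_prime) is not None
        iso2 = find_isomorphism(n, g2, g_prime) is not None
        if iso1 and iso2:
            beta = p_rng.choice((1, 2))  # G1 ~ G2: P can only toss a coin
        else:
            beta = 1 if iso1 else 2      # G1 !~ G2: P recognises alpha
        if beta != alpha:
            return False
    return True


# PZK protocol for GI: P knows phi with phi(G1) == G2.
def gi_real_view(n, g1, g2, phi, verifier, rng):
    """One run of honest P against `verifier`; returns V's view (G', sigma, tau)."""
    pi = random_perm(n, rng)
    g_prime = apply_perm(pi, g2)                  # step 1: G' = pi(G2)
    sigma = verifier(g_prime)                     # step 2: challenge bit
    tau = compose(pi, phi) if sigma == 1 else pi  # step 3: pi o phi, or pi
    return g_prime, sigma, tau


def gi_verify(g1, g2, view):
    """Step 4: tau(G_sigma) == G', where sigma = 1 selects G1."""
    g_prime, sigma, tau = view
    return apply_perm(tau, g1 if sigma == 1 else g2) == g_prime


def gi_simulator(n, g1, g2, verifier, rng, max_tries=64):
    """M* without phi: guess sigma, set G' := tau(G_sigma) for a random tau,
    and rewind V* when it asks for the other bit.  Because G1 ~ G2, G' is
    independent of the guess, so each try succeeds with probability exactly 1/2
    for any V*; None (the slides' ⊥) is returned with probability 2^-max_tries."""
    for _ in range(max_tries):
        guess = rng.choice((0, 1))
        tau = random_perm(n, rng)
        g_prime = apply_perm(tau, g1 if guess == 1 else g2)
        if verifier(g_prime) == guess:
            return g_prime, guess, tau
    return None


def biased_verifier(g_prime):
    """A deterministic V*: challenge = parity of vertex 0's degree in G'."""
    return sum(1 for e in g_prime if 0 in e) % 2


def run_gi(n, g1, g2, phi, seed):
    """Honest-verifier run; returns (view, accepted)."""
    rng = random.Random(seed)
    view = gi_real_view(n, g1, g2, phi, lambda g: rng.choice((0, 1)), rng)
    return view, gi_verify(g1, g2, view)


def run_simulator(n, g1, g2, verifier, seed):
    return gi_simulator(n, g1, g2, verifier, random.Random(seed))


# Constructed inputs: G1 a 5-cycle, G2 = PHI(G1), H a triangle with a tail.
G1 = frozenset(map(frozenset, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]))
PHI = (0, 2, 4, 1, 3)
G2 = apply_perm(PHI, G1)
H = frozenset(map(frozenset, [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4)]))

if __name__ == "__main__":
    print("GNI on (G1, H) accepted:", gni_protocol(5, G1, H, 20, 0))
    print("GNI on (G1, G2) accepted:", gni_protocol(5, G1, G2, 20, 0))
    print("GI real view accepted:", run_gi(5, G1, G2, PHI, 0)[1])
    sim = run_simulator(5, G1, G2, biased_verifier, 0)
    print("simulated view passes V's check:", gi_verify(G1, G2, sim))
```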


NP ⊆ CZK

To show that there are CZK proofs for every NP-language, it is sufficient to show a proof for one concrete NP-complete language. A graph G can be colored with c colors when there exists a coloring of the vertices of G with c colors so that for no edge the two vertices connected by this edge are colored with the same color. The chromatic number of G, χ(G), is the minimum c such that G can be colored with c colors. 3COL: the set of graphs with χ(G) ≤ 3. This language is NP-complete. Say the colors are R, G, B.


Reminder: CZK Protocol for 3COL

Common input: G. P wants to prove that she knows a coloring C : V(G) → {R, G, B} in CZK. Iterate the next protocol |E(G)|² times:
  1 P chooses a random permutation π of the colors. She encrypts the color π(C(v)) for every vertex v, using a probabilistic public-key cryptosystem, with a different key for every vertex. P sends to V all ciphertexts together with the correspondence between them and the vertices.
  2 V chooses a random edge e = (v1, v2), and sends e to P.
  3 P sends the decryption keys D_{v1} and D_{v2} to V.
  4 V computes π(C(v1)) and π(C(v2)) and verifies that they are different.


Completeness/Soundness of The Protocol for 3COL

Completeness: If P knows the corresponding 3-coloring, V will never detect an incorrectly colored edge. Thus, V will accept with probability 1.

Soundness: If χ(G) > 3 then, in every iteration, π(C(v1)) = π(C(v2)) with probability ≥ |E|⁻¹. After |E|² iterations the probability that V will accept is exponentially small.


Is GNI in CZK?

The previously presented IP system for GNI is not zero-knowledge: V can submit an arbitrary graph H, not necessarily isomorphic to G1 or to G2, and thus get to know additional information.

V learns whether H is isomorphic to some Gi without having to decide it by other means.

Modify the protocol for GNI by letting V prove in PZK that G′i is isomorphic either to G1 or to G2.

Doable, since GI ∈ PZK.

Problem: work out the disjunctive PZK proof.


Second Lecture


Black-Box Zero-Knowledge

Intuition: A protocol is black-box zero-knowledge, if the simulator does not use the code of the prover. That is, if one can construct a simulator that just uses the prover as an oracle. A protocol is non-black-box zero-knowledge, if it has a simulator who uses the internal structure of the prover. Barak, 2001: non-black-box zero-knowledge is more powerful than black-box zero-knowledge.


Zero-Knowledge: Limitations

Black-box ZK protocols require at least four moves unless the underlying language is trivial (in BPP). Thus, in principle, none of the three-move protocols handled here can be black-box ZK. Non-BB ZK protocols: at least three moves for non-trivial languages. Four-move (black-box) ZK protocols exist. The very efficient procedure for turning identification schemes into signature schemes, presented later, cannot be used if the identification scheme is ZK (the simulation used for proving the ZK-ness can be used to forge the signature). Thus, a real ZK protocol cannot be used to construct such a signature scheme.


Honest Verifier Zero-Knowledge

A party is honest/nonmalicious/curious-but-honest when he follows the protocol (though he tries to deduce new information from it).

(P, V) is honest-verifier ZK if it is ZK with respect to honest V:

There exists a PPT simulator M∗ such that for every x ∈ L, $\mathrm{view}^P_V(x) \approx M^*(x)$.


Honest Verifier ZK: Motivation

1 General ZK protocols are far less efficient, while HVZK is achievable in 3 rounds.

2 HVZK is sufficient in several applications.

3 There exist efficient transformation methods for turning certain classes of HVZK protocols into ZK protocols.


Proofs of Knowledge: Motivation

IP proof: shows that a property holds (non-constructive).

Proof of knowledge: shows that the prover knows the corresponding witness (constructive).

In security proofs, we can then assume that the prover knows a short witness, not merely that it is able to generate one on the fly.


ZK Proof of Knowledge: Definition

Definition. Π is a ZK proof of knowledge iff Π is an interactive proof system with the zero-knowledge property and the proof of knowledge property:

Proof of knowledge: If P can make V accept then there is a knowledge extractor that, given oracle access to P, and for any x ∈ L, can extract a witness ω such that (x, ω) ∈ L.

The knowledge extractor M∗ can rewind P: i.e., execute the protocol (P, M∗) several times, with the same common input x and the same random tape of P.


Proofs of Knowledge: Notation

Denote a proof of knowledge of ω such that R(x, ω) = 1 by PK(R(x, ω) = 1).

Greek letters denote variables, knowledge of which is proved. Latin letters denote variables that are either public knowledge or secretly owned by some party.

PK(y = g^ω): proof of knowledge of the discrete logarithm.

PK(y = E_K(µ; ρ) ∧ µ ≠ 0): proof of knowledge of an encrypted non-zero message µ.


Knowledge Extractor in CZK Protocol for 3COL

M∗ executes the 3COL protocol |E(G)| times, each time choosing a different edge (v1, v2) ∈ E(G) in the first step of the protocol, and each time using the same random tape of P.

At the end, M∗ has π(C(v)) for every vertex v of the graph G, so ω := π ◦ C is a valid three-coloring of G. Thus M∗ has extracted a witness ω such that (x, ω) ∈ 3COL.

This can be a different witness compared to the one used by P.
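The 3COL protocol and its knowledge extractor, as an added example that is not part of the lecture slides. It assumes a constructed five-vertex graph and colouring, and it substitutes a SHA-256 hash commitment (opened by revealing a per-vertex key) for the per-vertex probabilistic public-key encryption of the slides; the prover's random tape is a seeded PRNG so that the extractor can rewind P and replay the same permutation π and the same keys while asking for a different edge each time.

```python
import hashlib
import random

# Constructed toy instance: a triangle 0-1-2 plus the path 2-3-4-0. The triangle
# forces chi(G) = 3, so G is in 3COL but not 2-colourable.
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4), (4, 0)]
VERTICES = sorted({v for e in EDGES for v in e})
COLORS = ("R", "G", "B")
WITNESS = {0: "R", 1: "G", 2: "B", 3: "R", 4: "G"}   # P's private 3-colouring C


def commit(color, key):
    """Hash commitment standing in for the per-vertex probabilistic encryption:
    `key` plays the role of the decryption key D_v that P reveals in step 3."""
    return hashlib.sha256(key + color.encode()).digest()


class Prover:
    """One iteration of the 3COL protocol. `seed` is P's random tape; the
    extractor reuses the same seed so that rewinding P replays pi and the keys."""

    def __init__(self, coloring, seed):
        self.coloring = coloring
        self.rng = random.Random(seed)

    def first_message(self):
        perm = list(COLORS)
        self.rng.shuffle(perm)                      # random permutation pi of the colours
        self.pi = dict(zip(COLORS, perm))
        self.keys = {v: self.rng.getrandbits(128).to_bytes(16, "big") for v in VERTICES}
        return {v: commit(self.pi[self.coloring[v]], self.keys[v]) for v in VERTICES}

    def respond(self, edge):
        """Step 3: open the two endpoints of the challenged edge."""
        return {v: (self.keys[v], self.pi[self.coloring[v]]) for v in edge}


def verify_round(commitments, edge, opening):
    """Step 4: both openings must match the commitments and the colours must differ."""
    for v in edge:
        key, color = opening[v]
        if color not in COLORS or commit(color, key) != commitments[v]:
            return False
    v1, v2 = edge
    return opening[v1][1] != opening[v2][1]


def run_protocol(coloring, prover_seed, verifier_seed, rounds=None):
    """Honest execution with |E(G)|^2 iterations; V accepts only if all pass."""
    rounds = len(EDGES) ** 2 if rounds is None else rounds
    vrng = random.Random(verifier_seed)
    for i in range(rounds):
        prover = Prover(coloring, prover_seed + i)  # fresh randomness per iteration
        commitments = prover.first_message()
        edge = vrng.choice(EDGES)                   # V's random edge
        if not verify_round(commitments, edge, prover.respond(edge)):
            return False
    return True


def extract(coloring, prover_seed):
    """Knowledge extractor M*: rewind P to the same random tape once per edge,
    challenge a different edge each time, and assemble pi o C from the openings."""
    witness = {}
    for edge in EDGES:
        prover = Prover(coloring, prover_seed)      # same tape => same pi and keys
        commitments = prover.first_message()
        opening = prover.respond(edge)
        if not verify_round(commitments, edge, opening):
            raise ValueError("P failed on edge %r; extraction aborted" % (edge,))
        for v in edge:
            witness[v] = opening[v][1]
    return witness


def is_valid_coloring(coloring):
    return all(coloring[u] != coloring[v] for u, v in EDGES)
```

The extracted colouring is π ◦ C, which agrees with P's own witness only up to the colour permutation, which is exactly the point of the last sentence above. A prover holding an invalid colouring is caught in any iteration where V happens to pick a monochromatic edge.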


Σ-Protocols: Idea

“Challenge-response” proof of knowledge: P sends a random-looking element to V, V challenges P with a uniformly random bit-string, P responds.

Three security requirements: completeness, special soundness, special honest-verifier zero-knowledge.

Such a three-round protocol is known as a Σ-protocol.


Σ-Protocols: Notation

The pair (x, ω) ∈ R, where R ⊂ {0, 1}∗ × {0, 1}∗ is a publicly known, typically (but not necessarily) efficiently verifiable relation. Let

$R_W(x) := \{\omega : (x, \omega) \in R\}$ and $R_X := \{x : R_W(x) \neq \emptyset\}$.

E.g.: R_W(x) is the set of secret keys corresponding to public key x, and R_X is the set of public keys that have a corresponding secret key.

Simplification: assume that all witnesses ω correspond to some value x such that (x, ω) ∈ R. I.e., R_X is the set of public keys. (For some well-known schemes like Guillou-Quisquater, this is not the case!)


Σ-Protocols: General Description

1 P computes a ← a(x, ω, Randomtape_P) and sends a to V.

2 V computes c ← c(Randomtape_V) and sends c to P.

3 P computes z ← z(x, ω, Randomtape_P, c) and sends z to V.

4 V checks whether φ(x, a, c, z) = accept.

a: initial message; t_P = |a| is the authentication length. c: challenge, c ← {0, 1}^{t_V}, of length t_V. z: reply (may reuse a). Finally, V invokes a polynomial-time computable predicate φ to check whether the conversation (x, a, c, z) is accepting.


Reminder: (Gq, ◦)

Definition. (Gq, ◦) is a multiplicative cyclic group of prime order q iff

Group: associative, with a unit, with inverse elements.

Multiplicative: a ◦ b is written as ab.

Cyclic: there exists a generator g such that for every element h ∈ Gq there exists an ω such that h = g^ω.

Order q: for any group element g, g^q = 1; if g ≠ 1 and q is a prime then g^{q′} ≠ 1 for 1 ≤ q′ < q. In particular, (∀α) (g^α = g^{α mod q}).

Cyclic with prime order q: there exists a generator g such that for every element h ∈ Gq there exists a unique ω ∈ Zq such that h = g^ω. In particular,


Reminder: (Gq, ◦)

Example. Let p, q be two large primes such that q | (p − 1). Let Gq be the unique subgroup of Z*_p of order q. Let g be a generator of Gq.

Other settings are possible; the most popular alternative involves elliptic curve groups, where Gq can be represented using ≈ log₂ q bits.

In what follows we abstract away the concrete group and assume that Gq is a multiplicative cyclic group of order q (with some hardness assumptions).


Gq: Additional Assumptions And Usefulness

Efficiently computable isomorphism φ : Zq → Gq: given a generator g, a ↦ g^a = φ(a).

φ is an isomorphism: φ(a)φ(b) = g^a g^b = g^{a+b} = φ(a + b), φ(0) = g^0 = 1, φ(−a) = g^{−a} = 1/g^a = φ(a)^{−1}.

Discrete Logarithm Assumption: φ^{−1} is intractable to compute. I.e., given (g, g^a), it is difficult to find a.

Samplability: it is easy to pick a random element from Gq. Follows from the isomorphism: sample a ← Zq and compute b ← g^a; since a is a random element of Zq, b is a random element of Gq.


Random Self-Reducibility Of DL

Theorem Fix a generator g ∈ Gq. Assume that DL in basis g can be efficiently computed for a fraction δ ∈ (0, 1) of values h ∈ Gq. Then DL in basis g can be efficiently computed for any value h ∈ Gq.


Random Self-Reducibility Of DL

Proof. Assume A is an algorithm that computes DL for a fraction δ of values h ∈ Gq. Construct the next algorithm B: given (g, h) as input, B does the following up to t times. Generate random r ← Zq. Give input (g, h · g^r) to A. With probability δ, A returns the discrete logarithm d of h · g^r. Then d = DL(h · g^r) = DL(h) + r and thus DL(h) = d − r. In this case, return d − r. Otherwise, repeat.

With probability 1 − (1 − δ)^t, B returns DL(h). If we want to achieve success probability ε then we have to set

$$t = \frac{\log(1-\varepsilon)}{\log(1-\delta)}.$$

For example, if ε = 2^{−80} and δ = 2^{−8} then t < 14168 < 2^{14}.
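Algorithm B of the proof above, as an added example that is not from the slides. The group is a constructed toy one (p = 10007, q = 5003, g = 4), and the partial DL solver A is a constructed stand-in that answers only on a fixed quarter of the group elements, so the example shows why the random blinding by g^r is what turns a partial solver into a full one. The last function reproduces the slide's numeric example (ε = 2^{−80}, δ = 2^{−8} giving 14168 attempts) when ε is read as the residual failure probability (1 − δ)^t, which is the reading that produces that number.

```python
import math
import secrets

# Constructed toy group: p = 10007 is a safe prime, q = 5003 = (p - 1)/2, and g = 4
# (a quadratic residue != 1) generates the subgroup G_q of order q.
P, Q, G = 10007, 5003, 4


def make_partial_dl_oracle(num, den):
    """Constructed stand-in for the algorithm A of the theorem: it answers only for
    the fraction num/den of group elements whose residue mod `den` is below `num`,
    and returns None otherwise. The subset is fixed, so querying A again on the
    same h never helps; only the random blinding in B does. A full DL table is
    affordable because the toy group has only 5003 elements."""
    table = {pow(G, i, P): i for i in range(Q)}

    def A(h):
        return table[h] if h % den < num else None
    return A


def randomize_dl(A, h, t):
    """Algorithm B from the slide: blind h with a fresh r, ask A for DL(h * g^r),
    and unblind: DL(h) = d - r. Gives up after t attempts and returns None."""
    for _ in range(t):
        r = secrets.randbelow(Q)
        d = A(h * pow(G, r, P) % P)
        if d is not None:
            return (d - r) % Q
    return None


def attempts_for_failure_prob(eps, delta):
    """Smallest t with (1 - delta)^t <= eps, i.e. t = ceil(log(eps) / log(1 - delta)).
    For eps = 2**-80 and delta = 2**-8 this is the slide's 14168."""
    return math.ceil(math.log(eps) / math.log(1 - delta))
```

Because h · g^r is uniform in Gq whatever h is, each attempt succeeds with probability δ independently of the previous ones, which is the fact the (1 − δ)^t bound relies on.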


Σ-Protocol for Knowledge of DL

Cyclic multiplicative group Gq of order q, generator g. Let ω ← Zq and let h := g^ω. Let x = (Gq, g, h) be the common input and ω the private input to P.

The corresponding (unique) witness is ω ∈ Zq such that g^ω = h. The relation R consists of all such pairs, R = {(g^ω, ω) : ω ∈ Zq}.

Next, we show a Σ-protocol for PK(h = g^ω).


Schnorr’s PK(h = g^ω) [Schnorr, 1991]

Let h = g^ω. Let x = (Gq, g, h) be the common input, ω the private input to P.

1 P picks r ← Zq, computes a := g^r and sends a to V.

2 V picks c ← {0, 1}^{80} and sends c to P.

3 P computes z ← cω + r (in Zq) and sends z to V.

4 V checks whether $g^z \stackrel{?}{=} a h^c$.

Completeness: $g^z = g^{c\omega + r} = g^r (g^\omega)^c = a h^c$.


Schnorr’s Proof of Knowledge: Efficiency

Communication: ≈ |p| + t + |q|. On-line: one |q| × 80 bit multiplication (and one t-bit addition). Random number generation and exponentiation can be done off-line, during the processor’s idle time. If the scheme is used only for identification, where the prover has to reply to the challenge in a few seconds, the security parameter tV can be lowered, say, to 48 bits.


Security Properties: Special Soundness (1/2)

Let x ∈ {0, 1}∗ be a string. A pair of accepting conversations (x, a, c, z) and (x, a, c′, z′) with c ≠ c′ is called a collision.

A collision occurs if the same person starts identification two times with the same first message, is answered by a different second message, and is accepted both times.

(P, V) has the special soundness property if the following holds: given a collision for a public key x, there exists an efficient algorithm that on input of a collision for x outputs a witness ω such that (x, ω) ∈ R.

(NB! These security definitions are “simplified”.)


Special Soundness (2/2)

Intuitively, special soundness guarantees that P does not have an incentive to start the same protocol twice with the same message.

She must include some randomness to not reveal her secret.

Corresponds to the “proof of knowledge” property, but somewhat stronger.

Knowledge extractor has to execute P only twice to extract the witness.


Schnorr’s Proof of Knowledge: Special Soundness

Theorem. Schnorr’s POK is specially sound.

Proof. Given two accepting conversations (x, a, c, z) and (x, a, c′, z′) with c ≠ c′, we have that g^z = a h^c and g^{z′} = a h^{c′}. Then ω can be computed as

$$\omega \leftarrow \frac{z - z'}{c - c'}, \quad \text{since} \quad \frac{z - z'}{c - c'} = \frac{(c\omega + r) - (c'\omega + r)}{c - c'} = \frac{(c - c')\omega}{c - c'} = \omega.$$


Schnorr’s Proof of Knowledge: Special HVZK

Some simulator M∗ must be able to generate an accepting conversation, with the same distribution as “real” conversations, without communicating with the prover.

“Special HVZK”: this is achieved by first selecting the second and the third message uniformly from their domains, and then selecting the first message such that the verification accepts. Stronger than “non-special” HVZK.

Select c, z ← Zq, compute a ← g^z · h^{−c}. Then (x, a, c, z) is an accepting conversation with the correct distribution.
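Schnorr's Σ-protocol together with the two algorithms that the last three slides describe, the special-soundness extractor and the special-HVZK simulator, as an added example that is not code from the lecture. It assumes a constructed toy group (p = 10007, q = 5003, g = 4) in place of the large-prime setting of the slides; the extractor also refuses a "collision" whose challenges coincide modulo q, a case that cannot arise with an 80-bit challenge and a 256-bit q but can in this toy group.

```python
import secrets

# Constructed toy group: p = 10007 is a safe prime (p = 2q + 1, q = 5003) and g = 4,
# a quadratic residue != 1, generates the unique subgroup G_q of order q. Real
# deployments use a ~2048-bit p with a 256-bit q, or an elliptic-curve group.
P, Q, G = 10007, 5003, 4
T_V = 80                                    # challenge length t_V from the slide


def keygen(omega=None):
    """Private omega <- Z_q, public h = g^omega."""
    omega = secrets.randbelow(Q) if omega is None else omega % Q
    return omega, pow(G, omega, P)


# --- the three moves of Schnorr's Sigma-protocol for PK(h = g^omega) ---
def prover_commit(r=None):
    r = secrets.randbelow(Q) if r is None else r % Q
    return r, pow(G, r, P)                  # P keeps r, sends a = g^r


def verifier_challenge():
    return secrets.randbits(T_V)            # c <- {0,1}^80


def prover_respond(omega, r, c):
    return (c * omega + r) % Q              # z = c*omega + r in Z_q


def verify(h, a, c, z):
    return pow(G, z, P) == a * pow(h, c, P) % P   # g^z =? a * h^c


def identify(omega, h):
    """One honest run of the identification protocol; returns V's verdict."""
    r, a = prover_commit()
    c = verifier_challenge()
    return verify(h, a, c, prover_respond(omega, r, c))


def extract_witness(a, c1, z1, c2, z2):
    """Special soundness: from a collision (same a, c1 != c2, both accepting)
    recover omega = (z1 - z2) / (c1 - c2) in Z_q."""
    if (c1 - c2) % Q == 0:
        raise ValueError("not a collision: challenges coincide modulo q")
    return (z1 - z2) * pow(c1 - c2, -1, Q) % Q


def simulate(h, c=None, z=None):
    """Special HVZK simulator: choose c and z first, then a = g^z * h^(-c) so that
    the verification equation holds; no omega is needed."""
    c = secrets.randbits(T_V) if c is None else c
    z = secrets.randbelow(Q) if z is None else z
    a = pow(G, z, P) * pow(h, -c, P) % P   # negative exponent = modular inverse
    return a, c, z
```

The extractor is the reason a prover must never reuse r across two runs: two responses to the same a with different challenges hand the verifier the secret key. The simulator is the reason an honest verifier learns nothing: a transcript it could have made itself is no evidence of anything beyond the fact that the statement holds.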


Σ-Protocol for PK(A1 ∧ A2).

Assume you are given Σ-protocols for PK(A1) and PK(A2), where A1 and A2 are some predicates. To construct a Σ-protocol for PK(A1 ∧ A2):

Run the Σ-protocols for PK(A1) and PK(A2) in parallel, using the same challenge in both.


Σ-Protocol for PK(A1 ∨ A2).

Assume A1 is true (the second case is dual).

1 P generates a1 as in PK(A1). She runs the simulator to produce a valid view (a2, c2, z2) as in PK(A2). She sends (a1, a2) to V.

2 V generates a random c ← {0, 1}^{80} and sends it to P.

3 P computes c1 ← c − c2 mod 2^{80}, and z1 as it would be computed in PK(A1) after the first messages a1, c1. P sends (c1, z1, z2) to V.

4 V sets c2 ← c − c1 mod 2^{80}. For i ∈ {1, 2}, V performs the check, as done in PK(Ai), on (ai, ci, zi). He also checks that c1 ∈ Z_{2^{80}}.
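The disjunctive construction above instantiated with two Schnorr statements, PK(h0 = g^ω ∨ h1 = g^ω), as an added example that is not from the slides. It assumes the same constructed toy group (p = 10007, q = 5003, g = 4) and indexes the branches 0 and 1; the prover knows the witness for one branch and runs the special-HVZK simulator for the other, and the verifier's final transcript does not reveal which.

```python
import secrets

P, Q, G = 10007, 5003, 4            # constructed toy group, as in the Schnorr example
T_V = 80
MOD_C = 1 << T_V                    # challenges are added and subtracted in Z_{2^80}


def schnorr_verify(h, a, c, z):
    return pow(G, z, P) == a * pow(h, c, P) % P


def schnorr_simulate(h):
    """Special HVZK simulator for PK(h = g^omega): pick (c, z), derive a."""
    c, z = secrets.randbits(T_V), secrets.randbelow(Q)
    return pow(G, z, P) * pow(h, -c, P) % P, c, z


def or_commit(hs, omega, known):
    """First message of PK(h_0 = g^omega OR h_1 = g^omega). P knows omega for
    hs[known]; the other branch is simulated. Returns (a_0, a_1) and P's state."""
    r = secrets.randbelow(Q)
    a_sim, c_sim, z_sim = schnorr_simulate(hs[1 - known])
    a = [None, None]
    a[known], a[1 - known] = pow(G, r, P), a_sim
    return tuple(a), (r, c_sim, z_sim)


def or_respond(omega, known, state, c):
    """Third message: split V's challenge so that the simulated branch keeps its
    c_sim, answer the real branch honestly, and send (c_0, z_0, z_1)."""
    r, c_sim, z_sim = state
    c_real = (c - c_sim) % MOD_C
    cs, zs = [None, None], [None, None]
    cs[known], zs[known] = c_real, (c_real * omega + r) % Q
    cs[1 - known], zs[1 - known] = c_sim, z_sim
    return cs[0], zs[0], zs[1]


def or_verify(hs, a, c, c0, z0, z1):
    """V recomputes c_1 = c - c_0 mod 2^80, checks that c_0 is in range, and runs
    the Schnorr check on both branches; it never learns which one was simulated."""
    if not 0 <= c0 < MOD_C:
        return False
    c1 = (c - c0) % MOD_C
    return schnorr_verify(hs[0], a[0], c0, z0) and schnorr_verify(hs[1], a[1], c1, z1)


def or_run(hs, omega, known):
    """Honest run; returns the transcript pieces and V's verdict."""
    a, state = or_commit(hs, omega, known)
    c = secrets.randbits(T_V)                 # honest verifier's challenge
    c0, z0, z1 = or_respond(omega, known, state, c)
    return c, a, (c0, z0, z1), or_verify(hs, a, c, c0, z0, z1)
```

Soundness rests on the split c = c0 + c1 mod 2^80 being fixed by V's challenge: the prover can choose one sub-challenge freely (the simulated branch) but the other is then forced, so a prover knowing neither witness would have to answer a forced challenge on an honest commitment.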


Application: Identification Schemes

To get access, prove that you know your secret key.

Smart doors: use a smart card to get in. ATM: identify yourself as a legal customer.

Common problem: must avoid re-execution of the protocol. Verifier1 cannot use the gained knowledge to impersonate you in another protocol run with Verifier2.

Use, e.g., Schnorr’s Σ-protocol PK(h = g^ω).


Third Lecture


Concept: random oracle

Random oracle H = random function: for every x, H(x) is randomly drawn from the output domain.

Implementation: H is a subroutine with an initially empty database of pairs (a, c). H(a) returns c if (a, c) is in the database for some c. Otherwise H generates a new c uniformly at random, adds (a, c) to the database and returns the newly generated c.

In practice, a secure hash function (e.g., SHA256) is used.


Non-Interactive ZK (NIZK)

A ZK protocol is non-interactive if it consists of only one step: the prover sending some information to the verifier.

NIZK protocols exist only if P and V have access to some common, publicly available source of random strings (beacon).

NIZK honest-verifier protocols exist also in the random-oracle model.


NIZK with Random Oracles

Assume H is a random oracle. A specially HVZK, specially sound Σ-protocol (P, V) can be converted into a NIZK proof (a, c, z) by using the next general method:

P: computes a ← a(x, ω, Randomtape_P), c ← H(a) and z ← z(x, ω, Randomtape_P, c), and sends (x, a, c, z) to V.

V: checks that $c \stackrel{?}{=} H(a)$ and that φ(x, a, c, z) accepts.

c is random, but depends on a. It is NIZK only when H is a random oracle.


Thanks to the special HVZK property, the NIZK proof can usually be shortened to (c, z): a can be computed from (c, z) by following the simulation algorithm.


NIZK: Minimal Assumptions

NIZK does not exist in the standard model (3 rounds were minimum) NIZK exists in the random oracle model (yeah, so what?) NIZK exists also in a somewhat weaker model where parties share a common random string (common reference string model)

Simulator is given the power to create a new CRS with a potential trapdoor in it.

(We will see a model, related to CRS, a bit later)


Signature Schemes

Signature scheme — a tuple of probabilistic algorithms (Gen, Sign, Vrfy) over a message space M, such that: The key-generation algorithm Gen outputs a public key pk and a secret key sk. The signing algorithm Sign takes as input the signer’s secret key sk and a message m ∈ M and returns a signature σ. The verification algorithm Vrfy takes as input the signer’s public key pk, a message m ∈ M, and a signature σ and returns accept or reject.


Signature Schemes — Completeness

Definition. A signature scheme is complete if for all (sk, pk) output by Gen and all m ∈ M, we have Vrfy_pk(m, Sign_sk(m)) = accept. We say that a signature σ on m is valid if Vrfy_pk(m, σ) = accept.


Security of A Signature Scheme: Intuition

An adversary is asked to forge a signature: i.e., to produce a message m with a candidate signature σ, such that Vrfypk(m, σ) = accept. In real life situations, adversary can be more powerful: it may be able to request signatures to some messages that she likes. Her quest then is to generate a valid pair (m, σ) that she has not seen before.


Security of A Signature Scheme: Intuition

Access to the oracle corresponds to the training session for the adversary and makes the signature scheme even stronger.


Security of A Signature Scheme

Definition. Let ∆ := (Gen, Sign, Vrfy) be a signature scheme. An adversarial forging algorithm F is said to (t, q_h, q_s, ε)-forge ∆ if F runs in time at most t, makes at most q_h hash queries and in total at most q_s signing queries, and furthermore

$$\mathrm{Adv}^{\mathrm{forge}}(F) := \Pr\big[(pk, sk) \leftarrow \mathrm{Gen};\ H \leftarrow \Omega;\ (m, \sigma) \leftarrow F^{\mathrm{Sign}_{sk}(\cdot),\, H(\cdot)}(pk) : \sigma \notin \Sigma(m) \wedge \mathrm{Vrfy}_{pk}(m, \sigma) = \mathrm{accept}\big] \ge \varepsilon,$$

where Σ(m) is the set of signatures received from Sign_sk(m). A signature scheme is (t, q_h, q_s, ε)-unforgeable if no forger can (t, q_h, q_s, ε)-forge it.


Application of ZK: Signature Scheme

Assume H is a random oracle. A specially HVZK and specially sound Σ-protocol (P, V) can be converted into the generic signature scheme Sign(P) by using the next general method:

P (signer): computes a ← a(x, ω, Randomtape_P), c ← H(m, a) and z ← z(x, ω, Randomtape_P, c), and sends (m, a, c, z) to V.

V: checks that $c \stackrel{?}{=} H(m, a)$ and that φ(x, a, c, z) accepts.

The signature of m is equal to (a, c, z). H is a RO: c is “random”, but “depends” on (m, a).


Security of Resulting Signature Scheme

Fix a signature scheme Sign(P). An adversary (q, t, ε)-forges P’s signature if it works in time t and, with success probability ε, can generate a tuple (m, a, c, z) such that φ(m, a, c, z) accepts. The adversary is allowed to ask P to sign up to q different messages (not equal to m).

Lemma (Forking lemma [Pointcheval and Stern, 2000]). Assume that some algorithm A (q, t, ε)-forges a signature (m, a, c, z), with ε ≥ 7q/2^k, where k is the security parameter. Then there exists another machine that, with oracle access to A, can produce a collision (m, a, c, z), (m, a, c′, z′), with c ≠ c′, in expected time t′ ≤ 84480 tq/ε.

E.g.: ε = 2^{−50}, q = 2^{40}, then t′ ≤ 2^{77} t.


Schnorr’s Signature Scheme

Let h := g^ω. Let x = (Gq, g, h) be the common input, ω the private input to P.

Signer: picks r ← Zq, computes a := g^r, c ← H(m, a), z ← cω + r, and sends (m; a, c, z) to V.

Verifier: checks $c \stackrel{?}{=} H(m, a)$ and $g^z \stackrel{?}{=} a h^c$.

Check: $g^z = g^{c\omega + r} = g^r (g^\omega)^c = g^r h^c = a h^c$.

Schnorr’s scheme is very well known; DSA (the official signature standard) is based on it.


Beware the RO

In practice, H is a standard hash function. In such a case, the conversion scheme loses provable security. For some concrete identification schemes, the conversion works if H is the random oracle, but not for any instantiation of H by a real hash function [Goldwasser and Kalai, 2003].


Schnorr’s Signature Scheme: Efficiency

P has to perform on-line one H evaluation, one 160-bit multiplication and one addition. Communication can be reduced: P sends (m, c, z) and V verifies that c = H(m, g^z h^{−c}).

This works thanks to the special HVZK property. The same trick works for any converted signature scheme.
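The random-oracle implementation, the Fiat-Shamir conversion of Schnorr's protocol into a NIZK proof and into a signature scheme, and the shortened (c, z) form with its verification c = H(m, g^z h^{−c}), in one added example that is not code from the lecture. It assumes the constructed toy group (p = 10007, q = 5003, g = 4), a lazily sampled dictionary as the random oracle exactly as the "Concept: random oracle" slide describes it, and SHA-256 truncated to 80 bits as the practical instantiation that the "Beware the RO" slide warns loses provable security; the length-prefixed `encode` helper is an assumption needed to make H(m, a) unambiguous.

```python
import hashlib
import secrets

P, Q, G = 10007, 5003, 4                # constructed toy group (p = 2q + 1, g of order q)
T_V = 80


class RandomOracle:
    """Lazily sampled random function: the first time an input is queried a fresh
    uniform 80-bit output is drawn and stored, so later queries are consistent."""

    def __init__(self, out_bits=T_V):
        self.out_bits = out_bits
        self.table = {}

    def __call__(self, data):
        if data not in self.table:
            self.table[data] = secrets.randbits(self.out_bits)
        return self.table[data]


def sha256_oracle(data):
    """What practice substitutes for H: a fixed hash function, truncated to 80 bits."""
    return int.from_bytes(hashlib.sha256(data).digest()[:10], "big")


def encode(m, a):
    """Unambiguous encoding of (m, a): length-prefixed message, fixed-width a."""
    return len(m).to_bytes(4, "big") + m + a.to_bytes(4, "big")


def sign(H, omega, m):
    """Fiat-Shamir on Schnorr's protocol: the challenge is c = H(m, a) instead of a
    message from V. With m = b"" this is the NIZK proof of knowledge of omega."""
    r = secrets.randbelow(Q)
    a = pow(G, r, P)
    c = H(encode(m, a))
    z = (c * omega + r) % Q
    return c, z                             # shortened form (c, z); a is not sent


def verify(H, h, m, sig):
    """Recompute a = g^z * h^(-c) (the special-HVZK simulator's formula) and
    check that c = H(m, a); this is V's check on (m, c, z)."""
    c, z = sig
    a = pow(G, z, P) * pow(h, -c, P) % P
    return c == H(encode(m, a))
```

Both signer and verifier must query the same oracle object: with the lazily sampled `RandomOracle` a second instance is a different random function, which is why the random-oracle model is a model and deployments fix one concrete hash. Changing the message, or z, changes the recomputed a and therefore sends the verifier to a fresh oracle entry whose value matches c only by chance.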


Background: Decision-Diffie Hellman Groups

Let Gq be a finite, cyclic group of prime order q in which the group operation is represented multiplicatively; furthermore, let g be a generator of Gq. E.g.: let p, q be two large primes such that q | (p − 1); then Gq is a multiplicative subgroup of Z*_p of order q, and g a generator of Gq.

A distinguishing algorithm A is said to (t, ε)-break DDH (Decisional Diffie-Hellman) in group Gq if A runs in time at most t and furthermore

$$\mathrm{Adv}^{\mathrm{ddh}}_{G_q}(A) := \big|\Pr[x, y, z \leftarrow \mathbb{Z}_q : A(g, g^x, g^y, g^z) = 1] - \Pr[x, y \leftarrow \mathbb{Z}_q : A(g, g^x, g^y, g^{xy}) = 1]\big| \ge \varepsilon,$$

where the probability is taken over the choice of the random variables and the coin tosses of A. We say that Gq is a (t, ε)-DDH group if no algorithm (t, ε)-breaks DDH in Gq.


Katz-Wang 2003 [Katz and Wang, 2003]: Signature Scheme With Better Reduction

Let g1, g2 be two generators of Gq, s.t. nobody knows their mutual discrete logarithms. Prover has a secret key ω ← Zq. Let (h1, h2) be Prover's public key, where h1 := g1^ω and h2 := g2^ω.

Prover proves that he knows that (g1, g2, h1, h2) is a valid Decisional Diffie-Hellman (DDH) tuple. The resulting NIZK proof has a tighter reduction than Schnorr's signature.

SLIDE 52

Σ-Protocol for Valid DDH Tuple

Common input: x = (Gq, g1, g2, h1, h2); ω is the private input of P. Prover proves that (g1, g2, h1, h2) is a valid Diffie-Hellman tuple.

P: r ← Zq; a1 ← g1^r; a2 ← g2^r. P → V: (a1, a2).
V: c ← {0, 1}^80. V → P: c.
P: z ← cω + r. P → V: z.
V checks: g1^z = a1 h1^c ∧ g2^z = a2 h2^c.

Correctness: gi^z = gi^{cω + r} = gi^r (gi^ω)^c = ai hi^c.

This is a typical PK(A1 ∧ A2): PK((ω) : h1 = g1^ω ∧ h2 = g2^ω).

Katz-Wang Signature Scheme: Final Construction

Let x = (Gq, g1, g2, h1, h2) be the common input, ω the private input to P. Prover proves, by using the Fiat-Shamir heuristic, that (g1, g2, h1, h2) is a valid Diffie-Hellman tuple.

P: r ← Zq; a1 := g1^r; a2 := g2^r; c ← H(PK, a1, a2, m); z ← cω + r. P → V: (m; c, z).
V checks: c = H(PK, g1^z h1^{−c}, g2^z h2^{−c}, m).

(As in Schnorr's signature, the ai do not have to be sent.)
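The following Python is an added example; it is not code from the slides nor from Schnorr's or Katz and Wang's papers. It implements both the Schnorr signature with the communication-saving check c = H(m, g^z h^{−c}) from the efficiency slide and the Katz-Wang signature from this slide, so the reader can see that the second is the first run in two bases with one shared nonce r. The toy group (p = 2039, q = 1019, generators 4 and 9), the SHA-256-based hash H, its domain-separation labels and the sampling of challenges from Zq rather than {0,1}^80 are assumptions of the example, not of the slides.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption, not from the slides): p = 2q + 1 with
# p = 2039 and q = 1019 both prime, so the squares mod p form the order-q group G_q.
# Real deployments use p of 2048+ bits and q of 256+ bits.
P, Q = 2039, 1019
G1, G2 = 4, 9           # 2^2 and 3^2: two generators of G_q (toy; nobody may know log_G1 G2 in practice)
assert pow(G1, Q, P) == 1 and pow(G2, Q, P) == 1


def H(*parts) -> int:
    """Fiat-Shamir hash: SHA-256 over a canonical encoding, reduced into Z_q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_zq() -> int:
    return secrets.randbelow(Q)


# --- Schnorr: PK(omega : h = g^omega) made non-interactive --------------------
def schnorr_keygen():
    omega = rand_zq()
    return omega, pow(G1, omega, P)


def schnorr_sign(omega: int, h: int, m: str):
    r = rand_zq()
    a = pow(G1, r, P)
    c = H("schnorr", h, a, m)           # the hash replaces V's random challenge
    z = (c * omega + r) % Q
    return c, z                          # a is not sent: V recomputes it from (c, z)


def schnorr_verify(h: int, m: str, sig) -> bool:
    c, z = sig
    # g^z h^-c = g^(c omega + r) g^(-c omega) = g^r = a, so H must reproduce c
    a = pow(G1, z, P) * pow(h, Q - c, P) % P
    return c == H("schnorr", h, a, m)


# --- Katz-Wang: PK(omega : h1 = g1^omega AND h2 = g2^omega) -------------------
def kw_keygen():
    omega = rand_zq()
    return omega, (pow(G1, omega, P), pow(G2, omega, P))   # (h1, h2): a DDH tuple with (g1, g2)


def kw_sign(omega: int, pk, m: str):
    h1, h2 = pk
    r = rand_zq()
    a1, a2 = pow(G1, r, P), pow(G2, r, P)   # the same r in both bases
    c = H("kw", h1, h2, a1, a2, m)          # H(PK, a1, a2, m)
    z = (c * omega + r) % Q
    return c, z


def kw_verify(pk, m: str, sig) -> bool:
    h1, h2 = pk
    c, z = sig
    a1 = pow(G1, z, P) * pow(h1, Q - c, P) % P   # g1^z h1^-c
    a2 = pow(G2, z, P) * pow(h2, Q - c, P) % P   # g2^z h2^-c
    return c == H("kw", h1, h2, a1, a2, m)


if __name__ == "__main__":
    w, h = schnorr_keygen()
    print("schnorr ok:", schnorr_verify(h, "hello", schnorr_sign(w, h, "hello")))
    w, pk = kw_keygen()
    print("katz-wang ok:", kw_verify(pk, "hello", kw_sign(w, pk, "hello")))
```

Note that `pow(h, Q - c, P)` computes h^{−c} because h has order q; in a 256-bit group the same code works unchanged, only the constants grow.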

SLIDE 53

Katz-Wang Signature Scheme: Security Claim

Theorem. Let Gq be a (t′, ε′)-DDH group with |Gq| = q such that exponentiation in Gq takes time texp. Then the Katz-Wang signature scheme is (t, qh, qs, ε)-unforgeable in the random oracle model, where t ≤ t′ − 2.4(qs + 1) texp and

Adv^ddh_{Gq}(A) ≥ Adv^forge_Δ(F) − (qs qh q^{−1} + (qh + 1) q^{−1}).

The tighter reduction is achieved since the security proof does not rely on knowledge extractors.


Katz-Wang: Proof Idea (1/2)

[Figure: the forger A, with its input, a hash oracle H and a signing oracle S, producing its output]

Assume that A is the forger. We do not know anything about its interior, but we know that: given a random DDH tuple as an input, a signing oracle that signs queried messages, and a random oracle, A outputs a new signature pair with probability ε.

SLIDE 54

Katz-Wang: Proof Idea (2/2)

[Figure: distinguisher D running A, simulating A's input I, hash oracle H and signing oracle S, and reading A's output O]

Distinguisher D executes A, and simulates the input (perfectly if given a DDH tuple), the hash oracle (perfectly) and the signing oracle (with some small error), and reads A's output. If D gets a DDH tuple then D has success whenever A has success (except in the case of this small error). If D does not get a DDH tuple then D has success with a very small probability.


Katz-Wang Proof

Longer Intuition

Consider a forger F that, given a certain input distribution and a certain input-output behaviour of the oracles, is guaranteed to forge the signature scheme. We construct a distinguisher that feeds F a public key (with correct distribution if its own input was a DDH tuple), and emulates the oracles so that their input-output behaviour does not change (except with the probability of abort). Therefore, if the input is a DDH tuple then F is guaranteed to output a forgery with probability ε − Pr[aborting].

SLIDE 55

Katz-Wang Proof

Longer Intuition

If the input is not a DDH tuple then F can produce a forgery only with a very small probability. The difference between those two forgery probabilities gives the advantage of D. In the simulation of Sign-queries, since D does not know the secret key, he attempts to simulate a correct signature by using the ZK property of the ZK proof that a tuple is a DDH tuple.


Katz-Wang: Proof (1/4)

Let F be a signature forger who (t, qh, qs, ε)-forges. Construct the following distinguisher D that is given as input a tuple PK := (g1, g2, y1, y2) and who has to decide if it is a DDH tuple. D gives PK to F as a public key, and then executes F step-by-step, except that:

If F makes a hash query H(PK, a1, a2, m) then D returns a uniformly random value from Zq if such a hash query was not previously made, or the result of the previous hash query otherwise.

If F makes a signature query on some m then D tries to simulate the ZK proof that PK is a DDH tuple: D chooses random c, z ← Zq, computes a1 ← g1^z y1^{−c} and a2 ← g2^z y2^{−c}. If H had previously been queried on (PK, a1, a2, m) then D aborts; otherwise, D sets H(PK, a1, a2, m) := c and outputs the signature (c, z).

SLIDE 56

Katz-Wang: Proof (2/4)

At some point, F outputs its forgery (m̃, σ̃ = (c̃, z̃)), where σ̃ was not previously the response to a query Sign(m̃). Letting ã1 = g1^z̃ y1^{−c̃} and ã2 = g2^z̃ y2^{−c̃}, assume also that D has previously queried H(PK, ã1, ã2, m̃). Now, D outputs 1 if H(PK, ã1, ã2, m̃) = c̃ (i.e., verification succeeds), and 0 otherwise.
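As an added example (not code from the slides or from the Katz-Wang paper), the following Python carries out the distinguisher's two jobs from proof parts (1/4) and (2/4): answering Sign(m) queries without the secret key by choosing (c, z) first, deriving (a1, a2) = (g1^z y1^{−c}, g2^z y2^{−c}) and programming the random oracle at that point, aborting when the forger already queried it, and finally outputting 1 iff the forgery verifies. The oracle is a lazily sampled table, the group constants are the same toy parameters as before, and the `coins` parameter exists only so the abort path can be exercised deterministically; all of these are assumptions of the example.

```python
import secrets

# Constructed toy group (assumption, not from the slides): p = 2q + 1, p = 2039, q = 1019.
P, Q = 2039, 1019
G1, G2 = 4, 9


class ProgrammableRO:
    """Random oracle as used in the proof: a fresh uniform Z_q value on the first
    query at a point, the same value afterwards, and a hook letting D fix a value."""

    def __init__(self):
        self.table = {}

    def query(self, point):
        if point not in self.table:
            self.table[point] = secrets.randbelow(Q)
        return self.table[point]

    def was_queried(self, point) -> bool:
        return point in self.table

    def program(self, point, value: int) -> None:
        self.table[point] = value


def derive_commitments(pk, c: int, z: int):
    """(a1, a2) = (g1^z y1^-c, g2^z y2^-c): the only first message under which (c, z) verifies."""
    g1, g2, y1, y2 = pk
    a1 = pow(g1, z, P) * pow(y1, Q - c, P) % P
    a2 = pow(g2, z, P) * pow(y2, Q - c, P) % P
    return a1, a2


def simulated_sign(ro: ProgrammableRO, pk, m: str, coins=None):
    """D's answer to a Sign(m) query without knowing omega (proof part 1/4):
    choose (c, z) first, derive (a1, a2), then define H(PK, a1, a2, m) := c.
    Returns None when D must abort because F already queried H at that point."""
    c, z = coins if coins is not None else (secrets.randbelow(Q), secrets.randbelow(Q))
    a1, a2 = derive_commitments(pk, c, z)
    point = (pk, a1, a2, m)
    if ro.was_queried(point):
        return None                     # abort: H is already fixed here and cannot be set to c
    ro.program(point, c)
    return c, z


def verify(ro: ProgrammableRO, pk, m: str, sig) -> bool:
    """Ordinary Katz-Wang verification with H realised by the oracle."""
    c, z = sig
    a1, a2 = derive_commitments(pk, c, z)
    return ro.query((pk, a1, a2, m)) == c


def distinguisher_output(ro: ProgrammableRO, pk, forgery) -> int:
    """D's final decision (proof part 2/4): output 1 iff the forgery verifies."""
    m, sig = forgery
    return 1 if verify(ro, pk, m, sig) else 0


if __name__ == "__main__":
    ro = ProgrammableRO()
    pk = (G1, G2, pow(G1, 5, P), pow(G2, 5, P))   # a DDH tuple; omega = 5 is never used below
    sig = simulated_sign(ro, pk, "pay 5")
    print("simulated signature verifies:", verify(ro, pk, "pay 5", sig))
```

The simulation never touches ω and works equally for a non-DDH tuple; that is exactly why D can run F on its challenge tuple, and why the only price is the abort probability qh/q per signing query when the derived (a1, a2) happens to be a point F already asked about.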


Katz-Wang: Proof (3/4)

What is the probability that D outputs 1? If PK is a DDH tuple then D perfectly simulates F except when D aborts. Abort can occur during any signing query, and in every signing query the probability of abort is upper bounded by qh/|Gq|. Therefore, F outputs a forgery with probability ε − qs qh/q.

If PK is a random tuple then with probability 1 − 1/q it is not a DDH tuple. In this case, for any query H(PK, a1, a2, m) made by F there exists at most one c for which there exists a z s.t. a1 = g1^z y1^{−c} and a2 = g2^z y2^{−c} (look at the linear equations over Zq in the exponent). Thus F outputs a forgery (and D outputs 1) with probability at most 1/q + qh/q. Thus the success probability of D is (ε − qs qh/q) − (1/q + qh/q) = ε′.

SLIDE 57

Katz-Wang: Proof (4/4)

The running time of D includes the running time of F and is otherwise dominated by the two multi-exponentiations that are performed for each signing query plus those done when verifying the output. Assuming that a multi-exponentiation takes time 1.2 texp, we are done.


Signature Conversion: Beware The RO

Note how H was used in the proof: H() is assumed to be random. The points at which H is queried are assumed to be known. Forger can reprogram H by setting H() = c at will, as soon as H() was not queried at the same argument before, and c is uniformly random. Not very realistic!

SLIDE 58

Fourth Lecture


Home assignments: Problem

1. Prove that the previously presented PK(A1 ∨ A2) is secure (define what is secure, define what is expected).
2. Prove that GNI has a CZK proof (with all the details). Present a proof of knowledge.
3. Pick one NP-complete problem from http://en.wikipedia.org/wiki/NP-complete that has not been tackled yet. Present a CZK proof for it. (Coordinate so that everybody has a different problem.)

For some problems, the task is easy, for some, it is difficult. Pick the one you like.

SLIDE 59

Witness Hiding

Let (P, V) be any Σ-protocol for some relation R.

(HV)ZK guarantees that no information whatsoever is revealed in case of any fixed common input v (in the case of an honest verifier).

Witness hiding: a malicious verifier gets at most a negligible advantage when trying to compute any ω in RW(x), compared to the situation before the start of the protocol.

Difference: witness hiding only guarantees that no useful information is given away on average, even if the verifier is malicious.


Witness Hiding: Schnorr’s Scheme

Until recently, it was not known if Schnorr's scheme is witness hiding. In 2002, Schnorr's scheme's security against impersonation was finally proven [Mihir Bellare, 2002].

SLIDE 60

Witness Indistinguishability

Definition. Let x ∈ L and let ω1, ω2 be two witnesses. For an honest prover P and an arbitrary PPT V∗, let view(x, ωi) denote the view of V∗ on the protocol execution if P uses witness ωi. Protocol (P, V) is witness indistinguishable if view(x, ω1) ≈c view(x, ω2). That is, the views of V∗ that correspond to P using witnesses ω1 and ω2 are computationally indistinguishable.

Theorem. Any zero-knowledge protocol is WI.


NIZK In CRS

Common Random String Assumption: P and V share a uniformly random string σ. Weaker/more reasonable than RO: RO does not exist at all, but σ can be generated by a Trusted Third Party.

Involves trust in TTP, but so does PKI, and e-banking.

It is well-known that NIZK exists in the CRS model. (We will not prove it, but use it as a fact.)

Idea: take a Σ protocol, but compute its second message as a cryptographic function over the first message and the CRS.

SLIDE 61

NIZK In CRS: Robustness

Standard CRS: allows the simulator to create a new random string. Definition: the CRS is part of the protocol transcript that the simulator simulates.

This might be too strong. . . Same-string NIZK [De Santis et al., 2001]: works also when the simulator uses the same CRS as the prover.

Same-string NIZK proofs (with omnipotent P) are impossible for hard-on-average NP-complete languages. Same-string NIZK arguments (with computationally bounded P) exist for NP given a one-way trapdoor permutation.


Zaps: Definition

A zap is a 2-message protocol for proving membership of x ∈ L, where L is a language in NP, satisfying the following conditions. Let the first message be ρ, the second message be z = z(x, ω, ρ) and the acceptance/rejection function be φ(x, ρ, z). Assume that ρ is a random string (i.e., a zap is a public coin protocol).

Completeness: Given x, a witness ω, and a first message ρ, a PPT (in |x|) prover can generate a proof z that is accepted by the verifier.

Soundness: Pr_ρ[∃(x′ ∉ L, z) s.t. φ(x′, ρ, z) = accept] = negligible(|x|).

Witness-Indistinguishability: Let ω1, ω2 ∈ R(x). Then ∀ρ, the distributions of z(x, ω1, ρ) and z(x, ω2, ρ) are (non-uniform) PPT indistinguishable.

SLIDE 62

Zaps: Assumptions

Assume the existence of a NIZK proof system for NP in the common random string model. For common input x, let the common random string have length ℓ := ℓ(|x|). Assume that on any input y ∉ L of length |x|, the NIZK errs with probability at most ε_nizk. Let k = k(|x|) = |ρ| and m := k/ℓ be such that

ε_nizk^{k/ℓ} ≤ ε_zap / 2^{|x|+ℓ},

where ε_zap is the desirable soundness guarantee of the zap.


Zaps: Dwork-Naor Construction

First message, V → P: Verifier sends an mℓ = k-bit string b1 . . . bk = B1 . . . Bm, where |Bj| = ℓ.

Second message, P → V: Choose C = C1 . . . Cℓ ← {0, 1}^ℓ. For j ∈ {1, . . . , m}, define σj ← Bj ⊕ C. Let zj be a (randomly chosen) second message of the NIZK that corresponds to the common random string σj. Send to the verifier (x, C, z1, . . . , zm).

Accept iff each of the m NIZKs z1, . . . , zm leads to acceptance.

SLIDE 63

DN Protocol: Soundness

Theorem. The Dwork-Naor protocol is sound.

Proof. Fix an x ∉ L and a random C = C1 . . . Cℓ. Since the Bj's are random, so are the σj's. Thus ∀j, each copy of the NIZK proof errs w.p. at most ε_nizk. Since the bi's are independent, the proofs zj are independent and thus the probability that all m = k/ℓ copies fail is at most ε_nizk^m.

The number of possible values of x ∉ L and C is at most 2^{ℓ+|x|}. Hence, if 2^{ℓ+|x|} ε_nizk^m = 2^{ℓ+|x|} ε_nizk^{k/ℓ} ≤ ε_zap (which we assumed) then

Pr_ρ[∃(x ∉ L, C, z) : φ(x, C, z) = accept] ≤ ε_zap.

In particular, there exists a ρn that provides soundness against all x ∉ Ln: ∀x ∉ Ln, φ(x, ρn, z) = reject.


DN Protocol: Witness Indistinguishability I

Theorem The Dwork-Naor protocol is WI.

SLIDE 64

DN Protocol: Witness Indistinguishability II

Proof. We provide the proof for every ρ. Thus, fix any ρ. Let ω1, ω2 be two witnesses for x ∈ L.

Hybrid argument: in Game i, ω1 is used in the first i copies of the NIZK proofs and ω2 is used in the last m − i copies. Let Di be the distribution of the second message in Game i; it only depends on the random choices made by the prover. Let T be a distinguisher between ω1 and ω2, and let T(i) denote T's output in Game i. Assume that for some j and some fixed p ∈ Z[y], Pr[T(j − 1) = 1] − Pr[T(j) = 1] ≥ 1/p(|x|). (Probability over the random choices of P and T.) We now show that the underlying NIZK (P∗, V∗) is not WI.

Let r ← {0, 1}^ℓ. Choose u ← {ω1, ω2} and give u to P∗. Let P∗ generate a proof z on witness u and common random string r. Using ω1 and ω2, construct a simulated transcript of the DN protocol as follows. Denote ρ = B1 . . . Bm, set C = r ⊕ Bj; then σj = C ⊕ Bj = r is truly random by the choice of r. For i < j, choose zi according to the witness ω1 and σi. For i > j, choose zi according to the witness ω2 and σi. Set zj ← z, which is a random message corresponding to (x, u, r). Run T on the resulting transcript Z = (z1, . . . , zm). Since r is uniformly random, C is uniformly random; thus Z is a uniformly random element of either Dj−1 (if u = ω2) or Dj (if u = ω1). Thus, T can be used to distinguish these two cases, and thus also to guess whether u = ω1 or u = ω2.


DN Protocol Is A Zap

Theorem. The Dwork-Naor protocol is a zap.

Proof. Completeness follows from the completeness of the underlying NIZK system. Soundness and WI were proven before.

SLIDE 65

Fifth Lecture: Applications/Commitments


More Applications of Σ-protocols

Aside from identification and signing, Σ-protocols are also extensively used to prove the correctness of behavior in many protocols. For example:

Blind signature/digital cash protocols
Electronic voting
Electronic auctions
. . .

SLIDE 66

Background: Commitment Schemes

Using a random value r, the prover commits to m by sending C(m; r) to V. Later, P reveals m and possibly some other information; V can verify that m is the value that was previously committed.

Hiding property: V gets no information about m from C(m; r). Computational/statistical hiding depending on whether V is computationally bounded or not.

Binding property: P cannot generate (m′, r′), m′ ≠ m in the plaintext set, s.t. C(m; r) = C(m′; r′). Computational/statistical binding depending on whether P is computationally bounded or not.


Notation

Notation: From now on, R denotes the set of all random coins (e.g., Zq). For a set Z, Z also denotes the uniform distribution on Z. G(Z) denotes the distribution that one gets by first choosing a random element z of Z and then returning the value of G(z).

Example: C(m; R) denotes the distribution that one gets by first selecting r ← R and then computing C(m; r). A(C(m; R)) denotes the distribution that one gets by first selecting x according to the distribution C(m; R) and then returning A(x).

SLIDE 67

Hiding: Formal Definition

Hiding property: V gets no information about m from C(m; R). Define two experiments Exp0 and Exp1: in Expb, A selects a message tuple (m0, m1) and obtains C(mb; R). A's task is to distinguish Exp0 from Exp1:

Adv^Hide_C(A) := | Pr[A = 1 : Exp1] − Pr[A = 1 : Exp0] |.

C is computationally hiding if no computationally bounded (i.e., PPT) A can distinguish Exp0 and Exp1 with a high probability. C is statistically hiding if the same holds even for an unbounded A.


Pseudorandom Generators

A function G from M to N, |M| ≪ |N|, such that its output on random input is indistinguishable from a random string.

Formally, we have two experiments: in Exp0, A obtains an element from N; in Exp1, A obtains an element from G(M). A's success is defined as

| Pr[A = 1 : Exp1] − Pr[A = 1 : Exp0] | = | Pr[A(N) = 1] − Pr[A(G(M)) = 1] |.

G is a PRG if any efficient A has a very small success probability. Fact: one can construct a PRG from any one-way function.

SLIDE 68

Naor: C-H Commitments from Any PRG

Let G : {0, 1}^k → {0, 1}^{3k} be a pseudorandom generator. For a bit m and s ← {0, 1}^k, define

C(m; s) := (r, G(s)) if m = 0, and (r, G(s) ⊕ r) if m = 1, where r ← {0, 1}^{3k}.

As a protocol: V selects r ← {0, 1}^{3k} and sends it to P. P selects s ← {0, 1}^k and sends the commitment to V. Opening: P sends s to V.
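The following Python is an added example of Naor's bit commitment, not code from the slides or from Naor's paper. The PRG G is stood in for by SHA-256 in counter mode stretching a k = 128-bit seed to 3k bits (an assumption of the example; the slides only require some PRG), and the last function spells out the binding condition from the next slide: the receiver's r can be opened both ways only if r = G(s1) ⊕ G(s2) for some pair of seeds.

```python
import hashlib
import secrets

K = 16   # seed length in bytes (k = 128 bits); the commitment value has 3k bits = 48 bytes


def prg(seed: bytes) -> bytes:
    """Stand-in PRG G: {0,1}^k -> {0,1}^3k, SHA-256 in counter mode (assumption of this example)."""
    if len(seed) != K:
        raise ValueError("seed must be k bits")
    out = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(2))
    return out[:3 * K]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def verifier_first_message() -> bytes:
    """V's move: r <- {0,1}^3k, sent to P before P commits."""
    return secrets.token_bytes(3 * K)


def commit(bit: int, r: bytes):
    """P's move: choose s <- {0,1}^k and send G(s) (bit 0) or G(s) xor r (bit 1).
    Returns (value sent to V, seed s kept for the opening)."""
    s = secrets.token_bytes(K)
    value = prg(s) if bit == 0 else xor(prg(s), r)
    return value, s


def open_commitment(r: bytes, value: bytes, bit: int, s: bytes) -> bool:
    """V's check of the opening (bit, s) against the value received earlier."""
    expected = prg(s) if bit == 0 else xor(prg(s), r)
    return expected == value


def is_equivocal(r: bytes, s0: bytes, s1: bytes) -> bool:
    """Binding fails only if G(s0) = G(s1) xor r, i.e. r = G(s0) xor G(s1):
    then (r, G(s0)) opens as 0 with s0 and as 1 with s1. For random r this
    happens for some pair of seeds with probability below 2^-k."""
    return xor(prg(s0), prg(s1)) == r


if __name__ == "__main__":
    r = verifier_first_message()
    value, s = commit(1, r)
    print("opens as 1:", open_commitment(r, value, 1, s), "opens as 0:", open_commitment(r, value, 0, s))
```

Hiding rests on G(s) being indistinguishable from random, so both (r, G(s)) and (r, G(s) ⊕ r) look like (r, random); binding rests only on counting, which is why it holds against an unbounded committer.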


Naor Commitment: Security

Computationally hiding: If r ← {0, 1}^{3k} is uniformly random then C(0; {0, 1}^k) = ({0, 1}^{3k}, G({0, 1}^k)) and C(1; {0, 1}^k) = {(r, G({0, 1}^k) ⊕ r) : r ← {0, 1}^{3k}} are computationally indistinguishable.

Statistically binding: If r ≠ G(s1) ⊕ G(s2) for all si then there are no strings that can arise as both commitments to 0 and to 1. The probability of the bad case is less than 2^{−k}.

SLIDE 69

Naor Commitments: Properties

Computationally hiding. Statistically binding.

Positive: Can construct from any one-way function/PRG. Some OWFs can be very efficient: e.g., use a block cipher.

Negative: Interactive: r is chosen by V. Commits only to a single bit.


Statistically Hiding Commitment from Any OWF

Naor's scheme is computationally hiding. It was shown relatively recently (Eurocrypt 2005) that one can construct a statistically hiding commitment based on any OWF. Too complicated for this course.

SLIDE 70

Pedersen’s Commitment Scheme [Pedersen, 1991]

Assume Gq is a finite cyclic group of prime order q.

Set-up: Let h be a generator of Gq. Let g ← Gq s.t. nobody knows log_g h and g ≠ 1.
Commitment: C_K(m; r) = g^m h^r mod p where r ← Zq.
Opening: Reveal m and r.

Assumes that DL is hard.

Positive: Commits to up to log2 |Gq| = log2 q bits. Non-interactive.
Negative: "Algebraic" requirement (no block ciphers).


Pedersen’s Commitment: Security Proof

Commitment: C_K(m; r) = g^m h^r mod p where r ← Zq.

Theorem. Assume that DL is hard in group Gq. Pedersen's commitment scheme is unconditionally hiding and computationally binding.

Proof. Unconditional hiding: Since r is a random element of Zq, g^m h^r is a random element of Gq, independently of the choice of m. Computational binding: Given (m; r), (m′; r′) s.t. g^m h^r = g^{m′} h^{r′} and m ≠ m′ mod q, one can compute g ← h^{(r−r′)/(m′−m)}. (This is valid since m ≠ m′, q is prime and therefore (m′ − m)^{−1} exists.) Therefore, the adversary has computed the DL of g in base h.
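As an added example (not code from the slides or from Pedersen's paper), the following Python implements the scheme and both halves of the proof: the binding reduction that turns two openings of one commitment into log_h g, and, for hiding, the observation that whoever knows t = log_h g can open any commitment to any message, which is the reason a commitment carries no information about m. The toy group p = 2039, q = 1019 and the derivation of g by hashing into the group (so that this script itself does not know log_h g) are assumptions of the example.

```python
import hashlib

# Constructed toy group (assumption, not from the slides): p = 2q + 1, p = 2039, q = 1019.
P, Q = 2039, 1019
H = 4                  # h = 2^2, a generator of the order-q subgroup of Z_p^*


def hash_to_group(label: bytes) -> int:
    """Derive g with unknown log_h g by hashing into G_q (squaring maps Z_p^* into the order-q subgroup)."""
    for i in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([i])).digest(), "big") % P
        y = pow(x, 2, P)
        if y not in (0, 1):
            return y
    raise RuntimeError("hash_to_group failed")


G = hash_to_group(b"pedersen-g")


def commit(m: int, r: int, g: int = G) -> int:
    """Pedersen commitment C_K(m; r) = g^m h^r mod p."""
    return pow(g, m % Q, P) * pow(H, r % Q, P) % P


def verify_opening(c: int, m: int, r: int, g: int = G) -> bool:
    return c == commit(m, r, g)


def extract_dlog(m1: int, r1: int, m2: int, r2: int, g: int = G) -> int:
    """The binding reduction: two openings of one commitment to m1 != m2
    yield log_h g = (r1 - r2) / (m2 - m1) mod q."""
    if commit(m1, r1, g) != commit(m2, r2, g) or (m1 - m2) % Q == 0:
        raise ValueError("need two openings of one commitment to different messages")
    return (r1 - r2) * pow((m2 - m1) % Q, -1, Q) % Q


def equivocate(m: int, r: int, m_new: int, trapdoor: int) -> int:
    """Why hiding is unconditional: with t = log_h g, r' = r + t (m - m_new)
    satisfies g^m h^r = g^m_new h^r', so every commitment is a commitment to every message."""
    return (r + trapdoor * (m - m_new)) % Q


if __name__ == "__main__":
    c = commit(5, 77)
    print("opens as (5, 77):", verify_opening(c, 5, 77), "opens as (6, 77):", verify_opening(c, 6, 77))
```

In the honest scheme nobody holds t, so `equivocate` cannot be run, while `extract_dlog` is exactly the algorithm that would solve DL if a committer ever produced two openings.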

SLIDE 71

Reminder: Σ-Protocols

Let (P, V) be a specially-sound, specially HVZK Σ-protocol that proves the knowledge of some secret unknown to the committer. In particular, the view of (P, V) is of form (a, c, z).

Special soundness: given two accepting views (a, c, z) and (a, c′, z′) one can compute the secret.

Special HVZK: one can simulate an accepting view on common input x and on any challenge c by computing the corresponding (a, z).


HVZK to Trapdoor Commitment: [Damgård, 2000]

“Auxiliary string model”: verifier has secret key sk, committer knows the corresponding public key pk. It is assumed that sk exists and that committer knows it. Trapdoor commitment: by knowing sk, verifier herself can open a commitment to different messages.

SLIDE 72

HVZK to Trapdoor Commitment: [Damgård, 2000]

Let (P, V) be a specially-sound, specially HVZK Σ-protocol that proves the knowledge of sk. In particular, the view of (P, V) is of form (a, c, z).

Commitment scheme: Let m be the message to be committed; simulate an accepting view (a, m, z) with m as the challenge. Commit: a. Decommit: output (m, z).

Binding: if the committer opens a to m′ ≠ m then, by the special soundness assumption, she can compute the secret sk.

Hiding: since the simulation is indistinguishable from the real view, and in the real protocol a does not depend on m.

Trapdoor: since V knows the secret, she can open the commitment a with any m!
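The following Python is an added example of Damgård's construction instantiated with Schnorr's Σ-protocol, not code from the slides or from Damgård's paper. The committer runs the special-HVZK simulator with the message as the challenge, the receiver checks the decommitment with the ordinary verification equation, the verifier who knows sk equivocates, and two openings of one commitment yield sk exactly as special soundness promises. The toy group (p = 2039, q = 1019, g = 4) and the convention that messages are reduced mod q are assumptions of the example.

```python
import secrets

# Constructed toy group (assumption, not from the slides): p = 2q + 1, p = 2039, q = 1019.
P, Q, G = 2039, 1019, 4


def keygen():
    """Verifier's trapdoor sk and the public key pk = g^sk that the committer uses."""
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)


def commit(pk: int, m: int):
    """Special-HVZK simulator of Schnorr's protocol with m as the challenge:
    choose z, set a = g^z pk^-m, so (a, m, z) is an accepting view. Returns (a, z)."""
    z = secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pk, Q - m % Q, P) % P
    return a, z


def verify_opening(pk: int, a: int, m: int, z: int) -> bool:
    """Receiver's check of the decommitment (m, z): g^z = a pk^m."""
    return pow(G, z, P) == a * pow(pk, m % Q, P) % P


def trapdoor_open(sk: int, m: int, z: int, m_new: int) -> int:
    """Verifier with sk opens the same a to m_new: z' = z + sk (m_new - m)."""
    return (z + sk * (m_new - m)) % Q


def extract_secret(m1: int, z1: int, m2: int, z2: int) -> int:
    """Special soundness: two openings of one a to m1 != m2 yield sk = (z1 - z2) / (m1 - m2)."""
    if (m1 - m2) % Q == 0:
        raise ValueError("openings must be to different messages")
    return (z1 - z2) * pow((m1 - m2) % Q, -1, Q) % Q


if __name__ == "__main__":
    sk, pk = keygen()
    a, z = commit(pk, 42)
    print("opens as 42:", verify_opening(pk, a, 42, z))
    print("trapdoor opening as 7:", verify_opening(pk, a, 7, trapdoor_open(sk, 42, z, 7)))
```

The commitment a = g^{z − sk·m} is a uniformly random group element whatever m is, which is the hiding argument in one line; binding for the committer is the hardness of the discrete logarithm sk.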


Application: Joint Coin Tossing

Alice and Bob want to decide on something by tossing a coin over a phone. How to do this securely?

Solution:
Alice commits to a random bit bA ← {0, 1}, and sends C(bA; r) to Bob.
Bob selects a random bit bB ← {0, 1} and sends it to Alice.
Alice decommits bA.
Alice and Bob compute the coin toss as bA ⊕ bB.

Alice can refuse to open her message when she does not like Bob's. Partially solved with fair exchange protocols.

SLIDE 73

Meta-application: Artificial Synchronicity

In real life, protocols are asynchronous; no two messages are received simultaneously. It is easier to design secure protocols in the synchronous setting.

Simulate synchronicity: Alice commits to her message, Bob sends his, Alice opens hers. Alice's and Bob's messages are independent.

Alice can refuse to open her message when she does not like Bob's. Partially solved with fair exchange protocols.


HVZK: Protocols about Commitments

Pedersen commitment scheme. Proof that P knows how to open y = C(µ; ρ) = g^µ h^ρ:

P: n ← Zq, s ← Zq, a ← g^n h^s. P → V: a.
V: c ← {0, 1}^80. V → P: c.
P: z ← cµ + n, v ← cρ + s. P → V: (z, v).
V checks: g^z h^v = a y^c.

SLIDE 74

Commitment + Σ-Protocol ⇒ ZK

Design a 3-round Σ-protocol between P and V: P sends the first and the third messages, V sends a random string in the second round.

In practice, it is hard to guarantee that V does not cheat (i.e., that c is really random and independent of P's first message). Solution:
  • V selects his challenge c and commits to it before seeing P's first message
  • P then sends her first message, V opens his commitment, and P sends her second message

Proof idea: Σ was HVZK and c does not depend on P's messages, so any verifier that opens its commitment behaves like an honest one.


Simple POK: c1, c2 Commit to Same Value

Recall Pedersen: C(m; r) = g^m h^r. Want to prove in HVZK that c1 and c2 commit to the same value. How?


Simple POK: c1, c2 Commit to Same Value

If c1 and c2 commit to the same value then c1/c2 commits to zero. P proves that c1/c2 is a commitment of 0, i.e., that he knows log_h(c1/c2). Assume ci = g^m h^{ri}, so c1/c2 = h^{r1 − r2}. Use Schnorr's protocol for knowledge of the DL of c1/c2 in base h:

  P: s ← Z_q, a ← h^s; sends a to V
  V: c ← {0, 1}^80; sends c to P
  P: z ← c(r1 − r2) + s (mod q); sends z to V
  V: accepts iff h^z = a · (c1/c2)^c
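The commitment-based coin toss, the Σ-protocol for opening a Pedersen commitment, the commit-to-the-challenge transformation and the equality-of-committed-values proof above, implemented end to end as an added example (this is not code from the original slides). It assumes a toy Schnorr group p = 2039, q = 1019 with G = 4 and H = 9 generating the order-q subgroup, draws challenges from Z_q instead of {0, 1}^80, and all function names are ours.

```python
import secrets

# Toy Pedersen setup (assumption for this example): p = 2q + 1 with p, q prime;
# G = 4 and H = 9 both generate the order-q subgroup of Z_p^*. Real deployments
# use a ~256-bit q and an H whose discrete log base G nobody knows; here
# log_G(H) is brute-forceable, so binding only holds against a lazy adversary.
P, Q, G, H = 2039, 1019, 4, 9


def commit(m, r=None):
    """Pedersen commitment C(m; r) = G^m H^r mod p; returns (C, r)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P, r


def open_ok(c, m, r):
    """Receiver's check of an opening (m, r)."""
    return commit(m, r)[0] == c


def coin_toss(b_a, b_b):
    """Joint coin tossing: Alice commits, Bob answers, Alice opens, both XOR."""
    c, r = commit(b_a)               # Alice -> Bob: C(b_a; r)
    # Bob -> Alice: b_b, chosen without knowing b_a
    if not open_ok(c, b_a, r):       # Alice -> Bob: (b_a, r); Bob verifies
        raise ValueError("Alice's opening does not match her commitment")
    return b_a ^ b_b


# Sigma-protocol: P knows an opening (mu, rho) of y = C(mu; rho).
def pok_commit():
    """P's first message a = G^n H^s plus the state needed for the response."""
    n, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, n, P) * pow(H, s, P) % P, (n, s)


def pok_respond(state, c, mu, rho):
    """P's third message (z, v) = (c*mu + n, c*rho + s) mod q."""
    n, s = state
    return (c * mu + n) % Q, (c * rho + s) % Q


def pok_verify(y, a, c, z, v):
    """V accepts iff G^z H^v = a * y^c."""
    return pow(G, z, P) * pow(H, v, P) % P == a * pow(y, c, P) % P


def pok_simulate(y):
    """HVZK simulator: an accepting transcript for y built without any opening."""
    c, z, v = (secrets.randbelow(Q) for _ in range(3))
    a = pow(G, z, P) * pow(H, v, P) * pow(pow(y, c, P), -1, P) % P
    return a, c, z, v


def zk_prove_opening(y, mu, rho):
    """Commitment + Sigma-protocol => ZK: V commits to c before seeing a."""
    c = secrets.randbelow(Q)
    cc, rc = commit(c)                     # V -> P: C(c; rc)
    a, state = pok_commit()                # P -> V: a
    if not open_ok(cc, c, rc):             # V -> P: (c, rc); P checks V's opening
        return False
    z, v = pok_respond(state, c, mu, rho)  # P -> V: (z, v)
    return pok_verify(y, a, c, z, v)


# Sigma-protocol: c1 and c2 commit to the same value. Then c1/c2 = H^(r1 - r2),
# so P runs Schnorr's protocol for log_H(c1/c2). The honest verifier's challenge
# is generated in place (or passed in, to make a transcript reproducible).
def equality_proof(c1, r1, c2, r2, c=None):
    d = c1 * pow(c2, -1, P) % P            # both sides compute c1/c2
    s = secrets.randbelow(Q)
    a = pow(H, s, P)                       # P -> V
    c = secrets.randbelow(Q) if c is None else c   # V -> P
    z = (c * (r1 - r2) + s) % Q            # P -> V
    return d, a, c, z


def equality_verify(d, a, c, z):
    """V accepts iff H^z = a * (c1/c2)^c."""
    return pow(H, z, P) == a * pow(d, c, P) % P
```

The opening proof is split into `pok_commit`/`pok_respond` so that the challenge really arrives between P's two messages; `zk_prove_opening` shows the one extra round (V's commitment to c) that turns the honest-verifier property into zero-knowledge against any verifier.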


Another POK: c1 And c2 Commit to Different Values

Complementary idea: prove that c1/c2 = g^{m1−m2} h^{r1−r2} does not commit to 0, i.e., that c1/c2 = g^m h^r for non-zero m. P chooses s ← Z_q and sends C1 ← (c1/c2)^s = g^{m·s} h^{r·s} and C2 ← h^{r·s} to V. In parallel, P and V engage in an HVZK POK that P knows (α, β, γ) such that C1 = (c1/c2)^α, C1 = g^β h^γ and C2 = h^γ. Verifier accepts iff the HVZK POK accepts and C1 ≠ C2 (with m ≠ 0 and s ≠ 0, C1/C2 = g^{m·s} ≠ 1).

Problem: Prove that it is special HVZK, special sound and complete.


Back to the past: 3COL

Simpler ZK proof for 3COL: the prover commits to the colors of all vertices. For every edge, she proves in ZK that
  • the two vertex colors are valid (each is one of the three colors)
  • the two vertex colors are different

Problem: Write down a precise protocol and a precise proof of security. What are the underlying computational assumptions? Compare it with the proof from the first lecture.


Composition of ZK

Sequential composition: if A proves to B in ZK that Φ1 is true and, after its end, C proves to D in ZK that Φ2 is true, then the whole system is ZK (since the first proof is ZK, it does not reveal any information).

What about parallel composition? Common attack: man-in-the-middle. If A proves that Φ1 is true to B, then M acts in the middle, modifying A's messages suitably and interacting with B so that B believes that M can prove that Φ1 or some related claim is true.

Not every ZK protocol is composable.


Where Can MIM Be Bad?

Assume a hypothetical (sealed-bid) e-auction protocol where first every user commits to his/her bid bi. Then the auctioneer commits to the database of all bids bi. Then all bidders open their commitments and the auctioneer decides the winner. Not secure: you can copy the bids of other bidders. In the case of Pedersen's commitments, you can compute from C(bi) the value C(bi + 1) without knowing bi (multiply by g). Solution 1: let everybody prove in ZK that they know what they bid. Problem 2: as we show next, just ZK is not sufficient.


MIM Attack: Example

P proves that he knows the DL ω of h = g^ω:

  P: r ← Z_q, a := g^r; sends a to V
  V: c ← {0, 1}^80; sends c to P
  P: z ← cω + r (mod q); sends z to V
  V: accepts iff g^z = a · h^c

Man-in-the-middle V: V forwards a to V′. After receiving c from V′, V forwards it to P. After receiving z from P, V forwards z + c to V′. Since g^{z+c} = a · h^c · g^c = a · (hg)^c, V′ is convinced that V knows DL(g^{ω+1}) = DL(hg)!
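An added example (not part of the slides) of the relay attack above: an honest Schnorr prover, an honest run, the man-in-the-middle run that turns P's transcript into a proof for h · g^δ (the slide's case is δ = 1; the code generalises to any δ), and the HVZK simulator that explains why the transcript alone gives V nothing to work with. The toy group parameters and the names are assumptions.

```python
import secrets

# Toy Schnorr group (assumption for the example, not a real-world size):
# p = 2q + 1 with p, q prime; G generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4


class Prover:
    """Honest Schnorr prover for knowledge of omega with h = G^omega."""

    def __init__(self, omega):
        self.omega = omega
        self.h = pow(G, omega, P)

    def first_message(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)                 # a = G^r

    def respond(self, c):
        return (c * self.omega + self.r) % Q     # z = c*omega + r


def verify(h, a, c, z):
    """V accepts iff G^z = a * h^c (the check on the slide)."""
    return pow(G, z, P) == a * pow(h, c, P) % P


def honest_run(prover):
    a = prover.first_message()
    c = secrets.randbelow(Q)        # challenge from Z_q instead of {0,1}^80
    return verify(prover.h, a, c, prover.respond(c))


def mim_run(prover, delta=1):
    """Man-in-the-middle V relays P's proof to V' as a proof for
    h' = h * G^delta = G^(omega + delta), knowing neither omega nor delta's DL
    companion. delta = 1 is the slide's attack; any delta in Z_q works."""
    h_prime = prover.h * pow(G, delta, P) % P
    a = prover.first_message()      # P -> V, forwarded unchanged to V'
    c = secrets.randbelow(Q)        # V' -> V, forwarded unchanged to P
    z = prover.respond(c)           # P -> V
    # V -> V': G^(z + c*delta) = a * h^c * G^(c*delta) = a * h'^c
    z_prime = (z + c * delta) % Q
    return verify(h_prime, a, c, z_prime)


def simulate(h):
    """HVZK simulator: an accepting (a, c, z) for h built without omega,
    by choosing c and z first and solving for a."""
    c, z = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pow(h, c, P), -1, P) % P
    return a, c, z
```

Note that the relay never decrypts, extracts or guesses anything: the Σ-protocol's linear response is what lets V shift the statement, which is exactly the malleability the next slide names.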


Non-Malleable ZK

A protocol is non-malleable if in any man-in-the-middle situation between prover A and honest verifier B there exists a simulator S that can simulate the view of honest B interacting with the man-in-the-middle M, without communicating with A. The previous slide showed that Schnorr's proof is malleable. Even simpler: the previous proof that (g, g^a, g^b, g^ab) is a DDH tuple is not non-malleable: based on it, M can generate, say, a proof that he knows the DL of g^a.


Non-Malleable ZK

Current NMZK protocols are extremely inefficient: a promising area of research (papers in FOCS, STOC, 2005)


Non-Malleable NIZK

NIZK: no interaction, thus non-malleability has to be defined differently. Basic idea: Π is a non-malleable NIZK for claim Φ if, after seeing Π, an efficient adversary does not gain any power to prove any new claims, except presenting the string Π itself to prove Φ. This is a very strong requirement: if Πi = (ai, H(ai), zi) is a NIZK for Φi, then Π = (a1, a2; H(a1, a2); z1, z2) is a NIZK for Φ1 ∧ Φ2. But given Π, one can often easily construct Πi by reprogramming H! See [Sahai, 1999] (NIZK in the CRS model).


Sixth Lecture: Homomorphic Protocols

For a simple handout of the corresponding lecture at MIT, see http://web.mit.edu/6.857/OldStuff/Fall02/handouts/L15-voting.pdf


Recap

Thus far, we have seen what zero-knowledge protocols are. Big promise: they can be applied "everywhere". Examples up to now:
  • Signature schemes
  • Identification protocols
  • Joint coin tossing (well, this one didn't use ZK)

This lecture: some concrete protocols.


Simple Example: Veto

Assume Alice and Bob have to decide on some issue. Vetoing: the decision is taken only if everybody supports it. Privacy: a minimal amount of information about the votes should be leaked.

  • If Alice votes for, then the result equals Bob's vote ⇒ Bob's privacy cannot be protected here
  • If Alice votes against, then the result is "no" independently of Bob's input ⇒ Alice should get no information about Bob's vote


Mathematical Formulation: Veto = AND

Assume the private inputs are bA and bB. The common output must be f(x, y) := x ∧ y. Nothing else than f(x, y) should become public. In the general case, every party can have a different private output fi(x1, ..., xn). Then the task is: given private inputs bi, party i should learn fi(b1, ..., bn) and nothing else.


Homomorphic Encryption

Assume Π = (G, E, D) is a homomorphic public-key cryptosystem, such that
  • (sk, pk) ← G is the key generation
  • Epk(m; r) = c is the randomized encryption algorithm
  • Dsk(c) = m is the decryption algorithm, and Dsk(Epk(m; r)) = m for all m, r and (sk, pk) ∈ G
  • Dsk(Epk(m1; r1) · Epk(m2; r2)) = m1 + m2 for every m1, m2, r1, r2, where + is defined in some additive group (the plaintext group)
  • Π is IND-CPA secure (defined later)


Homomorphic Encryption

Denote by M the set of valid plaintexts, by R the set of valid random coins and by C the set of valid ciphertexts. All three sets can depend on (sk, pk). Rerandomization: for any m and r, Epk(m; r) · Epk(0; R) is distributed as Epk(m; R), i.e., multiplying by a fresh encryption of 0 makes the ciphertext independent of the original coins r.


Homomorphic Encryption: Basic Properties

  • Dsk(Epk(m1; r1) · Epk(m2; r2)) = m1 + m2 (by definition). Computing an encryption of m1 + m2 does not need knowledge of m1 or m2.
  • For m ∈ M and α ∈ Z_{|M|}, Dsk(Epk(m; r)^α) = α · m (by definition of exponentiation). Intuitively, somebody has to know α to compute Epk(α · m). If M is multiplicative then Dsk(Epk(m; r)^α) = m^α.
  • Given encryptions Epk(ft), ..., Epk(f0) of the coefficients, one can compute an encryption of f(x) = ft x^t + ft−1 x^{t−1} + ··· + f1 x + f0 at an arbitrary point x as follows:
      Epk(f(x)) = Epk(ft)^{x^t} · Epk(ft−1)^{x^{t−1}} · ··· · Epk(f1)^x · Epk(f0).
    If M is multiplicative then the same product decrypts to ft^{x^t} · ft−1^{x^{t−1}} · ··· · f1^x · f0.


ElGamal Encryption

Assume a cyclic group Gq of prime order q. Let g be its generator.
  • G: let sk ← Z_q and pk := h = g^sk.
  • Encryption of message m ∈ Gq: generate random r ← Z_q and compute Epk(m; r) := (m h^r, g^r).
  • Decryption of ciphertext c = (c1, c2) ∈ Gq²: set Dsk(c1, c2) := c1 / c2^sk.

Correctness: Dsk(Epk(m; r)) = Dsk(m h^r, g^r) = m h^r / (g^r)^sk = m (g^sk)^r / (g^sk)^r = m.

Homomorphism in the group Gq (e.g., a multiplicative subgroup of Z_p^* with q | (p − 1), or an elliptic curve group) where DL is assumed to be hard:
  Epk(m1; r1) · Epk(m2; r2) = (m1 m2 h^{r1+r2}, g^{r1+r2}) = Epk(m1 · m2; r1 + r2).


IND-CPA Security

Assume Π = (G, E, D) is a PKC. Let A be an efficient adversary.
  Experiment 1: Set (sk, pk) ← G. Send pk to A. Obtain (m1, m2) ← A(pk). Output Epk(m1; r) for r ← R.
  Experiment 2: Set (sk, pk) ← G. Send pk to A. Obtain (m1, m2) ← A(pk). Output Epk(m2; r) for r ← R.

Advantage of A:
  Adv^{indcpa}_Π(A) := | Pr[A = 1 : Exp1] − Pr[A = 1 : Exp2] |.

Π is IND-CPA secure if no efficient A has non-negligible Adv^{indcpa}_Π(A).


ElGamal Is IND-CPA Secure

Theorem: Assume that DDH is hard in Gq. Then ElGamal is IND-CPA secure.

Remark: in the case of homomorphic cryptosystems, (m1, m2) do not have to be chosen by A. Given any (m′1, m′2) and an Epk(m′b; ·), he can first transform it to Epk(mb; ·) by using affine operations, and then continue with this value.

We will prove that ElGamal is secure in the next sense: one cannot efficiently distinguish between random encryptions of 1 and random encryptions of a random element of M. It is a well-known but not completely trivial fact that this security notion is polynomially equivalent to IND-CPA.


ElGamal Is IND-CPA Secure I

First part. Assume that A can break the "weak" IND-CPA security with some probability. Construct the next DDH distinguisher D. D is given a quadruple (g1, g2, g3, g4), where g2 ← g1^x, g3 ← g1^y for random x and y, and either g4 ← g1^{xy} or g4 ← g1^z for random z.

First note that in the case of ElGamal, if (c1, c2) = (m h^r, g^r) = Epk(m; r) then (g, h, c2, c1) is a DDH tuple iff m = 1. Thus, with g1 as generator and g2 as public key, (g4, g3) is either a random encryption of 1 or a random encryption of a random element of M.


ElGamal Is IND-CPA Secure I

Continuation. Now, D hands to A g1 as the generator and g2 as the public key. D hands (c1, c2) := (g4, g3) to A. (Recall that (c1, c2) is a random encryption of 1 or of a random element from M.) A returns b′ ∈ {1, 2} (a guess of which experiment is running). D returns b′. Note that D got a DDH tuple iff (g4, g3) is an encryption of 1, and thus D has the same success in breaking DDH as A has in breaking the "weaker" version of IND-CPA. D is a very lazy distinguisher!


Paillier’s Encryption

G:
  • Generate two independent random large prime numbers p and q
  • Set n = pq and λ = lcm(p − 1, q − 1) (least common multiple)
  • For the function L(u) := (u − 1)/n, define µ := (L((n + 1)^λ mod n²))^{−1} mod n
  • The public key is pk = n, the private key is sk = (λ, µ)

Encryption of m ∈ Z_n with pk = n: select random r ← Z*_{n²} and compute c ← (n + 1)^m r^n mod n².

Decryption of c ∈ Z*_{n²} with sk = (λ, µ): set m ← L(c^λ mod n²) · µ mod n.


Correctness of Paillier Decryption

For sk = (λ, µ) and pk = n,
  Dsk(Epk(m; r)) = Dsk((n + 1)^m r^n mod n²) = L((n + 1)^{λm} r^{λn} mod n²) · µ mod n = L((n + 1)^{λm} r^{λn} mod n²) / L((n + 1)^λ mod n²) (mod n).
But now (n + 1)^x ≡ xn + 1 (mod n²) (by the binomial theorem). Also r is from Z*_{n²}, a group of order n(p − 1)(q − 1) whose exponent is λ(n²) = nλ; in particular r^{λn} ≡ 1 (mod n²). Thus
  Dsk(Epk(m; r)) ≡ L(λmn + 1) / L(λn + 1) = λm / λ ≡ m (mod n).


Paillier: Homomorphism

Clearly,
  Epk(m1; r1) · Epk(m2; r2) ≡ (1 + n)^{m1} r1^n · (1 + n)^{m2} r2^n ≡ (1 + n)^{m1+m2} (r1 r2)^n ≡ Epk(m1 + m2; r1 · r2) (mod n²).
Thus the Paillier cryptosystem is additively homomorphic: plaintexts add in Z_n while ciphertexts multiply in Z*_{n²}. Important since computing the DL in base (1 + n) modulo n² (i.e., subtracting 1 and dividing by n, which is what L does) is easy.


Security of Paillier

Recall: x is an n-th residue modulo n² iff there exists a y such that y^n ≡ x (mod n²).

Definition (Decisional Composite Residuosity Assumption): it is hard to distinguish a random n-th residue from a random n-th non-residue modulo n². Equivalent (with small error): distinguish a random n-th residue from a random element of C = Z*_{n²}.


Security of Paillier

Theorem: Assume that DCRA holds. Then Paillier is IND-CPA secure.

Sketch. Idea: a random encryption of 0 is a random n-th residue; a random encryption of a random element of M is a random element of C. The proof goes along the same lines as the security proof of ElGamal.


Back to Veto. . .

Simplify: two parties, and assume the parties follow the protocol. Alice and Bob need to compute bA ∧ bB. Idea:
  • Alice (who holds sk) sends Epk(bA; rA), rA ← R, to Bob
  • Bob computes c ← Epk(bA; rA)^{bB} · Epk(0; rB) (Epk(1; rB) for ElGamal, whose plaintext group is multiplicative), and sends it to Alice
  • Alice decrypts c and sends the result to Bob

Correctness (Paillier): Dsk(c) = bA bB = bA ∧ bB if bA and bB are Boolean.

Correctness (ElGamal): assume that Alice codes "no" by 1 ∈ M and "yes" by some other element of M, and Bob codes "no" by 0 ∈ Z_q and "yes" by some other element of Z_q. Then Dsk(c) = bA^{bB} in Gq. Thus if bA = 1 or bB = 0 then Dsk(c) = 1, otherwise Dsk(c) ≠ 1.


Seventh Lecture: Security of Two-Party Protocols


Recap: Why Paillier Works?

Carmichael function: λ(p^k) = p^{k−1}(p − 1) for p ≥ 3 or k ≤ 2, λ(2^k) = 2^{k−2} for k ≥ 3, and λ(p1^{k1} ··· pt^{kt}) = lcm(λ(p1^{k1}), ..., λ(pt^{kt})).

Theorem (Carmichael): If gcd(a, n) = 1 then a^{λ(n)} ≡ 1 (mod n). (The full proof is 6+ pages.)

Recall n = pq and λ := lcm(p − 1, q − 1). Why r^{λn} ≡ 1 (mod n²)? First, λ(n²) = λ(p²q²) = lcm(λ(p²), λ(q²)) = lcm(p(p − 1), q(q − 1)) = pq · lcm(p − 1, q − 1) = n · lcm(p − 1, q − 1) = nλ. By Carmichael's theorem, r^{nλ} ≡ r^{λ(n²)} ≡ 1 (mod n²).


Security of Veto Protocol

The previous veto protocol is secure if Alice and Bob follow the protocol. What if they do not?
  • Alice/Bob can answer "yes" instead of "no" and vice versa: can't protect against it... and why should we?
  • Alice/Bob can "halt" at some point: hard to protect against... (fair exchange)
  • Alice/Bob can do something else incorrectly


Attacks on Veto Protocol

  • (With Paillier:) Alice encrypts a value not in {0, 1}
  • Bob sends to Alice any message (that can depend on Alice's message)
  • Alice sends an incorrect message to Bob
  • Alice/Bob halt at some point


Security of Two-Party Computations

We saw that parties can do at least three different kinds of attacks: input substitution, halting, and some other incorrect operation during their step. We said that the first two attacks cannot be avoided, but why?


Paradigm of Real/Ideal World

What was the functionality of the veto protocol? Alice and Bob obtain bA ∧ bB and nothing else. Functionality, written down in a more formal setting: assume there is a TTP Trent. In the ideal world, Alice and Bob hand their inputs to Trent. Trent returns their corresponding outputs to Alice and Bob. This is clearly what we want to achieve: we cannot protect against attacks that also exist in the ideal world. Caveat! This model is not yet precise.


Real/Ideal World: Synchronicity

The previous ideal world is too ideal: in the real model one of the two parties can halt the protocol after getting his or her private output. E.g., Alice can halt the protocol after receiving bA ∧ bB. Correction to the model: in the ideal model, Alice and Bob hand their inputs to Trent. Trent returns her output to Alice. Alice can then send a special "halt" command to Trent. If Trent receives it, he does nothing. Otherwise Trent sends Bob his output.

(One can always exchange the roles of Alice and Bob.)


Attacks Possible in Ideal Model

  • Alice or Bob forwards a wrong input to Trent
  • Alice sends "halt" to Trent, so Bob gets no output

A real-model protocol can be insecure w.r.t. these two attacks. All other attacks should be impossible. But how to define it?


Defining Secure Two-Party Computation

Syntax/functionality: define the legal inputs of Alice and Bob, and define the private outputs of Alice and Bob. This defines the ideal model.

Definition (Security): A protocol is secure if, given any two parties A1 and A2 executing it such that Ai is semihonest for some i ∈ {1, 2}, there exists a pair (A′1, A′2) with A′i = Ai, executing the functionality in the ideal model, such that the joint view distributions of the parties in the real and ideal model are computationally indistinguishable.


Defining Secure Two-Party Computation

Definition (Security, equivalent): A protocol is secure if, given any two parties A1 and A2 executing it such that Ai is semihonest for some i ∈ {1, 2}, there exists a simulator Sim that, given only the value fi(b1, b2), can simulate the view of A3−i in the protocol without interacting with Ai.

Theorem: The two definitions of security are equivalent. (See [Goldreich, 2004].)


Security of Veto-Paillier in Semihonest Model

Recall: Alice sends c1 ← Epk(bA; R) to Bob, Bob returns c2 ← c1^{bB} · Epk(0; R), Alice sets oA ← Dsk(c2) and sends oA to Bob.

This protocol is secure only if both parties are semihonest. Sketch: Bob sees one ciphertext c1. If Paillier is IND-CPA secure then he cannot guess bA. Alice sees Epk(bA bB; R), a fresh random encryption of her own output. Thus even if Alice is omnipotent, she cannot violate the privacy of Bob.

Problem: Construct the simulators.


Security of Veto-Paillier in Malicious Model

  • First round: Alice can send a value b′A ∉ {0, 1}. Make Alice prove in ZK that b′A ∈ {0, 1}.
  • Second round: Bob can send a value that is not equal to c1^{bB} · Epk(0; R) for some bB ∈ {0, 1}. Make Bob prove in ZK that c2 = c1^{bB} · Epk(0; R) for some bB ∈ {0, 1}.
  • Third round: Alice can forward a value that is not equal to the decryption of c2. Make Alice prove in ZK that oA = Dsk(c2).


Another Example: Secure Scalar Product

Alice has a vector (x1, ..., xm) ∈ {0, 1}^m, Bob has a vector (y1, ..., ym) ∈ {0, 1}^m. Functionality: Alice obtains Σ_{i=1}^m xi · yi. For simplicity, assume Bob has no private output.

Protocol (with Paillier):
  • Alice generates a new key pair (sk, pk) ← G, and sends (c1, ..., cm), where ci ← Epk(xi; R), to Bob
  • Bob responds with c ← Π_{i=1}^m ci^{yi} · Epk(0; R)
  • Alice decrypts c

Malicious model: add ZK proofs.
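Paillier exactly as specified in the sixth lecture, the semihonest veto (AND) protocol and the scalar product protocol above, plus the input-substitution attack a malicious Alice mounts when nobody forces her to prove xi ∈ {0, 1}. This is an added example, not code from the slides; the toy key built from two Mersenne primes and all function names are assumptions.

```python
import secrets
from math import gcd

# Toy Paillier primes (assumption for this example): two Mersenne primes.
# Real keys use two ~1536-bit primes; these only keep the demo fast.
P_PRIME, Q_PRIME = 2**31 - 1, 2**61 - 1


def keygen(p=P_PRIME, q=Q_PRIME):
    """pk = n, sk = (lambda, mu, n) with lambda = lcm(p-1, q-1), mu = L((n+1)^lambda)^-1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    L = lambda u: (u - 1) // n                      # L(u) = (u - 1) / n
    mu = pow(L(pow(n + 1, lam, n * n)), -1, n)
    return (lam, mu, n), n


def enc(n, m, r=None):
    """E_pk(m; r) = (n+1)^m r^n mod n^2 with r <- Z*_{n^2}."""
    n2 = n * n
    while r is None or gcd(r, n2) != 1:
        r = secrets.randbelow(n2)
    return pow(n + 1, m % n, n2) * pow(r, n, n2) % n2


def dec(sk, c):
    """D_sk(c) = L(c^lambda mod n^2) * mu mod n."""
    lam, mu, n = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(n, c1, c2):        # E(m1) * E(m2) = E(m1 + m2)
    return c1 * c2 % (n * n)


def scale(n, c, k):        # E(m)^k = E(k * m)
    return pow(c, k, n * n)


def rerandomize(n, c):     # E(m; r) * E(0; r') = E(m; r r')
    return add(n, c, enc(n, 0))


def veto(b_a, b_b):
    """Semihonest two-party AND: Alice learns b_a * b_b, Bob sees one ciphertext."""
    sk, pk = keygen()
    c1 = enc(pk, b_a)                            # Alice -> Bob
    c2 = rerandomize(pk, scale(pk, c1, b_b))     # Bob -> Alice: c1^bB * E(0)
    return dec(sk, c2)                           # Alice decrypts (and tells Bob)


def scalar_product(xs, ys):
    """Alice learns sum(x_i * y_i); Bob replies with prod c_i^{y_i} * E(0)."""
    sk, pk = keygen()
    cs = [enc(pk, x) for x in xs]                # Alice -> Bob
    acc = enc(pk, 0)                             # Bob: accumulator, rerandomized
    for c, y in zip(cs, ys):
        acc = add(pk, acc, scale(pk, c, y))
    return dec(sk, acc)                          # Alice


def input_substitution_attack(ys):
    """Malicious Alice sends x_i = 2^i instead of bits: the single output
    sum(2^i * y_i) spells out Bob's whole vector. This is the attack the ZK
    proofs of x_i in {0, 1} rule out in the malicious model."""
    total = scalar_product([1 << i for i in range(len(ys))], ys)
    return [(total >> i) & 1 for i in range(len(ys))]
```

`scalar_product` never checks Alice's plaintexts, which is the point: the semihonest analysis holds, and `input_substitution_attack` is what it costs when Alice deviates.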


Oblivious Transfer: Definition

Bob has a database (b1, ..., bm), Alice has an index i ∈ {1, ..., m}. Alice retrieves bi; Bob obtains no output.

A fundamental primitive:
  • As we will see later, one can base any two-party protocol on oblivious transfer
  • Independent applications from secure databases to ...


AIR OT Protocol by [Aiello et al., 2001]

Let Π = (G, E, D) be a homomorphic cryptosystem where q := |M| is a large prime. The only known such cryptosystem is ElGamal with M = Gq. Thus we also need to map an index i to a group element; we have chosen the map i → g^i for a generator g ∈ Gq. We also need to assume that the bj are group elements.


OT Protocol by [Aiello et al., 2001]: Description

  • Alice: create (sk, pk) ← G. Send pk and c ← Epk(g^i; R) to Bob.
  • Bob, for every j ∈ {1, ..., m}: send to Alice cj ← (c / Epk(g^j; R))^{Z_q} · Epk(bj; R), where the exponent is a fresh random element of Z_q.
  • Alice recovers bi ← Dsk(ci).


OT Protocol by [Aiello et al., 2001]: Correctness

  Dsk(cj) = Dsk( (c / Epk(g^j; R))^{Z_q} · Epk(bj; R) ),
where c = Epk(g^i; R), so c / Epk(g^j; R) = Epk(g^{i−j}; R), (c / Epk(g^j; R))^{Z_q} = Epk(g^{Z_q(i−j)}; R), and multiplying by Epk(bj; R) gives Epk(g^{Z_q(i−j)} · bj; R). Hence
  Dsk(cj) = Dsk(Epk(g^{Z_q(i−j)} · bj; R)) = g^{Z_q(i−j)} · bj.


OT Protocol by [Aiello et al., 2001]: Correctness

Dsk(cj) = Dsk(Epk(g^{Z_q(i−j)} · bj; R)) = g^{Z_q(i−j)} · bj. If i = j then g^{Z_q(i−j)} = g^{Z_q·0} = 1 and thus Dsk(ci) = 1 · bi = bi. For i ≠ j, g^{i−j} ≠ 1 is a generator of Gq. A generator to a random power from Z_{|Gq|} is a random element of Gq, thus g^{Z_q(i−j)} is a random element of Gq, and so is Dsk(cj) = (random element) · bj, since a random element times a fixed element is a random element. Thus
  Dsk(cj) = bi if j = i, and a random element of Gq if j ≠ i.
(This holds even if i ∉ {1, ..., m}: then every cj decrypts to a random element.)
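ElGamal with its multiplicative homomorphism (sixth lecture) and the AIR oblivious transfer built on it (description and correctness above), as an added example that is not part of the slides. It assumes the toy group p = 2039, q = 1019, g = 4, database entries that are already elements of Gq, and draws Bob's blinding exponent from Z_q \ {0} rather than Z_q: the one caveat the slides gloss over is that a zero exponent would hand Alice bj in the clear. Function names are ours.

```python
import secrets

# Toy group (assumption for this example): p = 2q + 1 with p, q prime; G
# generates the order-q subgroup Gq of Z_p^*. Messages must be elements of Gq.
P, Q, G = 2039, 1019, 4


def keygen():
    sk = secrets.randbelow(Q)
    return sk, pow(G, sk, P)                      # pk = h = G^sk


def enc(pk, m, r=None):
    """E_pk(m; r) = (m h^r, G^r) for m in Gq."""
    r = secrets.randbelow(Q) if r is None else r
    return m * pow(pk, r, P) % P, pow(G, r, P)


def dec(sk, c):
    """D_sk(c1, c2) = c1 / c2^sk."""
    c1, c2 = c
    return c1 * pow(pow(c2, sk, P), -1, P) % P


def mul(c, d):             # E(m1) * E(m2) = E(m1 * m2)
    return c[0] * d[0] % P, c[1] * d[1] % P


def div(c, d):             # E(m1) / E(m2) = E(m1 / m2)
    return c[0] * pow(d[0], -1, P) % P, c[1] * pow(d[1], -1, P) % P


def power(c, k):           # E(m)^k = E(m^k)
    return pow(c[0], k, P), pow(c[1], k, P)


def rerandomize(pk, c):    # E(m; r) * E(1; r') = E(m; r + r')
    return mul(c, enc(pk, 1))


def encode_index(i):       # the slides' map i -> g^i
    return pow(G, i, P)


def air_query(i):
    """Alice: fresh key pair and c = E_pk(g^i; R)."""
    sk, pk = keygen()
    return sk, pk, enc(pk, encode_index(i))


def air_answer(pk, c, db):
    """Bob: c_j = (c / E(g^j))^{t_j} * E(b_j) for every j, t_j <- Z_q \\ {0}.
    With t_j = 0 the blinding would vanish and c_j would be E(b_j) itself."""
    answers = []
    for j, b_j in enumerate(db, start=1):
        t_j = 1 + secrets.randbelow(Q - 1)
        blinded = power(div(c, enc(pk, encode_index(j))), t_j)
        answers.append(mul(blinded, enc(pk, b_j)))
    return answers


def air_recover(sk, i, answers):
    """Alice: b_i = D_sk(c_i); every other c_j decrypts to g^{t_j (i-j)} b_j,
    a random element of Gq that reveals nothing about b_j."""
    return dec(sk, answers[i - 1])


def air_transfer(i, db):
    sk, pk, c = air_query(i)
    return air_recover(sk, i, air_answer(pk, c, db))
```

Bob's side is m ElGamal exponentiations and m fresh encryptions; nothing Bob does depends on i, which is Alice's privacy, and Alice can only remove the blinding on the one j where i − j ≡ 0.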


Eighth Lecture: OT Continues


OT: Security Definitions

Standard security: as previously, comparison to the ideal model. The AIR protocol is not secure in this sense.
"Relaxed security"/Privacy: only require privacy for Alice.

Alice's security: the distributions of Alice's messages corresponding to any two indices i and j are the same / computationally indistinguishable.
Bob's security: comparison with the ideal model.


AIR OT Protocol: Reminder

Alice does: Create (sk, pk) ← G. Send pk and c ← E_pk(g^i; R) to Bob.
Bob does for every j ∈ {1, . . . , m}: Send to Alice c_j ← (c/E_pk(g^j; R))^{Z_q} · E_pk(b_j; R) (the exponent denotes a fresh random element of Z_q).
Alice recovers b_i ← D_sk(c_i).

SLIDE 99

AIR Is “Relaxed” Secure

Proof. Alice's security: the distribution of messages corresponding to i/j is E_pk(g^i; R)/E_pk(g^j; R). Assuming that Π is IND-CPA secure, Bob cannot distinguish those distributions.
Bob's security: the claim is that Bob is secure against unbounded adversaries. Therefore we can also construct an unbounded simulator that extracts Alice's input i from c = E_pk(g^i; R). The simulator does the following on inputs c = E_pk(g^i; R), i and b_i, for j ∈ [1, m]: if j ≠ i then set c_j ← E_pk(M; R) (an encryption of a uniformly random plaintext), else set c_j ← E_pk(b_i; R). Send (c1, . . . , cm) to Alice. Clearly the simulator's output is distributed identically to Bob's output in the real protocol, and it does not depend on b_j for j ≠ i.


AIR With Paillier?

AIR with ElGamal is inconvenient: we had to assume that b_j ∈ G_q. Can we apply AIR on top of Paillier? No! The reason is that n = p1·p2 = |M| is composite in the case of Paillier:

If gcd(i, n) = 1 then i·Z_n = Z_n. If gcd(i, n) ≠ 1 and i ≠ 0 then i·Z_n is a strict subgroup of Z_n.

Concrete attack: a cheating Alice chooses i such that i ≡ j1 (mod p1) and i ≡ j2 (mod p2). Then D_sk(c_{j_k}) = (i − j_k)·Z_n + b_{j_k} (a random multiple of i − j_k plus b_{j_k}), but p_k | (i − j_k) and thus D_sk(c_{j_k}) ≡ b_{j_k} (mod p_k) for k = 1, 2: Alice learns partial information about two database elements instead of one. See [Laur and Lipmaa, 2005] for a remedy.

SLIDE 100

Full Security For OT?

Problem: How exactly is "relaxed security" weaker than standard security? Why is the previous protocol not fully secure? Construct an oblivious transfer protocol based on AIR that is secure with comparison to the ideal model. Full proof. Extra points for efficiency. (Think of how Alice/Bob can cheat in AIR, and what exactly should be prevented.)


Length-Flexible Cryptosystems: Damgård-Jurik

G: Generate two independent random large prime numbers p and q. Set n = pq. The public key is pk = n, the private key is sk = (p, q, . . . ).

For any integer s ≥ 1, encryption of $m \in \mathbb{Z}_{n^s}$ with pk = n: select random $r \leftarrow \mathbb{Z}^*_{n^2}$ and compute $c \leftarrow (n + 1)^m r^{n^s} \bmod n^{s+1}$.

Important: |c|/|m| ≈ (s + 1)/s

Decryption: can be done efficiently [Damgård and Jurik, 2001]

SLIDE 101

DJ: Homomorphism And Beyond

Let k := ⌈log₂ n⌉. For all s ≥ 1, $E^s_{pk}$ encrypts a plaintext of s · k bits to a ciphertext of (s + 1)k bits.

$E^s_{pk}(m_1) \cdot E^s_{pk}(m_2) = E^s_{pk}(m_1 + m_2)$, thus also

$E^{s+1}_{pk}(m_1)^{E^s_{pk}(m_2)} = E^{s+1}_{pk}\big(m_1 \cdot E^s_{pk}(m_2)\big)$,

where $m_1$ and the exponent $E^s_{pk}(m_2)$ are (s + 1)k bits long, $m_2$ is s · k bits long, the plaintext $m_1 \cdot E^s_{pk}(m_2) \in \mathbb{Z}_{n^{s+1}}$ is (s + 1)k bits long and the resulting ciphertext is (s + 2)k bits long. (With $m_1 = 1$ this re-encrypts a level-s ciphertext at level s + 1 by exponentiation alone.)


Communication Efficient Oblivious Transfer [Lipmaa, 2005]

General idea: Use a length-flexible additively homomorphic public-key cryptosystem. Alice knows the secret key, Bob knows the public key. Bob operates on ciphertexts, sent by Alice. The length parameter s grows in the process.

SLIDE 102

Generic Idea (α = 2)

[Figure on the slides, built up over two frames: a 4 × 4 database b(j, t), j, t ∈ [1, 4], with the Chooser's encrypted selection vectors beside it; only the formulas survive extraction. Example from the second frame: (β₁₁, β₁₂, β₁₃, β₁₄) = (E^s_K(0), E^s_K(0), E^s_K(1), E^s_K(0)) and (β₂₁, β₂₂, β₂₃, β₂₄) = (E^{s+1}_K(0), E^{s+1}_K(0), E^{s+1}_K(1), E^{s+1}_K(0)), i.e. σ = (3, 3). Plaintexts b(j, t) are s · k bits, each β₁ₜ and w₁ⱼ is (s + 1)k bits, each β₂ₜ and w₂ is (s + 2)k bits.]

Chooser sends $\{\beta_{jt} = E^{s+j-1}_K(\sigma_j \stackrel{?}{=} t)\}$ to Sender (level s for the first coordinate, level s + 1 for the second).

Sender computes, for every row j, $w_{1j} = \prod_t \beta_{1t}^{b(j,t)} = E^s_K(b(j, \sigma_1))$, and then $w_2 = \prod_j \beta_{2j}^{w_{1j}} = E^{s+1}_K\big(E^s_K(b(\sigma_2, \sigma_1))\big)$.

Chooser sends $\sum_{j=1}^{\alpha} \sum_{t=1}^{m^{1/\alpha}} (s + j)k$ bits. Sender sends (s + α)k bits.

SLIDE 103

Communication

Suitable for ℓ-bit strings. Chooser sends $\alpha\left(s + \frac{\alpha + 1}{2}\right) m^{1/\alpha} k$ bits.

$s \cdot k \approx \ell$, thus $\left(\ell\alpha + \alpha \cdot \frac{\alpha + 1}{2} k\right) m^{1/\alpha}$ bits.

Optimal if α = Θ(log m): Θ(k · log² m + ℓ · log m) bits. Very good if ℓ is LARGE: Θ(ℓ · log m) bits. [Lipmaa, 2005] discusses various optimisations.

For small ℓ, pack several database elements into one plaintext, and assume µ is a lopsided hyperrectangle.


Alice’s Privacy In OT: Generic Transformation

The previous protocol is Alice-secure but not Bob-secure (Alice gets information about more than one database element): it is a computationally private information retrieval (CPIR) protocol. Generic transformation CPIR→OT:

Alice sends the first message of the AIR protocol to Bob, but instead of sending (c1, . . . , cm) to Alice, Bob stores the results. In parallel, apply the CPIR protocol to obtain c_i.

Clearly the resulting protocol is Alice-secure and Bob-secure, has as many rounds as the CPIR and only slightly increased communication.

SLIDE 104

Advanced example: Vickrey Auctions

One auctioneer sells one item of goods. Many bidders.
Vickrey auctions: sealed second-price auctions.

Sealed: every bidder puts his/her bid in an envelope and gives it to the auctioneer.
Second-price: the auctioneer opens all the envelopes at the same time. The winner is the highest bidder. The cost of the item is the second highest bid.

Vickrey auctions satisfy nice economical properties (e.g., truthful bidding).


Advanced example: Vickrey Auctions

You have a limited number of options: bidding µ ∈ [0, H].
You bid by encrypting your bid and sending it to some center.
Goal I: seller S should not be able to decrypt your bid; but she should get to know the second highest bid X2.
Solution: Encrypt by using the public key of another center A, but send the encryption to S.
See [Lipmaa et al., 2002].

SLIDE 105

Advanced example: Vickrey Auctions

Assume E is homomorphic: $E_{pk}(m) E_{pk}(m') = E_{pk}(m + m')$.
Instead of bid µ, encrypt $B^\mu$, where B is the maximum number of bidders.
S multiplies all ciphertexts, obtaining $c \leftarrow E_{pk}\big(\sum_i B^{\mu_i}\big)$. Due to the choice of B, this is equal to $E_{pk}\big(\sum_j \alpha_j B^j\big)$, where $\alpha_j$ is the number of bidders who bid j.
S sends c to A, who decrypts c and obtains all values $\alpha_j$. A calculates the second highest bid X2 and sends X2 to S. S announces X2 to bidders.
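The bid-aggregation flow of this slide, as an added example (not code from the lecture): a textbook Paillier instance with constructed toy primes stands in for E, bidders encrypt B^µ under A's key, S multiplies the ciphertexts, and A decrypts, reads off the digits α_j and computes X2, including the tie-at-the-top case. The bids and primes are constructed.

```python
import math
import secrets

# Constructed toy Paillier parameters (not from the slides; far too small for real use).
P1, P2 = 101, 103
N = P1 * P2                                          # 10403; gcd(N, (P1-1)(P2-1)) = 1 for these primes
N2 = N * N
LAM = (P1 - 1) * (P2 - 1) // math.gcd(P1 - 1, P2 - 1)  # Carmichael lambda(N) = lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                 # with g = N + 1, L(g^LAM mod N^2) = LAM

def enc(m):
    """Paillier E_pk(m; r) = (N+1)^m * r^N mod N^2 for a random r in Z_N^*."""
    assert 0 <= m < N
    while True:
        r = secrets.randbelow(N)
        if r > 0 and math.gcd(r, N) == 1:
            break
    return pow(N + 1, m, N2) * pow(r, N, N2) % N2

def dec(c):
    """D_sk(c) = L(c^LAM mod N^2) * MU mod N, where L(u) = (u - 1) / N."""
    u = pow(c, LAM, N2)
    return ((u - 1) // N) * MU % N

def bid_ciphertext(mu, B, H):
    """A bidder with bid mu in [0, H] encrypts B^mu (the slide's 'encrypt B^mu instead of mu')."""
    assert 0 <= mu <= H
    return enc(pow(B, mu))

def seller_aggregate(ciphertexts):
    """S multiplies all ciphertexts: E(sum_i B^{mu_i}) by the additive homomorphism."""
    c = 1
    for ct in ciphertexts:
        c = c * ct % N2
    return c

def center_counts(c, B, H):
    """A decrypts sum_j alpha_j B^j and reads off the base-B digits alpha_j (bidders who bid j).
    B must exceed the number of bidders, otherwise a digit could carry into the next one."""
    total = dec(c)
    counts = []
    for _ in range(H + 1):
        counts.append(total % B)
        total //= B
    assert total == 0
    return counts

def second_price(counts):
    """X2 from the histogram: walk down from the top bid until two bids have been seen.
    A tie at the highest bid means X2 equals the highest bid."""
    remaining = 2
    for j in range(len(counts) - 1, -1, -1):
        remaining -= counts[j]
        if remaining <= 0:
            return j
    return None   # fewer than two bids: no second price

def run_auction(bids, H):
    """Whole flow: bidders -> S (multiplies) -> A (decrypts, computes X2). Returns (alpha_j list, X2)."""
    B = len(bids) + 1                                   # strictly more than the number of bidders
    assert B ** (H + 1) <= N, "plaintext space too small for B^(H+1)"
    ciphertexts = [bid_ciphertext(mu, B, H) for mu in bids]   # what S receives, under A's key
    counts = center_counts(seller_aggregate(ciphertexts), B, H)
    return counts, second_price(counts)

if __name__ == "__main__":
    print(run_auction([2, 4, 4, 1, 3], H=4))   # constructed bids; two bidders tie at 4
```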


Advanced example: Auctions, 3

The previous protocol works only when the different parties are semihonest.
Standard solution: add NIZK proofs of knowledge that every step was correct.

The same methodology is used in almost all cryptographic protocols!

Every bidder NIZK-proves that it encrypted a valid bid B^µ, µ ∈ [0, H]. And: A NIZK-proves that he computed X2 correctly.

SLIDE 106

Simple Scheme

[Figure: message flow between the bidders P, the seller S and the center A; the numbered messages are:]

1 Bid b_i encrypted with A's key
2 Send bids in shuffled order
3 Decrypt bids, send X2 to S
4 Send acknowledgment
5 Acknowledge that you are/are not a winner

S will not get any extra information, but S can increase X2. P → S interaction is quite large.


Simple Scheme → Secure Scheme

Add correctness proofs

[Figure: the same five-message flow (1–5) as in the Simple Scheme above.]

Just add NIZK proofs of knowledge

SLIDE 107

PK(y = E_pk(B^µ; ρ) ∧ (µ ∈ [0, H]))

Denote $H_j := \lfloor (H + 2^j)/2^{j+1} \rfloor$, j = 0 . . . ⌊log₂ H⌋. Then

$\mu \in [0, H] \iff \mu = \sum_{j=0}^{\lfloor \log_2 H \rfloor} \mu_j H_j$ for some $\mu_j \in \{0, 1\}$. (1)

For example, µ ∈ [0, 10] ⟺ µ = 5µ₀ + 3µ₁ + µ₂ + µ₃ and µ ∈ [0, 9] ⟺ µ = 5µ₀ + 2µ₁ + µ₂ + µ₃.
NIZK proof of knowledge of the µ_j for which the right side of (1) holds.
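The decomposition (1) made concrete, as an added example (not from the lecture): the coefficients H_j, the bit witness µ_j a bidder needs, and a brute-force check of both directions of the equivalence for every H up to a constructed bound. The greedy witness search is my choice; it is justified by H − H₀ = ⌊H/2⌋ and the coefficients of ⌊H/2⌋ being exactly H₁, H₂, . . .

```python
def coefficients(H):
    """H_j = floor((H + 2^j) / 2^(j+1)) for j = 0 .. floor(log2 H): bit_length(H) terms."""
    assert H >= 1
    return [(H + (1 << j)) >> (j + 1) for j in range(H.bit_length())]

def decompose(H, mu):
    """Bits mu_j with sum_j mu_j * H_j == mu, i.e. the witness for the right side of (1);
    None if mu is outside [0, H]. Greedy from H_0 downwards works because H - H_0 = floor(H/2)
    and the coefficients of floor(H/2) are exactly H_1, H_2, ..."""
    if not 0 <= mu <= H:
        return None
    bits, rest = [], mu
    for h in coefficients(H):
        take = 1 if rest >= h else 0
        bits.append(take)
        rest -= take * h
    assert rest == 0
    return bits

def recompose(H, bits):
    """Right-hand side of (1), the value a verifier reconstructs from the mu_j."""
    return sum(b * h for b, h in zip(bits, coefficients(H)))

def representable(H):
    """All values sum_j mu_j H_j over mu_j in {0, 1} (brute force, for checking (1))."""
    sums = {0}
    for h in coefficients(H):
        sums |= {s + h for s in sums}
    return sums

def equivalence_holds(H):
    """Both directions of (1): the representable set is exactly {0, ..., H}."""
    return representable(H) == set(range(H + 1))

if __name__ == "__main__":
    print(coefficients(10), coefficients(9))      # the slide's [5, 3, 1, 1] and [5, 2, 1, 1]
    print(all(equivalence_holds(H) for H in range(1, 500)))
```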


How to Prove That X2 Is Correct?

You have $y = E_{pk}\big(\sum_j \alpha_j B^j\big)$. You must NIZK-prove that

$PK\big(y = E_{pk}(\mu; \rho) \wedge \mu = B^{\mu_1} + B^{X_2} + \mu_2 \wedge \mu_1 > X_2 \wedge \mu_2 < B^{X_2}\big)$.

Doable in honest-verifier computational zero-knowledge, but inefficient.

SLIDE 108

Auction Protocol: Security Properties

If A and S do not cooperate:
A will not be able to change the highest bid or bidder.
S will not get to know anything about the bids.
A will know the statistics (how many bid j) but no individual bids.
System can be strengthened: even cooperating A and S will not be able to change the highest bid or bidder.


E-Voting

Some security requirements:

Correctness: one vote per voter, only valid voters can vote, correct vote counting, . . .
Privacy: nobody gets to know an individual voter's votes.
No vote buying.

SLIDE 109

E-Voting

E-voting: can do analogously. Bidder = voter, bid = vote.
S must get to know the $\alpha_j$, so instead of X2 and a NIZK proof of its correctness, A will send to her the sum $\sum_j \alpha_j B^j$ with a proof of correct decryption (simpler!).

Problem: Can we trust that S and A do not cooperate? If not, another possibility is to share the trust among a larger number of authorities.


Detour: Integer Commitment Schemes

Integer commitment scheme: like a commitment scheme, but for given (m1, r1) it is hard to find (m2, r2) with m1 ≠ m2 over the integers such that C(m1; r1) = C(m2; r2). [Fujisaki, Okamoto], [Damgård and Fujisaki, 2002]: statistically hiding, computationally binding.
The known ICS-s are homomorphic: C(m1; r1)C(m2; r2) = C(m1 + m2; r1 + r2).
There exist efficient honest-verifier statistical zero-knowledge (HVSZK) proofs of knowledge that y3 commits to the product/sum of the integers committed to by y1 and y2.

SLIDE 110

Detour: Integer Commitment Schemes

[Lipmaa, 2003]: given an ICS C, one can construct efficient HVSZK arguments of knowledge for all languages in bounded arithmetic.

PK(h = C(µ; ρ) ∧ µ ≥ 0):
Use Lagrange's theorem that every nonnegative integer is a sum of four squares. Prove that h = C(µ; ρ) ∧ h1 = C(ω1; ρ1) ∧ · · · ∧ h4 = C(ω4; ρ4) ∧ µ = ω1² + · · · + ω4².
[Groth, 2004]: Prove that 4µ + 1 is a sum of three squares.

PK(h = C(µ; ρ) ∧ µ = B^ν ∧ ν ∈ [0, H]):
[Lipmaa]: Assume B is a prime. Prove that (µ | B^H) ∧ (µ ≥ 0).
[Damgård, Groth, Salomonsen]: Assume B = p², p a prime. Prove, for an extra h1, that h1 = C(ω; ρ1), µ = ω², ω | p^H.


First, Home Problems

1 Prove that the previously presented PK(A1 ∨ A2) is secure (define what is secure, define what is expected)

SLIDE 111

Σ-Protocol for PK(A1 ∨ A2).

Assume A1 is true (the second case is dual).
P does: Generate a1 as in PK(A1). Run the simulator to produce a valid view (a2, c2, z2) as in PK(A2). Send (a1, a2) to V.
V generates a random c ← {0, 1}^80 and sends it to P.
P computes c1 ← c − c2 mod 2^80, and z1 as it would be computed in PK(A1) after the first messages a1, c1. P sends (c1, z1, z2) to V.
V sets c2 ← c − c1 mod 2^80. For i ∈ {1, 2}, V performs the check, as done in PK(Ai), on (ai, ci, zi). He also checks that c1 ∈ Z_{2^80}.


Answer to Problem 1

What is required: Assuming that we have Σ-protocols for A1 and A2, show that the previous protocol is a Σ-protocol for A1 ∨ A2.

Three-round (P, V, P): obvious.
Public coin (the second message is a random string): obvious.
Completeness (see next).
Special soundness (see next).
Special HVZK (see next).

SLIDE 112

PK(A1 ∨ A2) is complete

Proof. Assume A1 is true (the second case is dual). If P and V are honest then V accepts if the checks in PK(Ai) of the triples (ai, ci, zi) succeed and if c1 ∈ Z_{2^80}. But then the check on (a1, c1, z1) succeeds since (a1, c1, z1) is computed as in PK(A1), and the check on (a2, c2, z2) succeeds since it is generated by the simulator of PK(A2). (Note that c1 and c2 are random.)


PK(A1 ∨ A2) Is Specially Sound

Proof. Assume the adversary sees (a1, a2; c; c1, z1, z2) and (a1, a2; c′; c′1, z′1, z′2), such that verification accepts in both tuples and c ≠ c′. That means that the A1-verification of (a1; c1; z1) and (a1; c′1; z′1) succeeds, that the A2-verification of (a2; c2; z2) and (a2; c′2; z′2) succeeds, and that c1, c′1 ∈ Z_{2^80}. Now if c1 ≠ c′1 then the adversary sees a collision for PK(A1), and because PK(A1) is specially sound, the adversary can extract the secret corresponding to PK(A1). If c1 = c′1 then, because c ≠ c′, we have c2 ≠ c′2 and dually the adversary can extract the secret corresponding to PK(A2). In total, the adversary can extract either a secret corresponding to A1 or one corresponding to A2, which means she can extract a secret corresponding to A1 ∨ A2.

SLIDE 113

PK(A1 ∨ A2) is Special HVZK

Proof. The view of the protocol is (a1, a2; c; c1, z1, z2). Define Sim that does the following: Generate random c̃1, c̃2 ← {0, 1}^80, set c̃ ← c̃1 + c̃2 mod 2^80 (so that c̃2 = c̃ − c̃1 mod 2^80). Use the simulator for Ai to generate z̃i and then an ãi such that (ãi; c̃i; z̃i) has the same distribution as (ai; ci; zi) in the real Σ-protocol for Ai. Output (ã1, ã2; c̃; c̃1, z̃1, z̃2). This clearly has the same distribution as the output of the real protocol.
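The Σ-protocol for PK(A1 ∨ A2) from the slides above, instantiated as an added example (not code from the course): each Ai is "I know xi with yi = g^{xi}", proven with Schnorr's Σ-protocol in a constructed toy group (p = 2039, q = 1019, g = 4), with 80-bit challenges as on the slides. Besides the prover and verifier it implements the special-soundness extractor and the special-HVZK simulator from the two proofs.

```python
import secrets

# Constructed toy group (not from the slides): safe prime p = 2q + 1, g = 4 generates the
# order-q subgroup. A_i is "I know x_i with y_i = g^{x_i}", proven with Schnorr's Σ-protocol.
P, Q, G = 2039, 1019, 4
CH = 1 << 80                  # challenges are 80-bit strings, as on the slides

def schnorr_verify(y, a, c, z):
    """Σ-protocol check for one clause: g^z == a * y^c."""
    return pow(G, z, P) == a * pow(y, c, P) % P

def schnorr_simulate(y, c=None):
    """Special-HVZK simulator for one clause: pick (c, z) first, then a = g^z / y^c."""
    if c is None:
        c = secrets.randbelow(CH)
    z = secrets.randbelow(Q)
    return pow(G, z, P) * pow(y, -c, P) % P, c, z

class OrProver:
    """Prover for PK(A1 ∨ A2) who knows the witness x for clause `known` (0 or 1)."""
    def __init__(self, y1, y2, known, x):
        self.y, self.k, self.x = (y1, y2), known, x

    def first_message(self):
        self.w = secrets.randbelow(Q)                 # honest commitment for the known clause
        a_real = pow(G, self.w, P)
        a_sim, self.c_sim, self.z_sim = schnorr_simulate(self.y[1 - self.k])  # simulated clause
        self.a = (a_real, a_sim) if self.k == 0 else (a_sim, a_real)
        return self.a

    def respond(self, c):
        """Split c so that the simulated clause keeps its challenge; answer the real one honestly."""
        c_real = (c - self.c_sim) % CH
        z_real = (self.w + c_real * self.x) % Q
        if self.k == 0:
            return c_real, z_real, self.z_sim         # (c1, z1, z2); c2 = c - c1 is implicit
        return self.c_sim, self.z_sim, z_real

def or_verify(y1, y2, a, c, c1, z1, z2):
    """V's checks: c1 in Z_{2^80}, then both clause verifications with c2 = c - c1."""
    if not 0 <= c1 < CH:
        return False
    c2 = (c - c1) % CH
    return schnorr_verify(y1, a[0], c1, z1) and schnorr_verify(y2, a[1], c2, z2)

def run_or_proof(y1, y2, known, x):
    prover = OrProver(y1, y2, known, x)
    a = prover.first_message()
    c = secrets.randbelow(CH)                         # V's public coin
    return or_verify(y1, y2, a, c, *prover.respond(c))

def or_simulate(y1, y2):
    """Special HVZK for the OR: choose c1, c2, simulate both clauses, output c = c1 + c2."""
    a1, c1, z1 = schnorr_simulate(y1)
    a2, c2, z2 = schnorr_simulate(y2)
    return (a1, a2), (c1 + c2) % CH, c1, z1, z2

def extract(y1, y2, a, t, t_prime):
    """Special soundness: two accepting transcripts (c, c1, z1, z2), (c', c1', z1', z2') with the
    same first message and c != c' yield a witness for the clause whose sub-challenge differs."""
    (c, c1, z1, z2), (cp, c1p, z1p, z2p) = t, t_prime
    assert c != cp and or_verify(y1, y2, a, *t) and or_verify(y1, y2, a, *t_prime)
    c2, c2p = (c - c1) % CH, (cp - c1p) % CH
    for idx, (ca, cb, za, zb) in enumerate(((c1, c1p, z1, z1p), (c2, c2p, z2, z2p))):
        if (ca - cb) % Q:                      # Schnorr extraction needs distinct challenges mod q
            return idx, (za - zb) * pow((ca - cb) % Q, -1, Q) % Q
    return None                                # both differences vanish mod q (toy-sized group only)

def rewind_and_extract(y1, y2, known, x, c, c_prime):
    """Rewinding: one first message answered for two challenges, then extraction."""
    prover = OrProver(y1, y2, known, x)
    a = prover.first_message()
    return extract(y1, y2, a, (c,) + prover.respond(c), (c_prime,) + prover.respond(c_prime))

if __name__ == "__main__":
    y1, y2 = pow(G, 123, P), pow(G, 777, P)
    print(run_or_proof(y1, y2, 0, 123), or_verify(y1, y2, *or_simulate(y1, y2)))
    print(rewind_and_extract(y1, y2, 0, 123, 5, 9))
```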


Problem 2

Prove that GNI has a CZK proof (with all the details). Present a proof of knowledge.
Quick hint: http://www.google.com/search?q="zero-knowledge+proof"+"graph+non+isomorphism"
E.g.: http://www.daimi.au.dk/~ivan/CPT1.pdf; since the proof is accessible from there, we will not present it next.
Note: every PZK proof is also a CZK proof. . .

SLIDE 114

ZK Proof for GNI

First lecture: P transfers to V a graph that is either isomorphic to G0 or G1; V chooses one of them and sends its isomorphic copy H to P; the prover guesses which graph the resulting graph is isomorphic to. (Do k times.)
Second lecture: If V is not honest (H is not isomorphic to Gi) then V gets extra information. Solution: V proves in ZK that H is either isomorphic to G0 or to G1.
A full detailed proof of this would have been ok! E.g., see http://www.daimi.au.dk/~ivan/CPT1.pdf. But you can find other solutions on the Internet: any detailed proof that makes me believe you understand the question would have been ok, too.


ZK Proof for GNI: A Bit More Detailed

Verifier generates H that is a random isomorphic copy of G_α for α ← {0, 1}. He generates k random bits α_i, and random isomorphic copies (H^i_0, H^i_1) of the graphs (G_{α_i}, G_{α_i ⊕ 1}). He sends all generated graphs to the Prover.
Prover sends k random bits b_i to V.
For each i ∈ [k], V does: if b_i = 0, send the isomorphism between (H^i_0, H^i_1) and (G_{α_i}, G_{α_i ⊕ 1}); otherwise send the isomorphism between H and one of H^i_0, H^i_1.
P checks the isomorphisms, computes b such that G_b is isomorphic to H and sends b to V. V accepts if α = b.

SLIDE 115

Tenth Lecture: Securing All Two-Party Protocols


Recap

We have seen two items:
Zero-knowledge: how to prove that you behave correctly.
Homomorphic protocols: efficient two-party protocols for certain tasks, secure in the semihonest model.
If we combine HP & ZK, we get efficient two-party protocols for certain tasks, secure in the malicious model.
Today: efficient(?) two-party protocols for all tasks, in the semihonest model.

SLIDE 116

Setting

Two parties, Alice and Bob, have inputs α and β, correspondingly.
Functionality: Alice learns A(α, β), Bob learns B(α, β). Neither party learns more in the semihonest model.
Can decompose: first run a protocol where Alice learns A(α, β) and Bob learns nothing, then a second protocol where Bob learns B(α, β). Thus we will consider the case where B(α, β) = ⊥.
Wlog, A(α, β) : {0, 1}^m × {0, 1}^n → {0, 1} /* run x protocols in parallel if the output is longer */


High level idea

Every function A : {0, 1}^m × {0, 1}^n → {0, 1} can be decomposed as a Boolean circuit. Idea:

Bob garbles the Boolean circuit for A, together with his inputs, and hands the circuit to Alice.
Alice obtains from Bob the key that corresponds to one possible input of Alice.
Alice "runs" this circuit on this key.
Alice obtains from Bob the real output, corresponding to the garbled output.

Bob garbles the circuit corresponding to his concrete input β. Alice should not be able to obtain Bob's input β or to run the circuit on two different inputs α, α′.

SLIDE 117

Example

Millionaire's problem: Who has more toys? I.e., A(α, β) = 1 iff α > β in Z_{2^ℓ}.
Boolean way: (α_{ℓ−1} = 1 ∧ β_{ℓ−1} = 0) ∨ (α_{ℓ−1} = β_{ℓ−1} ∧ α_{ℓ−2} = 1 ∧ β_{ℓ−2} = 0) ∨ . . .


Obtaining The Input Key

Alice has m inputs α_i. Bob generates 2m keys K_{i0} and K_{i1}, ∀i ∈ [m].
For i ∈ [m], Alice uses a 1-out-of-2 OT to obtain K_{iα_i}.

SLIDE 118

Obtaining The Output Key

Running the circuit, Alice has one output key K_out. Assume that Bob has beforehand also transferred E_{K_out}(answer).


Garbling The Circuit

Every gate ψ is constructed so that if you know the input keys then you get to know the output key. E.g., ∧ gate:

Alice gets to know the key K^ψ_{out,1} corresponding to 1 if both her keys correspond to the 1-input keys K^ψ_{1,1}, K^ψ_{2,1} of this gate.
Otherwise, Alice gets to know the key corresponding to 0. Alice should not get to know what the new key corresponds to.

Basic idea: encrypt K^ψ_out by using K^ψ_1, K^ψ_2. Store a randomly ordered table that corresponds to E_{K^ψ_{1,i}, K^ψ_{2,j}}(K^ψ_{out, i∧j}) for i, j ∈ {0, 1}. Call this table a Yao gate.
Alice later tries to decrypt all four values ⇐ it is needed that one can detect that K^ψ_{out, i∧j} is correct.

SLIDE 119

Construction

Bob creates key pairs for all bits of all inputs and for each "wire" of the circuit.
Given these key pairs, Bob turns gates into Yao gates.
Bob gives Alice all Yao gates and the keys corresponding to his inputs.
Alice obtains the keys corresponding to her inputs.
Alice computes Yao gate after Yao gate, until she gets the output keys.
Alice converts the output keys to correct answers.
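The construction above, as an added example (not the course's code): Bob garbles the 2-bit version of the comparator circuit from the millionaire example and Alice evaluates it. The 16-byte keys, the SHA-256-based row encryption with 8 zero bytes of padding so that Alice can detect the correct row, the output table standing for E_{K_out}(answer), and the direct hand-over of Alice's input keys in place of the 1-out-of-2 OTs are constructed choices for this demonstration.

```python
import hashlib
import secrets

# Added example, not the course's code: Yao gates for the 2-bit comparator alpha > beta,
# Bob as garbler and Alice as evaluator. Key length and padding length are constructed.
KEY_LEN = 16
PAD = b"\x00" * 8      # redundancy: lets Alice recognise which of the four rows decrypts correctly

def prf(k1, k2, gate_id):
    """Keystream derived from the two input keys and the gate id (distinct per gate and row)."""
    return hashlib.sha256(k1 + k2 + gate_id.to_bytes(4, "big")).digest()[:KEY_LEN + len(PAD)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_row(k1, k2, gate_id, out_key):
    """E_{k1,k2}(out_key): one-time pad of out_key || PAD under prf(k1, k2, gate_id)."""
    return xor(out_key + PAD, prf(k1, k2, gate_id))

def try_decrypt_row(k1, k2, gate_id, row):
    """Returns the key if the padding checks out, else None (wrong key pair for this row)."""
    pt = xor(row, prf(k1, k2, gate_id))
    return pt[:KEY_LEN] if pt[KEY_LEN:] == PAD else None

def new_wire():
    """A key pair per wire: index 0 is the key meaning 0, index 1 the key meaning 1."""
    return (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))

def garble_gate(gate_id, func, in1, in2, out):
    """Yao gate: the four rows E_{K1_i, K2_j}(K_out_{func(i,j)}), stored in random order."""
    rows = [encrypt_row(in1[i], in2[j], gate_id, out[func(i, j)]) for i in (0, 1) for j in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    return rows

def eval_gate(gate_id, rows, k1, k2):
    """Alice tries all four rows; exactly one decrypts with a valid pad (false hit: 2^-64 per row)."""
    hits = [k for k in (try_decrypt_row(k1, k2, gate_id, row) for row in rows) if k is not None]
    assert len(hits) == 1, "exactly one row must decrypt"
    return hits[0]

# Boolean circuit for alpha > beta on 2-bit inputs (a1 a0) and (b1 b0):
# (a1 ∧ ¬b1) ∨ ((a1 = b1) ∧ a0 ∧ ¬b0), written with 2-input gates in topological order.
def GT(a, b): return int(a == 1 and b == 0)
def EQ(a, b): return int(a == b)
def AND(a, b): return a & b
def OR(a, b): return a | b
CIRCUIT = [(1, GT, "a1", "b1", "g1"), (2, EQ, "a1", "b1", "g2"), (3, GT, "a0", "b0", "g3"),
           (4, AND, "g2", "g3", "g4"), (5, OR, "g1", "g4", "out")]
WIRES = ("a1", "a0", "b1", "b0", "g1", "g2", "g3", "g4", "out")

def bob_garble(beta):
    """Bob picks key pairs for all wires, builds the Yao gates, fixes the keys of his own input
    beta and prepares E_{K_out}(answer). Alice's input key pairs are returned for the OT stand-in."""
    wires = {w: new_wire() for w in WIRES}
    gates = [(gid, garble_gate(gid, f, wires[i1], wires[i2], wires[o]), i1, i2, o)
             for gid, f, i1, i2, o in CIRCUIT]
    bob_keys = {"b1": wires["b1"][(beta >> 1) & 1], "b0": wires["b0"][beta & 1]}
    out_table = [encrypt_row(wires["out"][v], wires["out"][v], 0, bytes([v]) + b"\x00" * (KEY_LEN - 1))
                 for v in (0, 1)]                      # gate id 0 is reserved for the output table
    secrets.SystemRandom().shuffle(out_table)
    return gates, bob_keys, out_table, {"a1": wires["a1"], "a0": wires["a0"]}

def alice_evaluate(gates, bob_keys, out_table, alice_keys):
    """Alice evaluates gate by gate and decodes the output key with E_{K_out}(answer)."""
    keys = {**bob_keys, **alice_keys}
    for gid, rows, i1, i2, o in gates:
        keys[o] = eval_gate(gid, rows, keys[i1], keys[i2])
    for row in out_table:
        pt = try_decrypt_row(keys["out"], keys["out"], 0, row)
        if pt is not None:
            return pt[0]
    raise ValueError("output key matches no row of E_{K_out}(answer)")

def millionaire(alpha, beta):
    """alpha, beta in [0, 3]; returns 1 iff alpha > beta, computed on the garbled circuit."""
    gates, bob_keys, out_table, alice_wires = bob_garble(beta)
    # Stand-in for the 1-out-of-2 OTs: Alice obtains exactly K_{i, alpha_i} for each of her wires.
    alice_keys = {"a1": alice_wires["a1"][(alpha >> 1) & 1], "a0": alice_wires["a0"][alpha & 1]}
    return alice_evaluate(gates, bob_keys, out_table, alice_keys)

if __name__ == "__main__":
    print([[millionaire(a, b) for b in range(4)] for a in range(4)])
```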


What if Bob cheats?

Recent research (Katz-Ostrovsky, 2004) etc.: it is possible to design two-party protocols, secure in the malicious model, for any computable A in five rounds.
However: is it practical? It is not even practical in the semihonest model, except for functions of a special type.
For the protocols seen previously, homomorphic solutions are much more efficient.

SLIDE 120

New Home Problems

L5 had a protocol for proving that c1 and c2 commit to different values (mod q). Write this protocol down in detail. Prove security.
Problem from L8: how exactly is relaxed security weaker than full security (give a precise and not too long answer; describe an example weakness that is allowed against relaxed secure protocols but not in the ideal case). Describe a fully secure version of AIR. Mind efficiency.
From L9: write down the precise protocol for PK(y = E_pk(B^µ; ρ) ∧ µ ∈ [0, H]), prove its security.
Assume Alice has two m-bit inputs and Bob has two n-bit inputs. Write down a Boolean circuit for deciding the second largest input among those four. Compute the complexity of this circuit.


Grading

7 problems. Student's points = 6 best problem results.
From those who pass, the 10% best students get A, the next 25% get B, the next 30% get C, the next 25% get D, the next 10% get E (http://www.ajaleht.ut.ee/138749), where the percentages can be far from precise. . .

SLIDE 121

References I

Aiello, W., Ishai, Y., and Reingold, O. (2001). Priced Oblivious Transfer: How to Sell Digital Goods. In Pfitzmann, B., editor, Advances in Cryptology — EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 119–135, Innsbruck, Austria. Springer-Verlag.

Damgård, I. (2000). Efficient Concurrent Zero-Knowledge in the Auxiliary String Model. In Preneel, B., editor, Advances in Cryptology — EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 418–430, Bruges, Belgium. Springer-Verlag.

Damgård, I. and Fujisaki, E. (2002). An Integer Commitment Scheme Based on Groups with Hidden Order. In Zheng, Y., editor, Advances in Cryptology — ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, pages 125–142, Queenstown, New Zealand. Springer-Verlag.

Damgård, I. and Jurik, M. (2001). A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System. In Kim, K., editor, Public Key Cryptography 2001, volume 1992 of Lecture Notes in Computer Science, pages 119–136, Cheju Island, Korea. Springer-Verlag.

References II

De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., and Sahai, A. (2001). Robust Non-interactive Zero Knowledge. In Kilian, J., editor, Advances in Cryptology — CRYPTO 2001, 21st Annual International Cryptology Conference, volume 2139 of Lecture Notes in Computer Science, pages 566–598, Santa Barbara, USA. Springer-Verlag.

Goldreich, O. (2004). Foundations of Cryptography: Basic Applications. Cambridge University Press.

Goldwasser, S. and Kalai, Y. T. (2003). On the (In)security of the Fiat-Shamir Paradigm. In 44th Annual Symposium on Foundations of Computer Science, pages 102–113, Cambridge, MA, USA. IEEE Computer Society Press.

Goldwasser, S., Micali, S., and Rackoff, C. (1989). The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, 18(1):186–208.

Katz, J. and Wang, N. (2003). Efficiency Improvements for Signature Schemes with Tight Security Reductions. In 10th ACM Conference on Computer and Communications Security, pages 155–164, Washington, D.C., USA. ACM Press.


SLIDE 122


References III

Laur, S. and Lipmaa, H. (2005). Additive Conditional Disclosure of Secrets and Applications. IACR Cryptology ePrint Archive, Report 2005/378.

Lipmaa, H. (2005). An Oblivious Transfer Protocol with Log-Squared Communication. In Zhou, J. and Lopez, J., editors, The 8th Information Security Conference (ISC'05), volume 3650 of Lecture Notes in Computer Science, pages 314–328, Singapore. Springer-Verlag.

Lipmaa, H., Asokan, N., and Niemi, V. (2002). Secure Vickrey Auctions without Threshold Trust. In Blaze, M., editor, Financial Cryptography — Sixth International Conference, volume 2357 of Lecture Notes in Computer Science, pages 87–101, Southampton, Bermuda. Springer-Verlag.

Bellare, M. and Palacio, A. (2002). GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks. In Yung, M., editor, Advances in Cryptology — CRYPTO 2002, 22nd Annual International Cryptology Conference, volume 2442 of Lecture Notes in Computer Science, pages 162–177, Santa Barbara, USA. Springer-Verlag.

References IV

Pedersen, T. P. (1991). Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Feigenbaum, J., editor, Advances in Cryptology — CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 129–140, Santa Barbara, California, USA. Springer-Verlag, 1992.

Pointcheval, D. and Stern, J. (2000). Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 13(3):361–396.

Sahai, A. (1999). Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security. In 40th Annual Symposium on Foundations of Computer Science, pages 543–553, New York, NY, USA. IEEE Computer Society.

Schnorr, C.-P. (1991). Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174.