NIZKs with an untrusted CRS: Security in the face of parameter - - PowerPoint PPT Presentation

nizks with an untrusted crs security in the face of
SMART_READER_LITE
LIVE PREVIEW

NIZKs with an untrusted CRS: Security in the face of parameter - - PowerPoint PPT Presentation

Sep 20, 2023 135 likes •580 views

NIZKs with an untrusted CRS: Security in the face of parameter subversion Mihir Bellare Alessandra Scafuro Georg Fuchsbauer Asiacrypt 2016 Motivation 2013 compromised security not covered by standard model here: parameter

slide-1
SLIDE 1

NIZKs with an untrusted CRS: Security in the face of parameter subversion

Mihir Bellare Georg Fuchsbauer Alessandra Scafuro Asiacrypt 2016

slide-2
SLIDE 2

Motivation

  • 2013
  • compromised security not covered by standard model
  • here: parameter subversion
slide-3
SLIDE 3

Motivation

  • 2013
  • compromised security not covered by standard model
  • here: parameter subversion
  • example: Dual EC RNG

– “trusted” parameters P, Q – int’l standard; NSA paid RSA $10 million – knowledge of logQ P ⇒ predictable [ShuFer07] ⇒ break TLS [CFN+14]

slide-4
SLIDE 4

Motivation

  • 2013
  • compromised security not covered by standard model
  • here: parameter subversion
  • goal: subversion resistance
  • this work: NIZK, relies on common reference string (

)

  • example: zk-SNARK parameters

for Zerocash ( ) [BCG+14]

slide-5
SLIDE 5

Related work

NIZK

  • 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14]
  • NIZK in bare PK model [Wee07]
  • CRS via multiparty computation [KKZZ14, BSCG+15]
  • UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]
slide-6
SLIDE 6

Related work

NIZK

  • 2-move ZK protocols [BLV03, Pass03, BP04, BCPR14]
  • NIZK in bare PK model [Wee07]
  • CRS via multiparty computation [KKZZ14, BSCG+15]
  • UC w/ adv. CRS [CPs07], multiple CRSs [GO07, GGJS11]

Subversion

  • Algorithm-substitution attacks [BPR14, AMV15]
  • Kleptography [YY96, YY97], cliptography [RTYZ16]
  • Backdoored blockciphers [RP97, PG97, Pat99]
slide-7
SLIDE 7

Non-interactive proofs

Prover: x, w Verifier: x

π

/× crs

  • let L ∈ NP
  • prove x ∈ L
slide-8
SLIDE 8

Non-interactive proofs

Prover: x, w Verifier: x

π

Soundness:

π ⇒ x ∈ L crs

slide-9
SLIDE 9

Non-interactive proofs

Prover: x, w Verifier: x

Witness-indistinguishability:

π[w] ≈c π[w′]

π

crs

slide-10
SLIDE 10

Non-interactive proofs

Prover: x, w Verifier: x

π

crs

Simulator: x, w

×

crs′ π′ Zero-knowledge:

slide-11
SLIDE 11

Non-interactive proofs

Prover: x, w Verifier: x

π

crs

Zero-knowledge:

≈s

Simulator: x, w

×

crs′ π′

slide-12
SLIDE 12

Subversion-resistant NI proofs

Prover: x, w Verifier: x

π

Subversion Soundness:

π ⇒ x ∈ L crs

slide-13
SLIDE 13

Subversion-resistant NI proofs

Prover: x, w Verifier: x

π

Subversion WI:

π[w] ≈c π[w′] crs

slide-14
SLIDE 14

Non-interactive proofs

Prover: x, w Verifier: x

π

crs

Zero-knowledge:

≈s

Simulator: x, w

×

crs′ π′

slide-15
SLIDE 15

Subversion-resistant NI proofs

Prover: x, w Verifier: x

π

crs

Simulator: x, w

×

crs′,$′ π′ $ Subversion ZK:

≈s

slide-16
SLIDE 16

Subversion-resistant NI proofs

Prover: x, w Verifier: x

π

crs

Simulator: x, w

×

π′ $

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
slide-17
SLIDE 17

Our results

S-SND S-ZK S-WI SND ZK WI ❄ ❄ ❄ ✲ ✲

slide-18
SLIDE 18

Our results

S-SND S-ZK S-WI SND ZK WI ❄ ❄ ❄ ✲ ✲

slide-19
SLIDE 19

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

slide-20
SLIDE 20

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

Prover: x, w Verifier: x

ε

slide-21
SLIDE 21

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

Prover: x, w Verifier: x

w

w witness for x?

slide-22
SLIDE 22

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ?

? ?

slide-23
SLIDE 23

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×

x, π

Breaking S-SND:

π ∧ x / ∈ L crs

(if L is non-trivial)

slide-24
SLIDE 24

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×

x, π′

Breaking S-SND:

π ∧ x / ∈ L crs′

(if L is non-trivial)

slide-25
SLIDE 25

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×
  • ?
slide-26
SLIDE 26

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×
  • DLin

Non-interactive Zaps [GOS06]

  • NI WI proofs
  • without CRS

No CRS ⇒ subversion-resistant

slide-27
SLIDE 27

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×
  • DLin
  • ?
slide-28
SLIDE 28

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×
  • DLin
  • ?
  • implies 2-move ZK (verifier chooses CRS)

⇒ only achieved under extractability assumpt’s [BCPR14]

  • construction under new knowledge of exponent assumption
slide-29
SLIDE 29

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
slide-30
SLIDE 30

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • KEA: ∀

(g, h) → → (gs, hs)

slide-31
SLIDE 31

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • KEA: ∀

(g, h) → → (gs, hs)

→ → s

slide-32
SLIDE 32

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • KEA: ∀

(g, h) → → (gs, hs)

→ → s idea: crs trapdoor

slide-33
SLIDE 33

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • KEA: ∀

(g, h) → → (gs, hs)

→ → s Prove: x ∈ L ∨ “I know s” idea: crs trapdoor

Zap!

slide-34
SLIDE 34

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • KEA: ∀

(g, h) → → (gs, hs)

→ → s Prove: x ∈ L ∨ “I know s” idea: crs trapdoor

who chooses h?

slide-35
SLIDE 35

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • DH-KEA:

→ (gs, hs, h = gη)

→ → s OR → η Prove: x ∈ L ∨ “I know s or η”

slide-36
SLIDE 36

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • crs = (gs, hs, h = gη)

Prove: x ∈ L ∨ “I know s or η”

prove knowledge how?

slide-37
SLIDE 37

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • crs = (gs, hs, h = gη)

Prove: x ∈ L ∨ “I know s or η”

prove knowledge how? Enc(pk, s)

slide-38
SLIDE 38

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • crs = (gs, hs, h = gη)

Prove: x ∈ L ∨ “I know s or η”

prove knowledge how? Enc(pk, s) pk

?

slide-39
SLIDE 39

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • crs = (gs, hs, h = gη)

Prove: x ∈ L ∨ “I know s or η”

prove knowledge how? Enc(pk, s) pk

slide-40
SLIDE 40

Achieving SND + S-ZK

π

∀ ∃ ∀ :

  • crs, $,
  • ≈c
  • crs ′, $′,
  • crs = (gs, hs, h = gη)

Prove: x ∈ L ∨ “I know s or η”

prove knowledge how? Enc(pk, s) pk + KEA-proof of sk

slide-41
SLIDE 41

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×
  • DLin
  • DH-KEA
slide-42
SLIDE 42

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×
  • DLin
  • DH-KEA
  • NIZK
slide-43
SLIDE 43

Our results

Standard Subversion-resistant Possible? Assumpt’s: SND ZK WI S-SND S-ZK S-WI

  • ×
  • DLin
  • DH-KEA
  • NIZK

QUESTIONS? THANK YOU!