
On the Practical Use of Range Proofs
Sébastien Canard and Jacques Traoré (Orange Labs), Amandine Jambert (CNIL), Iwen Coisel (Université catholique de Louvain - Crypto Group)
Provable Privacy Workshop - July 10th, 2012 - UCL Crypto Group


  1. On the Practical Use of Range Proofs
Sébastien Canard and Jacques Traoré, Orange Labs
Amandine Jambert, CNIL
Iwen Coisel, Université catholique de Louvain - Crypto Group
Provable Privacy Workshop - July 10th, 2012
UCL Crypto Group - Range Proofs - Provable Privacy Workshop - July 10th, 2012 - Microelectronics Laboratory

  2. Zero-Knowledge Proof of Knowledge
◮ concept introduced by Feige, Fiat and Shamir
◮ makes it possible to prove knowledge of some secrets $\alpha_1, \ldots, \alpha_q$ verifying a given relation $R$, without revealing any information about the secrets:
    $\mathrm{Pok}(\alpha_1, \ldots, \alpha_q : R(\alpha_1, \ldots, \alpha_q) = 1)$
◮ several complex relations can be proven
◮ well-known schemes
    ◮ Fiat-Shamir, Schnorr, GPS
◮ security
    ◮ completeness
    ◮ soundness
    ◮ zero-knowledge

  3. In Tribute to Jean-Jacques Quisquater
◮ Alice knows the secret opening the door between A and B
◮ Bob, sceptical, asks for a proof from Alice
◮ Alice, proud, wants to prove her knowledge without divulging it


  7. Introduction to Our Problem
◮ we study a secret $\mathrm{sk} \in \mathbb{Z}_q^*$
◮ it belongs to a public interval $[a, b]$ where $a, b \in \mathbb{Z}_q^*$, with $a < b$
◮ the secret $\mathrm{sk}$ is committed as $\mathrm{Com} = g^{\mathrm{sk}} h^r$
    ◮ this can be replaced by a ciphertext on $\mathrm{sk}$
    ◮ this is usually the case in e-voting
◮ zero-knowledge proof of knowledge that $\mathrm{sk} \in [a, b]$:
    $\mathrm{Pok}(\mathrm{sk}, r : \mathrm{Com} = g^{\mathrm{sk}} h^r \wedge \mathrm{sk} \in [a, b])$
◮ set membership proofs
    ◮ this is a variant of range proofs
    ◮ the interval is replaced by a set $\Phi$
    ◮ proof that $\mathrm{sk} \in \Phi$

  8. Applications
◮ e-cash
    ◮ withdrawal of $\ell$ coins
    ◮ use of a counter $j$ from 1 to $\ell$ during spendings
    ◮ proof that the counter $j$ belongs to the interval $[1, \ell]$
◮ e-vote
    ◮ $n$ candidates for a vote
    ◮ each voter needs to prove that her private choice belongs to the interval $[1, n]$
◮ anonymous credentials
    ◮ proof that the age of a user is greater than a given authorized one, without revealing her true age

  9. General Overview
Three main families of range proofs exist:
◮ based on mathematical properties of positive numbers
    $\mathrm{sk} \in [a, b] \rightarrow (\mathrm{sk} - a) \ge 0$ and $(b - \mathrm{sk}) \ge 0$
◮ based on the decomposition of the secret in an adapted base
    $\mathrm{sk} \in [0, u^\ell[$ if and only if $\mathrm{sk} = \sum_{i=0}^{\ell-1} x_i u^i$ where $\forall i \in [0, \ell[,\ x_i \in [0, u[$
◮ based on the knowledge of a signature, assuming that all the elements of the interval have been signed
    $\mathrm{sk} \in [a, b]$ if and only if $\exists\, \sigma \in \Sigma$ s.t. $\sigma = \mathrm{Sign}(\mathrm{sk})$

  10. First Remarks
◮ well-known techniques, largely studied
◮ case of restricted devices...
◮ hard to know which method should be used
    ◮ it depends on the size of the secret
    ◮ it depends on the size of the interval
    ◮ it depends on what should be improved (time vs. space, prover vs. verifier, etc.)
◮ remaining things to do
    ◮ it is essential to know clearly which method should be used, depending on the constraints
    ◮ improving these methods is of great importance in order to reach the best possible efficiency

  11. Square Decomposition Method
◮ proposed by Boudot: $a \le \mathrm{sk} \le b$ iff $\mathrm{sk} - a \ge 0$ and $b - \mathrm{sk} \ge 0$
◮ zero-knowledge completely described by Lipmaa

Lemma (Lagrange theorem). Let $X$ be an integer. Then $X \ge 0$ if and only if there exist $(x_1, x_2, x_3, x_4) \in \mathbb{Z}^4$ such that $X = x_1^2 + x_2^2 + x_3^2 + x_4^2$.

Lemma (Groth characterisation). Let $X$ be an integer which is not of the form $4^n (8k + 7)$, where $n, k \in \mathbb{N}$. Then $X \ge 0$ if and only if $\exists\, (x_1, x_2, x_3) \in \mathbb{Z}^3 : X = x_1^2 + x_2^2 + x_3^2$.

  12. Square Decomposition Method
◮ the Rabin and Shallit algorithm finds such decompositions
◮ not very efficient... but it works
    $\mathrm{Pok}\big(\mathrm{sk}, X, Y, r, r_1, r_2 : C = g^{\mathrm{sk}} h^r \wedge C_X = g^X h^{r_1} \wedge C_Y = g^Y h^{r_2} \wedge C_X g^a = g^{\mathrm{sk}} h^{r_1} \wedge C_Y g^{-b} = g^{-\mathrm{sk}} h^{r_2} \wedge X \ge 0 \wedge Y \ge 0\big)$
◮ principle of the proof that an integer $X$ is positive
    ◮ proof of knowledge of the different values (e.g. $(x_1, x_2, x_3, x_4)$)
    ◮ proof of reconstruction of the secret with these committed values
        ◮ $C_1 = g^{x_1} h^{r_1}$
        ◮ $C_1^{x_1} = g^{x_1^2} h^{r_1 x_1}$ is a commitment on $x_1^2$
        ◮ $\prod_{i=1}^{4} C_i^{x_i}$ is a commitment on the secret $X$
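The two lemmas and the "proof of reconstruction" step above, as an added worked example that is not part of the talk. It does not implement the Rabin-Shallit algorithm mentioned on the slide; it finds square decompositions by exhaustive search (fine for the small integers a demo handles) and checks Groth's exclusion condition. The Pedersen parameters (P, Q, G, H) are constructed toy values, far too small for real use, chosen only so that the homomorphic identity $\prod_i C_i^{x_i} = g^X h^{\sum_i r_i x_i}$ can be verified numerically.

```python
from math import isqrt

def groth_excluded(X: int) -> bool:
    """True iff X = 4^n (8k + 7) for some n, k >= 0: such X has no three-square form."""
    if X < 0:
        return False
    while X > 0 and X % 4 == 0:
        X //= 4
    return X % 8 == 7

def three_squares(X: int):
    """Exhaustive search for (x1, x2, x3) with X = x1^2 + x2^2 + x3^2, or None."""
    if X < 0:
        return None
    for x1 in range(isqrt(X), -1, -1):
        rem1 = X - x1 * x1
        for x2 in range(isqrt(rem1), -1, -1):
            rem2 = rem1 - x2 * x2
            x3 = isqrt(rem2)
            if x3 * x3 == rem2:
                return (x1, x2, x3)
    return None

def four_squares(X: int):
    """Lagrange: every X >= 0 is a sum of four squares; found by search, None if X < 0."""
    if X < 0:
        return None
    for x1 in range(isqrt(X), -1, -1):
        rest = three_squares(X - x1 * x1)
        if rest is not None:
            return (x1,) + rest
    return None  # not reached for X >= 0 (Lagrange's theorem)

# Toy Pedersen parameters (constructed): P is a safe prime, P = 2Q + 1, and G, H are
# squares mod P, hence generators of the order-Q subgroup. Not secure, demo only.
P, Q = 2039, 1019
G, H = 4, 9

def commit(x: int, r: int) -> int:
    """Pedersen commitment C = g^x h^r mod P, exponents reduced mod the group order Q."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def reconstruct_commitment(xs, rs) -> int:
    """prod_i C_i^{x_i} with C_i = g^{x_i} h^{r_i}: the verifier-side product on the slide."""
    acc = 1
    for x, r in zip(xs, rs):
        acc = acc * pow(commit(x, r), x % Q, P) % P
    return acc

def check_reconstruction(X: int, rs) -> bool:
    """Check that prod_i C_i^{x_i} opens to X with randomness sum_i r_i x_i,
    i.e. that the product of the square commitments is a commitment on X."""
    xs = four_squares(X)
    return reconstruct_commitment(xs, rs) == commit(X, sum(r * x for r, x in zip(rs, xs)))
```

Running `check_reconstruction(7, [3, 5, 11, 7])` shows why the prover only has to prove knowledge of the openings of the four $C_i$ and of the exponents $x_i$: the verifier never learns $X$, yet the product $\prod_i C_i^{x_i}$ is forced, by the homomorphism alone, to commit to a sum of squares, which is non-negative.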

  13. Binary Decomposition
◮ initially proposed by Bellare and Goldwasser for an interval $[0, 2^\ell[$
◮ case of an interval $[a, b]$ by Schoenmakers

Lemma (binary decomposition). $\mathrm{sk} \in [0, 2^\ell[$ if and only if $\mathrm{sk} = \sum_{i=0}^{\ell-1} x_i 2^i$ where $\forall i \in [0, \ell[,\ x_i \in [0, 1]$.

◮ the prover computes $C_i = g^{x_i} h^{r_i}$ for all $i \in [0, \ell[$, where $r_i \in_R \mathbb{Z}_q$
◮ both the prover and the verifier can compute
    $\tilde{C} = \prod_{i=0}^{\ell-1} C_i^{2^i} = g^{\mathrm{sk}} h^{\sum_{i=0}^{\ell-1} 2^i r_i}$
◮ the prover and the verifier play the following interactive ZKPK
    $\mathrm{Pok}\big(\mathrm{sk}, t, r, r_0, \ldots, r_{\ell-1} : (C_0 = h^{r_0} \vee C_0/g = h^{r_0}) \wedge \ldots \wedge (C_{\ell-1} = h^{r_{\ell-1}} \vee C_{\ell-1}/g = h^{r_{\ell-1}}) \wedge \tilde{C} = g^{\mathrm{sk}} h^t \wedge C = g^{\mathrm{sk}} h^r\big)$

  14. Schoenmakers Proof for $[a, b]$

Lemma (double binary decomposition). Let $B = b - a + 1$, $X = \mathrm{sk} - a$, $k$ such that $2^k \le B \le 2^{k+1}$, $B_0 = 2^{k+1} - B$ and $Y = \mathrm{sk} - a + B_0$. Then $\mathrm{sk} \in [a, b]$ iff $X \in [0, 2^{k+1}[$ and $Y \in [0, 2^{k+1}[$.

◮ the prover produces a commitment $C_X$ (resp. $C_Y$) on $X$ (resp. $Y$)
◮ remark that $C_X g^a = g^{\mathrm{sk}} h^{r_X}$ (resp. $C_Y g^{a - B_0} = g^{\mathrm{sk}} h^{r_Y}$)
◮ proof that $X$ and $Y$ belong to $[0, 2^{k+1}[$
◮ the global proof that $\mathrm{sk} \in [a, b]$ is
    $\mathrm{Pok}\big(\mathrm{sk}, X, Y, r, r_X, r_Y : C = g^{\mathrm{sk}} h^r \wedge C_X g^a = g^{\mathrm{sk}} h^{r_X} \wedge C_Y g^{a - B_0} = g^{\mathrm{sk}} h^{r_Y} \wedge X \in [0, 2^{k+1}[ \wedge Y \in [0, 2^{k+1}[\big)$
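The aggregate commitment $\tilde{C}$ of slide 13 and the double binary decomposition of slide 14, as an added worked example that is not part of the talk. It does not implement the interactive OR-proofs; it only shows the two facts the proof relies on: that $\tilde{C} = \prod_i C_i^{2^i}$ opens to $\mathrm{sk}$ with randomness $t = \sum_i 2^i r_i$, and that the pair $(X, Y)$ built from $(k, B_0)$ lies in $[0, 2^{k+1}[^2$ exactly when $\mathrm{sk} \in [a, b]$, checked exhaustively on small intervals. The Pedersen parameters are constructed toy values, not secure.

```python
def binary_digits(x: int, l: int) -> list:
    """Bits x_0 .. x_{l-1} with x = sum_i x_i 2^i; requires 0 <= x < 2^l."""
    if not 0 <= x < 2 ** l:
        raise ValueError("value has no l-bit decomposition")
    return [(x >> i) & 1 for i in range(l)]

# Toy Pedersen parameters (constructed): safe prime P = 2Q + 1, G and H squares mod P,
# hence of order Q. Demo only, not secure.
P, Q = 2039, 1019
G, H = 4, 9

def commit(x: int, r: int) -> int:
    """Pedersen commitment g^x h^r mod P, exponents reduced mod Q."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def bit_commitments(sk: int, l: int, rs: list) -> list:
    """Prover side: C_i = g^{x_i} h^{r_i} for the l bits of sk, with randomness r_i."""
    return [commit(x, r) for x, r in zip(binary_digits(sk, l), rs)]

def aggregate(cs: list) -> int:
    """Verifier side: C~ = prod_i C_i^{2^i}, computable from the public C_i alone."""
    acc = 1
    for i, c in enumerate(cs):
        acc = acc * pow(c, 2 ** i, P) % P
    return acc

def aggregate_opens_to(sk: int, l: int, rs: list) -> bool:
    """Check C~ == g^sk h^t with t = sum_i 2^i r_i, i.e. C~ commits to sk."""
    t = sum(2 ** i * r for i, r in enumerate(rs))
    return aggregate(bit_commitments(sk, l, rs)) == commit(sk, t)

def schoenmakers_params(a: int, b: int):
    """(k, B0) with B = b - a + 1, 2^k <= B <= 2^(k+1) and B0 = 2^(k+1) - B."""
    if a > b:
        raise ValueError("empty interval")
    B = b - a + 1
    k = max(0, (B - 1).bit_length() - 1)   # smallest k >= 0 with B <= 2^(k+1)
    assert 2 ** k <= B <= 2 ** (k + 1)
    return k, 2 ** (k + 1) - B

def double_decomposition_accepts(sk: int, a: int, b: int) -> bool:
    """The lemma's criterion: X = sk - a and Y = X + B0 both lie in [0, 2^(k+1))."""
    k, B0 = schoenmakers_params(a, b)
    X, Y = sk - a, sk - a + B0
    return 0 <= X < 2 ** (k + 1) and 0 <= Y < 2 ** (k + 1)

def prover_witness(sk: int, a: int, b: int):
    """The (k+1)-bit digits of X and Y the prover commits to; raises if sk is outside [a, b]."""
    k, B0 = schoenmakers_params(a, b)
    return binary_digits(sk - a, k + 1), binary_digits(sk - a + B0, k + 1)
```

For the interval $[11, 100]$ one gets $B = 90$, $k = 6$ and $B_0 = 38$, so both $X$ and $Y$ are proven with 7 bit commitments each; the exhaustive check in `double_decomposition_accepts` also covers the degenerate cases $B = 2^{k+1}$ (where $B_0 = 0$ and $Y = X$) and $a = b$.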

  15. Multi-Base Decomposition Method
◮ due to Lipmaa, Asokan and Niemi, after a work from Damgård and Jurik
◮ generalization of the binary representation
◮ first given in the case of an interval $[0, b]$

Lemma (multi-base decomposition). Let $\ell = \lfloor \log_2 b \rfloor$. Then $\mathrm{sk} \in [0, b]$ if and only if $\mathrm{sk} = \sum_{i=0}^{\ell} b_i x_i$ where for all $i \in [0, \ell]$, $x_i \in \{0, 1\}$ and $b_i = \lfloor (b + 2^{\ell - i}) / 2^{\ell - i + 1} \rfloor$.

◮ example
    ◮ case $b = 90$ and $\mathrm{sk} = 80$
    ◮ $\lfloor \log_2 90 \rfloor = 6$
    ◮ $b_0 = 1$, $b_1 = 1$, $b_2 = 3$, $b_3 = 6$, $b_4 = 11$, $b_5 = 23$, and $b_6 = 45$
    ◮ $\mathrm{sk} = 80 = [\![0, 1, 0, 0, 1, 1, 1]\!]_{90}$

  16. Multi-Base Decomposition Method
◮ proof that $\mathrm{sk} \in [0, b]$ is similar to the binary case
◮ general case $[a, b]$
    ◮ use twice the proof for a secret in $[0, b]$
    ◮ new characterisation for $[a, b]$ and a similar proof $\Rightarrow$ better result

We still have to prove that $\mathrm{sk} \ge a$. We need $a = [\![a_0, \ldots, a_\ell]\!]_b$ and

Lemma. $\exists!\, i_0 \in [0, \ell]$ such that $a_{i_0} = 0 \wedge \forall i > i_0,\ a_i = 1$.

This implies that $\forall i \in [i_0 + 1, \ell],\ x_i = 1$, since $\mathrm{sk} \in [a, b]$.

$\Rightarrow \bigwedge_{j = i_0 + 1}^{\ell} \big((x_j = 0) \vee (x_j = 1)\big)$ no longer needed
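The multi-base decomposition of slide 15 and the lower-bound lemma of slide 16, as an added worked example that is not part of the talk. It computes the weights $b_i$ from the lemma, decomposes a secret greedily from the largest weight down (the greedy rule is an assumption of this example; the slides do not say how the digits are obtained), reproduces the $b = 90$, $\mathrm{sk} = 80$ example, and checks exhaustively on small $b$ that every $\mathrm{sk} \in [0, b]$ has a decomposition and that the digits above $i_0$ are forced to 1 for every $\mathrm{sk} \in [a, b]$, which is what lets those OR-proofs be dropped.

```python
def multibase_weights(b: int) -> list:
    """Weights b_i = floor((b + 2^(l-i)) / 2^(l-i+1)) for i = 0..l, with l = floor(log2 b)."""
    if b < 1:
        raise ValueError("b must be >= 1")
    l = b.bit_length() - 1                      # floor(log2 b)
    return [(b + 2 ** (l - i)) // 2 ** (l - i + 1) for i in range(l + 1)]

def is_complete(weights: list) -> bool:
    """Each weight is at most 1 + the sum of the smaller ones; this is what makes
    greedy decomposition reach every value in [0, sum(weights)]."""
    total = 0
    for w in weights:
        if w > total + 1:
            return False
        total += w
    return True

def multibase_digits(sk: int, b: int) -> list:
    """Greedy decomposition sk = sum_i b_i x_i, x_i in {0,1}, digits listed x_0 .. x_l."""
    if not 0 <= sk <= b:
        raise ValueError("sk outside [0, b]")
    weights = multibase_weights(b)
    digits = [0] * len(weights)
    rem = sk
    for i in range(len(weights) - 1, -1, -1):   # largest weight first
        if rem >= weights[i]:
            digits[i] = 1
            rem -= weights[i]
    assert rem == 0, "greedy always terminates at 0 for a complete weight sequence"
    return digits

def recompose(digits: list, b: int) -> int:
    """Inverse of multibase_digits: sum_i b_i x_i."""
    return sum(x * w for x, w in zip(digits, multibase_weights(b)))

def highest_zero_digit(digits: list):
    """The index i0 of the lemma: the most significant 0 digit (None if all digits are 1)."""
    for i in range(len(digits) - 1, -1, -1):
        if digits[i] == 0:
            return i
    return None

def lower_bound_lemma_holds(a: int, b: int) -> bool:
    """Slide 16: with i0 the highest zero digit of a = [[a_0..a_l]]_b, every sk in [a, b]
    has x_i = 1 for all i > i0, so the (x_i = 0 v x_i = 1) proofs for those i are not needed."""
    i0 = highest_zero_digit(multibase_digits(a, b))
    if i0 is None:            # a == b: all digits of a are 1, nothing to check
        return True
    l = len(multibase_weights(b)) - 1
    return all(multibase_digits(sk, b)[i] == 1
               for sk in range(a, b + 1) for i in range(i0 + 1, l + 1))
```

For $b = 90$ the weights sum to exactly $b$ and satisfy the completeness condition, so a greedy pass from $b_6 = 45$ downwards recovers $80 = 45 + 23 + 11 + 1$, i.e. the digits $[0, 1, 0, 0, 1, 1, 1]$ from the slide (note that $b_0 = b_1 = 1$, so decompositions are not unique; greedy picks $x_1$ before $x_0$).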
