On the Practical Use of Range Proofs - Sébastien Canard and Jacques Traoré - PowerPoint PPT Presentation



SLIDE 1

UCL Crypto Group

Microelectronics Laboratory

Range Proofs - Provable Privacy Workshop - July 10th, 2012 1

On the Practical Use of Range Proofs

Sébastien Canard and Jacques Traoré (Orange Labs), Amandine Jambert (CNIL), Iwen Coisel (Université catholique de Louvain - Crypto Group). Provable Privacy Workshop - July 10th, 2012

SLIDE 2

Zero-Knowledge Proof of Knowledge

◮ concept introduced by Feige, Fiat and Shamir
◮ permits proving the knowledge of some secrets $\alpha_1, \ldots, \alpha_q$ verifying some given relation $R$, without revealing any information about the secrets:
  $\mathrm{Pok}(\alpha_1, \ldots, \alpha_q : R(\alpha_1, \ldots, \alpha_q) = 1)$
◮ several complex relations can be proven
◮ well-known schemes: Fiat-Shamir, Schnorr, GPS
◮ security properties: completeness, soundness, zero-knowledge

SLIDE 3

In Tribute to Jean-Jacques Quisquater

◮ Alice knows the secret opening the door between A and B
◮ Bob, sceptical, asks for a proof from Alice
◮ Alice, proud, wants to prove her knowledge without divulging it


SLIDE 7

Introduction to Our Problem

◮ we study a secret $sk \in \mathbb{Z}_q^*$
◮ it belongs to a public interval $[a, b]$ where $a, b \in \mathbb{Z}_q^*$, with $a < b$
◮ the secret $sk$ is committed as $\mathrm{Com} = g^{sk} h^r$
  ◮ this can be replaced by a ciphertext on $sk$
  ◮ this is usually the case in e-voting
◮ zero-knowledge proof of knowledge that $sk \in [a, b]$:
  $\mathrm{Pok}(sk, r : \mathrm{Com} = g^{sk} h^r \wedge sk \in [a, b])$
◮ set membership proofs
  ◮ this is a variant of range proofs
  ◮ the interval is replaced by a set $\Phi$
  ◮ proof that $sk \in \Phi$

SLIDE 8

Applications

◮ e-cash
  ◮ withdrawal of $\ell$ coins
  ◮ use of a counter $j$ from 1 to $\ell$ during spendings
  ◮ proof that the counter $j$ belongs to the interval $[1, \ell]$
◮ e-vote
  ◮ $n$ candidates for a vote
  ◮ each voter needs to prove that her private choice belongs to the interval $[1, n]$
◮ anonymous credentials
  ◮ proof that the age of one user is greater than a given authorized one, without revealing her true age

SLIDE 9

General Overview

Three main families of range proofs exist:

◮ based on mathematical properties of positive numbers:
  $sk \in [a, b] \rightarrow (sk - a) \ge 0 \text{ and } (b - sk) \ge 0$
◮ based on the decomposition of the secret in an adapted base:
  $sk \in [0, u^\ell[$ if and only if $sk = \sum_{i=0}^{\ell-1} x_i u^i$ where $\forall i \in [0, \ell[,\ x_i \in [0, u[$
◮ based on the knowledge of a signature, assuming that all the elements of the interval have been signed:
  $sk \in [a, b]$ if and only if $\exists \sigma \in \Sigma$ s.t. $\sigma = \mathrm{Sign}(sk)$

SLIDE 10

First Remarks

◮ well-known techniques, largely studied
◮ case of restricted devices...
◮ hard to know which method should be used
  ◮ it depends on the size of the secret
  ◮ it depends on the size of the interval
  ◮ it depends on what should be improved (time vs. space, prover vs. verifier, etc.)
◮ remaining things to do
  ◮ it is essential to clearly know which method should be used, depending on the constraints
  ◮ the improvement of these methods is of great importance, to optimize the obtained efficiency as far as possible

SLIDE 11

Square Decomposition Method

◮ proposed by Boudot: $a \le sk \le b$ iff $sk - a \ge 0$ and $b - sk \ge 0$
◮ zero-knowledge proof completely described by Lipmaa

Lemma (Lagrange theorem)

Let $X$ be an integer. Then $X \ge 0$ if and only if there exist $(x_1, x_2, x_3, x_4) \in \mathbb{Z}^4$ such that $X = x_1^2 + x_2^2 + x_3^2 + x_4^2$.

Lemma (Groth characterisation)

Let $X$ be an integer which is not of the form $4^n(8k + 7)$, where $n, k \in \mathbb{N}$. Then $X \ge 0$ if and only if $\exists (x_1, x_2, x_3) \in \mathbb{Z}^3 : X = x_1^2 + x_2^2 + x_3^2$.

SLIDE 12

Square Decomposition Method

◮ the Rabin and Shallit algorithm finds such decompositions
◮ not very efficient... but it works

$\mathrm{Pok}\big(sk, X, Y, r, r_1, r_2 : C = g^{sk} h^r \wedge C_X = g^X h^{r_1} \wedge C_Y = g^Y h^{r_2} \wedge C_X g^a = g^{sk} h^{r_1} \wedge C_Y g^{-b} = g^{-sk} h^{r_2} \wedge X \ge 0 \wedge Y \ge 0\big)$

◮ principle of the proof that an integer $X$ is positive
  ◮ proof of knowledge of the different values (e.g. $(x_1, x_2, x_3, x_4)$)
  ◮ proof of reconstruction of the secret with these committed values
    ◮ $C_1 = g^{x_1} h^{r_1}$
    ◮ $C_1^{x_1} = g^{x_1^2} h^{r_1 x_1}$ is a commitment on $x_1^2$
    ◮ $\prod_{i=1}^{4} C_i^{x_i}$ is a commitment on the secret $X$
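As an added illustration (not code from the talk), the relations of this Pok run through with the prover's secrets: X = sk - a and Y = b - sk are decomposed into four squares (by brute force here, in place of Rabin-Shallit), each square root is committed, and the three homomorphic identities of the slide are checked. The group (p = 2039, q = 1019, g = 4, h = 9) is a constructed toy instance and every function name is my own; the zero-knowledge proof itself is not built.

```python
import math
import random

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# p = 2q + 1 with q prime; 4 and 9 are squares mod p, hence both have prime order q.
P, Q = 2039, 1019
G, H = 4, 9

def commit(x, r):
    """Pedersen commitment g^x h^r mod p (x may be negative)."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def four_squares(X):
    """Lagrange decomposition by exhaustive search; the talk uses Rabin-Shallit instead."""
    for x1 in range(math.isqrt(X), -1, -1):          # isqrt raises for X < 0
        for x2 in range(x1 + 1):
            for x3 in range(x2 + 1):
                rest = X - x1 * x1 - x2 * x2 - x3 * x3
                if rest < 0:
                    break
                x4 = math.isqrt(rest)
                if x4 * x4 == rest:
                    return (x1, x2, x3, x4)

def square_commitments(val, rng):
    """Prover: commit to each x_i of val = x_1^2 + ... + x_4^2 with fresh randomness."""
    xs = four_squares(val)
    rs = [rng.randrange(1, Q) for _ in xs]
    return xs, rs, [commit(x, ri) for x, ri in zip(xs, rs)]

def reconstructs(Cs, xs, rs, val):
    """prod_i C_i^{x_i} = g^{sum x_i^2} h^{sum r_i x_i}, i.e. a commitment on val."""
    prod = 1
    for Ci, xi in zip(Cs, xs):
        prod = prod * pow(Ci, xi, P) % P
    return prod == commit(val, sum(ri * xi for ri, xi in zip(rs, xs)))

def boudot_relations(sk, a, b, seed=0):
    """Check every relation of the Pok on this slide using the prover's secrets."""
    rng = random.Random(seed)
    X, Y = sk - a, b - sk
    if X < 0 or Y < 0:
        return False                     # no non-negative square decomposition exists
    r1, r2 = rng.randrange(1, Q), rng.randrange(1, Q)
    CX, CY = commit(X, r1), commit(Y, r2)
    ok = CX * pow(G, a, P) % P == commit(sk, r1)            # C_X g^a  = g^sk  h^r1
    ok &= CY * pow(G, (-b) % Q, P) % P == commit(-sk, r2)   # C_Y g^-b = g^-sk h^r2
    for val in (X, Y):
        xs, rs, Cs = square_commitments(val, rng)
        ok &= reconstructs(Cs, xs, rs, val)
    return ok
```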

SLIDE 13

Binary Decomposition

◮ initially proposed by Bellare and Goldwasser for an interval $[0, 2^\ell[$
◮ case of an interval $[a, b]$ by Schoenmakers

Lemma (binary decomposition)

$sk \in [0, 2^\ell[$ if and only if $sk = \sum_{i=0}^{\ell-1} x_i 2^i$ where $\forall i \in [0, \ell[,\ x_i \in [0, 1]$.

◮ the prover computes $C_i = g^{x_i} h^{r_i}$ for all $i \in [0, \ell[$ where $r_i \in_R \mathbb{Z}_q$
◮ both the prover and the verifier can compute
  $\tilde{C} = \prod_{i=0}^{\ell-1} C_i^{2^i} = g^{sk} h^{\sum_{i=0}^{\ell-1} 2^i r_i}$
◮ the prover and the verifier play the following interactive ZKPK
  $U_1 = \mathrm{Pok}\big(sk, t, r, r_0, \ldots, r_{\ell-1} : (C_0 = h^{r_0} \vee C_0/g = h^{r_0}) \wedge \ldots \wedge (C_{\ell-1} = h^{r_{\ell-1}} \vee C_{\ell-1}/g = h^{r_{\ell-1}}) \wedge \tilde{C} = g^{sk} h^t \wedge C = g^{sk} h^r\big)$

SLIDE 14

Schoenmakers' Proof for [a, b]

Lemma (double binary decomposition)

Let $B = b - a + 1$, $X = sk - a$, $k$ such that $2^k \le B \le 2^{k+1}$, $B_0 = 2^{k+1} - B$ and $Y = sk - a + B_0$. Then $sk \in [a, b]$ iff $X \in [0, 2^{k+1}[$ and $Y \in [0, 2^{k+1}[$.

◮ the prover produces a commitment $C_X$ (resp. $C_Y$) on $X$ (resp. $Y$)
◮ remark that $C_X g^a = g^{sk} h^{r_X}$ (resp. $C_Y g^{a - B_0} = g^{sk} h^{r_Y}$)
◮ proof that $X$ and $Y$ belong to $[0, 2^{k+1}[$
◮ the global proof that $sk \in [a, b]$ is
  $\mathrm{Pok}\big(sk, X, Y, r, r_X, r_Y : C = g^{sk} h^r \wedge C_X g^a = g^{sk} h^{r_X} \wedge C_Y g^{a - B_0} = g^{sk} h^{r_Y} \wedge X \in [0, 2^{k+1}[ \wedge Y \in [0, 2^{k+1}[\big)$
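Added example (not from the talk) for this slide and the previous one: the bit commitments, the folded commitment C̃ that both sides can compute on their own, the two OR branches of each clause of U1, and Schoenmakers' reduction of [a, b] to two proofs for [0, 2^{k+1}[. The group (p = 2039, q = 1019, g = 4, h = 9) is a constructed toy instance and the function names are mine; only the algebra behind the proofs is checked, not the ZK protocol.

```python
import random

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# p = 2q + 1 with q prime; 4 and 9 are squares mod p, hence both have prime order q.
P, Q = 2039, 1019
G, H = 4, 9

def commit(x, r):
    """Pedersen commitment g^x h^r mod p."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def bit_commitments(x, ell, rng):
    """Prover: C_i = g^{x_i} h^{r_i} for the ell low bits of x (higher bits are dropped)."""
    bits = [(x >> i) & 1 for i in range(ell)]
    rs = [rng.randrange(1, Q) for _ in range(ell)]
    return [commit(xi, ri) for xi, ri in zip(bits, rs)], rs

def fold(Cs):
    """Verifier: C~ = prod_i C_i^{2^i}, computable from the public C_i alone."""
    acc = 1
    for i, Ci in enumerate(Cs):
        acc = acc * pow(Ci, 1 << i, P) % P
    return acc

def bit_branch(Ci, ri):
    """One clause of U1: C_i = h^{r_i} (bit 0) or C_i / g = h^{r_i} (bit 1)."""
    hr = pow(H, ri, P)
    return Ci == hr or Ci * pow(G, Q - 1, P) % P == hr   # g^{q-1} = g^{-1}

def in_power_of_two_range(x, ell, rng):
    """Relations behind U1: every C_i opens to a bit and C~ = g^x h^t with t = sum 2^i r_i.
    Fails for x >= 2^ell because the folded commitment then opens to x mod 2^ell."""
    Cs, rs = bit_commitments(x, ell, rng)
    t = sum((1 << i) * ri for i, ri in enumerate(rs))
    return all(bit_branch(Ci, ri) for Ci, ri in zip(Cs, rs)) and fold(Cs) == commit(x, t)

def schoenmakers_params(a, b):
    """B = b - a + 1, k with 2^k <= B <= 2^(k+1), B0 = 2^(k+1) - B."""
    B = b - a + 1
    k = B.bit_length() - 1
    return B, k, (1 << (k + 1)) - B

def in_range(sk, a, b, seed=0):
    """sk in [a, b] iff X = sk - a and Y = X + B0 both lie in [0, 2^(k+1)[ (double binary lemma)."""
    rng = random.Random(seed)
    B, k, B0 = schoenmakers_params(a, b)
    X, Y = sk - a, sk - a + B0
    if X < 0:
        return False            # a negative X has no bit decomposition at all
    return in_power_of_two_range(X, k + 1, rng) and in_power_of_two_range(Y, k + 1, rng)
```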

SLIDE 15

Multi-Base Decomposition Method

◮ due to Lipmaa, Asokan and Niemi, after a work from Damgård and Jurik
◮ generalization of the binary representation
◮ first given in the case of an interval $[0, b]$

Lemma (multi-base decomposition)

Let $\ell = \lfloor \log_2 b \rfloor$. Then, $sk \in [0, b]$ if and only if $sk = \sum_{i=0}^{\ell} b_i x_i$ where for all $i \in [0, \ell]$, $x_i \in \{0, 1\}$ and $b_i = \lfloor (b + 2^{\ell - i}) / 2^{\ell - i + 1} \rfloor$.

◮ example
  ◮ case $b = 90$ and $sk = 80$
  ◮ $\lfloor \log_2 90 \rfloor = 6$
  ◮ $b_0 = 1$, $b_1 = 1$, $b_2 = 3$, $b_3 = 6$, $b_4 = 11$, $b_5 = 23$, and $b_6 = 45$
  ◮ $sk = 80 = [[0, 1, 0, 0, 1, 1, 1]]_{90}$

SLIDE 16

Multi-Base Decomposition Method

◮ proof that $sk \in [0, b]$ is similar to the binary case
◮ general case $[a, b]$
  ◮ use twice the proof for a secret in $[0, b]$
  ◮ new characterisation for $[a, b]$ and a similar proof ⇒ better result

We still have to prove that $sk \ge a$. We need $a = [[a_0, \ldots, a_\ell]]_b$ and

Lemma

$\exists!\, i_0 \in [0, \ell] / a_{i_0} = 0 \wedge \forall i > i_0, a_i = 1$. This implies that $\forall i \in [i_0 + 1, \ell], x_i = 1$, since $sk \in [a, b]$.

⇒ the disjunctions $\bigwedge_{j = i_0 + 1}^{\ell} \big((x_j = 0) \vee (x_j = 1)\big)$ are no longer needed

SLIDE 17

Multi-Base Decomposition

Lemma (Bit-by-bit Lemma)

Let $a = [[a_0, \cdots, a_\ell]]_b$ and $sk = [[x_0, \cdots, x_\ell]]_b$. Then, $a < sk$ iff $\exists i' \in [0, \ell] / a_{i'} = 0, x_{i'} = 1$ and $\forall j > i', a_j = x_j$.

◮ if $a_i = 0$, there are two possible cases
  ◮ if $x_i = 0$ ⇒ prove it and continue
  ◮ if $x_i = 1$ ⇒ prove it and it's enough
  $(x_i = 1) \vee \big((x_i = 0) \wedge B\big)$
◮ if $a_i = 1$ then $x_i = 1$ ⇒ prove it and continue
  $(x_i = 1) \wedge B$

$\mathrm{Pok}\big(sk, t, r_0, \ldots, r_{i_0} : \tilde{C} = g^{sk} h^t \wedge (C_0 = h^{r_0} \vee C_0/g = h^{r_0}) \wedge \ldots \wedge (C_{i_0 - 1} = h^{r_{i_0 - 1}} \vee C_{i_0 - 1}/g = h^{r_{i_0 - 1}}) \wedge \big(C_{i_0}/g = h^{r_{i_0}} \vee (C_{i_0} = h^{r_{i_0}} \wedge L)\big)\big)$

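Added example (not from the talk) covering the multi-base lemma of slide 15, the "no longer needed" remark of slide 16 and the bit-by-bit lemma above: it computes the $b_i$, derives the digits $[[x_0, \ldots, x_\ell]]_b$ and checks both lemmas exhaustively for small $b$. The greedy top-down digit routine is my assumption of how the canonical representation is obtained (the slides only state the lemma), and all function names are mine; `fixed_high_digits` assumes $a < b$.

```python
def multi_base(b):
    """The b_i of the lemma: ell = floor(log2 b), b_i = floor((b + 2^(ell-i)) / 2^(ell-i+1))."""
    ell = b.bit_length() - 1
    return [(b + (1 << (ell - i))) // (1 << (ell - i + 1)) for i in range(ell + 1)]

def to_digits(x, b):
    """Canonical digits [[x_0, ..., x_ell]]_b: greedy from the top, taking b_i whenever it still fits."""
    if not 0 <= x <= b:
        raise ValueError("x must lie in [0, b]")
    bs = multi_base(b)
    digits = [0] * len(bs)
    for i in range(len(bs) - 1, -1, -1):
        if x >= bs[i]:
            digits[i], x = 1, x - bs[i]
    if x != 0:
        raise ArithmeticError("greedy decomposition failed")   # cannot happen by the lemma
    return digits

def from_digits(digits, b):
    """sum_i b_i x_i."""
    return sum(xi * bi for xi, bi in zip(digits, multi_base(b)))

def decomposition_lemma_holds(b):
    """Every x in [0, b] round-trips, and b itself is the all-ones vector (sum of the b_i)."""
    return sum(multi_base(b)) == b and all(from_digits(to_digits(x, b), b) == x for x in range(b + 1))

def bitwise_less(a_digits, x_digits):
    """Bit-by-bit lemma test: a < sk iff the top-most differing position has a_i' = 0 and x_i' = 1."""
    for i in range(len(a_digits) - 1, -1, -1):
        if a_digits[i] != x_digits[i]:
            return a_digits[i] == 0 and x_digits[i] == 1
    return False                      # identical digits: a == sk

def comparison_lemma_holds(b):
    """Check the bit-by-bit lemma against plain integer comparison for all pairs in [0, b]."""
    ds = [to_digits(x, b) for x in range(b + 1)]
    return all(bitwise_less(ds[a], ds[x]) == (a < x) for a in range(b + 1) for x in range(b + 1))

def fixed_high_digits(a, b):
    """Slide 16: with i0 the top-most zero of a's digits, every sk in [a, b] has x_i = 1 for i > i0,
    so the OR proofs for those positions can be dropped.  Returns (i0, claim holds)."""
    a_d = to_digits(a, b)
    i0 = max(i for i, d in enumerate(a_d) if d == 0)          # requires a < b
    ok = all(to_digits(sk, b)[i] == 1 for sk in range(a, b + 1) for i in range(i0 + 1, len(a_d)))
    return i0, ok
```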
SLIDE 18

Signature-Based Method

◮ based on a work from Teranishi and Sako
◮ proposed by Camenisch, Chaabouni and Shelat
◮ let $\Phi$ be a public set of some elements
◮ let CA be a designated authority
  ◮ owns a pair of signature keys $(sk_{CA}, pk_{CA})$
  ◮ produces a signature $\sigma_i = \mathrm{Sign}_{sk_{CA}}(i)$ on all the elements $i \in \Phi$

Lemma (signature-based characterisation)

Let $a, b, x$ be three integers and $\Sigma$ be the set of all $\sigma_k$. Then, $sk \in [a, b]$ if and only if $\exists \sigma \in \Sigma$ such that $\sigma = \mathrm{Sign}(sk)$.

$\mathrm{Pok}(sk, r, \sigma_{sk} : C = g^{sk} h^r \wedge \sigma_{sk} = \mathrm{Sign}_{sk_{CA}}(sk))$

SLIDE 19

Case of Boneh-Boyen Signature

◮ short signature scheme proposed by Boneh and Boyen
◮ based on bilinear pairings
  ◮ $e : G_1 \times G_2 \rightarrow G_T$ where $G_1, G_2, G_T$ are of prime order $q$
  ◮ for all $g_1 \in G_1$, $g_2 \in G_2$, $a, b \in \mathbb{Z}_q^*$: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$
◮ procedures
  ◮ secret key $\gamma \in \mathbb{Z}_q^*$ and public key $w = g_2^{\gamma}$
  ◮ signature on $m \in \mathbb{Z}_q$ is $\sigma = g_1^{1/(\gamma + m)}$
  ◮ verification: $e(\sigma, w g_2^m) = e(g_1, g_2)$
◮ set membership proof
  ◮ pick at random $v \in \mathbb{Z}_q^*$ and compute $V = \sigma_x^{v}$, where $\sigma_x$ is the signature on the committed element $x = sk$
  ◮ generation of the proof of knowledge
  $\mathrm{Pok}(sk, r, v : C = g^{sk} h^r \wedge e(V, w) = e(V, g)^{-sk} e(g, g)^v)$

SLIDE 20

Which Kind of Comparison

◮ it seems that there is not ONE best solution
◮ it depends on the size of the secret, or the size of the interval
◮ different comparisons
  ◮ prover's time complexity (in modular multiplications in $G$)
  ◮ verifier's time complexity (in modular multiplications in $G$)
  ◮ space complexity (in bits)
  ◮ size of the public key (in bits)
◮ security level of 128
  ◮ $|q| = 256$, $|G| = 257$, $l_{\mathbb{Z}_n} = 3248$, $l_e = l_s = 160$

SLIDE 21

Comparison of the Methods

Figure: Verifier's (on the left) and prover's (on the right) efficiency comparison for different values of $\ell$ (graphics not reproduced in this extraction)

SLIDE 22

Thank you