MTAT.07.014 Cryptographic Protocols · Lecture 9. Motivation: ZK. Σ-Protocols Lecture...

Date posted: 20-Mar-2020


  • Honest-Verifier Zero Knowledge Real Zero Knowledge

    MTAT.07.014 Cryptographic Protocols

    Helger Lipmaa

    University of Tartu

    MTAT.07.014 Cryptographic Protocols, L9+ Last modified: December 17, 2012

    Helger Lipmaa MTAT.07.014 Cryptographic Protocols


    Outline I

    1 Honest-Verifier Zero Knowledge
      Lecture 9. Motivation: ZK. Σ-Protocols
      Lecture 10. More Sigma-Protocols
      Lecture 11. More Sigma-Protocols. Interactive ZK

    2 Real Zero Knowledge
      Lecture 12. More Real ZK
      Lecture 13. Groth-Sahai Proofs
      Lecture 14. Sublinear ZK


    References I

    Blelloch, G. (1990). Vector Models for Data-Parallel Computing. MIT Press.

    Boneh, D. and Boyen, X. (2004). Short Signatures without Random Oracles. In Cachin, C. and Camenisch, J., editors, EUROCRYPT 2004, volume 3027 of LNCS, pages 56–73, Interlaken, Switzerland. Springer, Heidelberg.

    Camenisch, J., Chaabouni, R., and shelat, a. (2008). Efficient Protocols for Set Membership and Range Proofs. In Pieprzyk, J., editor, ASIACRYPT 2008, volume 5350 of LNCS, pages 234–252, Melbourne, Australia. Springer, Heidelberg.

    Canetti, R., Goldreich, O., and Halevi, S. (1998). The Random Oracle Methodology, Revisited. In Vitter, J. S., editor, STOC 1998, pages 209–218, Dallas, Texas, USA.

    Chaabouni, R., Lipmaa, H., and shelat, a. (2010). Additive Combinatorics and Discrete Logarithm Based Range Protocols. In Steinfeld, R. and Hawkes, P., editors, ACISP 2010, volume 6168 of LNCS, pages 336–351, Sydney, Australia. Springer, Heidelberg.


    References II

    Chaabouni, R., Lipmaa, H., and Zhang, B. (2012). A Non-Interactive Range Proof with Constant Communication. In Keromytis, A., editor, FC 2012, volume 7397 of LNCS, pages 179–199, Bonaire, The Netherlands. Springer, Heidelberg.

    Cramer, R., Damgård, I., and Schoenmakers, B. (1994). Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In Desmedt, Y. G., editor, CRYPTO 1994, volume 839 of LNCS, pages 174–187, Santa Barbara, USA. Springer, Heidelberg.

    Gennaro, R., Gentry, C., Parno, B., and Raykova, M. (2012). Quadratic Span Programs and Succinct NIZKs without PCPs. Technical Report 2012/215, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2012/215, last retrieved version from June 18, 2012.

    Goldwasser, S. and Kalai, Y. T. (2003). On the (In)security of the Fiat-Shamir Paradigm. In FOCS 2003, pages 102–113, Cambridge, MA, USA. IEEE Computer Society Press.

    Goldwasser, S., Micali, S., and Rackoff, C. (1985). The Knowledge Complexity of Interactive Proof-Systems. In Sedgewick, R., editor, STOC 1985, pages 291–304, Providence, Rhode Island, USA. ACM Press.


    References III

    Groth, J. (2010). Short Pairing-Based Non-interactive Zero-Knowledge Arguments. In Abe, M., editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 321–340, Singapore. Springer, Heidelberg.

    Groth, J., Ostrovsky, R., and Sahai, A. (2006). Perfect Non-Interactive Zero-Knowledge for NP. In Vaudenay, S., editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 338–359, St. Petersburg, Russia. Springer, Heidelberg.

    Groth, J. and Sahai, A. (2008). Efficient Non-interactive Proof Systems for Bilinear Groups. In Smart, N., editor, EUROCRYPT 2008, volume 4965 of LNCS, pages 415–432, Istanbul, Turkey. Springer, Heidelberg.

    Lipmaa, H. (2012). Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. In Cramer, R., editor, TCC 2012, volume 7194 of LNCS, pages 169–189, Taormina, Italy. Springer, Heidelberg.

    Lipmaa, H., Asokan, N., and Niemi, V. (2002). Secure Vickrey Auctions without Threshold Trust. In Blaze, M., editor, FC 2002, volume 2357 of LNCS, pages 87–101, Southampton Beach, Bermuda. Springer, Heidelberg.


    References IV

    Lipmaa, H. and Zhang, B. (2012). New Non-Interactive Zero-Knowledge Subset Sum, Decision Knapsack And Range Arguments. Technical Report 2012/548, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2012/548.

    Pedersen, T. P. (1991). Non-Interactive And Information-Theoretic Secure Verifiable Secret Sharing. In Feigenbaum, J., editor, CRYPTO 1991, volume 576 of LNCS, pages 129–140, Santa Barbara, California, USA. Springer, Heidelberg, 1992.

    Pratt, V. R. and Stockmeyer, L. J. (1976). A Characterization of the Power of Vector Machines. Journal of Computer and System Sciences, 12(2):198–221.

    Rial, A., Kohlweiss, M., and Preneel, B. (2009). Universally Composable Adaptive Priced Oblivious Transfer. In Shacham, H. and Waters, B., editors, Pairing 2009, volume 5671 of LNCS, pages 231–247, Palo Alto, CA, USA. Springer, Heidelberg.

    Scafuro, A. and Visconti, I. (2012). On Round-Optimal Zero Knowledge in the Bare Public-Key Model. In Pointcheval, D. and Johansson, T., editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 153–171, Cambridge, UK. Springer, Heidelberg.


    Lecture 9. Motivation: ZK. Σ-Protocols Lecture 10. More Sigma-Protocols Lecture 11. More Sigma-Protocols. Interactive ZK

    Lecture 9. Motivation: ZK. Σ-Protocols

    Original ZK paper: [Goldwasser et al., 1985]. Important Σ-protocol paper: [Cramer et al., 1994].


    On Notation

    • We have always precisely specified the randomizers. It should be very clear by now how to pick them, etc.
    • To ease notation, we will from now on often omit randomizers (and public keys).
    • Notation: [x] means an encryption of x under a pk, understood from context and usually a fresh public key.
    • For example, [x + y] ← [x][y] means that one obtains an encryption of x + y by multiplying encryptions of x and y, and then rerandomizing the result.


    Recap: Multiple-Candidate Elections

    $V$ voters $0, \dots, V-1$; $\gamma$ candidates $0, \dots, \gamma-1$.

    Parties: Voter $V_i$ (holds $\mathsf{pk}$ and vote $c_i \in \mathbb{Z}_\gamma$), Vote Collector VC (holds $\mathsf{pk}$), Tallier (holds $\mathsf{sk}$).

    • Voter $V_i$: let $[C_i] \leftarrow [(V+1)^{c_i}]$. Sends $[C_i]$, signed by $V_i$, to VC.
    • VC: if the signature is ok, $[C_\Sigma] \leftarrow \prod_{i=0}^{V-1} [C_i]$. Sends $[C_\Sigma]$, signed by VC, to the Tallier.
    • Tallier: if the signature is ok, $T \leftarrow D_{\mathsf{sk}}([C_\Sigma])$. Write $T = \sum_j T_j (V+1)^j$ and output $(T_{\gamma-1}, \dots, T_0)$.


    Security of MCE: Semihonest model

    Assume parties follow the protocol. . .

    • Voter privacy: VC sees only ciphertexts
    • Correctness:
      • Verification of signatures guarantees that inputs come from the correct parties
      • VC verifies that no voter votes twice, etc.
      • Summation/decryption yield the correct tally due to the previous discussion


    Security of MCE: Malicious model

    • Voter privacy: can be breached if VC and tallier collaborate, otherwise not
      • Organizational means
      • Outside of scope right now (e.g., use multiparty computation)
    • Correctness:
      • Voter $i$ can encrypt $100\,(V+1)^{c_i}$; this counts as 100 votes for $c_i$
      • VC can discard votes, modify votes, compute the sum incorrectly
      • Tallier can decrypt incorrectly
      • We will deal with this part
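An added toy run of the MCE recap above and of the malicious-model ballot from this slide (example code, not from the lecture): ballots are Paillier encryptions of $(V+1)^{c_i}$, the VC multiplies them, the tallier decrypts and reads off the base-$(V+1)$ digits. The key (two small constructed primes), the digit-sum sanity check and all function names are my own assumptions.

```python
import math
import secrets

# Constructed toy Paillier key (two small primes): far too small for real use.
P, Q = 10007, 10009
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lambda = lcm(p-1, q-1)
MU = pow((pow(N + 1, LAM, N2) - 1) // N, -1, N)     # mu = L(g^lambda mod n^2)^-1 mod n

def enc(m):
    """[m]: Paillier encryption of m under pk = N with a fresh randomizer r."""
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return pow(N + 1, m, N2) * pow(r, N, N2) % N2

def dec(c):
    """D_sk([m]): decryption with the tallier's sk = (LAM, MU)."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def ballot(c_i, V, weight=1):
    """Voter V_i sends [C_i] = [(V+1)^{c_i}]; weight != 1 models the slide's 100-vote ballot."""
    return enc(weight * (V + 1) ** c_i)

def collect(ballots):
    """VC: [C_Sigma] <- prod_i [C_i]; multiplying ciphertexts adds plaintexts."""
    c_sigma = 1
    for b in ballots:
        c_sigma = c_sigma * b % N2
    return c_sigma

def tally(c_sigma, V, gamma):
    """Tallier: T <- D_sk([C_Sigma]); write T = sum_j T_j (V+1)^j and
    return (T_{gamma-1}, ..., T_0) together with the raw T."""
    T = dec(c_sigma)
    digits, rest = [], T
    for _ in range(gamma):
        digits.append(rest % (V + 1))
        rest //= V + 1
    return tuple(reversed(digits)), T

def tally_plausible(digits, T, V, gamma):
    """Only check available without per-ballot ZK proofs: exactly V votes counted and T
    fits in gamma digits. It catches some cheating but cannot say which voter cheated."""
    return sum(digits) == V and T < (V + 1) ** gamma

def run_election(votes, gamma, weights=None):
    """One protocol run; returns (tally digits, plausible?)."""
    V = len(votes)
    weights = weights or [1] * V
    digits, T = tally(collect(ballot(c, V, w) for c, w in zip(votes, weights)), V, gamma)
    return digits, tally_plausible(digits, T, V, gamma)
```

With five honest voters the tally decodes cleanly; one voter submitting the 100-weight ballot produces digits that no longer sum to $V$, so the cheat is noticed but the honest votes are lost, which is exactly what the per-ballot proofs of the following lectures fix.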


    Semisimulatability is not an option

    • By using previous techniques for semisimulatability, VC would “randomize” an incorrect ballot $C_i$
    • But then $C_\Sigma$ is also random, and thus tallying is impossible if at least one voter cheats
    • While “if some voter cheats, tallying does not succeed” can be seen as some kind of security guarantee, it is not sufficient
    • We want: if a voter cheats, it is detected. One can still tally the honest votes
