Honest-Verifier Zero Knowledge / Real Zero Knowledge
MTAT.07.014 Cryptographic Protocols
Helger Lipmaa
University of Tartu
MTAT.07.014 Cryptographic Protocols, L9+. Last modified: December 17, 2012
Helger Lipmaa MTAT.07.014 Cryptographic Protocols
Outline
1. Honest-Verifier Zero Knowledge
   Lecture 9. Motivation: ZK. Σ-Protocols
   Lecture 10. More Sigma-Protocols
   Lecture 11. More Sigma-Protocols. Interactive ZK
2. Real Zero Knowledge
   Lecture 12. More Real ZK
   Lecture 13. Groth-Sahai Proofs
   Lecture 14. Sublinear ZK
References
Blelloch, G. (1990). Vector Models for Data-Parallel Computing. MIT Press.
Boneh, D. and Boyen, X. (2004). Short Signatures without Random Oracles. In Cachin, C. and Camenisch, J., editors, EUROCRYPT 2004, volume 3027 of LNCS, pages 56–73, Interlaken, Switzerland. Springer, Heidelberg.
Camenisch, J., Chaabouni, R., and shelat, a. (2008). Efficient Protocols for Set Membership and Range Proofs. In Pieprzyk, J., editor, ASIACRYPT 2008, volume 5350 of LNCS, pages 234–252, Melbourne, Australia. Springer, Heidelberg.
Canetti, R., Goldreich, O., and Halevi, S. (1998). The Random Oracle Methodology, Revisited. In Vitter, J. S., editor, STOC 1998, pages 209–218, Dallas, Texas, USA.
Chaabouni, R., Lipmaa, H., and shelat, a. (2010). Additive Combinatorics and Discrete Logarithm Based Range Protocols. In Steinfeld, R. and Hawkes, P., editors, ACISP 2010, volume 6168 of LNCS, pages 336–351, Sydney, Australia. Springer, Heidelberg.
Chaabouni, R., Lipmaa, H., and Zhang, B. (2012). A Non-Interactive Range Proof with Constant Communication. In Keromytis, A., editor, FC 2012, volume 7397 of LNCS, pages 179–199, Bonaire, The Netherlands. Springer, Heidelberg.
Cramer, R., Damgård, I., and Schoenmakers, B. (1994). Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In Desmedt, Y. G., editor, CRYPTO 1994, volume 839 of LNCS, pages 174–187, Santa Barbara, USA. Springer, Heidelberg.
Gennaro, R., Gentry, C., Parno, B., and Raykova, M. (2012). Quadratic Span Programs and Succinct NIZKs without PCPs. Technical Report 2012/215, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2012/215, last retrieved version from June 18, 2012.
Goldwasser, S. and Kalai, Y. T. (2003). On the (In)security of the Fiat-Shamir Paradigm. In FOCS 2003, pages 102–113, Cambridge, MA, USA. IEEE Computer Society Press.
Goldwasser, S., Micali, S., and Rackoff, C. (1985). The Knowledge Complexity of Interactive Proof-Systems. In Sedgewick, R., editor, STOC 1985, pages 291–304, Providence, Rhode Island, USA. ACM Press.
Groth, J. (2010). Short Pairing-Based Non-interactive Zero-Knowledge Arguments. In Abe, M., editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 321–340, Singapore. Springer, Heidelberg.
Groth, J., Ostrovsky, R., and Sahai, A. (2006). Perfect Non-Interactive Zero-Knowledge for NP. In Vaudenay, S., editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 338–359, St. Petersburg, Russia. Springer, Heidelberg.
Groth, J. and Sahai, A. (2008). Efficient Non-interactive Proof Systems for Bilinear Groups. In Smart, N., editor, EUROCRYPT 2008, volume 4965 of LNCS, pages 415–432, Istanbul, Turkey. Springer, Heidelberg.
Lipmaa, H. (2012). Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. In Cramer, R., editor, TCC 2012, volume 7194 of LNCS, pages 169–189, Taormina, Italy. Springer, Heidelberg.
Lipmaa, H., Asokan, N., and Niemi, V. (2002). Secure Vickrey Auctions without Threshold Trust. In Blaze, M., editor, FC 2002, volume 2357 of LNCS, pages 87–101, Southampton Beach, Bermuda. Springer, Heidelberg.
Lipmaa, H. and Zhang, B. (2012). New Non-Interactive Zero-Knowledge Subset Sum, Decision Knapsack And Range Arguments. Technical Report 2012/548, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2012/548.
Pedersen, T. P. (1991). Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Feigenbaum, J., editor, CRYPTO 1991, volume 576 of LNCS, pages 129–140, Santa Barbara, California, USA. Springer, Heidelberg, 1992.
Pratt, V. R. and Stockmeyer, L. J. (1976). A Characterization of the Power of Vector Machines. Journal of Computer and System Sciences, 12(2):198–221.
Rial, A., Kohlweiss, M., and Preneel, B. (2009). Universally Composable Adaptive Priced Oblivious Transfer. In Shacham, H. and Waters, B., editors, Pairing 2009, volume 5671 of LNCS, pages 231–247, Palo Alto, CA, USA. Springer, Heidelberg.
Scafuro, A. and Visconti, I. (2012). On Round-Optimal Zero Knowledge in the Bare Public-Key Model. In Pointcheval, D. and Johansson, T., editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 153–171, Cambridge, UK. Springer, Heidelberg.
Part 1: Lecture 9. Motivation: ZK. Σ-Protocols / Lecture 10. More Sigma-Protocols / Lecture 11. More Sigma-Protocols. Interactive ZK
Lecture 9. Motivation: ZK. Σ-Protocols
Original ZK paper: [Goldwasser et al., 1985].
Important Σ-protocol paper: [Cramer et al., 1994].
On Notation
We have always precisely specified the randomizers; it should be very clear by now how to pick them. To ease notation we will from now on often omit randomizers (and public keys).
Notation: [x] means an encryption of x under a public key pk that is understood from context, usually with fresh randomness.
For example, [x + y] ← [x]·[y] means that one obtains an encryption of x + y by multiplying encryptions of x and y and then rerandomizing the result.
Recap: Multiple-Candidate Elections
V voters 0, …, V−1; γ candidates 0, …, γ−1.
Parties: Voter V_i (has pk and choice c_i ∈ Z_γ), Vote Collector VC (has pk), Tallier (has sk).
Voter V_i: [C_i] ← [(V+1)^{c_i}]; sends [C_i], signed by V_i, to VC.
VC: if the signature is ok, [C_Σ] ← ∏_{i=0}^{V−1} [C_i]; sends [C_Σ], signed by VC, to the Tallier.
Tallier: if the signature is ok, T ← D_sk([C_Σ]); write T = Σ_j T_j (V+1)^j with 0 ≤ T_j ≤ V; output (T_{γ−1}, …, T_0).
Security of MCE: Semihonest model
Assume parties follow the protocol…
Voter privacy: VC sees only ciphertexts.
Correctness:
  Verification of signatures guarantees that inputs come from the correct parties.
  VC verifies that no voter votes twice, etc.
  Summation and decryption yield the correct tally, by the previous discussion.
Security of MCE: Malicious model
Voter privacy: can be breached if VC and the tallier collaborate, otherwise not.
  Handled by organizational means; outside of scope right now (e.g., use multiparty computation).
Correctness:
  Voter i can encrypt 100·(V+1)^{c_i}; this counts as 100 votes for c_i.
  VC can discard votes, modify votes, or compute the sum incorrectly.
  Tallier can decrypt incorrectly.
  We will deal with this part.
Semisimulatability is not an option
By using the previous techniques for semisimulatability, VC would “randomize” an incorrect ballot C_i.
But then C_Σ is also random, and thus tallying is impossible if at least one voter cheats.
While “if some voter cheats, tallying does not succeed” can be seen as some kind of security guarantee, it is not sufficient.
We want: if a voter cheats, it is detected, and one can still tally the honest votes.
Kinds of Cheating, 1
Voter can “cheat” by outputting [C_i] where C_i ∉ {(V+1)^j : j ∈ Z_γ}.
VC can cheat by not summing correctly.
  Easier to deal with: VC posts the encrypted signed ballots together with the sum (signed by VC) on a bulletin board. (In fact not so easy…)
  Everybody checks that those votes belong to the correct voters and that every voter has cast at most one ballot. Every voter checks that their vote is there. Everybody checks that the sum is correct.
Tallier can cheat by decrypting incorrectly.
Kinds of Cheating, 2
Voter can “cheat” by outputting [C_i] with C_i ∉ {(V+1)^j : j ∈ Z_γ}.
  Voter must prove that C_i is correct, without revealing C_i.
Tallier can cheat by decrypting incorrectly.
  Tallier must prove that the decryption is correct, without revealing his secret key.
Zero-Knowledge Proofs of Correctness
General idea: to achieve security in the malicious model, all parties prove the correctness of all their steps.
Zero-knowledge proof, informally:
  Between a prover and a verifier (potentially many verifiers).
  Completeness: an honest verifier accepts an honest prover.
  Soundness: if an honest verifier accepts, then the prover is honest (the statement is true).
  Zero-knowledge: even a malicious verifier learns nothing else but the truth of the statement.
Soundness and zero-knowledge are intuitively inconsistent requirements.
Simulatability
Intuitive meaning: the verifier can reconstruct what she sees in the protocol, given her legal output (protocol accepts or not) and her inputs.
More technically: since we can't force the verifier, we design a simulator who does it on her behalf.
Since the simulator can create the prover's messages without knowing the prover's secrets, the prover's privacy is protected.
The simulator must be more powerful than the real prover; otherwise the real prover could cheat (produce accepting transcripts without the secret).
Non-Interactive Protocols
All parties have access to a common reference string CRS.
The simulator can create the CRS with a trapdoor that enables him to extract the prover's secrets.
In the real protocol, the CRS is generated by a trusted third party; the verifier cannot extract. Realistic, but introduces a “trust assumption”.
Not the “standard model”.
Interactive Protocols
In the proof of soundness, an “extractor” can rewind the prover, get the prover's messages with the same prover randomness, and extract the prover's secrets.
In the real protocol, the prover replies with different randomness; the verifier cannot extract his secrets. Realistic, no trust assumptions.
Standard model.
Interactivity is bad…
Extraction and Proofs of Knowledge
In addition to soundness as before, we often want to prove that the prover really knows what “he is talking about”.
A proof that an encrypted candidate is correct convinces the verifier of correctness, but she is not sure that the prover actually knows what has been encrypted.
A proof of knowledge also convinces her that the prover knows the candidate.
The prover “knows” the candidate if he can output the candidate.
Since we cannot force the prover, we construct a new machine, the extractor, which by manipulating the prover outputs his secrets.
Σ-Protocols
3-message protocols where the prover starts.
The second message, by the verifier, is completely random (“public coin”).
The verifier either accepts or rejects.
Completeness plus special versions of soundness and zero-knowledge.
Proof of knowledge: special soundness with extractability.
Usable in identification protocols, zero-knowledge, …
Schnorr’s Identification Protocol I
The prover wants to prove he is authorized for some task, without revealing his credentials.
More precisely: assume the verifier has the prover's public key pk, and the prover wants to prove he knows the corresponding secret key sk (he is the owner of sk).
Cyclic group of order q, generator g.
sk ← Z_q, pk ← g^sk.
Schnorr’s Identification Protocol II
Prover (sk)                                  Verifier (pk)
r ← Z_q, a ← g^r
                        a ──────────────▶
                                             c ← {0,1}^κ
                        ◀────────────── c
z ← c·sk + r
                        z ──────────────▶
                                             Accept iff pk^c · a = g^z
Schnorr’s ID Protocol: Completeness
An honest verifier always accepts an honest prover:
pk^c · a = g^{c·sk + r} = g^z.
Thus the honest verifier accepts the honest prover.
Special Soundness
Special soundness: assume the extractor can rewind the prover once, so that the second time the prover starts with the same randomness (same first message a) while the verifier uses a different challenge, and the prover convinces the verifier both times. Then the extractor can extract the prover's secret.
Or:
There exists an efficient algorithm (extractor) that, given two accepting views (a, c, z) and (a, c*, z*) with c ≠ c*, outputs the prover's secret.
Stronger than standard soundness.
Schnorr’s ID Protocol: Special Soundness
Assume the verifier accepts the views (a, c, z) and (a, c*, z*), where c ≠ c*.
pk^c · a = g^z and pk^{c*} · a = g^{z*}
pk^{c−c*} = g^{z−z*}
pk = g^{(z−z*)/(c−c*)}
sk = (z − z*)/(c − c*) mod q
(The division is in Z_q, so c − c* must be invertible modulo q; with c, c* < 2^κ ≤ q and c ≠ c* this always holds.)
The extractor has recovered sk!
Honest-Verifier Special ZK
SHVZK: ZK if the verifier is honest (second message completely random).
Required: one can simulate an accepting (a, c, z) by first creating a completely random (c, z) and then creating a such that the view (a, c, z) is accepted.
Thus if c is random, z must be random.
Both weaker (only honest verifiers) and stronger (the simulator works for any given c, chosen before a) than standard ZK.
Intuition: to achieve real ZK, in an upper-level protocol the verifier first commits to c.
Schnorr’s ID Protocol: SHVZK
The simulator creates random c ← {0,1}^κ, z ← Z_q.
From the verification equation pk^c · a = g^z, the simulator sets a ← g^z · pk^{−c}. Thus (a, c, z) is accepting.
As in the real protocol, (a, c, z) is completely random modulo the verification equation.
Real protocol: c is random and r ← Z_q is uniform, so z = c·sk + r is uniform in Z_q (for any c and sk), and a = g^r = g^z · pk^{−c} is determined by (c, z). Hence real and simulated views have the same distribution.
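Schnorr's protocol from the slides above, as an added example that is not part of the lecture notes: an executable version with the three moves, the special-soundness extractor (rewinding the prover to the same a and asking two challenges) and the SHVZK simulator. The group parameters (p = 2039, q = 1019, g = 4), the choice of challenges from Z_q instead of {0,1}^κ, and all function names are assumptions of the example; the parameters are far too small to be secure and only serve to make the algebra checkable.

```python
import random

# Toy Schnorr group (assumption of this example, far too small for real use):
# p = 2q + 1 with p, q prime; G generates the subgroup of order Q in Z_P^*.
P, Q, G = 2039, 1019, 4


def gexp(base: int, e: int) -> int:
    """base^e mod P; exponents live in Z_Q, so a negative e is reduced mod Q."""
    return pow(base, e % Q, P)


def keygen(rng: random.Random):
    sk = rng.randrange(1, Q)
    return sk, gexp(G, sk)                    # (sk, pk = g^sk)


# --- the three moves of the Sigma-protocol -------------------------------
def prover_commit(rng: random.Random):
    r = rng.randrange(Q)
    return r, gexp(G, r)                      # keep r as state, send a = g^r


def verifier_challenge(rng: random.Random) -> int:
    return rng.randrange(Q)                   # public coin (Z_Q here, not {0,1}^kappa)


def prover_respond(sk: int, r: int, c: int) -> int:
    return (c * sk + r) % Q                   # z = c*sk + r


def verify(pk: int, a: int, c: int, z: int) -> bool:
    return gexp(pk, c) * a % P == gexp(G, z)  # pk^c * a == g^z ?


def run_protocol(sk: int, pk: int, rng: random.Random):
    """Honest execution; returns the view (a, c, z) and the verifier's verdict."""
    r, a = prover_commit(rng)
    c = verifier_challenge(rng)
    z = prover_respond(sk, r, c)
    return (a, c, z), verify(pk, a, c, z)


# --- special soundness: two accepting views with the same a ----------------
def extract(a: int, c: int, z: int, c_star: int, z_star: int) -> int:
    """sk = (z - z*)/(c - c*) mod Q; the division needs c != c* (mod Q)."""
    if (c - c_star) % Q == 0:
        raise ValueError("challenges must differ modulo Q")
    return (z - z_star) * pow(c - c_star, -1, Q) % Q


def rewind(sk: int, pk: int, rng: random.Random) -> int:
    """Rewind the prover to the same r (same a) and answer two challenges."""
    r, a = prover_commit(rng)
    c1, c2 = 3, 17                            # any two distinct challenges
    z1, z2 = prover_respond(sk, r, c1), prover_respond(sk, r, c2)
    if not (verify(pk, a, c1, z1) and verify(pk, a, c2, z2)):
        raise AssertionError("honest views must verify")
    return extract(a, c1, z1, c2, z2)


# --- SHVZK: an accepting view produced without sk --------------------------
def simulate(pk: int, rng: random.Random):
    """Pick (c, z) first, then solve the verification equation for a."""
    c, z = rng.randrange(Q), rng.randrange(Q)
    a = gexp(G, z) * gexp(pk, -c) % P         # a = g^z * pk^{-c}
    return a, c, z


def demo(seed: int = 1):
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    _, accepted = run_protocol(sk, pk, rng)
    a, c, z = simulate(pk, rng)
    return accepted, rewind(sk, pk, rng) == sk, verify(pk, a, c, z)


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The two properties that matter for the prover are visible in the code: `extract` recovers sk from any two accepting views that share a (so a prover who can answer two challenges for one a must know sk), while `simulate` produces views that `verify` accepts without ever touching sk, which is why a single view leaks nothing.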
Lecture 10. More Sigma-Protocols
Recap: Schnorr’s ID Protocol
Another interpretation: the prover proves she knows the DL of pk.
We denote this as PK(sk : pk = g^sk).
As we saw, Schnorr's protocol is complete, specially sound, and SHVZK. It is also a proof of knowledge.
Not every ZK protocol is a POK, but special soundness implies extractability.
Proof: Elgamal plaintext is 0
Cyclic group of order q, generator g.
sk ← Z_q, pk ← h = g^sk.
Ciphertext (lifted Elgamal): C = (g^m h^r, g^r).
Proof goal: C = (C1, C2) = (h^r, g^r) for some r. In fact a POK: the prover knows such an r, PK(r : (C1, C2) = (h^r, g^r)).
Proof idea:
  she proves in parallel that she knows the DL of both C1 (to base h) and C2 (to base g);
  equality of the two DLs is achieved by using the same (c, z) in both cases.
Proof: Elgamal plaintext is 0
Prover (h, g, C1, C2; r)                          Verifier (h, g, C1, C2)
r' ← Z_q, (a1, a2) ← (h^{r'}, g^{r'})
                  (a1, a2) ─────────────────▶
                                                   c ← {0,1}^κ
                  ◀───────────────────────── c
z ← c·r + r'
                  z ───────────────────────▶
                                                   Accept iff C1^c · a1 = h^z and C2^c · a2 = g^z
Completeness
C1^c · a1 = h^{c·r + r'} = h^z,  C2^c · a2 = g^{c·r + r'} = g^z.
Special Soundness
Two views ((a1, a2), c, z) and ((a1, a2), c*, z*), such that
C1^c · a1 = h^z,  C2^c · a2 = g^z,
C1^{c*} · a1 = h^{z*},  C2^{c*} · a2 = g^{z*}.
C1^{c−c*} = h^{z−z*}, thus log_h C1 = (z − z*)/(c − c*) =: r.
C2^{c−c*} = g^{z−z*}, thus log_g C2 = (z − z*)/(c − c*) =: r.
The extractor recovers r such that (C1, C2) = (h^r, g^r).
SHVZK
The simulator creates c ← {0,1}^κ, z ← Z_q.
He generates (a1, a2) such that the verification holds:
  C1^c · a1 = h^z:  a1 ← h^z · C1^{−c}
  C2^c · a2 = g^z:  a2 ← g^z · C2^{−c}
Clearly ((a1, a2), c, z) has the same distribution as in the real protocol: all elements are random modulo the verification equations.
Generalization: AND Proofs of Knowledge
If we have PKs for two predicates P1 and P2, we construct a PK for P1 ∧ P2 as follows:
  The prover constructs the first messages a1 ← PK(P1) and a2 ← PK(P2), and sends (a1, a2) to the verifier.
  The verifier replies with a single c ← {0,1}^κ.
  The prover constructs z1 and z2 such that (a_i, c, z_i) is an accepting PK for P_i. He sends (z1, z2) to the verifier.
  The verifier verifies both (a1, c, z1) and (a2, c, z2).
Exercise: prove completeness, special soundness, SHVZK.
PK(r : (C1, C2) = E_pk(1; r) = (g·h^r, g^r))
Prover (h, g, C1, C2; r)                          Verifier (h, g, C1, C2)
r' ← Z_q, (a1, a2) ← (h^{r'}, g^{r'})
                  (a1, a2) ─────────────────▶
                                                   c ← {0,1}^κ
                  ◀───────────────────────── c
z ← c·r + r'
                  z ───────────────────────▶
                                                   Accept iff (C1/g)^c · a1 = h^z and C2^c · a2 = g^z
Security proof: straightforward (it is the previous proof applied to the shifted ciphertext (C1/g, C2), which encrypts 0 iff (C1, C2) encrypts 1).
PK: Plaintext is Boolean
Proof goal: (C1, C2) encrypts either 0 or 1, without revealing which case is true.
PK(r : (C1, C2) = E_pk(0; r) ∨ (C1, C2) = E_pk(1; r))
Needed when the protocol is private/correct only if the prover has encrypted a binary input.
Idea:
  One of the two cases must be true.
  The prover executes this case as normally.
  The prover simulates the second case as the SHVZK simulator.
  The verifier's c is split into two parts, one to be used in either case.
  The second part is the one the prover chose himself before the proof (in the simulation); the first part is truly random.
PK: Plaintext is Boolean // Encrypts 0
Prover (h, g, C1, C2; r)                                   Verifier (h, g, C1, C2)
r' ← Z_q, (a11, a12) ← (h^{r'}, g^{r'})
c2 ← {0,1}^κ, z2 ← Z_q, a21 ← h^{z2} · (C1/g)^{−c2}, a22 ← g^{z2} · C2^{−c2}
                  (a11, a12, a21, a22) ─────────────▶
                                                            c ← {0,1}^κ
                  ◀───────────────────────────────── c
c1 ← c − c2 mod 2^κ, z1 ← c1·r + r'
                  (c1, z1, z2) ─────────────────────▶
                                                            Set c2 ← c − c1 mod 2^κ. Accept iff
                                                            C1^{c1} · a11 = h^{z1}, C2^{c1} · a12 = g^{z1},
                                                            (C1/g)^{c2} · a21 = h^{z2}, and C2^{c2} · a22 = g^{z2}
Completeness
Equations 1/2 hold since Schnorr's ID proof is complete:
C1^{c1} · a11 = (h^r)^{c1} · h^{r'} = h^{c1·r + r'} = h^{z1} (and similarly C2^{c1} · a12 = g^{z1}).
Equations 3/4 hold since the proof (C1, C2) = E_pk(1; r) is SHVZK:
(C1/g)^{c2} · a21 = (C1/g)^{c2} · h^{z2} · (C1/g)^{−c2} = h^{z2} (and similarly C2^{c2} · a22 = g^{z2}).
The dual case (C encrypts 1) is similar.
Special Soundness
Let ((a11, a12, a21, a22), c, (c1, z1, z2)) and ((a11, a12, a21, a22), c*, (c1*, z1*, z2*)) be accepting with c ≠ c*. Since c = c1 + c2 and c* = c1* + c2* (mod 2^κ), at least one of c1 ≠ c1* and c2 ≠ c2* holds.
Case c1 ≠ c1*:
C1^{c1} · a11 = h^{z1} and C1^{c1*} · a11 = h^{z1*}, thus C1^{c1−c1*} = h^{z1−z1*}, thus log_h C1 = (z1 − z1*)/(c1 − c1*) =: r.
C2^{c1} · a12 = g^{z1} and C2^{c1*} · a12 = g^{z1*}, thus C2^{c1−c1*} = g^{z1−z1*}, thus log_g C2 = (z1 − z1*)/(c1 − c1*) =: r.
So (C1, C2) = (h^r, g^r), i.e., C encrypts 0.
Case c2 ≠ c2* is dual: the same computation with (C1/g, C2), (a21, a22) and (z2, z2*) gives r with (C1, C2) = (g·h^r, g^r), i.e., C encrypts 1.
SHVZK
One half of the argument can be simulated since PK(C1 = E_pk(0; r)) is SHVZK. The second half is a simulation by itself!
Simulation algorithm:
  c, c2 ← {0,1}^κ; z1, z2 ← Z_q; c1 ← c − c2 mod 2^κ;
  a11 ← h^{z1} · C1^{−c1};
  a12 ← g^{z1} · C2^{−c1};
  a21 ← h^{z2} · (C1/g)^{−c2};
  a22 ← g^{z2} · C2^{−c2}.
Generalization: OR of two POKs
Let P1 and P2 be two predicates; we want to prove P1 ∨ P2.
Assume P1 is true (the dual case is similar):
  The prover simulates the P2 case by using a random c2, creating (a2, c2, z2).
  The prover creates a1 as in the POK for P1, and sends (a1, a2) to the verifier.
  After receiving c, the prover sets c1 ← c − c2 mod 2^κ and generates z1 as in the POK for P1.
  The prover sends (c1, z1, z2) to the verifier.
  The verifier sets c2 ← c − c1 mod 2^κ and checks both proofs.
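The plaintext-is-0 / plaintext-is-1 Σ-protocol and the OR composition (plaintext is Boolean) from the slides above, as an added example that is not part of the lecture notes. It uses the same toy group as the Schnorr example; lifted Elgamal, challenges in Z_q, and a challenge split c1 = c − c2 mod q (rather than mod 2^κ) are assumptions of the example, and the function names are its own. The demo also makes the soundness error of the OR proof concrete: a prover whose ciphertext encrypts 2 passes only if the verifier's challenge happens to equal the c2 he fixed while simulating the other branch.

```python
import random

# Toy group and lifted Elgamal (assumptions of this example; not secure).
P, Q, G = 2039, 1019, 4


def gexp(b: int, e: int) -> int:
    return pow(b, e % Q, P)


def keygen(rng: random.Random):
    sk = rng.randrange(1, Q)
    return sk, gexp(G, sk)                          # h = g^sk


def enc(h: int, m: int, r: int):
    """Lifted Elgamal: E_pk(m; r) = (g^m h^r, g^r)."""
    return (gexp(G, m) * gexp(h, r) % P, gexp(G, r))


def shifted(C, v: int):
    """(C1/g^v, C2): encrypts 0 iff C encrypts v (homomorphic shift)."""
    return (C[0] * gexp(G, -v) % P, C[1])


# --- PK(r : C = E_pk(v; r)): Schnorr on bases h and g with one shared (c, z) --
def commit_v(h: int, rng: random.Random):
    rp = rng.randrange(Q)                            # r'
    return rp, (gexp(h, rp), gexp(G, rp))            # state, (a1, a2)


def respond_v(r: int, rp: int, c: int) -> int:
    return (c * r + rp) % Q                          # z = c*r + r'


def verify_v(h: int, C, v: int, a, c: int, z: int) -> bool:
    D1, D2 = shifted(C, v)
    return (gexp(D1, c) * a[0] % P == gexp(h, z)
            and gexp(D2, c) * a[1] % P == gexp(G, z))


def simulate_v(h: int, C, v: int, c: int, z: int):
    """SHVZK simulator: for a given (c, z) solve both equations for (a1, a2)."""
    D1, D2 = shifted(C, v)
    return (gexp(h, z) * gexp(D1, -c) % P, gexp(G, z) * gexp(D2, -c) % P)


# --- OR composition: C encrypts 0 or C encrypts 1 ---------------------------
def bool_commit(h: int, C, m: int, rng: random.Random):
    """Run the branch for the real bit m; simulate the branch for 1 - m."""
    rp, a_real = commit_v(h, rng)
    c_sim, z_sim = rng.randrange(Q), rng.randrange(Q)  # fixed before seeing c
    a_sim = simulate_v(h, C, 1 - m, c_sim, z_sim)
    msg = (a_real, a_sim) if m == 0 else (a_sim, a_real)  # ordered (branch 0, branch 1)
    return (m, rp, c_sim, z_sim), msg


def bool_respond(r: int, state, c: int):
    """Split c: the simulated branch keeps c_sim, the real one gets c - c_sim."""
    m, rp, c_sim, z_sim = state
    c_real = (c - c_sim) % Q
    z_real = respond_v(r, rp, c_real)
    # wire format (c_0, z_0, z_1); the verifier recomputes c_1 = c - c_0
    return (c_real, z_real, z_sim) if m == 0 else (c_sim, z_sim, z_real)


def bool_verify(h: int, C, msg, c: int, resp) -> bool:
    (a0, a1), (c0, z0, z1) = msg, resp
    c1 = (c - c0) % Q
    return verify_v(h, C, 0, a0, c0, z0) and verify_v(h, C, 1, a1, c1, z1)


def run_bool_proof(h: int, C, m: int, r: int, rng: random.Random) -> bool:
    state, msg = bool_commit(h, C, m, rng)
    c = rng.randrange(Q)
    return bool_verify(h, C, msg, c, bool_respond(r, state, c))


def demo(seed: int = 1):
    rng = random.Random(seed)
    _, h = keygen(rng)
    r = rng.randrange(Q)
    ok0 = run_bool_proof(h, enc(h, 0, r), 0, r, rng)
    ok1 = run_bool_proof(h, enc(h, 1, r), 1, r, rng)
    # Cheating prover: C encrypts 2, but he runs the "m = 0" branch for real.
    C2 = enc(h, 2, r)
    state, msg = bool_commit(h, C2, 0, rng)
    c_sim = state[2]
    guessed = bool_verify(h, C2, msg, c_sim, bool_respond(r, state, c_sim))
    c_other = (c_sim + 1) % Q
    caught = not bool_verify(h, C2, msg, c_other, bool_respond(r, state, c_other))
    return ok0, ok1, guessed, caught


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

`guessed` is True because with c = c_sim the real branch receives the challenge 0, which any first message satisfies; for every other challenge the cheat is detected, so the soundness error is one over the size of the challenge space, exactly as for the underlying Schnorr-type proof.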
Recap
We know how to construct secure Σ-protocols for a simple primitive operation like knowledge of a DL.
We know how to construct Σ-protocols for the AND and OR of simpler Σ-protocols.
We can use AND and OR recursively many times to construct a POK for any formula of the type (P1 ∧ P2) ∨ P3 ∨ …
Plus we can use homomorphic properties (e.g., PK(r : c = E_pk(1; r)) was obtained from the plaintext-is-0 proof by shifting c).
Surprisingly powerful tools…
More Complex Example: Range Proof
In MC elections, correctness was guaranteed only if the encrypted votes belonged to [0, γ−1] = {0, …, γ−1}.
Range proof: show that an encrypted value belongs to some public interval [L, H].
A well-studied research problem, also by us: our newest paper on this topic [Chaabouni et al., 2012] was published at Financial Cryptography 2012.
Range Proof with Lifted Elgamal
Simple example: for some t > 1, PK(m, r : c = E_pk(m; r) ∧ m ∈ [0, 2^t − 1]).
Write m = Σ_{i=0}^{t−1} 2^i m_i with m_i ∈ {0, 1}.
The prover sets c_i = E_pk(m_i; r_i). Note that c ← ∏_{i=0}^{t−1} c_i^{2^i} = E_pk(Σ_i 2^i m_i; …).
The prover proves PK((m_i, r_i)_{i=0}^{t−1} : ∧_{i=0}^{t−1} (c_i = E_pk(m_i; r_i) ∧ (m_i = 0 ∨ m_i = 1))); then D_sk(c) ∈ [0, 2^t − 1].
It is easy to write down the precise Σ-protocol based on what we have already seen during this and the previous lecture.
General Range Proof
PK(m, r : c = E_pk(m; r) ∧ m ∈ [L, H])
Since we use a homomorphic cryptosystem, we can instead show PK(m, r : c' = E_pk(m; r) ∧ m ∈ [0, H − L]) for c' ← c · E_pk(−L; 0), i.e., c = c' · E_pk(L; 0).
Let t be such that 2^{t−1} < H − L + 1 ≤ 2^t.
Clearly m ∈ [0, H − L] iff m ∈ [0, 2^t − 1] and H − L − m ∈ [0, 2^t − 1].
Construct two range proofs for [0, 2^t − 1] (for c' and for E_pk(H − L; 0)/c') and then AND them.
More Efficient General Range Proof
Previous slide: need 2 special range proofs (2t Boolean proofs).
Easier way [Lipmaa et al., 2002, Chaabouni et al., 2010]:
m ∈ [0, H] iff m = Σ_{i=0}^{⌊log2 H⌋} ⌊(H + 2^i)/2^{i+1}⌋ · m_i for some m_i ∈ {0, 1}
(only ⌊log2 H⌋ + 1 Boolean proofs; the coefficients sum to H).
For example, H = 9 gives the coefficients 5, 2, 1, 1: m ∈ [0, 9] iff m = m1 + m2 + 2m3 + 5m4 for some m_i ∈ {0, 1}.

m1  m2  m3  m4  | m1 + m2 + 2m3 + 5m4
 0   0   0   0  |  0
 1   0   0   0  |  1
 0   1   0   0  |  1
 1   1   0   0  |  2
 …   …   …   …  |  …
 1   1   1   1  |  9
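Both range decompositions from the last three slides (the two-proof approach for [0, 2^t − 1] and the ⌊(H + 2^i)/2^{i+1}⌋ coefficients of [Lipmaa et al., 2002]), as an added example that is not from the lecture notes: it computes the coefficients, the greedy bit assignment a prover would use to write m as a 0/1 combination of them, and checks by brute force for small H that the subset sums are exactly {0, …, H}. Function names are the example's own; the greedy-works argument in the comment is the author's, not the slides'.

```python
from itertools import product


def naive_t(L: int, H: int) -> int:
    """Smallest t with H - L + 1 <= 2^t (so 2^(t-1) < H - L + 1 <= 2^t)."""
    n = H - L + 1
    return max(1, (n - 1).bit_length())


def naive_covers(L: int, H: int) -> bool:
    """m in [L,H] iff m-L in [0,2^t-1] and H-m in [0,2^t-1]: brute-force check."""
    t = naive_t(L, H)
    hi = 2 ** t - 1
    return all((L <= m <= H) == (0 <= m - L <= hi and 0 <= H - m <= hi)
               for m in range(L - hi - 1, H + hi + 2))


def lan_coefficients(H: int) -> list:
    """G_i = floor((H + 2^i) / 2^(i+1)) for i = 0..floor(log2 H).
    Since floor(x + 1/2) = floor(2x) - floor(x), G_i = floor(H/2^i) - floor(H/2^(i+1)),
    so the list is non-increasing and telescopes to sum(G_i) = H."""
    if H < 0:
        raise ValueError("H must be non-negative")
    return [(H + 2 ** i) // 2 ** (i + 1) for i in range(H.bit_length())]


def lan_decompose(H: int, m: int) -> list:
    """Bits m_i with m = sum G_i m_i, taken greedily from the largest coefficient.
    Greedy works because G_i <= 1 + sum of the later coefficients (they sum to
    floor(H/2^(i+1)) and G_i = ceil(floor(H/2^i)/2))."""
    if not 0 <= m <= H:
        raise ValueError("m out of range")
    bits, rest = [], m
    for Gi in lan_coefficients(H):
        take = 1 if rest >= Gi else 0
        bits.append(take)
        rest -= take * Gi
    if rest != 0:
        raise AssertionError("decomposition failed")
    return bits


def lan_covers(H: int) -> bool:
    """Subset sums of the coefficients are exactly {0, ..., H}."""
    Gs = lan_coefficients(H)
    sums = {sum(gi * b for gi, b in zip(Gs, bits))
            for bits in product((0, 1), repeat=len(Gs))}
    return sums == set(range(H + 1))


def proof_sizes(L: int, H: int):
    """Number of Boolean (OR) proofs: naive 2t versus floor(log2(H-L)) + 1."""
    return 2 * naive_t(L, H), len(lan_coefficients(H - L))


if __name__ == "__main__":
    print(lan_coefficients(9), lan_decompose(9, 7), proof_sizes(0, 9))
```

For the slide's H = 9 the coefficients are [5, 2, 1, 1], so a vote in [0, 9] needs four Boolean proofs instead of the eight (2t with t = 4) of the two-proof construction; the encrypted bits are then recombined by the verifier as ∏ c_i^{G_i}, exactly as ∏ c_i^{2^i} on the binary-decomposition slide.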
Lecture 11. More Σ-Protocols. Interactive ZK
More Σ-protocols.
Some basic interactive ZK. (Some of it will probably be left for the next lecture.)
From the next lecture: pitfalls of interactive ZK. Non-interactive ZK.
Proof of Plaintext Knowledge
We want to avoid a prover blindly copying (and modifying) another party's ciphertext without knowing what is inside.
Auctions: I take your ciphertext and multiply it with E_pk(1), resulting in your price + 1. I win, and pay the minimal possible amount.
E-voting: I copy (or flip) Justin Bieber's ballot, voting for the same (or the opposite) candidate without knowing who that candidate is.
PK(m, r : c = E_pk(m; r)); earlier m was known: PK(r : c = E_pk(m; r)).
Proof of Plaintext Knowledge
Prover (h, g, C1, C2; m, r)                          Verifier (h, g, C1, C2)
m', r' ← Z_q, (a1, a2) ← (g^{m'} h^{r'}, g^{r'})
                  (a1, a2) ─────────────────▶
                                                       c ← {0,1}^κ
                  ◀───────────────────────── c
z_m ← c·m + m', z_r ← c·r + r'
                  (z_m, z_r) ───────────────▶
                                                       Accept iff C1^c · a1 = g^{z_m} h^{z_r} and C2^c · a2 = g^{z_r}
Completeness
C1^c · a1 = (g^m h^r)^c · g^{m'} h^{r'} = g^{c·m + m'} h^{c·r + r'} = g^{z_m} h^{z_r}
C2^c · a2 = (g^r)^c · g^{r'} = g^{c·r + r'} = g^{z_r}
Special Soundness
C1^c · a1 = g^{z_m} h^{z_r} and C1^{c*} · a1 = g^{z_m*} h^{z_r*} for c ≠ c*, thus C1^{c−c*} = g^{z_m − z_m*} h^{z_r − z_r*}, thus
C1 = g^{(z_m − z_m*)/(c − c*)} h^{(z_r − z_r*)/(c − c*)}.
C2^c · a2 = g^{z_r} and C2^{c*} · a2 = g^{z_r*} for c ≠ c*, thus C2^{c−c*} = g^{z_r − z_r*}, thus C2 = g^{(z_r − z_r*)/(c − c*)}.
Thus (C1, C2) = (g^m h^r, g^r) for m = (z_m − z_m*)/(c − c*) and r = (z_r − z_r*)/(c − c*).
Proof of Plaintext Knowledge: SHVZK
As always: choose random c, z_m, z_r.
Select a1, a2 that satisfy the verification equations: a1 ← g^{z_m} h^{z_r} · C1^{−c}, a2 ← g^{z_r} · C2^{−c}.
Another Primitive POK: Multiplication
Lifted Elgamal
Assume the prover needs to prove that $D_{sk}(C_1) \cdot D_{sk}(C_2) = D_{sk}(C_3)$
$PK(m_1, m_2, r_1, r_2, r_3 : C_1 = E_{pk}(m_1; r_1) \wedge C_2 = E_{pk}(m_2; r_2) \wedge C_3 = E_{pk}(m_1 m_2; r_3))$
Idea: prover shows that $C_3 / C_2^{m_1}$ encrypts 0
The proof will be somewhat different from the previous ones since (say) $m_2$ will not be extractable from it: thus not a complete proof of knowledge
POK: Multiplication
Prover $(h, g, C_1, C_2, C_3;\ m_1, m_2, r_1, r_2, r_3)$ | Verifier $(h, g, C_1, C_2, C_3)$
Prover: let $m_1', r_1', r_2' \leftarrow \mathbb{Z}_q$, $a_1 \leftarrow E_{pk}(m_1'; r_1')$, $a_2 \leftarrow E_{pk}(m_1' m_2; r_2')$
Prover → Verifier: $(a_1, a_2)$
Verifier: $c \leftarrow \{0,1\}^\kappa$
Verifier → Prover: $c$
Prover: $m_1'' \leftarrow c \cdot m_1 + m_1'$, $r_1'' \leftarrow c \cdot r_1 + r_1'$, $r_2'' \leftarrow m_1'' \cdot r_2 - (c \cdot r_3 + r_2')$
Prover → Verifier: $(m_1'', r_1'', r_2'')$
Verifier: accept if $C_1^c \cdot a_1 = E_{pk}(m_1''; r_1'')$ and $C_2^{m_1''} \cdot (C_3^c \cdot a_2)^{-1} = E_{pk}(0; r_2'')$
Multiplication POK: Completeness
$C_1^c \cdot a_1 = E_{pk}(c m_1; c r_1) \cdot E_{pk}(m_1'; r_1') = E_{pk}(m_1''; r_1'')$
$C_2^{m_1''} \cdot (C_3^c \cdot a_2)^{-1} = E_{pk}(m_1'' m_2; m_1'' r_2) \cdot E_{pk}(-c m_1 m_2; -c r_3) \cdot E_{pk}(-m_1' m_2; -r_2') = E_{pk}(0; m_1'' r_2 - c r_3 - r_2') = E_{pk}(0; r_2'')$
Multiplication POK: Special Soundness
$C_1^c \cdot a_1 = E_{pk}(m_1''; r_1'')$ and $C_1^{c^*} \cdot a_1 = E_{pk}((m_1'')^*; (r_1'')^*)$ for $c \ne c^*$, thus $C_1^{c - c^*} = E_{pk}(m_1'' - (m_1'')^*; r_1'' - (r_1'')^*)$, and thus $C_1 = E_{pk}(m_1; r_1)$ with $m_1 \leftarrow (m_1'' - (m_1'')^*)/(c - c^*)$ and $r_1 \leftarrow (r_1'' - (r_1'')^*)/(c - c^*)$
$C_2^{m_1''} \cdot (C_3^c \cdot a_2)^{-1} = E_{pk}(0; r_2'')$ and $C_2^{(m_1'')^*} \cdot (C_3^{c^*} \cdot a_2)^{-1} = E_{pk}(0; (r_2'')^*)$ for $c \ne c^*$, thus
$C_2^{m_1'' - (m_1'')^*} \cdot C_3^{c^* - c} = E_{pk}(0; r_2'' - (r_2'')^*)$. Thus
$C_3 = C_2^{(m_1'' - (m_1'')^*)/(c - c^*)} \cdot E_{pk}(0; ((r_2'')^* - r_2'')/(c - c^*)) = C_2^{m_1} \cdot E_{pk}(0; \cdots)$
Therefore $C_1 = E_{pk}(m_1; r_1)$ and $C_3 / C_2^{m_1}$ encrypts 0
Remark on POK
Note: we did not extract $(m_2, r_2, m_3, r_3)$, but this can be done separately if needed
To be specific, we just have $PK(m_1, r_1, r' : C_1 = E_{pk}(m_1; r_1) \wedge C_3 = C_2^{m_1} \cdot E_{pk}(0; r'))$
Multiplication POK: SHVZK
Straightforward, like in the case of all previous Σ-protocols
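The multiplication POK above, as an added example (not from the lecture) in the same toy group as before; besides the honest run it also lets the prover follow the protocol for a $C_3$ that does not encrypt $m_1 m_2$, so that the second verification equation fails. Group parameters and the 8-bit challenge are illustration-only assumptions.

```python
# Added example (not from the lecture slides): multiplication POK for lifted
# Elgamal.  The second response r2'' = m1''*r2 - (c*r3 + r2') is what makes
# C2^{m1''} / (C3^c a2) an encryption of 0 with known randomness.
import secrets

P, Q, G = 2039, 1019, 4          # toy order-Q subgroup of Z_P^*
KAPPA = 8


def enc(h, m, r):
    """Lifted Elgamal E_pk(m; r) = (g^m h^r, g^r)."""
    return (pow(G, m, P) * pow(h, r, P) % P, pow(G, r, P))


def ct_mul(x, y):
    """Homomorphic product of two ciphertexts."""
    return (x[0] * y[0] % P, x[1] * y[1] % P)


def ct_pow(x, e):
    """Ciphertext raised to a scalar (negative e gives the inverse)."""
    return (pow(x[0], e, P), pow(x[1], e, P))


def prove_commit(h, m2):
    """Step 1: a1 = E(m1'; r1'), a2 = E(m1' m2; r2')."""
    m1p, r1p, r2p = (secrets.randbelow(Q) for _ in range(3))
    a1 = enc(h, m1p, r1p)
    a2 = enc(h, m1p * m2 % Q, r2p)
    return (m1p, r1p, r2p), (a1, a2)


def prove_respond(state, wit, c):
    """Step 3: (m1'', r1'', r2'') as on the slide."""
    m1p, r1p, r2p = state
    m1, m2, r1, r2, r3 = wit
    m1pp = (c * m1 + m1p) % Q
    r1pp = (c * r1 + r1p) % Q
    r2pp = (m1pp * r2 - (c * r3 + r2p)) % Q
    return (m1pp, r1pp, r2pp)


def verify(h, cts, a, c, z):
    """C1^c a1 == E(m1''; r1'') and C2^{m1''} (C3^c a2)^-1 == E(0; r2'')."""
    C1, C2, C3 = cts
    a1, a2 = a
    m1pp, r1pp, r2pp = z
    ok1 = ct_mul(ct_pow(C1, c), a1) == enc(h, m1pp, r1pp)
    lhs = ct_mul(ct_pow(C2, m1pp), ct_pow(ct_mul(ct_pow(C3, c), a2), -1))
    return ok1 and lhs == enc(h, 0, r2pp)


def run(h, m1, m2, r1, r2, r3, m3=None, c=None):
    """One protocol run.  With m3=None, C3 encrypts m1*m2 (honest case);
    otherwise C3 encrypts m3 and the prover follows the protocol anyway.
    c=None draws the challenge at random, a fixed c makes the run repeatable."""
    m3 = m1 * m2 % Q if m3 is None else m3
    cts = (enc(h, m1, r1), enc(h, m2, r2), enc(h, m3, r3))
    state, a = prove_commit(h, m2)
    c = secrets.randbelow(2 ** KAPPA) if c is None else c
    z = prove_respond(state, (m1, m2, r1, r2, r3), c)
    return verify(h, cts, a, c, z)
```

With a wrong $C_3$ the quotient encrypts $c \cdot (m_1 m_2 - m_3)$ instead of 0, so the check fails for every challenge $c \ne 0$.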
Σ-Protocols and Paillier/DJ
Most of the protocols work unchanged in the case of Paillier, but one has to consider a few things
Obviously one must use the correct groups, and multiplicative notation for randomnesses
It must be the case that $2^\kappa$ is smaller than the smallest factor of the modulus $n$: otherwise it may happen that $c \ne c^*$, but $\gcd(c - c^*, n) \ne 1$ and thus $c - c^*$ is not invertible
Verifier must check that all elements returned by the prover in step 3 are coprime to $n$: otherwise such an element times a non-zero $1/(c - c^*)$ might be 0
Lecture 12. More Real ZKLecture 13. Groth-Sahai ProofsLecture 14. Sublinear ZK
Real Zero Knowledge
Real Zero Knowledge
Σ-protocols are 3-message, public-coin, specially sound, special honest verifier ZK protocols
In real life, the verifier is not honest and may choose her message depending on the first message of the prover
We promised (orally) that this can be solved by letting the verifier first commit to her message
This should also explain why we need special soundness, special HVZK
Commitment Schemes
Assume that the system parameters (group, generator, ...) are fixed as $gk$
Efficient algorithm $Com(m; \cdot)$: chooses first a random $r$, then outputs $(c, d) \leftarrow Com(m; r)$ where $c$ is the commitment and $d$ is the state
Efficient algorithm $Open(c, d)$: given $c$ and $d$, outputs $m$ and $r$ such that $c = Com(m; r)$
We usually assume that $d = (m, r)$ and Open just outputs the $d$ that corresponds to this $c$.
Kind of like a public-key encryption scheme without decryption
Perfectly Binding Commitment Schemes
Perfect Binding: for any $(m_1, r_1, m_2, r_2)$ with $m_1 \ne m_2$, $Com(m_1; r_1) \ne Com(m_2; r_2)$
Semantics: after committing to some value, the commitment unambiguously binds the plaintext
Computational Hiding: for random $r_1, r_2$, the distributions $Com(m_1; R)$ and $Com(m_2; R)$ are polynomial-time indistinguishable
Semantics: seeing $c$ does not give any information about $m$ to a polynomial-time adversary
IND-CPA Cryptosystem is PBCS
Assume that the system parameters and the public key $pk$ are given as $gk$
Secret key is not known to anybody.
Commitment: $Com(m; \cdot)$ chooses a random $r$ for $Enc_{pk}$ and outputs $Enc_{pk}(m; r)$. The state is $d = (m, r)$
Open: $Open(c, d)$ outputs $d = (m, r)$. Verifier checks that $c = Enc_{pk}(m; r)$
Example: consider Elgamal
IND-CPA Cryptosystem is PBCS
Perfect binding: follows from the fact that $pk$ uniquely fixes $sk$, and that decryption always succeeds
If $c = Enc_{pk}(m_1; r_1) = Enc_{pk}(m_2; r_2)$, then $Dec_{sk}(c) = m_1 = m_2$, thus $m_1 = m_2$
Computational hiding: follows from the IND-CPA security
If one can guess $m$ from $Com(m; r) = Enc_{pk}(m; r)$, then one can break the cryptosystem.
Perfectly Hiding Commitment Schemes
Computational Binding: it is computationally hard to output $(m_1, r_1, m_2, r_2)$ such that $m_1 \ne m_2$ and $Com(m_1; r_1) = Com(m_2; r_2)$
Semantics: after committing to some value it is difficult to open the commitment to another value
Perfect Hiding: the distributions $Com(m_1; R)$ and $Com(m_2; R)$ are equal
Semantics: seeing $c$ does not give any information about $m$
Pedersen Commitment
Fix a cyclic group $\mathbb{G}$ of prime order $q$, generators $g, h$; nobody knows $\log_g h$
Commitments and randomnesses come from $\mathbb{Z}_q$
Com: to commit to $m \in \mathbb{Z}_q$, choose $r \leftarrow \mathbb{Z}_q$, and set $Com(m; r) \leftarrow g^m h^r$. Save $d \leftarrow (m, r)$
$Open(c, (m, r))$: output $m, r$
Kind of like Elgamal but without decryption ability
Proposed in [Pedersen, 1991]
Pedersen Commitment is Perfectly Hiding
Proof Sketch:
Fix any $m$ and thus $g^m$
Since $r \leftarrow \mathbb{Z}_q$, $h^r$ is a random element of $\mathbb{G}$ (in a cyclic group, fixed element times random element = random element)
For fixed $m$, the distribution of $g^m h^r$ is the uniform distribution on $\mathbb{G}$, thus it does not depend on $m$
Pedersen Commitment is Comp. Binding
Proof
Assume $A$ is an adversary that can break the binding property in time $\tau$, with probability $\varepsilon$
Construct the next adversary $A'$ that computes DL in $\mathbb{G}$:
Challenger sends to $A'$ a random element $h \leftarrow \mathbb{G}$
$A'$ sends $g, h$ to $A$
$A$ returns $m_1, r_1, m_2, r_2$ such that $m_1 \ne m_2$ and thus $r_1 \ne r_2$, but $g^{m_1} h^{r_1} = g^{m_2} h^{r_2}$
But then $\log_g h = (m_2 - m_1)/(r_1 - r_2)$: $A'$ has computed the DL of $h$
Can’t get PB and PH
PB: assume that $Com(m_1; r_1) \ne Com(m_2; r_2)$ for any $m_1 \ne m_2$
Then clearly the distributions $Com(m_1; \ldots)$ and $Com(m_2; \ldots)$ are not equal: they can be distinguished by an omnipotent adversary
Reminder: Zero-Knowledge
Complete: honest prover convinces honest verifier. Σ-Protocol: same
Sound: dishonest prover has negligible chance to convince honest verifier
Σ-Protocol: stronger (special soundness). One can extract the prover's secret after two successful runs / one successful rewind
ZK: simulator can simulate what the verifier sees, without knowing the prover's secret inputs
Σ-Protocol: stronger (special) and weaker (HV): simulator can simulate what the honest verifier sees, without knowing the prover's secret inputs, by first choosing random second/third messages
“Straightforward” 4-Message ZKPOK
Prover $(st = \text{statement}, w)$ | Verifier
Verifier: let $c \leftarrow \{0,1\}^{80}$, $r \leftarrow R_c$, $(C, d) \leftarrow Com(c; r)$
Verifier → Prover: $C$
Prover: let $a$ be the first message of the Σ-protocol
Prover → Verifier: $a$
Verifier → Prover: $(c, r)$
Prover: if $C \ne Com(c; r)$ halt; let $z = z(st, w, a, c)$
Prover → Verifier: $z$
Verifier: accept if the Σ-protocol would have accepted
Theorem. Assume the Σ-protocol is complete, specially sound, and SHVZK for language $L$. Assume that the commitment scheme is computationally binding, perfectly hiding, and trapdoor. Then the straightforward 4-message protocol is a complete, computationally sound and perfectly zero-knowledge proof of knowledge for language $L$.
We are going to define "trapdoor" commitments during the proof. We will first show that this protocol satisfies the other properties, explain why it is not zero-knowledge, and then propose a modified scheme.
S.f. 4-message ZKPOK is Complete
Follows from the description, since Σ-protocolis complete
S.f. 4-message ZKPOK is Sound
We construct an extractor that, after rewinding the malicious prover twice, retrieves the prover's secret
The proof only works with a computationally binding commitment scheme
Extractor must be able to compute $c \ne c^*$ such that $Com(c; r) = Com(c^*; r^*)$
Since the commitment is computationally binding, the extractor needs some extra power
Trapdoor commitment: given some trapdoor $td$, one can compute $Com(0; r)$ and later open it to any value
Pedersen commitment: $td = x$ where $h = g^x$
Construction of Extractor
Prover $(gk;\ st = \text{statement}, w)$ | Extractor $(gk, td;\ st, w)$
Extractor: let $c, c^* \leftarrow \{0,1\}^{80}$, $r \leftarrow R_c$, $(C, d) \leftarrow Com(c; r)$; choose $r^*$ such that $C = Com(c^*; r^*)$
Extractor → Prover: $C$
Prover: let $a$ be the first message of the Σ-protocol
Prover → Extractor: $a$
Step 1. Extractor → Prover: $(c, r)$
Prover: if $C \ne Com(c; r)$ halt; let $z = z(st, w, a, c)$
Prover → Extractor: $z$
Rewind the prover to step 1. Extractor → Prover: $(c^*, r^*)$
Prover: if $C \ne Com(c^*; r^*)$ halt; let $z^* = z(st, w, a, c^*)$
Prover → Extractor: $z^*$
Extractor: reject if $(a, c, z)$ or $(a, c^*, z^*)$ is not accepting; otherwise use the extractor of the Σ-protocol to obtain $w$
4-message ZKPOK is Sound
If $h = g^x$ then $g^c h^r = g^{c + xr} = g^{c^* + xr^*} = g^{c^*} h^{r^*}$
$r^* = (c - c^*)/x + r$
Knowing $(c, c^*, r, r^*)$ means one can compute $x \leftarrow (c - c^*)/(r^* - r)$
Extractability assumption is necessary
Since Com is perfectly hiding, the prover does not have any information about $c$ while sending $a$: $a$ and $c$ are mutually independent
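Pedersen commitment as an added example (not from the lecture), tying together the Pedersen slides, the binding-to-DL reduction and the trapdoor equivocation $r^* = (c - c^*)/x + r$ used by the extractor above; the toy group parameters are illustration-only assumptions.

```python
# Added example (not from the lecture slides): Pedersen commitment over a toy
# order-Q group, with the two facts the slides prove: (1) a binding break
# yields log_g h, and (2) whoever knows the trapdoor x (h = g^x) can open a
# commitment to any value, and two such openings give x back.
import secrets

P, Q, G = 2039, 1019, 4          # toy order-Q subgroup of Z_P^*


def setup():
    """CRS (g, h = g^x); x is the trapdoor known only to simulator/extractor."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit(h, m, r=None):
    """Com(m; r) = g^m h^r; returns (c, d) with state d = (m, r)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, m, P) * pow(h, r, P) % P, (m, r)


def open_ok(h, c, d):
    """Verifier's side of Open: recompute the commitment from (m, r)."""
    m, r = d
    return c == pow(G, m, P) * pow(h, r, P) % P


def dlog_from_collision(m1, r1, m2, r2):
    """Adversary A' from the 'Comp. Binding' proof: a collision
    g^m1 h^r1 = g^m2 h^r2 with m1 != m2 gives log_g h = (m2 - m1)/(r1 - r2)."""
    return (m2 - m1) * pow((r1 - r2) % Q, -1, Q) % Q


def equivocate(x, c_val, r, c_star):
    """Trapdoor opening: Com(c; r) = Com(c*; r*) for r* = (c - c*)/x + r."""
    return ((c_val - c_star) * pow(x, -1, Q) + r) % Q


def demo_equivocation(c_val, c_star):
    """Commit to c_val, open the same C to c_star with the trapdoor, and
    check that the pair of openings is exactly a binding break that
    leaks x.  Returns three booleans that should all be True."""
    x, h = setup()
    C, (_, r) = commit(h, c_val)
    r_star = equivocate(x, c_val, r, c_star)
    both_open = open_ok(h, C, (c_val, r)) and open_ok(h, C, (c_star, r_star))
    # x = (c - c*)/(r* - r), as on the slide '4-message ZKPOK is Sound'
    recovered = (c_val - c_star) * pow((r_star - r) % Q, -1, Q) % Q
    via_reduction = dlog_from_collision(c_val, r, c_star, r_star)
    return both_open, recovered == x, via_reduction == x
```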
4-message ZKPOK is Sound
After rewinding, the extractor obtains two accepting views $(a, c, z)$ and $(a, c^*, z^*)$ with $c \ne c^*$
Thus he can use the special soundness extractor of the Σ-protocol to recover $w$
4-message ZKPOK is ZK
The view is $(C, a, (c, r), z)$.
Since we have a Σ-protocol, the verifier obtains any advantage only if $c$ depends on $a$
But $c$ is chosen and committed to before $a$ was chosen
Thus, if Com is computationally binding and the Σ-protocol is HVZK, the 4-message protocol is perfectly ZK
For a formal proof we need to be able to simulate the prover's messages
4-message ZKPOK: Simulator?
The simulator has to simulate the prover's conversation in the ZK proof, without knowing the prover's input
In the SHVZK case it was easy: since $c$ was random, the simulator started by generating $c$
If the verifier is malicious, the simulator does not know $c$ before she sees it
Moreover, we only assume we are given an underlying Σ-protocol for $L$. There the simulator must start from creating $c$
4-message ZKPOK: Simulator?
Exercise: come up with a way how to use that simulator in our case. Modifying the 4-message ZKPOK is allowed, but try to be as efficient as possible.
Hint: consider the extra powers the simulator has here.
Will give an answer later.
Lecture 12. More Real ZK
Reminder: 4-Message ZKPOK
Prover $(st = \text{statement}, w)$ | Verifier
Verifier: let $c \leftarrow \{0,1\}^{80}$, $r \leftarrow R_c$, $(C, d) \leftarrow Com(c; r)$
Verifier → Prover: $C$
Prover: let $a$ be the first message of the Σ-protocol
Prover → Verifier: $a$
Verifier → Prover: $(c, r)$
Prover: if $C \ne Com(c; r)$ halt; let $z = z(st, w, a, c)$
Prover → Verifier: $z$
Verifier: accept if the Σ-protocol would have accepted
Reminder: Problem with ZK
To prove that this protocol is ZK, we need to construct a simulator
In the Σ-protocol, this was easy: $c$ was guaranteed to be random, $z$ was constructed to be random. The simulator always constructed first random $(c, z)$ and then constructed $a$ that made the verification accept. The simulator's extra power: construct messages out of order
Here the first message is the commitment $C$, which is not random
The simulator must construct messages in order, thus she must have some other extra power
Knowledge of Trapdoor
Extra power: knowledge of a trapdoor, that is, the commitment trapdoor
We have seen it before: the extractor in the same construction has this power. Given the trapdoor, the extractor can create $C$ first and then open it to any message $c$ of his choosing later
Here we need to use the trapdoor differently: the simulator impersonates the prover, not the verifier, thus the simulator does not create the commitment
The thing we can use: the simulator $S_\Sigma$ of the Σ-protocol. We do not know anything else about $S_\Sigma$ except that he can simulate $(a, c, z)$ out of order
Idea: Use OR Proofs
We let the prover prove that either the statement is true, or he knows the trapdoor
Since the prover does not know the trapdoor, the verifier is convinced the statement is true
The simulator can simulate it, by knowing the trapdoor
Recall OR proofs: the "not true" part was run by having $S_\Sigma$ first generate $(c, z)$
$POK(x, w : h = g^x \vee st(w))$
Prover $(pk, st = \text{statement};\ w)$ | Verifier $(pk, st)$
Verifier: let $c \leftarrow \{0,1\}^{80}$, $r \leftarrow R_c$, $(C, d) \leftarrow Com(c; r)$
Verifier → Prover: $C$
Prover: let $a_2$ be the first message of the Σ-protocol for $PK(st)$; let $(a_1, c_1, z_1) \leftarrow S_\Sigma(pk, [h = g^x])$
Prover → Verifier: $(a_1, a_2)$
Verifier → Prover: $(c, r)$
Prover: if $C \ne Com(c; r)$ halt; $c_2 \leftarrow c - c_1 \bmod 2^\kappa$; let $z_2 = z(st, w, a_2, c_2)$
Prover → Verifier: $(c_1, z_1, z_2)$
Verifier: $c_2 \leftarrow c - c_1 \bmod 2^\kappa$; accept if both $(a_1, c_1, z_1)$ and $(a_2, c_2, z_2)$ are accepting
Simulator
Simulator $(pk, st = \text{statement};\ x)$ | Verifier $(pk, st)$
Verifier: let $c \leftarrow \{0,1\}^{80}$, $r \leftarrow R_c$, $(C, d) \leftarrow Com(c; r)$
Verifier → Simulator: $C$
Simulator: let $a_1$ be the first message of the Σ-protocol for $[h = g^x]$; let $(a_2, c_2, z_2) \leftarrow S_\Sigma(pk, st(\cdots))$
Simulator → Verifier: $(a_1, a_2)$
Verifier → Simulator: $(c, r)$
Simulator: if $C \ne Com(c; r)$ halt; $c_1 \leftarrow c - c_2 \bmod 2^\kappa$; let $z_1 = z([h = g^x], x, a_1, c_1)$
Simulator → Verifier: $(c_1, z_1, z_2)$
Verifier: $c_2 \leftarrow c - c_1 \bmod 2^\kappa$; accept if both $(a_1, c_1, z_1)$ and $(a_2, c_2, z_2)$ are accepting
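The OR-proof 4-message ZKPOK above, instantiated (as an added example, not the lecture's code) with Schnorr's Σ-protocol for the statement $y = g^w$ and the trapdoor statement $h = g^x$; the verifier commits to its challenge with Pedersen $Com(c; r) = g^c h^r$, so the commitment trapdoor and the OR-branch witness are the same $x$. The toy group and 8-bit challenges are illustration-only assumptions.

```python
# Added example (not from the lecture slides): 4-message ZKPOK with the OR
# trick.  Both the honest prover (who knows w) and the simulator (who knows
# the CRS trapdoor x) produce accepting runs against the same verifier code.
import secrets

P, Q, G = 2039, 1019, 4          # toy order-Q subgroup of Z_P^*
KAPPA = 8                        # challenge bits; the slides use 80


def schnorr_commit():
    """First Sigma-protocol message for PK(w : pub = g^w)."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def schnorr_respond(r, wit, c):
    return (c * wit + r) % Q


def schnorr_simulate(pub):
    """S_Sigma: choose (c, z) first, then a = g^z * pub^-c."""
    c, z = secrets.randbelow(2 ** KAPPA), secrets.randbelow(Q)
    return pow(G, z, P) * pow(pub, -c, P) % P, c, z


def schnorr_accepts(pub, a, c, z):
    return pow(G, z, P) == pow(pub, c, P) * a % P


def pedersen(h, c, r):
    """Com(c; r) = g^c h^r, the verifier's challenge commitment."""
    return pow(G, c, P) * pow(h, r, P) % P


def or_proof(h, y, wit, knows_trapdoor):
    """One run of the 4-message protocol for POK(x, w : h = g^x OR y = g^w).
    The proving side holds w (knows_trapdoor=False, the real prover) or
    x (knows_trapdoor=True, the simulator).  Returns the verifier's decision."""
    # message 1: verifier commits to its challenge c
    c, r = secrets.randbelow(2 ** KAPPA), secrets.randbelow(Q)
    C = pedersen(h, c, r)
    # message 2: real first message for the branch whose witness is known,
    # simulated (a, c_i, z_i) for the other branch
    if knows_trapdoor:
        r1, a1 = schnorr_commit()
        a2, c2, z2 = schnorr_simulate(y)
    else:
        r2, a2 = schnorr_commit()
        a1, c1, z1 = schnorr_simulate(h)
    # message 3: verifier opens the commitment; proving side checks it
    if C != pedersen(h, c, r):
        return False
    # message 4: the real branch answers the complementary challenge
    if knows_trapdoor:
        c1 = (c - c2) % 2 ** KAPPA
        z1 = schnorr_respond(r1, wit, c1)
    else:
        c2 = (c - c1) % 2 ** KAPPA
        z2 = schnorr_respond(r2, wit, c2)
    # verifier: recompute c2 = c - c1 mod 2^kappa, both branches must accept
    c2_v = (c - c1) % 2 ** KAPPA
    return schnorr_accepts(h, a1, c1, z1) and schnorr_accepts(y, a2, c2_v, z2)


def demo():
    """(honest prover accepted, simulator accepted)."""
    x = secrets.randbelow(Q - 1) + 1          # CRS trapdoor, h = g^x
    h = pow(G, x, P)
    w = secrets.randbelow(Q - 1) + 1          # witness for y = g^w
    y = pow(G, w, P)
    return or_proof(h, y, w, False), or_proof(h, y, x, True)
```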
Security Result
Theorem. Assume the Σ-protocol is complete, specially sound, and SHVZK for language $L$. Assume that the commitment scheme is computationally binding, perfectly hiding, and trapdoor. Then the above 4-message protocol is a complete, computationally sound and perfectly zero-knowledge proof of knowledge for language $L$ in the CRS model.
One can avoid the CRS model. See the lecture notes at https://services.brics.dk/java/courseadmin/CPT/documents/getDocument/Sigma.pdf?d=53899
Reminder: CRS Model
CRS: an honestly generated string, public key + more
Trapdoor: secret key (+ more). Real participants do not know any trapdoors; the simulator knows the trapdoor and uses it to simulate the view of the verifier
We just constructed a 4-message perfect ZK POK in the CRS model
One can construct NIZK in the CRS model: 4-message ZK is not so useful, only to show how one constructs it from any Σ-protocol
The CRS model itself is sometimes seen as too strong
Jungle of Interactive ZK
Model/Assumptions: standard model, bare public key model, CRS model, random oracle model
Security definition: standalone/concurrent/UC security, resettable security, POK or not, perfect vs computational zero knowledge
Number of rounds: given model & definition, X rounds is necessary, we know how to do it with Y
It's a jungle, and not a pleasant one
Reminder: $PK(sk : pk = g^{sk})$
Prover $(sk)$ | Verifier $(pk)$
Prover: let $r \leftarrow \mathbb{Z}_q$, $a \leftarrow g^r$
Prover → Verifier: $a$
Verifier: $c \leftarrow \{0,1\}^\kappa$
Verifier → Prover: $c$
Prover: $z \leftarrow c \cdot sk + r$
Prover → Verifier: $z$
Verifier: accept if $pk^c \cdot a \stackrel{?}{=} g^z$
Prover $(sk)$ | Adversary $(pk)$ | Verifier $(pk)$
Prover: let $r \leftarrow \mathbb{Z}_q$, $a \leftarrow g^r$
Prover → Adversary: $a$
Adversary: $a' \leftarrow a \cdot g$
Adversary → Verifier: $a'$
Verifier: $c \leftarrow \{0,1\}^\kappa$
Verifier → Adversary → Prover: $c$
Prover: $z \leftarrow c \cdot sk + r$
Prover → Adversary: $z$
Adversary: $z' \leftarrow z + 1$
Adversary → Verifier: $z'$
Verifier: accept if $pk^c \cdot a' \stackrel{?}{=} g^{z'}$
$pk^c \cdot a' = pk^c \cdot a \cdot g = g^z \cdot g = g^{z+1} = g^{z'}$
Concurrent/UC ZK: Loopholes
The whole area is very complicated, since the attacker can mount many different sorts of attacks
The attacker can run several instantiations of (possibly different) protocols in parallel
She can delay messages, send them to wrong instantiations, modify them...
For a recent paper, see for example [Scafuro and Visconti, 2012]
Non-interactive zero knowledge is by default concurrent: you are done with one message, can't reorder it, etc.
Non-Interactive Zero-Knowledge
Non-Interactive Zero-Knowledge
NIZK: prover sends 1 message, everybody canlater check it in ZKWe constructed 4-message ZK protocols inCRS model
Interactive ZK possible also in the plain model
In practice, non-interactive ZK is betterExample, e-voting:
Tallier proves tally was done correctly. This shouldbe verifiable offline without interaction with tallierThe same with the provers proving their ballotswere correct
NIZK: Limitations
Simulator needs some advantage
Interactive ZK: the advantage can be the ability to reorder messages, which enables achieving standard model security
Non-interactive ZK: can't reorder, one message
It is known that standard model NIZK for non-trivial languages is impossible
Accepted trust assumption: CRS model
Alternative assumption: random oracle model
CRS Model with Commitments I
CRS is $gk$ of the commitment scheme
Simulator knows a trapdoor that allows him to open the same commitment to different values
Pedersen commitment: assume $h = g^x$
$Com(c; r) = g^c h^r = g^{c + xr}$
$C = Com(c; r) = Com(c^*; r^*)$ iff $c + rx = c^* + r^* x$
If the simulator knows $x, c, r$, he can open $Com(c; r)$ to $Com(c^*; r^*)$ by choosing $r^* \leftarrow ((c - c^*) + rx)/x$.
NIZK in CRS Model: state of the art
NIZK protocols in the CRS model are a very prolific recent research area
See [Groth et al., 2006, Groth and Sahai, 2008, Groth, 2010, Lipmaa, 2012] and eprint [Gennaro et al., 2012]
The machinery behind them is not very simple to explain
Based on pairings
Most efficient protocols use "knowledge assumptions"
Will tackle next time
NIZK: Random Oracle Model
Alternative to the CRS model
Assumes access to a random oracle: a completely random function
Pro: efficient protocols, simple proofs, easy to explain. Convenient abstraction
Con: random oracles do not exist, and there are protocols that are secure in ROM but not without ROM [Canetti et al., 1998]
In real life, one must use some instantiation of RO that may turn out to be insecure (the proof is not about instantiations)
Random Oracles, Primitively
Function $f : A \to B$ that is completely random
Description: $\log_2(|B|^{|A|}) = |A| \cdot \log_2 |B|$ bits, so the full description has exponential length
Can't be handled by polynomial-time machines
If $A = B = \{0,1\}^{80}$, then $80 \cdot 2^{80}$ bits
Random Oracles, Cleverer
We use $f$ as a black box. If we query $f(i)$, we get back:
$f(i)$ if $f(i)$ has been queried before
a uniformly random element of $B$ otherwise
The black box only memorizes the queries made
Main question: who will keep the black box?
Fiat-Shamir Heuristic
Prover $(C, w)$ | Verifier $(C)$
Prover: let $a \leftarrow a(C, w)$
Prover → Verifier: $a$
Verifier: $c \leftarrow \{0,1\}^\kappa$
Verifier → Prover: $c$
Prover: $z \leftarrow z(C, w, a, c)$
Prover → Verifier: $z$
Verifier: accept if $\mathrm{Acceptable}(a, c, z)$
Fiat-Shamir Heuristic
Prover $(C, w)$ | Verifier $(C)$
Prover: let $a \leftarrow a(C, w)$
Prover → Verifier: $a$
Verifier: $c \leftarrow RO(a)$
Verifier → Prover: $c$
Prover: $z \leftarrow z(C, w, a, c)$
Prover → Verifier: $z$
Verifier: accept if $\mathrm{Acceptable}(a, c, z)$
Fiat-Shamir Heuristic
Prover $(C, w)$ | Verifier $(C)$
Prover: let $a \leftarrow a(C, w)$, $c \leftarrow RO(a)$, $z \leftarrow z(C, w, a, c)$
Prover → Verifier: $(a, c, z)$
Verifier: $c \leftarrow RO(a)$; accept if $\mathrm{Acceptable}(a, c, z)$
Intuition
Since $a$ is random, there is a $poly(\kappa)/2^\kappa = negl(\kappa)$ chance that $RO(a)$ has been evaluated before
Thus, $RO(a)$ is random w.h.p. and does not depend on $a$
If the prover chooses the same $a$ as before, by special soundness the verifier can obtain his secrets. Thus the prover is motivated to choose a random $a$
Thus $(a, c, z)$ is an accepting view of the HV Σ-protocol, but the verifier can be malicious, thus it is ZK
Recap: Schnorr’s NI Id Protocol I
Prover wants to prove that he is authorized for some task, without revealing his credentials
More precisely: assume the verifier has public key $pk$, and the prover wants to prove he knows the corresponding secret key $sk$ (he is the owner of $sk$)
Cyclic group of order $q$, generator $g$
$sk \leftarrow \mathbb{Z}_q$, $pk \leftarrow g^{sk}$
Recap: Schnorr’s NI Id Protocol II
Prover $(sk)$ | Verifier $(pk)$
Prover: let $r \leftarrow \mathbb{Z}_q$, $a \leftarrow g^r$
Prover → Verifier: $a$
Verifier: $c \leftarrow \{0,1\}^\kappa$
Verifier → Prover: $c$
Prover: $z \leftarrow c \cdot sk + r$
Prover → Verifier: $z$
Verifier: accept if $pk^c \cdot a \stackrel{?}{=} g^z$
Schnorr’s NI Id Protocol
Prover $(sk)$ | Verifier $(pk)$
Prover: let $r \leftarrow \mathbb{Z}_q$, $a \leftarrow g^r$, $c \leftarrow RO(a)$, $z \leftarrow c \cdot sk + r$
Prover → Verifier: $(a, c, z)$
Verifier: accept if $pk^c \cdot a \stackrel{?}{=} g^z$
Further optimization
In all Σ-protocols, $a$ is uniquely fixed by $c$, $z$ and the acceptance condition
Thus no need to transfer $a$: $(c, z)$ is sufficient
Verifier can "recompute" $a$ from the verification equations, but then must check that $c$ is computed correctly
$pk^c \cdot a \stackrel{?}{=} g^z$ iff $a \stackrel{?}{=} g^z \cdot pk^{-c}$ iff $RO(a) \stackrel{?}{=} RO(g^z \cdot pk^{-c})$ iff $c = RO(g^z \cdot pk^{-c})$
Schnorr’s NI Id Protocol
Prover $(sk)$ | Verifier $(pk)$
Prover: let $r \leftarrow \mathbb{Z}_q$, $a \leftarrow g^r$, $c \leftarrow RO(a)$, $z \leftarrow c \cdot sk + r$
Prover → Verifier: $(c, z)$
Verifier: accept if $c \stackrel{?}{=} RO(g^z \cdot pk^{-c})$
Perfect Zero Knowledge: Proof
Simulator creates random $c, z$ and sets $a$ such that $(a, c, z)$ is accepting: $a \leftarrow g^z pk^{-c}$
If RO was queried with $g^z pk^{-c}$ before, abort; otherwise, set $RO(g^z pk^{-c}) := c$
$c, z$ are random, so RO still looks random: indistinguishable from a real random function (ability to program random oracles)
Abort probability: $poly(\kappa)/p$. The same in the interactive case: with probability $poly(\kappa)/p$, the verifier chooses an already used $c$, and then the prover can cheat. Thus this perfectly emulates the interactive case
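Schnorr's NI identification in the compressed $(c, z)$ form, together with the simulator that programs the random oracle, as an added example (not from the lecture). The dictionary-backed oracle, the SHA3 instantiation and the toy group are illustration-only assumptions.

```python
# Added example (not from the lecture slides): Fiat-Shamir applied to Schnorr.
# RandomOracle is the lazily sampled "black box" from the slides, with the
# programming hook the ZK simulator relies on; HashOracle is a concrete
# instantiation that verifies the same proofs but cannot be programmed.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4          # toy order-Q subgroup of Z_P^*
KAPPA = 8                        # challenge bits


class RandomOracle:
    """Lazy random function: fresh queries get a uniform value, repeats are
    answered from the table."""
    def __init__(self):
        self.table = {}

    def query(self, a):
        if a not in self.table:
            self.table[a] = secrets.randbelow(2 ** KAPPA)
        return self.table[a]

    def program(self, a, c):
        """Simulator's power: fix RO(a) := c, unless a was already queried."""
        if a in self.table:
            return False             # the simulator must abort here
        self.table[a] = c
        return True


class HashOracle(RandomOracle):
    """Instantiation with SHA3 (cf. 'More on Instantiating RO'): same
    interface, but nobody can program it."""
    def query(self, a):
        digest = hashlib.sha3_256(a.to_bytes(2, "big")).digest()
        return int.from_bytes(digest, "big") % 2 ** KAPPA

    def program(self, a, c):
        return False


def prove(ro, sk):
    """Prover: a = g^r, c = RO(a), z = c*sk + r; only (c, z) is sent."""
    r = secrets.randbelow(Q)
    a = pow(G, r, P)
    c = ro.query(a)
    return c, (c * sk + r) % Q


def verify(ro, pk, proof):
    """Verifier recomputes a = g^z pk^-c and checks c == RO(a)."""
    c, z = proof
    a = pow(G, z, P) * pow(pk, -c, P) % P
    return c == ro.query(a)


def simulate(ro, pk):
    """No sk: choose (c, z), set a = g^z pk^-c and program RO(a) := c.
    Returns None when the oracle was already fixed at a (abort case)."""
    c, z = secrets.randbelow(2 ** KAPPA), secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pk, -c, P) % P
    return (c, z) if ro.program(a, c) else None


def demo():
    """(real proof verifies, simulated proof verifies,
        real proof verifies with SHA3, simulation impossible with SHA3)."""
    sk = secrets.randbelow(Q - 1) + 1
    pk = pow(G, sk, P)
    ro = RandomOracle()
    real_ok = verify(ro, pk, prove(ro, sk))
    sim_ro = RandomOracle()           # simulator controls its own oracle
    sim_ok = verify(sim_ro, pk, simulate(sim_ro, pk))
    hro = HashOracle()
    hash_ok = verify(hro, pk, prove(hro, sk))
    return real_ok, sim_ok, hash_ok, simulate(hro, pk) is None
```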
More on Instantiating RO
Proofs go through only if RO is a random oracle
Since RO does not exist/is too long to forward, one needs to instantiate it with a real function, usually some hash function $H$, e.g., SHA3
Common paradigm in designing secure protocols
Unfortunately, it is known that there are cases [Canetti et al., 1998, Goldwasser and Kalai, 2003] where some protocol is secure in ROM, but insecure no matter which real function you replace RO with
NIZK/CRS is the way to go
Lecture 13. Groth-Sahai Proofs
Based on [Groth and Sahai, 2008].
Groth-Sahai Proofs
Pairing-based NIZK proofs in the CRS model
Efficient, but only for "group-specific" languages
In practice sufficient: one usually needs ZK proofs of the type
$C_1 = Com(m) \wedge C_2 = Com(r) \wedge X = g^m h^r \wedge Y = g^r$
$C_1 = Com(XY) \wedge C_2 = Com(X) \wedge C_3 = Com(Y)$, ...
Given pairings, one can use such a group-specific formula to write down also signatures, etc.
GS proofs use several new proof techniques:
dual-mode commitments: either perfectly binding or perfectly hiding; the two modes are indistinguishable
perfect soundness proof: in one mode
perfect ZK proof: in the other mode
Dual-Mode Commitment
A commitment scheme cannot be simultaneously perfectly hiding and perfectly binding. Dual-mode commitment:
Commitment in the CRS model. Given a CRS generated by $G_B$, the commitment is perfectly binding; moreover, there exists a secret key such that the commitment is decryptable. Given a CRS generated by $G_H$, the commitment is perfectly hiding. The two CRSs are computationally indistinguishable.
Idea: in the real protocol, we use whichever mode is better for the application. While proving binding/hiding, we use the different modes. For the adversary, both modes look the same.
Elgamal-DMC for Group Elements
$\mathrm{Gen}(q, \mathbb{G}, g, \chi)$: generate $\delta, \gamma \leftarrow \mathbb{Z}_q$,
$\mathrm{crs} \leftarrow (g,\; h \leftarrow g^{\delta},\; G_2 \leftarrow g^{\gamma},\; G_1 \leftarrow g^{\delta\gamma - \chi} = h^{\gamma}/g^{\chi})$, which is a DDH tuple iff $\chi = 0$
$(g, h)$ is an Elgamal public key, $\delta$ is the Elgamal secret key
$G_B(q, \mathbb{G}, g) := \mathrm{Gen}(q, \mathbb{G}, g, \chi = 0)$ // Binding
$G_H(q, \mathbb{G}, g) := \mathrm{Gen}(q, \mathbb{G}, g, \chi = 1)$ // Hiding
Commitment $\mathrm{Com}_{\mathrm{crs}}(m; \cdot, \cdot)$: given $\mathrm{crs} = (g, h, G_2, G_1)$ and $m \in \mathbb{G}$, generate $r, t \leftarrow \mathbb{Z}_q$,
$\mathrm{Com}_{\mathrm{crs}}(m; r, t) := (m \cdot h^{r} G_1^{t},\; g^{r} G_2^{t})$
Elgamal-DMC: CRS Indistinguishability
Binding CRS: $(g, g^{\delta}, g^{\gamma}, g^{\delta\gamma})$, a DDH tuple
Hiding CRS: $(g, g^{\delta}, g^{\gamma}, g^{\delta\gamma - 1})$, not a DDH tuple
Indistinguishable under the DDH assumption: both CRSs are indistinguishable from $(g, g^{\delta}, g^{\gamma}, g^{\mathbb{Z}_q})$ (last element uniformly random), thus also from each other
Elgamal-DMC: Security of GB Mode
CRS: $(g, h = g^{\delta}, g^{\gamma}, h^{\gamma})$
Commitment: given $\mathrm{crs} = (g, h, G_2, G_1)$ and $m \in \mathbb{G}$, generate $r, t \leftarrow \mathbb{Z}_q$,
$\mathrm{Com}_{\mathrm{crs}}(m; r, t) = (m \cdot h^{r} G_1^{t},\; g^{r} G_2^{t})$
$\mathrm{Com} = (C_1, C_2) = (m \cdot g^{(r + t\gamma)\delta},\; g^{r + t\gamma})$
Perfect binding: decryption $C_1 / C_2^{\delta} = m$. The commitment can be uniquely decrypted, hence it is perfectly binding
Computational hiding: follows from perfect hiding in $G_H$ mode and the indistinguishability of the CRSs
Elgamal-DMC: Security of GH Mode
CRS: $(g, g^{\delta}, g^{\gamma}, g^{\delta\gamma - 1})$
Commitment: $\mathrm{Com}_{\mathrm{crs}}(m; r, t) = (m \cdot h^{r} G_1^{t},\; g^{r} G_2^{t})$
$\mathrm{Com} = (C_1, C_2) = (m \cdot g^{r\delta + t(\delta\gamma - 1)},\; g^{r + t\gamma})$
Perfect hiding: $C_1$ and $C_2$ are both uniformly random, and also independent:
$\Pr_{r,t}[r\delta + t(\delta\gamma - 1) = a \mid r + t\gamma = b] = \Pr_{r,t}[(b - t\gamma)\delta + t(\delta\gamma - 1) = a] = \Pr_{t}[b\delta - t = a] = 1/q$
Computational binding: follows from perfect binding in $G_B$ mode and the indistinguishability of the CRSs
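The Elgamal-DMC of the last three slides in running form (added example, not the lecture's code): binding mode decrypts with $\delta$, hiding mode does not determine $m$. It goes one step beyond the slides by also showing the equivocation that the perfect-hiding argument implies when $\gamma$ is known: since $G_1 = h^{\gamma}/g$, $\mathrm{Com}(m; r, t) = \mathrm{Com}(mg; r - \gamma, t + 1)$. The toy group $p = 2039$, $q = 1019$, $g = 4$ is an assumption of the example.

```python
"""Elgamal-based dual-mode commitment (Elgamal-DMC).  Added example, not the
lecture's code.  Toy group p = 2039, q = 1019, g = 4 (order q), constructed for
the example; never use such parameters for real."""

P, Q, G = 2039, 1019, 4


def inv(x):
    return pow(x, P - 2, P)


def gen(delta, gamma, chi):
    """Gen(q, G, g, chi): crs = (g, h = g^delta, G2 = g^gamma, G1 = g^(delta*gamma - chi)).
    chi = 0 is G_B (DDH tuple, binding); chi = 1 is G_H (hiding)."""
    h = pow(G, delta, P)
    g2 = pow(G, gamma, P)
    g1 = pow(G, (delta * gamma - chi) % Q, P)
    return (G, h, g2, g1)


def commit(crs, m, r, t):
    """Com_crs(m; r, t) = (m * h^r * G1^t, g^r * G2^t) for a group element m."""
    g, h, g2, g1 = crs
    return (m * pow(h, r, P) * pow(g1, t, P) % P,
            pow(g, r, P) * pow(g2, t, P) % P)


def decrypt(delta, com):
    """Binding mode: C1 / C2^delta = m.  In hiding mode the same formula yields
    m * g^(-t): every m is consistent with the commitment."""
    c1, c2 = com
    return c1 * inv(pow(c2, delta, P)) % P


def crs_is_ddh(crs, delta):
    """Whoever knows delta tells the modes apart (G1 == G2^delta iff chi = 0);
    without delta this is exactly the DDH problem."""
    g, h, g2, g1 = crs
    return g1 == pow(g2, delta, P)


def equivocate(gamma, m, r, t):
    """Hiding-mode trapdoor opening: with G1 = h^gamma / g,
    Com(m; r, t) == Com(m*g; r - gamma, t + 1).  Returns (m', r', t')."""
    return (m * G % P, (r - gamma) % Q, t + 1)
```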
Linear (BBS) Cryptosystem
Bilinear group $\mathrm{gk} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e)$, $\mathbb{G}_i = \langle g_i \rangle$
$G(1^{\kappa}, \mathrm{gk}, i)$: let $\delta_1, \delta_2 \leftarrow (\mathbb{Z}_q^{*})^2$; let $\mathrm{pk} \leftarrow (f_i = g_i^{1/\delta_1},\; h_i = g_i^{1/\delta_2})$
Encryption of $m \in \mathbb{G}_i$: generate random $r, s \leftarrow \mathbb{Z}_q$; compute $E_{\mathrm{pk}}(m; r, s) \leftarrow (m g_i^{r+s},\; f_i^{r},\; h_i^{s}) \in \mathbb{G}_i^3$
Decryption of $c = (c_1, c_2, c_3) \in \mathbb{G}_i^3$: set $D_{\delta}(c_1, c_2, c_3) \leftarrow c_1 / (c_2^{\delta_1} c_3^{\delta_2})$
(Security based on the DLIN assumption. Reminder from Lecture 6)
BBS-Based DMC for Group Elements
Bilinear group $\mathrm{gk} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e)$, $\mathbb{G}_i = \langle g_i \rangle$
$G(1^{\kappa}, \mathrm{gk}, i)$: let $\delta_1, \delta_2 \leftarrow (\mathbb{Z}_q^{*})^2$; let $\mathrm{pk} \leftarrow (f_i = g_i^{1/\delta_1},\; h_i = g_i^{1/\delta_2})$; let $\gamma_1, \gamma_2 \leftarrow \mathbb{Z}_q$;
let $(G_1, G_2, G_3) \leftarrow (g_i^{\gamma_1 + \gamma_2 - \chi},\; f_i^{\gamma_1},\; h_i^{\gamma_2})$
Commitment of $m \in \mathbb{G}_i$: generate random $r, s, t \leftarrow \mathbb{Z}_q$; compute $E_{\mathrm{pk}}(m; r, s, t) \leftarrow (m g_i^{r+s} G_1^{t},\; f_i^{r} G_2^{t},\; h_i^{s} G_3^{t}) \in \mathbb{G}_i^3$
Security proven as in the case of Elgamal-DMC. Based on the DLIN assumption
BBS-Based DMC for Exponents
Bilinear group $\mathrm{gk} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e)$, $\mathbb{G}_i = \langle g_i \rangle$
$G(1^{\kappa}, \mathrm{gk}, i)$: let $\delta_1, \delta_2 \leftarrow (\mathbb{Z}_q^{*})^2$ and $\mathrm{pk} \leftarrow (f_i = g_i^{1/\delta_1},\; h_i = g_i^{1/\delta_2})$.
Let $\gamma_1, \gamma_2 \leftarrow \mathbb{Z}_q$. Let $(E_1, E_2, E_3) \leftarrow (g_i^{\gamma_1 + \gamma_2 + 1 - \chi},\; f_i^{\gamma_1},\; h_i^{\gamma_2})$
Commitment of $m \in \mathbb{Z}_q$: generate random $r, s \leftarrow \mathbb{Z}_q$; compute $\mathrm{Com}(m; r, s) \leftarrow (g_i^{r+s} E_1^{m},\; f_i^{r} E_2^{m},\; h_i^{s} E_3^{m}) \in \mathbb{G}_i^3$
Based on the DLIN assumption. If $\chi = 1$ then $\vec E$ is a random encryption of 1 (thus perfectly hiding). If $\chi = 0$ then $(g_i, f_i, 1)$, $(g_i, 1, h_i)$, $(E_1, E_2, E_3)$ form a basis of $\mathbb{G}_i^3$, and thus $g_i^{m}$ is their linear combination.
The choice of commitment scheme comes from later applications: we need the fact that if $\chi = 1$ then $\vec E = \mathrm{Com}(1; 0, 0) = \mathrm{Com}(0; \gamma_1, \gamma_2)$ is a trapdoor commitment
Groth-Sahai Proofs
NIZK proofs in the CRS model for a large class of practical languages: relations between committed values $X_i$, $Y_i$ and some constants
Committed values can be either group elements or exponents
Different instantiations based on concrete security assumptions: SXDH, DLIN, ...
Commitment schemes and proof details depend on the assumption; the general idea does not change
We will use the DLIN-based setting
Groth-Sahai Proofs
E.g.: prove that you have committed to $X_i$, $Y_i$ such that
$\prod_{i=1}^{n} e(A_i, Y_i) \cdot \prod_{i=1}^{n} \prod_{j=1}^{n} e(X_i, Y_j)^{a_{ij}} = t_T$
where $X_i \in \mathbb{G}_1$, $Y_i \in \mathbb{G}_2$ are variables and the rest are constants, or
$\prod_{i=1}^{m} A_i^{y_i} \cdot \prod_{j=1}^{n} X_j^{b_j} \cdot \prod_{i=1}^{m} \prod_{j=1}^{n} X_j^{y_i \gamma_{ij}} = T$
where $X_j \in \mathbb{G}_1$, $y_i \in \mathbb{Z}_p$ are variables and the rest are constants.
Groth-Sahai Proof for $\prod_{i=1}^{n} A_i^{x_i} = T$
Assume $A_i \in \mathbb{G}_1$, $T \in \mathbb{G}_1$
CRS: $(\mathrm{gk}; g_2, f_2, h_2, E_1, E_2, E_3)$
$\vec C_i := \mathrm{Com}(x_i; r_{i1}, r_{i2}) = (g_2^{r_{i1} + r_{i2}} E_1^{x_i},\; f_2^{r_{i1}} E_2^{x_i},\; h_2^{r_{i2}} E_3^{x_i}) \in \mathbb{G}_2^3$
The Groth-Sahai proof for $\prod_{i=1}^{n} A_i^{x_i} = T$ is $(\pi_1, \pi_2) := (\prod A_i^{r_{i1}},\; \prod A_i^{r_{i2}})$
The verifier checks that
$\prod e(A_i, C_{i1}) = e(\pi_1 \pi_2, g_2) \cdot e(T, E_1)$
$\prod e(A_i, C_{i2}) = e(\pi_1, f_2) \cdot e(T, E_2)$
$\prod e(A_i, C_{i3}) = e(\pi_2, h_2) \cdot e(T, E_3)$
Prover: $2n$ exponentiations. Verifier: $3n + 6$ pairings. Communication: 2 group elements
Explanation
The proof "maps" the bilinear map $f(a, b) = a^{b}$ to the bilinear map $F(\vec A, \vec B) = (e(A_1, B_1), e(A_2, B_2), e(A_3, B_3))$ in another algebraic domain
$(\pi_1, \pi_2)$ compensates for the fact that the commitments are randomized
Input relation: $\prod A_i^{x_i} = T$, or $\prod f(A_i, x_i) = f(T, 1)$
Verifier checks: $\left(\prod e(A_i, C_{i1}),\; \prod e(A_i, C_{i2}),\; \prod e(A_i, C_{i3})\right) = \left(e(\pi_1\pi_2, g_2)\, e(T, E_1),\; e(\pi_1, f_2)\, e(T, E_2),\; e(\pi_2, h_2)\, e(T, E_3)\right)$,
or $\prod F((A_i, A_i, A_i), \mathrm{Com}(x_i)) = F((\pi_1\pi_2, \pi_1, \pi_2), (g_2, f_2, h_2)) \cdot F((T, T, T), \mathrm{Com}(1))$
Completeness
$\vec C_i := \mathrm{Com}(x_i; r_{i1}, r_{i2}) = (g_2^{r_{i1} + r_{i2}} E_1^{x_i},\; f_2^{r_{i1}} E_2^{x_i},\; h_2^{r_{i2}} E_3^{x_i}) \in \mathbb{G}_2^3$
$(\pi_1, \pi_2) := (\prod A_i^{r_{i1}},\; \prod A_i^{r_{i2}})$
First verification equation:
$\prod e(A_i, C_{i1}) = \prod e(A_i, g_2^{r_{i1} + r_{i2}} E_1^{x_i}) = \prod e(A_i, g_2^{r_{i1}})\, e(A_i, g_2^{r_{i2}})\, e(A_i, E_1^{x_i}) = \prod e(A_i^{r_{i1}}, g_2)\, e(A_i^{r_{i2}}, g_2)\, e(A_i^{x_i}, E_1) = e(\prod A_i^{r_{i1}}, g_2)\, e(\prod A_i^{r_{i2}}, g_2)\, e(\prod A_i^{x_i}, E_1) = e(\pi_1, g_2)\, e(\pi_2, g_2)\, e(T, E_1) = e(\pi_1\pi_2, g_2)\, e(T, E_1)$
The other verification equations are similar
Soundness
Assume we work in the soundness setting ($G_B$):
$(E_1, E_2, E_3) = (g_2^{\gamma_1 + \gamma_2 + 1},\; f_2^{\gamma_1},\; h_2^{\gamma_2})$ for some $\gamma_i$
$A_{\mathrm{dlin}}$ forwards $\mathrm{crs} = (g_1, g_2, f_2, h_2, E_1, E_2, E_3)$ to $A_s$
Assume $A_s$ produces $n$ commitments $\vec C_i$ and an accepting proof $(\pi_1, \pi_2)$
Soundness
Assume $A_i = g_1^{a_i}$, $T = g_1^{\tau}$, $(\pi_1, \pi_2) = (g_1^{s_1}, g_1^{s_2})$, $\mathrm{Com}(x_i) = (g_2^{r_{i1} + r_{i2}} E_1^{x_i},\; f_2^{r_{i1}} E_2^{x_i},\; h_2^{r_{i2}} E_3^{x_i})$
From the first verification $\prod e(A_i, C_{i1}) = e(\pi_1\pi_2, g_2)\, e(T, E_1)$:
$\prod e(g_1^{a_i}, g_2^{r_{i1} + r_{i2}} E_1^{x_i}) = e(g_1^{s_1 + s_2}, g_2)\, e(g_1^{\tau}, g_2^{\gamma_1 + \gamma_2 + 1})$
Working with DL: $\sum a_i (r_{i1} + r_{i2} + x_i(\gamma_1 + \gamma_2 + 1)) = (s_1 + s_2) + (\gamma_1 + \gamma_2 + 1)\tau$
Soundness
From the first verification: $\sum a_i (r_{i1} + r_{i2} + x_i(\gamma_1 + \gamma_2 + 1)) = (s_1 + s_2) + (\gamma_1 + \gamma_2 + 1)\tau$
From the second and the third verification: $\sum a_i (r_{i1} + x_i \gamma_1) = s_1 + \gamma_1 \tau$ and $\sum a_i (r_{i2} + x_i \gamma_2) = s_2 + \gamma_2 \tau$
First $-$ second $-$ third gives $\sum a_i x_i = \tau$, thus $\prod A_i^{x_i} = T$
Thus, perfect soundness. With $G_H$: computational soundness under DLIN
Zero Knowledge
Assume that $\chi = 1$
Let $\mathrm{gk} \leftarrow G_{BP}(1^{\kappa})$
The simulator $S_1(\mathrm{gk})$ constructs $\mathrm{crs} \leftarrow (g_1, g_2, f_1, f_2, h_1, h_2, \vec E)$ together with a trapdoor $\mathrm{td} \leftarrow (\gamma_1, \gamma_2, \delta_1, \delta_2)$, where
$f_i = g_i^{1/\delta_1}$, $h_i = g_i^{1/\delta_2}$, $\vec E = (g_2^{\gamma_1 + \gamma_2},\; f_2^{\gamma_1},\; h_2^{\gamma_2})$
Zero Knowledge
Clearly, $(E_1, E_2, E_3) = (g_2^{\gamma_1 + \gamma_2},\; f_2^{\gamma_1},\; h_2^{\gamma_2}) = \mathrm{Com}(1; 0, 0) = \mathrm{Com}(0; \gamma_1, \gamma_2)$.
The prover can only open $\vec E$ as a commitment to 1
The simulator, knowing $\mathrm{td} = (\gamma_1, \gamma_2, \ldots)$, can also open $\vec E$ as a commitment to 0
$\prod A_i^{x_i} = T$ can be seen as a proof of $\prod A_i^{x_i} \cdot T^{-\zeta} = 1$, where $\vec E$ is a commitment to $\zeta$
The prover chooses the $x_i$ correctly and sets $\zeta = 1$. In the simulation, $x_i = \zeta = 0$:
$\vec C_i \leftarrow \mathrm{Com}(0; r_{i1}, r_{i2}) = (g_2^{r_{i1} + r_{i2}},\; f_2^{r_{i1}},\; h_2^{r_{i2}})$
The prover cannot choose $\zeta = 0$, since she does not know the trapdoor
Zero Knowledge
$\prod A_i^{x_i} = T$: the 2nd verification equation is $\prod e(A_i, C_{i2}) = e(\pi_1, f_2) \cdot e(T, E_2)$
$\prod A_i^{x_i} \cdot T^{-\zeta} = 1$: $\prod e(A_i, C_{i2}) \cdot e(T^{-1}, E_2) = e(\pi_1^{*}, f_2) \cdot e(1, E_2)$, where the factor $e(1, E_2)$ is trivial and is struck out.
But $\prod e(A_i, C_{i2}) \cdot e(T^{-1}, E_2) = \prod e(A_i, f_2^{r_{i1}}) \cdot e(T^{-1}, f_2^{\gamma_1}) = \prod e(A_i^{r_{i1}}, f_2) \cdot e(T^{-\gamma_1}, f_2) = e(\underbrace{\textstyle\prod A_i^{r_{i1}} \cdot T^{-\gamma_1}}_{=: \pi_1^{*}}, f_2)$.
The simulator sets $\pi_1^{*} := \prod_{i=1}^{n} A_i^{r_{i1}} \cdot T^{-\gamma_1}$
Clearly, $\prod_{i=1}^{n} e(A_i, C_{i2}) = e(\pi_1^{*}, f_2) \cdot e(T, E_2)$
Analogously, $\pi_2^{*} := \prod_{i=1}^{n} A_i^{r_{i2}} \cdot T^{-\gamma_2}$
The simulated proof is $(\pi_1^{*}, \pi_2^{*})$
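The whole proof system for $\prod_{i=1}^{n} A_i^{x_i} = T$ (prover, the three verification equations, and the simulator of the last slides) as an added example; it is not the lecture's code. It runs in the "working with DL" view of the soundness slides: every group element is represented by its discrete log in $\mathbb{Z}_q$, so group multiplication, exponentiation and the pairing become field operations, and the three helper functions are where a real pairing library would go. The toy prime $q = 1019$ and all sample values are constructed.

```python
"""Groth-Sahai proof for prod_i A_i^{x_i} = T in the DLIN setting of the slides.
Added example, not the lecture's code.  Every group element is stored as its
discrete log mod Q (a constructed toy prime), so the helpers below are field
operations; a real implementation backs them with a pairing library."""
Q = 1019


def mul(a, b):  return (a + b) % Q      # group multiplication
def expo(a, k): return (a * k) % Q      # exponentiation a^k
def pair(a, b): return (a * b) % Q      # e(g1^a, g2^b) = e(g1, g2)^(a*b)
def inv(k):     return pow(k, Q - 2, Q)  # inverse in Z_Q


def make_crs(delta1, delta2, gamma1, gamma2, chi):
    """crs = (g2, f2, h2, E): f2 = g2^(1/delta1), h2 = g2^(1/delta2),
    E = (g2^(gamma1+gamma2+1-chi), f2^gamma1, h2^gamma2); chi = 0 binding, 1 hiding."""
    g2, f2, h2 = 1, inv(delta1), inv(delta2)
    E = (expo(g2, gamma1 + gamma2 + 1 - chi), expo(f2, gamma1), expo(h2, gamma2))
    return (g2, f2, h2, E)


def commit(crs, x, r1, r2):
    """Com(x; r1, r2) = (g2^(r1+r2) E1^x, f2^r1 E2^x, h2^r2 E3^x)."""
    g2, f2, h2, E = crs
    return (mul(expo(g2, r1 + r2), expo(E[0], x)),
            mul(expo(f2, r1), expo(E[1], x)),
            mul(expo(h2, r2), expo(E[2], x)))


def statement(A, x):
    """T = prod A_i^{x_i}: the true statement for witness x."""
    T = 0
    for a, xi in zip(A, x):
        T = mul(T, expo(a, xi))
    return T


def prove(A, R):
    """(pi1, pi2) = (prod A_i^{r_i1}, prod A_i^{r_i2}); x is used only in commit()."""
    pi1 = pi2 = 0
    for a, (r1, r2) in zip(A, R):
        pi1, pi2 = mul(pi1, expo(a, r1)), mul(pi2, expo(a, r2))
    return (pi1, pi2)


def verify(crs, A, C, T, proof):
    """The slide's three verification equations; all must hold."""
    g2, f2, h2, E = crs
    pi1, pi2 = proof
    lhs = [0, 0, 0]
    for a, c in zip(A, C):
        for j in range(3):
            lhs[j] = mul(lhs[j], pair(a, c[j]))
    return (lhs[0] == mul(pair(mul(pi1, pi2), g2), pair(T, E[0]))
            and lhs[1] == mul(pair(pi1, f2), pair(T, E[1]))
            and lhs[2] == mul(pair(pi2, h2), pair(T, E[2])))


def simulate(crs, gamma1, gamma2, A, T, R):
    """ZK simulator: commit to x_i = 0, set pi_j* = prod A_i^{r_ij} * T^(-gamma_j).
    Verifies only under a hiding CRS (chi = 1), where E = Com(0; gamma1, gamma2)."""
    C = [commit(crs, 0, r1, r2) for (r1, r2) in R]
    pi1, pi2 = prove(A, R)
    return C, (mul(pi1, expo(T, -gamma1)), mul(pi2, expo(T, -gamma2)))
```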
Example
$(D_{11}, D_{12}, D_{13}) = \mathrm{Com}(m; s_1, s_2) \wedge (D_{21}, D_{22}, D_{23}) = \mathrm{Com}(r; t_1, t_2) \wedge C_1 = g_1^{m} h_1^{r} \wedge C_2 = g_1^{r}$?
$g_1^{m} h_1^{r} = C_1$:
$(\pi_1, \pi_2) \leftarrow (g_1^{s_1} h_1^{t_1},\; g_1^{s_2} h_1^{t_2})$
Verification: $e(g_1, D_{11})\, e(h_1, D_{21}) = e(\pi_1\pi_2, g_2)\, e(C_1, E_1)$, $e(g_1, D_{12})\, e(h_1, D_{22}) = e(\pi_1, f_2)\, e(C_1, E_2)$, $e(g_1, D_{13})\, e(h_1, D_{23}) = e(\pi_2, h_2)\, e(C_1, E_3)$
$g_1^{r} = C_2$:
$(\pi_1^{*}, \pi_2^{*}) \leftarrow (g_1^{t_1},\; g_1^{t_2})$
Verification: $e(g_1, D_{21}) = e(\pi_1^{*}\pi_2^{*}, g_2)\, e(C_2, E_1)$, $e(g_1, D_{22}) = e(\pi_1^{*}, f_2)\, e(C_2, E_2)$, $e(g_1, D_{23}) = e(\pi_2^{*}, h_2)\, e(C_2, E_3)$
Full proof: $(\pi_1, \pi_2, \pi_1^{*}, \pi_2^{*})$; verify both proofs
Comparison with Fiat-Shamir Heuristic
Good: no random oracles
Bad: less efficient. Verification on the last slide: 21 pairings. Verification of a Σ-protocol: just a few exponentiations
But:
Σ-protocol: $PK((m, r) : C_1 = g_1^{m} h_1^{r} \wedge C_2 = g_1^{r})$
Here: $PK((m, r, s_1, s_2, t_1, t_2) : \vec D_1 = \mathrm{Com}(m; s_1, s_2) \wedge \vec D_2 = \mathrm{Com}(r; t_1, t_2) \wedge C_1 = g_1^{m} h_1^{r} \wedge C_2 = g_1^{r})$
More complicated statement! But not too much more: a Σ-protocol for the last statement is still more efficient than GS...
Note: that example was a particularly bad case (small $n$). With large $n$, the situation is better
Proof-of-Knowledge?
Assume $\chi = 0$ // Binding mode
$f_2 = g_2^{1/\delta_1}$, $h_2 = g_2^{1/\delta_2}$, $\vec E = (g_2^{\gamma_1 + \gamma_2 + 1},\; f_2^{\gamma_1},\; h_2^{\gamma_2})$
$\vec C_i = \mathrm{Com}(x_i; r_1, r_2) = (g_2^{r_1 + r_2} E_1^{x_i},\; f_2^{r_1} E_2^{x_i},\; h_2^{r_2} E_3^{x_i})$
$\vec C_i = (g_2^{r_1 + r_2 + (\gamma_1 + \gamma_2 + 1) x_i},\; f_2^{r_1 + \gamma_1 x_i},\; h_2^{r_2 + \gamma_2 x_i})$
$C_1 / (C_2^{\delta_1} C_3^{\delta_2}) = g_2^{x_i}$
One can extract $g_2^{x_i}$ (but not $x_i$ itself if it is large)
Kind of a POK, but not really. For a real POK one needs to guarantee that $x_i$ is small: commit to the bits separately and use range proofs
If $\chi = 1$: perfect hiding, not extractable
Groth-Sahai for $\prod X_i^{y_i} = T$
Assume $X_i$ and $y_i$ are both committed
$f_i = g_i^{1/\delta_1}$, $h_i = g_i^{1/\delta_2}$
$(G_1, G_2, G_3) = (g_1^{\gamma_1 + \gamma_2 - \chi},\; f_1^{\gamma_1},\; h_1^{\gamma_2})$
$c_i = \mathrm{Com}(X_i) = (X_i g_1^{R_{i1} + R_{i2}} G_1^{R_{i3}},\; f_1^{R_{i1}} G_2^{R_{i3}},\; h_1^{R_{i2}} G_3^{R_{i3}})$
$(E_1, E_2, E_3) = (g_2^{\gamma_1^{*} + \gamma_2^{*} + 1 - \chi},\; f_2^{\gamma_1^{*}},\; h_2^{\gamma_2^{*}})$
$d_i = \mathrm{Com}(y_i) = (g_2^{S_{i1} + S_{i2}} E_1^{y_i},\; f_2^{S_{i1}} E_2^{y_i},\; h_2^{S_{i2}} E_3^{y_i})$
The proof for $\prod A_i^{x_i} = T$ included 3-dimensional vectors since the commitments are 3-dimensional. The current proof includes $3 \times 3$ matrices: 1 element for every pair $(c_{ij}, d_{ik})$
Brief Idea
Write
$\vec c \bullet \vec d := \begin{pmatrix} \prod e(c_{i1}, d_{i1}) & \prod e(c_{i1}, d_{i2}) & \prod e(c_{i1}, d_{i3}) \\ \prod e(c_{i2}, d_{i1}) & \prod e(c_{i2}, d_{i2}) & \prod e(c_{i2}, d_{i3}) \\ \prod e(c_{i3}, d_{i1}) & \prod e(c_{i3}, d_{i2}) & \prod e(c_{i3}, d_{i3}) \end{pmatrix}$
("bilinear operation" with commitments)
Construct a proof $\Pi$ that compensates for the randomness in the definition of the commitments
Booooring Details
The proof is $(\vec\pi, \vec\psi, \vec\theta)$, where (writing $E_{2k}$ for $E_k \in \mathbb{G}_2$)
$\begin{pmatrix} \pi_{11} & \pi_{12} & \pi_{13} \\ \pi_{21} & \pi_{22} & \pi_{23} \end{pmatrix} \leftarrow \begin{pmatrix} E_{21}^{\sum R_{i1} y_i} & E_{22}^{\sum R_{i1} y_i} & E_{23}^{\sum R_{i1} y_i} \\ E_{21}^{\sum R_{i2} y_i} & E_{22}^{\sum R_{i2} y_i} & E_{23}^{\sum R_{i2} y_i} \end{pmatrix}$,
$\begin{pmatrix} \psi_1 \\ \psi_2 \\ \psi_3 \end{pmatrix} \leftarrow \begin{pmatrix} G_1^{\sum R_{i3} y_i} \\ G_2^{\sum R_{i3} y_i} \\ G_3^{\sum R_{i3} y_i} \end{pmatrix}$,
$\begin{pmatrix} \theta_{11} & \theta_{12} \\ \theta_{21} & \theta_{22} \\ \theta_{31} & \theta_{32} \end{pmatrix} \leftarrow \begin{pmatrix} f_1^{\sum R_{i1} S_{i1}} G_1^{\sum R_{i3} S_{i1}} & f_1^{\sum R_{i1} S_{i2}} G_1^{\sum R_{i3} S_{i2}} \\ f_1^{\sum R_{i2} S_{i1}} G_1^{\sum R_{i3} S_{i1}} & f_1^{\sum R_{i2} S_{i2}} G_1^{\sum R_{i3} S_{i2}} \\ \prod X_i^{S_{i1}} \cdot f_1^{\sum (R_{i1} + R_{i2}) S_{i1}} G_1^{\sum R_{i3} S_{i1}} & \prod X_i^{S_{i2}} \cdot f_1^{\sum (R_{i1} + R_{i2}) S_{i2}} G_1^{\sum R_{i3} S_{i2}} \end{pmatrix}$
The verification equation is
$\begin{pmatrix} \prod e(c_{i1}, d_{i1}) & \prod e(c_{i1}, d_{i2}) & \prod e(c_{i1}, d_{i3}) \\ \prod e(c_{i2}, d_{i1}) & \prod e(c_{i2}, d_{i2}) & \prod e(c_{i2}, d_{i3}) \\ \prod e(c_{i3}, d_{i1}) & \prod e(c_{i3}, d_{i2}) & \prod e(c_{i3}, d_{i3}) \end{pmatrix} \overset{?}{=} \begin{pmatrix} e(f_1, \pi_{11}) & e(f_1, \pi_{12}) & e(f_1, \pi_{13}) \\ e(h_1, \pi_{21}) & e(h_1, \pi_{22}) & e(h_1, \pi_{23}) \\ e(g_1, \pi_{11}\pi_{21}) & e(g_1, \pi_{12}\pi_{22}) & e(g_1, \pi_{13}\pi_{23}) \end{pmatrix} \circ \begin{pmatrix} e(\psi_1, E_{21}) & e(\psi_1, E_{22}) & e(\psi_1, E_{23}) \\ e(\psi_2, E_{21}) & e(\psi_2, E_{22}) & e(\psi_2, E_{23}) \\ e(\psi_3, E_{21}) & e(\psi_3, E_{22}) & e(\psi_3, E_{23}) \end{pmatrix} \circ \begin{pmatrix} e(\theta_{11}, f_2) & e(\theta_{12}, h_2) & e(\theta_{11}\theta_{12}, g_2) \\ e(\theta_{21}, f_2) & e(\theta_{22}, h_2) & e(\theta_{21}\theta_{22}, g_2) \\ e(\theta_{31}, f_2) & e(\theta_{32}, h_2) & e(\theta_{31}\theta_{32}, g_2) \end{pmatrix}$
(with $\circ$ the entrywise product)
The prover needs to do $2n + 15$ exponentiations, the verifier needs to do $9n + 27$ pairings and $9n - 9$ multiplications in $\mathbb{G}_T$. The proof itself consists of 15 group elements.
Why This Is Interesting: Typical Goals
The committed elements satisfy requirement X:
$c_1 = \mathrm{Com}(X)$, $d_2 = \mathrm{Com}(y)$, $X \cdot (1/2)^{y} = 1$
$c_1 = \mathrm{Com}(X)$, $c_2 = \mathrm{Com}(r)$, $c_3 = \mathrm{Com}(s)$, $c_4 = \mathrm{Com}(t)$, $(c_5, c_6, c_7) = (X g_2^{r+s} G_1^{t},\; f_2^{r} G_2^{t},\; h_2^{s} G_3^{t})$
$c = \mathrm{Enc}(x)$, $c_2 = \mathrm{Com}(x)$
...
Especially interesting since a lot of different primitives are based on pairings
GS proofs provide a natural way to check that one uses those primitives correctly in the protocol
Example: E-voting
Voter encrypted $B_i = \mathrm{Enc}(g^{y_i})$ and needs to prove $y_i \in \{0, 1\}$
$y_i \in \{0, 1\}$ iff $y_i^2 = y_i$
$e(g_1^{y_i}, g_2^{y_i}) = e(g_1, g_2)^{y_i^2} = e(g_1, g_2)^{y_i} = e(g_1^{y_i}, g_2)$
We will use GS proofs for $\prod e(X_i, Y_j)^{a_{ij}} = T$
Prove that $C = \mathrm{Com}(y_i) \wedge e(g_1^{y_i}, g_2^{y_i})\, e(g_1^{y_i}, g_2^{-1}) = 1$
To show that $y_i \in \{0, \ldots, \gamma - 1\}$ for $\gamma > 2$, one can use generic range proof techniques
It is tedious but straightforward to write down the corresponding statement for GS proofs
Example: Set Membership
Assume Alice has secret key $s$ and has sent signatures on $a \in A$, for some set $A$, to Bob
Bob sends to Alice $C$ together with a GS proof of $C = \mathrm{Com}(m) \wedge D = \mathrm{Com}(S) \wedge S = \mathrm{Sign}_s(m)$
Boneh-Boyen signature [Boneh and Boyen, 2004]: for secret key $s$ and public key $p = g_2^{s}$, $\mathrm{Sign}_s(m) = g_1^{1/(s + m)}$
Verification: $e(S, g_2) \overset{?}{=} e(g_1, p \cdot g_2^{m})$
Since Bob cannot sign himself, this convinces Alice that $C$ commits to some element from $A$. Alice will not see $m$ or $S$
"Set membership" [Camenisch et al., 2008]: constructed a Σ-protocol (+ Fiat-Shamir heuristic)
GS proof is better: no RO, more natural (both BB and GS are pairing-based) [Rial et al., 2009]
Lecture 14. Sublinear ZK
Some words about sublinear ZK [Groth, 2010,Lipmaa, 2012, Lipmaa and Zhang, 2012].
Sublinear ZK: Motivation
Reminder: Groth-Sahai proofs enable one to prove statements like $\prod_{i=1}^{n} A_i^{x_i} = T$ efficiently
Efficient: $\Theta(n)$ exponentiations (prover), $\Theta(n)$ pairings (verifier), $\Theta(n)$ communication
Such equations look highly parallelizable: SIMD
Can we somehow execute them in parallel, thus reducing some of the complexity parameters? Especially: can we reduce communication or the verifier's complexity?
Proved once, verified potentially many times
Parallel Machine Model
Assume three $n$-parallel instructions (all 1 time unit):
Parallel sum: $\vec a + \vec b = (a_1 + b_1, \ldots, a_n + b_n)$
Parallel product: $\vec a \circ \vec b = (a_1 b_1, \ldots, a_n b_n)$
Arbitrary permutation: $\varrho(\vec a) = \vec b$, where $b_i = a_{\varrho(i)}$
The first two instructions allow one to execute arbitrary SIMD instructions in parallel. The third instruction takes care of inter-processor communication
Well-known machine model, see [Pratt and Stockmeyer, 1976, Blelloch, 1990]
NIZK for Circuit-SAT
Circuit-SAT: NP-complete language. Given a circuit $C : \{0, 1\}^{n} \to \{0, 1\}$, does there exist an assignment $\vec x \in \{0, 1\}^{n}$ such that $C(\vec x) = 1$? Wlog, assume all gates are NAND gates
Idea of the NIZK argument for Circuit-SAT: commit to all inputs and wire values of the circuit; prove that all values are Boolean; prove that all gates are correctly followed; prove that the output is 1
With Groth-Sahai: complexity $\Theta(|C|)$. If using the parallel machine model, one can do it with communication $\Theta(1)$ [Groth, 2010, Lipmaa, 2012, Lipmaa and Zhang, 2012, Gennaro et al., 2012]
Circuit Description
The circuit has $n$ gates; every gate $i$ has inputs $L_i$ and $R_i$ and output $U_i$. $U_n$ is the output of the circuit
There are $2n + 1$ wires. Every wire, except one we denote by $R_{n+1}$, is equal to $L_i$ or $R_i$ for some $i \in [n]$
Every gate has at least one output wire $U_i$. There are $n + 1$ more wires $X_i$ that correspond to the inputs of the circuit and to multiple outputs
Denote $A = (L_1, \ldots, L_n, R_1, \ldots, R_n, R_{n+1})$, $B = (U_1, \ldots, U_n, X_1, \ldots, X_{n+1})$
[Figure: example circuit with gates 1, 2, 3 fed by inputs i1, i2, i3, i4, gates 4, 5 above them, and gate 6 producing "out"; wire labels $X_1 = L_1$, $X_2 = R_1$, $X_3 = L_2$, $X_4 = R_2$, $X_5 = L_3$, $X_6 = R_3$, $U_1 = L_4$, $U_2 = R_4$, $X_7 = L_5$, $U_3 = R_5$, $U_4 = L_6$, $U_5 = R_6$, $U_6 = R_7$]
Circuit Consistency
Circuit consistency will be given by two permutations $\xi$ and $\tau$
Input consistency permutation $\xi : [2n + 1] \to [2n + 1]$
For every $(A_{i_1}, \ldots, A_{i_t})$ that have to be equal, $\xi$ permutes $A_{i_1} \to \cdots \to A_{i_t} \to A_{i_1}$
For other input nodes $t$, $\xi(t) = t$
Clearly, the circuit is inconsistent if for some $j$, $A_{\xi(j)} \neq A_j$
[Figure: the example circuit of the previous slide, annotated with the input-consistency permutation $\xi$ as a table of wire $\to \xi(\text{wire})$ over $L_1, \ldots, L_6, R_1, \ldots, R_7$]
Circuit Consistency
Circuit consistency will be given by two permutations $\xi$ and $\tau$
Throughput consistency permutation $\tau : [2n + 1] \to [2n + 1]$
Every wire is both an input wire (is equal to some $A_i$) and an output wire (is equal to some $B_j$). Define $\tau(i) = j$
Clearly, the circuit is inconsistent if for some $j$, $A_{\tau^{-1}(j)} \neq B_j$
[Figure: the example circuit of the previous slides, annotated with the throughput-consistency permutation $\tau$]
Full Argument: Idea
Commit to $A$, $A' = (R_1, \ldots, R_n, L_1, \ldots, L_n, R_{n+1})$, $A'' = (R_1, \ldots, R_n, 0, \ldots, 0, R_{n+1})$, $B$ and $B' = (U_1, \ldots, U_n, 0, \ldots, 0)$
Check that all values are Boolean: $A \circ A = A$
Check that $A$ and $A'$ are consistent (permutation argument)
Check that $A'$ and $A''$ are consistent (product argument)
Check that $B$ and $B'$ are consistent (product argument)
Check that the NANDs are observed and $U_n = 1$: $A'' \circ A = (1_1, \ldots, 1_{n-1}, 2_n, 1_{n+1}, \ldots, 1_{2n+1}) - B'$
Check that $\xi$ is observed (permutation argument with $A, A$)
Check that $\tau$ is observed (permutation argument with $A, B$)
Implementation Details
Tuple commitment scheme: $\mathrm{Com}(a_1, \ldots, a_n; r)$ is $\Theta(1)$ group elements
$\mathrm{Com}(\vec a; r) = h^{r} \prod_{i=1}^{n} g_i^{a_i}$
Single secret key $x \in \mathbb{Z}_q$
$h = g$, $g_i = g^{x^{i}}$ [Groth, 2010]
$h = g$, $g_i = g^{x^{\lambda_i}}$ [Lipmaa, 2012]: better efficiency, if $(\lambda_i)$ is progression-free
$h = g^{\upsilon}$, $g_i = g^{x^{\lambda_i}}$ [Lipmaa and Zhang, 2012]: clearer exposition
Sum argument: $\mathrm{Com}(\vec a) \cdot \mathrm{Com}(\vec b) = \mathrm{Com}(\vec a + \vec b)$
Product argument: verify that $\vec c = \vec a \circ \vec b$
Permutation argument: verify that $\vec b = \varrho(\vec a)$
Product Argument: Briefly
Want: $\vec a \circ \vec b - \vec c \circ \vec 1 = \vec 0$ // homogeneous form
As in Groth-Sahai, transform this equation to a different domain:
bilinear operation $\circ$ to bilinear operation $\bullet$, $A \bullet B = e(A, B)$
vector $\vec a$ to commitment $\mathrm{Com}(\vec a; r_a)$
add a special term $\pi$ to compensate for the randomness
Verification equation: $e(g_1, \pi) = e(\mathrm{Com}(\vec a; r_a), \mathrm{Com}(\vec b; r_b)) / e(\mathrm{Com}(\vec c; r_c), \mathrm{Com}(\vec 1; 0))$
Prover: compute $\pi$ such that the verification holds
Product Argument: Some Details
$\log_{g_1} \mathrm{Com}(\vec a; r_a) = \log_{g_1}\left(g_1^{r_a} \cdot \prod g_1^{a_i x^{\lambda_i}}\right) = r_a + \sum a_i x^{\lambda_i}$
Verification equation after DL: $\log_{g_2} \pi = (r_a + \sum a_i x^{\lambda_i}) \cdot (r_b + \sum b_i x^{\lambda_i}) - (r_c + \sum c_i x^{\lambda_i}) \cdot (\sum x^{\lambda_i}) = F_{\mathrm{cond}}(x) + F_{\mathrm{arg}}(x)$,
where $F_{\mathrm{cond}}(x) := \sum (a_i b_i - c_i) x^{2\lambda_i}$ and $F_{\mathrm{arg}}(x)$ has $\Theta(\lambda_n - \lambda_1)$ monomials
If the prover is honest, $F_{\mathrm{cond}}(x) \equiv 0$
The prover proves that she knows how to represent $\log_{g_2} \pi$ as a polynomial of the type $F_{\mathrm{arg}}(x) = \alpha + \sum \beta_i x^{\lambda_i} + \sum_{i \neq j} \gamma_{ij} x^{\lambda_i + \lambda_j}$
Works if $\{2\lambda_i\} \cap (\{0\} \cup \{\lambda_i\} \cup \{\lambda_i + \lambda_j : i \neq j\}) = \emptyset$
Progression-free set: a set $\Lambda = \{\lambda_i\}$ that does not have progressions of length 3, i.e., $\{2\lambda_i\} \cap \{\lambda_i + \lambda_j : i \neq j\} = \emptyset$
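The polynomial identity behind the product argument, computed explicitly (added example, not the lecture's code): the discrete logs of the commitments are polynomials in the secret $x$, the verification polynomial is split into $F_{\mathrm{cond}}$ and $F_{\mathrm{arg}}$, and the admissibility condition on $\Lambda$ is checked. The toy prime $q = 1019$, the set $\Lambda = \{1, 3, 7, 9\}$ and the sample vectors are constructed for the example.

```python
"""Product argument of the slides, at the polynomial level.  Added example, not
the lecture's code.  Polynomials in x are dicts exponent -> coefficient mod Q,
Q a constructed toy prime; h = g as in the [Lipmaa, 2012] setting."""
Q = 1019


def com_log(vec, r, lam):
    """log Com(vec; r) = r + sum_i vec_i * x^{lambda_i}."""
    poly = {0: r % Q}
    for v, l in zip(vec, lam):
        poly[l] = (poly.get(l, 0) + v) % Q
    return poly


def poly_mul(p, q):
    out = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            out[e1 + e2] = (out.get(e1 + e2, 0) + c1 * c2) % Q
    return {e: c for e, c in out.items() if c}


def poly_sub(p, q):
    out = dict(p)
    for e, c in q.items():
        out[e] = (out.get(e, 0) - c) % Q
    return {e: c for e, c in out.items() if c}


def verification_poly(a, b, c, ra, rb, rc, lam):
    """log pi = (ra + sum a_i x^l_i)(rb + sum b_i x^l_i) - (rc + sum c_i x^l_i)(sum x^l_i)."""
    ones = [1] * len(lam)
    return poly_sub(poly_mul(com_log(a, ra, lam), com_log(b, rb, lam)),
                    poly_mul(com_log(c, rc, lam), com_log(ones, 0, lam)))


def split(F, lam):
    """F = F_cond + F_arg, where F_cond holds exactly the x^{2 lambda_i} monomials."""
    cond = {2 * l: F[2 * l] for l in lam if 2 * l in F}
    arg = {e: c for e, c in F.items() if e not in cond}
    return cond, arg


def admissible(lam):
    """{2 l_i} disjoint from {0} u {l_i} u {l_i + l_j : i != j}; the last
    part is exactly 3-term progression-freeness of Lambda."""
    doubles = {2 * l for l in lam}
    sums = {li + lj for i, li in enumerate(lam) for j, lj in enumerate(lam) if i != j}
    return doubles.isdisjoint({0} | set(lam) | sums)


def product_holds(a, b, c, ra, rb, rc, lam):
    """For admissible lam: c == a o b  iff  F_cond == 0, whatever ra, rb, rc are."""
    cond, _ = split(verification_poly(a, b, c, ra, rb, rc, lam), lam)
    return not cond
```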