Isolated PoK and Isolated ZK (Ivan Damgård)

Isolated PoK and Isolated ZK
Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs

Proofs of Knowledge (Review)
Language L in NP. Instance x. Witness w.
[Diagram: Prover (x, w), Verifier (x); Verifier outputs Accept/Reject]
• Completeness: Prover, Verifier honest ⇒ Verifier outputs “Accept” w.o.p.

Zero Knowledge (Review)
Language L in NP. Instance x. Witness w.
[Diagram: Prover (x, w) with Verifier (x) ≈ Simulator (x)]
• Verifier did not learn anything new.
• Simulator ensures that verifier could have produced entire conversation on its own.

Knowledge Soundness (Review)
Language L in NP. Instance x. Witness w.
[Diagram: Prover, Verifier (x), Extractor]
• If “Accept”, prover knows w.
• Extractor recovers w from the prover.

Isolation?
• Standard definitions assume isolation.
• Prover can run a man-in-the-middle attack between a “helper” and the verifier.
• No non-trivial protocol can guarantee that the prover knows w.
• Similar setting considered by Universal Composability.
[Diagram: Helper / Environment (x, w), Prover (?), Verifier (x)]

What can be done without full isolation?
• Setup assumptions (CRS, KRK, …) can be used to get UC security.
• Partial Isolation: Assume prover is l-isolated during the proof.
• Necessary condition: C > l.
[Diagram: Environment (x, w), l bits, Prover, C bits, Verifier (x)]

Why Study Partial Isolation?
• Often reasonable to assume that Prover has more bandwidth with Verifier than with other parties.
  ◦ Prover and Verifier are in same room with no fast Internet connection to the outside.
  ◦ Prover is a tamper-proof hardware token and does not have a large antenna sticking out (motivated by [Katz 07]).
  ◦ Prover is a smart-card and Verifier can monitor power supply to limit communication.
• Interesting theoretical question. Rewinding is possible, but not easy.

What can be done without full isolation?
• An l-Isolated PoK (l-IPoK) is a protocol where no l-isolated cheating prover can succeed without knowing a witness.
• Goal: Construct an IPoK compiler. For any l, compile an l-IPoK.
• Concentrate on witness indistinguishable (WI) l-IPoK protocols.
[Diagram: Environment (x, w), l bits, Prover, C bits, Verifier (x)]

Definition: Knowledge Soundness of l-IPoK
• Stage 1: Prover and Environment communicate without restraint.
• Stage 2: Prover is l-isolated. Prover and Verifier run protocol.
• Stage 3: If verifier accepts, the extractor is given:
  • The code and coins of the prover
  • The transcript of the proof
  • The transcript of communication with the environment (inc. stage 1).
Negligible probability of prover succeeding and extractor failing.
[Diagram: Environment (x, w), l bits, Prover (?), Verifier (x), Extractor]

Presentation Road-Map
• Background, Motivation, Definition
• A simple construction of an l-IPoK protocol with a large communication/round complexity.
• Lower bound on # of rounds in Black Box extractable l-IPoK.
• A construction of an l-IPoK protocol with optimal communication complexity.
• A non-black-box construction in the RO model with optimal communication/round complexity.
• Zero Knowledge when the Verifier is only partially Isolated

Review: Σ-Protocols
• Assume L ∈ NP and Σ is a Σ-protocol for L.
[Diagram: Prover (x, w), Verifier (x); messages a, c, z]
• Special Knowledge Soundness
  ◦ Can recover w from any two accepting conversations (a, c, z) and (a, c’, z’) with c ≠ c’.
• Honest Verifier Zero Knowledge
  ◦ Implies Witness Indistinguishability.

Compiling an l-IPoK from a Σ-Protocol
• Theorem: Repeating Σ with 1 bit challenges (l+κ) times sequentially results in an l-IPoK.
• Intuition: The prover cannot communicate even 1 bit on at least κ rounds and hence must know the witness!
[Diagram: Prover (x, w), Verifier (x); messages a_1, c_1, z_1, a_2, c_2, z_2, …, a_n, c_n, z_n]

Extractor Description
• The extractor rewinds to each round i and tries the challenge (1 - c_i).
  ◦ Extractor ignores attempted communication with the environment.
  ◦ If the prover answers incorrectly (or does not answer), go to next round.
    • Prover “expected help” from the environment.
    • Prover would have answered incorrectly in the original execution on this challenge.
  ◦ Otherwise use (a_i, c_i, z_i) and (a_i, (1 - c_i), z’_i) to compute w.
[Diagram: Extractor and Prover; communication with the environment marked “Ignore!”; rounds (a_1, 1 - c_1, z’_1) and (a_2, 1 - c_2, z’_2); (a_1, 1 - c_1, z’_1) is rejecting]

Soundness (Proof)
• We consider computationally unbounded provers and environments. Hence we can consider deterministic provers and environments only.
• An execution of the protocol is fully determined by the verifier challenges c_1, c_2, c_3, …, c_n. An execution is a random path in a tree.
• An execution path is winning if it is accepting AND the extractor fails to recover a witness.
[Diagram: challenge tree with path c_1 = 0, c_2 = 1, c_3 = 0]

Soundness (Proof)
• An edge is correct if the prover gives a correct response on that challenge.
• An edge is communicating if the environment communicates with the prover on that challenge.
• On a winning path
  ◦ All edges are correct.
  ◦ All sibling edges are incorrect or communicating.
• If two winning paths diverge at a node N, then both edges are correct and communicating.
• There can be at most l such nodes on any path. Hence there are at most 2^l winning paths out of 2^(l+κ) total paths.
• ⇒ Probability of getting a winning execution is 1/2^κ.
[Diagram: challenge tree with path c_1 = 0, c_2 = 1, c_3 = 0]
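
Added example (not from the slides): the sequential 1-bit-challenge compiler, the rewinding extractor and a "winning path" from the soundness proof, run end to end. It assumes Schnorr's protocol as the Σ-protocol, a toy group, and hypothetical round labels 'know'/'relay'/'guess'; the environment is modelled as supplying w on 'relay' (communicating) rounds.

```python
import random

P, Q, G = 2039, 1019, 4   # toy Schnorr group (assumption): G has prime order Q mod P

def verify(x, a, c, z):
    """Sigma-protocol check for a 1-bit challenge: G^z == a * x^c (mod P)."""
    return z is not None and pow(G, z, P) == a * pow(x, c, P) % P

class Prover:
    """plan[i]: 'know' (uses w), 'relay' (communicating round), 'guess' (no w)."""
    def __init__(self, x, plan, w=None, seed=1):
        rng = random.Random(seed)
        self.x, self.plan, self.w = x, plan, w
        self.r = [rng.randrange(Q) for _ in plan]
        self.bit = [rng.randrange(2) for _ in plan]       # guessed challenges

    def first(self, i):                                   # 'guess': a = G^r * x^(-bit)
        e = Q - self.bit[i] if self.plan[i] == 'guess' else 0
        return pow(G, self.r[i], P) * pow(self.x, e, P) % P

    def answer(self, i, c, env_w=None):
        if self.plan[i] == 'guess':                       # only the guessed bit works
            return self.r[i] if c == self.bit[i] else None
        w = self.w if self.plan[i] == 'know' else env_w   # relay: None when cut off
        return None if w is None else (self.r[i] + c * w) % Q

def run(prover, challenges, env_w):
    """Sequential rounds (a_i, c_i, z_i); accept iff every round verifies."""
    t = [(prover.first(i), c, prover.answer(i, c, env_w)) for i, c in enumerate(challenges)]
    return all(verify(prover.x, *rnd) for rnd in t), t

def extract(prover, transcript):
    """Rewind to each round and try 1 - c_i, ignoring the environment."""
    for i, (a, c, z) in enumerate(transcript):
        z2 = prover.answer(i, 1 - c)                      # env_w=None: help ignored
        if verify(prover.x, a, 1 - c, z2):
            z0, z1 = (z, z2) if c == 0 else (z2, z)
            return (z1 - z0) % Q                          # special soundness: w
    return None                                           # extractor fails

def demo(l=3, kappa=5, w=777):
    x = pow(G, w, P)
    knows = Prover(x, ['relay'] * l + ['know'] * kappa, w=w)
    ok1, t1 = run(knows, [i % 2 for i in range(l + kappa)], env_w=w)
    cheat = Prover(x, ['relay'] * l + ['guess'] * kappa)  # never holds w itself
    lucky = list(cheat.bit)                               # a winning path: 2^-kappa
    ok2, t2 = run(cheat, lucky, env_w=w)
    ok3, _ = run(cheat, lucky[:-1] + [1 - lucky[-1]], env_w=w)
    return ok1, extract(knows, t1), ok2, extract(cheat, t2), ok3
```

demo() returns the acceptance flag and extractor output for a prover that holds w but communicates on l rounds, then for a prover without w on its single lucky challenge sequence and on a sequence that differs in one bit.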

Parameters
• Round Complexity: O(l + κ)
• Communication Complexity C: O((l + κ)|Σ|)
• Overhead = C/l: O(|Σ|)
Assume l is large.

Round Complexity of BB extractable l-IPoK
• Prover and environment share a key k_2 to a PRF.
• The prover follows the protocol honestly. “Checks in” with the Environment before producing any output.
• Rewinding requires finding a collision on f_{k_1} or guessing f_{k_2} at a new input!
[Diagram: Environment (k_2), Prover (x, w, k_1, k_2), Verifier (x); repeated in each round: σ = f_{k_1}(view), ω = f_{k_2}(σ), update view]
• If there are ρ rounds of communication then l/ρ = O(log(κ)) ⇒ The number of rounds grows linearly with l.

Presentation Road-Map
• Background, Motivation, Definition
• A simple construction of an l-IPoK protocol with a large communication/round complexity.
• Number of rounds in BB extractable l-IPoK is linear in l.
• A construction of an l-IPoK protocol with optimal communication complexity.
• A non-black-box construction in the RO model with optimal communication/round complexity.
• Zero Knowledge when the Verifier is only partially Isolated

Reducing the Communication
• Task: Design an l-IPoK where the communication complexity and round complexity are both O(l). In other words, we need lots of short rounds.
• If we start with a Σ-protocol, then the flows (a, 0, z_0) and (a, 1, z_1) determine w. The values z_0, z_1 can be thought of as a secret sharing of w. Easy to verify that a share is indeed a share of the witness.
• Idea: Use a ramp secret sharing scheme to split z_0, z_1 into very short shares. On each round give out one short share. Extractor collects enough shares to recover.

Efficient Protocol
This is a single epoch with N = O(l/κ) rounds. Protocol consists of M = O(κ) epochs.
Prover (x, w):
  a ← (random first message of Σ)
  z_0, z_1 ← responses to c = 0, 1
  (s_0[0], . . . , s_0[N]) ← SS(z_0; r_0)
  (s_1[0], . . . , s_1[N]) ← SS(z_1; r_1)
  C_0 ← commit(z_0||r_0)
  C_1 ← commit(z_1||r_1)
Messages between Prover and Verifier (x):
  a, C_0, C_1
  Repeat i = 1, …, N: e ∈ {0, 1, ?}, answered with S_e[i] / ?
  b ∈ {0, 1}, answered with decommit(C_b)
Verify:
  (a, b, z_b) is accepting for Σ
  Collected shares S_b[i] match the decommitment.
• Verifier: Choose ? so that expected number of received blue/yellow shares is less than (secrecy_threshold)/2.
• If Verifier asks for enough blue/yellow shares to break secrecy, Prover quits. Happens w/ negligible probability when verifier is honest.

Proof Intuition
N = O(l/κ) rounds. M = O(κ) epochs.
Prover (x, w):
  a ← (random first message of Σ)
  z_0, z_1 ← responses to c = 0, 1
  (s_0[0], . . . , s_0[N]) ← SS(z_0; r_0)
  (s_1[0], . . . , s_1[N]) ← SS(z_1; r_1)
  C_0 ← commit(z_0, r_0)
  C_1 ← commit(z_1, r_1)
Messages between Prover and Verifier (x):
  a, C_0, C_1
  Repeat i = 1, …, N: e ∈ {0, 1, ?}
  b ∈ {0, 1}
Verify:
  (a, b, z_b) is accepting for Σ
  Verify all shares S_b[i] received match the decommitment
• Extractor rewinds to each round in each epoch and tries the other challenge.
• If Prover communicates, that share is lost.
• Share might also be incorrect.
• Thrm: On at least one epoch, extractor can recover other correct response and hence w.

Parameters
Assume l = (κ|Σ|)
• Round Complexity: O(l)
• Communication Complexity C: O(l)
• Overhead = C/l: O(1)

Random Oracle Protocol
Random Oracle H: {0, 1}* → {0, 1}^κ
Prover (x, w), Verifier (x):
  r ← random string of length l + κ
  For i = 1, …, κ:
    a_i ← (first message of Σ)
    z_i^0, z_i^1 responses
    σ_i^0 = H(z_i^0, r, r_i^0)
    σ_i^1 = H(z_i^1, r, r_i^1)
  {a_i, σ_i^0, σ_i^1} for i = 1, …, κ
  c_1, c_2, …, c_κ with c_i ← {0, 1}
  {r_i^(c_i), z_i^(c_i)} for i = 1, …, κ
• Prover wins if he queries oracle only on the challenge chosen by the verifier. The probability of this is 1/2^κ.
• Protocol is WI (not ZK)

l-Isolated Zero Knowledge (l-IZK)
• Stage 1: Environment and Verifier/Simulator communicate arbitrarily.
• Stage 2: Verifier is l-isolated. Prover and Verifier run proof.
• Stage 3: Environment and Verifier/Simulator communicate arbitrarily.
• Environment cannot distinguish left from right.
[Diagram: left, Prover (x, w) with Verifier (x); right, Simulator (x); Environment (x, w), l bits]

IZK + IPoK from WI IPoK
• Use FLS paradigm to go from WI to IZK
• Use your favorite WI IPoK, Perfectly Binding Commitments
[Diagram: Prover (x, w), Verifier (x)]
  C_0 ← commit(m_0; r_0)
  C_1 ← commit(m_1; r_1)
  Message: C_0, C_1
  WI IPoK for one of (m_0||r_0) or (m_1||r_1) or w

Applications of IPoK and IZK
• Can prevent man-in-the-middle attacks on identification schemes when the prover is partially isolated (use a WI IPoK).
• UC secure MPC under a “cave” assumption. We can implement ideal ZK PoK in such a cave and so can do arbitrary UC-MPC using [CLOS 02].
• Would like to do UC-MPC when only one party is partially isolated at a given time. This is needed for tamper-proof hardware. Can be accomplished using a WI-IPoK (see ePrint 2007/332).

Open Questions
• Open Questions:
  ◦ A BB protocol with overhead 1 + o(1).
  ◦ A non-standard, non-black-box assumption to replace RO model in RO protocol

Thank You! QUESTIONS?