TOWARDS PRACTICAL (GENERIC) ZERO-KNOWLEDGE
Claudio Orlandi – Aarhus University

In this talk: 3 simple ideas from
- Jawurek, Kerschbaum, Orlandi: Zero-Knowledge from Garbled Circuits, CCS 2013
- Frederiksen, Nielsen, Orlandi: Privacy-Free Garbled Circuits, EUROCRYPT 2015
- Chou, Orlandi: The Simplest OT Protocol, ePrint (next week?)

Zero-Knowledge from Garbled Circuits
Jawurek, Kerschbaum, Orlandi, CCS 2013

Zero-Knowledge Protocols (IP/ZK – GMR 85)
- Soundness: even a corrupted P cannot prove false statements
- Zero-Knowledge: even a corrupted V only learns that the statement is true (and not why)
Revolutionary idea in cryptography and CS, and important in practice:
- Authentication
- Essential component in complex protocols
What about efficiency?

Zero-Knowledge Protocols
Many examples of efficient ZK for algebraic languages:
- Discrete Logarithm
- RSA
- Lattice
- ...
What about non-algebraic statements? How do I prove "I know x s.t. y = SHA(x)"?
This work tries to fill this gap!

Related Work
- IKOS'07: ZK from (honest majority) MPC; first step towards the "MPC in the head" approach
- Efficient NIZK/SNARK (GOS 06, GGPPR 13, ...): non-interactive, but require heavy public key operations per gate

Zero-Knowledge vs Secure 2PC
- ZK: P holds (x, w), V holds x; the output is R(x, w) = true
- 2PC: A holds x, B holds y (and the function f); the output is f(x, y)

Garbled Circuits (values in a box are "garbled")
- Gb: f → ([F], e, d)
- En: (e, x) → [X]
- Ev: ([F], [X]) → [Z]
- De: (d, [Z]) → z
Correct if z = f(x)

2PC from GC (Yao's protocol)
- Bob: ([Fy], e, d) ← Gb(f(·, y)), sends [Fy]
- Alice: obtains [X] via OT (from e), then [Z] ← Ev([Fy], [X]) and z ← De([Z], d)
Soundness: if A is corrupted and [Z*] ← A([F], [X]), then De([Z*], d) is either f(x) or ⊥ (reject).
But B could garble a "malicious" function g ≠ f, e.g. g(x) = lsb(x).

2PC secure against active adversaries?
How can Bob prove that he garbled f without revealing any extra information?
Plenty of (costly) solutions are known for 2PC:
- Zero-Knowledge
- Cut-and-choose
- Etc.
Can we do better for ZK?

ZK based on GC
The main idea:
- In ZK the verifier (Bob) has no secrets!
- After the protocol, Bob can reveal all his randomness.
- Alice can simply check that Bob behaved honestly by redoing his entire computation.

ZK protocol (Prover holds w, Verifier holds f)
- Verifier: ([F], e, d) ← Gb(f, r), sends [F]
- OT: Prover obtains [W] (the input keys for w, from e)
- Prover: [Z] ← Ev([F], [W]), sends Com([Z])
- Verifier: reveals r, e
- Prover: if [F] = Gb(f, r) (and the OTs check out), opens [Z]; else abort
- Verifier: z ← De([Z], d)
Costs: Prover work ~ passive Yao; Verifier work ~ passive Yao; Communication ~ 2x passive Yao (dominated by [F])

CCS Implementation
Code not open-source, but easily reproducible:
- FastGC garbled circuits implementation
- Smart-Tillich optimized circuits: AES, MD5, SHA...
- GCParser
- SCAPI to combine the two above and for implementing OT (using elliptic curves)

Runtime (rough estimates)
Proof of "c = AES(k, m)" for secret k and public (c, m)
AES: 35k gates (7k ANDs / 28k XORs)
Communication: 204 kB (98% GC)
Runtime:
- OT: 29.4 ms (using Chou-Orlandi OT, |w| = 128)
- Garbling: 721 µs (using JustGarble GaXR)
- Eval: 273 µs
- Total (Garble + OT + Eval + Garble) ~31.2 ms (+ network)

Privacy-Free Garbled Circuits
Frederiksen, Nielsen, Orlandi, EUROCRYPT 2015

Garbled Circuits (recap)
- Gb: f → ([F], e, d)
- En: (e, x) → [X]
- Ev: ([F], [X]) → [Z]
- De: (d, [Z]) → z
Correct if z = f(x)

Main idea
In 2PC, GC ensure that the evaluator does not learn internal values:
- In Yao garbled circuits evaluation must be oblivious
But in ZK the prover knows all the input bits!
- He also knows all internal wire values
Can we optimize? Yes!

Garbling Schemes without Privacy
Conceptual contribution:
- Natural separation between privacy and authenticity
Concrete efficiency:
- Better constants in garbled circuits
Can we construct garbling schemes tailored to specific applications, which are more efficient than Yao's original construction?

Garbling a Circuit: ([F], e, d) ← Gb(f)
- Choose 2 random keys Ki0, Ki1 for each input wire i
- For each gate compute (Z0, Z1, gg) ← Gb(L0, L1, R0, R1)
- Output e = (Ki0, Ki1) for all input wires, d = (Z0, Z1) for the output wire, [F] = (ggi) for all gates i

Evaluating a GC: [Z] ← Ev([F], [X])
- Parse [X] as (K1^x1, K2^x2, ...) for all input wires
- Parse [F] as (gg1, gg2, ...) for all gates
- For each gate compute Z^g(a,b) ← Ev(La, Rb, gg)
- Output [Z] = Z' (the key obtained on the output wire)

Garbling a Gate (AND/XOR)
A (privacy-free) garbled gate is a gadget that, given two input keys, gives you the right output key (and nothing else):
- (Z0, Z1, gg) ← Gb(L0, L1, R0, R1)
- Z^g(a,b) ← Ev(La, Rb, gg)   // and not Z^(1-g(a,b))

Garbling w/o free-XOR (GRR1): Gb_AND(L0, L1, R0, R1)
Output keys: Z0 = H(L0), Z1 = H(L1, R1)
Send: C = Z0 ⊕ H(R0)
Ev_AND(Lx, Ry, C):
- If x = y = 1: output Z1 = H(Lx, Ry)
- If x = 0: output Z0 = H(Lx)
- If y = 0: output Z0 = C ⊕ H(Ry)

Garbling w/o free-XOR (GRR1): Gb_XOR(L0, L1, R0, R1)
Output keys: Z0 = L0 ⊕ R0, Z1 = L0 ⊕ R1
Send: C = L0 ⊕ R0 ⊕ L1 ⊕ R1
Ev_XOR(La, Rb, C):
- If a = 0: output Z^(a⊕b) = La ⊕ Rb
- If a = 1: output Z^(a⊕b) = C ⊕ La ⊕ Rb
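The GRR1 privacy-free AND and XOR gates from the two slides above, as an added Python example (not the paper's code): H is SHA-256 truncated to 128-bit wire keys (both choices are assumptions of this example), and check_gate garbles a gate on fresh random keys and confirms over the whole truth table that an evaluator who knows the wire bits a and b obtains exactly Z^g(a,b).

```python
import hashlib
import os

KEYLEN = 16  # 128-bit wire keys (an assumption of this example)

def H(*parts):
    """Key-derivation hash; a real implementation would also tweak it with the gate index."""
    return hashlib.sha256(b"".join(parts)).digest()[:KEYLEN]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def gb_and(L0, L1, R0, R1):
    """Garble an AND gate: two output keys plus the single ciphertext C that is sent."""
    Z0 = H(L0)
    Z1 = H(L1, R1)
    C = xor(Z0, H(R0))
    return Z0, Z1, C

def ev_and(x, Lx, y, Ry, C):
    """Privacy-free evaluation: the evaluator knows the plaintext bits x and y."""
    if x == 1 and y == 1:
        return H(Lx, Ry)          # Z1
    if x == 0:
        return H(Lx)              # Z0 directly from the left key
    return xor(C, H(Ry))          # Z0 recovered from C with the right key

def gb_xor(L0, L1, R0, R1):
    """Garble a XOR gate without free-XOR: one ciphertext C is sent."""
    Z0 = xor(L0, R0)
    Z1 = xor(L0, R1)
    C = xor(xor(L0, R0), xor(L1, R1))
    return Z0, Z1, C

def ev_xor(a, La, b, Rb, C):
    if a == 0:
        return xor(La, Rb)        # = L0 ^ Rb = Z_b
    return xor(C, xor(La, Rb))    # = L0 ^ R_(1-b) = Z_(1-b)

def check_gate(gb, ev, g):
    """Garble one gate on fresh random keys and evaluate it on all four inputs."""
    L = (os.urandom(KEYLEN), os.urandom(KEYLEN))
    R = (os.urandom(KEYLEN), os.urandom(KEYLEN))
    Z0, Z1, C = gb(L[0], L[1], R[0], R[1])
    Z = (Z0, Z1)
    for a in (0, 1):
        for b in (0, 1):
            out = ev(a, L[a], b, R[b], C)
            # must be the key for g(a, b) and, since Z0 != Z1, never the other one
            if out != Z[g(a, b)] or out == Z[1 - g(a, b)]:
                return False
    return True
```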

Conclusions & Open Problems
Still a lot to be done with garbling schemes!
- Other specific-purpose garbling schemes?
- Non-interactive ZK (w/o PKE/gate)?

The Simplest Oblivious Transfer Protocol
Chou, Orlandi, coming soon on ePrint

Diffie-Hellman Key Exchange
- Alice: X = g^x; Bob: Y = g^y
- K = H(Y^x) = H(X^y); C = E(K, m); m = D(K, C)
There is another key K' = H((X/Y)^x) which Bob cannot compute!

The Simplest OT Protocol
- Sender (m0, m1): X = g^x
- Receiver (b): if b = 0: Y = g^y; if b = 1: Y = X/g^y
- Sender: K0 = H(Y^x), K1 = H((X/Y)^x); C0 = E(K0, m0), C1 = E(K1, m1)
- Receiver: Kb = H(X^y); mb = D(Kb, Cb)
where E((α, β), m) = (α + m, (α + m)β)
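The exchange on the slide above, as an added Python example (not the authors' implementation): the group is a toy Z_p^* with a Mersenne prime modulus chosen for this example rather than Curve25519, H hashes a group element to a key (α, β) of two field elements, and E/D are the slide's one-time authenticated encryption, so decrypting the wrong ciphertext with K_b fails its tag check.

```python
import hashlib
import secrets

# Toy group Z_p^* (constructed for this example; the talk uses Curve25519).
P = 2**127 - 1
G = 3

def H(elem):
    """Hash a group element to the key (alpha, beta), both field elements."""
    data = elem.to_bytes(16, "big")
    alpha = int.from_bytes(hashlib.sha256(b"alpha" + data).digest(), "big") % P
    beta = int.from_bytes(hashlib.sha256(b"beta" + data).digest(), "big") % P
    return alpha, beta

def E(key, m):
    """Slide's encryption: (alpha + m, (alpha + m) * beta); the second part is the tag."""
    alpha, beta = key
    c1 = (alpha + m) % P
    return c1, (c1 * beta) % P

def D(key, c):
    """Return m, or None when the tag does not verify (wrong key)."""
    alpha, beta = key
    c1, c2 = c
    if (c1 * beta) % P != c2:
        return None
    return (c1 - alpha) % P

def sender_round1():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)                           # X = g^x

def receiver_round1(X, b):
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    Y = gy if b == 0 else (X * pow(gy, -1, P)) % P   # b=0: Y = g^y, b=1: Y = X/g^y
    return Y, H(pow(X, y, P))                        # K_b = H(X^y)

def sender_round2(x, X, Y, m0, m1):
    K0 = H(pow(Y, x, P))                             # K0 = H(Y^x)
    K1 = H(pow(X * pow(Y, -1, P) % P, x, P))         # K1 = H((X/Y)^x)
    return E(K0, m0), E(K1, m1)

def run_ot(m0, m1, b):
    """One OT: returns (m_b recovered with K_b, result of trying K_b on the other ciphertext)."""
    x, X = sender_round1()
    Y, Kb = receiver_round1(X, b)
    C = sender_round2(x, X, Y, m0, m1)
    return D(Kb, C[b]), D(Kb, C[1 - b])
```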

The Simplest OT Protocol
Complexity:
- Communication: 1 ge/OT + 2 ctxt/OT + 1 ge
- Computation: 3 exp/OT + 3 H/OT + 2 exp
Security: UC vs. active adversary with programmable RO
Performance: ~5000 OT/s
- Implementation based on Bernstein's Curve25519