Post on 27-Jul-2020
CRYPTOGRAPHIC PROTOCOLS 2018, LECTURE 8
Sigma protocols
Helger Lipmaa, University of Tartu, Estonia
Lecture: 01.11.18
Slides last modified: 03.11.18
UP TO NOW
Introduction to the field
Secure computation protocols
Can do almost everything in semihonest model
Introduction to malicious model
THIS TIME
Reminder: malicious model
Zero knowledge: very basics
Σ-Protocols: a particular type of "ZK" protocols
  motivation
  security definitions
  examples
Note: remade slides compared to 2016 (no graphs anymore)
RECALL: "SECOND IDEA"
Do not reveal the witness
Instead let the party prove that such a witness exists
so that the proof does not reveal any side information apart from that
Zero-knowledge proof
REMARK: AUTHENTICATION
If the last idea sounds crazy, think about authentication
Party holding pk, sk: I am The Doctor
Party holding pk: Prove it!
Reply: sk, or instead a ZK proof of knowledge of sk
ZK PROOF: SHORT DEFINITION
Syntax: ZK proof is a protocol between a prover P and a verifier V, at the end of which V either accepts or rejects
ZK proof satisfies the following security requirements:
  Completeness: honest V accepts honest P
  Soundness: honest V does not accept malicious P*
  Zero-knowledge: malicious V* learns from the proof with an honest P that P is honest and nothing else
formal definitions are much more complicated, see the next lecture
RECALL: HOMOMORPHIC E-VOTING
Voters (pk): c_i ∈ {0, ..., C - 1}, each sends Enc(f(c_i))
  + ZK proof that the plaintext is f(c_i) for some i
Vote collector (pk): sees who sent which ciphertext, cannot decrypt; passes on Enc(Σ f(c_i))
  no need for ZK proof (product of public ciphertexts)
Tallier (sk): sees anonymous ciphertext, can decrypt; outputs Σ f(c_i)
  + ZK proof that decryption was correct
RECALL: MIXNET BASED E-VOTING
Voters: C_i = Enc(c_i)
First shuffle (pk): π: random permutation, r_i: random randomizers
  C_i' = C_π(i) · Enc(0; r_i)
Second shuffle (pk): π': random permutation, r_i': random randomizers
  C_i'' = C'_π'(i) · Enc(0; r_i')
  + ZK proof that the shuffle is correct
Decryption (pk; sk: threshold): {c_i} in some order
  + ZK proof that decryption was correct
NOTE ON DIFFICULTY
Some ZK proofs are obviously much more complex than others
Proof of correct decryption:
  with Paillier, tallier can compute both m and r (easy exercise; note: tallier knows sk)
  proof = (m, r)
Proof of correct shuffle: ???
GENERAL PROTOCOL DESIGN
Design a passively secure protocol
  I.e., that protects privacy given participants follow the protocol
  ... take any protocol we have seen up to now
Make it secure in the malicious model by adding ZK proofs to all messages
  of course this needs "some" care: you need to know which ZK to add
  efficiency, ...
PROOFS VS PROOFS OF KNOWLEDGE
ZK Proof:
  Complete: honest prover convinces honest verifier
  Sound: dishonest prover does not convince honest verifier
  Zero Knowledge: dishonest verifier only gets to know that honest prover is honest
ZK Proof of Knowledge: (in addition)
  Proof of Knowledge (stronger soundness): honest prover convinces honest verifier that he knows "why he is honest" --- i.e., knows some secret "witness"
AUTHENTICATION, REVISITED
Prover P: pk, sk
Verifier V: pk
P: I am The Doctor
V: Prove it!
P: sk, or instead a ZK proof of knowledge of sk
Proof: I can sign your document with Doctor's secret key. Leaks information (new signatures), not really ZK. ZK proofs do not make sense in this application
Proof of knowledge: I know sk (nothing else is leaked)
MOTIVATION BY EXAMPLES
We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledge
We will later see other protocols that are "secure" in the same sense
  Common name: Σ protocols
We then formally define security of such protocols
Σ-PROTOCOL FOR DL
DL proof: // proof of knowledge of DL
  prove that you know x such that pk = g^x
QUIZ: any ideas how to do it?
Hint: generate a = g^r for random r, and use the knowledge of r
Solution 1: reveal both r and z ← x + r
Problem:
  if verifier gets to know both r and z then she can compute x ← z - r
(figure: g^x, g^r, g^(x+r))
Σ-PROTOCOL FOR DL
Solution 2: reveal one of r and z ← x + r
Problem:
  If prover knows that, say, z is revealed, then she can sample it randomly
(figure: g^x, g^r, g^(x+r))
Σ-PROTOCOL FOR DL
Solution 3:
  first reveal g^r and then let the verifier pick whether she wants to see r or z ← x + r
(figure: g^x, g^r, g^(x+r); with prob. 1/2)
Idea:
• honest P succeeds always
• malicious P fails w.p. 50%
Σ-PROTOCOL FOR DL
Prover P: pk = g^x, sk = x
Verifier V: pk
P: 1. r ←$ Z_q
   2. a ← g^r
P → V: a
V: c ← {0, 1}
V → P: c
P: z ← c x + r
P → V: z
V: 1. If g^z = pk^c · a then accept
   2. else reject
KNOWLEDGE ERROR
Honest Prover is accepted with probability 1
Dishonest Prover is accepted with non-zero probability κ = 1/2
Def (informal). Knowledge error = κ
Every Σ-protocol has non-zero knowledge error
  Prover can just guess Verifier's challenge and prepare first message accordingly
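The knowledge error κ = 1/2 of the binary-challenge DL protocol, as an added Python example that is not part of the original slides: for any commitment, an honest prover can answer both challenges, while a prover without x who prepares a for a guessed challenge can answer exactly that one. The toy group (p = 2039, q = 1019, g = 4) and all class and function names are assumptions of this example.

```python
import secrets

# Toy Schnorr group, constructed for this example (far too small to be secure):
# P = 2*Q + 1 with P, Q prime, and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    """Return (pk, sk) with sk = x in [1, Q-1] and pk = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def verify(pk, a, c, z):
    """Verifier's final check from the slides: accept iff g^z = pk^c * a."""
    return pow(G, z, P) == (pow(pk, c, P) * a) % P


class HonestProver:
    """Knows x and follows the protocol."""

    def __init__(self, x):
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(Q)          # r <-$ Z_q
        return pow(G, self.r, P)               # a <- g^r

    def respond(self, c):
        return (c * self.x + self.r) % Q       # z <- c*x + r


class GuessingProver:
    """Does not know x; guesses the challenge before sending a."""

    def __init__(self, pk, guess):
        self.pk, self.guess = pk, guess

    def commit(self):
        self.z = secrets.randbelow(Q)
        # Choose a so that the check holds for c = guess: a = g^z * pk^(-guess).
        # pk has order Q, so pk^(Q - guess) equals pk^(-guess).
        return pow(G, self.z, P) * pow(self.pk, Q - self.guess, P) % P

    def respond(self, c):
        return self.z                          # the only response it can give


def answerable_challenges(prover, pk):
    """For one commitment a, list the challenges c in {0, 1} that V accepts."""
    a = prover.commit()
    return [c for c in (0, 1) if verify(pk, a, c, prover.respond(c))]


def run_once(prover, pk):
    """One protocol run with a uniformly random challenge."""
    a = prover.commit()
    c = secrets.randbelow(2)
    return verify(pk, a, c, prover.respond(c))


def acceptance_rate(make_prover, pk, runs=2000):
    """Empirical acceptance probability over independent runs."""
    return sum(run_once(make_prover(), pk) for _ in range(runs)) / runs


if __name__ == "__main__":
    pk, x = keygen()
    print("honest prover answers:", answerable_challenges(HonestProver(x), pk))
    print("guess 0 answers:", answerable_challenges(GuessingProver(pk, 0), pk))
    print("guess 1 answers:", answerable_challenges(GuessingProver(pk, 1), pk))
    print("guessing prover rate:", acceptance_rate(
        lambda: GuessingProver(pk, secrets.randbelow(2)), pk))
```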
A BIT OF TERMINOLOGY
All such proofs are of type:
  does input inp belong to language L?
The prover knows a witness w
Proving inp ∈ L can be done efficiently, given w
Proof of knowledge: Prover proves he knows w
DL proof: L = {pk ∈ G}, inp = pk, w = dlog_g pk
  Here, L is "trivial" but it's a special case
DDH proof: L = {(h1, h2) ∈ G^2 : ∃ x, (h1, h2) = (g1, g2)^x}, inp = (h1, h2), w = x
Σ-PROTOCOLS: SYNTAX
Prover P: input, witness
Verifier V: input
P → V: 1st message: commitment a
V → P: 2nd message: challenge c
P → V: 3rd message: response z
Requirement: c is chosen from some challenge set C randomly. (Does not depend on a!)
Terminology: public coin protocol
Σ-PROTOCOLS: FORMAL DEFINITION
Definition
A protocol (P, V) is a Σ-protocol, if
1. it is a three-message public-coin protocol: it has three messages, with the prover starting, and the second message is completely random and independent of the first message
2. Security: it is complete, specially sound, and special honest-verifier zero knowledge
P (input, witness) → V (input): 1st message: commitment a
V → P: 2nd message: challenge c
P → V: 3rd message: response z
Σ-PROTOCOLS: SECURITY
1. Completeness
2. Special Soundness
3. Special Honest-Verifier ZK (SHVZK)
Completeness: if Prover is honest then honest Verifier always accepts.
  DL protocol has it
Special Soundness (with knowledge error κ): if Prover is dishonest then honest Verifier accepts with probability not much larger than κ.
  DL protocol has it (intuitively)
SPECIAL SOUNDNESS: MORE
Our proof of special soundness for DL relied on the next (informal) fact:
If (possibly malicious) P* makes honest V always accept, then P* "knows" x such that y = g^r and pk · y = g^(x + r) and thus pk = g^x
We will next make this intuition more formal
SEMIFORMALLY: SPECIAL SOUNDNESS
Assume a dishonest prover P* can make honest verifier V accept with some probability ε > κ
Then V can "extract" the witness (here, x) from P* in time related to ε - κ
However, V is a pre-defined algorithm
We define a new algorithm, an extractor K, that communicates with P* and extracts x from P*
=> we have a proof of knowledge
This guarantees κ is really the "limit"
As in reductions, K can only communicate with P*. K does not know anything else about P* apart from what P* outputs
FORMALLY: SPECIAL SOUNDNESS
Definition
A Σ-protocol (P, V) is specially sound, if there exists a probabilistic expected poly-time extractor algorithm K, such that if a prover P* (possibly malicious) can make V accept with a probability ε > κ, then K can --- after playing the role of V in possibly many instances of the protocol with P* --- output the value of the witness
However, K must have some "superpower": otherwise V could do the same and extract witness. Here: rewinding
REMINDER: SPECIAL SOUNDNESS
Prover P: input = pk, witness = x
Verifier V: input = pk
P: 1. r ←$ Z_q
   2. a ← g^r
P → V: a
V: c ← {0, 1}
V → P: c
P: z ← c x + r
P → V: z
V: 1. If g^z = pk^c · a then accept
   2. else reject
Intuition. Assume P* makes V accept with probability 1.
Then y = g^r and pk · y = g^(x + r)
SPECIAL SOUNDNESS: REWINDING
Prover: input = pk, witness = x
K (playing V): input = pk
Prover → K: a
K → Prover: c
Prover → K: z
Formally, K plays V in the protocol. K does the following:
  Execute the protocol once with c = 0. Store (a, 0, z)
  Create a breakpoint for prover directly after sending a
SPECIAL SOUNDNESS: REWINDING
Prover: input = pk, witness = x
K (playing V): input = pk
Prover → K: a
K → Prover: c* ≠ c
Prover → K: z*
After that:
  Rewind P* to the breakpoint (the state P* was in directly after sending a). Challenge with c* = 1, get P*'s answer, and store (a, 1, z*)
REWINDING: ANALYSIS
Messages after rewinding: a, then c* ≠ c, then z*
Since P* makes V accept with probability 1, this means that (a, 0, z) and (a, 1, z*) are both accepting views
Since both views accept,
  g^z = pk^0 · a
  g^(z*) = pk^1 · a
But then pk = g^(z* - z) and thus x = z* - z
GENERAL K.E.
Previous analysis only works if ε = 1
Assume P* makes V accept with any probability ε > κ
  Probability ε is both over the randomness ω of P* and c of V
  P*(inp, ω) generates a, P*(inp, ω, c) generates z
Construct a Boolean matrix A
  A_{ω,c} = 1 iff V accepts given that P* has random string ω and verifier has random string c
  Known: fraction ε of entries are 1
  There exists a row with two 1-s iff ε > κ := 1/C, C := |{c}|
(figure: matrix A with rows ω and columns c, some entries equal to 1)
GENERAL K.E.
If P* makes V accept with prob. ε > κ, K does:
1. Generate random (ω, c) until V accepts the resulting view (a, c, z)
2. Generate random c* (but use the same ω) until V accepts the resulting view (a, c*, z*)
   1. If c = c* then goto 1
3. Now K has (a, c, z), (a, c*, z*), with c ≠ c*, and can retrieve witness as before
T_probes := the number of probed matrix entries before this happens
Slide annotations: 1 / ε expected steps; Happens with some prob. p; 2 / (pε) expected steps; 1 / ε expected steps
(figure: matrix A with rows ω and columns c, with numbered entries)
GENERAL EXTRACTOR
One has to analyze the expected number of steps T_probes that guarantees that K will with high probability obtain such views
  Expected: with small probability, the number of steps can be very large
Will omit precise analysis
Answer:
  T_probes ≤ 2 / (ε - κ): expected number of runs
Examples:
  ε = 1, κ = 1/2: T_probes ≤ 2 / (1 - 1/2) = 4
  ε = 3/4, κ = 1/2: T_probes ≤ 2 / (3/4 - 1/2) = 8
  ε = k^(-c), κ = 1/q = 2^(-k): T_probes ≤ 2 / (k^(-c) - 2^(-k)) ≈ 2 k^c
  // If ε - κ is non-negligible then T_probes is polynomial
  k: security parameter
SPECIAL SOUNDNESS: SIMPLIFIED
Due to what we saw on last slides, we can somewhat simplify the special soundness definition
  We know the relation between ε - κ and the running time of extractor
  We can just assume that if we have already found two accepting views (a, c, z), (a, c*, z*) with c ≠ c*, then K can efficiently retrieve the witness
  We can then use what we know to construct full extractor
SPECIAL SOUNDNESS: SIMPLIFIED
Definition (simplified)
A Σ-protocol (P, V) is specially sound, if there exists a (deterministic) poly-time extractor algorithm K that, given two accepting views (a, c, z) and (a, c*, z*), such that c ≠ c*, can efficiently compute the value of the witness
DL: PROOF OF SPECIAL SOUNDNESS
Prover P: input = pk, witness = x
Verifier V: input = pk
P: 1. r ←$ Z_q
   2. a ← g^r
P → V: a
V: c ← {0, 1}
V → P: c
P: z ← c x + r
P → V: z
V: 1. If g^z = pk^c · a then accept
   2. else reject
Construction of extractor: Given accepting views (a, 0, z) and (a, 1, z*), K outputs x ← z* - z
Analysis:
1. Since a is the same and both views accept, g^z = y and g^(z*) = pk · y (y denotes the commitment a)
2. Thus pk = g^(z* - z)
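Rewinding and the general extractor K from the REWINDING, GENERAL K.E. and GENERAL EXTRACTOR slides, as an added Python example that is not part of the original lecture: P* is modelled as a deterministic function of its random string ω, so rewinding means querying the same ω again with a new challenge. The toy group, the hypothetical PartialProver with ε = 3/4 and κ = 1/2, and all names are assumptions of this example.

```python
import random

# Toy Schnorr group constructed for this example (not secure): P = 2*Q + 1,
# both prime, and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
OMEGA_SPACE = 1 << 16        # number of random strings omega (divisible by 4)


def verify(pk, a, c, z):
    """V's check from the slides: accept iff g^z = pk^c * a."""
    return pow(G, z, P) == (pow(pk, c, P) * a) % P


class PartialProver:
    """Hypothetical P*, a deterministic function of its random string omega.

    Rows with omega % 4 in {0, 1} answer both challenges (two 1s in matrix A).
    Rows with omega % 4 in {2, 3} answer only the guessed challenge omega % 2.
    The fraction of accepting (omega, c) pairs is therefore eps = 3/4.
    """

    def __init__(self, x):
        self._x = x                       # hidden from K; K sees only a and z
        self.pk = pow(G, x, P)

    def _r(self, omega):
        return random.Random(omega).randrange(Q)

    def commit(self, omega):
        r = self._r(omega)
        if omega % 4 < 2:
            return pow(G, r, P)           # a = g^r
        # a = g^r * pk^(-guess), which verifies only for c = guess
        return pow(G, r, P) * pow(self.pk, Q - omega % 2, P) % P

    def respond(self, omega, c):
        r = self._r(omega)
        return (c * self._x + r) % Q if omega % 4 < 2 else r


def accepting_fraction(prover, n_omega):
    """Fraction of 1-entries in the first n_omega rows of matrix A."""
    hits = sum(verify(prover.pk, prover.commit(w), c, prover.respond(w, c))
               for w in range(n_omega) for c in (0, 1))
    return hits / (2 * n_omega)


def extract(prover, rng):
    """Extractor K. Returns (witness, number of probed matrix entries)."""
    probes = 0
    while True:
        # Step 1: random (omega, c) until V accepts the view (a, c, z).
        while True:
            omega, c = rng.randrange(OMEGA_SPACE), rng.randrange(2)
            a, z = prover.commit(omega), prover.respond(omega, c)
            probes += 1
            if verify(prover.pk, a, c, z):
                break
        # Step 2: rewind (same omega, same a), random c* until V accepts.
        while True:
            c2 = rng.randrange(2)
            z2 = prover.respond(omega, c2)
            probes += 1
            if verify(prover.pk, a, c2, z2):
                break
        if c2 == c:
            continue                      # "goto 1"
        # Step 3: g^(z2 - z) = pk^(c2 - c), so x = (z2 - z) / (c2 - c) mod Q.
        inv = pow((c2 - c) % Q, Q - 2, Q)
        return (z2 - z) * inv % Q, probes


def mean_probes(x, trials, seed):
    """Average T_probes over several extractions; checks every witness."""
    rng, prover, total = random.Random(seed), PartialProver(x), 0
    for _ in range(trials):
        got, probes = extract(prover, rng)
        assert got == x
        total += probes
    return total / trials


if __name__ == "__main__":
    secret = 777                          # constructed sample witness
    print("eps =", accepting_fraction(PartialProver(secret), 400))
    print("extracted:", extract(PartialProver(secret), random.Random(1)))
    print("mean probes:", mean_probes(secret, 2000, seed=7))
```

For this prover the slide's bound is 2 / (3/4 - 1/2) = 8 probes; K never reads the prover's secret field, only a and z.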
STUDY OUTCOMES
Main idea of ZK proofs
Example, very natural, protocol with "intuitive" security
Σ-protocols: definition
Motivation and analysis of special soundness
NEXT LECTURE
More efficient Σ-protocols based on DL
Σ-protocols for various relations about Elgamal plaintexts
  For example: Σ-protocol that Elgamal plaintext is in {0, 1}
Σ-protocol for Circuit-SAT