Lecturer: Moni Naor

1
Foundations of CryptographyLecture 13
Zero-Knowledge Variants and Applications

• Lecturer Moni Naor

2
Recap of last weeks lecture

• String Commitment
• Definition
• Construction from pseudo-random generators
• Coin Flipping
• Zero-knowledge Interactive Proofs
• Interactive Proofs and the cryptographic setting
• Definition of zero-knowledge proofs
• Construction of a zk proof system for
  Hamiltonicity

3
(No Transcript)
4
Question zero-knowledge protocol for subset sum

• Give a direct protocol (i.e. not through a
  reduction to hamiltoncity) for the subset sum
  problem
• Subset sum problem given
• n numbers 0 a1, a2 ,, an lt 2m
• Target sum T
• Is there a subset S? 1,...,n such that
• ? i ?S ai,T mod 2m

5
The world so far
Trapdoor permutations
Public-key Encryption (CPA)
Factoring is hard (BG Permutations)
Pseudo-random generators
Pseudo-random Functions
Signature Schemes
One-way functions
String Commitment
Pseudo-random Permutations
Shared-key Encryption (CPA) and Authentication
UOWHFs
Zero-Knowledge for all of NP
P ? NP
6
Whats next

• More of zero-knowledge
• Black-box simulation
• Proofs of knowledge
• Public-key Identification
• Perfect and Statistical Zero-knowledge
• Authentication via encryption
• Malleability

7
Zero Knowledge

• Each (cheating) verifier V induces a
  distribution on transcripts on interaction with
  P
• Zero-Knowledge Requirement for all verifiers V
  there exists a simulator S such that
• simulator S is a pptm (does not get witness W)
• for all X?L the distributions on transcripts
  that V induces and that S produces are
  computationally indistinguishable.
• Role of simulator similar to alternative
  adversary A in semantic security

8
Black-box Zero-Knowledge

• Order of quantifier for for all verifiers V
  there exists a simulator S
• Black-box simulation there exists a simulator S
  that is good for all verifiers V
• S interacts with V as an oracle SV
• Can see Vs reaction to various messages but not
  its internal state
• Almost all known zero-knowledge protocols are
  black-box

9
Protocol Hamiltonicity

• Common input graph G(V,E)
• L is the language of graphs with Hamiltonian
  cycles
• Witness W a Hamiltonian Cycle C(i1,i2, ? in)
• Protocol
• Prover P selects a random permutation ? of the
  nodes
• Commits to the adjacency matrix of
  ?(G)(?(V), ?(E))
• for each entry separately
• Verifier V selects and sends a bit r ?R ?0,1?
• Prover P
• If r0 then P opens all the commitments and sends
  ?
• If r1 then P opens only the commitments
  corresponding to C
• entries (? (ij), ? (ij1 ))
• Verifier V accepts if r0 and committed graph
  isomorphic to G
• r1 and all opened
  slots are 1

10
Reducing probability of cheating

• To reduce the probability of cheating
• Run the protocol k times sequentially
• Verifier accepts if prover succeeds in all k runs
• Probability of cheating 2-k
• Zero-knowledge
• The simulator builds the transcript one iteration
  at a time
• The rewinding is to the end of the previous
  iteration

11
Knowledge of a Hamiltonian Cycle

• Can a verifier succeed in the protocol without
  knowing a witness W (a Hamiltonian cycle)?
• What does know mean?
• In the NP context you give the cycle, so the
  question does not arise.
• New notion proof of knowledge
• There exists an extractor so that for any Prover
  P that succeeds in the protocol produces a cycle
• Extractor should be a ppt.
• Gets to interact with P as a black-box and may
  rewind it
• Success of extraction should be similar to
  success of P

12
Hamiltonicity protocol is a proof of knowledge

• The extractor
• Run P for the first step
• Given the commitments, following step 1 run the
  protocol twice
• with r 0 and r 1
• If succeeds in both can extract a cycle
• If at least one case fails in a real execution
  prover fails with probability at least ½
• If probability of extraction failing is ?,
  probability of success in protocol is at most
  1-?/2
• If protocol is repeated k times non-negligible
  probability of success implies probability (1
  negligible) of extraction

13
Applications of proofs of knowledge

• A goal in itself Sudoku example.
• www.wisdom.weizmann.ac.il/naor/PAPERS/SUDOKU_DEMO
  /
• Identification
• I know a secret that only the claimed entity
  should know
• Allows for public-key identification
• Important as an internal component of protocols
• To be able to make sense out of intuitions
  Player has a value

14
Public-key identification

• Generation G0,1 ? 0,1 x 0,1 mapping
  random bits to public key Kp and secret key Ks
• Identification prover and verifier both know Kp
  and prover knows Ks
• Interactive protocol at the end verifier
  accept/rejects
• Completeness a prover who knows Ks always makes
  the verifier accepts
• Unforgeability for any polynomial l
• If adversary controls V for l identification
  sessions
• Can act as it wishes
• Tries to act as prover P and make real verifier
  accept
• Has negligible probability of succeeding
• Insecure against online transfers mafia scam or
  man-in-the-middle

Parallel? Concurrent? Sequential?
15
Public-key identification

• Public-key Yf(X) secret X 2 0,1k where f is
  a one-way function
• To identify run zero-knowledge proof of
  knowledge for inverse of Y
• Prover knows X
• Since f is in P can reduce to Hamiltonicty
• Unforgeability without any sessions as verifier
• A forger will be caught whp
• Else can extract from it X, violating the
  hardness of f.
• If forger succeeds after l sessions as verifier
• Run the simulator S for l sessions and the run
  the extraction
• Receiver cannot prove that interaction took place
• Bug or feature?

16
Public-key identification

• Can use witness indistinguishability instead of
  zero-knowledge
• Public-key Y0f(X0) and Y1f(X1) where f is a
  one-way function. Secret key X0 or X1
• To identify run a witness-indistinguishable
  proof of knowledge for inverse of Y0 or Y1
• Prover knows X0 or X1
• Since f is in P can reduce to Hamiltonicty
• Unforgeability given a forger A, can use it to
  invert f
• run it knowing one of the inverses.
• Then run the extractor on the forging session and
  extract an inverse to Y0 or Y1.
• If known inverse more likely to be extracted
  violated WI
• Ow successful inversion with probability 1/2

17
Commitment Schemes

• Hiding A computationally bounded receiver learns
  nothing about X.
• Binding s can only be opened to the value X.

X
Commit Phase
Sender
Receiver
s
X
Reveal Phase
Sender
X
Receiver
v
s, v, X
Reveal Verification Algorithm
yes/no
18
Protocol for quadratic residuosity

• Given y, N where NPQ want to prove that y is a
  quadratic residue
• there exist x such that x2 y mod N
• Zero-knowledge protocol for Prover who knows x
• Prover choose random r 2R ZN and send zr2 mod
  N
• Verifier send b2R 0,1
• Prover send v xbr mod N
• Verifier check that v2 yb z mod N

19
Analysis of Protocol

• Completeness perfect v
• Soundness if there exist v0 and v1 such that
• v02 y0 z mod N
• and
• v12 y z mod N
• then v1/v0 is square root of y.
• Probability of cheating is at most ½
• Zero-knowledge simulator for V
• guess b ?R ?0,1? and select v 2R ZN
• Send z v2/yb
• Obtain b??0,1? from V
• If bb proceed as planned send v
• Otherwise rewind V and start from scratch

Also proof of knowledge
20

• Claim for every V (not necessarily ppt)
  Simulator stops in expected constant number of
  trials
• Proof given z, distribution on b is unbiased
• Half the cases b b
• Claim Distributions of (S, V) and (P, V) are
  indistinguishable Identical
• Protocol is perfect zero-knowledge proof system
• Statistical (prefect) zk the distribution of the
  simulator is ?-close to the actual distribution
• ? is negligible in the security parameter. In
  Perfect zk ?0

21
Statistical Zero-Knowledge

• So if statistical zero-knowledge is so good, why
  not use it all the time?
• Definition L is a promise problem
• SZKLL has a statistical zero-knowledge
  protocol
• HVSZKLL has an honest verifier statistical
  zero-knowledge protocol
• Clearly SZK µ HVSZK
• since any protocol good against all verifiers is
  good against honest ones as well

22
Promise Problems

• A promise problem L is similar to a language
  recognition problem except that there is a set A
• if x 2 A then should report correctly whether x 2
  L or not
• if x 2 A then do not care how algorithm responds
• Example unique sat
• A?either ? is not statisfiable or ? has a
  unique satisfying assumption
• If A0,1n, then this is the usual language
  recognition problem

O satisfying assignments
1 satisfying assignment
23
Public Coins Arthur-Merlin Games

• Definition of IP permits the verifier to keep its
  coin-flips private
• necessary feature?
• The quadratic residue protocol we saw breaks
  without it
• New characters Arthur as the verifier and Merlin
  as the prover

24
Public CoinsArthur-Merlin Games

• Arthur-Merlin game interactive protocol in which
  coin-flips are public
• Arthur (verifier) may as well just send the
  results of coin-flips. No point in doing any
  computation until the final step
• If more complicated computation are need, Merlin
  (prover) can perform by himslef any computation
  Arthur would have done
• Merlin does not know in advance the coin flips
• Complexity Class defined by limiting the of
  rounds
• AMk Arthur-Merlin game with k rounds, Arthur
  goes first
• MAk Arthur-Merlin game with k rounds, Merlin
  goes first
• Theorem AMk (MAk) equals AM2 (MA2) with
  perfect completeness.

25
Relationship between The Complexity classes
EXP
PSPACEIP
P
PH
If NP µ Co-AM then the polynomial-time hierarchy
collapses
S2P
?2P
?2P
AM
Co-AM
Under current world view No Co-NP-Complete can
have an AM protocol
MA
Co-MA
NP
coNP
BPP
P
26
A mechanism for showing non-hardness of problems

• By placing a problem in AM Å Co-AM one
  demonstrates that the problem is not NP-Complete
  according to the current world view
• Alternatively, one can view it as a method for
  showing impossibility of certain types of
  protocols

Example Graph Isomorphism
27
Statistical Zero-Knowledge

• Theorem if a language L has a statistical
  zero-knowledge proof system, then L 2 AM Å Co-AM
• Conclusion if interested in zero-knowledge
  proofs for all languages in NP need to either
• Relax notion of proof argument
• Prover is assumed to be a polynomial time
  machine
• Having access to some secret information
• Such protocols exists assuming a certain kind of
  commitment exists
• Based on one-way permutations. Now functions!
• Another possible relaxation of proof assume that
  there are two provers who do not exchange
  information during the execution of the protocol

This led to PCP
28
Exercise Commitment with two provers

• Suggest a commitment protocol for two provers
• They agree on a random string before the
  beginning of the protocol
• Verifier/receiver talks to both of them
• They are assumed not to talk to each other during
  the execution of the protocol
• How to enforce?
• Only one of them needs to know the string x to
  which they are committing
• Define the properties of the protocol

29
Everlasting Security

• Advantage of statistical/perfect proofs and
  arguments
• The computational assumptions and limitation on
  the adversary are made only for a fixed time
  period.
• Bounded storage model

30
Significance of public coins protocol

• If there is a trusted source of randomness that
  broadcasts after the initial commitments are made
• Beacon
• For instance sub spots
• Can have a non-interactive protocol
• If there is a publicly available random function
  h
• Only access is via Standard Interface
• Can turn identification protocol into a signature
  protocol
• Coins for challenge derived from message m to be
  signed and first round message. Signature (c1,
  c3) . c2 h(c1,m)
• Fiat-Shamir signatures

P c1 V c2 -random Pc3
31
Common heuristic

• Replace publicly available random function h with
  some concrete and fixed function
• Proof of security goes away
• There are examples of schemes that are secure but
  any instantiation of h makes them insecure

32
Interactive Authentication

• P wants to convince V that he is approving
  message m
• P has a public key KP of an encryption scheme E.
• To authenticate a message m
• V ? P Choose r 2R 0,1n.
• Send cE(m r, KP)
• P ? V Receiving c
• Decrypt c using KS
• Verify that prefix of
  plaintext is m.
• If yes - send r.
• V is satisfied if he receives the same r he choose

33
Is it Safe?

• Definition of security Existential
  unforgeability against adaptive chosen message
  attack
• Adversary can ask to authenticate any sequence of
  messages m1, m2,
• Has to succeed in making V accept a message m not
  authenticated
• Has complete control over the channels
• Intuition of security if E does not leak
  information about plaintext
• Nothing is leaked about r
• Several problems if E is just semantically
  secure against chosen plaintext attacks
• Adversary might change cE(m r, KP) into
  cE(m r, KP)
• Malleability
• not sufficient to verify correct form of
  ciphertext in simulation
• Closer to a chosen ciphertext attack

34
No receipts

• Can the verifier convince third party that the
  prover approved a certain message?

35
Authentication and Non-Repudiation

• Key idea of modern cryptography Diffie-Hellman
  
• can make authentication (signatures) transferable
  to third party - Non-repudiation.
• Essential to contract signing, e-commerce
• Digital Signatures last 25 years major effort in
• Research
• Notions of security
• Computationally efficient constructions
• Technology, Infrastructure (PKI), Commerce, Legal

36
Is non-repudiation always desirable?

• Not necessarily so
• Privacy of conversation, no (verifiable) record.
• Do you want everything you ever said to be held
  against you?
• If Bob pays for the authentication, shouldn't be
  able to transfer it for free
• Perhaps can gain efficiency

Alternative (Plausible) Deniability If the
recipient (or any recipient) could have generated
the conversation himself or an indistinguishable
one
37
Deniable Authentication

• Setting
• Sender has a public key known to receiver
• Want to an authentication scheme such that the
  receiver keeps no receipt of conversation.
• This means
• Any receiver could have generated the
  conversation itself.
• There is a simulator that for any message m and
  verifier V generates an indistinguishable
  conversation.
• Exactly as in Zero-Knowledge!
• An example where zero-knowledge is the ends, not
  the means!
• Proof of security consists of Unforgeability and
  Deniability

38
A Public Key Authentication Protocol

• P has a public key PK of an encryption scheme E.
• To authenticate a message m
• V ? P Choose r ?R 0,1n and random bits
  ?20,1
• Send YE(PK, mr, ?)
• P ? V Verify that prefix of plaintext is
  indeed m.
• If yes - send r.
• V accepts iff the received rr
• Is it Unforgeable? Is it Deniable

39
Security of the scheme

• Unforgeability depends on the strength of E
• Sensitive to malleability
• if given E(PK, mr, ?) can generate E(PK, mr,
  ?) where m is related to m and r is related to
  x then can forge.
• The protocol allows a chosen ciphertext attack on
  E.
• Even of the post-processing kind!
• Can prove that any strategy for existential
  forgery can be translated into a CCA strategy on
  E
• Works even against concurrent executions.
• Deniability does V retain a receipt??
• It does not retain one for an honest V
• Need to prove knowledge of r

We will see encryption schemes satisfying the
desired requirements