Lecturer: Moni Naor
Foundations of Cryptography
Lecture 12: Commitment and Zero-Knowledge
(Transcript of lecture slides, posted 20-Dec-2015)
Recap of last week's lecture
• Notion of security: equivalence of semantic security and indistinguishability of encryptions in the shared-key and public-key cases
• Properties of semantically secure cryptosystems
• Constructions of semantically secure cryptosystems
– Trapdoors
– Factoring (Blum-Goldwasser)
– Decisional Diffie-Hellman
– Shared key: pseudo-random functions
The world so far
[Diagram of the primitives built so far and the relations between them: P ≠ NP; One-way functions; Pseudo-random generators; Pseudo-random functions; Pseudo-random permutations; Shared-key encryption (CPA) and authentication; UOWHFs; Signature schemes; Two-guards identification; Trapdoor permutations; Public-key encryption (CPA); Factoring is hard (BG permutations).]
What's next
• Further notions of security
– Non-malleability
– Chosen ciphertext attacks
• Protocols:
– Zero-knowledge proof systems
– Secure function evaluation
Commitments
• Define
• Construct
• Applications:
– Coin-flipping
– Zero-Knowledge
String Commitment Protocols
• Sender: Input X ∈ {0,1}^n
Receiver: no explicit input
• Two Phases
– Commit
– Reveal
• At the end of the protocol: Receiver obtains X and decides valid or not
Commitment Schemes
– Hiding: A computationally bounded receiver learns nothing about X.
– Binding: s can only be “opened” to the value X.
[Diagram: Commit phase: Sender (holding X) interacts with Receiver, who ends up with the commitment s. Reveal phase: Sender sends the opening v and X; Receiver runs the Reveal Verification Algorithm on (s, v, X) and outputs yes/no.]
Following Commit Phase
• Receiver should not have gained any information about X
– Information theoretic?
– Computationally?
• Sender should be bound to X
– No two different and valid openings exist
– It is computationally infeasible to find two different valid openings
Both worlds?
Cannot have the best of both worlds:
• Information theoretic secrecy following commit
– Distribution of conversation independent of X
• Perfect binding
– No two different and valid openings exist whp
Security Parameter
Want
• A family of protocols
• Indexed by a security parameter
Relationship between security parameter and size of hard problem
Definition: Computational Secrecy
• Indistinguishability of committed strings: Adversary A chooses X_0, X_1 ∈ {0,1}^n, receives the commit phase to X_b for b ∈_R {0,1}, and has to decide whether b = 0 or b = 1.
For any pptm A and for all X_0, X_1 ∈ {0,1}^n:
|Pr[A outputs '1' | b = 0] − Pr[A outputs '1' | b = 1]|
is negligible
…Computational Secrecy
• Equivalent to semantic security of committed strings:
Whatever Adversary A can compute on the committed string X ∈ {0,1}^n, so can an A' that does not participate in the commit phase
A selects:
• A distribution D_n on {0,1}^n
• A relation R(X, Y), computable by a ppt
…Semantic Security
∀ pptm A ∀ R ∃ A' such that for X ∈_R D_n:
|Pr[R(X, A(commit))] − Pr[R(X, A'())]|
is negligible.
Definition: Perfect Binding
• For all Adversaries A controlling the Sender, following the commit phase
• With high probability over the random choices of the Receiver
there are no two different and valid openings to X and X'
Protocol
Show a string commitment protocol with
• Indistinguishability of committed strings
• Perfect Binding
Idea
Hide the value X in a linear function: P·X + B
• Who chooses/knows P and B?
– If the sender: no binding
– If the receiver: no hiding
• Compromise:
– Receiver chooses P
– Sender chooses B. But B has to be of a special form.
Tool: Pseudo-Random Sequence Generator
G_{4n}: {0,1}^n → {0,1}^{4n}
A cryptographically strong pseudo-random sequence generator
The Protocol - Commit
• Receiver: chooses P ∈_R {0,1}^{4n}
• Sender: Input X ∈ {0,1}^n. Chooses S ∈_R {0,1}^n
Computes and sends Y = X·P + G_{4n}(S)
Computation is done in GF[2^{4n}]
The Protocol - Reveal
• Sender: sends S ∈ {0,1}^n
• Receiver: computes
X = (Y − G_{4n}(S))·P^{-1}
Computation is done in GF[2^{4n}]
Binding
Claim: the probability of a Sender being able to open equivocally is at most 2^{-n}
Sender can cheat given P iff ∃ S_1, S_2, X_1, X_2 ∈ {0,1}^n with X_1 ≠ X_2 s.t.
Y = X_1·P + G_{4n}(S_1) = X_2·P + G_{4n}(S_2)
i.e. P·(X_1 − X_2) = G_{4n}(S_2) − G_{4n}(S_1)
…Binding
There are 2^{3n} − 1 possibilities for S_1, S_2 and X_1 − X_2.
Probability that P validates such a triple is 2^{-4n}
Probability that P validates any triple is at most 2^{-n}
There exists a universal P. We don't know how to find it, so the Receiver chooses at random.
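The commit/reveal protocol and the binding count above, as an added example written for this page (not the lecture's own code): the scheme in GF(2^{4n}) with toy n = 2, a hash-based stand-in for G_{4n} (an assumption, not a proven PRG), and an exhaustive count of the values of P that admit any equivocal opening, which the slide's union bound caps at a 2^{-n} fraction.

```python
import hashlib

N = 2                 # committed string length n (toy size)
K = 4 * N             # field GF(2^(4n)) = GF(2^8) for n = 2
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiplication in GF(2^8); addition and subtraction are XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K:
            a ^= POLY
    return r

def gf_inv(a):
    """Brute-force inverse (the field is tiny); a must be nonzero."""
    return next(x for x in range(1, 1 << K) if gf_mul(a, x) == 1)

def G(seed):
    """Stand-in for G_4n: {0,1}^n -> {0,1}^4n (hash based, NOT a proven PRG)."""
    return hashlib.sha256(b"G4n-toy" + bytes([seed])).digest()[0]

def commit(x, p, s):
    """Commit phase, Sender: Y = X*P + G_4n(S) in GF(2^4n); P was chosen uniformly by the Receiver."""
    return gf_mul(x, p) ^ G(s)

def open_commitment(y, p, s):
    """Reveal phase, Receiver: X = (Y - G_4n(S)) * P^-1 (None if P = 0, the 2^-4n bad case)."""
    return None if p == 0 else gf_mul(y ^ G(s), gf_inv(p))

def verify(y, p, s, x):
    """Reveal verification algorithm: does the opening (S, X) match the commitment (Y, P)?"""
    return commit(x, p, s) == y

def equivocations(p):
    """Number of (S1, S2, X1 != X2) with X1*P + G(S1) == X2*P + G(S2) for this P."""
    return sum(1 for s1 in range(1 << N) for s2 in range(1 << N)
               for x1 in range(1 << N) for x2 in range(1 << N)
               if x1 != x2 and commit(x1, p, s1) == commit(x2, p, s2))

def fraction_of_equivocable_p():
    """Exhaustive check of the slide's union bound: at most a 2^-n fraction of all P."""
    return sum(1 for p in range(1 << K) if equivocations(p) > 0) / (1 << K)
```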
Cryptographic Reductions
Show how to use an adversary for breaking primitive 1 in order to break primitive 2
Important:
• Run time: how does T_1 relate to T_2
• Probability of success: how does ε_1 relate to ε_2
• Access to the system: 1 vs. 2
Secrecy
Suppose Adversary A controlling the Receiver can distinguish whether (Y, P) corresponds to X_0 or X_1:
|Pr[A(Y,P) = '1' | X_0] − Pr[A(Y,P) = '1' | X_1]| ≥ ε
Probability is over the random choice of S and the random coins of A.
…Secrecy
Can use A to distinguish whether a given string Z is G_{4n}(S) or random:
Given P, send Receiver Y = X_1·P + Z
If Z is random so is Y!
Let p1 = Pr[A(Y,P) = '1' | X_0]
p2 = Pr[A(Y,P) = '1' | X_1]
p3 = Pr[A(Y,P) = '1' | Z is random]
…Secrecy
• By assumption |p1 − p2| ≥ ε
Either |p1 − p3| ≥ ε/2 or |p2 − p3| ≥ ε/2
• In either case can construct a distinguisher for Z
– If |p1 − p3| ≥ ε/2 give Receiver Y = X_0·P + Z
– If |p2 − p3| ≥ ε/2 give Receiver Y = X_1·P + Z
– Provide as the answer A(Y, P)
[Diagram: the distinguisher A' runs A as a subroutine]
• Given input Z, want to decide whether Z = G(S) or not
• Run A to get {X_0, X_1} and get P
• Choose b ∈_R {0,1} and compute Y = P·X_b + Z; give (Y, P) to A and receive b'
• If b' = b output "pseudo-random"
An existential clump
One-way functions ⇒ Pseudo-random generators ⇒ String commitment protocol
Also: String commitment ⇒ one-way function
Applications
• Coin Flipping
• Auctions
• Zero Knowledge
Coin Flipping
Two parties want to agree on a random value R ∈ {0,1}
• Should be random even if one party cheats
• Potential Problem: one party knows the value before the other. Early Stopping.
…Coin Flipping Specification
Result of the protocol could be 0, 1, ⊥
• For every PPTM Adversary controlling A (B) and b ∈ {0,1}:
|Pr[result of protocol is b] − 1/2|
is negligible in the security parameter
Coin Flipping Protocol
• A selects r_A ∈_R {0,1}; commits to r_A
• B sends bit r_B ∈_R {0,1}
• Coin is r_A ⊕ r_B
If A doesn't open, the result is ⊥. If A's opening is invalid, the result is ⊥.
Coin flipping security
• For all PPTM adversaries controlling A, b ∈ {0,1}:
|Pr[result of protocol is b] − 1/2| ≤ 2^{-n}
• For all PPTM adversaries controlling B, b ∈ {0,1}:
|Pr[result of protocol is b] − 1/2| ≤ ε
where ε is the advantage of distinguishing a commitment to 0 from a commitment to 1 in the commitment protocol
Dealing with early stopping
Suppose ⊥ is not acceptable. To limit the influence of one party:
• Gradual release of the result
– Commit to many bits
– Release one by one
– Take the majority of the bits, substituting random values for early-stopping values
• However: for r rounds one party can influence the result by 1/r
Definition: Computational Binding
• For all PPTM Adversaries A controlling the Sender, following the commit phase
• With high probability over the random choices of the Receiver
the Sender cannot find two different and valid openings to X and X'
Possible advantage: perfect or statistical hiding
Proof systems
L = { (X, 1^k) : X is a true mathematical assertion with a proof of length k }
• What is a "proof"?
Complexity theoretic insight: meaningless unless it can be efficiently verified
Proof systems
For a language L, the goal is to prove x ∈ L
A proof system for L is defined by a verification algorithm V:
– completeness: x ∈ L ⇒ ∃ proof, V accepts (x, proof)
true assertions have proofs
– soundness: x ∉ L ⇒ ∀ proof*, V rejects (x, proof*)
false assertions have no proofs
– efficiency: ∀ x, proof, the machine running V(x, proof) is efficient:
• runs in polynomial time in |x|
• ?
Classical Proofs
• Recall: L ∈ NP iff expressible as L = { x | ∃ y, |y| < |x|^k, (x, y) ∈ R_L } and R_L ∈ P.
• NP is the set of languages with classical proof systems (R_L is the verifier)
We wish to extend the notion.
Interactive Proofs
• Two new ingredients:
– Randomness: verifier tosses coins
• Should err with some small probability
– Interaction: rather than simply "reading" the proof, the verifier interacts with the prover
• Is the prover another TM?
• Framework captures the classical NP proof systems:
– prover sends proof
– verifier runs the algorithm for R_L
No use of randomness
Interactive Proofs
An interactive proof system for L is an interactive protocol (P, V)
[Diagram: Prover and Verifier exchange a sequence of messages on common input x; the Verifier has a random tape and ends with accept/reject. # rounds and length of messages is poly(|x|).]
New resources:
• # of rounds
• Length of messages
New issue: who knows the random tape
Interactive Proofs
Definition: an interactive proof system for L is an interactive protocol (P, V)
– completeness: ∀ x ∈ L: Pr[V accepts in an execution of (P, V)(x)] ≥ 2/3
– soundness: ∀ x ∉ L, ∀ P*: Pr[V accepts in an execution of (P*, V)(x)] ≤ 1/3
– efficiency: V is a PPT machine
• Can we reduce the error to any ε?
Perfect Completeness: V accepts with probability 1
Error Reduction
• If we execute the protocol sequentially ℓ times, let I_j = 1 if the jth run is correct and 0 otherwise. The I_j's are not necessarily independent of each other but, since we can tolerate any prover*,
Pr[I_j = 1 | any execution history] ≥ 2/3
If we compare to ℓ independent coins with probability 2/3, where we take the majority of the answers: for any prover* the interactive proof stochastically dominates
• Can argue the same for ℓ parallel executions. Number of rounds is preserved
Interactive Proofs
IP = {L : L has an interactive proof system}
– Captures more broadly what it means to be convinced a statement is true
• But no certificate to store for future generations!
– Clearly NP ⊆ IP. Potentially larger. How much larger?
– IP with perfect soundness and completeness is NP
• To go beyond NP, randomness is essential
• Perfect soundness in itself implies NP power
– IP = PSPACE
Interactive Proof Systems relevant to crypto
• Let L ⊆ {0,1}* be a language
• The Prover P wants to convince the other party, Verifier V, that X ∈ L
• In our case: both parties are PPTM;
– exchange messages and flip coins
• Prover P may have some extra information W
• At the end of the protocol Verifier V's state ∈ {accept, reject}
• For a given W the interaction between V and P induces a distribution on the transcripts
Witness Protection Programs
A witness indistinguishable proof system for X ∈ L
• Completeness: if prover P has witness W, it can construct an effective proof that makes verifier V accept.
• Soundness: if X ∉ L, no prover P* can succeed with high probability in making verifier V accept.
• Witness Indistinguishability: for every V* and any witnesses W_1 and W_2: the distributions on transcripts are computationally indistinguishable.
– No polynomial-time test can distinguish the two
Example: Hamiltonicity
• Common input: graph G=(V,E)
• L is the language of graphs with Hamiltonian cycles
G=(V,E) ∈ L if and only if there is a cycle C=(i_1, i_2, …, i_n) covering all nodes of V once with (i_j, i_{j+1}) ∈ E
• Witness W: a Hamiltonian cycle C=(i_1, i_2, …, i_n)
• Protocol:
– Prover P selects a random permutation π of the nodes and commits to the adjacency matrix of π(G)=(π(V), π(E))
• for each entry separately
– Verifier V selects and sends a bit r ∈_R {0,1}
– Prover P: If r=0 then P opens all the commitments and sends π. If r=1 then P opens only the commitments corresponding to C
• entries (π(i_j), π(i_{j+1}))
– Verifier V accepts if: r=0 and the committed graph is isomorphic to G; r=1 and all opened slots are '1'
Analysis of Protocol
• Completeness: perfect √
• Soundness: if there is no cycle in G=(V,E), then
– from the binding property of the commitment scheme, following the commitment there is a unique graph G'
either P*
– Commits to a graph G' non-isomorphic to G
• Verifier V rejects if r=0
– Commits to a graph G' isomorphic to G
• Verifier V rejects if r=1
Probability V accepts is bounded by ½
• Can reduce the error by repetition
– Sequential
– Parallel
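The Hamiltonicity protocol and its soundness analysis above, as an added example written for this page (not the lecture's code): one round on a small graph, with a hash-based bit commitment as a stand-in for the lecture's scheme (an assumption), both challenges, and a verifier that, for r=1, also checks that the opened slots form a single cycle through all n nodes, which the slide's "all opened slots are '1'" leaves implicit.

```python
import hashlib, random, secrets

def commit_bit(b):
    """Stand-in bit commitment (hash of bit and nonce), not the lecture's PRG scheme."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(bytes([b]) + nonce).digest(), (b, nonce)

def check_open(c, opening):
    return c is not None and hashlib.sha256(bytes([opening[0]]) + opening[1]).digest() == c

def prover_commit(adj, cycle):
    """Step 1: random permutation pi, then a separate commitment to every entry of pi(G)."""
    n = len(adj)
    pi = random.sample(range(n), n)
    cm = {(pi[i], pi[j]): commit_bit(adj[i][j]) for i in range(n) for j in range(n)}
    return {ij: c for ij, (c, _) in cm.items()}, (pi, {ij: o for ij, (_, o) in cm.items()}, cycle)

def prover_respond(state, r):
    """Step 3: r=0 -> send pi and open everything; r=1 -> open only slots (pi(i_j), pi(i_{j+1}))."""
    pi, openings, cycle = state
    if r == 0:
        return pi, openings
    n = len(pi)
    edges = [(pi[cycle[k]], pi[cycle[(k + 1) % n]]) for k in range(n)]
    return None, {e: openings[e] for e in edges}

def verifier_check(adj, commitments, r, pi, opened):
    """Step 4. r=0: opened graph must equal pi(G). r=1: every opened slot is '1' and
    (a check the slide leaves implicit) the opened slots form one cycle through all n nodes."""
    n = len(adj)
    if not all(check_open(commitments.get(e), o) for e, o in opened.items()):
        return False
    if r == 0:
        return sorted(pi) == list(range(n)) and all(
            opened.get((pi[i], pi[j]), (None,))[0] == adj[i][j] for i in range(n) for j in range(n))
    succ = {i: j for (i, j) in opened}
    if len(opened) != n or set(succ.values()) != set(range(n)) or any(o[0] != 1 for o in opened.values()):
        return False
    v, seen = 0, set()
    for _ in range(n):
        seen.add(v)
        v = succ[v]
    return v == 0 and len(seen) == n

def run_round(adj, cycle, r):
    """One round of (P, V); a cheating prover passes a random r with probability at most 1/2."""
    commitments, state = prover_commit(adj, cycle)
    pi, opened = prover_respond(state, r)
    return verifier_check(adj, commitments, r, pi, opened)
```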
Obtaining Witness Indistinguishability
• Key property: the distribution of the values opened in Step 3 is an efficiently computable function of
– the graph and
– the challenge the verifier V sent in Step 2
for example: it could be a random permutation of 1..n
Witness Indistinguishability
Let G=(V,E), with two Hamiltonian cycles C_1 and C_2
• If there is a verifier V* that can distinguish between the case C_1 and C_2 are used,
– then can use V* to distinguish between commitments to π_1(G) and to π_2(G) for some permutations π_1 and π_2
• Witness Indistinguishability remains so under parallel execution
– Hybrid argument
• But what if there is a unique witness?
Zero Knowledge
• Each (cheating) verifier V* induces a distribution on transcripts of the interaction with P
• Zero-Knowledge Requirement: for all verifiers V* there exists a simulator S such that:
– simulator S is a pptm (does not get witness W)
– for all X ∈ L the distributions on transcripts that V* induces and that S produces are computationally indistinguishable.
Role of the simulator is similar to the alternative adversary in semantic security
Simulation
Zero-Knowledge:
• Simulator S plays P's role in the interaction with V*
• guess r' ∈_R {0,1}
– If r'=0: selects a random permutation π of the nodes and commits to the adjacency matrix of π(G)=(π(V), π(E))
– If r'=1: selects a random cycle C and commits to the adjacency matrix of C (the rest of the edge slots are 0)
• Receive r ∈ {0,1} from V*
– If r'=r proceed as planned
– Otherwise rewind V* and start from scratch
Claim: Simulator stops in an expected constant number of trials. Proof: if not, can use V* to distinguish between a commitment to G and to C
Claim: Distributions of (S, V*) and (P, V*) are indistinguishable. Proof: if not, can distinguish between a commitment to G and to C
Theorem: if one-way functions exist, then for any language L in NP there exists a Zero-Knowledge Proof System for L.
Via reduction to Hamiltonicity; witnesses mapped to witnesses
Motivation for Zero-knowledge
• Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious
• Need a further property: proof of knowledge
– Possible to extract the witness from a successful prover
Question: zero-knowledge protocol for subset sum
• Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
• Subset sum problem: given
– n numbers 0 ≤ a_1, a_2, …, a_n < 2^m
– Target sum T
– Is there a subset S ⊆ {1,...,n} such that
∑_{i ∈ S} a_i = T mod 2^m
What happens if…
• There is extra information about X:
– Both A and A' get h(X) for some polynomial-time computable function h
– h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key
Further Issues
• What about errors in decryption?
• Is this the ultimate definition?
– Does it capture all the ways in which encryption is used?
Example: Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P)
• P → V: On receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose
Is it Safe?
• Definition of security: Existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence of messages m_1, m_2, …
– Has to succeed in making V accept a message m not authenticated
– Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• Several problems: if E is "just" semantically secure against chosen plaintext attacks:
– Adversary might change c=E(m ∘ r, K_P) into c'=E(m' ∘ r, K_P)
• Malleability: not sufficient to verify the correct form of the ciphertext in the simulation
• Closer to a chosen ciphertext attack
Sources
• Goldreich’s Foundations of Cryptography, volume 1