Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Presentation for CC5301 - Fundamentos de Criptografía exam. Based on the paper of the same name. DCC, Universidad de Chile. 2011.

Transcript of Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Page 1: Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Introduction
Proofs of Knowledge
Secret Sharing
Main Result
Extensions, applications, open problems

Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Mauricio Quezada

Wednesday, September 7, 2011

Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Outline

1 Proofs of Knowledge
2 Secret Sharing schemes
3 Main Result
4 Extensions, applications, open problems

Requirements

- A Proof of Knowledge with a few special properties
- An Access Structure for $n$ participants
- Secret Sharing with the dual of the previous access structure

Proofs of Knowledge

- Let $R = \{(x, w)\}$ be a binary relation
- The witness set $w(x)$ is the set of $w'$ such that $(x, w') \in R$
- Let $\mathcal{P}$ be a Proof of Knowledge protocol, in which there is a common input $x$ (of length $k$ bits) to a prover $P$ and a verifier $V$, and a private input $w$ to $P$. The prover tries to convince the verifier that $w \in w(x)$.

Some restrictions

Assume that $\mathcal{P}$ is a three round public coin protocol

Conversations will be ordered triples of the form

$$(m_1, c, m_2)$$

where $c$ is called the challenge: uniformly random bits chosen by the verifier

Also, assume that completeness holds with probability 1

I.e., if indeed $w \in w(x)$, then the verifier always accepts

Some restrictions

$\mathcal{P}$ has the special soundness property:

1 The length of $c$ is such that the number of possible values of $c$ is super-polynomial in $k$
2 For any prover $P^*$, given two conversations between $P^*$ and $V$, $(m_1, c, m_2)$ and $(m_1, c', m_2')$, where $c \neq c'$, an element of $w(x)$ can be computed in polynomial time.

Also, $\mathcal{P}$ is Honest Verifier Zero Knowledge
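
Special soundness made concrete, as an added example that is not from the slides: Schnorr's identification protocol is assumed as the protocol P (the slides keep it abstract), over a toy group constructed here, and the function names are hypothetical. Two accepting conversations that share m1 but differ in c give up the witness, which is why a prover must never reuse its first-message randomness.

```python
import secrets

# Toy Schnorr group constructed for illustration: p = 2q + 1, g of order q.
# (Assumption of this example; far too small for real use.)
P, Q, G = 2039, 1019, 4

def first_message():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                  # m1 = g^r, r stays with the prover

def answer(w, r, c):
    return (r + c * w) % Q                  # m2 = r + c*w mod q

def accepts(x, m1, c, m2):
    return pow(G, m2, P) == m1 * pow(x, c, P) % P   # g^m2 == m1 * x^c

def extract_witness(conv_a, conv_b):
    """Special soundness: from (m1, c, m2) and (m1, c', m2') with c != c',
    compute w = (m2 - m2') / (c - c') mod q."""
    (m1, c, m2), (m1_b, c_b, m2_b) = conv_a, conv_b
    if m1 != m1_b or (c - c_b) % Q == 0:
        raise ValueError("need the same m1 and two different challenges")
    return (m2 - m2_b) * pow((c - c_b) % Q, -1, Q) % Q
```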

Witness Indistinguishability and Witness Hiding

- A protocol is witness indistinguishable (WI) if conversations generated with same $x$, but different elements from $w(x)$ have indistinguishable distributions
- Even a cheating verifier can't tell which witness the prover is using
- A protocol is witness hiding (WH), if it does not help even a cheating verifier to compute a witness for $x$ with non-negligible probability when $x$ is generated under a certain distribution

WI, WH and PoK. Proposition 1

Let $\mathcal{P}$ be a three round public coin proof of knowledge for a relation $R$. If $\mathcal{P}$ is an honest verifier zero-knowledge proof, then $\mathcal{P}$ is witness indistinguishable

Secret Sharing

A Secret Sharing scheme is a method by which a secret $s$ can be distributed among $n$ participants by giving a share to each one.

- The subsets of participants which can reconstruct $s$ are called qualified sets
- The collection of qualified sets is called the access structure for the scheme
- Monotone access structure property: If $A$ is a qualified set, then any set containing $A$ is also qualified

Access structures

Definition (Dual structures)

Let $\Gamma$ be an access structure containing subsets of a set $M$. If $A \subseteq M$, $\bar{A}$ denotes the complement of $A$ in $M$. Now the dual access structure, $\Gamma^*$, is defined as follows:

$$A \in \Gamma^* \iff \bar{A} \notin \Gamma$$

Access structures

- The dual $\Gamma^*$ of a monotone access structure is monotone, and satisfies $(\Gamma^*)^* = \Gamma$
- Let $\Gamma$ be monotone. $A$ is qualified in $\Gamma$ exactly when it has a non-empty intersection with every qualified set in $\Gamma^*$

Notations

- Let $D(s)$ denote the joint probability distribution of all shares resulting from distributing the secret $s$.
- For a set $A$ of participants, $D_A(s)$ denotes the restriction of $D$ to shares in $A$.
- As a secret sharing scheme $S(k)$ is perfect, $D_A(s)$ is independent from $s$ for any non-qualified set $A$
- It will be denoted $D_A$ whenever $A$ is non-qualified

Requirements

1 All shares in $S(k)$ have length polynomial in $k$
2 Distribution, reconstruction of a secret can be done in polynomial time
3 Verification can be done in polynomial time in $k$
4 A set of non-qualified shares can be completed to a full set of shares according to $D(s)$ and consistent to $s$ (guess in how much time)
5 For any non-qualified set $A$, the probability distribution $D_A$ is such that shares in $A$ are independent and uniformly chosen

Perfect Secret Sharing

A perfect secret sharing scheme satisfying 1 to 4 is called semi-smooth. If 5 is also satisfied, then it is called smooth.

Which protocol would be a good example?

Notations

- Let $R$ be a binary relation
- Let $\Gamma = \{\Gamma(k)\}$ be a family of access structures on $n(k)$ participants
- Let $R_\Gamma$ be a relation defined as follows: $((x_1, \ldots, x_m), (w_1, \ldots, w_m)) \in R_\Gamma$ iff all $x_i$ are of the same length and the set of indices $i$ for which $(x_i, w_i) \in R$ corresponds to a qualified set in $\Gamma(k)$
- In a PoK for $R_\Gamma$, the prover proves to know witnesses to a set corresponding to a qualified set in $\Gamma(k)$.

Main Result

- Let $\mathcal{P}$ be a three round public coin honest verifier zero-knowledge proof of knowledge for a relation $R$ with the special soundness property.
- Let $\Gamma = \{\Gamma(k)\}$ be a family of monotone access structures and let $\{S(k)\}$ be a family of smooth secret sharing schemes such that the access structure of $S(k)$ is $\Gamma(k)^*$
- Then there exists a three round public coin witness indistinguishable proof of knowledge for relation $R_\Gamma$

Proof

- A basic approach in the following is to interpret a challenge as a share (remember that the challenge is the message sent by the verifier)
- If $c$ is a challenge, $\mathrm{share}(c)$ will denote the corresponding share.
- $A \in \Gamma$ denotes the set of indices for which $P$ knows a witness for $x_i$

The protocol is as follows:

The protocol (1/4)

- For each $i \in \bar{A}$, $P$ runs simulator $S$ on input $x_i$ to produce conversations $(m_1^i, c_i, m_2^i)$.
- For each $i \in A$, $P$ determines $m_1^i$ as what the prover in $\mathcal{P}$ would send as $m_1$ given a witness for input $x_i$.
- $P$ then sends the values $m_1^i$, $i = 1, \ldots, n$ to $V$

The protocol (2/4)

V chooses a t-bit string s at random and sends it to P

Note: t is the length of shares in S(k)

The protocol (3/4)

- Consider the set of shares $\{\mathrm{share}(c_i) \mid i \in \bar{A}\}$ that correspond to the $c_i$
- As $\bar{A}$ is not qualified in $\Gamma^*$, $P$ can complete these shares to a full set of shares (req. 4)
- For $A$, $P$ now forms challenges $c_i$ for indices $i \in A$, such that $\mathrm{share}(c_i)$ corresponds to the share produced in the completion process.
- In step 1, $S$ has produced a final message $m_2^i$ in $\mathcal{P}$ for $i \in \bar{A}$
- For $i \in A$, $P$ knows a witness for $x_i$, so it can find a valid $m_2^i$ for $m_1^i$ and $c_i$ by running the prover from $\mathcal{P}$
- Finally, $P$ sends the set of messages $c_i, m_2^i$, $i = 1, \ldots, n$ to $V$

The protocol (4/4)

- $V$ checks that all conversations $(m_1^i, c_i, m_2^i)$ now produced would lead to acceptance by the verifier of $\mathcal{P}$, and shares $\mathrm{share}(c_i)$ are consistent with secret $s$.
- It accepts iff these checks are satisfied
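
The four steps above, run end to end for a threshold structure. This is an added example, not code from the slides or the paper: it assumes Schnorr's protocol as P over a toy group, takes Γ to be "at least t of the n statements", and uses Shamir's scheme with threshold n - t + 1 as the sharing scheme for the dual Γ∗. Function names are hypothetical; statements are indexed 1..n.

```python
import secrets

# Toy Schnorr group constructed for illustration (p = 2q + 1, g of order q).
P, Q, G = 2039, 1019, 4

def verify(x, m1, c, m2):                 # verifier of P: g^m2 == m1 * x^c
    return pow(G, m2, P) == m1 * pow(x, c, P) % P

def simulate(x):                          # HVZK simulator S, needs no witness
    c, m2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, m2, P) * pow(x, -c, P) % P, c, m2

def interpolate(points, at):              # Lagrange interpolation over Z_q
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (at - xj) % Q, den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def prover_round1(xs, witnesses, t):      # step 1; witnesses = {i: w_i}, i in A
    known = dict(sorted(witnesses.items())[:t])   # t real proofs are enough
    r, sim, m1 = {}, {}, {}
    for i, x in xs.items():
        if i in known:                    # i in A: honest first message g^r
            r[i] = secrets.randbelow(Q)
            m1[i] = pow(G, r[i], P)
        else:                             # i in the complement: simulate
            m1[i], c, m2 = simulate(x)
            sim[i] = (c, m2)
    return m1, (known, r, sim)

def prover_round3(state, s):              # step 3
    known, r, sim = state
    # Simulated challenges are shares; with (0, s) they fix a degree n-t polynomial.
    pts = [(0, s)] + [(i, c) for i, (c, _) in sim.items()]
    resp = dict(sim)
    for i in known:
        c = interpolate(pts, i)           # completed share becomes challenge c_i
        resp[i] = (c, (r[i] + c * known[i]) % Q)
    return resp

def verifier_check(xs, m1, s, resp, t):   # step 4
    n = len(xs)
    base = [(0, s)] + [(i, resp[i][0]) for i in range(1, n - t + 1)]
    shares_ok = all(interpolate(base, i) == resp[i][0] for i in range(n - t + 1, n + 1))
    return shares_ok and all(verify(xs[i], m1[i], *resp[i]) for i in xs)
```

The response reveals n challenges and n answers but not which t of them came from real witnesses; a prover holding fewer than t witnesses has more than n - t simulated challenges already fixed before seeing s, and those will not lie on a degree n - t polynomial through (0, s) except by chance.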

Properties

- Completeness: trivial
- Soundness: Assume that some prover $P^*$ for a given first message $\{m_1^i \mid i = 1, \ldots, n\}$ can answer correctly a non-negligible fraction of possible choices of $s$
- As there are $2^t$ possible values of $s$, any polynomial fraction contains at least 2 values of $s$. Call them $s, s'$
- For any qualified set $B$ in $\Gamma^*$, there must be an $i \in B$, such that $\mathrm{share}(c_i) \neq \mathrm{share}(c_i')$
- Then we could compute a witness for $x_i$ (by special soundness property)
- So $P^*$ knows a witness in every qualified set of $\Gamma^*$

Properties

- Witness Indistinguishability: The distribution of the conversation is independent of which qualified set $A \in \Gamma$ the prover uses.
- The distribution of each $m_1^i$ depends only on $x_i$, and is the same as that of the prover of $\mathcal{P}$ (using that $\mathcal{P}$ is HVZK)
- Hence the verifier's choice of $s$ is independent of $A$
- As $\{\mathrm{share}(c_i)\}$ is constructed by completing a set of shares in a non-qualified set, the joint distribution is simply $D(s)$.
- Then the joint distribution of the $c_i$'s is independent of $A$
- Finally, the first proposition implies that the distribution of $m_2^i$ depends only on $x_i$, $m_1^i$ and $c_i$ and is therefore independent of $A$.

Extensions

- The three-round protocol can be generalized
- Other types of PoK, like special honest verifier zero-knowledge with a semi-smooth SS protocol
- Using invulnerable generators for a relation $R$ leads to designing protocols satisfying WI
- Then, using this technique we could turn a PoK protocol into a WI protocol

Applications (the typical example)

- Suppose we have $n$ executives of a company, with public and private key $(x_i, w_i)$
- Certain groups of them can do specific actions: taking decisions on behalf of the company, etc.
- We want to let them perform those actions as a qualified group, without revealing anything else about their identities
- This makes good sense if they are to assume responsibility on behalf of the company, rather than personally

Open problems

- Does the main theorem hold for the ordinary soundness property in $\mathcal{P}$?
- Can it be generalized to other types of protocols than public coin protocols?

References

1 Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. Ronald Cramer, Ivan Damgård, Berry Schoenmakers. CRYPTO '94.
