Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
Introduction
Proofs of Knowledge
Secret Sharing
Main Result
Extensions, applications, open problems
Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols
Mauricio Quezada
Wednesday, September 7, 2011
Mauricio Quezada Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols
Outline
1 Proofs of Knowledge
2 Secret Sharing schemes
3 Main Result
4 Extensions, applications, open problems
Requirements
A Proof of Knowledge with a few special properties
An Access Structure for n participants
Secret Sharing with the dual of the previous access structure
Proofs of Knowledge
Let $R = \{(x, w)\}$ be a binary relation.
The witness set $w(x)$ is the set of $w'$ such that $(x, w') \in R$.
Let P be a Proof of Knowledge protocol in which there is a common input x (of length k bits) to a prover P and a verifier V, and a private input w to P. The prover tries to convince the verifier that $w \in w(x)$.
Some restrictions
Assume that P is a three-round public-coin protocol.
Conversations will be ordered triples of the form
$m_1, c, m_2$
where c is called the challenge: uniformly random bits chosen by the verifier.
Also, assume that completeness holds with probability 1,
i.e., if indeed $w \in w(x)$, then the verifier always accepts.
Some restrictions
P has the special soundness property:
1 The length of c is such that the number of possible values of c is super-polynomial in k
2 For any prover $P^*$, given two conversations between $P^*$ and V, $(m_1, c, m_2)$ and $(m_1, c', m_2')$, where $c \neq c'$, an element of $w(x)$ can be computed in polynomial time.
Also, P is Honest Verifier Zero Knowledge.
Witness Indistinguishability and Witness Hiding
A protocol is witness indistinguishable (WI) if conversations generated with the same x, but different elements from $w(x)$, have indistinguishable distributions.
Even a cheating verifier can't tell which witness the prover is using.
A protocol is witness hiding (WH) if it does not help even a cheating verifier to compute a witness for x with non-negligible probability when x is generated under a certain distribution.
WI, WH and PoK. Proposition 1
Let P be a three-round public-coin proof of knowledge for a relation R. If P is an honest verifier zero-knowledge proof, then P is witness indistinguishable.
Secret Sharing
A Secret Sharing scheme is a method by which a secret s can be distributed among n participants by giving a share to each one.
The subsets of participants which can reconstruct s are called qualified sets
The collection of qualified sets is called the access structure for the scheme
Monotone access structure property: If A is a qualified set, then any set containing A is also qualified
Access structures
Definition (Dual structures)
Let Γ be an access structure containing subsets of a set M. If $A \subseteq M$, $\bar{A}$ denotes the complement of A in M. Now the dual access structure $\Gamma^*$ is defined as follows:
$A \in \Gamma^*$ iff $\bar{A} \notin \Gamma$
Access structures
The dual $\Gamma^*$ of a monotone access structure is monotone, and satisfies $(\Gamma^*)^* = \Gamma$
Let Γ be monotone. A is qualified in Γ exactly when it has a non-empty intersection with every qualified set in $\Gamma^*$
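
The two facts above can be checked by brute force on small access structures. This is an added example, not part of the original slides; the function names are hypothetical and access structures are represented as Python sets of frozensets. It also shows that the dual of the 1-out-of-2 structure is the 2-out-of-2 structure, the case used by the simplest "OR" proof.

```python
from itertools import combinations

def powerset(M):
    items = sorted(M)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def closure(minimal_sets, M):
    """Monotone access structure generated by its minimal qualified sets."""
    mins = [frozenset(m) for m in minimal_sets]
    return {A for A in powerset(M) if any(m <= A for m in mins)}

def threshold(t, M):
    """t-out-of-n structure: every subset of M with at least t elements."""
    return {A for A in powerset(M) if len(A) >= t}

def dual(gamma, M):
    """A is in the dual iff the complement of A in M is not in gamma."""
    M = frozenset(M)
    return {A for A in powerset(M) if M - A not in gamma}

def is_monotone(gamma, M):
    return all(B in gamma for A in gamma for B in powerset(M) if A <= B)

def hits_every_set(A, gamma_dual):
    """True when A has a non-empty intersection with every set of the dual."""
    return all(A & B for B in gamma_dual)

def check_duality(gamma, M):
    """Check the facts above for one monotone structure; return its dual."""
    d = dual(gamma, M)
    assert is_monotone(d, M)                      # the dual is monotone
    assert dual(d, M) == gamma                    # (gamma*)* = gamma
    assert all((A in gamma) == hits_every_set(A, d) for A in powerset(M))
    return d
```
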
Notations
Let $D(s)$ denote the joint probability distribution of all shares resulting from distributing the secret s.
For a set A of participants, $D_A(s)$ denotes the restriction of D to shares in A.
As a secret sharing scheme $S(k)$ is perfect, $D_A(s)$ is independent of s for any non-qualified set A
It will be denoted $D_A$ whenever A is non-qualified
Requirements
1 All shares in $S(k)$ have length polynomial in k
2 Distribution and reconstruction of a secret can be done in polynomial time
3 Verification can be done in polynomial time in k
4 A set of non-qualified shares can be completed to a full set of shares according to $D(s)$ and consistent with s (guess in how much time)
5 For any non-qualified set A, the probability distribution $D_A$ is such that shares in A are independent and uniformly chosen
Perfect Secret Sharing
A perfect secret sharing scheme satisfying 1 to 4 is called semi-smooth. If 5 is also satisfied, then it is called smooth.
Which protocol would be a good example?
Notations
Let R be a binary relation
Let $\Gamma = \{\Gamma(k)\}$ be a family of access structures on $n(k)$ participants
Let $R_\Gamma$ be a relation defined as follows: $((x_1, \ldots, x_m), (w_1, \ldots, w_m)) \in R_\Gamma$ iff all $x_i$ are of the same length and the set of indices i for which $(x_i, w_i) \in R$ corresponds to a qualified set in $\Gamma(k)$
In a PoK for $R_\Gamma$, the prover proves to know witnesses to a set corresponding to a qualified set in $\Gamma(k)$.
Main Result
Let P be a three-round public-coin honest verifier zero-knowledge proof of knowledge for a relation R with the special soundness property.
Let $\Gamma = \{\Gamma(k)\}$ be a family of monotone access structures and let $\{S(k)\}$ be a family of smooth secret sharing schemes
such that the access structure of $S(k)$ is $\Gamma(k)^*$
Then there exists a three-round public-coin witness indistinguishable proof of knowledge for the relation $R_\Gamma$
Proof
A basic approach in the following is to interpret a challenge as a share (remember that the challenge is the message sent by the verifier)
If c is a challenge, $\mathrm{share}(c)$ will denote the corresponding share.
$A \in \Gamma$ denotes the set of indices for which P knows a witness for $x_i$
The protocol is as follows:
The protocol (1/4)
For each $i \in \bar{A}$, P runs simulator S on input $x_i$ to produce conversations $(m_1^i, c_i, m_2^i)$.
For each $i \in A$, P determines $m_1^i$ as what the prover in P would send as $m_1$ given a witness for input $x_i$.
P then sends the values $m_1^i$, $i = 1, \ldots, n$, to V
The protocol (2/4)
V chooses a t-bit string s at random and sends it to P
Note: t is the length of shares in S(k)
The protocol (3/4)
Consider the set of shares $\{\mathrm{share}(c_i) \mid i \in \bar{A}\}$ that correspond to the $c_i$
As $\bar{A}$ is not qualified in $\Gamma^*$, P can complete these shares to a full set of shares (req. 4)
For A, P now forms challenges $c_i$ for indices $i \in A$, such that $\mathrm{share}(c_i)$ corresponds to the share produced in the completion process.
In step 1, S has produced a final message $m_2^i$ in P for $i \in \bar{A}$
For $i \in A$, P knows a witness for $x_i$, and so can find a valid $m_2^i$ for $m_1^i$ and $c_i$ by running the prover from P
Finally, P sends the set of messages $c_i, m_2^i$, $i = 1, \ldots, n$, to V
The protocol (4/4)
V checks that all conversations $(m_1^i, c_i, m_2^i)$ now produced would lead to acceptance by the verifier of P, and that the shares $\mathrm{share}(c_i)$ are consistent with secret s.
It accepts iff these checks are satisfied
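
The four steps above for the smallest case, n = 2 where the prover knows at least one of two witnesses, as an added example that is not code from the slides or the paper. Assumptions: the basic protocol P is Schnorr identification over a constructed toy group, the smooth scheme for $\Gamma^*$ (2-out-of-2) is XOR sharing with share(c_i) = c_i and c_0 XOR c_1 = s, and all function names are hypothetical.

```python
import secrets

# Constructed toy group (far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4
T = 9  # bit length of challenges/shares; 2**T < Q, so distinct challenges differ mod Q

def keygen():
    w = secrets.randbelow(Q - 1) + 1              # witness w with x = G^w
    return pow(G, w, P), w

def simulate(x):
    """Honest-verifier simulator: choose (c, m2) first, then solve for m1."""
    c, m2 = secrets.randbits(T), secrets.randbelow(Q)
    return pow(G, m2, P) * pow(x, Q - c, P) % P, c, m2

def accepts(x, m1, c, m2):
    """Verifier of the basic protocol: G^m2 == m1 * x^c."""
    return pow(G, m2, P) == m1 * pow(x, c, P) % P

class Prover:
    def __init__(self, xs, known, w):
        self.xs, self.known, self.other, self.w = xs, known, 1 - known, w

    def first_message(self):                      # protocol step 1
        self.sim = simulate(self.xs[self.other])  # index not in A: simulated
        self.r = secrets.randbelow(Q)             # index in A: real commitment
        m1 = [0, 0]
        m1[self.other], m1[self.known] = self.sim[0], pow(G, self.r, P)
        return m1

    def respond(self, s):                         # protocol step 3
        c, m2 = [0, 0], [0, 0]
        c[self.other], m2[self.other] = self.sim[1], self.sim[2]
        c[self.known] = s ^ c[self.other]         # complete the shares to open to s
        m2[self.known] = (self.r + c[self.known] * self.w) % Q
        return c, m2

def verify(xs, m1, s, c, m2):                     # protocol step 4
    shares_ok = all(0 <= ci < 2 ** T for ci in c) and c[0] ^ c[1] == s
    return shares_ok and all(accepts(xs[i], m1[i], c[i], m2[i]) for i in (0, 1))

def extract(c, m2, c2, m2b):
    """Special soundness: two answers to one m1 with c != c2 give the witness."""
    return (m2 - m2b) * pow((c - c2) % Q, Q - 2, Q) % Q
```

Answering two different values of s for the same first message changes only the challenge at the index the prover really knows, which is where `extract` recovers the witness.
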
Properties
Completeness: trivial
Soundness: Assume that some prover $P^*$, for a given first message $\{m_1^i \mid i = 1, \ldots, n\}$, can answer correctly a non-negligible fraction of possible choices of s
As there are $2^t$ possible values of s, any polynomial fraction contains at least 2 values of s. Call them $s, s'$
For any qualified set B in $\Gamma^*$, there must be an $i \in B$ such that $\mathrm{share}(c_i) \neq \mathrm{share}(c_i')$
Then we could compute a witness for $x_i$ (by the special soundness property)
So $P^*$ knows a witness in every qualified set of $\Gamma^*$
Properties
Witness Indistinguishability: The distribution of the conversation is independent of which qualified set $A \in \Gamma$ the prover uses.
The distribution of each $m_1^i$ depends only on $x_i$, and is the same as that of the prover of P (using that P is HVZK)
Hence the verifier's choice of s is independent of A
As $\{\mathrm{share}(c_i)\}$ is constructed by completing a set of shares in a non-qualified set, the joint distribution is simply $D(s)$.
Then the joint distribution of the $c_i$'s is independent of A
Finally, the first proposition implies that the distribution of $m_2^i$ depends only on $x_i$, $m_1^i$ and $c_i$, and is therefore independent of A.
Extensions
The three-round protocol can be generalized
Other types of PoK, like special honest verifier zero-knowledge with a semi-smooth SS protocol
Using invulnerable generators for a relation R leads to designing protocols satisfying WI
Then, using this technique, we could turn a PoK protocol into a WI protocol
Applications (the typical example)
Suppose we have n executives of a company, with public and private keys $(x_i, w_i)$
Certain groups of them can do specific actions: taking decisions on behalf of the company, etc.
We want them to perform those actions as a qualified group, without revealing anything else about their identities
This makes good sense if they are to assume responsibility on behalf of the company, rather than personally
Open problems
Does the main theorem hold for the ordinary soundness property in P?
Can it be generalized to other types of protocols than public-coin protocols?
References
1 Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. Ronald Cramer, Ivan Damgård, Berry Schoenmakers. CRYPTO '94.