1 / 34

Sigma Protocols and (Non-Interactive) Zero Knowledge

Sigma Protocols and (Non-Interactive) Zero Knowledge. What is zero-knowledge?. Zero-knowledge proof : “ a method by which one party […] can prove to another party […] that a […] statement is true, without conveying any [further] information ” Wikipedia, en.wikipedia.org.

rmclaughlin
Download Presentation

Sigma Protocols and (Non-Interactive) Zero Knowledge

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sigma Protocols and (Non-Interactive) Zero Knowledge

  2. What is zero-knowledge? Zero-knowledge proof: “a method by which one party […] can prove to another party […] that a […] statement is true, without conveying any [further] information” Wikipedia, en.wikipedia.org Preuve à divulgation nulle de connaissance: “un protocole […] danslequeluneentité […] prouve […] à uneautreentité […] qu’une pro-position estvraie sans […] révéleruneautre information.” Wikipedia, fr.wikipedia.org

  3. So far chg resp Prover Verifier • No anonymity: • or • Anonymity in a ring: • Anonymity and traceability: • Now: Deniability/Zero-Knowledge!

  4. Sigma () protocols • Setup: we have a secret witness and a public statement and a function • Idea: Prover must prove she has suchthat without revealing anything else • Example 1: finite fields Group withp prime, iff. protocol Prover Verifier I know the discrete log of ;

  5. Sigma () protocols • Setup: witness , statement, function • Idea: Prover proves she has s.t. , but no more • Example 2: RSA Modulus , order, co-primewith iff. protocol Prover Verifier ; I know the message encrypted in

  6. Sigma () protocols • Setup: witness , statement, function • Idea: Prover proves she has s.t. , but no more • Example 3: Composition Group withp prime, iff. protocol Prover Verifier ; I have the corresponding to one of

  7. Contents • Commitment Schemes • Sigma Protocols • Structure • Properties • Schnorr’s protocol • Composition of Sigma Protocols • Parallel composition • AND composition • EQ and OR compositions • The Fiat-Shamir heuristic

  8. Commitment Schemes Bob Alice Alice Bob • Example: • Alice and Bob must agree who will clean tonight • They are at their offices. Each tosses a coin & they call: • If tosses are the same, then Alice cleans • If tosses are different, then Bob cleans • Who talks first?

  9. Commitment Schemes Alice Bob Alice Bob • Alice and Bob toss • Alice talks first Bob says he tossed the same value • Bob talks first Alice says she tossed the opposite value • How can we avoid this?

  10. Commitment Schemes Bob cleans Alice Bob • Commitment: an envelope with a strange seal • Alice talks first • Commit phase: she hides toss in envelope, gives it to Bob • Bob reveals toss • Reveal phase: Alice tells Bob how to unseal envelope

  11. Commitment Schemes Alice Bob • Properties: • Hiding: The content of the envelope is not visible Bob doesn’t know anything about Alice’s toss • Binding: Alice can’t change the content in the envelope Alice can’t cheat after getting Bob’s toss

  12. Commitment Schemes Input …………………… Random Check Alice Bob • Formally: • Commitment hiding: • Commitment binding:

  13. Pedersen Commitments …………………… Random Check Alice Bob • Setup: , prime field, \ , unknown • Commitment of input value : • Choose random witness • Compute • Binding: from = we have Thus we have Impossible

  14. Pedersen Commitments …………………… Random Check Alice Bob • Setup: , prime field, \ , unknown • Commitment of input value : • Choose random witness • Compute • Hiding:

  15. DLog-based Commitments …………………… Random Check Alice Bob • Setup: prime, prime, with • Commitment of input value : (no randomness) • Computationally hiding: DLog • Perfectly binding by construction

  16. Contents • Commitment Schemes • Sigma Protocols • Structure • Properties • Schnorr’s protocol • Composition of Sigma Protocols • Parallel composition • AND composition • EQ and OR compositions • The Fiat-Shamir heuristic

  17. Sigma Protocols: Structure Commitment: Witness Challenge: Statement Statement Prover Verifier Response: • Relation associatedwith NP-language L • If () , theniswitness for • E.g.:

  18. Sigma Protocols: Properties Witness Statement Statement Prover Verifier • Completeness: • Always accept prover with s.t. • (Special) soundness: • From (), and () with can getwith • Honest verifier zero-knowledge (HVZK): • PPT Sim. s.t. suchthat:

  19. Schnorr’s Protocol • Setup: prime, prime, with Prover Verifier Check: • Completeness:

  20. Schnorr’s Protocol • Setup: prime, prime, with Prover Verifier Check: • Special Soundness: Given and withfind : :

  21. Schnorr’s Protocol • Setup: prime, prime, with Prover Verifier Check: • HVZK: • of same distribution • Simulator: generate . Nowcompute: • The conversation is valid and identically distributed

  22. Contents • Commitment Schemes • Sigma Protocols • Structure • Properties • Schnorr’s protocol • Composition of Sigma Protocols • Parallel composition • AND composition • EQ and OR compositions • The Fiat-Shamir heuristic

  23. Parallel Composition • Goal: larger challenge space Witness Statement Statement Prover Verifier • Verification is done in parallel: • Verify: Accept iff. and • Verify:

  24. AND Composition • Goal: Proof for more than 1 witness Statement Statement Prover Verifier • Verification is done as follows: • Verify: Accept iff. and • Verify:

  25. EQ-Composition • Goal: Prove your witness fulfills two conditions Witness Prover Verifier • Verification is done as follows: • Verify: Accept iff. and • Verify:

  26. OR-Composition • Goal: the witness fulfills one of twoconditions We won’t reveal which, however Either Prover Verifier • Idea: split challenge in two, do one proof, simulate other • Verification is done as follows: • Check: • Verify: Accept iff. and and • Verify:

  27. OR-Composition of Schnorr • Setup: , primes, with Prover ? Verifier ? ? Real Simulated Simulation as in HVZK Real Schnorr protocol run

  28. Contents • Commitment Schemes • Sigma Protocols • Structure • Properties • Schnorr’s protocol • Composition of Sigma Protocols • Parallel composition • AND composition • EQ and OR compositions • The Fiat-Shamir heuristic

  29. The Fiat-Shamir Heuristic • So far: interactive protocols, need random challenge • If Prover can choose challenge, she can replay, she can choose , or otherconvenient challenges • Choose clever way to control challenge! Fiat-Shamir heuristic Prover Prover Verifier Verifier

  30. Signatures from protocols • Recall: SScheme = (KGen, Sign, Vf) • Correctness: honest signatures should always verify • Unforgeability: cannot sign fresh message without sk • Setup: , primes, with Check: • Secure if H outputs pseudorandom strings!

  31. Further reading • Zero-Knowledge Proofs of Knowledge: S. Brands, ‘97: “Rapid Demonstration of Linear Relations Connec-ted by Boolean Operators” U. Feige, A. Fiat, A. Shamir, ‘88: “Zero Knowledge Proofs of Identity” • Trapdoor commitment schemes Di Crescenzo, Ishai, Ostrovsky, ‘98: “Non-interactive and Non-Malleable Commitment” Fischlin, Fischlin, 2000: “Efficient Non-Malleable Commitment Schemes”

  32. Some exercises: • Commitment schemes: • What if the receiver knows for the Pedersen commitment? • What are the properties of the following commitment scheme? Setup: prime, prime, with • Commit for : • Sigma protocols: • Show that the following protocol is a Sigma protocol: Modulus , order, co-primewith Verifier Prover

  33. Some more exercises: • Is the following protocol a Sigma protocol? Setup: prime, prime, with Verifier Prover • How can a malicious verifier find the value of in the protocolabove?

  34. Thanks!

More Related