
Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge



  1. Foundations of Cryptography, Lecture 12: Commitment and Zero-Knowledge. Lecturer: Moni Naor

  2. Recap of last week's lecture
  • Notion of security: equivalence of semantic security and indistinguishability of encryptions in the shared-key and public-key cases
  • Properties of semantically secure cryptosystems
  • Constructions of semantically secure cryptosystems:
    • Trapdoors
    • Factoring (Blum-Goldwasser)
    • Decisional Diffie-Hellman
    • Shared key: pseudo-random functions

  3. The world so far
  [Diagram of the primitives built so far and their dependencies: Factoring is hard (BG permutations); Trapdoor permutations; Public-key encryption (CPA); Pseudo-random generators; Pseudo-random functions; Pseudo-random permutations; Signature schemes; One-way functions; Two-guards identification; Shared-key encryption (CPA) and authentication; UOWHFs; P ≠ NP]

  4. What's next
  • Further notions of security:
    • Non-malleability
    • Chosen ciphertext attacks
  • Protocols:
    • Zero-knowledge proof systems
    • Secure function evaluation

  5. Commitments
  • Define
  • Construct
  • Applications:
    • Coin-flipping
    • Zero-knowledge

  6. String Commitment Protocols
  • Sender: input X ∈ {0,1}^n. Receiver: no explicit input
  • Two phases:
    • Commit
    • Reveal
  • At the end of the protocol: Receiver obtains X and decides whether it is valid or not

  7. Commitment Schemes
  • Hiding: a computationally bounded receiver learns nothing about X.
  • Binding: s can only be "opened" to the value X.
  [Figure: commit phase, the Sender holding X sends s to the Receiver; reveal phase, the Sender sends v and X, and the Receiver runs the reveal verification algorithm on (s, v, X) to output yes/no]

  8. Following the Commit Phase
  • Receiver should not have gained any information about X
    • Information theoretic?
    • Computationally?
  • Sender should be bound to X
    • No two different and valid openings exist
    • It is computationally infeasible to find two different valid openings

  9. Both worlds?
  Cannot have the best of both worlds:
  • Information-theoretic secrecy following commit: the distribution of the conversation is independent of X
  • Perfect binding: no two different and valid openings exist (whp)

  10. Security Parameter
  Want:
  • A family of protocols
  • Indexed by a security parameter
  Relationship between the security parameter and the size of the hard problem

  11. Definition: Computational Secrecy
  • Indistinguishability of committed strings: adversary A chooses X0, X1 ∈ {0,1}^n, receives the commit phase to X_b for b ∈_R {0,1}, and has to decide whether b = 0 or b = 1.
  For any pptm A and for X0, X1 ∈ {0,1}^n: |Pr[A = '1' | b = 0] - Pr[A = '1' | b = 1]| is negligible

  12. ...Computational Secrecy
  • Equivalent to semantic security of committed strings: whatever adversary A can compute on the committed string X ∈ {0,1}^n, so can an A' that does not participate in the commit phase.
  A selects:
    • A distribution D_n on {0,1}^n
    • A relation R(X,Y) computable by a ppt

  13. ...Semantic Security
  ∀ pptm A ∃ A' such that for X ∈_R D_n: |Pr[R(X, A(commit))] - Pr[R(X, A'())]| is negligible.

  14. Definition: Perfect Binding
  • For all adversaries A controlling the Sender, following the commit phase,
  • with high probability over the random choices of the Receiver,
  there are no two different and valid openings to X and X'

  15. Protocol
  Show a string commitment protocol with:
  • Indistinguishability of committed strings
  • Perfect binding

  16. Idea
  Hide the value X in a linear function P·X + B
  • Who chooses/knows P and B?
    • If the sender: no binding
    • If the receiver: no hiding
  • Compromise:
    • Receiver chooses P
    • Sender chooses B, but B has to be of a special form

  17. Tool: Pseudo-Random Sequence Generator
  G_{4n}: {0,1}^n → {0,1}^{4n}, a cryptographically strong pseudo-random sequence generator

  18. The Protocol - Commit
  • Receiver: chooses P ∈_R {0,1}^{4n}
  • Sender: input X ∈ {0,1}^n. Chooses S ∈_R {0,1}^n, computes and sends Y = X·P + G_{4n}(S)
  Computation is done in GF[2^{4n}]

  19. The Protocol - Reveal
  • Sender: sends S ∈ {0,1}^n
  • Receiver: computes X = (Y - G_{4n}(S))·P^{-1}
  Computation is done in GF[2^{4n}]

  20. Binding
  Claim: the probability of a Sender being able to open equivocally is at most 2^{-n}
  Sender can cheat given P iff ∃ S1, S2, X1, X2 ∈ {0,1}^n with X1 ≠ X2 s.t. Y = X1·P + G_{4n}(S1) = X2·P + G_{4n}(S2), i.e. P·(X1 - X2) = G_{4n}(S2) - G_{4n}(S1)

  21. ...Binding
  There are 2^{3n} - 1 possibilities for S1, S2 and X1 - X2.
  Probability that P validates a given such triple is 2^{-4n}.
  Probability that P validates any triple is at most 2^{-n}.
  There exists a universal P. Don't know how to find it, so the Receiver chooses at random.

  22. Cryptographic Reductions
  Show how to use an adversary for breaking primitive 1 in order to break primitive 2.
  Important:
  • Run time: how does T1 relate to T2
  • Probability of success: how does ε1 relate to ε2
  • Access to the system: 1 vs. 2

  23. Secrecy
  Suppose adversary A controlling the Receiver can distinguish whether (Y,P) corresponds to X0 or X1:
  ε ≤ |Pr[A(Y,P) = '1' | X0] - Pr[A(Y,P) = '1' | X1]|
  Probability is over the random choice of S and the random coins of A.

  24. ...Secrecy
  Can use A to distinguish whether a given string Z is G_{4n}(S) or random.
  Given P, send the Receiver Y = X1·P + Z. If Z is random, so is Y!
  Let p1 = Pr[A(Y,P) = '1' | X0], p2 = Pr[A(Y,P) = '1' | X1], p3 = Pr[A(Y,P) = '1' | Z is random]

  25. ...Secrecy
  • By assumption |p1 - p2| ≥ ε ⟹ either |p1 - p3| ≥ ε/2 or |p2 - p3| ≥ ε/2
  • In either case can construct a distinguisher for Z:
    • If |p1 - p3| ≥ ε/2, give the Receiver Y = X1·P + Z
    • If |p2 - p3| ≥ ε/2, give the Receiver Y = X2·P + Z
    • Provide as the answer A(Y,P)

  26. Given input Z, want to decide whether Z = G(s) or not
  • Run A to get {X0, X1} and P
  • Choose b ∈_R {0,1} and compute Y = P·X_b + Z
  • Give (Y,P) to A and obtain its answer b'
  • If b' = b output "pseudo-random"
  [Figure: the distinguisher A' running A as a subroutine]
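The commit and reveal phases of slides 18-19, together with the binding argument of slides 20-21, as an added example (not code from the lecture). The parameters are an assumption made so the block runs on its own: n = 8, so the field is GF(2^32) reduced modulo x^32 + x^7 + x^3 + x^2 + 1, and SHAKE-256 stands in for the cryptographically strong generator G_{4n}. All function names are this example's own. With only 2^8 seeds, `find_equivocation` can check the slide-20 cheating condition exhaustively for a given P.

```python
"""Naor's string commitment from a PRG (slides 16-21), as an added example.
Assumed parameters: n = 8, so the field is GF(2^32), reduced modulo
x^32 + x^7 + x^3 + x^2 + 1 (a standard irreducible pentanomial).
SHAKE-256 stands in for the cryptographically strong generator
G_4n: {0,1}^n -> {0,1}^4n.  In characteristic 2 the slides' "+" and "-"
are both XOR, so Y - G(S) is computed as Y ^ G(S)."""
import hashlib
import secrets

N = 8                         # security parameter n: X and the seed S are n bits
WIDTH = 4 * N                 # elements of GF(2^4n) are 4n-bit strings
POLY = (1 << WIDTH) | 0x8D    # x^32 + x^7 + x^3 + x^2 + 1

def gf_mul(a, b):
    """Multiply two field elements: shift-and-add, reducing by POLY on overflow."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> WIDTH:
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse by Fermat: a^(2^WIDTH - 2) = a^-1 for every nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in the field")
    r, e = 1, (1 << WIDTH) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def prg(seed):
    """Stand-in for G_4n: expand an n-bit seed to a 4n-bit string."""
    out = hashlib.shake_256(seed.to_bytes(N // 8, "big")).digest(WIDTH // 8)
    return int.from_bytes(out, "big")

def receiver_choose_p():
    """Commit phase, Receiver's move: P is a random nonzero element of GF(2^4n)."""
    while True:
        p = secrets.randbits(WIDTH)
        if p:
            return p

def sender_commit(x, p, s):
    """Commit phase, Sender's move: Y = X*P + G_4n(S) over GF(2^4n)."""
    assert 0 <= x < (1 << N) and 0 <= s < (1 << N), "X and S must be n-bit strings"
    return gf_mul(x, p) ^ prg(s)

def commit(x, p):
    """Sender picks the seed S at random; returns (Y, S), with S kept for the reveal."""
    s = secrets.randbits(N)
    return sender_commit(x, p, s), s

def receiver_open(y, p, s):
    """Reveal phase: X = (Y - G_4n(S)) * P^-1; the opening is valid only if X is n bits."""
    x = gf_mul(y ^ prg(s), gf_inv(p))
    return x if x < (1 << N) else None

def find_equivocation(p):
    """Binding (slides 20-21): exhaustively look for S1 != S2 and n-bit X1 != X2 with
    P*(X1 - X2) = G(S2) - G(S1).  Returns (S1, S2, X1, X2) or None.  For a random P
    a hit exists with probability at most about 2^-n, the slides' bound."""
    p_inv = gf_inv(p)
    g = [prg(s) for s in range(1 << N)]
    for s1 in range(1 << N):
        for s2 in range(s1 + 1, 1 << N):
            delta = gf_mul(g[s1] ^ g[s2], p_inv)    # the X1 - X2 forced by (S1, S2)
            if 0 < delta < (1 << N):               # fits in n bits: X1 = 0, X2 = delta
                return s1, s2, 0, delta
    return None

if __name__ == "__main__":
    p = receiver_choose_p()
    y, s = commit(0xC3, p)
    print("commitment", hex(y), "opens to", hex(receiver_open(y, p, s)))
    print("equivocating openings for this P:", find_equivocation(p))
```

Running the script a few hundred times and counting how often `find_equivocation` returns a triple gives an empirical check of the 2^{-n} bound: for n = 8 roughly one P in 256 admits two valid openings, and the same P would remain equivocable for every X, which is why the slides let the Receiver choose P afresh at random.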

  27. An existential clump
  One-way functions ⟹ Pseudo-random generators ⟹ String commitment protocol
  Also: String commitment ⟹ one-way function

  28. Applications
  • Coin flipping
  • Auctions
  • Zero knowledge

  29. Coin Flipping
  Two parties want to agree on a random value R ∈ {0,1}
  • Should be random even if one party cheats
  • Potential problem: one party knows the value before the other (early stopping)
  [Figure: parties A and B]

  30. ...Coin Flipping Specification
  Result of the protocol could be 0, 1 or ⊥
  • For every PPTM adversary controlling A (B) and for all b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + ε, where ε is negligible in the security parameter

  31. Coin Flipping Protocol
  • A selects r_A ∈_R {0,1} and commits to r_A
  • B sends bit r_B ∈_R {0,1}
  • Coin is r_A ⊕ r_B
  If A doesn't open: result is ⊥
  If A's opening is invalid: result is ⊥

  32. Coin flipping security
  • ∀ adversary controlling A, ∀ b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + 2^{-n}
  • For all PPTM adversaries controlling B, ∀ b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + ε
  • ε is the advantage of distinguishing a commitment to 0 from a commitment to 1 in the commitment protocol

  33. Dealing with early stopping
  Suppose ⊥ is not acceptable. To limit the influence of one party:
  • Gradual release of the result:
    • Commit to many bits
    • Release them one by one
  • Take the majority of the bits, substituting random values for early-stopping values
  • However: for r rounds one party can influence the result by 1/r
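The protocol of slide 31 with both parties' messages, the two ⊥ cases, and the majority variant of slide 33, as an added example rather than the lecture's code. The protocol is generic over the commitment, so the bit commitment here is a stand-in assumption, SHA-256 over a random nonce and the bit; the strategy classes `StoppingA` and `EquivocatingA` are this example's own and model the two ways A can deviate.

```python
"""Coin flipping over a bit commitment (slides 29-33), as an added example.
The commitment is a stand-in, SHA-256(nonce || bit), assumed so the block
runs on its own; any hiding and binding commitment (e.g. slides 18-19)
would do.  None plays the role of the slides' bottom outcome when A stops
early or presents an invalid opening."""
import hashlib
import secrets

def commit_bit(bit):
    """Stand-in commitment: c = SHA-256(nonce || bit); opening is (nonce, bit)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), nonce

def check_open(c, nonce, bit):
    return hashlib.sha256(nonce + bytes([bit])).digest() == c

def coin_flip(a, b):
    """One execution of the slide-31 protocol; returns 0, 1 or None (bottom)."""
    c, state = a.commit()             # A -> B: commitment to r_A
    r_b = b.send_bit(c)               # B -> A: r_B in the clear
    opening = a.open(r_b, state)      # A -> B: (nonce, r_A), or None = A stops early
    if opening is None:
        return None
    nonce, r_a = opening
    if r_a not in (0, 1) or not check_open(c, nonce, r_a):
        return None                   # invalid opening -> bottom
    return r_a ^ r_b

class HonestA:
    def __init__(self, bit=None):
        self.bit = bit                # None: choose r_A at random (the honest choice)
    def commit(self):
        r_a = secrets.randbelow(2) if self.bit is None else self.bit
        c, nonce = commit_bit(r_a)
        return c, (nonce, r_a)
    def open(self, r_b, state):
        return state

class StoppingA(HonestA):
    """Wants the coin to be `target`: refuses to open when it would not be."""
    def __init__(self, target, bit=None):
        super().__init__(bit)
        self.target = target
    def open(self, r_b, state):
        return state if state[1] ^ r_b == self.target else None

class EquivocatingA(StoppingA):
    """Tries instead to open to the other bit; binding makes that opening invalid."""
    def open(self, r_b, state):
        nonce, r_a = state
        return state if r_a ^ r_b == self.target else (nonce, 1 - r_a)

class HonestB:
    def __init__(self, bit=None):
        self.bit = bit
    def send_bit(self, c):
        return secrets.randbelow(2) if self.bit is None else self.bit

def tally(a, b, runs):
    """Empirical distribution of outcomes over `runs` independent executions."""
    counts = {0: 0, 1: 0, None: 0}
    for _ in range(runs):
        counts[coin_flip(a, b)] += 1
    return counts

def majority_flip(a, b, rounds):
    """Slide 33: run several flips, substitute a fresh random bit for each bottom,
    and output the majority (rounds should be odd)."""
    bits = []
    for _ in range(rounds):
        v = coin_flip(a, b)
        bits.append(secrets.randbelow(2) if v is None else v)
    return int(2 * sum(bits) > rounds)

if __name__ == "__main__":
    print("honest parties:", tally(HonestA(), HonestB(), 1000))
    print("A stops early unless the coin is 1:", tally(StoppingA(1), HonestB(), 1000))
    print("A reopens to the other bit:", tally(EquivocatingA(1), HonestB(), 1000))
```

The tallies show the two halves of slide 32: a deviating A can never make the coin 0 come out 1, it can only trade the unwanted outcome for ⊥, and an honest B sees 0 and 1 each about half the time. Because B never commits, a cheating B's only lever is guessing r_A from the commitment, which is exactly the hiding advantage ε.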

  34. Definition: Computational Binding
  • For all PPTM adversaries A controlling the Sender, following the commit phase,
  • with high probability over the random choices of the Receiver,
  the Sender cannot find two different and valid openings to X and X'
  Possible advantage: perfect or statistical hiding

  35. Proof systems
  L = { (X, 1^k) : X is a true mathematical assertion with a proof of length k }
  • What is a "proof"? Complexity-theoretic insight: meaningless unless it can be efficiently verified

  36. Proof systems
  For a language L, the goal is to prove x ∈ L. A proof system for L is defined by a verification algorithm V
  • completeness: x ∈ L ⟹ ∃ proof, V accepts (x, proof) (true assertions have proofs)
  • soundness: x ∉ L ⟹ ∀ proof*, V rejects (x, proof*) (false assertions have no proofs)
  • efficiency: ∀ x, proof, the machine running V(x, proof) is efficient:
    • runs in time polynomial in |x|
    • ?

  37. Classical Proofs
  • Recall: L ∈ NP iff expressible as L = { x | ∃ y, |y| < |x|^k, (x, y) ∈ R_L } and R_L ∈ P.
  • NP is the set of languages with classical proof systems (R_L is the verifier)
  We wish to extend the notion.

  38. Interactive Proofs
  • Two new ingredients:
    • Randomness: verifier tosses coins; should err with some small probability
    • Interaction: rather than simply "reading" the proof, the verifier interacts with the prover. Is the prover another TM?
  • Framework captures the classical NP proof systems:
    • prover sends the proof
    • verifier runs the algorithm for R; no use of randomness

  39. Interactive Proofs
  An interactive proof system for L is an interactive protocol (P, V)
  [Figure: Prover and Verifier on common input x, each with a random tape, exchanging a sequence of messages; the Verifier outputs accept/reject]
  New issue: who knows the random tape
  # of rounds and length of messages are poly(|x|)
  • New resources:
    • # of rounds
    • Length of messages

  40. Interactive Proofs
  Definition: an interactive proof system for L is an interactive protocol (P, V)
  • completeness: x ∈ L: Pr[V accepts in an execution of (P, V)(x)] ≥ 2/3
  • soundness: x ∉ L, ∀ P*: Pr[V accepts in an execution of (P*, V)(x)] ≤ 1/3
  • efficiency: V is a PPT machine
  • Can we reduce the error to any ε?
  Perfect completeness: V accepts with probability 1

  41. Error Reduction
  • If we execute the protocol sequentially ℓ times, let I_j = 1 if the jth run is correct and 0 otherwise.
  The I_j's are not necessarily independent of each other but, since we can tolerate any prover*, Pr[I_j = 1 | any execution history] ≥ 2/3.
  If we compare to ℓ independent coins with probability 2/3 where we take the majority of answers: for any prover*, the interactive proof stochastically dominates.
  • Can argue the same for ℓ parallel executions; the number of rounds is preserved

  42. Interactive Proofs
  IP = { L : L has an interactive proof system }
  • Captures more broadly what it means to be convinced a statement is true
  • But no certificate to store for future generations!
  • Clearly NP ⊆ IP. Potentially larger. How much larger?
    • IP with perfect soundness and completeness is NP
    • To go beyond NP randomness is essential
    • Perfect soundness in itself implies NP power
  • IP = PSPACE

  43. Interactive Proof Systems relevant to crypto
  • Let L ⊆ {0,1}* be a language
  • The Prover P wants to convince the other party, Verifier V, that X ∈ L
  • In our case both parties are PPTM; they exchange messages and flip coins
  • Prover P may have some extra information W
  • At the end of the protocol Verifier V's state ∈ {accept, reject}
  • For a given W the interaction between V and P induces a distribution on the transcripts
  [Figure: Prover P and Verifier V]

  44. Witness Protection Programs
  A witness indistinguishable proof system for X ∈ L (Prover P, Verifier V):
  • Completeness: if prover P has witness W, it can construct an effective proof that makes verifier V accept.
  • Soundness: if X ∉ L, no prover P* can succeed with high probability in making verifier V accept.
  • Witness indistinguishability: for every V* and any witnesses W1 and W2, the distributions on transcripts are computationally indistinguishable: no polynomial-time test can distinguish the two.

  45. Example: Hamiltonicity
  • Common input: graph G=(V,E)
  • L is the language of graphs with Hamiltonian cycles: G=(V,E) ∈ L if and only if there is a cycle C=(i1, i2, ..., in) covering all nodes of V once, with (ij, ij+1) ∈ E

  46. Example: Hamiltonicity
  • Common input: graph G=(V,E)
  • L is the language of graphs with Hamiltonian cycles
  • Witness W: a Hamiltonian cycle C=(i1, i2, ..., in)
  • Protocol:
    • Step 1: Prover P selects a random permutation π of the nodes and commits to the adjacency matrix of π(G)=(π(V), π(E)), each entry separately
    • Step 2: Verifier V selects and sends a bit r ∈_R {0,1}
    • Step 3: Prover P: if r=0 then P opens all the commitments and sends π; if r=1 then P opens only the commitments corresponding to C, i.e. the entries (π(ij), π(ij+1))
    • Step 4: Verifier V accepts if: r=0 and the committed graph is isomorphic to G; r=1 and all opened slots are '1'

  47. Analysis of Protocol
  • Completeness: perfect √
  • Soundness: if there is no cycle in G=(V,E), then from the binding property of the commitment scheme, following the commitment there is a unique graph G'. Either P*
    • commits to a graph G' non-isomorphic to G: Verifier V rejects if r=0
    • or commits to a graph G' isomorphic to G: Verifier V rejects if r=1
  Probability V accepts is bounded by ½
  • Can reduce the error by repetition:
    • Sequential
    • Parallel

  48. Obtaining Witness Indistinguishability
  • Key property: the distribution of the values opened in Step 3 is an efficiently computable function of
    • the graph and
    • the challenge the verifier V sent in Step 2
  For example: it could be a random permutation of 1..n

  49. Witness Indistinguishability
  Let G=(V,E), with two Hamiltonian cycles C1 and C2
  • If there is a verifier V* that can distinguish between the case C1 and C2 are used,
  • then can use V* to distinguish between commitments to π1(G) and to π2(G) for some permutations π1 and π2
  • Witness indistinguishability remains so under parallel execution (hybrid argument)
  • But what if there is a unique witness?

  50. Zero Knowledge
  • Each (cheating) verifier V* induces a distribution on transcripts of the interaction with P
  • Zero-knowledge requirement: for all verifiers V* there exists a simulator S such that:
    • simulator S is a pptm (does not get witness W)
    • for all X ∈ L the distributions on transcripts that V* induces and that S produces are computationally indistinguishable
  The role of the simulator is similar to the alternative adversary in semantic security
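The four steps of slide 46, the two cheating provers of slide 47, and the simulator of slide 50 in one runnable piece, added here as an example and not taken from the lecture. The per-entry commitment is a stand-in assumption (SHA-256 over a nonce and the bit), the two five-node graphs are constructed for the demonstration, and all function names are this example's own. Beyond the slide's "all opened slots are '1'", the verifier for r=1 also checks that the opened slots trace a single cycle through all n nodes, which is what makes the opened entries a Hamiltonian cycle of the committed graph rather than just n ones.

```python
"""Blum's protocol for Hamiltonicity (slides 45-47) with the verifier's checks,
a cheating prover for a graph without a Hamiltonian cycle, and the simulator
behind the zero-knowledge claim (slide 50).  Added example, not the lecture's
code.  The per-entry commitment is a stand-in, SHA-256(nonce || bit), and
the two small graphs are constructed for the demonstration."""
import hashlib
import random
import secrets

# Constructed inputs: a 5-node graph with Hamiltonian cycle 0-1-2-3-4-0 plus two
# chords, and the 5-node path, which has no Hamiltonian cycle.
EDGES_HAM = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2), (1, 3)]
CYCLE = [0, 1, 2, 3, 4]            # the witness W
EDGES_PATH = [(0, 1), (1, 2), (2, 3), (3, 4)]

def commit_bit(bit):
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), nonce

def check_open(c, nonce, bit):
    return hashlib.sha256(nonce + bytes([bit])).digest() == c

def permuted_matrix(n, edges, pi):
    """Adjacency matrix of pi(G): entry (pi[u], pi[v]) is 1 for every edge {u, v}."""
    m = [[0] * n for _ in range(n)]
    for u, v in edges:
        m[pi[u]][pi[v]] = m[pi[v]][pi[u]] = 1
    return m

def prover_commit(n, matrix):
    """Step 1: commit to each of the n*n entries separately."""
    coms = [[commit_bit(matrix[i][j]) for j in range(n)] for i in range(n)]
    return [[c for c, _ in row] for row in coms], [[r for _, r in row] for row in coms]

def prover_open(n, matrix, nonces, pi, cycle, r):
    """Step 3: r = 0 reveals pi and every entry; r = 1 reveals only the cycle's entries."""
    if r == 0:
        return pi, {(i, j): (nonces[i][j], matrix[i][j]) for i in range(n) for j in range(n)}
    slots = [(pi[cycle[k]], pi[cycle[(k + 1) % n]]) for k in range(n)]
    return None, {(i, j): (nonces[i][j], matrix[i][j]) for i, j in slots}

def verify(n, edges, coms, r, pi, opened):
    """Step 4: every opening must check, then the challenge-specific condition."""
    for (i, j), (nonce, bit) in opened.items():
        if not (0 <= i < n and 0 <= j < n) or not check_open(coms[i][j], nonce, bit):
            return False
    if r == 0:   # the committed graph must be exactly pi(G) for the revealed pi
        if pi is None or sorted(pi) != list(range(n)) or len(opened) != n * n:
            return False
        m = permuted_matrix(n, edges, pi)
        return all(bit == m[i][j] for (i, j), (_, bit) in opened.items())
    # r == 1: the opened slots must all be 1 and trace one cycle through all n nodes
    if len(opened) != n or any(bit != 1 for _, bit in opened.values()):
        return False
    nxt = dict(opened.keys())        # each slot's row i -> its column j
    v, seen = 0, set()
    for _ in range(n):
        if v not in nxt or v in seen:
            return False
        seen.add(v)
        v = nxt[v]
    return v == 0

def honest_run(n, edges, cycle, r):
    pi = list(range(n)); random.shuffle(pi)
    matrix = permuted_matrix(n, edges, pi)
    coms, nonces = prover_commit(n, matrix)
    pi_out, opened = prover_open(n, matrix, nonces, pi, cycle, r)
    return verify(n, edges, coms, r, pi_out, opened)

def cheating_run(n, edges, strategy, r):
    """P* has no cycle: "iso" commits to pi(G) and fails r = 1; "fake" adds a
    fabricated cycle 0-1-...-(n-1)-0 and fails r = 0.  Either way Pr[accept] = 1/2."""
    pi = list(range(n)); random.shuffle(pi)
    fake = list(range(n))
    extra = [(fake[k], fake[(k + 1) % n]) for k in range(n)] if strategy == "fake" else []
    matrix = permuted_matrix(n, list(edges) + extra, pi)
    coms, nonces = prover_commit(n, matrix)
    pi_out, opened = prover_open(n, matrix, nonces, pi, fake, r)
    return verify(n, edges, coms, r, pi_out, opened)

def simulate(n, edges, verifier):
    """Simulator S: guesses the challenge, commits to pi(G) (guess 0) or to a bare
    random cycle (guess 1), and rewinds the verifier whenever the guess was wrong.
    verifier(coms) -> challenge bit.  Needs no witness."""
    while True:
        guess = secrets.randbelow(2)
        pi = list(range(n)); random.shuffle(pi)
        if guess == 0:
            matrix, cycle = permuted_matrix(n, edges, pi), None
        else:
            cycle = list(range(n)); random.shuffle(cycle)
            pi = list(range(n))                   # identity: the slots are the cycle itself
            matrix = permuted_matrix(n, [(cycle[k], cycle[(k + 1) % n]) for k in range(n)], pi)
        coms, nonces = prover_commit(n, matrix)
        r = verifier(coms)
        if r == guess:
            return coms, r, prover_open(n, matrix, nonces, pi, cycle, r)
```

`simulate` never touches `CYCLE`, yet every transcript it returns passes `verify`; that is the slide-50 requirement made concrete. The rewinding costs two attempts on average against an honest verifier, and against a verifier whose challenge depends on the commitments the hiding property is what keeps the guess independent of the challenge.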
