590 likes | 618 Views
Explore commitment schemes, security notions, and cryptographic principles. Learn about commitment definition, constructions, applications like coin-flipping, and distinguish between information-theoretic and computational secrecy. Discover protocols for secure function evaluation and zero-knowledge proofs systems.
E N D
Foundations of CryptographyLecture 12: Commitment and Zero-Knowledge Lecturer:Moni Naor
Recap of last week’s lecture • Notion of security: equivalence of semantic security and indistinguishability of encryptions in shared key and public-key cases • Properties of semantically secure cryptosystems • Constructions of semantically secure cryptosystems • Trapdoors • Factoring (Blum Goldwasser) • Decisional Diffie-Hellman • Shared key: pseudo-random functions
The world so far Factoring is hard (BG Permutations) Trapdoor permutations Public-key Encryption (CPA) Pseudo-random generators Pseudo-random Functions Signature Schemes One-way functions Two guards Identification Pseudo-random Permutations Shared-key Encryption (CPA) and Authentication UOWHFs P NP
What’s next • Further notions of security • Non-malleability • Chosen ciphertext attacks • Protocols: • Zero-knowledge proof systems • Secure function evaluation
Commitments • Define • Construct • Applications: • Coin-flipping • Zero-Knowledge
String Commitment Protocols • Sender: Input X0,1n Receiver: no explicit input • Two Phases • Commit • Reveal • At the end of protocol: Receiver obtains X decides valid or not
Commitment Schemes • Hiding: A computationally bounded receiver learns nothing about X. • Binding:s can only be “opened” to the value X. X Commit Phase Sender Receiver s X Reveal Phase Sender X Receiver v s, v, X Reveal Verification Algorithm yes/no
Following Commit Phase • Receiver should not have gained any information about X • Information theoretic? • Computationally? • Sender should be bound to X • No two different and valid openings exist • It is computationally infeasible to find two different valid openings
Both worlds? Cannot have best of both worlds: • Information theoretic secrecy following commit • Distribution of conversation independent of X • Perfect binding • No two different and valid openings exist whp
Security Parameter Want • A family of protocols • Indexed by a security parameter Relationship between security parameter and size of hard problem
Definition: Computational Secrecy • Indistinguishability of committed strings: Adversary A chooses X0, X1 0,1n receives commit phase to Xb for bR0,1 has to decide whetherb 0 or b 1. For any pptm A for X0 , X1 0,1n PrA ‘1’ b 0- PrA ‘1’ b 1 is negligible
...Computational Secrecy • Equivalent to semantic security of committed strings: Whatever Adversary A can compute on committed string X0,1nso can A’ that does not participate in commit phase Aselects: • Distribution Dnon0,1n • Relation R(X,Y) - computable by ppt
…Semantic Security pptm ARA’ forXR Dn PrR(X,A(commit))- Pr R(X,A’()) is negligible.
Definition: Perfect Binding • For all Adversary A controlling the Sender, following commit phase • With high probability over random choices of Receiver There are no two different and valid openings to XandX’
Protocol Show a string commitment protocol with • Indistinguishability of committed strings • Perfect Binding
Idea Hide the value X in a linear function • PX + B • Who chooses/knows P and B? • If the sender: no binding • If the receiver: no hiding • Compromise: • receiver chooses P • Sender chooses B. But B has to be of special form.
Tool: Pseudo-Random Sequence Generator G4n:0,1n 0,14n A cryptographically strong pseudo-random sequence generator
The Protocol - Commit • Receiver: chooses PR0,14n • Sender: Input - X0,1n . Chooses SR0,1n Computes and sends Y XP G4n(S) Computation is done in GF[24n]
The Protocol - Reveal • Sender: sends S0,1n • Receiver: computes X (Y-G4n(S))P-1 Computation is done in GF[24n]
Binding Claim: the probability of a Sender being able to open equivocally is at most 2-n Sender can cheat given P iff S1 ,S2, X1 , X20,1n and X1 X2s.t. Y X1P G4n(S1) X2P G4n(S2) P(X1 - X2 ) G4n(S2) -G4n(S1)
...Binding There are 23n-1 possibilities for S1 ,S2and X1 - X2. Probability that P validates such a triple is 2-4n Probability that P validates any triple is 2-n There exists a universalP. Don’t know how to find it so Receiver chooses at random.
Cryptographic Reductions Show how to use an adversary for breaking primitive 1 in order to break primitive 2 Important • Run time: how does T1 relate to T2 • Probability of success: how does 1 relate to 2 • Access to the system 1 vs. 2
Secrecy Suppose Adversary A controlling the Receiver can distinguish whether (Y,P)corresponds toX0orX1 PrA(Y,P) ‘1’ X0 - PrA(Y,P) ‘1’ X1 Probability is over random choice ofS and random coins ofA.
...Secrecy Can useAto distinguish whether a givenstringZis G4n(S) or random Given P send ReceiverY X1P Z If Zisrandom so is Y! Let p1 PrA(Y,P) ‘1’ X0 p2 PrA(Y,P) ‘1’ X1 p3 PrA(Y,P) ‘1’ Zis random
…secrecy • By assumption p1 - p2 Either p1 - p3 /2 or p2 - p3 /2 • In either case can construct a distinguisher for Z • Ifp1 - p3 /2giveReceiverY X1PZ • If p2 - p3 /2giveReceiverY X2PZ • Provide as the answer A(Y,P)
Given input Z want to decide whether Z=G(s) or not Run A to get {X0,X1} get P Z Choose b 2R {0,1} and Compute Y= P¢ Xb + Z A A’ b’ If b’=b output “pseudo-random”
An existential clump One-way functions Pseudo-random generators String commitment protocol Also: String commitment one-way function
Applications • Coin Flipping • Auctions • Zero Knowledge
Coin Flipping Two parties want to agree on a random value R 0,1 • Should be random even if one party cheats • Potential Problem: one party knows the value before the other. Early Stopping. A B
...Coin Flipping Specification Result of the protocol could be 0,1, • For every PPTM Adversary controlling A (B), b0,1 Pr result of protocol is b] 1/2 is negligible in security parameter
Coin Flipping Protocol • A selects rA R 0,1; Commits torA • B sends bit rB R 0,1 • Coin is rArB If A doesn’t open - result is If A’s opening is invalid - result is
Coin flipping security • adversary controlling A,b0,1 Pr result of protocol is b ] 1/2 2-n • For all PPTM adversary controlling B b0,1 Pr result of protocol is b ] 1/2 • is the advantage of distinguishing a commitment to 0 from a commitment to1 in the commitment protocol
Dealing with early stopping Suppose is not acceptable To limit the influence of one party: • Gradual release of the result • Commit to many bits • release one by one • Take majority of bits, substitute random values for early stopping values • However: for r rounds one party can influence result by 1/r
Definition: Computational Binding • For all PPTM Adversary A controlling the Sender following commit phase • With high probability over random choices of Receiver The Sender cannot find no two different and valid openings to XandX’ Possible Advantage: perfect or statistical hiding
Proof systems L = { (X, 1k) : X is a true mathematical assertion with a proof of length k} • What is a “proof”? Complexity theoretic insight: meaningless unless can be efficiently verified
Proof systems For a language L, goal is to prove x L Proof system for L is defined by a verification algorithm V • completeness:x L proof, V accepts (x, proof) true assertions have proofs • soundness:x L proof*, V rejects (x, proof*) false assertions have no proofs • efficiency: x, proof, the machine running V(x, proof) is efficient: • runs in polynomial time in |x| • ?
Classical Proofs • Recall: L NP iff expressible as L = { x | y, |y| < |x|k, (x, y) RL } andRL P. • NP is the set of languages with classical proof systems (RL is the verifier) We wish to extend the notion.
Interactive Proofs • Two new ingredients: • Randomness: verifier tosses coins • Should err with some small probability • Interaction: rather than simply “reading” the proof, verifier interacts with prover • Is the prover another TM? • Framework captures the classical NP proof systems:: • prover sends proof. • verifier runs algorithm for R No use of randomness
Interactive Proofs Interactive proof system for L is an interactive protocol (P, V) Random tape Common input: x Prover Verifier . . . New issue: who knows the random tape # rounds and length of messages is poly(|x|) • New resources: • # of rounds • Length of message accept/reject
Interactive Proofs Definition: an interactive proof system forL is an interactive protocol (P, V) • completeness:x L: Pr[V accepts in an execution of (P, V)(x)] 2/3 • soundness:x L P* Pr[V accepts in an execution of (P*, V)(x)] 1/3 • efficiency: V is PPT machine • Can we reduce the error to any ? Perfect Completeness: V accepts with Prob 1
Error Reduction • If we execute the protocol sequentially ℓ times let Ij =1 if jth run is correct and 0 otherwise The Ij’s are not necessarily independent of each other but, since can tolerate any prover* Pr[Ij =1 | any execution history] ¸ 2/3 If we compare to ℓ independent coins with probability 2/3 where we take majority of answers For any prover* the interactive proof stochastically dominates • Can argue the same for ℓ parallel executions Number of rounds is preserved
Interactive Proofs IP = {L : L has an interactive proof system} • Captures more broadly what it means to be convinced a statement is true • But no certificate to store for future generations! • Clearly NP IP. Potentially larger. How much larger? • IP with perfect soundness and completeness is NP • To go beyond NP randomness is essential • Perfect soundness in itself implies NP power • IP =PSPACE
Interactive Proof Systemsrelevant to crypto • Let Lµ{0,1}* be a language • The Prover P, wants to convince the other party, Verifier V that XL • In our case: both parties are PPTM; • exchange messages and flip coins • Prover P may have some extra information W • At the end of the protocol Verifier V state {accept, reject} • For a given W the interaction between V and P induces a distribution of the transcripts Prover P Verifier V
Witness Protection Programs A witness indistinguishable proof system for XL Prover p Verifier V • Completeness: if prover P has witness W - can construct effective proof that makes verifier V accept. • Soundness: if XLnoprover P*can succeed with high probability to make verifierV accept. • Witness Indistinguishability: for every V* and any witnesses W1andW2: distributions on transcripts are computationally indistinguishable. • No polynomial time test can distinguish the two
Example: Hamiltonicity • Common input graph G=(V,E) • L is the language of graphs with Hamiltonian cycles G=(V,E) Lif and only if there is a cycle C=(i1,i2, in) covering all nodes of V once and (ij,ij+1 ) E
Example: Hamiltonicity • Common input graph G=(V,E) • L is the language of graphs with Hamiltonian cycles • WitnessW – a Hamiltonian Cycle C=(i1,i2, in) • Protocol: • Prover P selects a random permutation of the nodes Commits to the adjacency matrix of (G)=((V), (E)) • for each entry separately • VerifierVselects and sends a bit rR 0,1 • Prover P If r=0 then Popens all the commitments and sends If r=1 thenP opens only the commitments corresponding to C • entries ( (ij), (ij+1 )) • VerifierVaccepts if: r=0 and committed graph isomorphic to G r=1 and all opened slots are ’1’
Analysis of Protocol • Completeness: prefect √ • Soundness: if there no cycle in G=(V,E), then • from binding property of the commitment scheme following commitment there is unique graph G’ either P* • Commits to graph G’ non-isomorphic to G • VerifierV rejects if r=0 • Commits to graph G’ isomorphic to G • VerifierV rejects if r=1 ProbabilityV accepts is bounded by ½ • Can reduce the error by repetition • Sequential • Parallel
Obtaining Witness Indistinguishability • Key property: the distribution of the values opened in Step 3 is an efficiently computable function of • the Graph and • the challenge the verifier V sent in Step 2 for example: it could be a random permutation of 1..n
Witness Indistinguishability Let G=(V,E), with two Hamiltonian cycles C1 and C2 • If there is a verifierV*that can distinguish between the case C1 and C2 are used, • then can use V* to distinguish between commitments to 1(G) and to 2(G) for some permutations 1and 2 • Witness Indistinguishability remains so under parallel execution • Hybrid argument • But what if there is a unique witness?
Zero Knowledge • Each (cheating) verifierV* induces a distribution on transcripts on interaction with P • Zero-Knowledge Requirement: for all verifiersV* there exists a simulator S such that: • simulator S is a pptm (does not get witness W) • for all XLthe distributions on transcripts that V*’ induces and that S produces are computationally indistinguishable. Role of simulator similar to alternative adeversary in semantic security