-
Notifications
You must be signed in to change notification settings - Fork 5
/
2020-1 Cryptographic Protocols.fex
1664 lines (1585 loc) · 62 KB
/
2020-1 Cryptographic Protocols.fex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
mathematical foundations
===
group <G; *>:
non empty set with binary association
(1) * is associative like x*(y*z) = (x*y)*z
(2) e is the neutral element like x*e = e*x = x
(3) x^ is the inverse x*x^ = x^ * x = e
for * commutative (x*y = y*x) then abelian group
for * denoted as +, inverse as -, e as 0 then additive
for * denoted as *, inverse as ^-1, e as 1 then multiplicative
examples:
<Z, +> are integers with addition
<R \ {0}; *> are reals with multiplication
<Z_n; op_n> are integers with operation over modulo
order:
number of elements in G = |G|
ord(x) is least k such that x^k = e
ord(x) |G| (divides group order)
hence also x^|G| = e
cyclic:
if finite group has generator <g>
such that G = {g^0, g^1, ...}
isomorphic:
if bijection v:: G -> H exists such that
v(x * y) = v(x) * v(y)
groups are "the same", only element name differs
construct groups:
<Z_m*; *_m> as {x element_of Z | 0 <= x < m, gcd(x,m) = 1}
group because gcd(x,m) implies (3); (1), (2) trivial
if m is prime, |G| = m-1 & all entries are generators
if m = pq for p,q primes, |G| = (p-1)(q-1)
modulo:
congruency:
x, y congruent mod (m) if same reminder
hence x-y mod m = 0
inverse:
x*y mod m = 1
hence x*y, 1 congruent mod (m)
coprime:
if gcd(x,y) = 1
can use EEA for a*x + b*y = 1
fermat's little theorem:
x^p = x (for p prime group order)
hence also x^(p-1) = 1
extended euclidian algorithm (EEA):
calculates a*x + b*y = ggt(x,y)
works in two steps
find ggt(x,y):
write x = 1*y + d_1
because x,y known, calculate d_1 trivially
write y = e_1*d_1 + d_2
choose biggest e_1 such that e_1*d_1 <= y
calculation of d_2 again trivial
continue d_1 = e_2*d_2 + d_3, d_2 = e_3*d_3 + d_4, ...
until reminder d_x = 0, hence d_(x-1)
reconstruct a,b:
assuming d5 is 0, hence d4 is ggt(x,y)
write d4 = d2 - e3*d3
replace d3 with d1 - e2*d2
continue until no more d* on the left
you end up with a*x + b*y
properties:
a*x mod m = 1
hence a is inverse of x
any a, a' that fulfill a*x mod m = 1 are congruent
RSA:
generate public key k_pub, private key k_priv
messages x encrypted with k_pub can be decrypted with k_priv
pair generation:
choose primes p,q
get m = pq, phi = (p-1)*(q-1) = |Z_m|
choose e such that gcd(e,f) = 1
use EEA to get d*e + k*phi = 1
(n, e) as public key, (n, d) as private key
message transfer:
encryption with x^e = c
decryption with c^d = x^(e*d) = x^(-k*phi+1) = x
because x^phi = 1 due to phi = ord(|Z_m|)
security:
assumption that it is hard to factor m into p,q
only known to be hard in some models of computation
needs to be randomized for real applications
chinese remainder theorem (CRT):
given x mod m1 = a1, x mod m2 = a2, ...
there is unique x <= M = m1 * m2 * ...
unique solution:
let M_i = M / m_i, hence gcd(Mi, mi) = 1
then M_i mod m_j = 0 for j!=i
for N_i inverse of M_i
solution x = sum_of a_i*M_i*N_i mod M
example:
given equations in form x mod n_i = a_i
like x mod 3 = 2, x mod 4 = 5, x mod 7 = -3
calculate M = mul_of(n_i)
like M = 3*4*7 = 84
find inverse Ni of M/n_i * N_i mod n_i = 1
like 84/3 * N_i mod 3 = 1 => N_i = 1
like N_1 = 1, N_2 = 1, N_3 = 3
calculate x = sum_of a_i*M_i*N_i mod M
like x = 2*28*1 + 5*21*1 + -3*12*3 mod 84 = 53
isomorphic groups:
for m = pq <Z_m*,*_m> isomorphic to <Z_p* x Z_q*, *_pq>
CRT allows to prove this isomorphism
for p=3,q=5, hence m=15
7 -> (1,2) with (7 mod 3, 7 mod 5)
(1,2) -> 7 with CRT on x mod 3 = 1, x mod 5 = 2
quadratic residue (QR):
numbers which are the result of a square
else called a quadratic non-residue (QnR)
a is QR iff there_is r such that r^2 mod m = a
QnR * QR = QnR; QR*QR = QnR*QnR = QR
find QRs:
square each number from 1 up to (m+1)/2 for Z_m
calculate negative equivalent for > (m+1)/2
for root 5, n = 14 => 14 - 5 must also be a root
number of QRs:
exactly (p-1)/2 for |Z_p*| = p-1
hence each QR has two square roots r,r'
it holds that r mod p = r' mod p
legendre symbol:
(a/p) (written as a fraction)
1 iff a QR over mod p
0 iff a divides p over mod p
-1 iff a QnR over mod p
satisfies multiplication rules
euler's criterion:
(a/p) = a^((p-1)/2)
because (x^2)^((p-1)/2) = x^(p-1) = 1 (fermats little theorem)
it can be shown that all other numbers must equal -1
for p=5 (p-1)/2 = 2
1 -> 1^2 = 1, 2 -> 2^2 = 4, 3 -> 3^2 = 9, 4 -> 4^2 = 16
verify that this indeed results in 1, -1, -1, 1
four square roots for Z_m*:
for m = pq <Z_m*,*_m> isomorphic to <Z_p* x Z_q*, *_pq>
implies that r^2 = a <=> (R_p(r^2), R_q(r^2)) = (R_p(a), R_q(a))
hence four square roots for each QR in Z_m*
for p=3,q=5, (1,4) are QR in Z_3, Z_5; hence 4 is QR in Z_m
QR breaks RSA:
assume A, which given a can calculate r^2 = a mod m
B chooses random r, asks A to solve a = r^2
A returns either r' = r or -r (randomly, bc a hides info about r)
if A returns r' == r, B has to abort (hence success p only 1/2)
else B calculates gcd(r+r', m) to get one of the primes
works bc (r-r')(r+r') = 0, each being a multiple of one of primes
two dimensional polynomials:
of the form f_00 + f_01x + f_10y + f_11xy + ...
fact 1:
f(x, y_0) is one-dimensional polynomial of degree t
because (f_00 + f_01*y0 + ...)x^0 + (f_10 + f_11*y0 + ...)x^1 + ...
fact 2:
(t)^2 values, t combinations uniquely define polynomial of degree d = t-1
choose d x values, and d y values
choose z_ij for each x/y combination
construct polynomial with lagrange-interpolation
show the polynomial in this form can only exist once
language L classification:
using turing machine (TM) model
for input z, s(z) measures number of steps
t(n) = max{s(z) for all |z| <= n}
halting problem in neither of the presented languages
P:
given candidate
membership in L can be efficiently decided
"there is poly-time TM deciding L"
for all z element_of {0,1}* there_is efficient A(z)
such that iff z element_of L then A(z) = 1 else 0
NP:
given candidate & proof ("witness")
membership in L can be efficiently accepted/rejected
"there is non-deterministic poly-time TM accepting L"
for polynomial p, poly-time computation o(candidate, proof) -> accept/reject
such that iff z element_of L then x exists |x| < p(|z|)
with o(z, x) = 1 (soundness)
else o(z, x) = 0 (correctness)
NP-hard:
any NP language can be solved with this language
hence at least as hard as NP, potentially harder
for any L' element_of NP, L' can be efficiently reduced to L
NP-complete:
in NP and NP-hard
useful because NP-hard also include harder problems than NP
IP:
efficiently verifiable interactive proof of membership exists
superset of NP bc interactive proofs more general concept than non-interactive
PSPACE:
only polynomial space used (no constraint on time made)
"there is TM that uses only poly memory"
proven to include same problems as IP
IP subset_of PSPACE bc can construct polynomial tree with all transcripts
algorithm classifications:
efficient if running time grows at most polynomial with input size
unbounded if running time arbitrary
randomized/probabilistic if access to uniformly random bits
deterministic if no access to uniformly random bits
function classification:
polynomial:
it grows slower than some polynomial
starting at some n,
if there_is c, n_0 for_all n > n_0
such that f(n) <= n^c
negligible:
decreases faster than inverse of every polynomial
if for_all c, there_is n_0, for_all n > n_0
such that f(n) <= 1/(n^c)
other notions possible
but should stay negligible if repeated efficiently ofen
noticeable / non-negligible:
grows faster than inverse of some polynomial
if there_is c, n_0 for_all n > n_0
such that f(n) >= 1/(n^c)
overwhelming:
grows infinitely
1-f is negligible
calculation rules:
polynomial * polynomial = polynomial
polynomial * negligible is negligible
polynomial * noticeable might be overwhelming
decision problem:
problem with answer accept/reject
like existence of hamiltonian cycle, isomorphims of graphs, ...
as formal language L:
instances of problem as bitstring
bitstring z element_of L iff decision true
proofs
===
primality proof:
for small n, simply do table lookup
else decompose n-1 into p1, p2, ...
find a such that a^(n-1) mod n = 1
and a^(n-1)/p_i mod n != 1
then recursively proof primality for all p_i
proof system:
statement & proof each are a string over finite alphabet
semantics define which statements are true
verification function calculates (statement, proof) -> (accept or reject)
non-prime proof example:
verification function checks if proof divides statement
statement = 12, proof = 3, output = accept
requirements:
soundness (only true statements have proofs)
completeness (every true statement has a proof)
efficient verifiability (verification efficiently computable)
potential criteria:
efficiency (for prover/verfier, messages & rounds)
generality (which type of statements can be proved)
leakage (what kind of information prover has to share with peggy)
type of security (information theoretic, based on RSA, based on DL, ...)
"what" proof types:
proof of knowledge:
proof some knowledge exist
like i know for sudoku X the solution Y
proof of statement:
proof a statement, may follows from knowledge
like sudoku X has solution Y
"how" proof types:
static proof:
prover and verifier know statement s
prover sends proof p to verifier
verifier accepts/rejects (s,p) combination
interactive proof:
proof string replaced by interaction with unbounded prover p
both prover & verifier are probabilistic
verifier/provers may deviate from the protocol
at the end of interaction, verifier accepts/rejects
interactive proof:
proof for language L as pair of probabilistic algorithms (P,V)
if z element_of L then V accepts with at least p=3/4
if z not_element_of L then V accepts with at most q=1/2
p and q can be arbitrary, but they must be 0 < q < p <= 1
language membership:
transcript of deterministic P,V serves as NP witness
bc deterministic implies only single x witness exists
transcript of P,V with q=0 serves as NP witness
bc q=0 implies no wrong witness, p>q implies some witness
prover properties:
can be deterministic (as powerful as indeterministic)
but deterministic can not be zero-knowledge
if poly-time required, then only "interactive argument"
verifier properties:
randomized (else prover can be constructed trivially)
efficient (running time polynomial in |z|)
parallelization:
can execute n rounds in parallel
only remains zero-knowledge if #rounds = O(log (n))
interactive proof applications:
identification protocols:
prover is able to identify itself to verifier
use hard problem (like hamiltonian graph, public key)
and prove knowledge about solution (hamiltonian cycle, private key)
must choose sufficiently hard but still efficient problem
NP not sufficient bc some instances may be easily solvable
first practical implementation by fiat-shamir
fiat-shamir heuristic:
replace interactive proof with non interactive one
by calculating verifier input from hash function
then sending all messages at once to verifier
needs hash function to be random oracle (truly random results)
hence lives in the random oracle model (ROM)
but very useful in practice, because constructable from many problems
digital signatures:
construct digital signature using the fiat-shamir heuristic
choose random instance z of NP problem with witness x
to sign message m, generate randoms t1, t2, ... (sufficiently many)
generate c1, c2, ... from hash(t1, t2, ..., m)
generate answers r1, r2, ...
signature then is (t1, t2, ...; c1, c2, ...; r1, r2, ...)
assumption that c1, c2, ... can not be sufficiently influenced to cheat
proof of knowledge:
for string z, proof x
Q(z,x) = true iff x proofs knowledge of z
requirements:
completeness:
V accepts if P knows some x
such that Q(z,x) = true
soundness:
there exists knowledge extractor K
which interacts with some P which V accepts noticeable
and then outputs valid secret x
(K can rewind P = restart with same randomness)
properties:
2-extractability:
if from two accepted rounds
with outputs (t,c,r) & (t,c',r') and c != c'
secret x can be efficiently computed
for 1/|C|^s (s=#rounds) negligible compared to input length |z|
three-move:
protocol consists of exactly three moves
P -> V some start value
V -> P some challenge
P -> V result calculated with challenge relative to start value
knowledge extractor example:
for s-round 2-extractable 3-move protocol with negligible 1/|c|^s
(1) choose l uniformly at random
(2) generate two executions with same l
(3) iff V does not accepts both restart, else stop
soundness:
use first round with c != c' to get x (2-extractability)
in first such round, t = t' bc prover randomness fixed
efficiency:
for p probability V accepts
E[f(l)] = p for f(l) probability V accepts using random l
E[f(l)^2] >= (jensens inequality) E[f(l)]^2 = p^2 for two executions
because 1/|c|^s negligible, protocol execution equal can be ignored
hence runs in polynomial O(1/p^2) for p noticeable
witness-hiding & witness-independence:
if proving zero-knowledge not possible
show that verifier can not impersonate prover
witness-hiding:
no poly-time verification V after verification with P
can itself act as prover for another verifier V'
witness-independent:
if for all z, all V'
distribution of transcript is identical for each witness
witness-independent => witness-hiding:
if hard to generate (z, w, w') for w != w'
but easy to generate (z, w)
then witness-independence implies witness-hiding
zero-knowledge:
for protocol (P,V) resulting in transcript T
show simulator S exists which outputs indistinguishable transcript T'
for both proof of statements / knowledge
requirements:
complete (true statements have proof)
soundness (only true statements have proof)
some classification of zero-knowledge
proof checks:
completeness by inspection
soundness by showing that knowledge extractor exists / 2-extractable
zero-knowledge by showing c-simulatability & poly-space C
zero-knowledge classification depending on powers of verifier
distinguisher A:
tries to differentiate T and T'
hence tries to decide "Y" on Y -> y / "X" on X -> x
advantage given by P_X[A(x) = "X"] - P_Y[A(y) = "Y"]
indistinguishable level:
perfect (exact same distribution; like P_X = P_Y; advantage = 0)
statistical (difference is negligible)
computational (difference for poly-time algorithms negligible)
c-simulatability:
(for t random input prover, c challenge verifier, r response prover)
if for any c, a triplet (t,c,r) can be generated
with same distribution as in a real execution of the protocol
hence it holds that P_TR|C = p_T * p_R|TC
for example given c, choose r uniformly, then generate t
"conditional distribution P_TR|C is efficiently samplable"
zero-knowledge classifications:
proof checks:
no challenge publishes the secret or any value leading to it
no dishonest verifier learns new information (then only HVZK)
size of challenge space must be polynomial
honest-verifier zero-knowledge (HVZK):
verifier used to generate T' must be honest
honest V chooses challenge independently of m
weaker than (perfect) ZK
zero-knowledge (ZK):
for all polytime V', input z, there is poly-time simulator S
such that transcript T and T' are indistinct
must also hold for dishonest prover
which picks challenge dependent on previously seen messages
black-box zero-knowledge (BB-ZK):
there is single poly-time simulator S for all polytime V', input z,
with S having rewind access to V
such that transcript T and T' are indistinct
hence stronger than (perfect) ZK bc only single simulator needed
construct ZK simulator for dishonest V:
V chooses challenge c depending on previously seen messages
determines c_i it wants to do choose the next round
uses honest verifier V' to generate transcript
if transcript used c_i, then accept; hence repeat round
V is still efficient; expected runtime is 1/|c| (hence polynomial)
zero-knowledge proofs:
proof that simulator with same distribution exists & is efficient
3-move distribution:
for prover random t, verifier challenge c, prover reply r
both t and c chosen uniformly at random
then prover chooses r depending on t and c
hence expected distribution is p_T * p_C * p_R|TC
dishonest verifier may choose c based on t, hence p_C|T
(1) 3-move c-simulatable protocol => HVZK:
honest verifier chooses c with p_C
then generate t & r with p_TR|C
due to c-simulatability same distribution as expected
(2) HVZK 3-move with poly |C| => BB-ZK:
S generates triplet (t,c,r) with HVZK property
(hence distribution d1 = p_T(t) * p_R|CT * 1/|C|)
then invokes verifier with t, getting c'
(we assume dishonest verifier, hence d2 = d1 * p_C|T)
if c' equals c, then output triplet; else restart
(probability e = 1/|C|, bc other terms are summed up)
hence distribution is d2 / e = p_T * p_C|T * p_R|TC
efficient bc polynomial runtime / success probability e
(3) sequence of BB-ZK is BB-ZK:
build a simulator that uses the simulator of the respective sequence
s rounds of c-simulatable 3-move with poly |C| => ZK:
poly |C| is needed bc else could not generate transcripts for all challenges easily
bc of (1), subprotocol HVZK
bc of (2), subprotocol BB-ZK
bc of (3), protocol BB-ZK
bc BB-ZK stricter than ZK, it follows that ZK
3-move HVZK with uniform challenge => c-simulatable:
construct (P',V') using HVZK (P,V)
P sends t to P'
P' chooses c'' and sends (t, c'') to V'
V' chooses c' and sends it to P'
P' sends c = c' + c'' to P
P answers with r to P', which forwards to V'
V' accepts/rejects (t, c'+c'', r)
c-simulatable bc P' can simulate for any c
by choosing c'' = c + c'
zero-knowledge discrete math examples:
fiat-shamir:
given m as RSA modulo, z element_of Z_m*
proof knowledge of x such that x^2 mod m = z
protocol:
prover and verifier know z
prover knows x such that x^2 mod m = z
prover picks random k element_of Z_m*
prover sends t = k^2
verifier sends c element_of {0,1}
prover sends r = k * x^c
verifier checks that r^2 = t * z^c
proof:
c=0 works because r^2 = k^2 = t
c=1 works because r^2 = k^2*x^2 = t * z
extractability:
get r_0 = k, r_1 = k * x -> extract x
guillou-quisquater:
given m as RSA modulo, z element_of Z_m*, e
proof knowledge of e-th root of x, such that x^e = z
protocol:
prover & verifier know z, e
prover knows x such that x^e = z
prover picks random k element_of Z_m*
prover sends t = k^e
verifier sends c element_of {0,1, ..., e-1}
prover sends r = k * x^c
verifier checks that r^e = t * z^c
proof:
works because r^e = k^e * x^(c*e) = t * z^c
extractability:
get r_c = k * x^c, r_d = k * x^d
let ggt(c-d, e) = (c-d) * a + e * b = 1
then x = (r_c / r_d)^a * z^b
schnorr:
given cyclic group H, generator h, prime order q, z element_of H
proof knowledge of discrete logarithm x of z
protocol:
prover and verifier know z
prover knows x such that h^x mod m = z
prover picks random k element_of Z_q*
prover sends t = h^k
verifier sends c element_of Z_q*
prover sends r = k + x*c
verifier checks that h^r = t * z^c
proof:
h^r = h^(k+x*c) = t*z^c
extractability:
r_c = k + c*x, r_d = k + d*x
x = (r_c - r_d) / (c - d)
one-way group homomorphism (OWGH):
f :: G -> H such that [a * b] = [a] x [b] (f written as [])
examples:
exponential:
G = H = <Z_m*, *>, [a] = a^e
for example [a*b] = (a*b)^e = a^e * b^e = [a] * [b]
logarithmic:
G = <Z_q, +>, H = <h>, [a] = h^a
for example [a+b] = h^(a+b) = h^a * h^b = [a] * [b]
pre-image proof of knowledge (OWGH PoK):
given groups G and H as one-way homomorphism f(x+y) = f(x) * f(y)
proof knowledge of pre-image x element_of G of z element_of H
protocol:
prover & verifier know z element_of H
prover knows x element_of G such that [x] = z
prover picks random k element_of G
prover sends t = [k]
verifier sends c element_of Z_+
prover sends r = k * x^c
verifier checks that [r] = t * z^c
proof:
works because [r] = [k] * [x]^c = t * z^c
two-extractability of OWGH PoK:
requirement:
if there_is l and u element_of G
(1) for all c1 != c2, gcd(c1 - c2, l) = 1
(2) [u] = z^l
proof:
let [r1] = t * z^c1, [r2] = t * z^c2
then x' = u^a + (r1/r2)^b
for gcd(c1-c2, l) = (c1-c2)*a + l*b = 1
works because u = z^l and r1/r2 = z^(c1-c2)
instantiation:
choose appropriate homomorphism for []
prove that it holds by showing f(x * y) = f(x) * f(y)
define poly-bound C (for example Z_q)
argue that s (number of rounds) such that 1/|C|^s
choose l which is co-prime to all c1, c2
define u such that [u] = z^l (usually something with z)
schnorr:
by definition G = Z_q, H = <h>, |H| = q, q is prime, [x] = h^x
choose l = q, hence u = 0
(1) gcd(c1 - c2, q) = 1 (bc q is prime)
(2) [0] = h^0 = 1 = z^q (bc of identity)
guillou-quisquater:
by definition G = H = Z_m*, [x] = x^e
choose l=e, hence u=z
(1) gcd(c1 - c2, e) = 1 (bc e is prime)
(2) [z] = z^e = z^l
zero-knowledge NP problem examples:
ZK proof of NP-complete problem allows to do ZK for arbitrary NP
sudoku:
proof that solution is known without revealing it
protocol:
peggy places three cards per field with correct number
numbers visible if preset, hidden if part of solution
vic chooses for all column, row, cell one of the tree cards
(hence board empty at the end of the move)
gives the cards for each column, row, cell face-down to peggy
peggy shuffles each deck and returns them to vic
vic controls that each deck is valid
soundness:
1/3 that proof succeeds although sudoku wrong
because have to pick the correct out of three cards
sudoku (using ZK for equality):
proof that solution is known without revealing it
uses type B commit protocol
uses ZK proof to show some blob of commitments are equal
protocol:
peggy commits to every cell of the sudoku solution (1)
peggy commits to 1..n for every row/column/subgrid (2)
vic chooses challenge c = 0 or c = 1
if c == 0 then peggy opens (2) and preprinted values of (1)
vic checks that (2) consistent & (1) correct
if c == 1 then peggy use ZK to show (1) equals (2)
proof:
completeness (bc peggy can answer both c if solution known)
soundness (approx. 1/2 that peggy succeeds if solution unknown)
only approx. 1/2 bc could cheat in ZK proof with negligible p
proof of knowledge bc of 2-extractability
get triplets (t, c, r) and (t, c', r'); one opens (2)
the other proves how opened values relate to (1) values
zero-knowledge bc of c-simulatability
commit as usual choosing random values for sudoku solution
for c=0 simply open (trivially correct)
for c=1 use simulator of ZK protocol
bc commitment is computational hiding
simulator output is computationally indisting
graph isomorphism:
given two graphs G_0 and G_1
proof that G_0 and G_1 are isomorphic
protocol:
prover & verifier know G_0, G_1
prover knows o such that G_1 = o * G_0 * o^-1
prover picks random permutation pi
prover sends T = pi * G_0 * pi^1
verifier sends c element_of {0,1}
prover sends p = pi (for c=0)
or p = pi * o^-1 (for c=1)
verifier checks that T = p*G_0*p^-1 (for c=0)
or T = pi*G_1*pi^-1 (for c=1)
proof:
c=0 works because of construction of T
c=1 T = pi * o^-1 * G_1 * o * pi^-1 = pi * G_0 * pi^-1
zero-knowledge:
no; V now knows if G_0 and G_1 are isomorph
graph non-isomorphism (GNI):
given two graphs G_0 and G_1
proof that G_0 and G_1 are not isomorphic
protocol:
prover & verifier know G_0, G_1
verifier picks random pi and b element_of {0,1}
verifier sends T = pi * G_b * pi^-1
prover sends r=0 if T ~ G_0
or r=1 if T ~ G_1
verifier checks that r = b
zero-knowledge:
only HV-ZK
else V chooses arbitrary graph K to learn if isomorph
three graph extension:
with three graphs, verifier permutes each graph
then sends triple shifted by random factor
prover must be able to tell shift factor
only HK-ZK, bc else learn shift factor
graph coloring:
proof of statement
given graph G
proof that a k-coloring exists
protocol:
verifier picks random pi (bijection on vertices)
verifier applies pi to vertex color map f to get f'
verifier creates commitment for all f' & sends to prover
prover sends edge (i,j) to verifier
verifier opens commitments to C_i, C_j
prover accepts if committed color is different
zero-knowledge:
yes, because c-simulatability given
hamiltonian cycle (hc):
given graph G_0
proof that G_0 has closed path visiting each node exactly once
adjacency matrix:
matrix with 1 where directed graph has edge
select exactly one 1 in each row/column for hc
protocol:
prover picks random permutation pi
verifier picks c element_of {0,1}
if 0, prover uncovers whole adjacency matrix
verifier checks permutation is valid
if 1, prover uncovers 1 in each column/row (hence cycle)
verifier checks in each column/row exactly one 1
=> unclear how to simulate "uncover"
proof:
check completeness by inspection
both c=0 and c=1 fulfillable by peggy
soundness when knowledge extractor exists
negligible, C witness, 2-extractable all given hence KE exists
2-extractable because with both responses can reconstruct answers
zero knowledge when simulator can output transcript
for c=0 choose random permutation
for c=1 choose H all 1's; open random HC
commitment must be type H (for c=1 case)
boolean circuit:
lower reduction overhead than hc bc more cases representable
computes fulfilment of boolean circuit
let input bits flow through scrambled truth tables
after truth table add masking bit (0 or 1 mask)
scramble truth table:
(1) on each wire, choose random bit and XOR input/output
hence if bit 1, invert truth table input column from wire
and truth table result / input bit leading to wire
(2) permute rows of truth table randomly
protocol:
peggy permutes truth tables of whole circuit and commits
then computes result of permuted circuit
if vic chooses c=0 then peggy reveals circuit & random bits
hence peggy verifies the permutation was applied correctly
if vic chooses c=1 then peggy reveals masked input bits & hit rows in tables
then peggy verifies that hit rows indeed give asserted result
proof:
completeness by inspection
soundness; for c=0 open blobs, then use c=1 to get valid row assignments
recover original input values bottom-up
zero-knowledge because c-simulatable
for c=0, scramble circuit, send all blobs & open all
for c=1, set to all 1 in output, then open random rows
boolean circuit 2:
use zero knowledge proofs of equality instead of blinding bits
gate protocol:
P randomly permutes function table and commit to elements
V chooses c = 0 or c = 1
if c = 0 then P opens all commitments of table
V checks if valid permutation
if c = 1 then P proofs ZK that blobs of matching row equal
protocol:
P commits to all bits on wire
P uses gate protocol to show V that gates correct
protocol foundations
===
attackers:
share state with all other attackers
passive attacker must follow protocol
active attacker may deviate
usually constraint protocol to max t attackers
security:
information theoretical:
no assumptions like RSA, one-way functions
proof scheme only breakable with negligible probability
usually assume authenticated, complete, synchronous network
cryptographic:
assume primitives to be secure based on hardness assumption
oblivious transfer (OT):
property on channel
between sender -> trusted party -> receiver
all variants equivalent
all variants have string (instead of bit) variation (OST)
rabin-OT:
sender sends s to TTP
TTP only forwards s in 50%, else bottom
1-2-OT:
sender sends s_0, s_1 to TTP
receiver send i to TTP for i = {0,1}
TTP forwards selected s_i to receiver
1-k-OT:
sender sends s_0, s_1, ... to TTP
receiver send i to TTP for i = {0,1, ...}
TTP forwards selected s_i to receiver
1-2-OT => 1-k-OT:
do k rounds, with each round random r_i and value c_i
each round, send e_i, r_i over 1-2-OT
for e_i = c_i XOR with all r_(i-1)
hence receiver pick randoms until at round i with c_i
now can decrypt r_i to c_i (because knows all r_(i-1))
but does not learn r_i (hence can not decrypt any later value e_(i+1))
1-2-OT => rabin-OT:
choose i element_of {0,1}
send b_i = b, b_(i-1) = 0 over 1-2-OT
send i
if receiver picked correct b_i, now learns b
else learns nothing (and knows it, bc i != receiver picked i)
rabin-OT => 1-2-OT:
transfer k random bits r_i with rabin-OT (for k security parameter)
receiver learns expected 1/2 of these r_i
receiver chooses random c
receiver forms T_c = {index where received}, T_(c-1) = {index where not received)
receiver sends T_0 and T_1 to sender
sender XOR r_i for all in T_0 (=t_0) and same T_1 (=t_1)
sender sends e_0 = t_0 XOR b_0, e_1 = t_1 XOR b_1
now receiver can decrypt e_c with XOR t_c
guarantees:
recipient learns only one of the strings
sender does not know which one
1-2-OST with RSA/AES:
sender has secrets s0, s1; shares one with receiver
generate two pairs of RSA (n, e, d) for n similar
sender sends (n_0, e_0) and (n_1, e_1) to receiver
receiver chooses random r
receiver sends back u = r^(e_b) for some b = {0,1}
sender calculates k = u^(d) for both d
sender calculates y = AES_k(s) for both s
sender sends y0, y1 to receiver
receiver gets s_b = AES_decrypt_r(y_b)
works because r^(e_b)^d = r for correct d
=> can be generalized to 1-k-OST
secret sharing scheme:
dealer D shares secret s among parties P
qualified subset of P reconstruct s (without needing D)
access structure L defines who is able to reconstruct
definition:
for protocol (share, reconstruct)
with parties P, access structure L
(1) after share, there is a unique value s'
where s' = s of dealer if dealer honest
(2) after reconstruct(M), iff M subset_of L, M knows s'
(3) after share, all M' not_subset_of L do not know s'
(1),(2) for correctness, (3) for privacy
for L = {P}:
n parties, L = {P} (hence all parties required for secret)
(share) send random xi to Pi such that sum_of xi = s
(reconstruct) all parties send each other xi
for L = arbitrary:
n parties, L = arbitrary
(share) for each M element_of L
send random xi to Pi such that sum_of xi = s
(reconstruct) parties element_of M send each other specific xi
(hence parties receive multiple xi if in multiple M)
linear sharing scheme:
if secret s and randoms r_1, ..., r_m
can be used to calculate player secrets s_1, ..., s_n
define as matrix multiplication with A as m*n "decompose-matrix"
[s_1, s_2, ...] = [A_10, A_11, ...; ...; ..., A_nm] * [s, r_1, ..., r_m]
shamir's secret sharing scheme:
n parties, L = {any M for |M| >= k}
hence k parties needed for reconstruction
polynomial construction:
construct polynomial f of degree d = k-1 with secret s at f(0)
hence of the form f(x) = s + a_1 * x + a_2 * x^2 + ... + a_(k-1) * x^(k-1)
for a_i picked randomly
matrix A looks like [...; 1, a_i, a_i^2; ...] ("van der monde matrix")
lagrange:
for y_i(x) = mul_of((x - a_i)/(a_i - a_j)), s_i = f(a_i)
f(x) = sum_of(y_i(x) * s_i)
hence allows to calculate value at x with (a_i, s_i) tuples
for polynomial of degree k, k tuples needed
protocol:
(share) choose f with degree d with f(0) = secret
choose n points a_i on f such that a_i != 0
send (a_i, s_i) for s_i = f(a_i) to each party P_i
(reconstruct) send (a_i, s_i) to P
P reconstructs s with lagrange interpolation on x = 0
note that points a_i can be public; only s_i must be party private
analysis if definition holds:
(1) bc f provides single secret at f(0)
(2) bc with k shares, lagrange can output value
(3) bc with < k shares, any secret still compatible
=> degree must be d = k-1 for (3) to hold
violate privacy with k-1:
construct d-1 polynomial g out of k-1 shares
now know that g(0) is not real value
bc else g would be equal to real polynomial
broadcast & consensus
===
known thresholds:
for crypto, t < n (but consensus undefined for t >= n/2)
for theoretic, t < n/3
broadcast:
single sender sends message to many receivers
input x; output y1, y2, ...
definition:
(of course only need to hold for honest players)
consistency (y* all equal)
validity (if sender honest => y* = x)
termination (y eventually received)
behaviour:
players output same y*
sender honest => players output y*=x
consensus:
many players agree on single value of majority
input x1, x2 ...; output y1, y2, ...
undefined for t >= n/2 (because majority unclear)
"pre-agreement" if all honest provide same input
definition:
(of course only need to hold for honest players)
consistency (y* all equal)
persistency (if all honest same input x => y* = x)
termination (y eventually received)
behaviour:
players output same y*
pre-agreement => players output y*=x
consensus vs broadcast:
given consensus, construct broadcast:
P1 sends x to all Pj which receive xj
(y1, y2, ...) = consensus(x1, x2, ...)
Pj output yj
given broadcast, construct consensus:
Pi broadcast xi
yj = majority of received xi
Pj output yj
construction:
weak -> graded -> king -> "normal" consensus
then broadcast is archived
weak consensus:
players output (y_i or bottom) such that all y_i are equal
input x1, x2 ...; output y1, y2, ...
properties:
weak consistency (all y* equal or bottom)
persistency (if all honest same input x => y* = x)
termination (y eventually received)
protocol:
send xi to every Pj
if (#zeros >= n-t) then yj=0
else if (#ones >= n-t) then yj=1
else yj=bottom
return yj
proof weak consistency:
if Pi outputs 0, it received >= n-t zeros
hence Pj received >= n-2t zeros (bc at most t malicious)
hence Pj received <= 2t < n-t ones
graded consensus:
input x1,x2,...; output (y1, g1), (y2, g2),...
for g grade, "how secure I am with this choice"
properties:
graded consistency (if some p has (y, g=1) => y* = (y, *))
graded persistency (if all honest same input x => y* = (x, 1))
termination (y eventually received)
protocol:
(z1, z2, ...) = weak_consensus(x1, x2, ...)
Pi sends zi to all Pj
if (#zeros >= #ones) then y = 0 else y = 1
if (#y >= n-t) then g = 1
return (y, g)
proof graded consistency:
assume party outputs (0, 1) (hence #zeros >= n-t)
then for others (#zeros >= n-2t) > (#ones <= t)
because weak consensus implies no honest party published ones
king consensus:
take own value if sure, else take kings value
input x1, x2, ...; output y1, y2, ...
properties:
king consensus (if king correct => y* = y)
persistency (if all honest same input x => y* = x)
termination (y eventually received)
protocol:
((z1,g1), (z2, g2), ...) = graded_consensus(x1, x2, ...)
Pk (king) sends (zk, gk) to all Pj
for all Pj if (gj = 1) then y = zj else y = zk (kings value)
return y
proof king consistency:
assume king is honest
for g_j = 0, then take kings value
for g_j = 1, then all honest have same value (bc graded_consensus)
hence in both cases, king's value is taken
consensus:
do kings consensus t+1 times; giving output as input again
first honest king archives consensus (due to king consensus)
consensus is kept until the end (due to persistency)
protocol:
(repeat t+1 times for t+1 different kings)
(x1, x2, ...) = king_consensus(x1, x2, ...)
impossibility for P=3, t=1:
if honest players both input 1, must decide 1
if honest players both input 0, must decide 0
if honest players have different input, must decide on same
honest player can not differentiate situations
hence can not fulfil consistency / persistency at same time
formal proof:
assume consensus protocol for n=3, t=1
assume three programs pi_i (x_i => y_i), used by player P_i
each program has two channels for input/output to other player
attacker corrupts some player P_i, starts programs & connects channels
makes different cases (with different required output) look like the same
c1 = (P1 compromised, x_2 = 1, x_3 = 1) -> output 1
c2 = (x_1 = 0, P_2 compromised, x_3 = 0) -> output 0
c3 = (x_1 = 0, x_2 = 1, P_3 compromised) -> output y_1 = y_2
for c1, starts pi_1, pi_3 with both input 0
for c2, starts pi_2, pi_3 with both input 1
for c3, starts pi_3, pi_3 with input 0 and 1 respectively
in each case, connects programs such that same layout produced
commitment schemes
===
peggy P commits to value x towards vic V
P can open x at some point in the future
definition:
P inputs x in COMMIT
V outputs x' in OPEN
properties:
binding (after commit, x is fixed)
hiding (with commit, V does not learn x)
"non-exploitable" information; total security not required
correctness:
if vic honest, x' element_of {x, bottom}
if both honest, x' = x
trivial implementations:
hash function h:
send h(x) to V (COMMIT)
send x to V (OPEN)
but same value can only be committed to once