Post on 05-Aug-2021


Introductory Zero-Knowledge Proof and its Extension to Boolean-Proof

Hiroaki ANADA

Dept. of Pure Mathematics, University of Calcutta

18 Dec 2015

1. Introductory Protocol of Zero-Knowledge Proof

Thief-Cop Protocol (a variant of [0])

[0] “How to Explain Zero-Knowledge Protocols to Your Children”, Quisquater and Guillou, http://pages.cs.wisc.edu/~mkowalcz/628.pdf

Long, long ago, Thief was chased by Cop

• Went into a cave
• Two paths
• Door...
• Cop lost Thief..
• Thief used a magic word(!) to open & go through

The other day, Thief was chased by Cop

• Went into a cave
• Two paths
• Door...
• Cop lost Thief..
• Thief used a magic word(!) to open & go through

One day, finally Thief was caught by Cop

• Cop asked Thief for the magic word,
• but he refused…
• So, Cop asked:

Prove that you know the magic word

Prove that you know the magic word

• “Choose one path, Left / Right while I am away”
• Maybe, Thief chooses Left / Right at random
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””

Cop: “Left” w. prob. 1/2, “Right” w. remain. prob. 1/2

Thief-Cop Protocol

• “Choose one path, Left or Right while I am away”
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””
• By using the magic word, Thief always succeeds

“COMPLETE”

Thief-Cop Protocol

• “Choose one path, Left / Right while I am away”
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””
• Suppose Thief does not know the magic word. After t trials, Thief succeeds only with neg. Prob. = (1/2)^t → 0 (t → ∞)

“SOUND”

Thief-Cop Protocol

• “Choose one path, Left / Right while I am away”
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””
• Cop gets no info. on the magic word

“ZERO-KNOWLEDGE”

Thief-Cop protocol: Summary

1. COMPLETE
2. SOUND
3. ZERO-KNOWLEDGE

Under Three Properties: Protocol of Zero-Knowledge Proof

[Figure: Cop calls “Left!” or “Right!”, each with Prob. = 1/2; Iteration...]

2. Fiat-Shamir Protocol of Zero-Knowledge Proof

Fiat-Shamir protocol

• Statement x: “∃w, y = w^2 mod N”; Prover P has (x, w), Verifier V has x

Prover P(x, w)                                   Verifier V(x)
r ∈_R ℤ/Nℤ, a := r^2 mod N        --a-->
                                  <--c--         c ∈_R {1, 0}
If c = 1, z := r·w mod N,
else (c = 0), z := r mod N        --z-->         If z^2 = a·y^c mod N, then accept,
                                                 else reject

Repeat (t-times iteration)

Fiat-Shamir protocol is COMPLETE

• If c = 1, then z = r·w. Therefore, z^2 = r^2·w^2 = a·y^1
• else (c = 0), then z = r. Therefore, z^2 = r^2 = a·y^0
• In both cases z^2 = a·y^c

V always accepts: COMPLETE

Fiat-Shamir protocol is SOUND

• Suppose ∀w, y ≠ w^2 (the statement x is false)
• Then ∀ PPT P*;
• Pr[z^2 ≠ a·y^c] ≥ 1/2, i.e. Pr[V accepts] ≤ 1/2
• When iterated for t times, Pr[V accepts all t times] ≤ (1/2)^t → 0 (t → ∞)

⇒ Wrong statements are not accepted with non-neg. prob.

SOUND

Fiat-Shamir protocol is ZERO-KNOWLEDGE

• For ∀ PPT V*, ∃ S: Simulator:
  S(x): c' ∈_R {1, 0}, z ∈_R ℤ/Nℤ, a := z^2 / y^{c'} mod N
  Send a to V*; if V* returns c = c', Return (a, c, z)
  else Try again
• S generates (a, c, z) without w as if REAL
• On average two trials, because c is ONLY 1 bit

V*'s view is indistinguishable from S's output ☺

ZERO-KNOWLEDGE

Fiat-Shamir protocol is PROOF OF KNOWLEDGE

• For ∀ PPT P* s.t. P* makes V accept, ∃ E: PPT, Extractor:
  E(x): run P*(x) to get a; send c = 1, get z_1; Rewind P*; send c = 0, get z_0
  z_1^2 = a·y, z_0^2 = a, so w := z_1 / z_0 mod N; Return w
• E returns w (employing P*) with non-neg. prob.

PROOF OF KNOWLEDGE

Fiat-Shamir protocol: Summary

1. COMPLETE
2. SOUND
3. ZERO-KNOWLEDGE
4. PROOF OF KNOWLEDGE

Under Four Properties: Protocol of Zero-Knowledge Proof of Knowledge

Prover P(x, w): r ∈_R ℤ/Nℤ, a := r^2; c ∈_R {1, 0}; if c = 1, z := r·w, else (c = 0), z := r
Verifier V(x): if z^2 = a·y^c then accept else reject
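The Fiat-Shamir round, its t-fold repetition, the rewinding extractor and the simulator from the slides above, as an added Python example that is not part of the original deck; the modulus N, the witness W and the derived Y are constructed toy values, and the function names are this example's own.

```python
import secrets
from math import gcd

N = 1009 * 1013            # constructed toy modulus (product of two primes); far too small for real use
W = 123456                 # constructed secret witness w, coprime to N
Y = pow(W, 2, N)           # public value y; statement x: "exists w, y = w^2 mod N"

def prover_commit(n=N):
    """Prover picks r uniformly from the units of Z/nZ and sends a = r^2 mod n; keeps r."""
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return r, pow(r, 2, n)

def prover_respond(r, c, w=W, n=N):
    """Response z = r * w^c mod n: z = r*w when c = 1, z = r when c = 0."""
    return r * pow(w, c, n) % n

def verify(a, c, z, y=Y, n=N):
    """Verifier accepts iff z^2 = a * y^c (mod n)."""
    return pow(z, 2, n) == a * pow(y, c, n) % n

def run(t, n=N):
    """t independent rounds with an honest verifier; a prover without w passes all t
    rounds only with probability at most (1/2)^t."""
    for _ in range(t):
        r, a = prover_commit(n)
        c = secrets.randbelow(2)                 # challenge bit c in {0, 1}
        if not verify(a, c, prover_respond(r, c), n=n):
            return False
    return True

def extract(a, z0, z1, n=N):
    """Knowledge extractor: given two accepting transcripts (a, 0, z0) and (a, 1, z1)
    obtained by rewinding the prover, recover w = z1 / z0 mod n."""
    if not (verify(a, 0, z0, n=n) and verify(a, 1, z1, n=n)):
        raise ValueError("both transcripts must be accepting")
    return z1 * pow(z0, -1, n) % n

def simulate(y=Y, n=N):
    """HVZK simulator: choose c and z first, then set a = z^2 / y^c, so (a, c, z)
    verifies although w was never used."""
    c = secrets.randbelow(2)
    z = secrets.randbelow(n - 2) + 2
    a = pow(z, 2, n) * pow(pow(y, c, n), -1, n) % n
    return a, c, z
```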

3. Guillou-Quisquater Protocol of Zero-Knowledge Proof

No need of the t-times repetition

Guillou-Quisquater protocol

• Statement x = (N, e, y): “∃w, y = w^e mod N”; Prover P has (x, w), Verifier V has x

Prover P(x, w)                                    Verifier V(x)
r ∈_R (ℤ/Nℤ)^*, a := r^e mod N     --a-->
                                   <--c--         c ∈_R {0,1}^k
z := r·w^c mod N                   --z-->         If z^e = a·y^c mod N, then accept,
                                                  else reject

(No Repeat)

• Without w, P* succeeds ONLY WITH neg. Prob. = (1/2)^k: the challenge is not 1 bit, but k bits

Guillou-Quisquater protocol is COMPLETE

• z^e = (r·w^c)^e = r^e·(w^e)^c = a·y^c

V always accepts: COMPLETE

Guillou-Quisquater protocol is SOUND

• Suppose ∀w, y ≠ w^e (the statement x is false)
• Then ∀ PPT P*;
• Pr[V accepts] = Pr[z^e = a·y^c] ≤ (1/2)^k → 0 (k → ∞)

⇒ Wrong statements are not accepted with non-neg. prob.

SOUND

Guillou-Quisquater protocol is Honest-Verifier ZERO-KNOWLEDGE

• For ∀ PPT V honest, ∃ S: Simulator:
  S(x): c ∈_R {0,1}^k, z ∈_R (ℤ/Nℤ)^*, a := z^e / y^c mod N; Return (a, c, z)
• S generates (a, c, z) without w as if REAL
• c: the same dist. as Honest Verifier V

V's view is indistinguishable from S's output ☺

HONEST-VERIFIER ZERO-KNOWLEDGE

Guillou-Quisquater protocol is PROOF OF KNOWLEDGE

• For ∀ PPT P* s.t. P* makes V accept with non-neg. prob., ∃ E: PPT, Extractor:
  E(x): run P*(x) to get a; send c ∈_R {0,1}^k, get z; Rewind P*; send c' ∈_R {0,1}^k (c' ≠ c), get z'
  z^e = a·y^c and z'^e = a·y^{c'}, so (z/z')^e = y^{c−c'} and w := (z/z')^{1/(c−c')} mod N; Return w
• E returns w (employing P*) with non-neg. prob.

PROOF OF KNOWLEDGE

Guillou-Quisquater protocol: Summary

1. COMPLETE
2. SOUND
3. HONEST-VERIFIER ZERO-KNOWLEDGE
4. PROOF OF KNOWLEDGE

Under Four Properties: Protocol of Honest-Verifier Zero-Knowledge Proof of Knowledge

Prover P(x, w): r ∈_R (ℤ/Nℤ)^*, a := r^e; c ∈_R {0,1}^k; z := r·w^c
Verifier V(x): if z^e = a·y^c then accept else reject

Abstraction of Guillou-Quisquater

• GQ-protocol = (Σ1, Σ2, Σ3, Σvrfy) is: HV-ZKPOK with Extractor & Simulator: Σext, Σsim

Prover P(x, w): a ← Σ1(x, w)      --a-->
                                  <--c--    Verifier V(x): c ← Σ2(a)
z ← Σ3(x, w, a, c)                --z-->    If Σvrfy(x; a, c, z) = 1, then accept; else reject

Summary: “Σ-protocol”

• Σ-protocol = (Σ1, Σ2, Σ3, Σvrfy) is: HV-ZKPOK with Extractor & Simulator: Σext, Σsim
• x: statement
• w: witness

Prover P(x, w): a ← Σ1(x, w)      --a-->
                                  <--c--    Verifier V(x): c ← Σ2(a)
z ← Σ3(x, w, a, c)                --z-->    If Σvrfy(x; a, c, z) = 1, then accept; else reject

4. Boolean-proof

“Expressive” Proof-Technique

What is AND-proof?

• Run two Σ-protocols (Σ1, Σ2, Σ3, Σvrfy) in parallel with a single challenge c

Two statements (x1, x2), two witnesses (w1, w2)

Prover P((x1, x2), (w1, w2)):
  a1 ← Σ1(x1, w1), a2 ← Σ1(x2, w2)                 --(a1, a2)-->
                                                   <--c--          Verifier V(x1, x2): c ← Σ2(a)
  z1 ← Σ3(x1, w1, a1, c), z2 ← Σ3(x2, w2, a2, c)   --(z1, z2)-->   Σvrfy(x1, a1, c, z1) ∧ Σvrfy(x2, a2, c, z2)

AND-proof: both w1 and w2
AND-proof protocol: Proving Knowledge of both w1 and w2 for a single AND-formula x1 ∧ x2

HV-ZKPOK

[Figure: x1 ∧ x2, with witnesses w1 and w2 both marked ✔]

What is OR-proof?

• Divide the challenge c with Σsim

Two statements (x1, x2), one witness w1

Prover P((x1, x2), w1):
  a1 ← Σ1(x1, w1)
  c2 ← Σ2(a), (a2, z2) ← Σsim(x2, c2)          --(a1, a2)-->            (Commitment)
                                               <--c--                   Verifier V(x1, x2): c ← Σ2(a)
  c1 := c ⊕ c2
  z1 ← Σ3(x1, w1, a1, c1)                      --(c1, z1, c2, z2)-->    c = c1 ⊕ c2 ∧ Σvrfy(x1, a1, c1, z1) ∧ Σvrfy(x2, a2, c2, z2)

OR-proof: either w1 or w2 or both
OR-proof protocol [1][2]: Proving Knowledge of either w1 or w2 or both for a single OR-formula x1 ∨ x2

HV-ZKPOK & WI

[Figure: x1 ∨ x2, with only witness w1 marked ✔]

[1] “Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols”, Cramer, Damgård, Schoenmakers, CRYPTO’94
[2] “On Sigma Protocols”, Damgård, survey: http://www.cs.au.dk/~ivan/Sigma.pdf

WI: witness indistinguishable; “Which one was used, (w1, −) or (−, w2)?” ⇒ “Indistinguishable” ☺
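The GQ protocol written as the Σ-protocol tuple (Σ1, Σ2, Σ3, Σvrfy, Σsim) from the abstraction slides, and the OR-proof above built on it with c = c1 ⊕ c2, as an added Python example that is not from the original deck; N, E, K and the witnesses W1, W2 are constructed toy values and the function names are assumptions.

```python
import secrets

N = 1009 * 1013          # constructed toy modulus; far too small for real use
E = 65537                # public prime exponent e
K = 16                   # challenge length k (bits); 2^k < e
W1, W2 = 424242, 777     # constructed witnesses; statement x_i is y_i = w_i^e mod N
Y1, Y2 = pow(W1, E, N), pow(W2, E, N)

def sigma1(x, w):
    """Sigma1: commit. r random unit, a = r^e mod N; return (prover state r, a)."""
    r = secrets.randbelow(N - 2) + 2
    return r, pow(r, E, N)

def sigma2():
    """Sigma2: a k-bit challenge."""
    return secrets.randbits(K)

def sigma3(x, w, r, c):
    """Sigma3: response z = r * w^c mod N."""
    return r * pow(w, c, N) % N

def sigma_vrfy(x, a, c, z):
    """Sigmavrfy: accept iff z^e = a * y^c mod N (the statement x is y)."""
    return pow(z, E, N) == a * pow(x, c, N) % N

def sigma_sim(x, c):
    """Sigmasim: for a given c, pick z and set a = z^e / y^c; (a, c, z) verifies."""
    z = secrets.randbelow(N - 2) + 2
    a = pow(z, E, N) * pow(pow(x, c, N), -1, N) % N
    return a, z

def or_prove(x1, x2, w, known):
    """Prover knows only w for x_known (1 or 2): simulate the other branch with Sigmasim, split c = c1 xor c2."""
    xs, other = {1: x1, 2: x2}, 3 - known
    r, a_known = sigma1(xs[known], w)
    c_other = sigma2()                            # chosen by the prover
    a_other, z_other = sigma_sim(xs[other], c_other)
    a = {known: a_known, other: a_other}
    c = sigma2()         # honest verifier's challenge, drawn only after both commitments
    c_known = c ^ c_other
    z_known = sigma3(xs[known], w, r, c_known)
    cs = {known: c_known, other: c_other}
    zs = {known: z_known, other: z_other}
    return (a[1], a[2]), c, (cs[1], zs[1], cs[2], zs[2])

def or_verify(x1, x2, a, c, resp):
    """Verifier checks the challenge split and both branches."""
    (a1, a2), (c1, z1, c2, z2) = a, resp
    return c == c1 ^ c2 and sigma_vrfy(x1, a1, c1, z1) and sigma_vrfy(x2, a2, c2, z2)
```

Both `or_prove(Y1, Y2, W1, 1)` and `or_prove(Y1, Y2, W2, 2)` produce accepting transcripts of the same shape, which is the witness-indistinguishability point of the slide.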

What is Boolean-proof? [1][3][4]

f(v) = v1 ∧ ((v2 ∧ v3) ∨ v4)

Proving Knowledge of witnesses for a Boolean formula f

HV-ZKPOK & WI

[Figure: tree of f = v1 ∧ ((v2 ∧ v3) ∨ v4), with witnesses w1 and w4 marked ✔]

[1] “Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols”, Cramer, Damgård, Schoenmakers, CRYPTO’94
[3] “Generalized Secret Sharing and Monotone Functions”, Benaloh and Leichter, CRYPTO’88
[4] “Attribute-Based Signatures without Pairings via the Fiat-Shamir Paradigm”, Anada, Arita and Sakurai, AsiaPKC2014

Wrap Up

1. Thief-Cop Protocol
2. Fiat-Shamir Protocol
3. Guillou-Quisquater Protocol
4. Boolean-Proof Protocol

References

[0] “How to Explain Zero-Knowledge Protocols to Your Children”, Quisquater and Guillou, http://pages.cs.wisc.edu/~mkowalcz/628.pdf
[1] “Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols”, Cramer, Damgård, Schoenmakers, CRYPTO’94
[2] “On Sigma Protocols”, Damgård, survey paper: http://www.cs.au.dk/~ivan/Sigma.pdf
[3] “Generalized Secret Sharing and Monotone Functions”, Benaloh and Leichter, CRYPTO’88
[4] “Attribute-Based Signatures without Pairings via the Fiat-Shamir Paradigm”, Anada, Arita and Sakurai, AsiaPKC2014

Thanks
