TOWARDS PRACTICAL (GENERIC)ZERO-KNOWLEDGE

Claudio Orlandi – Aarhus University

In this talk: 3 simple ideas from Jawurek, Kerschbaum, Orlandi

Zero-Knowledge from Garbled Circuits, CCS 2013

Frederiksen, Nielsen, Orlandi Privacy-Free Garbled Circuits,

EUROCRYPT 2015

Chuo, Orlandi The Simplest OT Protocol, ePrint (next

week?)

Jawurek, Ferschbaum, OrlandiCCS 2013

Zero-Knowledge from Garbled Circuits

Zero-Knowledge Protocols

IP/ZK – GMR85 Revolutionary idea in cryptography and CS

Soundness: even a corrupted P cannot prove false statements

Zero-Knowledge: even a corrupted V only learns that the statement is true (and not

why)

Important in practice Authentication Essential component in complex protocols

What about efficiency?

Zero-Knowledge Protocols

Many examples of efficient ZK for algebraic languages Discret Logarithm RSA Lattice ...

What about non-algebraic statements? How do I prove ”I know x s.t. y=SHA(x)”?

This work tries to fill this gap!

Related Work

IKOS’07 ZK from (honest majority) MPC First step towards the ”MPC in the head”

approach

Efficient NIZK/SNARK (GOS06,GGPPR13,…) Non-interactive Require heavy public key operations per

gate

Zero-Knowledge vs Secure 2PC

A B

f,x f,y

f(x,y)

P V

x,w

R(x,w) = true

x

Garbled Circuits

EvDeGb

En

f

x

[F]

e

d

[X] [Z]

z

Correct if z=f(x)

Values in a box are

“garbled”

OT

[Fy]

x e

[X]

[Z]

([Fy],e,d) Gb( f(·,y) )

zDe([Z],d)

[Z]Ev([Fy],[X])

2PC from GC (Yao’s protocol)Alice Bob

Soundness:

If A is corrupted and

[Z*] A([F],[X]),

then

De([Z*],d) is either

f(x) or “”

B could garble a

“malicious”

function

g≠f

e.g. g(x)= lsb(x)

2PC secure against active adversaries?

How can Bob prove that he garbled f

without revealing any extra information?

Plenty of (costly) solutions are known for 2PC

Zero-Knowledge

Cut-and-choose

Etc.

Can we do better for ZK?

ZK based on GC

The main idea:

In ZK the verifier (Bob) has no secrets!

After the protocol, Bob can reveal all his

randomness.

Alice can simply check that Bob behaved

honestly

by redoing his entire computation.

OT

[F]

w e

[W]

Com([Z])

([F],e,d) Gb( f,r )

zDe([Z],d)

[Z]Ev([F],[W])

Prover Verifier

If [F]=Gb(f,r)(and check OTs) [Z]

Prover work~

2x passive Yao

(else abort)

reveal r, e

Verifier work ~

Passive Yao

Communication~

Passive Yao

CCS Implementations

Code not open-source, but easily reproducible

FastGC garbled circuits implementation

Smart-Tillich optimized circuits: AES, MD5,

SHA…

GCParser to combine the two above

SCAPI for implementing OT (using elliptic

curves)

Runtime (rough estimates)

Proof of “c=AES(k,m)” for secret k and public (c,m)

AES: 35k gates (7k ANDs/28k XORs) Communication: 204kB (98% GC) Runtime:

OT: 29.4ms (Using Chou-Orlandi OT) (|w|=128) Garbling: 721µs (Using JustGarble GaXR) Eval: 273 µs Total (Garble+OT+Eval+Garble) ~ 31.2ms

(+network)

Frederiksen, Nielsen, OrlandiEUROCRYPT 2015

Privacy-Free Garbled Circuits

Garbled Circuits

EvDeGb

En

f

x

[F]

e

d

[X] [Z]

z

Correct if z=f(x)

Main idea

In 2PC GC ensure that evaluator does not learn internal values In Yao garbled circuits evaluation must be

oblivious

But in ZK the prover knows all the input bits! He also knows all internal wires values

Can we optimize? Yes!

Garbling Schemes without Privacy

Conceptual contribution: Natural separation between privacy and

authenticity

Concrete efficiency: Better constants in garbled circuit

Can we construct garbling schemes tailored to specific applications, which are more efficient

than Yao’s original construction?

Garbling a Circuit ([F],e,d) Gb(f)

K10,K1

1 Choose 2 random keys Ki

0,Ki1 for each input wire

For each gate compute (Z0,Z1,gg) Gb(L0,L1,R0,R1)

Output e=(Ki

0,Ki1) for all input wires

d=(Z0,Z1) [F]=(ggi) for all gates i

K20,K2

1

Z0,Z1

Ki0,Ki

1

Evaluating a GC [Z] Ev([F],[X])

K1a Parse [X] as (K1

x1,K2x2 ,…)

for all input wires Parse [F] as (gg1,gg2, …)

for all gates

For each gate compute Zg(a,b) Ev(La,Rb,gg)

Output [Z]=Z’

K2b

Z’

Kic

Garbling a Gate

AND/XOR

L0,L1 R0,R1

Z0,Z1

A (privacy-free) garbled gate is a gadget that given two inputs keys gives you the right output key (and nothing else)

(Z0,Z1,gg) Gb(L0,L1,R0,R1) Zg(a,b) Ev(La,Rb,gg) //and not Z1-g(a,b)

Garbling w/o free-XOR (GRR1)

Gb_AND(L0,L1,R0,R1) Output keys:

Z1 = H(L1,R1) Z0 = H(L0)

Send: C = Z0 ⊕ H(R0)

Ev_AND(Lx, Ry, C) If(x = y = 1)

output Z1 = H(Lx, Ry)

If(x = 0) output Z0 = H(Lx)

If(y = 0) output Z0 = C ⊕ H(Ry)

Garbling w/o free-XOR (GRR1)

Gb_XOR(L0,L1,R0,R1) Output keys:

Z0 = L0 ⊕ R0

Z1 = L0 ⊕ R1

Send: C = L0⊕R0⊕L1⊕R1

Ev_XOR(La, Rb, C) If(a = 0) output

Z(a⊕b) = La ⊕ Rb

If(a = 1) output Z(a⊕b) = C⊕La⊕Rb

Conclusions & Open Problems

Still a lot to be done with garbling schemes!

Other specific purpose garbling schemes?

Non-interactive ZK (w/o PKE/gate)?

Chou, Orlandicoming soon on ePrint

The Simplest Oblivious Transfer Protocol

Diffie Hellman Key Exchange

X = gx

K = H(Yx)

m

Y = gy

C = E(K,m)

K = H(Xy)

m = D(K,C)

There is another key

K’ = H( (X/Y)x )which Bob

cannot compute!

X = gx

The Simplest OT protocol

K0 = H(Yx)K1 = H((X/Y)x)

m0,m1

C0 = E(K0,m0)C1 = E(K1,m1)

b=0 : Y = gy

b=1 : Y = X/gy

b

Y

Kb = H(Xy)

mb = D(Kb,Cb)

E((α,β), m) =

(α+ m, (α+ m)β)

The Simplest OT Protocol

Complexity: Communication: 1ge/OT + 2 ctxt/OT + 1ge Computation: 3 exp/OT + 3 H/OT + 2 exp

Security: UC vs. active adversary with programmable

RO Performances: ~5000 OT/s

Implementation based on Bernstein’s Curve25519