Post on 27-Jul-2020


CRYPTOGRAPHIC PROTOCOLS 2018, LECTURE 8

Sigma protocols

Helger Lipmaa, University of Tartu, Estonia

Lecture: 01.11.18
Slides last modified: 03.11.18

UP TO NOW

Introduction to the field

Secure computation protocols
  Can do almost everything in semihonest model

Introduction to malicious model

THIS TIME

Reminder: malicious model

Zero knowledge: very basics

Σ-protocols: a particular type of "ZK" protocols
  motivation
  security definitions
  examples

Note: remade slides compared to 2016 (no graphs anymore)

RECALL: "SECOND IDEA"

Do not reveal the witness

Instead let the party prove that such a witness exists
  so that the proof does not reveal any side information apart from that

Zero-knowledge proof

REMARK: AUTHENTICATION

If the last idea sounds crazy, think about authentication

Prover (pk, sk)                                   Verifier (pk)
        -------- "I am The Doctor" ---------->
        <-------- "Prove it!" ----------------
   [uses sk]
        -------- ZK proof of knowledge of sk -------->

ZK PROOF: SHORT DEFINITION

Syntax: a ZK proof is a protocol between a prover P and a verifier V, at the end of which V either accepts or rejects

A ZK proof satisfies the following security requirements:
  Completeness: honest V accepts honest P
  Soundness: honest V does not accept malicious P*
  Zero-knowledge: malicious V* learns from the proof with an honest P that P is honest and nothing else

Formal definitions are much more complicated, see the next lecture

RECALL: HOMOMORPHIC E-VOTING

Voter i (pk): picks ci ∈ {0, ..., C - 1}, sends Enc(f(ci))
  + ZK proof that the plaintext is f(ci) for some i

Vote collector (pk): sees who sent which ciphertext, cannot decrypt
  computes Enc(Σ f(ci)) as the product of the public ciphertexts: no need for ZK proof

Tallier (sk): sees anonymous ciphertext, can decrypt to Σ f(ci)
  + ZK proof that decryption was correct

RECALL: MIXNET BASED E-VOTING

Voters (pk): C_i = Enc(c_i)

Mixer 1 (pk): π: random permutation, r_i: random randomizers
  C_i' = C_{π(i)} · Enc(0; r_i)
  + ZK proof that the shuffle is correct

Mixer 2 (pk): π': random permutation, r_i': random randomizers
  C_i'' = C'_{π'(i)} · Enc(0; r_i')
  + ZK proof that the shuffle is correct

Tallier (sk: threshold): decrypts to {c_i} in some order
  + ZK proof that decryption was correct

NOTE ON DIFFICULTY

Some ZK proofs are obviously much more complex than others

Proof of correct decryption:
  with Paillier, tallier can compute both m and r
  proof = (m, r)
  Easy exercise. Note: tallier knows sk

Proof of correct shuffle: ???
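The homomorphic tally of the previous slides and the "easy" Paillier decryption proof (m, r) from this one, as an added Python example that is not code from the lecture. It assumes textbook Paillier with g = n + 1 over two fixed toy primes, a vote encoding f(ci) = 100^ci chosen for illustration, and function names (`paillier_keygen`, `homomorphic_tally`, `prove_decryption`, `verify_decryption`) that are mine; the tallier recovers r by undoing the n-th power with n^-1 mod φ(n), which works because gcd(n, φ(n)) = 1 for these primes.

```python
import math
import secrets

# Toy Paillier with g = n + 1, so Enc(m; r) = (1 + m*n) * r^n mod n^2.
# The fixed primes are constructed for the example; real keys use ~1024-bit primes.
P_TOY, Q_TOY = 1000000007, 1000000009


def paillier_keygen(p=P_TOY, q=Q_TOY):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)     # lambda = lcm(p-1, q-1)
    pk = {"n": n, "n2": n * n}
    # with g = 1 + n, L(g^lambda mod n^2) = lambda, so mu = lambda^-1 mod n
    sk = {"lam": lam, "mu": pow(lam, -1, n), "phi": (p - 1) * (q - 1)}
    return pk, sk


def paillier_encrypt(pk, m, r=None):
    n, n2 = pk["n"], pk["n2"]
    if r is None:
        r = secrets.randbelow(n - 2) + 2          # fresh randomizer in [2, n)
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def paillier_decrypt(pk, sk, c):
    n, n2 = pk["n"], pk["n2"]
    u = pow(c, sk["lam"], n2)
    return ((u - 1) // n) * sk["mu"] % n         # L(u) * mu mod n


def encode_vote(ci, base=100):
    """f(ci) = base^ci: summing encoded votes counts each candidate in its own
    base-100 digit (so at most 99 voters for this toy base)."""
    return base ** ci


def decode_tally(total, candidates, base=100):
    return [(total // base ** i) % base for i in range(candidates)]


def homomorphic_tally(pk, ciphertexts):
    """Vote collector: the product of the public ciphertexts is Enc(sum of f(ci));
    this step needs no ZK proof because anyone can recompute the product."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % pk["n2"]
    return acc


def prove_decryption(pk, sk, c):
    """Tallier's proof from the slide: with sk it recovers both the plaintext m
    and the randomizer r, and publishes (m, r)."""
    n = pk["n"]
    m = paillier_decrypt(pk, sk, c)
    # c = r^n (mod n) because (1 + m*n) = 1 (mod n); undo the n-th power with n^-1 mod phi(n)
    r = pow(c % n, pow(n, -1, sk["phi"]), n)
    return m, r


def verify_decryption(pk, c, m, r):
    """Anyone holding pk re-encrypts with the claimed (m, r) and compares: no secret needed."""
    return paillier_encrypt(pk, m, r) == c


if __name__ == "__main__":
    pk, sk = paillier_keygen()
    votes = [0, 1, 1, 2, 1]                       # constructed ballots for 3 candidates
    ballots = [paillier_encrypt(pk, encode_vote(v)) for v in votes]
    total = homomorphic_tally(pk, ballots)
    m, r = prove_decryption(pk, sk, total)
    print("tally:", decode_tally(m, 3), "proof verifies:", verify_decryption(pk, total, m, r))
```

Publishing (m, r) is a proof of correct decryption but not a zero-knowledge one: it reveals the product of all voters' randomizers, which is harmless for the aggregated tally but would be fatal if the same trick were applied to an individual ballot.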

GENERAL PROTOCOL DESIGN

Design a passively secure protocol
  I.e., one that protects privacy given participants follow the protocol
  ... take any protocol we have seen up to now

Make it secure in the malicious model by adding ZK proofs to all messages
  of course this needs "some" care: you need to know which ZK to add, efficiency, ...

PROOFS VS PROOFS OF KNOWLEDGE

ZK Proof:
  Complete: honest prover convinces honest verifier
  Sound: dishonest prover does not convince honest verifier
  Zero Knowledge: dishonest verifier only gets to know that honest prover is honest

ZK Proof of Knowledge: (in addition)
  Proof of Knowledge (stronger soundness): honest prover convinces honest verifier that he knows "why he is honest" --- i.e., knows some secret "witness"

AUTHENTICATION, REVISITED

Prover P (pk, sk)                                 Verifier V (pk)
        -------- "I am The Doctor" ---------->
        <-------- "Prove it!" ----------------
   [uses sk]
        -------- ZK proof of knowledge of sk -------->

Proof: "I can sign your document with Doctor's secret key." Leaks information (new signatures), not really ZK. ZK proofs do not make sense in this application

Proof of knowledge: "I know sk" (nothing else is leaked)

MOTIVATION BY EXAMPLES

We first describe a very simple protocol that intuitively is a "secure" ZK proof of knowledge

We will later see other protocols that are "secure" in the same sense
  Common name: Σ protocols

We then formally define security of such protocols

Σ-PROTOCOL FOR DL

DL proof: // proof of knowledge of DL
  prove that you know x such that pk = g^x

QUIZ: any ideas how to do it?
  Hint: generate a = g^r for random r, and use the knowledge of r
  (Figure: the group elements g^r, g^x and g^{x+r})

Solution 1: reveal both r and z ← x + r
  Problem: if verifier gets to know both r and z then she can compute x ← z - r

Solution 2: reveal one of r and z ← x + r
  Problem: if prover knows that, say, z is revealed, then she can sample it randomly

Solution 3: first reveal g^r and then let the verifier pick whether she wants to see r or z ← x + r (each with prob. 1/2)
  Idea:
  • honest P succeeds always
  • malicious P fails w.p. 50%

Σ-PROTOCOL FOR DL

Prover P (pk = g^x, sk = x)                       Verifier V (pk)

1. r ←$ Z_q
2. a ← g^r
        ------------------ a ------------------>
                                                  c ← {0, 1}
        <----------------- c -------------------
z ← c x + r
        ------------------ z ------------------>
                                                  1. If g^z = pk^c · a then accept
                                                  2. else reject

KNOWLEDGE ERROR

Honest Prover is accepted with probability 1

Dishonest Prover is accepted with non-zero probability κ = 1/2

Def (informal). Knowledge error = κ

Every Σ-protocol has non-zero knowledge error
  Prover can just guess Verifier's challenge and prepare first message accordingly

A BIT OF TERMINOLOGY

All such proofs are of type: does input inp belong to language L?
  The prover knows a witness w
  Proving inp ∈ L can be done efficiently, given w
  Proof of knowledge: Prover proves he knows w

DL proof: L = {pk ∈ G}, inp = pk, w = dlog_g pk
  Here, L is "trivial" but it's a special case

DDH proof: L = {(h1, h2) ∈ G^2 : ∃ x, (h1, h2) = (g1, g2)^x}, inp = (h1, h2), w = x

Σ-PROTOCOLS: SYNTAX

Prover (input, witness)                           Verifier (input)
        ------ 1st message: commitment a ------>
        <----- 2nd message: challenge c --------
        ------ 3rd message: response z -------->

Requirement: c is chosen from some challenge set C randomly. (Does not depend on a!)
Terminology: public coin protocol

Σ-PROTOCOLS: FORMAL DEFINITION

Definition. A protocol (P, V) is a Σ-protocol, if

1. it is a three-message public-coin protocol: it has three messages, with the prover starting, and the second message is completely random and independent of the first message

2. Security: it is complete, specially sound, and special honest-verifier zero knowledge

Σ-PROTOCOLS: SECURITY

1. Completeness 2. Special Soundness 3. Special Honest-Verifier ZK (SHVZK)

Completeness: if Prover is honest then honest Verifier always accepts.
  DL protocol has it

Special Soundness (with knowledge error κ): if Prover is dishonest then honest Verifier accepts with probability not much larger than κ.
  DL protocol has it (intuitively)

SPECIAL SOUNDNESS: MORE

Our proof of special soundness for DL relied on the following (informal) fact:

If (possibly malicious) P* makes honest V always accept, then P* "knows" x such that y = g^r and pk · y = g^{x + r}, and thus pk = g^x

We will next make this intuition more formal

SEMIFORMALLY: SPECIAL SOUNDNESS

Assume a dishonest prover P* can make honest verifier V accept with some probability ε > κ
  This guarantees κ is really the "limit"

Then V can "extract" the witness (here, x) from P* in time related to ε - κ
  => we have a proof of knowledge

However, V is a pre-defined algorithm

We define a new algorithm, an extractor K, that communicates with P* and extracts x from P*
  As in reductions, K can only communicate with P*. K does not know anything else about P* apart from what P* outputs

FORMALLY: SPECIAL SOUNDNESS

Definition. A Σ-protocol (P, V) is specially sound, if there exists a probabilistic expected poly-time extractor algorithm K, such that if a prover P* (possibly malicious) can make V accept with a probability ε > κ, then K can --- after playing the role of V in possibly many instances of the protocol with P* --- output the value of the witness

However, K must have some "superpower": otherwise V could do the same and extract the witness. Here: rewinding

REMINDER: SPECIAL SOUNDNESS

Prover P (input = pk, witness = x)                Verifier V (input = pk)

1. r ←$ Z_q
2. a ← g^r
        ------------------ a ------------------>
                                                  c ← {0, 1}
        <----------------- c -------------------
z ← c x + r
        ------------------ z ------------------>
                                                  1. If g^z = pk^c · a then accept
                                                  2. else reject

Intuition. Assume P* makes V accept with probability 1.
Then y = g^r and pk · y = g^{x + r}

SPECIAL SOUNDNESS: REWINDING

Prover P* (input = pk, witness = x)               K playing V (input = pk)
        ------------------ a ------------------>
        <----------------- c -------------------
        ------------------ z ------------------>
   [rewind P* to its state directly after sending a]
        <--------------- c* ≠ c ----------------
        ------------------ z* ----------------->

Formally, K plays V in the protocol. K does the following:
  Execute the protocol once with c = 0. Store (a, 0, z)
  Create a breakpoint for the prover directly after sending a

After that:
  Rewind P* to the breakpoint (the state P* was in directly after sending a). Challenge with c* = 1, get P*'s answer, and store (a, 1, z*)

REWINDING: ANALYSIS

Since P* makes V accept with probability 1, this means that (a, 0, z) and (a, 1, z*) are both accepting views

Since both views accept,
  g^z = pk^0 · a,  g^{z*} = pk^1 · a

But then pk = g^{z* - z} and thus x = z* - z

GENERAL K.E.

Previous analysis only works if ε = 1

Assume P* makes V accept with any probability ε > κ
  Probability ε is both over the randomness ω of P* and c of V
  P*(inp, ω) generates a, P*(inp, ω, c) generates z

Construct a Boolean matrix A
  A_{ω, c} = 1 iff V accepts given that P* has random string ω and verifier has random string c
  (Figure: matrix A with rows indexed by ω and columns by c; 1-entries mark accepting runs)
  Known: fraction ε of entries are 1
  There exists a row with two 1-s iff ε > κ := 1/C, C := |{c}|

GENERAL K.E.

If P* makes V accept with prob. ε > κ, K does:

1. Generate random (ω, c) until V accepts the resulting view (a, c, z)
     1 / ε expected steps

2. Generate random c* (but use the same ω) until V accepts the resulting view (a, c*, z*)
     1 / ε expected steps
   1. If c = c* then goto 1
     Happens with some prob. p
     2 / (pε) expected steps

3. Now K has (a, c, z), (a, c*, z*), with c ≠ c*, and can retrieve witness as before

T_probes := the number of probed matrix entries before this happens
  (Figure: matrix A with rows ω and columns c; the probed entries are numbered in the order K visits them)

GENERAL EXTRACTOR

One has to analyze the expected number of steps T_probes that guarantees that K will with high probability obtain such views
  Expected: with small probability, the number of steps can be very large

Will omit precise analysis

Answer: T_probes ≤ 2 / (ε - κ): expected number of runs

Examples:
  ε = 1, κ = 1/2: T_probes ≤ 2 / (1 - 1/2) = 4
  ε = 3/4, κ = 1/2: T_probes ≤ 2 / (3/4 - 1/2) = 8
  ε = k^{-c}, κ = 1/q = 2^{-k}: T_probes ≤ 2 / (k^{-c} - 2^{-k}) ≈ 2 k^c
  // If ε - κ is non-negligible then T_probes is polynomial (k: security parameter)

SPECIAL SOUNDNESS: SIMPLIFIED

Due to what we saw on the last slides, we can somewhat simplify the special soundness definition

We know the relation between ε - κ and the running time of the extractor

We can just assume that if we have already found two accepting views (a, c, z), (a, c*, z*) with c ≠ c*, then K can efficiently retrieve the witness

We can then use what we know to construct the full extractor

Definition (simplified). A Σ-protocol (P, V) is specially sound, if there exists a (deterministic) poly-time extractor algorithm K that, given two accepting views (a, c, z) and (a, c*, z*), such that c ≠ c*, can efficiently compute the value of the witness

DL: PROOF OF SPECIAL SOUNDNESS

Prover P (input = pk, witness = x)                Verifier V (input = pk)

1. r ←$ Z_q
2. a ← g^r
        ------------------ a ------------------>
                                                  c ← {0, 1}
        <----------------- c -------------------
z ← c x + r
        ------------------ z ------------------>
                                                  1. If g^z = pk^c · a then accept
                                                  2. else reject

Construction of extractor: Given accepting views (a, 0, z) and (a, 1, z*), K outputs x ← z* - z

Analysis:
1. Since a is the same and both views accept, g^z = y and g^{z*} = pk · y (where y = a = g^r)
2. Thus pk = g^{z* - z}
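The DL Σ-protocol, the challenge-guessing prover behind the knowledge error κ = 1/2, the Boolean matrix A of accepting (ω, c) pairs, and the rewinding extractor K of the "GENERAL K.E." slides, as one added Python example that is not part of the lecture. It uses a constructed toy Schnorr group (p = 2039, q = 1019, g = 4), derives the prover's coins r from its random string ω so that rewinding to the same ω reproduces the same a, and the names `HonestProver`, `GuessingProver`, `acceptance_rate`, `extract_from_views` and `rewinding_extractor` are mine. The extractor is written for a general challenge set, x = (z* - z)/(c* - c) mod q, which for {0, 1} reduces to the slide's x ← z* - z.

```python
import hashlib
import random

# Constructed toy Schnorr group: p = 2q + 1 with q prime, g = 4 = 2^2 has order q.
# Far too small for real use; it only makes the protocol runnable and inspectable.
P, Q, G = 2039, 1019, 4
CHALLENGES = (0, 1)        # challenge set of the lecture's protocol, so kappa = 1/2


def verify(pk, a, c, z):
    """Verifier's check from the slide: accept iff g^z = pk^c * a (mod p)."""
    return pow(G, z, P) == (pow(pk, c, P) * a) % P


def coins(label, omega):
    """Derive a value in Z_q from the prover's random string omega (deterministic,
    so rewinding P* to the same omega reproduces the same first message)."""
    return int.from_bytes(hashlib.sha256(label + omega).digest(), "big") % Q


class HonestProver:
    """P knows the witness x: a = g^r, z = c*x + r (mod q)."""
    def __init__(self, x):
        self.x = x

    def first_message(self, pk, omega):
        return pow(G, coins(b"r", omega), P)

    def response(self, pk, omega, c):
        return (c * self.x + coins(b"r", omega)) % Q


class GuessingProver:
    """P* without the witness: guesses the challenge from omega and prepares a so
    that exactly that one challenge verifies; V accepts it with probability 1/2."""
    def first_message(self, pk, omega):
        guess, z = omega[0] & 1, coins(b"z", omega)
        inv_pk = pow(pk, -1, P) if guess else 1
        return (pow(G, z, P) * inv_pk) % P     # a = g^z / pk^guess

    def response(self, pk, omega, c):
        return coins(b"z", omega)              # cannot depend on x; ignores c


def acceptance_rate(prover, pk, seed=1, rows=64):
    """Fraction of 1-entries in the Boolean matrix A (rows omega, columns c):
    every challenge is tried for each of `rows` random omegas."""
    rng, accepted = random.Random(seed), 0
    for _ in range(rows):
        omega = rng.getrandbits(128).to_bytes(16, "big")
        a = prover.first_message(pk, omega)
        for c in CHALLENGES:
            accepted += verify(pk, a, c, prover.response(pk, omega, c))
    return accepted / (rows * len(CHALLENGES))


def extract_from_views(view, view_star):
    """Simplified special-soundness extractor: two accepting views with the same a
    and c != c* give x = (z* - z) / (c* - c) mod q."""
    (a, c, z), (a_star, c_star, z_star) = view, view_star
    if a != a_star or c == c_star:
        raise ValueError("need the same commitment and two distinct challenges")
    return (z_star - z) * pow((c_star - c) % Q, -1, Q) % Q


def rewinding_extractor(prover, pk, seed=1, max_probes=200):
    """K plays V: (1) probe random (omega, c) until V accepts; (2) keep omega and
    probe random c* until V accepts; if c* = c go back to (1); (3) extract.
    Returns None once max_probes matrix entries were probed without success,
    which is what happens when epsilon <= kappa (e.g. for GuessingProver)."""
    rng, probes = random.Random(seed), 0
    while probes < max_probes:
        omega = rng.getrandbits(128).to_bytes(16, "big")
        c = rng.choice(CHALLENGES)
        a = prover.first_message(pk, omega)
        z = prover.response(pk, omega, c)
        probes += 1
        if not verify(pk, a, c, z):
            continue                                     # entry A[omega, c] = 0
        while probes < max_probes:                       # rewind: same omega, fresh c*
            c_star = rng.choice(CHALLENGES)
            z_star = prover.response(pk, omega, c_star)
            probes += 1
            if verify(pk, a, c_star, z_star):
                break
        else:
            return None
        if c_star == c:
            continue                                     # same column: goto (1)
        return extract_from_views((a, c, z), (a, c_star, z_star))
    return None


if __name__ == "__main__":
    x = 777
    pk = pow(G, x, P)
    print("honest prover accepted:", acceptance_rate(HonestProver(x), pk))
    print("guessing prover accepted:", acceptance_rate(GuessingProver(), pk))
    print("extracted from honest prover:", rewinding_extractor(HonestProver(x), pk))
    print("extracted from guessing prover:", rewinding_extractor(GuessingProver(), pk))
```

Against the honest prover every row of A is all ones, so K needs about 2/(1 - 1/2) = 4 probes as on the GENERAL EXTRACTOR slide; against the guessing prover every row has exactly one 1, so step 2 can only ever return c* = c and K gives up, matching "there exists a row with two 1-s iff ε > κ".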

STUDY OUTCOMES

Main idea of ZK proofs

Example, very natural, protocol with "intuitive" security

Σ-protocols: definition

Motivation and analysis of special soundness

NEXT LECTURE

More efficient Σ-protocols based on DL

Σ-protocols for various relations about Elgamal plaintexts
  For example: Σ-protocol that Elgamal plaintext is in {0, 1}

Σ-protocol for Circuit-SAT
