Lecturer: Moni Naor

Foundations of Cryptography

Lecture 12: Commitment and Zero-Knowledge

Posted on 20-Dec-2015



Recap of last week’s lecture

• Notion of security: equivalence of semantic security and indistinguishability of encryptions in the shared-key and public-key cases
• Properties of semantically secure cryptosystems
• Constructions of semantically secure cryptosystems
– Trapdoors
– Factoring (Blum-Goldwasser)
– Decisional Diffie-Hellman
– Shared key: pseudo-random functions

The world so far

[Diagram of the implications established so far, with nodes: P ≠ NP; One-way functions; Pseudo-random generators; Pseudo-random functions; Pseudo-random permutations; UOWHFs; Signature schemes; Two guards identification; Shared-key encryption (CPA) and authentication; Trapdoor permutations; Public-key encryption (CPA); Factoring is hard (BG permutations)]

What’s next

• Further notions of security
– Non-malleability
– Chosen ciphertext attacks
• Protocols:
– Zero-knowledge proof systems
– Secure function evaluation

Commitments

• Define
• Construct
• Applications:
– Coin-flipping
– Zero-Knowledge

String Commitment Protocols

• Sender: Input X ∈ {0,1}^n
• Receiver: no explicit input
• Two phases:
– Commit
– Reveal
• At the end of the protocol: Receiver obtains X and decides whether it is valid or not

Commitment Schemes

– Hiding: A computationally bounded receiver learns nothing about X.
– Binding: s can only be “opened” to the value X.

[Diagram: Commit phase – the Sender, holding X, sends the commitment s to the Receiver. Reveal phase – the Sender sends the opening v together with X; the Receiver runs the reveal verification algorithm on (s, v, X) and outputs yes/no.]

Following Commit Phase

• Receiver should not have gained any information about X
– Information theoretic?
– Computationally?
• Sender should be bound to X
– No two different and valid openings exist
– It is computationally infeasible to find two different valid openings

Both worlds?

Cannot have the best of both worlds:
• Information theoretic secrecy following commit
– Distribution of the conversation independent of X
• Perfect binding
– No two different and valid openings exist whp

(If the conversation is distributed independently of X, then a conversation that can be opened to X can also be opened to any other X’, which contradicts perfect binding.)

Security Parameter

Want:
• A family of protocols
• Indexed by a security parameter n

Relationship between the security parameter and the size of the hard problem

Definition: Computational Secrecy

• Indistinguishability of committed strings:
Adversary A chooses X_0, X_1 ∈ {0,1}^n, receives the commit phase to X_b for b ∈_R {0,1}, and has to decide whether b = 0 or b = 1.

For any pptm A and for all X_0, X_1 ∈ {0,1}^n,

|Pr[A = ‘1’ | b = 0] − Pr[A = ‘1’ | b = 1]|

is negligible.

...Computational Secrecy

• Equivalent to semantic security of committed strings:
Whatever adversary A can compute on the committed string X ∈ {0,1}^n, so can an A’ that does not participate in the commit phase.

A selects:
• A distribution D_n on {0,1}^n
• A relation R(X, Y), computable by a ppt

…Semantic Security

∀ pptm A ∀ R ∃ A’ such that for X ∈_R D_n

|Pr[R(X, A(commit))] − Pr[R(X, A’())]|

is negligible.

Definition: Perfect Binding

• For all adversaries A controlling the Sender, following the commit phase
• With high probability over the random choices of the Receiver:
there are no two different and valid openings to X and X’.

Protocol

Show a string commitment protocol with

• Indistinguishability of committed strings

• Perfect Binding

Idea

Hide the value X in a linear function:
– P·X + B
• Who chooses/knows P and B?
– If the sender: no binding
– If the receiver: no hiding
• Compromise:
– Receiver chooses P
– Sender chooses B, but B has to be of a special form

Tool: Pseudo-Random Sequence Generator

G_{4n}: {0,1}^n → {0,1}^{4n}

A cryptographically strong pseudo-random sequence generator

The Protocol - Commit

• Receiver: chooses P ∈_R {0,1}^{4n}
• Sender: Input X ∈ {0,1}^n. Chooses S ∈_R {0,1}^n.
Computes and sends Y = X·P + G_{4n}(S)

Computation is done in GF[2^{4n}]

The Protocol - Reveal

• Sender: sends S ∈ {0,1}^n
• Receiver: computes

X = (Y − G_{4n}(S))·P^{−1}

Computation is done in GF[2^{4n}]

Binding

Claim: the probability of a Sender being able to open equivocally is at most 2^{−n}

Sender can cheat given P iff ∃ S_1, S_2, X_1, X_2 ∈ {0,1}^n with X_1 ≠ X_2 s.t.

Y = X_1·P + G_{4n}(S_1) = X_2·P + G_{4n}(S_2), i.e.

P·(X_1 − X_2) = G_{4n}(S_2) − G_{4n}(S_1)

...Binding

There are 2^{3n} − 1 possibilities for S_1, S_2 and X_1 − X_2.

Probability that P validates a given such triple is 2^{−4n} (a triple with X_1 ≠ X_2 determines P uniquely).

Probability that P validates any triple is at most 2^{−n}.

There exists a universal P. We don’t know how to find it, so the Receiver chooses P at random.
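A toy implementation of the commit/reveal protocol above together with a brute-force check of the binding count, added here as an example (not code from the lecture). It assumes n = 2, so the field is GF[2^8] with the polynomial x^8 + x^4 + x^3 + x + 1, and it uses SHA-256 truncated to 8 bits as a stand-in for G_{4n} (an assumption, not a proof-grade PRG).

```python
import hashlib, itertools

N = 2                 # toy security parameter (assumption): X and S are n-bit
W = 4 * N             # field is GF[2^{4n}] = GF[2^8]; P, Y and G(S) are 4n-bit
MOD = 0x11B           # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    # Multiplication in GF[2^W]: shift-and-add, reducing modulo the polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> W:
            a ^= MOD
    return r

def gf_inv(a):
    # a^(2^W - 2) = a^{-1} for a != 0 (Fermat's little theorem in GF[2^W])
    r, e = 1, (1 << W) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def G(s):
    # Stand-in for the PRG G_{4n}: {0,1}^n -> {0,1}^{4n} (assumption: truncated SHA-256)
    return hashlib.sha256(b"G" + bytes([s])).digest()[0] & ((1 << W) - 1)

def commit(x, p, s):
    # Sender: Y = X*P + G(S) in GF[2^{4n}]; "+" and "-" are both XOR in characteristic 2
    return gf_mul(x, p) ^ G(s)

def reveal(y, p, s):
    # Receiver: X = (Y - G(S)) * P^{-1}; P must be nonzero for the inverse to exist
    return gf_mul(y ^ G(s), gf_inv(p))

def bad_p_fraction():
    # Fraction of P for which some Y opens to two different X (with any S1, S2):
    # the counting argument above bounds this by 2^{-n}, whatever G is
    bad = 0
    for p in range(1 << W):
        openings = {}
        for x, s in itertools.product(range(1 << N), repeat=2):
            openings.setdefault(commit(x, p, s), set()).add(x)
        bad += any(len(xs) > 1 for xs in openings.values())
    return bad / (1 << W)
```

With n = 2 the exhaustive search covers all 256 values of P, so the fraction it returns is exact for this toy G.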

Cryptographic Reductions

Show how to use an adversary for breaking primitive 1 in order to break primitive 2

Important:
• Run time: how does T_1 relate to T_2?
• Probability of success: how does ε_1 relate to ε_2?
• Access to the system: 1 vs. 2

Secrecy

Suppose adversary A controlling the Receiver can distinguish whether (Y, P) corresponds to X_0 or X_1:

|Pr[A(Y, P) = ‘1’ | X_0] − Pr[A(Y, P) = ‘1’ | X_1]| ≥ ε

Probability is over the random choice of S and the random coins of A.

...Secrecy

Can use A to distinguish whether a given string Z is G_{4n}(S) or random.

Given P, send the Receiver Y = X_1·P + Z. If Z is random, so is Y!

Let p_1 = Pr[A(Y, P) = ‘1’ | X_0]
p_2 = Pr[A(Y, P) = ‘1’ | X_1]
p_3 = Pr[A(Y, P) = ‘1’ | Z is random]

…Secrecy

• By assumption |p_1 − p_2| ≥ ε
• Either |p_1 − p_3| ≥ ε/2 or |p_2 − p_3| ≥ ε/2
• In either case can construct a distinguisher for Z:
– If |p_1 − p_3| ≥ ε/2, give the Receiver Y = X_0·P + Z
– If |p_2 − p_3| ≥ ε/2, give the Receiver Y = X_1·P + Z
– Provide A(Y, P) as the answer

[Diagram: the distinguisher A’ wraps A. Given input Z, A’ wants to decide whether Z = G(s) or not: it runs A to get {X_0, X_1} and P, chooses b ∈_R {0,1}, computes Y = P·X_b + Z, hands (Y, P) to A and receives b’; if b’ = b it outputs “pseudo-random”.]

An existential clump

One-way functions ⇒ Pseudo-random generators ⇒ String commitment protocol

Also: String commitment ⇒ One-way functions

Applications

• Coin Flipping
• Auctions
• Zero Knowledge

Coin Flipping

Two parties want to agree on a random value R ∈ {0,1}
• Should be random even if one party cheats
• Potential problem: one party knows the value before the other. Early stopping.

[Diagram: parties A and B exchanging messages]

...Coin Flipping Specification

Result of the protocol could be 0, 1, or ⊥
• For every PPTM adversary controlling A (or B), and every b ∈ {0,1},

|Pr[result of protocol is b] − 1/2|

is negligible in the security parameter

Coin Flipping Protocol

• A selects r_A ∈_R {0,1}; commits to r_A
• B sends bit r_B ∈_R {0,1}
• Coin is r_A ⊕ r_B (A opens its commitment to r_A)

If A doesn’t open, the result is ⊥. If A’s opening is invalid, the result is ⊥.

Coin flipping security
• For all PPTM adversaries controlling A, and every b ∈ {0,1}:

|Pr[result of protocol is b] − 1/2| ≤ 2^{−n}

• For all PPTM adversaries controlling B, and every b ∈ {0,1}:

|Pr[result of protocol is b] − 1/2| ≤ ε

where ε is the advantage of distinguishing a commitment to 0 from a commitment to 1 in the commitment protocol

Dealing with early stopping

Suppose ⊥ is not acceptable. To limit the influence of one party:
• Gradual release of the result
– Commit to many bits
– Release them one by one
– Take the majority of the bits, substituting random values for early-stopping values
• However: for r rounds one party can influence the result by 1/r
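A toy run of the coin-flipping protocol above and of its gradual-release variant, added here as an example (not code from the lecture). It uses a SHA-256 hash of the bit and a random nonce as a stand-in commitment (an assumption) and models early stopping and invalid openings as the ⊥ outcome.

```python
import hashlib, random

def commit_bit(bit, nonce):
    # Stand-in bit commitment (assumption): SHA-256 of the bit and a 16-byte nonce
    return hashlib.sha256(bytes([bit]) + nonce).digest()

BOTTOM = None  # the ⊥ outcome: A stopped early or opened its commitment invalidly

def coin_flip(r_a, r_b, rng, a_opens=True, a_opens_as=None):
    # One round: A commits to r_a, B answers with r_b, A opens; result is r_a XOR r_b or ⊥
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    c = commit_bit(r_a, nonce)          # sent to B before B reveals r_b
    if not a_opens:
        return BOTTOM                   # early stopping after A has seen r_b
    opened = r_a if a_opens_as is None else a_opens_as
    if commit_bit(opened, nonce) != c:
        return BOTTOM                   # B's verification of the opening fails
    return opened ^ r_b

def gradual_coin(a_bits, b_bits, rng, a_stops_at=None):
    # Gradual release: one flip per round, majority of the results; rounds where A
    # stopped are filled with B's own random bits, so A can shift the outcome only by ~1/r
    outcomes = []
    for i, (r_a, r_b) in enumerate(zip(a_bits, b_bits)):
        out = coin_flip(r_a, r_b, rng, a_opens=(a_stops_at is None or i < a_stops_at))
        outcomes.append(rng.getrandbits(1) if out is BOTTOM else out)
    return int(2 * sum(outcomes) > len(outcomes))
```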

Definition: Computational Binding

• For all PPTM adversaries A controlling the Sender, following the commit phase
• With high probability over the random choices of the Receiver:
the Sender cannot find two different and valid openings to X and X’.

Possible advantage: perfect or statistical hiding

Proof systems

L = { (X, 1^k) : X is a true mathematical assertion with a proof of length k }

• What is a “proof”?

Complexity theoretic insight: meaningless unless it can be efficiently verified

Proof systems

For a language L, the goal is to prove x ∈ L.

A proof system for L is defined by a verification algorithm V:
– completeness: x ∈ L ⇒ ∃ proof such that V accepts (x, proof)
(true assertions have proofs)
– soundness: x ∉ L ⇒ ∀ proof*, V rejects (x, proof*)
(false assertions have no proofs)
– efficiency: ∀ x, proof, the machine running V(x, proof) is efficient:
• runs in polynomial time in |x|
• ?

Classical Proofs

• Recall: L ∈ NP iff it is expressible as L = { x | ∃ y, |y| < |x|^k, (x, y) ∈ R_L } and R_L ∈ P.
• NP is the set of languages with classical proof systems (R_L is the verifier)

We wish to extend the notion.

Interactive Proofs

• Two new ingredients:
– Randomness: verifier tosses coins
• Should err with some small probability
– Interaction: rather than simply “reading” the proof, the verifier interacts with the prover
• Is the prover another TM?
• Framework captures the classical NP proof systems:
– prover sends proof
– verifier runs the algorithm for R_L; no use of randomness

Interactive Proofs

An interactive proof system for L is an interactive protocol (P, V).

[Diagram: Prover and Verifier exchange a sequence of messages on common input x; the Verifier has a random tape and ends with accept/reject. The number of rounds and the length of the messages are poly(|x|).]

New resources:
• # of rounds
• Length of messages

New issue: who knows the random tape

Interactive Proofs

Definition: an interactive proof system for L is an interactive protocol (P, V) with
– completeness: ∀ x ∈ L: Pr[V accepts in an execution of (P, V)(x)] ≥ 2/3
– soundness: ∀ x ∉ L ∀ P*: Pr[V accepts in an execution of (P*, V)(x)] ≤ 1/3
– efficiency: V is a PPT machine

• Can we reduce the error to any ε?

Perfect completeness: V accepts with probability 1

Error Reduction

• If we execute the protocol sequentially ℓ times, let I_j = 1 if the jth run is correct and 0 otherwise.
The I_j’s are not necessarily independent of each other but, since we can tolerate any prover*,

Pr[I_j = 1 | any execution history] ≥ 2/3

If we compare to ℓ independent coins with probability 2/3, where we take the majority of the answers: for any prover* the interactive proof stochastically dominates.
• Can argue the same for ℓ parallel executions; the number of rounds is preserved.

Interactive Proofs

IP = {L : L has an interactive proof system}
– Captures more broadly what it means to be convinced a statement is true
• But no certificate to store for future generations!
– Clearly NP ⊆ IP. Potentially larger. How much larger?
– IP with perfect soundness and completeness is NP
• To go beyond NP randomness is essential
• Perfect soundness in itself implies NP power
– IP = PSPACE

Interactive Proof Systems relevant to crypto

• Let L ⊆ {0,1}* be a language
• The Prover P wants to convince the other party, the Verifier V, that X ∈ L
• In our case: both parties are PPTM;
– exchange messages and flip coins
• Prover P may have some extra information W
• At the end of the protocol the Verifier V outputs a state ∈ {accept, reject}
• For a given W the interaction between V and P induces a distribution on the transcripts

[Diagram: Prover P and Verifier V exchanging messages]

Witness Protection Programs

A witness indistinguishable proof system for X ∈ L (Prover P, Verifier V):
• Completeness: if prover P has witness W, it can construct an effective proof that makes verifier V accept.
• Soundness: if X ∉ L, no prover P* can succeed with high probability in making verifier V accept.
• Witness Indistinguishability: for every V* and any witnesses W_1 and W_2, the distributions on transcripts are computationally indistinguishable.
– No polynomial time test can distinguish the two

Example: Hamiltonicity

• Common input: graph G = (V, E)
• L is the language of graphs with Hamiltonian cycles:
G = (V, E) ∈ L if and only if there is a cycle C = (i_1, i_2, …, i_n) covering all nodes of V once, with (i_j, i_{j+1}) ∈ E
• Witness W: a Hamiltonian cycle C = (i_1, i_2, …, i_n)
• Protocol:
– Prover P selects a random permutation π of the nodes and commits to the adjacency matrix of π(G) = (π(V), π(E))
• for each entry separately
– Verifier V selects and sends a bit r ∈_R {0,1}
– Prover P:
If r = 0 then P opens all the commitments and sends π
If r = 1 then P opens only the commitments corresponding to C
• entries (π(i_j), π(i_{j+1}))
– Verifier V accepts if:
r = 0 and the committed graph is isomorphic to G (via π)
r = 1 and all opened slots are ‘1’

Analysis of Protocol

• Completeness: perfect √
• Soundness: if there is no cycle in G = (V, E), then
– from the binding property of the commitment scheme, following the commitment there is a unique graph G’
either P*
– commits to a graph G’ non-isomorphic to G
• Verifier V rejects if r = 0
or P*
– commits to a graph G’ isomorphic to G
• Verifier V rejects if r = 1
Probability V accepts is bounded by ½
• Can reduce the error by repetition
– Sequential
– Parallel

Obtaining Witness Indistinguishability

• Key property: the distribution of the values opened in Step 3 is an efficiently computable function of
– the graph and
– the challenge the verifier V sent in Step 2
for example: it could be a random permutation of 1..n

Witness Indistinguishability

Let G = (V, E) be a graph with two Hamiltonian cycles C_1 and C_2
• If there is a verifier V* that can distinguish between the case C_1 is used and the case C_2 is used,
– then one can use V* to distinguish between commitments to π_1(G) and to π_2(G) for some permutations π_1 and π_2
• Witness Indistinguishability remains so under parallel execution
– Hybrid argument
• But what if there is a unique witness?

Zero Knowledge

• Each (cheating) verifier V* induces a distribution on transcripts of its interaction with P
• Zero-Knowledge Requirement: for all verifiers V* there exists a simulator S such that:
– simulator S is a pptm (does not get the witness W)
– for all X ∈ L the distributions on transcripts that V* induces and that S produces are computationally indistinguishable.

The role of the simulator is similar to that of the alternative adversary A’ in semantic security

Simulation

Zero-Knowledge:
• Simulator S plays P’s role in the interaction with V*
• Guess r’ ∈_R {0,1}
– If r’ = 0: select a random permutation π of the nodes; commit to the adjacency matrix of π(G) = (π(V), π(E))
– If r’ = 1: select a random cycle C; commit to the adjacency matrix of C (the rest of the edge slots are 0)
• Receive r ∈ {0,1} from V*
– If r’ = r, proceed as planned
– Otherwise rewind V* and start from scratch

Claim: the Simulator stops in an expected constant number of trials
Proof: if not, one can use V* to distinguish between a commitment to G and a commitment to C

Claim: the distributions of (S, V*) and (P, V*) are indistinguishable
Proof: if not, one can distinguish between a commitment to G and a commitment to C
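The Hamiltonicity protocol above (Steps 1 to 3 with the verifier’s checks) and the rewinding simulator, as an added Python example that is not part of the lecture. It assumes a directed graph given as an adjacency matrix, a SHA-256-based bit commitment as a stand-in for the lecture’s commitment scheme, and a cheating verifier V* supplied as a function that picks its challenge from the commitments it sees.

```python
import hashlib, random

def com(b, nonce):  # stand-in bit commitment (assumption): SHA-256(bit || 16-byte nonce)
    return hashlib.sha256(bytes([b]) + nonce).digest()
def commit_graph(H, rng):
    # Commit to every adjacency-matrix entry separately; returns commitments and openings (bit, nonce)
    ops = [[(b, rng.getrandbits(128).to_bytes(16, "big")) for b in row] for row in H]
    return [[com(b, nc) for b, nc in row] for row in ops], ops

def permute(G, pi):  # pi(G): node i of G becomes node pi[i]; G is a directed adjacency matrix
    inv = {pi[i]: i for i in range(len(G))}
    return [[G[inv[a]][inv[b]] for b in range(len(G))] for a in range(len(G))]

def is_ham_cycle(n, edges):  # n directed edges, distinct sources, one cycle through every node
    nxt = dict(edges); v, seen = 0, set()
    while v in nxt and v not in seen: seen.add(v); v = nxt[v]
    return len(nxt) == n and len(seen) == n and v == 0

def prover_commit(G, cycle, rng):  # Step 1, before any challenge: random pi, commit to pi(G)
    pi = list(range(len(G))); rng.shuffle(pi)
    return (pi, cycle) + commit_graph(permute(G, pi), rng)   # state = (pi, cycle, coms, ops)

def prover_open(state, r):
    # Step 3: r=0 -> reveal pi and open everything; r=1 -> open only the slots of pi(cycle)
    pi, cycle, _, ops = state; n = len(pi)
    if r == 0: return pi, ops
    edges = [(pi[cycle[k]], pi[cycle[(k + 1) % n]]) for k in range(n)]
    return {(a, b): ops[a][b] for a, b in edges}

def verifier(G, coms, r, resp):
    n = len(G)
    if r == 0:  # the committed graph must equal pi(G) for the revealed permutation pi
        pi, ops = resp; H = permute(G, pi)
        return sorted(pi) == list(range(n)) and all(
            com(*ops[i][j]) == coms[i][j] and ops[i][j][0] == H[i][j] for i in range(n) for j in range(n))
    # r == 1: every opened slot must open to '1' and the opened slots must form a Hamiltonian cycle
    return all(com(*o) == coms[a][b] and o[0] == 1 for (a, b), o in resp.items()) and is_ham_cycle(n, list(resp))

def simulator(G, v_star, rng):
    # No witness: guess r', prepare commitments it can open for r' only, rewind V* on a wrong guess
    n = len(G)
    while True:
        guess = rng.getrandbits(1); pi = list(range(n)); rng.shuffle(pi)
        if guess == 0:
            coms, ops = commit_graph(permute(G, pi), rng); resp = (pi, ops)
        else:  # commit to the random cycle pi[0] -> pi[1] -> ... -> pi[0]; all other slots are 0
            edges = [(pi[k], pi[(k + 1) % n]) for k in range(n)]
            coms, ops = commit_graph([[int((a, b) in edges) for b in range(n)] for a in range(n)], rng)
            resp = {(a, b): ops[a][b] for a, b in edges}
        if v_star(coms) == guess: return coms, guess, resp
```

The simulator never sees the cycle, yet the transcript it returns passes the same verifier; on a wrong guess it discards its commitments and starts over, which is the rewinding step.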

Theorem: if one-way functions exist, then for any language L in NP there exists a Zero-Knowledge Proof System for L.

Via reduction to Hamiltonicity; witnesses are mapped to witnesses.

Motivation for Zero-knowledge

• Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious
• Need a further property: proof of knowledge
– Possible to extract the witness from a successful prover

Question: zero-knowledge protocol for subset sum

• Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
• Subset sum problem: given
– n numbers 0 ≤ a_1, a_2, …, a_n < 2^m
– a target sum T
– is there a subset S ⊆ {1, ..., n} such that

∑_{i ∈ S} a_i = T mod 2^m

What happens if…

• There is extra information about X:
– Both A and A’ get h(X) for some polynomial time computable function h
– h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key

Further Issues

• What about errors in decryption?
• Is this the ultimate definition?
– Does it capture all the ways in which encryption is used?

Example: Interactive Authentication

P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.

To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P)
• P → V: Receiving c,
Decrypt c using K_S
Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.

Is it Safe?

• Definition of security: existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence of messages m_1, m_2, …
– Has to succeed in making V accept a message m not authenticated
– Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• Several problems: if E is “just” semantically secure against chosen plaintext attacks:
– Adversary might change c = E(m ∘ r, K_P) into c’ = E(m’ ∘ r, K_P)
• Malleability
– not sufficient to verify the correct form of the ciphertext in the simulation
• Closer to a chosen ciphertext attack

Sources

• Goldreich’s Foundations of Cryptography, volume 1
