How (Not) to Prove Yourself
CryptoForma 2013
David Bernhard
April 16, 2013
(1 / 17)

Goldwasser, Micali: Turing Award 2012 (2 / 17)
"However, their most interesting contribution is the idea of zero-knowledge."
Source: bristolcrypto.blogspot.com

Verifiable Computation (3 / 17)
data -> f -> result, together with a proof

Zero Knowledge (4 / 17)
public X, secret w
She knows w! He doesn't know w!
Zero-Knowledge comes in many flavours:
- interactive / non-interactive
- simulation-sound, non-malleable, concurrent
- plain / ROM / CRS / ROM+GGM
- single-theorem / multi-theorem
- computational / statistical / perfect
- PoK / PoM / argument
- rewinding / straight-line / trapdoor

(5 / 17) figure only, no text extracted

Schnorr (6 / 17)
Prover holds w with X = G^w.
1. Prover picks a and sends the commitment A = G^a.
2. Verifier sends the challenge c.
3. Prover sends the response s = a + c·w.
Verifier checks: G^s = A · X^c ?

Who gives Bob the public element X? (7 / 17)
ID protocol: X first, then π (this is the setting of the definition of PoK).
Voting: (X, π) together (this is what most applications do).

Weak and Strong (8 / 17)
w, X = G^w; a, A = G^a
strong: c = H(X, A)
weak: c = H(A)
Proof: (X, A, s = a + cw)
Check: G^s = A · X^{H(...)} ?

Weak and Strong (9 / 17)
Theory does not distinguish between the weak and strong Fiat-Shamir transformations.
Both are ROM-NIZKPoK (if the Σ-protocol is "good").

Zero-Knowledge (10 / 17)
Prover's order: w, statement X, commitment A, challenge c, response s.
Simulator's order: statement X, response s, challenge c, commitment A (patch oracle).
Italics (on the slide): computed from previous values.

The Third Way (11 / 17)
Prover: w, statement X, commitment A, challenge c, response s.
Simulator: statement X, response s, challenge c, commitment A (patch oracle).
The third way: response s, commitment A, challenge c, statement X.

Weak Schnorr (12 / 17)
Pick s and A. Compute c = H(A). Set X = (G^s / A)^{1/c} (the exponent 1/c is computed in some F_q).
Result: statement X and proof (A, c, s) of knowledge of DLOG(X), such that c = H(A) and G^s = A · X^c.

Chaum-Pedersen (13 / 17)
Chaum-Pedersen: proof that X = (X1, X2, X3) is a DDH triple.
Weak Chaum-Pedersen is not sound: one can create (X, π) that verifies but where X is random in G^3.

Bad Ballots (14 / 17)
Ballots cast: Yes 2, No 0, Maybe 1.
Bad ballot for "yes".

Bad Results (15 / 17)
In a Helios election, if all talliers and one voter are dishonest they can set up a "trapdoor" public key that allows them to make one change, chosen in advance, to the election result. Such elections are indistinguishable from correct ones.

Conclusions (16 / 17)
- Current notions of ZK-PoKs are insufficient for verifiable computation, where the statement and proof are computed together. Theory does not distinguish weak from strong FS; in practice the former can be insecure.
- Current notions of ZK are complex and model-dependent. Σ-protocols are simple and practical. The same should hold for their theory!

(17 / 17) closing slide, no text extracted
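The Schnorr protocol of slide 6, the weak and strong Fiat-Shamir challenges of slide 8 and the "third way" statement derivation of slide 12 in working form, as an added example that is not part of the slides. It assumes a toy safe-prime group generated in the code itself (far too small for real use), SHA-256 over a "|"-joined decimal encoding as the instantiation of H, and the hypothetical function names prove, verify and statement_from_proof. The point for an implementer is on the verifier side: a verifier that recomputes c = H(X, A) rejects a (X, π) pair built with the slide-12 method, while one that recomputes only c = H(A) accepts it.

```python
import hashlib
import secrets

# --- Toy group parameters (constructed here for the example; not a secure size) ---

def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases; this is deterministic
    for every n below roughly 3e23, which covers the 64-bit values used here."""
    small_primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for sp in small_primes:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small_primes:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):
    """Return (p, q, g) with p = 2q + 1, p and q prime, and g = 4 generating the
    order-q subgroup of Z_p^* (4 is a square, so 4^q = 2^(p-1) = 1 mod p)."""
    q = (1 << (bits - 1)) | 1                 # odd candidate of the requested size
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group(64)

def hash_to_challenge(*values):
    """H(...) from the slides: SHA-256 over a '|'-joined encoding, reduced into Z_q."""
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def challenge(X, A, strong):
    """Strong FS binds the challenge to the statement X; weak FS hashes only A."""
    return hash_to_challenge(X, A) if strong else hash_to_challenge(A)

def prove(w, strong):
    """Honest Schnorr prover for X = G^w. Returns the statement X and proof (A, c, s)."""
    X = pow(G, w, P)
    a = secrets.randbelow(Q - 1) + 1          # fresh randomness; reuse would leak w
    A = pow(G, a, P)
    c = challenge(X, A, strong)
    s = (a + c * w) % Q
    return X, (A, c, s)

def verify(X, proof, strong):
    """Verifier: range-check, recompute the challenge, check G^s = A * X^c."""
    A, c, s = proof
    if not (1 <= X < P and 1 <= A < P and 0 <= s < Q):
        return False
    if c != challenge(X, A, strong):          # never trust the c shipped with the proof
        return False
    return pow(G, s, P) == (A * pow(X, c, P)) % P

def statement_from_proof(s=7, a=1):
    """Slide 12: fix the response s and commitment A first, then derive the statement
    X = (G^s / A)^(1/c). The exponent 1/c is taken in Z_q because the group has prime
    order q. This needs c before X exists, which only the weak challenge c = H(A) allows."""
    while True:
        A = pow(G, a, P)
        c = hash_to_challenge(A)
        if c != 0:                            # c must be invertible mod q
            break
        a += 1
    c_inv = pow(c, -1, Q)
    base = (pow(G, s, P) * pow(A, -1, P)) % P
    X = pow(base, c_inv, P)
    return X, (A, c, s)

if __name__ == "__main__":
    X, pi = prove(w=12345, strong=True)
    print("honest strong-FS proof verifies:", verify(X, pi, strong=True))
    Xd, pid = statement_from_proof()
    print("derived statement accepted by weak-FS verifier:", verify(Xd, pid, strong=False))
    print("same pair accepted by strong-FS verifier:", verify(Xd, pid, strong=True))
```

The group is generated rather than hard-coded so that the challenge space is large enough for the strong and weak challenges of the same (X, A) to disagree with overwhelming probability; in a deployment the group, the generator and the full statement (including G and the public parameters) would all go into the hash, not just X and A.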