A protocol for K-multiple substring matching

A protocol for K-multiple substring matching ∗ Vadym Fedyukovych

Vitaliy Sharapov

August 18, 2008

Abstract A protocol is introduced to show K copies of a pattern string are embedded is a host string. Commitments to both strings, and to offsets of copies of the pattern in the host is input of Verifier. Protocol does not leak useful information about strings, and is zero knowledge.

1

Preliminaries

We consider a string as a set of tuples of integers for each character and it’s position. This can be elaborated by introducing a set of allowed characters, and require positions to be continuous. Definition 1 (Polynomial representation). String characteristic polynomial is a mapping from all sets of character-position tuples to a ring of polynomials over integers: S : {(c j , i j )} → F ( x, y; S)

(1)

|S|

F ( x, y; S) =

∏(1 + xc j + yi j )

(2)

j =1

A related definition for graph characteristic polynomial appeared with protocols for graph isomorphism and vertex coloring [Fed08]. Lemma 1 (Schwartz-Zippel [Sch80], a case of a univariate polynomial). Probability to choose a root of a non-zero polynomial f (z) of degree at most d by choosing some z = c at random from a set D Pr [ f (c) = 0 | c ∈ R D ] ≤ ∗ Extended abstract.

d | D|

This report to appear in ITaS’08 (in Russian).

1

A commitment scheme is a tuple of algorithms Gen(), Commit(), Open() such that binding and hiding holds. An integer commitment scheme [DF02] suggest a group of a hidden order. We use this scheme with an additional requirement of avoiding small divisors of order of the group by using strong primes to produce module N. Protocols for this scheme achieve soundness on assumption of hardness of Strong RSA problem, as well as statistically indistinguishable simulated transcripts.

2

Protocol design

Let {(c Pj , i Pj )} be characters of pattern and their positions, {(c Hj , i Hj )} be characters and positions of host, {ok } be offsets of copies of pattern at the host, {r j } be flags assigned to characters of host. Let {CPj }, { IPj }, {C Hj }, { IHj }, {Ok }, { R j } be responses of a variant of Schnorr protocol [Oka92] with challenges (e, d, s) and initial random coins {α Pj }, { β Pj }, {α Hj }, { β Hj }, {γk }, {ρ j }: CPj = ec Pj + α Pj

IPj = di Pj + β Pj

(3)

C Hj = ec Hj + α Hj

IHj = di Hj + β Hj

(4)

Ok = dok + γk

(5)

R j = sr j + ρ j

(6)

Definition 2. Pattern string verification polynomial is a mapping from all sets of tuples of integers {(CPj , IPj )} that are protocol responses for characters of pattern and their positions, and all sets of integers {Ok } that are responses for pattern positions in the host, and for protocol challenges e, d to ring of polynomials over integers: K

FP ( x, y; SP ) =

LP

∏ ∏(ed + xdCPj + ye( IPj + Ok ))

(7)

k =1 j =1

Definition 3. Host string verification polynomial is a mapping from all sets of tuples of integers {(C Hj , IHj )} that are protocol responses for characters of host and their positions, and all sets of integers { R j } that are responses for flags, and for protocol challenges s, e, d to ring of polynomials over integers: LH

FH ( x, y; S H ) =

∏(eds + R j (xdCHj + yeIHj ))

(8)

j =1

We assign flags r j = 1 to characters of K non-overlapping copies of pattern string in the host string, and r j = 0 to all other characters of host. We say S F = { j | r j = 1}

2

Consider expansion coefficients as follows: FH ( x, y; S H ) = s L H FH′ ( x, y) +

L H −1

∑

st vt

(9)

t =0

FH′ ( x, y) = (ed) L H −KLP

∏ (ed + xdCHj + yeIHj )

(10)

j∈SF n

FH′ ( x, y) = (ed) L H −n ∑ el al ( x, y)

where n = KL P

(11)

l =0 n

an ( x, y) =

dm bm ( x, y)

∑

(12)

m =0 K

bn ( x, y) =

LP

∏ ∏(1 + xcPj + y(iPj + ok ))

(13)

k =1 j =1

Product in (10) is over characters of K copies of pattern in the host. Position of a character in the host was replaced at (13) with position of a matching character in the pattern and offset of a copy of the pattern. Consider another set of expansion coefficients: n

FP ( x, y; S) =

∑ el a′l (x, y)

(14)

l =0

a′n ( x, y) =

n

∑

′ d m bm ( x, y)

(15)

m =0

bn′ ( x, y) =

K

LP

∏ ∏(1 + xcPj + y(iPj + ok ))

(16)

k =1 j =1

It follows that Lemma 2. There are at least K non-overlapping copies of the pattern string in the host string if, and only if bn ( x, y) ≡ bn′ ( x, y)

(17)

holds for top expansion coefficients of pattern and host verification polynomials, and for some assignments of flags r j ∈ {0, 1} to characters of the host. Backward statement can be shown due to unique decomposition of verification polynomials into relatively prime linear polynomials. Verifier tests that (17) holds by choosing x = xc , y = yc at random, and testing bn ( xc , yc ) = bn′ ( xc , yc ) with our protocol.

3

(18)

3

Protocol

Common input is commitment scheme parameters: ( N, g, h), commitment to pattern string:

{(WPj , MPj )},

j = 1 . . . LP

{(WHj , M Hj )},

j = 1 . . . LH

to host string:

and to pattern offsets in host string:

{ Q k },

k = 1...K

Auxiliary input of Prover is characters and their positions of both strings, offsets of pattern copies in the host, as well as random coins used to produce commitments:

{(c Pj , i Pj )},

{(c Hj , i Hj )},

{ok }

{(θ Pj , φPj )},

{(θ Hj , φHj )},

{λk }

such that WPj = gcPj hθPj ,

MPj = giPj hφPj

WHj = gc Hj hθ Hj ,

M Hj = gi Hj hφHj

Q k = g ok h λk Prover shows there are at least K copies of pattern string in the host string as follows: 1. Prover assigns flags r j = 1 to characters of text string that are copies of pattern string, and r j = 0 to all other characters of text string. Prover chooses random coins {ω j }, produces commitments: L j = gr j h ω j

j = 1 . . . LH

(19)

Prover sends { L j } to Verifier. 2. Verifier chooses a challenge ( xc , yc ) from the interval at random, and sends it to Prover. 3. Prover chooses random coins

{( β Hj , µ Hj )},

{( β Pj , µ Pj )},

4

{(γk , χk )}

(20)

′ }: produces expansion coefficients {bm }, {bm n

n

j =1

m =0

∏(z + xc zc Hj + yc (zi Hj + β Hj )) = ∑

z m bm

LP

K

(21)

n

∏ ∏(z + xc zcPj + yc ((ziPj + β Pj ) + (zok + γk ))) = ∑

′ z m bm

m =0

k =1 j =1

(22) ′ , ψ, τ, τ ′ ), produces commitments: chooses random coins (ζ m , ζ m ′

′

′ Bm = g bm h ζ m

Bm = gbm hζ m ,

m = 0...n

(23)

β Pj µ Pj

j = 1 . . . LP

(24)

YHj = g β Hj hµPj

j = 1 . . . LH

(25)

YPj = g

h

γk χ k

Xk = g h

k = 1...K

(26)

ψ τ

Z=g h

Z′ = gψ h

(27)

τ′

(28)

′ }, {Y }, {Y }, { X }, Z, Z ′ to Verifier. Prover sends { Bm }, { Bm Pj Hj k

4. Verifier chooses a non-zero challenge d at random from the interval, and sends it to Prover. 5. Prover produces responses: IHj = di Hj + β Hj , IPj = di Pj + β Pj ,

Φ Hj = dφHj + µ Hj ,

j = 1 . . . LH

Φ Pj = dφPj + µ Pj ,

Ok = dok + γk ,

Λk = dλk + χk ,

Ψ = dbn + ψ,

Γ = dζ n + τ,

′

(29)

j = 1 . . . LP

(30)

k = 1...K

(31)

Γ =

dζ n′

+τ

′

(32)

chooses random coins ({(α Hj , η Hj )}, {(α Pj , ηPj )}), produces expansion coefficients { an }, { a′n }: KL P

n

∏ (zd + xc d(zc Hj + α Hj ) + yc z( IHj + dok )) =

∑ zl al

j =1

l =0

K

LP

(33)

n

∏ ∏(zd + xc d(zcPj + αPj ) + yc z( IPj + Ok )) =

∑ zl a′l

k =1 j =1

l =0

(34)

chooses random coins {πl }, {πl′ }, produces commitments: Al = g al h πl ,

′

l = 0 . . . ( n − 1)

(35)

α Pj ηPj

h

j = 1 . . . LP

(36)

α Hj η Hj

j = 1 . . . LH

(37)

TPj = g THj = g

′

A′l = g al hπl h

5

Prover sends { IHj }, {Φ Hj }, { IPj }, {Φ Pj }, {Ok }, {Λk }, Ψ, { Al }, { A′l }, { TPj }, { THj } to Verifier. 6. Verifier chooses a non-zero challenge e at random from the interval, and sends it to Prover. 7. Prover produces responses: C Hj = ec j + α Hj ,

Θ Hj = eθ Hj + η Hj

(38)

CPj = ec j + α Pj ,

Θ Pj = eθ Pj + ηPj

(39)

chooses random coins {ρ j }, produces expansion coefficients {vt }: LH

LH

∏(edz + (zr j + ρ j )(xc dCHj + yc eIHj )) =

∑ zt vt

j =1

t =0

(40)

produces expansion coefficients {(u1j , u0j )}:

(zr j + ρ j )(z(r j − 1) + ρ j ) = u1j z + u0j

(41)

chooses random coins {σt }, {δj }, {(ν1j , ν0j )}, produces commitments: Vt = gvt hσt

t = 0 . . . ( L H − 1)

(42)

j = 1 . . . LH

(43)

E0j = gu0j hν0j

(44)

ρ j δj

Nj = g h

E1j = gu1j hν1j ,

Prover sends {C Hj }, {Θ Hj }, {CPj }, {Θ Pj }, {Vt }, { Nj }, {( E1j , E0j )} to Verifier. 8. Verifier chooses a non-zero challenge s at random from the interval, and sends it to Prover. 9. Prover produces responses R j = sr j + ρ j ,

j = 1 . . . LH

Ω j = sω j + δj

(46)

Ξ j = sν1j + ν0j

(47)

∆ P = en

n

∑

′ dm ζ m +

m =0

∆H = s

LH

(e

n

(45)

n

∑

m

d ζm +

m =0

n −1

∑ el πl′

(48)

l =0 n −1

l

L H −1

∑ e πl ) + ∑

l =0

t =0

Prover sends { R j }, {Ω j }, {Ξ j }, ∆ P , ∆ H to Verifier.

6

st σt

(49)

10. Verifier tests responses to fit commitments: −e gCPj hΘPj WPj = TPj

−d g IPj hΦPj MPj = YPj

(50)

−e gCHj hΘ Hj WHj = THj

d g IHj hΦ Hj M− Hj = YHj

(51)

d g Ok h Λ k Q − k = Xk s g R j hΩ j L− j

(52)

= Nj

(53)

tests flags to be from the right set (r j ∈ {0, 1}): s g− R j ( R j −s) h−Ξ j E1j E0j = 1

(54)

produces LP

K

UP =

∏ ∏(ed + xc dCj + yc e( Ij + Ok ))

(55)

k =1 j =1 LH

U H = (ed)−( L H −n) ∏(eds + R j ( xc dC j + yc eIj ))

(56)

j =1

Verifier accepts if ′ } are commitments to expansion coefficients of pat(a) { A′l }, { Bm tern verification polynomial:

g

− UP − ∆ P

h

n

∏

′ dm ( Bm )

m =0

!en

n −1

∏ ( A′l )e

l

=1

(57)

l =0

(b) { Al }, { Bm } are commitments to expansion coefficients of host verification polynomial: 

g −U H h − ∆ H 

n

∏ ( Bm )d

m

m =0

! en

n −1

l

sLH

∏ ( Al )e  l =0

L H −1

∏ (Vt )s

t

=1

t =0

(58)

(c) top expansion coefficients committed at Bn , Bn′ are the same (bn = bn′ ): gΨ hΓ Bn−d = Z Γ′

gΨ h ( Bn′ )−d = Z′

7

(59) (60)

4

Protocol properties

It is clear honest Verifier always accepts for an honest Prover and commitments such that there are at least K copies of pattern in the host. Lemma 3 (Soundness). Probability for an honest Verifier to accept for any polynomial Prover and any commitments such that there are no or less than K copies of pattern string in host string while running protocol shown in section 3 is at most 2KLPq+ L H . Lemma 4 (Zero knowledge). Protocol shown in section 3 has a simulator, and is honest verifier statistical zero knowledge. Proof. Consider a candidate simulator algorithm as follows. Given commitment scheme parameters ( N, g, h), challenges ( xc , yc , d, e, s), and commitments {(WPj , MPj )}, {(WHj , M Hj )}, { Qk }, Verifier: ′ }, { A ′ } 1. chooses group elements: { E1j }, { Bm l l =1...n −1 , { Bm }, { Al }, {Vt }t=1...L H −1 at random;

2. chooses some {CPj }, {Θ Pj }, { IPj }, {Φ Pj }, {C Hj }, {Θ Hj }, { IHj }, {Φ Hj }, {Ok }, {Λk }, { R j }, {Ω j }, ∆ P , ∆ H , Ψ, Γ, Γ′ at random; 3. produces −e TPj = gCPj hΘPj WPj

−d YPj = g IPj hΦPj MPj

(61)

−e THj = gCHj hΘ Hj WHj

d YHj = g IHj hΦ Hj M− Hj

(62)

d X k = g Ok h Λ k Q − k

(63)

s Nj = g R j hΩ j L− j

(64)

−s E0j = g R j ( R j −s) hΞ j E1j

(65)

LP

K

UP =

∏ ∏(ed + xc dCj + yc e( Ij + Ok ))

(66)

k =1 j =1 LH

U H = (ed)−( L H −n) ∏(eds + R j ( xc dC j + yc eIj ))

(67)

j =1

A0′

UP ∆ P

=g h

n

∏

′ dm ( Bm )

m =0



V0 = gUH h∆ H 

n

∏ ( Bm )d

m

m =0

! en

! −en

n −1

n −1

∏ ( A′l )−e l

−s L H

∏ ( Al )e  l =0

Z′ = gΨ h ( Bn′ )−d

8

(68)

l =1

Γ′

Z = gΨ hΓ Bn−d

l

L H −1

∏ (Vt )−s

t

t =1

(69) (70)

Transcript simulated this way is statistically indistinguishable from all protocol transcripts with the same challenges.

5

Discussion

Protocol introduced can be extended to show matching for 2D and 3D objects. Approximate matching can be another extension. Protocols of this type may be developed for similar statements regarding pattern matching. Protocol is expected to be useful in bioinformatics.

References ˚ and Eiichiro Fujisaki. A statistically-hiding in[DF02] Ivan Damgard teger commitment scheme based on groups with hidden order. In ASIACRYPT, pages 125–142, 2002. [Fed08] Vadym Fedyukovych. Protocols for graph languages. In (submitted), 2008. [Oka92] Tatsuaki Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In CRYPTO, pages 31–53, 1992. [Sch80] J. T. Schwartz. Fast probabilistic algorithms for verification of polynomial identities. J. ACM, 27(4):701–717, 1980.

9