Proof-of-Knowledge of Representation of Committed Value and Its Applications
Man Ho Au, Willy Susilo and Yi Mu
ACISP 2010
Agenda
Introduction
Our Protocol
Three Applications: Blind Signature, Compact E-Cash, Traceable Signatures
Conclusion
University of Wollongong
Introduction
Zero-Knowledge Proof: a protocol in which a prover convinces a verifier that a certain statement is true, while the verifier learns nothing except the validity of the assertion.
Proof-of-Knowledge: a protocol that convinces a verifier that the prover knows a certain quantity satisfying some relation with respect to a commonly known string.
Zero-Knowledge Proof-of-Knowledge (ZKPoK): a Proof-of-Knowledge protocol which is zero-knowledge.
Discrete logarithm of an element
Let G = ⟨h⟩ be a cyclic group of prime order. x is the discrete logarithm of a value y to base h if y = h^x.
Representation of an element
Let h1, …, hL be generators of G. A tuple x = (x1, …, xL) is a representation of a value y to base h1, …, hL if y = h1^{x1} … hL^{xL}.
Commitment Scheme
A two-stage protocol between committer Alice and receiver Bob.
Commit Stage: Alice has a private input x, produces a value C, called the commitment of x, and gives it to Bob.
Reveal Stage: Alice reveals x to Bob.
Hiding: Bob learns nothing about x in the commit stage.
Binding: Alice can only reveal a single value (i.e. x) in the reveal stage.
Pedersen Commitment
Let G be a cyclic group and g, g0, g1, …, gL be generators. To commit a tuple x, choose a random number r and compute C = g^r g1^{x1} … gL^{xL}. To reveal x, output x and r.
Let G be a cyclic group of prime order p. Let H be a cyclic group of prime order q such that H is a subgroup of Zp*. Let C, D be commitments of a value y and a tuple x such that x is a representation of y.
Our Contributions
Given C and D, we present a zero-knowledge proof-of-knowledge protocol such that
y is committed in C
x is committed in D
x is a representation of y
Our protocol is zero-knowledge in the sense that the verifier learns nothing about x and y.
Three applications of our argument system are presented: Blind Signature, Traceable Signatures, Compact E-Cash.
Our Protocol
ZKPoK of Double Discrete Logarithm [Stadler]
Alice wishes to prove to Bob the knowledge of x such that C = g^{h^x}. Both Alice and Bob know C.
3-Move Protocol
Alice sends to Bob T = g^{h^r} for some random number r
Bob returns a bit c ∈ {0, 1}
Alice computes and returns to Bob z = r – cx
Bob checks if T = g^{h^z} if c = 0, or T = C^{h^z} if c = 1
Alice can cheat with probability 1/2 by guessing the value of c and computing T = g^{h^z} or T = C^{h^z}. To make the probability negligible, repeat the protocol t times. Stadler's protocol does not hide the witness x…
Our Protocol
Alice wishes to prove to Bob the knowledge of x and s such that C = g^{h^x} g0^s. Both Alice and Bob know C. C is a commitment of h^x and thus leaks no information on x.
Three-Move Protocol
Alice sends to Bob T = g^{h^a} g0^b for some random numbers a, b
Bob returns a bit c ∈ {0, 1}
Alice computes and returns to Bob a pair (u, v): u = a and v = b if c = 0; u = a – x and v = b – h^u s if c = 1
Bob checks if T = g^{h^u} g0^v if c = 0, or T = C^{h^u} g0^v if c = 1
Again, the protocol needs to be repeated t times.
Generalization of our protocol
Alice wishes to prove to Bob the knowledge of a tuple x and s such that C = g^{h0^r h1^{x_1} … hL^{x_L}} g0^s
Three-Move Protocol
Alice sends to Bob T = g^{h_0^{a_0} … h_L^{a_L}} g0^b for some random numbers a_0, …, a_L, b
Bob returns a bit c ∈ {0, 1}
Alice computes and returns to Bob a tuple (u_0, …, u_L, v): u_i = a_i and v = b if c = 0; u_0 = a_0 – r, u_i = a_i – x_i and v = b – h_0^{u_0} … h_L^{u_L} s if c = 1
Bob checks whether T = g^{h_0^{u_0} … h_L^{u_L}} g0^v if c = 0, or T = C^{h_0^{u_0} … h_L^{u_L}} g0^v if c = 1
Our protocol is honest-verifier zero-knowledge, meaning that it is zero-knowledge with respect to a verifier that follows the protocol. It can be turned into non-interactive form using the Fiat-Shamir transform.
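The generalized three-move protocol, run for t rounds and made non-interactive with the Fiat-Shamir transform, as an added example (not code from the paper). It assumes toy parameters P = 47, p = 23, q = 11 (far too small for security) and that the generators g, g0 and h_0, h_1, h_2 are independent.

```python
import hashlib, secrets

# Toy parameters, constructed for illustration (far too small to be secure): G is the
# order-p subgroup of Z_P^* and H the order-q subgroup of Z_p^*, so q | p-1 and p | P-1.
P, p, q = 47, 23, 11
gen = lambda a, mod, order: pow(a, (mod - 1) // order, mod)  # into the order-`order` subgroup
g, g0 = gen(2, P, p), gen(3, P, p)               # generators of G (assumed independent)
hs = [gen(2, p, q), gen(3, p, q), gen(5, p, q)]  # h_0, h_1, h_2: generators of H (none is 1)

def h_pow(exps):
    """h_0^{e_0} h_1^{e_1} ... computed in H, i.e. modulo p."""
    out = 1
    for h, e in zip(hs, exps):
        out = out * pow(h, e % q, p) % p
    return out

def commit(exps, s):
    """C = g^{h_0^r h_1^{x_1} ... h_L^{x_L}} g0^s in G, with exps = (r, x_1, ..., x_L)."""
    return pow(g, h_pow(exps), P) * pow(g0, s, P) % P

def challenge(C, Ts):
    """Fiat-Shamir: one challenge bit per round, derived from a hash of (C, T_1, ..., T_t)."""
    digest = hashlib.sha256(",".join(map(str, [C] + Ts)).encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(Ts))]

def prove(C, exps, s, t=24):
    """Prover: t rounds of the three-move protocol, made non-interactive."""
    rounds = [([secrets.randbelow(q) for _ in hs], secrets.randbelow(p)) for _ in range(t)]
    Ts = [commit(a, b) for a, b in rounds]                  # T = g^{h^a} g0^b
    resp = []
    for (a, b), c in zip(rounds, challenge(C, Ts)):
        if c == 0:
            resp.append((a, b))                             # u = a, v = b
        else:
            u = [(ai - xi) % q for ai, xi in zip(a, exps)]  # u_0 = a_0 - r, u_i = a_i - x_i
            resp.append((u, (b - h_pow(u) * s) % p))        # v = b - h^u s
    return Ts, resp

def verify(C, proof):
    """Verifier: T == g^{h^u} g0^v if c = 0, T == C^{h^u} g0^v if c = 1, in every round."""
    Ts, resp = proof
    for T, (u, v), c in zip(Ts, resp, challenge(C, Ts)):
        if T != pow(g if c == 0 else C, h_pow(u), P) * pow(g0, v, P) % P:
            return False
    return len(Ts) == len(resp) > 0

def demo():
    exps, s = [5, 7, 3], 9   # constructed witness: r = 5, x = (7, 3), blinding s = 9
    C = commit(exps, s)      # honest proof verifies; a proof from a different witness does not
    return verify(C, prove(C, exps, s)), verify(C, prove(C, [5, 7, 4], s))
```

Each round a dishonest prover passes with probability 1/2, so a proof built from the wrong witness fails with overwhelming probability over the 24 rounds.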
Blind Signature
Alice wishes to obtain a signature on message m from Bob without revealing m… It is conceptually easy to build a blind signature using our zero-knowledge argument system.
Let m be the message. Alice produces a value D = h0^r h1^m. Alice sends D to Bob, who signs D and produces a signature σ. Alice produces a value C, which is a commitment of D, i.e., C = g0^s g1^D.
Using our protocol, Alice generates a non-interactive zero-knowledge proof-of-knowledge π which proves the knowledge of the values σ, r such that
(1) C is a commitment of D
(2) D can be represented as h0^r h1^m
(3) σ is a valid signature on D
Alice parses the blind signature on m as (C, π). To verify the signature, one checks if π is a valid proof, which guarantees that
C is a commitment of a certain value D
Alice knows the discrete logarithm of D/(h1^m) to base h0 (i.e. D = h0^r h1^m)
Alice knows a valid signature σ on D
Our protocol handles requirements 1 and 2, and it remains to find a suitable signature scheme such that requirement 3 can be done efficiently. Specifically, we require a signature scheme which allows zero-knowledge proof-of-knowledge of a signature on a committed value. The Boneh-Boyen short signature is one of the candidates.
Compact E-Cash
Alice wishes to obtain an electronic coin from the bank Bob. This coin can be spent k times, where k is a system parameter.
Withdrawing a coin
Alice produces a value D' = h0^{s'} h1^{t'} h2^x. Alice sends D' to Bob, who sets D = D' h0^{s''} h1^{t''} and signs D to produce a signature σ. Bob sends (σ, s'', t'') to Alice. Alice computes s = s' + s'', t = t' + t'' and D accordingly. She parses her electronic coin as (σ, s, t, x, j), where j is the number of times the coin has been spent.
Spending a coin
Alice with electronic coin (σ, s, t, x, j) spends the coin to merchant Carol as follows. Let R be a unique identifier for this transaction. Alice produces C as a commitment of D, and computes two values
S = prf(s, j)
T = D (prf(t, j))^R
Alice then produces a non-interactive proof π, which shows that Alice has the knowledge of the values σ, s, t, x, j such that
(1) C is a commitment of D
(2) D can be represented as h0^s h1^t h2^x
(3) σ is a valid signature on D
(4) S = prf(s, j)
(5) T = D (prf(t, j))^R
(6) 1 ≤ j ≤ k
Alice gives Carol (π, C, S, T) as the spent coin. Carol verifies the proof π and accepts the payment.
Intuition
Each electronic coin (σ, s, t, x, j) can be spent up to k times. Repeated use of a coin will be detected: the value S = prf(s, j) is deterministic!
The identity of Alice will be revealed with repeated use of a coin. Given two spends of the same coin with tags T and T' and transaction identifiers R and R',
D := (T^{R'} / T'^{R})^{1/(R' – R)}
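Double-spending detection as sketched above, as an added example (not the paper's code): the bank links two spends by the repeated serial S and recovers D from the two tags. The PRF is a stand-in hash-to-group function and the toy parameters (P = 47, p = 23) are assumptions; D, S and T are taken to live in the order-p group G.

```python
import hashlib

# Toy group, constructed for illustration only (far too small to be secure):
# G is the order-p subgroup of Z_P^*, generated by g.
P, p = 47, 23
g = pow(2, (P - 1) // p, P)

def prf(key, j):
    """Stand-in PRF (an assumption, not the paper's): hash (key, j) to a non-identity element of G."""
    d = int.from_bytes(hashlib.sha256(f"{key}|{j}".encode()).digest(), "big")
    return pow(g, 1 + d % (p - 1), P)

def spend(D, s, t, j, R):
    """Serial number S and tag T that a spender reveals for coin (., s, t, ., j) in transaction R."""
    S = prf(s, j)                       # deterministic in (s, j): reusing j repeats S
    T = D * pow(prf(t, j), R, P) % P    # T = D * prf(t, j)^R
    return S, T

def identify_double_spender(spend1, spend2):
    """Given two spends (R, S, T) and (R', S, T') with the same serial S, recover D."""
    (R1, S1, T1), (R2, S2, T2) = spend1, spend2
    if S1 != S2 or (R2 - R1) % p == 0:
        return None                     # different coins, or R' - R not invertible mod ord(G)
    # T^{R'} / T'^{R} = D^{R' - R}: the prf(t, j)^{R R'} factors cancel, so take the (R' - R)-th root.
    ratio = pow(T1, R2, P) * pow(pow(T2, R1, P), -1, P) % P
    return pow(ratio, pow((R2 - R1) % p, -1, p), P)

def demo():
    """The same coin spent twice with j = 2 (transaction ids 3 and 7) is linked by S and deanonymised."""
    D, s, t = pow(g, 17, P), 5, 9       # constructed coin: D is an element of G, s and t its seeds
    S1, T1 = spend(D, s, t, 2, 3)
    S2, T2 = spend(D, s, t, 2, 7)
    return S1 == S2, identify_double_spender((3, S1, T1), (7, S2, T2)) == D
```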
Traceable Signatures
Bob the group manager certifies a set of users, including Alice. A certified user can sign on behalf of the group anonymously. In case of dispute, Bob the GM can issue tracing information which allows linking of all signatures generated by Alice.
Joining the group
Alice produces a value D' = h0^{s'} h2^x. Alice sends D' to Bob, who sets D = D' h0^{s''} h1^t and signs D to produce a signature σ. Bob sends σ, s'', t to Alice. Alice computes s = s' + s''. She parses her secret key as (σ, s, t, x).
Generation of a Group Signature
Alice with secret key (σ, s, t, x) generates a signature on behalf of the group as follows. Let M be the message. Alice produces C as a commitment of D, and computes three values S = h^k, T = S^t, U = VE(D).
Alice then produces a non-interactive proof π (a signature of knowledge taking M as challenge), which proves the knowledge of the values σ, s, t, x, k such that
(1) C is a commitment of D
(2) D can be represented as h0^s h1^t h2^x
(3) σ is a valid signature on D
(4) S = h^k
(5) T = S^t
(6) U = VE(D)
Alice parses the group signature as (π, C, S, T, U).
Open: Bob decrypts U, obtains D and identifies the user.
Trace: Bob reveals t of a particular user, and everyone can check whether a signature belongs to that user by checking if T = S^t.
Conclusion
We present a zero-knowledge proof-of-knowledge protocol which allows proving the knowledge of a representation of a committed value. We demonstrate its significance with several applications.
Efficiency issues
The protocol has to be repeated t times (though that could be done in parallel).
The DL assumption has to be hard in the subgroup H, meaning that the order of G has to be large => inefficient!
Applications
The non-interactive form of the protocol requires the random oracle model.