Sigma Protocols and Zero Knowledge
- 1. SPB Crypto Devs Meetup Sigma Protocols and Efficient Zero-Knowledge Proofs Alexander Chepurnoy IOHK Research
- 2. Motivating Example ● Alice publishes a commitment of a secret ● Alice passes a secret to Bob ● Bob wants to convince Carol he knows a secret
- 3. Motivating Example ● Anonymous voting ● Every vote is whether 0 or 1 encrypted ● To calculate a sum, additively homomorphic encryption could be used ● But how to be sure only 0 or 1 is encrypted? ● Solution: a proof for each vote it is whether 0 or 1(without revealing a value!)
- 4. ZKPoKs: What For ● Identification schemes ● Signatures ● Building block in many protocols(voting, anonymous transactions etc)
- 5. ZKPoK ● Zero-Knowledge Proof of Knowledge ● Prover P, Verifier V, relation R ● Common input x ● P proves it knows a witness w for which (x,w) R∈ ● Without revealing anything about it ● In practice, often inefficient and so avoided
- 6. Properties ● Completeness: a correct statement could be proven ● Soundness: it's not possible to prove incorrect statements (with a non-negligible probability)
- 7. Σ-protocol, Generically ● P sends V a message a ● V sends P a random t-bit string e ● P sends a reply z, and V decides to accept or reject based solely on the data it has seen; i.e., based only on the values (x, a, e, z).
- 8. Theory Behind ● Ivan Damgard „On Sigma Protocols“ ● Yehuda Lindell, Carmit Hazay „Efficient Secure Two-Party Protocols: Techniques and Constructions“ (Book) ● Yehuda Lindell „Sigma Protocols and Zero Knowledge“ http://www.youtube.com/watch?v=nwsmG3S9wIc
- 9. Implementation ● ScAPI(Java/JVM) - The Secure Computation API https://github.com/cryptobiu/scapi ● Protocols pseudocode http://cryptobiu.github.io/scapi/SDK_Pseudocode.pdf
- 10. Example: Schnorr’s protocol ● Σ-protocol for DLOG ● h = gw ● (p, q ,g, h) is common input ● First msg(P): a = gr ● Second msg(V): challenge c = random({0, 1}, t) ● Third message(P): z = r + ew mod q ● V checks if gz = a * he ● Completeness: gz = g(r+ew) = gr * (gw )e = a * he
- 11. Schnorr’s protocol ● Very efficient: just 3 exponentiations ● Proof-of-Knowledge protocol ● Not provably Zero-Knowledge ● but Honest Verifier Zero-Knowledge ● error 2-t
- 12. Proof of Membership ● (x;w) ∈ L ● x is set
- 13. Example: Diffie-Hellman tuple ● Common input: (G,q,g,h,u,v,t) ● P knows w such as u = gw , v = hw ● P sends out a = gr , b = hr ● V sends out a challenge c = random({0, 1}, t) ● P sends out z = r + ew mod q ● V checks if gz = a*ue , hz = b * ve
- 14. Run Properties ● Parallel execution: l parallel runs with challenge of size t is equivalent to run protocols with challenge of size l*t ● Challenge could be of arbitrary size
- 15. Compound Statements ● AND ● OR
- 16. AND Statement ● Just run two protocols in parallel for (a1, a2) and the same e
- 17. OR Statement ● Prove one of two statements is true without revealing which ● Based on simulation for a statement witness isn't known for
- 18. Compound Statements ● OR of many statements (k out of n) is possible ● Any monotone formula, so any combination of ANDs and ORs without a negation, is possible
- 19. Commitment Scheme ● Commit phase ● Reveal phase ● hash (secret ++ blinding factor) ● Pedersen commitment: c = gx * hr
- 20. Zero Knowledge From Σ-protocol ● Verifier needs to commit a challenge in prior to a fist message from a Prover ● With the commitment being added, a Σ-protocol becomes provably Zero-Knowledge (details in the book of Lindell / Hazay)
- 21. Zero Knowledge From Σ-protocol ● Σ-protocol π ● V chooses a random t-bit challenge e and interacts with P via the commitment protocol in order to commit to e ● P computes the first message a in π, using (x, w) as input, and sends it to V ● V reveals e to P by decommitting ● P verifies the decommitment, computes the answer z in π, and sends z to V ● V accepts if and only if transcript (a, e, z) is accepting in π on input x
- 22. Commitment From Σ-protocol ● Verifier = receiver ● Prover = sender ● Set-up: V generates (x; w), sends x to P ● Commit: to commit to a t-bit string e. P runs simulator on (x, e) to get (a, e, z) and sends a to V ● Open: to reveal the commitment, P sends (e, z) to V, V checks (a, e, z)
- 23. Non-Interactive Σ-protocol ● No interaction, no Verifier ● w. public Random Oracle ● e = R(a) ● not provably secure
- 24. Signature From Σ-protocol ● (x; w) ● public key x ● private key w ● message m ● e = R(a++m) ● (a, z) is a signature ● as hard to break as to compute w from x (in ROM)
- 25. Conclusion ● One template for many protocols ● Highly efficient ● Composable ● Provably secure ● Makes things easier ● Crypto is HARD anyway...