Add Schnorr's protocol
This commit is contained in:
parent
5b469c6d66
commit
ee1bc8c41d
158
chap-ZK.tex
158
chap-ZK.tex
@ -29,9 +29,11 @@ If these primitives flourish in the context of number-theory-based cryptography
|
||||
$\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
|
||||
\end{description}
|
||||
|
||||
If in the soundness definition, the adversary $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \textit{argument}.
|
||||
If in the \textit{soundness} definition, the adversary $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \textit{argument}.
|
||||
|
||||
We can notice that the soundness error can be reduced by repeating the proof.
|
||||
|
||||
If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}.
|
||||
\end{definition}
|
||||
|
||||
\begin{figure}
|
||||
@ -48,10 +50,78 @@ If these primitives flourish in the context of number-theory-based cryptography
|
||||
& $\xrightarrow{\mathmakebox[2cm]{\rsp}}$ & \\
|
||||
& & return $b = V_2(x, \chall, \rsp, \mathsf{st}_V)$
|
||||
\end{tabular}
|
||||
\caption{$\Sigma$-protocol} \label{fig:sigma}
|
||||
\caption{Abstract description of a $\Sigma$-protocol.} \label{fig:sigma}
|
||||
\end{figure}
|
||||
|
||||
Zero-knowledge proofs also exists in a non-interactive version.
|
||||
A way to construct zero-knowledge proofs --- that will be described with more details in \cref{sse:schnorr} -- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}.
|
||||
|
||||
\begin{definition}[$\Sigma$-protocol~{\cite[De.~1]{Dam10}}] \index{Zero Knowledge!$\Sigma$-protocol}
|
||||
Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is three move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties.
|
||||
\begin{description}
|
||||
\item[Completeness.] For any $(x,w) \in R$, $P(x,w)$ and $V(x)$ that follows the protocol, the verifier always accepts.
|
||||
\item[Special soundness.] For any $x$ and any pair of accepting transcripts on input $x$: $(\cmt, \chall, \rsp)$ and $(\cmt, \chall', \rsp')$, there exists a $\ppt$ algorithm $\extr$ that takes as input the two aforementioned transcripts and outputs an element $w$ such that $(x,w) \in R$.
|
||||
\item[Honest-Verifier Zero-Knowledge.] There exists a $\ppt$ simulator $S$, such that the two probability distributions $\{\trans(P(x,w), V(x))\}$ and $\{S(x)\}$ with honest $P$ and $V$ are the same.
|
||||
\end{description}
|
||||
\end{definition}
|
||||
|
||||
An example of $\Sigma$-protocol will be given in \cref{sse:schnorr}, and its transformation into a Zero-Knowledge proof using a commitment scheme as well.
|
||||
|
||||
Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal is to commit a message $M$ into a commitment $\com$ such that once a message is committed, it is impossible to know what is inside (hiding property), and it is as well impossible to modify a commitment to change the underlying message (binding property).
|
||||
|
||||
\begin{figure}
|
||||
\centering
|
||||
\subfloat[Hiding experiments]{
|
||||
\fbox{\procedure{$\Exp{\mathrm{hiding}}{\adv, b}(\lambda)$}{%
|
||||
\param \gets \Setup(1^\lambda)\\
|
||||
(m_0, m_1, \mathsf{st}) \gets \adv(\param, 1^\lambda)\\
|
||||
(\com, \open) \gets \Commit (m_b)\\
|
||||
b' \gets \adv(pk, 1^\lambda, \mathsf{com}; \mathsf{st})\\
|
||||
\pcreturn b'
|
||||
}}
|
||||
} \hspace{1cm}
|
||||
\subfloat[Binding experiment]{
|
||||
\fbox{
|
||||
\procedure{$\Exp{\mathrm{binding}}{\adv}(\lambda)$}{
|
||||
\param \gets \Setup(1^\lambda)\\
|
||||
(\com, \open, m_0, m_1) \gets \adv(\param)\\
|
||||
\pcif \Verify(\param, \com, \open, m_0) = 1 \\
|
||||
\pcind \wedge \Verify(\param, \com, \open, m_1) = 1\\
|
||||
\!\!\pcthen~
|
||||
\pcreturn 1\\
|
||||
\pcelse~
|
||||
\pcreturn 0
|
||||
}}
|
||||
}
|
||||
\caption{Security experiments for commitment schemes.}
|
||||
\label{fig:hiding-binding-games}
|
||||
\end{figure}
|
||||
|
||||
\begin{definition}[Commitment schemes] \index{Commitment scheme}
|
||||
A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Open)$ that acts as follows:
|
||||
\begin{description}
|
||||
\item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's parameters $\param$.
|
||||
\item[\textsf{Commit}$(\param, M)$:] From a message $M$ and parameters $\param$, this algorithms outputs a commitment $\com$ and an opening $\open$.
|
||||
\item[\textsf{Verify}$(\param, \com, \open, M)$:] Using parameters $\param$ a message $M$, its commitment $\com$ and its opening $\open$, this algorithms returns bit $b$.
|
||||
\end{description}
|
||||
|
||||
These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}.
|
||||
\begin{description}
|
||||
\item[Correctness.] For any $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$.
|
||||
\item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that
|
||||
\[ \hspace{-1cm}
|
||||
\advantage{\mathrm{hiding}}{\adv}(\lambda) = \left| \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right] - \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right| \leq \negl[\lambda],
|
||||
\]
|
||||
over the randomness of $\Commit$.
|
||||
\item[Binding.] For any $\ppt$ adversary $\adv$ against the binding experiment,
|
||||
\[
|
||||
\Pr\left[\Exp{\mathrm{binding}}{\adv}(\lambda) = 1 \right] \leq \negl[\lambda].
|
||||
\]
|
||||
\end{description}
|
||||
\end{definition}
|
||||
|
||||
Commitment schemes are thus used to \textit{oblige} the verifier of the $\Sigma$-protocol to be honest: it commits its challenge at the outset of the interaction, and opens it at the challenge phase, so that it cannot change its challenge with respect to the commitment of the prover.
|
||||
|
||||
Another useful primitives are the non-interactive version of zero-knowledge proofs.
|
||||
|
||||
\begin{definition}[Non Interactive Zero Knowledge]
|
||||
\index{Zero Knowledge!NIZK}
|
||||
@ -74,7 +144,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
|
||||
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
|
||||
\begin{enumerate}
|
||||
\item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$;
|
||||
\item Generate the challenge as $\chall \gets \mathcal H(\cmt)$;
|
||||
\item Generate the challenge as $\chall \gets \mathcal H(x,\cmt)$;
|
||||
\item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
|
||||
\item Return the proof $\pi = (\cmt, \rsp)$.
|
||||
\end{enumerate}
|
||||
@ -82,15 +152,93 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
|
||||
And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$:
|
||||
\begin{enumerate}
|
||||
\item Parse $\pi$ as $(\cmt, \rsp)$;
|
||||
\item Generate the challenge $\chall = \mathcal H(\cmt)$;
|
||||
\item Generate the challenge $\chall = \mathcal H(x, \cmt)$;
|
||||
\item Return $V_2(x, \chall, \rsp, \emptyset)$.
|
||||
\end{enumerate}
|
||||
|
||||
Then $(\hat P, \hat V)$ forms a non-interactive zero-knowledge proof in the \ROM.
|
||||
\end{definition}
|
||||
|
||||
For the sake of completeness, we can also mention $\NIZK$ in the standard model, such at Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
|
||||
|
||||
\section{Schnorr Proofs}
|
||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
|
||||
\label{sse:schnorr}
|
||||
|
||||
\begin{figure}
|
||||
\textbf{Common input:} A prime-order group $\GG$ of order $p$ with a generator $g$.
|
||||
\bigskip
|
||||
|
||||
\centering
|
||||
\procedure{Schnorr's Protocol for DLOG}{%
|
||||
P(h,a) \> \> V(h) \\
|
||||
r \sample \ZZ_p^\star \> \> \\
|
||||
\rho = g^r \in \GG \\
|
||||
\> \sendmessageright*{\rho} \> \\
|
||||
\> \> c \sample \ZZ_p \\
|
||||
\> \sendmessageleft*{c} \> \\
|
||||
d \gets c \cdot a + r \bmod p \\
|
||||
\> \sendmessageright*{d} \> \\
|
||||
\> \> \pcif g^d = h^c \cdot \rho \pcthen\\
|
||||
\>\> \pcind \pcreturn 1\\
|
||||
\>\> \pcelse \\
|
||||
\>\> \pcind \pcreturn 0
|
||||
}
|
||||
\caption{The Schnorr $\Sigma$-protocol for discrete logarithm.}
|
||||
\label{fig:schnorr-dlog}
|
||||
\end{figure}
|
||||
|
||||
Schnorr's methodology to construct proofs are based on the $\Sigma$-protocol technique to design zero-knowledge proofs.
|
||||
It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}.
|
||||
|
||||
This methodology can be interpreted as follows. Given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in fixing the randomness used in the commitment scheme $r$ \emph{via} $\rho$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$. Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$.
|
||||
|
||||
In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}.
|
||||
|
||||
Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}.
|
||||
|
||||
This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. In this description $D_y$ and $D_c$ are the distributions from which $\mathbf y_1, \mathbf y_2$ and $\mathbf c$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf z_1, \mathbf z_2$ in order not to leak informations about $\mathbf s_1, \mathbf s_2$.
|
||||
|
||||
\begin{figure}
|
||||
\textbf{Common input:} A public element $\mathbf a \in R$ where $R = \ZZ_p[\mathbf x]/\langle \mathbf x^n + 1 \rangle$.
|
||||
\bigskip
|
||||
|
||||
\centering
|
||||
\procedure{Schnorr's Protocol for Ring-SIS}{%
|
||||
P(\mathbf t = \mathbf a \cdot \mathbf s_1 + \mathbf s_2, (\mathbf s_1, \mathbf s_2)) \> \> V(\mathbf t) \\
|
||||
\mathbf y_1, \mathbf y_2 \sample D_y \in R \> \> \\
|
||||
\mathbf w = \mathbf a \cdot \mathbf y_1 + \mathbf y_2 \in R \\
|
||||
\> \sendmessageright*{\mathbf w} \> \\
|
||||
\> \> \mathbf c \sample D_c \in R \mbox{ (small)} \\
|
||||
\> \sendmessageleft*{\mathbf c} \> \\
|
||||
\mathbf z_1 \gets \mathbf s_1 \mathbf c + \mathbf y_1 \in R\\
|
||||
\mathbf z_2 \gets \mathbf s_2 \mathbf c + \mathbf y_2 \in R\\{}
|
||||
[\pcif \mathbf z_1, \mathbf z_2 \notin G^2 \pcthen\\
|
||||
\pcind \mathbf z_1, \mathbf z_2 \gets \bot, \bot ]\\
|
||||
\> \sendmessageright*{\mathbf z_1, \mathbf z_2} \> \\
|
||||
\> \> \pcif \mathbf z_1 \in G \wedge \mathbf z_2 \in G \wedge\\
|
||||
\>\> \pcind \mathbf a \cdot \mathbf z_1 + \mathbf z_2 = \mathbf t \mathbf c + \mathbf w \pcthen\\
|
||||
\>\> \pcind \pcreturn 1\\
|
||||
\>\> \pcelse \\
|
||||
\>\> \pcind \pcreturn 0
|
||||
}
|
||||
\caption{The Schnorr $\Sigma$-protocol for Ring-SIS.}
|
||||
\label{fig:schnorr-lwe}
|
||||
\end{figure}
|
||||
|
||||
One can notice that this is not \textit{stricly} a $\Sigma$-protocol as the knowledge extractor outputs \textit{witnesses} that can be up to $\softO(n)$ larger than the actual witness in infinity norm. This behaviour is sometimes called \textit{imperfect soundness}.
|
||||
|
||||
However, this method suffers from \textit{expressivity} issues: the relations that can be proved with this proof system are limited to be knowledge of a Ring-SIS secret, which is not sufficient to prove for instance the knowledge of a signature for a committed message. Moreover, the gap in the extraction makes it hard, yet possible, to prove that an underlying message under an encryption is binary~\cite{dPLNS17}.
|
||||
|
||||
\section{Stern-like Proofs}
|
||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern}
|
||||
\label{sse:stern}
|
||||
|
||||
On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}.
|
||||
\index{Syndrome Decoding Problem}
|
||||
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf P \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf x$ with fixed hamming weight $w$ such that $\mathbf P \cdot \mathbf x = \mathbf v \bmod 2$.
|
||||
|
||||
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
|
||||
|
||||
After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
|
||||
This advance in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, e-cash~\cite{LLNW17},
|
||||
|
Loading…
Reference in New Issue
Block a user