Abstract image of a woman sitting on books and studying on a laptop

Sigma Protocols and Zero Knowledge

Download as ODP, PDF
A
Alex Chepurnoy

This document summarizes a talk on Sigma protocols and zero-knowledge proofs. Sigma protocols form the basis for building efficient zero-knowledge proofs. They allow a prover to convince a verifier that they know a secret witness for a statement, without revealing the witness. Schnorr's protocol is provided as a simple example of a Sigma protocol for proving knowledge of discrete logarithms. More advanced applications include building zero-knowledge proofs for statements involving AND, OR, and other logical combinations. Sigma protocols can also construct commitment schemes, non-interactive zero-knowledge proofs, and digital signatures when combined with cryptographic primitives like hash functions and random oracles.

1 of 26
Downloaded 40 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
SPB Crypto Devs Meetup Sigma Protocols and Efficient Zero-Knowledge Proofs Alexander Chepurnoy IOHK Research
Motivating Example ● Alice publishes a commitment of a secret ● Alice passes a secret to Bob ● Bob wants to convince Carol he knows a secret
Motivating Example ● Anonymous voting ● Every vote is whether 0 or 1 encrypted ● To calculate a sum, additively homomorphic encryption could be used ● But how to be sure only 0 or 1 is encrypted? ● Solution: a proof for each vote it is whether 0 or 1(without revealing a value!)
ZKPoKs: What For ● Identification schemes ● Signatures ● Building block in many protocols(voting, anonymous transactions etc)
ZKPoK ● Zero-Knowledge Proof of Knowledge ● Prover P, Verifier V, relation R ● Common input x ● P proves it knows a witness w for which (x,w) R∈ ● Without revealing anything about it ● In practice, often inefficient and so avoided
Properties ● Completeness: a correct statement could be proven ● Soundness: it's not possible to prove incorrect statements (with a non-negligible probability)
Σ-protocol, Generically ● P sends V a message a ● V sends P a random t-bit string e ● P sends a reply z, and V decides to accept or reject based solely on the data it has seen; i.e., based only on the values (x, a, e, z).
Theory Behind ● Ivan Damgard „On Sigma Protocols“ ● Yehuda Lindell, Carmit Hazay „Efficient Secure Two-Party Protocols: Techniques and Constructions“ (Book) ● Yehuda Lindell „Sigma Protocols and Zero Knowledge“ http://www.youtube.com/watch?v=nwsmG3S9wIc
Implementation ● ScAPI(Java/JVM) - The Secure Computation API https://github.com/cryptobiu/scapi ● Protocols pseudocode http://cryptobiu.github.io/scapi/SDK_Pseudocode.pdf
Example: Schnorr’s protocol ● Σ-protocol for DLOG ● h = gw ● (p, q ,g, h) is common input ● First msg(P): a = gr ● Second msg(V): challenge c = random({0, 1}, t) ● Third message(P): z = r + ew mod q ● V checks if gz = a * he ● Completeness: gz = g(r+ew) = gr * (gw )e = a * he
Schnorr’s protocol ● Very efficient: just 3 exponentiations ● Proof-of-Knowledge protocol ● Not provably Zero-Knowledge ● but Honest Verifier Zero-Knowledge ● error 2-t
Proof of Membership ● (x;w) ∈ L ● x is set
Example: Diffie-Hellman tuple ● Common input: (G,q,g,h,u,v,t) ● P knows w such as u = gw , v = hw ● P sends out a = gr , b = hr ● V sends out a challenge c = random({0, 1}, t) ● P sends out z = r + ew mod q ● V checks if gz = a*ue , hz = b * ve
Run Properties ● Parallel execution: l parallel runs with challenge of size t is equivalent to run protocols with challenge of size l*t ● Challenge could be of arbitrary size
Compound Statements ● AND ● OR
AND Statement ● Just run two protocols in parallel for (a1, a2) and the same e
OR Statement ● Prove one of two statements is true without revealing which ● Based on simulation for a statement witness isn't known for
Compound Statements ● OR of many statements (k out of n) is possible ● Any monotone formula, so any combination of ANDs and ORs without a negation, is possible
Commitment Scheme ● Commit phase ● Reveal phase ● hash (secret ++ blinding factor) ● Pedersen commitment: c = gx * hr
Zero Knowledge From Σ-protocol ● Verifier needs to commit a challenge in prior to a fist message from a Prover ● With the commitment being added, a Σ-protocol becomes provably Zero-Knowledge (details in the book of Lindell / Hazay)
Zero Knowledge From Σ-protocol ● Σ-protocol π ● V chooses a random t-bit challenge e and interacts with P via the commitment protocol in order to commit to e ● P computes the first message a in π, using (x, w) as input, and sends it to V ● V reveals e to P by decommitting ● P verifies the decommitment, computes the answer z in π, and sends z to V ● V accepts if and only if transcript (a, e, z) is accepting in π on input x
Commitment From Σ-protocol ● Verifier = receiver ● Prover = sender ● Set-up: V generates (x; w), sends x to P ● Commit: to commit to a t-bit string e. P runs simulator on (x, e) to get (a, e, z) and sends a to V ● Open: to reveal the commitment, P sends (e, z) to V, V checks (a, e, z)
Non-Interactive Σ-protocol ● No interaction, no Verifier ● w. public Random Oracle ● e = R(a) ● not provably secure
Signature From Σ-protocol ● (x; w) ● public key x ● private key w ● message m ● e = R(a++m) ● (a, z) is a signature ● as hard to break as to compute w from x (in ROM)
Conclusion ● One template for many protocols ● Highly efficient ● Composable ● Provably secure ● Makes things easier ● Crypto is HARD anyway...
Questions? Twitter: @chepurnoy Mail: kushti@protonmail.ch

More Related Content

PPTX
Cryptography 101 for Java Developers - Devoxx 2019
Michel Schudel
 
PPTX
Cryptography 101 for Java Developers - JavaZone2019
Michel Schudel
 
PDF
Introduction to DID Auth for SSI with Markus Sabadello
SSIMeetup
 
PPTX
The OAuth 2.0 Authorization Framework
Samuele Cozzi
 
PDF
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
SSIMeetup
 
PDF
Responding to Cobalt Strike
Christopher Gerritz
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PPTX
Introduction to Public Key Infrastructure
Theo Gravity
 
Cryptography 101 for Java Developers - Devoxx 2019
Michel Schudel
 
Cryptography 101 for Java Developers - JavaZone2019
Michel Schudel
 
Introduction to DID Auth for SSI with Markus Sabadello
SSIMeetup
 
The OAuth 2.0 Authorization Framework
Samuele Cozzi
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
SSIMeetup
 
Responding to Cobalt Strike
Christopher Gerritz
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Introduction to Public Key Infrastructure
Theo Gravity
 

What's hot(20)

PDF
Offzone | Another waf bypass
Дмитрий Бумов
 
PPTX
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Svetlin Nakov
 
PPTX
AES-GCM common pitfalls and how to work around them.pptx
skantos
 
PPTX
Encryption
Jasleen Khalsa
 
PPTX
Discrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
NIT Sikkim
 
PDF
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
PDF
Zero-Knowledge Proofs in Light of Digital Identity
Clare Nelson, CISSP, CIPP-E
 
PDF
One-Time Password
Ata Ebrahimi
 
PDF
Webauthn Tutorial
FIDO Alliance
 
PDF
Verifiable Credentials in Self-Sovereign Identity (SSI)
Evernym
 
PPTX
Cryptography
subodh pawar
 
PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PDF
Introduction to Self Sovereign Identity
Heather Vescent
 
PPT
Cryptography
gueste4c97e
 
PDF
Ch 6: Attacking Authentication
Sam Bowne
 
PDF
What is Cryptography?
Pratik Poddar
 
PDF
How attackers hack atm & withdraw cash from an atm using a phone - Infographic
Cheapest SSLs
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
PDF
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Offzone | Another waf bypass
Дмитрий Бумов
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Svetlin Nakov
 
AES-GCM common pitfalls and how to work around them.pptx
skantos
 
Encryption
Jasleen Khalsa
 
Discrete Logarithmic Problem- Basis of Elliptic Curve Cryptosystems
NIT Sikkim
 
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
Zero-Knowledge Proofs in Light of Digital Identity
Clare Nelson, CISSP, CIPP-E
 
One-Time Password
Ata Ebrahimi
 
Webauthn Tutorial
FIDO Alliance
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Evernym
 
Cryptography
subodh pawar
 
Attacking thru HTTP Host header
Sergey Belov
 
Introduction to Self Sovereign Identity
Heather Vescent
 
Cryptography
gueste4c97e
 
Ch 6: Attacking Authentication
Sam Bowne
 
What is Cryptography?
Pratik Poddar
 
How attackers hack atm & withdraw cash from an atm using a phone - Infographic
Cheapest SSLs
 
OAuth2 - Introduction
Knoldus Inc.
 
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
HTTP Request Smuggling via higher HTTP versions
neexemil
 

Viewers also liked(11)

PPT
Zero knowledge proofsii
sreesaiprakash
 
PDF
Elliptic Curve Cryptography and Zero Knowledge Proof
Arunanand Ta
 
PPTX
Digital Signatures
Sumanth Paramesh
 
PDF
Bitcoin
mahdi ataeyan
 
PDF
Cryptography and Voting
Ben Adida
 
PPT
Wireless sensor Network using Zero Knowledge Protocol ppt
sofiakhatoon
 
PPTX
Public Key Algorithms
Bit Hacker
 
PPT
Basic Encryption Decryption Chapter 2
AfiqEfendy Zaen
 
PPT
Spm unit 3
sweetyammu
 
PPTX
cryptography
Abhijeet Singh
 
PPTX
wireless sensor network my seminar ppt
Eisha Madhwal
 
Zero knowledge proofsii
sreesaiprakash
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Arunanand Ta
 
Digital Signatures
Sumanth Paramesh
 
Bitcoin
mahdi ataeyan
 
Cryptography and Voting
Ben Adida
 
Wireless sensor Network using Zero Knowledge Protocol ppt
sofiakhatoon
 
Public Key Algorithms
Bit Hacker
 
Basic Encryption Decryption Chapter 2
AfiqEfendy Zaen
 
Spm unit 3
sweetyammu
 
cryptography
Abhijeet Singh
 
wireless sensor network my seminar ppt
Eisha Madhwal
 

Similar to Sigma Protocols and Zero Knowledge(20)

PDF
Berlin sigma-2017
Alex Chepurnoy
 
PPT
CHAPTER 12 - Zero-knowledge proof protocols.ppt
sprojectdirector
 
PDF
ZKbasicsCheatsheet.pdf shasdhadasdsahdashdhasd
Clifford65
 
PPT
555_Spring12CryptoCryptoCrypto_topic23.ppt
Sameer Ali
 
PDF
Interactive proof systems
SSA KPI
 
PDF
Pwl rewal-slideshare
palvaro
 
PDF
ZeroKnowledge Nominative Signatures
Seungjoo Kim
 
PDF
Tutorial on Cryptography
kenluck2001
 
PDF
Privacy Preserving Paradigms of Blockchain Technology
Gokul Alex
 
PDF
One round threshold ecdsa with identifiable abort
National Chengchi University
 
PDF
Cerutti--Verification of Crypto Protocols (postgrad seminar @ University of B...
Federico Cerutti
 
PPTX
Blockchain privacy approaches in hyperledger indy
ManishKumarGiri2
 
PDF
Zksnarks in english
Ronak Kogta
 
PDF
Hardness of Online Voting
Giuliana Carullo
 
PDF
The protocol will use the following building blocks The Inn.pdf
adithvrc
 
PDF
Exploring the role of DSA in Zero Knowledge Proof
22f2000330
 
PDF
ZK Study Club: Sumcheck Arguments and Their Applications
Alex Pruden
 
PDF
Fast Multiparty Threshold ECDSA with Fast TrustlessSetup
National Chengchi University
 
PDF
Module: drand - the Distributed Randomness Beacon
Ioannis Psaras
 
PDF
Authentication protocols based on zero knowledge proof (Part 2 - Brief talk)
Israel Buitron
 
Berlin sigma-2017
Alex Chepurnoy
 
CHAPTER 12 - Zero-knowledge proof protocols.ppt
sprojectdirector
 
ZKbasicsCheatsheet.pdf shasdhadasdsahdashdhasd
Clifford65
 
555_Spring12CryptoCryptoCrypto_topic23.ppt
Sameer Ali
 
Interactive proof systems
SSA KPI
 
Pwl rewal-slideshare
palvaro
 
ZeroKnowledge Nominative Signatures
Seungjoo Kim
 
Tutorial on Cryptography
kenluck2001
 
Privacy Preserving Paradigms of Blockchain Technology
Gokul Alex
 
One round threshold ecdsa with identifiable abort
National Chengchi University
 
Cerutti--Verification of Crypto Protocols (postgrad seminar @ University of B...
Federico Cerutti
 
Blockchain privacy approaches in hyperledger indy
ManishKumarGiri2
 
Zksnarks in english
Ronak Kogta
 
Hardness of Online Voting
Giuliana Carullo
 
The protocol will use the following building blocks The Inn.pdf
adithvrc
 
Exploring the role of DSA in Zero Knowledge Proof
22f2000330
 
ZK Study Club: Sumcheck Arguments and Their Applications
Alex Pruden
 
Fast Multiparty Threshold ECDSA with Fast TrustlessSetup
National Chengchi University
 
Module: drand - the Distributed Randomness Beacon
Ioannis Psaras
 
Authentication protocols based on zero knowledge proof (Part 2 - Brief talk)
Israel Buitron
 

More from Alex Chepurnoy(14)

PDF
Ergo Presentation - Tokyo
Alex Chepurnoy
 
PDF
Ethereum and Its Challenges
Alex Chepurnoy
 
PDF
Improving Authenticated Dynamic Dictionaries, with Applications to Cryptocurr...
Alex Chepurnoy
 
PDF
Масштабируемость блокчейн-систем: проблемы и решения
Alex Chepurnoy
 
ODP
Blockchan For Developers
Alex Chepurnoy
 
PDF
Blockchain For Developers
Alex Chepurnoy
 
ODP
Blockchain Properties
Alex Chepurnoy
 
PDF
Blockchain For Developers (Talk at Innopolis Blockchain Hackathon 2016)
Alex Chepurnoy
 
ODP
Scorex, the Modular Blockchain Framework
Alex Chepurnoy
 
ODP
Some Open Problems in Blockchains
Alex Chepurnoy
 
PDF
On Private Blockchains, Technically
Alex Chepurnoy
 
ODP
Scorex meetup-aug-2015
Alex Chepurnoy
 
ODP
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Alex Chepurnoy
 
ODP
A New Business World Within A Blockchain
Alex Chepurnoy
 
Ergo Presentation - Tokyo
Alex Chepurnoy
 
Ethereum and Its Challenges
Alex Chepurnoy
 
Improving Authenticated Dynamic Dictionaries, with Applications to Cryptocurr...
Alex Chepurnoy
 
Масштабируемость блокчейн-систем: проблемы и решения
Alex Chepurnoy
 
Blockchan For Developers
Alex Chepurnoy
 
Blockchain For Developers
Alex Chepurnoy
 
Blockchain Properties
Alex Chepurnoy
 
Blockchain For Developers (Talk at Innopolis Blockchain Hackathon 2016)
Alex Chepurnoy
 
Scorex, the Modular Blockchain Framework
Alex Chepurnoy
 
Some Open Problems in Blockchains
Alex Chepurnoy
 
On Private Blockchains, Technically
Alex Chepurnoy
 
Scorex meetup-aug-2015
Alex Chepurnoy
 
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Alex Chepurnoy
 
A New Business World Within A Blockchain
Alex Chepurnoy
 

Recently uploaded(20)

PDF
TrustArc Webinar - Data Minimization in Practice_ Reducing Risk, Enhancing Co...
TrustArc
 
PPTX
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
PDF
Slides World Game (s) Great Redesign Eco Economic Epochs.pdf
Steven McGee
 
PDF
Domain-specific knowledge and context in large language models: challenges, c...
IAESIJAI
 
PDF
Advancements in abstractive text summarization: a deep learning approach
IAESIJAI
 
PDF
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
PDF
Rooftops detection with YOLOv8 from aerial imagery and a brief review on roof...
IAESIJAI
 
DOCX
AI Unit 1 Notes for engineering students
NamanBhola3
 
PDF
eBook Outline_ AI in Cybersecurity – The Future of Digital Defense.pdf
samalmaheswar155
 
PDF
Intravenous drug administration application for pediatric patients via augmen...
IAESIJAI
 
PDF
GDG Cloud Southlake #45: Patrick Debois: The Impact of GenAI on Development a...
James Anderson
 
PDF
ment.tech-How to Develop an AI Agent Healthcare App like Sully AI (1).pdf
thomasnova26
 
PDF
Secure Java Applications against Quantum Threats
Ana-Maria Mihalceanu
 
PPTX
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 
PDF
Peak of Data & AI Encore: Scalable Design & Infrastructure
Safe Software
 
PDF
CCUS-as-the-Missing-Link-to-Net-Zero_AksCurious.pdf
AkarshaSrivastava1
 
PDF
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
PDF
Child-friendly e-learning for artificial intelligence education in Indonesia:...
IAESIJAI
 
PDF
The Digital Engine Room: Unlocking APAC’s Economic and Digital Potential thro...
flintglobalapac
 
DOCX
Management Information Systems. and emmerging technologiesdocx
Rossy719186
 
TrustArc Webinar - Data Minimization in Practice_ Reducing Risk, Enhancing Co...
TrustArc
 
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
Slides World Game (s) Great Redesign Eco Economic Epochs.pdf
Steven McGee
 
Domain-specific knowledge and context in large language models: challenges, c...
IAESIJAI
 
Advancements in abstractive text summarization: a deep learning approach
IAESIJAI
 
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
Rooftops detection with YOLOv8 from aerial imagery and a brief review on roof...
IAESIJAI
 
AI Unit 1 Notes for engineering students
NamanBhola3
 
eBook Outline_ AI in Cybersecurity – The Future of Digital Defense.pdf
samalmaheswar155
 
Intravenous drug administration application for pediatric patients via augmen...
IAESIJAI
 
GDG Cloud Southlake #45: Patrick Debois: The Impact of GenAI on Development a...
James Anderson
 
ment.tech-How to Develop an AI Agent Healthcare App like Sully AI (1).pdf
thomasnova26
 
Secure Java Applications against Quantum Threats
Ana-Maria Mihalceanu
 
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 
Peak of Data & AI Encore: Scalable Design & Infrastructure
Safe Software
 
CCUS-as-the-Missing-Link-to-Net-Zero_AksCurious.pdf
AkarshaSrivastava1
 
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
Child-friendly e-learning for artificial intelligence education in Indonesia:...
IAESIJAI
 
The Digital Engine Room: Unlocking APAC’s Economic and Digital Potential thro...
flintglobalapac
 
Management Information Systems. and emmerging technologiesdocx
Rossy719186
 

Sigma Protocols and Zero Knowledge

  • 1.
    SPB Crypto DevsMeetup Sigma Protocols and Efficient Zero-Knowledge Proofs Alexander Chepurnoy IOHK Research
  • 2.
    Motivating Example ● Alicepublishes a commitment of a secret ● Alice passes a secret to Bob ● Bob wants to convince Carol he knows a secret
  • 3.
    Motivating Example ● Anonymousvoting ● Every vote is whether 0 or 1 encrypted ● To calculate a sum, additively homomorphic encryption could be used ● But how to be sure only 0 or 1 is encrypted? ● Solution: a proof for each vote it is whether 0 or 1(without revealing a value!)
  • 4.
    ZKPoKs: What For ●Identification schemes ● Signatures ● Building block in many protocols(voting, anonymous transactions etc)
  • 5.
    ZKPoK ● Zero-Knowledge Proofof Knowledge ● Prover P, Verifier V, relation R ● Common input x ● P proves it knows a witness w for which (x,w) R∈ ● Without revealing anything about it ● In practice, often inefficient and so avoided
  • 6.
    Properties ● Completeness: acorrect statement could be proven ● Soundness: it's not possible to prove incorrect statements (with a non-negligible probability)
  • 7.
    Σ-protocol, Generically ● Psends V a message a ● V sends P a random t-bit string e ● P sends a reply z, and V decides to accept or reject based solely on the data it has seen; i.e., based only on the values (x, a, e, z).
  • 8.
    Theory Behind ● IvanDamgard „On Sigma Protocols“ ● Yehuda Lindell, Carmit Hazay „Efficient Secure Two-Party Protocols: Techniques and Constructions“ (Book) ● Yehuda Lindell „Sigma Protocols and Zero Knowledge“ http://www.youtube.com/watch?v=nwsmG3S9wIc
  • 9.
    Implementation ● ScAPI(Java/JVM) -The Secure Computation API https://github.com/cryptobiu/scapi ● Protocols pseudocode http://cryptobiu.github.io/scapi/SDK_Pseudocode.pdf
  • 10.
    Example: Schnorr’s protocol ● Σ-protocolfor DLOG ● h = gw ● (p, q ,g, h) is common input ● First msg(P): a = gr ● Second msg(V): challenge c = random({0, 1}, t) ● Third message(P): z = r + ew mod q ● V checks if gz = a * he ● Completeness: gz = g(r+ew) = gr * (gw )e = a * he
  • 11.
    Schnorr’s protocol ● Veryefficient: just 3 exponentiations ● Proof-of-Knowledge protocol ● Not provably Zero-Knowledge ● but Honest Verifier Zero-Knowledge ● error 2-t
  • 12.
    Proof of Membership ●(x;w) ∈ L ● x is set
  • 13.
    Example: Diffie-Hellman tuple ●Common input: (G,q,g,h,u,v,t) ● P knows w such as u = gw , v = hw ● P sends out a = gr , b = hr ● V sends out a challenge c = random({0, 1}, t) ● P sends out z = r + ew mod q ● V checks if gz = a*ue , hz = b * ve
  • 14.
    Run Properties ● Parallelexecution: l parallel runs with challenge of size t is equivalent to run protocols with challenge of size l*t ● Challenge could be of arbitrary size
  • 15.
  • 16.
    AND Statement ● Justrun two protocols in parallel for (a1, a2) and the same e
  • 17.
    OR Statement ● Proveone of two statements is true without revealing which ● Based on simulation for a statement witness isn't known for
  • 18.
    Compound Statements ● ORof many statements (k out of n) is possible ● Any monotone formula, so any combination of ANDs and ORs without a negation, is possible
  • 19.
    Commitment Scheme ● Commitphase ● Reveal phase ● hash (secret ++ blinding factor) ● Pedersen commitment: c = gx * hr
  • 20.
    Zero Knowledge FromΣ-protocol ● Verifier needs to commit a challenge in prior to a fist message from a Prover ● With the commitment being added, a Σ-protocol becomes provably Zero-Knowledge (details in the book of Lindell / Hazay)
  • 21.
    Zero Knowledge FromΣ-protocol ● Σ-protocol π ● V chooses a random t-bit challenge e and interacts with P via the commitment protocol in order to commit to e ● P computes the first message a in π, using (x, w) as input, and sends it to V ● V reveals e to P by decommitting ● P verifies the decommitment, computes the answer z in π, and sends z to V ● V accepts if and only if transcript (a, e, z) is accepting in π on input x
  • 22.
    Commitment From Σ-protocol ●Verifier = receiver ● Prover = sender ● Set-up: V generates (x; w), sends x to P ● Commit: to commit to a t-bit string e. P runs simulator on (x, e) to get (a, e, z) and sends a to V ● Open: to reveal the commitment, P sends (e, z) to V, V checks (a, e, z)
  • 23.
    Non-Interactive Σ-protocol ● Nointeraction, no Verifier ● w. public Random Oracle ● e = R(a) ● not provably secure
  • 24.
    Signature From Σ-protocol ●(x; w) ● public key x ● private key w ● message m ● e = R(a++m) ● (a, z) is a signature ● as hard to break as to compute w from x (in ROM)
  • 25.
    Conclusion ● One templatefor many protocols ● Highly efficient ● Composable ● Provably secure ● Makes things easier ● Crypto is HARD anyway...
  • 26.