On the Amortized Complexity of Zero Knowledge Protocols ...On the amortized complexity of...
Transcript of On the Amortized Complexity of Zero Knowledge Protocols ...On the amortized complexity of...
On the Amortized Complexity ofZero Knowledge Protocols for Multiplicative Relations
Ronald Cramer1 Ivan Damg̊ard2 Valerio Pastro2
1CWI Amsterdam
2Aarhus University
August 15, 2012
Centrum Wiskunde & Informatica
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 1 / 22
The Problem
Scenario
P holds x , y , z (in a finite field K ) s.t. z = xy
V holds hom. commitments com(x), com(y), com(z), of size κ
V wants to be sure z = xy
P does not want to reveal x , y , z
Commitments
Homomorphic: com(a) · com(b) = com(a + b)Shorthand: com(·) = [·]
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 2 / 22
The Problem
Motivation
Zero Knowledge proofs for satisfiability of Boolean circuits
MPC based on additive secret sharing [BDOZ11, DPSZ12]
Anonymous credentials, group signatures, . . .
Previous and Related Work (Apologies if I forgot any of your papers)
1991 Beaver [Bea91]1997 Fujisaki, Okamoto [FO97]1999 Cramer et al., [CDD+99]2002 Damg̊ard, Fujisaki [DF02]2009 Cramer, Damg̊ard [CD09]2012 Ben-Sasson et al. [BSFO12]
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 3 / 22
A Well-Known Solution [Bea91]
Protocol
P samples uniform a, b ← K
P computes c = ab, and sends [a], [b], [c] to V
V sends a uniform e ← K
P opens [ex − a], [y − b], define ε := ex − a, δ := y − b
P opens [ez − c − εb − δa− εδ]
V checks that P opened to 0
Properties
Correctness: P honest =⇒ ez − c − εb − δa− εδ = 0Soundness: P dishonest =⇒ Cheat with prob 1/|K | (guess e)
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 4 / 22
Room for Improvement
What if |K | small (e.g. K = F2)?
Constant soundness error probability =⇒ Bad!
Repeating l times =⇒ soundness error 2−l
Communication? O(κ · l)
Basic Field Case
Soundness Error Amortized comm. complexityPrevious solutions: 2−l O(l · κ)
Our work: 2−l O(κ)
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 5 / 22
Our Solution
Ingredients
Homomorphic commitments (size = κ)(for this part:statistically binding, computationally hiding commitment schemes)
Linear (multi)secret sharing schemes with R-product reconstruction(share s, share s ′,reconstruct s · s ′ as linear combo of shares of R players)
commitments: not to reveal x , y , zhomomorphic: to compute sums on committed values!
multi-secret: to use amortization techniques! [CD09].
Amortization: more instances to prove ⇒ better comm. complexity!
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 6 / 22
Digression on LSSS (multi-secret variant of Shamir)
How to Share?
Secret: x := (x1, . . . , xl).Polynomial: fx ← K [X ], with deg(fx) = t + l
fx(−i) = xi for i = 1, . . . , lShares: fx(1), . . . , fx(n)
xl xl−1 x1
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 7 / 22
Digression on LSSS (multi-secret variant of Shamir)
How to Share?
Secret: x := (x1, . . . , xl).Polynomial: fx ← K [X ], with deg(fx) = t + l
fx(−i) = xi for i = 1, . . . , lShares: fx(1), . . . , fx(n)
xl xl−1 x1
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 8 / 22
Digression on LSSS (multi-secret variant of Shamir)
How to Share?
Secret: x := (x1, . . . , xl).Polynomial: fx ← K [X ], with deg(fx) = t + l
fx(−i) = xi for i = 1, . . . , lShares: fx(1), . . . , fx(n)
xl xl−1 x1fx(1)
fx(2)
fx(3)
fx(n)
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 9 / 22
Digression on LSSS
Product Reconstruction? (Yes, if n > 2(t + l))
Share x, y
Local products fx(i) · fy (i) for > 2(t + l) i ’s
Reconstruct fx · fyEvaluate (fx · fy )(−i) for i = 1, . . . , l
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 10 / 22
Digression on LSSS
Product Reconstruction? (Yes, if n > 2(t + l))
Share x, y
Local products fx(i) · fy (i) for > 2(t + l) i ’s
Reconstruct fx · fyEvaluate (fx · fy )(−i) for i = 1, . . . , l
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 11 / 22
Digression on LSSS
Product Reconstruction? (Yes, if n > 2(t + l))
Share x, y
Local products fx(i) · fy (i) for > 2(t + l) i ’s
Reconstruct fx · fyEvaluate (fx · fy )(−i) for i = 1, . . . , l
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 12 / 22
Digression on LSSS
Product Reconstruction? (Yes, if n > 2(t + l))
Share x, y
Local products fx(i) · fy (i) for > 2(t + l) i ’s
Reconstruct fx · fyEvaluate (fx · fy )(−i) for i = 1, . . . , l
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 13 / 22
Digression on LSSS
Product Reconstruction? (Yes, if n > 2(t + l))
Share x, y
Local products fx(i) · fy (i) for > 2(t + l) i ’s
Reconstruct fx · fyEvaluate (fx · fy )(−i) for i = 1, . . . , l
zl zl−1z1
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 14 / 22
Notice:
Fact #1
V holds t evals fx(j) and fy (j)=⇒ no info on fy (−i), fy (−i), (fx · fy )(−i) revealed to V .
Fact #2
f 6= g ∈ K [X ],deg(f ) = 2(t + l) = deg(g)=⇒ f and g agree on at most 2(t + l) points.
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 15 / 22
Back to the Original Problem. What if . . . ?
Toy Protocol – Basic Field Scenario
P samples fx , fy ← K [X ], withdeg(fx) = t + l = deg(fy ), fx(−i) = xi , fy (−i) = yi
P computes fz = fx · fyP commits [fx ], [fy ], [fz ]
V chooses t indices O ⊂ {1, . . . , n}P opens [fx ](j), [fy ](j), [fz ](j) for j ∈ O
V accepts iff fx(j) · fy (j) = fz(j)
Private xi , yi , ziFact #1 ⇒ no info revealed on secrets!
Soundness Error
Fact #2 & Choice of O ⇒ soundness error ≤(
2(t+l)n
)tCramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 16 / 22
Back to the Original Problem. What if . . . ?
Toy Protocol – Basic Field Scenario
P samples fx , fy ← K [X ], withdeg(fx) = t + l = deg(fy ), fx(−i) = xi , fy (−i) = yi
P computes fz = fx · fyP commits [fx ], [fy ], [fz ]
V chooses t indices O ⊂ {1, . . . , n}P opens [fx ](j), [fy ](j), [fz ](j) for j ∈ O
V accepts iff fx(j) · fy (j) = fz(j)
Private xi , yi , ziFact #1 ⇒ no info revealed on secrets!
Soundness Error
Fact #2 & Choice of O ⇒ s.e. ≤(
2(t+l)n
)t= 2−l , if t, l = Θ(n)
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 17 / 22
The General Result
Shamir: n < |K | =⇒ general LSSS?
Basic Field Case
Using a linear (multi)secret sharing scheme over K with
K a finite field
d players
t privacy
l secrets
R product reconstruction
A zero-knowledge protocol for the language{(com(xi ), com(yi ), com(zi ))li=1 | xi , yi , zi ∈ K ; xi · yi = zi
},
with soundness error(R−1d
)tCramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 18 / 22
Parameters
Choice of parameters to get negligible soundness error:
Basic Field Case
Using a linear (multi)secret sharing scheme over K with
K a finite field
d players d = Θ(l)
t privacy t = Θ(l)
l secrets
R product reconstruction R = Θ(l)
A zero-knowledge protocol for the language{(com(xi ), com(yi ), com(zi ))li=1 | xi , yi , zi ∈ K ; xi · yi = zi
},
with soundness error(R−1d
)t= 2−l . Amo.Comm.: O(κ)
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 19 / 22
Comparisons & Extensions
Basic Field Case
Soundness Error Amortized comm. complexityOur work: 2−l O(κ)
Previous solutions: 2−l O(l · κ)
Let’s play!What if values were integers (rather than in a finite field)?We have a solution!
k-bit Integers Case
Security NotionOur work: Factoring
Previous solutions: Strong-RSA
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 20 / 22
Comparisons & Extensions - General Field Case
Basic field case: x · y = z .General field case: D(x1, . . . , xv ) = z .
Extension of protocol: to prove any algebraic rel. on committed values.Formally, a zero knowledge protocol for the language{
(com(x1,i ), . . . , com(xv ,i ), com(zi ))li=1 |
x1,i , . . . , xv ,i , zi ∈ K ;D(x1,i , . . . , xv ,i ) = zi
},
where D is an algebraic circuit.
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 21 / 22
Final Slide
Q: Standard commitments: cheating?
A: We also consider commitments of the following form
[v ] :
{P : v , mv = a · v + bvV : a, bv
given by some setup,e.g. the preprocessing phase of [BDOZ11], or [DPSZ12].
Such commitments:
Homomorphic (that is all we need!)
Information theoretically secure
NEW! Can be used over the integers!
Thanks! — Merci!
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 22 / 22
Final Slide
Q: Standard commitments: cheating?
A: We also consider commitments of the following form
[v ] :
{P : v , mv = a · v + bvV : a, bv
given by some setup,e.g. the preprocessing phase of [BDOZ11], or [DPSZ12].
Such commitments:
Homomorphic (that is all we need!)
Information theoretically secure
NEW! Can be used over the integers!
Thanks! — Merci!
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 22 / 22
Rikke Bendlin, Ivan Damg̊ard, Claudio Orlandi, and Sarah Zakarias.Semi-homomorphic encryption and multiparty computation.In EUROCRYPT, pages 169–188, 2011.
Donald Beaver.Efficient multiparty protocols using circuit randomization.In CRYPTO, pages 420–432, 1991.
Eli Ben-Sasson, Serge Fehr, and Rafail Ostrovsky.Near-linear unconditionally-secure multiparty computation with adishonest minority.In CRYPTO, 2012.To appear.
Ronald Cramer and Ivan Damg̊ard.On the amortized complexity of zero-knowledge protocols.In Shai Halevi, editor, CRYPTO, volume 5677 of Lecture Notes inComputer Science, pages 177–191. Springer, 2009.
Ronald Cramer, Ivan Damg̊ard, Stefan Dziembowski, Martin Hirt, andTal Rabin.
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 22 / 22
Efficient multiparty computations secure against an adaptiveadversary.In EUROCRYPT, pages 311–326, 1999.
Ivan Damg̊ard and Eiichiro Fujisaki.A statistically-hiding integer commitment scheme based on groupswith hidden order.In Yuliang Zheng, editor, ASIACRYPT, volume 2501 of Lecture Notesin Computer Science, pages 125–142. Springer, 2002.
Ivan Damg̊ard, Valerio Pastro, Nigel P. Smart, and Sarah Zakarias.Multiparty computation from somewhat homomorphic encryption.In CRYPTO, 2012.To appear.
Eiichiro Fujisaki and Tatsuaki Okamoto.Statistical zero knowledge protocols to prove modular polynomialrelations.In Burton S. Kaliski Jr., editor, CRYPTO, volume 1294 of LectureNotes in Computer Science, pages 16–30. Springer, 1997.
Cramer, Damg̊ard, Pastro (Aa, Am) Facts on LSSS August 15, 2012 22 / 22