Loading in 5 sec....

Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge ProofsPowerPoint Presentation

Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs

- By
**oni** - Follow User

- 119 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs' - oni

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge Proofs

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, [email protected]

IEEE - CEC '04

Zero-Knowledge Proof!… Why bother?

Peggy: "I know the password to the Federal Reserve System computers."

Victor: " No, you don't"

Peggy: " Yes, I do!"

Victor: " Do not!"

Peggy: " Do too!"

Victor: " Prove it!"

Peggy: " All right. I'll tell you". She whispers in Victor's ear.

IEEE - CEC '04

Zero-Knowledge Proof!… Why bother?

Victor: "That's interesting. Now I know it too. I'm going to tell the Washington Post."

Peggy: "Oops!!"

Unfortunately, the usual way for Peggy to prove something to Victor is for Peggy to tell him. But then he knows it too, and can tell anyone else he wants to.

IEEE - CEC '04

Outline

- Introduction to Zero-Knowledge Proof
- Applications of ZKP to E-com
- Examples of ZK Proof Problems
- Classical Solutions
- Elliptic Curves
- EC Solutions
- Why EC?
- Current Research on ZKP
- Conclusion

IEEE - CEC '04

Introduction

- What is ZK proof?
To prove knowledge of a secret without revealing any information about it.

It must be:

- Zero-knowledge, and
- Proof.

IEEE - CEC '04

Introduction

- What is Zero-Knowledge?
- It is computationally infeasible to retrieve the secret using the information revealed in the proof (dialogue).
- If he deviates from the protocol, it doesn’t help the verifier to learn the secret.
- The verifier can build a simulator to generate a transcript of a similar dialogue of the proof.

IEEE - CEC '04

Introduction

- What about the Proof?
- It must be convincing!
- It must be highly unlikely that the prover can generate the dialogue without knowing the secret.

IEEE - CEC '04

Applications of ZKP to E-com.

- Identification schemes
- Multi-media security and digital watermarks
- Network privacy and anonymous communication
- Digital cash and off-line digital coin systems
- Electronic voting systems
- Public-key cryptographic systems

IEEE - CEC '04

Examples of ZKP

Zero-Knowledge Proof of:

- Discrete Logarithm
- Graph Isomorphism
- Square root of an integer modulo n
- Integer factorization

IEEE - CEC '04

Discrete Logarithm

Peggy, the prover, wants to prove in zero-knowledge that she knows the DL of a given number modulo n.

i.e. to prove in zero-knowledge that she knows x such that

g^x = b (mod n), for known b, g, n.

IEEE - CEC '04

Graph Isomorphism

Peggy wants to prove in zero-knowledge that two given graphs G1 and G2 are isomorphic.

i.e. to prove that she knows a mapping f from G1 to G2 such that:

(v1,v2) is an edge in G1 iff (f (v1), f (v2)) is an edge in G2 without revealing any information about f.

IEEE - CEC '04

Square root of an integer modulo n

Peggy wants to prove in zero-knowledge that she knows the square root of a given number modulo a large composite number n.

i.e. to prove in zero-knowledge that she knows x such that

x^2 = b (mod n), for known b, n.

IEEE - CEC '04

Integer factorization

Peggy wants to prove in zero-knowledge that a given number n is a product of two large primes.

i.e. to prove in zero-knowledge that she knows p and q such that

p * q = n, for a given n.

IEEE - CEC '04

Classical Solutions

- Iterative ZK proof of DL problem
Given n, generator g for Fn, and b Î Fn

To prove in zero-knowledge that Peggy knows x such that

g^x = b (mod n)

IEEE - CEC '04

Victor (V)

0

g, b, n, x

g, b, n

1

Peggy generates random r

r

2

P sends h = g^r mod n to V

h

h

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check g^r = h

5

If c = T, P sends m = x + r

m

m, check g^m = bh

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

ZKP of DL problemIEEE - CEC '04

Elliptic Curves

Definition: an elliptic curve E over some field K is the set of all points (x, y) K K that satisfy the equation:

y2 = x3 + ax + b

Where a, b K

IEEE - CEC '04

ZK Proofs Using EC

- EC vs. Multiplicative Groups
- Points (x,y) on the elliptic curve E/Fn instead of integers.
- Multiplication (m.B) instead of power (b^m).

- DL Problem in EC
Given B, G Î E (Fn) {G is “generator” or its order contains large prime},

to find m such that m.G = B

IEEE - CEC '04

ZK Proofs Using EC

- ZK proof of DL problem
Given E/Fn, G (generator, or its order contains large prime), and B = mGÎ E. Peggy wants to prove in zero-knowledge that she knows m.

IEEE - CEC '04

Victor (V)

0

G, B, m

G, B

1

Peggy generates random r

r

2

P sends A = r G to V

A

A

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check r G = A

5

If c = T, P sends x = r + m

x

x, check xG =A+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

ZKP of DL problem Using ECIEEE - CEC '04

Why EC?

- EC is more secure for DL blocks
- Having DL as building blocks in ZK proofs, EC scheme is more secure than the classical scheme (using multiplicative groups).
- Breaking the scheme requires solving the DL problem.

IEEE - CEC '04

Why EC?

- Time Complexity of Solving DL
- The classical DL problem in Fq* can be solved in sub-exponential time, L[1/3].
Exp[ O( (log q)1/3 (log log q)2/3) ]

- The best known algorithm to solve the DL problem in E/Fq (using giant-step baby-step approach and MOV reduction) takes exponential time, L[1], O(N1/2) where N is the group order.
Exp[ O(log q) ]

- The classical DL problem in Fq* can be solved in sub-exponential time, L[1/3].

IEEE - CEC '04

Why EC?

- Other Problems?
- EC schemes are more secure than the classical ones if they are based on only DL.
- If the EC scheme is not based on only DL, then weaker parts can be attacked in sub-exponential time, and hence EC gives no more security than the classical ones. (E.g. ZK proof of knowing square root of b mod n)

IEEE - CEC '04

Example: Square root problem

- ZK proof of knowing square root of b mod n
Given b and n, Peggy wants to prove in zero-knowledge that she knows x such that

x^2 = b (mod n)

- EC version
Given E/Fn (for composite n) and B E, Peggy wants to prove in zero-knowledge that she knows A E such that

2A = B

IEEE - CEC '04

Victor (V)

0

b, n, x

b, n

1

Peggy generates random r

r

2

P sends s = r^2 mod n to V

s

s

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check r^2 = s

5

If c = T, P sends m = r x

m

m, check m^2 = sb

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

Example: x^2 = b mod nIEEE - CEC '04

Victor (V)

0

A, B

B

1

Peggy generates random R

R

2

P sends S = 2R = R+R to V

S

S

3

V flips a coin c = H or T

c

c

4

If c = H, P sends R to V

R, check 2R = S

5

If c = T, P sends M = R+A

M

M, check 2M = S+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

Example (EC version) : 2 A = BIEEE - CEC '04

Victor (V)

0

A, B

B

1

Peggy generates random R

R

2

P sends S = 2R = R+R to V

S

S

3

V flips a coin c = H or T

c

c

4

If c = H, P sends R to V

R, check 2R = S

5

If c = T, P sends M = R+A

M

M, check 2M = S+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

Example (EC version) : 2 A = BSolve for R in sub-exp

= T

A = M - R

IEEE - CEC '04

Current Research on ZKP

- Iterative ZKPs
VS.

- One-round ZKPs
- Challenge-and-response protocol

IEEE - CEC '04

Victor (V)

0

g, b, n, x

g, b, n

1

V generates a random y

y

2

V sends C = g^y (mod n)

C

C= g^y

3

P sends R = C^x (mod n)

R= C^x

R

4

V verifies that

R = b^y (mod n)

i.e. R = C^x = (g^y)^x = g^xy

= (g^x)^y = b^y

One-Round ZK proof of DL problemIEEE - CEC '04

Victor (V)

0

G, B, m

G, B

1

V generates a random y

y

2

Victor sends C = yG

C

C= yG

3

Peggy sends R = mC

R= mC

R

4

Victor verifies that

yB = R

i.e. yB = y(mG) = m(yG)

= mC = R

One-Round ZK proof of DL problemIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Square root

Factorization

Graph Isomorphism

ConclusionIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Factorization

Graph Isomorphism

ConclusionIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Graph Isomorphism

ConclusionIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

Graph Isomorphism

ConclusionIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

ConclusionIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

ConclusionIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

?

ConclusionIEEE - CEC '04

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

?

?

?

ConclusionIEEE - CEC '04

References

- Elliptic curve implementation of zero-knowledge blobs, Neal Koblitz, Journal of Cryptology, Vol. 4, 1991, 207-213.
- Zero Knowledge Watermark Detection, Scott Craver, Princeton Univ.
- Algebraic Aspects of Cryptography, Neal Koblitz, Springer. 1998.
- Applied Cryptography, Bruce Schneier, Wiley. 1996. pp 101-111.
- The improbability that an elliptic curve has sub-exponential discrete log problem under the MOV algorithm, R. Balasubramaniam, N. Koblitz, Journal of Cryptology, 1998.

IEEE - CEC '04

Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge Proofs

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, [email protected]

IEEE - CEC '04

Download Presentation

Connecting to Server..