Better privacy and security in e commerce using elliptic curve based zero knowledge proofs
This presentation is the property of its rightful owner.
Sponsored Links
1 / 40

Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs PowerPoint PPT Presentation


  • 92 Views
  • Uploaded on
  • Presentation posted in: General

Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs. Sultan Almuhammadi Nien Sui Dennis McLeod E-mail: { s almuham, sui, mcleod }@ usc.edu. Keywords. Security Privacy Zero-knowledge proofs Elliptic Curves. Zero-Knowledge Proof!… Why bother?.

Download Presentation

Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Better privacy and security in e commerce using elliptic curve based zero knowledge proofs

Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge Proofs

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, [email protected]

IEEE - CEC '04


Keywords

Keywords

  • Security

  • Privacy

  • Zero-knowledge proofs

  • Elliptic Curves

IEEE - CEC '04


Zero knowledge proof why bother

Zero-Knowledge Proof!… Why bother?

Peggy: "I know the password to the Federal Reserve System computers."

Victor: " No, you don't"

Peggy: " Yes, I do!"

Victor: " Do not!"

Peggy: " Do too!"

Victor: " Prove it!"

Peggy: " All right. I'll tell you". She whispers in Victor's ear.

IEEE - CEC '04


Zero knowledge proof why bother1

Zero-Knowledge Proof!… Why bother?

Victor: "That's interesting. Now I know it too. I'm going to tell the Washington Post."

Peggy: "Oops!!"

Unfortunately, the usual way for Peggy to prove something to Victor is for Peggy to tell him. But then he knows it too, and can tell anyone else he wants to.

IEEE - CEC '04


Outline

Outline

  • Introduction to Zero-Knowledge Proof

  • Applications of ZKP to E-com

  • Examples of ZK Proof Problems

  • Classical Solutions

  • Elliptic Curves

  • EC Solutions

  • Why EC?

  • Current Research on ZKP

  • Conclusion

IEEE - CEC '04


Introduction

Introduction

  • What is ZK proof?

    To prove knowledge of a secret without revealing any information about it.

    It must be:

    • Zero-knowledge, and

    • Proof.

IEEE - CEC '04


Introduction1

Introduction

  • What is Zero-Knowledge?

    • It is computationally infeasible to retrieve the secret using the information revealed in the proof (dialogue).

    • If he deviates from the protocol, it doesn’t help the verifier to learn the secret.

    • The verifier can build a simulator to generate a transcript of a similar dialogue of the proof.

IEEE - CEC '04


Introduction2

Introduction

  • What about the Proof?

    • It must be convincing!

    • It must be highly unlikely that the prover can generate the dialogue without knowing the secret.

IEEE - CEC '04


Applications of zkp to e com

Applications of ZKP to E-com.

  • Identification schemes

  • Multi-media security and digital watermarks

  • Network privacy and anonymous communication

  • Digital cash and off-line digital coin systems

  • Electronic voting systems

  • Public-key cryptographic systems

IEEE - CEC '04


Examples of zkp

Examples of ZKP

Zero-Knowledge Proof of:

  • Discrete Logarithm

  • Graph Isomorphism

  • Square root of an integer modulo n

  • Integer factorization

IEEE - CEC '04


Discrete logarithm

Discrete Logarithm

Peggy, the prover, wants to prove in zero-knowledge that she knows the DL of a given number modulo n.

i.e. to prove in zero-knowledge that she knows x such that

g^x = b (mod n), for known b, g, n.

IEEE - CEC '04


Graph isomorphism

Graph Isomorphism

Peggy wants to prove in zero-knowledge that two given graphs G1 and G2 are isomorphic.

i.e. to prove that she knows a mapping f from G1 to G2 such that:

(v1,v2) is an edge in G1 iff (f (v1), f (v2)) is an edge in G2 without revealing any information about f.

IEEE - CEC '04


Square root of an integer modulo n

Square root of an integer modulo n

Peggy wants to prove in zero-knowledge that she knows the square root of a given number modulo a large composite number n.

i.e. to prove in zero-knowledge that she knows x such that

x^2 = b (mod n), for known b, n.

IEEE - CEC '04


Integer factorization

Integer factorization

Peggy wants to prove in zero-knowledge that a given number n is a product of two large primes.

i.e. to prove in zero-knowledge that she knows p and q such that

p * q = n, for a given n.

IEEE - CEC '04


Classical solutions

Classical Solutions

  • Iterative ZK proof of DL problem

    Given n, generator g for Fn, and b Î Fn

    To prove in zero-knowledge that Peggy knows x such that

    g^x = b (mod n)

IEEE - CEC '04


Zkp of dl problem

Peggy (P)

Victor (V)

0

g, b, n, x

g, b, n

1

Peggy generates random r

r

2

P sends h = g^r mod n to V

h

h

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check g^r = h

5

If c = T, P sends m = x + r

m

m, check g^m = bh

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

ZKP of DL problem

IEEE - CEC '04


Elliptic curves

Elliptic Curves

Definition: an elliptic curve E over some field K is the set of all points (x, y)  K  K that satisfy the equation:

y2 = x3 + ax + b

Where a, b  K

IEEE - CEC '04


Zk proofs using ec

ZK Proofs Using EC

  • EC vs. Multiplicative Groups

    • Points (x,y) on the elliptic curve E/Fn instead of integers.

    • Multiplication (m.B) instead of power (b^m).

  • DL Problem in EC

    Given B, G Î E (Fn) {G is “generator” or its order contains large prime},

    to find m such that m.G = B

IEEE - CEC '04


Zk proofs using ec1

ZK Proofs Using EC

  • ZK proof of DL problem

    Given E/Fn, G (generator, or its order contains large prime), and B = mGÎ E. Peggy wants to prove in zero-knowledge that she knows m.

IEEE - CEC '04


Zkp of dl problem using ec

Peggy (P)

Victor (V)

0

G, B, m

G, B

1

Peggy generates random r

r

2

P sends A = r G to V

A

A

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check r G = A

5

If c = T, P sends x = r + m

x

x, check xG =A+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

ZKP of DL problem Using EC

IEEE - CEC '04


Why ec

Why EC?

  • EC is more secure for DL blocks

    • Having DL as building blocks in ZK proofs, EC scheme is more secure than the classical scheme (using multiplicative groups).

    • Breaking the scheme requires solving the DL problem.

IEEE - CEC '04


Why ec1

Why EC?

  • Time Complexity of Solving DL

    • The classical DL problem in Fq* can be solved in sub-exponential time, L[1/3].

      Exp[ O( (log q)1/3 (log log q)2/3) ]

    • The best known algorithm to solve the DL problem in E/Fq (using giant-step baby-step approach and MOV reduction) takes exponential time, L[1], O(N1/2) where N is the group order.

      Exp[ O(log q) ]

IEEE - CEC '04


Why ec2

Why EC?

  • Other Problems?

    • EC schemes are more secure than the classical ones if they are based on only DL.

    • If the EC scheme is not based on only DL, then weaker parts can be attacked in sub-exponential time, and hence EC gives no more security than the classical ones. (E.g. ZK proof of knowing square root of b mod n)

IEEE - CEC '04


Example square root problem

Example: Square root problem

  • ZK proof of knowing square root of b mod n

    Given b and n, Peggy wants to prove in zero-knowledge that she knows x such that

    x^2 = b (mod n)

  • EC version

    Given E/Fn (for composite n) and B  E, Peggy wants to prove in zero-knowledge that she knows A  E such that

    2A = B

IEEE - CEC '04


Example x 2 b mod n

Peggy (P)

Victor (V)

0

b, n, x

b, n

1

Peggy generates random r

r

2

P sends s = r^2 mod n to V

s

s

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check r^2 = s

5

If c = T, P sends m = r x

m

m, check m^2 = sb

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

Example: x^2 = b mod n

IEEE - CEC '04


Example ec version 2 a b

Peggy (P)

Victor (V)

0

A, B

B

1

Peggy generates random R

R

2

P sends S = 2R = R+R to V

S

S

3

V flips a coin c = H or T

c

c

4

If c = H, P sends R to V

R, check 2R = S

5

If c = T, P sends M = R+A

M

M, check 2M = S+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

Example (EC version) : 2 A = B

IEEE - CEC '04


Example ec version 2 a b1

Peggy (P)

Victor (V)

0

A, B

B

1

Peggy generates random R

R

2

P sends S = 2R = R+R to V

S

S

3

V flips a coin c = H or T

c

c

4

If c = H, P sends R to V

R, check 2R = S

5

If c = T, P sends M = R+A

M

M, check 2M = S+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

Example (EC version) : 2 A = B

Solve for R in sub-exp

= T

A = M - R

IEEE - CEC '04


Current research on zkp

Current Research on ZKP

  • Iterative ZKPs

    VS.

  • One-round ZKPs

    • Challenge-and-response protocol

IEEE - CEC '04


One round zk proof of dl problem

Peggy (P)

Victor (V)

0

g, b, n, x

g, b, n

1

V generates a random y

y

2

V sends C = g^y (mod n)

C

C= g^y

3

P sends R = C^x (mod n)

R= C^x

R

4

V verifies that

R = b^y (mod n)

i.e. R = C^x = (g^y)^x = g^xy

= (g^x)^y = b^y

One-Round ZK proof of DL problem

IEEE - CEC '04


One round zk proof of dl problem1

Peggy (P)

Victor (V)

0

G, B, m

G, B

1

V generates a random y

y

2

Victor sends C = yG

C

C= yG

3

Peggy sends R = mC

R= mC

R

4

Victor verifies that

yB = R

i.e. yB = y(mG) = m(yG)

= mC = R

One-Round ZK proof of DL problem

IEEE - CEC '04


Conclusion

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Square root

Factorization

Graph Isomorphism

Conclusion

IEEE - CEC '04


Conclusion1

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Factorization

Graph Isomorphism

Conclusion

IEEE - CEC '04


Conclusion2

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Graph Isomorphism

Conclusion

IEEE - CEC '04


Conclusion3

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

Graph Isomorphism

Conclusion

IEEE - CEC '04


Conclusion4

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Conclusion

IEEE - CEC '04


Conclusion5

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

Conclusion

IEEE - CEC '04


Conclusion6

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

?

Conclusion

IEEE - CEC '04


Conclusion7

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

?

?

?

Conclusion

IEEE - CEC '04


References

References

  • Elliptic curve implementation of zero-knowledge blobs, Neal Koblitz, Journal of Cryptology, Vol. 4, 1991, 207-213.

  • Zero Knowledge Watermark Detection, Scott Craver, Princeton Univ.

  • Algebraic Aspects of Cryptography, Neal Koblitz, Springer. 1998.

  • Applied Cryptography, Bruce Schneier, Wiley. 1996. pp 101-111.

  • The improbability that an elliptic curve has sub-exponential discrete log problem under the MOV algorithm, R. Balasubramaniam, N. Koblitz, Journal of Cryptology, 1998.

IEEE - CEC '04


Better privacy and security in e commerce using elliptic curve based zero knowledge proofs1

Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge Proofs

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, [email protected]

IEEE - CEC '04


  • Login