- 96 Views
- Uploaded on
- Presentation posted in: General

Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, [email protected]

IEEE - CEC '04

- Security
- Privacy
- Zero-knowledge proofs
- Elliptic Curves

IEEE - CEC '04

Peggy: "I know the password to the Federal Reserve System computers."

Victor: " No, you don't"

Peggy: " Yes, I do!"

Victor: " Do not!"

Peggy: " Do too!"

Victor: " Prove it!"

Peggy: " All right. I'll tell you". She whispers in Victor's ear.

IEEE - CEC '04

Victor: "That's interesting. Now I know it too. I'm going to tell the Washington Post."

Peggy: "Oops!!"

Unfortunately, the usual way for Peggy to prove something to Victor is for Peggy to tell him. But then he knows it too, and can tell anyone else he wants to.

IEEE - CEC '04

- Introduction to Zero-Knowledge Proof
- Applications of ZKP to E-com
- Examples of ZK Proof Problems
- Classical Solutions
- Elliptic Curves
- EC Solutions
- Why EC?
- Current Research on ZKP
- Conclusion

IEEE - CEC '04

- What is ZK proof?
To prove knowledge of a secret without revealing any information about it.

It must be:

- Zero-knowledge, and
- Proof.

IEEE - CEC '04

- What is Zero-Knowledge?
- It is computationally infeasible to retrieve the secret using the information revealed in the proof (dialogue).
- If he deviates from the protocol, it doesn’t help the verifier to learn the secret.
- The verifier can build a simulator to generate a transcript of a similar dialogue of the proof.

IEEE - CEC '04

- What about the Proof?
- It must be convincing!
- It must be highly unlikely that the prover can generate the dialogue without knowing the secret.

IEEE - CEC '04

- Identification schemes
- Multi-media security and digital watermarks
- Network privacy and anonymous communication
- Digital cash and off-line digital coin systems
- Electronic voting systems
- Public-key cryptographic systems

IEEE - CEC '04

Zero-Knowledge Proof of:

- Discrete Logarithm
- Graph Isomorphism
- Square root of an integer modulo n
- Integer factorization

IEEE - CEC '04

Peggy, the prover, wants to prove in zero-knowledge that she knows the DL of a given number modulo n.

i.e. to prove in zero-knowledge that she knows x such that

g^x = b (mod n), for known b, g, n.

IEEE - CEC '04

Peggy wants to prove in zero-knowledge that two given graphs G1 and G2 are isomorphic.

i.e. to prove that she knows a mapping f from G1 to G2 such that:

(v1,v2) is an edge in G1 iff (f (v1), f (v2)) is an edge in G2 without revealing any information about f.

IEEE - CEC '04

Peggy wants to prove in zero-knowledge that she knows the square root of a given number modulo a large composite number n.

i.e. to prove in zero-knowledge that she knows x such that

x^2 = b (mod n), for known b, n.

IEEE - CEC '04

Peggy wants to prove in zero-knowledge that a given number n is a product of two large primes.

i.e. to prove in zero-knowledge that she knows p and q such that

p * q = n, for a given n.

IEEE - CEC '04

- Iterative ZK proof of DL problem
Given n, generator g for Fn, and b Î Fn

To prove in zero-knowledge that Peggy knows x such that

g^x = b (mod n)

IEEE - CEC '04

Peggy (P)

Victor (V)

0

g, b, n, x

g, b, n

1

Peggy generates random r

r

2

P sends h = g^r mod n to V

h

h

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check g^r = h

5

If c = T, P sends m = x + r

m

m, check g^m = bh

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

IEEE - CEC '04

Definition: an elliptic curve E over some field K is the set of all points (x, y) K K that satisfy the equation:

y2 = x3 + ax + b

Where a, b K

IEEE - CEC '04

- EC vs. Multiplicative Groups
- Points (x,y) on the elliptic curve E/Fn instead of integers.
- Multiplication (m.B) instead of power (b^m).

- DL Problem in EC
Given B, G Î E (Fn) {G is “generator” or its order contains large prime},

to find m such that m.G = B

IEEE - CEC '04

- ZK proof of DL problem
Given E/Fn, G (generator, or its order contains large prime), and B = mGÎ E. Peggy wants to prove in zero-knowledge that she knows m.

IEEE - CEC '04

Peggy (P)

Victor (V)

0

G, B, m

G, B

1

Peggy generates random r

r

2

P sends A = r G to V

A

A

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check r G = A

5

If c = T, P sends x = r + m

x

x, check xG =A+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

IEEE - CEC '04

- EC is more secure for DL blocks
- Having DL as building blocks in ZK proofs, EC scheme is more secure than the classical scheme (using multiplicative groups).
- Breaking the scheme requires solving the DL problem.

IEEE - CEC '04

- Time Complexity of Solving DL
- The classical DL problem in Fq* can be solved in sub-exponential time, L[1/3].
Exp[ O( (log q)1/3 (log log q)2/3) ]

- The best known algorithm to solve the DL problem in E/Fq (using giant-step baby-step approach and MOV reduction) takes exponential time, L[1], O(N1/2) where N is the group order.
Exp[ O(log q) ]

- The classical DL problem in Fq* can be solved in sub-exponential time, L[1/3].

IEEE - CEC '04

- Other Problems?
- EC schemes are more secure than the classical ones if they are based on only DL.
- If the EC scheme is not based on only DL, then weaker parts can be attacked in sub-exponential time, and hence EC gives no more security than the classical ones. (E.g. ZK proof of knowing square root of b mod n)

IEEE - CEC '04

- ZK proof of knowing square root of b mod n
Given b and n, Peggy wants to prove in zero-knowledge that she knows x such that

x^2 = b (mod n)

- EC version
Given E/Fn (for composite n) and B E, Peggy wants to prove in zero-knowledge that she knows A E such that

2A = B

IEEE - CEC '04

Peggy (P)

Victor (V)

0

b, n, x

b, n

1

Peggy generates random r

r

2

P sends s = r^2 mod n to V

s

s

3

V flips a coin c = H or T

c

c

4

If c = H, P sends r to V

r, check r^2 = s

5

If c = T, P sends m = r x

m

m, check m^2 = sb

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

IEEE - CEC '04

Peggy (P)

Victor (V)

0

A, B

B

1

Peggy generates random R

R

2

P sends S = 2R = R+R to V

S

S

3

V flips a coin c = H or T

c

c

4

If c = H, P sends R to V

R, check 2R = S

5

If c = T, P sends M = R+A

M

M, check 2M = S+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

IEEE - CEC '04

Peggy (P)

Victor (V)

0

A, B

B

1

Peggy generates random R

R

2

P sends S = 2R = R+R to V

S

S

3

V flips a coin c = H or T

c

c

4

If c = H, P sends R to V

R, check 2R = S

5

If c = T, P sends M = R+A

M

M, check 2M = S+B

6

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

Solve for R in sub-exp

= T

A = M - R

IEEE - CEC '04

- Iterative ZKPs
VS.

- One-round ZKPs
- Challenge-and-response protocol

IEEE - CEC '04

Peggy (P)

Victor (V)

0

g, b, n, x

g, b, n

1

V generates a random y

y

2

V sends C = g^y (mod n)

C

C= g^y

3

P sends R = C^x (mod n)

R= C^x

R

4

V verifies that

R = b^y (mod n)

i.e. R = C^x = (g^y)^x = g^xy

= (g^x)^y = b^y

IEEE - CEC '04

Peggy (P)

Victor (V)

0

G, B, m

G, B

1

V generates a random y

y

2

Victor sends C = yG

C

C= yG

3

Peggy sends R = mC

R= mC

R

4

Victor verifies that

yB = R

i.e. yB = y(mG) = m(yG)

= mC = R

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Square root

Factorization

Graph Isomorphism

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Factorization

Graph Isomorphism

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Graph Isomorphism

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

Graph Isomorphism

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

?

IEEE - CEC '04

ZK Proof Problems

Classical (iterative)

Classical (one-round)

EC

EC security advantage

DL

Yes

Yes

Yes

Yes

Square root

Yes

Yes

Yes

No

Factorization

Yes

Yes

No

No

Graph Isomorphism

Yes

?

?

?

IEEE - CEC '04

- Elliptic curve implementation of zero-knowledge blobs, Neal Koblitz, Journal of Cryptology, Vol. 4, 1991, 207-213.
- Zero Knowledge Watermark Detection, Scott Craver, Princeton Univ.
- Algebraic Aspects of Cryptography, Neal Koblitz, Springer. 1998.
- Applied Cryptography, Bruce Schneier, Wiley. 1996. pp 101-111.
- The improbability that an elliptic curve has sub-exponential discrete log problem under the MOV algorithm, R. Balasubramaniam, N. Koblitz, Journal of Cryptology, 1998.

IEEE - CEC '04

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, [email protected]

IEEE - CEC '04