Zero Knowledge Accumulators and Set Operations

Transcription

1 Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios Papadopoulos 3 Roberto Tamassia 1 Nikos Triandopoulos 4 1 Brown University 2 Microsoft Research 3 University of Maryland 4 Stevens Institute of Technology Research supported in part by the US National Science Foundation

2 Data Outsourcing OWNER SERVER query answer CLIENTS

3 Verifiable data outsourcing (static) OWNER SERVER θ θ σ query answer, proof CLIENTS

4 Verifiable data outsourcing (dynamic) OWNER SERVER state σ Upd query answer, proof θ CLIENTS

5 Challenge: Proof Leaking Information r c a x Merkle tree with items stored in sorted order at the leaves. Proof of x: ((a, L), (b, R)). Verification: h(h(a, h(x), c) = r Proof leaks rank of item.

6 Zone enumeration attack Primary resolver Secondary resolver pk,h(.) Zone names: a.com b.com w.com θ θ H(a.com) H(b.com) H(w.com) a5bb 23ce fae1 23ce a5bb fae1 q.com answer, proof CLIENTS [GNPRVZ NDSS15, RFC 5155]

7 Zone enumeration attack Primary resolver Secondary resolver Zone names: a.com b.com w.com θ θ pk,h(.) H(a.com) H(b.com) H(w.com) a5bb 23ce fae1 23ce a5bb fae1 q.com, 23ce a5bb CLIENTS [Bernstein11 nsec3walker]

8 Cryptographic accumulator [Benaloh and del Mare93] σ acc(setx ). Efficient and succinct proof for x X, x / X. Proofs are publicly computable and verifiable. Soundness: Forging proof for an element is infeasible. Traditional proofs are leaky.

9 In this work Formal model for zero-knowledge universal dynamic accumulators. Efficient construction for zero-knowledge accumulators. Efficient construction for : 1. is-subset 2. difference 3. union 4. intersection

10 Our Model OWNER SERVER state σ Upd query answer, proof θ CLIENTS

11 Soundness Challenger Adversary pk Setup Repeat λ times { Set X0 Digests σ0, θ0 Update Ui σi+1, Updi j,query*, answer*, proof* Figure: Probability that Verify accepts but answer is not correct wrt query on X j is negligible

12 Zero-Knowledge Challenger pk Adversary Simulator pk Client σ0 query {answer,proof { Ui σi+1 Set X0 Guess { Client σ0 query answer,proof { σi+1 Notify Update Figure: Probability that Adversary guesses correctly if it is talking to a challenger or a simulator is negligible

13 Zero Knowledge Accumulator

14 Query X = {x 1,..., x N } = set of elements Client Query: Is element x X? Server Response: answer = 1 indication yes and answer = 0 indicating no + proof

15 Set Representation A set X = {x 1,..., x N } represented using its characteristic polynomial Ch X [z] = N i=1 (z + x i) Bilinear Map: λ N is the security parameter of the scheme G, G 1 multiplicative cyclic groups of prime order p p is a large k-bit prime g is a random generator of G e : G G G 1 is computable bilinear nondegenerate map e(g a, g b ) = e(g, g) ab.

16 Keygen and Setup (Owner) (sk, pk) KeyGen(1 λ ) Generate bilinear parameters pub = (p, G, G 1, e, g). O(poly(λ)) Choose s $ Z p. Set sk = s and pk = (g s, pub). (σ 0, θ 0, state 0 ) Setup(sk, X 0 ) Choose r $ Z p. Set σ 0 = g r Ch X (s).o(n) Set θ 0 = (g, g s, g s2,..., g sn, r). O(N) Set state 0 = X.

17 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N)

18 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x if query = x / X : = g r Ch X (s) (s+x). O(N log N)

19 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N)

20 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p

21 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x)

22 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x) 4. Set q 2 [z] = q 2[z] γ Ch X [z].

23 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x) 4. Set q 2 [z] = q 2[z] γ Ch X [z]. 5. Set W 1 := g q 1 (s)r 1, W 2 = g q 2 (s).

24 Query (Server) (answer, proof) PerformQuery(X j, θ j, query) if query = x X : set answer = 1 and proof = (σ j ) 1 s+x = g r Ch X (s) (s+x). O(N log N) if query = x / X : 1. Using the Extended Euclidean algorithm, compute polynomials q 1 [z], q 2 [z] such that q 1 [z]ch X [z] + q 2 [z](z + x) = 1. O(N log 2 N log log N) 2. Pick a random γ $ Z p 3. Set q 1 [z] = q 1[z] + γ (z + x) 4. Set q 2 [z] = q 2[z] γ Ch X [z]. 5. Set W 1 := g q 1 (s)r 1, W 2 = g q 2 (s). 6. Set proof := (W 1, W 2 ) and answer = 0.

25 Verification (Client) (accept/reject) Verify(pk, σ j, query, answer, proof) Let query = x. If answer = 1, return accept if e(σ j, g) = e(proof, g x pk). O(1) if answer = 0, return accept if e(w 1, σ j )e(w 2, g x pk) = e(g, g). O(1) Return reject otherwise.

26 Update (X i+1, σ i+1, upd i, state i+1 ) Update(sk, state i, σ i, θ i, X i, u i ) Owner: Choose r $ Z p. If x is to be inserted: 1. Compute σ i+1 = σ (s+x)r i. O(1) If x is to be deleted: 1. Compute σ i+1 = σ r s+x.o(1) Set upd i = (r ) and state i+1 = X i+1. Server: i Store the inserted/deleted element and upd i = (r ).O(1)

27 Privacy comes almost for free [Nguyen05 No Privacy] This work Setup NMUL NMUL Update 1MUL 2MUL Witness (Member) NMUL + (N 1)ADD NMUL + (N 1)ADD Witness (Non-Member) NMUL + (N 1)ADD (N + 1)MUL + (N 1)ADD Verify (Member) 1(MUL + ADD + PAIR) 1(MUL + ADD + PAIR) Verify (Non-Member) 2(MUL + ADD + PAIR) 1(MUL + ADD + ADD 1 ) + 2PAIR Witness Update (Member) 1(MUL + ADD) 2MUL + 1ADD Witness Update (Non-Member) 2MUL + 1ADD (N + 1)MUL + (N 1)ADD Figure: ADD = point addition MUL = scalar multiplication in the elliptic curve group G, ADD 1 = point addition in G 1 and PAIR a pairing computation, whereas N is the size of the set.

28 Set Algebra : Union

29 Query {X 1,..., X m } = set collection Client Query: Return union of sets 2, 5, 9 Server Response: answer = X 2 X 5 X 9 + proof Let X 2 = {a, b, d}, X 5 = {d, f }, X 9 = {a, c} answer = {a, c, b, d, f }

30 Completeness Conditions Superset condition: X 2 answer X 5 answer X 9 answer. Technique: Generalization of set membership. Membership condition: answer Ũ where Ũ = X 2 X 5 X 9.

31 Proving membership Multiset union: Ũ = {a, a, c, c, b, d, d, f } 1. Compute σũ g (r 2r 5 r 9 )ChŨ(s) = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f )

32 Proving membership Multiset union: Ũ = {a, a, c, c, b, d, d, f } 1. Compute σũ g (r 2r 5 r 9 )ChŨ(s) = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) 2. Prove σũ is correctly computed

33 Proving membership Multiset union: Ũ = {a, a, c, c, b, d, d, f } 1. Compute σũ g (r 2r 5 r 9 )ChŨ(s) = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) 2. Prove σũ is correctly computed 3. Prove answer Ũ using σũ

34 Step 2: Server σũ = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) σ 2,5 = g r 2r 5 (s+a)(s+b)(s+d) 2 (s+f ) σ 9 = g r 9(s+a)(s+c) σ 2 = g r 2(s+a)(s+b)(s+d) σ 5 = g r 5(s+d)(s+f )

35 Step 2: Server σũ = g (r 2r 5 r 9 )(s+a) 2 (s+c)(s+b)(s+d) 2 (s+f ) σ 2,5 = g r 2r 5 (s+a)(s+b)(s+d) 2 (s+f ) σ 9 = g r 9(s+a)(s+c) σ 2 = g r 2(s+a)(s+b)(s+d) σ 5 = g r 5(s+d)(s+f )

36 Step 2: Client e(σ 2,5, σ 9 )? = e(σũ, g) e(σ 2, σ 5 )? = e(σ 2,5, g) σ 9 σ 2 σ 5

37 Step 3 r Server: W (answer, Ũ) g 2 r 5 r 9 ChŨ (s) Chanswer(s) = g r 2r 5 r 9 (s+a)(s+d) Client: e(w (answer, Ũ), g Chanswer(s) )? = e(σũ, g)

38 More in the paper: 1. Relation of Zero Knowledge Accumulator with the existing primitives (ZKS, PSR, Trapdoorless Acc). 2. Formal proof that Zero knowledge is stronger than indistinguishably notion [MLPP12, DHS15] of privacy. 3. First efficient construction for zero-knowledge verifiable set algebra queries (Is-subset, Intersection, Union, Difference) with no additional cost over the state-of-the art non-private construction [PTT11].

39 Thank you!