Zero-Knowledge Proof and Authentication Protocols

Transcription

1 Zero-Knowledge Proof and Authentication Protocols Ben Lipton April 26, 2016

2 Outline Background Zero-Knowledge Proofs Zero-Knowledge Authentication History Example Protocols Guillou-Quisquater Non-zero-knowledge Anonymous Group Identification Practical Challenges

3 Zero-Knowledge Proofs Concept: Prover wishes to convince verifier of an assertion, without revealing any information besides that the assertion is true. Requirements [1]: Completeness - If the assertion is true, the verifier will be convinced (with high probability). Soundness - If the statement is false, the prover will (with high probability) fail to convince the verifier. Zero knowledge - The transcript of the proof reveals no information about the assertion.

4 Zero-Knowledge Authentication / Proofs of Identity In computing, we need authentication protocols to confirm identity of user Risk of eavesdropping, server compromise Best case - attacker learns nothing from exchange they didn t already know

5 History Idea of zero-knowledge proofs introduced [2] First zero-knowledge proof of identity (Fiat-Shamir [3]) Single-round zero-knowledge identification (Guillou-Quisquater [4]) 1990s - Lots of protocols, theory Since New applications: Group authentication [5] [6], anti-phishing [7], deniable authentication [8]

6 Guillou-Quisquater Identification Scheme - Setup The trusted authority (TA) chooses: primes p, q such that factoring their product n = pq is infeasible another large prime b b and n are published; p and q are kept secret. Alice s private key is an integer u Z n, and her public key is v = (u 1 ) b mod n. TA issues Alice a certificate (using any secure signature scheme): Cert(Alice) = (ID(Alice), v, sig TA (ID(Alice) v)) Note: This formulation from Stinson, original paper derives public key from user identity.

7 Guillou-Quisquater Identification Scheme - Protocol 1. Alice chooses random k Z n 2. Alice sends Bob Cert(Alice), γ = k b mod n 3. Bob verifies ver TA (ID(Alice) v, s) = true 4. Bob sends Alice a random number r (0 r b 1) 5. Alice computes and sends back 6. Bob verifies that y = ku r mod n γ v r y b (mod n)

8 Is this really zero-knowledge authentication? 1. A B: v = (u 1 ) b mod n; γ = k b mod n 2. B A: r 3. A B: y = ku r mod n 4. B: γ v r y b (mod n)? Completeness Soundness Zero knowledge

9 Public-key Authentication Example of a non-zero-knowledge protocol 1. Bob sends random challenge r to Alice 2. Alice sends back Cert(Alice) and y = sig Alice (ID(Bob) r) 3. Bob verifies Cert(Alice) and extracts public key ver Alice from it. 4. Bob accepts if and only if ver Alice (ID(Bob) r, y) = true Only Alice can generate y, so a transcript is proof that Alice was authenticated!

10 Anonymous Group Identification - Setup Goal: Convince verifier that prover is a member of an authorized group, without revealing which member it is. TA generates two large primes p, q, p q 3 (mod 4), and publishes their product n = pq. TA generates and distributes a private key w i to each user. The corresponding public key is the quadratic residue y i = w 2 i mod n.

11 Anonymous Group Identification - Protocol 1. Prover U i selects a random subset R of {y 1,..., y m }, and a random r Z n. 2. Prover computes and sends to verifier u = r 2 y R y mod n 3. Verifier sends random bit b to prover 4. Prover returns either: s = r, if b R (mod 2) s = rwi, if b R (mod 2) and y i R s = rw 1 i, if b R (mod 2) and y i R 5. Verifier confirms that s 2 mod n times a subset of the y i s with parity b is equal to u (mod n) 6. Repeat until verifier is convinced

12 Anonymous Group Identification - Zero-Knowledge To simulate a transcript of this protocol without access to the private keys: 1. Randomly select bit b, integer r, and subset R whose order has parity b. 2. Let s = r and let u = r 2 y R y mod n This transcript will pass verification because u = s 2 y R y mod n and the parity of R is b. And since s is always indistinguishable from random (including when multiplied by a secret value) these transcripts should have a distribution that is indistinguishable from real protocol executions.

13 Challenges Zero-knowledge is not preserved under parallel execution However, some protocols have proofs of weaker but still useful properties (zero transferable information [9], witness hiding [10]) Not an obvious fit with current web technologies (needs secure implementation on client side)

14 Questions?

15 [1] O. Goldreich, S. Micali, and A. Wigderson, Proofs That Yield Nothing but Their Validity or All Languages in NP Have Zero-knowledge Proof Systems, J. ACM, vol. 38, no. 3, pp , Jul [2] S. Goldwasser, S. Micali, and C. Rackoff, The Knowledge Complexity of Interactive Proof-systems, in Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, ser. STOC 85. New York, NY, USA: ACM, 1985, pp [3] A. Fiat and A. Shamir, How To Prove Yourself: Practical Solutions to Identification and Signature Problems, in Advances in Cryptology CRYPTO 86, ser. Lecture Notes in Computer Science, A. M. Odlyzko, Ed. Springer Berlin Heidelberg, Aug. 1986, no. 263, pp [4] L. C. Guillou and J.-J. Quisquater, A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory, in Advances in Cryptology EUROCRYPT 88, ser. Lecture Notes in

16 Computer Science, D. Barstow, W. Brauer, P. B. Hansen, D. Gries, D. Luckham, C. Moler, A. Pnueli, G. Seegmller, J. Stoer, N. Wirth, and C. G. Gnther, Eds. Springer Berlin Heidelberg, May 1988, no. 330, pp [5] A. De Santis, G. Di Crescenzo, and G. Persiano, Communication-efficient Anonymous Group Identification, in Proceedings of the 5th ACM Conference on Computer and Communications Security, ser. CCS 98. New York, NY, USA: ACM, 1998, pp [6] R. Gretzinger, Zero-Knowledge Proofs In Anonymous Group Identification, Rochester Institute of Technology, Tech. Rep., Feb [7] M. Sharifi, A. Saberi, M. Vahidi, and M. Zorufi, A Zero Knowledge Password Proof Mutual Authentication Technique Against Real-Time Phishing Attacks, in Information Systems Security, ser. Lecture Notes in Computer Science, P. McDaniel and S. K. Gupta, Eds. Springer Berlin Heidelberg, Dec. 2007, no. 4812, pp

17 [8] M. Di Raimondo and R. Gennaro, New Approaches for Deniable Authentication, in Proceedings of the 12th ACM Conference on Computer and Communications Security, ser. CCS 05. New York, NY, USA: ACM, 2005, pp [9] U. Feige, A. Fiat, and A. Shamir, Zero-knowledge proofs of identity, Journal of Cryptology, vol. 1, no. 2, pp , Jun [10] U. Feige and A. Shamir, Witness Indistinguishable and Witness Hiding Protocols, in Proceedings of the Twenty-second Annual ACM Symposium on Theory of Computing, ser. STOC 90. New York, NY, USA: ACM, 1990, pp