better privacy and security in e-commerce: using elliptic curve-based zero-knowledge proofs

July 8, 2004 IEEE - CEC '04 1

Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge

Proofs

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, mcleod}@usc.edu

July 8, 2004 IEEE - CEC '04 2

Keywords

Security Privacy Zero-knowledge proofs Elliptic Curves

July 8, 2004 IEEE - CEC '04 3

Zero-Knowledge Proof!… Why bother?

Peggy: "I know the password to the Federal Reserve System computers."

Victor: " No, you don't"Peggy: " Yes, I do!"Victor: " Do not!"Peggy: " Do too!"Victor: " Prove it!"Peggy: " All right. I'll tell you". She whispers in

Victor's ear.

July 8, 2004 IEEE - CEC '04 4

Zero-Knowledge Proof!… Why bother?

Victor: "That's interesting. Now I know it too. I'm going to tell the Washington Post."

Peggy: "Oops!!"

Unfortunately, the usual way for Peggy to prove something to Victor is for Peggy to tell him. But then he knows it too, and can tell anyone else he wants to.

July 8, 2004 IEEE - CEC '04 5

Outline

Introduction to Zero-Knowledge Proof Applications of ZKP to E-com Examples of ZK Proof Problems Classical Solutions Elliptic Curves EC Solutions Why EC? Current Research on ZKP Conclusion

July 8, 2004 IEEE - CEC '04 6

Introduction

What is ZK proof?

To prove knowledge of a secret without revealing any information about it.

It must be: Zero-knowledge, and Proof.

July 8, 2004 IEEE - CEC '04 7

Introduction

What is Zero-Knowledge? It is computationally infeasible to retrieve the

secret using the information revealed in the proof (dialogue).

If he deviates from the protocol, it doesn’t help the verifier to learn the secret.

The verifier can build a simulator to generate a transcript of a similar dialogue of the proof.

July 8, 2004 IEEE - CEC '04 8

Introduction

What about the Proof? It must be convincing! It must be highly unlikely that the prover can

generate the dialogue without knowing the secret.

July 8, 2004 IEEE - CEC '04 9

Applications of ZKP to E-com.

Identification schemes Multi-media security and digital watermarks Network privacy and anonymous

communication Digital cash and off-line digital coin systems Electronic voting systems Public-key cryptographic systems

July 8, 2004 IEEE - CEC '04 10

Examples of ZKP

Zero-Knowledge Proof of: Discrete Logarithm Graph Isomorphism Square root of an integer modulo n Integer factorization

July 8, 2004 IEEE - CEC '04 11

Discrete Logarithm

Peggy, the prover, wants to prove in zero-knowledge that she knows the DL of a given number modulo n.

i.e. to prove in zero-knowledge that she knows x such that

g^x = b (mod n), for known b, g, n.

July 8, 2004 IEEE - CEC '04 12

Graph Isomorphism

Peggy wants to prove in zero-knowledge that two given graphs G1 and G2 are isomorphic.

i.e. to prove that she knows a mapping f from G1 to G2 such that:

(v1,v2) is an edge in G1 iff (f (v1), f (v2)) is an edge in G2 without revealing any information about f.

July 8, 2004 IEEE - CEC '04 13

Square root of an integer modulo n

Peggy wants to prove in zero-knowledge that she knows the square root of a given number modulo a large composite number n.

i.e. to prove in zero-knowledge that she knows x such that

x^2 = b (mod n), for known b, n.

July 8, 2004 IEEE - CEC '04 14

Integer factorization

Peggy wants to prove in zero-knowledge that a given number n is a product of two large primes.

i.e. to prove in zero-knowledge that she knows p and q such that

p * q = n, for a given n.

July 8, 2004 IEEE - CEC '04 15

Classical Solutions

Iterative ZK proof of DL problem

Given n, generator g for Fn, and b Fn

To prove in zero-knowledge that Peggy knows x such that

g^x = b (mod n)

July 8, 2004 IEEE - CEC '04 16

ZKP of DL problem

hhP sends h = g^r mod n to V 2

rPeggy generates random r1

ccV flips a coin c = H or T 3

r, check g^r = hIf c = H, P sends r to V 4

m, check g^m = bhmIf c = T, P sends m = x + r 5

Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).

6

Victor (V)Peggy (P)g, b, ng, b, n, x0

July 8, 2004 IEEE - CEC '04 17

Elliptic Curves

Definition: an elliptic curve E over some field K is the set of all points (x, y) K K that satisfy the equation:

y2 = x3 + ax + b

Where a, b K

July 8, 2004 IEEE - CEC '04 18

ZK Proofs Using EC

EC vs. Multiplicative Groups Points (x,y) on the elliptic curve E/Fn instead of

integers. Multiplication (m.B) instead of power (b^m).

DL Problem in EC Given B, G E (Fn) {G is “generator” or its

order contains large prime}, to find m such that m.G = B

July 8, 2004 IEEE - CEC '04 19

ZK Proofs Using EC

ZK proof of DL problemGiven E/Fn , G (generator, or its order contains

large prime), and B = mG E. Peggy wants to prove in zero-knowledge that she knows m.

July 8, 2004 IEEE - CEC '04 20

ZKP of DL problem Using EC

AAP sends A = r G to V 2



r, check r G = AIf c = H, P sends r to V 4

x, check xG =A+BxIf c = T, P sends x = r + m 5


6

Victor (V)Peggy (P)G, BG, B, m0

July 8, 2004 IEEE - CEC '04 21

Why EC?

EC is more secure for DL blocks Having DL as building blocks in ZK proofs, EC

scheme is more secure than the classical scheme (using multiplicative groups).

Breaking the scheme requires solving the DL problem.

July 8, 2004 IEEE - CEC '04 22

Why EC?

Time Complexity of Solving DL The classical DL problem in Fq* can be solved in sub-

exponential time, L[1/3].

Exp[ O( (log q)1/3 (log log q)2/3) ] The best known algorithm to solve the DL problem in

E/Fq (using giant-step baby-step approach and MOV reduction) takes exponential time, L[1], O(N1/2) where N is the group order.

Exp[ O(log q) ]

July 8, 2004 IEEE - CEC '04 23

Why EC?

Other Problems? EC schemes are more secure than the classical

ones if they are based on only DL. If the EC scheme is not based on only DL, then

weaker parts can be attacked in sub-exponential time, and hence EC gives no more security than the classical ones. (E.g. ZK proof of knowing square root of b mod n)

July 8, 2004 IEEE - CEC '04 24

Example: Square root problem

ZK proof of knowing square root of b mod n

Given b and n, Peggy wants to prove in zero-knowledge that she knows x such that

x^2 = b (mod n)

EC version

Given E/Fn (for composite n) and B E, Peggy wants to prove in zero-knowledge that she knows A E such that

2A = B

July 8, 2004 IEEE - CEC '04 25

Example: x^2 = b mod n

ssP sends s = r^2 mod n to V 2



r, check r^2 = sIf c = H, P sends r to V 4

m, check m^2 = sbmIf c = T, P sends m = r x 5


6

Victor (V)Peggy (P)b, nb, n, x0

July 8, 2004 IEEE - CEC '04 26

Example (EC version) : 2 A = B

SSP sends S = 2R = R+R to V 2

RPeggy generates random R1


R, check 2R = SIf c = H, P sends R to V 4

M, check 2M = S+BMIf c = T, P sends M = R+A

5

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

6

Victor (V)Peggy (P)BA, B0

July 8, 2004 IEEE - CEC '04 27

Example (EC version) : 2 A = B

SSP sends S = 2R = R+R to V 2

RPeggy generates random R1


R, check 2R = SIf c = H, P sends R to V 4

M, check 2M = S+BMIf c = T, P sends M = R+A

5

Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).

6

Victor (V)Peggy (P)BA, B0

Solve for R in sub-exp

A = M - R

= T

July 8, 2004 IEEE - CEC '04 28

Current Research on ZKP

Iterative ZKPsVS.

One-round ZKPs Challenge-and-response protocol

July 8, 2004 IEEE - CEC '04 29

One-Round ZK proof of DL problem

yV generates a random y1

C= g^yCV sends C = g^y (mod n)2

RR= C^xP sends R = C^x (mod n)3

V verifies that

R = b^y (mod n)

i.e. R = C^x = (g^y)^x = g^xy

= (g^x)^y = b^y

4

Victor (V)Peggy (P)g, b, ng, b, n, x0

July 8, 2004 IEEE - CEC '04 30

One-Round ZK proof of DL problem

yV generates a random y1

C= yGCVictor sends C = yG2

RR= mCPeggy sends R = mC3

Victor verifies that

yB = R

i.e. yB = y(mG) = m(yG)

= mC = R

4

Victor (V)Peggy (P)G, BG, B, m0

July 8, 2004 IEEE - CEC '04 31

Conclusion

Graph Isomorphism

Factorization

Square root

DL

EC security advantage

ECClassical (one-round)

Classical (iterative)

ZK Proof Problems

July 8, 2004 IEEE - CEC '04 32

Conclusion

Graph Isomorphism

Factorization

Square root

YesYesYesYesDL




ZK Proof Problems

July 8, 2004 IEEE - CEC '04 33

Conclusion

Graph Isomorphism

Factorization

NoYesYesYesSquare root

YesYesYesYesDL




ZK Proof Problems

July 8, 2004 IEEE - CEC '04 34

Conclusion

Graph Isomorphism

YesYesFactorization


YesYesYesYesDL




ZK Proof Problems

July 8, 2004 IEEE - CEC '04 35

Conclusion

Graph Isomorphism

NoNoYesYesFactorization


YesYesYesYesDL




ZK Proof Problems

July 8, 2004 IEEE - CEC '04 36

Conclusion

YesGraph Isomorphism



YesYesYesYesDL




ZK Proof Problems

July 8, 2004 IEEE - CEC '04 37

Conclusion

?YesGraph Isomorphism



YesYesYesYesDL




ZK Proof Problems

July 8, 2004 IEEE - CEC '04 38

Conclusion

???YesGraph Isomorphism



YesYesYesYesDL




ZK Proof Problems

July 8, 2004 IEEE - CEC '04 39

References

1. Elliptic curve implementation of zero-knowledge blobs, Neal Koblitz, Journal of Cryptology, Vol. 4, 1991, 207-213.

2. Zero Knowledge Watermark Detection, Scott Craver, Princeton Univ.

3. Algebraic Aspects of Cryptography, Neal Koblitz, Springer. 1998.

4. Applied Cryptography, Bruce Schneier, Wiley. 1996. pp 101-111.

5. The improbability that an elliptic curve has sub-exponential discrete log problem under the MOV algorithm, R. Balasubramaniam, N. Koblitz, Journal of Cryptology, 1998.

July 8, 2004 IEEE - CEC '04 40

Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge

Proofs

Sultan Almuhammadi

Nien Sui

Dennis McLeod

E-mail:

{salmuham, sui, mcleod}@usc.edu

better privacy and security in e-commerce: using elliptic curve-based zero-knowledge proofs

Documents

zkpconclusionieee cec

proof dialogue

given number n

problemgiven n

known b

b fnto

given graphs g1

b mod nieee ce