better privacy and security in e-commerce: using elliptic curve-based zero-knowledge proofs
DESCRIPTION
Better Privacy and Security in E-Commerce: Using Elliptic Curve-Based Zero-Knowledge Proofs. Sultan Almuhammadi Nien Sui Dennis McLeod E-mail: { s almuham, sui, mcleod }@ usc.edu. Keywords. Security Privacy Zero-knowledge proofs Elliptic Curves. Zero-Knowledge Proof!… Why bother?. - PowerPoint PPT PresentationTRANSCRIPT
July 8, 2004 IEEE - CEC '04 1
Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge
Proofs
Sultan Almuhammadi
Nien Sui
Dennis McLeod
E-mail:
{salmuham, sui, mcleod}@usc.edu
July 8, 2004 IEEE - CEC '04 2
Keywords
Security Privacy Zero-knowledge proofs Elliptic Curves
July 8, 2004 IEEE - CEC '04 3
Zero-Knowledge Proof!… Why bother?
Peggy: "I know the password to the Federal Reserve System computers."
Victor: " No, you don't"Peggy: " Yes, I do!"Victor: " Do not!"Peggy: " Do too!"Victor: " Prove it!"Peggy: " All right. I'll tell you". She whispers in
Victor's ear.
July 8, 2004 IEEE - CEC '04 4
Zero-Knowledge Proof!… Why bother?
Victor: "That's interesting. Now I know it too. I'm going to tell the Washington Post."
Peggy: "Oops!!"
Unfortunately, the usual way for Peggy to prove something to Victor is for Peggy to tell him. But then he knows it too, and can tell anyone else he wants to.
July 8, 2004 IEEE - CEC '04 5
Outline
Introduction to Zero-Knowledge Proof Applications of ZKP to E-com Examples of ZK Proof Problems Classical Solutions Elliptic Curves EC Solutions Why EC? Current Research on ZKP Conclusion
July 8, 2004 IEEE - CEC '04 6
Introduction
What is ZK proof?
To prove knowledge of a secret without revealing any information about it.
It must be: Zero-knowledge, and Proof.
July 8, 2004 IEEE - CEC '04 7
Introduction
What is Zero-Knowledge? It is computationally infeasible to retrieve the
secret using the information revealed in the proof (dialogue).
If he deviates from the protocol, it doesn’t help the verifier to learn the secret.
The verifier can build a simulator to generate a transcript of a similar dialogue of the proof.
July 8, 2004 IEEE - CEC '04 8
Introduction
What about the Proof? It must be convincing! It must be highly unlikely that the prover can
generate the dialogue without knowing the secret.
July 8, 2004 IEEE - CEC '04 9
Applications of ZKP to E-com.
Identification schemes Multi-media security and digital watermarks Network privacy and anonymous
communication Digital cash and off-line digital coin systems Electronic voting systems Public-key cryptographic systems
July 8, 2004 IEEE - CEC '04 10
Examples of ZKP
Zero-Knowledge Proof of: Discrete Logarithm Graph Isomorphism Square root of an integer modulo n Integer factorization
July 8, 2004 IEEE - CEC '04 11
Discrete Logarithm
Peggy, the prover, wants to prove in zero-knowledge that she knows the DL of a given number modulo n.
i.e. to prove in zero-knowledge that she knows x such that
g^x = b (mod n), for known b, g, n.
July 8, 2004 IEEE - CEC '04 12
Graph Isomorphism
Peggy wants to prove in zero-knowledge that two given graphs G1 and G2 are isomorphic.
i.e. to prove that she knows a mapping f from G1 to G2 such that:
(v1,v2) is an edge in G1 iff (f (v1), f (v2)) is an edge in G2 without revealing any information about f.
July 8, 2004 IEEE - CEC '04 13
Square root of an integer modulo n
Peggy wants to prove in zero-knowledge that she knows the square root of a given number modulo a large composite number n.
i.e. to prove in zero-knowledge that she knows x such that
x^2 = b (mod n), for known b, n.
July 8, 2004 IEEE - CEC '04 14
Integer factorization
Peggy wants to prove in zero-knowledge that a given number n is a product of two large primes.
i.e. to prove in zero-knowledge that she knows p and q such that
p * q = n, for a given n.
July 8, 2004 IEEE - CEC '04 15
Classical Solutions
Iterative ZK proof of DL problem
Given n, generator g for Fn, and b Fn
To prove in zero-knowledge that Peggy knows x such that
g^x = b (mod n)
July 8, 2004 IEEE - CEC '04 16
ZKP of DL problem
hhP sends h = g^r mod n to V 2
rPeggy generates random r1
ccV flips a coin c = H or T 3
r, check g^r = hIf c = H, P sends r to V 4
m, check g^m = bhmIf c = T, P sends m = x + r 5
Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).
6
Victor (V)Peggy (P)g, b, ng, b, n, x0
July 8, 2004 IEEE - CEC '04 17
Elliptic Curves
Definition: an elliptic curve E over some field K is the set of all points (x, y) K K that satisfy the equation:
y2 = x3 + ax + b
Where a, b K
July 8, 2004 IEEE - CEC '04 18
ZK Proofs Using EC
EC vs. Multiplicative Groups Points (x,y) on the elliptic curve E/Fn instead of
integers. Multiplication (m.B) instead of power (b^m).
DL Problem in EC Given B, G E (Fn) {G is “generator” or its
order contains large prime}, to find m such that m.G = B
July 8, 2004 IEEE - CEC '04 19
ZK Proofs Using EC
ZK proof of DL problemGiven E/Fn , G (generator, or its order contains
large prime), and B = mG E. Peggy wants to prove in zero-knowledge that she knows m.
July 8, 2004 IEEE - CEC '04 20
ZKP of DL problem Using EC
AAP sends A = r G to V 2
rPeggy generates random r1
ccV flips a coin c = H or T 3
r, check r G = AIf c = H, P sends r to V 4
x, check xG =A+BxIf c = T, P sends x = r + m 5
Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).
6
Victor (V)Peggy (P)G, BG, B, m0
July 8, 2004 IEEE - CEC '04 21
Why EC?
EC is more secure for DL blocks Having DL as building blocks in ZK proofs, EC
scheme is more secure than the classical scheme (using multiplicative groups).
Breaking the scheme requires solving the DL problem.
July 8, 2004 IEEE - CEC '04 22
Why EC?
Time Complexity of Solving DL The classical DL problem in Fq* can be solved in sub-
exponential time, L[1/3].
Exp[ O( (log q)1/3 (log log q)2/3) ] The best known algorithm to solve the DL problem in
E/Fq (using giant-step baby-step approach and MOV reduction) takes exponential time, L[1], O(N1/2) where N is the group order.
Exp[ O(log q) ]
July 8, 2004 IEEE - CEC '04 23
Why EC?
Other Problems? EC schemes are more secure than the classical
ones if they are based on only DL. If the EC scheme is not based on only DL, then
weaker parts can be attacked in sub-exponential time, and hence EC gives no more security than the classical ones. (E.g. ZK proof of knowing square root of b mod n)
July 8, 2004 IEEE - CEC '04 24
Example: Square root problem
ZK proof of knowing square root of b mod n
Given b and n, Peggy wants to prove in zero-knowledge that she knows x such that
x^2 = b (mod n)
EC version
Given E/Fn (for composite n) and B E, Peggy wants to prove in zero-knowledge that she knows A E such that
2A = B
July 8, 2004 IEEE - CEC '04 25
Example: x^2 = b mod n
ssP sends s = r^2 mod n to V 2
rPeggy generates random r1
ccV flips a coin c = H or T 3
r, check r^2 = sIf c = H, P sends r to V 4
m, check m^2 = sbmIf c = T, P sends m = r x 5
Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2-k, for k iterations).
6
Victor (V)Peggy (P)b, nb, n, x0
July 8, 2004 IEEE - CEC '04 26
Example (EC version) : 2 A = B
SSP sends S = 2R = R+R to V 2
RPeggy generates random R1
ccV flips a coin c = H or T 3
R, check 2R = SIf c = H, P sends R to V 4
M, check 2M = S+BMIf c = T, P sends M = R+A
5
Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).
6
Victor (V)Peggy (P)BA, B0
July 8, 2004 IEEE - CEC '04 27
Example (EC version) : 2 A = B
SSP sends S = 2R = R+R to V 2
RPeggy generates random R1
ccV flips a coin c = H or T 3
R, check 2R = SIf c = H, P sends R to V 4
M, check 2M = S+BMIf c = T, P sends M = R+A
5
Steps 1-5 are repeated until Victor is convinced that Peggy must know A (with prob 1-2-k, for k iterations).
6
Victor (V)Peggy (P)BA, B0
Solve for R in sub-exp
A = M - R
= T
July 8, 2004 IEEE - CEC '04 28
Current Research on ZKP
Iterative ZKPsVS.
One-round ZKPs Challenge-and-response protocol
July 8, 2004 IEEE - CEC '04 29
One-Round ZK proof of DL problem
yV generates a random y1
C= g^yCV sends C = g^y (mod n)2
RR= C^xP sends R = C^x (mod n)3
V verifies that
R = b^y (mod n)
i.e. R = C^x = (g^y)^x = g^xy
= (g^x)^y = b^y
4
Victor (V)Peggy (P)g, b, ng, b, n, x0
July 8, 2004 IEEE - CEC '04 30
One-Round ZK proof of DL problem
yV generates a random y1
C= yGCVictor sends C = yG2
RR= mCPeggy sends R = mC3
Victor verifies that
yB = R
i.e. yB = y(mG) = m(yG)
= mC = R
4
Victor (V)Peggy (P)G, BG, B, m0
July 8, 2004 IEEE - CEC '04 31
Conclusion
Graph Isomorphism
Factorization
Square root
DL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 32
Conclusion
Graph Isomorphism
Factorization
Square root
YesYesYesYesDL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 33
Conclusion
Graph Isomorphism
Factorization
NoYesYesYesSquare root
YesYesYesYesDL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 34
Conclusion
Graph Isomorphism
YesYesFactorization
NoYesYesYesSquare root
YesYesYesYesDL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 35
Conclusion
Graph Isomorphism
NoNoYesYesFactorization
NoYesYesYesSquare root
YesYesYesYesDL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 36
Conclusion
YesGraph Isomorphism
NoNoYesYesFactorization
NoYesYesYesSquare root
YesYesYesYesDL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 37
Conclusion
?YesGraph Isomorphism
NoNoYesYesFactorization
NoYesYesYesSquare root
YesYesYesYesDL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 38
Conclusion
???YesGraph Isomorphism
NoNoYesYesFactorization
NoYesYesYesSquare root
YesYesYesYesDL
EC security advantage
ECClassical (one-round)
Classical (iterative)
ZK Proof Problems
July 8, 2004 IEEE - CEC '04 39
References
1. Elliptic curve implementation of zero-knowledge blobs, Neal Koblitz, Journal of Cryptology, Vol. 4, 1991, 207-213.
2. Zero Knowledge Watermark Detection, Scott Craver, Princeton Univ.
3. Algebraic Aspects of Cryptography, Neal Koblitz, Springer. 1998.
4. Applied Cryptography, Bruce Schneier, Wiley. 1996. pp 101-111.
5. The improbability that an elliptic curve has sub-exponential discrete log problem under the MOV algorithm, R. Balasubramaniam, N. Koblitz, Journal of Cryptology, 1998.
July 8, 2004 IEEE - CEC '04 40
Better Privacy and Security in E-Commerce:Using Elliptic Curve-Based Zero-Knowledge
Proofs
Sultan Almuhammadi
Nien Sui
Dennis McLeod
E-mail:
{salmuham, sui, mcleod}@usc.edu