Slide - Cristina Onete


Sigma Protocols and (Non-Interactive) Zero Knowledge
Rennes, 24/10/2014
CIDRE / INRIA
Cristina Onete
What is zero-knowledge?
• Zero-knowledge proof: “a method by which one party […] can prove to another party […] that a […] statement is true, without conveying any [further] information”
  (Wikipedia, en.wikipedia.org)
• Zero-knowledge proof (French: preuve à divulgation nulle de connaissance): “a protocol […] in which one entity […] proves […] to another entity […] that a proposition is true without […] revealing any other information.”
  (Wikipedia, fr.wikipedia.org)
Cristina Onete ||
24/10/2014
||
2
So far
Challenge-response: Verifier -> Prover: $chg$; Prover -> Verifier: $resp$
• No anonymity: $resp = \mathrm{MAC}_K(chg)$ or $resp = \mathrm{Sign}_{sk}(chg)$
• Anonymity in a ring: $resp = \mathrm{RSign}(chg)$
• Anonymity and traceability: $resp = \mathrm{GSign}(chg)$
• Now: deniability / zero-knowledge!
Sigma (Σ) protocols
• Setup: we have a secret witness $w$ and a public statement $y$, and a function $f: W \times Y \to \{0,1\}$
• Idea: the Prover must prove she has $w$ such that $f(w, y) = 1$, without revealing anything else
• Example 1: finite fields
  Group $G_p = \langle g \rangle$ with $p$ prime, $f: \{1, \dots, p-1\} \times G_p \to \{0,1\}$, $f(w, y) = 1$ iff $y = g^w$
  Protocol: the Prover holds $sk = w$ and $y = g^w$; the Verifier holds $y = g^w$. Claim: “I know the discrete log of $y$”.
Sigma (Σ) protocols
• Setup: witness $w$, statement $y$, function $f: W \times Y \to \{0,1\}$
• Idea: the Prover proves she has $w$ s.t. $f(w, y) = 1$, but no more
• Example 2: RSA
  Modulus $N = pq$, order $\varphi(N) = (p-1)(q-1)$, $e$ co-prime with $N$
  $f: \mathbb{Z}_N^* \times \mathbb{Z}_N^* \to \{0,1\}$; $f(w, y) = 1$ iff $y = w^e \pmod N$
  Protocol: the Prover holds $sk = w$ and $y = w^e \bmod N$; the Verifier holds $N$ and $y = w^e \bmod N$. Claim: “I know the message encrypted in $y$”.
Sigma (Σ) protocols
• Setup: witness $w$, statement $y$, function $f: W \times Y \to \{0,1\}$
• Idea: the Prover proves she has $w$ s.t. $f(w, y) = 1$, but no more
• Example 3: Composition
  Group $G_p = \langle g \rangle$ with $p$ prime, $f: \mathbb{Z}_p^* \times G_p^n \to \{0,1\}$
  $f(w, y = \{y_1, \dots, y_n\}) = 1$ iff $\exists j \in \{1, \dots, n\}$ s.t. $y_j = g^w$
  Protocol: the Prover holds $sk = w$ with $y_j = g^w \bmod p$; the Verifier holds $y = \{y_1, \dots, y_n\}$. Claim: “I have the $sk$ corresponding to one of the $n$ $pk$'s”.
Contents
• Commitment Schemes
• Sigma Protocols
  • Structure
  • Properties
  • Schnorr's protocol
• Composition of Sigma Protocols
  • Parallel composition
  • AND composition
  • EQ and OR compositions
• The Fiat-Shamir heuristic
Commitment Schemes
• Example:
  • Alice and Bob must agree who will clean tonight
  • They are at their offices. Each tosses a coin and they call:
    • If the tosses are the same, then Alice cleans
    • If the tosses are different, then Bob cleans
  • Who talks first?
Commitment Schemes
• Alice and Bob toss
  • Alice talks first: Bob says he tossed the same value
  • Bob talks first: Alice says she tossed the opposite value
• How can we avoid this?
Commitment Schemes
• Commitment: an envelope with a strange seal
  • Alice talks first
  • Commit phase: she hides her toss in the envelope and gives it to Bob
  • Bob reveals his toss
  • Reveal phase: Alice tells Bob how to unseal the envelope
Commitment Schemes
• Properties:
  • Hiding: the content of the envelope is not visible, so Bob doesn't learn anything about Alice's toss
  • Binding: Alice can't change the content of the envelope, so she can't cheat after getting Bob's toss
Commitment Schemes
Commit phase: Alice has input $x$, picks random $w$, computes $a = \mathit{Commit}(x, w)$ and sends $a$ to Bob.
Reveal phase: Alice sends $(x, w)$; Bob checks $a = \mathit{Commit}(x, w)$.
• Formally: $\mathit{Commit}: \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^*$
• Commitment hiding: $\mathrm{Dist}_w(\mathit{Commit}(x_1, w)) \approx \mathrm{Dist}_w(\mathit{Commit}(x_2, w))$
• Commitment binding: $\forall x_1, x_2 \in \{0,1\}^*$: $\Pr[w, w' \leftarrow \varepsilon : \mathit{Commit}(x_1, w) = \mathit{Commit}(x_2, w')] \ll 1$
Pedersen Commitments
Commit phase: Alice has $x \in \{0,1\}$, picks random $w$ and sends $a = \mathit{Commit}(x, w)$; reveal phase: she sends $(x, w)$ and Bob checks $a = \mathit{Commit}(x, w)$.
• Setup: $G_p^* = \langle g \rangle$, prime field, $h = g^s \in G_p^* \setminus \{1\}$, $s$ unknown
• Commitment of input value $x \in \{0,1\}$:
  • Choose random witness $w \leftarrow_R \{1, \dots, p-1\}$
  • Compute $\mathit{Commit}(x, w) = g^w h^x$
• Binding: from $g^w h^x = g^{w'} h^{1-x}$ we have $h^{1-2x} = g^{w - w'}$. Thus $s = \log_g h = \frac{w - w'}{1 - 2x}$, which is impossible: a committer able to open both ways would have computed the unknown $s$.
Pedersen Commitments
• Setup: $G_p^* = \langle g \rangle$, prime field, $h = g^s \in G_p^* \setminus \{1\}$, $s$ unknown
• Commitment of input value $x \in \{0,1\}$: choose random witness $w \leftarrow_R \{1, \dots, p-1\}$ and compute $\mathit{Commit}(x, w) = g^w h^x$
• Hiding: $\mathrm{Dist}_w(\mathit{Commit}(0, w) = g^w) \approx \mathrm{Dist}_w(\mathit{Commit}(1, w) = g^w h)$
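An added example, not from the slides: the Pedersen commitment in the order-q subgroup of Z_p^* with constructed toy parameters p = 23, q = 11, g = 2 and h = g^7 (the exponent 7 plays the role of the unknown s and is used only to build h). It runs the commit and reveal phases, checks that the commitments for x = 0 and x = 1 have the same distribution (hiding), and carries out the binding argument above: two openings of one commitment yield log_g h.

```python
# Added example, not from the slides: Pedersen commitment in the order-q
# subgroup of Z_p^*. Toy parameters; real deployments use large p and q.
import secrets

P, Q, G = 23, 11, 2        # constructed: q | p-1 and ord(G) = q
S_SETUP = 7                # log_g h, known only at setup and then discarded
H = pow(G, S_SETUP, P)     # h = g^s = 13; the committer must not know s

def commit(x: int, w: int) -> int:
    """Commit(x, w) = g^w h^x mod p; x in Z_q (the slide uses x in {0,1})."""
    return (pow(G, w, P) * pow(H, x, P)) % P

def commit_random(x: int):
    """Commit phase: pick the witness w at random and keep it for the reveal."""
    w = secrets.randbelow(Q)
    return commit(x, w), w

def open_commitment(a: int, x: int, w: int) -> bool:
    """Reveal phase: the receiver recomputes the commitment from (x, w)."""
    return a == commit(x, w)

def hiding_is_perfect() -> bool:
    """Ranging over all w, Commit(0, w) and Commit(1, w) each hit every element
    of the subgroup exactly once, so the commitment's distribution does not
    depend on x: perfect hiding."""
    dist0 = sorted(commit(0, w) for w in range(Q))
    dist1 = sorted(commit(1, w) for w in range(Q))
    return dist0 == dist1 and len(set(dist0)) == Q

def dlog_from_equivocation(x1: int, w1: int, x2: int, w2: int) -> int:
    """Binding: two openings (x1, w1) != (x2, w2) of the same commitment satisfy
    g^w1 h^x1 = g^w2 h^x2, so h^(x2-x1) = g^(w1-w2) and
    s = log_g h = (w1 - w2) / (x2 - x1) mod q; for x in {0,1} this is the
    slide's (w - w') / (1 - 2x). Anyone who can equivocate knows s."""
    if x1 == x2 or commit(x1, w1) != commit(x2, w2):
        raise ValueError("not two openings of one commitment")
    return ((w1 - w2) * pow(x2 - x1, -1, Q)) % Q
```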
DLog-based Commitments
Commit phase: Alice has $x \in \mathbb{Z}_q$ and sends $a = \mathit{Commit}(x, w)$; reveal phase: she sends $(x, w)$ and Bob checks $a = \mathit{Commit}(x, w)$.
• Setup: $p$ prime, $q \mid (p-1)$ prime, $g \in \mathbb{Z}_p^*$ with $\mathrm{ord}(g) = q$
• Commitment of input value $x \in \mathbb{Z}_q$: $\mathit{Commit}(x, w) = g^x \bmod p$ (no randomness)
• Computationally hiding: DLog
• Perfectly binding by construction
Sigma Protocols: Structure
Prover (witness $w$, statement $x$) and Verifier (statement $x$):
  Prover -> Verifier: commitment $a$
  Verifier -> Prover: challenge $c \leftarrow_R \{0,1\}^n$
  Prover -> Verifier: response $r$
• Relation $R$ associated with an NP-language $L$
• If $(x, w) \in R$, then $w$ is a witness for $x$
• E.g.: $R = \{(w, x) \mid x = (p, q, g, h),\ h = g^w \bmod p\}$
Sigma Protocols: Properties
Prover (witness $w$, statement $x$) and Verifier (statement $x$) exchange $a$, $c$, $r$ as above.
• Completeness: always accept a prover with $w$ s.t. $(w, x) \in R$
• (Special) soundness: from $x$, $(a, c, r)$ and $(a, c', r')$ with $c \neq c'$ one can get $w$ with $(w, x) \in R$
• Honest-verifier zero-knowledge (HVZK): $\exists$ PPT $\mathit{Sim}$ s.t. $\mathit{Sim}(x, c \leftarrow_R \{0,1\}^n) \to (a, c, r)$ such that
  $\mathrm{Dist}_c(a, c, r) \approx \mathrm{Dist}_c(a', c, r' \mid w \text{ s.t. } (w, x) \in R)$
Schnorr's Protocol
• Setup: $p$ prime, $q \mid (p-1)$ prime, $g \in \mathbb{Z}_p^*$ with $\mathrm{ord}(g) = q$
Prover (holds $w$, $h = g^w \bmod p$) and Verifier (holds $h = g^w \bmod p$):
  Prover: $t \leftarrow_R \mathbb{Z}_q$, sends $a = g^t \bmod p$
  Verifier: sends $c \leftarrow_R \mathbb{Z}_q$
  Prover: sends $r = t + cw \pmod q$
  Verifier checks: $g^r = a h^c \bmod p$
• Completeness: $g^r = g^{t + cw} = g^t g^{cw} = a g^{cw} = a (g^w)^c = a h^c \pmod p$
Schnorr's Protocol
• Setup: $p$ prime, $q \mid (p-1)$ prime, $g \in \mathbb{Z}_p^*$ with $\mathrm{ord}(g) = q$
Prover (holds $w$, $h = g^w \bmod p$) and Verifier (holds $h = g^w \bmod p$):
  Prover: $t \leftarrow_R \mathbb{Z}_q$, sends $a = g^t \bmod p$
  Verifier: sends $c \leftarrow_R \mathbb{Z}_q$
  Prover: sends $r = t + cw \pmod q$
  Verifier checks: $g^r = a h^c \bmod p$
• Special soundness: given $(a, c, r)$ and $(a, c', r')$ with $c \neq c'$, find $w$:
  $(a, c, r)$: $g^r = a h^c \pmod p$
  $(a, c', r')$: $g^{r'} = a h^{c'} \pmod p$
  $g^{r - r'} = h^{c - c'} \;\rightarrow\; w = \frac{r - r'}{c - c'} \pmod q$
Schnorr's Protocol
• Setup: $p$ prime, $q \mid (p-1)$ prime, $g \in \mathbb{Z}_p^*$ with $\mathrm{ord}(g) = q$
Prover (holds $w$, $h = g^w \bmod p$) and Verifier (holds $h = g^w \bmod p$):
  Prover: $t \leftarrow_R \mathbb{Z}_q$, sends $a = g^t \bmod p$
  Verifier: sends $c \leftarrow_R \mathbb{Z}_q$
  Prover: sends $r = t + cw \pmod q$
  Verifier checks: $g^r = a h^c \bmod p$
• HVZK:
  • $\exists \mathit{Sim}(x, c \leftarrow_R \mathbb{Z}_q) \to (a, c, r)$ of the same distribution
  • Simulator: generate $r \leftarrow_R \mathbb{Z}_q$. Now compute $a = g^r h^{-c} \pmod p$
  • The conversation is valid and identically distributed
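An added example, not part of the slides: the three moves of Schnorr's protocol with constructed toy parameters p = 23, q = 11, g = 2, the verifier's check, the special-soundness extractor and the HVZK simulator from the slides above. The last function enumerates all prover coins for one challenge to show that the real and the simulated transcripts are literally the same set.

```python
# Added example, not from the slides: Schnorr's Sigma protocol with toy
# parameters, plus the special-soundness extractor and the HVZK simulator.
import secrets

P, Q, G = 23, 11, 2          # constructed: q | p-1 and ord(G) = q

def keygen():
    """Witness w and statement h = g^w mod p."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)

def prover_commit():
    """Move 1: t <-_R Z_q, send a = g^t; t is kept for the response."""
    t = secrets.randbelow(Q)
    return t, pow(G, t, P)

def prover_respond(t, w, c):
    """Move 3: r = t + c*w mod q."""
    return (t + c * w) % Q

def verify(h, a, c, r):
    """Verifier's check g^r == a * h^c mod p."""
    return pow(G, r, P) == (a * pow(h, c, P)) % P

def run(w, h):
    """One honest run; move 2 is the verifier's c <-_R Z_q."""
    t, a = prover_commit()
    c = secrets.randbelow(Q)
    return a, c, prover_respond(t, w, c)

def extract(a, c, r, c2, r2):
    """Special soundness: two accepting transcripts with the same a and
    c != c2 give g^(r-r2) = h^(c-c2), hence w = (r - r2)/(c - c2) mod q."""
    return ((r - r2) * pow(c - c2, -1, Q)) % Q

def simulate(h, c):
    """HVZK simulator: pick r first, then a = g^r h^-c so that the check
    passes although no witness is used."""
    r = secrets.randbelow(Q)
    return (pow(G, r, P) * pow(h, -c, P)) % P, c, r

def real_equals_simulated(w, h, c) -> bool:
    """Enumerate all prover coins for a fixed c: the set of real transcripts
    and the set of simulated ones coincide (identical distribution)."""
    real = {(pow(G, t, P), c, (t + c * w) % Q) for t in range(Q)}
    sim = {((pow(G, r, P) * pow(h, -c, P)) % P, c, r) for r in range(Q)}
    return real == sim
```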
Parallel Composition
• Goal: larger challenge space
Prover (witness $w$, statement $x$) and Verifier (statement $x$):
  Prover -> Verifier: $a = (a_1, a_2)$
  Verifier -> Prover: $c = (c_1, c_2)$
  Prover -> Verifier: $r = (r_1, r_2)$
• Verification is done in parallel:
  • Verify $(a_1, c_1, r_1)$
  • Verify $(a_2, c_2, r_2)$
  Accept iff both $(a_1, c_1, r_1)$ and $(a_2, c_2, r_2)$ verify
AND Composition
• Goal: proof for more than one witness
Prover (witnesses $w = (w_1, w_2)$, statement $x$) and Verifier (statement $x$):
  Prover -> Verifier: $a = (a_1, a_2)$
  Verifier -> Prover: $c$
  Prover -> Verifier: $r = (r_1, r_2)$
• Verification is done as follows:
  • Verify $(a_1, c, r_1)$
  • Verify $(a_2, c, r_2)$
  Accept iff both $(a_1, c, r_1)$ and $(a_2, c, r_2)$ verify
EQ-Composition
• Goal: prove that your witness fulfills two conditions
Prover (witness $w$, statement $x = (x_1, x_2)$) and Verifier (statement $x = (x_1, x_2)$):
  Prover -> Verifier: $a = (a_1, a_2)$
  Verifier -> Prover: $c$
  Prover -> Verifier: $r$
• Verification is done as follows:
  • Verify $(a_1, c, r)$
  • Verify $(a_2, c, r)$
  Accept iff both $(a_1, c, r)$ and $(a_2, c, r)$ verify
OR-Composition
• Goal: the witness fulfills one of two conditions; we won't reveal which, however
Prover (holds either $w_1$ or $w_2$, statement $x = (x_1, x_2)$) and Verifier (statement $x = (x_1, x_2)$):
  Prover -> Verifier: $a = (a_1, a_2)$
  Verifier -> Prover: $c$
  Prover -> Verifier: $(c_1, r_1, c_2, r_2)$
• Idea: split the challenge in two, do one proof for real, simulate the other
• Verification is done as follows:
  • Check: $c = c_1 + c_2$
  • Verify $(a_1, c_1, r_1)$
  • Verify $(a_2, c_2, r_2)$
  Accept iff $(a_1, c_1, r_1)$ and $(a_2, c_2, r_2)$ verify and $c = c_1 + c_2$
OR-Composition of Schnorr
• Setup: $p$, $q \mid (p-1)$ primes, $g_1, g_2 \in \mathbb{Z}_p^*$ with $\mathrm{ord}(g_1) = \mathrm{ord}(g_2) = q$
Prover (holds $w_1$ with $h_1 = g_1^{w_1}$, but not $w_2$ with $h_2 = g_2^{w_2}$) and Verifier (holds $h_1 = g_1^{w_1}$, $h_2 = g_2^{w_2}$):
  Prover -> Verifier: $a = (a_1, a_2)$
  Verifier -> Prover: $c$
  Prover -> Verifier: $(c_1, r_1, c_2, r_2)$
Real Schnorr protocol run (branch 1):
  • $u_1 \leftarrow_R \mathbb{Z}_q$
  • $a_1 = g_1^{u_1} \bmod p$
  • $c_1 = c - c_2$
  • $r_1 = u_1 + c_1 w_1$
Simulation as in HVZK (branch 2):
  • $c_2, r_2 \leftarrow_R \mathbb{Z}_q$
  • $a_2 = g_2^{r_2} h_2^{-c_2}$
Verifier checks:
  $c \stackrel{?}{=} c_1 + c_2 \bmod q$
  $g_1^{r_1} \stackrel{?}{=} a_1 h_1^{c_1} \bmod p$
  $g_2^{r_2} \stackrel{?}{=} a_2 h_2^{c_2} \bmod p$
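An added example, not the slides' code, of the generic OR-composition and its Schnorr instance above, for the statement "I know $\log_{g_1} h_1$ or $\log_{g_2} h_2$" with constructed toy parameters p = 23, q = 11, g_1 = 2, g_2 = 3. The prover's coins are explicit arguments so that all transcripts can be enumerated; `or_transcripts` shows the verifier's view is the same set whichever of the two witnesses is held.

```python
# Added example, not from the slides: OR-composition of Schnorr with toy
# parameters. The prover holds w1 for h1 = g1^w1 (or w2 for h2 = g2^w2),
# never both; the other branch is simulated exactly as in HVZK.
import secrets

P, Q = 23, 11         # constructed: q | p-1
G1, G2 = 2, 3         # both of order q in Z_23^*

def or_commit(known, w, h_other, u, c_other, r_other):
    """Move 1. Branch `known` (1 or 2) gets a real commitment g^u; the other
    is simulated: fix (c_other, r_other), set a_other = g^r_other h^-c_other."""
    g_known, g_other = (G1, G2) if known == 1 else (G2, G1)
    a_known = pow(g_known, u, P)
    a_other = (pow(g_other, r_other, P) * pow(h_other, -c_other, P)) % P
    a = (a_known, a_other) if known == 1 else (a_other, a_known)
    return a, (known, w, u, c_other, r_other)

def or_respond(state, c):
    """Move 3: split c = c1 + c2 so that the simulated share is the one
    fixed in advance, then answer the real branch honestly."""
    known, w, u, c_other, r_other = state
    c_known = (c - c_other) % Q
    r_known = (u + c_known * w) % Q
    if known == 1:
        return c_known, r_known, c_other, r_other
    return c_other, r_other, c_known, r_known

def or_verify(h1, h2, a, c, resp):
    """Verifier: c == c1 + c2 and both Schnorr checks pass."""
    (a1, a2), (c1, r1, c2, r2) = a, resp
    return (c == (c1 + c2) % Q
            and pow(G1, r1, P) == (a1 * pow(h1, c1, P)) % P
            and pow(G2, r2, P) == (a2 * pow(h2, c2, P)) % P)

def or_run(known, w, h1, h2):
    """One run with fresh coins on both sides; returns the verdict."""
    coins = [secrets.randbelow(Q) for _ in range(4)]   # u, c_other, r_other, c
    a, state = or_commit(known, w, h2 if known == 1 else h1, *coins[:3])
    return or_verify(h1, h2, a, coins[3], or_respond(state, coins[3]))

def or_transcripts(known, w, h1, h2, c):
    """Every (a, response) a prover of branch `known` can send for challenge
    c, over all its coins: identical for either branch (witness hiding)."""
    h_other = h2 if known == 1 else h1
    out = set()
    for u in range(Q):
        for c_o in range(Q):
            for r_o in range(Q):
                a, state = or_commit(known, w, h_other, u, c_o, r_o)
                out.add((a, or_respond(state, c)))
    return out
```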
The Fiat-Shamir Heuristic
• So far: interactive protocols, which need a random challenge
• If the Prover can choose the challenge, she can replay, she can choose $c = 0$, or other convenient challenges
• Choose a clever way to control the challenge!
Fiat-Shamir heuristic:
  Interactive: Prover -> Verifier: $a$; Verifier -> Prover: $c$; Prover -> Verifier: $r$
  Non-interactive: the Prover derives $c$ from $a$ herself (by hashing, next slide) and sends the whole transcript $(a, c, r)$ to the Verifier in one message
Signatures from Σ protocols
• Recall: SScheme = (KGen, Sign, Vf)
• Correctness: honest signatures should always verify
• Unforgeability: cannot sign a fresh message without $sk$
• Setup: $p$, $q \mid (p-1)$ primes, $g \in \mathbb{Z}_p^*$ with $\mathrm{ord}(g) = q$
Signer (holds $w$, $h = g^w$):
  $u \leftarrow_R \mathbb{Z}_q$; $a = g^u$
  $c \leftarrow H(a, M)$
  $r = u + cw \pmod q$
  sends $M$, $\sigma = (c, r)$
Verifier (holds $h = g^w$) checks: $c = H(g^r h^{-c}, M)$
• Secure if $H$ outputs pseudorandom strings!
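An added example, not from the slides: the Schnorr signature obtained by the Fiat-Shamir heuristic, with constructed toy parameters p = 23, q = 11, g = 2 and SHA-256 reduced mod q standing in for H. The verifier recomputes c from (a, M) rather than trusting the value in the signature, which is what takes the choice of challenge away from the signer.

```python
# Added example, not from the slides: Schnorr signature via Fiat-Shamir with
# toy parameters; SHA-256 reduced into Z_q stands in for the random oracle H.
import hashlib
import secrets

P, Q, G = 23, 11, 2     # constructed: q | p-1 and ord(G) = q

def keygen():
    """Signing key w, verification key h = g^w mod p."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)

def challenge(a: int, msg: bytes) -> int:
    """c = H(a, M): hash commitment and message with a length-prefixed
    encoding (so distinct (a, M) pairs cannot collide by reparsing), mod q."""
    data = a.to_bytes(4, "big") + len(msg).to_bytes(4, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(w: int, msg: bytes):
    """Run the Sigma protocol with the challenge taken from H instead of
    from a verifier; the signature is sigma = (c, r)."""
    u = secrets.randbelow(Q)          # fresh per signature: reusing u leaks w
    a = pow(G, u, P)
    c = challenge(a, msg)             # the signer cannot pick c = 0 or replay
    return c, (u + c * w) % Q

def verify(h: int, msg: bytes, sig) -> bool:
    """Recompute a = g^r h^-c from the signature, then check c == H(a, M);
    the received c is never trusted, only compared with the recomputation."""
    c, r = sig
    if not (0 <= c < Q and 0 <= r < Q):
        return False
    a = (pow(G, r, P) * pow(h, -c, P)) % P
    return c == challenge(a, msg)
```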
Further reading
• Zero-knowledge proofs of knowledge:
  S. Brands, 1997: “Rapid Demonstration of Linear Relations Connected by Boolean Operators”
  U. Feige, A. Fiat, A. Shamir, 1988: “Zero Knowledge Proofs of Identity”
• Trapdoor commitment schemes:
  G. Di Crescenzo, Y. Ishai, R. Ostrovsky, 1998: “Non-interactive and Non-Malleable Commitment”
  M. Fischlin, R. Fischlin, 2000: “Efficient Non-Malleable Commitment Schemes”
Some exercises:
• Commitment schemes:
  • What if the receiver knows $\log_g h$ for the Pedersen commitment?
  • What are the properties of the following commitment scheme?
    Setup: $p$ prime, $q \mid (p-1)$ prime, $g \in G_p^*$ with $\mathrm{ord}(g) = q$
    Commit for $x \in \langle g \rangle$: $\mathit{Commit}(x, w) = g^w x \pmod p$
• Sigma protocols:
  • Show that the following protocol is a Sigma protocol:
    Modulus $N = pq$, order $\varphi(N) = (p-1)(q-1)$, $e$ co-prime with $N$
    Prover (holds $w$, $y = w^e \bmod N$) and Verifier (holds $y = w^e \bmod N$):
      Prover: $u \leftarrow_R \mathbb{Z}_N^*$; sends $a = u^e \bmod N$
      Verifier: sends $c \leftarrow_R \mathbb{Z}_e$
      Prover: sends $r = u w^c \bmod N$
Some more exercises:
• Is the following protocol a Sigma protocol?
  Setup: $p$ prime, $q \mid (p-1)$ prime, $g \in \mathbb{Z}_p^*$ with $\mathrm{ord}(g) = q$
  Prover (holds $w$, $h = g^w \bmod p$) and Verifier (holds $h = g^w \bmod p$):
    Prover: $u \leftarrow_R \mathbb{Z}_q^*$; sends $a = g^u \bmod p$
    Verifier: sends $c \leftarrow_R \mathbb{Z}_q$
    Prover: sends $r = cu + w \pmod p$
• How can a malicious verifier find the value of $w$ in the protocol above?
Thanks!
CIDRE