Efficient Zero-Knowledge Proofs of Knowledge for Homomorphisms

Dissertation submitted to the Fakultät für Elektrotechnik und Informationstechnik at the Ruhr-Universität Bochum for the degree of Doktor-Ingenieur by Endre Bangerter, Bochum, Germany, July 2005

Abstract

Efficient zero-knowledge proofs of knowledge for homomorphisms are a key building block in a vast number of constructions in applied cryptography. Examples are identification, signature, group signature, anonymous credential, and identity escrow schemes, as well as voting systems, e-cash, multi-party computation, and trusted computing. This dissertation studies efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms. We prove that there are inherent efficiency limitations for existing proofs of knowledge for homomorphisms and describe novel proofs of knowledge that overcome these limitations.

All efficient zero-knowledge proofs of knowledge for homomorphisms happen to be instances of the same protocol, which we refer to as the Σψ-protocol. While all efficient zero-knowledge proofs of knowledge for homomorphisms are obtained using the Σψ-protocol, the converse is not true: the Σψ-protocol is not known to yield efficient proofs of knowledge for all practically relevant homomorphisms. It was not known whether these efficiency limitations are inherent to the Σψ-protocol or whether they can be overcome, i.e., whether they are merely due to the conditions under which the Σψ-protocol is currently known to be a proof of knowledge. We prove, in different settings and for different homomorphisms, that the efficiency limitations of the Σψ-protocol are inherent to the protocol and hence cannot be overcome.

In particular, for the practically important class of exponentiation homomorphisms $\psi_E(x) = h^x$ and $\psi_E(x_1, \dots, x_l) = h_1^{x_1} \cdots h_l^{x_l}$ in hidden order groups (e.g., RSA groups or class groups), no efficient zero-knowledge proofs of knowledge were known, neither using the Σψ-protocol nor using any other protocol. We describe novel protocols that for the first time allow one to obtain efficient zero-knowledge proofs of knowledge for such homomorphisms.

Kurzzusammenfassung (German abstract, translated)

Efficient zero-knowledge proofs of knowledge for homomorphisms are basic building blocks of a multitude of cryptographic applications. Examples are (anonymous) identification, (group) signature and voting systems, as well as digital cash, distributed computation and so-called trusted computing. Bounds on the efficiency of such proofs are therefore of great practical importance.

This dissertation deals with efficient zero-knowledge proofs of knowledge for homomorphisms. On the one hand, we investigate the efficiency limitations of existing proofs of knowledge for homomorphisms and show that such proofs have inherent, and hence fundamentally insurmountable, efficiency limitations. On the other hand, we describe new protocols that are able to overcome these limitations.

All existing efficient zero-knowledge proofs of knowledge for homomorphisms are instances of a single protocol, which we call the Σψ-protocol. The converse, however, does not hold: the Σψ-protocol does not yield efficient proofs of knowledge for all practically relevant homomorphisms. It was an open question whether these efficiency limitations are inherent to the Σψ-protocol or whether they can be overcome. We contribute to settling this question by proving that, under various assumptions and for various homomorphisms, these efficiency limitations are indeed inherent to the protocol and hence cannot be overcome.

In particular, for the practically important class of exponentiation homomorphisms $\psi_E(x) = h^x$ and $\psi_E(x_1, \dots, x_l) = h_1^{x_1} \cdots h_l^{x_l}$ in groups of unknown order (such as RSA groups or class groups), no efficient zero-knowledge proofs of knowledge were known so far, neither by means of the Σψ-protocol nor by means of any other protocol. We describe new protocols that for the first time yield efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms in groups of unknown order. Thus we have not only shown that insurmountable efficiency limitations exist for previous protocols, but are also able to overcome them with new protocols.

Acknowledgments

I am profoundly grateful to Jan Camenisch and Ahmad Sadeghi for supporting me and without whom creating this thesis would not have been possible. I am also indebted to Jörg Schwenk for being one of the referees of this thesis and for taking on the time-consuming work arising from this role, and to Ueli Maurer for proposing the topic of this thesis. Many thanks to Dieter Sommer and Markus Rohe, who have proofread parts of this thesis and helped me to improve the text with their insightful comments.

This thesis was elaborated at the IBM Zurich Research Lab between 2001 and 2004 and at the University of Bochum during winter 2005. I would like to take the opportunity to thank the following people from these institutions: Michael Waidner, Birgit Pfitzmann, Matthias Schunter, Michael Backes, Christopher Giblin, Thomas Gross, Günter Karjoth, Irmgard Kühn, Luke O'Connor, Christof Paar, Jonathan Poritz, Andy Rupp, Els Van Herreweghen, Christian Cachin, Andreas Wespi, Morton Swimmer.
Contents

1 Introduction 9
1.1 Results 11
1.1.1 Efficiency limitations of the Σψ-protocol 12
1.1.2 Efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups 13
1.2 Outline 14
2 Basic concepts 15
2.1 Some notation 15
2.2 Complexity theory 16
2.2.1 Algorithms and reducibility 16
2.2.2 Two-party protocols 21
2.3 Group theory 21
2.3.1 Notation and basic facts 22
2.3.2 Computational aspects 24
2.3.3 Concrete groups and homomorphisms used in cryptography 30
2.3.4 A note on the presentation 36
2.4 Zero-knowledge proofs 37
2.4.1 Definitions 38
2.4.2 Some fundamental results 43
3 Pseudo-preimages and related computational problems 45
3.1 Definition and basic facts 46
3.2 Pseudo-preimage problem 47
3.2.1 Solvable instances of the pseudo-preimage problem 47
3.2.2 Hardness of the pseudo-preimage problem 50
3.3 Pseudo-preimage generation problem 53
4 The Σψ-protocol 61
4.1 Protocol definitions and the zero-knowledge property 63
4.2 Proof of knowledge property 67
4.2.1 A note on pseudo-preimage extractors 72
4.3 Knowledge error and efficiency of the Σψ-protocol 73
4.3.1 Efficiency analysis 74
4.3.2 Efficiency limitations and the minimal standard knowledge error 76
4.4 Interactive proofs 77
4.5 The Damgaard-Fujisaki scheme 80
5 On the optimality of the standard knowledge extractor of the Σψ-protocol 85
5.1 Definition of lower bound on the knowledge error 87
5.2 Lower bounds in the generic model 89
5.2.1 Model 91
5.2.2 Pseudo-random functions 95
5.2.3 Results 96
5.3 Lower bounds in the plain model 99
5.3.1 Lower bounds for power homomorphisms 99
5.3.2 Lower bounds for exponentiation homomorphisms 102
5.4 Proof of Theorem 5.1 110
5.4.1 Preliminaries 111
5.4.2 Definition of cheating prover P* and DK(k) 114
5.4.3 Non-triviality and uniformity 115
5.4.4 Hardness 115
5.4.5 Evaluation of bounds in the simulated world 120
6 Efficient proofs of knowledge for exponentiation homomorphisms 125
6.1 Auxiliary information in the common input 127
6.2 The Σψ-protocol in the auxiliary setting 128
6.2.1 Sketch of basic idea 128
6.2.2 Formalization of basic idea 129
6.2.3 Application to exponentiation homomorphisms in hidden order groups 132
6.3 The Σψ⁺- and the Σψ⁺-WS-protocol 138
6.3.1 Proofs of knowledge in the auxiliary string model 138
6.3.2 The Σψ⁺-protocol 140
6.3.3 The Σψ⁺-WS-protocol 149
6.4 Comparison 154
7 Concluding remarks 156
Bibliography 158

1 Introduction

Zero-knowledge proofs of knowledge are a key building block for a large number of results in theoretical and in applied cryptography. A zero-knowledge proof of knowledge allows a prover to demonstrate to a verifier that it knows a solution of a search problem, whereas the verifier learns nothing about the solution. More precisely, a proof of knowledge is a protocol between a prover and a verifier. The common protocol input is an instance of a search problem, and the prover's input is a solution of the problem. At the end of the protocol execution the verifier either accepts or rejects. If a prover succeeds in getting the verifier to accept with a probability larger than some threshold probability (the knowledge error), then the verifier is assured that the prover "knows a solution" of the problem instance at hand. "Knowing a solution" means that an algorithm (the knowledge extractor) exists that, given the prover as a black box, computes the desired solution.

The notions of zero-knowledge and proof of knowledge originate in a seminal paper by Goldwasser, Micali, and Rackoff [GMR85]. The notion of zero-knowledge was formally introduced in the context of so-called interactive proofs (an interactive proof allows a prover to demonstrate the validity of an assertion to a verifier), while the idea of a proof of knowledge was coined, but not formalized. Subsequently, formal definitions of a proof of knowledge were given by Tompa and Woll [TW87] and Feige, Fiat, and Shamir [FFS88]. A more refined definition, which is the commonly used definition nowadays, was later proposed by Bellare and Goldreich [BG92]. Fundamental results of theoretical cryptography by Goldreich, Micali, and Wigderson [GMW86] and by Brassard, Chaum, and Crépeau [BCC88] describe generic techniques that yield zero-knowledge proofs of knowledge for all NP search problems.
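As an added worked example (it is not part of the dissertation), the following Python script plays out the three-move protocol for the single-base exponentiation homomorphism $\psi_E(x) = h^x$ together with the rewinding knowledge extractor sketched above, first in a group of known prime order and then in an RSA group of hidden order, the setting the abstract singles out. The group parameters, the challenge values and the blinded prover are constructed for illustration and are toy-sized; the protocol steps themselves (commitment $t = h^r$, random challenge $c$, response $s = r + c\,x$, check $h^s = t\,y^c$) are the standard ones. "Pseudo-preimage" is used in the sense the thesis' Chapter 3 gives it, a pair $(\Delta, v)$ with $\psi_E(v) = y^\Delta$; that definition is taken from the literature on these protocols, not from this page. In the known-order group the extractor divides $s_1 - s_2$ by $c_1 - c_2$ modulo the group order; in the hidden-order group there is no order to reduce by, and the same two transcripts only yield such a pseudo-preimage, which the blinded prover shows cannot in general be turned into a preimage by integer division.

```python
"""Sigma-protocol for psi_E(x) = h^x with the rewinding knowledge extractor:
known-order group (extraction succeeds) versus RSA group of hidden order
(extraction stops at a pseudo-preimage).  Toy parameters, constructed for
this example; none of the sizes are secure."""
import secrets

# Known-order setting: p = 2q + 1 is a safe prime, h generates the order-q subgroup.
P, Q, H = 23, 11, 4            # 4 = 2^2 has order 11 in Z_23^*

# Hidden-order setting: n = 61 * 53.  The factorization is used only to let the
# blinded prover below know a multiple of ord(g); protocol and extractor never use it.
N, G = 3233, 7                 # g = 7 is coprime to n
LAMBDA_N = 780                 # lcm(60, 52): g^780 == 1 (mod n), so ord(g) | 780
X_BOUND = 2**8                 # the secret x is below this bound
R_BOUND = X_BOUND * 2**40      # r is drawn far above c*x so that s = r + c*x hides x


def psi(h, x, m):
    """The exponentiation homomorphism psi_E(x) = h^x, evaluated in Z_m^*."""
    return pow(h, x, m)


def verify(h, m, y, t, c, s):
    """Verifier's final check h^s == t * y^c.  Identical in both settings."""
    return psi(h, s, m) == (t * pow(y, c, m)) % m


class KnownOrderProver:
    """Honest prover for y = h^x in the order-q group; responses are reduced mod q."""

    def __init__(self, x):
        self.x, self.y = x, psi(H, x, P)

    def commit(self):
        self.r = secrets.randbelow(Q)
        return psi(H, self.r, P)

    def respond(self, c):
        return (self.r + c * self.x) % Q


class HiddenOrderProver:
    """Prover for y = g^x in Z_n^*.  Since ord(g) is unknown to the protocol, the
    response is computed over the integers.  `blinds` lists multiples of lambda(n)
    added to successive responses: such responses still verify, and a prover that
    happens to know the group order could produce them (constructed here to show
    what the extractor cannot assume about the responses it sees)."""

    def __init__(self, x, blinds=()):
        self.x, self.y, self.blinds = x, psi(G, x, N), blinds

    def commit(self):
        self.r = secrets.randbelow(R_BOUND)
        self.answered = 0
        return psi(G, self.r, N)

    def respond(self, c):
        k = self.blinds[self.answered] if self.answered < len(self.blinds) else 0
        self.answered += 1
        return self.r + c * self.x + k * LAMBDA_N


def two_transcripts(prover, c1, c2):
    """Rewinding: fix the prover's commitment, then obtain responses to two
    distinct challenges.  Returns (t, s1, s2)."""
    t = prover.commit()
    return t, prover.respond(c1), prover.respond(c2)


def extract_known_order(prover, c1=3, c2=7):
    """Standard knowledge extractor.  From h^(s1-s2) = y^(c1-c2) it recovers
    x = (s1 - s2) / (c1 - c2), which needs the inverse of c1 - c2 modulo ord(h) = Q."""
    t, s1, s2 = two_transcripts(prover, c1, c2)
    if not (verify(H, P, prover.y, t, c1, s1) and verify(H, P, prover.y, t, c2, s2)):
        return None
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


def extract_hidden_order(prover, c1=10, c2=3):
    """Same rewinding in the hidden-order group.  Without ord(g) there is no modulus
    in which to invert c1 - c2, so the extractor only obtains the pseudo-preimage
    (delta, v) = (c1 - c2, s1 - s2), which satisfies g^v == y^delta."""
    t, s1, s2 = two_transcripts(prover, c1, c2)
    if not (verify(G, N, prover.y, t, c1, s1) and verify(G, N, prover.y, t, c2, s2)):
        return None
    return c1 - c2, s1 - s2


def is_pseudo_preimage(y, delta, v):
    """Check the relation psi_E(v) == y^delta in Z_n^*."""
    return psi(G, v, N) == pow(y, delta, N)


def integer_division_recovers(delta, v, x):
    """The only order-free way to turn (delta, v) into a preimage is integer
    division.  It works for the honest prover (v == delta * x), but a blinded
    transcript gives a v that delta does not even divide."""
    return v % delta == 0 and v // delta == x


if __name__ == "__main__":
    print(extract_known_order(KnownOrderProver(5)))              # 5
    d, v = extract_hidden_order(HiddenOrderProver(5))
    print((d, v), integer_division_recovers(d, v, 5))            # (7, 35) True
    d, v = extract_hidden_order(HiddenOrderProver(5, blinds=(2, 1)))
    print((d, v), integer_division_recovers(d, v, 5))            # (7, 815) False
```

Both hidden-order transcripts pass the verifier's check and both pairs $(\Delta, v)$ satisfy $g^v = y^\Delta$; only the honest one happens to have $\Delta \mid v$. An extractor that has to work for every convincing prover can therefore not rely on integer division, and the division it would need, by $\Delta$ modulo $\mathrm{ord}(g)$, is exactly what a hidden-order group withholds.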
