Concurrent Zero-Knowledge

Zero-Knowledge is one of the coolest and non-intuitive ideas in modern cryptography.  The idea is that Alice wants to prove that something is true without explaining why.  (Just like a woman, right?).  For example, she knows how to 3-color a particular graph.  She can paint each vertex on the graph red, green, or blue in such a way that no two adjacent vertices are the same color.  Now she wants to prove to Bob that it is possible to do it.  (For example, Bob is being lazy and doesn’t want to help out around the house by spending exponential time coloring vertices.  It’s a very common situation).  So Alice and Bob engage in a protocol in which Alice proves that yes, it is  possible to 3-color the graph.  BUT….Bob does not learn how Alice did it.

Ok, that sounds pretty pointless.  Most modern households don’t have graphs lying around just waiting to be 3-colored.  (Plus there is a very efficient 4-coloring algorithm for planar graphs, so if you’re willing to invest in a little more paint you can save yourself a lot of clock cycles).

But what if Alice wants to prove she knows her credit card number without actually sending it to FlyByNight.com?  Now Alice can safely purchase shoes on-line without worrying about an unscrupulous merchant stealing her credit card number.

Zero-Knowledge has been around since 1986 (sorry no link, this result is really old).

Oded Goldreich, Silvio Micali, Avi Wigderson: Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design (Extended Abstract) FOCS 1986: 174-187.

The tricky thing about zero-knowledge is actually proving that a protocol is zero-knowledge.  Things get even worse with concurrent zero-knowledge, when Alice might have to prove things to several different people at the same time.  An unscrupulous adversary might take advantage of Alice and use the results of one protocol query to alter a second query.  Here the proofs get really convoluted as the cryptographer tries to rewind multiple simulators.  As they say, the pudding is in the proof.

Endorsed E-Cash

E-Cash is supposed to be the digital equivalent of real cash.  The idea is that Alice can withdraw money from the bank and spend it anonymously.  Later, when the bank looks at its database of deposits and withdrawals, it shouldn’t be able to link any deposit with any withdrawal.

Of course there is a problem with this scenario.  Suppose Alice withdraws a digital dollar and then spends it twenty-gadzillion times.  Since Alice stores the digital dollar on her computer, nothing stops her from making those twenty-gadzillion copies.

The standard solution is to embed Alice’s identity into every e-dollar she withdraws.  If she spends the same e-dollar more than once, the bank can look at the two deposits and determine Alice’s identity.  For example, suppose we associate a straight line with each e-dollar.  The y-intercept is Alice’s identity.  The slope is chosen at random during withdrawal.  If Alice spends the e-dollar once, she reveals one point on the line.  That’s not enough to learn anything about Alice’s identity.  (Try it at home: point your finger on any random spot on the monitor and count the number of straight lines between your finger and the left hand side of the screen).  If Alice spends the e-dollar a second time, the bank can “connect the dots” and follow the line to the y-intercept.

The standard objection is that even if Alice is identified after the fact, Alice fly to the Bahamas long before the bank catches up.  The potential damage is just not worth the on-line privacy goodness.

These practical obligations did not deter me from writing my Ph.D. thesis on e-cash.  One of my favorite results was showing how to do secure fair exchange of e-cash.  When Alice sends Bob her e-dollars (ok, now that we’re getting technical, I should call them by their official latin name, e-coin, which is easy to remember, because it is like e-coli, only it corrupts you soul and not your stomach), she wants to make sure she gets some sort of receipt back in return.  Bob doesn’t want to send a receipt until he gets paid.  The solution is to do alot of math in algebraic groups of prime order.

Things get even more interesting when Alice needs to pay more than one e-coin.  Now we do a cool trick and hide all the e-coins in a polynomial of degree N.  Then Alice gives Bob N points on the polynomial.  Just as in the straight line example, Bob doesn’t learn anything about the e-coins because he only has N points.  He needs N+1 points to interpolate (english: compute) the polynomial.  Then Alice and Bob run the Asokan, Shoup and Waidner fair exchange algorithm for the magic N+1th point.  Alice gets a receipt.  Bob gets N+1 points.  He interpolates, and voila! out comes the pot of e-cash.

You can read more about Endorsed E-Cash in my IEEE Security and Privacy 2007 publication.

Jan Camenisch, Anna Lysyanskaya and Mira Meyerovich. IEEE Security and Privacy 2007.

Abstract. An electronic cash (e-cash) scheme lets a user withdraw money from a bank and then spend it anonymously. E-cash can be used only if it can be securely and fairly exchanged for electronic goods or services. In this paper, we introduce and realize endorsed e-cash. An endorsed e-coin consists of a lightweight endorsement x and the rest of the coin which is meaningless without x. We reduce the problem of exchanging e-cash to that of exchanging endorsements. We demonstrate the usefulness of endorsed e-cash by exhibiting simple and efficient solutions to two important problems: (1) optimistic and unlinkable fair exchange of e-cash for digital goods and services; and (2) onion routing with incentives and accountability for the routers. Finally, we show how to represent a set of n endorsements using just one endorsement; this means that the complexity of the fair exchange protocol for n coins is the same as for one coin, making e-cash all the more scalable and suitable for applications. Our fair exchange of multiple e-coins protocol can be applied to fair exchanges of (almost) any secrets.

Published Version

Mira Belenkiy, Melissa Chase, Markulf Kohlweiss, Anna Lysyanskaya. TCC 2008.

Abstract. In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non − interactive proof system for proving that the contents of a commitment has been signed; (3) a noninteractive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy-preserving authentication mechanisms.

Published Version | Full Version

Mira Belenkiy, Jan Camenisch, Melissa Chase, Markulf Kohlweiss, Anna Lysyanskaya, Hovav Shacham.

Please contact me for a copy.

Mira Belenkiy. Cryptology ePrint Archive: Report 2008/018.

Abstract. A disjunctive multi-level secret sharing scheme divides users into different levels. Each level L is associated with a threshold t_L, and a group of users can only recover the secret if, for some L, there are at least t_L users at levels 0….L in the group. We present a simple ideal disjunctive multi-level secret sharing scheme — in fact, the simplest and most direct scheme to date. It is the first polynomial-time solution that allows the dealer to add new users dynamically. Our solution is by far the most efficient; the dealer must perform O(t) field operations per user, where t is the highest threshold in the system. We demonstrate the simplicity of our scheme by extending our construction into a distributed commitment scheme using standard techniques.

Technical Report

Mira Belenkiy, Melissa Chase, Chris Erway, John Jannotti, Alptekin Kupcu, Anna Lysyanskaya, Eric Rachlin. WPES 2007.

Abstract. Peer-to-peer systems have been proposed for a wide variety of applications, including file-sharing, web caching, distributed computation, cooperative backup, and onion routing. An important motivation for such systems is self-scaling. That is, increased participation increases the capacity of the system. Unfortunately, this property is at risk from selfish participants. The decentralized nature of peer-to-peer systems makes accounting difficult. We show that e-cash can be a practical solution to the desire for accountability in peer-to-peer systems while maintaining their ability to self-scale. No less important, e-cash is a natural fit for peer-to-peer systems that attempt to provide (or preserve) privacy for their participants. We show that e-cash can be used to provide accountability without compromising the existing privacy goals of a peer-to-peer system.

We show how e-cash can be practically applied to a file sharing application. Our approach includes a set of novel cryptographic protocols that mitigate the computational and communication costs of anonymous e-cash transactions, and system design choices that further reduce overhead and distribute load. We conclude that provably secure, anonymous, and scalable peer-to-peer systems are within reach.

Published Version

Jan Camenisch, Susan Hohenberger, Markulf Kohlweiss, Anna Lysyanskaya and Mira Meyerovich. ACM CCS 2006.

Abstract. We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n e-tokens. She shows an etoken to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damgard et al. [29], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damgard et al. also only support one authentication per time period, while we support n. Because our construction is based on e-cash, we can use existing techniques to identify a cheating user, trace all of her e-tokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse e-tokens. The verifier can always recognize a reused e-token; however, we preserve the anonymity of users who do not reuse e-tokens too often.

Published Version | Full Version

Jan Camenisch, Susan Hohenberger, Markulf Kohlweiss, Anna Lysyanskaya and Mira Meyerovich.  D-A-CH Mobility 2006.

See also. How to Win the Clone Wars: Efficient Periodic n-Times Anonymous Authentication. Jan Camenisch, Susan Hohenberger, Markulf Kohlweiss, Anna Lysyanskaya and Mira Meyerovich. ACM CCS 2006.

Abstract. Wie verhindert man, dass ein anonymer Sensor ofter als viermal pro Tag Informationen ubermittelt? Mittels E-Cash naturlich! Anonymitat ist insbesondere fur mobile personengebundene Sensoren wesentlich, die andernfalls den Aufenthaltsort ihrer Besitzer preisgeben. Die Einschr ankung der Meldefrequenz ist notig, um die uneingeschr ankte Verbreitung von Roguesensoren zu verhindern.

Wir stellen ein System vor, das es Sensoren erlaubt, Daten bis zu n mal pro Zeitperiode anonym zu authentifizieren. Bei der Initialisierung erhalt der Sensor uber ein Abhebeprotokoll einen E-Token Spender
mit n E-Tokens. Um Daten zu authentifizieren, zeigt der Sensor eines dieser E-Token in einem interaktiven Protokoll mit dem Empfanger. Jedes E-Token kann nur einmal verwendet werden, allerdings werden
Spender pro Zeitperiode automatisch neu aufgefullt. Die einzige bekannte Losung fur dieses Problems
fur n = 1, vorgestellt von Damgard et al. [20], verwendet Protokolle, die um den Faktor k langsamer
sind. Der Sicherheitsparameter k bestimmt dabei die Wahrscheinlichkeit 2−k, mit der ein Sensor uner-
kannt zwei Datens atz verschicken kann.

Published Version

Anna Lysyanskaya and Mira Meyerovich.  PKC 2006.

Abstract. The goal of steganography is to pass secret messages by disguising them as innocent-looking covertexts. Real world stegosystems are often broken because they make invalid assumptions about the system’s ability to sample covertexts. We examine whether it is possible to weaken this assumption. By modeling the covertext distribution as a stateful Markov process, we create a sliding scale between real world and provably secure stegosystems. We also show that insufficient knowledge of past states can have catastrophic results.

Published Version | Full Version