
Slow Motion Zero Knowledge Identifying with Colliding Commitments

Conference paper. Information Security and Cryptology (Inscrypt 2015). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9589).

Abstract

Discrete-logarithm authentication protocols are known to present two interesting features. The first is that the prover’s commitment, \(x=g^r\), accounts for most of the prover’s computational effort. The second is that x does not depend on the challenge and can hence be computed in advance. Provers exploit this feature by pre-loading (or pre-computing) ready-to-use commitment pairs \(r_i,x_i\). The \(r_i\) can be derived from a common seed, but storing each \(x_i\) still requires 160 to 256 bits when implementing DSA or Schnorr.

This paper proposes a new concept called slow motion zero-knowledge (SM-ZK). SM-ZK allows the prover to slash commitment size (by a factor of 4 to 6) by combining classical zero-knowledge and a timing channel. We pay the conceptual price of requiring the ability to measure time but, in exchange, obtain communication-efficient protocols.


Notes

  1. Note that special honest-verifier zero-knowledge implies honest-verifier zero-knowledge.

  2. Or for \(\mathcal P\) by a trusted authority.

  3. If y was received before \(\varDelta _\mathrm{max}\).

  4. The probability of success at step 3 is essentially 1 / B, and the expected number of executions of the loop is B, so that the simulation of N rounds runs in O(NB): the machine runs in expected polynomial time.

References

  1. Abadi, M., Burrows, M., Manasse, M.S., Wobber, T.: Moderately hard, memory-bound functions. ACM Trans. Internet Technol. 5(2), 299–327 (2005)

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, 3–5 November, 1993, pp. 62–73. ACM (1993)

  3. Bernstein, R.L.: Multiplication by integer constants. Softw. Pract. Exper. 16(7), 641–652 (1986)

  4. Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 236. Springer, Heidelberg (2000)

  5. Ciobotaru, O.: On the (non-)equivalence of UC security notions. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 104–124. Springer, Heidelberg (2012)

  6. Damgård, I.: On \(\Sigma \) protocols (2010). http://www.cs.au.dk/~ivan/Sigma.pdf

  7. Dwork, C., Goldberg, A.V., Naor, M.: On memory-bound functions for fighting spam. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 426–444. Springer, Heidelberg (2003)

  8. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993)

  9. Dwork, C., Naor, M., Wee, H.M.: Pebbling and proofs of work. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 37–54. Springer, Heidelberg (2005)

  10. Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptology 1(2), 77–94 (1988)

  11. Girault, M.: An identity-based identification scheme based on discrete logarithms modulo a composite number. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991)

  12. Girault, M., Poupard, G., Stern, J.: On the fly authentication and signature schemes based on groups of unknown order. J. Cryptology 19(4), 463–487 (2006)

  13. Girault, M., Stern, J.: On the length of cryptographic hash-values used in identification schemes. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 202–215. Springer, Heidelberg (1994)

  14. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)

  15. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: Sedgewick, R. (ed.) Proceedings of the 17th Annual ACM Symposium on Theory of Computing, 6–8 May, 1985, Providence, Rhode Island, USA, pp. 291–304. ACM (1985)

  16. Hazay, C., Lindell, Y.: Efficient secure two-party protocols: techniques and constructions. Springer Science and Business Media, Heidelberg (2010)

  17. Mahmoody, M., Moran, T., Vadhan, S.: Time-lock puzzles in the random oracle model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 39–50. Springer, Heidelberg (2011)

  18. Micali, S., Pass, R.: Local zero knowledge. In: Kleinberg, J.M. (ed.) Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, 21–23 May, 2006, pp. 306–315. ACM (2006)

  19. M’Raïhi, D., Naccache, D.: Couponing scheme reduces computational power requirements for DSS signatures. In: Proceedings of CardTech/SecurTech, pp. 99–104 (1994)

  20. Poupard, G., Stern, J.: Security analysis of a practical “On the Fly” authentication and signature generation. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 422–436. Springer, Heidelberg (1998)

  21. Rivest, R., Shamir, A., Wagner, D.: Time-lock puzzles and timed-release crypto. Technical report MIT/LCS/TR-684 (1996)

  22. de Rooij, P.: On Schnorr’s preprocessing for digital signature schemes. J. Cryptology 10(1), 1–16 (1997)

Author information

Corresponding author: Rémi Géraud.

Appendices

A Proof of Lemma 2

Proof

The zero-knowledge property of the standard GPS protocol is proven by constructing a polynomial-time simulation of the communication between a prover and a verifier [12, Theorem 2]. We adapt this proof to the context of the proposed protocol. The function \(\delta \) is defined by \(\delta (\mathsf {true}) = 1\) and \(\delta (\mathsf {false}) = 0\), and \(\wedge \) denotes the logical operator “and”. For clarity, the function \(f_{\tau , \ell }\) is henceforth written f.

The scenario is that of a prover \(\mathcal P\) and a dishonest verifier \(\mathcal A\) who can use an adaptive strategy to bias the choice of the challenges to try to obtain information about s. In this case the challenges are no longer chosen at random, and this must be taken into account in the security proof. Assume the protocol is run N times and focus on the i-th round.

\(\mathcal A\) has already obtained a certain amount of information \(\eta \) from past interactions with \(\mathcal P\). \(\mathcal P\) sends a pre-computed commitment \(x_i\). Then \(\mathcal A\) chooses a challenge using all information available to her and a random tape \(\omega \): \(c_i\left( x_i, \eta , \omega \right) \).

The following is an algorithm (using its own random tape \(\omega _M\)) that simulates this round:

  1. Step 1. Choose \(\overline{c_i} \xleftarrow {\$}[0, B-1]\) and \(\overline{y_i} \xleftarrow {\$}[(B-1)(S-1), A-1]\) using \(\omega _M\).

  2. Step 2. Compute \(\overline{x_i} = f_{\tau ,\ell }\left( g^{\overline{y_i}}v^{\overline{c_i}}\right) \).

  3. Step 3. If \(c_i\left( \overline{x_i}, \eta , \omega \right) = \overline{c_i}\) then return to step 1 and try again with another pair \((\overline{c_i}, \overline{y_i})\), else return \((\overline{x_i}, \overline{c_i}, \overline{y_i})\) (see note 4).

The rest of the proof shows that, provided \(\varPhi = (B-1)(S-1)\) is much smaller than A, this simulation algorithm outputs triples that are indistinguishable from real ones, for any fixed random tape \(\omega \).

Formally, we want to prove that

$$\begin{aligned} \varSigma _1 = \sum _{\alpha , \beta , \gamma } \left| \Pr _{\omega _P}\left[ (x, c, y) = (\alpha , \beta , \gamma )\right] - \Pr _{\omega _M} \left[ (\overline{x}, \overline{c}, \overline{y}) = (\alpha , \beta , \gamma )\right] \right| \end{aligned}$$

is negligible, i.e., that the two distributions cannot be distinguished by accessing a polynomial number of triples (even using infinite computational power). Let \((\alpha , \beta , \gamma )\) be a fixed triple. Assuming an honest prover, we have the following probability:

$$\begin{aligned} p&= \Pr _{\omega _P} \left[ (x,c,y) = (\alpha ,\beta ,\gamma )\right] \\&= \Pr _{0 \le r < A} \left[ \alpha = f(g^r) \wedge \beta = c(\alpha ,\eta ,\omega ) \wedge \gamma = r + \beta s \right] \\&= \sum _{r= 0}^{A-1} \frac{1}{A} \delta \left( \alpha =f(g^\gamma v^\beta ) \wedge \beta = c(\alpha , \eta ,\omega ) \wedge r = \gamma - \beta s \right) \\&= \frac{1}{A}\delta \left( \alpha =f(g^\gamma v^\beta ) \wedge \beta = c(\alpha , \eta , \omega ) \wedge \gamma - \beta s \in \left[ 0, A-1\right] \right) \\&= \frac{1}{A}\delta \left( \alpha =f(g^\gamma v^\beta )\right) \delta \left( \beta = c(\alpha , \eta , \omega )\right) \delta \left( \gamma - \beta s \in \left[ 0, A-1\right] \right) , \end{aligned}$$

where \(f = f_{\tau ,\ell }\).

We now consider the probability \(\overline{p} = \mathrm {Pr}_{\omega _M}\left[ (\overline{x},\overline{c},\overline{y}) = (\alpha ,\beta ,\gamma )\right] \) to obtain the triple \((\alpha ,\beta ,\gamma )\) during the simulation described above. This is a conditional probability given by

$$\begin{aligned} \overline{p} = \mathop {\mathrm{Pr}}\limits _{\begin{array}{c} \overline{y}\in [\varPhi ,A-1] \\ \overline{c}\in [0,B-1] \end{array}} \left[ \alpha = f\left( g^{\overline{y}}v^{\overline{c}}\right) \wedge \beta = \overline{c}\wedge \gamma = \overline{y} \;\big |\; \overline{c} = c\left( f\left( g^{\overline{y}}v^{\overline{c}}\right) , \eta , \omega \right) \right] \end{aligned}$$

Using the definition of conditional probabilities, this equals

$$\begin{aligned} \overline{p} =\frac{\mathop {\mathrm{Pr}}\limits _{\begin{array}{c} \overline{y}\in [\varPhi ,A-1] \\ \overline{c}\in [0,B-1] \end{array}} \left[ \alpha = f\left( g^{\overline{y}}v^{\overline{c}}\right) \wedge \beta = \overline{c}\wedge \gamma = \overline{y} \right] }{\mathop {\mathrm{Pr}}\limits _{\begin{array}{c} \overline{y}\in [\varPhi ,A-1] \\ \overline{c}\in [0,B-1] \end{array}} \left[ \overline{c} = c\left( f\left( g^{\overline{y}}v^{\overline{c}}\right) , \eta , \omega \right) \right] } \end{aligned}$$

Let us introduce

$$\begin{aligned} Q = \sum _{\begin{array}{c} \overline{y}\in [\varPhi ,A-1] \\ \overline{c}\in [0,B-1] \end{array}} \delta \left( \overline{c} = c\left( f\left( g^{\overline{y}}v^{\overline{c}}\right) , \eta , \omega \right) \right) \end{aligned}$$

then the denominator in \(\overline{p}\) is simply \(Q/B(A-\varPhi )\). Therefore:

$$\begin{aligned} \overline{p}&= \sum _{\overline{c} \in [0, B-1]} \frac{1}{B} \Pr _{\overline{y}\in [\varPhi ,A-1]} \left[ \alpha = f\left( g^{\overline{y}}v^{\overline{c}}\right) \wedge \gamma = \overline{y} \wedge \beta = \overline{c} = c(\alpha , \eta , \omega ) \right] \frac{B(A - \varPhi )}{Q} \\&= \Pr _{\overline{y}\in [\varPhi ,A-1]} \left[ \alpha = f\left( g^{\gamma }v^{\beta }\right) \wedge \gamma = \overline{y} \wedge \beta = c(\alpha , \eta , \omega ) \right] \frac{A-\varPhi }{Q} \\&= \sum _{\overline{y} \in [\varPhi ,A-1]}\frac{1}{A - \varPhi }\delta \left( \alpha = f\left( g^{\gamma }v^{\beta }\right) \wedge \gamma = \overline{y} \wedge \beta = c(\alpha , \eta , \omega ) \right) \frac{A-\varPhi }{Q} \\&= \frac{1}{Q}\delta \left( \alpha = f\left( g^{\gamma }v^{\beta }\right) \right) \delta \left( \beta = c(\alpha , \eta , \omega )\right) \delta \left( \gamma \in [\varPhi , A-1]\right) \end{aligned}$$

We will now use the following combinatorial lemma:

Lemma 4

If \(h : \mathcal G \rightarrow [0, B-1]\) and \(v \in \{g^{-s}, s \in [0, S-1]\}\) then the total number M of solutions \((c,y) \in [0, B-1]\times [\varPhi , A-1]\) to the equation \(c = h(g^y v^{c})\) satisfies \(A - 2\varPhi \le M\le A\).

Proof

(Proof of Lemma 4.) See [12, Appendix A]. Specialising Lemma 4 to the function that computes \(c(f(g^{\overline{y}}v^{\overline{c}}), \eta , \omega )\) from \((\overline{c}, \overline{y})\) gives \(A-2\varPhi \le Q \le A\). This enables us to bound \(\varSigma _1\):

$$\begin{aligned} \varSigma _1&= \sum _{\alpha , \beta , \gamma } \left| \Pr _{\omega _P}\left[ (x, c, y) = (\alpha , \beta , \gamma )\right] - \Pr _{\omega _M} \left[ (\overline{x}, \overline{c}, \overline{y}) = (\alpha , \beta , \gamma )\right] \right| \\&= \sum _{\alpha , \beta , \gamma \in [\varPhi , A-1]} \left| \Pr _{\omega _P}\left[ (x, c, y) = (\alpha , \beta , \gamma )\right] - \Pr _{\omega _M} \left[ (\overline{x}, \overline{c}, \overline{y}) = (\alpha , \beta , \gamma )\right] \right| \\&\qquad + \sum _{\alpha , \beta , \gamma \notin [\varPhi , A-1]} \Pr _{\omega _P}\left[ (x, c, y) = (\alpha , \beta , \gamma )\right] \\&= \sum _{\begin{array}{c} \gamma \in [\varPhi ,A-1]\\ \beta \in [0,B-1]\\ \alpha = f(g^\gamma v^\beta ) \end{array}} \left| \frac{1}{A}\delta \left( \beta = c(\alpha ,\eta , \omega )\right) - \frac{1}{Q}\delta (\beta = c(\alpha , \eta , \omega )) \right| \\&\qquad + \, \left( 1 - \sum _{\alpha , \beta , \gamma \in [\varPhi , A-1]} \Pr _{\omega _P}\left[ (x, c, y) = (\alpha , \beta , \gamma )\right] \right) \\&= \left| \frac{1}{A} - \frac{1}{Q} \right| Q + 1 - \sum _{\begin{array}{c} \gamma \in [\varPhi ,A-1]\\ \beta \in [0,B-1]\\ \alpha = f(g^\gamma v^\beta ) \end{array}} \frac{1}{A}\delta \left( \beta = c(\alpha , \eta , \omega )\right) \\&= \frac{|Q-A|}{A} + 1 - \frac{Q}{A} \end{aligned}$$

Therefore \(\varSigma _1 \le 2 |Q-A|/A \le 4\varPhi /A < 4SB/A\), which proves that the real and simulated distributions are statistically indistinguishable if SB / A is negligible.     \(\square \)

B GPS Commitment Pre-computation

Figure 4 describes one possible way in which pre-computed commitments are generated and used for GPS. In this figure, we delegate the computation to a trusted authority. That role can be played by \(\mathcal P\) alone, but we leverage the authority to alleviate \(\mathcal P\)’s computational burden.

To efficiently generate a sequence of commitments, the authority uses a shared secret seed J and a cryptographic hash function H. Here J is chosen by \(\mathcal P\) but it could be chosen by the authority instead.

Fig. 4. Commitment pre-processing as applied to GPS. The first stage describes the preliminary interaction with a trusted authority, where pre-computed commitments are generated and stored. The second stage describes the interaction with a verifier. For the sake of clarity the range-tests on c and y were omitted. The trusted authority can be easily replaced by \(\mathcal P\) himself.
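The following toy implementation, added here and not part of the paper, ties together Appendix B (seeded pre-computation of \((r_i, x_i)\) pairs with a hash H) and the simulator of Appendix A (sampling \((\overline{c}, \overline{y})\), keeping the triple when the verifier's challenge function agrees with \(\overline{c}\), which is the success event of note 4). The group \(\mathbb Z_P^*\) with P = 1019, the parameter sizes, and the use of a truncated SHA-256 as a stand-in for the compressing function \(f_{\tau,\ell}\) (its time cost \(\tau\) is not modelled) are all assumptions made for the example.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
P = 1019                   # prime modulus; all group arithmetic is in Z_P^*
G = 2                      # base element g
S, B, A = 16, 8, 1 << 20   # secret bound S, challenge bound B, randomness bound A
PHI = (B - 1) * (S - 1)    # the paper's Phi = (B-1)(S-1)
ELL = 8                    # output length of the compressing function f, in bits

def f(x):
    """Assumed stand-in for f_{tau,ell}: SHA-256 of the group element, truncated to ELL bits."""
    h = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") >> (256 - ELL)

def keygen():
    s = secrets.randbelow(S)
    return s, pow(G, -s, P)          # secret s, public v = g^{-s}

def precompute(J, n):
    """Appendix B: derive r_i from the shared seed J with H = SHA-256; store (r_i, x_i)."""
    pairs = []
    for i in range(n):
        r = int.from_bytes(hashlib.sha256(J + i.to_bytes(4, "big")).digest(), "big") % A
        pairs.append((r, f(pow(G, r, P))))
    return pairs

def honest_round(s, pair, challenge):
    """One identification round: send stored x_i, receive c, answer y = r_i + c s."""
    r, x = pair
    c = challenge(x)
    return x, c, r + c * s

def verify(v, x, c, y):
    """Standard GPS checks: range tests (omitted in Fig. 4) and f(g^y v^c) == x."""
    return 0 <= c < B and 0 <= y < A + PHI and f(pow(G, y, P) * pow(v, c, P) % P) == x

def simulate(v, challenge):
    """Appendix A simulator: resample until the (adaptive) challenge equals the guessed c."""
    while True:
        c_bar = secrets.randbelow(B)                 # Step 1: c in [0, B-1]
        y_bar = PHI + secrets.randbelow(A - PHI)     # Step 1: y in [Phi, A-1]
        x_bar = f(pow(G, y_bar, P) * pow(v, c_bar, P) % P)   # Step 2
        if challenge(x_bar) == c_bar:                # Step 3: success with prob. ~1/B
            return x_bar, c_bar, y_bar
```

Any deterministic function of x may stand in for the dishonest verifier's challenge strategy; the simulated triples pass the same verification as real ones without involving s.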


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Ferradi, H., Géraud, R., Naccache, D. (2016). Slow Motion Zero Knowledge Identifying with Colliding Commitments. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science, vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_22

  • DOI: https://doi.org/10.1007/978-3-319-38898-4_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-38897-7

  • Online ISBN: 978-3-319-38898-4