
Signatures and Efficient Proofs on Committed Graphs and NP-Statements

  • Conference paper
Financial Cryptography and Data Security (FC 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8975)


Abstract

Digital signature schemes are a foundational building block enabling integrity and non-repudiation. We propose a graph signature scheme and corresponding proofs that allow a prover (1) to obtain a signature on a committed graph and (2) to subsequently prove to a verifier knowledge of such a graph signature. The graph signature scheme and proofs are a building block for certification systems that need to establish graph properties in zero-knowledge, as encountered in cloud security assurance or provenance. We extend the Camenisch-Lysyanskaya (CL) signature scheme to graphs and enable efficient zero-knowledge proofs of knowledge on graph signatures, notably supporting complex statements on graph elements. Our method is based on honest-verifier \({\varSigma }\)-proofs and the strong RSA assumption. In addition, we explore the capabilities of graph signatures by establishing a proof system on graph 3-colorability (G3C). As G3C is NP-complete, we conclude that there exist Camenisch-Lysyanskaya proof systems for statements of NP languages.


References

  1. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  2. Camenisch, J.L., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003)

  3. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)

  4. Camenisch, J.L., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 93. Springer, Heidelberg (2001)

  5. Schnorr, C.P.: Efficient signature generation for smart cards. J. Cryptology 4(3), 239–252 (1991)

  6. Damgård, I., Fujisaki, E.: An integer commitment scheme based on groups with hidden order (2001). http://eprint.iacr.org/2001

  7. Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997)

  8. Camenisch, J.L., Michels, M.: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 107. Springer, Heidelberg (1999)

  9. Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)

  10. Chan, A.H., Frankel, Y., Tsiounis, Y.: Easy come - easy go divisible cash. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 561–575. Springer, Heidelberg (1998)

  11. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM (JACM) 38(3), 690–728 (1991)

  12. Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, vol. 1, p. 2 (1986)

  13. Micali, S., Rivest, R.L.: Transitive signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 236–243. Springer, Heidelberg (2002)

  14. Anonymized for review: anonymized for review. In: conference proceedings to appear, November 2014

  15. Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptology 9(3), 167–190 (1996)

  16. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)

  17. Brands, S.: Rapid demonstration of linear relations connected by boolean operators. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 318–333. Springer, Heidelberg (1997)

  18. Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)

  19. Camenisch, J.L., Stadler, M.A.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)

  20. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)

  21. Camenisch, J.L., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)

  22. Camenisch, J., Groß, T.: Efficient attributes for anonymous credentials. ACM Trans. Inf. Syst. Secur. (TISSEC) 15(1), 4 (2012)

  23. Garey, M.R., Johnson, D.S., Stockmeyer, L.: Some simplified NP-complete problems. In: Proceedings of the Sixth Annual ACM Symposium on Theory of Computing, pp. 47–63. ACM (1974)

  24. Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of 11th ACM Conference on Computer and Communications Security, pp. 225–234. ACM Press (2004)

  25. Peng, K., Boyd, C., Dawson, E.: Batch zero-knowledge proof and verification and its applications. ACM Trans. Inf. Syst. Secur. (TISSEC) 10(2), 6 (2007)

  26. IBM: Specification of the Identity Mixer cryptographic library, v. 2.3.40. Specification, IBM Research, January 2013. http://prime.inf.tu-dresden.de/idemix/

  27. Cook, S.A.: The complexity of theorem-proving procedures. In: Proceedings of the Third Annual ACM Symposium on Theory of Computing, pp. 151–158. ACM (1971)

Acknowledgments

This research is supported by the EU FP7 FutureID project (http://futureid.eu) under GA \(n^o\) 318424 and the EU Horizon 2020 project PrismaCloud (https://prismacloud.eu) under GA \(n^o\) 644962. The author is grateful for the discussions with Jens Groth and Jan Camenisch as well as for the feedback of the anonymous reviewers considering this work.

Author information

Correspondence to Thomas Groß.

Appendices

9 Proofs

9.1 Well-Formed Encoding and Security

Proof

(Unambiguous encoding and decoding: Theorem 2). We show that there is a bijection between encoding and graph.

Graph \(\rightarrow \) Encoding: For each graph there exists a unique encoding modulo base association. For all vertices \(i \in \mathcal {V} \) choose the vertex identifier \(e_i \in {\varXi }_\mathcal {V} \), for the labels \(k \in f_\mathcal {V} (i) \) choose the prime representative \(e_k \in {\varXi }_\mathcal {L} \) and compute their product. As said factors are prime, it follows from the fundamental theorem of arithmetic that the product \(e_i {\varPi }_{k \in f_\mathcal {V} (i)} e_k\) represents a unique integer. Given that the user is not privy to the discrete logarithm between one base and another (guaranteed by the CL-Signature setup), the bases unambiguously separate the exponents. Thus, apart from the random permutation of the base association, the encoding is unambiguous.

Encoding \(\rightarrow \) Graph: With knowledge of the elements of \({\varXi }_\mathcal {V} \) and \({\varXi }_\mathcal {L} \), an encoded product can be decoded efficiently and unambiguously into the elements of the graph. That the parties are not privy to the discrete logarithm between one base and another guarantees attribute separation. The base designates unambiguously whether a vertex or an edge is encoded. Given that all representatives of the encoding are prime, the product can be decomposed into a unique factorization by the fundamental theorem of arithmetic. Each representative unambiguously represents either a vertex identifier in \({\varXi }_\mathcal {V} \) or a label in \({\varXi }_\mathcal {L} \), as both sets are disjoint. \(\quad \square \)
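The encoding and decoding directions argued above can be exercised in a few lines. The following is an added example, not code from the paper: the prime sets, the function names and the `n_vertices` argument (standing in for the base that tells a vertex message from an edge message) are assumptions chosen for illustration, as is the rule that a representative may occur at most once per message.

```python
from math import prod

# Constructed toy sets (assumptions, not from the paper): small disjoint primes
# standing in for the certified identifier sets Xi_V and Xi_L.
XI_V = {1: 11, 2: 13, 3: 17}        # vertex id -> prime representative e_i
XI_L = {"R": 2, "G": 3, "B": 5}     # label     -> prime representative e_k


def encode_vertex(i, labels):
    """mu_i = e_i * product of e_k over the labels k in f_V(i)."""
    return XI_V[i] * prod(XI_L[k] for k in labels)


def encode_edge(i, j, labels=()):
    """mu_(i,j) = e_i * e_j * product of the edge's label representatives."""
    return XI_V[i] * XI_V[j] * prod(XI_L[k] for k in labels)


def _factor_over(mu, table):
    """Divide the primes of `table` out of mu; return (names found, cofactor)."""
    found = []
    for name, p in table.items():
        count = 0
        while mu % p == 0:
            mu //= p
            count += 1
        if count > 1:
            # Assumption: labels form a set and there are no self-loops.
            raise ValueError(f"representative {p} occurs {count} times")
        if count:
            found.append(name)
    return found, mu


def decode(mu, n_vertices):
    """Decode a message into (vertex ids, labels).

    n_vertices is 1 for a vertex message and 2 for an edge message; in the
    scheme this is determined by the base the exponent sits on.
    """
    if mu < 1:
        raise ValueError("message must be a positive integer")
    vertices, rest = _factor_over(mu, XI_V)
    labels, rest = _factor_over(rest, XI_L)
    if rest != 1:
        raise ValueError(f"cofactor {rest} is not a certified representative")
    if len(vertices) != n_vertices:
        raise ValueError(
            f"expected {n_vertices} vertex identifier(s), found {len(vertices)}"
        )
    return sorted(vertices), sorted(labels)
```

Because both sets contain only primes and are disjoint, `decode` never has to guess: any leftover cofactor or wrong identifier count marks the message as malformed.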

Proof

(Security of graph signatures: Theorem 4). The security of the scheme is directly derived from the unambiguous embedding into Integer commitments and Camenisch-Lysyanskaya signatures and their security properties. Theorem 2 establishes that the graph encoding encodes graphs unambiguously into the CL-message space. The graph structure is encoded in the exponents of the Integer commitment and CL-signature schemes. Confidentiality is derived from the information-theoretical hiding property of the Integer commitment scheme and the hiding properties of CL-signatures on committed messages. Under the condition that the adversary is not privy to the group-order of the commitment and the CL signature scheme, we obtain that integrity for both schemes holds over the integers and thereby the graph encoding (cf. [6]). We obtain existential unforgeability against chosen message attacks directly from the CL-signature scheme in Theorem 1 [2].

10 Well-Formedness Proof

The following proof is representative for the argument structure of the proofs for different predicates; others use the same tools.

Proof

(Wellformedness proofs, Theorem 3). The Schnorr proofs used in the construction are honest-verifier zero-knowledge if executed repeatedly with small challenges, otherwise witness-indistinguishable. It is standard to extract from a successful prover knowledge on the secrets ranging over \(\forall i,j\):

$$\begin{aligned} \mu _i, \mu _{(i,j)}, \rho , \rho _i, \rho _{(i,j)}, \varepsilon _i, \breve{\rho }_i, \gamma _i, \rho _i', \dot{\varepsilon }_i, \gamma _{(i,j)}, \rho _{(i,j)}', \alpha _{i,j}, \beta _{i,j}, \rho _{i,j} \end{aligned}$$

such that all equations of the CS-notation hold for some t, where t must be \(\pm 1\) as modulus N is a product of two safe primes [6]. As CL-signatures are existentially unforgeable [2], we obtain that the messages \(\mu _i\) and \(\mu _{(i,j)}\) are indeed signed, and that the membership proofs for \(\varepsilon _i\) establish that \(\varepsilon _i \in {\varXi }_\mathcal {V} \), i.e., are certified vertex identifiers (the CL multi-show unlinkability ensures that the verifier learns no other information about \(\varepsilon _i\)). The CG-OR proofs [22] yield that \(\gamma _i\) and \(\gamma _{(i,j)}\) must encode valid vertex label identifiers (but yield no further information on the labels). Therefore, we have fixed the roots \(\mu _i, \mu _{(i,j)}\) and the leaves \(\varepsilon _i, \gamma _i, \gamma _{(i,j)}\) of the proof tree in the CL-notation.

It remains to show what can be derived from the equations that connect the roots to the leaves in the vertex and edge composition statements and from the pairwise difference. The technique used is a standard decomposition of certified messages in Integer commitments to make their components accessible to discrete-logarithm based proofs of knowledge; if the same secret is referenced we have an equality proof, if not there is no further information learned about the relation of the secrets. For the vertices, the equation \(C_i \equiv \pm \breve{C}_i^{\gamma _i} S^{\rho _{i}'}\) (4) establishes that \(\mu _i = \varepsilon _i\gamma _i\), given that the prover does not know a multiple of the group order; \(\breve{C}_i\) separates out \(\varepsilon _i\) connected to the membership proof. For edges, the equation \(C_{(i,j)} \equiv \pm \breve{C}_{(i,j)}^{\gamma _{(i,j)}} S^{\rho _{(i,j)}'}\) (7) establishes that \(\mu _{(i,j)} = \mu _{(i,j)}'\gamma _{(i,j)}\), where \(\breve{C}_{(i,j)}\) is shown to contain a product \(\dot{\varepsilon }_i \dot{\varepsilon }_j\) in equation (3), which are in turn shown to be valid vertex identifiers (8). With that, all variables are bound and the connection between the roots and the leaves is established.

Finally, we claim pair-wise difference on vertices from the equation

$$\begin{aligned} R \equiv \pm \breve{C}_{i}^{\alpha _{i,j}} \breve{C}_{j}^{\beta _{i,j}} S^{\rho _{i,j}} \end{aligned} \tag{8}$$

Unless the prover knows a multiple of the group order or the discrete logarithm \(\log _R S\), the following equation must hold over the integers:

$$\begin{aligned} 1 = \varepsilon _i \alpha _{i,j} + \varepsilon _j \beta _{i,j}. \end{aligned}$$

It is well-known that \(\alpha _{i,j}\) and \(\beta _{i,j}\) only exist if \(\varepsilon _i\) and \(\varepsilon _j\) are coprime, which gives us the pair-wise difference claimed.

10.1 Graph 3-Colorability (G3C)

Proof

(Graph 3-Colorability: Lemma 1).

1. Proof of Knowledge. It is standard to show that there exists a knowledge extractor for all exponents of the proof such that the equality of exponents equations are fulfilled.

We obtain from Clause 1 that the prover knows the representation of a CL-Signature of the given structure. From the existential unforgeability of CL-Signatures, we see that the issuer must have signed the secret attributes \(\mu _i\), \(\mu _j\) and \(\mu _{(i,j)}\). Proving equality of exponents with corresponding integer commitments is standard, by which the arguments over the commitments, such as \(C_i\), \(\breve{C}_i\) and \(C_{(i,j)}\) transfer to the structure of the signed messages.

Clause 4 shows that a message \(\mu _i\) consists of two factors known to the prover: \(\mu _i = \varepsilon _i \gamma _i\). The following Clause 5 employs a set membership proof to show that \(\varepsilon _i \in {\varXi }_\mathcal {V} \) and that \(\gamma _i \in {\varXi }_\mathcal {L} \). We use that the set membership from Sect. 2.5 guarantees that \(\varepsilon _i\) and \(\gamma _i\) are exactly one member of the set to conclude that a message \(\mu _i\) contains exactly one vertex identifier and one label identifier. Thus, \(\mu _i\) is well-formed. Similarly, Clause 7 establishes the structure \(\mu _{(i,j)} = \varepsilon _i \varepsilon _j\) for the edge (ij), showing it to be well-formed. Because the prover is not privy to the group order, these statements hold over the integers, by the results of Damgård and Fujisaki [6]. Therefore, with the proof of representation including pair-wise difference, we conclude that the signed graph is well-formed.

Clause 8 shows that the labeling \(f_\mathcal {V} \) of the signed graph is a proper coloring. Again, we employ Damgård and Fujisaki’s [6] result that equations hold over the integers. We have that for each edge (ij), the corresponding signed messages have the following structure:

$$\begin{aligned} \mu _i = \varepsilon _i \gamma _i\quad \text { and }\quad \mu _j = \varepsilon _j \gamma _j. \end{aligned}$$

We show that the secret labels \(\gamma _i\) and \(\gamma _j\) are different by showing that \(\mu _i\) and \(\mu _j\) are coprime, where we use Bézout’s Identity:

$$\begin{aligned} \mathsf {gcd}(\mu _i, \mu _j) = 1\quad \Leftrightarrow \quad 1 = {\alpha _{(i,j)}} \mu _i + {\beta _{(i,j)}} \mu _j. \end{aligned}$$

The equality of exponent proof of Clause 8 achieves this as follows

$$\begin{aligned} R&\equiv \pm C_i^{\alpha _{(i,j)}} C_j^{\beta _{(i,j)}} S^{\rho _{(i,j)}} \pmod {N}\\ R^1&\equiv \pm (R^{\mu _i} S^{\rho _i})^{\alpha _{(i,j)}} (R^{\mu _j} S^{\rho _j})^{\beta _{(i,j)}} S^{\rho _{(i,j)}} \pmod {N}\\ R^1&\equiv \pm R^{{\alpha _{(i,j)}} \mu _i} S^{{\alpha _{(i,j)}} \rho _i} R^{{\beta _{(i,j)}} \mu _j} S^{{\beta _{(i,j)}} \rho _j} S^{\rho _{(i,j)}} \pmod {N}\\ R^1&\equiv \pm R^{{\alpha _{(i,j)}} \mu _i + {\beta _{(i,j)}} \mu _j} S^{{\alpha _{(i,j)}} \rho _i + {\beta _{(i,j)}} \rho _j + \rho _{(i,j)}} \pmod {N} \end{aligned}$$

From this equation we can conclude that \(\mathsf {gcd}(\mu _i, \mu _j) = 1\) and that, therefore, \(\gamma _i \ne \gamma _j\), which implies that \(f_\mathcal {V} (i) \ne f_\mathcal {V} (j) \) and that the CL signature indeed contains a proper coloring. \(\Box \)

2. Zero-Knowledge. We claim that the proof discloses nothing beyond the statement made, namely that the prover knows a CL-Signature of a proper coloring on the known graph \(\mathcal {G} \).

The \({\varSigma }\)-proofs here are zero-knowledge in an honest verifier setting if performed with multiple rounds and small challenges. It is standard to construct a simulator for all \({\varSigma }\)-proofs of representation for the CL-Signature and the commitments as well as for their conjunction [18, 19], showing that the verifier does not learn anything else than the relations on exponents shown.

It remains to be shown what the relations disclose. We will argue on the statements made on the secret messages \(\gamma _i\), which contain the color. Clause 4 establishes that \(\gamma _i\) is part of commitment \(C_i\), but does not disclose further information than the equality of exponents.

Clause 5 proves that \(\gamma _i\) is a member of the set \({\varXi }_\mathcal {L} = \{ e_\mathsf {R}, e_\mathsf {G}, e_\mathsf {B} \}\). This statement itself is part of the known problem definition of G3C. The set membership proof is a proof of representation for an anonymized CL-Signature and a standard proof of equality of exponents, and thereby, does not disclose further information.

Finally, Clause 8 references \(\mu _i = \varepsilon _i \gamma _i\) to prove that \(\gamma _i\) and \(\gamma _j\) of an adjacent edge are coprime. As the vertex identifiers are pair-wise different by definition and as all representatives are primes, this only establishes that \(\gamma _i \ne \gamma _j\) as required by the G3C problem, but nothing else. \(\quad \square \)
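The Bézout argument used for Clause 8, and earlier for the pair-wise difference of vertex identifiers in equation (8), can be checked numerically. The following is an added example, not code from the paper: the modulus, the bases, the sample messages and all function names are constructed assumptions, and the modulus is far too small to hide the group order, so the block illustrates only the algebra of the relation, not the proof of knowledge around it.

```python
# Constructed toy parameters (assumptions, insecure by design):
# N = p*q with safe primes p = 2*11 + 1 and q = 2*23 + 1.
N = 23 * 47
R = pow(5, 2, N)    # commitment bases chosen as quadratic residues mod N
S = pow(7, 2, N)


def commit(mu, rho):
    """Integer commitment C = R^mu * S^rho mod N."""
    return pow(R, mu, N) * pow(S, rho, N) % N


def bezout(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def coprimality_witness(mu_i, rho_i, mu_j, rho_j):
    """Prover side: exponents (alpha, beta, rho_ij) for the relation, or None
    when mu_i and mu_j share a factor (e.g. the same color on both vertices)."""
    g, alpha, beta = bezout(mu_i, mu_j)
    if g != 1:
        return None                              # no Bezout pair sums to 1
    rho_ij = -(alpha * rho_i + beta * rho_j)     # cancels the exponent of S
    return alpha, beta, rho_ij


def relation_holds(c_i, c_j, alpha, beta, rho_ij):
    """Check R == +/- C_i^alpha * C_j^beta * S^rho_ij (mod N)."""
    # pow() with a negative exponent inverts modulo N (Python 3.8+).
    rhs = pow(c_i, alpha, N) * pow(c_j, beta, N) * pow(S, rho_ij, N) % N
    return rhs in (R, N - R)


def edge_properly_colored(mu_i, rho_i, mu_j, rho_j):
    """Commit to both vertex messages and test the coprimality relation."""
    witness = coprimality_witness(mu_i, rho_i, mu_j, rho_j)
    if witness is None:
        return False
    return relation_holds(commit(mu_i, rho_i), commit(mu_j, rho_j), *witness)


# Constructed sample: vertex identifiers 11 and 13, colors 2 (R) and 3 (G).
MU_1 = 11 * 2       # vertex 1 colored R
MU_2 = 13 * 3       # vertex 2 colored G
MU_2_CLASH = 13 * 2 # vertex 2 colored R, same color as vertex 1
```

With `MU_1` and `MU_2` the relation holds; with `MU_2_CLASH` the shared factor 2 means no integers \(\alpha , \beta \) with \(\alpha \mu _i + \beta \mu _j = 1\) exist, so no witness can be formed.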

Proof

(Polynomial Proof of G3C: Lemma 2).

Precomputation: The prover computes \(2 n +1\) signature randomizations with one exponentiation each and \(2 n + m \) integer commitments with 2 exponentiations each. The pre-computation phase uses \(6 n +2 m +1\) exponentiations, transmits \(4 n + m +1\) group elements, and thereby has a computation complexity of \(O( n + m )\) and a communication complexity of \(O( n + m )\).

Proof of Knowledge: The Schnorr proofs in the proof of knowledge are zero-knowledge if executed with small challenges over multiple rounds and can be connected with techniques from Cramer et al. [18]. The round complexity of the overall protocol is dependent on the proof mode (cf. Brands [17]).

Clause 1 is executed once yielding a Schnorr proof with \( n + m +2\) exponentiations for the prover. The clauses 2 are executed once for each vertex, such as i and j. Therefore we have \( n \) Schnorr proofs with 2 exponentiations each for the prover. The clauses 3 are executed once for each edge (ij), making \( m \) Schnorr proofs with 2 exponentiations each for the prover. The clauses 4 are executed once for each vertex, such as i or j. We have \(2 n \) Schnorr proofs with 2 exponentiations each for the prover. The set membership proofs of Clauses 5 are executed once for each vertex and its label. Each set membership proof is a proof of representation of a designated CL-Signature for the set member, amounting to 3 exponentiations for the prover. In total, we have \(2 n \) such proofs of possession, all done with a single Schnorr proof proving equality of exponents with the corresponding commitment. Clause 7 proves the edge structure and is executed once per edge, yielding \( m \) Schnorr proofs with 2 exponentiations each for the prover. Finally, the proper graph coloring in Clause 8 is shown once for each edge (ij), amounting to \( m \) Schnorr proofs with 3 exponentiations for the prover.

The proof of knowledge of graph coloring thereby requires \(5 n + 3 m +1 = O( n + m )\) Schnorr proofs with a computational complexity for the prover of \(13 n +8 m +2 = O( n + m )\) exponentiations. The total computational complexity is therefore \(O( n + m )\), the communication complexity is \(O( n + m )\) group elements. The G3C proof is done in polynomial time. The round complexity depends on the proof mode, where variants with multiple rounds (number of rounds depending on the error probability), with four rounds and initial commitments of the verifier on challenges, and three rounds in a \({\varSigma }\)-proof (not zero-knowledge) are possible. \(\quad \square \)

10.2 CL Proof Systems for NP-Statements

Proof

(Sketch NP-Statements: Theorem 5). Let an NP language \(\mathfrak {L} \) be given. Let \(\tau \) be a polynomial-time computable and invertible reduction from \(\mathfrak {L} \) to Graph 3-Colorability (G3C): \(\tau \) can be constructed by composing a polynomial-time reduction of \(\mathfrak {L} \) to 3SAT by Cook’s proof [27] and a polynomial-time reduction from 3SAT to G3C. We have that \(x \in \mathfrak {L} \) iff \(\tau (x)\) is 3-colorable.

On common input x, both prover and verifier compute graph \(G \leftarrow \tau (x)\). In Goldreich, Micali and Wigderson’s work, the proof proceeds to use any interactive zero-knowledge proof system to prove that G is 3-colorable and thereby show that \(x \in \mathfrak {L} \). Our proof continues from this point to show that there exists a Camenisch-Lysyanskaya proof system.

On obtaining \(\mathcal {G} = \tau (x)\), the prover constructs a graph commitment C on \(\mathcal {G} \) as defined in Sect. 3, including a labeling \(f_\mathcal {V} \) of a proper coloring of \(\mathcal {G} \). The known-graph proof transmits \(\mathcal {G} \) itself, yet keeps the proper coloring confidential as default.

Proof of Representation \(\mathsf {P} \!\rightarrow \mathsf {I} \!:\) The prover interacts with a CL-Signature issuer, proving representation and well-formedness of the commitment C in a known-graph proof, disclosing information to satisfy the verification requirements of the issuer. As \(\tau (x)\) is invertible, this proof of representation of G and the proper coloring serves as proof of representation for x and \(x \in \mathfrak {L} \).

Issuing \(\mathsf {I} \!\rightarrow \mathsf {P} \!:\) Upon acceptance of the proof, the issuer signs the committed graph \(\mathcal {G} \) in a CL-Signature \(\sigma \). Given the invertibility of \(\tau \), this signature holds for x as well. \(\sigma \) is a CL-Signature on \(\tau (x)\) and the proper coloring of \(\tau (x)\) iff \(x \in \mathfrak {L} \).

Proof of Possession \(\mathsf {P} \!\rightarrow \mathsf {V} \!:\) The prover interacts with the verifier to prove knowledge of the CL-Signature \(\sigma \) on a proper coloring on \(\mathcal {G} \) and thereby shows graph 3-colorability of \(\tau (x)\), which holds iff \(x \in \mathfrak {L} \). Thereby, the proof of possession of \(\sigma \) translates to a proof of possession of the statement \(x \in \mathfrak {L} \). The proof is zero-knowledge if executed with small challenges over multiple rounds. \(\quad \square \)

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Groß, T. (2015). Signatures and Efficient Proofs on Committed Graphs and NP-Statements. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_18

  • DOI: https://doi.org/10.1007/978-3-662-47854-7_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-47853-0

  • Online ISBN: 978-3-662-47854-7

  • eBook Packages: Computer Science (R0)
