JP6261493B2 - Zero knowledge proof system and method, certifier device, verifier device, and program - Google Patents

Description

  The present invention relates to a cryptographic protocol, and more particularly to zero knowledge proof, which is a kind of cryptographic protocol (dialogue proof) for performing proof by dialogue.

In zero-knowledge proof, a protocol participant called a prover performs proof by communicating with a protocol participant called a verifier a plurality of times. In particular, the prover and verifier have the NP language L and instance x as common inputs, and the prover proves to the verifier that x ∈ L holds. The prover has witness w that x ∈ L as a secret input. The following (1) to (3) are known as the safety of zero knowledge proof.
(1) Completeness: If x ∈ L (if the proposition is true), the proof succeeds.
(2) Soundness: Any prover fails to prove if x ∈ L is not true (if the proposition is false).
(3) Zero knowledge: If x ∈ L, information other than x ∈ L (for example, information on w) is not leaked to any verifier.

  It is known that zero knowledge proof is useful for authentication alone, and is also useful as a component of other cryptographic protocols.

  Several additional properties and security have been proposed for zero knowledge proof. Among them, the present invention relates to the following public random numbers and the possibility of parallel execution.

  The public random number is a property related to the structure of the zero knowledge proof, and all messages sent by the verifier are random numbers. That is, in the zero knowledge proof, the prover and the verifier alternately transmit various values at the time of execution, but in the public random number type zero knowledge proof, all the values transmitted by the verifier at the time of execution are independent random numbers. The public random number type zero knowledge proof has the advantage that it can be applied in various ways due to its simple structure. For example, it is known that a zero-knowledge proof satisfying stronger soundness (resetable soundness) than before can be constructed by using a public random number type zero-knowledge proof.

  The parallel feasibility is a property that safety (especially zero knowledge) is maintained even if the protocol is executed concurrently. Zero knowledge proofs are always safe in sequential execution, but generally are not always safe in parallel execution. There is no limit to the number of zero knowledge proofs to be executed in parallel, and there is no limit to the order of parallel execution. The parallel executable zero knowledge proof has the advantage that it can be used safely even in situations where the protocol may be executed in parallel. For example, it is difficult to always execute a plurality of zero knowledge proofs in series on an asynchronous network such as the Internet. Therefore, in order to use zero knowledge proof on such a network, concurrent executable zero knowledge proof is required.

  There are many prior arts related to public random number type zero knowledge proof and parallel executable zero knowledge proof, but it is difficult to satisfy both public random number and parallel feasibility simultaneously, and there are few prior arts. The prior art related to public random number type parallel executable zero knowledge proof is related to the present invention in the techniques described in Non-Patent Documents 1 and 2 described below.

Non-Patent Document 1 discloses the prior art related to public-random-type parallel executable zero-knowledge proof under the condition that security proof from standard cryptographic assumptions is possible and a trusted third party is not used. Technology only. However, the zero knowledge proof shown in Non-Patent Document 1 has a drawback that the number of rounds is large. That is, when executing the zero-knowledge proof of Non-Patent Document 1, the prover and the verifier must perform communication many times, so that the execution time becomes long and the efficiency is low. Specifically, the number of rounds in the zero knowledge proof of Non-Patent Document 1 is O (n ^ε ). Here, n is a security parameter, and ε is a constant.

  In addition, it is shown that when a certain kind of trusted third party is used, it is possible to construct a public random number type parallel executable zero knowledge proof that is capable of performing safety proof from standard assumptions and is efficient. In particular, Non-Patent Document 2 proposes a public random number type parallel executable zero knowledge proof in a model (Global hash function model) in which there is a third party who discloses a random hash function. However, since these protocols use a reliable third party, there is a drawback that the available situations are limited.

  Regarding the prior art, there are only two types of problems: (1) a technology that does not use a reliable third party but is inefficient, and (2) a technology that uses a reliable but reliable third party. there were.

Vipul Goyal, “Non-black-box simulation in the fully concurrent setting”, In STOC, pages 221-230, 2013. Ran Canetti, Huijia Lin, and Omer Paneth, “Public-coin concurrent zero-knowledge in the global hash model”, In TCC, pages 80-99, 2013.

  An object of the present invention is to provide a zero-knowledge proof system and method, a prover device, a verifier device, and a program that are more efficient than conventional methods and do not use a reliable third party.

A zero-knowledge proof system according to an aspect of the present invention is a zero-knowledge proof system including a prover device and a verifier device, where H is a hash function family, and H _n = ^def (h _s ∈ H st _s ∈ { 0,1} ⁿ }, the domain of each h∈H _n is {0,1} ^* , the range of each h∈H _n is {0,1} ⁿ , and the verifier device has a hash function h∈ H _n is selected and transmitted to the prover device, i = 1, ..., N _slot , j = 1, ..., n, and Pro (0 ⁿ ) is proved as a probabilistic algorithm that outputs 0 ⁿ commitment The user apparatus calculates C _{i, j} = Com (0 ⁿ ) and C ′ _{i, j} = Com (0 ⁿ ), and C ^→ _i = (C _{i, 1} , C ′ _{i, 1} ,..., C _{i, n} , C ′ _{i, n} ) to the verifier device, and i = 1,..., N _slot , the verifier device generates a character string r _i ∈ {0,1} ^{n ^ 2} The prover device is transmitted to the prover device, the input of the prover device is (x, w), w is the witness of x, the input of the verifier device is x, and Λ ₁ is a predetermined language. witness indistinguisha By using WIPOK, which is a dialogue proof method that guarantees bility safety, multiple communication with the verifier device is performed based on the above input, so that `` (x∈L) ∨ (<h, C ^→ 1, r ₁ , ..., C ^→ _Nslot , r _Nslot > ∈Λ ₁ ) ” .

  Efficient and more efficient than before, zero knowledge proof can be performed without using a reliable third party.

The functional block diagram of a zero knowledge proof system.

The present invention relates to a public random number type parallel executable zero knowledge proof. Security can be proved without using a trusted third party, and security certification from standard cryptography is possible. Compared with the technique of the same nonpatent literature 1, it implement ^| achieves by the smaller round number (n ^ ((omega) (1 / (log n) ^1/2 )). Here, it is (omega) (1 / (log n)). ^1/2 ) is an arbitrary function that is asymptotically larger than 1 / (log n) ^1/2 .

  In the embodiment of the present invention, the following conventional technique is used.

Collision- _resistant hash function family: In the present invention, a collision- _resistant hash function family H = {h _s } _{s∈ {0,1} *} is used. Here, for each n∈N, H _n = ^def {h _s ∈H st s∈ {0,1} ⁿ }. At this time, in each h∈H _n , the domain of h is {0,1} ^* (that is, an arbitrary length character string), and the range is {0,1} ⁿ .

Non-interactive commitment method: The non-interactive commitment method is a probabilistic algorithm Com, which uses the string v∈ {0,1} ⁿ and the random number r∈ {0,1} ^{poly (n)} as input, and the commitment c = Com ( v; r) is output. In the following, an operation “c ← Com (v; r) is selected by randomly selecting r∈ {0,1} ^{poly (n} )” by “c ← Com (v)” is represented. “C ← Com (v)” is also expressed as “c = Com (v)”. Here, in particular, a method having a property that (v, r) satisfying Com (v; r) = c is uniquely determined for an arbitrary c is used. It is well known that such commitment schemes can be constructed from unidirectional replacements. poly (n) is a predetermined polynomial for n. poly (n) is determined depending on Com.

Witness-indistinguishable proof of knowledge: Witness-indistinguishable proof of knowledge (WIPOK) is a kind of dialogue proof as well as zero knowledge proof. Therefore, even in WIPOK, the prover proves the proposition by communicating with the verifier multiple times. However, WIPOK does not guarantee zero knowledge, but instead guarantees the safety of witness indistinguishability. This means that when proving a proposition of the form `` (x ₁ ∈ L ₁ ) ∨ (x ₂ ∈ L ₂ ) '', is it proved by using the fact that x ₁ ∈ L ₁ holds? X ₂ ∈ Guarantee that the verifier cannot identify whether he proved using the fact that L ₂ holds.

  WIPOK can be any public random number. It is well known that a constant round public random number type WIPOK can be constructed using a one-way function.

Universal argument: Universal argument (UA) is one of the proofs of dialogue like zero knowledge proof and WIPOK. Here, the UA of Reference 1 is used in particular.
[Reference 1] Boaz Barak and Oded Goldreich, “Universal arguments and their applications”, SIAM J. Comput., 38 (5): P.1661-1694, 2008.

Since the number of rounds of this UA is 4, the communication sequence between the prover and the verifier can be written as (UA ₁ , UA ₂ , UA ₃ , UA ₄ ). That is, the verifier sends a value UA ₁ first, then the prover sends another value UA ₂ , the verifier sends UA ₃ , and finally the prover sends UA ₄ .

After receiving UA ₄ , the verifier determines whether the proof by the prover is correct from the communication series (UA ₁ , UA ₂ , UA ₃ , UA ₄ ). Here, since UA in Reference Document 1 is a public random number type, UA ₁ and UA ₃ are random numbers with appropriate lengths. Specifically, UA ₁ is a random hash function hεH _n and UA ₃ is a random n ² bit string.

  The technical background of the embodiment of the present invention will be described below. The system of the embodiment of the present invention is based on the Feige-Lapidot-Sahai (FLS) technique that is actively used in the study of zero knowledge proof. In order to explain this FLS technique, first, the definition of zero knowledge, which is the security of zero knowledge proof, will be explained. In the definition of zero knowledge, in order to express that no verifier obtains information on witness, etc., it is required for any verifier to have a simulator. Here, the simulator receives the same input (language L and instance x) as the verifier, and outputs (simulates) a communication sequence between the prover and the verifier. If a simulator exists for any verifier, it is intuitively guaranteed that the verifier has not obtained information on witness from the proof for the following reasons.

1. If the verifier obtains some information by communicating with the prover, the information should be calculated from the communication sequence between the prover and the verifier. This is because the information obtained from the prover by the verifier is only the communication series.
2. Therefore, if there is a simulator that outputs the communication sequence between the prover and the verifier from the same input as the verifier, the information obtained by the verifier can be calculated only from the input of the verifier.
3. This means that all the information obtained by the verifier can be calculated without communicating with the prover. Therefore, the verifier cannot obtain information (such as witness w) that cannot be calculated from the verifier's input. You wo n’t get it.

At this time, zero knowledge proof using the FLS technique takes the following form. The proposition that the prover proves to the verifier is x∈L.
1. Trap door information generation phase: The prover and verifier execute a protocol called trap door information generation protocol. If the communication sequence between the prover and the verifier in this protocol is written as trans, this protocol defines some language L ~ with respect to trans.
2. Proof phase: The prover uses WIPOK to prove “(x∈L) ∨ (trans∈L ~)”. Since the trapdoor information generation protocol is designed to be ¬ (trans∈L ~), if the proof by WIPOK is successful in the proof phase, x∈L holds from the soundness of WIPOK. Here, ¬ (trans∈Λ ₁ ) represents that trans is not an element of Λ ₁ . On the other hand, the trapdoor information generation protocol is also designed so that it can be simulated as transεL˜, so the simulator can simulate a communication sequence using the fact that transεL˜ holds.

  Since the system of the embodiment of the present invention is based on the FLS technique as described above, the rough configuration is as shown above.

  The difference in the prior art is that a newly designed trap door information generation protocol is used.

  Hereinafter, a zero knowledge proof system according to an embodiment of the present invention will be described.

The zero knowledge proof system includes, for example, a prover device P and a verifier device V as shown in FIG.
Input: The input of the prover apparatus P is (x, w), and the input of the verifier apparatus V is x. Here, x∈L with respect to the NP language L, and w is the witness of x∈L. The purpose of the prover device P is to prove x∈L.
Parameters: Integer N _slot = n ^ ω (1 / (log n) ^1/2 ).
Stage 1: The verifier device V randomly selects a hash function hεH _n and transmits the selected hash function h to the prover device P.
Stage 2: For each i∈ {1,..., N _slot }, the prover apparatus P and the verifier apparatus V perform the following in order.
1. For each j∈ {1,..., N}, the prover apparatus P calculates C _{i, j} ← Com (0 ⁿ ) and C ′ _{i, j} ← Com (0 ⁿ ). Then, the prover apparatus P transmits C ^→ _i = (C _{i, 1} , C ′ _{i, 1} ,..., C _{i, n} , C ′ _{i, n} ) to the verifier V.
2. The verifier device V transmits a random character string r _i ∈ {0,1} ^{n ^ 2} to the prover device P.
In this way, the prover device P sets i = 1,..., N _slot , j = 1,..., N, and C _{i, j} = Com (0 ⁿ ) and C ′ _{i, j} = Com (0 ⁿ ) And C ^→ _i = (C _{i, 1} , C ′ _{i, 1} ,..., C _{i, n} , C ′ _{i, n} ) is transmitted to the verifier device V.
Further, the verifier device V generates a character string r _i ε {0,1} ^{n ^ 2} with i = 1,..., N _slot and transmits it to the prover device P.
Stage 3: The prover device P uses WIPOK to prove “(x∈L), (<h, C ^→ 1, r ₁ ,..., C ^→ _Nslot , r _Nslot > ∈Λ ₁ )”.

Here, Λ ₁ is a predetermined language corresponding to L˜ described in the FLS technique. That is, Λ ₁ is designed so that the communication protocol of the communication protocol between the prover apparatus P and the verifier apparatus V is trans, and the communication protocol is ¬ (trans∈Λ ₁ ), but trans∈ It satisfies the relationship that it is designed to be simulated with Λ ₁ . Specifically, Λ ₁ is a language that satisfies the following properties.

Language Λ ₁ : <h, C ^→ 1, r ₁ ,…, C ^→ _Nslot , r _Nslot > ∈Λ ₁ holds if:
is there
i ₁ , i ₂ , i ₃ ∈ {1,…, N _slot } and j∈ {1,…, n} st i ₁ <i ₂ <i ₃ ,
U The second and fourth message UA ₂ ∈ {0, 1} of ^{_{A n, UA 4 ∈ {0,1}} } poly (n),
Random number R∈ {0,1} ^{poly (n)} used for Com
Exists,
C _{i3, j} = Com (UA ₂ ; R), and
(h, UA ₂ , r _i3 , UA ₄ ) is a correct proof of <h, C _{i1, j} , r _i1 , C _{i2, j} , C ′ _{i1, j} , r _i2 > ∈Λ ₂ .
Meet.
Language Λ ₂ : <h, C ₁ , r ₁ , C ₂ , C ′ ₁ , r ₂ > ∈Λ ₂ holds when
Oracle machine Π st | Π | ≦ T (n),
UA second and fourth messages UA ₂ ∈ {0,1} ⁿ , UA ₄ ∈ {0,1} ^{poly (n)} ,
String τ st | τ | ≦ T (n),
Random numbers R ₁ , R ₂ , R ' ₂ ∈ {0,1} ^{poly (n)} , used for Com
Integer T ~ ≦ T (n)
Exists,
C ₁ = Com (h (Π); R ₁ ), C ₂ = Com (UA ₂ , R ₂ ), C ' ₂ = Com (h (τ || T ~); R' ₂ ), and
r ₁ is a substring of τ, and
(h, UA ₂ , r ₂ , UA ₄ ) is a correct proof of <h, τ, T ~> ∈Λ ₃ .
Meet.

UA ₂ ∈ {0,1} ⁿ and UA ₄ ∈ {0,1} ^{poly (n)} are messages generated when the simulator simulates a communication sequence.
T (n) is a function larger than a polynomial, such as n ^logn .
Language Λ ₃ : <Π, τ, T ~> ∈Λ ₃ holds if:
Yes String y st | y | ≦ T ~
Exists and satisfies the following.

Π ^O outputs τ within T ~ step. Here, O is an Oracle, and when it receives Q, it returns (v, r) that satisfies Q = Com (v; r). Due to the nature of Com, (v, r) is uniquely determined.

For every Q that Π queries O when ^O executes, there is (Q, v, r) ∈y and satisfies Q = Com (v; r).

  Hereinafter, a comparison with the prior art will be described. The difference from the prior art is the trapdoor generation protocol (Stage 1 and Stage 2). The trapdoor information generation protocol is based on the zero knowledge proof trapdoor information generation protocol of Non-Patent Document 2. However, since the trap door information generation protocol of Non-Patent Document 2 uses a reliable third party, in the above embodiment, the trap door information generation protocol can be trusted by changing the language defined mainly by the trap door generation protocol to the one described above. The three parties are unnecessary. In particular, compared with Non-Patent Document 2, the number of languages is increased from two to three.

In the above embodiment, the number of rounds is reduced from O (n ^ε ) to n ^ (ω (1 / (log n) ^1/2 ), compared with the method of Non-Patent Document 1, thereby improving the efficiency. Moreover, compared with the method of Non-Patent Document 2, since a reliable third party is not used, it can be used in various situations.

[Modifications, etc.]
The processes described above are not only executed in chronological order according to the order of description, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  Various processing functions in each device may be realized by a computer. In that case, the processing contents of the functions that each device should have are described by a program. By executing this program on a computer, various processing functions in each device are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Further, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage unit. When executing the process, this computer reads the program stored in its own storage unit and executes the process according to the read program. As another embodiment of this program, a computer may read a program directly from a portable recording medium and execute processing according to the program. Further, each time a program is transferred from the server computer to the computer, processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program includes information provided for processing by the electronic computer and equivalent to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In addition, although each device is configured by executing a predetermined program on a computer, at least a part of these processing contents may be realized by hardware.

Claims (6)

A zero knowledge proof system including a certifier device and a verifier device,
H is a hash function family, H _n = ^def {h _s ∈ H st _s ∈ {0,1} ⁿ }, each h∈ H _n domain is {0, 1} ^*, and each h ∈ H _n as the range of {0, 1} ^n, the verifier device selects the hash function H∈H _n is transmitted to the prover device,
As a probabilistic algorithm for outputting i = 1, ..., N _slot , j = 1, ..., n and Com (0 ⁿ ) outputs a commitment of 0 ⁿ , the above prover device uses C _{i, j} = Com (0 ⁿ ) and C ′ _{i, j} = Com (0 ⁿ ) and C ^→ _i = (C _{i, 1} , C ′ _{i, 1} ,..., C _{i, n} , C ′ _{i, n} ) To the verifier device,
i = 1, ..., a N _slot, the verifier unit generates string ^{_{r i ∈ {0,1} n ^}} 2 sends to the prover device,
The input of the prover device a (x, w), the w a witness of x, the input of the verifier apparatus and x, the lambda ₁ as the predetermined language, the prover device, the so-called witness Indistinguishability By using WIPOK, which is a dialogue proof method that guarantees security, to perform communication with the verifier device multiple times based on the above input, `` (x∈L) ∨ (<h, C <sup>→</sup> 1, r <sub>1</sub> ,…, C <sup>→</sup> <sub>Nslot</sub> , r <sub>Nslot</sub> > ∈Λ <sub>1</sub> ) ”to the verifier ,
Zero knowledge proof system. A zero knowledge proof method for performing zero knowledge proof between a prover device and a verifier device,
H is a hash function family, H <sub>n</sub> = <sup>def</sup> {h <sub>s</sub> ∈ H st <sub>s</sub> ∈ {0,1} <sup>n</sup> }, each h∈ H <sub>n</sub> domain is {0, 1} <sup>*,</sup> and each h ∈ H <sub>n</sub> the value range as {0, 1} <sup>n,</sup> a step of the verifier apparatus, select a hash function H∈H <sub>n</sub> is transmitted to the prover device,
As a probabilistic algorithm for outputting i = 1,..., N <sub>slot</sub> , j = 1,..., and Com (0 <sup>n</sup> ) as a commitment of 0 <sup>n</sup> , the above prover device uses C <sub>i, j</sub> = Com (0 <sup>n</sup> ) and C ′ <sub>i, j</sub> = Com (0 <sup>n</sup> ) and C <sup>→</sup> <sub>i</sub> = (C <sub>i, 1</sub> , C ′ <sub>i, 1</sub> ,..., C <sub>i, n</sub> , C ′ <sub>i, n</sub> ) Transmitting to the verifier device;
i = 1, ..., a N <sub>slot,</sub> the method comprising the verifier device sends to the prover device to generate a string <sup><sub>r i ∈ {0,1} n ^</sub></sup> 2,
The input of the prover device a (x, w), the w a witness of x, the input of the verifier apparatus and x, the lambda <sub>1</sub> as the predetermined language, the prover device, the so-called witness Indistinguishability By using WIPOK, which is a dialogue proof method that guarantees security, to perform communication with the verifier device multiple times based on the above input, `` (x∈L) ∨ (<h, C ^→ 1, r ₁ ,…, C ^→ _Nslot , r _Nslot > ∈Λ ₁ ) ”to the verifier ,
Zero-knowledge proof method including   The prover apparatus of the zero knowledge proof system according to claim 1.   The verifier apparatus of the zero knowledge proof system according to claim 1. Program for causing a computer to function as the prover equipment of claim 3. A program for causing a computer to function as the verifier device according to claim 4.

Images