update dis

This commit is contained in:
jude 2023-03-31 11:45:06 +01:00
parent 931b669529
commit 474fe9f70a
4 changed files with 146 additions and 19 deletions

View File

@ -21,8 +21,8 @@
\usepackage[margin=1in]{geometry}
% Margins
\usepackage{sfmath} % These two lines set the fonts to
\renewcommand{\familydefault}{\sfdefault} % sans-serif
%\usepackage{sfmath} % These two lines set the fonts to
%\renewcommand{\familydefault}{\sfdefault} % sans-serif
\usepackage{natbib} % Bibliography and citations
\newcommand*{\urlprefix}{Available from: }% in the Harvard-Bath style

View File

@ -201,17 +201,6 @@ doi={10.1109/SP.2014.36}}
organization={Springer}
}
@article{damgaard2010generalization,
title={A generalization of Pailliers public-key system with applications to electronic voting},
author={Damg{\aa}rd, Ivan and Jurik, Mads and Nielsen, Jesper Buus},
journal={International Journal of Information Security},
volume={9},
number={6},
pages={371--385},
year={2010},
publisher={Springer}
}
@phdthesis{groth2004honest,
title={Honest verifier zero-knowledge arguments applied},
author={Groth, Jens},
@ -219,6 +208,29 @@ doi={10.1109/SP.2014.36}}
school={BRICS}
}
@manual{random(4),
title = "random, urandom - kernel random number source devices",
year = "2017",
month = "September",
}
@InProceedings{fhe,
author="Gentry, Craig
and Sahai, Amit
and Waters, Brent",
editor="Canetti, Ran
and Garay, Juan A.",
title="Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based",
booktitle="Advances in Cryptology -- CRYPTO 2013",
year="2013",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="75--92",
abstract="We describe a comparatively simple fully homomorphic encryption (FHE) scheme based on the learning with errors (LWE) problem. In previous LWE-based FHE schemes, multiplication is a complicated and expensive step involving ``relinearization''. In this work, we propose a new technique for building FHE schemes that we call the approximate eigenvector method. In our scheme, for the most part, homomorphic addition and multiplication are just matrix addition and multiplication. This makes our scheme both asymptotically faster and (we believe) easier to understand.",
isbn="978-3-642-40041-4"
}
@InProceedings{fiatshamir,
author="Fiat, Amos
and Shamir, Adi",
@ -267,4 +279,34 @@ doi={10.1109/SP.2014.36}}
doi = {10.1007/s10207-010-0119-9}
}
@book{schneier_1996, place={Estados Unidos}, title={Applied cryptography}, publisher={John Wiley}, author={Schneier, Bruce}, year={1996}}
@book{schneier_1996, place={Estados Unidos}, title={Applied cryptography}, publisher={John Wiley}, author={Schneier, Bruce}, year={1996}}
@article{Shor_1997,
doi = {10.1137/s0097539795293172},
url = {https://doi.org/10.1137%2Fs0097539795293172},
year = 1997,
month = {oct},
publisher = {Society for Industrial {\&} Applied Mathematics ({SIAM})},
volume = {26},
number = {5},
pages = {1484--1509},
author = {Peter W. Shor},
title = {Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer},
journal = {{SIAM} Journal on Computing}
}
@inproceedings{Boudot2000EfficientPT,
title={Efficient Proofs that a Committed Number Lies in an Interval},
author={Fabrice Boudot},
booktitle={International Conference on the Theory and Application of Cryptographic Techniques},
year={2000}
}

Binary file not shown.

View File

@ -7,6 +7,8 @@
\usepackage{tikz}
\DeclareMathOperator{\lcm}{lcm}
\DeclareMathOperator{\id}{id}
\DeclareMathOperator{\pr}{pr}
\newtheorem{theorem}{Theorem}[section]
\newtheorem{proposition}[theorem]{Proposition}
@ -17,6 +19,7 @@
\newtheorem{remark}[theorem]{Remark}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{example}[theorem]{Example}
\newtheorem{protocol}[theorem]{Protocol}
\title{Cryptographic protocol for playing Risk in an untrusted setting}
\author{Jude Southworth}
@ -194,7 +197,7 @@ A similar issue appears in the proposed system: a cheating player could update t
Some cryptosystems admit an additive homomorphic property: that is, given the public key and two encrypted values $\sigma_1 = E(m_1), \sigma_2 = E(m_2)$, the value $\sigma_1 + \sigma_2 = E(m_1 + m_2)$ is the ciphertext of the underlying operation.
\cite{paillier1999public} defined a cryptosystem based on residuosity classes, which expresses this property. \cite{damgaard2010generalization} demonstrates an honest-verifier zero-knowledge proof for proving a given value is 0. Hence, clearly, proving a summation $a + b = v$ can be performed by proving $v - a - b = 0$ in an additive homomorphic cryptosystem.
\cite{paillier1999public} defined a cryptosystem based on residuosity classes, which expresses this property. \cite{damgard2003} demonstrates an honest-verifier zero-knowledge proof for proving a given value is 0. Hence, clearly, proving a summation $a + b = v$ can be performed by proving $v - a - b = 0$ in an additive homomorphic cryptosystem.
So, using some such scheme to obscure edge weights should enable verification of the edge values without revealing their actual values.
@ -209,7 +212,7 @@ An alternative general protocol is the $\Sigma$-protocol \citep{groth2004honest}
\end{itemize}
This reduces the number of communications to a constant, even for varying numbers of challenges.
The Fiat-Shamir heuristic \citep{fiatshamir} provides a method to further reduce communication by constructing non-interactive zero-knowledge proofs using a random oracle. For ledgers, non-interactive zero-knowledge proofs are necessary, as the ledger must be resilient to a user going offline. However, in our case, users should be expected to stay online for an entire session of Risk, and each session is self-contained. So this full transformation is not necessary.
The Fiat-Shamir heuristic \citep{fiatshamir} provides another method to reduce communication by constructing non-interactive zero-knowledge proofs using a random oracle. For ledgers, non-interactive zero-knowledge proofs are necessary, as the ledger must be resilient to a user going offline. However, in our case, users should be expected to stay online for an entire session of Risk, and each session is self-contained. So this full transformation is not necessary.
\subsubsection{Set membership proofs}
@ -332,7 +335,7 @@ Let $c$ be the ciphertext. The corresponding plaintext is computed as $m = L(c^\
The proof system is that of \cite{damgard2003}. The authors give a method to prove knowledge of an encrypted value. The importance of using a zero-knowledge method for this is that it verifies knowledge to a single party. This party should be an honest verifier: this is an assumption we have made of the context, but in general this is not true, and so this provides an attack surface for colluding parties.
The proof system presented is an interactive proof for a given ciphertext $c$ being an encryption of 0.
The proof system presented is an interactive proof for a given ciphertext $c$ being an encryption of zero.
\begin{center}
\begin{tikzpicture}[every node/.append style={very thick,rounded corners=0.1mm}]
@ -387,7 +390,58 @@ For (1), we propose the following communication sequence. The player submits pai
\subsection{Cheating with negative values}
A severe consideration is the ability to cheat with negative values.
By using negative values, a player can cheat their unit count during reinforcements. This is a severe issue, as potentially the cheat could be completely unnoticed even in the conclusion of the game. To overcome this, we apply a range proof for each committed value.
\cite{Boudot2000EfficientPT} demonstrates a proof that some given ciphertext lies within an interval $[-\ell, 2\ell]$, where $\ell$ is some public value. This proof can easily be manipulated into a proof that a value lies within the interval $[0, 3\ell]$ from the additive homomorphic property.
The combination of proofs is then to prove that the sum of all ciphertexts is 1, and the range of each ciphertext is as tight as possible, which is within the range $[0, 3]$ from the proof above. This is acceptable in the specific application, however we can achieve a better proof that is similar in operation to \cite{Boudot2000EfficientPT}.
Instead of proving a value is within a range, the prover will demonstrate that a bijection exists between the elements in the reinforcement set and a challenge set.
\begin{protocol}\label{protocol1}
The prover transmits the set \begin{align*}
S = \{ (R_1, E(n_1, r_1)), \dots, (R_N, E(n_N, r_N)) \}
\end{align*} as their reinforcement step. Verifier wants that the second projection of this set maps to 1 exactly once.
Run $t$ times in parallel:
\begin{enumerate}
\item Prover transmits $\{ (\psi(R_i), E(n_i, r_i^*)) \mid 0 < i \leq N \}$ where $\psi$ is a random bijection on the regions.
\item Verifier chooses a random $c \in \{0, 1\}$. \begin{enumerate}
\item If $c = 0$, the verifier requests the definition of $\psi$, to indeed see that this is a valid bijection. They then compute the product of the $E(x, r_1) \cdot E(x^*, r_1^*)$ and verify proofs that each of these is zero.
\item If $c = 1$, the verifier requests a proof that each $E(n_i, r_i^*)$ is as claimed.
\end{enumerate}
\end{enumerate}
\end{protocol}
This protocol has the following properties, given that the proof of zero from before also holds the same properties \citep{damgard2003}.
\begin{itemize}
\item \textbf{Complete.} The verifier will clearly always accept $S$ given that $S$ is valid.
\item \textbf{Sound.} A cheating prover will trick a verifier with probability $2^{-t}$. So select a sufficiently high $t$.
\item \textbf{Zero-knowledge.} Supposing each $\psi$, $r_i$, and $r_i^*$ are generated in a truly random manner, the verifier gains no additional knowledge of the prover's private state.
\end{itemize}
Additionally, we can consider this protocol perfect zero-knowledge.
\begin{proposition}
In the random oracle model, \hyperref[protocol1]{Protocol~\ref*{protocol1}} is perfect zero-knowledge.
\end{proposition}
\begin{proof}
To prove perfect zero-knowledge, we require a polynomial-time algorithm $T^*$ such that for all verifiers and for all valid sets $S$, the set of transcripts $T(P, V, S) = T^*(S)$, and the distributions are identical.
Such a $T^*$ can be defined for any $S$. \begin{enumerate}
\item Choose a random $\psi'$ from the random oracle.
\item Choose random $(r_i^*)'$ from the random oracle.
\item Encrypt under $P$'s public-key.
\item Verifier picks $c$ as before.
\item Perform proofs of zero, which are also perfect zero-knowledge from \cite{damgard2003}.
\end{enumerate}
This gives $T^*$ such that $T^*(S) = T(P, V, S)$, and the output distributions are identical. Hence, this proof is perfect zero-knowledge under random oracle model.
\end{proof}
\subsection{Shared random values}
@ -451,10 +505,41 @@ The typical way to avoid modular bias is by resampling. To avoid excessive commu
Random values are used in two places. \begin{itemize}
\item Selecting the first player.
\item Rolling dice.
\end{itemize}
\section{Implementation review}
\subsection{Random oracles}
Various parts of the implementation use the random oracle model: in particular, the zero-knowledge proof sections. The extent to which the random oracle model is used is in the construction of truly random values that will not reveal information about the prover's state. In practice, a cryptographically secure pseudo random number generator will suffice for this application, as CSPRNGs typically incorporate environmental data to ensure outputs are unpredictable \citep{random(4)}.
\subsection{Efficiency}
\subsubsection{Storage complexity}
Paillier ciphertexts are constant size, each $\sim$1.0kB in size (as they are taken modulo $n^2$, where $n$ is the product of two 2048 bit primes). This is small enough for the memory and network limitations of today.
The proof of zero uses two Paillier ciphertexts, a challenge of size 2048 bits, and a proof statement of size 4096 bits. In total, this is $\sim$2.8kB. These are constant size, and since they run in a single round, take constant time.
On the other hand, \hyperref[protocol1]{Protocol~\ref*{protocol1}} requires multiple rounds. Assume that we use 42 rounds: this provides an acceptable level of soundness, with a cheat probability of $\left(\frac{1}{2}\right)^{-42} \approx 2.3 \times 10^{-13}$. Additionally, assume that there are 10 regions to verify. Each round then requires ten Paillier ciphertexts alongside ten proofs of zero. This results in a proof size of $\sim$1.7MB. Whilst this is still within current memory limitations, the network cost is extreme.
This could be overcome by reducing the number of rounds, which comes at the cost of increasing the probability of cheating. In a protocol designed to only facilitate a single game session, this may be acceptable to the parties involved. For example, reducing the number of rounds to 19 will increase the chance of cheating to $\left(\frac{1}{2}\right)^{-19} \approx 1.9 \times 10^{-6}$, but the size would reduce considerably to $\sim$770kB.
Another potential solution is to change the second challenge's structure to only verify a single random ciphertext each turn. This would approximately half the amount of data required at the expense of soundness. However, the advantage over lowering the number of rounds is that the change in soundness is dependent on the number of items in the set being verified. By a tactful selection, a high probability of soundness can still be maintained. %todo
\subsection{Quantum resistance}
Some of the security of Paillier relies upon the difficulty of factoring large numbers. Therefore, it is vulnerable to the same quantum threat as RSA is, which is described by \cite{shor_1997}. Alternative homomorphic encryption schemes are available, which are widely believed to be quantum-resistant, as they are based on lattice methods (e.g, \cite{fhe}).
\subsection{Side-channels}
The specific implementation is likely vulnerable to side-channel attacks. The specification for BigInt does not specify that operations should be constant-time, and variation between browser engines could lead to timing attacks. %todo check as this might not be true since key sizes are the same
\section{Wider application}
Peer-to-peer software is a slowly growing field.
\bibliography{Dissertation}
\end{document}