A Zero-Knowledge Proof System with Algebraic Geometry Techniques
González Fernández, Edgar; Morales-Luna, Guillermo; Sagols, Feliu
Applied Sciences, Article

Edgar González Fernández 1,*, Guillermo Morales-Luna 1 and Feliu Sagols 2

1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508, Gustavo A. Madero, San Pedro Zacatenco, Mexico City 07360, Mexico
2 Department of Mathematics, CINVESTAV-IPN, Av. IPN 2508, Gustavo A. Madero, San Pedro Zacatenco, Mexico City 07360, Mexico
* Correspondence: Tel.: +52-555-747-3756

Received: 4 November 2019; Accepted: 3 December 2019; Published: 8 January 2020

Abstract: Current requirements for securing data exchange over the internet against security breaches have to take new cryptographic attacks into account. The most recent advances in cryptanalysis are boosted by quantum computers, which are able to break common cryptographic primitives. This makes evident the need for developing further communication protocols to secure sensitive data. Zero-knowledge proof systems have been around for a while and have been considered for providing authentication and identification services, but only recently has their popularity risen, due to novel applications in blockchain technology, the Internet of Things, and cloud storage, among others. A new zero-knowledge proof system is presented, which bases its security on two main problems known to be resistant, up to now, against quantum attacks: the graph isomorphism problem and the isomorphism of polynomials problem.

Keywords: graph isomorphism; isomorphism of polynomials; interactive proof system; multivariate cryptography; zero-knowledge proof

1. Introduction

The increasing use of powerful electronic devices and the availability of networks that provide ubiquitous and high-performance connectivity allow applications to transfer huge volumes of data in brief periods of time.
Several transactions and secure connections are performed using reliable schemes of authentication and privacy based on complicated mathematical problems, which have remained unsolved up to now. The starting point of secure communications requires prior secret sharing or authentication, using public key cryptography (PKC) for this purpose. Though several cryptographic algorithms exist, only a few protocols are used in real-world applications, due to their proven resistance and easy implementation: the well known procedure due to Rivest, Shamir and Adleman (RSA), based on the factorization problem, and the Digital Signature Standard (DSS), based on the discrete logarithm problem on finite groups. These algorithms are the base of several digital signature techniques and of authentication and identification protocols, which are commonly used for e-commerce, banking transactions, and government services, among others, and their applications have been increasing with the introduction of multifactor authentication and cryptocurrencies.

The rapid development of cryptanalysis techniques and quantum computers endangers these security measures, the most alarming threat being the existence of an algorithm that can solve the factorization problem efficiently, provided a quantum computer can ever be built. These issues make clear that new techniques must be studied and developed in preparation for possible realizations of these threats.

Recently, zero-knowledge proofs (ZKP) have been considered as an alternative for designing authentication and identification protocols. Protocols based on ZKP are built upon problems which have not yet been solved by quantum computer algorithms; many of them originate from graph theory and NP-complete problems.

Appl. Sci. 2020, 10, 465; doi:10.3390/app10020465; www.mdpi.com/journal/applsci
In addition to authentication and identification services, novel technologies which require anonymity services (e.g., blockchain and cryptocoins) have found in ZKP systems a reliable technique to prove knowledge of specific data without disclosing details; say, whether an account has enough credit to buy an item. Current uses have also been reported in the direction of authentication in cloud storage and the Internet of Things (IoT), encouraging the development of this sort of protocol.

The method defined in this work produces key pairs from an isomorphism between a pair of graphs. The public key will be given by a system of equations. The private key will consist of a solution to the system. It will be shown that finding this solution is at least as difficult as finding an isomorphism between the associated graphs. At present, the fastest algorithm for solving the graph isomorphism (GI) problem runs in quasi-polynomial time. However, an authentic prover will be ready to provide a solution efficiently.

2. Related Work

Interactive proof systems were presented by Goldwasser, Micali, and Rackoff as a novel technique to demonstrate "knowledge" efficiently, in the sense that the verification of such knowledge should be performed easily. This method involves an exchange of information between two entities: the prover, which is determined to demonstrate the truth of a proposition to a second party, and the verifier, which in turn must be convinced of the assertion. The parties involved interact in a challenge-response process until the verifier is ready to decide that the prover's assertion is correct, or concludes that the claim is false. Interactive proof systems are said to be zero-knowledge if the verifier is not able to get any extra information from the interaction process, except the correctness of the statement.
This kind of proof can be used by entities requiring authentication and identification services: access control or credit card validation, among many others. One of the most typical examples of ZKP systems bases its security on the difficulty of solving the graph isomorphism problem (GI). The main components of this system are:

The public key: two isomorphic graphs $G$ and $H$.
The private key: the pair $(G, H)$ together with an isomorphism $\varphi : G \to H$.
The interaction algorithm between Peggy (the prover) and Victor (the verifier):
1. Peggy starts the interaction by providing a random isomorphic graph $K$.
2. Victor selects a random bit $b \in \{0, 1\}$ and sends it to Peggy.
3. Considering $\psi_0 = \psi \circ \varphi$ and $\psi_1 = \psi$, Peggy must send $\psi_b$ accordingly.
4. Victor verifies that $\psi_0(G) = K$ or $\psi_1(H) = K$, depending on the choice of $b$.

The interaction procedure is based on the commutativity of the diagram shown in Figure 1 and on the difficulty of constructing $\psi \circ \varphi$ from $\psi$ alone.

Figure 1. Composition of graphs: $\varphi : G \to H$, $\psi : H \to K$, and the composition $\psi \circ \varphi : G \to K$.

The GI problem can be easily solved for the average case with state-of-the-art solvers, such as nauty, Traces, saucy, and bliss, among others. In addition to these results, Babai has proposed a novel technique reducing the complexity of GI to quasi-polynomial time (with a running time of $2^{O((\log n)^{c})}$ for a constant $c$). Nevertheless, efforts to construct difficult instances have been made. Contrary to what is expected, these cases might not provide suitable cases for cryptographic purposes, but rather lower complexity bounds by solving particular cases with tuned algorithms.

Grigoriev generalizes the aforementioned construction by studying other mathematical objects possessing the commutativity property shown in Figure 1. This allows considering transformations with similar behaviour, such as homomorphisms and endomorphisms in group and ring theory. The required characteristics to obtain a resistant protocol are:

1. The transformations $\varphi$ and $\psi$ are difficult to invert.
2. The possibility of obtaining $\psi \circ \varphi$ easily from $\varphi$ and $\psi$.

The ZKP system based on GI is compliant with these restrictions, but further problems with similar characteristics are introduced, mainly related to graph theory, such as the subgraph problem or the colorability problem, and problems concerning group and ring endomorphisms, among others. Some of these problems are known to be NP-hard, which provides an advantage over the GI problem, whose membership in the NP-complete class is currently unknown, but expected to be false.

Later, Patarin introduced the Isomorphism of Polynomials Problem (IP), which relates affine spaces by means of affine transformations. Given two sets of polynomials of the same size, we say that both sets are isomorphic if there are affine transformations that define a bijection from one set onto the other. Formally, the IP problem is stated as follows:

Definition 1. Consider two vector spaces $\mathbb{F}^m$ and $\mathbb{F}^n$ of dimensions $m$ and $n$, respectively, over a finite field $\mathbb{F}$, and two quadratic transformations $F = (f_1, \ldots, f_m)$, $\bar F = (g_1, \ldots, g_m)$, where each $f_i$, $g_i$ is a quadratic polynomial. $F$ and $\bar F$ are isomorphic if there are $S : \mathbb{F}^m \to \mathbb{F}^m$ and $T : \mathbb{F}^n \to \mathbb{F}^n$ such that $\bar F = S \circ F \circ T$.

The composition of affine transformations is itself an affine transformation. Thus, the composition of isomorphisms is defined in a straightforward way. The original scheme considers two affine transformations $S$, $T$, but a simplification which consists of discarding one of them (or equivalently, setting one transformation to the identity) leads to defining the IP on one or two secrets (IP1s and IP2s, correspondingly). The proposed authentication scheme is very similar to that defined for GI. Both IP1s and IP2s have been considered for a new brand of cryptographic primitives known as multivariate cryptography [15,16].
These primitives are based on the MQ problem, which consists of finding a common solution of a set of polynomials in several variables in a given vector space (commonly, over a finite field $\mathbb{F}_q$). A traditional procedure for key generation in multivariate public key cryptography (MPKC) involves two major phases:

Private key generation. A set of polynomials $F = \{f_1, \ldots, f_m\}$ is generated in such a way that the problem of finding a common root for every $f_i$ is easy.
Public key derivation. From the private key polynomial set $F$, we generate a new polynomial set $\bar F = \{\bar f_1, \ldots, \bar f_n\}$. For this set, the problem of finding a common root must be computationally difficult. Otherwise, a malicious entity would be able to perform sensitive operations, like deciphering and digital signing.

The most common construction techniques base their security on the intractability of IP; for this, the affine transformations $S$ and $T$ must be kept secret, since the recovery of the private polynomial set with knowledge of the affine transforms is a computationally easy task. Further methods for private key generation can be found in the literature.

The origins of MPKC can be traced back to the scheme proposed by Matsumoto and Imai in [15,16]. The proposed cryptosystem (known as the Matsumoto–Imai (MI) cryptosystem) was broken a few years later. Since then, many other families of schemes have been proposed, including the unbalanced oil-vinegar (UOV), the hidden field equations (HFE), and the Rainbow schemes. Currently, the National Institute of Standards and Technology is working on the development of quantum-resistant cryptographic standards, many of them based on MPKC.

The rapid development of MPKC has also caused advances in algorithms for solving multivariate systems. These provide very useful cryptanalytic attacks that, according to the target, can be classified into two main groups:

Ciphertext decryption. In this case the primary goal is to get the original plaintext from the captured ciphertext. These attacks make use of polynomial system solvers such as the Buchberger algorithm to compute Groebner bases. The algorithm must be executed on each new ciphertext obtained.
Private key recovery. The private key consists of the private set $F$ and the transformations $S_1$, $S_2$. If this information is disclosed, every ciphertext enciphered with the disclosed key is vulnerable. Examples of these algorithms are: high rank, MinRank, and separation of oil and vinegar (VI.5.4).

Up to now, the most reliable algorithms for solving general polynomial systems have been those based on the Buchberger algorithm, which has an exponential running time, even for the average case. Additional aspects regarding asymptotic studies on graphs and Groebner bases are provided in the cited works.

3. Mathematical Background

In this section, we provide a brief introduction to the basic concepts used throughout this work.

3.1. Graphs

A graph is a pair $(V, E)$, where $V = \{v_1, \ldots, v_n\}$ is a set of $n$ elements, the vertices, and $E$ is a subset of $\binom{V}{2} = \{e \subseteq V \mid \#e = 2\}$, the edges. The order and size of $G$ are the cardinalities of the sets $V$ and $E$, respectively. Two different vertices $u_1, u_2 \in V$ are adjacent if they are connected by an edge. Analogously, two different edges $e_1, e_2 \in E$ are adjacent if they share one and only one vertex. The graph $\bar G = (V, \bar E)$ defined by $\bar E = \{v_i v_j \in \binom{V}{2} \mid v_i v_j \notin E\}$ is the complementary graph of $G$. This consists of pairs of non-adjacent vertices.

If two disjoint subsets $V_1, V_2 \subseteq V$ exist such that $V_1 \cup V_2 = V$ and such that every edge has vertices in both sets $V_1$ and $V_2$, then the graph is said to be bipartite. Furthermore, $G$ is complete bipartite provided that every vertex in $V_1$ is connected to every vertex in $V_2$ and vice versa.

Now, consider two graphs $G = (U, D)$ and $H = (V, E)$. Consider a bijection of sets $\varphi : U \to V$ that preserves edges; i.e., $\{u, v\} \in D$ implies $\{\varphi(u), \varphi(v)\} \in E$. Then $\varphi$ is an isomorphism between $G$ and $H$, and $G$ and $H$ are said to be isomorphic, denoted $G \cong H$. The graph isomorphism problem is defined as the task of finding an isomorphism between $G$ and $H$, or deciding that they are not isomorphic. Formally, GI can be defined as follows.

Decision problem
Instance: Two graphs $G = (U, D)$, $H = (V, E)$.
Solution: $1$ if there is an isomorphism $\varphi : G \to H$; $0$ otherwise.

Search problem
Instance: Two graphs $G = (U, D)$, $H = (V, E)$.
Solution: Either a proof that $H$ and $G$ are not isomorphic or the isomorphism $\varphi : G \to H$.

Finally, a matching in a graph $G$ is a subset $M \subseteq E$ with the property that no two edges $e_1, e_2 \in M$ are adjacent. The matching is perfect if, in addition, every vertex of $G$ is paired by an edge of $M$.

3.2. Polynomial Ideals and Algebraic Sets

Consider the finite field of $q$ elements $\mathbb{F}_q$ and the ring of polynomials in $n$ variables over $\mathbb{F}_q$, denoted $R = \mathbb{F}_q[X_1, \ldots, X_n]$. A subset $I \subseteq R$ is an ideal if

For every $f, g \in I$, $f + g \in I$;
For every $f \in I$, $h \in R$, the product $h f \in I$.

Then, considering a finite set of polynomials $F = \{f_1, \ldots, f_m\} \subseteq R$, we can define the ideal generated by $F$ as follows:
$$(F) = \{h_1 f_1 + \cdots + h_m f_m \mid h_i \in R,\ i = 1, \ldots, m\}.$$
A common root for the polynomials $f_i$, $i = 1, \ldots, m$, is also a root for any $f \in (F)$. The zero-set of the ideal $I$, denoted $V_I$, consists of all the points $(x_1, \ldots, x_n) \in \mathbb{F}_q^n$ such that $f(x_1, \ldots, x_n) = 0$ for every $f \in I$. By considering an algebraic extension of the base field $\mathbb{F}_q$, the zero-set is known as the algebraic set of $I$.

We can now formalize MQ as a decision problem. Additionally, we state the related search problem.

Decision problem
Instance: An ideal $I \subseteq \mathbb{F}_q[X_1, \ldots, X_n]$.
Solution: $1$ if $V_I \neq \emptyset$; $0$ otherwise.

Search problem
Instance: An ideal $I \subseteq \mathbb{F}_q[X_1, \ldots, X_n]$.
Solution: Either a proof that $V_I = \emptyset$ or a point $x \in \mathbb{F}_q^n$ such that $x \in V_I$.
A solution to the search problem provides a solution to the decision problem immediately. If we are able to find a solution for the polynomial system $f_1 = \cdots = f_m = 0$, we conclude that $V_I \neq \emptyset$. This means that solving the search problem is at least as difficult as solving the decision problem, which is known to be NP-complete.

As mentioned before, any solution for a set of polynomials is also a solution for the ideal generated by that set. Most of the system solvers work based on this fact, by finding a set of "representatives" with better properties, making the resolution task easier. Finding these representatives has already been explored by Buchberger, who proposed the construction of the so-called Groebner bases. We can mention improved versions of the Buchberger algorithm, such as F4 and F5. They have been successful in attacking cryptographic schemes, such as HFE and Matsumoto–Imai, and some variations of UOV. Despite these efforts, the complexity of these algorithms, even on average instances of MQ, is fully exponential.

3.3. Zero-Knowledge Proof Systems

Some handy cryptographic tools used for authentication and identification services are zero-knowledge proofs. A basic description of such systems consists of two parts: the verifier poses a series of questions to the prover, who must answer correctly in each round to convince the verifier. The prover will be capable of answering correctly in each round only if he has legitimate information. For this process to be securely implemented, some characteristics regarding the interaction of the involved parties are desirable. The whole verification process should be computationally efficient for an authentic verifier, whereas it must be infeasible for an unauthentic prover to impersonate the authentic one. Furthermore, no information that allows a malicious verifier to reveal the prover's secret can be gathered, though this is commonly relaxed to "no statistically significant information."
The following points summarize the desirable characteristics of a ZKP system:

Completeness. An authentic prover will always be accepted by an honest verifier.
Soundness. Upon interacting with a non-authentic prover, the verifier will reject it with a very high probability.
Zero-knowledge. A malicious verifier is not capable of getting any extra information from the challenge-response procedure, other than the correctness of the assertion.

This means that a verifier will always accept an authentic prover. However, a malicious prover has a chance to impersonate an authentic one, but with very small probability.

4. Construction of the Polynomial System

We proceed by developing the construction of the polynomial set based on an isomorphism between graphs. Consider two isomorphic graphs $G = (U, D)$ and $H = (V, E)$ of order $n$ and size $e$. Denote by $K_{U,V}$ the complete bipartite graph on the vertex set $U \cup V$. It is possible to obtain a perfect matching $M$ in the graph $K_{U,V}$ by choosing edges $u_i v_k$, $u_j v_l$ if and only if both $u_i u_j$ and $v_k v_l$ are edges in their respective graphs. In other words:

(i) If $u_i u_j \in D$ and $v_k v_l \notin E$, edges $u_i v_k$ and $u_j v_l$ cannot lie in $M$ simultaneously.
(ii) If $v_k v_l \in E$ and $u_i u_j \notin D$, edges $u_i v_k$ and $u_j v_l$ cannot lie in $M$ simultaneously.

A perfect matching $M$ gathered in this fashion can also be regarded as a bijection $\varphi$ between the vertices of $U$ and $V$, defining an isomorphism between their corresponding graphs. The aforementioned conditions are an equivalent way to assert:
$$u_i u_j \in D \iff \varphi(u_i)\varphi(u_j) \in E.$$
What has been explained can be observed in Figure 2.

Figure 2. Process of generating the polynomial set associated to a graph isomorphism. (a) An isomorphism between $G$ and $H$ can be seen as a perfect matching in the graph $K_{U,V}$ preserving adjacencies between $G$ and $H$. (b) The edges $u_2 v_2$ and $u_3 v_4$ cannot belong simultaneously to $M$ because $u_2 u_3 \in D$ but $v_2 v_4 \notin E$. The polynomial $X_{2,2} X_{3,4}$ is added to the ideal $I$.

Now, we translate the notion of isomorphism between graphs into a strictly algebraic language. The idea is to perform a proper reduction from GI to MQ, motivated by conventional reductions of several problems on graphs to Boolean quadratic polynomials [29,30]. For this, we need to consider a set of $n^2$ variables, denoted $\{X_{i,k}\}$ for $i, k = 1, \ldots, n$. The first set of polynomials to append restricts any possible solution to values in the set $\{0, 1\}$. The polynomials are defined as follows:
$$X_{i,k}^2 - X_{i,k} \quad \text{for } i, k \in \{1, \ldots, n\}. \qquad (1)$$
These could be discarded if the restriction is made clear by considering only solutions over the binary vector space, i.e., over $\mathbb{F}_2$. The next batch of polynomials restricts the zero-set to solutions that represent a perfect matching; i.e., exactly one vertex $u$ from $U$ is connected to one vertex of $V$ and vice versa. This associates the solutions to the existence of a perfect matching $M$:
$$\sum_{k=1}^{n} X_{i,k} - 1 \quad \text{for } i = 1, \ldots, n, \qquad \sum_{i=1}^{n} X_{i,k} - 1 \quad \text{for } k = 1, \ldots, n. \qquad (2)$$
The last set of polynomials guarantees that the solution is related exclusively to the isomorphism arising from the perfect matching:
$$X_{i,k} X_{j,l} \quad \text{for every } i, j, k, l \text{ which satisfy } \left(u_i u_j \notin D \wedge v_k v_l \in E\right) \vee \left(u_i u_j \in D \wedge v_k v_l \notin E\right). \qquad (3)$$
The construction of the polynomial set is now complete.

5. Zero-Knowledge Protocol

Our next goal is to employ the theory developed in Section 4 to establish the announced ZKP. Let us start by generating a graph $G$ and a random isomorphism $\varphi$, which can be obtained as a random bijection of its vertex set. In this way, we create a second graph $H$ which is isomorphic to $G$ with isomorphism $\varphi$. Now, let $F_0$ be the polynomial system resulting from the construction process shown in Section 4.
A solution $x_0$ for the system $F_0$ is found by setting $X_{i,k} = 1$ if $u_i v_k \in M$, and $X_{i,k} = 0$ otherwise. The polynomial set $F_0$ will be public and is used as the public key. The private key will be the pair $(F_0, x_0)$.

The interaction process starts by generating a second isomorphic graph $K$, which can be performed by applying a random bijection $\psi$ on the vertex set of $H$. Knowing the graph $H$ and the applied permutation allows one to obtain a second polynomial set $F_1$ and its corresponding solution $x_1$. The following diagram (Figure 3) allows visualization of the operation performed.

Figure 3. Graph composition and resulting systems: $G \xrightarrow{\varphi} H \xrightarrow{\psi} K$, with $(F_0, x_0)$ arising from the pair $(G, H)$ and $(F_1, x_1)$ from the pair $(H, K)$.

Though the pair $(F_1, x_1)$ can be obtained in the same fashion as the pair $(F_0, x_0)$, i.e., by computing the polynomial set related to the corresponding graph isomorphism, a more direct approach consists of directly applying suitable permutations to the subindices $k$ and $l$ of the variables obtained from the edges of $G$ and $H$. In fact, let us define the permutation $\sigma_\varphi$ by $\sigma_\varphi(i) = k$ if $\varphi(u_i) = v_k$. Then, the edge $u_i u_j \in D$ transforms into the edge
$$\varphi(u_i)\varphi(u_j) = v_{\sigma_\varphi(i)} v_{\sigma_\varphi(j)}.$$
A similar permutation $\sigma_\psi$, dependent on the action $\psi$, is obtained by relating edges of graph $H$ and edges of graph $K$. The set of polynomials fulfilling condition (3) leads to a direct definition of the set of polynomials corresponding to $H$ and $K$, obtained from the public polynomial set as
$$X_{\sigma_\varphi(i),\,\sigma_\psi(k)}\; X_{\sigma_\varphi(j),\,\sigma_\psi(l)}. \qquad (4)$$
A solution for the system $F_1$ is provided by applying the permutations $\sigma_\varphi$, $\sigma_\psi$ to reorder the entries of the vector $x_0$ in a similar fashion.

Observe that applying the permutation $\sigma_\psi$ to the subindices of $X_{i,k}$ is equivalent to applying an affine transformation $T$, which might be represented by a matrix with one and only one element with value 1 in each column and each row (a permutation matrix), defined by
$$T(i, j) = \begin{cases} 1 & \text{if } j = \sigma_\psi(i) \\ 0 & \text{otherwise.} \end{cases}$$
A similar transformation $S$ is related to $\varphi$; this time, it is applied on the right side:
$$S(i, j) = \begin{cases} 1 & \text{if } j = \sigma_\varphi(i) \\ 0 & \text{otherwise.} \end{cases}$$
Indeed, $S$ and $T$ can be used to compute the new polynomial system (see $\Psi(F_0) = S F_0 T = F_1$) and the new solution to such a system by $x_1 = \Psi(x_0) = S x_0 T$, which consists of matrix multiplications.

Finally, if instead of using the isomorphism $\psi : H \to K$ to obtain the second polynomial system, the composition $\gamma = \psi \circ \varphi$ is used, we get a third system, constructed by computing the new set $X_{i,\sigma_\gamma(k)} X_{j,\sigma_\gamma(l)}$, which requires a single permutation and, in matrix notation, only the inner affine transformation $T$. Since both systems rely on the difficulty of computing a graph isomorphism, theoretically, any one of them could be used without losing security in the defined protocol.

5.1. Authentication Protocol

The complete authentication protocol is outlined by the following steps, which are performed between Peggy (the prover) and Victor (the verifier):

Key Generation:
1. Peggy picks a graph $G$ and randomly generates a permutation of the set $\{1, \ldots, n\}$. This permutation is used to create the isomorphic graph $H$ together with its isomorphism $\varphi$, and then the public key $F_0$ using the technique described above. The private key is the pair $(F_0, x_0)$, which consists of the public polynomial system together with a solution to the system.

Authentication:
1. Peggy generates a permutation $\sigma$ of the set $\{1, \ldots, n\}$ at random and computes the polynomial system $F_1$, which is sent to Victor as a commitment.
2. Victor creates a challenge by selecting at random $b \in \{0, 1\}$. Victor sends $b$ to Peggy.
3. Once Peggy has received $b$, she must answer accordingly: if $b = 0$, she sends the transformation $\Psi$ to Victor; if $b = 1$, she sends the solution $x_1$ of $F_1$.
4. According to the value of $b$, Victor performs the following to authenticate Peggy: if $b = 0$, he computes the system $F_1' = \Psi(F_0)$ and verifies whether $F_1' = F_1$; if $b = 1$, he checks whether $F_1(x_1) = 0$ or not.
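The reduction of Section 4 and the challenge-response rounds of Section 5.1, as an added Python example that is not the paper's own code. It builds the condition (3) monomials from a pair of graphs, takes the single-permutation variant ($\gamma = \psi \circ \varphi$, so only the inner transformation $T$ acts, on the $H$-side subindex), and runs Peggy's commitment and Victor's two checks; the toy graphs of Section 6 (shifted to 0-based vertices) are embedded as sample input. Because it enumerates (3) over all ordered index tuples, each edge/non-edge pair yields both $X_{i,k}X_{j,l}$ and $X_{i,l}X_{j,k}$, which gives 32 monomials for the toy graphs, a superset of the 16 listed in the toy example.

```python
"""Added example, not the paper's code: the GI -> MQ reduction of Section 4 and
the permutation-based rounds of Section 5.1.  Vertices are 0-based and the
variable X_{i,k} is represented by the tuple (i, k)."""
import random
from itertools import permutations, product


def build_system(n, D, E):
    """Condition (3) monomials for G = (U, D), H = (V, E) on vertices 0..n-1,
    each X_{i,k} X_{j,l} stored as the frozenset {(i, k), (j, l)}.  Conditions
    (1) and (2) are the same for every graph pair of order n, so is_root()
    enforces them directly instead of storing them."""
    D = {frozenset(e) for e in D}
    E = {frozenset(e) for e in E}
    F = set()
    for (i, j), (k, l) in product(permutations(range(n), 2), repeat=2):
        # (u_i u_j in D) xor (v_k v_l in E): mapping i->k together with j->l
        # would send an edge to a non-edge or vice versa, so X_{i,k} X_{j,l}
        # must vanish on every admissible solution.
        if (frozenset((i, j)) in D) != (frozenset((k, l)) in E):
            F.add(frozenset({(i, k), (j, l)}))
    return frozenset(F)


def solution_from_isomorphism(n, phi):
    """x_0 of Section 5: X_{i,k} = 1 iff phi(u_i) = v_k (phi given as a list)."""
    return [[1 if phi[i] == k else 0 for k in range(n)] for i in range(n)]


def is_root(n, F, x):
    """Victor's b = 1 check: is the n x n matrix x a common root of (1)-(3)?"""
    if any(v not in (0, 1) for row in x for v in row):                # (1)
        return False
    if any(sum(row) != 1 for row in x):                                 # (2) rows
        return False
    if any(sum(x[i][k] for i in range(n)) != 1 for k in range(n)):      # (2) cols
        return False
    return all(not all(x[i][k] for i, k in mono) for mono in F)         # (3)


def apply_permutation(F, sigma):
    """Psi with S the identity: rename the H-side subindex k -> sigma(k), i.e.
    X_{i,k} X_{j,l} -> X_{i,sigma(k)} X_{j,sigma(l)} (right-multiplication by T)."""
    return frozenset(frozenset((i, sigma[k]) for i, k in mono) for mono in F)


def permute_solution(x, sigma):
    """x_1 = Psi(x_0): column k of x_0 becomes column sigma(k) of x_1."""
    n = len(x)
    x1 = [[0] * n for _ in range(n)]
    for i in range(n):
        for k in range(n):
            x1[i][sigma[k]] = x[i][k]
    return x1


def prover_commit(n, F0, x0, rng):
    """Step 1: Peggy draws a random sigma and commits to F_1 = Psi(F_0)."""
    sigma = list(range(n))
    rng.shuffle(sigma)
    return apply_permutation(F0, sigma), sigma, permute_solution(x0, sigma)


def prover_respond(b, sigma, x1):
    """Step 3: reveal Psi (as sigma) when b = 0, the solution x_1 when b = 1."""
    return sigma if b == 0 else x1


def verifier_check(n, F0, F1, b, response):
    """Step 4: rebuild F_1 from public F_0 and the revealed sigma (b = 0), or
    evaluate the committed F_1 at the revealed solution (b = 1)."""
    if b == 0:
        return apply_permutation(F0, response) == F1
    return is_root(n, F1, response)


def run_protocol(n, F0, x0, rounds, seed=0):
    """Honest Peggy against Victor; True iff every round is accepted."""
    rng = random.Random(seed)
    for _ in range(rounds):
        F1, sigma, x1 = prover_commit(n, F0, x0, rng)
        b = rng.randrange(2)                      # Step 2: Victor's challenge
        if not verifier_check(n, F0, F1, b, prover_respond(b, sigma, x1)):
            return False
    return True


# Toy graphs of Section 6 with 0-based vertices: D are the edges of G and
# TOY_PHI is the paper's permutation (1 2 3 4 -> 1 3 2 4), so H = phi(G).
TOY_N = 4
TOY_D = [(0, 1), (0, 3), (1, 2), (2, 3)]
TOY_PHI = [0, 2, 1, 3]
TOY_E = [(TOY_PHI[u], TOY_PHI[v]) for u, v in TOY_D]   # 1-based: 13, 14, 32, 24


def toy_keys():
    """Public key F_0 and the solution x_0 of the private key (F_0, x_0)."""
    F0 = build_system(TOY_N, TOY_D, TOY_E)
    return F0, solution_from_isomorphism(TOY_N, TOY_PHI)
```

`run_protocol(TOY_N, *toy_keys(), 10)` plays ten honest rounds over the toy keys; a wrong matching fails `is_root` on the first monomial it activates.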
5.2. Verification of the Protocol

In order to admit the proposed ZKP system as valid, it must fulfill the defining requirements: completeness, soundness, and zero knowledge.

Completeness. Consider Peggy and Victor as authentic entities. On each iteration, Peggy generates a pair $(F_i, x_i)$ from a random permutation $\sigma$ of the variables. Both can be computed efficiently by her, since she already has knowledge of the original solution $(F_0, x_0)$, and subsequently she can provide a correct answer to the challenge.

Soundness. Consider a rogue prover Robert, who wants to deceive Victor by claiming knowledge of the solution $x_0$. He might proceed in two different ways:
1. He creates a new system from $F_0$ by applying any random permutation $\sigma$ to the variable subindices. If Victor sends $b = 0$, Robert will be able to provide $\Psi : F_0 \to F_1$; however, if $b = 1$, he will not be able to compute the solution $x_1 = \Psi(x_0)$.
2. From a made-up solution $x_1'$, Robert can compute a set of polynomials $F_1'$ having $x_1'$ as a solution. Then, if Victor sends $b = 1$, Robert can deceive Victor; on the other hand, if Victor sends $b = 0$, Robert must provide the transformation $\Psi : F_0 \to F_1'$, which is computed from a valid $\sigma$. Since the problem is strongly related to GI, this will be a difficult task, and for this reason, infeasible.
In any case, the chance of succeeding is $\frac{1}{2}$ at each round. After $n$ rounds, the probability is $\left(\frac{1}{2}\right)^{n}$, which becomes insignificant as $n$ grows.

Zero-Knowledge. Finally, zero-knowledge is provided for the following reasons: having knowledge of the systems $F_0$ and $F_1$, it is infeasible to compute $\Psi$ or its solution $x_1$ in polynomial time, since we have built these objects based on difficult tasks: solving the GI problem or the MQ problem. At every iteration a piece of information is provided. If $\Psi$ is disclosed, it is not possible to compute $x_1$ without knowledge of the solution $x_0$.
For the second case, if $x_1$ is exposed, then, without knowing $\Psi$, it is not possible to recover $x_0$.

5.3. Possible Attacks

We will consider that a malicious entity, a rogue prover (Robert), wants to play the role of Peggy. He can try the following strategy. Robert can flip a coin to obtain a random value $r$ to decide how to proceed. If $r = 0$, Robert randomly generates a system $F_1'$ with a given solution that he knows. If Victor challenges with $b = 1$, Robert is able to provide the solution, but if $b = 0$, he will not have the corresponding transformation $\Psi : F_0 \to F_1'$. Alternatively, if Robert obtains $r = 1$, he computes a random permutation to obtain a transformation of the system $F_0$. If Victor challenges with $b = 0$, Robert will be able to provide the required transformation, but, on the contrary, if Victor chooses to send $b = 1$, he will fail to compute a suitable solution. It has been noted that the probability of cheating with this strategy is insignificant after $n$ rounds for $n$ big enough.

Now we suppose that Robert attacks as a malicious verifier, who wants to obtain information about the secret key, so he plays the role of Victor. He can try asking several times until he gets the same set of polynomials twice. This would give him access to the private key. The first time, he challenges Peggy with $b = 0$ so he can get the permutation. In subsequent times, he sends $b = 1$ and gets the solution to the corresponding system. If the first random permutation is repeated at some time, Robert can compute the solution to the public system by applying $\sigma$ to the subindices of the solution. There are $n!$ different ways of permuting $n$ elements. This makes the strategy infeasible, since he will have to perform an exponential number of challenges.

Finally, it is possible to solve these problems by breaking the protocol with more sophisticated tools:

Solving MQ. Using a polynomial system solver to find a solution for the polynomial system $F_0$ would extract the private key $x_0$ (or another suitable private key).
Solving IP. This is done by computing the affine transformations $T$ and $S$ that make two quadratic transformations $F_0$ and $F_1$ isomorphic; i.e., $F_1 = S F_0 T$. In our construction, the permutation applied to subindices can be regarded as a special case of IP where $S$ and $T$ are permutation matrices.
Addressing GI. We need to retrieve the initial isomorphic graphs from the polynomial set and find an isomorphism, which leads to forging a private key.

At present, the authors are not aware of quantum algorithms solving, efficiently, any of the forenamed problems.

6. Computational Complexity

An analysis of the computational cost of the transformation of the GI instance is performed next. Observe that, for conditions (1) and (2), every pair $(i, k)$ for $i, k \in \{1, \ldots, n\}$ must be considered. This can be done in $O(n^2)$. The next step consists of including the polynomials required to comply with condition (3). The following verifications are made:
1. For every $u_i u_j \in D$, look for the edges $v_k v_l \in \bar E$. The corresponding polynomials $X_{i,k} X_{j,l}$ are added to the system.
2. For every $v_k v_l \in E$, look for the edges $u_i u_j \in \bar D$ and append the corresponding polynomials $X_{i,k} X_{j,l}$ to the system.

To show that such a transformation is performed in polynomial time, a very rough upper bound for the size of $D$ can be set to $\frac{n(n-1)}{2}$, corresponding to a complete graph. A similar upper bound can be established for $\bar E$. The set of polynomials appended in step 1 is computed with two nested loops, the outer one traveling over every edge in $D$, while the inner loop must visit every edge in $\bar E$. Then, the number of steps for this operation is bounded by $\frac{n^2 (n-1)^2}{4}$. The second set of polynomials, gathered from $E$ and $\bar D$, can be obtained following analogous arguments. Then, the time complexity of such an operation is $O(n^4)$, which is polynomial in the order of $G$. Of course, this upper bound is not reached, due to the relation between the sizes of a graph and its complement, but this is enough to argue why the construction takes a polynomial number of steps; thus, the reduction of GI to MQ can be performed efficiently.

Toy Example

In this section, the construction of the public and private key, together with the transformations required during the authentication procedure, is shown by providing a small example. We start by showing the construction of a polynomial set. Let us consider the graph $G = (U, D)$, where $U = \{1, 2, 3, 4\}$ and $D = \{(1, 2), (1, 4), (2, 3), (3, 4)\}$. Consider the permutation
$$\sigma = \begin{pmatrix} 1 & 2 & 3 & 4 \\ 1 & 3 & 2 & 4 \end{pmatrix}.$$
After applying $\sigma$ to the set $U$, we get the graph $H = (V, E)$ defined by $V = U$ and $E = \{(1, 3), (1, 4), (2, 3), (2, 4)\}$. The complementary graphs $\bar G$ and $\bar H$ are determined by the edge sets $\bar D = \{(1, 3), (2, 4)\}$ and $\bar E = \{(1, 2), (3, 4)\}$, respectively. Graphs $G$, $H$ and their complements (shown by dashed lines) are shown in Figure 4.

Figure 4. Isomorphic graphs $G$, $H$ and complements indicated by dashed lines. (a) Graph $G$. (b) Graph $H$.

We start building the polynomial set by fulfilling condition (1), which appends 16 polynomials:
$$X_{i,j}^2 - X_{i,j} \quad \text{for } i, j \in \{1, 2, 3, 4\}.$$
As already mentioned, these could be replaced by considering solutions over a binary vector space, something useful when the amount of data to be exchanged faces restrictions. Subsequently, condition (2) is addressed by considering the polynomials
$$X_{i,1} + X_{i,2} + X_{i,3} + X_{i,4} - 1 \quad \text{for } i = 1, 2, 3, 4,$$
$$X_{1,j} + X_{2,j} + X_{3,j} + X_{4,j} - 1 \quad \text{for } j = 1, 2, 3, 4.$$
Finally, the polynomials obtained from condition (3) are added to the polynomial set. To understand the process, let us consider an edge in $D$; say, $(1, 2)$. The edges not contained in $H$ are $(1, 2)$ and $(3, 4)$, as seen in Figure 4. These edges introduce the polynomials $X_{1,1} X_{2,2}$ and $X_{1,3} X_{2,4}$. The set of polynomials obtained by considering $\{u_i u_j \in D \wedge v_k v_l \notin E\}$ is shown next:
$$X_{1,1} X_{2,2},\quad X_{1,1} X_{4,2},\quad X_{2,1} X_{3,2},\quad X_{3,1} X_{4,2},$$
$$X_{1,3} X_{2,4},\quad X_{1,3} X_{4,4},\quad X_{2,3} X_{3,4},\quad X_{3,3} X_{4,4}.$$
Finally, by considering the edges in $\bar G$ and $H$, we get another set of eight polynomials:
$$X_{1,1} X_{3,3},\quad X_{1,2} X_{3,3},\quad X_{2,1} X_{4,3},\quad X_{2,2} X_{4,3},$$
$$X_{1,1} X_{3,4},\quad X_{1,2} X_{3,4},\quad X_{2,1} X_{4,4},\quad X_{2,2} X_{4,4}.$$
A root of these polynomials related to the isomorphism between these graphs can be computed by letting $x_{i,\sigma(i)} = 1$ for $i = 1, 2, 3, 4$ and zero otherwise. Explicitly,
$$x_{i,j} = \begin{cases} 1 & \text{if } (i, j) \in \{(1, 1), (2, 3), (3, 2), (4, 4)\} \\ 0 & \text{otherwise.} \end{cases} \qquad (5)$$
The polynomial system created with the polynomials described here, together with the solution defined in (5), constitute the public key $F_0$ and the private key $(F_0, x_0)$.

Proceeding with the iterative procedure between prover and verifier to perform the authentication step, a new polynomial system and its solution are computed using either a new graph isomorphism or directly a random permutation $\sigma$ on the subindices, as shown in Section 5.2. The construction is similar to what we have done above.

7. Conclusions and Future Work

A novel, alternative zero-knowledge authentication protocol, whose security relies on the difficulty of solving MQ and GI, has been proposed. A set of polynomials was built in such a way that a solution is related to an isomorphism between graphs. That way, it is guaranteed that the protocol is at least as secure as the classical ZKP based solely on GI. It has also been shown that the implementation is computationally feasible. Also, the transformation applied on the polynomial set depends on a permutation, which makes the computation lightweight.
Since most of the information interchanged at every challenge-response round consists of a set of polynomials, which is a bit string whose length grows polynomially with $n$ (the bound of Section 6 gives $O(n^4)$ polynomials), further research on the possibility of reducing the number of polynomials in the system without weakening the proof system is desirable to provide a complete implementation of the authentication protocol. Additionally, it is expected that future research will be done in the direction of providing difficult instances of GI to be employed in the protocol presented in the current work. Supplementary operations could be considered to improve the presented system, which would consist of using general affine transformations $S$, $T$ instead of permutations alone, as has been remarked in the authentication protocol presented in Section 5.2. In this case, the systems constructed can be additionally hardened by performing a more general isomorphism of the form $\Psi(F_0) = S \circ F_1 \circ T$, where $S$ and $T$ are random affine transformations. Observe that the amount of information transferred in each authentication round grows by using two transformations and non-sparse matrices. A more detailed study on the hardness of such instances is needed to decide whether these modifications are useful.

Author Contributions: All authors contributed equally to the development and writing of this work. All authors have read and agreed to the published version of the manuscript.

Funding: The authors acknowledge the partial support of Mexican CONACYT. The first author has a grant from Conacyt's Scholarship Program. The last two authors have been partially supported by Conacyt's National System of Researchers.

Acknowledgments: The support from ABACUS-CINVESTAV (Conacyt, EDOMEX-2011-C01-165873) is gratefully acknowledged as well.

Conflicts of Interest: The authors declare no conflict of interest.
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).