Zero-knowledge authentication schemes from actions on graphs, groups, or rings

ZER O-KNOWLEDGE A UTHENTICA TION SCHE MES FR OM A CTIONS O N GRAPHS, GR OUPS, OR RINGS DIMA GRIGORIEV AND VLADIMIR SHPILRAI N Abstra ct. W e prop ose a general wa y of constru ct in g zero-knowledge authentication sc hemes from actions of a semigroup on a set, without exploiting any specific algebraic prop erties of the set acted up on. Then we give severa l concrete realizations of this general idea, and in particular, we describe several zero-knowledge auth entica tion sc hemes where forgery ( a.k.a. imp ersonation) is N P-hard. Computationally hard problems that can b e emplo yed in these realizations include (Sub )graph Isomorphism, Graph Colorabilit y , Diophan tine Problem, and many oth ers. 1. Introduction In th is pap er, w e pr op ose a ge neral F eige -Fiat-Shamir-lik e [3] construction of a ze ro- kno wledge authentic ation sc heme from arbitrary actions. Supp ose a (partial) semigroup S acts on a set X , i.e., for s, t ∈ S and x ∈ X , one has ( st )( x ) = s ( t ( x )) whenev er b oth sides are defined. F or cryptographic pu rp oses, it is go o d to h a v e an action wh ic h is “h ard -to-in v ert”. W e delib erately av oid u sing the “one-w a y function” terminology here b ecause w e do not wa nt to b e distracted b y formal definitions th at are outside of the main f o cus of this pap er. F or a rigorous defin ition of a one-w a y fun ction, we just refer to one of the w ell-established sources, suc h as [5]. I t is sufficien t for our p urp oses to use an intuitiv e idea of a hard-to-in v ert action whic h is as follo w s. Let X and Y b e tw o sets such that complexit y | u | is defined f or all element s u of either set. A fun ction f : X → Y is hard-to-in v ert if computing f ( x ) tak es time p olynomial in | x | for an y x ∈ X (whic h implies, in p articular, th at complexit y of f ( x ) is b ound ed by a p olynomial function of | x | ), but there is no kno wn algorithm that w ould compute some f − 1 ( y ) in p olynomial time in | y | for ev ery y ∈ f ( X ). In our context of actions, we t ypically consider hard-to-in vert functions of the t yp e f x : s → s ( x ); in particular, a secret is usu ally a mapping , w hic h mak es our approac h differen t from what w as considered b efore. Th is idea allo ws u s to construct a general F eige -Fiat-Shamir-lik e zero-kno wledge authen tication sc h eme from arb itrary actions, see th e next S ection 2. Then, in the su bsequent sections, w e giv e sev eral concrete realizatio ns of this general idea, and in particular, w e describ e seve ral zero-kno wledge authen tication sc hemes w here reco vering the prov er’s secret key from her pub lic key is an NP-hard prob lem. W e note ho w ev er that what really matters f or cryptographic securit y is computational intracta bilit y of a pr oblem on a generic set of in puts, i.e., the problem should b e h ard on “most” rand omly s elected in puts. F or a pr ecise definition of Researc h of the second author wa s partially supp orted by the N SF grant DMS-0405105. 1 2 the “generic-NP” class, w e refer to [8]. Here we just sa y that some of the problems that w e emp loy in the present p ap er, e.g. Graph Colorabilit y , are likely to b e generically NP-hard, which mak es them quite attractiv e for cryptographic applications. W e also ad d ress an apparen tly ea sier task of for gery (a.k.a. misr epr esentation , a.k.a. imp ersonation ), and s h o w that in m ost of our schemes this, to o, is equiv alen t for the adv ersary to solving an NP-hard problem. T o b e more sp ecific, b y for g ery w e mean the scenario where the adv er s ary en ters the authen tication p r o cess at the c ommitment step, and then has to resp ond to the chal lenge pr op erly . Finally , w e note that there w ere other attempts at constructing zero-knowle dge au- then tication s chemes based on NP-hard prob lems (e.g. [1], [2]), but these constructions are less transp aren t, and it is not immediately clea r ho w and why they w ork . 2. Tw o p rotocols In this section, w e giv e a description of t wo generic zero-kno w ledge auth en ticatio n proto cols. Here Alic e is the pr o ver and Bob the v erifier . 2.1. Proto col I. Sup p ose a set S acts on a set X , i.e., for an y s ∈ S and x ∈ X , the elemen t s ( x ) ∈ X is well-defined. (1) Alice’s p ublic k ey co nsists of sets S , X , an element x ∈ X , and an elemen t u = s ( x ) for some r andomly selected s ∈ S , which is her priv ate k ey . (2) T o b egin authen tication, Alice selects an elemen t t ∈ S and sends the elemen t v = t ( s ( x )) ∈ X , called the c ommitment , to Bob. (3) Bob c ho oses a random b it c , called the chal lenge , and sends it to Alice. • I f c = 0, then Alice sends the elemen t t to Bo b, and Bob c hec ks if the equalit y v = t ( u ) is satisfied. If it is, then Bob acce pts the authen tication. • I f c = 1, then Alice send s the composition ts to Bob, and Bob c hec ks if th e equalit y v = ts ( x ) is satisfied. If it is, th en Bob accepts the authent ication. 2.2. Proto col I I . I n this proto col, the hardn ess of obtaining the “p erman ent” p riv ate k ey for th e adversary can b e based on “most an y” searc h problem; we giv e some concrete examples in the follo wing sectio ns, whereas in th is section, we giv e a generic protocol. (1) Alice’s public k ey consists of a set S that has a prop erty P . Her priv ate ke y is a pr o of (or a “witness”) that S do es ha v e this pr op ert y . W e are also assuming that the prop ert y P is p reserv ed by isomorp hisms . (2) T o b egin authen tication, Alice selects an isomorph ism ϕ : S → S 1 and send s the set S 1 (the commitmen t) to Bob. (3) Bob c ho oses a random b it c and send s it to Alice. • I f c = 0, then Alice sends the isomorph ism ϕ to Bo b, and Bob chec ks (i) if ϕ ( S ) = S 1 and (ii) if ϕ is an isomorphism. • I f c = 1, then Alice sends a pro of of the fact th at S 1 has the prop erty P to Bob, and Bob c hec k s its v alidit y . The f ollo wing prop osition says that in the Proto col I I, successful forgery is equiv alen t for the adversary to fi nding Alice’s priv ate ke y fr om her pu blic ke y , whic h is equiv alent, 3 in tur n, to giving a pro of (or a “witness”) that S d o es ha ve the prop ert y P . Th e latte r problem can b e selected fr om a large p o ol of NP-hard p roblems (see e.g. [4]). Prop osition 1. Supp ose that after sever al runs of steps (2)-(3) of the ab ove Pr oto c ol II, b oth values of c ar e enc ounter e d. Then suc c essful for gery i n such a pr oto c ol i s e q uivalent to finding a pr o of of the fact that S has the pr op erty P . Pr o of. S upp ose Eve w ant s to imp ersonate Alice . T o that effect, she in terf er es with the commitmen t step by sending her o wn commitment S ′ 1 to Bob. Since she should b e prepared to resp ond to the c hallenge c = 0, she s h ould kno w an isomorp h ism ϕ ′ : S → S ′ 1 . On the other hand, since she should b e p repared for the challe nge c = 1, she should kno w a pro of of th e fact that S ′ 1 has the prop ert y P . Therefore, since ϕ ′ is in vertible, this imp lies that sh e can pro du ce a pro of of the fact that S has the prop erty P . This completes the p ro of in one direction. The other direction is trivial.  Remark 1. We note that finding a pr o of of the fact that a given S has a pr op e rty P is not a de cision pr oblem, but r ather a se ar ch pr oblem (sometimes also c al le d a promise pr oblem), so we c annot f ormal ly al lo c ate it to one of the e stablishe d c omplexity classes. However, we observe that, if ther e wer e an algorithm A that would pr o duc e, for any S having a pr op e rty P , a pr o of of that fact in time b ounde d by a p olynomial P ( | S | ) in the “size” | S | of S , then, given an arbitr ary S ′ , we c ould run the algorithm A on S ′ , and if it would not pr o duc e a pr o of of S ′ having the pr op erty P after running over the time P ( | S ′ | ) , we c ould c onclude that S ′ do es not have the pr op erty P , ther eby solving the c orr esp onding de cisi on pr oblem in p olynomial time. 3. Graph isomor p hism In this section, w e describ e a realizat ion of the Protocol I f rom Section 2 (actually , it also fi ts in w ith the Proto col I I), based on the Graph Isomorph ism problem. W e note that th is de cision problem is in th e class NP , but it is not known to b e NP-h ard . Moreo ve r, generic instances of this p r oblem are easy , b ecause t w o r andom graphs are t yp ically non-isomorp h ic for trivial reasons. Ho w ev er, the prob lem that w e actually use in the proto col b elo w, is a pr omise problem: given t w o isomorp hic graphs, fin d a particular isomorphism b et ween them. Th is is not a decision pr oblem; therefore, if w e w an t to allocate it to one of the established complexit y classes, we n eed some k in d of “stratificatio n” to con v ert it to a decision pr ob lem. This can b e done as follo ws . Any isomorphism of a graph Γ on n v ertices can b e identified with a p ermutatio n of the tuple (1 , 2 , . . . , n ), i.e., with an element of the symmetric group S n . If we choose a set of generators { g i } of S n , w e can ask whether or not there is an isomorph ism b et ween tw o giv en graphs Γ and Γ 1 , whic h can b e r epresen ted as a pro d uct of at most k generators g i . T o the b est of our knowledge, the question of NP-hardness of this problem has not b een addressed in the literature, b ut it lo oks like a really in teresting and imp ortant problem. (1) Alice’s p ublic k ey consists of t wo isomorphic graphs, Γ and Γ 1 , and her priv ate k ey is an isomorp hism ϕ : Γ → Γ 1 . 4 (2) T o b egin authen tication, Alice selects an isomorphism ψ : Γ 1 → Γ 2 , and s ends the graph Γ 2 (the commitmen t) to Bob. (3) Bob c ho oses a random b it c and send s it to Alice. • I f c = 0, then Alice sends th e isomorphism ψ to Bob, and Bob c hec ks if ψ (Γ 1 ) = Γ 2 and if ψ is an isomorphism. • I f c = 1, th en Alice send s the comp osition ψ ϕ = ψ ( ϕ ) to Bob, and Bob c h ecks if ψ ϕ (Γ) = Γ 2 and if ψ ϕ is an isomorphism. A couple of commen ts are in order. • As it is us u al with F eige-Fiat- Shamir-like authen tication pr oto cols, steps (2)-(3) of th is proto col h a ve to b e iterated sev eral times to p rev en t a successful forgery with non-negligible probabilit y . • Wh en we sa y that Alice “send s” (or “publishes”) a graph , that means th at Alice sends or p ublishes its adjacency matrix. Thus, the size of Alice’s public key is 2 n 2 , where n is the num b er of v ertices in Γ. • Wh en w e say that Alice sends an isomorph ism, that means that Alice sends a p ermutatio n of the tup le (1 , 2 , . . . , n ), wher e n is the n u m b er of v ertices in the graph in question. Thus, the size of Alice’s priv ate ke y is appro ximately n log n . • Wh en w e say that Alice “selects an isomorph ism”, that m eans that Alice selects a rand om p erm utation from the group S n ; there is extensiv e literat ure on h o w to do this efficien tly , see e.g. [11]. Prop osition 2. Supp ose that after sever al runs of steps (2)-(3) of the ab ove pr oto c ol, b oth values of c ar e enc ounter e d. Then suc c essful for gery i n such a pr oto c ol i s e q uivalent to finding an i somorph ism b etwe en Γ and Γ 1 . Pr o of. S upp ose Eve wan ts to imp ersonate Alice. T o that effec t, sh e interferes with the commitment step by send ing h er own commitment Γ ′ 2 to Bob. Since she should b e prepared to resp ond to the c h allenge c = 0, sh e should know an isomorph ism ψ ′ b et w een Γ and Γ ′ 2 . On the other hand , since she should b e prepared for the c hallenge c = 1, she should b e able to pro du ce the comp osition ψ ′ ϕ = ψ ′ ( ϕ ). Since she kno ws ψ ′ and since ψ ′ is in v ertible, this implies that she can pro d uce ϕ . This complete s the pro of in one direction. The other direction is trivial.  4. Subgraph isomor phism In this section, we describ e another realization of th e Proto col I from S ection 2, based on the S ubgraph Isomorphism pr oblem. It is very similar to th e Graph Isomorphism problem, but it is known to b e NP-hard, see e.g. [4, Problem GT48]. W e also note that this pr oblem con tains man y other pr oblems ab out graphs, includin g the Hamiltonian Circuit problem, as sp ecial cases. The prob lem is: giv en t w o graph s Γ 1 and Γ 2 , fi nd out wh ether or not Γ 1 is isomorphic to a subgraph of Γ 2 . The r elev ant authentica tion proto col is similar to that in Sectio n 3. (1) Alice’s p ublic ke y consists of t wo graphs, Γ and Λ 1 . Alice’s priv ate k ey is a subgraph Γ 1 of Λ 1 and an isomorp h ism ϕ : Γ → Γ 1 . 5 (2) T o b egin authentica tion, Alice selects an isomorphism ψ : Λ 1 → Γ 2 , th en em- b eds Γ 2 in to a bigger graph Λ 2 , and sends the graph Λ 2 (the commitmen t) to Bob. (3) Bob c ho oses a random b it c and send s it to Alice. • I f c = 0, then Alice sends the subgraph Γ 2 and the isomorph ism ψ to Bob, and Bob c hec ks if ψ (Λ 1 ) = Γ 2 and if ψ is an isomorph ism. • I f c = 1, then Alice sends the subgraph Γ 2 and the composition ψϕ = ψ ( ϕ ) to Bob, and Bob c h ec ks whether ψ ϕ (Γ) = Γ 2 and whether ψϕ is an isomorphism. Again, a couple of commen ts are in order. • T he Sub graph Isomorphism pr oblem is NP-complete, s ee e.g. [4]. • Wh en w e sa y that Alic e “sends a su bgraph” of a bigger graph, that means that Alice sends the n umb ers { m 1 , m 2 , . . . , m n } of v ertices that define this sub- graph in the bigger graph. When she sends such a subgraph tog ether with an isomorphism from another (sub)graph, sh e send s a map ( k 1 , k 2 , . . . , k n ) → ( m 1 , m 2 , . . . , m n ) b et wee n the v ertices. • C ompared to the p roto col in Section 3, the size of Alice’s p ublic k ey is somewhat bigger b ecause Alice h as to embed one of the isomorphic graphs into a bigger graph. Th e size of Alice’s priv ate k ey is ab out the s ame as in the proto col of Section 3. 5. Graph colorab ility Graph colorabilit y (more p recisely , k -colorabilit y) app ears as problem [GT4] on th e list of NP-complete p roblems in [4]. W e includ e an authenti cation pr otocol b ased on this problem here as a sp ecial case of the Proto col I I from Sectio n 2. W e note th at a (rather p eculiar) v ariant of this problem w as sho w n to b e NP-hard on aver age in [12] (the latter p ap er deals with edge colo ring though). (1) Alice’s pu blic k ey is a k -colorable graph Γ, and h er priv ate k ey is a k -coloring of Γ, f or some (public) k . (2) T o b egin authent ication, Alice selects an isomorphism ψ : Γ → Γ 1 , and sends the graph Γ 1 (the commitmen t) to Bob. (3) Bob c ho oses a random b it c and send s it to Alice. • I f c = 0, then Alice send s the isomorphism ψ to Bo b. Bob v erifi es that ψ is, ind eed, an isomorphism from Γ on to Γ 1 . • I f c = 1, then Alice sends a k -coloring of Γ 1 to Bob. Bob v erifies that this is, ind eed, a k -coloring of Γ 1 . Again, a couple of commen ts are in order. • I t is ob vious that if Γ is k -colorable and Γ 1 is isomorphic to Γ, then Γ 1 is k -colorable, to o. • Wh en we say that Alic e “sends a k -coloring”, that means that Alice sends a set of pairs ( v i , n i ), where v i is a v ertex and n i are in tegers b et wee n 1 and k such that, if v i is adjacent to v j , then n i 6 = n j . 6 • Alice’s algorithm for creating her p ublic k ey (i.e., a k -colorable graph Γ) is as follo ws. Firs t she selects a num b er n of v ertices; th en s he partitions n into a sum of k p ositiv e in tegers: n = n 1 + . . . + n k . No w the vertex set V of the graph Γ will b e the union of the sets V i of cardinalit y n i . No t wo vertices that b elong to the same V i will b e adjacen t, and any t w o vertices that b elong to different V i will b e adjacen t with pr obabilit y 1 2 . The k -colo ring of Γ) is then ob vious: all v er tices in the set V i are colored in color i . Prop osition 3. Supp ose that after sever al runs of steps (2)-(3) of the ab ove pr oto c ol, b oth values of c ar e enc ounter e d. Then suc c e ssful for gery is e quivalent to finding a k -c oloring of Γ . The pro of is almost exactly the same as that of Prop osition 2. 6. Endomorphisms of groups or rings In this s ection, we describ e a realization of the Proto col I I (it also fits in with the Proto col I) fr om Sectio n 2 b ased on an algebraic problem kno wn as the endomorphism pr oblem , whic h can b e form ulated as f ollo ws. Giv en a group (or a semigroup, or a ring, or whatev er) G and t wo elemen ts g , h ∈ G , fin d out whether or not there is an endomorphism of G (i.e., a h omomorp hism of G into itself ) that tak es g to h . F or some particular groups (and rings), the endomorphism problem is kn o wn to b e equiv alen t to the Diophantine problem (see [9, 10]), an d therefore the decision problem in these groups is algorithmically u nsolv able, whic h implies th at the relate d searc h problem do es not adm it a solution in time b ounded by any recur siv e function of the size of an input. Belo w we give a description of th e authent ication proto col based on the endomor- phism problem, w ithout sp ecifying a platform group (or a ring), and then d iscuss p ossible platforms. (1) Alice’s public key consists of a group (or a ring) G and t wo elemen ts g , h ∈ G , suc h that ϕ ( g ) = h for some en domorphism ϕ ∈ E nd ( G ). This ϕ is Alice’s priv ate key . (2) T o b egin authen tication, Alice selects an automorphism ψ of G and sends the elemen t v = ψ ( h ) (the commitment ) to Bob. • I f c = 0, then Alice sends the automorph ism ψ to Bob, and Bob c h ecks whether v = ψ ( h ) and whether ψ is an automorphism. • I f c = 1, then Alice sends the comp osite end omorphism ψ ϕ = ψ ( ϕ ) to Bob, and Bob chec ks whether ψ ϕ ( g ) = v and wh ether ψ ϕ is an endomorphism. Here we p oin t out that c h ecking wh ether a giv en map is an endomorphism (or an automorphism) d ep ends on how the platform group G is giv en. If , for example, G is giv en b y generators and d efi ning r elators, then c hec king whether a giv en map is an endomorphism of G amounts to chec king whether eve ry d efi ning relator is tak en b y this map to an elemen t equal to 1 in G . Thus, the wor d pr oblem in G (see e.g. [7] or [8]) has to b e efficien tly solv able. 7 Chec king whether a giv en map is an automorphism is more complex, and th er e is no general recip e f or doing that, although f or a particular platform group that we describ e in su bsection 6.1 this can b e don e v ery efficien tly . In general, it wo uld mak e sense for Alice to su pply a pro of (at the resp onse step) th at her ψ is an automorphism; this p ro of w ould then dep end on an algorithm Alice used to pro duce ψ . Prop osition 4. Supp ose that after sever al runs of steps (2)-(3) of the ab ove pr oto c ol, b oth values of c ar e enc ounter e d. Then suc c essful f or gery is e q uivalent to finding an endomorp hism ϕ such that ϕ ( g ) = h , and is ther efor e NP-har d i n some gr oups (and rings) G . Again, the pro of is almost exactl y the same as that of Prop osition 2. W e also note that in [6 ], a class of r ings is designed f or whic h the problem of existence of an endomorphism b etw een tw o giv en rings from this class is NP-hard. A particular example of a group with the NP-hard en d omorphism p roblem is giv en in the follo wing subsection. 6.1. Platform: free metab elian group of rank 2. A group G is called ab elian (or comm u tativ e) if [ a, b ] = 1 for any a, b ∈ G , where [ a, b ] is the n otation for a − 1 b − 1 ab . This can b e generalized in differen t wa ys. A group G is called metab elian if [[ x, y ] , [ z , t ]] = 1 for an y x, y , z , t ∈ G . Th e commutat or su bgroup of G is th e group G ′ = [ G, G ] generated by all comm utators, i.e., b y expressions of the f orm [ u, v ] = u − 1 v − 1 uv , wh ere u, v ∈ G . The second commutat or subgroup G ′′ is the commutato r of the commutato r of G . Definition 1. Let F n b e the free group of rank n . The factor group F n /F ′′ n is called the fr e e metab elian gr oup of rank n , wh ic h w e denote b y M n . Roman’k ov [10] sho wed that, giv en an y Diophantine equation E , one can efficien tly (in linear time in the “length” of E ) constru ct a pair of elements u, v of the group M 2 , suc h that to an y solution of th e equation E , ther e corresp onds an end omorphism of M 2 that takes u to v , and vice v ersa. Therefore, there are pairs of elemen ts of M 2 for whic h the endomorphism problem is NP-h ard (see e.g . [4, Problem AN8]). Thus, if a free metab elian group is used as the platform f or the proto col in this section, then, b y Prop osition 4, f orgery in that proto col is NP-hard . 6.2. Platform: Z ∗ p . Here the platform group is Z ∗ p , f or a prime p . Then, since Z ∗ p − 1 acts on Z ∗ p b y automorph isms, via the exp onentia tion, this can b e used as the platform for the Proto col I. In this case, forgery is equiv alen t to solving the discrete logarithm problem, by Prop osition 4. A cknow le dgement. The fir st author is grateful to Max Planc k Institut f ¨ ur Mathematik, Bonn for its hospitalit y during the work on this pap er. Referen ces [1] P . Caballero-Gil and C. Hern´ andez-Goy a, Str ong Solutions to the Identific ation Pr oblem , in: 7th Annual International Conference COCOON 2001, Lecture Notes Comp. Sc. 2108 (200 1), 257–262 . 8 [2] P . Caballero-Gil and C. Hern´ andez-Goy a, A Zer o-Know le dge I dentific ation Scheme Base d on an A ver age-Case NP-Complete Pr oblem , in: Computer Netw ork Securit y , MMM-A CNS 2003, St. Peters burg, Russia. Lecture Notes Comp. Sc. 2776 (2003), 289–297. [3] U. F eige, A. Fiat and A. Shamir, Zer o know le dge pr o ofs of identity, Journal of Cryptology 1 (1987), 77–94. [4] M. Garey , J. Johnson, Computers and Intr actability, A Guide to NP-Completeness , W. H. F reeman, 1979. [5] O. Goldreic h, F oundations of crypto gr aphy , Cam bridge Unive rsity Press, 2001. [6] D. Grigoriev, On the c ompl exity of the “wild” matrix pr oblems, of the i somorphism of algebr as and gr aphs , Notes of Scientific Seminars of LOMI 105 (1981), 10–17 (in Ru ssian) [English translation in J. Soviet Math. 22 (1983), 1285–1289 ]. [7] R. C. Lynd on, P . E. Schupp, Combinatorial Gr oup The ory , Ergebnisse d er Mathematik, band 89, Springer 1977. Reprin ted in the Springer Classics in Mathematics series, 2000. [8] A. G. Myasniko v, V. Sh pilrain, and A . Ushako v, Gr oup-b ase d crypt o gr aphy , Birkh¨ auser, to app ear. [9] V. A . R oman’ko v, Unsolvabili ty of the pr oblem of endomorphic r e ducibil i ty in fr e e nilp otent gr oups and in fr e e rings , A lgebra and Logic 16 (1977), 310-320. [10] V. A . Roman’ko v , Equations in fr e e metab elian gr oups , Sib erian Math. J. 20 (1979), 469-471. [11] A. S eress, Permutation Gr oup A l gorithms , Cam bridge Universit y Press, 2002. [12] R. V en katesa n, L. Levin, Ran dom Instanc es of a Gr aph Coloring Pr oblem ar e Har d , Pro ceedings of the Annual ACM Symp osium on Theory of Comput ing ( 1988), 217–222. Institut de Reche rche Ma th ´ ema tique, Campus de Beaulieu, 35042 Rennes, France E-mail addr ess : dmitry.grigoryev @univ-rennes 1.fr Dep ar tment of Ma th e ma tics, T h e City College of N ew York, New York, NY 10031 E-mail addr ess : shpil@groups.sci .ccny.cuny.e du