Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

Published byAnahi Samuel Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U."— Presentation transcript:

1 1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

2 2 History: recall original ZK motivation of GMR Prover can interactively convince verifier that x is in L Later, verifier can not convince someone else This prevents off-line plagiarism (i.e. Verifier later claiming the proof as his own).

3 3 What about on-line Adv? Verifier can play man-in-the-middle Handled by the “designated verifier proofs” –[Jackobson,Sako, Impagliazzo], others This LIMITS the dissemination of proofs!

4 4 What we want… To publish the proofs as widely as possible with the authors names Prevent plagiarism So, why not use NIZK?

5 5 NIZK reminder [BFM] Common reference string (R.S.) Prover sends a single message Its transferable Its ZK: –Can simulate the same view [BDPM] –Can simulate with the same R.S. [DDOPS]

6 6 So are we done? Any verifier can take a NIZK proof, and either change it a bit, but still keep it valid or (The first point can be addressed with non- malleable NIZK [DDN][S][DDPOS]) claim it as his own and simply copy

7 7 Non-Malleable NIZK Non-malleability [DDN] “can not constructed related encrypted msg” Non-malleability for NIZK [S][DDOPS] “whatever the verifier can prove after seeing a prove, it can do without seeing the proof” Technical points: (1) generation of CRS; (2) 1 thm vs. many theorems; (3) adaptivity; (4) adv. challenges and the guarantees So, use the strongest def, are we done?

8 8 What is the def. of preventing plagiarism? You have an NP theorem and a witness You want is transferable You have your name (id) as part of it… Want to “bind” the proof to your name (id) such that nobody can change the proof to a different id’

9 9 ID-ZK This talk we concentrate on NIZK (but the notion applies to interactive setting as well) A new notion: NIZK with extractable identity: Prover(id,x,w,CRS)  proof 2 public algs: –check correctness –extract id from proof ZK: for all x in L, and all id, can generate comp indist. View. (1 thm or multiple thms). Sound (w.h.p. can not “cheat”)

10 10 Security of ID-ZK Sound Can not change identities Informally: no poly-time Adv. Can take one or several ID-ZK proofs, and construct a proof for a new id of an “interesting” theorem Interesting  something can Adv. Could not do without any help.

11 11 Security of ID-ZK (cont.) NIZK with extractable identity is ID-ZK if: Adv asks for ID-ZK proofs of different theorems, and different id’s Adv comes up with a proof of a thm with a new id Simulator can output comp. indist. Distribution of thms with new id without any ID-ZK proofs. again several variants of what Adv can ask, the strongest is simulation-soundness

12 12 Remarks about the model PK-infrastructure – does it help? (i.e. what if the prover “signs” his proof?) No, the adv can just get rid of the signature and substitute his own!

13 13 Remarks about the model (cont.) NIZK with a single random string – what does security mean? (since simulator must have a trapdoor info) The point is that we can do the proof without the trapdoor – if there is an adv who can cheat, the proof implies that we can use it to derive the contradiction!

14 14 How easy is it to construct? Also, what is the connection to NIZK in the non-interactive setting?

15 15 Why not use non-mall NIZK? Claim 1: there exists non-malleable NIZK proofs which are not ID-ZK. Claim2: there exists ID-ZK NIZK proofs that are not non-malleable NIZK.

16 16 Why not use non-mall NIZK? Claim 1: there exists non-malleable NIZK proofs which are not ID-ZK. Standard non-mall NIZK do not have any ID. I can simply copy the proof and claim it as my own Remark: [DDN] showed how with ID’s non-mall NIZK is easier to build, this is different!

17 17 Why not use non-mall NIZK? Claim2: there exists ID-ZK proofs that are not non-malleable. Proof idea: take ID-ZK proof, where we attach the first (undetermined) bit. This is malleable, but can still be shown to be ID-ZK!

18 18 ID-ZK are closely related to non-mall NIZK Claim 3: assuming any non-mall NIZK we can construct ID-ZK NIZK. Claim 4: assuming any ID-ZK NIZK, we can construct non-mall NIZK

19 19 ID-ZK are closely related to non-mall NIZK Claim 3: assuming any non-mall NIZK we can construct ID-ZK given (x,w,id) we construct ID-ZK: as follows: Define langue L’(x,id): “either x in L or (a new portion) of CRS is a commitment to id”. Send is ID-ZK (id, non-mall-NIZK for L’). Intuition: if can create new id, violates non- malleability!

20 20 ID-ZK are closely related to non-mall NIZK Claim 4: assuming any ID-ZK we can construct non-mall NIZK Proof idea: use as ID a signature public- key, i.e. id = PK. Let B = id-zk(id,x in L) Send (id; B; sign pk (B)) Note: same proof-structure works for interactive case.

21 21 CONCLUSIONS Many previous works (including DDN) used identities in constructions but this is the first formal definition of binding names to proofs. Our definition is the most interesting part, seems to be a useful building block. What about application-specific efficient implementations?

Download ppt "1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Universal Communication Brendan Juba (MIT) With: Madhu Sudan (MIT)

Universal Communication Brendan Juba (MIT) With: Madhu Sudan (MIT)
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.

Similar presentations

Ads by Google