Impossibility and Feasibility Results for Zero Knowledge with Public Keys
Joël Alwen (Tech. Univ. Vienna, Austria), Giuseppe Persiano (Univ. Salerno, Italy), Ivan Visconti (Univ. Salerno, Italy)

Outline
– Zero Knowledge (ZK)
– Concurrent ZK & Resettable ZK (cZK & rZK)
– ZK with public keys (BPK, UPK)
– Soundness in these PK models
– Impossibility of 3-round sequentially-sound cZK in the BPK model
– rZK proof of membership for L ∈ NP in the UPK model

Interactive Proof Systems in the Plain Model
Common input: the theorem “x ∈ L”. The prover P (random tape r_P, witness w) and the verifier V (random tape r_V) exchange messages a, b, …, z; at the end V outputs Accept or Reject.
Properties:
– Completeness: if the theorem is true ⇒ V outputs “Accept”.
– Soundness: if the theorem is false ⇒ V outputs “Reject”.

Interactive Proofs (2)
Soundness: “no malicious prover P* can convince V of a false theorem”.
Assumptions about P's capabilities:
– P unbounded ⇒ Interactive Proof
– P bounded ⇒ Interactive Argument
Most results are for Interactive Arguments, not proofs.

Zero Knowledge
Intuition: don't give any extra information to any possible verifier V* (P proves “x ∈ L” to an arbitrary V*, which outputs Accept or Reject).
(Black-Box) Zero Knowledge: ∃ an efficient simulator S with (black-box) oracle access to V* that, for true theorems x ∈ L and on input r_V, produces a view (r_V, a, b, …, z) of V* indistinguishable from V*'s view of the real interaction with P (in which P uses r_P and w, and S uses its own random tape r_S).


Concurrent ZK (cZK)
P proves x_1 ∈ L, x_2 ∈ L, …, x_n ∈ L to verifiers V_1, V_2, …, V_n, all running concurrently.
Note: possibly x_i = x_j with i ≠ j.
An evil adversary V* controls all the verifiers and the network scheduling.

Resettable ZK (rZK)
The adversary V* can:
– Reset P to a previous state (including its random tape), spawning a new incarnation of P: P_1 = P(r_1), P_2 = P(r_2), …, P_n = P(r_n).
– Interact concurrently with all incarnations of P, controlling the scheduling.


Models for ZK with Public Keys
In the plain model, constant-round black-box rZK is possible only for trivial languages (L ∈ BPP) [CKPR STOC 01].
– For non-black-box simulation this remains open.
So add some setup assumption to the model.
Bare Public Key (BPK) model:
– In a preprocessing stage, the verifiers register their public keys in a public file. This stage is performed only by verifiers, is non-interactive, and furthermore the public file can be under the control of the adversary!
– In the proof stage, the same public file is part of the common input in all proofs and the verifiers can use their private keys.

BPK Preprocessing Stage
(Figure: honest verifiers V_i, V_s, V_t each register a public key pk_i, pk_s, pk_t, … in the public file, which is maintained outside their control.)

Related Models
The verifier has a persistent counter (in all related models).
– Counter Public Key model (CPK): there is no bound; for any public key it is possible to run any polynomial number of sessions.
– Weak Public Key model (WPK): for each public key there is a bound on the maximum number of sessions with respect to each statement.
– Upperbound Public Key model (UPK): for each public key there is an upper bound on the number of sessions for which it can be used.


4 Notions
[MR Crypto 01] (black-box ZK): there are 4 distinct notions of soundness in the BPK model:
– one-time soundness (OTS)
– sequential soundness (SS)
– concurrent soundness (CS)
– resettable soundness (RS)
(Figure: a sequential malicious prover, emulating P*_1, P*_2, …, P*_n one after the other, attacks V on statements x_1, x_2, …, x_n ∉ L under sequential network scheduling.)


The Complete Round Complexity Analysis
(Table, flattened in the transcript: columns 3-Round OTS / 3-Round SS / 4-Round CS; rows sZK / cZK / rZK; entries [MR Crypto 01], [DPV 04], [DPV Crypto 04] and “Our Result”.)
Our Result: we have resolved the last open problem in the analysis of the round complexity of the various notions of ZK in the BPK model.

Related Proofs
Our result: 3-round black-box cZK with SS in the BPK model only exists for trivial languages.
1. [GK 96]: 3-round black-box ZK in the plain model only exists for trivial languages.
2. [MR Crypto 01]: 3-round black-box rZK with CS in the BPK model only exists for trivial languages.

[GK 96] Proof
A. Assume 3-round black-box ZK in the plain model exists for a language L ⇒ L ∈ BPP.
B. Design a BPP deciding machine D for L by having the simulator S (random tape r_S) run against the honest V's algorithm and inspecting the view (r_V, a, b, …, z) it outputs:
1. If S outputs an Accepting view, then D outputs “x ∈ L”.
2. If S outputs a Rejecting view, then D outputs “x ∉ L”.

[GK 96] Proof (2)
C. Prove correctness of D by showing a strong correlation between S's output and the truth of the theorem.
1. Rule B.2 (rejecting view ⇒ x ∉ L) follows from completeness and the ZK property: for x ∈ L the honest P makes V accept, so S's simulated view must be accepting as well, or the two views would be distinguishable.
2. Rule B.1 (accepting view ⇒ x ∈ L) is shown by contradiction: if S produced an accepting view for some x ∉ L, a malicious prover P* could run S internally to convince V of the false statement.
3. The catch is that S may reset the copy of V it emulates, while P* interacts with the real V and cannot reset it. Prove that, with only a polynomial loss of efficiency, V is convinced by P* even without P* being able to reset V.
(Figure: P* emulates S, which can reset its internal V, while P* itself interacts with the real V on x ∉ L, which it can't reset.)

[MR Crypto 01] Extension
Assume a 3-round black-box rZK protocol with CS in the BPK model exists for the language L.
– Steps B.1 to C.1 are the same in the BPK model.
– Steps C.2 – C.3 need adjustment: P* requires concurrent access to V (several sessions under the same public file, with P* controlling the scheduling) in order to use S's output to cheat against the honest V.
Thus CS is proved impossible, but not SS, which is weaker (i.e. gives less power to P*).
(Figure: P* emulates S while running concurrent sessions with V on x_1, x_2, …, x_n ∉ L under the public file, controlling the scheduling.)

Our Addition
In order to show that sequential access to V by P* suffices, we require an added power: use that S is a concurrent ZK simulator, which works against any verifier algorithm, including our specially designed V*.
(Figure: P* emulates S interacting with V*, with S controlling the scheduling of the concurrent sessions; P* itself interacts with the real V on x_1, x_2, …, x_n ∉ L under sequential scheduling.)

Our Addition (2)
By careful design of P* and V*, we show that if S is efficient then it must solve at least one of the concurrent sessions with V* straight-line (i.e. without a rewind).
We then demonstrate how P* can, efficiently enough, guess which session this is and use it to convince V of a false statement.


Result Overview
Result: a 3-round rZK proof with CS for all of NP in the UPK model.
– The prover has unlimited computational power! So given a public key it can calculate the secret key… Hence we need a public key that corresponds to a super-polynomial number of secret keys.
– Moreover, no assumptions regarding the hardness of super-polynomial-time algorithms need to be made (no complexity leveraging).
– Uses a perfectly hiding commitment scheme to make (pk, sk_1, …, sk_m).

UPK Setup
UPK model with upper bound n and security parameter k. Each verifier V_i registers in the public file a key pk_i = (pk_i^1, pk_i^2, …, pk_i^n), one entry per session (n times).
For each j: sk_j := (r_j, x_j) ←R {0,1}^k × {0,1}^k and pk_j := commit(x_j, r_j), where commit is perfectly hiding and r_j are its random coins.

The Protocol (P ⟷ V)
Building blocks:
– [Com(), Dec()]: perfectly binding commitment scheme, used by P.
– [Com(), Dec()]: perfectly hiding commitment scheme, used for the public file (pk_j := Com(x_j, r_j)).
– [Zap_1, Zap_2(·)]: two-round resettable witness-indistinguishable proof system, implemented with Zaps from [DN FOCS ‘00].
Common input: x and the public key pk. P's private input: a witness to x ∈ L. V's private input: sk_c := (x_c, r_c) for its key pk_c and its persistent counter c.
Round 1 (P → V): m = Com(w).
Round 2 (V → P): the counter value c (selecting pk_c) and Zap_1.
Round 3 (P → V): Zap_2 proving “Dec(m) = w” and either “w = sk_c” or “w is a witness to x ∈ L”.
This follows the FLS paradigm [FLS SJoComp ’99].

Properties (Idea)
– Complete: the honest prover P can send Com(w := witness to x ∈ L) in round 1 and prove the second branch in round 3.
– Sound: when the (unbounded) P* sends Com(w) in round 1, it has only seen a perfectly hiding commitment to sk_c in the public file, so nothing it has seen singles out sk_c; since Com is perfectly binding, w is fixed before P* learns anything more.
– rZK: the simulator can rewind V so that it uses the same counter value, and thus the same sk_c, again. After at most n rewinds all secret keys are known, and the rest can be simulated straight-line.
That's all folks. Thank you!
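To make the UPK setup and the soundness idea concrete, here is an added example (not code from the talk): it instantiates the unspecified perfectly hiding scheme with Pedersen commitments over a tiny safe-prime group in place of the security parameter k, generates a verifier's n key pairs (pk_j, sk_j = (x_j, r_j)), runs the persistent counter with its upper bound, and shows by brute force what an unbounded prover learns from pk_c: one valid opening for every possible x, i.e. the public key is consistent with q secret keys. The trapdoor T (log_G of H), the names upk_keygen and UPKVerifier, and the group parameters are assumptions of this example; a real setup must not know T.

```python
"""UPK key setup over a Pedersen commitment. Added example, not code from the
talk. Assumed: Pedersen stands in for the perfectly hiding scheme; a tiny
safe-prime group replaces the security parameter k; the trapdoor T is kept
only to show that every pk opens to every x; names are hypothetical."""
import secrets
from dataclasses import dataclass

# Toy group: p = 2q + 1 with p, q prime; G = 2^2 is a quadratic residue, so it
# generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4
T = 137                 # trapdoor log_G(H); a real setup must not know it
H = pow(G, T, P)


def commit(x: int, r: int) -> int:
    """Pedersen Com(x; r) = G^x H^r mod p. For fixed x, uniform r in Z_q makes
    the output uniform in the subgroup: perfectly hiding."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P


def open_ok(pk: int, x: int, r: int) -> bool:
    """Check that (x, r) is a valid opening (secret key) for pk."""
    return commit(x, r) == pk


def equivocate(x: int, r: int, x_new: int) -> int:
    """With the trapdoor, find r' such that Com(x_new; r') == Com(x; r), using
    x + T*r == x_new + T*r' (mod q). Shows an opening exists for every x."""
    return (r + (x - x_new) * pow(T, -1, Q)) % Q


def unbounded_prover_openings(pk: int) -> dict:
    """What an unbounded P* gets from pk by brute force: an opening x -> r for
    EVERY x in Z_q, so pk does not single out one secret key."""
    h_table = {pow(H, r, P): r for r in range(Q)}   # all q values of H^r
    return {x: h_table[pk * pow(G, -x, P) % P] for x in range(Q)}


@dataclass
class UPKKey:
    pks: list   # pk_1..pk_n, registered in the public file
    sks: list   # sk_j = (x_j, r_j), kept by the verifier


def upk_keygen(n: int) -> UPKKey:
    """Verifier registers n commitments; n is the UPK upper bound on sessions."""
    sks = [(secrets.randbelow(Q), secrets.randbelow(Q)) for _ in range(n)]
    return UPKKey([commit(x, r) for x, r in sks], sks)


class UPKVerifier:
    """Persistent counter: session c uses (pk_c, sk_c); refuses past the bound."""

    def __init__(self, key: UPKKey):
        self.key = key
        self.c = 0

    def next_session(self):
        """Return (c, pk_c, sk_c) for the next session; raise once all n are used."""
        if self.c >= len(self.key.pks):
            raise RuntimeError("UPK upper bound reached: no unused key pair")
        c = self.c
        self.c += 1
        return c, self.key.pks[c], self.key.sks[c]


if __name__ == "__main__":
    key = upk_keygen(3)
    v = UPKVerifier(key)
    c, pk_c, (x_c, r_c) = v.next_session()
    print("session", c, "opening valid:", open_ok(pk_c, x_c, r_c),
          "candidate secret keys for pk_c:", len(unbounded_prover_openings(pk_c)))
```

The brute-force search is exactly the power the unbounded prover has, and it returns q openings rather than one, which is the page's point that the public key must correspond to a super-polynomial number of secret keys; the verifier's counter enforces the UPK bound by refusing an (n+1)-th session instead of reusing a key pair.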