
1 Impossibility and Feasibility Results for Zero Knowledge with Public Keys
Joël Alwen (Tech. Univ. Vienna, Austria), Giuseppe Persiano (Univ. Salerno, Italy), Ivan Visconti (Univ. Salerno, Italy)

2 Outline
–Zero Knowledge (ZK)
–Concurrent ZK & Resettable ZK (cZK & rZK)
–ZK with public keys (BPK-UPK)
–Soundness in these PK models
–Impossibility of 3-round sequentially-sound cZK in the BPK model
–rZK proof of membership for L ∈ NP in the UPK model

3 Interactive Proof Systems in the Plain Model
Theorem: “x ∈ L”. Prover P interacts with verifier V.
Properties:
–Completeness: if the theorem is true ⇒ V outputs “Accept”.
–Soundness: if the theorem is false ⇒ V outputs “Reject”.
(Diagram: P holds random tape r_P and witness w, V holds random tape r_V; messages a, b, z are exchanged and V outputs Accept or Reject.)

4 Interactive Proofs (2)
Soundness: “no malicious prover P can convince V of a false theorem”.
Assumptions about P’s capabilities:
–P unbounded ⇒ Interactive Proof
–P bounded ⇒ Interactive Argument
Most results are for interactive arguments, not proofs.

5 Zero Knowledge
Intuition: don’t give any extra information to any possible verifier.
Theorem: “x ∈ L”. Prover P interacts with any verifier V*, which outputs Accept or Reject.
(Black-Box) Zero Knowledge ⇔ ∃ efficient S with oracle access to V* simulating V*’s view of the interaction with P for true theorems.
(Diagram: for x ∈ L, the real interaction gives V* the view (r_V, a, b, …, z); S, given r_V as input and black-box access to V*, outputs the same view.)

6 Outline (next section: Concurrent ZK & Resettable ZK)

7 Concurrent ZK (cZK)
P proves x_1 ∈ L, x_2 ∈ L, …, x_n ∈ L to verifiers V_1, V_2, …, V_n concurrently.
Note: possibly x_i = x_j with i ≠ j.
Evil adversary V* controls the network scheduling.

8 Resettable ZK (rZK)
Adversary V* can:
–Reset P to a previous state (including its random tape), spawning a new incarnation of P
–Interact concurrently with all incarnations of P
(Diagram: incarnations P_1 = P(r_1), P_2 = P(r_2), …, P_n = P(r_n) with random tapes r_1, r_2, …, r_n; V* controls the scheduling.)

9 Outline (next section: ZK with public keys)

10 Models for ZK with Public Keys
In the plain model, constant-round black-box rZK is only possible for trivial languages (L ∈ BPP) [CKPR STOC 01].
–For non-black-box this remains open.
So add some setup assumption to the model.
Bare Public Key (BPK) model:
–In a preprocessing stage, the verifiers register their public keys in a public file. This stage is performed only by verifiers, is non-interactive, and furthermore the public file can be under the control of the adversary!
–In the proof stage, the same public file is part of the common input in all proofs and the verifiers can use their private keys.

11 BPK Preprocessing Stage
(Diagram: verifiers V_i, V_s, V_t, among them an honest verifier, register their public keys pk_i, pk_s, pk_t in the public file.)

12 Related Models
The verifier has a persistent counter (in all related models).
–Counter Public Key model (CPK): there is no bound; specifically, for any public key it is possible to run any polynomial number of sessions.
–Weak Public Key model (WPK): for each public key there is a bound on the maximum number of sessions w.r.t. each statement.
–Upperbound Public Key model (UPK): for each public key there is an upper bound on the number of sessions for which it can be used.

13 Outline (next section: Soundness in these PK models)

14 4 Notions
[MR Crypto 01] (black-box ZK): there are 4 distinct notions of soundness in the BPK model:
–one-time soundness (OTS)
–sequential soundness (SS)
–concurrent soundness (CS)
–resettable soundness (RS)
(Diagram: a sequential malicious prover emulates P*_1, P*_2, …, P*_n, attacking V on statements x_1, x_2, …, x_n under sequential network scheduling.)

15 Outline (next section: Impossibility of 3-round sequentially-sound cZK in the BPK model)

16 The Complete Round Complexity Analysis
(Table: rows sZK, cZK, rZK; columns 3-Round OTS, 3-Round SS, 4-Round CS; entries cite [MR Crypto 01], [DPV 04], [DPV Crypto 04] and Our Result.)
We have resolved the last open problem of the analysis of round complexity of various notions of ZK in the BPK model.

17 Related Proofs
Our result: 3-round black-box cZK with SS in the BPK model only exists for trivial languages.
1. [GK 96]: 3-round black-box ZK in the plain model only exists for trivial languages.
2. [MR Crypto 01]: 3-round black-box rZK with CS in the BPK model only exists for trivial languages.

18 [GK 96] Proof
A. Assume 3-round black-box ZK in the plain model exists for a language L ⇒ L ∈ BPP.
B. Design a BPP deciding machine D for L by having the simulator S run against the honest V’s algorithm.
1. If S outputs an accepting view then x ∈ L.
2. If S outputs a rejecting view then x ∉ L.
(Diagram: D emulates V and executes S with random tape r_S on input x; S produces the view (r_V, a, b, …, z) and D outputs x ∈ L or x ∉ L accordingly.)

19 [GK 96] Proof (2)
C. Prove correctness of D by showing a strong correlation between S’s output and the truth of the theorem.
1. The correctness of B.1 follows from the ZK property of the protocol.
2. To show B.2 is correct, demonstrate (by contradiction) how a malicious prover P* could run S to convince V of a false statement.
3. Prove that, with only polynomial loss of efficiency, V will be convinced by P* even without P* being able to reset V.
(Diagram: P* emulates V and executes S with random tape r_S; S can reset the emulated V, while P* interacts with the real V, which it can’t reset.)

20 [MR Crypto 01] Extension
Assume a 3-round black-box rZK protocol with CS in the BPK model exists for the language L.
B.1 to C.1 are the same in the BPK model.
C.2 – C.3 need adjustment:
–Require concurrent powers of P* in order to use S’s output to cheat against honest V.
Thus CS is proved impossible, but not SS, which is weaker (i.e. gives less power to P*).
(Diagram: P* emulates V and executes S with random tape r_S, while running concurrent sessions on x_1, x_2, …, x_n against V with the public file, controlling the scheduling.)

21 Our Addition
In order to show that sequential access to V by P* suffices, we require an added power.
Use that S is a concurrent ZK simulator which works against any verifier algorithm, including our specially designed V*.
(Diagram: P* emulates V* and executes S with random tape r_S, controlling the scheduling of S’s concurrent sessions on x_1, x_2, …, x_n, while interacting with the real V under sequential scheduling.)

22 Our Addition (2)
By careful design of P* and V*, we show that if S is efficient then it must solve at least one of the concurrent sessions with V* straight-line (i.e. without a rewind).
Demonstrate how P* can efficiently enough guess which session this is and use it to convince V of a false statement.

23 Outline (next section: rZK proof of membership for L ∈ NP in the UPK model)

24 Result Overview
Result:
–Present a 3-round rZK proof with CS for all NP in the UPK model.
The prover has unlimited computational power! So given a public key it can calculate the secret key… So we need a public key which corresponds to a super-polynomial number of secret keys.
–Moreover, no assumptions regarding the hardness of superpolynomial-time algorithms need to be made (no complexity leveraging).
–Uses a perfectly hiding commitment scheme to make (pk, sk_1, …, sk_m).

25 UPK Setup
UPK model: security parameter k, upper bound n.
For j = 1, …, n: sk_j := (r_j, x_j) ∈_R {0,1}^k × {0,1}^k (r_j are the random coins), pk_j := commit(x_j, r_j) with a perfectly hiding commitment.
Public file: the entry of V_i is pk_i = (pk_i^1, pk_i^2, …, pk_i^n), i.e. n keys.

26 The Protocol
[Com(), Dec()]: perfectly binding commitment scheme.
[Com(), Dec()]: perfectly hiding commitment scheme (used for the public keys, pk_j := Com(x_j, r_j)).
[Zap_1, Zap_2(.)]: two-round resettable witness-indistinguishable proof system, implemented with Zaps from [DN FOCS ’00].
Using the FLS paradigm [FLS SJoComp ’99].
Common input: x ∈ L and the public file entry pk; P additionally holds a witness to x ∈ L.
Round 1 (P → V): m = Com(w).
Round 2 (V → P): counter c, pk_c, sk_c := (x_c, r_c) and Zap_1.
Round 3 (P → V): Zap_2(“Dec(m) = w” and either “w = sk_c” or “w witness to x ∈ L”).

27 Properties (Idea)
Complete: the honest prover P can send Com(w := witness to x ∈ L) in round 1.
Sound: because when the (unbounded) P* sends Com(w) in round 1, it has only seen a perfectly hiding commitment to sk_c in the public file.
rZK: the simulator can rewind V to use the same counter and thus the same sk_c again. After at most n rewinds all secret keys are known. The rest can be simulated straight-line.
That’s all folks. Thank you!
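Added example (not from the talk or its authors): a toy instance of the UPK setup and simulation idea from slides 25–27, using a Pedersen commitment in a tiny constructed group. It shows that each public key opens to q candidate secret keys (the perfectly hiding property that defeats an unbounded prover) and how a simulator rewinds the verifier once per newly seen sk_c and then proceeds straight-line. The group parameters, the Verifier class and simulate() are assumptions of this example; the zap and the perfectly binding round-1 commitment are only indicated in comments.

```python
import random

# Toy Pedersen commitment in the order-11 subgroup of Z_23^* (g = 2, h = 4 = g^2).
# Constructed parameters for illustration only: a real instance uses a large
# prime-order group in which nobody knows log_g(h).
P, Q, G, H = 23, 11, 2, 4

def commit(x, r):
    """Perfectly hiding commitment g^x * h^r mod p, with x, r in Z_q."""
    return pow(G, x, P) * pow(H, r, P) % P

def upk_keygen(n, seed):
    """Verifier setup: pk = (pk_1..pk_n) with pk_j = commit(x_j, r_j), sk_j = (x_j, r_j)."""
    rng = random.Random(seed)
    secrets = [(rng.randrange(Q), rng.randrange(Q)) for _ in range(n)]
    return [commit(x, r) for x, r in secrets], secrets

def openings(pk):
    """All (x', r') opening pk: exactly one per x', so pk corresponds to q
    candidate secret keys and even an unbounded prover learns nothing about x."""
    return sorted((x, r) for x in range(Q) for r in range(Q) if commit(x, r) == pk)

class Verifier:
    """V* that chooses the key index c for each session (honest V: 0, 1, 2, ...
    up to the bound n); round 2 reveals (c, sk_c). Its choice cannot depend on
    the content of the prover's round-1 commitment, which is hiding."""
    def __init__(self, secrets, schedule):
        self.secrets, self.schedule, self.pos = secrets, schedule, 0
    def round2(self):
        c = self.schedule[self.pos]
        self.pos += 1
        return c, self.secrets[c]

def simulate(verifier, public_file):
    """Black-box simulator: rewinds V once per previously unseen sk_c and runs
    every other session straight-line. Returns (rewinds, keys learned)."""
    known, rewinds = {}, 0
    while verifier.pos < len(verifier.schedule):
        state = verifier.pos                 # snapshot of V's state at session start
        c, (x, r) = verifier.round2()        # simulator sees (c, sk_c) in round 2
        if commit(x, r) != public_file[c]:   # prover's check: sk_c must open pk_c
            raise ValueError("revealed key does not open pk_c")
        if c not in known:                   # new key: learn it, rewind, replay
            known[c], rewinds = (x, r), rewinds + 1
            verifier.pos = state             # V is back at session start ...
            assert verifier.round2()[0] == c # ... so it reuses counter c and sk_c
        # round 3: Zap_2 proves Dec(m) = w with w = known[c], no witness needed
    return rewinds, known
```

With three keys and a verifier that reuses indices across six sessions, the simulator rewinds exactly three times and afterwards holds every secret key.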

