Constant Round Concurrent Zero-Knowledge in the Bounded Player Model

  • Vipul Goyal (Microsoft Research India)

  • Abhishek Jain (MIT and BU)

  • Rafail Ostrovsky (UCLA)

  • Silas Richelson (UCLA)

  • Ivan Visconti (University of Salerno, Italy)


Zero-Knowledge Protocols

  • Prover trying to prove x is in L to the verifier

  • Meet

  • (P, V) is zero knowledge if: there exists which can emulate ’s interaction with prover

and


Concurrent Zero Knowledge [DNS98]

  • (P, V) is concurrent zero knowledge if ZK holds when V* may run many instances of protocol concurrently.



Concurrent ZK (plain model)

General feasibility result first given by Richardson and Kilian [RK’99]

Since then, a body of literature has developed studying the round complexity

Construction with almost logarithmic round complexity [PRS02, KP01]

Shown to be almost optimal using “black-box simulation” [R00, CKPR01]

No constant round protocols known under standard assumptions


Bounded Concurrency Model

In a breakthrough work, Barak [Barak01] introduced the bounded concurrency model:

Total number of concurrent sessions between prover and verifiers is a priori bounded (by a poly)

Barak gave a constant round protocol in this model

introduced non-black-box simulation in cryptography

Open problem: constant round concurrent ZK without this bound?

In general, what level of concurrency can we achieve in constant rounds?


Talk Overview

Bounded player model and our results

Barak’s construction: very high level overview

Our construction

High level idea of our non-black-box simulation strategy


Bounded Player (BP) Model [GJORV13]

  • A bounded number of players in the system

    • Each player may participate in an unbounded (poly) number of concurrent sessions

[Diagram: P and the verifiers V, ..., V, with unbounded concurrent sessions between P and each V]

  • Example: the number of machines over the network may be known

    • However, it is harder to accurately estimate how many processes (communicating over the network) each machine is running


BP model vs Bare Public Key (BPK) model

  • BP model: can ask each player to choose a fixed public key during the first session it participates in

    • No setup phase

    • Player remembers it, and it remains the same in all sessions: the only difference from the plain model

  • BPK model: setup phase involving all players

    • Main property: keys can’t change during rewinding

  • Only superficial similarity: techniques from BPK model have limited relevance here


BP model vs Barak’s bounded concurrency model

  • BP model: much closer in spirit to Barak’s bounded concurrency

    • Strengthening of the bounded concurrency model

  • Provably requires non-black-box (NBB) simulation (unlike BPK)

    • Goyal et al. [GJORV13]: a construction with ω(1) rounds

    • Open: constant round concurrent ZK in BP model? Will subsume the result of Barak


Our Results

  • Main theorem: constant round concurrent ZK in the BP model assuming a collision resistant hash function family

  • Positive step towards getting constant round concurrent ZK in plain model under standard assumptions

  • Technical contribution: new ways of performing NBB simulation

    • Techniques very different from the previous work of Goyal et al. [GJORV13]


NBB vs BB Simulation

Black-box simulation: simply query the adversarial verifier machine as an Oracle (rewinding)

Non-black-box simulation: uses the code of the adversary in a more non-trivial way


Barak’s Construction (oversimplified)

Statement: x in L

  • P → V: Com(M)

  • V → P: Random r

  • WI: x in L or M outputs r

  • Soundness: r is long and random

  • Simulation: if you have code/state of verifier, can construct such M

    • Note: For simulation, constructing the fake witness wf is computationally heavy/expensive

    • Can only simulate a bounded number of sessions in poly-time


Barak’s Construction: Abstraction

Barak’s preamble

Com(M)

Random r

  • Can compute fake witness wf

  • Computationally expensive to compute

  • Can be done for only bounded number of sessions

Use fake witness to complete rest


Building the Protocol

Focus: single verifier, unbounded sessions

  • V → P: pk

  • P → V: Com(M)

  • V → P: Random r

  • Secure two party computation (P inputs wf, V inputs sk): if wf valid fake witness, output sk to first party

  • WI PoK: x ϵ L OR “I know sk”


Problem: Adversarial scheduling

Say adversary leaves most sessions in middle of 2pc

Simulator computes fake witness in unbounded number of sessions

  • V → P: pk

  • P → V: Com(M)

  • V → P: Random r

  • Secure two party computation (P inputs wf, V inputs sk): started but didn’t finish

  • New sessions start

  • [GJORV13] idea: use multiple opportunities for using fake witness (higher round complexity), complex probability distributions


Our Idea: simple

  • fake witness computed in one session useable in others

  • V → P: pk

  • P → V: z = Com(M)

  • V → P: Random r

  • V → P: Signature σ on τ = (z, r)

  • Certified statement = (τ, σ)

  • Compute fake witness wf

  • Secure two party computation (P inputs (τ, σ), wf; V inputs sk): if valid certified statement, fake witness given, output sk

  • WI PoK: x ϵ L OR “I know sk”


Handling adversarial scheduling

Simulator computes fake witness pair just once

  • V → P: pk

  • P → V: z = Com(M)

  • V → P: Random r

  • V → P: Signature σ on τ

  • Secure two party computation (P inputs (τ, σ), wf; V inputs sk): started but didn’t finish

  • New sessions start

  • Secure two party computation (P inputs (τ, σ), wf; V inputs sk)
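The reuse idea from the "Our Idea" and "Handling adversarial scheduling" slides, as an added toy model that is not from the talk or the paper: an adversarial verifier lets the two party computation finish only in the last of n sessions, and the simulator either recomputes a fake witness in every session or reuses one certified statement. Assumptions: SHA-256 stands in for Com, an HMAC under V's key stands in for the signature σ (the ideal 2PC functionality receives sk as V's input, so it can check it), a counter stands in for the heavy computation, and the names `Verifier`, `two_pc` and `simulate` are hypothetical.

```python
import hashlib, hmac, os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

class Verifier:
    """Toy verifier with one long-lived key for all its sessions (BP model)."""
    def __init__(self):
        self.sk = os.urandom(32)    # constructed key; HMAC stands in for the signature
        self.code = os.urandom(32)  # stands for V's code/state M, known to the simulator

    def respond(self, z):
        r = H(self.code, z)                                  # challenge r, i.e. M(z)
        sigma = hmac.new(self.sk, z + r, "sha256").digest()  # sigma on tau = (z, r)
        return r, sigma

def two_pc(v, tau, sigma, wf):
    """Ideal functionality: sk goes to the first party iff (tau, sigma) is a
    certified statement and wf is a valid fake witness for tau."""
    z, r = tau
    code, rnd = wf
    expected = hmac.new(v.sk, z + r, "sha256").digest()
    certified = hmac.compare_digest(sigma, expected)
    valid = H(rnd, code) == z and H(code, z) == r   # z = Com(M) and M outputs r
    return v.sk if certified and valid else None

def simulate(v, n_sessions, finishing, reuse):
    """Adversarial schedule: the 2PC is allowed to finish only in session
    `finishing`. Returns (heavy computations performed, sk or None)."""
    heavy, cached, sk = 0, None, None
    for s in range(n_sessions):
        rnd = os.urandom(16)
        z = H(rnd, v.code)              # z = Com(M), hash-based stand-in
        r, sigma = v.respond(z)
        if sk is None and not (reuse and cached):
            heavy += 1                  # stands for computing the fake witness
            cached = ((z, r), sigma, (v.code, rnd))
        if s == finishing:
            sk = two_pc(v, *cached)
    return heavy, sk
```

With 20 sessions and only the last 2PC allowed to finish, the per-session simulator performs 20 heavy computations and the reusing one performs 1; a statement with a self-chosen r is rejected because V never certified it.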


Are we done?

  • This is a gross oversimplification of our construction

  • In Barak: no such fake witnesses of polynomial size

  • Rather: fake witness is an accepting (encrypted) universal argument execution

    • Need to run 3-round UA and construct fake witness interactively


Our Construction

  • V → P: pk

  • P → V: z = Com(M)

  • V → P: r

  • V → P: Signature σ

  • UA first message (heavy computation)

  • UA challenge

  • UA final message (get fake witness)

  • Adversarial scheduling: what if verifier leaves most sessions in middle of UA? Computation done, yet no fake witness!


Completing the construction

  • Use the same basic idea multiple times

  • Ask the verifier to sign the UA transcript as we go along

  • Even a partially executed (but signed) UA transcript is useful

    • Can be completed in some other session to get a fake witness


Conclusions

  • Constant round concurrent ZK in the bounded player model

    • Subsumes the bounded concurrent ZK of Barak

    • Strongest level of concurrency in plain model in constant rounds (under standard assumptions)

  • Key technical contribution: new ways of performing NBB simulation

    • Reusing heavy computation


Thank You!

