
On Round-Optimal Zero Knowledge in the Bare Public Key Model



Presentation Transcript


  1. On Round-Optimal Zero Knowledge in the Bare Public Key Model. Alessandra Scafuro and Ivan Visconti, University of Salerno, Italy.

  2. FOCUS: Round-Optimal (4 rounds) concurrent and resettable Zero Knowledge in the Bare Public Key Model. Both have already been achieved:
  • Round-optimal Resettable ZK (complexity leveraging): [MR01] only sequential soundness; [DPV04] concurrent soundness; [YZ07] under generic assumptions.
  • Round-optimal Concurrent ZK (standard assumptions): [Z03] only sequential soundness; [DV05] concurrent soundness; [V06] efficiently; [D09] minimal assumptions; [YZ10] sophisticated notion of argument of knowledge.
  What do we do in this paper?

  3. Our Contribution
  • We point out a subtle issue in the zero-knowledge proof of all round-optimal (concurrent and resettable) protocols.
  • Alternative proof? The structure of almost all round-optimal protocols makes the design of any simulator problematic.
  • Exceptions that could admit alternative simulators: the resettable ZK of [YZ07] (uses complexity leveraging) and the concurrent ZK of [Z03] (only sequential soundness).
  • A new round-optimal concurrent ZK argument with concurrent soundness under standard assumptions. The same protocol admits an efficient implementation.
  • Round-optimal resettable ZK (similar to [YZ07]), with a new proof.

  4. Outline • Definitions • Concurrent Zero Knowledge • Bare Public Key (BPK) Model • Concurrent Zero Knowledge and Soundness in the BPK model • Round-optimal Concurrent Zero Knowledge: • the issue of all zero-knowledge simulators • the difficulty of designing any alternative simulator • Our technique

  5. Zero-knowledge Interactive Proofs (standard model). Common input: x ∈ L; the prover P additionally holds a witness w with (x,w) ∈ R_L; P and V interact.
  • Completeness: if both P and V are honest, V accepts the proof.
  • Soundness: if the theorem is false, no P* can convince V (except with negligible probability).
  • Zero Knowledge (intuition): any V* learns nothing but the fact that the theorem is true.

  6. Zero Knowledge (stand-alone). Does V* learn anything? In the real interaction P (holding x and the witness) talks to V* (holding x), and V* produces an output. The simulator Sim gets only x and black-box access to V* (with V*'s coins fixed) and must produce an output with the same distribution; a black-box Sim may rewind V*, i.e. re-run it from an earlier point with the same coins. Stand-alone: V* opens a single session.

  7. Concurrent Zero Knowledge. More realistic setting: V* can open many sessions (Session 1, 2, 3, 4, ...) with P concurrently. Upon seeing a new message, V* adaptively plays new sessions and interleaves them as it likes.

  8. Constant-round concurrent black-box Zero Knowledge (cZK) in the standard model is impossible [CKPR01]. Achieving black-box constant-round cZK requires setup assumptions.

  9. Bare Public Key Model. Introduced in STOC 2000 by Canetti, Goldreich, Goldwasser and Micali.
  Assumption: each verifier must be associated with a permanent public key, registered in a public file before any proof starts.
  • Registration phase: each verifier V_IDi (holding SK_i) registers PK_IDi in the public file. The phase is non-interactive, fully controlled by V*, and no trusted party is involved.
  • Proof phase: V* can still open an unbounded (poly) number of sessions and has full control of the schedule. The only restriction: V* cannot play with an identity that is not in the public file (P checks that the identity ID_i, ID_k, ... it is talking to appears there).

  10. Achieving constant-round concurrent ZK in the BPK model. Common input x ∈ L; P holds (x,w) ∈ R_L; V_ID holds the secret SK_ID corresponding to its registered PK_ID.
  • πV (messages 1-πV, 2-πV, 3-πV): V_ID uses its secret SK_ID in 3-πV, and the secret is extractable through rewinds.
  • πP (messages 1-πP, 2-πP, 3-πP): P convinces V_ID if 1) it knows a witness OR 2) it knows SK_ID, i.e. "it is able to compute something computable only with knowledge of SK_ID".
  Concurrent Zero Knowledge Sim:
  • gets SK_ID by rewinding πV;
  • runs πP in straight-line using SK_ID;
  • once SK_ID is extracted, all sessions played with V_ID are run in straight-line;
  • poly time: the number of extractions is bounded by the number of identities.

  11. Concurrent Soundness in the BPK model. IDEA: if known, the secret SK_ID should be used already in the first message 1-πP.
  Proving concurrent soundness means ruling out a man-in-the-middle attack: a P* that, in concurrent executions, exploits V_ID's use of SK_ID (3-πV) in one session to convince V_ID in another session.
  Concurrent Zero Knowledge is still preserved: Sim extracts the secret before having to play the first message 1-πP.

  12. Concurrent Zero Knowledge and Soundness: the resulting protocol. P holds (PK_ID, w), V_ID holds SK_ID. Message flow: 1-πV, 2-πV, 3-πV (uses SK_ID); then (SK_ID) 1-πP, 2-πP, 3-πP. πP starts only after πV is complete, so the secret used in 1-πP has already been made extractable.

  13. Outline • Definitions • Concurrent Zero Knowledge • Bare Public Key (BPK) Model • Concurrent Zero Knowledge and Soundness in the BPK model • Round-optimal Concurrent Zero Knowledge: • the issue of all zero-knowledge simulators • the difficulty of designing any alternative simulator • Our technique

  14. Round-Optimal (4 rounds) Concurrent Zero Knowledge and Soundness. P holds (PK_ID, w), V_ID holds SK_ID. To fit in 4 rounds the two sub-protocols are interleaved: round 1 (V_ID): 1-πV; round 2 (P): 2-πV and (SK_ID) 1-πP; round 3 (V_ID): 3-πV and 2-πP; round 4 (P): 3-πP.
  The secret is used before V_ID completes its protocol: Sim has to play the message that depends on SK_ID without knowing it yet. Concurrent simulator?

  15. Concurrent Simulator in the Literature. All (published) simulators follow the same strategy: simulation in phases. When playing with an "unresolved" identity V*_ID, Sim:
  1) plays a "bad" first message 1-πP (it receives 1-πV, answers with 2-πV and a bad 1-πP, then receives 3-πV and 2-πP);
  2) extracts the secret needed to solve the session (by rewinding πV);
  3) starts the simulation from scratch (a new phase) with knowledge of one more secret SK_ID.
  Number of phases = number of identities (poly).
  Our contribution: such a simulation approach leads to a distinguishable distribution.

  16. A dummy attack: the schedule. V* opens two sessions with the same identity. Session 1: 1-πV, then 2-πV together with (SK_ID) 1-πP. Session 2: 1-πV, then 2-πV together with (SK_ID) 1-πP, then 3-πV and 2-πP, then 3-πP (Session 2 completes). Finally Session 1: 3-πV and 2-πP, then 3-πP.
  17. A dummy attack: V* strategy. V* aborts Session 1 with prob. 1/2 and aborts Session 2 with prob. 1/2, where each coin is taken over the transcript seen so far (the decision is a function of the messages received up to that point).
  18. Probability of abort in the real game: Pr[Abort S1] x Pr[Abort S2] = 1/2 x 1/2 = 1/4.
  19-20. Probability of abort in the simulation. Sim plays a "bad" 1-πP in both sessions (the identity is unresolved).
  • Case 1: V* aborts both sessions in this phase. Sim outputs the view as it is: Pr[Abort S1] x Pr[Abort S2] = 1/2 x 1/2 = 1/4.
  • Case 2: V* does not abort Session 1 (prob. 1/2) but aborts Session 2 (prob. 1/2). Sim extracts the secret needed to solve Session 1 and starts the simulation from scratch with knowledge of the secret. In the new phase 1-πP is "good", so the transcript changes and V*'s coins are fresh: both sessions abort again with Pr[Case 1] = 1/4. Overall: Pr[NOT Abort S1] x Pr[Abort S2] x Pr[Case 1] = 1/2 x 1/2 x 1/4 = 1/16.
  Sim outputs two aborts with probability at least Case 1 + Case 2 = 1/4 + 1/16 = 5/16 > 1/4, the probability in the real game.

  21. Simulation in phases yields a distinguishable output. Alternative simulation strategies? Trivially, there exists a simulator for the dummy V* seen so far; but what about more sophisticated V*s that abort with different probabilities in different sessions?
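The abort-counting argument of slides 16 to 21, worked out as an added example (this is not part of the original presentation and not the authors' code). The dummy V* is modelled as deciding each abort by a fair coin that is a function of the transcript seen so far, which is exactly what the argument needs: after the simulator restarts with a "good" first message, V* is looking at a transcript prefix it has never seen, so its coins are fresh. Two assumptions are made that the slides leave implicit: V* decides right after the prover's first message 1-πP, and whenever a session is not aborted in the first phase the simulator's extraction of SK_ID succeeds. The slides count only the sub-case "S1 not aborted, S2 aborted" to obtain the lower bound 5/16; in this model the exact probability of a two-abort view is 7/16. Distributions are computed exactly by branching on every oracle query rather than by sampling.

```python
from fractions import Fraction


class Undetermined(Exception):
    """Raised when the experiment asks the oracle about a transcript prefix not fixed yet."""

    def __init__(self, key):
        super().__init__(key)
        self.key = key


def coin(oracle, key):
    # V*'s abort decision is a fair coin "taken over the transcript seen so far":
    # modelled as a random function of the transcript prefix `key`.
    if key not in oracle:
        raise Undetermined(key)
    return oracle[key]


def distribution(experiment):
    """Exact distribution of experiment(oracle) over a uniformly random oracle.

    The experiment is run with a partially fixed oracle; on the first query to an
    unfixed prefix we branch on both answers with weight 1/2 each."""

    def explore(fixed):
        try:
            return {experiment(fixed): Fraction(1)}
        except Undetermined as u:
            dist = {}
            for bit in (False, True):
                for view, p in explore({**fixed, u.key: bit}).items():
                    dist[view] = dist.get(view, Fraction(0)) + p / 2
            return dist

    return explore({})


def two_sessions(oracle, first_msg):
    """Schedule of slide 16: V* opens two sessions with the same identity and decides
    whether to abort each of them right after the prover's first message 1-πP.
    `first_msg(i)` is the flavour ("good"/"bad") of 1-πP sent in session i (assumed model)."""
    m1 = first_msg(1)
    abort1 = coin(oracle, ("S1", m1))
    m2 = first_msg(2)
    # The prefix for session 2 includes everything V* saw so far, including abort1.
    abort2 = coin(oracle, ("S1", m1, abort1, "S2", m2))
    return abort1, abort2


def real_game(oracle):
    # Honest prover: 1-πP is well formed (computed from the witness) in every session.
    return two_sessions(oracle, lambda i: "good")


def phase_simulator(oracle):
    # Phase 1: the identity is unresolved, so the simulator sends a "bad" 1-πP.
    abort1, abort2 = two_sessions(oracle, lambda i: "bad")
    if abort1 and abort2:
        # Case 1 of slide 19: nothing to extract, the view already has two aborts.
        return abort1, abort2
    # Some session reached 3-πV: SK_ID is extracted by rewinding (assumed to succeed)
    # and the simulation restarts from scratch. The first messages are now "good",
    # the transcript prefixes are new, and V*'s coins are fresh (slide 20).
    return two_sessions(oracle, lambda i: "good")


def abort_gap():
    """Probability of a view with two aborts in the real game and in the simulation."""
    both = (True, True)
    return distribution(real_game)[both], distribution(phase_simulator)[both]


if __name__ == "__main__":
    real, sim = abort_gap()
    print("Pr[two aborts] real game :", real)   # 1/4
    print("Pr[two aborts] simulation:", sim)    # 7/16 (slides' lower bound: 5/16)
```

A distinguisher that outputs 1 when both sessions aborted separates the two distributions with advantage 3/16, and the gap comes entirely from the restart: if the simulator could keep the phase-1 transcript, V*'s coins would be re-evaluated on the same prefixes and the counts would match.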

  22. The problem: the structure of round-optimal protocols. In order to "solve" a session played with a new identity, Sim has to change the view of the verifier: it first plays a "bad" first message 1-πP, extracts SK_ID from 3-πV, and then plays a "good" first message in the new phase. Changing the view of V* skews the output distribution, so designing a successful simulation strategy seems problematic.
  Remark: protocols that do not follow this structure could admit alternative strategies: the resZK of [YZ07] (complexity leveraging) and the cZK of [Z03] (only sequential soundness).

  23. Outline • Definitions • Concurrent Zero Knowledge • Bare Public Key (BPK) Model • Concurrent Zero Knowledge and Soundness in the BPK model • Round-optimal Concurrent Zero Knowledge: • the issue of all zero-knowledge simulators • the difficulty of designing any alternative simulator • Our technique

  24. Our round-optimal concurrent ZK. V_ID holds the permanent secret SK_ID; P holds (PK_ID, w).
  • Round 1 (V_ID): picks a fresh key pair (PK_temp, SK_temp) at random and sends PK_temp, 1-πtemp and 1-πV. πtemp makes SK_temp extractable through rewinds.
  • Round 2 (P): 2-πtemp, 2-πV and (SK_ID) 1-πP.
  • Round 3 (V_ID): 3-πtemp, 3-πV and 2-πP.
  • Round 4 (P): 3-πP.
  V_ID accepts if P knows either: the witness, OR the permanent secret SK_ID (used already in the first prover message), OR the temporary secret key SK_temp (used only in the last prover message).
  KEY IDEA: the temporary secret key SK_temp is used only in the last message 3-πP, i.e. only after the extraction.

  25. The simulator. Same message flow as in slide 24 (PK_temp, 1-πtemp, 1-πV; 2-πtemp, 2-πV, (SK_ID) 1-πP; 3-πtemp, 3-πV, 2-πP; 3-πP). Two-mode simulation (allows Sim to keep the main thread unchanged):
  • to solve a session initiated by an unknown identity, Sim extracts both the permanent SK_ID and the temporary key SK_temp, and computes the last message 3-πP using SK_temp;
  • to solve a session initiated by a known identity, Sim runs in straight-line, computing 3-πP using the permanent secret SK_ID;
  • the view of V* in the two modes must be statistically indistinguishable.

  26. Concurrent soundness? To prove concurrent soundness the secret must be used already in the first message, and this is still the case: 1-πP uses SK_ID. The proof goes by witness extraction: P* convinces V_ID only if it knows the witness OR the permanent secret SK_ID OR the temporary secret key SK_temp (used only in the last prover message). Concurrent executions? A man-in-the-middle P* may run πtemp with V_ID under PK_temp in one session and under PK'_temp in another; the key point is that the temporary keys used in concurrent sessions are independent.

  27. Actual implementation. PK_ID = (f(x0), f(x1)), SK_ID = (x0, x1). PK_temp = (pk0, pk1), SK_temp = (trap0, trap1).
  • V_ID → P: pk0, pk1, Σ1.
  • P → V_ID: C = com(x_b), TC = TCom(pk0, pk1, Σ1), Σ2.
  • V_ID → P: Σ3, Σ2.
  • P → V_ID: Σ3, and open TCom as Σ1.
  (The Σ1, Σ2, Σ3 messages belong to the different Σ-protocols implementing πV, πtemp and πP.)
  V_ID accepts if: Σ1 is the valid opening of TC AND (Σ1, Σ2, Σ3) is accepting. (Σ1, Σ2, Σ3) is accepting iff C is the commitment of x_b OR P knows the witness.
  • πV, πtemp, πP are implemented with Σ-protocols.
  • TCom is a two-round trapdoor commitment scheme.
  • f is a OWP.

  28. thanks
