2006
We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model without allowing a common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol Π such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of Π, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier. Our security model is the traditional model for concurrent zero knowledge, where the statements to be proven by the honest provers are fixed in advance and do not depend on the previous history (but can be correlated with each other); corrupted provers, of course, can choose the statements adaptively. We also prove that there exists some functionality F (a combination of zero knowledge and oblivious transfer) such that it is impossible to obtain a concurrent non-malleable protocol for F in this model. Previous impossibility results for composable protocols ruled out existence of protocols for a wider class of functionalities (including zero knowledge!) but only if these protocols were required to remain secure when executed concurrently with arbitrarily chosen different protocols (Lindell, FOCS 2003) or if these protocols were required to remain secure when the honest parties' inputs in each execution are chosen adaptively based on the results of previous executions (Lindell, TCC 2004). We obtain an Õ(n)-round protocol under the assumption that one-to-one one-way functions exist. This can be improved to Õ(k log n) rounds under the assumption that there exist k-round statistically hiding commitment schemes. Our protocol is a black-box zero knowledge protocol.
SIAM Journal on Computing, 2009
A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation R(x, w), which makes only a black-box use of any secure protocol for a related multiparty functionality f. The latter protocol is required only to be secure against a small number of "honest but curious" players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming that one-way functions exist, we get the following types of zero-knowledge proof protocols: (1) Approaching the witness length. If C has constant depth over ∧, ∨, ⊕, ¬ gates of unbounded fan-in, we get a zero-knowledge proof protocol with communication complexity m • poly(k) • polylog(s), where k is a security parameter. (2) "Constant-rate" zero-knowledge. For an arbitrary circuit C of size s and a bounded fan-in, we get a zero-knowledge protocol with communication complexity O(s) + poly(k, log s). Thus, for large circuits, the ratio between the communication complexity and the circuit size approaches a constant. This improves over the O(ks) complexity of the best previous protocols.
1999
Concurrent Zero-Knowledge protocols remain zero-knowledge even when many sessions of them are executed together. These protocols have applications in a distributed setting, where many executions of the same protocol must take place at the same time by many parties, such as the Internet. In this paper, we are concerned with the number of rounds of interaction needed for such protocols and their efficiency. Here, we show an efficient constant-round concurrent zero-knowledge protocol with preprocessing for all languages in NP, where both the preprocessing phase and the proof phase each require 3 rounds of interaction. We make no timing assumptions or assumptions on the knowledge of the number of parties in the system. Moreover, we allow arbitrary interleavings in both the preprocessing and in the proof phase. Our techniques apply to both zero-knowledge proof systems and zero-knowledge arguments, and we show how to extend our technique so that a polynomial number of zero-knowledge proofs/arguments can be executed after the preprocessing phase is done.
Journal of Cryptology, 2005
Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper, we show a novel technique to convert a large class of existing honest-verifier zero-knowledge protocols into ones with these stronger properties in the common reference string model. More precisely, our technique utilizes a signature scheme existentially unforgeable against adaptive chosen-message attacks, and transforms any Σ-protocol (which is honest-verifier zero-knowledge) into an unbounded simulation sound concurrent zero-knowledge protocol. We also introduce Ω-protocols, a variant of Σ-protocols for which our technique further achieves the properties of non-malleability and/or universal composability. In addition to its conceptual simplicity, a main advantage of this new technique over previous ones is that it avoids the Cook-Levin theorem, which tends to be rather inefficient. Indeed, our technique allows for very efficient instantiation based on the security of some efficient signature schemes and standard number-theoretic assumptions. For instance, one instantiation of our technique yields a universally composable zero-knowledge protocol under the Strong RSA assumption, incurring an overhead of a small constant number of exponentiations, plus the generation of two signatures.
Lecture Notes in Computer Science, 2014
The notion of Zero Knowledge introduced by Goldwasser, Micali and Rackoff in STOC 1985 is fundamental in Cryptography. Motivated by conceptual and practical reasons, this notion has been explored under stronger definitions. We will consider the following two main strengthened notions. Statistical Zero Knowledge: here the zero-knowledge property will last forever, even in case in the future the adversary has unlimited power. Concurrent Non-Malleable Zero Knowledge: here the zero-knowledge property is combined with non-transferability, and the adversary fails in mounting a concurrent man-in-the-middle attack aiming at transferring zero-knowledge proofs/arguments. Besides the well-known importance of both notions, it is still unknown whether one can design a zero-knowledge protocol that satisfies both notions simultaneously. In this work we shed light on this question in a very strong sense. We show a statistical concurrent non-malleable zero-knowledge argument system for NP with a black-box simulator-extractor.
This paper deals with efficient non-malleable zero-knowledge proofs for NP, based on general assumptions. We construct a simulation-sound zero-knowledge (ZK) protocol for NP, based only on the black-box use of one-way functions. Constructing such a proof system has been an open question ever since the original work of Dolev, Dwork, and Naor [DDN91]. In addition to the feasibility result, our protocol has a constant number of rounds, which is asymptotically optimal.
Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98, 1998
Concurrent executions of a zero-knowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zero-knowledge in toto; for example, in the case of zero-knowledge interactive proofs or arguments, the interactions remain proofs but may fail to remain zero-knowledge. This paper addresses the problem of achieving concurrent zero-knowledge. We introduce timing in order to obtain zero-knowledge in concurrent executions. We assume that the adversary is constrained in its control over processors' clocks by what we call an (α,β)-constraint for some α < β: for any two processors P1 and P2, if P1 measures α elapsed time on its local clock and P2 measures β elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We obtain four-round almost concurrent zero-knowledge interactive proofs and perfect concurrent zero-knowledge arguments for every language in NP. We also address the more specific problem of Deniable Authentication, for which we propose efficient solutions.
Lecture Notes in Computer Science, 2014
In this work, we consider the long-standing open question of constructing constant-round concurrent zero-knowledge protocols in the plain model. Resolving this question is known to require non-black-box techniques. We consider non-black-box techniques for zero-knowledge based on knowledge assumptions, a line of thinking initiated by the work of Hada and Tanaka (CRYPTO 1998). Prior to our work, it was not known whether knowledge assumptions could be used for achieving security in the concurrent setting, due to a number of significant limitations that we discuss here. Nevertheless, we obtain the following results: 1. We obtain the first constant-round concurrent zero-knowledge argument for NP in the plain model based on a new variant of the knowledge of exponent assumption. Furthermore, our construction avoids the inefficiency inherent in previous non-black-box techniques such as those of Barak (FOCS 2001); we obtain our result through an efficient protocol compiler. 2. Unlike Hada and Tanaka, we do not require a knowledge assumption to argue the soundness of our protocol. Instead, we use a discrete-log-like assumption, which we call the Diffie-Hellman Logarithm Assumption, to prove the soundness of our protocol. 3. We give evidence that our new variant of the knowledge of exponent assumption is in fact plausible. In particular, we show that our assumption holds in the generic group model. 4. Knowledge assumptions are especially delicate assumptions whose plausibility may be hard to gauge. We give a novel framework to express knowledge assumptions in a more flexible way, which may allow for formulation of plausible assumptions and exploration of their impact and application in cryptography.
Lecture Notes in Computer Science, 2001
Non-Interactive Zero Knowledge (NIZK), introduced by Blum, , is a fundamental cryptographic primitive which has attracted considerable attention in the last decade and has been used throughout modern cryptography in several essential ways. For example, NIZK plays a central role in building provably secure public-key cryptosystems based on general complexity-theoretic assumptions that achieve security against chosen ciphertext attacks. In essence, in a multi-party setting, given a fixed common random string of polynomial size which is visible to all parties, NIZK allows an arbitrary polynomial number of Provers to send messages to polynomially many Verifiers, where each message constitutes an NIZK proof for an arbitrary polynomial-size NP statement.
Theoretical Computer Science, 1991
Proceedings of the twenty-ninth annual ACM symposium on Theory of computing - STOC '97, 1997
We present a zero-knowledge proof system [19] for any NP language L, which allows showing that x ∈ L with error probability less than 2^{-k} using communication corresponding to O(|x|^c) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring. We also present a 4-move perfect zero-knowledge interactive argument for any NP language L. On input x ∈ L, the communication complexity is O(|x|^c) · max(k, l) bits, where l is the security parameter for the prover (see footnote 1). Again, the protocol can be based on any bit commitment scheme with a particular set of properties. We suggest efficient implementations based on discrete logarithms or factoring. We present an application of our techniques to multiparty computations, allowing for example t committed oblivious transfers with error probability 2^{-k} to be done simultaneously using O(t+k) commitments. Results for general computations follow from this. As a function of the security parameters, our protocols have the smallest known asymptotic communication complexity among general proofs or arguments for NP. Moreover, the constants involved are small enough for the protocols to be practical in a realistic situation: both protocols are based on a Boolean formula Φ containing and-, or- and not-operators which verifies an NP-witness of membership in L. Let n be the number of times this formula reads an input variable. Then the communication complexity of the protocols when using our concrete commitment schemes can be more precisely stated as at most 4n + k + 1 commitments for the interactive proof and at most 5nl + 5l bits for the argument (assuming k ≤ l). Thus, if we use k = n, the number of commitments required for the proof is linear in n. Both protocols are also proofs of knowledge of an NP-witness of membership in the language involved.
* Basic Research in Computer Science, Centre of the Danish National Research Foundation.
1 The meaning of l is that if the prover is unable to solve an instance of a hard problem of size l before the protocol is finished, he can cheat with probability at most 2^{-k}.
Lecture Notes in Computer Science, 1998
An interactive proof system (or argument) (P, V) is concurrent zero-knowledge if whenever the prover engages in polynomially many concurrent executions of (P, V), with (possibly distinct) colluding polynomial time bounded verifiers V_1, ..., V_poly(n), the entire undertaking is zero-knowledge. Dwork, Naor, and Sahai recently showed the existence of a large class of concurrent zero-knowledge arguments, including arguments for all of NP, under a reasonable assumption on the behavior of clocks of non-faulty processors. In this paper, we continue the study of concurrent zero-knowledge arguments. After observing that, without recourse to timing, the existence of a trusted center considerably simplifies the design and proof of many concurrent zero-knowledge arguments (again including arguments for all of NP), we design a preprocessing protocol, making use of timing, to simulate the trusted center for the purposes of achieving concurrent zero-knowledge. Once a particular prover and verifier have executed the preprocessing protocol, any polynomial number of subsequent executions of a rich class of protocols will be concurrent zero-knowledge.
1997
We fill a gap in the theory of zero-knowledge protocols by presenting NP-arguments that achieve negligible error probability and computational zero-knowledge in four rounds of interaction, assuming only the existence of a one-way function. This result is optimal in the sense that four rounds and a one-way function are each individually necessary to achieve a negligible error zero-knowledge argument for NP.
Proceedings of the thirty-ninth annual ACM symposium on Theory of computing - STOC '07, 2007
We present a general construction of a zero-knowledge proof for an NP relation R(x, w) which only makes a black-box use of a secure protocol for a related multi-party functionality f. The latter protocol is only required to be secure against a small number of "honest but curious" players. As an application, we can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge protocols. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming one-way functions exist, we get the following types of zero-knowledge proof protocols: • Approaching the witness length. If C has constant depth over ∧, ∨, ⊕, ¬ gates of unbounded fan-in, we get a zero-knowledge protocol with communication complexity m · poly(k) · polylog(s), where k is a security parameter. Such a protocol can be implemented in either the standard interactive model or, following a trusted setup, in a non-interactive model. • "Constant-rate" zero-knowledge. For an arbi-
* Work done in part while the authors were visiting IPAM.
Corr, 2006
We consider a type of zero-knowledge protocols that are of interest for their practical applications within networks like the Internet: efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we consider a model, which we call the Authenticated Public-Key (APK) model. The APK model seems to significantly reduce the setup assumptions made by the CRS model (as no trusted party or honest execution of a centralized algorithm is required), and can be seen as a slightly stronger variation of the Bare Public-Key (BPK) model from \cite{CGGM,MR}, and a weaker variation of the registered public-key model used in \cite{BCNP}. We then define and study man-in-the-middle attacks in the APK model. Our main result is a constant-round concurrent non-malleable zero-knowledge argument of knowledge for any polynomial-time relation (associated to a language in $\mathcal{NP}$), under the (minimal) assumption of the existence of a one-way function family. Furthermore, we show time-efficient instantiations of our protocol based on known number-theoretic assumptions. We also note a negative result with respect to further reducing the setup assumptions of our protocol to those in the (unauthenticated) BPK model, by showing that concurrently non-malleable zero-knowledge arguments of knowledge in the BPK model are only possible for trivial languages.
Public Key Cryptography, 2000
We initiate the investigation of the class of relations that admit extremely efficient perfect zero knowledge proofs of knowledge: constant number of rounds, communication linear in the length of the statement and the witness, and negligible knowledge error. In its most general incarnation, our result says that for relations that have a particular three-move honest-verifier zero-knowledge (HVZK) proof of knowledge, and which admit a particular three-move HVZK proof of knowledge for an associated commitment relation, perfect zero knowledge (against a general verifier) can be achieved essentially for free, even when proving statements on several instances combined under monotone function composition. In addition, perfect zero-knowledge is achieved with an optimal 4 moves. Instantiations of our main protocol lead to efficient perfect ZK proofs of knowledge of discrete logarithms and RSA-roots, or more generally, q-one-way group homomorphisms. None of our results rely on intractability assumptions.
Advances in Cryptology – CRYPTO 2011, 2011
In this paper, we initiate a study of zero knowledge proof systems in the presence of side-channel attacks. Specifically, we consider a setting where a cheating verifier is allowed to obtain arbitrary bounded leakage on the entire state (including the witness and the random coins) of the prover during the entire protocol execution. We formalize a meaningful definition of leakage-resilient zero knowledge (LR-ZK) proof system, that intuitively guarantees that the protocol does not yield anything beyond the validity of the statement and the leakage obtained by the verifier. We give a construction of LR-ZK interactive proof system based on standard general assumptions. To the best of our knowledge, this is the first instance of a cryptographic interactive protocol where the adversary is allowed to perform leakage attacks during the protocol execution on the entire state of the honest party (in contrast, prior work only considered leakage prior to the protocol execution, or very limited leakage during the protocol execution). Next, we give an LR-NIZK proof system based on standard number-theoretic assumptions. Finally, we demonstrate the usefulness of our notions by giving two concrete applications: - We initiate a new line of research to relax the assumption on the "tamper-proofness" of hardware tokens used in the design of various cryptographic protocols. In particular, we give a construction of a universally composable multiparty computation protocol in the leaky token model (where an adversary in possession of a token is allowed to obtain arbitrary bounded leakage on the entire state of the token) based on standard general assumptions. - Next, we give simple, generic constructions of fully leakage-resilient signatures in the bounded leakage model as well as the continual leakage model. Unlike the recent constructions of such schemes, we also obtain security in the "noisy leakage" model.
Science China Information Sciences, 2010
This paper considers the existence of constant-round zero-knowledge proofs of knowledge for NP under standard assumptions. By introducing a new interactive proof model, we construct a 3-round zero-knowledge proof of knowledge system for the NP-relation under the assumption that factoring is intractable. Our construction not only shows the existence of constant-round zero-knowledge proofs of knowledge, but also gives a positive answer to the open problem of the existence of 3-round zero-knowledge proofs for NP.
Keywords: zero-knowledge proof, proof of knowledge, constant-round, NP-relation
Li H D, Xu H X, Li B, et al. On constant-round zero-knowledge proofs of knowledge for NP-relations.
Lecture Notes in Computer Science
One of the central questions in Cryptography is the design of round-efficient protocols that are secure under concurrent man-in-the-middle attacks. In this paper we present the first constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model [Canetti et al. STOC 2000], resolving one of the major open problems in this area. To achieve our result, we introduce and study the notion of non-malleable witness indistinguishability, which is of independent interest. Previous results either achieved relaxed forms of concurrency/security or needed stronger setup assumptions or required a non-constant round complexity.
Proceedings of the forty-sixth annual ACM symposium on Theory of computing, 2014
Motivated by theoretical and practical interest, the challenging task of designing cryptographic protocols having only black-box access to primitives has generated various breakthroughs in the last decade. Despite such positive results, even though nowadays we know black-box constructions for secure two-party and multi-party computation even in constant rounds, there still are in Cryptography several constructions that critically require non-black-box use of primitives in order to securely realize some fundamental tasks. As such, the study of the gap between black-box and non-black-box constructions still includes major open questions. In this work we make progress towards filling the above gap. We consider the case of black-box constructions for computations requiring that even the size of the input of a player remains hidden. We show how to commit to a string of arbitrary size and to prove statements over the bits of the string. Both the commitment and the proof are succinct, hide the input size and use standard primitives in a black-box way. We achieve such a result by giving a black-box construction of an extendable Merkle tree that relies on a novel use of the "MPC in the head" paradigm of Ishai et al. [STOC 2007]. We show the power of our new techniques by giving the first black-box constant-round public-coin zero knowledge argument for NP. To achieve this result we use the non-black-box simulation technique introduced by Barak [FOCS 2001], the PCP of Proximity introduced by Ben-Sasson et al. [STOC 2004], together with a black-box public-coin witness indistinguishable universal argument that we construct along the way. Additionally we show the first black-box construction of a generalization of zero-knowledge sets introduced by Micali et al. [FOCS 2003]. The generalization that we propose is a strengthening that requires both the size of the set and the size of the elements of the set to remain private.