generic and practical resettable zero- knowledge in the bare public-key model moti yung rsa...
TRANSCRIPT
Generic and Practical Resettable Zero-Knowledge in the Bare Public-Key Model
Moti Yung
RSA Laboratories and CS Dept. of Columbia University
Yunlei Zhao
Software School, Fudan University, Shanghai, P. R. China
1. Resettable Zero-Knowledge RZK
RZK is introduced by Canetti, Goldreich, Goldwasser and Micali (STOC 2000).
Motivated by implementing ZK provers using smart-cards or other devices that may be (maliciously) reset to their initial conditions and/or cannot afford to generate fresh randomness for each new invocation.
A generalization and strengthening of CZK intruduced by Dwork, Naor and Sahai [DNS98] .
2. The Bare Public-Key (BPK) Model
No constant-round (black-box) RZK/CZK protocols in the standard model [CKPR01].
To get constant-round RZK/CZK protocols, several computational models have been introduced: the timing model, the preprocessing model, the common reference string model, and the BPK model, etc.
The BPK model [CGGM00]
A protocol in BPK model simply assumes that all verifiers have deposited a public key in a public file before any interaction takes place among the users
The BPK model also allows dynamic key registrations.
No assumption is made on whether the public-keys deposited are unique or ``nonsensical" or ``bad" public-keys (e.g., for which no corresponding secret-keys exist or are known).Note that an adversary may deposit many (possibly invalid or fake) public keys without any guarantee on the validities of the registered public-keys.
That is, no trusted third party is assumed in the BPK model; the preprocessing is reduced to verifiers minimally register a public-key in a public file; and the communication network is assumed to be adversarially asynchronous;Weaker than PKI, where authentic association of user ID and its public-key is added.
3. Concurrent Verifier-Security in the Public-Key Model
Verifier security in public-key models turns out to be much more complicated and subtler than that of the standard model.
In public-key model, a verifier V possesses a secret key SK, corresponding to its public-key PK. A malicious prover P* could potentially gain some knowledge about SK from a session with the verifier. This extra gained knowledge may help this prover: Violate concurrent soundness: i.e., convincing the veri
fier of a false theorem in another concurrent session; Or: violate concurrent knowledge extractability: i.e., co
nvincing the honest verifier of a true statement in another concurrent session but without knowing corresponding witness.
Malicious Prover
Verifier (PK)
Verifier (PK)
Verifier (PK)
Four notions of soundness in the public-key model, i.e., from weaker to stronger: one-time, sequential, concurrent and resettable soundness. Concurrent soundness (CS): a malicious prover P* cannot convince the honest verifier V of a false statement even when P* is allowed multiple interleaving interactions with V in the public-key model. Concurrent knowledge-extractability (CKE): a malicious P* can convince the honest V of a statement only if it knows the corresponding witness
Some facts about concurrent verifier security in the public-key model
Any (resettable or not) black-box ZK protocols with concurrent soundness in the BPK model (for non-trivial languages) must run at least four rounds [MR01].Any (whether resettable or not) black-box ZK arguments with resettable soundness only exist for trivial (i.e, BPP) languages (whether in the BPK model or not) [BGGL01,MR01].Concurrent knowledge-extractability is (strictly) stronger than concurrent soundness.
4. Related Works and Our Contributions
Constant-round (black-box) RZK-CS argument for NP was first established by Di Crescenzo, Persiano and Visconti [Crypto 2000] Round-optimal Based on NIZK for NP and a special form of sub-exponentially se
cure PKE (e.g., the sub-exponentially secure version of the ElGamal scheme that is based on the sub-exponentially strong DDH assumption), etc.
The security analysis seems to be not extended to the case of CKE (CKE is not the issue considered in [DPV00] )
Problems left in [DPV00]: Can constant-round (in particular, round-optimal) RZK-CS can be
based on general hardness assumption? Can RZK-CKE be provably achieved? Can RZK-CS/CKE be implemented practically, say, with a very s
mall constant number of exponentiations?
The first constant-round RZK-CS protocol in the BPK model [DPV00]
This work
Constant-round (7-round) RZK-CS argument for NP in the BPK model based on any sub-exponentially-strong OWF.Round-optimal (i.e., 4-round) RZK-CS based on any certified OWP. One-round trapdoor commitments
Generic yet practical transformation for achieving 5-round RZK-CS arugments: Applicable to all languages admitting ∑-protocol Without going through NP-reduction, and can be imple
mented with several exponentiations Satisfy a reasonable (weak) black-box concurrent knowledge-extractibility.
5. The General RZK Construction Based on Any Subexponentially-Strong OWF
Common input xL.
Let fP be any (standard polynomial secure) OWF, and fV be any sub-exponentially secure OWFs. The public-key of the honest verifier V is: PK=fV(xV).
Let y0P=fP(x0
P) and y1P=fP(x1
P). The pair (y0P,
y1P) is then fixed for P.
xL
P(w)
PK
V(xV)Phase-1: RWI(y0
P y1P)
Phase-2: (Resettably-sound) WIPOK(y0
P y1P PK)
Phase-3: RWI(x PK)
The rough protocol structure
Complexity leveraging
The system parameter is N, the prover uses a relatively smaller parameter n (still polynomially related to N), such that:
Breaking fP by brute-forth in 2n-time does not compromise the security fV (i.e., PK) that is sub-exponentially secure in N, specifically, secure againt -time algorithm.
nN npolyc
2)(2
Two types of OWF-based constant-round rWI argument for NP
The CGGM transformation from Blum’s WI proof for NP to RWI proof for NP The verifier is required to first commit its random challenge on the
top by running a perfectly-hiding commitment scheme Randomness of prover is got by applying PRF on the transcript.
Phase-1 RWI arguments for NP: The challenge is committed with Naor’s OWF-based statistically-
binding and sub-exponentially hiding commitments, which can be implemented from any sub-exponentially strong OWF
Phase-3 RWI for NP: The challenge is committed with a OWF-based trapdoor commitm
ent scheme (by combining Naor’s OWF-based commitment scheme and Feige-Shamir trapdoor commitments), such that the binding property can be broken in 2n-time.
The dual role of Phase-1 RWI argument in
RZK proof and in CS/CKE proof
To deal with the subtlety with extracting xV in RZK simulation: We want to argue that Phase-2 WIPOK(y0
P y1P PK) is actually PO
K of the secret-key xV . But, Phase-2 begins after V* resettingly interacting with instances of P in Phase-1 RWI on fixed (y0
P y1P). In gener
al , in this case, normal POK and even CS do not guarantee concurrent knowledge-extractability of xV .
By statistically-binding of Naor’s commitments, reduce resetting interactions of V* with honest P in Phase-1 into concurrent interactions, which guarantees witness-hiding of (x0
P, x1P) and in turn guarantees of P
OK of xV of Phase-2.To guarantee preimage-verifiability of (y0
P y1P) in CS/CKE proof , followi
ng the simulation/extraction approach: Honest verifier always continues its interactions after successful Phas
e-1 RWI even on false (y0P y1
P) , i.e., no preimage of either y0P or y1
P exists, but the sub-exponential-time CS/CKE simulator always aborts by brute-force searching in this case.
But, using statistically-binding commitments in Phase-1 RWI makes the proof of concurrent soundness complicated and subtle.
Idea: reduce to sub-exponentially hiding of Naor’s commitments based on sub-exponentially strong OWF.
The role of Phase-3 RWI
On one hand, it is used for establishing RZK (the RZK simulator uses xV as the Phase-3 witness in simulation);
On the other hand, committing random challenge with trapdoor commitments (that can be broken within 2n-time) enables the simulation/extraction approach for proving (weak) CKE
6. Simplified, Practical, and Round-Optimal Implementations
An Observation
Recall that the Phase-1 RWI argument on (y0P , y1
P) plays a dual role: one-waynessness in RZK proof; and preimage-verifiability of either y0
P or y1P in CS/
CKE proof.Suppose fP is preimage-verfiable, then Phase-1 RWI can be removed, and the prover only needs to send a unique value yP=f(xP) on the top. This renders us 5-round simplified implementationPreimage-verifiable OWF is a quite weak hardness assumption.
Generic yet Practical Transformation
Building tools: ∑-protocol and ∑OR-protocol (WI without NP-reduction) Naor-Reingold practical PRF: needs only 2 exponentiations and ca
n be reduced to only 2 multiple products modulo a prime (without any exponentiaitions!) with natural preprocessing.
Preimage-verifiable OWFs admitting ∑-protocol, from which perfectly-hiding trapdoor commitments can be established (Damgard Crypto’89)
With all above tools, the preimage-verfiable OWF-based simplified implementation can be further converted into generic yet practical implementation for any language admitting ∑-protocols without NP-reductions.With RSA and DLP as examples, the implementations only need several modular exponentiations.
Round-Optimal Implementation.
In the 5-round simplified implementation, the unique value yP=f(xP), sent by P on the top, is used by the verifier V in two ways: It serves as a part of the inputs to the Phase-2 (resettably-sound) W
IPOK proof on (yP, yV); It serves the trapdoor commitment public-key (TCPK) for the verif
ier to make trapdoor commitments in the second round.
We want to merge yP into the third-round message from P to V. To this end, we need: Lapidot-Shamir WI for NP A special kind of trapdoor commitment scheme: commitment pha
se is non-interactive without knowing TCPK, which is only sent in the decommitment phase.
OWP-Based One-round TC
One-round commitment stage: To commit to 0, the committer P sends an n-by-n adjacency matrix of (O
WP-based one-round perfectly-binding) commitments with each entry committing to 0.
To commit to 1, the committer sends an n-by-n adjacency matrix of commitments such that the entries committing to 1 constitute a randomly n-cycle C.
Two-round decommitment stage: The receiver V sends a Hamiltonian graph G=(V, E) with size n=|V| to P. To decommit to 0, P sends a random permutation , and for each non-edg
e of G , (i, j) E, P reveals the value (that is 0) committed to the ( (i), (j))-entry of the adjacency matrix sent in the commitment stage (and V checks all revealed values are 0 and the unrevealed entries constitute a graph that is isomorphic to G via ).
To decommit to 1, P only reveals the committed cycle (and the receiver checks that all revealed values are 1 and the revealed entries constitute an n-cycle).
7. Weak Concurrent Knowledge-Extractability
Black-box sub-exponential-time CKE: for any x, suppoe P* can convince of ``xL” with non-negligible probability, with almost the same probability a black-box poly(n)2n-time extractor can extract a witness w for xLSuppose L is -hard, 0<c<1, then this means that P* does know the witness w (rather than only convincing NP-membership)Still reasonable Super-polynomial-time knowledge-extraction is intrinsic for black-box RZK Most practical OWFs are essentially sub-exponentially hard. Allow highly practical implementation, which are within reach for coming sm
art-card environment Highly practical efficiency and the CKE property are important for RZK to be
used as smart-card based Identification, which is the original motivation of RZK
nN npolyc
2)(2
Thanks
Agenda
1. Resettable zero-knowledge (RZK)2. The bare public-key (BPK) model3. Concurrent verifier security in the public-key
model4. Related works and our contributions5. The general RZK construction based on any sub-
exponentially secure OWF6. Simplified, practical, and round-optimal variants7. On the weak concurrent knowledge-
extractability