On Round-Optimal Zero Knowledge in the Bare Public Key Model Alessandra Scafuro and Ivan Visconti University of Salerno ITALY


Post on 22-Feb-2016

29 views

Category:

Documents


0 download

DESCRIPTION

On Round-Optimal Zero Knowledge in the Bare Public Key Model . Alessandra Scafuro and Ivan Visconti University of Salerno ITALY. FOCUS: Round-Optimal (4 rounds) concurrent and resettable Zero Knowledge in the Bare Public Key Model. have already been achieved:. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: On Round-Optimal  Zero  Knowledge  in  the Bare  Public Key  Model

On Round-Optimal Zero Knowledge in the Bare Public Key Model

Alessandra Scafuro and Ivan Visconti, University of Salerno, ITALY

Page 2

FOCUS: Round-Optimal (4 rounds) concurrent and resettable Zero Knowledge in the Bare Public Key Model have already been achieved:

Round-optimal Concurrent ZK (standard assumptions):
• [Z03] only sequential soundness
• [DV05] concurrent soundness
• [V06] efficiently
• [D09] minimal assumptions
• [YZ10] sophisticated notion of argument of knowledge

Round-optimal Resettable ZK (complexity leveraging):
• [MR01] only sequential soundness
• [DPV04] concurrent soundness
• [YZ07] under generic assumptions

What do we do in this paper?

Page 3: On Round-Optimal  Zero  Knowledge  in  the Bare  Public Key  Model

Our ContributionPoint-out a subtle issue in the zero knowledge proof of all round-

optimal (concurrent and resettable) protocols.

Protocol’s structure of almost all round-optimal protocols makes problematic the design of any simulator.

New round-optimal concurrent ZK with concurrent soundness and standard assumptions.

Exceptions: could admit alternative simulators:- Resettable ZK of [YZ07]: uses complexity leveraging.- Concurrent ZK of [Z03]: only sequential soundness.

Alternative proof?

• The same protocol admits efficient implementation.• Round-optimal resettable ZK (similar to [YZ07]), with a new proof.

Page 4

Outline
• Definitions
  - Concurrent Zero Knowledge
  - Bare Public Key (BPK) Model
  - Concurrent Zero Knowledge and Soundness in the BPK model
• Round-optimal Concurrent Zero Knowledge:
  - the issue of all zero-knowledge simulators
  - the difficulty of designing any alternative simulator
• Our technique

Page 5

Zero Knowledge Interactive Proofs (standard model)

[Figure: prover P, holding (x, w) ∈ R_L, interacts with verifier V on common input x ∈ L.]

Soundness: if the theorem is false, no P* can convince V.

Completeness: if both P and V are honest, V accepts the proof.

Zero Knowledge (intuition): any V* learns nothing but the fact that the theorem is true.

Page 6

Zero Knowledge (stand-alone)

[Figure: on the left, the real interaction between P (holding x and the witness) and V*, with the coins of V* and its output; on the right, Sim on input x ∈ L alone, rewinding V*, with the same coins of V* and its output.]

Stand-alone: V* opens a single session.

Black-box Sim: rewinds V*.

V* does not learn anything?

Page 7: On Round-Optimal  Zero  Knowledge  in  the Bare  Public Key  Model

Concurrent Zero KnowledgeMore realistic setting: V* can open many sessions concurrently.

P V*Session 1

Session 2 V*Session 3 V*

V*Session 4

Upon seeing a new msg, V* adaptively plays new sessions

Page 8

Constant-round concurrent black-box Zero Knowledge (cZK) in the standard model is impossible [CKPR01].

Achieving black-box constant-round cZK requires setup assumptions.

Page 9

Bare Public Key Model

Introduced in STOC 2000 by Canetti, Goldreich, Goldwasser, Micali. Assumption: each verifier must be associated with a permanent public key, registered before any proof starts.

[Figure: Registration Phase: verifiers V_ID1 (SK1), ..., V_IDi (SKi) register PK_ID1, ..., PK_IDi in a public file. Proof Phase: P interacts with V* instances, each claiming an identity (IDi, IDk) that P checks against the public file.]

Registration Phase:
• Non-interactive
• Fully controlled by V*
• No trusted party involved

Proof Phase:
• V* can still open an unbounded (poly) number of sessions.
• V* has full control of the schedule.
• Restriction: V* cannot play with an identity not in the public file.

Page 10

Achieving constant-round concurrent ZK in the BPK model

[Figure: P, holding x ∈ L and (x, w) ∈ R_L, interacts with V_ID, which holds SK_ID and PK_ID. V_ID runs a three-round sub-protocol πV (messages 1-πV, 2-πV, 3-πV) and P runs a three-round sub-protocol πP (messages 1-πP, 2-πP, 3-πP).]

V_ID uses its secret SK_ID in 3-πV (extractable through rewinds).

P convinces V_ID if
1) it knows the witness, OR
2) it knows SK_ID ("is able to compute something computable only with knowledge of SK_ID").

Concurrent Zero Knowledge Sim:
• gets SK_ID by rewinding πV
• runs πP in straight-line using SK_ID
• once SK_ID is extracted, all sessions played with V_ID are run in straight-line
• poly: the number of extractions is bounded by the number of identities.

Page 11

Concurrent Soundness in the BPK model

[Figure: P* interacts with V_ID, which holds SK_ID and PK_ID; messages 1-πV, 2-πV, 3-πV and 1-πP, 2-πP, 3-πP.]

Proving concurrent soundness: rule out the MiM attack.

[Figure: concurrent executions in which a MiM relays 1-πV, 2-πV, 3-πV of V_ID (holding SK_ID) and plays 1-πP(SK_ID).]

IDEA: if known, the secret SK_ID should be used already in the first msg 1-πP.

Concurrent Zero Knowledge is still preserved: Sim extracts the secret before having to play the first msg 1-πP.

P convinces V_ID if 1) it knows the witness OR 2) it knows SK_ID.

Page 12

Concurrent Zero Knowledge and Soundness

[Figure: P, holding (PK_ID, w), and V_ID, holding SK_ID. The messages 1-πV, 2-πV, 3-πV of V_ID's sub-protocol are followed by (SK_ID) 1-πP, 2-πP, 3-πP from P.]

Page 13

Outline
• Definitions
  - Concurrent Zero Knowledge
  - Bare Public Key (BPK) Model
  - Concurrent Zero Knowledge and Soundness in the BPK model
• Round-optimal Concurrent Zero Knowledge:
  - the issue of all zero-knowledge simulators
  - the difficulty of designing any alternative simulator
• Our technique

Page 14

Round-Optimal (4 rounds) Concurrent Zero Knowledge and Soundness

[Figure: P, holding (PK_ID, w), and V_ID, holding SK_ID. The two sub-protocols 1-πV, 2-πV, 3-πV and (SK_ID) 1-πP, 2-πP, 3-πP are compressed into 4 rounds, so that (SK_ID) 1-πP is sent before 3-πV.]

Sim has to play the msg that depends on SK_ID without knowing it yet. The secret is used before V_ID completes its protocol.

Concurrent Simulator?

Page 15

Concurrent Simulator in Literature

[Figure: Sim against V*_ID; messages 1-πV, 2-πV, "bad" 1-πP, 3-πV, 2-πP.]

Simulation in phases. When playing with an "unresolved" identity:
1) Play a "bad" first message ("bad" 1-πP).
2) Extract the secret needed to solve the session.
3) Start the simulation from scratch (a new phase) with knowledge of one more secret SK_ID.

Number of phases = number of identities (poly).

All (published) simulators follow this strategy.

Our contribution: such a simulation approach leads to a distinguishable distribution.

Page 16

A dummy attack (P vs. V*)

[Figure: V*'s schedule. Session 2 and Session 1 are interleaved; in each session P plays (SK_ID) 1-πP, 2-πP, 3-πP and V* plays 1-πV, 2-πV, 3-πV.]

Page 17

A dummy attack (P vs. V*)

[Figure: the same interleaved schedule of Session 2 and Session 1.]

V* Strategy: V* aborts Session 1 with prob. 1/2; V* aborts Session 2 with prob. 1/2 (taken over the transcript seen so far).

Page 18

A dummy attack (P vs. V*)

[Figure: the schedule up to 2-πV and (SK_ID) 1-πP in both sessions.]

V* Strategy: V* aborts Session 1 with prob. 1/2; V* aborts Session 2 with prob. 1/2 (taken over the transcript seen so far).

Prob. Abort in Real Game:
Pr[Abort S1] x Pr[Abort S2] = 1/2 x 1/2 = 1/4

Page 19

A dummy attack (Sim vs. V*)

[Figure: the same schedule; Session 1 continues with 2-πP and 3-πV, at which point Sim 1) extracts the secret to solve Session 1.]

V* Strategy: V* aborts Session 1 with prob. 1/2; V* aborts Session 2 with prob. 1/2 (taken over the transcript seen so far).

Prob. Abort in Real Game:
Pr[Abort S1] x Pr[Abort S2] = 1/2 x 1/2 = 1/4

Prob. Abort in Simulation:
Case 1. Pr[Abort S1] x Pr[Abort S2] = 1/2 x 1/2 = 1/4
Case 2. Pr[Abort S2] x Pr[NOT Abort S1]

Page 20

A dummy attack (Sim vs. V*)

[Figure: after the extraction, Sim 2) starts the simulation from scratch with knowledge of the secret: Session 1 is replayed with a fresh 1-πP.]

V* Strategy: V* aborts Session 1 with prob. 1/2; V* aborts Session 2 with prob. 1/2 (taken over the transcript seen so far).

Prob. Abort in Real Game:
Pr[Abort S1] x Pr[Abort S2] = 1/2 x 1/2 = 1/4

Prob. Abort in Simulation:
Case 1. Pr[Abort S1] x Pr[Abort S2] = 1/2 x 1/2 = 1/4
Case 2. Pr[Abort S2] x Pr[NOT Abort S1] x Pr[Case 1] = 1/2 x 1/2 x 1/4 = 1/16

Sim outputs two aborts with probability at least Case 1 + Case 2 > Real Game: the transcript changes.
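To make the abort calculation of the dummy attack concrete, here is an added toy model (not code from the slides or the paper) that enumerates V*'s coins exactly and compares the real game, the simulation in phases, and a simulator that keeps its main thread unchanged. It assumes that V*'s abort decision is an independent coin per session and per kind of first message (a "bad" and a "good" 1-πP are different transcripts), that extraction by rewinding always succeeds, and that the phased simulator restarts whenever any session completes.

```python
"""Toy model of the dummy attack: V* opens two concurrent sessions and
aborts each with probability 1/2, the coin depending on the transcript."""
from fractions import Fraction
from itertools import product

SESSIONS = (1, 2)
GOOD, BAD = "good", "bad"   # kind of the prover's first message 1-piP

def all_tapes():
    """V*'s random tape: one abort bit per (session, first-message kind).
    A 'bad' and a 'good' 1-piP are different transcripts, so the two
    coins are independent (assumption of this constructed model)."""
    keys = [(s, k) for s in SESSIONS for k in (GOOD, BAD)]
    for bits in product((False, True), repeat=len(keys)):
        yield dict(zip(keys, bits))

def real_game(tape):
    """Honest P knows the witness, so every session gets a 'good' 1-piP."""
    return tuple(tape[(s, GOOD)] for s in SESSIONS)

def sim_in_phases(tape):
    """Phase 1: identity unresolved, so Sim plays a 'bad' 1-piP everywhere.
    Case 1: both sessions abort and the phase-1 transcript is the output.
    Otherwise a session completes, Sim extracts SK_ID (rewinding; assumed
    to always succeed) and restarts from scratch with 'good' messages."""
    phase1 = tuple(tape[(s, BAD)] for s in SESSIONS)
    if all(phase1):
        return phase1
    return tuple(tape[(s, GOOD)] for s in SESSIONS)

def two_mode_sim(tape):
    """Main thread plays the same 1-piP as honest P; extraction happens on
    rewound threads that never replace the main thread (page 25 idea)."""
    return tuple(tape[(s, GOOD)] for s in SESSIONS)

def prob_two_aborts(strategy):
    """Exact probability, over V*'s tape, that the output shows two aborts."""
    tapes = list(all_tapes())
    hits = sum(1 for t in tapes if all(strategy(t)))
    return Fraction(hits, len(tapes))

CASE1 = Fraction(1, 2) * Fraction(1, 2)           # both abort in phase 1
CASE2 = Fraction(1, 2) * Fraction(1, 2) * CASE1   # S2 aborts, S1 not, restart

if __name__ == "__main__":
    print("real game    :", prob_two_aborts(real_game))      # 1/4
    print("sim in phases:", prob_two_aborts(sim_in_phases))  # 7/16
    print("two-mode sim :", prob_two_aborts(two_mode_sim))   # 1/4
    print("slides' bound:", CASE1 + CASE2)                    # 5/16
```

The slides add up only Case 1 and Case 2, which gives the lower bound 5/16; the model restarts whenever a session completes and so reaches 7/16, while the main-thread-preserving simulator matches the real game's 1/4 exactly.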

Page 21

Alternative Simulation Strategies?

Simulation in phases yields a distinguishable output.

• Trivially, there exists a simulator for the dummy V* seen so far.
• What about a more sophisticated V* that aborts with different probability in different sessions...?

Page 22

The problem: the protocol structure of round-optimal protocols

[Figure: P and V_ID; (SK_ID) 1-πP, 1-πV, 2-πV, 2-πP, 3-πP, 3-πV, with P's "bad" first msg and "good" first msg highlighted.]

• In order to "solve" a session (played with a new identity) Sim has to change the view of the verifier (first play a bad msg, then a good msg).
• Changing the view of V* skews the output distribution.

Designing a successful simulation strategy seems problematic.

Remark: protocols that do not follow this structure could admit alternative strategies:
• resZK [YZ07]: complexity leveraging.
• cZK [Z03]: only sequential soundness.

Page 23

Outline
• Definitions
  - Concurrent Zero Knowledge
  - Bare Public Key (BPK) Model
  - Concurrent Zero Knowledge and Soundness in the BPK model
• Round-optimal Concurrent Zero Knowledge:
  - the issue of all zero-knowledge simulators
  - the difficulty of designing any alternative simulator
• Our technique

Page 24

Our round-optimal concurrent ZK

[Figure: P, holding (PK_ID, w), and V_ID, holding the "permanent secret SK_ID". P picks (PK_temp, SK_temp) randomly and sends PK_temp. Three sub-protocols run in 4 rounds: πV (1-πV, 2-πV, 3-πV), πtemp (1-πtemp, 2-πtemp, 3-πtemp) and πP ((SK_ID) 1-πP, 2-πP, 3-πP).]

V_ID is accepting if P knows either:
- the witness, OR
- the permanent secret SK_ID (used already in the first round), OR
- the temporary secret key SK_temp (used only in the third round).

KEY IDEA: the temporary secret key SK_temp is used only in the last msg 3-πP (only after the extraction). Make SK_temp extractable through rewinds.

Page 25

The simulator

[Figure: Sim in P's role against V_ID ("permanent secret SK_ID"): PK_temp, 1-πV, 2-πV, 3-πV, 1-πtemp, 2-πtemp, 3-πtemp, (sec) 1-πP, 2-πP, 3-πP.]

Two-mode simulation (allows to keep the main thread unchanged):
• to solve a session initiated by an unknown identity, Sim extracts both the permanent SK_ID and the temporary key SK_temp, and computes the last msg using SK_temp;
• to solve a session initiated by a known identity, Sim runs in straight-line, computing 3-πP using the permanent secret SK_ID;
• the view of V* in the two modes must be statistically indistinguishable.

Page 26

Concurrent soundness?

[Figure: P* against V_ID (holding SK_ID): PK_temp, 1-πV, 2-πV, 3-πV, 1-πtemp, 2-πtemp, 3-πtemp, (SK_ID) 1-πP, 2-πP, 3-πP. A second, concurrent execution with V_ID uses a different temporary key PK'_temp with its own 1-πtemp, 2-πtemp, 3-πtemp.]

Proof by witness extraction. P proves knowledge of:
- the witness, OR
- the permanent secret SK_ID, OR
- the temporary secret key SK_temp (used only in the third round).

To prove concurrent soundness the secret must be used already in the first msg.

Concurrent executions? Key point: the temporary keys used in concurrent sessions are independent.

Page 27

Actual implementation

[Figure: P and V_ID. V_ID holds PK_ID = f(x0), f(x1) and SK_ID = x0, x1. Messages: C = com(x_b); pk0, pk1; TC = TCom(pk0, pk1, Σ1); the Sigma-protocol messages Σ1, Σ2, Σ3 of each sub-protocol, with TC opened as Σ1.]

• πV, πtemp, πP are implemented with Sigma Protocols.
• TCom is a two-round trapdoor commitment scheme.
• f is a OWP.
• PK_temp = pk0, pk1; SK_temp = trap0, trap1.

(Σ1, Σ2, Σ3) is accepting iff: Σ1 is the valid opening of TC AND (Σ1, Σ2, Σ3) is accepting.

V_ID accepts if:
• C is the commitment of x_b, OR
• P knows the witness.

Page 28

Thanks