Concurrent Zero-Knowledge. Cynthia Dwork (IBM Almaden), Moni Naor (Weizmann), Amit Sahai (MIT)

Concurrent Zero-Knowledge

Jan 23, 2016

Transcript
Page 1: Concurrent Zero-Knowledge

Concurrent Zero-Knowledge

Cynthia Dwork (IBM Almaden)
Moni Naor (Weizmann)
Amit Sahai (MIT)

Page 2: Concurrent Zero-Knowledge

Zero-Knowledge on the Internet

Prover

Verifier 1

Verifier 2

Verifier 3

Verifier 4

Page 3: Concurrent Zero-Knowledge

Deniable Message Authentication

Monica L.

Linda Tripp

Bill

Page 4: Concurrent Zero-Knowledge

Outline

1. Zero Knowledge -- What goes wrong in the concurrent setting?

2. Timing -- Assumptions and Uses

3. Concurrent Zero-Knowledge for NP

4. Open Problems

Page 5: Concurrent Zero-Knowledge

Zero-Knowledge Paradigm [GMR85]

[Diagram: messages v1, p1, v2, ..., pk, then accept/reject]

When assertion is true, Verifier can simulate her view of the interaction on her own.

Formally, require that for every probabilistic poly-time Verifier, there is a probabilistic poly-time simulator such that, when the assertion is true, its output distribution is indistinguishable from Verifier’s view of its interaction with Prover.

We require the same to hold for every collection of polynomially many Verifiers, controlled by a probabilistic poly-time Adversary.

Page 6: Concurrent Zero-Knowledge

Protocol for NP: Graph 3-Colorability

1. Verifier: Commit to the edge to be queried
2. Prover: Commit to vertex colors
3. Verifier: Open commitment to the edge
4. Prover: Open commitments to colors on the edge

Page 7: Concurrent Zero-Knowledge

Simulator for Graph 3-Colorability

• Get Verifier Step 1 commitment
• Commit to nonsense in Step 2
• See Verifier’s revealed edge e in Step 3
• Rewind Verifier to Step 2
• Commit to colors good for e in Step 2
• Verifier must reveal same e in Step 3
• Open commitments to e’s colors in Step 4
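The four-step protocol and the rewinding simulator above, as an added Python sketch that is not code from the talk. It assumes a SHA-256 hash commitment in place of the commitment scheme, models the Verifier's random tape as a seed (`tape`), and runs on a constructed four-vertex graph; all names are illustrative.

```python
import hashlib
import random
import secrets

def commit(value: bytes):
    """Assumed commitment for this sketch: (SHA-256(nonce || value), nonce)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + value).digest(), nonce

def opens_to(com: bytes, nonce: bytes, value: bytes) -> bool:
    return hashlib.sha256(nonce + value).digest() == com

class Verifier:
    """Verifier with a fixed random tape; calling step3 again models a rewind."""
    def __init__(self, edges, tape):
        self.edges, self.tape = edges, tape

    def step1(self):                      # commit to the edge to be queried
        self.edge = random.Random(self.tape).choice(self.edges)
        self.edge_com, self.edge_nonce = commit(repr(self.edge).encode())
        return self.edge_com

    def step3(self, color_coms):          # open the commitment to the edge
        self.color_coms = color_coms
        return self.edge, self.edge_nonce

    def accepts(self, open_u, open_v):    # check the Step 4 openings
        (u, v), (cu, nu), (cv, nv) = self.edge, open_u, open_v
        return (opens_to(self.color_coms[u], nu, bytes([cu]))
                and opens_to(self.color_coms[v], nv, bytes([cv]))
                and cu != cv and {cu, cv} <= {0, 1, 2})

def commit_colors(colors):
    """Commit to every vertex color; returns (commitments, nonces)."""
    pairs = {v: commit(bytes([c])) for v, c in colors.items()}
    return ({v: com for v, (com, _) in pairs.items()},
            {v: nonce for v, (_, nonce) in pairs.items()})

def check_edge(edges, edge_com, edge, nonce):
    if edge not in edges or not opens_to(edge_com, nonce, repr(edge).encode()):
        raise ValueError("verifier did not open its Step 1 commitment")

def prove(edges, coloring, verifier):
    """Honest prover: uses the witness, a proper 3-coloring."""
    edge_com = verifier.step1()
    shuffle = random.sample(range(3), 3)               # fresh color permutation
    colors = {v: shuffle[c] for v, c in coloring.items()}
    coms, nonces = commit_colors(colors)               # Step 2
    edge, nonce = verifier.step3(coms)                 # Step 3
    check_edge(edges, edge_com, edge, nonce)
    u, v = edge
    return verifier.accepts((colors[u], nonces[u]), (colors[v], nonces[v]))

def simulate(edges, vertices, verifier):
    """Simulator: no coloring, one rewind of the verifier to Step 2."""
    edge_com = verifier.step1()
    junk, _ = commit_colors({v: 0 for v in vertices})  # commit to nonsense
    edge, nonce = verifier.step3(junk)                 # see revealed edge e
    check_edge(edges, edge_com, edge, nonce)
    colors = {v: 0 for v in vertices}                  # rewind to Step 2 ...
    colors[edge[0]], colors[edge[1]] = random.sample(range(3), 2)  # good for e
    coms, nonces = commit_colors(colors)
    edge2, nonce2 = verifier.step3(coms)               # Step 3 again
    check_edge(edges, edge_com, edge2, nonce2)
    if edge2 != edge:
        raise ValueError("verifier revealed a different edge after the rewind")
    u, v = edge
    return verifier.accepts((colors[u], nonces[u]), (colors[v], nonces[v]))

# Constructed sample graph: a triangle with one pendant vertex, and a 3-coloring.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3)]
COLORING = {0: 0, 1: 1, 2: 2, 3: 0}
```

`simulate` is never given a coloring: it succeeds only because it sees the edge in Step 3 before it has to produce the Step 2 message that counts.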

Page 8: Concurrent Zero-Knowledge

Many Verifiers: A Troublesome Interleaving

V1 V2 … Vn-1 Vn

1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4

Page 12: Concurrent Zero-Knowledge

(…)

Simulation takes exponential time!

Page 13: Concurrent Zero-Knowledge

Our Goal

• Zero-Knowledge protocol for NP secure under concurrent execution

• few rounds

• simple

• local control

Page 14: Concurrent Zero-Knowledge

Timing

Explicit use of time.

Weak Synchronization Assumption: There exist such that:

Your clock All other clocks

But: Allow Adversary to control timing of all messages, subject to constraint above.

Page 15: Concurrent Zero-Knowledge

Uses of Timing

Previous Work:

In Zero-Knowledge:

• [Beth & Desmedt90] [Brands & Chaum93] Use very accurate timing to prevent PIM attacks

As Cryptanalytic Tool:

• [Kocher96] Attack PK Cryptosystems by measuring time to decrypt (shows time-awareness is necessary)

We use only:

• Time-outs (require message within time )
• Delays (wait local time before sending message)

Page 16: Concurrent Zero-Knowledge

Protocol for NP with timing: Graph 3-Colorability

1. Verifier: Commit to the edge to be queried
2. Prover: Commit to vertex colors
3. Verifier: Open commitment to the edge
4. Prover: Open commitments to colors on the edge

Timing Constraints:

• Verifier must send Step 3 message within time of Step 1 message. (Prover waits )
• Prover waits until time has elapsed since Step 1 before sending Step 4.

Invariant: While any Verifier is in Steps 1-3, no new interaction can start and proceed to Step 4.

Page 17: Concurrent Zero-Knowledge

Many Verifiers: A Troublesome Interleaving

V1 V2 … Vn-1 Vn

1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4

Page 19: Concurrent Zero-Knowledge

Are we done? Not quite…

Naïve simulation still does not work:

• Bad static interleavings are impossible… But:

• Adversary can select timings (and hence interleavings) of messages randomly.

• Careful simulator design yields almost Zero-Knowledge (1/poly simulation error).

• For Arguments, assuming “trapdoor” statistically hiding commitment schemes exist (e.g. exist under Discrete Log Assumption), can achieve Perfect Zero-Knowledge.

Page 20: Concurrent Zero-Knowledge

Other Results and Extensions

• Also achieve Proofs of Knowledge with Concurrent Perfect Extractors.

• Simple protocols for Deniable Message Authentication using Timing to ensure both Privacy and Soundness.

• Recent work of Dwork and Sahai (Crypto ‘98) -- for Arguments, show how to restrict Timing Constraints to short Preprocessing Protocol, still achieve Concurrent Zero-Knowledge.

Page 21: Concurrent Zero-Knowledge

Open Problems

• Concurrent Zero-Knowledge possible in the standard model?

• Other uses of Timing under only a Weak Synchronization Assumption?

Page 22: Concurrent Zero-Knowledge

Motivation

Easier to prove statements about the honest-verifier model, e.g. HVSZK. By result, structural properties extend to General ZK as well.

Methodology:

Design an HVZK proof

Transform into General ZK proof

Why would one want to give such a transformation?

Page 28: Concurrent Zero-Knowledge

Many Verifiers: A Troublesome Interleaving

V1 V2 … Vn-1 Vn

1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4

(… $2^n$ simulations …)

Page 29: Concurrent Zero-Knowledge

Statistical Difference metric between distributions X and Y:

$$\frac{1}{2} \sum_x \left| \Pr[X = x] - \Pr[Y = x] \right|$$

[Figure: distributions X and Y; label "Area / 2"]

Statistically close means statistical difference is exponentially small in input size n = |x|.

Page 30: Concurrent Zero-Knowledge

Our Results

For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK:

Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.

No computational assumptions needed for transformation.

ZK condition holds even for computationally unbounded Verifiers

For SZK, [Oka96] gives a transformation: HV Public-Coin HV. We transform: Public-Coin HV General Hence, HV General w/o Public Coins.

Page 31: Concurrent Zero-Knowledge

Public Coin Proofs [Babai]

[Diagram: Arthur (Verifier) sends Random Coins and Merlin (Prover) sends a Response, twice over; then Accept/Reject]

Page 32: Concurrent Zero-Knowledge

Previous Work

Conditional:

For Computational Zero-Knowledge, assuming one-way functions exist, General CZK = IP = HVCZK [GMW86, IY87, Ben-Or+88]

For Statistical Zero-Knowledge, assuming one-way functions exist, HVSZK General SZK [BMO90, OVY93, Oka96]

Unconditional:

For both CZK and SZK, but restricted to constant round Public-Coin Proofs, HV General [Dam94, DGW94]

Page 33: Concurrent Zero-Knowledge

Techniques

Main Ingredients:

A new Random Selection Protocol.

A new Hashing Lemma about 2-universal hash functions.

Page 34: Concurrent Zero-Knowledge

The Transformation

[Diagram: Arthur and Merlin; labels: r, Random Selection]

Page 35: Concurrent Zero-Knowledge

The Simulator

Use the Honest-Verifier Simulator to generate transcript:

[Diagram: transcript; labels: r]

Page 36: Concurrent Zero-Knowledge

Desired Properties of Random Selection (RS) I

Dishonest Merlin: need guarantee that Merlin cannot control output distribution too much to ensure Soundness.

For any set S of possible Arthur messages ( ’s),

$$\Pr[\text{RS Outcome} \in S] \le 2^n \cdot \mathrm{density}(S)$$

(details omitted)

Let B be set of possible r ’s on which original Merlin can fool Arthur.

So if, at each RS protocol, the bound above holds, after r rounds, Merlin can make B at most $2^{rn}$ times more likely than in original protocol.

Use parallel repetition of original proof system to make Pr[B] at most $2^{-(r+1)n}$.

Hence Final Soundness Error at most $2^{-n}$.

Page 37: Concurrent Zero-Knowledge

Desired Properties of Random Selection (RS) II

Dishonest Arthur: need Simulator distribution to be close to true distribution:

HV Simulator outputs nearly uniform ’s. Hence, RS protocol must also.

Moreover, for almost every , need to simulate RS protocol to output .

i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts, conditioned on the output being .

Page 38: Concurrent Zero-Knowledge

Random Selection [DGW]

Arthur selects “random” partition of message space into cells of size poly(n).

[Diagram: Arthur and Merlin; labels: partition, Cell $\in_R$ partition, $\in_R$ Cell, $\{0,1\}^{(n)}$]

Dishonest Merlin can cause at most 1/poly(n) statistical deviation.

When Arthur is Dishonest, can simulate for only a 1/poly(n) fraction of ’s.

Yields result only for constant round.

We fix this.

Page 39: Concurrent Zero-Knowledge

Our Solution

Use [DGW] protocol to select randomly among sets of $2^n$ possible ’s.

Any 1/poly(n) fraction of such sets will cover the space of ’s almost uniformly.

[Diagram: Arthur and Merlin; labels: [DGW] RS protocol, Set S of $2^n$ ’s, $\in_R$ S]

Page 40: Concurrent Zero-Knowledge

Hash Functions

We use hash functions to describe sets of ’s.

Let the space of Arthur messages be $\{0,1\}^{(n)}$.

Let H be the space of affine-linear functions, $h(x) = Ax + b$, from $\{0,1\}^{(n)}$ to $\{0,1\}^{(n)-n}$.

For almost all h’s, $h^{-1}(0)$ is of size $2^n$.

H is a 2-universal family of hash functions, so ’s will be “well spread” over sets $h^{-1}(0)$.

We will use $h^{-1}(0)$ to be our set of ’s.

Page 41: Concurrent Zero-Knowledge

New Random Selection

Arthur selects “random” partition of H into cells of size poly(n).

[Diagram: Arthur and Merlin; labels: partition, Cell $\in_R$ partition, h $\in_R$ Cell, h, $\in_R h^{-1}(0)$]

Page 42: Concurrent Zero-Knowledge

Properties of Random Selection (RS)

Dishonest Merlin:

For any set S of Arthur messages, $\Pr[\text{Outcome} \in S] \le 2^n \cdot \mathrm{density}(S)$

[Separate label on the slide: 1/poly(n)]

Still OK for Soundness.

Dishonest Arthur: Outcome almost uniform. For almost every , can simulate RS protocol to output .

i.e. For almost any , distribution of Simulator for RS is statistically close to distribution of actual RS transcripts, conditioned on the output being .

Page 43: Concurrent Zero-Knowledge

Simulation of Random Selection (RS)

The random tape of Arthur is already fixed; Arthur is deterministic.

Simulator, on input :

Obtains Arthur’s partition p.

Chooses cell y randomly among cells containing some h such that h(

If Arthur picks h such that h(, output (p,y,h, Otherwise repeat.

Why does this work?

Page 44: Concurrent Zero-Knowledge

RS Protocol & Simulator

Simulator, on input :
Obtains Arthur’s partition p.
Chooses cell y randomly among cells containing some h such that h(.
If Arthur picks h such that h(, output (p,y,h, Otherwise repeat.

[Diagram: Arthur and Merlin; labels: partition, Cell $\in_R$ partition, h $\in_R$ Cell, h, $\in_R h^{-1}(0)$]

Page 45: Concurrent Zero-Knowledge

New Hashing Lemma (first view)

[Figure: H on one side, ’s on the other; label $2^n$]

Blue hash functions: any inverse polynomial fraction of all hash functions H

Weight from blue edges nearly uniform on ’s.

Page 46: Concurrent Zero-Knowledge

New Hashing Lemma (another view)

H ’s

For almost any , fraction of blue neighbors is almost same as fraction of blue hash functions.

Page 47: Concurrent Zero-Knowledge

New Hashing Lemma

s,' offraction 2 abut allfor Then, (n)-

. )(

npoly

H

Moreover, the statistical difference between the following two distributions is at most $2^{-n}$:

).,(Output

Let .}1,0{ Choose II)(

).,(Output

).0(Let . Choose (I)

)(

1

h

h

h

hh

Rn

R

RR

(Hence the simulation is polynomial time)

(Hence the simulation is statistically close.)

Let H be any set of size Blue

hBlue h

h hhBlue h

Blue

Blue

2-(n).

Page 48: Concurrent Zero-Knowledge

Proof Sketch (of first view)

Want to show: for all sets S of ’s, Pr[Output in S] = density(S) 2-(n).

We show that for 1-2-(n) fraction of hH, h is a “good choice” for S, i.e.

h-1(0)h-1(0) Sdensity(S) 2-(n).

(First show this is true in expectation over hH, then use Chebyshev’s inequality to prove deviation from expectation is 2-(n) with probability 1-2-(n). Analysis made possible by pairwise independence of hH.)

Since Blue is inverse polynomial fraction of H, also holds for 1-2-(n) fraction of hBlue.

Page 49: Concurrent Zero-Knowledge

Conclusions

We transform Public-Coin proofs ZK for the Honest Verifier into proofs ZK for any Verifier.

HVSZK = SZK

Public-Coin HVCZK= Public-Coin CZK

We give a new Hashing Lemma which may be of independent interest.

Page 51: Concurrent Zero-Knowledge

Zero-Knowledge: yield nothing beyond validity of assertion

Usual proof: - Convincing - Lots of Knowledge

New Notion of Proof:

Interactive Process: Prover tries to convince Verifier

Probabilistic Confidence

Proofs and Zero-Knowledge

I understand!

I tell you, PNP!

How’s that?

Proof: …………..….

Page 52: Concurrent Zero-Knowledge

Interactive Proof System [GMR] for a language L

[Diagram: Verifier and Prover exchange messages v1, p1, v2, ..., pk; then accept/reject]

Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x belongs to language L.

• (Completeness): When x ∈ L, Verifier accepts with high prob.
• (Soundness): When x ∉ L, no matter what strategy Prover uses, Verifier accepts with low prob.

Page 53: Concurrent Zero-Knowledge

Graph Isomorphism

The Problem: Are these graphs the same under a relabeling of vertices?

[Figure: two graphs, G0 and G1, each with vertices labeled 1 to 8]

YES

6 2 8 1 4 5 3 7

1 2 3 4 5 6 7 8

Relabeling: G0 G1

Page 54: Concurrent Zero-Knowledge

Desired Properties of Random Selection (RS) Protocol

When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted)

When Arthur is Dishonest, need Simulator distribution to be close to true distribution: HV Simulator outputs nearly uniform ’s. Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .

i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts that output .

Page 55: Concurrent Zero-Knowledge

Zero Knowledge Proof System [GMW]

Prover: Let H be graph obtained by random relabeling of G0. (Message to Verifier: H)

Verifier: Pick G0 or G1 at random: b $\in_R$ {0,1}. (Message to Prover: b)

Prover: Let be the relabeling H Gb.

Verifier: Check if maps H Gb. If so, accept. If not, reject.

Page 56: Concurrent Zero-Knowledge

Why it works

Honest Verifier Simulator:
- Pick G0 or G1 at random first: b $\in_R$ {0,1}.
- Then let H be graph obtained by random relabeling of Gb -- and call the relabeling .
- Output (H, b, ).

Protocol: H: random relabeling of G0; b: random bit; : relabeling H Gb

Simulator: H: random relabeling of Gb; b: random bit; : relabeling H Gb

[Figure: H, G0, G1]

General Verifiers...
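An added check, not from the slides, that the Honest Verifier Simulator's output (H, b, relabeling) has exactly the same distribution as real protocol transcripts. It enumerates every relabeling of a constructed four-vertex graph; names such as `real_transcript` and `ISO` are illustrative assumptions.

```python
from collections import Counter
from itertools import permutations

def relabel(graph, perm):
    """Apply the vertex relabeling perm (perm[v] is v's new name) to an edge set."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in map(sorted, graph))

def inverse(perm):
    inv = [0] * len(perm)
    for v, image in enumerate(perm):
        inv[image] = v
    return tuple(inv)

def compose(p, q):
    """The relabeling 'first q, then p'."""
    return tuple(p[q[v]] for v in range(len(q)))

def real_transcript(G0, iso, sigma, b):
    """Protocol: Prover relabels G0 by sigma, honest Verifier sends bit b."""
    H = relabel(G0, sigma)
    to_G0 = inverse(sigma)                             # maps H -> G0
    pi = to_G0 if b == 0 else compose(iso, to_G0)      # maps H -> Gb
    return H, b, pi

def simulated_transcript(G0, G1, sigma, b):
    """Honest Verifier Simulator: pick b first, relabel Gb; no witness used."""
    H = relabel((G0, G1)[b], sigma)
    return H, b, inverse(sigma)                        # maps H -> Gb

def verifier_accepts(G0, G1, transcript):
    H, b, pi = transcript
    return relabel(H, pi) == (G0, G1)[b]

def distribution(make, n):
    """Exact transcript counts over all relabelings sigma and both bits b."""
    return Counter(make(sigma, b)
                   for sigma in permutations(range(n)) for b in (0, 1))

# Constructed sample instance: a 4-vertex path and a relabeled copy of it.
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
ISO = (2, 0, 3, 1)                                     # witness: maps G0 -> G1
G1 = relabel(G0, ISO)

REAL = distribution(lambda s, b: real_transcript(G0, ISO, s, b), 4)
SIM = distribution(lambda s, b: simulated_transcript(G0, G1, s, b), 4)
```

`REAL == SIM` holds because composing the Prover's relabeling with the isomorphism is a bijection on relabelings, so the simulator, which never sees `ISO`, produces the same 48 transcripts with the same weights.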

Page 57: Concurrent Zero-Knowledge

Zero-Knowledge (ZK)

Zero-Knowledge means Verifier learns nothing except truth of assertion.

Implementation Idea: When assertion is true, Verifier can produce transcripts of the interaction on her own.

Scope:

Honest Verifier

Any Verifier

[Diagram: messages v1, p1, v2, ..., pk, then accept/reject]

Page 58: Concurrent Zero-Knowledge

Statistical Zero-Knowledge (SZK) Proof Systems [GMR]: Honest and General

Proof system for L is statistical zero-knowledge for the Honest Verifier (HVZK) if for the honest Verifier V, there exists a probabilistic poly-time simulator S such that, when x ∈ L, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V with Prover.

Proof system for L is statistical zero-knowledge for General Verifiers (General ZK), if for every probabilistic poly-time Verifier V*, there exists a probabilistic poly-time simulator S such that, when x ∈ L, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V* with Prover.

Page 60: Concurrent Zero-Knowledge

Our Results (really)

For Public-Coin Statistical Zero-Knowledge Proof Systems:

Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.

No computational assumptions needed for transformation.

ZK condition holds even for computationally unbounded Verifiers

For SZK, [Oka96] gives a transformation: HV Public-Coin HV. We transform: Public-Coin HV General Hence, HV General w/o Public Coins.

Page 61: Concurrent Zero-Knowledge

Previous Work

Assuming one-way functions exist, HV General. [BMO90, OVY93, Oka96]

Without such assumptions: but restricted to constant rounds, Public Coin HV General. [Dam94, DGW94]

Page 62: Concurrent Zero-Knowledge

Random Selection

Two distrustful parties agree on a random string.

If any one party is dishonest, output should still have random properties.

Page 66: Concurrent Zero-Knowledge

Desired Properties of Random Selection (RS) Protocol

When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much to ensure soundness of resulting proof system. (details omitted)

When Arthur is Dishonest, need Simulator distribution to be close to true distribution: HV Simulator outputs nearly uniform ’s. Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .

i.e. Conditioned on a fixed , need Simulator distribution to be statistically close to distribution of actual RS transcripts that output .

Page 67: Concurrent Zero-Knowledge

Zero-Knowledge (ZK)

Zero-Knowledge means Verifier learns nothing except truth of assertion. Formally, can simulate interaction.

Quality: Computational, Statistical

Scope: Honest, General

We give a transformation:

Proof ZK for Honest Verifier

Proof ZK for General Verifiers

Page 69: Concurrent Zero-Knowledge

Definitions

Black-Box Simulator:

[Diagram: Simulator and Verifier; labels: Random Tape, v1, p1, pk, vk+1, vk]

Computational Zero-Knowledge: Require Simulator Distribution to be only Computationally Indistinguishable rather than statistically close.

Page 70: Concurrent Zero-Knowledge

Zero-Knowledge Proof [GMR85]

[Diagram: messages v1, p1, v2, ..., pk, then accept/reject]

When assertion is true, Verifier can simulate her view of the interaction on her own.

Formally, a proof system is Statistical ZK if for every Verifier, there is a probabilistic poly-time simulator such that, when the assertion is true, its output distribution is statistically close to Verifier’s view of the interaction with Prover.

Computational ZK: require simulator distribution to be computationally indistinguishable rather than statistically close.

Page 71: Concurrent Zero-Knowledge

Our Results

For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK:

Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.

For Statistical ZK, HVSZK = Public-Coin HVSZK [Oka96], so we show HVSZK = General SZK.

No computational assumptions

ZK condition holds even for computationally unbounded Verifiers

Page 72: Concurrent Zero-Knowledge

Previous Work

For Computational Zero-Knowledge, assuming one-way functions exist, CZK = HVCZK = IP = PSPACE [GMW86, IY87, Ben-Or+88]

For Statistical Zero-Knowledge, assuming one-way functions exist, SZK = HVSZK [BMO90, OVY93, Oka96]

For both CZK and SZK, unconditionally, but restricted to constant round Public-Coin Proofs, Honest Verifier = General Verifier [Dam94, DGW94]

Page 73: Concurrent Zero-Knowledge

Desired Properties of Random Selection (RS)

Dishonest Merlin:

For any set S of Arthur messages, $\Pr[\text{Outcome} \in S] \le 2^n \cdot \mathrm{density}(S)$

OK for Soundness by parallel repetition of Original Proof System.

Dishonest Arthur: Outcome almost uniform. For every , can simulate RS to produce .

i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .

Page 74: Concurrent Zero-Knowledge

Random Selection [DGW]

Arthur selects “random” partition of message space into cells of size poly(n).

[Diagram: Arthur and Merlin; labels: partition, Cell $\in_R$ partition, $\in_R$ Cell]

Dishonest Merlin can cause at most 1/poly(n) statistical deviation.

For Dishonest Arthur: can simulate for only a 1/poly(n) fraction of ’s.

Yields result only for constant round.

We fix this.

Page 75: Concurrent Zero-Knowledge

Properties of Random Selection (RS)

Dishonest Merlin:

For any set S of Arthur messages, $\Pr[\text{Outcome} \in S] \le 2^n \cdot \mathrm{density}(S)$

[Separate label on the slide: 1/poly(n)]

Still OK for Soundness.

Dishonest Arthur: Outcome almost uniform. For almost every , can simulate RS to produce .

i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .

Page 76: Concurrent Zero-Knowledge

Public Coin Proofs [Babai]

[Diagram: Arthur and Merlin; Arthur sends Random Coins and Merlin sends a Response, twice over; then Accept/Reject]

Page 78: Concurrent Zero-Knowledge

New Hashing Lemma

s,' offraction 2 abut allfor Then, (n)-

}.0)(|{Let hhH

. )(

npoly

H

)(1

npolyH

H

Moreover, the statistical difference between the following two distributions is at most $2^{-n}$:

).,(Output . Let .}1,0{ Choose II)(

).,(Output ).0(Let . Choose (I)

)(

1

hHh

hhh

Rn

R

RR

(Hence the simulation is polynomial time)

(Hence the simulation is statistically close.)

Let H be any set of size

Blue

Blue

Blue

Blue

Page 79: Concurrent Zero-Knowledge

Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge

Oded Goldreich (Weizmann)
Amit Sahai (MIT)
Salil Vadhan (MIT)