Impossibility and Feasibility Results for Zero Knowledge with Public Keys. Joël Alwen (Tech. Univ. Vienna, Austria), Giuseppe Persiano (Univ. Salerno, Italy), Ivan Visconti (Univ. Salerno, Italy)

Dec 28, 2015

Page 1

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Joël Alwen, Tech. Univ. Vienna, AUSTRIA
Giuseppe Persiano, Univ. Salerno, ITALY
Ivan Visconti, Univ. Salerno, ITALY

Page 2

Outline

• Zero Knowledge (ZK)
• Concurrent ZK & Resettable ZK (cZK & rZK)
• ZK with public keys (BPK-UPK)
• Soundness in these PK models
• Impossibility of 3-round sequentially-sound cZK in the BPK model
• rZK proof of membership for L ∈ NP in the UPK model

Page 3

Interactive Proof Systems in the Plain Model

theorem: “x ∈ L”

[Figure: prover P (random tape rP, witness w) and verifier V (random tape rV) exchange messages a, b, …, z; V outputs Accept or Reject]

• Properties
– Completeness: if the theorem is true, V outputs “Accept”
– Soundness: if the theorem is false, V outputs “Reject”

Page 4

Interactive Proofs (2)

Soundness: “no malicious prover P can convince V of a false theorem”

Assumptions about P’s capabilities:
– P unbounded: Interactive Proof
– P bounded: Interactive Argument

Most results are for Interactive Arguments, not proofs.

Page 5

Zero Knowledge

• Intuition: Don’t give any extra information to any possible verifier

theorem: “x ∈ L”

[Figure: prover P (rP, w) and any verifier V* (rV) exchange a, b, …, z on x ∈ L; V* outputs Accept or Reject]

• (Black-Box) Zero Knowledge: there is an efficient S with (black-box) oracle access to V* simulating V*’s view of the interaction with P for true theorems

[Figure: S (random tape rS) with black-box access to V* outputs (rV, a, b, …, z), the view of V* above (with rV as input)]

Page 6

Outline

• Zero Knowledge (ZK)
• Concurrent ZK & Resettable ZK (cZK & rZK)
• ZK with public keys (BPK-UPK)
• Soundness in these PK models
• Impossibility of 3-round sequentially-sound cZK in the BPK model
• rZK proof of membership for L ∈ NP in the UPK model

Page 7

Concurrent ZK (cZK)

[Figure: a single prover P runs sessions for x1 ∈ L, x2 ∈ L, …, xn ∈ L with verifiers V1, V2, …, Vn; an evil adversary V* controls all verifiers and the network scheduling]

Note: possibly xi = xj with i ≠ j

Page 8

Resettable ZK (rZK)

• Adversary V* can:
– Reset P to a previous state (including its random tape), spawning a new incarnation of P
– Interact concurrently with all incarnations of P

[Figure: incarnations P1 = P(r1), P2 = P(r2), …, Pn = P(rn) with random tapes r1, r2, …, rn; V* controls the scheduling]

Page 9

Outline

• Zero Knowledge (ZK)
• Concurrent ZK & Resettable ZK (cZK & rZK)
• ZK with public keys (BPK-UPK)
• Soundness in these PK models
• Impossibility of 3-round sequentially-sound cZK in the BPK model
• rZK proof of membership for L ∈ NP in the UPK model

Page 10

Models for ZK with Public Keys

• In the plain model, constant-round black-box rZK is only possible for trivial languages (L ∈ BPP) [CKPR STOC 01]
– For non-black-box this remains open

• So add some setup assumption to the model.

• Bare Public Key (BPK) model
– In a preprocessing stage, the verifiers register their public keys in a public file.
• This stage is performed only by verifiers, is non-interactive, and further the public file can be under the control of the adversary!
– In the proof stage, the same public file is part of the common input in all proofs and the verifiers can use their private keys.

Page 11

BPK Preprocessing Stage

[Figure: verifiers Vi, Vs, Vt register pki, …, pks, …, pkt in the public file (labels: honest verifier, public file, maintains)]

Page 12

Related Models

• The verifier has a persistent counter (in all related models)

• There is no bound; specifically for any public key it is possible to run any polynomial number of sessions. (Counter Public Key model = CPK)

• For each public key there is a bound on the maximum number of sessions w.r.t. each statement (Weak Public Key model = WPK)

• For each public key there is an upper bound on the number of sessions for which it can be used (Upperbound Public Key model = UPK)

Page 13

Outline

• Zero Knowledge (ZK)
• Concurrent ZK & Resettable ZK (cZK & rZK)
• ZK with public keys (BPK-UPK)
• Soundness in these PK models
• Impossibility of 3-round sequentially-sound cZK in the BPK model
• rZK proof of membership for L ∈ NP in the UPK model

Page 14

4 Notions

• [MR Crypto 01] (black-box ZK): there are 4 distinct notions of soundness in the BPK model:
– one-time soundness (OTS)
– sequential soundness (SS)
– concurrent soundness (CS)
– resettable soundness (RS)

[Figure: a sequential malicious prover (emulating P*1, P*2, …, P*n on x1, x2, …, xn ∉ L) attacking V under sequential network scheduling]

Page 15

Outline

• Zero Knowledge (ZK)
• Concurrent ZK & Resettable ZK (cZK & rZK)
• ZK with public keys (BPK-UPK)
• Soundness in these PK models
• Impossibility of 3-round sequentially-sound cZK in the BPK model
• rZK proof of membership for L ∈ NP in the UPK model

Page 16

The Complete Round Complexity Analysis

[Table: columns 3-Round OTS, 3-Round SS, 4-Round CS; rows sZK, cZK, rZK. Cell entries as extracted: [MR Crypto 01] (three cells), [DPV 04], [DPV Crypto 04] (three cells), Our Result (two cells)]

We have resolved the last open problem of the analysis of the round complexity of the various notions of ZK in the BPK model.

Page 17

Related Proofs

• Our result: 3-round black-box cZK with SS in the BPK model only exists for trivial languages.

1. [GK 96]: 3-round black-box ZK in the plain model only exists for trivial languages.

2. [MR Crypto 01]: 3-round black-box rZK with CS in the BPK model only exists for trivial languages.

Page 18

[GK 96] Proof

A. Assume 3-round black-box ZK in the plain model exists for a language L ∉ BPP.

B. Design a BPP deciding machine D for L by having the simulator S run against the honest V’s algorithm.
1. If S outputs an Accepting View then x ∈ L
2. If S outputs a Rejecting View then x ∉ L

[Figure: D emulates V (1) and executes S with random tape rS (2), obtaining the view (rV, a, b, …, z); it outputs x ∈ L or x ∉ L (3)]

Page 19

[GK 96] Proof (2)

C. Prove correctness of D by showing a strong correlation between S’s output and the verity of the theorem.
1. The correctness of B.1 follows from the ZK property of the protocol.
2. To show B.2 is correct, demonstrate (by contradiction) how a malicious prover P* could run S to convince V of a false statement.
3. Prove that with only polynomial loss of efficiency V will be convinced by P* even without P* being able to reset V.

[Figure: P* emulates V and executes S (rS) on x ∉ L; S can reset the emulated V, but P* can’t reset the real V it interacts with on x ∉ L]

Page 20

[MR Crypto 01] Extension

• Assume a 3-round black-box rZK protocol with CS in the BPK model exists for the language L
• B.1 to C.1 the same in the BPK model
• C.2 – C.3 need adjustment.
– Require concurrent powers of P* in order to use S’s output to cheat against honest V.
• Thus CS proved impossible but not SS, which is weaker (i.e. gives less power to P*)

[Figure: P* emulates V and executes S (rS) on x ∉ L; P* uses S’s output in concurrent sessions x1, x2, …, xn ∉ L against honest verifiers V sharing the public file, and controls the scheduling]

Page 21

Our Addition

• In order to show that sequential access to V by P* suffices, we require an added power.
• Use that S is a concurrent ZK simulator which works against any verifier algorithm, including our specially designed V*

[Figure: P* emulates V* and executes S (random tape rS), which controls the scheduling of concurrent sessions x1, x2, …, xn ∉ L against V*; P* uses S’s output against honest verifiers V on x ∉ L under sequential scheduling]

Page 22

Our Addition (2)

• By careful design of P* and V*, we show that if S is efficient then it must solve at least one of the concurrent sessions with V* straight-line (i.e. without a rewind).

• Demonstrate how P* can, efficiently enough, guess which session this is and use it to convince V of a false statement.

Page 23

Outline

• Zero Knowledge (ZK)
• Concurrent ZK & Resettable ZK (cZK & rZK)
• ZK with public keys (BPK-UPK)
• Soundness in these PK models
• Impossibility of 3-round sequentially-sound cZK in the BPK model
• rZK proof of membership for L ∈ NP in the UPK model

Page 24

Result Overview

• Result:
– Present a 3-round rZK proof with CS for all NP in the UPK model.
• The prover has unlimited computational power! So given a public key it can calculate the secret key… So we need a public key which corresponds to a super-polynomial number of secret keys.
– Moreover, no assumptions regarding the hardness of superpolynomial-time algorithms need to be made. (No complexity leveraging)
– Uses a perfectly hiding commitment scheme to make (pk, sk1, …, skm)

Page 25

UPK Setup

UPK model: security parameter k, upper bound n

Public file: … pki1, pki2, …, pkin … (n entries for verifier Vi)

skj := (rj, xj) ←R {0,1}^k × {0,1}^k (rj: random coins)
pkj := commit(xj, rj) (perfectly hiding)

Page 26

The Protocol

[Com(), Dec()]: perfectly binding commitment scheme
[Com(), Dec()]: perfectly hiding commitment scheme (public keys pkj := Com(xj, rj))
[Zap1, Zap2(·)]: two-round resettable witness-indistinguishable proof system implemented with Zaps from [DN FOCS ’00]
Using the FLS paradigm [FLS SJoComp ’99]

Common input: x ∈ L and the public file pk. P holds a witness to x ∈ L; V holds counter c and pkc, skc := (xc, rc).

P → V: m = Com(w)
V → P: pkc, Zap1
P → V: Zap2(“Dec(m) = w” and either “w = skc” or “w witness to x ∈ L”)

Page 27

Properties (Idea)

• Complete: Honest prover P can send Com(w := witness to x ∈ L) in round 1

• Sound: Because when (unbounded) P* sends Com(w) in round 1, it has only seen a perfectly hiding commitment to skc in the public file.

• rZK: The simulator can rewind V to use the same counter and thus the same skc again. After at most n rewinds all secret keys are known. The rest can be simulated straight-line.
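As an added example (not code from the slides or from the paper), the following Python toy instantiates the UPK key registration of page 25 and the counter/rewind behaviour used on page 27. It assumes a Pedersen commitment over a constructed tiny group (p = 23, q = 11, generators 4 and 9, nothing like a secure size), and the names PedersenGroup, UPKVerifier, simulate_rewinds and exhaust_keys are my own. It goes a step beyond the slides by enumerating every opening of a public key, which shows concretely that a perfectly hiding pk is consistent with q distinct secret keys, the property the slides rely on against an unbounded prover. The Zap-based proof stage and the FLS trick are not implemented.

```python
# Added example, not from the slides or the paper: a toy UPK setup using a
# Pedersen commitment (perfectly hiding, computationally binding) and a
# verifier with the persistent counter that enforces the upper bound n.
# All group parameters are constructed toy values, not secure sizes.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PedersenGroup:
    """Com(x; r) = g^x * h^r mod p in a subgroup of prime order q.
    Perfectly hiding: for any commitment and any x there is exactly one r,
    so a public key corresponds to q secret keys rather than one."""
    p: int  # modulus
    q: int  # prime order of the subgroup generated by g and h
    g: int  # generator of the order-q subgroup
    h: int  # second generator (its log base g is trivially computable in the toy)

    def commit(self, x: int, r: int) -> int:
        return (pow(self.g, x, self.p) * pow(self.h, r, self.p)) % self.p

    def open(self, c: int, x: int, r: int) -> bool:
        """Dec check: does the pair (x, r) open commitment c?"""
        return self.commit(x, r) == c

    def keygen(self):
        """One UPK key: sk_j = (r_j, x_j) at random, pk_j = Com(x_j; r_j).
        The slides draw x_j, r_j from {0,1}^k; here they are elements of Z_q."""
        x = secrets.randbelow(self.q)
        r = secrets.randbelow(self.q)
        return self.commit(x, r), (r, x)

    def count_openings(self, c: int) -> int:
        """Brute-force count of (x, r) pairs opening c: what an unbounded P*
        could do, and only feasible here because the group is tiny."""
        return sum(1 for x in range(self.q) for r in range(self.q)
                   if self.commit(x, r) == c)


# Constructed toy group: 4 and 9 both generate the order-11 subgroup of Z_23*.
TOY = PedersenGroup(p=23, q=11, g=4, h=9)


class UPKVerifier:
    """Verifier V_i in the UPK model: registers pk_i1..pk_in in the public file
    and keeps a persistent counter so each key serves exactly one session."""

    def __init__(self, grp: PedersenGroup, n: int):
        self.grp, self.n = grp, n
        self.keys = [grp.keygen() for _ in range(n)]  # [(pk_j, sk_j)]
        self.counter = 0  # persistent across sessions

    def public_file_entry(self):
        return [pk for pk, _ in self.keys]

    def start_session(self):
        """Select (c, pk_c, sk_c) for this session; refuse once n is reached."""
        if self.counter >= self.n:
            raise RuntimeError("upper bound n reached: no unused key left")
        c = self.counter
        self.counter += 1
        pk, sk = self.keys[c]
        return c, pk, sk


def simulate_rewinds(v: UPKVerifier, rewinds: int):
    """Model of the rZK simulator's rewinds: reset V to a saved state before
    each session, so every incarnation reuses the same counter c and hence
    the same sk_c. Returns the counter values observed."""
    saved = v.counter
    seen = []
    for _ in range(rewinds):
        v.counter = saved  # rewind V to the saved state
        c, _, _ = v.start_session()
        seen.append(c)
    return seen


def exhaust_keys(v: UPKVerifier):
    """Advance V without rewinds until the bound triggers; the counters met
    are all the keys a simulator can ever be asked to handle (at most n)."""
    learned = set()
    while True:
        try:
            c, _, _ = v.start_session()
        except RuntimeError:
            return learned
        learned.add(c)


if __name__ == "__main__":
    v = UPKVerifier(TOY, n=4)
    pk0 = v.public_file_entry()[0]
    print("openings of pk0:", TOY.count_openings(pk0))
    print("counters seen under rewinds:", simulate_rewinds(v, 3))
    print("keys met without rewinds:", exhaust_keys(UPKVerifier(TOY, n=4)))
```

Run it as a script: count_openings reports q = 11 openings for any registered key, simulate_rewinds reports the same counter value on every rewind, and exhaust_keys stops after exactly n sessions, which is the bound the slide's "after at most n rewinds" argument depends on.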

That’s all folks. Thank you!