Presentation

Impossibility and Feasibility
Results for Zero Knowledge
with Public Keys
Joël Alwen
Tech. Univ. Vienna
AUSTRIA
Giuseppe Persiano
Univ. Salerno
ITALY
Ivan Visconti
Univ. Salerno
ITALY
Outline
• Zero Knowledge (ZK)
• Concurrent ZK & Resettable ZK (cZK & rZK)
• ZK with public keys (BPK-UPK)
• Soundness in these PK models
• Impossibility of 3-round sequentially-sound cZK in the BPK model
• rZK proof of membership for L ∈ NP in the UPK model
Interactive Proof Systems in the Plain Model
theorem: “x ∈ L”
Figure: prover P (inputs rP, w) and verifier V (input rV) exchange the messages a, b, z; V outputs Accept or Reject.
• Properties
Completeness: if the theorem is true ⇒ V outputs “Accept”
Soundness: if the theorem is false ⇒ V outputs “Reject”
Interactive Proofs (2)
Soundness: “no malicious prover P can convince V of a false theorem”
Assumptions about P’s capabilities:
P unbounded ⇒ Interactive Proof
P bounded ⇒ Interactive Argument
Most results are for Interactive Arguments, not proofs.
Zero Knowledge
• Intuition: Don’t give any extra information to any possible verifier
theorem: “x ∈ L”
Figure: prover P (inputs rP, w) exchanges the messages a, b, z with any verifier V* (input rV), which outputs Accept or Reject.
• (Black-Box) Zero Knowledge ⇔ ∃ efficient S with oracle access to V* simulating V*’s view of the interaction with P for true theorems
Figure: on input x ∈ L, the simulator S (random tape rS) with black-box access to V* outputs (rV, a, b, …, z) ≈ view of V* above (with rV as input).
Concurrent ZK (cZK)
Figure: a single prover P runs sessions with verifiers V1, V2, …, Vn on statements x1, x2, …, xn ∈ L, all run by an evil adversary V* that controls the network scheduling.
Note: possibly xi = xj with i ≠ j
Resettable ZK (rZK)
• Adversary V* can:
– Reset P to a previous state (including its random tape), spawning a new incarnation of P
– Interact concurrently with all incarnations of P
Figure: incarnations P1 = P(r1), P2 = P(r2), …, Pn = P(rn) of the prover, with V* controlling the scheduling.
Models for ZK with Public Keys
• In the plain model constant-round black-box rZK is only possible for trivial languages (L ∈ BPP) [CKPR STOC 01]
– For non-black-box this remains open
• So add some setup assumption to the model.
• Bare Public Key (BPK) model
– In a preprocessing stage, the verifiers register their public keys in a public file.
• This stage is performed only by verifiers, is non-interactive, and further the public file can be under the control of the adversary!
– In the proof stage, the same public file is part of the common input in all proofs and the verifiers can use their private keys.
BPK Preprocessing Stage
Figure: the public file with entries …, pki, …, pks, …, pkt, … registered by the verifiers Vi (honest), Vs, Vt.
Related Models
• The verifier has a persistent counter (in all related models)
• There is no bound; specifically, for any public key it is possible to run any polynomial number of sessions. (Counter Public Key model = CPK)
• For each public key there is a bound on the maximum number of sessions w.r.t. each statement (Weak Public Key model = WPK)
• For each public key there is an upper bound on the number of sessions for which it can be used (Upperbound Public Key model = UPK)
4 Notions
• [MR Crypto 01] (black-box ZK): there are 4 distinct notions of soundness in the BPK model:
– one-time soundness (OTS)
– sequential soundness (SS)
– concurrent soundness (CS)
– resettable soundness (RS)
Figure: sequential malicious provers P*1, P*2, …, P*n attacking V (on statements such as x2 ∉ L) under sequential network scheduling.
The Complete Round Complexity Analysis
We have resolved the last open problem of the analysis of round complexity of various notions of ZK in the BPK model.

        3-Round OTS        3-Round SS        4-Round CS
sZK     [MR Crypto 01]     [DPV 04]          [DPV Crypto 04]
cZK     [MR Crypto 01]     Our Result        [DPV Crypto 04]
rZK     [MR Crypto 01]     Our Result        [DPV Crypto 04]
Related Proofs
• Our result: 3-Round black-box cZK with SS in the BPK model only exists for trivial languages.
1. [GK 96]: 3-Round black-box ZK in the plain model only exists for trivial languages.
2. [MR Crypto 01]: 3-Round black-box rZK with CS in the BPK model only exists for trivial languages.
[GK 96] Proof
A. Assume 3-round black-box ZK in the plain model exists for a language L ∉ BPP
B. Design a BPP deciding machine D for L by having the simulator S run against the honest V’s algorithm.
1. If S outputs an Accepting View then x ∈ L
2. If S outputs a Rejecting View then x ∉ L
Figure: D (1) executes S (random tape rS) against the honest V on input x, (2) obtains the view (rV, a, b, …, z), and (3) decides x ∈ L or x ∉ L.
[GK 96] Proof (2)
C. Prove correctness of D by showing strong correlation between S’s output and the verity of the theorem.
1. The correctness of B.1 follows from the ZK property of the protocol
2. To show B.2 is correct, demonstrate (by contradiction) how a malicious prover P* could run S to convince V of a false statement.
Figure: P* interacts with the external V on x ∉ L and can’t reset V; internally P* executes S (random tape rS) against a copy of V, which S can reset.
3. Prove that with only polynomial loss of efficiency V will be convinced by P* even without P* being able to reset V
[MR Crypto 01] Extension
• Assume a 3-round black-box rZK protocol with CS in the BPK model exists for the language L
• B.1 to C.1 the same in the BPK model
• C.2 – C.3 need adjustment.
– Require concurrent powers of P* in order to use S’s output to cheat against honest V.
• Thus CS proved impossible but not SS, which is weaker (i.e. gives less power to P*)
Figure: with a shared public file, P* executes S (random tape rS) internally against copies of V while attacking the honest verifiers V concurrently (on x ∉ L, x2 ∉ L), controlling the scheduling.
Our Addition
• In order to show that sequential access to V by P* suffices we require an added power.
• Use that S is a concurrent ZK simulator which works against any verifier algorithm, including our specially designed V*
Figure: P* executes S (random tape rS) internally against the specially designed V*, controlling the scheduling there, while interacting with the honest verifiers V sequentially (on x ∉ L, x2 ∉ L).
Our Addition (2)
• By careful design of P* and V* we show that if S is efficient then it must solve at least one of the concurrent sessions with V* straight-line (i.e. without a rewind).
• Demonstrate how P* can efficiently enough guess which session this is and use it to convince V of a false statement.
Result Overview
• Result:
– Present a 3-round rZK proof with CS for all NP in the UPK model.
• Prover has unlimited computational power! So given a public key it can calculate the secret key… So we need a public key which corresponds to a super-polynomial number of secret keys
– Moreover no assumptions regarding the hardness of superpolynomial-time algorithms need to be made. (No complexity leveraging)
– Uses a perfectly hiding commitment scheme to make (pk, sk1, …, skm)
UPK Setup
UPK Model: security parameter k, upper bound n
Each verifier repeats the following n times with fresh random coins:
skj := (rj, xj) ←R {0,1}^k × {0,1}^k
pkj := commit(xj, rj)   (perfectly hiding)
Public File: …, pki1, pki2, …, pkin (the n public keys of Vi), …
The Protocol
Using the FLS paradigm [FLS SJoComp ’99]
Components:
– pkj := Com(xj, rj), the verifier’s public key in the public file
– [Com(), Dec()] : perfectly binding commitment scheme
– [Com(), Dec()] : perfectly hiding commitment scheme
– [Zap1, Zap2(.)] : two-round resettable witness-indistinguishable proof system implemented with Zaps from [DN FOCS ‘00]
Common input: pk and x ∈ L; P additionally holds a witness to x ∈ L; V holds its counter c
Round 1, P → V: Com(w) = m
Round 2, V → P: pkc, skc := (xc, rc), Zap1
Round 3, P → V: Zap2(“Dec(m) = w” and either “w = skc” or “w witness to x ∈ L”)
Properties (Idea)
• Complete: Honest prover P can send Com(w := witness to x ∈ L) in round 1
• Sound: Because when (unbounded) P* sends Com(w) in round 1, it has only seen a perfectly hiding commitment to skc in the public file.
• rZK: The simulator can rewind V to use the same counter and thus the same skc again. After max n rewinds all secret keys are known. The rest can be simulated straight-line.
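The following toy model of the UPK setup and of the rZK argument on these slides is an added example, not code from the talk: it uses a Pedersen commitment over a tiny constructed group as the perfectly hiding scheme, shows that one public key opens to every candidate secret key (so even an unbounded prover learns nothing about skc from the public file), and models the verifier's persistent counter together with the rewinding a simulator uses to collect all n secret keys. The names (upk_keygen, UPKVerifier, simulator_harvest), the group parameters and the trapdoor are assumptions of the example; the Zap-based proof rounds are not modelled.

```python
import secrets

# Constructed toy group: p = 2q+1, g generates the order-q subgroup of Z_p^*.
P, Q, G = 23, 11, 4
TRAPDOOR = 7                 # log_g(h): known only to this demo, never to a prover
H = pow(G, TRAPDOOR, P)      # h = 4^7 mod 23 = 8

def commit(x, r):
    """Pedersen commitment g^x * h^r mod p: perfectly hiding, so pk_j reveals nothing about x_j."""
    return (pow(G, x, P) * pow(H, r, P)) % P

def upk_keygen(n):
    """UPK preprocessing: n secret keys sk_j = (r_j, x_j) with pk_j = commit(x_j, r_j)."""
    sks = [(secrets.randbelow(Q), secrets.randbelow(Q)) for _ in range(n)]
    return [commit(x, r) for (r, x) in sks], sks

def equivocate(sk, x_alt):
    """Every x' opens the same pk: returns r' with commit(x', r') == commit(x, r) (needs the trapdoor)."""
    r, x = sk
    e = (x + TRAPDOOR * r) % Q                     # pk = g^e with e = x + t*r (mod q)
    return ((e - x_alt) * pow(TRAPDOOR, -1, Q)) % Q

class UPKVerifier:
    """Verifier with the persistent counter c of the UPK model; session c reveals sk_c
    in round 2, and after n sessions the key file is exhausted (the upper bound)."""
    def __init__(self, n):
        self.pks, self.sks = upk_keygen(n)
        self.c = 0
    def round2(self):
        if self.c >= len(self.pks):
            raise RuntimeError("UPK upper bound reached")
        c, self.c = self.c, self.c + 1
        return c, self.pks[c], self.sks[c]
    def reset(self, c):
        """Rewind the verifier's state, the power an rZK simulator has over V."""
        self.c = c

def simulator_harvest(v):
    """rZK idea: rewinding V to the same counter yields the same sk_c, so after at most
    n rewinds all n secret keys are known and the remaining sessions run straight-line."""
    learned = {}
    while True:
        try:
            c, _pk, sk = v.round2()
        except RuntimeError:
            return learned                         # bound hit: every sk_c is known
        learned[c] = sk
        v.reset(c)                                 # rewind: the next round2 reuses counter c
        c2, _, sk2 = v.round2()
        assert (c2, sk2) == (c, sk), "reset must replay the same sk_c"
```

Because the secret keys are sampled from the whole exponent space, equivocate shows that each pk_j is consistent with all q candidate x_j values, the toy analogue of a public key corresponding to a super-polynomial number of secret keys.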
That’s all folks. Thank you!