DENG Yi,LIN Dong-Dai

DOI: https://doi.org/10.3724/sp.j.1001.2008.00468

2008-01-01

Journal of Software

Abstract:This paper shows how to efficiently transform any 3-round public-coin honest verifier zero knowledge argument system for any language in NP into a 4 round (round-optimal) concurrent zero knowledge argument for the same language in the bare public-key model. The transformation has the following properties: 1) incurs only O(1) (small constant, about 20) additional modular exponentiations. Compared to the concurrent zero knowledge protocol proposed by Di Crescenzo and Visconti in ICALP 2005, in which their transformation requires an overhead of Θ(n), the protocol is significantly more efficient under the same intractability assumptions; 2) yields a perfect zero knowledge argument under DL assumption. Note that the Di Crescenzo, et al.’s argument system enjoys only computational zero knowledge property. The transformation relies on a specific 3-round honest verifier zero knowledge proof of knowledge for committed discrete log. Such protocols that require only O(1) modular exponentiations based on different kinds of commitment scheme are developed and they may be of independent interest.

Yi Deng,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-540-79499-8_11

2008-01-01

Abstract:In this paper we present the first constant round resettable zero knowledge arguments with concurrent soundness for \(\mathcal{NP}\) in the bare public-key (BPK for short) model assuming only collision-resistant hash functions against polynomial-time adversaries. This resolves the problem whether there exist such protocols for \(\mathcal{NP}\) in BPK model without assuming sub-exponential hardness. In our protocol, the resettable zero knowledge is demonstrated via a black-box simulator, while the concurrent soundness is proved by using the malicious prover strategy in non-black-box manner.

Moti Yung,Yunlei Zhao

2006-01-01

Abstract:We present constant-round concurrently knowledge-extractable black-box resettable zero-knowledge (rZK-CKE) arguments forNP in the bare public-key (BPK) model. We give minimal (sub-exponential) hardness assumption based protocols as well as round-optimal protocols (still under general hardness assumptions). To our knowledge, our protocols are the first ZK protocols that provably provide both resettable/concurrent prover security and concurrent verifier security in public-key models. Here, the notion of concurrent knowledge-extractability roughly means that no malicious polynomial-time prover can convince an honest verifier of any (whether false or true) statement without “knowing” a corresponding NP-witness even by concurrently interleaving interactions in public-key models when verifiers register public-keys. We show that concurrent knowledge-extractability is strictly stronger than “concurrent soundness” (under any sub-exponentially strong one-way permutation) for concurrently proving NP statements to honest verifiers with public-keys. In particular, we show that previous concurrent zero-knowledge protocols in the BPK model that achieved concurrent soundness security and are also traditional arguments of knowledge actually fail to satisfy this stronger security notion (this is demonstrated by concrete attacks). Our work deepens the understanding of the subtleties of concurrent verifier security in public-key settings, and may serve as building blocks in designing other round-efficient concurrently secure protocols in public-key models that use, in particular, argument of knowledge (AOK) protocols as building blocks. RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu Software School, School of Information Science and Engineering, Fudan University, Shanghai 200433, China.

Yi Deng,Giovanni Di Crescenzo,Dongdai Lin

2006-01-01

Abstract:We consider a type of zero-knowledge protocols that are of interest for their practical applications within networks like the Internet: efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we consider a model, which we call the Authenticated Public-Key (APK) model. The APK model seems to significantly reduce the setup assumptions made by the CRS model (as no trusted party or honest execution of a centralized algorithm are required), and can be seen as a slightly stronger variation of the Bare Public-Key (BPK) model from , and a weaker variation of the registered public-key model used in . We then define and study man-in-the-middle attacks in the APK model. Our main result is a constant-round concurrent non-malleable zero-knowledge argument of knowledge for any polynomial-time relation (associated to a language in 𝒩𝒫), under the (minimal) assumption of the existence of a one-way function family. Furthermore,We show time-efficient instantiations of our protocol based on known number-theoretic assumptions. We also note a negative result with respect to further reducing the setup assumptions of our protocol to those in the (unauthenticated) BPK model, by showing that concurrently non-malleable zero-knowledge arguments of knowledge in the BPK model are only possible for trivial languages.

Nai-Hui Chia,Kai-Min Chung,Takashi Yamakawa

2023-10-30

Abstract:In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation. In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called $\epsilon$-zero-knowledge. Concretely, we construct the following protocols: - We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box $\epsilon$-zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of $\epsilon$-zero-knowledge property against quantum adversaries requires novel ideas. - We construct a constant round interactive argument for NP that satisfies computational soundness and black-box $\epsilon$-zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions. At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier's internal state in an appropriate sense.

Quantum Physics,Cryptography and Security

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-540-72540-4_8

2007-01-01

Abstract:We present a generic construction for constant-round concurrently sound resettable zero-knowledge (rZK-CS) arguments for NP in the bare public-key (BPK) model under any (sub-exponentially strong) one-way function (OWF), which is a traditional assumption in this area. The generic construction in turn allows round-optimal implementation for NP still under general assumptions, and can be converted into a highly practical instantiation (under specific number-theoretic assumptions) for any language admitting Sigma-protocols. Further, the rZK-CS arguments developed in this work also satisfy a weak (black-box) concurrent knowledge-extract ability property as proofs of knowledge, in which case some super-polynomial-time assumption is intrinsic.

Moti Yung,Yunlei Zhao

2005-01-01

Abstract:We present constant-round concurrently secure (sound) resettable zero-knowledge (rZK-CS) arguments in the bare public-key (BPK) model. Our constructions deal with general NP ZK-arguments as well as with highly efficient ZK-arguments for number-theoretic languages, most relevant to identification scenarios. These are the first constant-round protocols of this type in the original real BPK model, where nothing is assured about public-keys generated by malicious verifiers. As part of this work, we develop a one-round trapdoor commitment scheme that is based on any one-way permutation, which is of independent interest and, in particular, can be used to reduce the round-complexity of other cryptographic protocols involving trapdoor commitments.

Ning Ding,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.6138/jit.2011.12.4.09

2011-01-01

Abstract:Precise concurrent zero-knowledge is a new notion introduced by Pandey et al. in Eurocrypt'08, which captures the idea that the view of any verifier in concurrent interaction can be reconstructed in almost the same time. They also constructed some (private-coin) concurrent zero-knowledge argument systems for NP which achieve precision in different levels and all these protocols use at least.(log n) rounds. In this paper we investigate the feasibility of reducing the round complexity and still keeping precision simultaneously. Our main result is that we construct a public-coin precise bounded-concurrent zero-knowledge argument system for NP only using almost constant rounds, i.e., omega(1) rounds. Bounded-concurrency means an a-priori bound on the (polynomial) number of concurrent sessions is specified before the protocol is constructed. Our result doesn't need any setup assumption.

Yunlei Zhao

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:In this work, we investigate concurrent knowledge-extraction (CKE) and concurrent non-malleability (CNM) for concurrent (and stronger, resettable) ZK protocols in the bare public-key model. We formulate, driven by concrete attacks, and achieve CKE for constant-round concurrent/resettable arguments in the BPK model under standard polynomial assumptions. We get both generic and practical implementations. Here, CKE is a new concurrent verifier security that is strictly stronger than concurrent soundness in public-key model. We investigate, driven by concrete attacks, and clarify the subtleties in formulating CNM in the public-key model. We then give a new (augmented) CNM formulation in the public-key model and a construction of CNMZK in the public-key model satisfying the new CNM formulation.

Ning Ding

DOI: https://doi.org/10.1007/978-3-319-13257-0_8

2014-01-01

Abstract:This paper addresses the issues of constructing zero- knowledge arguments of knowledge (ZKAOK) with properties such as a small number of rounds, public-coin and strict-polynomial-time simulation and extraction, and shows the existence of the following systems for NP for the first time under some assumptions.

Hongda Li,Yang Liu,Qihua Niu

DOI: https://doi.org/10.1007/978-3-642-34883-9_16

2012-01-01

Abstract:This paper deals with how to construct a constant-round bounded-concurrent zero-knowledge argument of knowledge with black-box extractors for any NP language under standard complexity assumptions. It is accepted that both constant-round zero-knowledge arguments of knowledge and constant-round bound-concurrent zero-knowledge arguments exist for all NP. But the existence of constant-round bounded-concurrent zero-knowledge arguments of knowledge (with black-box extractors) for NP is still an unsolved question. In this paper, we give a positive answer to this question by constructing a constant-round bounded-concurrent zero-knowledge argument of knowledge with a black-box extractor for any NP under certain standard complexity assumptions.

Yl Zhao,Xt Deng,Ch Lee,H Zhu

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:A new public-key model for resettable zero-knowledge (rZK) protocols, which is an extension and generalization of the upper-bounded public-key (UPK) model introduced by Micali and Reyzin [EuroCrypt'01, pp. 373-393], is introduced and is named weak public-key (WPK) model. The motivations and applications of the WPK model are justified in the distributed smart-card/server setting and it seems more preferable in practice, especially in E-commerce over Internet. In this WPK model a 3-round (optimal) black-box resettable zero-knowledge argument with concurrent soundness for NP is presented assuming the security of RSA with large exponents against subexponential-time adversaries. Our result improves Micali and Reyzin's result of resettable zero-knowledge argument with concurrent soundness for NP in the UPK model. Note that although Micali and Reyzin' protocol satisfies concurrent soundness in the UPK model, but it does not satisfy even sequential soundness in our WPK model.Our protocol works in a somewhat "parallel repetition" manner to reduce the error probability and the black-box zero-knowledge simulator works in strict polynomial time rather than expected polynomial time. The critical tools used are: verifiable random functions introduced by Micali, Rabin and Vadhan [FOCS'99, pp. 120-130], zap presented by Dwork and Naor [FOCS'00, pp. 283-293] and complexity leveraging introduced by Canetti, Goldreich, Goldwasser and Micali [STOC'00, pp. 235-244].

Andrew C. Yao,Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/s00145-014-9191-z

2014-01-01

Journal of Cryptology

Abstract:Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a computational complexity sense and enabling one to argue about the internal state of a party in a protocol without probing its internal secret state. However, when transactions are concurrent (e.g., over the Internet) with players possessing public-keys (as is common in cryptography), assuring that entities "know" what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. Here, we investigate how to formally treat knowledge possession by parties (with registered public-keys) interacting over the Internet. Stated more technically, we look into the relative power of the notion of "concurrent knowledge-extraction" (CKE) in the concurrent zero-knowledge (CZK) bare public-key (BPK) model where statements being proven can be dynamically and adaptively chosen by the prover.We show the potential vulnerability of man-in-the-middle (MIM) attacks turn out to be a real security threat to existing natural protocols running concurrently in the public-key model, which motivates us to introduce and formalize the notion of CKE, alone with clarifications of various subtleties. Then, both generic (based on standard polynomial assumptions), and efficient (employing complexity leveraging in a novel way) implementations for NP are presented for constant-round (in particular, round-optimal) concurrently knowledge-extractable concurrent zero-knowledge (CZK-CKE) arguments in the BPK model. The efficient implementation can be further practically instantiated for specific number-theoretic language.

Huang Guifang,Lin Dongdai

DOI: https://doi.org/10.23919/cje.2009.10138270

2009-01-01

Abstract:In asynchronous network communication, non-malleability is required to resist against man-in-the-middle attack. Based on the existence of one-way permutation, we propose two unbounded non-malleable Non-interactive zero knowledge (NIZK) protocols. Firstly, by using NIZK argument of knowledge instead of Omega-protocol as a building block, we transform 5-rounds concurrent non-malleable zero knowledge argument in the Common reference string (CRS) model([15]) to non-malleable NIZK argument. The transformation achieves optimal round efficiency in the same model. Secondly, we simplify the second scheme in CRYPO'01([8]) by using the technique hidden unduplicatable set selection. In the simplified scheme, the CRS is much shorter and statements to be proved in the two NIZK sub-protocols are simplified.

Yi Deng,Dengguo Feng,Vipul Goyal,Dongdai Lin,Amit Sahai,Moti Yung

DOI: https://doi.org/10.1007/978-3-642-25385-0_21

2011-01-01

Abstract:A fundamental question in cryptography deals with understanding the role that randomness plays in cryptographic protocols and to what extent it is necessary. One particular line of works was initiated by Canetti, Goldreich, Goldwasser, and Micali (STOC 2000) who introduced the notion of resettable zero-knowledge, where the protocol must be zero-knowledge even if a cheating verifier can reset the prover and have several interactions in which the prover uses the same random tape. Soon afterwards, Barak, Goldreich, Goldwasser, and Lindell (FOCS 2001) studied the setting where the verifier uses a fixed random tape in multiple interactions. Subsequent to these works, a number of papers studied the notion of resettable protocols in the setting where only one of the participating parties uses a fixed random tape multiple times. The notion of resettable security has been studied in two main models: the plain model and the bare public key model (also introduced in the above paper by Canetti et. al.). In a recent work, Deng, Goyal and Sahai (FOCS 2009) gave the first construction of a simultaneous resettable zero-knowledge protocol where both participants of the protocol can reuse a fixed random tape in any (polynomial) number of executions. Their construction however required O(nε) rounds of interaction between the prover and the verifier. Both in the plain as well as the BPK model, this construction remain the only known simultaneous resettable zero-knowledge protocols. In this work, we study the question of round complexity of simultaneous resettable zero-knowledge in the BPK model. We present a constant round protocol in such a setting based on standard cryptographic assumptions. Our techniques are significantly different from the ones used by Deng, Goyal and Sahai.

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/11681878_2

2006-01-01

Abstract:We investigate the design and proofs of zero-knowledge (ZK) interactive systems under what we call the “restricted random oracle model” which restrains the usage of the oracle in the protocol design to that of collapsing protocol rounds a la Fiat-Shamir heuristics, and limits the oracle programmability in the security proofs. We analyze subtleties resulting from the involvement of random oracles in the interactive setting and derive our methodology. Then we investigate the Feige-Shamir 4-round ZK argument for $\mathcal{NP}$ in this model: First we show that a 2-round protocol is possible for a very interesting set of languages; we then show that while the original protocol is not concurrently secure in the public-key model, a modified protocol in our model is, in fact, concurrently secure in the bare public-key model. We point at applications and implications of this fact. Of possible independent interest is a concurrent attack against the Feige-Shamir ZK in the public-key model (for which it was not originally designed).

Ning Ding,Dawu Gu

DOI: https://doi.org/10.1007/978-3-642-34129-8_16

2012-01-01

Abstract:Precise zero-knowledge, introduced by Micali and Pass [STOC'06], captures the idea that a view of any verifier can be indifferently reconstructed. Though there are some constructions of precise zero-knowledge, constant-round constructions are unknown to exist. This paper is towards constant-round constructions of precise zero-knowledge. The results of this paper are as follows. · We propose a relaxation of precise zero-knowledge that captures the idea that with a probability arbitrarily polynomially close to 1 a view of any verifier can be indifferently reconstructed, i.e., there exists a simulator (without having q(n),p(n,t) as input) such that for any polynomial q(n), there is a polynomial p(n,t) satisfying with probability at least $1-\frac{1}{q(n)}$, the view of any verifier in every interaction can be reconstructed in p(n,T) time by the simulator whenever the verifier's running-time on this view is T. Then we show the impossibility of constructing constant-round protocols satisfying our relaxed definition with all the known techniques. We present a constant-round precise zero-knowledge argument for any language in NP with respect to our definition, assuming the existence of collision-resistant hash function families (against all nO(loglogn)-size circuits).

Zongyang Zhang,Zhenfu Cao,Haojin Zhu

DOI: https://doi.org/10.1016/j.ins.2013.07.037

IF: 8.1

2013-01-01

Information Sciences

Abstract:Secure two-party computation allows two parties with private inputs to securely compute some function of their inputs, even in the presence of a malicious adversary. In this work, we revisit zero-knowledge proofs and focus on adaptive adversaries, which could corrupt an arbitrary number of parties and adaptively determine who and when to corrupt during the computation phase. Previous constructions could realize adaptive zero-knowledge proofs for all languages in NP (Lindell and Zarosim TCC'09) at the cost of a high round-complexity, i.e., super-constant number of rounds. In this work, assuming the existence of constant-round statistically hiding commitment schemes, we build efficient adaptive zero-knowledge proofs for all languages in NP, which only require constant number of communication rounds. The system is also a proof of knowledge. The construction relies on an adaptive instance-dependent commitment scheme, and the proof of security requires only the use of black-box techniques and is presented according to the real/ideal simulation paradigm.

Nai-Hui Chia,Kai-Min Chung,Xiao Liang,Jiahui Liu

2024-09-10

Abstract:Zero-Knowledge (ZK) protocols have been intensely studied due to their fundamental importance and versatility. However, quantum information's inherent differences significantly alter the landscape, necessitating a re-examination of ZK designs. A crucial aspect is round complexity, linked to $\textit{simulation}$, which forms the foundation of ZK definition and security proofs. In the $\textit{post-quantum}$ setting, where honest parties and channels are classical but adversaries quantum, Chia et al. [FOCS'21] showed constant-round $\textit{black-box-simulatable}$ ZK arguments (BBZK) for $\mathbf{NP}$ are impossible unless $\mathbf{NP} \subseteq \mathbf{BQP}$. But this problem remains open when all parties and communication are quantum. Indeed, this problem interests the broader theory of quantum computing. Investigating how quantum power alters tasks like the $\textit{unconditional}$ security of QKD and incorporating OT in MiniQCrypt has been crucial. Moreover, quantum communication has enabled round compression for commitments and interactive arguments. Along this line, understanding if quantum computing could fundamentally change ZK protocols is vital. We resolved this problem by proving that only languages in $\mathbf{BQP}$ admit constant-round $\textit{fully-quantum}$ BBZK. This result holds significant implications. Firstly, it illuminates the nature of quantum zero-knowledge and provides valuable insights for designing future protocols in the quantum realm. Secondly, it relates ZK round complexity with the intriguing problem of $\mathbf{BQP}$ vs $\mathbf{QMA}$, which is out of the reach of previous analogue impossibility results in the classical or post-quantum setting. Lastly, it justifies the need for the $\textit{non-black-box}$ simulation techniques or the relaxed security notions employed in existing constant-round fully-quantum BBZK protocols.

Quantum Physics,Cryptography and Security

Wei Puwen,Zhang Guoyan,Zhang Lijiang,Wang Xiaoyun

DOI: https://doi.org/10.1016/s1007-0214(09)70038-0

2009-01-01

Abstract:This paper shows that the protocol presented by Goyal et al.can be further simplified for a one-way function,with the simplified protocol being more practical for the decisional Diffie-Hellman assumption.Goyal et al.provided a general transformation from any honest verifier statistical zero-knowledge argument to a concurrent statistical zero-knowledge argument.Their transformation relies only on the existence of one-way functions.For the simplified transformation,the witness indistinguishable proof of knowledge protocols in"parallel"not only plays the role of preamble but also removes some computational zero-knowledge proofs, which Goyal et al.used to prove the existence of the valid openings to the commitments.Therefore,although some computational zero-knowledge proofs are replaced with a weaker notion,the witness indistinguishable protocol,the proof of soundness can still go through.