Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Yunlei Zhao,Robert Deng,Binyu Zang,Yiming Zhao

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general NP languages with going through general NP-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named ∑-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from ∑-protocols to practical (real) ZK arguments without general NP-reductions under either the DLP or RSA assumptions. © Springer-Verlag Berlin Heidelberg 2005.

Sven Laur,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-319-13257-0_9

2014-01-01

Abstract:Crypto-computing is a set of well-known techniques for computing with encrypted data. The security of the corresponding protocols are usually proven in the semi-honest model. In this work, we propose a new class of zero-knowledge proofs, which are tailored for cryptocomputing protocols. First, these proofs directly employ properties of the underlying crypto systems and thus many facts have more concise proofs compared to generic solutions. Second, we show how to achieve universal composability in the trusted set-up model where all zero-knowledge proofs share the same system-wide parameters. Third, we derive a new protocol for multiplicative relations and show how to combine it with several crypto-computing frameworks.

Ning Ding,Dawu Gu

DOI: https://doi.org/10.1007/978-3-642-34129-8_16

2012-01-01

Abstract:Precise zero-knowledge, introduced by Micali and Pass [STOC'06], captures the idea that a view of any verifier can be indifferently reconstructed. Though there are some constructions of precise zero-knowledge, constant-round constructions are unknown to exist. This paper is towards constant-round constructions of precise zero-knowledge. The results of this paper are as follows. · We propose a relaxation of precise zero-knowledge that captures the idea that with a probability arbitrarily polynomially close to 1 a view of any verifier can be indifferently reconstructed, i.e., there exists a simulator (without having q(n),p(n,t) as input) such that for any polynomial q(n), there is a polynomial p(n,t) satisfying with probability at least $1-\frac{1}{q(n)}$, the view of any verifier in every interaction can be reconstructed in p(n,T) time by the simulator whenever the verifier's running-time on this view is T. Then we show the impossibility of constructing constant-round protocols satisfying our relaxed definition with all the known techniques. We present a constant-round precise zero-knowledge argument for any language in NP with respect to our definition, assuming the existence of collision-resistant hash function families (against all nO(loglogn)-size circuits).

HanWu Liu,DongDai Lin

DOI: https://doi.org/10.1007/s11432-010-0082-0

2010-01-01

Science China Information Sciences

Abstract:Since the concept of zero-knowledge protocols was introduced, it has attracted a lot of attention and in turn showed significant effect on the development of cryptography, complexity theory and other areas. The round complexity of a zero-knowledge protocol is a very important efficiency consideration, and it is required to be as small as possible. Generally, it is desirable to have zero-knowledge protocols with constant numbers of rounds. Goldreich and Oren proved that only languages in BPP have one-round and two-round zero-knowledge protocols. Moreover, they also showed that only languages in BPP have one-round honest-verifier zero-knowledge protocols. The notion of honest-verifier zero-knowledge protocols is highly non-trivial and fascinating itself, and has many other uses. Thus, the problem as to whether there exist two-round honest-verifier zero-knowledge protocols becomes an important open problem. In this paper, we introduce a new simulation technique and present a two-round honest-verifier zero-knowledge protocol for any language in NP under a standard complexity assumption based on this technique.

Yunlei Zhao,Robert H. Deng,Binyu Zang,Yiming Zhao

DOI: https://doi.org/10.1007/11600930_28

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general \(\mathcal{NP}\) languages with going through general \(\mathcal{NP}\)-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named Σ-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from Σ-protocols to practical (real) ZK arguments without general \(\mathcal{NP}\)-reductions under either the DLP or RSA assumptions.

Yl Zhao,Xt Deng,Ch Lee,H Zhu

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:A new public-key model for resettable zero-knowledge (rZK) protocols, which is an extension and generalization of the upper-bounded public-key (UPK) model introduced by Micali and Reyzin [EuroCrypt'01, pp. 373-393], is introduced and is named weak public-key (WPK) model. The motivations and applications of the WPK model are justified in the distributed smart-card/server setting and it seems more preferable in practice, especially in E-commerce over Internet. In this WPK model a 3-round (optimal) black-box resettable zero-knowledge argument with concurrent soundness for NP is presented assuming the security of RSA with large exponents against subexponential-time adversaries. Our result improves Micali and Reyzin's result of resettable zero-knowledge argument with concurrent soundness for NP in the UPK model. Note that although Micali and Reyzin' protocol satisfies concurrent soundness in the UPK model, but it does not satisfy even sequential soundness in our WPK model.Our protocol works in a somewhat "parallel repetition" manner to reduce the error probability and the black-box zero-knowledge simulator works in strict polynomial time rather than expected polynomial time. The critical tools used are: verifiable random functions introduced by Micali, Rabin and Vadhan [FOCS'99, pp. 120-130], zap presented by Dwork and Naor [FOCS'00, pp. 283-293] and complexity leveraging introduced by Canetti, Goldreich, Goldwasser and Micali [STOC'00, pp. 235-244].

Pouriya Alikhani,Nicolas Brunner,Claude Crépeau,Sébastien Designolle,Raphaël Houlmann,Weixu Shi,Nan Yang,Hugo Zbinden

DOI: https://doi.org/10.1038/s41586-021-03998-y

2022-02-16

Abstract:Protecting secrets is a key challenge in our contemporary information-based era. In common situations, however, revealing secrets appears unavoidable, for instance, when identifying oneself in a bank to retrieve money. In turn, this may have highly undesirable consequences in the unlikely, yet not unrealistic, case where the bank's security gets compromised. This naturally raises the question of whether disclosing secrets is fundamentally necessary for identifying oneself, or more generally for proving a statement to be correct. Developments in computer science provide an elegant solution via the concept of zero-knowledge proofs: a prover can convince a verifier of the validity of a certain statement without facilitating the elaboration of a proof at all. In this work, we report the experimental realisation of such a zero-knowledge protocol involving two separated verifier-prover pairs. Security is enforced via the physical principle of special relativity, and no computational assumption (such as the existence of one-way functions) is required. Our implementation exclusively relies on off-the-shelf equipment and works at both short (60 m) and long distances ($\geqslant$400 m) in about one second. This demonstrates the practical potential of multi-prover zero-knowledge protocols, promising for identification tasks and blockchain applications such as cryptocurrencies or smart contracts.

Cryptography and Security,Quantum Physics

Cheng-Long Li,Kai-Yi Zhang,Xingjian Zhang,Kui-Xing Yang,Yu Han,Su-Yi Cheng,Hongrui Cui,Wen-Zhao Liu,Yang Liu,Bing Bai,Hai-Hao Dong,Jun Zhang,Xiongfeng Ma,Yu Yu,Jingyun Fan,Qiang Zhang,Jian-Wei Pan

DOI: https://doi.org/10.1073/pnas.2205463120

2023-01-01

Abstract:Zero-knowledge proof (ZKP) is a fundamental cryptographic primitive that allows a prover to convince a verifier of the validity of a statement without leaking any further information. As an efficient variant of ZKP, noninteractive zero-knowledge proof (NIZKP) adopting the Fiat-Shamir heuristic is essential to a wide spectrum of applications, such as federated learning, blockchain, and social networks. However, the heuristic is typically built upon the random oracle model that makes ideal assumptions about hash functions, which does not hold in reality and thus undermines the security of the protocol. Here, we present a quantum solution to the problem. Instead of resorting to a random oracle model, we implement a quantum randomness service. This service generates random numbers certified by the loophole-free Bell test and delivers them with postquantum cryptography (PQC) authentication. By employing this service, we conceive and implement NIZKP of the three-coloring problem. By bridging together three prominent research themes, quantum nonlocality, PQC, and ZKP, we anticipate this work to inspire more innovative applications that combine quantum information science and the cryptography field.

Ning Ding,Dawu Gu

DOI: https://doi.org/10.1007/978-3-642-24316-5_4

2011-01-01

Abstract:Traditionally, the definition of zero-knowledge states that an interactive proof of x ∈ L provides zero (additional) knowledge if the view of any polynomial-time verifier can be reconstructed by a polynomialtime simulator. Since this definition only requires that the worst-case running-time of the verifier and simulator are polynomials, zeroknowledge becomes a worst-case notion. In STOC'06, Micali and Pass proposed a new notion of precise zeroknowledge, which captures the idea that the view of any verifier in every interaction can be reconstructed in (almost) the same time (i.e., the view can be "indistinguishably reconstructed"). This is the strongest notion among the known works towards precislization of the definition of zeroknowledge. However, as we know, there are two kinds of resources (i.e. time and space) each algorithm consumes in computation. Although the view of a verifier in the interaction of a precise zero-knowledge protocol can be reconstructed in almost the same time, the simulator may run in very large space while at the same time the verifier only runs in very small space. In this case it is still doubtful to take indifference for the verifier to take part in the interaction or to run the simulator. Thus the notion of precise zero-knowledge may be still insufficient. This shows that precislization of the definition of zero-knowledge needs further investigation. In this paper, we propose a new notion of precise time and space simulatable zero-knowledge (PTSSZK), which captures the idea that the view of any verifier in each interaction can be reconstructed not only in the same time, but also in the same space. We construct the first PTSSZK proofs and arguments with simultaneous linear time and linear space precisions for all languages in NP. Our protocols do not use noticeably more rounds than the known precise zero-knowledge protocols.

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/11681878_2

2006-01-01

Abstract:We investigate the design and proofs of zero-knowledge (ZK) interactive systems under what we call the “restricted random oracle model” which restrains the usage of the oracle in the protocol design to that of collapsing protocol rounds a la Fiat-Shamir heuristics, and limits the oracle programmability in the security proofs. We analyze subtleties resulting from the involvement of random oracles in the interactive setting and derive our methodology. Then we investigate the Feige-Shamir 4-round ZK argument for $\mathcal{NP}$ in this model: First we show that a 2-round protocol is possible for a very interesting set of languages; we then show that while the original protocol is not concurrently secure in the public-key model, a modified protocol in our model is, in fact, concurrently secure in the bare public-key model. We point at applications and implications of this fact. Of possible independent interest is a concurrent attack against the Feige-Shamir ZK in the public-key model (for which it was not originally designed).

Kaiyan Shi,Kaushik Chakraborty,Wen Yu Kon,Omar Amer,Marco Pistoia,Charles Lim

2024-09-05

Abstract:We initiate the study of relativistic zero-knowledge quantum proof of knowledge systems with classical communication, formally defining a number of useful concepts and constructing appropriate knowledge extractors for all the existing protocols in the relativistic setting which satisfy a weaker variant of the special soundness property due to Unruh (EUROCRYPT 2012). We show that there exists quantum proofs of knowledge with knowledge error 1/2 + negl({\eta}) for all relations in NP via a construction of such a system for the Hamiltonian cycle relation using a general relativistic commitment scheme exhibiting the fairly-binding property due to Fehr and Fillinger (EUROCRYPT 2016). We further show that one can construct quantum proof of knowledge extractors for proof systems which do not exhibit special soundness, and therefore require an extractor to rewind multiple times. We develop a new multi-prover quantum rewinding technique by combining ideas from monogamy of entanglement and gentle measurement lemmas that can break the quantum rewinding barrier. Finally, we prove a new bound on the impact of consecutive measurements and use it to significantly improve the soundness bound of some existing relativistic zero knowledge proof systems, such as the one due to Chailloux and Leverrier (EUROCRYPT 2017).

Quantum Physics,Cryptography and Security

DENG Yi,LIN Dong-Dai

DOI: https://doi.org/10.3724/sp.j.1001.2008.00468

2008-01-01

Journal of Software

Abstract:This paper shows how to efficiently transform any 3-round public-coin honest verifier zero knowledge argument system for any language in NP into a 4 round (round-optimal) concurrent zero knowledge argument for the same language in the bare public-key model. The transformation has the following properties: 1) incurs only O(1) (small constant, about 20) additional modular exponentiations. Compared to the concurrent zero knowledge protocol proposed by Di Crescenzo and Visconti in ICALP 2005, in which their transformation requires an overhead of Θ(n), the protocol is significantly more efficient under the same intractability assumptions; 2) yields a perfect zero knowledge argument under DL assumption. Note that the Di Crescenzo, et al.’s argument system enjoys only computational zero knowledge property. The transformation relies on a specific 3-round honest verifier zero knowledge proof of knowledge for committed discrete log. Such protocols that require only O(1) modular exponentiations based on different kinds of commitment scheme are developed and they may be of independent interest.

Wei Puwen,Zhang Guoyan,Zhang Lijiang,Wang Xiaoyun

DOI: https://doi.org/10.1016/s1007-0214(09)70038-0

2009-01-01

Abstract:This paper shows that the protocol presented by Goyal et al.can be further simplified for a one-way function,with the simplified protocol being more practical for the decisional Diffie-Hellman assumption.Goyal et al.provided a general transformation from any honest verifier statistical zero-knowledge argument to a concurrent statistical zero-knowledge argument.Their transformation relies only on the existence of one-way functions.For the simplified transformation,the witness indistinguishable proof of knowledge protocols in"parallel"not only plays the role of preamble but also removes some computational zero-knowledge proofs, which Goyal et al.used to prove the existence of the valid openings to the commitments.Therefore,although some computational zero-knowledge proofs are replaced with a weaker notion,the witness indistinguishable protocol,the proof of soundness can still go through.

Nai-Hui Chia,Kai-Min Chung,Takashi Yamakawa

2023-10-30

Abstract:In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation. In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called $\epsilon$-zero-knowledge. Concretely, we construct the following protocols: - We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box $\epsilon$-zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of $\epsilon$-zero-knowledge property against quantum adversaries requires novel ideas. - We construct a constant round interactive argument for NP that satisfies computational soundness and black-box $\epsilon$-zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions. At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier's internal state in an appropriate sense.

Quantum Physics,Cryptography and Security

Ning Ding,Dawu Gu

2007-01-01

Abstract:We present a stronger notion of zero-knowledge: precise concurrent zero-knowledge. Our notion captures the idea that the view of any verifier in concurrent interaction can be reconstructed in the almost same time (within a constant/polynomial factor). Precise zero-knowledge in stand-alone setting was introduced by Micali and Pass in STOC’06 (The original work used the term ”local zero-knowledge”.). Their notion shows that the view of any verifier can be reconstructed in the almost same time in stand-alone setting. Hence our notion is the generalization of their notion in concurrent setting. Furthermore, we propose a ω(log n)-round concurrent zero-knowledge argument for NP with linear precision, which shows that the view of any verifier in concurrent interaction can be reconstructed by the simulator with linear-time overhead. Our argument is Feige-Lapidot-Shamir type which consists of a proof-preamble and a proof-body for a modified NP statement. Our result assumes the restriction of adversarial scheduling the communication that the concurrent interaction of preambles of all sessions will be scheduled before any proof-body by the adversarial verifier.

Zongyang Zhang,Zhenfu Cao,Haojin Zhu

DOI: https://doi.org/10.1016/j.ins.2013.07.037

IF: 8.1

2013-01-01

Information Sciences

Abstract:Secure two-party computation allows two parties with private inputs to securely compute some function of their inputs, even in the presence of a malicious adversary. In this work, we revisit zero-knowledge proofs and focus on adaptive adversaries, which could corrupt an arbitrary number of parties and adaptively determine who and when to corrupt during the computation phase. Previous constructions could realize adaptive zero-knowledge proofs for all languages in NP (Lindell and Zarosim TCC'09) at the cost of a high round-complexity, i.e., super-constant number of rounds. In this work, assuming the existence of constant-round statistically hiding commitment schemes, we build efficient adaptive zero-knowledge proofs for all languages in NP, which only require constant number of communication rounds. The system is also a proof of knowledge. The construction relies on an adaptive instance-dependent commitment scheme, and the proof of security requires only the use of black-box techniques and is presented according to the real/ideal simulation paradigm.

Ning Ding,Dawu Gu

DOI: https://doi.org/10.1109/cis.workshops.2007.186

2007-01-01

Abstract:We present a stronger notion of precise bounded-concurrent zero-knowledge. Our notion captures the idea that view of any verifier in a bounded-concurrent interaction can be reconstructed in the almost same time. Precise zero-knowledge in stand-alone setting was introduced by Micali and Pass in STOC'06 and they constructed some precise stand-alone zero-knowledge protocols for NP using at least omega(1) rounds. Via providing a precise simulator for the known O(1)-round bounded-concurrent non-black-box zero-knowledge argument, we show the existence of O(1)- round bounded-concurrent zero-knowledge arguments with polynomial precision for NP. Our result assumes that the ratio of running-time of any adversarial verifier on any two different views in bounded-concurrent execution of the protocol is bounded by na, where a is any predeterminate constant. Such verifiers are called restricted verifiers.

Ning Ding

DOI: https://doi.org/10.1007/978-3-319-13257-0_8

2014-01-01

Abstract:This paper addresses the issues of constructing zero- knowledge arguments of knowledge (ZKAOK) with properties such as a small number of rounds, public-coin and strict-polynomial-time simulation and extraction, and shows the existence of the following systems for NP for the first time under some assumptions.

Ning Ding,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.6138/jit.2011.12.4.09

2011-01-01

Abstract:Precise concurrent zero-knowledge is a new notion introduced by Pandey et al. in Eurocrypt'08, which captures the idea that the view of any verifier in concurrent interaction can be reconstructed in almost the same time. They also constructed some (private-coin) concurrent zero-knowledge argument systems for NP which achieve precision in different levels and all these protocols use at least.(log n) rounds. In this paper we investigate the feasibility of reducing the round complexity and still keeping precision simultaneously. Our main result is that we construct a public-coin precise bounded-concurrent zero-knowledge argument system for NP only using almost constant rounds, i.e., omega(1) rounds. Bounded-concurrency means an a-priori bound on the (polynomial) number of concurrent sessions is specified before the protocol is constructed. Our result doesn't need any setup assumption.