Moti Yung,Yunlei Zhao

2006-01-01

Abstract:We present constant-round concurrently knowledge-extractable black-box resettable zero-knowledge (rZK-CKE) arguments forNP in the bare public-key (BPK) model. We give minimal (sub-exponential) hardness assumption based protocols as well as round-optimal protocols (still under general hardness assumptions). To our knowledge, our protocols are the first ZK protocols that provably provide both resettable/concurrent prover security and concurrent verifier security in public-key models. Here, the notion of concurrent knowledge-extractability roughly means that no malicious polynomial-time prover can convince an honest verifier of any (whether false or true) statement without “knowing” a corresponding NP-witness even by concurrently interleaving interactions in public-key models when verifiers register public-keys. We show that concurrent knowledge-extractability is strictly stronger than “concurrent soundness” (under any sub-exponentially strong one-way permutation) for concurrently proving NP statements to honest verifiers with public-keys. In particular, we show that previous concurrent zero-knowledge protocols in the BPK model that achieved concurrent soundness security and are also traditional arguments of knowledge actually fail to satisfy this stronger security notion (this is demonstrated by concrete attacks). Our work deepens the understanding of the subtleties of concurrent verifier security in public-key settings, and may serve as building blocks in designing other round-efficient concurrently secure protocols in public-key models that use, in particular, argument of knowledge (AOK) protocols as building blocks. RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu Software School, School of Information Science and Engineering, Fudan University, Shanghai 200433, China.

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-540-72540-4_8

2007-01-01

Abstract:We present a generic construction for constant-round concurrently sound resettable zero-knowledge (rZK-CS) arguments for NP in the bare public-key (BPK) model under any (sub-exponentially strong) one-way function (OWF), which is a traditional assumption in this area. The generic construction in turn allows round-optimal implementation for NP still under general assumptions, and can be converted into a highly practical instantiation (under specific number-theoretic assumptions) for any language admitting Sigma-protocols. Further, the rZK-CS arguments developed in this work also satisfy a weak (black-box) concurrent knowledge-extract ability property as proofs of knowledge, in which case some super-polynomial-time assumption is intrinsic.

Moti Yung,Yunlei Zhao

2005-01-01

Abstract:We present constant-round concurrently secure (sound) resettable zero-knowledge (rZK-CS) arguments in the bare public-key (BPK) model. Our constructions deal with general NP ZK-arguments as well as with highly efficient ZK-arguments for number-theoretic languages, most relevant to identification scenarios. These are the first constant-round protocols of this type in the original real BPK model, where nothing is assured about public-keys generated by malicious verifiers. As part of this work, we develop a one-round trapdoor commitment scheme that is based on any one-way permutation, which is of independent interest and, in particular, can be used to reduce the round-complexity of other cryptographic protocols involving trapdoor commitments.

Yunlei Zhao

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:In this work, we investigate concurrent knowledge-extraction (CKE) and concurrent non-malleability (CNM) for concurrent (and stronger, resettable) ZK protocols in the bare public-key model. We formulate, driven by concrete attacks, and achieve CKE for constant-round concurrent/resettable arguments in the BPK model under standard polynomial assumptions. We get both generic and practical implementations. Here, CKE is a new concurrent verifier security that is strictly stronger than concurrent soundness in public-key model. We investigate, driven by concrete attacks, and clarify the subtleties in formulating CNM in the public-key model. We then give a new (augmented) CNM formulation in the public-key model and a construction of CNMZK in the public-key model satisfying the new CNM formulation.

Yunlei Zhao,Robert Deng,Binyu Zang,Yiming Zhao

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general NP languages with going through general NP-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named ∑-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from ∑-protocols to practical (real) ZK arguments without general NP-reductions under either the DLP or RSA assumptions. © Springer-Verlag Berlin Heidelberg 2005.

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/11681878_2

2006-01-01

Abstract:We investigate the design and proofs of zero-knowledge (ZK) interactive systems under what we call the “restricted random oracle model” which restrains the usage of the oracle in the protocol design to that of collapsing protocol rounds a la Fiat-Shamir heuristics, and limits the oracle programmability in the security proofs. We analyze subtleties resulting from the involvement of random oracles in the interactive setting and derive our methodology. Then we investigate the Feige-Shamir 4-round ZK argument for $\mathcal{NP}$ in this model: First we show that a 2-round protocol is possible for a very interesting set of languages; we then show that while the original protocol is not concurrently secure in the public-key model, a modified protocol in our model is, in fact, concurrently secure in the bare public-key model. We point at applications and implications of this fact. Of possible independent interest is a concurrent attack against the Feige-Shamir ZK in the public-key model (for which it was not originally designed).

Yunlei Zhao,Robert H. Deng,Binyu Zang,Yiming Zhao

DOI: https://doi.org/10.1007/11600930_28

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general \(\mathcal{NP}\) languages with going through general \(\mathcal{NP}\)-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named Σ-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from Σ-protocols to practical (real) ZK arguments without general \(\mathcal{NP}\)-reductions under either the DLP or RSA assumptions.

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Shirley H. C. Cheung,Xiaotie Deng,Chan H. Lee,Yunlei Zhao

DOI: https://doi.org/10.1007/3-540-36413-7_23

2002-01-01

Abstract:A new notion of soundness in bare public-key (BPK) model is presented. This new notion just lies in between one-time soundness and sequential soundness and its reasonableness is justified in the context of resettable zero-knowledge when resettable zero-knowledge prover is implemented by smart card.

Xiaotie Deng,C. H. Lee,Yunlei Zhao,Hong Zhu

DOI: https://doi.org/10.1007/3-540-36413-7_22

2002-01-01

Abstract:In this paper we re-examine the nature of zero-knowledge. We show evidences that the classic simulation based definitions of zero-knowledge (simulation zero-knowledge) may be somewhat too strong to include some "nice" protocols in which the malicious verifier seems to learn nothing but we do not know how to construct a zero-knowledge simulator for it. We overcome this problem by introducing reduction zero-knowledge. We show that reduction zero-knowledge lies between simulation zero-knowledge and witness indistinguishability. That is, any simulation zero-knowledge protocol is also reduction zero-knowledge and reduction zero-knowledge implies witness indistinguishability but the opposite direction is not guaranteed to be true. There are two major contributions of reduction zero-knowledge. One is that it introduces reduction between different protocols and extends the approaches to characterize the nature of zero-knowledge. Note that reduction is a widely used paradigm in the field of computer science. Another is that in contrast to normal simulation zero-knowledge reduction zero-knowledge can be made more efficient (especially for the verifier) and can be constructed under weaker assumption while losing little security than a corresponding simulation zero-knowledge protocol. In this paper a 4-round public-coin reduction zero-knowledge proof system for NP is presented and in practice this protocol works in 3 rounds since the first verifier's message can be fixed once and for all.

SHC Cheung,XT Deng,CH Lee,YL Zhao

2003-01-01

Abstract:A new notion of soundness in bare public-key (BPK) model is presented. This new notion just lies in between one-time soundness and sequential soundness and its reasonableness is justified in the context of resettable zero-knowledge when resettable zero-knowledge prover is implemented by smart card.

Andrew C. Yao,Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/s00145-014-9191-z

2014-01-01

Journal of Cryptology

Abstract:Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a computational complexity sense and enabling one to argue about the internal state of a party in a protocol without probing its internal secret state. However, when transactions are concurrent (e.g., over the Internet) with players possessing public-keys (as is common in cryptography), assuring that entities "know" what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. Here, we investigate how to formally treat knowledge possession by parties (with registered public-keys) interacting over the Internet. Stated more technically, we look into the relative power of the notion of "concurrent knowledge-extraction" (CKE) in the concurrent zero-knowledge (CZK) bare public-key (BPK) model where statements being proven can be dynamically and adaptively chosen by the prover.We show the potential vulnerability of man-in-the-middle (MIM) attacks turn out to be a real security threat to existing natural protocols running concurrently in the public-key model, which motivates us to introduce and formalize the notion of CKE, alone with clarifications of various subtleties. Then, both generic (based on standard polynomial assumptions), and efficient (employing complexity leveraging in a novel way) implementations for NP are presented for constant-round (in particular, round-optimal) concurrently knowledge-extractable concurrent zero-knowledge (CZK-CKE) arguments in the BPK model. The efficient implementation can be further practically instantiated for specific number-theoretic language.

Nai-Hui Chia,Kai-Min Chung,Takashi Yamakawa

2023-10-30

Abstract:In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation. In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called $\epsilon$-zero-knowledge. Concretely, we construct the following protocols: - We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box $\epsilon$-zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of $\epsilon$-zero-knowledge property against quantum adversaries requires novel ideas. - We construct a constant round interactive argument for NP that satisfies computational soundness and black-box $\epsilon$-zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions. At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier's internal state in an appropriate sense.

Quantum Physics,Cryptography and Security

Yi Deng,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-540-72540-4_9

2007-01-01

Abstract:We introduce a notion of instance-dependent verifiable random functions (InstD-VRFs for short). Informally, an InstD-VRF is, in some sense, a verifiable random function [23] with a special public key, which is generated via a (possibly)interactive protocol and contains an instance y ∈ L ∩ {0,1}* for a specific NP language L, but the security requirements on such a function are relaxed: we only require the pseudorandomness property when y ∈ L and only require the uniqueness property when y ∉ L, instead of requiring both pseudorandomness and uniqueness to hold simultaneously. We show that this notion can be realized under standard assumption.Our motivation is the conjecture posed by Barak et al.[2], which states there exist resettably-sound resettable zero knowledge arguments for NP. The instance-dependent verifiable random functions is a powerful tool to tackle this problem. We first use them to obtain two interesting instance-dependent argument systems from the Barak’s public-coin bounded concurrent zero knowledge argument [1], and then, weConstruct the first (constant round) zero knowledge arguments for NP enjoying a certain simultaneous resettability under standard hardness assumptions in the plain model, which we call bounded-class resettable ZK arguments with weak resettable-soundness Though the malicious party (prover or verifier) in such system is limited to a kind of bounded resetting attack, We put NO restrictions on the number of the total resets made by malicious party.show that, under standard assumptions, if there exist public-coin concurrent zero knowledge arguments for NP, there exist the resettably-sound resetable zero knowledge arguments for NP.

Kieran Mastel,William Slofstra

2024-07-30

Abstract:The recent MIP*=RE theorem of Ji, Natarajan, Vidick, Wright, and Yuen shows that the complexity class MIP* of multiprover proof systems with entangled provers contains all recursively enumerable languages. Prior work of Grilo, Slofstra, and Yuen [FOCS '19] further shows (via a technique called simulatable codes) that every language in MIP* has a perfect zero knowledge (PZK) MIP* protocol. The MIP*=RE theorem uses two-prover one-round proof systems, and hence such systems are complete for MIP*. However, the construction in Grilo, Slofstra, and Yuen uses six provers, and there is no obvious way to get perfect zero knowledge with two provers via simulatable codes. This leads to a natural question: are there two-prover PZK-MIP* protocols for all of MIP*? In this paper, we show that every language in MIP* has a two-prover one-round PZK-MIP* protocol, answering the question in the affirmative. For the proof, we use a new method based on a key consequence of the MIP*=RE theorem, which is that every MIP* protocol can be turned into a family of boolean constraint system (BCS) nonlocal games. This makes it possible to work with MIP* protocols as boolean constraint systems, and in particular allows us to use a variant of a construction due to Dwork, Feige, Kilian, Naor, and Safra [Crypto '92] which gives a classical MIP protocol for 3SAT with perfect zero knowledge. To show quantum soundness of this classical construction, we develop a toolkit for analyzing quantum soundness of reductions between BCS games, which we expect to be useful more broadly. This toolkit also applies to commuting operator strategies, and our argument shows that every language with a commuting operator BCS protocol has a two prover PZK commuting operator protocol.

Quantum Physics,Computational Complexity

Kaiyan Shi,Kaushik Chakraborty,Wen Yu Kon,Omar Amer,Marco Pistoia,Charles Lim

2024-09-05

Abstract:We initiate the study of relativistic zero-knowledge quantum proof of knowledge systems with classical communication, formally defining a number of useful concepts and constructing appropriate knowledge extractors for all the existing protocols in the relativistic setting which satisfy a weaker variant of the special soundness property due to Unruh (EUROCRYPT 2012). We show that there exists quantum proofs of knowledge with knowledge error 1/2 + negl({\eta}) for all relations in NP via a construction of such a system for the Hamiltonian cycle relation using a general relativistic commitment scheme exhibiting the fairly-binding property due to Fehr and Fillinger (EUROCRYPT 2016). We further show that one can construct quantum proof of knowledge extractors for proof systems which do not exhibit special soundness, and therefore require an extractor to rewind multiple times. We develop a new multi-prover quantum rewinding technique by combining ideas from monogamy of entanglement and gentle measurement lemmas that can break the quantum rewinding barrier. Finally, we prove a new bound on the impact of consecutive measurements and use it to significantly improve the soundness bound of some existing relativistic zero knowledge proof systems, such as the one due to Chailloux and Leverrier (EUROCRYPT 2017).

Quantum Physics,Cryptography and Security

Cheng-Long Li,Kai-Yi Zhang,Xingjian Zhang,Kui-Xing Yang,Yu Han,Su-Yi Cheng,Hongrui Cui,Wen-Zhao Liu,Yang Liu,Bing Bai,Hai-Hao Dong,Jun Zhang,Xiongfeng Ma,Yu Yu,Jingyun Fan,Qiang Zhang,Jian-Wei Pan

DOI: https://doi.org/10.1073/pnas.2205463120

2023-01-01

Abstract:Zero-knowledge proof (ZKP) is a fundamental cryptographic primitive that allows a prover to convince a verifier of the validity of a statement without leaking any further information. As an efficient variant of ZKP, noninteractive zero-knowledge proof (NIZKP) adopting the Fiat-Shamir heuristic is essential to a wide spectrum of applications, such as federated learning, blockchain, and social networks. However, the heuristic is typically built upon the random oracle model that makes ideal assumptions about hash functions, which does not hold in reality and thus undermines the security of the protocol. Here, we present a quantum solution to the problem. Instead of resorting to a random oracle model, we implement a quantum randomness service. This service generates random numbers certified by the loophole-free Bell test and delivers them with postquantum cryptography (PQC) authentication. By employing this service, we conceive and implement NIZKP of the three-coloring problem. By bridging together three prominent research themes, quantum nonlocality, PQC, and ZKP, we anticipate this work to inspire more innovative applications that combine quantum information science and the cryptography field.

Foteini Baldimtsi,Aggelos Kiayias,Thomas Zacharias,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-662-53890-6_30

2016-01-01

Abstract:We introduce a new class of protocols called Proofs of Work or Knowledge PoWorKs. In a PoWorK, a prover can convince a verifier that she has either performed work or that she possesses knowledge of a witness to a public statement without the verifier being able to distinguish which of the two has taken place. We formalize PoWorK in terms of three properties, completeness, f-soundness and indistinguishability where f is a function that determines the tightness of the proof of work aspect and present a construction that transforms 3-move HVZK protocols into 3-move public-coin PoWorKs. To formalize the work aspect in a PoWorK﾿protocol we define cryptographic puzzles that adhere to certain uniformity conditions, which may also be of independent interest. We instantiate our puzzles in the random oracle RO model as well as via constructing \"dense\" versions of suitably hard one-way functions. We then showcase PoWorK﾿protocols by presenting a number of applications. We first show how non-interactive PoWorKs can be used to reduce spam email by forcing users sending an e-mail to either prove to the mail server they are approved contacts of the recipient or to perform computational work. As opposed to previous approaches that applied proofs of work to this problem, our proposal of using PoWorKs is privacy-preserving as it hides the list of the receiver's approved contacts from the mail server. Our second application, shows how PoWorK can be used to compose cryptocurrencies that are based on proofs of work \"Bitcoin-like\" with cryptocurrencies that are based on knowledge relations these include cryptocurrencies that are based on \"proof of stake\", and others. The resulting PoWorK-based cryptocurrency inherits the robustness properties of the underlying two systems while PoWorK-indistinguishability ensures a uniform population of miners. Finally, we show that PoWorK﾿protocols imply straight-line quasi-polynomial simulatable arguments of knowledge and based on our construction we obtain an efficient straight-line concurrent 3-move statistically quasi-polynomial simulatable argument of knowledge.

Dai Yiqi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.06.038

2012-01-01

Abstract:UC security is the framework in treating a stand-alone protocol and guaranteeing the secure composition.This means that a protocol may run concurrently with many other protocols,on arbitrary inputs and in adversarial controlled way,if it is UC security in the sense that it emulates an ideal functionality,it can be treated as a piece of that ideal functionality in overall system security analysis.In this paper,ZK under UC framework is studied,and the study proves that Blum protocol is closed under sequential composition in the Fwzk-hybrid model.

Claude Crépeau,John Stuart

2023-04-20

Abstract:A Zero-Knowledge Protocol (ZKP) allows one party to convince another party of a fact without disclosing any extra knowledge except the validity of the fact. For example, it could be used to allow a customer to prove their identity to a potentially malicious bank machine without giving away private information such as a personal identification number. This way, any knowledge gained by a malicious bank machine during an interaction cannot be used later to compromise the client's banking account. An important tool in many ZKPs is bit commitment, which is essentially a digital way for a sender to put a message in a lock-box, lock it, and send it to the receiver. Later, the key is sent for the receiver to open the lock box and read the message. This way, the message is hidden from the receiver until they receive the key, and the sender is unable to change their mind after sending the lock box. In this paper, the homomorphic properties of a particular multi-party commitment scheme are exploited to allow the receiver to perform operations on commitments, resulting in polynomial time ZKPs for two NP-Complete problems: the Subset Sum Problem and 3SAT. These ZKPs are secure with no computational restrictions on the provers, even with shared quantum entanglement. In terms of efficiency, the Subset Sum ZKP is competitive with other practical quantum-secure ZKPs in the literature, with less rounds required, and fewer computations.

Quantum Physics,Cryptography and Security