Ning Ding,Dawu Gu

DOI: https://doi.org/10.1007/978-3-642-34129-8_16

2012-01-01

Abstract:Precise zero-knowledge, introduced by Micali and Pass [STOC'06], captures the idea that a view of any verifier can be indifferently reconstructed. Though there are some constructions of precise zero-knowledge, constant-round constructions are unknown to exist. This paper is towards constant-round constructions of precise zero-knowledge. The results of this paper are as follows. · We propose a relaxation of precise zero-knowledge that captures the idea that with a probability arbitrarily polynomially close to 1 a view of any verifier can be indifferently reconstructed, i.e., there exists a simulator (without having q(n),p(n,t) as input) such that for any polynomial q(n), there is a polynomial p(n,t) satisfying with probability at least $1-\frac{1}{q(n)}$, the view of any verifier in every interaction can be reconstructed in p(n,T) time by the simulator whenever the verifier's running-time on this view is T. Then we show the impossibility of constructing constant-round protocols satisfying our relaxed definition with all the known techniques. We present a constant-round precise zero-knowledge argument for any language in NP with respect to our definition, assuming the existence of collision-resistant hash function families (against all nO(loglogn)-size circuits).

Ning Ding,Dawu Gu

DOI: https://doi.org/10.1007/978-3-642-24316-5_4

2011-01-01

Abstract:Traditionally, the definition of zero-knowledge states that an interactive proof of x ∈ L provides zero (additional) knowledge if the view of any polynomial-time verifier can be reconstructed by a polynomialtime simulator. Since this definition only requires that the worst-case running-time of the verifier and simulator are polynomials, zeroknowledge becomes a worst-case notion. In STOC'06, Micali and Pass proposed a new notion of precise zeroknowledge, which captures the idea that the view of any verifier in every interaction can be reconstructed in (almost) the same time (i.e., the view can be "indistinguishably reconstructed"). This is the strongest notion among the known works towards precislization of the definition of zeroknowledge. However, as we know, there are two kinds of resources (i.e. time and space) each algorithm consumes in computation. Although the view of a verifier in the interaction of a precise zero-knowledge protocol can be reconstructed in almost the same time, the simulator may run in very large space while at the same time the verifier only runs in very small space. In this case it is still doubtful to take indifference for the verifier to take part in the interaction or to run the simulator. Thus the notion of precise zero-knowledge may be still insufficient. This shows that precislization of the definition of zero-knowledge needs further investigation. In this paper, we propose a new notion of precise time and space simulatable zero-knowledge (PTSSZK), which captures the idea that the view of any verifier in each interaction can be reconstructed not only in the same time, but also in the same space. We construct the first PTSSZK proofs and arguments with simultaneous linear time and linear space precisions for all languages in NP. Our protocols do not use noticeably more rounds than the known precise zero-knowledge protocols.

Ning Ding,Dawu Gu

2007-01-01

Abstract:We present a stronger notion of zero-knowledge: precise concurrent zero-knowledge. Our notion captures the idea that the view of any verifier in concurrent interaction can be reconstructed in the almost same time (within a constant/polynomial factor). Precise zero-knowledge in stand-alone setting was introduced by Micali and Pass in STOC’06 (The original work used the term ”local zero-knowledge”.). Their notion shows that the view of any verifier can be reconstructed in the almost same time in stand-alone setting. Hence our notion is the generalization of their notion in concurrent setting. Furthermore, we propose a ω(log n)-round concurrent zero-knowledge argument for NP with linear precision, which shows that the view of any verifier in concurrent interaction can be reconstructed by the simulator with linear-time overhead. Our argument is Feige-Lapidot-Shamir type which consists of a proof-preamble and a proof-body for a modified NP statement. Our result assumes the restriction of adversarial scheduling the communication that the concurrent interaction of preambles of all sessions will be scheduled before any proof-body by the adversarial verifier.

Ning Ding,Dawu Gu

DOI: https://doi.org/10.1109/cis.workshops.2007.186

2007-01-01

Abstract:We present a stronger notion of precise bounded-concurrent zero-knowledge. Our notion captures the idea that view of any verifier in a bounded-concurrent interaction can be reconstructed in the almost same time. Precise zero-knowledge in stand-alone setting was introduced by Micali and Pass in STOC'06 and they constructed some precise stand-alone zero-knowledge protocols for NP using at least omega(1) rounds. Via providing a precise simulator for the known O(1)-round bounded-concurrent non-black-box zero-knowledge argument, we show the existence of O(1)- round bounded-concurrent zero-knowledge arguments with polynomial precision for NP. Our result assumes that the ratio of running-time of any adversarial verifier on any two different views in bounded-concurrent execution of the protocol is bounded by na, where a is any predeterminate constant. Such verifiers are called restricted verifiers.

Ning Ding,Da-wu Gu

DOI: https://doi.org/10.1007/s12204-010-9720-3

2010-01-01

Journal of Shanghai Jiaotong University (Science)

Abstract:Precise zero-knowledge was introduced by Micali and Pass in STOC’06. This notion captures the idea that the view of any verifier in interaction can be reconstructed in almost time. Pass also obtained a sequential composition lemma for precise zero-knowledge protocols. However, this lemma doesn’t provide tight precisions for composed protocols. In this paper we further obtain a sequential composition lemma for a subclass of precise zero-knowledge protocols, which all satisfy a property: their simulators use the code of verifier in almost the black-box way. We call such subclass emulated black-box zero-knowledge protocols. Our lemma provides better precisions for sequential composition of such protocols.

Ning Ding

DOI: https://doi.org/10.1007/978-3-319-17470-9_4

2015-01-01

Abstract:This paper investigates the exact round complexity of zero-knowledge arguments of knowledge (ZKAOK) with strict-polynomial-time simulation and extraction. Previously, Barak and Lindell [STOC 02] presented a constant-round such ZKAOK. With the parallel technique by Ostrovsky and Visconti [ECCC 12] for implementing Barak's zero-knowledge [FOCS 01] in 6 rounds, the Barak-Lindell ZKAOK can be implemented in, we believe, 7 rounds, which achieves the best exact round complexity for such ZKAOK from reasonable assumptions.Recently, Pandey et al. [ePrint 13] proposed a 4-round (concurrent) ZK with strict-polynomial-time simulation based on differing-input obfuscation for machines. Based on their construction, Ding [ISC 14] presented a 4-round ZKAOK with strict-polynomial-time simulation and extraction. However, the known construction of differing-input obfuscation for machines uses knowledge assumptions which are too strong. So an interesting question is whether we can reduce the round complexity of such ZKAOK without using differing-input obfuscation for machines.In this paper we show that based on differing-input obfuscation for some circuit samplers and other reasonable assumptions, there exists a 6-round ZKAOK for NP with strict-polynomial-time simulation and extraction. Importantly, the assumption of differing-input obfuscation for circuits does not use any knowledge assumption and thus is mild. Moreover, we note that the auxiliary inputs output by the circuit samplers in our construction are public coins and perfectly-hiding commitments, which is quite natural. So this assumption, in our view, could be considered reasonable.

Ning Ding,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.6138/jit.2011.12.4.09

2011-01-01

Abstract:Precise concurrent zero-knowledge is a new notion introduced by Pandey et al. in Eurocrypt'08, which captures the idea that the view of any verifier in concurrent interaction can be reconstructed in almost the same time. They also constructed some (private-coin) concurrent zero-knowledge argument systems for NP which achieve precision in different levels and all these protocols use at least.(log n) rounds. In this paper we investigate the feasibility of reducing the round complexity and still keeping precision simultaneously. Our main result is that we construct a public-coin precise bounded-concurrent zero-knowledge argument system for NP only using almost constant rounds, i.e., omega(1) rounds. Bounded-concurrency means an a-priori bound on the (polynomial) number of concurrent sessions is specified before the protocol is constructed. Our result doesn't need any setup assumption.

Guifang Huang,Dongdai Lin,Yanshuo Zhang

DOI: https://doi.org/10.1007/978-3-642-00843-6_9

2009-01-01

Abstract:In [16], Pass generalized the definition of zero knowledge proof and defined n O(σ(n))-simulatable proof which can be simulated by a simulator in n O(σ(n)) time. Assuming the existence of one-way permutation secure against sub-exponential circuits and 2-round perfect hiding commitment scheme, an efficient 4-round perfect n poly(logn)-simulatable argument of knowledge was presented there. In this paper, we construct an efficient concurrent n poly(logn)-simulatable argument of knowledge under more general assumption. The new scheme is 5-round and is based on the existence of one-way permutation secure against sub-exponential circuits. However, for the scheme in [16], if using ordinary Σ-protocol for the corresponding statement as sub-protocol, instead of Σ-protocol with honest verifier perfect zero knowledge, the resulting protocol is not necessarily closed under concurrent composition.

DENG Yi,LIN Dong-Dai

DOI: https://doi.org/10.3724/sp.j.1001.2008.00468

2008-01-01

Journal of Software

Abstract:This paper shows how to efficiently transform any 3-round public-coin honest verifier zero knowledge argument system for any language in NP into a 4 round (round-optimal) concurrent zero knowledge argument for the same language in the bare public-key model. The transformation has the following properties: 1) incurs only O(1) (small constant, about 20) additional modular exponentiations. Compared to the concurrent zero knowledge protocol proposed by Di Crescenzo and Visconti in ICALP 2005, in which their transformation requires an overhead of Θ(n), the protocol is significantly more efficient under the same intractability assumptions; 2) yields a perfect zero knowledge argument under DL assumption. Note that the Di Crescenzo, et al.’s argument system enjoys only computational zero knowledge property. The transformation relies on a specific 3-round honest verifier zero knowledge proof of knowledge for committed discrete log. Such protocols that require only O(1) modular exponentiations based on different kinds of commitment scheme are developed and they may be of independent interest.

Bin Lian,Gongliang Chen,Jianhua Li

DOI: https://doi.org/10.14257/ijsia.2015.9.3.17

2015-01-01

International Journal of Security and Its Applications

Abstract:Zero-knowledge proof protocol is a basic cryptographic technique. And zero-knowledge proof of double discrete logarithm has some particular properties, so it has been widely applied in many security systems. But the efficient problem of zero-knowledge proof of double discrete logarithm has not been solved to this day, since there are some special difficulties in computing this kind of knowledge proof. Hence, the time complexity and the space complexity of existing schemes are all O(k), where k is a security parameter. After redesigning the basic construction of knowledge proof, we provide a new zero-knowledge proof of double discrete logarithm, which is the first scheme with O(1) time complexity and O(1) space complexity. If introducing an off-line TTP (trusted third party), we can provide two additional zero-knowledge proof schemes of double discrete logarithm, one is even more efficient than the first one, the other one solves another open problem, which is how to efficiently prove the equality of double discrete logarithms in zero-knowledge way, and the existing techniques cannot solve this problem. We also provide the detailed security proofs of our designs and efficiency analysis, comparing with the existing schemes. The significant improvement in efficiency of this basic cryptographic technique is also helpful for many security systems.

Yunlei Zhao,Robert Deng,Binyu Zang,Yiming Zhao

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general NP languages with going through general NP-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named ∑-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from ∑-protocols to practical (real) ZK arguments without general NP-reductions under either the DLP or RSA assumptions. © Springer-Verlag Berlin Heidelberg 2005.

Ning Ding,Yanli Ren,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-42634-1_23

2016-01-01

Abstract:In this paper we present a 4-round zero-knowledge argument of knowledge for NP with strict-polynomial-time simulation and expected polynomial-time extraction based on differing-input obfuscation for some circuit samplers and other reasonable assumptions.

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Ning Ding,DaWu Gu

DOI: https://doi.org/10.1007/s11432-010-4056-z

2010-01-01

Science China Information Sciences

Abstract:Precise concurrent zero-knowledge is a new notion introduced by Pandey et al. in Eurocrypt’08. This notion captures the idea that the view of any verifier in concurrent interaction can be reconstructed in almost the same time. Pandey et al. also constructed some precise concurrent zero-knowledge argument systems. In this paper we construct a precise bounded-concurrent zero-knowledge proof for NP, which has the precision p(n, y) = poly(n) + O(ny). Bounded-concurrency means that an a-priori bound on the number of concurrent sessions is specified before the protocol is constructed. Our result holds even if adversarial verifiers adopt the dynamic scheduling strategy. We make no setup assumption. The advantage of proof systems over argument systems is that the soundness property of proof systems can resist computationally-unbounded adversarial provers, while that of argument systems can only resist polynomial-time adversarial provers.

Yunlei Zhao,Robert H. Deng,Binyu Zang,Yiming Zhao

DOI: https://doi.org/10.1007/11600930_28

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general \(\mathcal{NP}\) languages with going through general \(\mathcal{NP}\)-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named Σ-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from Σ-protocols to practical (real) ZK arguments without general \(\mathcal{NP}\)-reductions under either the DLP or RSA assumptions.

Ning Ding

DOI: https://doi.org/10.1007/978-3-319-13257-0_8

2014-01-01

Abstract:This paper addresses the issues of constructing zero- knowledge arguments of knowledge (ZKAOK) with properties such as a small number of rounds, public-coin and strict-polynomial-time simulation and extraction, and shows the existence of the following systems for NP for the first time under some assumptions.

Ronald Cramer,Ivan Damgard,Chaoping Xing,Chen Yuan

DOI: https://doi.org/10.1007/978-3-319-56620-7_17

2017-01-01

Abstract:We propose a new zero-knowledge protocol for proving knowledge of short preimages under additively homomorphic functions that map integer vectors to an Abelian group. The protocol achieves amortized efficiency in that it only needs to send O(n) function values to prove knowledge of n preimages. Furthermore we significantly improve previous bounds on how short a secret we can extract from a dishonest prover, namely our bound is a factor O(k) larger than the size of secret used by the honest prover, where k is the statistical security parameter. In the best previous result, the factor was O(k(log k) n). Our protocol can be applied to give proofs of knowledge for plaintexts in (Ring-) LWE-based cryptosystems, knowledge of preimages of homomorphic hash functions as well as knowledge of committed values in some integer commitment schemes.

Jiaheng Zhang,Tiancheng Xie,Yupeng Zhang,Dawn Song

DOI: https://doi.org/10.1109/sp40000.2020.00052

2020-05-01

Abstract:We present a new succinct zero knowledge argument scheme for layered arithmetic circuits without trusted setup. The prover time is O(C + nlogn) and the proof size is O(D logC +log2 n) for a D-depth circuit with n inputs and C gates. The verification time is also succinct, O(D logC + log2 n), if the circuit is structured. Our scheme only uses lightweight cryptographic primitives such as collision-resistant hash functions and is plausibly post-quantum secure. We implement a zero knowledge argument system, Virgo, based on our new scheme and compare its performance to existing schemes. Experiments show that it only takes 53 seconds to generate a proof for a circuit computing a Merkle tree with 256 leaves, at least an order of magnitude faster than all other succinct zero knowledge argument schemes. The verification time is 50ms, and the proof size is 253KB, both competitive to existing systems. Underlying Virgo is a new transparent zero knowledge verifiable polynomial delegation scheme with logarithmic proof size and verification time. The scheme is in the interactive oracle proof model and may be of independent interest.

Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-32928-9_27

2013-01-01

Journal of Computer Security

Abstract:We propose a new non-interactive perfect zero-knowledge NIZK shuffle argument that, when compared with the only previously known efficient NIZK shuffle argument by Groth and Lu, has a small constant factor times smaller computation and communication, and is based on more standard computational assumptions. Differently from Groth and Lu who only prove the co-soundness of their argument under purely computational assumptions, we prove computational soundness under a necessary knowledge assumption. We also present a general transformation that results in a shuffle argument that has a quadratically smaller common reference string CRS and a small constant factor times longer argument than the original shuffle. This can be interpreted as a general technique of decreasing the offline cost of an arbitrary shuffle argument.