Yunlei Zhao,Robert H. Deng,Binyu Zang,Yiming Zhao

DOI: https://doi.org/10.1007/11600930_28

2005-01-01

Abstract:Zero-knowledge (ZK) plays a central role in the field of modern cryptography and is a very powerful tool for constructing various cryptographic protocols, especially cryptographic protocols in E-commerce. Unfortunately, most ZK protocols are for general \(\mathcal{NP}\) languages with going through general \(\mathcal{NP}\)-reductions, and thus cannot be directly employed in practice. On the other hand, a large number of protocols, named Σ-protocols, are developed in industry and in the field of applied cryptography for specific number-theoretic languages (e.g. DLP and RSA), which preserves the ZK property only with respect to honest verifiers (i.e., they are not real ZK) but are highly practical. In this work, we show a generic yet practical transformation from Σ-protocols to practical (real) ZK arguments without general \(\mathcal{NP}\)-reductions under either the DLP or RSA assumptions.

Yunlei Zhao,Jesper Buus Nielsen,Robert H. Deng,Dengguo Feng

2007-01-01

Abstract:In this work, we present a generic yet practical transformation from any public-coin honestverifier zero-knowledge (HVZK) protocols to normal zero-knowledge (ZK) arguments. By “generic”, we mean that the transformation is applicable to any public-coin HVZK protocol under any one-way function (OWF) admitting Σ-protocols. By “practical” we mean that the transformation does not go through general NP-reductions and only incurs minimal additional rounds. In particular, if the starting public-coin HVZK protocols and the underlying Σ-protocols are practical, the transformed ZK arguments are also practical. In addition, our transformation also preserves statistical/perfect zero-knowledge. To this end, we develop generic yet practical three-round perfectly-hiding equivocal (string) commitment scheme under any OWF admitting Σ-protocols, which is of independent value. To our knowledge, it is also the first constant-round statistically-hiding (not necessarily to be trapdoor or equivocal) commitment scheme based on any OWF admitting Σ-protocols. We show that the roundcomplexity (i.e., three rounds) is optimal for black-box equivocal commitment schemes. Along the way, we also make some clarifications that seem to be possibly of independent interest. In particular, we identify and clarify a seemingly important implication (to the elegant interaction between cryptography and complexity theory): Σ-protocols may witness non-NP-Completeness.

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-540-72540-4_8

2007-01-01

Abstract:We present a generic construction for constant-round concurrently sound resettable zero-knowledge (rZK-CS) arguments for NP in the bare public-key (BPK) model under any (sub-exponentially strong) one-way function (OWF), which is a traditional assumption in this area. The generic construction in turn allows round-optimal implementation for NP still under general assumptions, and can be converted into a highly practical instantiation (under specific number-theoretic assumptions) for any language admitting Sigma-protocols. Further, the rZK-CS arguments developed in this work also satisfy a weak (black-box) concurrent knowledge-extract ability property as proofs of knowledge, in which case some super-polynomial-time assumption is intrinsic.

Yunlei Zhao,Jesper Buus Nielsen,Robert H. Deng,Dengguo Feng

2005-01-01

Abstract:In this work, we present a generic yet practical transformation from any public-coin honest-verier zero-knowledge (HVZK) protocols to normal zero-knowledge (ZK) arguments. By \generic, we mean that the transformation is applicable to any public-coin HVZK protocol under any one-way function (OWF) admitting -proto cols. By \practical we mean that the transformation does not go through generalNP-reductions and only incurs additionally one round (for public-coin HVZK protocols of odd number of rounds that is the normal case in practice). In particular, if the starting public-coin HVZK protocols and the underlying -proto cols are practical, the transformed ZK arguments are also practical. In addition, our transformation also preserves statistical/perfect zero-knowledge. To this end, we develop generic yet practical 3-round perfectly-hiding equivocal (string) commitment scheme under any OWF admitting -proto cols, which is possibly of independent value. We also show that three rounds is the lower-bound of round-complexity for equivocal commitment schemes.

Moti Yung,Yunlei Zhao

2006-01-01

Abstract:We present constant-round concurrently knowledge-extractable black-box resettable zero-knowledge (rZK-CKE) arguments forNP in the bare public-key (BPK) model. We give minimal (sub-exponential) hardness assumption based protocols as well as round-optimal protocols (still under general hardness assumptions). To our knowledge, our protocols are the first ZK protocols that provably provide both resettable/concurrent prover security and concurrent verifier security in public-key models. Here, the notion of concurrent knowledge-extractability roughly means that no malicious polynomial-time prover can convince an honest verifier of any (whether false or true) statement without “knowing” a corresponding NP-witness even by concurrently interleaving interactions in public-key models when verifiers register public-keys. We show that concurrent knowledge-extractability is strictly stronger than “concurrent soundness” (under any sub-exponentially strong one-way permutation) for concurrently proving NP statements to honest verifiers with public-keys. In particular, we show that previous concurrent zero-knowledge protocols in the BPK model that achieved concurrent soundness security and are also traditional arguments of knowledge actually fail to satisfy this stronger security notion (this is demonstrated by concrete attacks). Our work deepens the understanding of the subtleties of concurrent verifier security in public-key settings, and may serve as building blocks in designing other round-efficient concurrently secure protocols in public-key models that use, in particular, argument of knowledge (AOK) protocols as building blocks. RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu Software School, School of Information Science and Engineering, Fudan University, Shanghai 200433, China.

Sven Laur,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-319-13257-0_9

2014-01-01

Abstract:Crypto-computing is a set of well-known techniques for computing with encrypted data. The security of the corresponding protocols are usually proven in the semi-honest model. In this work, we propose a new class of zero-knowledge proofs, which are tailored for cryptocomputing protocols. First, these proofs directly employ properties of the underlying crypto systems and thus many facts have more concise proofs compared to generic solutions. Second, we show how to achieve universal composability in the trusted set-up model where all zero-knowledge proofs share the same system-wide parameters. Third, we derive a new protocol for multiplicative relations and show how to combine it with several crypto-computing frameworks.

Yl Zhao,Xt Deng,Ch Lee,H Zhu

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:A new public-key model for resettable zero-knowledge (rZK) protocols, which is an extension and generalization of the upper-bounded public-key (UPK) model introduced by Micali and Reyzin [EuroCrypt'01, pp. 373-393], is introduced and is named weak public-key (WPK) model. The motivations and applications of the WPK model are justified in the distributed smart-card/server setting and it seems more preferable in practice, especially in E-commerce over Internet. In this WPK model a 3-round (optimal) black-box resettable zero-knowledge argument with concurrent soundness for NP is presented assuming the security of RSA with large exponents against subexponential-time adversaries. Our result improves Micali and Reyzin's result of resettable zero-knowledge argument with concurrent soundness for NP in the UPK model. Note that although Micali and Reyzin' protocol satisfies concurrent soundness in the UPK model, but it does not satisfy even sequential soundness in our WPK model.Our protocol works in a somewhat "parallel repetition" manner to reduce the error probability and the black-box zero-knowledge simulator works in strict polynomial time rather than expected polynomial time. The critical tools used are: verifiable random functions introduced by Micali, Rabin and Vadhan [FOCS'99, pp. 120-130], zap presented by Dwork and Naor [FOCS'00, pp. 283-293] and complexity leveraging introduced by Canetti, Goldreich, Goldwasser and Micali [STOC'00, pp. 235-244].

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/11681878_2

2006-01-01

Abstract:We investigate the design and proofs of zero-knowledge (ZK) interactive systems under what we call the “restricted random oracle model” which restrains the usage of the oracle in the protocol design to that of collapsing protocol rounds a la Fiat-Shamir heuristics, and limits the oracle programmability in the security proofs. We analyze subtleties resulting from the involvement of random oracles in the interactive setting and derive our methodology. Then we investigate the Feige-Shamir 4-round ZK argument for $\mathcal{NP}$ in this model: First we show that a 2-round protocol is possible for a very interesting set of languages; we then show that while the original protocol is not concurrently secure in the public-key model, a modified protocol in our model is, in fact, concurrently secure in the bare public-key model. We point at applications and implications of this fact. Of possible independent interest is a concurrent attack against the Feige-Shamir ZK in the public-key model (for which it was not originally designed).

Stavros Kassaras,Leandros Maglaras

DOI: https://doi.org/10.48550/arXiv.2006.09990

2020-06-18

Abstract:How someone can get health insurance without sharing his health information? How you can get a loan without disclosing your credit score? There is a method to certify certain attributes of various data, either this is health metrics or finance information, without revealing the data itself or any other kind of personal data. This method is known as zero-knowledge proofs. Zero-Knowledge techniques are mathematical methods used to verify things without sharing or revealing underlying data. Zero-Knowledge protocols have vast applications from simple identity schemes and blockchains to defense research programs and nuclear arms control

Cryptography and Security

Xiaotie Deng,C. H. Lee,Yunlei Zhao,Hong Zhu

DOI: https://doi.org/10.1007/3-540-36413-7_22

2002-01-01

Abstract:In this paper we re-examine the nature of zero-knowledge. We show evidences that the classic simulation based definitions of zero-knowledge (simulation zero-knowledge) may be somewhat too strong to include some "nice" protocols in which the malicious verifier seems to learn nothing but we do not know how to construct a zero-knowledge simulator for it. We overcome this problem by introducing reduction zero-knowledge. We show that reduction zero-knowledge lies between simulation zero-knowledge and witness indistinguishability. That is, any simulation zero-knowledge protocol is also reduction zero-knowledge and reduction zero-knowledge implies witness indistinguishability but the opposite direction is not guaranteed to be true. There are two major contributions of reduction zero-knowledge. One is that it introduces reduction between different protocols and extends the approaches to characterize the nature of zero-knowledge. Note that reduction is a widely used paradigm in the field of computer science. Another is that in contrast to normal simulation zero-knowledge reduction zero-knowledge can be made more efficient (especially for the verifier) and can be constructed under weaker assumption while losing little security than a corresponding simulation zero-knowledge protocol. In this paper a 4-round public-coin reduction zero-knowledge proof system for NP is presented and in practice this protocol works in 3 rounds since the first verifier's message can be fixed once and for all.

Pouriya Alikhani,Nicolas Brunner,Claude Crépeau,Sébastien Designolle,Raphaël Houlmann,Weixu Shi,Nan Yang,Hugo Zbinden

DOI: https://doi.org/10.1038/s41586-021-03998-y

2022-02-16

Abstract:Protecting secrets is a key challenge in our contemporary information-based era. In common situations, however, revealing secrets appears unavoidable, for instance, when identifying oneself in a bank to retrieve money. In turn, this may have highly undesirable consequences in the unlikely, yet not unrealistic, case where the bank's security gets compromised. This naturally raises the question of whether disclosing secrets is fundamentally necessary for identifying oneself, or more generally for proving a statement to be correct. Developments in computer science provide an elegant solution via the concept of zero-knowledge proofs: a prover can convince a verifier of the validity of a certain statement without facilitating the elaboration of a proof at all. In this work, we report the experimental realisation of such a zero-knowledge protocol involving two separated verifier-prover pairs. Security is enforced via the physical principle of special relativity, and no computational assumption (such as the existence of one-way functions) is required. Our implementation exclusively relies on off-the-shelf equipment and works at both short (60 m) and long distances ($\geqslant$400 m) in about one second. This demonstrates the practical potential of multi-prover zero-knowledge protocols, promising for identification tasks and blockchain applications such as cryptocurrencies or smart contracts.

Cryptography and Security,Quantum Physics

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Moti Yung,Yunlei Zhao

2005-01-01

Abstract:We present constant-round concurrently secure (sound) resettable zero-knowledge (rZK-CS) arguments in the bare public-key (BPK) model. Our constructions deal with general NP ZK-arguments as well as with highly efficient ZK-arguments for number-theoretic languages, most relevant to identification scenarios. These are the first constant-round protocols of this type in the original real BPK model, where nothing is assured about public-keys generated by malicious verifiers. As part of this work, we develop a one-round trapdoor commitment scheme that is based on any one-way permutation, which is of independent interest and, in particular, can be used to reduce the round-complexity of other cryptographic protocols involving trapdoor commitments.

Ryan Lavin,Xuekai Liu,Hardhik Mohanty,Logan Norman,Giovanni Zaarour,Bhaskar Krishnamachari

2024-08-01

Abstract:Zero-knowledge proofs (ZKPs) represent a revolutionary advance in computational integrity and privacy technology, enabling the secure and private exchange of information without revealing underlying private data. ZKPs have unique advantages in terms of universality and minimal security assumptions when compared to other privacy-sensitive computational methods for distributed systems, such as homomorphic encryption and secure multiparty computation. Their application spans multiple domains, from enhancing privacy in blockchain to facilitating confidential verification of computational tasks. This survey starts with a high-level overview of the technical workings of ZKPs with a focus on an increasingly relevant subset of ZKPs called zk-SNARKS. While there have been prior surveys on the algorithmic and theoretical aspects of ZKPs, our work is distinguished by providing a broader view of practical aspects and describing many recently-developed use cases of ZKPs across various domains. These application domains span blockchain privacy, scaling, storage, and interoperability, as well as non-blockchain applications like voting, authentication, timelocks, and machine learning. Aimed at both practitioners and researchers, the survey also covers foundational components and infrastructure such as zero-knowledge virtual machines (zkVM), domain-specific languages (DSLs), supporting libraries, frameworks, and protocols. We conclude with a discussion on future directions, positioning ZKPs as pivotal in the advancement of cryptographic practices and digital privacy across many applications.

Cryptography and Security,Computational Complexity

Mark Carney

2023-08-07

Abstract:This paper presents a new method for quantum identity authentication (QIA) protocols. The logic of classical zero-knowledge proofs (ZKPs) due to Schnorr is applied in quantum circuits and algorithms. This novel approach gives an exact way with which a prover $P$ can prove they know some secret by encapsulating it in a quantum state before sending to a verifier $V$ by means of a quantum channel - allowing for a ZKP wherein an eavesdropper or manipulation can be detected with a fail-safe design. This is achieved by moving away from the hardness of the Discrete Logarithm Problem towards the hardness of estimating quantum states. This paper presents a method with which this can be achieved and some bounds for the security of the protocol provided. With the anticipated advent of a `quantum internet', such protocols and ideas may soon have utility and execution in the real world.

Quantum Physics,Cryptography and Security

Yun Li,Cun Ye,Yuguang Hu,Ivring Morpheus,Yu Guo,Chao Zhang,Yupeng Zhang,Zhipeng Sun,Yiwen Lu,Haodi Wang

DOI: https://doi.org/10.1145/3460120.3484558

2021-01-01

Abstract:Devising a fair-exchange protocol for digital goods has been an appealing line of research in the past decades. The Zero-Knowledge Contingent Payment (ZKCP) protocol first achieves fair exchange in a trustless manner with the aid of the Bitcoin network and zero-knowledge proofs. However, it incurs setup issues and substantial proving overhead, and has difficulties handling complicated validation of large-scale data. In this paper, we propose an improved solution ZKCPlus for practical and flexible fair exchange. ZKCPlus incorporates a new commit-and-prove non-interactive zero-knowledge (CP-NIZK) argument of knowledge under standard discrete logarithmic assumption, which is prover-efficient for data-parallel computations. With this argument we avoid the setup issues of ZKCP and reduce seller's proving overhead, more importantly enable the protocol to handle complicated data validations. We have implemented a prototype of ZKCPlus and built several applications atop it. We rework a ZKCP's classic application of trading sudoku solutions, and ZKCPlus achieves 21-67 times improvement in seller efficiency than ZKCP, with only milliseconds of setup time and 1 MB public parameters. In particular, our CP-NIZK argument shows an order of magnitude higher proving efficiency than the zkSNARK adopted by ZKCP. We also built a realistic application of trading trained CNN models. For a 3-layer CNN containing 8,620 parameters, it takes less than 1 second to prove and verify an inference computation, and also about 1 second to deliver the parameters, which is very promising for practical use.

Prastudy Fauzi,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-662-45472-5_14

2014-01-01

Abstract:We propose a non-interactive zero knowledge pairwise multiset sum equality test (PMSET) argument of knowledge in the common reference string (CRS) model that allows a prover to show that the given committed multisets A(j) for j is an element of {1, 2, 3, 4} satisfy A(1) (sic) A(2) = A(3) (sic) A(4), i. e., every element is contained in A(1) and A(2) exactly as many times as in A3 and A(4). As a corollary to the PMSET argument, we present arguments that enable to efficiently verify the correctness of various (multi) set operations, for example, that one committed set is the intersection or union of two other committed sets. The new arguments have constant communication and verification complexity (in group elements and group operations, respectively), whereas the CRS length and the prover's computational complexity are both proportional to the cardinality of the (multi) sets. We show that one can shorten the CRS length at the cost of a small increase of the communication and the verifier's computation.

Yunlei Zhao

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:In this work, we investigate concurrent knowledge-extraction (CKE) and concurrent non-malleability (CNM) for concurrent (and stronger, resettable) ZK protocols in the bare public-key model. We formulate, driven by concrete attacks, and achieve CKE for constant-round concurrent/resettable arguments in the BPK model under standard polynomial assumptions. We get both generic and practical implementations. Here, CKE is a new concurrent verifier security that is strictly stronger than concurrent soundness in public-key model. We investigate, driven by concrete attacks, and clarify the subtleties in formulating CNM in the public-key model. We then give a new (augmented) CNM formulation in the public-key model and a construction of CNMZK in the public-key model satisfying the new CNM formulation.

Dai Yiqi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.06.038

2012-01-01

Abstract:UC security is the framework in treating a stand-alone protocol and guaranteeing the secure composition.This means that a protocol may run concurrently with many other protocols,on arbitrary inputs and in adversarial controlled way,if it is UC security in the sense that it emulates an ideal functionality,it can be treated as a piece of that ideal functionality in overall system security analysis.In this paper,ZK under UC framework is studied,and the study proves that Blum protocol is closed under sequential composition in the Fwzk-hybrid model.

Wouter Lueks,Bogdan Kulynych,Jules Fasquelle,Simon Le Bail-Collet,Carmela Troncoso

DOI: https://doi.org/10.1145/3338498.3358653

2019-11-11

Abstract:Zero-knowledge proofs are an essential building block in many privacy-preserving systems. However, implementing these proofs is tedious and error-prone. In this paper, we present zksk, a well-documented Python library for defining and computing sigma protocols: the most popular class of zero-knowledge proofs. In zksk, proofs compose: programmers can convert smaller proofs into building blocks that then can be combined into bigger proofs. zksk features a modern Python-based domain-specific language. This makes possible to define proofs without learning a new custom language, and to benefit from the rich Python syntax and ecosystem. The library is available at <a class="link-external link-https" href="https://github.com/spring-epfl/zksk" rel="external noopener nofollow">this https URL</a>

Cryptography and Security,Software Engineering