
Journal of Cryptology, Volume 29, Issue 1, pp 156–219

Concurrent Knowledge Extraction in Public-Key Models

  • Andrew Chi-Chih Yao
  • Moti Yung
  • Yunlei Zhao

Abstract

Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a computational complexity sense and enabling one to argue about the internal state of a party in a protocol without probing its internal secret state. However, when transactions are concurrent, say over the Internet, with players possessing public keys (as is common in cryptography), assuring that entities “know” what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. In such settings, mixing the public-key structure into the language and the statements is a natural adversarial strategy. Here, we investigate how to formally treat knowledge possession by parties interacting concurrently in the public-key model. More technically, we look into the relative power of the notion of “concurrent knowledge extraction” (CKE) for concurrent zero knowledge (CZK) in the bare public-key (BPK) model, where the language and statements being proved can be dynamically and adaptively chosen by the prover and may possibly be based on verifiers’ public keys. By concrete attacks against some existing natural protocols, we first show that concurrent soundness and normal arguments of knowledge do not guarantee concurrent verifier security in the public-key setting. Here, roughly speaking, concurrent verifier security says that the malicious concurrent prover should “know” all the witnesses to all the possibly public-key-related statements adaptively chosen and successfully proved in the concurrent sessions. These concrete attacks serve as a good motivation for understanding “possession of knowledge” for concurrent transactions with registered public keys, i.e., the subtleties of concurrent knowledge extraction in the public-key model. This motivates us to introduce and formalize the notion of CKE, along with clarifications of various subtleties.
Two implementations are then presented for constant-round concurrently knowledge-extractable concurrent zero-knowledge (CZK–CKE) arguments for \(\mathcal {NP}\) in the BPK model: one protocol is generic and based on standard polynomial-time assumptions, whereas the other protocol is computationally efficient and employs complexity leveraging in a novel way. Both protocols can be practically instantiated for some specific number-theoretic languages without going through general \(\mathcal {NP}\)-reductions. Of independent interest are the discussions about the subtleties surrounding the fundamental structure of Feige–Shamir zero knowledge in the BPK model.

Keywords

Proof of knowledge, Zero knowledge, Bare public key, Complexity leveraging, Strong witness indistinguishability, Witness-extended emulator

Notes

Acknowledgments

First of all, we are grateful to the anonymous referees for their very helpful and insightful review comments and suggestions, which in particular have significantly improved this work. We are indebted to Oded Goldreich for many invaluable suggestions and discussions (particularly on strong WI and POK). We are grateful to Alessandra Scafuro and Ivan Visconti for many helpful discussions (particularly on round-optimal CZK in the BPK model) and for sending us an electronic copy of the work [75]. We thank Giovanni Di Crescenzo, Yehuda Lindell, Giuseppe Persiano and Alon Rosen for helpful discussions.

References

  1. B. Barak. How to Go Beyond the Black-Box Simulation Barrier. In IEEE Symposium on Foundations of Computer Science, pages 106–115, 2001.
  2. B. Barak, R. Canetti, J. B. Nielsen and R. Pass. Universally Composable Protocols with Relaxed Set-Up Assumptions. In IEEE Symposium on Foundations of Computer Science, pages 186–195, 2004.
  3. B. Barak and O. Goldreich. Universal Arguments and Their Applications. In IEEE Conference on Computational Complexity, pages 194–203, 2002.
  4. B. Barak, O. Goldreich, S. Goldwasser and Y. Lindell. Resettably-Sound Zero-Knowledge and Its Applications. In IEEE Symposium on Foundations of Computer Science, pages 116–125, 2001.
  5. B. Barak and Y. Lindell. Strict Polynomial-Time in Simulation and Extraction. SIAM Journal on Computing, 33(4): 783–818, 2004.
  6. B. Barak, Y. Lindell and S. Vadhan. Lower Bounds for Non-Black-Box Zero-Knowledge. Journal of Computer and System Sciences, 72(2): 321–391, 2006.
  7. B. Barak, M. Prabhakaran and A. Sahai. Concurrent Non-Malleable Zero-Knowledge. In IEEE Symposium on Foundations of Computer Science (FOCS 2006), pages 345–354.
  8. M. Bellare and O. Goldreich. On Defining Proofs of Knowledge. In E. F. Brickell (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1992, LNCS 740, pages 390–420, Springer-Verlag, 1992.
  9. M. Bellare and O. Goldreich. On Probabilistic versus Deterministic Provers in the Definition of Proofs of Knowledge. Electronic Colloquium on Computational Complexity, 13(136), 2006. A slightly refined version also appears in [47], pages 114–123, 2011.
  10. M. Bellare, R. Impagliazzo and M. Naor. Does Parallel Repetition Lower the Error in Computationally Sound Protocols? In IEEE Symposium on Foundations of Computer Science, pages 374–383, 1997.
  11. M. Blum. Coin Flipping by Telephone. In Proc. IEEE Spring COMPCON, pages 133–137, 1982.
  12. M. Blum. How to Prove a Theorem so No One Else Can Claim It. In Proceedings of the International Congress of Mathematicians, Berkeley, California, USA, pages 1444–1451, 1986.
  13. D. Boneh and R. Venkatesan. Breaking RSA May Not Be Equivalent to Factoring. In Eurocrypt 1998, pages 59–71.
  14. G. Brassard, D. Chaum and C. Crépeau. Minimum Disclosure Proofs of Knowledge. Journal of Computer and System Sciences, 37(2): 156–189, 1988.
  15. R. Canetti, O. Goldreich, S. Goldwasser and S. Micali. Resettable Zero-Knowledge. In ACM Symposium on Theory of Computing, pages 235–244, 2000. Available from: http://www.wisdom.weizmann.ac.il/~oded/
  16. R. Canetti, J. Kilian, E. Petrank and A. Rosen. Black-Box Concurrent Zero-Knowledge Requires (Almost) Logarithmically Many Rounds. SIAM Journal on Computing, 32(1): 1–47, 2002.
  17. C. Cho, R. Ostrovsky, A. Scafuro and I. Visconti. Simultaneously Resettable Arguments of Knowledge. In TCC 2012, pages 530–547.
  18. K. M. Chung, R. Ostrovsky, R. Pass, M. Venkitasubramaniam and I. Visconti. 4-Round Resettably-Sound Zero Knowledge. In TCC 2014, pages 192–216.
  19. R. Cramer. Modular Design of Secure, yet Practical Cryptographic Protocols. PhD Thesis, University of Amsterdam, 1996.
  20. R. Cramer, I. Damgård and B. Schoenmakers. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In Y. Desmedt (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1994, LNCS 893, pages 174–187, Springer-Verlag, 1994.
  21. I. Damgård. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model. In B. Preneel (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 2000, LNCS 1807, pages 418–430, Springer-Verlag, 2000.
  22. I. Damgård. Lecture Notes on Cryptographic Protocol Theory. BRICS, Aarhus University, 2003. Available from: http://www.daimi.au.dk/~ivan/CPT.html
  23. I. Damgård, T. Pedersen and B. Pfitzmann. On the Existence of Statistically-Hiding Bit Commitment and Fail-Stop Signatures. In CRYPTO 1993, pages 250–265.
  24. Y. Deng and D. Lin. Resettable Zero Knowledge in the Bare Public Key Model under Standard Assumption. In Inscrypt 2007, pages 123–137.
  25. Y. Deng, D. Feng, V. Goyal, D. Lin, A. Sahai and M. Yung. Resettable Cryptography in Constant Rounds: the Case of Zero Knowledge. In Asiacrypt 2011, pages 390–406. Also available from Cryptology ePrint Archive, Report No. 2011/408.
  26. G. Di Crescenzo and R. Ostrovsky. On Concurrent Zero-Knowledge with Pre-Processing. In M. J. Wiener (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1999, LNCS 1666, pages 485–502, Springer-Verlag, 1999.
  27. G. Di Crescenzo, G. Persiano and I. Visconti. Constant-Round Resettable Zero-Knowledge with Concurrent Soundness in the Bare Public Key Model. In M. Franklin (Ed.): Advances in Cryptology-Proceedings of CRYPTO 2004, LNCS 3152, pages 237–253, Springer-Verlag, 2004.
  28. G. Di Crescenzo and I. Visconti. Concurrent Zero-Knowledge in the Public Key Model. In L. Caires et al. (Eds.): ICALP 2005, LNCS 3580, pages 816–827, Springer-Verlag, 2005.
  29. G. Di Crescenzo and I. Visconti. Personal communications, 2004.
  30. G. Di Crescenzo and I. Visconti. On Defining Proofs of Knowledge in the Bare Public Key Model. In Italian Conference on Theoretical Computer Science (ICTCS), 2007.
  31. D. Dolev, C. Dwork and M. Naor. Non-Malleable Cryptography. SIAM Journal on Computing, 30(2): 391–437, 2000. Preliminary version in ACM Symposium on Theory of Computing, pages 542–552, 1991.
  32. C. Dwork, M. Naor and A. Sahai. Concurrent Zero-Knowledge. In ACM Symposium on Theory of Computing, pages 409–418, 1998.
  33. C. Dwork and A. Sahai. Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints. In H. Krawczyk (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1998, LNCS 1462, pages 442–457, Springer-Verlag, 1998.
  34. T. El Gamal. A Public Key Cryptosystem and Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31: 469–472, 1985.
  35. U. Feige. Alternative Models for Zero-Knowledge Interactive Proofs. PhD Thesis, Weizmann Institute of Science, 1990.
  36. U. Feige and A. Shamir. Zero-Knowledge Proofs of Knowledge in Two Rounds. In G. Brassard (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1989, LNCS 435, pages 526–544, Springer-Verlag, 1989.
  37. U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In ACM Symposium on Theory of Computing, pages 416–426, 1990.
  38. O. Goldreich. Foundations of Cryptography-Basic Tools. Cambridge University Press, 2001.
  39. O. Goldreich. Foundations of Cryptography-Basic Applications. Cambridge University Press, 2002.
  40. O. Goldreich. Studies in Complexity and Cryptography. LNCS 6650, Springer-Verlag, 2011.
  41. O. Goldreich. Strong Proofs of Knowledge. Pages 55–59 in [47].
  42. O. Goldreich and A. Kahan. How to Construct Constant-Round Zero-Knowledge Proof Systems for \(\cal NP\). Journal of Cryptology, 9(2): 167–189, 1996.
  43. O. Goldreich and H. Krawczyk. On the Composition of Zero-Knowledge Proof Systems. SIAM Journal on Computing, 25(1): 169–192, 1996.
  44. O. Goldreich, S. Micali and A. Wigderson. Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design. In IEEE Symposium on Foundations of Computer Science, pages 174–187, 1986.
  45. O. Goldreich, S. Micali and A. Wigderson. How to Prove all \(\cal NP\)-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design. In A. M. Odlyzko (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1986, LNCS 263, pages 104–110, Springer-Verlag, 1986.
  46. O. Goldreich, S. Micali and A. Wigderson. How to Play any Mental Game-A Completeness Theorem for Protocols with Honest Majority. In ACM Symposium on Theory of Computing, pages 218–229, 1987.
  47. O. Goldreich, S. Micali and A. Wigderson. Proofs that Yield Nothing But Their Validity or All Languages in \(\cal NP\) Have Zero-Knowledge Proof Systems. Journal of the Association for Computing Machinery, 38(1): 691–729, 1991. Preliminary version appears in [51, 52].
  48. S. Goldwasser, S. Micali and C. Rackoff. The Knowledge Complexity of Interactive Proof-Systems. In ACM Symposium on Theory of Computing, pages 291–304, 1985.
  49. S. Goldwasser, S. Micali and R. L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks. SIAM Journal on Computing, 17(2): 281–308, 1988.
  50. V. Goyal, A. Jain, R. Ostrovsky, S. Richelson and I. Visconti. Concurrent Zero Knowledge in the Bounded Player Model. In TCC 2013, pages 60–79.
  51. V. Goyal, A. Jain, R. Ostrovsky, S. Richelson and I. Visconti. Constant-Round Concurrent Zero Knowledge in the Bounded Player Model. In Asiacrypt 2013, pages 21–40.
  52. L. Guillou and J. J. Quisquater. A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory. In C. G. Günther (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 1988, LNCS 330, pages 123–128, Springer-Verlag, 1988.
  53. J. Håstad, R. Impagliazzo, L. A. Levin and M. Luby. Construction of a Pseudorandom Generator from Any One-Way Function. SIAM Journal on Computing, 28(4): 1364–1396, 1999.
  54. H. Håstad, R. Pass, D. Wikström and K. Pietrzak. An Efficient Parallel Repetition Theorem. In TCC 2010, pages 1–18, 2010.
  55. I. Haitner and O. Reingold. Statistically-Hiding Commitment from Any One-Way Function. In STOC 2007, pages 1–10.
  56. I. Haitner, O. Horvitz, J. Katz, C. Koo, R. Morselli and R. Shaltiel. Reducing Complexity Assumptions for Statistically-Hiding Commitments. In Eurocrypt 2005, pages 58–77.
  57. S. Halevi and S. Micali. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. In CRYPTO 1996, pages 201–215.
  58. J. Kilian and E. Petrank. Concurrent and Resettable Zero-Knowledge in Polylogarithmic Rounds. In STOC 2001, pages 560–569.
  59. D. Lapidot and A. Shamir. Publicly-Verifiable Non-Interactive Zero-Knowledge Proofs. In A. J. Menezes and S. A. Vanstone (Eds.): Advances in Cryptology-Proceedings of CRYPTO 1990, LNCS 537, pages 353–365.
  60. H. Lin and R. Pass. Constant-Round Non-Malleable Commitments from Any One-Way Function. In STOC 2011, pages 705–714.
  61. Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. Journal of Cryptology, 16(3): 143–184, 2003. Preliminary version appeared in CRYPTO 2001.
  62. Y. Lindell. Constant-Round Zero-Knowledge Proof of Knowledge. ECCC Report No. 2011/003.
  63. D. Micciancio and E. Petrank. Simulatable Commitments and Efficient Concurrent Zero-Knowledge. In E. Biham (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 2003, LNCS 2656, pages 140–159, Springer-Verlag, 2003.
  64. S. Micali and L. Reyzin. Soundness in the Public Key Model. In J. Kilian (Ed.): Advances in Cryptology-Proceedings of CRYPTO 2001, LNCS 2139, pages 542–565, Springer-Verlag, 2001.
  65. M. Naor. Bit Commitment Using Pseudorandomness. Journal of Cryptology, 4(2): 151–158, 1991.
  66. M. Naor, R. Ostrovsky, R. Venkatesan and M. Yung. Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation. Journal of Cryptology, 11(2): 87–108, 1998.
  67. M. Naor and M. Yung. Public Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks. In ACM Symposium on Theory of Computing, pages 427–437, 1990.
  68. R. Ostrovsky, G. Persiano and I. Visconti. Constant-Round Concurrent Non-malleable Zero Knowledge in the Bare Public Key Model. In ICALP (2) 2008, LNCS 5126, pages 548–559, 2008. Full version available from ECCC Report No. 2006/095.
  69. R. Pass, W.-L. D. Tseng and M. Venkitasubramaniam. Concurrent Zero Knowledge, Revisited. Journal of Cryptology, 27(1): 45–66, 2014.
  70. R. Pass and A. Rosen. Concurrent Non-Malleable Commitments. SIAM Journal on Computing, 37(6): 1891–1925, 2008. Preliminary version appears in IEEE Symposium on Foundations of Computer Science, pages 563–572, 2005.
  71. R. Pass and M. Venkitasubramaniam. An Efficient Parallel Repetition Theorem for Arthur-Merlin Games. In ACM Symposium on Theory of Computing, pages 420–429, 2007.
  72. M. Prabhakaran, A. Rosen and A. Sahai. Concurrent Zero Knowledge with Logarithmic Round-Complexity. In FOCS 2002, pages 366–375.
  73. R. Richardson and J. Kilian. On the Concurrent Composition of Zero-Knowledge Proofs. In Eurocrypt 1999, pages 415–432.
  74. P. Rogaway. Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys. In Vietcrypt 2006, LNCS 4341, pages 221–228.
  75. A. Scafuro and I. Visconti. On Round-Optimal Zero Knowledge in the Bare Public Key Model. In Eurocrypt 2012, LNCS 7237, pages 153–171.
  76. C. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3): 24, 1991.
  77. I. Visconti. Efficient Zero Knowledge on the Internet. In ICALP 2006, LNCS 4052, pages 22–33, Springer-Verlag.
  78. A. C. Yao. How to Generate and Exchange Secrets. In IEEE Symposium on Foundations of Computer Science, pages 162–167, 1986.
  79. A. Yao, M. Yung and Y. Zhao. Concurrent Knowledge Extraction in the Public Key Model. In ICALP 2010, Part I, LNCS 6198, pages 702–714, 2010. Preliminary version appears in Electronic Colloquium on Computational Complexity (ECCC), Report No. 2007/002.
  80. M. Yung and Y. Zhao. Generic and Practical Resettable Zero-Knowledge in the Bare Public Key Model. In M. Naor (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 2007, LNCS 4515, pages 116–134, Springer-Verlag, 2007. Preliminary version appears in ECCC Report No. 2005/048.
  81. M. Yung and Y. Zhao. Interactive Zero-Knowledge with Restricted Random Oracles. In S. Halevi and T. Rabin (Eds.): Theory of Cryptography (TCC) 2006, LNCS 3876, pages 21–40, Springer-Verlag, 2006.
  82. Y. Zhao. Concurrent/Resettable Zero-Knowledge with Concurrent Soundness in the Bare Public Key Model and Its Applications. Cryptology ePrint Archive, Report 2003/265.

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  1. Institute for Interdisciplinary Information Sciences (IIIS), Tsinghua University, Beijing, China
  2. Google Inc., Mountain View, USA
  3. Columbia University, New York, USA
  4. Shanghai Key Laboratory of Data Science, School of Computer Science, Fudan University, Shanghai, China
