# Concurrent Knowledge Extraction in Public-Key Models

- 581 Downloads
- 1 Citations

## Abstract

Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a computational complexity sense and enabling one to argue about the internal state of a party in a protocol without probing its internal secret state. However, when transactions are concurrent, say over the Internet, with players possessing public keys (as is common in cryptography), assuring that entities “know” what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. In such settings, mixing the public-key structure as part of the language and statements is a natural adversarial strategy. Here, we investigate how to formally treat knowledge possession by parties interacting concurrently in the public-key model. More technically, we look into the relative power of the notion of “concurrent knowledge extraction” (CKE) for concurrent zero knowledge (CZK) in the bare public-key (BPK) model, where the language and statements being proved can be dynamically and adaptively chosen by the prover and may be possibly based on verifiers’ public keys. By concrete attacks against some existing natural protocols, we first show that concurrent soundness and normal arguments of knowledge do not guarantee concurrent verifier security in the public-key setting. Here, roughly speaking, concurrent verifier security says that the malicious concurrent prover should “know" all the witnesses to all the *possibly public-key-related* statements adaptively chosen and successfully proved in the concurrent sessions. These concrete attacks serve as a good motivation for understanding “possession of knowledge” for concurrent transactions with registered public keys, i.e., the subtleties of concurrent knowledge extraction in the public-key model. This motivates us to introduce and formalize the notion of CKE, along with clarifications of various subtleties. Two implementations are then presented for constant-round concurrently knowledge extractable concurrent zero-knowledge (CZK–CKE) argument for \(\mathcal {NP}\) in the BPK model: One protocol is generic and based on standard polynomial-time assumptions, whereas the other protocol is computationally efficient and employs complexity leveraging in a novel way. Both protocols can be practically instantiated for some specific number-theoretic languages without going through general \(\mathcal {NP}\)-reductions. Of independent interest are the discussions about the subtleties surrounding the fundamental structure of Feige–Shamir zero knowledge in the BPK model.

## Keywords

Proof of knowledge Zero knowledge Bare public key Complexity leveraging Strong witness indistinguishability Witness-extended emulator## Notes

### Acknowledgments

First of all, we are grateful to the anonymous referees for their very helpful and insightful review comments and suggestions, which in particular have significantly improved this work. We are indebted to Oded Goldreich for many invaluable suggestions and discussions (particularly on strong WI and POK). We are grateful to Alessandra Scafuro and Ivan Visconti for many helpful discussions (particularly on round-optimal CZK in the BPK model) and for sending us an electronic copy of the work [75]. We thank Giovanni Di Crescenzo, Yehuda Lindell, Giuseppe Persiano and Alon Rosen for helpful discussions.

## References

- 1.B. Barak. How to Go Beyond the Black-Box Simulation Barrier. In
*IEEE Symposium on Foundations of Computer Science*, pages 106–115, 2001.Google Scholar - 2.B. Barak, R. Canetti, J. B. Nielsen and R. Pass. UniversallyComposable Protocols with Relaxed Set-Up Assumptions. In
*IEEESymposium on Foundations of Computer Science*, pages 186–195, 2004.Google Scholar - 3.B. Barak and O. Goldreich. Universal Arguments and Their Applications. In
*IEEE Conference on Computational Complexity*, pages 194–203, 2002.Google Scholar - 4.B. Barak, O. Goldreich, S. Goldwasser and Y. Lindell. Resettably-Sound Zero-Knowledge and Its Applications. In
*IEEE Symposium on Foundations of Computer Science*, pages 116–125, 2001.Google Scholar - 5.B. Barak and Y. Lindell. Strict Polynomial-Time in Simulation andExtraction.
*SIAM Journal on Computing*, 33(4): 783–818, 2004.Google Scholar - 6.B. Barak, Y. Lindell and S, Vadhan. Lower Bounds for Non-Black-Box Zero-Knowledge.
*Journal of Computer and System Sciences*, 72(2): 321–391, 2006.Google Scholar - 7.B. Barak, M. Prabhakaran, and A. Sahai. Concurrent Non-Malleable Zero-Knowledge. FOCS 2006: 345–354.Google Scholar
- 8.M. Bellare and O. Goldreich. On Defining Proofs of Knowledge In
*E. F. Brickell (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1992, LNCS 740*, pages 390–420, Springer-Verlag, 1992.Google Scholar - 9.M. Bellare and O. Goldreich. On Probabilistic versus Deterministic Provers in the Definition of Proofs Of Knowledge. Electronic Colloquium on Computational Complexity, 13(136), 2006. A slightly refined version also appears in [47], pages 114–123, 2011.Google Scholar
- 10.M. Bellare, R. Impagliazzo and M. Naor. Does Parallel RepetitionLower the Error in Computationally Sound Protocols? In
*IEEESymposium on Foundations of Computer Science*, pages 374–383, 1997.Google Scholar - 11.M. Blum. Coin Flipping by Telephone. In
*proc. IEEE Spring COMPCOM*, pages 133–137, 1982.Google Scholar - 12.M. Blum. How to Prove a Theorem so No One Else can Claim It. InProceedings of the International Congress of Mathematicians,Berkeley, California, USA, 1986, pp. 1444–1451.Google Scholar
- 13.D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring.
*Eurocrypt*1998: 59–71.Google Scholar - 14.G. Brassard, D. Chaum and C. Crepeau. Minimum Disclosure Proofsof Knowledge.
*Journal of Computer Systems and Science*, 37(2):156–189, 1988.Google Scholar - 15.R. Canetti, O. Goldreich, S. Goldwasser and S. Micali. Resettable Zero-Knowledge. In ACM Symposium on Theory of Computing, pp. 235–244, 2000. Available from:http://www.wisdom.weizmann.ac.il/~oded/
- 16.R. Canetti, J. Kilian, E. Petrank and A. Rosen. Black-BoxConcurrent Zero-Knowledge Requires (Almost) Logarithmically ManyRounds. In
*SIAM Journal on Computing*, 32(1): 1–47, 2002.Google Scholar - 17.C. Cho, R. Ostrovsky, A. Scafuro and I. Visconti. Simultaneously Resettable Arguments of Knowledge. TCC 2012: 530–547.Google Scholar
- 18.K. M. Chung, R. Ostrovsky, R. Pass, M. Venkitasubramaniam and I. Visconti. 4-Round Resettably-Sound Zero Knowledge. TCC 2014: 192–216.Google Scholar
- 19.R. Cramer. Modular Design of Secure, yet Practical Cryptographic Protocols, PhD Thesis, University of Amsterdam, 1996.Google Scholar
- 20.R. Cramer, I. Damgard and B. Schoenmakers. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In
*Y. Desmedt (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1994, LNCS 893*, pages 174–187. Springer-Verlag, 1994.Google Scholar - 21.I. Damgard. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model. In
*B. Preneel (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 2000, LNCS 1807*, pages 418–430. Springer-Verlag, 2000.Google Scholar - 22.I. Damgard. Lecture Notes on Cryptographic Protocol Theory. BRICS, Aarhus University, 2003. Available from: http://www.daimi.au.dk/~ivan/CPT.html
- 23.I. Damgard, T. Pedersen and B. Pfitzmann. On the Existence of Statistically-Hiding Bit Commitment and Fail-Stop Signatures. In CRYPTO 1993: 250–265.Google Scholar
- 24.Y. Deng and D. Lin. Resettable Zero Knowledge in the Bare Public Key Model under Standard Assumption. Inscrypt 2007, pages 123–137.Google Scholar
- 25.Y. Deng, D. Feng, V. Goyal, D. Lin, A. Sahai and M. Yung. Resettable Cryptography in Constant Rounds: the Case of Zero Knowledge. Asiacrypt 2011, pages 390–406. Available also from Cryptology ePrint Archive, Report No. 2011/408.Google Scholar
- 26.G. Di Crescenzo and R. Ostrovsky. On Concurrent Zero-Knowledge with Pre-Processing. In
*M. J. Wiener (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1999, LNCS 1666*, pages 485–502. Springer-Verlag, 1999.Google Scholar - 27.G. Di Crescenzo, G. Persiano and I. Visconti. Constant-Round Resettable Zero-Knowledge with Concurrent Soundness in the Bare Public Key Model. In
*M. Franklin (Ed.): Advances in Cryptology-Proceedings of CRYPTO 2004, LNCS 3152*, pages 237–253. Springer-Verlag, 2004.Google Scholar - 28.G. Di Crescenzo and I. Visconti. Concurrent Zero-Knowledge in the Public Key Model. In
*L. Caires et al. (Ed.): ICALP 2005, LNCS 3580*, pages 816–827. Springer-Verlag, 2005.Google Scholar - 29.G. Di Crescenzo and I. Visconti. Personal communications, 2004.Google Scholar
- 30.G. Di Crescenzo and I. Visconti. On Defining Proofs of Knowledge in the Bare Public Key Model. In
*Italian Conference on Theoretical Computer Science (ICTCS)*, 2007.Google Scholar - 31.D. Dolev, C. Dwork and M. Naor. Non-Malleable Cryptography. SIAM Journal on Computing, 30(2): 391–437, 2000. Preliminary version in
*ACM Symposium on Theory of Computing*, pages 542–552, 1991.Google Scholar - 32.C. Dwork, M. Naor and A. Sahai. Concurrent Zero-Knowledge. In
*ACM Symposium on Theory of Computing*, pages 409–418, 1998.Google Scholar - 33.C. Dwork and A. Sahai. Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints. In
*H. Krawczyk (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1998, LNCS 1462*, pages 442–457. Springer-Verlag, 1998.Google Scholar - 34.T. El Gamal. A Public Key Cryptosystem and Signature Scheme Basedon Discrete Logarithms.
*IEEE Transactions on InformationTheory*, 31: 469–472, 1985.Google Scholar - 35.U. Feige. Alternative Models for Zero-Knowledge Interactive Proofs. Ph.D Thesis, Weizmann Institute of Science, 1990.Google Scholar
- 36.U. Feige and Shamir. Zero-Knowledge Proofs of Knowledge in Two Rounds. In G. Brassard (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1989, LNCS 435, pages 526–544. Springer-Verlag, 1989.Google Scholar
- 37.U. Feige and A. Shamir. Witness Indistinguishability and WitnessHiding Protocols. In
*ACM Symposium on the Theory ofComputing*, pages 416–426, 1990.Google Scholar - 38.O. Goldreich.
*Foundation of Cryptography-Basic Tools*. Cambridge University Press, 2001.Google Scholar - 39.O. Goldreich.
*Foundations of Cryptography-Basic Applications*. Cambridge University Press, 2002.Google Scholar - 40.O. Goldreich.
*Studies in Complexity and Cryptography*. LNCS 6650, Springer-Verlag, 2011.Google Scholar - 41.O. Goldreich.
*Strong Proofs of Knowledge*. Pages 55–59 in [47].Google Scholar - 42.O. Goldreich and A. Kahan. How to Construct Constant-Round Zero-Knowledge Proof Systems for \(\cal NP\).
*Journal of Cryptology,*9(2): 167–189, 1996.Google Scholar - 43.O. Goldreich and H. Krawczyk. On the Composition of Zero-Knowledge Proof Systems.
*SIMA Journal on Computing,*25(1): 169–192, 1996.zbMATHMathSciNetCrossRefGoogle Scholar - 44.O. Goldreich, S. Micali and A. Wigderson. Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design. In
*IEEE Symposium on Foundations of Computer Science*, pages 174–187, 1986.Google Scholar - 45.O. Goldreich, S. Micali and A. Wigderson. How to Prove all \(\cal NP\)-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design. In
*A. M. Odlyzko (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1986, LNCS 263,*pages 104–110, Springer-Verlag, 1986.Google Scholar - 46.O. Goldreich, S. Micali and A. Wigderson. How to Play any Mental Game-A Completeness Theorem for Protocols with Honest Majority. In
*ACM Symposium on Theory of Computing*, pages 218–229, 1987.Google Scholar - 47.O. Goldreich, S. Micali and A. Wigderson. Proofs that Yield Nothing But Their Validity or All languages in \(\cal NP\) Have Zero-Knowledge Proof Systems.
*Journal of the Association for Computing Machinery,*38(1): 691–729, 1991. Preliminary version appears in [51, 52].Google Scholar - 48.S. Goldwasser, S. Micali and C. Rackoff. The Knowledge Complexity of Interactive Proof-Systems In
*ACM Symposium on Theory of Computing*, pages 291–304, 1985.Google Scholar - 49.S. Goldwasser, S. Micali and R. L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks.
*SIAM Journal on Computing*, 17(2): 281–308, 1988.zbMATHMathSciNetCrossRefGoogle Scholar - 50.V. Goyal, A. Jain, R. Ostrovsky, S. Richelson and I. Visconti. Concurrent Zero Knowledge in the Bounded Player Model. TCC 2013: 60–79.Google Scholar
- 51.V. Goyal, A. Jain, R. Ostrovsky, S. Richelson and I. Visconti. Constant-Round Concurrent Zero Knowledge in the Bounded Player Model. Asiacrypt 2013: 21–40.Google Scholar
- 52.L. Guillou and J. J. Quisquater. A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory. In
*C. G. Gnther (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 1988, LNCS 330*, pages 123–128, Springer-Verlag, 1988.Google Scholar - 53.J. Hastad, R. Impagliazzo, L. A. Levin and M. Luby. Construction of a Pseudorandom Generator from Any One-Way Function
*SIAM Journal on Computing*, 28(4): 1364–1396, 1999.zbMATHMathSciNetCrossRefGoogle Scholar - 54.H. Hastad, R. Pass, D. Wikstrom and K. Pietrzak. An Efficient Parallel Repetition Theorem. In TCC 2010, pages 1–18, 2010.Google Scholar
- 55.I. Haitner and O. Reingold. Statistically-Hiding Commitment from Any One-Way Function. STOC 2007: 1–10.Google Scholar
- 56.I. Haitner, O. Horvitz, J. Katz, C. Koo, R. Morselli and R. Shaltiel. Reducing Complexity Assumptions for Statistically-Hiding Commitments. In Eurocrypt 2005: 58–77.Google Scholar
- 57.S. Halevi and S. Micali. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. In CRYPTO 1996: 201–215.Google Scholar
- 58.J. Kilian and E. Petrank. Concurrent and resettable zero-knowledge in polyloalgorithm rounds. In STOC, pages 560–569, 2001.Google Scholar
- 59.D. Lapidot and A. Shamir. Publicly-Verifiable Non-Interactive Zero-Knowledge Proofs. In
*A.J. Menezes and S. A. Vanstone (Ed.): Advances in Cryptology-Proceedings of CRYPTO 1990, LNCS 537*, pages 353–365.Google Scholar - 60.H. Lin and R. Pass. Constant-Round Non-Malleable Commitments from Any One-Way Function. STOC 2011: 705–714.Google Scholar
- 61.Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation.
*Journal of Cryptology*, 16(3): 143–184, 2003. Preliminary version appeared in CRYPTO 2001.Google Scholar - 62.Y. Lindell. Constant-Round Zero-Knowledge Proof of Knowledge. ECCC Report No. 2011/003.Google Scholar
- 63.D. Micciancio and E. Petrank. Simulatable Commitments and Efficient Concurrent Zero-Knowledge. In
*E. Biham (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 2003, LNCS 2656*, pages 140–159. Springer-Verlag, 2003.Google Scholar - 64.S. Micali and L. Reyzin. Soundness in the Public Key Model. In
*J. Kilian (Ed.): Advances in Cryptology-Proceedings of CRYPTO 2001, LNCS 2139*, pages 542–565. Springer-Verlag, 2001.Google Scholar - 65.M. Naor. Bit Commitment Using Pseudorandomness.
*Journal of Cryptology*, 4(2): 151–158, 1991.zbMATHCrossRefGoogle Scholar - 66.M. Naor, R. Ostrovsky, R. Venkatesan and M. Yung. Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation.
*Journal of Cryptology*, 11(2): 87–108, 1998.zbMATHMathSciNetCrossRefGoogle Scholar - 67.M. Naor and M. Yung. Public Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks. In
*ACM Symposium on Theory of Computing*, pages 427–437, 1990.Google Scholar - 68.R. Ostrovsky, G. Persiano and I. Visconti. Constant-Round Concurrent Non-malleable Zero Knowledge in the Bare Public Key Model.
*ICALP(2) 2008, LNCS 5126*, pages 548–559, 2008. Full version available from ECCC Report No. 2006/095.Google Scholar - 69.R. Pass, W.-L. Dustin Tseng, and M. Venkitasubramaniam: Concurrent Zero Knowledge, Revisited.
*Journal of Cryptology*, 27(1): 45–66, 2014.Google Scholar - 70.R. Pass and A. Rosen. Concurrent Non-Malleable Commitments. SIAM Journal on Computing, 37(6): 1891–1925 (2008). Preliminary version appears in In
*IEEE Symposium on Foundations of Computer Science*, pages 563–572, 2005.Google Scholar - 71.R. Pass and M. Venkitasubramaniam. An Efficient Parallel Repetition Theorem for Arthur-Merlin Games. In
*ACM Symposium on Theory of Computing*, pages 420–429, 2007.Google Scholar - 72.M. Prabhakaran, A. Rosen and A. Sahai. Concurrent zero knowledge with logarithmic round-complexity. In FOCS, pages 366–375, 2002.Google Scholar
- 73.R. Richardson and J. Kilian. On the concurrent composition of zero-knowledge proofs. In Eurocrypt, pages 415–432, 1999.Google Scholar
- 74.P. Rogaway. Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys. Vietcrypt 2006, LNCS 4341, pages 221–228.Google Scholar
- 75.A. Scafuro and I. Visconti. On Round-Optimal Zero Knowledge in the Bare Public Key Model. Eurocrypt 2012, LNCS 7237, pages 153–171.Google Scholar
- 76.C. Schnorr. Efficient Signature Generation by Smart Cards.
*Journal of Cryptology*, 4(3): 24, 1991.MathSciNetCrossRefGoogle Scholar - 77.I. Visconti. Efficient Zero Knowledge on the Internet.
*ICALP 2006, LNCS 4052*, pages 22–33, Springer-Verlag.Google Scholar - 78.A. C. Yao. How to Generate and Exchange Secrets. In
*IEEE Symposium on Foundations of Computer Science*, pages 162–167, 1986.Google Scholar - 79.A. Yao, M. Yung and Y. Zhao. Concurrent Knowledge Extraction in the Public Key Model. ICALP 2010, Part I, LNCS 6198, pages 702–714, 2010. Preliminary version appears in Electronic Colloquium on Computational Complexity (ECCC), Report No. 2007/002.Google Scholar
- 80.M. Yung and Y. Zhao. Generic and practical resettable zero-knowledge in the bare public key model. In
*M. Naor (Ed.): Advances in Cryptology-Proceedings of Eurocrypt 2007, LNCS 4515*, pages 116–134, Springer-Verlag, 2007. Preliminary version appears in ECCC Report No. 2005/048.Google Scholar - 81.M. Yung and Y. Zhao. Interactive Zero-Knowledge with Restricted Random Oracles. In
*S. Halevi and T. Rabin (Ed.): Theory of Cryptography (TCC) 2006, LNCS 3876*, pages 21–40, Springer-Verlag, 2006.Google Scholar - 82.Y. Zhao. Concurrent/Resettable Zero-Knowledge With Concurrent Soundness in the Bare Public Key Model and Its Applications. Cryptology ePrint Archive, Report 2003/265.Google Scholar