Concurrent Knowledge Extraction in the Public-Key Model

  • Andrew C. Yao
  • Moti Yung
  • Yunlei Zhao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6198)


Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a computational complexity sense and enabling one to argue about the internal state of a party in a protocol without probing its internal secret state. However, when transactions are concurrent (e.g., over the Internet) with players possessing public-keys (as is common in cryptography), assuring that entities “know” what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. Here, we investigate how to formally treat knowledge possession by parties (with registered public-keys) interacting over the Internet. Stated more technically, we look into the relative power of the notion of “concurrent knowledge-extraction” (CKE) in the concurrent zero-knowledge (CZK) bare public-key (BPK) model where statements being proven can be dynamically and adaptively chosen by the prover.

We show that the potential vulnerability to man-in-the-middle (MIM) attacks turns out to be a real security threat to existing natural protocols running concurrently in the public-key model, which motivates us to introduce and formalize the notion of CKE, along with clarifications of various subtleties. Then, both generic (based on standard polynomial assumptions) and efficient (employing complexity leveraging in a novel way) implementations for \(\mathcal{NP}\) are presented for constant-round (in particular, round-optimal) concurrently knowledge-extractable concurrent zero-knowledge (CZK-CKE) arguments in the BPK model. The efficient implementation can be further practically instantiated for specific number-theoretic languages.







Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Andrew C. Yao (1)
  • Moti Yung (2)
  • Yunlei Zhao (3)
  1. ITCS, Tsinghua University, Beijing, China
  2. Google Inc. and Columbia University, New York, USA
  3. Software School, Fudan University, Shanghai, China
