NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion

  • Mihir Bellare
  • Georg Fuchsbauer
  • Alessandra Scafuro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10032)

Abstract

Motivated by the subversion of “trusted” public parameters in mass-surveillance activities, this paper studies the security of NIZKs in the presence of a maliciously chosen common reference string. We provide definitions for subversion soundness, subversion witness indistinguishability and subversion zero knowledge. We then provide both negative and positive results, showing that certain combinations of goals are unachievable but giving protocols to achieve other combinations.

Notes

Acknowledgments

Bellare was supported in part by NSF grants CNS-1228890 and CNS-1526801, ERC Project ERCC FP7/615074 and a gift from Microsoft Corporation. Fuchsbauer was supported in part by the European Research Council under the European Community's Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 CryptoCloud). This work was done in part while Bellare and Scafuro were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467. We thank Yuval Ishai for helpful discussions and information.

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Mihir Bellare: Department of Computer Science and Engineering, University of California, San Diego, San Diego, USA
  • Georg Fuchsbauer: Inria, Ecole Normale Supérieure, CNRS and PSL Research University, Paris, France
  • Alessandra Scafuro: Department of Computer Science, North Carolina State University, Raleigh, USA