301 research outputs found
Resettable Zero Knowledge in the Bare Public-Key Model under Standard Assumption
In this paper we resolve an open problem regarding resettable zero knowledge
in the bare public-key (BPK for short) model: Does there exist constant round
resettable zero knowledge argument with concurrent soundness for
in BPK model without assuming \emph{sub-exponential hardness}? We give a
positive answer to this question by presenting such a protocol for any language
in in the bare public-key model assuming only
collision-resistant hash functions against \emph{polynomial-time} adversaries.Comment: 19 pag
Concurrently Non-Malleable Zero Knowledge in the Authenticated Public-Key Model
We consider a type of zero-knowledge protocols that are of interest for their
practical applications within networks like the Internet: efficient
zero-knowledge arguments of knowledge that remain secure against concurrent
man-in-the-middle attacks. In an effort to reduce the setup assumptions
required for efficient zero-knowledge arguments of knowledge that remain secure
against concurrent man-in-the-middle attacks, we consider a model, which we
call the Authenticated Public-Key (APK) model. The APK model seems to
significantly reduce the setup assumptions made by the CRS model (as no trusted
party or honest execution of a centralized algorithm are required), and can be
seen as a slightly stronger variation of the Bare Public-Key (BPK) model from
\cite{CGGM,MR}, and a weaker variation of the registered public-key model used
in \cite{BCNP}. We then define and study man-in-the-middle attacks in the APK
model. Our main result is a constant-round concurrent non-malleable
zero-knowledge argument of knowledge for any polynomial-time relation
(associated to a language in ), under the (minimal) assumption of
the existence of a one-way function family. Furthermore,We show time-efficient
instantiations of our protocol based on known number-theoretic assumptions. We
also note a negative result with respect to further reducing the setup
assumptions of our protocol to those in the (unauthenticated) BPK model, by
showing that concurrently non-malleable zero-knowledge arguments of knowledge
in the BPK model are only possible for trivial languages
The Cryptographic Strength of Tamper-Proof Hardware
Tamper-proof hardware has found its way into our everyday life in various forms, be it SIM cards, credit cards or passports. Usually, a cryptographic key is embedded in these hardware tokens that allows the execution of simple cryptographic operations, such as encryption or digital signing. The inherent security guarantees of tamper-proof hardware, however, allow more complex and diverse applications
Concurrent Knowledge-Extraction in the Public-Key Model
Knowledge extraction is a fundamental notion, modelling machine possession of
values (witnesses) in a computational complexity sense. The notion provides an
essential tool for cryptographic protocol design and analysis, enabling one to
argue about the internal state of protocol players without ever looking at this
supposedly secret state. However, when transactions are concurrent (e.g., over
the Internet) with players possessing public-keys (as is common in
cryptography), assuring that entities ``know'' what they claim to know, where
adversaries may be well coordinated across different transactions, turns out to
be much more subtle and in need of re-examination. Here, we investigate how to
formally treat knowledge possession by parties (with registered public-keys)
interacting over the Internet. Stated more technically, we look into the
relative power of the notion of ``concurrent knowledge-extraction'' (CKE) in
the concurrent zero-knowledge (CZK) bare public-key (BPK) model.Comment: 38 pages, 4 figure
On the Impossibility of Approximate Obfuscation and Applications to Resettable Cryptography
The traditional notion of {\em program obfuscation} requires that an obfuscation of a program computes the exact same function as , but beyond that, the code of should not leak any information about . This strong notion of {\em virtual black-box} security was shown by Barak et al. (CRYPTO 2001) to be impossible to achieve, for certain {\em unobfuscatable function families}. The same work raised the question of {\em approximate obfuscation}, where the obfuscated is only required to approximate ; that is, only agrees with on some input distribution.
We show that, assuming {\em trapdoor permutations}, there exist families of {\em robust unobfuscatable functions} for which even approximate obfuscation is impossible. That is, obfuscation is impossible even if the obfuscated only agrees with with probability slightly more than , on a uniformly sampled input (below -agreement, the function obfuscated by is not uniquely defined). Additionally, we show that, assuming only one-way functions, we can rule out approximate obfuscation where is not allowed to err, but may refuse to compute with probability close to .
We then demonstrate the power of robust unobfuscatable functions by exhibiting new implications to resettable protocols that so far have been out of our reach. Concretely, we obtain a new non-black-box simulation technique that reduces the assumptions required for resettably-sound zero-knowledge protocols to {\em one-way functions}, as well as reduce round-complexity. We also present a new simplified construction of simultaneously resettable zero-knowledge protocols that does not rely on collision-resistent hashing. Finally, we construct a three-message simultaneously resettable \WI {\em argument of knowledge} (with a non-black-box knowledge extractor). Our constructions are based on a special kind of ``resettable slots that are useful for a non-black-box simulator, but not for a resetting prover
Efficient Resettably Secure Two-Party Computation
In 2000, Canetti, Goldreich, Goldwasser and Micali (STOC\u2700) proposed the notion of resettable zero-knowledge, which considers the scenario where a malicious verifier can reset the prover and force it to reuse its random tape. They provided a construction that resists such attacks, and in the following, the notion of resettability was considered in various other scenarios. Starting with resettably-sound zero-knowledge, over general resettable computation with one resettable party, to protocols where all parties are resettable.
Most of these results are only concerned with the feasibility of resettable computation, while efficiency is secondary. There is a considerable gap in the round- and communication-efficiency between actively secure protocols and resettably secure protocols. Following the work of Goyal and Sahai (EUROCRYPT\u2709), we study the round- and communication-efficiency of resettable two-party computation in the setting where one of the two parties is resettable, and close the gap between the two notions of security:
- We construct a fully simulatable resettable CRS in the plain model that directly yields constant-round resettable zero-knowledge and constant-round resettable two-party computation protocols in the plain model.
- We present a new resettability compiler that follows the approach of Ishai, Prabhakaran and Sahai (CRYPTO\u2708) and yields constant-rate resettable two-party computation
Resettably-Sound Zero-Knowledge and its Applications
Resettably-sound proofs and arguments remain sound even when the
prover can reset the verifier, and so force it to use the same
random coins in repeated executions of the protocol. We show that
resettably-sound zero-knowledge {\em arguments} for NP exist
if collision-resistant hash functions exist. In contrast,
resettably-sound zero-knowledge {\em proofs} are possible only
for languages in P/poly.
We present two applications of resettably-sound zero-knowledge
arguments. First, we construct resettable zero-knowledge arguments
of knowledge for NP, using a natural relaxation of the
definition of arguments (and proofs) of knowledge. We note that,
under the standard definition of proofs of knowledge, it is
impossible to obtain resettable zero-knowledge arguments of
knowledge for languages outside BPP. Second, we construct a
constant-round resettable zero-knowledge argument for NP in the
public-key model, under the assumption that collision-resistant
hash functions exist. This improves upon the sub-exponential
hardness assumption required by previous constructions.
We emphasize that our results use non-black-box zero-knowledge
simulations. Indeed, we show that some of the results are {\em
impossible} to achieve using black-box simulations. In
particular, only languages in BPP have resettably-sound
arguments that are zero-knowledge with respect to black-box
simulation
New Notions of Soundness and Simultaneous Resettability in the Public-Key Model
I n this paper, some new notions of soundness in public-key model are presented. We clarify the relationships among our new notions of soundness and the original 4 soundness notions presented by Micali and Reyzin. Our new soundness notions also characterize a new model for ZK protocols in public key model: weak soundness model. By ``weak” we mean for each common input x selected by a malicious prover on the fly, x is used by the malicious prover at most a-priori bounded polynomial times. The weak soundness model just lies in between BPK model and UPK model. Namely, it is weaker than BPK model but stronger than UPK model. In the weak soundness model (also in the UPK model, since weak soundness model implies UPK model), we get a 3-round black-box rZK arguments with weak resettable soundness for NP.
Note that simultaneous resettability is an important open problem in the field of ZK protocols. And Reyzin has proven that there are no ZK protocols with resettable soundness in the BPK model. It means that to achieve simultaneous resettability one needs to augment the BPK model in a reasonable fashion. Although Barak et al. [BGGL01] have proven that any language which has a black-box ZK arguments with resettable soundness is in BPP. It is the weak soundness that makes us to get simultaneous resettability.
More interestingly, our protocols work in a somewhat ``parallel repetition” manner to reduce the error probability and the verifier indeed has secret information with respect to historical transcripts. Note that in general the error probability of such protocols can not be reduced by parallel repetition. [BIN97]
At last, we give a 3-round non-black-box rZK arguments system with resettable soundness for NP in the preprocessing model in which a trusted third party is assumed. Our construction for such protocol is quite simple. Note that although the preprocessing model is quite imposing but it is still quite reasonable as indicated in [CGGM00]. For example, in many e-commerce setting a trusted third party is often assumed.
The critical tools used in this paper are: verifiable pseudorandom functions, zap and complexity leveraging. To our knowledge, our protocols are also the second application of verifiable pseudorandom functions. The first application is the 3-round rZK arguments with one-time soundness for NP in the public-key model as indicated by Micali and Reyzin [MR01a]
- …