A note on universal composable zero-knowledge in the common reference string model

Pass observed that universal composable zero-knowledge (UCZK) protocols in the common reference string (CRS) model lose deniability that is a natural security property and implication of the ZK functionality in accordance with the UC framework. An open problem (or, natural query) raised in the literature is: are there any other essential security properties, other than the well-known deniability property, that could be lost by UCZK in the CRS model, in comparison with the ZK functionality in accordance with the UC framework? In this work, we answer this open question (or, natural query), by showing that when running concurrently with other protocols UCZK in the CRS model can lose proof of knowledge (POK) property that is very essential and core security implication of the ZK functionality. This is demonstrated by concrete attack against naturally existing UCZK protocols in the CRS model. Then, motivated by our attack, we make further clarifications of the underlying reasons beneath the concrete attack, and investigate the precise security guarantee of UC with CRS.

[1]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[2]  Yehuda Lindell Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation , 2001, CRYPTO.

[3]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[4]  Joe Kilian,et al.  Uses of randomness in algorithms and protocols , 1990 .

[5]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[6]  Jonathan Katz,et al.  Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications , 2003, EUROCRYPT.

[7]  Yehuda Lindell,et al.  Lower Bounds for Concurrent Self Composition , 2004, TCC.

[8]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[9]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 1, Basic Tools , 2001 .

[10]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[11]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[12]  Yunlei Zhao,et al.  A Note on the Feasibility of Generalized Universal Composability , 2007, TAMC.

[13]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[14]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[15]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[16]  Manuel Blum,et al.  Coin flipping by telephone a protocol for solving impossible problems , 1983, SIGA.

[17]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[18]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[19]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[20]  Ran Canetti,et al.  Universally Composable Security with Global Setup , 2007, TCC.

[21]  Ran Canetti,et al.  Universal Composition with Joint State , 2003, CRYPTO.

[22]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[23]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[24]  Amit Sahai,et al.  Concurrent Non-Malleable Zero Knowledge , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[25]  Yehuda Lindell General Composition and Universal Composability in Secure Multiparty Computation , 2008, Journal of Cryptology.

[26]  Rafael Pass,et al.  On Deniability in the Common Reference String and Random Oracle Model , 2003, CRYPTO.

[27]  Yvo Desmedt,et al.  Advances in Cryptology — CRYPTO ’94 , 2001, Lecture Notes in Computer Science.

[28]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[29]  Andrew Odlyzko,et al.  Advances in Cryptology — CRYPTO’ 86 , 2000, Lecture Notes in Computer Science.

[30]  Mihir Bellare,et al.  On Probabilistic versus Deterministic Provers in the Definition of Proofs Of Knowledge , 2006, IACR Cryptol. ePrint Arch..

[31]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[32]  Ronald Cramer,et al.  Modular Design of Secure yet Practical Cryptographic Protocols , 1997 .

[33]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[34]  Oded Goldreich,et al.  Foundations of Cryptography: List of Figures , 2001 .

[35]  Adi Shamir,et al.  Witness indistinguishable and witness hiding protocols , 1990, STOC '90.

[36]  Niklaus Wirth,et al.  Advances in Cryptology — EUROCRYPT ’88 , 2000, Lecture Notes in Computer Science.

[37]  Ran Canetti,et al.  Security and composition of cryptographic protocols: a tutorial (part I) , 2006, SIGA.

[38]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[39]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[40]  Manuel Blum,et al.  Coin Flipping by Telephone. , 1981, CRYPTO 1981.

[41]  Silvio Micali,et al.  How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design , 1986, CRYPTO.

[42]  Juan A. Garay,et al.  Strengthening Zero-Knowledge Protocols Using Signatures , 2003, EUROCRYPT.

[43]  Yehuda Lindell,et al.  General Composition and Universal Composability in Secure Multiparty Computation , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[44]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[45]  Yehuda Lindell,et al.  On the Limitations of Universally Composable Two-Party Computation without Set-up Assumptions , 2003, EUROCRYPT.

[46]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[47]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[48]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[49]  Manuel Blum,et al.  How to Prove a Theorem So No One Else Can Claim It , 2010 .