Resettable zero-knowledge (extended abstract)

We introduce the notion of Resettable Zero-Knowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zero-knowledge. In essence, an rZK protocol is one that remains zero-knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing it to use the same random tape. All known examples of zero-knowledge proofs and arguments are trivially breakable in this setting. Moreover, by definition, all zero-knowledge proofs of knowledge are breakable in this setting. Under general complexity assumptions, which hold for example if the Discrete Logarithm Problem is hard, we construct:

• Resettable Zero-Knowledge proof-systems for NP with a non-constant number of rounds.
• Five-round Resettable Witness-Indistinguishable proof-systems for NP.
• Four-round Resettable Zero-Knowledge arguments for NP in the public-key model, where verifiers have fixed, public keys associated with them.

In addition to shedding new light on what makes zero knowledge possible (by constructing ZK protocols that use randomness in a dramatically weaker way than before), rZK has great relevance to applications. Firstly, rZK protocols are closed under parallel and concurrent execution and thus are guaranteed to be secure when implemented in fully asynchronous networks, even if an adversary schedules the arrival of every message sent so as to foil security. Secondly, rZK protocols enlarge the range of physical ways in which provers of ZK protocols can be securely implemented, including devices which cannot reliably toss coins on line, nor keep state between invocations. (For instance, because ordinary smart cards with secure hardware are resettable, they could not be used to implement securely the provers of classical ZK protocols, but can now be used to implement securely the provers of rZK protocols.)

* A subset of this work is included in patent application [21].
† IBM Research, Yorktown Heights, NY 10598; canetti@watson.ibm.com
‡ Dept. of Computer Science, Weizmann Institute of Science, Rehovot, ISRAEL; oded@wisdom.weizmann.ac.il. Supported by MINERVA Foundation, Germany.
§ Laboratory for Computer Science, MIT, Cambridge, MA 02139; shaih@theory.lcs.mit.edu
¶ Laboratory for Computer Science, MIT, Cambridge, MA 02139; silvio@theory.lcs.mit.edu

STOC 2000, Portland, Oregon, USA. Copyright ACM 2000 1-58113-184-4/00/5.
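As an added illustration (not part of the paper), the toy Python below models the two claims of the abstract: a classical proof-of-knowledge prover that is reset to the same random tape hands its witness to a verifier who simply issues two different challenges, while a prover whose coins are derived by a PRF from a verifier commitment (the general idea behind rZK constructions; the hash commitment, HMAC-as-PRF, group parameters, tape and nonce are all assumptions made here) gives the resetting verifier nothing usable.

```python
import hashlib
import hmac

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 has order q mod p.
P, Q, G = 2039, 1019, 4

class Prover:
    """Schnorr-style prover of knowledge of w = log_g(y) that is reset to this
    state between runs, so it never draws fresh coins. classic=True uses the
    tape as coins; classic=False derives coins as PRF(tape, verifier's first
    message) and requires a committed challenge: the general idea behind rZK
    constructions (an assumption here, not the paper's exact protocol)."""

    def __init__(self, w, tape, classic):
        self.w, self.tape, self.classic = w, tape, classic

    def commit(self, verifier_msg=b""):
        if self.classic:
            self.r = int.from_bytes(self.tape, "big") % Q
        else:
            self.c = verifier_msg
            tag = hmac.new(self.tape, verifier_msg, hashlib.sha256).digest()
            self.r = int.from_bytes(tag, "big") % Q
        return pow(G, self.r, P)  # first message a = g^r

    def respond(self, e, opening=b""):
        # rZK variant: answer only the challenge that opens the commitment the
        # coins were derived from; any other challenge is refused.
        if not self.classic and challenge_commitment(e, opening) != self.c:
            return None
        return (self.r + e * self.w) % Q  # z = r + e*w

def challenge_commitment(e, nonce):
    return hashlib.sha256(e.to_bytes(4, "big") + nonce).digest()

def verify(y, a, e, z):
    return pow(G, z, P) == a * pow(y, e, P) % P

def reset_twice(prover, e1, e2, nonce=b"constructed-nonce"):
    """Resetting verifier: rerun the prover from its initial state with the same
    first message but a different challenge, then solve both transcripts for w.
    The classic prover leaks w; the rZK prover reproduces a but is bound to e1
    by the reused commitment and refuses e2."""
    c = b"" if prover.classic else challenge_commitment(e1, nonce)
    a1, z1 = prover.commit(c), prover.respond(e1, nonce)
    a2, z2 = prover.commit(c), prover.respond(e2, nonce)  # reset, then rerun
    if a1 != a2 or z2 is None:
        return None
    return (z1 - z2) * pow(e1 - e2, -1, Q) % Q
```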

[1] Moni Naor, et al. Concurrent zero-knowledge, 1998, STOC '98.

[2] Silvio Micali, et al. The knowledge complexity of interactive proof-systems, 1985, STOC '85.

[3] Martin Tompa, et al. Random self-reducibility and zero knowledge interactive proofs of possession of information, 1987, 28th Annual Symposium on Foundations of Computer Science (SFCS 1987).

[4] Amos Fiat, et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems, 1986, CRYPTO.

[5] Amos Fiat, et al. Zero-knowledge proofs of identity, 1987, Journal of Cryptology.

[6] Leonid A. Levin, et al. A hard-core predicate for all one-way functions, 1989, STOC '89.

[7] Ivan Damgård, et al. Concurrent Zero-Knowledge is Easy in Practice, 1999, IACR Cryptol. ePrint Arch.

[8] Moni Naor, et al. Non-malleable cryptography, 1991, STOC '91.

[9] Johan Håstad, et al. Construction of a pseudo-random generator from any one-way function, 1989.

[10] Silvio Micali, et al. Interleaved Zero-Knowledge in the Public-Key Model, 1999, Electron. Colloquium Comput. Complex.

[11] Leonid A. Levin, et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[12] Andrew Chi-Chih Yao, et al. Theory and application of trapdoor functions, 1982, 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982).

[13] Adi Shamir, et al. Witness indistinguishable and witness hiding protocols, 1990, STOC '90.

[14] Amit Sahai, et al. Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints, 1998, CRYPTO.

[15] Ivan Damgård, et al. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model, 2000, EUROCRYPT.

[16] Silvio Micali, et al. How to construct random functions, 1986, JACM.

[17] Joe Kilian, et al. Lower bounds for zero knowledge on the Internet, 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No. 98CB36280).

[18] Joe Kilian, et al. On the Concurrent Composition of Zero-Knowledge Proofs, 1999, EUROCRYPT.

[19] David Chaum, et al. Minimum Disclosure Proofs of Knowledge, 1988, J. Comput. Syst. Sci.

[20] Ran Canetti, et al. Resettable Zero-Knowledge, 1999, IACR Cryptol. ePrint Arch.

[21] Kazuo Yamashiki. On 『F・O・U』 (Special Issue: The World of Haruo Satō; The World of the Works), 2002.

[22] Hugo Krawczyk, et al. On the Composition of Zero-Knowledge Proof Systems, 1990, ICALP.

[23] Silvio Micali, et al. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems, 1991, JACM.