Constant-Round Concurrent NMWI and its relation to NMZK

One of the central questions in Cryptography is to design round-efficient protocols that are secure under man-in-the-middle attacks. In this paper we introduce and study the notion of non-malleable witness indistinguishability (NMWI) and examine its relation with the classic notion of non-malleable zero knowledge (NMZK). Indeed, despite tremendous applicability of witness indistinguishability, while a lot of attention has been given to NMZK, very little attention has been given to witness indistinguishability in case of man-in-the-middle attacks. We initiate this study, with several (perhaps somewhat surprising) results: • We give the first definition of NMWI proof systems. Just like every NMZK proof is a zero-knowledge proof which aims to attain a very strong proof independence property, we require (and formalize) the notion that every NMWI proof is a witness indistinguishable proof system which enjoys a very strong witness independence property against any man-in-the-middle attack. • We show the existence of a constant-round NMWI argument system for NP in the standard model (i.e. without any trusted or any other setup assumptions). • It is known that every zero-knowledge (ZK) argument is also a witness indistinguishable (WI) argument, but not vice-versa, i.e. ZK ( WI. Rather surprisingly, we show that NMWI and NMZK argument systems are incomparable. That is, we show that there exists a NMZK argument system that is not a NMWI argument system and we also show that there is a NMWI argument system that is not a NMZK argument system. • We show that our constant-round NMWI argument system is also secure under a concurrent man-in-the-middle attack, i.e., it is a concurrent constant-round NMWI argument system. This is somewhat surprising since the question of a constant-round concurrent NMZK argument system is still open. • We then turn our attention to Bare Public-Key (BPK) model. We show how to expand upon our concurrent NMWI result in the plain model to obtain a constant-round concurrent NMZK argument system for any NP language in the BPK model.

[1]  Yehuda Lindell,et al.  Concurrent general composition of secure protocols in the timing model , 2005, STOC '05.

[2]  Rafail Ostrovsky,et al.  Non-interactive Zaps and New Techniques for NIZK , 2006, CRYPTO.

[3]  Joe Kilian,et al.  On the Concurrent Composition of Zero-Knowledge Proofs , 1999, EUROCRYPT.

[4]  Silvio Micali,et al.  Soundness in the Public-Key Model , 2001, CRYPTO.

[5]  Giovanni Di Crescenzo,et al.  Concurrent Zero Knowledge in the Public-Key Model , 2005, ICALP.

[6]  Ran Canetti,et al.  Resettable zero-knowledge (extended abstract) , 2000, STOC '00.

[7]  Boaz Barak,et al.  Constant-round coin-tossing with a man in the middle or realizing the shared random string model , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[8]  Moni Naor,et al.  Concurrent zero-knowledge , 2004, JACM.

[9]  Rafael Pass,et al.  New and improved constructions of non-malleable cryptographic protocols , 2005, STOC '05.

[10]  Ran Canetti,et al.  Universally composable protocols with relaxed set-up assumptions , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[11]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[12]  Rafael Pass,et al.  Concurrent non-malleable commitments , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[13]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[14]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[15]  Yehuda Lindell,et al.  Resettably-sound zero-knowledge and its applications , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[16]  Leonid Reyzin,et al.  Zero-knowledge with public keys , 2001 .

[17]  Amit Sahai,et al.  New notions of security: achieving universal composability without trusted setup , 2004, STOC '04.

[18]  Joe Kilian,et al.  Concurrent and resettable zero-knowledge in poly-loalgorithm rounds , 2001, STOC '01.

[19]  Boaz Barak,et al.  How to go beyond the black-box simulation barrier , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[20]  Giovanni Di Crescenzo,et al.  Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model , 2004, CRYPTO.

[21]  Adi Shamir,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999, SIAM J. Comput..

[22]  Amit Sahai,et al.  How to play almost any mental game over the net - concurrent composition via super-polynomial simulation , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[23]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[24]  Amit Sahai,et al.  Concurrent Non-Malleable Zero Knowledge , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[25]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[26]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[27]  Silvio Micali,et al.  Input-Indistinguishable Computation , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[28]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[29]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[30]  Adi Shamir,et al.  Witness indistinguishable and witness hiding protocols , 1990, STOC '90.

[31]  Joe Kilian,et al.  Uses of randomness in algorithms and protocols , 1990 .

[32]  Moni Naor,et al.  Zaps and Their Applications , 2007, SIAM J. Comput..

[33]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[34]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.