论文信息 - Concurrent Knowledge Extraction in Public-Key Models

Concurrent Knowledge Extraction in Public-Key Models

Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a computational complexity sense and enabling one to argue about the internal state of a party in a protocol without probing its internal secret state. However, when transactions are concurrent, say over the Internet, with players possessing public keys (as is common in cryptography), assuring that entities “know” what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. In such settings, mixing the public-key structure as part of the language and statements is a natural adversarial strategy. Here, we investigate how to formally treat knowledge possession by parties interacting concurrently in the public-key model. More technically, we look into the relative power of the notion of “concurrent knowledge extraction” (CKE) for concurrent zero knowledge (CZK) in the bare public-key (BPK) model, where the language and statements being proved can be dynamically and adaptively chosen by the prover and may be possibly based on verifiers’ public keys. By concrete attacks against some existing natural protocols, we first show that concurrent soundness and normal arguments of knowledge do not guarantee concurrent verifier security in the public-key setting. Here, roughly speaking, concurrent verifier security says that the malicious concurrent prover should “know" all the witnesses to all the possibly public-key-related statements adaptively chosen and successfully proved in the concurrent sessions. These concrete attacks serve as a good motivation for understanding “possession of knowledge” for concurrent transactions with registered public keys, i.e., the subtleties of concurrent knowledge extraction in the public-key model. This motivates us to introduce and formalize the notion of CKE, along with clarifications of various subtleties. Two implementations are then presented for constant-round concurrently knowledge extractable concurrent zero-knowledge (CZK–CKE) argument for $$\mathcal {NP}$$NP in the BPK model: One protocol is generic and based on standard polynomial-time assumptions, whereas the other protocol is computationally efficient and employs complexity leveraging in a novel way. Both protocols can be practically instantiated for some specific number-theoretic languages without going through general $$\mathcal {NP}$$NP-reductions. Of independent interest are the discussions about the subtleties surrounding the fundamental structure of Feige–Shamir zero knowledge in the BPK model.

[1] Ivan Damgård,et al. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[2] Giovanni Di Crescenzo,et al. Concurrent Zero Knowledge in the Public-Key Model , 2005, ICALP.

[3] Rafail Ostrovsky,et al. 4-Round Resettably-Sound Zero Knowledge , 2014, TCC.

[4] Johan Hstad,et al. Construction of a pseudo-random generator from any one-way function , 1989 .

[5] Yehuda Lindell,et al. Concurrent Composition of Secure Protocols in the Timing Model , 2007, Journal of Cryptology.

[6] Jonathan Katz,et al. Efficient cryptographic protocols preventing man-in-the-middle attacks , 2002 .

[7] Dongdai Lin,et al. Concurrently Non-Malleable Zero Knowledge in the Authenticated Public-Key Model , 2006, IACR Cryptol. ePrint Arch..

[8] Phillip Rogaway,et al. Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys , 2006, IACR Cryptol. ePrint Arch..

[9] Moni Naor,et al. Nonmalleable Cryptography , 2000, SIAM Rev..

[10] David Chaum,et al. Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[11] Rafail Ostrovsky,et al. Concurrent Non-Malleable Witness Indistinguishability and its Applications , 2006, Electron. Colloquium Comput. Complex..

[12] Yehuda Lindell,et al. Resettably-sound zero-knowledge and its applications , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[13] Rafail Ostrovsky,et al. Constant-Round Concurrent Non-malleable Zero Knowledge in the Bare Public-Key Model , 2008, ICALP.

[14] Yehuda Lindell,et al. Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[15] Yehuda Lindell,et al. Constant-Round Zero-Knowledge Proofs of Knowledge , 2010, IACR Cryptol. ePrint Arch..

[16] Claus-Peter Schnorr,et al. Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[17] Moni Naor,et al. Does parallel repetition lower the error in computationally sound protocols? , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[18] Ivan Visconti,et al. On Round-Optimal Zero Knowledge in the Bare Public-Key Model , 2012, EUROCRYPT.

[19] Joe Kilian,et al. Concurrent and resettable zero-knowledge in poly-loalgorithm rounds , 2001, STOC '01.

[20] Oded Goldreich,et al. Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[21] Silvio Micali,et al. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[22] Dongdai Lin,et al. Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model under Standard Assumption , 2007, Inscrypt.

[23] Silvio Micali,et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[24] Ran Canetti,et al. Universally composable protocols with relaxed set-up assumptions , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[25] Rafael Pass,et al. Concurrent Zero Knowledge, Revisited , 2012, Journal of Cryptology.

[26] Rafail Ostrovsky,et al. Simultaneously Resettable Arguments of Knowledge , 2012, TCC.

[27] Silvio Micali,et al. Soundness in the Public-Key Model , 2001, CRYPTO.

[28] Ronald Cramer,et al. Modular Design of Secure yet Practical Cryptographic Protocols , 1997 .

[29] Yunlei Zhao,et al. Concurrent/Resettable Zero-Knowledge With Concurrent Soundness in the Bare Public-Key Model and Its Applications , 2003, IACR Cryptol. ePrint Arch..

[30] Boaz Barak,et al. How to go beyond the black-box simulation barrier , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[31] Amit Sahai,et al. Concurrent zero knowledge with logarithmic round-complexity , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[32] Oded Goldreich,et al. How to construct constant-round zero-knowledge proof systems for NP , 1996, Journal of Cryptology.

[33] Mihir Bellare,et al. Subtleties in the Definition of IND-CCA: When and How Should Challenge Decryption Be Disallowed? , 2013, Journal of Cryptology.

[34] Ivan Damgård,et al. On the Existence of Bit Commitment Schemes and Zero-Knowledge Proofs , 1989, CRYPTO.

[35] Oded Goldreich,et al. Foundations of Cryptography: Basic Tools , 2000 .

[36] Joe Kilian,et al. On the Concurrent Composition of Zero-Knowledge Proofs , 1999, EUROCRYPT.

[37] Jonathan Katz,et al. Reducing Complexity Assumptions for Statistically-Hiding Commitment , 2009, Journal of Cryptology.

[38] Manuel Blum,et al. How to Prove a Theorem So No One Else Can Claim It , 2010 .

[39] Ran Canetti,et al. Resettable zero-knowledge (extended abstract) , 2000, STOC '00.

[40] Jonathan Katz,et al. Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications , 2003, EUROCRYPT.

[41] A. Yao,et al. Fair exchange with a semi-trusted third party (extended abstract) , 1997, CCS '97.

[42] Yehuda Lindell,et al. Bounded-concurrent secure two-party computation without setup assumptions , 2003, STOC '03.

[43] Dongdai Lin,et al. Resettable Zero Knowledge in the Bare Public-Key Model under Standard Assumption , 2006, IACR Cryptol. ePrint Arch..

[44] Silvio Micali,et al. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[45] Amit Sahai,et al. Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints , 1998, CRYPTO.

[46] Oded Goldreich. Foundations of Cryptography: Index , 2001 .

[47] Rafael Pass,et al. New and improved constructions of non-malleable cryptographic protocols , 2005, STOC '05.

[48] Yunlei Zhao,et al. Interactive Zero-Knowledge with Restricted Random Oracles , 2006, TCC.

[49] Rafail Ostrovsky,et al. Constant-Round Concurrent NMWI and its relation to NMZK , 2006, IACR Cryptol. ePrint Arch..

[50] Rafail Ostrovsky,et al. On Concurrent Zero-Knowledge with Pre-processing , 1999, CRYPTO.

[51] Phillip Rogaway,et al. Formalizing Human Ignorance , 2006, VIETCRYPT.

[52] Amit Sahai,et al. Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[53] Rafael Pass,et al. An efficient parallel repetition theorem for Arthur-Merlin games , 2007, STOC '07.

[54] Erez Petrank,et al. Simulatable Commitments and Efficient Concurrent Zero-Knowledge , 2003, EUROCRYPT.

[55] Moni Naor,et al. Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[56] Ran Canetti,et al. Resettable Zero-Knowledge , 1999, IACR Cryptol. ePrint Arch..

[57] Amit Sahai,et al. Concurrent Non-Malleable Zero Knowledge , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[58] Ran Canetti,et al. Black-Box Concurrent Zero-Knowledge Requires (Almost) Logarithmically Many Rounds , 2002, SIAM J. Comput..

[59] Leonid A. Levin,et al. A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[60] Richard E. Overill,et al. Foundations of Cryptography: Basic Tools , 2002, J. Log. Comput..

[61] Yunlei Zhao,et al. Adaptive Concurrent Non-Malleability with Bare Public-Keys , 2009, IACR Cryptol. ePrint Arch..

[62] Manuel Blum,et al. Coin Flipping by Telephone. , 1981, CRYPTO 1981.

[63] Silvio Micali,et al. How to Prove all NP-Statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design , 1986, CRYPTO.

[64] Moni Naor,et al. Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[65] Rafael Pass,et al. Constant-round non-malleable commitments from any one-way function , 2011, STOC '11.

[66] Yunlei Zhao,et al. Generic yet Practical ZK Arguments from any Public-Coin HVZK , 2005, Electron. Colloquium Comput. Complex..

[67] Adi Shamir,et al. Publicly Verifiable Non-Interactive Zero-Knowledge Proofs , 1990, CRYPTO.

[68] Rafael Pass,et al. Concurrent non-malleable commitments , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[69] Silvio Micali,et al. The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[70] T. Elgamal. A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[71] Yehuda Lindell,et al. Strict Polynomial-Time in Simulation and Extraction , 2004, SIAM J. Comput..

[72] Juan A. Garay,et al. Concurrent oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[73] Rafael Pass,et al. New and Improved Constructions of Nonmalleable Cryptographic Protocols , 2008, SIAM J. Comput..

[74] Joe Kilian,et al. Uses of randomness in algorithms and protocols , 1990 .

[75] Hugo Krawczyk,et al. On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[76] Omer Reingold,et al. Statistically-hiding commitment from any one-way function , 2007, STOC '07.

[77] Ivan Visconti,et al. Efficient Zero Knowledge on the Internet , 2006, ICALP.

[78] Ivan Damgård,et al. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[79] Rafail Ostrovsky,et al. Concurrent Zero Knowledge in the Bounded Player Model , 2013, TCC.

[80] Yehuda Lindell,et al. Lower Bounds for Concurrent Self Composition , 2004, TCC.

[81] Rafael Pass,et al. An Efficient Parallel Repetition Theorem , 2010, TCC.

[82] Jean-Jacques Quisquater,et al. A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[83] Giovanni Di Crescenzo,et al. On Defining Proofs of Knowledge in the Bare Public Key Model , 2007, ICTCS.

[84] Yehuda Lindell,et al. Lower bounds for non-black-box zero knowledge , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[85] Moni Naor,et al. Concurrent zero-knowledge , 1998, STOC '98.

[86] Giovanni Di Crescenzo,et al. Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model , 2004, CRYPTO.

[87] Silvio Micali,et al. Input-Indistinguishable Computation , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[88] Dan Boneh,et al. Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[89] Yunlei Zhao,et al. Generic and Practical Resettable Zero-Knowledge in the Bare Public-Key Model , 2007, EUROCRYPT.

[90] Yehuda Lindell,et al. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation , 2001, Journal of Cryptology.

[91] Silvio Micali,et al. How to play ANY mental game , 1987, STOC.

[92] Oded Goldreich,et al. Universal arguments and their applications , 2002, Proceedings 17th IEEE Annual Conference on Computational Complexity.

[93] Jonathan Katz,et al. Reducing Complexity Assumptions for Statistically-Hiding Commitment , 2005, EUROCRYPT.

[94] Mihir Bellare,et al. On Probabilistic versus Deterministic Provers in the Definition of Proofs Of Knowledge , 2006, IACR Cryptol. ePrint Arch..

[95] Ivan Damgård,et al. On the Existence of Statistically Hiding Bit Commitment Schemes and Fail-Stop Signatures , 1993, CRYPTO.

[96] Dongdai Lin,et al. Resettable Cryptography in Constant Rounds - the Case of Zero Knowledge , 2011, IACR Cryptol. ePrint Arch..