NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion

Motivated by the subversion of "trusted" public parameters in mass-surveillance activities, this paper studies the security of NIZKs in the presence of a maliciously chosen common reference string. We provide definitions for subversion soundness, subversion witness indistinguishability and subversion zero knowledge. We then provide both negative and positive results, showing that certain combinations of goals are unachievable but giving protocols to achieve other combinations.

[1]  Moti Yung,et al.  Kleptography: Using Cryptography Against Cryptography , 1997, EUROCRYPT.

[2]  Rafail Ostrovsky,et al.  Non-interactive Zaps and New Techniques for NIZK , 2006, CRYPTO.

[3]  Hoeteck Wee,et al.  Lower Bounds for Non-interactive Zero-Knowledge , 2007, TCC.

[4]  Mihir Bellare,et al.  New Paradigms for Digital Signatures and Message Authentication Based on Non-Interative Zero Knowledge Proofs , 1989, CRYPTO.

[5]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[6]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[7]  Aggelos Kiayias,et al.  DEMOS-2: Scalable E2E Verifiable Elections without Random Oracles , 2015, CCS.

[8]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, Journal of Cryptology.

[9]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[10]  Jens Groth,et al.  Efficient Fully Structure-Preserving Signatures for Large Messages , 2015, IACR Cryptol. ePrint Arch..

[11]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[12]  Eli Ben-Sasson,et al.  Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs , 2015, 2015 IEEE Symposium on Security and Privacy.

[13]  Rafail Ostrovsky,et al.  Cryptography in the Multi-string Model , 2007, CRYPTO.

[14]  Kenneth G. Paterson,et al.  Imprimitive Permutation Groups and Trapdoors in Iterated Block Ciphers , 1999, FSE.

[15]  Yehuda Lindell,et al.  Lower bounds for non-black-box zero knowledge , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[16]  Mihir Bellare,et al.  The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols , 2004, CRYPTO.

[17]  Christiaan E. van de Woestijne,et al.  Construction of Rational Points on Elliptic Curves over Finite Fields , 2006, ANTS.

[18]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[19]  Amit Sahai,et al.  Bringing People of Different Beliefs Together to Do UC , 2011, TCC.

[20]  Moti Yung,et al.  Cliptography: Clipping the Power of Kleptographic Attacks , 2016, ASIACRYPT.

[21]  Yevgeniy Dodis,et al.  A Formal Treatment of Backdoored Pseudorandom Generators , 2015, EUROCRYPT.

[22]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[23]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[24]  Ilias Diakonikolas,et al.  Testing for Concise Representations , 2007, FOCS 2007.

[25]  Tanja Lange,et al.  On the Practical Exploitability of Dual EC in TLS Implementations , 2014, USENIX Security Symposium.

[26]  R. Pass,et al.  Cryptography from Sunspots: How to Use an Imperfect Reference String , 2007, FOCS 2007.

[27]  Moti Yung,et al.  The Dark Side of "Black-Box" Cryptography, or: Should We Trust Capstone? , 1996, CRYPTO.

[28]  Mehdi Tibouchi,et al.  Structure-Preserving Signatures from Type II Pairings , 2014, CRYPTO.

[29]  Manuel Blum,et al.  Non-Interactive Zero-Knowledge and Its Applications (Extended Abstract) , 1988, STOC 1988.

[30]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[31]  Melissa Chase,et al.  On Signatures of Knowledge , 2006, CRYPTO.

[32]  Louis Goubin,et al.  Asymmetric cryptography with S-Boxes , 1997, ICICS.

[33]  Tanja Lange,et al.  Dual EC: A Standardized Back Door , 2015, The New Codebreakers.

[34]  Giuseppe Ateniese,et al.  Subversion-Resilient Signature Schemes , 2015, IACR Cryptol. ePrint Arch..

[35]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[36]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[37]  Abhi Shelat,et al.  Cryptography from Sunspots: How to Use an Imperfect Reference String , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[38]  Oded Goldreich,et al.  A uniform-complexity treatment of encryption and zero-knowledge , 1993, Journal of Cryptology.

[39]  Jens Groth,et al.  Fine-Tuning Groth-Sahai Proofs , 2014, IACR Cryptol. ePrint Arch..

[40]  Nir Bitansky,et al.  On the existence of extractable one-way functions , 2014, SIAM J. Comput..

[41]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[42]  Eli Ben-Sasson,et al.  Scalable Zero Knowledge Via Cycles of Elliptic Curves , 2014, Algorithmica.

[43]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, CRYPTO.

[44]  Jens Groth,et al.  Short Pairing-Based Non-interactive Zero-Knowledge Arguments , 2010, ASIACRYPT.

[45]  Yevgeniy Dodis,et al.  Efficient Public-Key Cryptography in the Presence of Key Leakage , 2010, ASIACRYPT.

[46]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[47]  Silvio Micali,et al.  CS proofs , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[48]  Vincent Rijmen,et al.  A Family of Trapdoor Ciphers , 1997, FSE.

[49]  Ran Canetti,et al.  Resettable zero-knowledge (extended abstract) , 2000, STOC '00.

[50]  Rafael Pass,et al.  On the Possibility of One-Message Weak Zero-Knowledge , 2004, TCC.

[51]  Silvio Micali,et al.  CS Proofs (Extended Abstracts) , 1994, FOCS 1994.

[52]  Rafael Pass,et al.  On Deniability in the Common Reference String and Random Oracle Model , 2003, CRYPTO.

[53]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[54]  Jean-Sébastien Coron,et al.  Efficient Indifferentiable Hashing into Ordinary Elliptic Curves , 2010, CRYPTO.

[55]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[56]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[57]  Moni Naor,et al.  Zaps and Their Applications , 2007, SIAM J. Comput..

[58]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[59]  Aggelos Kiayias,et al.  Distributing the setup in universally composable multi-party computation , 2014, PODC '14.

[60]  Toshiaki Tanaka,et al.  On the Existence of 3-Round Zero-Knowledge Protocols , 1998, CRYPTO.

[61]  Kenneth G. Paterson,et al.  Security of Symmetric Encryption against Mass Surveillance , 2014, IACR Cryptol. ePrint Arch..

[62]  Oded Goldreich,et al.  Definitions and properties of zero-knowledge proof systems , 1994, Journal of Cryptology.