Concurrent Non-Malleable Witness Indistinguishability and its Applications

One of the central questions in Cryptography today is proving security of protocols “on the Internet”, i.e., in a concurrent setting where there are multiple interactions between players, and where the adversary can mount so-called “man-in-the-middle” attacks, forwarding and modifying messages between two or more unsuspecting players. Indeed, the main challenge in this setting is to provide security with respect to adaptive concurrent composition of protocols and also the non-malleability property, where “man-in-the-middle” attacks are prevented. Despite much research effort, we do not know how to implement many basic tasks in this setting (which features concurrent composition and man-in-the-middle attacks). Indeed, even for tasks such as zero-knowledge proofs, which play an essential role in Cryptography, it is not known how to construct a protocol that satisfies both security guarantees simultaneously. In this paper, we consider a slightly weaker notion than zero-knowledge, namely witness indistinguishability of proofs, which is nevertheless an extremely important building block in Cryptography. Despite its importance, neither formulations nor constructions that satisfy both concurrent composition and resilience against man-in-the-middle attacks were known. The main contribution of this paper is to put forward the definition of concurrent non-malleable witness indistinguishability (in fact, we give two different definitions) and to show a constant-round construction using non-black-box techniques. Furthermore, we show that this construction allows us to solve some important open problems.
More specifically, based on our construction of a constant-round input-adaptive concurrent non-malleable witness-indistinguishable argument of knowledge, we construct a constant-round input-adaptive concurrent non-malleable zero-knowledge argument of knowledge in the Bare Public-Key Model (the BPK model, in short), which was first proposed in [Canetti et al., STOC 2000]. The BPK model makes very minimal set-up assumptions; therefore our result improves the current state of the art, as previous results required either the existence of trusted third parties (trusted PKI, common reference string), or made physical assumptions (common reference string), or achieved only quasi security (simulation in super-polynomial time) or quasi concurrency (timing assumptions, bounded concurrency). By plugging our results into known constructions, we achieve constant-round zero-knowledge and then (n-1)-secure multi-party computation under general concurrent composition in the BPK model.

[1] Silvio Micali et al. The round complexity of secure protocols. STOC '90, 1990.

[2] Yehuda Lindell et al. Secure Computation without Agreement. DISC, 2002.

[3] Rafail Ostrovsky et al. Robust Non-interactive Zero Knowledge. CRYPTO, 2001.

[4] Yehuda Lindell et al. Universally composable two-party and multi-party secure computation. STOC '02, 2002.

[5] Giovanni Di Crescenzo et al. Concurrent Zero Knowledge in the Public-Key Model. ICALP, 2005.

[6] Silvio Micali et al. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. JACM, 1991.

[7] Joe Kilian et al. On the Concurrent Composition of Zero-Knowledge Proofs. EUROCRYPT, 1999.

[8] Rafael Pass et al. Bounded-concurrent secure multi-party computation with a dishonest majority. STOC '04, 2004.

[9] Silvio Micali et al. Soundness in the Public-Key Model. CRYPTO, 2001.

[10] Rafael Pass et al. Bounded-concurrent secure two-party computation in a constant number of rounds. 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2003.

[11] Joe Kilian et al. Lower bounds for zero knowledge on the Internet. 39th Annual Symposium on Foundations of Computer Science (FOCS), 1998.

[12] Ran Canetti et al. Black-Box Concurrent Zero-Knowledge Requires Ω̃(log n) Rounds. Electronic Colloquium on Computational Complexity, 2001.

[13] Ran Canetti et al. Resettable zero-knowledge (extended abstract). STOC '00, 2000.

[14] Boaz Barak et al. Constant-round coin-tossing with a man in the middle or realizing the shared random string model. 43rd Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2002.

[15] Leonid Reyzin et al. Zero-knowledge with public keys. 2001.

[16] Amit Sahai et al. New notions of security: achieving universal composability without trusted setup. STOC '04, 2004.

[17] Yehuda Lindell et al. Bounded-concurrent secure two-party computation without setup assumptions. STOC '03, 2003.

[18] Rafael Pass et al. New and improved constructions of non-malleable cryptographic protocols. STOC '05, 2005.

[19] Adi Shamir et al. Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions. SIAM J. Comput., 1999.

[20] Amit Sahai et al. How to play almost any mental game over the net: concurrent composition via super-polynomial simulation. 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05), 2005.

[21] Boaz Barak et al. How to go beyond the black-box simulation barrier. 42nd Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2001.

[22] Adi Shamir et al. Witness indistinguishable and witness hiding protocols. STOC '90, 1990.

[23] Ran Canetti et al. Resettable Zero-Knowledge. IACR Cryptology ePrint Archive, 1999.

[24] Amit Sahai et al. Concurrent Non-Malleable Zero Knowledge. 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06), 2006.

[25] John Rompel et al. One-way functions are necessary and sufficient for secure signatures. STOC '90, 1990.

[26] Moni Naor et al. Non-malleable cryptography. STOC '91, 1991.

[27] Rafael Pass et al. Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition. EUROCRYPT, 2003.

[28] Moni Naor et al. Nonmalleable Cryptography. SIAM Rev., 2000.

[29] Silvio Micali et al. How to play ANY mental game. STOC, 1987.

[30] Ran Canetti et al. Black-box concurrent zero-knowledge requires Ω̃(log n) rounds. STOC '01, 2001.

[31] Joe Kilian et al. Concurrent and Resettable Zero-Knowledge in Poly-logarithmic Rounds (extended abstract). 2001.

[32] Moni Naor et al. Concurrent zero-knowledge. JACM, 2004.

[33] Ran Canetti et al. Universally composable protocols with relaxed set-up assumptions. 45th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2004.

[34] Rafael Pass et al. Concurrent non-malleable commitments. 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05), 2005.

[35] Joe Kilian et al. Uses of randomness in algorithms and protocols. 1990.

[36] Yehuda Lindell et al. Concurrent general composition of secure protocols in the timing model. STOC '05, 2005.

[37] Silvio Micali et al. The knowledge complexity of interactive proof-systems. STOC '85, 1985.

[38] Amit Sahai et al. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. 40th Annual Symposium on Foundations of Computer Science (FOCS), 1999.

[39] Giovanni Di Crescenzo et al. Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model. CRYPTO, 2004.

[40] Yehuda Lindell et al. Lower Bounds for Concurrent Self Composition. TCC, 2004.