Trading Static for Adaptive Security in Universally Composable Zero-Knowledge

Adaptive security, while more realistic as an adversarial model, is typically much harder to achieve compared to static security in cryptographic protocol design. Universal composition (UC) provides a very attractive framework for the modular design of cryptographic protocols that captures both static and adaptive security formulations. In the UC framework, one can design protocols in hybrid worlds that allow access to idealized functionalities and then apply the universal composition theorem to obtain more concrete protocol instances. The zero-knowledge (ZK) ideal functionality is one of the most useful sub-protocols in modular cryptographic design. Given an adaptively secure protocol in the ideal ZK-hybrid-world do we always need an adaptively secure realization of the ZK functionality in order to preserve adaptive security under composition? In this work, perhaps surprisingly, we find that this is not so and in fact there are useful protocol instances that we can "trade static security for adaptive security." We investigate the above setting, by introducing a weakened ZK ideal functionality, called the ideal leaking-zero-knowledge functionality (LZK) that leaks some information about the witness to the adversary in a certain prescribed way. We show that while LZK is interchangeable to ZK against static adversaries, ZK is more stringent when adaptive adversaries are considered. We then proceed to characterize a class of protocols in the hybrid-ZK-world that can be "transported" to the LZK-hybridworld without forfeiting their security against adaptive adversaries. Our results demonstrate that in such settings a static protocol realization of ZK is sufficient for ensuring adaptive security for the parent hybrid protocol something that enables simplified and substantially more efficient UC realizations of such protocols.

[1]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[2]  Ivan Damgård,et al.  Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor , 2001, CRYPTO.

[3]  Oded Goldreich,et al.  Foundations of Cryptography: List of Figures , 2001 .

[4]  Donald Beaver,et al.  Cryptographic Protocols Provably Secure Against Dynamic Adversaries , 1992, EUROCRYPT.

[5]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[6]  Hugo Krawczyk,et al.  Universally Composable Notions of Key Exchange and Secure Channels , 2002, EUROCRYPT.

[7]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[8]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[9]  Amit Sahai,et al.  Relaxing Environmental Security: Monitored Functionalities and Client-Server Computation , 2005, TCC.

[10]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[11]  Ran Canetti,et al.  Universally composable protocols with relaxed set-up assumptions , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[12]  Jesper Buus Nielsen,et al.  On Protocol Security in the Cryptographic Model , 2003 .

[13]  Ran Canetti,et al.  Universally composable signature, certification, and authentication , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[14]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[15]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[16]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[17]  Aggelos Kiayias,et al.  Equivocal Blind Signatures and Adaptive UC-Security , 2008, TCC.

[18]  Rainer A. Rueppel Advances in Cryptology — EUROCRYPT’ 92 , 2001, Lecture Notes in Computer Science.

[19]  Yuval Ishai,et al.  On Adaptive vs. Non-adaptive Security of Multiparty Protocols , 2001, EUROCRYPT.

[20]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.