Adaptive Zero-Knowledge Proofs and Adaptively Secure Oblivious Transfer

In the setting of secure computation, a set of parties wish to securely compute some function of their inputs, in the presence of an adversary. The adversary in question may be static (meaning that it controls a predetermined subset of the parties) or adaptive (meaning that it can choose to corrupt parties during the protocol execution and based on what it sees). In this paper, we study two fundamental questions relating to the basic zero-knowledge and oblivious transfer protocol problems: Adaptive zero-knowledge proofs: We ask whether it is possible to construct adaptive zero-knowledge proofs (with unconditional soundness) for all of $\mathcal{NP}$. Beaver (STOC [1996]) showed that known zero-knowledge proofs are not adaptively secure, and in addition showed how to construct zero-knowledge arguments (with computational soundness).Adaptively secure oblivious transfer: All known protocols for adaptively secure oblivious transfer rely on seemingly stronger hardness assumptions than for the case of static adversaries. We ask whether this is inherent, and in particular, whether it is possible to construct adaptively secure oblivious transfer from enhanced trapdoor permutations alone. We provide surprising answers to the above questions, showing that achieving adaptive security is sometimes harder than achieving static security, and sometimes not. First, we show that assuming the existence of one-way functions only, there exist adaptive zero-knowledge proofs for all languages in $\mathcal{NP}$. In order to prove this, we overcome the problem that all adaptive zero-knowledge protocols known until now used equivocal commitments (which would enable an all-powerful prover to cheat). Second, we prove a black-box separation between adaptively secure oblivious transfer and enhanced trapdoor permutations. As a corollary, we derive a black-box separation between adaptively and statically secure oblivious transfer. This is the first black-box separation to relate to adaptive security and thus the first evidence that it is indeed harder to achieve security in the presence of adaptive adversaries than in the presence of static adversaries.

[1]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[2]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[3]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[4]  Amit Sahai,et al.  Concurrent Zero Knowledge without Complexity Assumptions , 2006, Electron. Colloquium Comput. Complex..

[5]  Jean-Sébastien Coron,et al.  The Random Oracle Model and the Ideal Cipher Model Are Equivalent , 2008, CRYPTO.

[6]  Oded Goldreich Foundations of Cryptography: Volume 1 , 2006 .

[7]  Manuel Blum,et al.  How to Prove a Theorem So No One Else Can Claim It , 2010 .

[8]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[9]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[10]  Michael E. Saks,et al.  A dual version of Reimer's inequality and a proof of Rudich's conjecture , 2000, Proceedings 15th Annual IEEE Conference on Computational Complexity.

[11]  Ran Canetti,et al.  Universally Composable Commitments (Extended Abstract) , 2001, CRYPTO 2001.

[12]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[13]  Marc Fischlin,et al.  On the Impossibility of Constructing Non-interactive Statistically-Secret Protocols from Any Trapdoor One-Way Function , 2002, CT-RSA.

[14]  Toshiya Itoh,et al.  A language-dependent cryptographic primitive , 1997, Journal of Cryptology.

[15]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[16]  Donald Beaver,et al.  Plug and Play Encryption , 1997, CRYPTO.

[17]  Sampath Kannan,et al.  The relationship between public key encryption and oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[18]  Srinivasan Venkatesh,et al.  A Characterization of Non-interactive Instance-Dependent Commitment-Schemes (NIC) , 2007, ICALP.

[19]  Manuel Blum,et al.  Coin flipping by telephone a protocol for solving impossible problems , 1983, SIGA.

[20]  Luca Trevisan,et al.  Notions of Reducibility between Cryptographic Primitives , 2004, TCC.

[21]  Yehuda Lindell,et al.  Efficient Secure Two-Party Protocols , 2010, Information Security and Cryptography.

[22]  Steven Myers,et al.  Towards a Separation of Semantic and CCA Security for Public Key Encryption , 2007, TCC.

[23]  Moni Naor,et al.  Adaptively secure multi-party computation , 1996, STOC '96.

[24]  Rafail Ostrovsky,et al.  Perfect zero-knowledge in constant rounds , 1990, STOC '90.

[25]  Chi-Jen Lu,et al.  On the Impossibilities of Basing One-Way Permutations on Central Cryptographic Primitives , 2002, ASIACRYPT.

[26]  Oded Goldreich,et al.  How to construct constant-round zero-knowledge proof systems for NP , 1996, Journal of Cryptology.

[27]  Ivan Damgård,et al.  Interactive Hashing can Simplify Zero-Knowledge Protocol Design Without Computational Assumptions (Extended Abstract) , 1993, CRYPTO.

[28]  Tal Malkin,et al.  On the impossibility of basing trapdoor functions on trapdoor predicates , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[29]  Ivan Damgård,et al.  On the Existence of Bit Commitment Schemes and Zero-Knowledge Proofs , 1989, CRYPTO.

[30]  Salil P. Vadhan,et al.  An Equivalence Between Zero Knowledge and Commitments , 2008, TCC.

[31]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[32]  Russell Impagliazzo,et al.  Limits on the Provable Consequences of One-way Permutations , 1988, CRYPTO.

[33]  Steven Rudich,et al.  The Use of Interaction in Public Cryptosystems (Extended Abstract) , 1991, CRYPTO.

[34]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[35]  Salil P. Vadhan An Unconditional Study of Computational Zero Knowledge , 2004, FOCS.

[36]  Daniel R. Simon,et al.  Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? , 1998, EUROCRYPT.

[37]  Donald Beaver,et al.  Adaptively Secure Oblivious Transfer , 1998, ASIACRYPT.

[38]  Daniel R. Simon,et al.  Limits on the efficiency of one-way permutation-based hash functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[39]  Russell Impagliazzo,et al.  One-way functions are essential for complexity based cryptography , 1989, 30th Annual Symposium on Foundations of Computer Science.

[40]  Daniele Micciancio,et al.  Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More , 2003, CRYPTO.

[41]  Adi Shamir,et al.  Zero Knowledge Proofs of Knowledge in Two Rounds , 1989, CRYPTO.

[42]  Donald Beaver,et al.  Adaptive zero knowledge and computational equivocation (extended abstract) , 1996, STOC '96.

[43]  Ivan Damgård,et al.  Improved Non-committing Encryption Schemes Based on a General Complexity Assumption , 2000, Annual International Cryptology Conference.

[44]  Salil P. Vadhan,et al.  Zero knowledge with efficient provers , 2006, STOC '06.