Universally composable zero-knowledge sets

We define and construct universally composable (UC) Zero-Knowledge Set (ZKS) protocols. A ZKS protocol allows a prover to commit to a secret set S and then prove statements of the form x ∈ S or x ∉ S without revealing any other information about S. The universal composability framework initiated by Canetti is very useful because it ensures stronger security properties such as concurrent composition, adaptive security and non-malleability. In this paper, we propose a UC ZKS protocol and prove its security in the random oracle model. We also give a negative result: a UC ZKS cannot exist in the standard model (without a random oracle). The negative result shows that the random oracle provides both compression and extraction, which is a pair of paradoxical properties. To our knowledge, this is the first time this kind of property has been considered.
