1 / 15

Never Trust Victor An alternative r esettable z ero- k nowledge p ro of system

Never Trust Victor An alternative r esettable z ero- k nowledge p ro of system. Olaf Müller Michael Nüsken. Victor. Paula. ZK for 3-colorability. Victor. Paula. Fast ZK for 3-colorability. Resettable ZK (1). Canetti, Goldreich, Goldwasser & Micali (1999,2000) ZK

hakan
Télécharger la présentation

Never Trust Victor An alternative r esettable z ero- k nowledge p ro of system

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Never Trust VictorAn alternativeresettablezero-knowledge proof system Olaf Müller Michael Nüsken

  2. Victor Paula ZK for 3-colorability

  3. Victor Paula Fast ZK for 3-colorability

  4. Resettable ZK (1) • Canetti, Goldreich, Goldwasser & Micali (1999,2000) • ZK • Internet: concurrent • Smart cards: reset • resettable ZK (rZK) • Goldreich & Kahan (1996) • secret dependencies • constant-round resettable WI

  5. bPaulac Paula Resettable ZK (2) • The resettable machine bPaulac: • uses the same algorithm as Paula, • contains many copies of Paula, • reacts toreset( input i, randonmness j).

  6. Victor bPaulac Secret dependency Resettable ZK (3) Resettable ZK? Resettable WI

  7. Resettable ZK (4) • Canetti, Kilian, Petrank & Rosen (2001) • black-box rZK ¸W~(log n) rounds • Barak (2001): How to go beyond the black-box simulation barrier • constant round • strictly polynomial time simulation • only bounded-concurrency ZK • only computationally sound • Richardson & Kilian (1999)concurrent ne,CGGM (1999,2000)resettable,Kilian, Petrank & Richardson (2001) • preliminary phase (FLS-paradigm) • prove only: improbable preliminary phase OR original statement • O(log(n)2 u(n)) round concurrent ZK, even rZK

  8. reset The Problem

  9. Victor (q,h,Y) E = Ye hs e Paula meantime (e,s) Folklore Bit Commitment Problem: Can Victor learn (e,s) in the meantime?

  10. Victor bPaulac (q,h,Y) E = Ye hs B = Yb ht c Repeat until convinced (b‘,t‘) meantime (e,s) Better Bit Commitment e If c = 0: Open B, i.e. send (b,t) If c = 1, b = e: Open E/B, i.e. send (0,s-t) If c = 1, b  e: Open EB, i.e. send (1,s+t)

  11. Victor bPaulac (q,h,Y) c Repeat until convinced b‘ meantime e Better Bit Commitment e e b b‘ = b + ce

  12. Our solution w!8

  13. Sam‘s Success Provided Sam succeeds: • Simulated preamblesareperfectly indistinguishable from ideal ones. • The faked transcript is computationally indistinguishable from anhonest one. • L2/2 rounds,running time O(L4 poly(n)).

  14. Knowledgeable • Does Victor know a decommitment? • NEVER TRUST VICTOR:require a proof of knowledge! • A bit commitment is knowledgeable if it guarantees that the sender knows the content.

  15. Resettable ZK for G3C Never Trust Victor

More Related