Create Presentation
Download Presentation

Download Presentation
## Concurrent Zero-Knowledge

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**ConcurrentZero-Knowledge**Cynthia Dwork (IBM Almaden) Moni Naor (Weizmann) Amit Sahai (MIT)**Zero-Knowledgeon the Internet**Verifier 1 Verifier 2 Prover Verifier 3 Verifier 4**Deniable MessageAuthentication**Bill Linda Tripp Monica L.**Outline**1. Zero Knowledge -- What goes wrong in the concurrent setting? 2. Timing -- Assumptions and Uses 3. Concurrent Zero-Knowledge for NP 4. Open Problems**Zero-Knowledge Paradigm [GMR85]**v1 When assertion is true, Verifier can simulate her view of the interaction on her own. p1 v2 pk accept/reject Formally, require thatfor every probabilistic poly-time Verifier, there is probabilistic poly-time simulator such that when assertion is true, its output distribution is indistinguishablefrom Verifier’s view of its interaction with Prover. We require same to hold for every collection of polynomially many Verifiers, controlled by a probabilistic poly-time Adversary.**Protocol for NP:Graph 3-Colorability**Verifier Prover 1. Commit to the edge to be queried 2. Commit to Vertex colors 3. Open commitment to the edge 4. Open commitments to colors on the edge**Simulator forGraph 3-Colorability**• Get Verifier Step 1 commitment • Commit to nonsense in Step 2 • See Verifier’s revealed edge e in Step 3 • Rewind Verifier to Step 2 • Commit to colors good for e in Step 2 • Verifier must reveal same e in Step 3 • Open commitments to e’s colors in Step 4 1 2 3 4**Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4**(…)**Simulation takes exponential time!**Our Goal**• Zero-Knowledge protocol for NP • secure under concurrent execution • few rounds • simple • local control**Timing**Explicit use of time. Weak Synchronization Assumption: There exist such that: Your clock All other clocks But: Allow Adversary to control timing of all messages, subject to constraint above.**Uses of Timing**• We use only: • Time-outs (require message within time ) • Delays (wait local time before sending message) Previous Work: • In Zero-Knowledge: • [Beth & Desmet90] [Brands & Chaum93] Use very accurate timing to prevent PIM attacks • As Cryptanalytic Tool: • [Kocher96] Attack PK Cryptosystems by measuring time to decrypt (shows time-awareness is necessary)**Protocol for NP with timing:Graph 3-Colorability**Verifier Prover 1. Commit to the edge to be queried 2. Commit to Vertex colors 3. Open commitment to the edge 4. Open commitments to colors on the edge • Timing Constraints: • Verifier must send Step 3 message within time of Step 1 message. (Prover waits ) • Prover waits until time has elapsed since Step 1 before sending Step 4. Invariant: While any Verifier is in Steps 1-3,no new interaction can start and proceed to Step 4.**Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4 **Are we done?Not quite…**• Naïve simulation still does not work: • Bad static interleavings are impossible… But: • Adversary can select timings (and hence interleavings) of messages randomly. • Careful simulator design yields almost Zero-Knowledge (1/poly simulation error). • For Arguments, assuming “trapdoor” statistically hiding commitment schemes exist (e.g. exist under Discrete Log Assumption), can achieve Perfect Zero-Knowledge.**Other Results and Extensions**• Also achieve Proofs of Knowledge with Concurrent Perfect Extractors. • Simple protocols for Deniable Message Authentication using Timing to ensure both Privacy and Soundness. • Recent work of Dwork and Sahai (Crypto ‘98) -- for Arguments, show how to restrict Timing Constraints to short Preprocessing Protocol, still achieve Concurrent Zero-Knowledge.**Open Problems**• Concurrent Zero-Knowledge possible in the standard model? • Other uses of Timing under only a Weak Synchronization Assumption?**Motivation**Why would one want to give such a transformation? • Easier to prove statements about the honest-verifier model, e.g. HVSZK. By result, structural properties extend to General ZK as well. • Methodology: • Design an HVZK proof • Transform into General ZK proof**Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4 **Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4**Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4**Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4**Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4 (…) Simulation takes exponential time!**Many Verifiers:A Troublesome Interleaving**V1 V2 … Vn-1 Vn 1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4 (… 2n simulations …)**Statistical Difference metric between distributions**statistically close means statistical difference is exponentially small in input size n =|x|.**Our Results**• For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK: • Show how to transform any proof ZK • for Honest Verifier into proof ZK for Any Verifier. • No computational assumptions needed for transformation. • ZK condition holds even for computationally unbounded Verifiers • For SZK, [Oka96] gives a transformation:HV Public-Coin HV. We transform:Public-Coin HV General Hence, HV General w/o Public Coins.**Public Coin Proofs[Babai]**Arthur (Verifier) Merlin (Prover) Random Coins Response Random Coins Response Accept/Reject**Previous Work**• Conditional: • For Computational Zero-Knowledge, assuming one-way functions exist, General CZK = IP = HVCZK [GMW86, IY87, Ben-Or+88] • For Statistical Zero-Knowledge, assuming one-way functions exist,HVSZK General SZK [BMO90, OVY93, Oka96] • Unconditional: • For both CZK and SZK, butrestricted to constant round Public-Coin Proofs,HV General [Dam94, DGW94]**Techniques**• Main Ingredients: • A new Random Selection Protocol. • A new Hashing Lemma about 2-universal hash functions.**Random Selection**Random Selection The Transformation a1 b1 ar Arthur br Merlin a1 b1 Arthur Merlin ar br**The Simulator**Use the Honest-Verifier Simulator togenerate transcript: a1 b1 ar br a1 b1 ar br**Desired Properties ofRandom Selection (RS) I**• Dishonest Merlin: need guarantee that Merlin cannot control output distribution too much to ensure Soundness. Let B be set of possible (a1, a2, ..., ar )’s on which original Merlin can fool Arthur. Use parallel repetition of original proof systemto make Pr[B] at most 2-(r+1) n So if, at each RS protocol, after r rounds, Merlin can make B at most2 r n times more likely than in original protocol. Hence Final Soundness Error at most 2-n. (details omitted)**Desired Properties ofRandom Selection (RS) II**• Dishonest Arthur: need Simulatordistribution to be close to true distribution: • HV Simulator outputs nearly uniform a‘s.Hence, RS protocol must also. • Moreover, for almost every a, need to simulate RS protocol to output a.i.e. For almost any a, need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts, conditioned on the output being a.**Random Selection [DGW]**Arthur selects “random” partition of message space into cells of size poly(n). Merlin Arthur Cell Cell ÎRpartition aÎRCell a • Dishonest Merlin can cause at most 1/poly(n) statistical deviation. • When Arthur is Dishonest, can simulate for only a 1/poly(n) fraction of a’s. • Yields result only for constant round. • We fix this.**Our Solution**[DGW] RS protocol Set S of 2n a’s Arthur Merlin a a ÎR S • Use [DGW] protocol to select randomly among sets of 2n possible a’s. • Any 1/poly(n) fraction of such sets will cover the space of a’s almost uniformly. Accept/Reject**Hash Functions**• We use hash functions to describe setsof a’s. We will use h-1(0) to be our set of a’s. • For almost all h’s, h-1(0) is of size 2n. • H is a 2-universal family of hash functions, so a’s will be “well spread” over sets h-1(0). Accept/Reject**New Random Selection**Arthur selects “random” partition of Hinto cells of size poly(n). Merlin Arthur Cell Cell ÎRpartition hÎRCell h a aÎRh-1(0)**Properties ofRandom Selection (RS)**• Dishonest Merlin: Still OK for Soundness. • Dishonest Arthur: • Outcome a almost uniform. • For almost every a, can simulate RS protocol to output a.i.e. For almost any a, distribution of Simulator for RS is statistically close to distribution of actual RS transcripts, conditioned on the output being a.**Simulation ofRandom Selection (RS)**• The random tape of Arthur is already fixed; Arthur is deterministic. • Simulator, on input a: • Obtains Arthur’s partition p. • Chooses cell y randomly among cells containing some h such that h(a)=0: • If Arthur picks h such that h(a)=0, output (p,y,h,a). Otherwise repeat. Why does this work?**RS Protocol & Simulator**Merlin Arthur Cell Cell ÎRpartition hÎRCell h a aÎRh-1(0) • Simulator, on input a: • Obtains Arthur’s partition p. • Chooses cell y randomly among cells containing some h such that h(a)=0. • If Arthur picks h such that h(a)=0, output (p,y,h,a). Otherwise repeat.**New Hashing Lemma(first view)**2n H ’s Blue hash functions: any inverse polynomial fraction of all hash functions H Weight from blue edges nearly uniform on ’s.**New Hashing Lemma(another view)**H ’s For almost any , fraction of blue neighbors is almost same as fraction of blue hash functions.**New Hashing Lemma**Let Í H be any set of size |{hBlue|h()=0}| |Blue| = 2-(n). |{h |h()=0}| | | (Hence the simulation is polynomial time) Moreover, the statistical difference between the following two distributions is at most 2-W(n) : {hBlue|h()=0} (Hence the simulation is statistically close.)**Proof Sketch(of first view)**Want to show: for all sets S of ’s, Pr[Ouput in S] = density(S) 2-(n). We show that for 1-2-(n) fraction of hH, h is a “good choice” for S, i.e. |h-1(0) S| = density(S) 2-(n). |h-1(0)| (First show this is true in expectation over hH, then use Chebyshev’s inequality to prove deviation from expectation is 2-(n) with probability 1-2-(n). Analysis made possible by pairwise independence of hH.) Since Blue is inverse polynomial fraction of H, also holds for 1-2-(n) fraction of hBlue. **Conclusions**• We transform Public-Coin proofs ZK for the Honest Verifer into proofs ZK for any Verifier. • HVSZK = SZK • Public-Coin HVCZK= Public-Coin CZK • We give a new Hashing Lemma which may be of independent interest.**Conclusions**• We transform Public-Coin proofs ZK for the Honest Verifer into proofs ZK for any Verifier. • HVSZK = SZK • We give a new Hashing Lemma which may be of independent interest.