Concurrent Zero Knowledge in the Bounded Player Model
Vipul Goyal – Microsoft Research, India
Abhishek Jain – MIT and Boston University
Rafail Ostrovsky – UCLA
Silas Richelson – UCLA
Ivan Visconti – University of Salerno, Italy
Introductions
• Meet P (the prover) and V (the verifier).
• (P, V) is zero knowledge if there exists a simulator SIM which can emulate V*'s interaction with P.
Concurrent Zero Knowledge
• (P, V) is concurrent zero knowledge [DNS98] if ZK holds when V* may run many instances of the protocol concurrently.
cZK in the Plain Model
• cZK exists in the plain model [RK99].
• Nearly logarithmic round complexity [KP01], [PRS02].
• Black-box cZK requires almost logarithmically many rounds [R00], [CKPR01].
• Impossibility of cMPC [CF01], [CKL03], [L03], [L04].
• Open problem: Is cZK possible in sublogarithmically many rounds?
Constant Round cZK in Other Models
• Timing model [DNS98]
• Super-polynomial-time simulation [P03]
• Common reference string [BSMP91]
• Bare public key [CGGM00], [SV12]
• Bounded concurrency [B01]
• Constant-round cMPC exists in most of the above models.
Our Model – Bounded Player Model
• A bounded number of players will ever engage in the protocol. Each player may play an unbounded number of sessions.
• Relaxation of the bounded concurrency model.
• Improvements over the Bare Public Key model:
  - No preprocessing phase.
  - Non-black-box simulation is needed for cZK with sublogarithmically many rounds.
• cMPC is impossible. Evidence that the BP model is close to the plain model.
Main Theorem
• Assuming standard complexity-theoretic assumptions, there exists a cZK argument in the BPM.
  - Slightly super-constant round complexity (ω(1)).
  - Straight-line non-black-box simulator.
Building the Protocol (Informal)
(Figure: protocol outline.) Player registration; common input x ∈ L; a Preamble; then a WI PoK of the statement "x ∈ L OR 'Trapdoor'".

Building the Protocol (Informal)
(Figure: the outline instantiated.) Registration publishes pk = f(sk) for a OWF f; common input x ∈ L; a Preamble; then a WI PoK of the statement "x ∈ L OR 'I know sk'".
Barak's Protocol – A Building Block
(P_B, V_B), common input x ∈ L:
  - V → P: h ∈ H
  - P → V: z = Com(0^n)
  - V → P: r ∈ {0,1}^{l(n)}
  - WI proof of "x ∈ L OR 'Trapdoor'"
• The non-black-box simulator obtains the trapdoor by sending z, a commitment to a machine Π which predicts r.
• Achieves bounded concurrency. Our model allows for unbounded concurrency (the bound is on the number of players).
Our Starting Idea
• Can we bound the number of non-black-box simulations required to learn each player's identity?
• Then we could use the bound on the total number of players to reduce to the case of bounded concurrency.
The Preamble (informal)
We need to devise a way for the simulator to learn the secret key. Common input x ∈ L.
  1. P → V: Com(σ_P)
  2. V → P: σ_V
  3. P → V: σ_P
  4. (P_B, V_B): P proves that σ_P is fair using Barak's protocol.
  5. V → P: ξ = Enc_σ(sk)
  6. (P_WI, V_WI): V proves that ξ is correct.
• Steps 1-3 are an unfair coin flipping protocol obtaining σ = σ_P + σ_V; P never decommits.
• In step 4, P proves that σ_P is fair (the value sent in 3 is the one committed to in 1) using Barak's protocol.
• V sends an encryption of sk under the public key σ, and proves the correctness of ξ using WI.
The Preamble (informal)
Soundness:
• Soundness of (P_B, V_B) forces P* to send in (3) the same value that he committed to in (1).
• The public key σ used by V to encrypt is therefore random, and so P* cannot know the corresponding private key.
• Semantic security means P* learns nothing about the secret key from ξ = Enc_σ(sk).
The Preamble (informal)
Zero Knowledge:
• The simulator can use the trapdoor in Barak's protocol to prove a false theorem to V*.
Simulator:
• Send Com(0^n) in (1).
• Receive σ_V; run Gen obtaining a key pair (σ, τ).
• Send σ_P = σ + σ_V in (3).
• Use the trapdoor to prove the false theorem "σ_P is fair" in (P_B, V_B).
• Receive ξ, verify its correctness in (P_rWI, V_rWI), and recover sk = Dec_τ(ξ).
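The three preamble slides above, as a runnable toy (added here for illustration; this is not the paper's code). It runs the honest prover, a cheating prover that opens its step-1 commitment to a different σ_P (the soundness slide), and the simulator, which commits to 0^n, picks (σ, τ) with Gen after seeing σ_V, forces the joint key to σ, and decrypts sk. Everything below is an assumption of the toy: ElGamal over Z_P^* with a 31-bit prime stands in for a PKE whose public keys are uniform group elements (no security at this size); the coin-flip combiner written "+" on the slides is multiplication mod P so that σ_P · σ_V is itself a public key; Com is a hash commitment; the OWF f in pk = f(sk) is G^sk mod P; the step-4 proof of fairness is modelled by a token, an honest opening for P and a "trapdoor" token for SIM standing in for the false-theorem proof Barak's non-black-box simulator gives (the verifier cannot distinguish the two, so the toy verifier accepts both); step 6 is elided.

```python
"""Toy walk-through of the preamble: honest P, cheating P*, and SIM.
Constructed example, not the paper's code; see the lead-in for the
modelling assumptions (toy ElGamal, multiplicative combiner, hash Com,
trapdoor token in place of Barak's false-theorem proof)."""
import hashlib
import secrets

P = 2**31 - 1   # Mersenne prime; 7 is a primitive root, so Z_P^* = <7>
G = 7


def rand_elem() -> int:
    return 1 + secrets.randbelow(P - 1)          # uniform in Z_P^*


def commit(value: int, opening: bytes) -> bytes:
    # Com(value; opening): hash commitment, assumed hiding and binding.
    return hashlib.sha256(opening + value.to_bytes(8, "big")).digest()


def gen():
    """Gen -> (sigma, tau): sigma = G^tau is uniform in Z_P^*."""
    tau = secrets.randbelow(P - 1)
    return pow(G, tau, P), tau


def enc(sigma: int, m: int):
    # ElGamal under public key sigma: (G^r, m * sigma^r).
    r = secrets.randbelow(P - 1)
    return pow(G, r, P), (m * pow(sigma, r, P)) % P


def dec(tau: int, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - tau, P)) % P    # c1^(P-1-tau) = c1^(-tau)


class Verifier:
    """Honest V.  Registration publishes pk = f(sk) with f(sk) = G^sk mod P."""

    def __init__(self):
        self.sk = rand_elem()
        self.pk = pow(G, self.sk, P)

    def step2(self, com: bytes) -> int:
        self.com, self.sigma_v = com, rand_elem()
        return self.sigma_v

    def step5(self, sigma_p: int, fairness_proof):
        # Step 4: accept an honest opening of the step-1 commitment, or the
        # token that models the simulator's trapdoor proof (toy assumption).
        if fairness_proof[0] == "open":
            _, value, opening = fairness_proof
            if value != sigma_p or commit(value, opening) != self.com:
                raise ValueError("step 4: sigma_P is not the committed value")
        elif fairness_proof[0] != "trapdoor":
            raise ValueError("step 4: no proof of fairness")
        sigma = (sigma_p * self.sigma_v) % P       # joint public key
        return enc(sigma, self.sk)                 # step 5: xi = Enc_sigma(sk)


def honest_run() -> bool:
    """Honest P commits, opens, proves fairness; it holds no tau for sigma."""
    v = Verifier()
    sigma_p, s = rand_elem(), secrets.token_bytes(16)
    v.step2(commit(sigma_p, s))                                # steps 1, 2
    xi = v.step5(sigma_p, ("open", sigma_p, s))                # steps 3, 4, 5
    return isinstance(xi, tuple)   # P ends with a ciphertext it cannot open


def cheating_opener_rejected() -> bool:
    """Soundness: P* commits to sigma_P in (1) but sends another value in (3)."""
    v = Verifier()
    sigma_p, s = rand_elem(), secrets.token_bytes(16)
    v.step2(commit(sigma_p, s))
    other = (2 * sigma_p) % P                      # never equals sigma_p
    try:
        v.step5(other, ("open", sigma_p, s))
    except ValueError:
        return True
    return False


def simulated_run():
    """SIM: Com(0^n), then pick sigma with known tau and force sigma_P."""
    v = Verifier()
    sigma_v = v.step2(commit(0, bytes(16)))                    # steps 1, 2
    sigma, tau = gen()
    sigma_p = (sigma * pow(sigma_v, P - 2, P)) % P   # sigma_P * sigma_V = sigma
    xi = v.step5(sigma_p, ("trapdoor",))   # steps 3, 4 (false theorem), 5
    sk = dec(tau, xi)
    return v.sk, sk, pow(G, sk, P) == v.pk           # recovered sk matches pk


if __name__ == "__main__":
    print(honest_run(), cheating_opener_rejected(), simulated_run())
```

The honest run ends with P holding a ciphertext under a key for which nobody but V's coin-flip partner could hold τ, the cheating opener is caught by the binding of Com (the toy stand-in for the soundness of (P_B, V_B)), and only the simulator, which chose σ after seeing σ_V, decrypts sk.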
Main Problem
Problem: An adversarial verifier can interleave sessions.
(Figure: two interleaved preamble sessions against one registered pk = f(sk); messages shown are z = Com(σ_P; s) for some s, σ_V, σ_P, (P_B, V_B), ξ = Enc_σ(sk), (P_rWI, V_rWI), "ξ is correct", and the final statement "x ∈ L OR I know sk".)
• We encounter the same issue as someone attempting to extend (P_B, V_B) to the setting of unbounded concurrency.
Main Idea – Many Preamble Blocks
(Figure: a session built from several preamble blocks; outcomes labelled "V* loses", "V* ties", "V* wins".)
Advantages:
• The simulator only needs to extract the secret key once per player.
• The interleaving attack is now less dangerous: V* must guess where SIM will cheat.
A Sample Simulation
(Figure: a sample simulation across several sessions; blocks labelled "V* ties", "V* wins", "V* loses", and "Trapdoor Obtained!" where SIM extracts a player's key.)
Where to Cheat?
• At least ω(1) preamble blocks are needed per session.
• Theorem (Main Technical Lemma): ω(1) preamble blocks are sufficient.
• We will:
  - Construct a distribution on {preamble blocks} describing where SIM will cheat.
  - Prove that SIM will have to cheat at most a bounded polynomial number of times per player.
The Distribution
Proof Intuition of MTL (1/2)
• Recall we must bound the number of non-black-box simulations required to learn sk.
• In light of the terminology (V* loses a session / V* ties a session / V* wins a session), it suffices to show that V* cannot win p(n) times without losing.
Proof Intuition of MTL (2/2)
Conclusion
• We define the bounded player model.
  - A natural model: we can bound players, not sessions.
  - Seemingly closer to the plain model than other existing models.
• We construct a cZK protocol in the BP model.
  - Sublogarithmic round complexity.
  - Straight-line non-black-box simulator.
• We construct a PDF with appealing properties.
  - Possible applications elsewhere.
Questions?