Constant Round Concurrent Zero-Knowledge in the Bounded Player Model
Vipul Goyal, Microsoft Research India
Abhishek Jain, MIT and BU
Rafail Ostrovsky, UCLA
Silas Richelson, UCLA
Ivan Visconti, University of Salerno, Italy
Zero-Knowledge Protocols
• Prover trying to prove x is in L to the verifier
• Meet
• (P, V) is zero knowledge if: there exists which can emulate ’s interaction with prover
and
Concurrent Zero Knowledge [DNS98]
• (P, V) is concurrent zero knowledge if ZK holds when V* may run many instances of protocol concurrently.
Concurrent ZK (plain model)
• General feasibility result first given by Richardson and Kilian [RK’99]
• Since then, a body of literature has developed studying the round complexity
– Construction with almost logarithmic round complexity [PRS02, KP01]
– Shown to be almost optimal using “black-box simulation” [R00, CKPR01]
• No constant round protocols known under standard assumptions
Bounded Concurrency Model
• In a breakthrough work, Barak [Barak01] introduced the bounded concurrency model:
– Total number of concurrent sessions between prover and verifiers is a priori bounded (by a poly)
• Barak gave a constant round protocol in this model
– Introduced non-black-box simulation in cryptography
• Open problem: constant round concurrent ZK without this bound?
– In general, what level of concurrency can we achieve in constant rounds?
Talk Overview
• Bounded player model and our results
• Barak’s construction: very high level overview
• Our construction
• High level idea of our non-black-box simulation strategy
Bounded Player (BP) Model [GJORV13]
• A bounded number of players in the system
– Each player may participate in an unbounded (poly) number of concurrent sessions
[Figure: players, each running unbounded concurrent sessions]
• Example: the number of machines on the network may be known
– However, it is harder to accurately estimate how many processes (communicating over the network) each machine is running
BP model vs Bare Public Key (BPK) model
• BP model: can ask each player to choose a fixed public key during the first session it participates in
– No setup phase
– Player remembers it, so it remains the same in all sessions: only difference from plain model
• BPK model: setup phase involving all players
– Main property: keys can’t change during rewinding
• Only superficial similarity: techniques from BPK model have limited relevance here
BP model vs Barak’s bounded concurrency model
• BP model: much closer in spirit to Barak’s bounded concurrency
– Strengthening of the bounded concurrency model
• Provably requires non-black-box (NBB) simulation (unlike BPK)
• Goyal et al. [GJORV13]: a construction with ω(1) rounds
• Open: constant round concurrent ZK in BP model? Will subsume the result of Barak
Our Results
• Main theorem: constant round concurrent ZK in the BP model assuming a collision resistant hash function family
• Positive step towards getting constant round concurrent ZK in plain model under standard assumptions
• Technical contribution: new ways of performing NBB simulation
– Techniques very different from the previous work of Goyal et al. [GJORV13]
NBB vs BB Simulation
• Black-box simulation: simply query the adversarial verifier machine as an Oracle (rewinding)
• Non-black-box simulation: uses the code of the adversary in a more non-trivial way
Barak’s Construction (oversimplified)
Statement: x in L
Prover → Verifier: Com(M)
Verifier → Prover: Random r
Prover ↔ Verifier: WI: x in L or M outputs r
• Simulation: if you have code/state of verifier, can construct such M
• Note: for simulation, constructing fake witness wf is computationally heavy/expensive
– Can only simulate a bounded number of sessions in poly-time
• Soundness: r is long and random
Barak’s Construction: Abstraction
Com(M)
Random r
Can compute fake witness wf
Computationally expensive to compute
Can be done for only bounded number of sessions
Use fake witness to complete rest
Barak’s preamble
Building the Protocol
WI PoK x ϵ L OR “I know sk”
Secure two party computation: If wf valid fake witness, output sk to first party
Focus: single verifier, unbounded sessions
Com(M)
Random r
pk
sk
wf
Problem: Adversarial scheduling
Secure two party computation: Started but didn’t finish
Say adversary leaves most sessions in middle of 2PC
Simulator computes fake witness in unbounded number of sessions
Com(M)
Random r
pk
sk
wf
New sessions start
• [GJORV13] idea: use multiple opportunities for using fake witness (higher round complexity), complex probability distributions
Our Idea: simple
WI PoK x ϵ L OR “I know sk”
Secure two party computation: If valid certified statement, fake witness given, output sk
fake witness computed in one session useable in others
z = Com(M)
Random r
pk
sk
(τ, σ), wf
Signature σ on τ = (z, r)
Certified statement = (τ, σ)
Compute fake witness wf
Handling adversarial scheduling
Secure two party computation: Started but didn’t finish
Simulator computes fake witness pair just once
sk
New sessions start
z = Com(M)
Random r
pk
Signature σ on τ
(τ, σ), wf
Secure two party computation
sk
(τ, σ), wf
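A toy model of the reuse idea on the two slides above, added here as an illustration and not taken from the talk or the paper. Assumptions: HMAC stands in for the verifier's signature, a hash for Com, a counter for the heavy computation, the 2PC is an idealized function, and all class and method names are hypothetical.

```python
import hashlib, hmac, os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Toy bounded-player verifier: one fixed key for all of its sessions."""
    def __init__(self):
        self.sk = os.urandom(32)      # HMAC key standing in for a signing key
        self.pk = H(b"pk", self.sk)   # fixed identity, chosen in the first session
        self.code = os.urandom(32)    # stand-in for the verifier's code/state M

    def challenge(self, z):
        r = mac(self.code, z)         # r is what M outputs on input z
        tau = z + r
        return tau, mac(self.sk, tau) # certified statement (tau, sigma)

    def two_pc(self, tau, sigma, wf):
        """Idealized 2PC: output sk iff (tau, sigma) is certified and wf fits tau."""
        M, rho = wf
        z, r = tau[:32], tau[32:]
        ok = (hmac.compare_digest(sigma, mac(self.sk, tau))
              and z == H(rho, M) and r == mac(M, z))
        return self.sk if ok else None

class Simulator:
    """Non-black-box simulator: reads the verifier's code, caches one fake witness."""
    def __init__(self, verifier):
        self.v, self.cache, self.heavy_calls = verifier, {}, 0

    def _fake_witness(self):
        self.heavy_calls += 1                    # models the expensive step
        M, rho = self.v.code, os.urandom(32)
        tau, sigma = self.v.challenge(H(rho, M)) # z = Com(M; rho)
        return tau, sigma, (M, rho)

    def session(self, verifier_finishes=True):
        if self.v.pk not in self.cache:          # heavy work once per player
            self.cache[self.v.pk] = self._fake_witness()
        if not verifier_finishes:                # adversary abandons the 2PC
            return None
        return self.v.two_pc(*self.cache[self.v.pk])  # sk: trapdoor for the WI PoK
```

However many sessions the verifier abandons mid-2PC, `heavy_calls` stays at one per player, because the cached certified statement and fake witness are valid in every later session under the same key.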
Are we done?
• This is gross oversimplification of our construction
• In Barak: no such fake witnesses of polynomial size
• Rather: fake witness is an accepting (encrypted) universal argument execution
– Need to run 3-round UA and construct fake witness interactively
Our Construction
z = Com(M)
r
pk
heavy computation
Signature σ
UA first message
UA challenge
UA final message
• Adversarial scheduling: what if verifier leaves most sessions in middle of UA? Computation done, yet no fake witness!
get fake witness
Completing the construction
• Use the same basic idea multiple times
• Ask the verifier to sign the UA transcript as we go along
• Even a partially executed (but signed) UA transcript useful
– Can be completed in some other session to get a fake witness
Conclusions
• Constant round concurrent ZK in the bounded player model
– Subsumes the bounded concurrent ZK of Barak
– Strongest level of concurrency in plain model in constant rounds (under standard assumptions)
• Key technical contribution: new ways of performing NBB simulation
– Reusing heavy computation
Thank You!