Date post: 12-Mar-2020

Concurrent Non-Malleable Witness Indistinguishability

Rafail Ostrovsky (UCLA, USA)
Giuseppe Persiano (Univ. Salerno – ITALY)
Ivan Visconti (Univ. Salerno – ITALY)

Los Angeles, nov 15 2006 3

Outline

Concurrent ZK, NMZK, Witness Indist.
Non-Malleable Witness Indistinguishability
Cnst-Rnd Concurrent NMWI in the plain model
Cnst-Rnd Concurrent NMZK in the BPK Model
UC with preprocessing

Interactive Proof System

[Diagram: Prover P and Verifier V; labels x ∈ L, w, a, b, z, output 0/1]

Properties:

Completeness: if x ∈ L then V outputs 1
Soundness: if NOT(x ∈ L) then V outputs 0

Interactive Zero-Knowledge Proofs

Zero Knowledge:

[Diagram: labels x ∈ L, w, V*, output 0/1, ≈]

Interactive Proof of Knowledge

Witness Extraction:

[Diagram: labels x ∊ L, P*, W, output 0/1]


Man-in-the-Middle (MiM) Attack

[Diagram: labels r, w, x ∈ L, x’ ∈ L]

Concurrent MiM Attack

[Diagram: labels w, x ∈ L, x’ ∈ L]

Concurrent NMZK

[Diagram: labels x ∈ L, x’ ∈ L, y’: (x’, y’) ∈ R_L]


Witness Indistinguishable Proofs

Witness Indistinguishability: for all x ∈ L and for all pairs (y, y’) of valid witnesses for x ∈ L,

View_V*(P(y), x, y, y’) ≈ View_V*(P(y’), x, y, y’)

ZK implies WI

[Diagram: labels P, V*, x ∈ L]

Witness Indistinguishability

ZK implies WI, but WI helps in the design of ZK protocols (e.g., the FLS paradigm):

Non-Black-Box ZK
NIZK in the SRS model [FLS90, DDOPS01]

Can we use a notion of WI secure against MiM attacks for the design of CNMZK protocols?


Witness Encoded in a Proof

We focus on commit-and-prove arguments: in the first message the prover commits to the witness using a statistically binding commitment scheme (therefore we consider computational indistinguishability); this message is the “witness encoded in the proof”. The prover then proves that the committed message is an NP-witness for x ∈ L.

The goal of the MiM is to relate the witnesses encoded in the proofs he gives to the witnesses encoded in the proofs he receives.

Concurrent MiM Attack

[Diagram: labels w, x ∈ L, x’ ∈ L]


CNMWI, very informally

CNM Witness Indistinguishability:

“the distribution of the witnesses encoded in the proofs given by the man-in-the-middle is independent of the distribution of the witnesses encoded in the proofs given by the prover”

CNMWI, informally

CNM Witness Indistinguishability:

Let mim<x>(<w>) be the random variable that describes the witnesses encoded in the proofs given by the MiM when receiving proofs for <x> from P with encoded witnesses <w>.

CNMWI requires that the following distributions are computationally indistinguishable:

{mim<x>(<w>)}, {mim<x>(<w’>)}

CNMZK vs CNMWI

[Diagram, CNMWI panel: labels w0, w1, w’0, w’1, x ∈ L, x’ ∈ L]

[Diagram, CNMZK panel: labels x ∈ L, x’ ∈ L, y’: (x’, y’) ∈ R_L]

CNMWI+ (informal)

CNMWI+ following the Simulation paradigm:

“for any PPT adversary A that in a MiM attack proves statements <x> to an honest verifier with proofs that encode witnesses <w>, there exists a PPT S that, by accessing A, proves statements <x> to an honest verifier with proofs that encode witnesses <w>”

This definition implies both the previous definition of CNMWI and that of CNMZK.

CNM Commitments [PR05]

CNM Commitments:

“for any PPT adversary A that in a MiM attack commits to messages <w>, there exists a PPT S that, by accessing A, outputs commitments to messages <w>”

Can CNM commitment schemes help in designing CNMWI argument systems?


Constant Round CNMWI

P sends V a commitment of the witness w
P and V use the one-left many-right statistical concurrent non-malleable ZK argument of knowledge of [PR05a] for proving that w is a witness for x ∈ L

Remark: this protocol is a PoK and it is only a cosmetic variation of the one by [PR05b] for concurrent non-malleable commitments


The Bare Public-Key (BPK) model [CGGM00]

In a key-registration stage:
Each verifier (non-interactively) posts her public key on a public file, common to all parties
There is no bound on the power of the adversary, which can therefore control the entire resulting file

In the proof stage:
The same public file is part of the common input in all proofs and the verifiers can use their private keys

BPK is a weaker version of the PKI model, since public keys do NOT need to be certified during the key-registration phase

BPK model: the Key-Registration Stage

[Diagram: labels V_j, sk_j, pk_j]

BPK model: first attack of the MiM

[Diagram: labels V_j, sk_j, pk_j, pk_i, (pk_j), aux]

BPK model: the Proof Stage

[Diagram: labels pk_i, pk_j, w, x ∊ L, x’ ∊ L, sk_j, aux]

CNMZK in the BPK model

[Protocol diagram, labels only:]
x ∊ L
y_j0 = f(sk_j0), y_j1 = f(sk_j1); public key y_j0, y_j1
sk_jb
CNMWIPoK: sk_j0 ∨ sk_j1
CNMWIPoK: x ∈ L ∨ sk_j0 ∨ sk_j1
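The proof of knowledge of sk_j0 ∨ sk_j1 on this slide, and the witness-indistinguishability property defined earlier, can be illustrated with a classical Sigma-protocol OR-proof. This is an added example, not code from the talk: it assumes f is exponentiation in a toy group, reads the diagram as the key owner proving knowledge of one of its two secret keys, and gives plain WI only, not the concurrent non-malleable CNMWIPoK the slides construct.

```python
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def f(sk):
    """Assumed stand-in for the slides' one-way function f: y = G^sk mod P."""
    return pow(G, sk, P)

def keygen():
    """Key-registration stage: post (y_j0, y_j1), keep the secret keys private."""
    sks = tuple(secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return tuple(f(sk) for sk in sks), sks

def or_commit(pk, b, sk_b):
    """First message: honest commitment on branch b, simulated one on branch 1-b."""
    r, c_sim, z_sim = (secrets.randbelow(Q) for _ in range(3))
    a = [0, 0]
    a[b] = pow(G, r, P)
    # Pick a so that G^z_sim == a * y^c_sim holds without knowing sk_(1-b).
    a[1 - b] = pow(G, z_sim, P) * pow(pk[1 - b], Q - c_sim, P) % P
    return tuple(a), (b, sk_b, r, c_sim, z_sim)

def or_respond(state, c):
    """Third message: the simulated branch keeps c_sim, the real one gets c - c_sim."""
    b, sk_b, r, c_sim, z_sim = state
    cs, zs = [0, 0], [0, 0]
    cs[1 - b], zs[1 - b] = c_sim, z_sim
    cs[b] = (c - c_sim) % Q
    zs[b] = (r + cs[b] * sk_b) % Q
    return tuple(cs), tuple(zs)

def or_verify(pk, a, c, cs, zs):
    """Accept iff keys are in the subgroup, cs sum to c, and both branches check."""
    ok_keys = all(1 < y < P and pow(y, Q, P) == 1 for y in pk)
    ok_split = (cs[0] + cs[1]) % Q == c % Q
    ok_eqs = all(pow(G, zs[i], P) == a[i] * pow(pk[i], cs[i], P) % P for i in (0, 1))
    return ok_keys and ok_split and ok_eqs

def consistent_with(a, cs, zs, b, sk_b):
    """WI check: could a prover holding sk_b have sent first message a[b]?"""
    return pow(G, (zs[b] - cs[b] * sk_b) % Q, P) == a[b]

def prove(pk, b, sk_b):
    """One session against a verifier that picks a uniformly random challenge."""
    a, state = or_commit(pk, b, sk_b)
    c = secrets.randbelow(Q)
    return (a, c) + or_respond(state, c)
```

Every accepting transcript is consistent with both secret keys, which is why it does not reveal which sk_jb the key owner actually used.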

Man-in-the-Middle Attack

[Diagram: labels x ∊ L, y*_j0, y*_j1, sk*_j0 ∨ sk*_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1; x’ ∊ L, y_j0 = f(sk_j0), y_j1 = f(sk_j1), sk_jb, sk_j0 ∨ sk_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1]

Simulator for the MiM

[Diagram: labels x ∊ L, y*_j0, y*_j1, sk*_j0 ∨ sk*_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1; x’ ∊ L, y_j0 = f(sk_j0), y_j1 = f(sk_j1), sk_jb, sk_j0 ∨ sk_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1; ≈, Sim of CGGM00]

Concurrent NMZK

[Diagram: labels x ∈ L, x’ ∈ L, y’: (x’, y’) ∈ R_L]

Simulator for the MiM

[Diagram: labels x ∊ L, y*_j0, y*_j1, sk*_j0 ∨ sk*_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1; x’ ∊ L, y_j0 = f(sk_j0), y_j1 = f(sk_j1), sk_jb, sk_j0 ∨ sk_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1; ≈ sk*_j(b)]

Concurrent NMZK

[Diagram: labels x ∈ L, x’ ∈ L]

get w ∈ {y’, sk_j0, sk_j1}
if (w == y’) ✓
else if (w == sk_j(1-b)) ✓
else if (w == sk_jb) ??

Simulator for the MiM

[Diagram: labels x ∊ L, sk*_j0 ∨ sk*_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1; x’ ∊ L, sk_jb, sk_j0 ∨ sk_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1; sk*_j(b), sk_jb]

The MiM for CNMZK in BPK is reduced to a MiM for CNMWI in the plain model

[Diagram, first panel: labels x ∊ L, sk*_j0 ∨ sk*_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1; x’ ∊ L, sk_jb, sk_j0 ∨ sk_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1]

[Diagram, second panel: labels sk_jb, sk_j0 ∨ sk_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1, sk*_j0 ∨ sk*_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1, sk*_j(b); sk_jb, sk*_j(b), sk_jb]

Reducing the MiM to a MiM for CNMWI

[Diagram, first panel: labels sk_j0 ∨ sk_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1, sk*_j0 ∨ sk*_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1; sk_j1, sk*_j(1), sk_j1]

[Diagram, second panel: labels sk_j0 ∨ sk_j1, x ∈ L ∨ sk*_j0 ∨ sk*_j1, sk*_j0 ∨ sk*_j1, x’ ∈ L ∨ sk_j0 ∨ sk_j1; sk_j0, sk*_j(0), sk_j0]

Comparison with previous CNMZK

Paper            Model
DDOPS 01         Shared Random String
PS 04 / BS 05    Relaxed Security
PRS 06           Plain (polylog rounds)
This work        Bare Public Key
KLP 05           Timing Assumption


UC [Can01+CLOS02+BCNP04]

[CLOS02] UC for any functionality can be reduced to realizing F_mcom (multi-instance commitment functionality)
[BCNP04] F_mcom can be reduced to realizing F_kr (key registration funct.)

Key Registration Funct. [BCNP04]

F_kr requires that the functionality can see each private key and guarantees that

each party has a well formed public key
the public keys of the honest parties are safe (private keys are not known by the adversary)

Key Registration Funct. [BCNP04]

F_kr is realized in BCNP04 assuming the existence of trusted third parties

with any F_crs
with a PKI-like registration service where the key authority generates public keys and gives the public keys to parties
with a PKI-like registration service where parties generate keys but have to send both the public and secret keys to the authority
with semi-trusted authorities

assuming isolated stand-alone executions
each party generates a public key and gives a ZKPoK of the secret key to a trusted authority

UC with Preprocessing

key-stage preprocessing (non-interactive): run the key-stage of the CNMZK protocol in the BPK model; each party also generates and posts the additional public key PK used in BCNP04

key-knowledge preprocessing (interactive): each party interested in running protocols with other parties runs the proof stage of the CNMZK protocol in the BPK model, proving knowledge of the secret key SK

Comparison with previous results

Paper            Model
CLOS 02          Common Reference String
BCNP 04          TTP or Isolated ZKPoK
KLP 05           Timing Assumption
This work        Preprocessing (2 stages)
PS 04 / BS 05    Relaxed Security

Thanks!

[Legend of diagram icons: the prover, the verifier, the simulator, the extractor, the man-in-the-middle]