Impossibility and Feasibility Results for Zero Knowledge with Public Keys

1
Impossibility and Feasibility Results for Zero Knowledge with Public Keys
  • Joël Alwen, Tech. Univ. Vienna, Austria
  • Giuseppe Persiano, Univ. Salerno, Italy
  • Ivan Visconti, Univ. Salerno, Italy
2
Outline
  • Zero Knowledge (ZK)
  • Concurrent ZK and Resettable ZK (cZK, rZK)
  • ZK with public keys (BPK-UPK)
  • Soundness in these PK models
  • Impossibility of 3-round sequentially-sound cZK
    in the BPK model
  • rZK proof of membership for L ∈ NP in the UPK model

3
Interactive Proof Systems in the Plain Model
  • Theorem: x ∈ L

[Figure: prover P (with r_P, w) and verifier V (with r_V) exchange messages a, b, …, z; V then outputs Accept or Reject.]
  • Properties
  • Completeness: if the theorem is true ⇒ V
    outputs Accept
  • Soundness: if the theorem is false ⇒ V
    outputs Reject

4
Interactive Proofs (2)
Soundness: no malicious prover P can convince V
of a false theorem.
Assumptions about P's capabilities:
  • P unbounded ⇒ Interactive Proof
  • P bounded ⇒ Interactive Argument
Most results are for Interactive Arguments, not
proofs.
5
Zero Knowledge
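  • Intuition: don't give any extra information to
    any possible verifier

[Figure: prover P (with r_P, w) and any verifier V (with r_V) exchange messages a, b, …, z on the theorem x ∈ L; V then outputs Accept or Reject.]
  • (Black-Box) Zero Knowledge: there exists an efficient S with
    oracle access to V simulating V's view of the
    interaction with P for true theorems

[Figure: on input x ∈ L and random coins r_S, S uses V as a black box and outputs (r_V, a, b, …, z), which is compared with the view of V above (with r_V as input).]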
7
Concurrent ZK (cZK)
[Figure: an evil adversary V controls the verifiers V1, V2, …, Vn, which interact with P on x1 ∈ L, x2 ∈ L, …, xn ∈ L, and controls the network scheduling.]
Note: possibly x_i = x_j with i ≠ j
8
Resettable ZK (rZK)
  • Adversary V can:
  • Reset P to a previous state (including its
    random tape), spawning a new incarnation of P
  • Interact concurrently with all incarnations of P

[Figure: incarnations P1, P2, …, Pn of the prover, shown as P(r1), P(r2), …, P(rn) with random tapes r1, r2, …, rn; the adversary controls the scheduling.]
10
Models for ZK with Public Keys
  • In the plain model: constant-round black-box rZK is
    only possible for trivial languages (L ∈ BPP)
    [CKPR STOC 01]
  • For non-black-box this remains open
  • So add some setup assumption to the model.
  • Bare Public Key (BPK) model:
  • In a preprocessing stage, the verifiers register
    their public keys in a public file.
  • This stage is performed only by verifiers, is
    non-interactive, and further the public file can
    be under the control of the adversary!
  • In the proof stage, the same public file is part
    of the common input in all proofs and the
    verifiers can use their private keys.

11
BPK Preprocessing Stage
[Figure: honest verifiers Vi, Vs, …, Vt; their public keys pki, pks, …, pkt in the public file; arrow label: "maintains".]
12
Related Models
  • The verifier has a persistent counter (in all
    related models)
  • There is no bound; specifically, for any public
    key it is possible to run any polynomial number
    of sessions (Counter Public Key model, CPK)
  • For each public key there is a bound on the
    maximum number of sessions w.r.t. each statement
    (Weak Public Key model, WPK)
  • For each public key there is an upper bound on the
    number of sessions for which it can be used
    (Upperbound Public Key model, UPK)

14
4 Notions
  • [MR Crypto 01] (black-box ZK):
    there are 4 distinct notions of soundness in the
    BPK model
  • one-time soundness (OTS)
  • sequential soundness (SS)
  • concurrent soundness (CS)
  • resettable soundness (RS)

[Figure: a sequential malicious prover, emulating P1, P2, …, Pn, attacks V on the statements x1, x2, …, xn under sequential network scheduling.]
16
The Complete Round Complexity Analysis
We have resolved the last open problem of the
analysis of round complexity of various notions
of ZK in the BPK model.
[Table: columns 3-Round OTS, 3-Round SS, 4-Round CS; rows sZK, cZK, rZK. Cell entries cite MR Crypto 01, DPV 04, DPV Crypto 04 and "Our Result".]
17
Related Proofs
  • Our result: 3-round black-box cZK with SS in the
    BPK model only exists for trivial languages.
  • [GK 96]: 3-round black-box ZK in the plain model
    only exists for trivial languages.
  • [MR Crypto 01]: 3-round black-box rZK with CS in
    the BPK model only exists for trivial languages.

18
GK 96 Proof
  • Assume 3-round black-box ZK in the plain model
    exists for a language L ⇒ L ∈ BPP
  • Design a BPP deciding machine D for L by having
    the simulator S run against the honest V's
    algorithm.
  • If S outputs an Accepting View then x ∈ L
  • If S outputs a Rejecting View then x ∉ L

[Figure: the decider D, on input x, executes S with random coins r_S while emulating V; from S's output (r_V, a, b, …, z) it outputs x ∈ L or x ∉ L. Steps are labelled (1), (2), (3).]
19
GK 96 Proof (2)
  • Prove correctness of D by showing strong
    correlation between S's output and the verity of
    the theorem.
  • The correctness of B.1 follows from the ZK
    property of the protocol
  • To show B.2 is correct, demonstrate (by
    contradiction) how a malicious prover P could
    run S to convince V of a false statement.
  • Prove that with only polynomial loss of
    efficiency V will be convinced by P even without
    P being able to reset V

[Figure: P executes S with random coins r_S while emulating V, which S can reset, and interacts with the real V, which P can't reset.]
20
MR Crypto 01 Extension
  • Assume a 3-round black-box rZK protocol with CS
    in the BPK model exists for the language L
  • B.1 to C.1: the same in the BPK model
  • C.2 and C.3 need adjustment.
  • Require concurrent powers of P in order to use
    S's output to cheat against honest V.
  • Thus CS is proved impossible, but not SS, which is
    weaker (i.e. gives less power to P)

[Figure: P executes S with random coins r_S while emulating V, and interacts with the verifiers V of the public file in sessions on x1, x2, …, xn; P controls the scheduling.]
21
Our Addition
  • In order to show that sequential access to V by
    P suffices, we require an added power.
  • Use that S is a concurrent ZK simulator which
    works against any verifier algorithm, including
    our specially designed V

[Figure: P executes S with random coins r_S while emulating V in sessions on x1, x2, …, xn, where the scheduling is controlled, and interacts with the real V under sequential scheduling.]
22
Our Addition (2)
  • By careful design of P and V we show that if S is
    efficient then it must solve at least one of the
    concurrent sessions with V straight-line (i.e.
    without a rewind).
  • Demonstrate how P can efficiently enough guess
    which session this is and use it to convince V of
    a false statement.

24
Result Overview
  • Result:
  • Present a 3-round rZK proof with CS for all NP in
    the UPK model.
  • The prover has unlimited computational power! So
    given a public key it can calculate the secret key.
    So we need a public key which corresponds to a
    super-polynomial number of secret keys.
  • Moreover, no assumptions regarding the hardness of
    superpolynomial-time algorithms need to be made.
    (No complexity leveraging.)
  • Uses a perfectly hiding commitment scheme to make
    (pk, sk1, …, skm)

25
UPK Setup
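[Figure: UPK setup, repeated n times (n is the upper bound of the UPK model), with security parameter k.]
Random coins: sk_j = (r_j, x_j) ∈_R {0,1}^k × {0,1}^k
pk_j = commit(x_j, r_j), where commit is perfectly hiding
Public File entry pk_i: pk_i1, pk_i2, …, pk_in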
26
The Protocol
pk_j = Com(x_j, r_j)
Using the FLS paradigm [FLS SJoComp 99]
[Figure labels: pk, pk_c, counter c, x ∈ L, witness to x ∈ L]
  • Com(), Dec(): perfectly binding commitment scheme
  • Com(), Dec(): perfectly hiding commitment scheme
  • Zap1, Zap2(.): two-round resettable witness-indistinguishable proof system,
    implemented with Zaps from [DN FOCS 00]
Messages:
  • P → V: m = Com(w)
  • V → P: pk_c, sk_c = (x_c, r_c), Zap1
  • P → V: Zap2(Dec(m) = w and either w = sk_c or w =
    witness to x ∈ L)
27
Properties (Idea)
  • Complete: honest prover P can send Com(w =
    witness to x ∈ L) in round 1
  • Sound: because when (unbounded) P sends Com(w)
    in round 1, it has only seen a perfectly hiding
    commitment to sk_c in the public file.
  • rZK: the simulator can rewind V to use the same
    counter and thus the same sk_c again. After max n
    rewinds all secret keys are known. The rest can
    be simulated straight-line.
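
The soundness idea above, as an added example that is not part of the slides: a toy Pedersen commitment, assumed here as the perfectly hiding scheme because the slides name none, with constructed tiny parameters P, Q, G, H and hypothetical helper names. It shows that an unbounded prover who brute-forces a public key finds one valid opening for every possible x, so the public file tells it nothing about which secret key the verifier will reveal.

```python
# Added example: toy Pedersen commitment, assumed here as the perfectly hiding
# scheme (the slides name none). All parameters are constructed and tiny.
import secrets

P = 2039             # safe prime, P = 2*Q + 1
Q = 1019             # prime order of the subgroup of squares mod P
G = 4                # generator of that subgroup
H = pow(G, 577, P)   # second generator (exponent 577 is an arbitrary constant)

def commit(x, r):
    """pk = G^x * H^r mod P; hides x perfectly when r is uniform in Z_Q."""
    return pow(G, x, P) * pow(H, r, P) % P

def keygen():
    """One UPK key: sk = (x, r) uniform, pk = commit(x, r)."""
    x, r = secrets.randbelow(Q), secrets.randbelow(Q)
    return commit(x, r), (x, r)

def all_openings(pk):
    """Unbounded prover's view: brute-force every (x, r) that opens pk."""
    dlog_h = {pow(H, r, P): r for r in range(Q)}   # exhaustive dlog table
    g_inv = pow(G, -1, P)
    return [(x, dlog_h[pk * pow(g_inv, x, P) % P]) for x in range(Q)]

def prover_guess_rate(pk, sk):
    """Fraction of the consistent secret keys that equal the verifier's sk."""
    openings = all_openings(pk)
    return openings.count(sk) / len(openings)

if __name__ == "__main__":
    pk, sk = keygen()
    print("openings of pk:", len(all_openings(pk)))
    print("chance of naming sk:", prover_guess_rate(pk, sk))
```

With k-bit keys as in the UPK setup, the number of consistent secret keys grows as 2^k, which is the "super-polynomial number of secret keys" the result overview asks for.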

That's all folks. Thank you!