Constant Round Concurrent Zero-Knowledge in the Bounded Player Model

1
Constant Round Concurrent Zero-Knowledge in the Bounded Player Model
Vipul Goyal (Microsoft Research India), Abhishek Jain (MIT and BU), Rafail Ostrovsky (UCLA), Silas Richelson (UCLA), Ivan Visconti (University of Salerno, Italy)
2
Zero-Knowledge Protocols
  • Prover trying to prove x is in L to the verifier
  • (P, V) is zero knowledge if there exists
    which can emulate s interaction with prover

3
Concurrent Zero Knowledge [DNS98]
  • (P, V) is concurrent zero knowledge if ZK holds
    when V may run many instances of protocol
    concurrently.

4
Concurrent ZK (plain model)
  • General feasibility result first given by
    Richardson and Kilian [RK99]
  • Since then, a body of literature has developed
    studying the round complexity
  • Construction with almost logarithmic round
    complexity [PRS02, KP01]
  • Shown to be almost optimal using black-box
    simulation [R00, CKPR01]
  • No constant round protocols known under standard
    assumptions

5
Bounded Concurrency Model
  • In a breakthrough work, Barak [Barak01]
    introduced the bounded concurrency model
  • Total number of concurrent sessions between
    prover and verifiers is a priori bounded (by a
    poly)
  • Barak gave a constant round protocol in this
    model
  • Introduced non-black-box simulation in
    cryptography
  • Open problem: constant round concurrent ZK
    without this bound?
  • In general, what level of concurrency can we
    achieve in constant rounds?

6
Talk Overview
  • Bounded player model and our results
  • Barak's construction: very high level overview
  • Our construction
  • High level idea of our non-black-box simulation
    strategy

7
Bounded Player (BP) Model [GJORV13]
  • A bounded number of players in the system
  • Each player may participate in an unbounded
    (poly) number of concurrent sessions

[Diagram: P and verifiers V, ..., V, labelled "unbounded concurrent sessions"]
  • Example: number of machines over the network
    may be known
  • However, harder to accurately estimate how many
    processes (communicating over the network) each
    machine is running

8
BP model vs Bare Public Key (BPK) model
  • BP model: can ask each player to choose a fixed
    public key during the first session it
    participates in
  • No setup phase
  • Player remembers it, so it remains the same in all
    sessions: the only difference from plain model
  • BPK model: setup phase involving all players
  • Main property: keys can't change during rewinding
  • Only superficial similarity: techniques from BPK
    model have limited relevance here

9
BP model vs Barak's bounded concurrency model
  • BP model: much closer in spirit to Barak's
    bounded concurrency
  • Strengthening of the bounded concurrency model
  • Provably requires non-black-box (NBB) simulation
    (unlike BPK)
  • Goyal et al. [GJORV13]: a construction with ω(1)
    rounds
  • Open: constant round concurrent ZK in BP model?
    Will subsume the result of Barak

10
Our Results
  • Main theorem: constant round concurrent ZK in the
    BP model assuming a collision resistant hash
    function family
  • Positive step towards getting constant round
    concurrent ZK in plain model under standard
    assumptions
  • Technical contribution: new ways of performing
    NBB simulation
  • Techniques very different from the previous work
    of Goyal et al. [GJORV13]

11
NBB vs BB Simulation
  • Black-box simulation: simply query the
    adversarial verifier machine as an oracle
    (rewinding)
  • Non-black-box simulation: uses the code of the
    adversary in a more non-trivial way

12
Barak's Construction (oversimplified)
Statement: x in L
[Diagram, messages between Prover P and Verifier V, in order: Com(M); random r; WI: x in L or M outputs r]
Soundness: r is long and random
  • Simulation: if you have code/state of verifier,
    can construct such M
  • Note: for simulation, constructing fake witness
    wf is computationally heavy/expensive
  • Can only simulate a bounded number of sessions in
    poly-time

13
Barak's Construction: Abstraction
[Diagram: Barak's preamble: Com(M); random r]
  • Can compute fake witness wf
  • Computationally expensive to compute
  • Can be done for only bounded number of sessions

Use fake witness to complete rest
14
Building the Protocol
Focus: single verifier, unbounded sessions
[Diagram, between P and V, in order: pk; Com(M); random r; secure two party computation with inputs sk and wf; WI PoK]
Secure two party computation: if wf is a valid fake witness, output sk to first party
WI PoK: x ∈ L OR I know sk
15
Problem: Adversarial scheduling
Say adversary leaves most sessions in middle of 2PC. Simulator computes fake witness in unbounded number of sessions.
[Diagram, in order: pk; Com(M); random r; secure two party computation with inputs sk and wf, started but didn't finish; new sessions start]
  • [GJORV13] idea: use multiple opportunities for
    using fake witness (higher round complexity),
    complex probability distributions

16
Our Idea: simple
  • Fake witness computed in one session usable in
    others

[Diagram, between P and V, in order: pk; z = Com(M); random r; signature s on t = (z, r); secure two party computation with inputs sk and (t, s), wf; WI PoK]
  • Certified statement (t, s)
  • Compute fake witness wf

Secure two party computation: if valid certified statement, fake witness given, output sk
WI PoK: x ∈ L OR I know sk
17
Handling adversarial scheduling
Simulator computes fake witness pair just once
[Diagram, in order: pk; z = Com(M); random r; signature s on t; secure two party computation with inputs sk and (t, s), wf, started but didn't finish; new sessions start; secure two party computation with inputs sk and (t, s), wf]
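
The scheduling argument of the last few slides as a toy Python model (an added example, not the authors' construction): the verifier abandons the first sessions in the middle of the two party computation, and the simulator's heavy fake-witness computations are counted with and without the certified statement (t, s). Assumptions: SHA-256 stands in for Com, HMAC under sk stands in for the signature, pk = SHA-256(sk), the verifier's code M is a random 32-byte string, and the heavy computation is only counted.

```python
import hashlib, hmac, os

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def commit(m, nonce):
    return hashlib.sha256(nonce + m).digest()        # toy Com(M), stand-in only

class Verifier:
    """Toy bounded-player verifier: one fixed key pair across all its sessions."""
    def __init__(self):
        self.sk = os.urandom(32)
        self.pk = hashlib.sha256(self.sk).digest()   # toy pk: one-way image of sk
        self.code = os.urandom(32)                   # stands for V's code and random tape (M)

    def challenge(self, z):
        return mac(self.code, z)                     # r is exactly what M outputs on input z

    def certify(self, z, r):
        return mac(self.sk, z + r)                   # s on t = (z, r); HMAC replaces the signature

    def two_pc(self, t, s, wf, bound_to=None):
        """Ideal 2PC functionality: output sk iff (t, s) is certified and wf is valid for t."""
        (z, r), (m, nonce) = t, wf
        if bound_to is not None and t != bound_to:   # uncertified design: wf tied to this session
            return None
        ok = (hmac.compare_digest(s, self.certify(z, r))
              and commit(m, nonce) == z              # z opens to M
              and mac(m, z) == r)                    # M run on z outputs r
        return self.sk if ok else None

def simulate(v, sessions, abort_first, certified):
    """Simulator vs. a verifier that abandons the first `abort_first` sessions mid-2PC.
    Returns (heavy fake-witness computations, whether sk was recovered)."""
    heavy, cache, sk = 0, None, None
    for i in range(sessions):
        if sk is not None:
            continue                                 # finish via "I know sk" in the WI PoK
        nonce = os.urandom(32)
        z = commit(v.code, nonce)                    # non-black-box step: commit to V's own code
        r = v.challenge(z)
        t, s = (z, r), v.certify(z, r)
        if certified and cache is not None:
            use = cache                              # reuse the earlier (t, s), wf
        else:
            heavy += 1                               # expensive step: counted, not performed
            use = cache = (t, s, (v.code, nonce))
        if i >= abort_first:                         # this session's 2PC is allowed to finish
            sk = v.two_pc(*use, bound_to=None if certified else t)
    return heavy, sk is not None and hmac.compare_digest(hashlib.sha256(sk).digest(), v.pk)
```

With 20 sessions of which the first 15 are abandoned, `simulate(v, 20, 15, certified=False)` performs 16 heavy computations and `simulate(v, 20, 15, certified=True)` performs 1.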
18
Are we done?
  • This is a gross oversimplification of our
    construction
  • In Barak: no such fake witnesses of polynomial
    size
  • Rather, fake witness is an accepting (encrypted)
    universal argument execution
  • Need to run 3-round UA and construct fake witness
    interactively

19
Our Construction
[Diagram, between P and V, in order: pk; z = Com(M); r; signature s; heavy computation; UA first message; UA challenge; get fake witness; UA final message; ...]
  • Adversarial scheduling: what if verifier leaves
    most sessions in middle of UA? Computation done,
    yet no fake witness!

20
Completing the construction
  • Use the same basic idea multiple times
  • Ask the verifier to sign the UA transcript as we
    go along
  • Even a partially executed (but signed) UA
    transcript is useful
  • Can be completed in some other session to get a
    fake witness

21
Conclusions
  • Constant round concurrent ZK in the bounded
    player model
  • Subsumes the bounded concurrent ZK of Barak
  • Strongest level of concurrency in plain model in
    constant rounds (under standard assumptions)
  • Key technical contribution: new ways of
    performing NBB simulation
  • Reusing heavy computation

22
  • Thank You!