Zero-knowledge with public keys

Author

  • Leonid Reyzin

Abstract

In STOC 2000, Canetti, Goldreich, Goldwasser, and Micali put forward the strongest notion of zero-knowledge to date, resettable zero-knowledge (RZK), and implemented it in constant rounds in a new model, where the verifier simply has a public key registered before any interaction with the prover. This work explores their new public-key model for zero-knowledge protocols. First, it shows that the soundness notion in this model has not been sufficiently understood and is, in fact, more subtle and complex than in the classical model. It identifies four meaningful notions of soundness, and proves that they are distinct. Thus, protocol designers should understand the needs of the application in order to avoid designing protocols whose soundness is too weak (thus resulting in insecure protocols) or too strong (thus resulting in protocols that are less efficient than necessary). Second, having precisely defined the model, this work proceeds to demonstrate that stronger notions of soundness require more rounds to implement. Specifically, it provides upper and lower bounds on the numbers of rounds needed to implement the various soundness notions. Finally, to achieve both ultimate round efficiency and strong soundness, this work puts forward a slightly stronger model. Informally, as long as the honest verifier does not use a given public key more than a fixed-polynomial number of times, there exist 3-round (provably optimal) RZK protocols for all of NP that possess strong soundness. This is particularly surprising, because such 3-round protocols provably do not exist in the public-key model without such an upper bound.

Thesis Supervisor: Silvio Micali
Title: Professor of Computer Science and Engineering


Similar resources

Zero-knowledge with Public Keys

In STOC 2000, Canetti, Goldreich, Goldwasser, and Micali put forward the strongest notion of zero-knowledge to date, resettable zero-knowledge (RZK) and implemented it in constant rounds in a new model, where the verifier simply has a public key registered before any interaction with the prover. This work explores their new public-key model for zero-knowledge protocols. First, it shows that the...


Impossibility and Feasibility Results for Zero Knowledge with Public Keys

In this paper, we continue the study of the round complexity of black-box zero knowledge in the bare public-key (BPK, for short) model previously started by Micali and Reyzin in [11]. Specifically we show the impossibility of 3-round concurrent (and thus resettable) black-box zero-knowledge argument systems with sequential soundness for non-trivial languages. In light of the previous state-of-the-a...


Concurrent Oblivious Transfer

We consider the problem of designing an efficient oblivious transfer (OT) protocol that is provably secure in a concurrent setting, i.e., where many OT sessions may be running concurrently with their messages interleaved arbitrarily. Known OT protocols use zero-knowledge proofs, and no concurrent zero-knowledge proofs are known that use less than a poly-logarithmic number of rounds (at least wi...


Concurrent/Resettable Zero-Knowledge With Concurrent Soundness in the Bare Public-Key Model and Its Applications

In this paper, we present both practical and general 4-round concurrent and resettable zero-knowledge arguments with concurrent soundness in the bare public-key (BPK) model. To our knowledge, our result is the first work that achieves concurrent soundness for ZK protocols in the BPK model and stands for the current state-of-the-art of concurrent zero-knowledge with setup assumptions. Since the B...


MQ*-IP: An Identity-based Identification Scheme without Number-theoretic Assumptions

In this article, we propose an identification scheme which is based on the two combinatorial problems Multivariate Quadratic equations (MQ) and Isomorphism of Polynomials (IP). We show that this scheme is statistical zero-knowledge. Using a trapdoor for the MQ-problem, it is possible to make it also identity-based, i.e., there is no need for distributing public keys or for certificates within t...


Verifiably Encrypted Signatures with Short Keys Based on the Decisional Linear Problem and Obfuscation for Encrypted VES

Verifiably encrypted signatures (VES) are signatures encrypted by a public key of a trusted third party and we can verify their validity without decryption. This paper proposes a new VES scheme which is secure under the decisional linear (DLIN) assumption in the standard model. We also propose new obfuscators for encrypted signatures (ES) and encrypted VES (EVES) which are secure under the DLIN...




Publication date: 2001