## On Deniability in the Common Reference String and Random Oracle Model (2003)

Venue: In proceedings of CRYPTO ’03, LNCS series

Citations: 54 (5 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Pass03ondeniability,
  author    = {Rafael Pass},
  title     = {On Deniability in the Common Reference String and Random Oracle Model},
  booktitle = {In proceedings of CRYPTO ’03, LNCS series},
  year      = {2003},
  pages     = {316--337},
  publisher = {Springer-Verlag}
}
```

### Abstract

We revisit the definitions of zero-knowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zero-knowledge definition, they lose some of its spirit. In particular, we show that there exists a specific natural security property that is not captured by these definitions: the property of deniability. We formally define the notion of deniable zero-knowledge in these models and investigate the possibility of achieving it. Our results differ for the two models:

- Concerning the CRS model, we rule out the possibility of achieving deniable zero-knowledge protocols in “natural” settings where such protocols cannot already be achieved in the plain model.
- In the RO model, on the other hand, we construct an efficient 2-round deniable zero-knowledge argument of knowledge that preserves both the zero-knowledge property and the proof-of-knowledge property under concurrent executions (concurrent zero-knowledge and concurrent proof of knowledge).

### Citations

- **Random Oracles are Practical: A Paradigm for Designing Efficient Protocols**. Bellare, Rogaway, 1995. (1418 citations)
  Context: ...ent and secure schemes in the standard model. Stronger models, such as the Common Reference String (CRS) model [5], where a random string is accessible to the players, or the Random Oracle (RO) model [2], where a random function is accessible through oracle calls to the players, were therefore introduced to handle even those applications. Recently the CRS model has been extensively used in interactiv...

- **The Knowledge Complexity of Interactive Proof Systems**. Goldwasser, Micali, et al. (1080 citations)
  Context: ...f knowledge). 1 Introduction. Zero-knowledge proofs, i.e., interactive proofs that yield no other knowledge than the validity of the assertion proved, were introduced by Goldwasser, Micali and Rackoff [26] in 1982. Intuitively, the verifier of a zero-knowledge proof should not be able to do anything it could not have done before the interaction. Knowledge, thus, in this context means the ability to per...

- **How to prove yourself: Practical solutions to identification and signature problems**. Fiat, Shamir, 1987. (881 citations)
  Context: ...first running the simulator. This feature has made zero-knowledge a very powerful and useful tool for proving the security of cryptographic protocols. For some applications, such as signature schemes [18] [39], voting systems, non-interactive zero-knowledge [5] [25], concurrent zero-knowledge [14], [9] etc., it however seems hard, or is even impossible, to achieve efficient and secure schemes in the s...

- **A pseudorandom generator from any one-way function**. Hastad, Impagliazzo, et al., 1999. (750 citations)
  Context: ...ark 3. The existence of statistically binding commitment schemes that are non-uniformly computationally hiding is implied by the existence of non-uniform one-way functions by combining the results of [29] and [33]. Remark 4. We note that we do not show that the coin-tossing protocol in phase one is simulatable. Indeed, for our construction to work we simply have to show that the output of the coin-tos...

- **Universally composable security: A new paradigm for cryptographic protocols**. Canetti, 2001. (666 citations)
  Context: ...acle calls to the players, were therefore introduced to handle even those applications. Recently the CRS model has been extensively used in interactive settings to prove universal composability (e.g. [6] [7] [10]). We note that an important part of the intuition behind zero-knowledge is lost in these two models in a multi-party scenario, if the CRS string or the random oracle may be reused. An easy w...

- **How to construct random functions**. Goldreich, Goldwasser, et al., 1986. (662 citations)
  Context: ...S string. However, the computational case, which is the relevant one when considering cryptographic applications, seems more complicated. The existence of the powerful tool of pseudo-random functions [21] has shown that in some applications an object with low entropy (the seed to the pseudorandom function) can be used to “simulate” the behavior of a high-entropy object (namely a random function). It, ...

- **How to Play Any Mental Game or a Completeness Theorem for Protocols with Honest Majority**, STOC ’87. Goldreich, Micali, et al. (537 citations)
  Context: ...protocol [4] can be used to generate a pseudo-random string. The interesting part of the proof is that we show this without resorting to the standard simulation-based definition of secure computation [24]. Previously, the only known constant-round coin-tossing protocol for generating a “random” string (and not a bit) is the protocol of Lindell [31] which relies on zero-knowledge proofs and is therefor...

- **Undeniable signatures**. Chaum, Antwerpen, 1990. (525 citations)
  Context: ...t non-interactive zero-knowledge [13]. In this paper we examine the problem in the more general interactive setting. Deniable Zero-knowledge. In many interactive protocols (e.g. undeniable signatures [11], or deniable authentication [14]) it is essential that the transcript of the interaction does not yield any evidence of the interaction. We say that such protocols are deniable. We use the standard...

- **Proofs that Yield Nothing but their Validity or All Languages in NP have Zero-Knowledge Proof Systems**. Goldreich, Micali, et al., 1991. (389 citations)
  Context: ... tool, in section 4.2 we construct a one-round straight-line witness-extractable zero-knowledge argument for Graph-3-Coloring in the RO model, by implementing the commitment scheme in the GMW protocol [23] with straight-line extractable commitments and thereafter applying the Fiat-Shamir transformation [18] [2] to “collapse” it down to a one-round zero-knowledge argument in the RO model (see Lemma 6). S...

- **Efficient identification and signatures for smart cards**. Schnorr, 1990. (323 citations)
  Context: ..., the HVZK argument can be tailored for the function to get an efficient implementation. Examples of such protocols are the Guillou-Quisquater scheme [28] for the RSA function, and the Schnorr scheme [38] for the discrete logarithm. Let the witness relation RL′, where (x, y) ∈ RL′ if f(x) = y, characterize the language L′. Let RO : {0, 1}^poly(n) → {0, 1}^poly(n) be a random oracle, and the langua...

- **Universal one-way hash functions and their cryptographic applications**. Naor, Yung, 1989. (321 citations)
  Context: ...protocols, the standard definitions (that do not guarantee deniability) can in some cases be sufficient. For example in the construction of encryption schemes secure against chosen-ciphertext attacks [34], zero-knowledge protocols that do not satisfy deniability have been successfully used as sub-protocols. 2 (Looking ahead, the notion “unreplayability” introduced in section 1.1 is another example whe...

- **Security Arguments for Digital Signatures and Blind Signatures**. Pointcheval, Stern. (299 citations)
  Context: ... running the simulator. This feature has made zero-knowledge a very powerful and useful tool for proving the security of cryptographic protocols. For some applications, such as signature schemes [18] [39], voting systems, non-interactive zero-knowledge [5] [25], concurrent zero-knowledge [14], [9] etc., it however seems hard, or is even impossible, to achieve efficient and secure schemes in the standa...

- **Foundations of Cryptography: Basic Tools**. Goldreich, 2000. (277 citations)
  Context: ...e RO model (see [2]), Zero-knowledge in the CRS model, Witness relations, Commitment schemes, Hard instance ensembles, Witness Indistinguishability (WI), Witness Hiding (WH), Proofs of knowledge (see [19] for definitions), Special soundness (see [12]), Concurrent zero-knowledge (see [20] for a survey). Formal definitions are given in the full paper. 2 ZK in the CRS/RO Model Implies WH and WI. In this s...

- **The random oracle methodology, revisited**. Canetti, Goldreich, et al., 1998. (255 citations)
  Context: ... transformation would be to substitute the random oracle with a (hash) function chosen from a class of functions according to the CRS string [2]. However, it was shown by Canetti, Goldreich and Halevi [8] that there exist schemes for which every transformation of this type results in an insecure scheme. The question of the existence of other (more complicated) transformations has, nevertheless, remai...

- **Bit commitment using pseudorandomness**. Naor, 1991. (244 citations)
  Context: ...e existence of statistically binding commitment schemes that are non-uniformly computationally hiding is implied by the existence of non-uniform one-way functions by combining the results of [29] and [33]. Remark 4. We note that we do not show that the coin-tossing protocol in phase one is simulatable. Indeed, for our construction to work we simply have to show that the output of the coin-tossing is p...

- **A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and** (title truncated in source). Guillou, Quisquater, 1988. (204 citations)
  Context: ...wever, that if a specific one-way function is used, the HVZK argument can be tailored for the function to get an efficient implementation. Examples of such protocols are the Guillou-Quisquater scheme [28] for the RSA function, and the Schnorr scheme [38] for the discrete logarithm. Let the witness relation RL′, where (x, y) ∈ RL′ if f(x) = y, characterize the language L′. Let RO : {0, 1}^poly(n) →...

- **Noninteractive zero-knowledge**. Blum, DeSantis, et al., 1991. (197 citations)
  Context: ...have done before. In the non-interactive setting, this problem has led to the definition of non-malleable non-interactive zero-knowledge [37], and very recently robust non-interactive zero-knowledge [13]. In this paper we examine the problem in the more general interactive setting. Deniable Zero-knowledge. In many interactive protocols (e.g. undeniable signatures [11], or deniable authentication [1...

- **On the composition of zero-knowledge proof systems**. Goldreich, Krawczyk, 1996. (195 citations)
  Context: ...for the language L, then L ∈ BPP. Proof. It is clear from the construction that the transformation in section 3.1 preserves the public-coin property of the protocol. Now, since Goldreich and Krawczyk [22] have shown the impossibility of non-trivial constant-round black-box public-coin zero-knowledge arguments, L ∈ BPP. ✷ As a sanity check to the definition we also note the impossibility of non-trivial ...

- **Multiple non-interactive zero knowledge proofs under general assumptions**. Feige, Lapidot, et al., 1999. (175 citations)
  Context: ... efficient prover for RL. Then Π is witness indistinguishable for RL in the CRS/RO model. Remark 2. The lemma was proven for the plain model in [16], and for non-interactive proofs in the CRS model in [15]. We note that in the case of WH, the proof of the lemma is a straightforward adaptation of the proof in the plain model [16], but concerning WI such a simple adaptation can no longer be done, as was...

- **Witness indistinguishable and witness hiding protocols**. Feige, Shamir, 1990. (173 citations)
  Context: ...ge proof (argument), in the CRS/RO model, for the language L. Then, for all witness relations RL for L, Π is witness hiding in the CRS/RO model. Remark 1. The lemma was proven for the plain model in [16]. Lemma 2. Let the language L ∈ NP, RL be a witness relation for L, and Π be a zero-knowledge proof (argument) in the CRS/RO model for L with efficient prover for RL. Then Π is witness indistinguisha...

- **Concurrent zero knowledge**. Dwork, Naor, et al., 1998. (172 citations)
  Context: ...ool for proving the security of cryptographic protocols. For some applications, such as signature schemes [18] [39], voting systems, non-interactive zero-knowledge [5] [25], concurrent zero-knowledge [14], [9] etc., it however seems hard, or is even impossible, to achieve efficient and secure schemes in the standard model. Stronger models, such as the Common Reference String (CRS) model [5], where a r...

- **Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security**. Sahai, 1999. (161 citations)
  Context: ...eferring to the CRS string or the random oracle, it could not have done before. In the non-interactive setting, this problem has led to the definition of non-malleable non-interactive zero-knowledge [37], and very recently robust non-interactive zero-knowledge [13]. In this paper we examine the problem in the more general interactive setting. Deniable Zero-knowledge. In many interactive protocols (e....

- **Universally composable commitments**. Canetti, Fischlin, 2001. (151 citations)
  Context: ...ling out the use of the ideal CRS functionality and other functionalities that model public information. However, since the plain model is too weak to construct even universally composable commitments [7], some extra set-up assumptions need to be incorporated into the security definitions, in such a way that the simulator can be run by the parties themselves. For example, if incorporating a CRS string...

- **Designated verifier proofs and their applications**. Jakobsson, Sako, et al., 1996. (144 citations)
  Context: ...iming model of [14], or the on-line/off-line model of [35], that do not suffer from problems with deniability. We also note that in a public-key model, methods similar to those of designated verifiers [30] can be used to successfully implement non-trivial zero-knowledge protocols that are deniable. Indeed, the method of designated verifier shows how to convert zero-knowledge protocols that are not deni...

- **How to prove a theorem so no one else can claim it**. Blum, 1986. (126 citations)
  Context: ...Such argument systems exist for every one-way function, by reducing the one-way function to an instance of the graph Hamiltonicity problem, using Cook’s theorem, and thereafter using Blum’s protocol [3]. We emphasize, however, that if a specific one-way function is used, the HVZK argument can be tailored for the function to get an efficient implementation. Examples of such protocols are the Guillou-...

- **Non-interactive zero-knowledge and its applications**. Blum, Feldman, et al., 1988. (122 citations)
  Context: ...owledge a very powerful and useful tool for proving the security of cryptographic protocols. For some applications, such as signature schemes [18] [39], voting systems, non-interactive zero-knowledge [5] [25], concurrent zero-knowledge [14], [9] etc., it however seems hard, or is even impossible, to achieve efficient and secure schemes in the standard model. Stronger models, such as the Common Refere...

- **Definitions and Properties of Zero-Knowledge Proof Systems**. Goldreich, Oren, 1994. (117 citations)
  Context: ...dge a very powerful and useful tool for proving the security of cryptographic protocols. For some applications, such as signature schemes [18] [39], voting systems, non-interactive zero-knowledge [5] [25], concurrent zero-knowledge [14], [9] etc., it however seems hard, or is even impossible, to achieve efficient and secure schemes in the standard model. Stronger models, such as the Common Reference S...

- **Zero Knowledge Proofs of Knowledge in Two Rounds**. Feige, Shamir, 1989. (108 citations)
  Context: ...K) public-coin argument. We here briefly outline the construction. Outline of the Construction of 2-round Deniable ZK Arguments. On a very high level the protocol follows the paradigm of Feige-Shamir [17]. The verifier starts by sending a “challenge” and a witness hiding proof of knowledge of the answer to the challenge, to the prover. The prover thereafter shows using a WI argument that either it has ...

- **Black-box concurrent zero-knowledge requires (almost) logarithmically many rounds**. Canetti, Kilian, et al., 2003. (95 citations)
  Context: ...r proving the security of cryptographic protocols. For some applications, such as signature schemes [18] [39], voting systems, non-interactive zero-knowledge [5] [25], concurrent zero-knowledge [14], [9] etc., it however seems hard, or is even impossible, to achieve efficient and secure schemes in the standard model. Stronger models, such as the Common Reference String (CRS) model [5], where a random...

- **Coin flipping by telephone**. Blum, 1982. (92 citations)
  Context: ...r requirement of deniability. Proofs of Protocol Security without the Simulation Paradigm. In the proof of Lemma 3 (in section 3.1) we show that a parallelized version of Blum’s coin-tossing protocol [4] can be used to generate a pseudo-random string. The interesting part of the proof is that we show this without resorting to the standard simulation-based definition of secure computation [24]. Previo...

- **Parallel coin-tossing and constant-round secure two-party computation**. Lindell. (79 citations)
  Context: ...ard simulation-based definition of secure computation [24]. Previously, the only known constant-round coin-tossing protocol for generating a “random” string (and not a bit) is the protocol of Lindell [31] which relies on zero-knowledge proofs and is therefore not practical. (The protocol of Lindell is, however, simulatable.) More details can be found in the full version. 1.6 Preliminaries. Due to lack ...

- **Bounded-concurrent secure two-party computation without setup assumptions**. Lindell, 2003. (48 citations)
  Context: ... in the framework, methods similar to those of designated verifier [30] could possibly be used to achieve universally composable deniable zero-knowledge. An altogether different approach was taken in [32] [36] where it is shown how to realize the ideal zero-knowledge functionality without resorting to set-up assumptions (such as a CRS string), by trading universal composability for the weaker notion o...

- **Strict Polynomial-time in Simulation and Extraction**. Barak, Lindell. (47 citations)
  Context: ...s later been used to show black-box impossibility results in the case of constant-round concurrent zero-knowledge [9], and very recently in the case of strict polynomial time simulatable zero-knowledge [1]. On a high level, the Goldreich-Krawczyk method is a constructive reduction from a machine deciding the language L to a simulator of the zero-knowledge argument. That is, the existence of a simulator ...

- **Simulation in quasi-polynomial time, and its application to protocol composition**. Pass, 2003. (41 citations)
  Context: ...he question of deniability). 1.3 Other Models. We mention briefly that there are other models that are stronger than the plain model, such as the timing model of [14], or the on-line/off-line model of [35], that do not suffer from problems with deniability. We also note that in a public-key model, methods similar to those of designated verifiers [30] can be used to successfully implement non-trivial zer...

- **A signature scheme as secure as the Diffie-Hellman problem**. Goh, Jarecki, 2003. (30 citations)
  Context: ...ght security reductions for non-interactive proofs of knowledge. Standard extraction techniques for non-interactive proofs of knowledge in the RO model [39] result in “loose” security reductions (see [27] for a discussion). 4 Using straight-line extraction, on the other hand, we obtain a linear and optimal security reduction. We mention that this technique can be used also for standard zero-knowledge ...

- **Universally Composable Two-Party and Multi-Party Computation**. Canetti, Lindell, et al. (5 citations)
  Context: ...ls to the players, were therefore introduced to handle even those applications. Recently the CRS model has been extensively used in interactive settings to prove universal composability (e.g. [6] [7] [10]). We note that an important part of the intuition behind zero-knowledge is lost in these two models in a multi-party scenario, if the CRS string or the random oracle may be reused. An easy way of see...

- **Zero-knowledge twenty years after their invention**. Goldreich. (2 citations)
  Context: ... schemes, Hard instance ensembles, Witness Indistinguishability (WI), Witness Hiding (WH), Proofs of knowledge (see [19] for definitions), Special soundness (see [12]), Concurrent zero-knowledge (see [20] for a survey). Formal definitions are given in the full paper. 2 ZK in the CRS/RO Model Implies WH and WI. In this section, we show two lemmas concerning the witness hiding (WH) and witness indistingu...