## H.: Resettable Zero-Knowledge in the Weak Public-Key Model (2003)

Venue: In: Advances in Cryptology – Eurocrypt '03. Volume 2045 of Lecture

Citations: 3 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Zhao03h.:resettable,
  author    = {Yunlei Zhao and Xiaotie Deng and C. H. Lee and Hong Zhu},
  title     = {H.: Resettable Zero-Knowledge in the Weak Public-Key Model},
  booktitle = {In: Advances in Cryptology -- Eurocrypt '03. Volume 2045 of Lecture},
  year      = {2003},
  pages     = {123--140},
  publisher = {Springer-Verlag}
}
```

### Abstract

A new public-key model for resettable zero-knowledge (rZK) protocols, named the weak public-key (WPK) model, is introduced; it extends and generalizes the upper-bounded public-key (UPK) model introduced by Micali and Reyzin [EuroCrypt'01, pp. 373–393]. The motivations and applications of the WPK model are justified in the distributed smart-card/server setting, where it seems preferable in practice, especially for E-commerce over the Internet. In this WPK model a 3-round (optimal) black-box resettable zero-knowledge argument with concurrent soundness for NP is presented, assuming the security of RSA with large exponents against subexponential-time adversaries. Our result improves Micali and Reyzin's resettable zero-knowledge argument with concurrent soundness for NP in the UPK model. Note that although Micali and Reyzin's protocol satisfies concurrent soundness in the UPK model, it does not satisfy even sequential soundness in our WPK model. Our protocol works in a somewhat "parallel repetition" manner to reduce the error probability, and the black-box zero-knowledge simulator runs in strict polynomial time rather than expected polynomial time. The critical tools used are: verifiable random functions introduced by Micali, Rabin and Vadhan [FOCS'99, pp. 120–130], zaps presented by Dwork and Naor [FOCS'00, pp. 283–293] and complexity leveraging introduced by Canetti, Goldreich, Goldwasser and Micali [STOC'00, pp. 235–244].

### Citations

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context: ...del, which underlies any public key cryptosystem or digital signature. Resettable zero-knowledge protocols also shed hope on finding ID schemes secure against resetting attack. Feige, Fiat and Shamir [16,14] introduced a paradigm for ID schemes based on the notion of zero-knowledge proof of knowledge. In essence, a prover identifies himself by convincing the verifier of knowing a given secret. Almost all...

628 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context: ...$\Pr[C_{s_u}(1^k, u) = m]$ are both positive then $u = v$ and $s_v = s_u$. A one-round perfect-binding commitment scheme can be constructed based on any one-way permutation [17]. Definition 2 (Pseudorandom Functions PRF [19]). A pseudorandom function family is a keyed family of efficiently computable functions, such that a function picked at random from the family is indistinguishable (via oracle acces...

310 | Zero-knowledge Proof of Identity
- Feige, Fiat, et al.
- 1988
Citation Context: ...del, which underlies any public key cryptosystem or digital signature. Resettable zero-knowledge protocols also shed hope on finding ID schemes secure against resetting attack. Feige, Fiat and Shamir [16,14] introduced a paradigm for ID schemes based on the notion of zero-knowledge proof of knowledge. In essence, a prover identifies himself by convincing the verifier of knowing a given secret. Almost all...

218 | How to Go Beyond the Black-Box Simulation Barrier
- Barak
- 2001
Citation Context: ...al time is necessary for blackbox zero-knowledge simulation in the standard model [6] and the first non-blackbox zero-knowledge argument for NP with strict polynomial time simulation was presented in [1]. (2). Concurrent Soundness We first note that a computational power unbounded prover can easily convince the verifier of a false statement since he can get the VRF SK if his computational power is unbo...

193 | On the Composition of Zero-Knowledge Proof Systems
- Goldreich, Krawczyk
- 1996
Citation Context: ...ed that any (resettable or not) black-box zero-knowledge protocol in public-key models for a language outside of BPP requires at least three rounds (using an earlier result of Goldreich and Krawczyk [20]). For efficient 4-round zero-knowledge protocols for NP, readers are referred to [7]. We also note that 2-round public-coin black-box and concurrent zero-knowledge protocols for NP do exist under the...

190 | Noninteractive zero-knowledge
- Blum, Santis, et al.
- 1991
Citation Context: ...$\xleftarrow{R} \{0,1\}^n : \mathrm{ADV}^{\mathrm{PRF}(\mathrm{PRFKey}, \cdot)} = 1\big] - \Pr\big[F \xleftarrow{R} (\{0,1\}^n)^{\{0,1\}^*} : \mathrm{ADV}^{F(\cdot)} = 1\big]\Big|$ The value $\alpha$ is called the pseudorandomness constant. Definition 3 (non-interactive zero-knowledge NIZK [2,4]). Let NIP and NIV be two probabilistic interactive machines, and let NIσLen be a positive polynomial. We say that ⟨NIP, NIV⟩ is an NIZK proof system for an NP language L, if the following condition...

167 | Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions
- Feige, Lapidot, et al.
- 1999
Citation Context: ...$\xleftarrow{R} \{0,1\}^{\mathrm{NI}\sigma\mathrm{Len}(n)};\ \Pi \xleftarrow{R} \mathrm{NIP}(\sigma, x, y) : (\sigma, \Pi)]$. The value $\alpha$ is called the NIZK constant. Non-interactive zero-knowledge proof systems for NP can be constructed based on any one-way permutation [15] and one-way permutations can be constructed in turn under the RSA assumption [18]. An efficient implementation based on any one-way permutation can be found in [21]. For more recent advances in NIZK read...

159 | Concurrent Zero-Knowledge
- Dwork, Naor, et al.
- 1998
Citation Context: ...executed concurrently in an asynchronous network like the Internet. Actually, rZK is a generalization and strengthening of the notion of concurrent zero-knowledge introduced by Dwork, Naor and Sahai [12]. 1.1 Previous Results Under standard complexity assumptions, non-constant-round resettable zero-knowledge proof for NP was constructed in [8,22] by properly modifying the concurrent zero-knowledge pro...

114 | Non-interactive zero-knowledge and its applications
- Blum, Feldman, et al.
- 1988
Citation Context: ...$\xleftarrow{R} \{0,1\}^n : \mathrm{ADV}^{\mathrm{PRF}(\mathrm{PRFKey}, \cdot)} = 1\big] - \Pr\big[F \xleftarrow{R} (\{0,1\}^n)^{\{0,1\}^*} : \mathrm{ADV}^{F(\cdot)} = 1\big]\Big|$ The value $\alpha$ is called the pseudorandomness constant. Definition 3 (non-interactive zero-knowledge NIZK [2,4]). Let NIP and NIV be two probabilistic interactive machines, and let NIσLen be a positive polynomial. We say that ⟨NIP, NIV⟩ is an NIZK proof system for an NP language L, if the following condition...

112 | On the Concurrent Composition of Zero-Knowledge Proofs
- Richardson, Kilian
Citation Context: ...ndard complexity assumptions, non-constant-round resettable zero-knowledge proof for NP was constructed in [8,22] by properly modifying the concurrent zero-knowledge protocol of Richardson and Kilian [28]. Unfortunately, there are no constant-round rZK protocols in the standard model, at least for the black-box case, as shown by Canetti, Kilian, Petrank and Rosen [9]. To get constant-round resettable...

88 | Black-Box Concurrent Zero-Knowledge Requires (Almost) Logarithmically Many Rounds
- Canetti, Kilian, et al.
- 2002

74 | Resettable Zero-Knowledge
- Canetti, Goldreich, et al.
- 2000
Citation Context: ...nd Micali [STOC'00, pp. 235–244]. 1 Introduction The strongest notion of zero-knowledge to date, resettable zero-knowledge (rZK), was recently put forward by Canetti, Goldreich, Goldwasser and Micali [8]. Roughly speaking, an rZK protocol is an interactive system in which a verifier learns nothing (except for the verity of a given statement) even if he can interact with the prover polynomially many tim...

52 | Verifiable Random Functions
- Micali, Rabin, et al.
- 1999
Citation Context: ...way permutation can be found in [21]. For more recent advances in NIZK readers are referred to [10]. 2.1 Verifiable Random Functions A family of verifiable random functions (VRF), first introduced in [26], is essentially a pseudorandom function family with an additional property that the correct value of a function on an input can not only be computed by the owner of the seed, but also be proven to be...

48 | Unique Signatures and Verifiable Random Functions from the DH-DDH Separation
- Lysyanskaya
- 2002
Citation Context: ...versaries [26]. Very recently, a new construction of VRF was provided by Lysyanskaya on an assumption about groups in which decisional Diffie-Hellman is easy, but computational Diffie-Hellman is hard [23]. We remark that up to now the first application of VRF, as suggested by Micali and Reyzin, is the simple construction of an rZK argument with one-time soundness for NP in the BPK model [24]. Our resu...

44 | Strict Polynomial-time in Simulation and Extraction. Cryptology ePrint Archive
- Barak, Lindell
- 2002
Citation Context: ...We remark that this result does not hold for black-box zero-knowledge in the standard model. Indeed, expected polynomial time is necessary for blackbox zero-knowledge simulation in the standard model [6] and the first non-blackbox zero-knowledge argument for NP with strict polynomial time simulation was presented in [1]. (2). Concurrent Soundness We first note that a computational power unbounded pro...

41 | Zaps and Their Applications
- Dwork, Naor
- 2000
Citation Context: ...zero-knowledge argument with concurrent soundness for NP in the WPK model. 2 Preliminaries In this section, we present some main tools used in this paper. However, one critical tool, the zap presented in [11], is absent from this section and is provided in Section 3 together with the definition of resettable witness indistinguishability. We remark that all these tools can be constructed assuming the secur...

41 | Concurrent and resettable zero-knowledge in poly-logarithm rounds
- Kilian, Petrank
- 2001
Citation Context: ...urrent zero-knowledge introduced by Dwork, Naor and Sahai [12]. 1.1 Previous Results Under standard complexity assumptions, non-constant-round resettable zero-knowledge proof for NP was constructed in [8,22] by properly modifying the concurrent zero-knowledge protocol of Richardson and Kilian [28]. Unfortunately, there are no constant-round rZK protocols in the standard model, at least for the black-box...

36 | Does Parallel Repetition Lower the Error in Computationally Sound Protocols
- Bellare, Impagliazzo, et al.
- 1997
Citation Context: ...al. have proven that for a 3-round argument system, if the verifier has secret information regarding historical transcripts then parallel repetition does not guarantee to reduce the error probability [5]. Note, however, that in our argument protocol the verifier indeed has secret information, the SK. The following proof uses a standard reduction technique. That is, if the above protocol does not sati...

31 | Soundness in the Public-Key Model
- Micali, Reyzin
- 2001
Citation Context: ...troduced an appealingly simple model, the bare public-key (BPK) model, and presented a 5-round rZK argument for NP in this model. The round complexity was further reduced to four by Micali and Reyzin [24]. A protocol in the BPK model simply assumes that all verifiers have deposited a public key in a public file before any interaction among the users. This public file is accessible to all users at all...

28 | Identification protocols secure against reset attacks
- Bellare, Fischlin, et al.
- 2001
Citation Context: ...r, up to the emergence of rZK all the previous Fiat-Shamir like ID schemes fail to be secure whenever the prover is resettable. Using constant-round rZK protocols in the BPK model above, Bellare, et al. [3] provided identification protocols secure against resetting attack. Unfortunately, there is a main disadvantage of this rZK-based solution since it only preserves the identity prover's security but do...

27 | An Efficient Non-Interactive Zero-Knowledge Proof System for NP with General Assumptions
- Kilian, Petrank
- 1998
Citation Context: ...ucted based on any one-way permutation [15] and one-way permutations can be constructed in turn under the RSA assumption [18]. An efficient implementation based on any one-way permutation can be found in [21]. For more recent advances in NIZK readers are referred to [10]. 2.1 Verifiable Random Functions A family of verifiable random functions (VRF), first introduced in [26], is essentially a pseudorandom...

16 | Min-Round Resettable Zero-Knowledge in the Public-Key Model
- Micali, Reyzin
- 2001
Citation Context: ...secret key and $\mathrm{VRFPK}_{id}$ along with the $p(n)$ random strings, $(R_{V_1}, R_{V_2}, \cdots, R_{V_{p(n)}})_{id}$, is its public key. We remark that in comparison with the key generation stage of Micali and Reyzin's protocol [25], the key generation stage of our protocol is greatly simplified. 4.4 The Full Protocol Common input. An element $x \in L \cap \{0,1\}^n$. Denote by $R_L$ the corresponding NP-relation for L. S...

12 | Linear Zero-knowledge: A Note on Efficient Zero-Knowledge Proofs and Arguments
- Cramer, Damgard
- 1997
Citation Context: ...for a language outside of BPP requires at least three rounds (using an earlier result of Goldreich and Krawczyk [20]). For efficient 4-round zero-knowledge protocols for NP, readers are referred to [7]. We also note that 2-round public-coin black-box and concurrent zero-knowledge protocols for NP do exist under the assumption that the prover is resource bounded [13]. Here, resource bounded prover me...

8 | 2-Round Zero-Knowledge and Proof Auditors
- Dwork, Stockmeyer
- 2002
Citation Context: ...ls for NP, readers are referred to [7]. We also note that 2-round public-coin black-box and concurrent zero-knowledge protocols for NP do exist under the assumption that the prover is resource bounded [13]. Here, resource bounded prover means that during protocol execution the prover uses a certain limited amount of (say, a-priori polynomially bounded) time or non-uniform advice. 1.2 Our Contributions In t...

8 | Foundation of Cryptography-Basic Tools
- Goldreich
- 2001
Citation Context: ...r every $v$, $u$ and $m$, if $\Pr[C_{s_v}(1^k, v) = m]$ and $\Pr[C_{s_u}(1^k, u) = m]$ are both positive then $u = v$ and $s_v = s_u$. A one-round perfect-binding commitment scheme can be constructed based on any one-way permutation [17]. Definition 2 (Pseudorandom Functions PRF [19]). A pseudorandom function family is a keyed family of efficiently computable functions, such that a function picked at random from th...

7 | Robust Non-Interactive Zero-Knowledge
- Santis, Crescenzo, et al.
- 2001
Citation Context: ...tions can be constructed in turn under the RSA assumption [18]. An efficient implementation based on any one-way permutation can be found in [21]. For more recent advances in NIZK readers are referred to [10]. 2.1 Verifiable Random Functions A family of verifiable random functions (VRF), first introduced in [26], is essentially a pseudorandom function family with an additional property that the correct va...

7 | Zero-Knowledge with Public Keys
- Reyzin
- 2001
Citation Context: ...ot guarantee to preserve the verifier's security when they are concurrently executed. The various security notions of the verifier in public-key models were first noted and clarified by Micali and Reyzin [24,27]. In public-key models, a verifier V has a secret key SK, corresponding to its public-key PK. A malicious prover P* could potentially gain some knowledge about SK from an interaction with the verifie...