1
Identity-Based Zero-Knowledge
Jonathan Katz (U. Maryland), Rafail Ostrovsky (U.C.L.A.), Michael Rabin (Harvard U.)
2
History: recall original ZK motivation of GMR
• Prover can interactively convince verifier that x is in L
• Later, the verifier cannot convince someone else
• This prevents off-line plagiarism (i.e. the verifier later claiming the proof as his own).
3
What about an on-line adversary?
• The verifier can play man-in-the-middle
• Handled by “designated verifier proofs” [Jakobsson, Sako, Impagliazzo] and others
• This LIMITS the dissemination of proofs!
4
What we want…
• To publish the proofs as widely as possible, with the authors' names
• Prevent plagiarism
• So, why not use NIZK?
5
NIZK reminder [BFM]
• Common reference string (R.S.)
• Prover sends a single message
• It's transferable
• It's ZK:
– Can simulate the same view [BDPM]
– Can simulate with the same R.S. [DDOPS]
6
So are we done?
• Any verifier can take a NIZK proof and either
– change it a bit, but still keep it valid, or
– claim it as his own and simply copy it
• (The first point can be addressed with non-malleable NIZK [DDN][S][DDOPS])
7
Non-Malleable NIZK
• Non-malleability [DDN]: “cannot construct a related encrypted message”
• Non-malleability for NIZK [S][DDOPS]: “whatever the verifier can prove after seeing a proof, it can do without seeing the proof”
Technical points:
• (1) generation of CRS;
• (2) 1 thm vs. many theorems;
• (3) adaptivity;
• (4) adv. challenges and the guarantees
• So, if we use the strongest definition, are we done?
8
What is the def. of preventing plagiarism?
• You have an NP theorem and a witness
• You want it to be transferable
• You have your name (id) as part of it…
• Want to “bind” the proof to your name (id) such that nobody can change the proof to a different id’
9
ID-ZK
• In this talk we concentrate on NIZK (but the notion applies to the interactive setting as well)
• A new notion: NIZK with extractable identity:
• Prover(id, x, w, CRS) → proof
• 2 public algorithms:
– check correctness
– extract id from the proof
• ZK: for all x in L and all id, can generate a computationally indistinguishable view (1 theorem or multiple theorems).
• Sound (w.h.p. cannot “cheat”)
10
Security of ID-ZK
• Sound
• Can not change identities
• Informally: no poly-time adversary can take one or several ID-ZK proofs and construct a proof, for a new id, of an “interesting” theorem
• “Interesting”: something the adversary could not do without any help.
11
Security of ID-ZK (cont.)
• NIZK with extractable identity is ID-ZK if:
• Adv asks for ID-ZK proofs of different theorems, and different id’s
• Adv comes up with a proof of a thm with a new id
• A simulator can output a computationally indistinguishable distribution of theorems with the new id without seeing any ID-ZK proofs.
• Again, several variants of what the adversary can ask; the strongest is simulation-soundness
12
Remarks about the model
• PK infrastructure – does it help? (i.e. what if the prover “signs” his proof?)
• No, the adversary can just get rid of the signature and substitute his own!
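An added example (not from the talk, and not the construction of Claim 3 later in the deck) of the syntax on the ID-ZK slide, Prover(id, x, w, CRS) → proof with public check and id-extraction algorithms, and of the remark above that a name merely attached to a proof can be detached. The statement is knowledge of a discrete log x = G^w, the proof is a textbook Fiat-Shamir Schnorr proof, and the prover's id is hashed into the challenge, so relabelling the proof with another id breaks verification; the bind=False variant appends the id outside the proof and shows that such a label survives being swapped. The group parameters, the CRS string and the ids are constructed for the example (the group is far too small for real use), and the simulator side of ZK is not shown.

```python
"""Toy NIZK with an extractable identity (added example, not the talk's scheme)."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17)  # deterministic Miller-Rabin bases below 3.4e14


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 341,550,071,728,321."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int) -> tuple:
    """First odd q >= start with q and p = 2q + 1 both prime; returns (p, q, g)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    # 4 = 2^2 is a quadratic residue mod p, hence generates the order-q subgroup.
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group(1 << 46)  # constructed ~47-bit toy group: demo only


def _hash_to_int(*parts: bytes) -> int:
    """Length-prefixed SHA-256 over all parts, so distinct inputs never collide by framing."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return int.from_bytes(h.digest(), "big")


def _challenge(crs: bytes, id_: bytes, x: int, t: int) -> int:
    return _hash_to_int(crs, id_, x.to_bytes(8, "big"), t.to_bytes(8, "big")) % Q


def keygen() -> tuple:
    """Statement x = G^w and the witness w the prover knows."""
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), w


def prove(crs: bytes, id_: bytes, x: int, w: int, bind: bool = True) -> dict:
    """Prover(id, x, w, CRS) -> proof.  bind=True hashes the id into the challenge;
    bind=False only appends it, like a detachable signature on the proof."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    e = _challenge(crs, id_ if bind else b"", x, t)
    return {"id": id_, "t": t, "s": (r + e * w) % Q}


def extract_id(proof: dict) -> bytes:
    """Public id-extraction algorithm: the id is carried in the proof."""
    return proof["id"]


def verify(crs: bytes, x: int, proof: dict, bind: bool = True) -> bool:
    """Public check G^s == t * x^e, with e recomputed from the extracted id."""
    e = _challenge(crs, extract_id(proof) if bind else b"", x, proof["t"])
    return pow(G, proof["s"], P) == proof["t"] * pow(x, e, P) % P


def relabel(proof: dict, new_id: bytes) -> dict:
    """The plagiarism attempt from the slides: keep the proof, swap the name."""
    return {**proof, "id": new_id}


def demo() -> dict:
    crs = b"constructed common reference string"  # constructed sample CRS
    x, w = keygen()
    bound = prove(crs, b"alice", x, w)
    loose = prove(crs, b"alice", x, w, bind=False)
    return {
        "bound_ok": verify(crs, x, bound),
        "bound_relabelled_ok": verify(crs, x, relabel(bound, b"mallory")),
        "loose_ok": verify(crs, x, loose, bind=False),
        "loose_relabelled_ok": verify(crs, x, relabel(loose, b"mallory"), bind=False),
        "tampered_ok": verify(crs, x, {**bound, "s": (bound["s"] + 1) % Q}),
        "extracted": extract_id(bound),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")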
13
Remarks about the model (cont.)
• NIZK with a single random string – what does security mean? (since simulator must have a trapdoor info)
• The point is that we can do the proof without the trapdoor – if there is an adversary who can cheat, the proof implies that we can use it to derive a contradiction!
14
How easy is it to construct?
Also, what is the connection to NIZK in the non-interactive setting?
15
Why not use non-mall NIZK?
• Claim 1: there exist non-malleable NIZK proofs which are not ID-ZK.
• Claim 2: there exist ID-ZK NIZK proofs that are not non-malleable NIZK.
16
Why not use non-mall NIZK?
• Claim 1: there exist non-malleable NIZK proofs which are not ID-ZK.
• Standard non-malleable NIZK do not carry any ID. I can simply copy the proof and claim it as my own.
• Remark: [DDN] showed that with IDs non-malleable NIZK is easier to build; this is different!
17
Why not use non-mall NIZK?
• Claim 2: there exist ID-ZK proofs that are not non-malleable.
• Proof idea: take an ID-ZK proof and attach a first (undetermined) bit. This is malleable, but can still be shown to be ID-ZK!
18
ID-ZK is closely related to non-malleable NIZK
• Claim 3: assuming any non-mall NIZK we can construct ID-ZK NIZK.
• Claim 4: assuming any ID-ZK NIZK, we can construct non-mall NIZK
19
ID-ZK is closely related to non-malleable NIZK
• Claim 3: assuming any non-malleable NIZK we can construct ID-ZK
• Given (x, w, id) we construct an ID-ZK proof as follows:
• Define the language L′(x, id): “either x is in L or (a new portion of) the CRS is a commitment to id”.
• The ID-ZK proof sent is (id, non-malleable NIZK for L′).
• Intuition: if the adversary can create a proof for a new id, this violates non-malleability!
20
ID-ZK is closely related to non-malleable NIZK
• Claim 4: assuming any ID-ZK we can construct non-malleable NIZK
• Proof idea: use a signature public key as the ID, i.e. id = PK.
• Let B = id-zk(id, x in L)
• Send (id; B; sign_pk(B))
• Note: the same proof structure works for the interactive case.
21
CONCLUSIONS
• Many previous works (including DDN) used identities in constructions, but this is the first formal definition of binding names to proofs.
• Our definition is the most interesting part; it seems to be a useful building block.
• What about application-specific efficient implementations?