Uni Paderborn Germany Never Trust Victor An alternative resettable zero-knowledge proof system Olaf Müller Michael Nüsken

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (2/35) Universität Paderborn ZK for 3-colorability PaulaVictor

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (3/35) Universität Paderborn Fast ZK for 3-colorability VictorPaula

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (4/35) Universität Paderborn Resettable ZK (1) Canetti, Goldreich, Goldwasser & Micali (1999,2000) ZK Internet: concurrent Smart cards: reset resettable ZK (rZK) Goldreich & Kahan (1996) secret dependencies constant-round resettable WI

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (5/35) Universität Paderborn Resettable ZK (2) bPaulac The resettable machine bPaulac: uses the same algorithm as Paula, contains many copies of Paula, reacts to reset( input i, randonmness j). Paula

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (6/35) Universität Paderborn Resettable ZK (3)Resettable ZK?Resettable WI Secret dependency bPaulac Victor

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (7/35) Universität Paderborn Resettable ZK (4) Canetti, Kilian, Petrank & Rosen (2001) –black-box rZK ¸ (log n) rounds Barak (2001): How to go beyond the black-box simulation barrier +constant round +strictly polynomial time simulation –only bounded-concurrency ZK –only computationally sound Richardson & Kilian (1999) concurrent n, CGGM (1999,2000) resettable, Kilian, Petrank & Richardson (2001) preliminary phase (FLS-paradigm) prove only: improbable preliminary phase OR original statement O(log(n) 2 u(n)) round concurrent ZK, even rZK

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (8/35) Universität Paderborn The Problem reset

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (9/35) Universität Paderborn Folklore Bit Commitment meantime (e,s) Problem: Can Victor learn (e,s) in the meantime? Paula(q,h,Y) E = Y e h s Victor e

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (10/35) Universität Paderborn Better Bit Commitment (q,h,Y) E = Y e h s B = Y b h t c Repeat until convinced (b,t) meantime (e,s) bPaulac Victor e If c = 0: Open B, i.e. send (b,t) If c = 1, b = e: Open E/B, i.e. send (0,s-t) If c = 1, b e: Open E B, i.e. send (1,s+t)

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (11/35) Universität Paderborn c (q,h,Y) Repeat until convinced meantime bPaulac Victor Better Bit Commitment be b e e b = b + ce

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (12/35) Universität Paderborn Our solution !8

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (13/35) Universität Paderborn Sams Success Provided Sam succeeds: Simulated preambles are perfectly indistinguishable from ideal ones. The faked transcript is computationally indistinguishable from an honest one. L 2 /2 rounds, running time O(L 4 poly(n)).

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (14/35) Universität Paderborn Knowledgeable Does Victor know a decommitment? NEVER TRUST VICTOR: require a proof of knowledge! A bit commitment is knowledgeable if it guarantees that the sender knows the content.

Olaf Müller, Michael Nüsken: Never trust Victor. 12. Februar 2014 (15/35) Universität Paderborn Resettable ZK for G3C