IdentityBased ZeroKnowledge

1
Identity-Based Zero-Knowledge
Jonathan Katz Rafail Ostrovsky
Michael Rabin U. Maryland U.C.L.A.
Harvard U.
2
History recall original ZK motivation of GMR

• Prover can interactively convince verifier that x
  is in L
• Later, verifier can not convince someone else
• This prevents off-line plagiarism (i.e. Verifier
  later claiming the proof as his own).

3
What about on-line Adv?

• Verifier can play man-in-the-middle
• Handled by the designated verifier proofs
• Jackobson,Sako, Impagliazzo, others
• This LIMITS the dissemination of proofs!

4
What we want

• To publish the proofs as widely as possible with
  the authors names
• Prevent plagiarism
• So, why not use NIZK?

5
NIZK reminder BFM

• Common reference string (R.S.)
• Prover sends a single message
• Its transferable
• Its ZK
• Can simulate the same view BDPM
• Can simulate with the same R.S. DDOPS

6
So are we done?

• Any verifier can take a NIZK proof, and either
• change it a bit, but still keep it valid or
• (The first point can be addressed with
  non-malleable NIZK DDNSDDPOS)
• claim it as his own and simply copy

7
Non-Malleable NIZK

• Non-malleability DDN can not constructed
  related encrypted msg
• Non-malleability for NIZK SDDOPS whatever
  the verifier can prove after seeing a prove, it
  can do without seeing the proof
• Technical points
• (1) generation of CRS
• (2) 1 thm vs. many theorems
• (3) adaptivity
• (4) adv. challenges and the guarantees
• So, use the strongest def, are we done?

8
What is the def. of preventing plagiarism?

• You have an NP theorem and a witness
• You want is transferable
• You have your name (id) as part of it
• Want to bind the proof to your name (id) such
  that nobody can change the proof to a different
  id

9
ID-ZK

• This talk we concentrate on NIZK (but the notion
  applies to interactive setting as well)
• A new notion NIZK with extractable identity
• Prover(id,x,w,CRS) ? proof
• 2 public algs
• check correctness
• extract id from proof
• ZK for all x in L, and all id, can generate comp
  indist. View. (1 thm or multiple thms).
• Sound (w.h.p. can not cheat)

10
Security of ID-ZK

• Sound
• Can not change identities
• Informally no poly-time Adv. Can take one or
  several ID-ZK proofs, and construct a proof for a
  new id of an interesting theorem
• Interesting ? something can Adv. Could not do
  without any help.

11
Security of ID-ZK (cont.)

• NIZK with extractable identity is ID-ZK if
• Adv asks for ID-ZK proofs of different theorems,
  and different ids
• Adv comes up with a proof of a thm with a new id
• Simulator can output comp. indist. Distribution
  of thms with new id without any ID-ZK proofs.
• again several variants of what Adv can ask, the
  strongest is simulation-soundness

12
Remarks about the model

• PK-infrastructure does it help? (i.e. what if
  the prover signs his proof?)
• No, the adv can just get rid of the signature and
  substitute his own!

13
Remarks about the model (cont.)

• NIZK with a single random string what does
  security mean? (since simulator must have a
  trapdoor info)
• The point is that we can do the proof without the
  trapdoor if there is an adv who can cheat, the
  proof implies that we can use it to derive the
  contradiction!

14
How easy is it to construct?

• Also, what is the connection to NIZK in the
  non-interactive setting?

15
Why not use non-mall NIZK?

• Claim 1 there exists non-malleable NIZK proofs
  which are not ID-ZK.
• Claim2 there exists ID-ZK NIZK proofs that are
  not non-malleable NIZK.

16
Why not use non-mall NIZK?

• Claim 1 there exists non-malleable NIZK proofs
  which are not ID-ZK.
• Standard non-mall NIZK do not have any ID. I can
  simply copy the proof and claim it as my own
• Remark DDN showed how with IDs non-mall NIZK
  is easier to build, this is different!

17
Why not use non-mall NIZK?

• Claim2 there exists ID-ZK proofs that are not
  non-malleable.
• Proof idea take ID-ZK proof, where we attach the
  first (undetermined) bit. This is malleable, but
  can still be shown to be ID-ZK!

18
ID-ZK are closely related to non-mall NIZK

• Claim 3 assuming any non-mall NIZK we can
  construct ID-ZK NIZK.
• Claim 4 assuming any ID-ZK NIZK, we can
  construct non-mall NIZK

19
ID-ZK are closely related to non-mall NIZK

• Claim 3 assuming any non-mall NIZK we can
  construct ID-ZK
• given (x,w,id) we construct ID-ZK as follows
• Define langue L(x,id) either x in L or (a new
  portion) of CRS is a commitment to id.
• Send is ID-ZK (id, non-mall-NIZK for L).
• Intuition if can create new id, violates
  non-malleability!

20
ID-ZK are closely related to non-mall NIZK

• Claim 4 assuming any ID-ZK we can construct
  non-mall NIZK
• Proof idea use as ID a signature public-key,
  i.e. id PK.
• Let B id-zk(id,x in L)
• Send (id B signpk(B))
• Note same proof-structure works for interactive
  case.

21
CONCLUSIONS

• Many previous works (including DDN) used
  identities in constructions but this is the first
  formal definition of binding names to proofs.
• Our definition is the most interesting part,
  seems to be a useful building block.
• What about application-specific efficient
  implementations?