On Constant-Round Concurrent Zero-Knowledge from a Knowledge Assumption
In this work, we consider the long-standing open question of constructing
constant-round concurrent zero-knowledge protocols in the plain model.
Resolving this question is known to require non-black-box techniques.
We consider non-black-box techniques for zero-knowledge based on knowledge
assumptions, a line of thinking initiated by the work of Hada and Tanaka
(CRYPTO 1998). Prior to our work, it was not known whether knowledge
assumptions could be used for achieving security in the concurrent setting, due
to a number of significant limitations that we discuss here. Nevertheless, we
obtain the following results:
1. We obtain the first constant-round concurrent zero-knowledge argument for
NP in the plain model based on a new variant of the knowledge of exponent
assumption. Furthermore, our construction avoids the inefficiency inherent in
previous non-black-box techniques such as those of Barak (FOCS 2001); we
obtain our result through an efficient protocol compiler.
2. Unlike Hada and Tanaka, we do not require a knowledge assumption to argue
the soundness of our protocol. Instead, we use a discrete log like assumption,
which we call Diffie-Hellman Logarithm Assumption, to prove the soundness of
our protocol.
3. We give evidence that our new variant of knowledge of exponent assumption
is in fact plausible. In particular, we show that our assumption holds in the
generic group model.
4. Knowledge assumptions are especially delicate assumptions whose
plausibility may be hard to gauge. We give a novel framework to express
knowledge assumptions in a more flexible way, which may allow for formulation
of plausible assumptions and exploration of their impact and application in
cryptography.
Comment: 30 pages, 3 figures
Constant-Round Concurrent Zero-Knowledge From Falsifiable Assumptions
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: Roughly speaking, that Micali's non-interactive CS-proofs are sound for languages in
A Tutorial on Concurrent Zero Knowledge
In this tutorial, we provide a brief overview of Concurrent Zero Knowledge and next present a simple proof of the existence of Concurrent Zero-knowledge arguments for NP based on one-way permutations.
Random Walks and Concurrent Zero-Knowledge
The established bounds on the round-complexity of (black-box) concurrent zero-knowledge (cZK) consider adversarial verifiers with complete control over the scheduling of messages of different sessions. Consequently, such bounds only represent a case study of concurrent schedules, forcing rounds for protocol sessions. What happens in average cases against random schedules? Must all sessions still suffer a large number of rounds?
Rosen and Shelat first considered such a possibility, and constructed a cZK protocol that adjusts its round-complexity based on existing network conditions. While they provide experimental evidence for its average-case performance, no provable guarantees are known.
In general, a proper framework for studying and understanding the average-case schedules for cZK is missing. We present the first theoretical framework for performing such average-case studies. Our framework models the network as a stochastic process where a new session is opened with probability or an existing session receives the next message with probability ; the existing session can be chosen either in a first-in-first-out (FIFO) or last-in-first-out (LIFO) order. These two orders are fundamental and serve as good upper and lower bounds for other simple variations.
We also develop methods for establishing provable average-case bounds for cZK in these models. The bounds in these models turn out to be intimately connected to various properties of one-dimensional random walks that reflect at the origin. Consequently, we establish new and tight asymptotic bounds for such random walks, including: expected rate of return-to-origin, changes of direction, and concentration of positive movements. These results may be of independent interest.
Our analysis shows that the Rosen-Shelat protocol is highly sensitive to even moderate network conditions, resulting in a large fraction of non-optimal sessions. We construct a more robust protocol by generalizing the footer-free condition of Rosen-Shelat which leads to significant improvements for both FIFO and LIFO models.
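To make the stochastic scheduling model above concrete, the following simulation (an added example, not the authors' framework or code) instantiates it: at each step a new session is opened with probability p, otherwise the next message is delivered to an existing session chosen in FIFO or LIFO order. The number of open sessions is then a one-dimensional walk that reflects at the origin: a "deliver" step with nothing open leaves it at zero. Everything beyond the abstract's description is an assumption of this example: each session is taken to consist of k messages and to close when the last one is delivered, the value of p is a parameter (the abstract leaves it symbolic), and the statistics reported (returns to origin, changes of direction, mean and maximum height, completed sessions) are the example's own bookkeeping, chosen to mirror the random-walk quantities the abstract names.

```python
"""Simulate the FIFO/LIFO session scheduler as a reflecting random walk.

Assumed model (example's own choices): sessions have k messages; a session
closes when its k-th message is delivered; the walk position is the number
of currently open sessions.
"""
from collections import deque
import random


def simulate_schedule(p: float, k: int, steps: int, order: str = "FIFO", seed: int = 0) -> dict:
    """Run `steps` scheduler steps and return random-walk statistics of the open-session count.

    p     : probability that a step opens a new session (otherwise it delivers a message)
    k     : messages per session (assumed)
    order : "FIFO" delivers to the oldest open session, "LIFO" to the newest
    seed  : deterministic RNG seed so runs are reproducible
    """
    if order not in ("FIFO", "LIFO"):
        raise ValueError("order must be FIFO or LIFO")
    rng = random.Random(seed)
    open_sessions = deque()  # each entry: messages still to deliver for that session
    height = 0               # walk position = number of open sessions
    total_height = 0
    last_move = 0            # sign of the last non-zero step, for direction changes
    stats = {"returns_to_origin": 0, "direction_changes": 0, "max_open": 0, "completed": 0}

    for _ in range(steps):
        move = 0
        if rng.random() < p:
            open_sessions.append(k)          # open a new session: walk moves up
            move = 1
        elif open_sessions:
            idx = 0 if order == "FIFO" else -1
            open_sessions[idx] -= 1          # deliver one message to the chosen session
            if open_sessions[idx] == 0:      # session finished: walk moves down
                open_sessions.popleft() if order == "FIFO" else open_sessions.pop()
                stats["completed"] += 1
                move = -1
        # else: "deliver" with nothing open, the walk reflects (stays) at the origin

        height += move
        total_height += height
        stats["max_open"] = max(stats["max_open"], height)
        if move == -1 and height == 0:
            stats["returns_to_origin"] += 1
        if move != 0:
            if last_move != 0 and move != last_move:
                stats["direction_changes"] += 1
            last_move = move

    stats["mean_open"] = total_height / steps if steps else 0.0
    return stats


def compare_orders(p: float, k: int, steps: int, seed: int = 0) -> tuple[dict, dict]:
    """Same coin flips, both service orders: shows how FIFO and LIFO shape the walk."""
    return (simulate_schedule(p, k, steps, "FIFO", seed),
            simulate_schedule(p, k, steps, "LIFO", seed))


if __name__ == "__main__":
    for order_stats, name in zip(compare_orders(p=0.4, k=3, steps=10_000, seed=7), ("FIFO", "LIFO")):
        print(name, order_stats)
```

With k = 1 the two orders produce identical walks, since every delivery closes a session; the orders only diverge when sessions are multi-message and a newly opened session can interrupt (LIFO) or queue behind (FIFO) partially served ones. Sweeping p and k and reading off returns_to_origin and direction_changes is the experiment this model lets one run before attempting the kind of provable bound the abstract describes.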
Constant-Round Concurrent Zero-knowledge from Indistinguishability Obfuscation
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for P/poly (with slightly super-polynomial security).
Concurrent Knowledge-Extraction in the Public-Key Model
Knowledge extraction is a fundamental notion, modelling machine possession of
values (witnesses) in a computational complexity sense. The notion provides an
essential tool for cryptographic protocol design and analysis, enabling one to
argue about the internal state of protocol players without ever looking at this
supposedly secret state. However, when transactions are concurrent (e.g., over
the Internet) with players possessing public-keys (as is common in
cryptography), assuring that entities ``know'' what they claim to know, where
adversaries may be well coordinated across different transactions, turns out to
be much more subtle and in need of re-examination. Here, we investigate how to
formally treat knowledge possession by parties (with registered public-keys)
interacting over the Internet. Stated more technically, we look into the
relative power of the notion of ``concurrent knowledge-extraction'' (CKE) in
the concurrent zero-knowledge (CZK) bare public-key (BPK) model.
Comment: 38 pages, 4 figures
Precise Bounded-Concurrent Zero-Knowledge in Almost Constant Rounds
Precise concurrent zero-knowledge is a new notion introduced by Pandey et al. in Eurocrypt '08 (which generalizes the work on precise zero-knowledge by Micali and Pass in STOC '06). This notion captures the idea that the view of any verifier in a concurrent interaction can be reconstructed in almost the same time. Pandey et al. constructed some (private-coin) concurrent zero-knowledge argument systems for NP which achieve precision at different levels, and all these protocols use at least rounds. In this paper we investigate the feasibility of reducing the round complexity while still keeping precision. Our result is that we construct a public-coin precise bounded-concurrent zero-knowledge argument system for NP using only almost constant rounds, i.e., rounds. Bounded concurrency means that an a-priori bound on the (polynomial) number of concurrent sessions is specified before the protocol is constructed. Our result does not need any setup assumption. We stress that this result cannot be obtained from Pandey et al. even in the bounded-concurrent setting.
Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP
As recent studies show, the notions of *program obfuscation* and *zero knowledge* are intimately connected. In this work, we explore this connection further, and prove the following general result. If there exists *differing input obfuscation* (diO) for the class of all polynomial time Turing machines, then there exists a *four message, fully concurrent zero-knowledge* proof system for all languages in NP with negligible soundness error. This result is constructive: given diO, our reduction yields an explicit protocol along with an *explicit* simulator that is "straight line" and runs in strict polynomial time.
Our reduction relies on a new non-black-box simulation technique which does not use the PCP theorem. In addition to assuming diO, our reduction also assumes (standard and polynomial time) cryptographic assumptions such as collision-resistant hash functions.
The round complexity of our protocol also sheds new light on the *exact* round complexity of concurrent zero-knowledge. It shows, for the first time, that in the realm of non-black-box simulation, concurrent zero-knowledge may not necessarily require more rounds than *stand alone* zero-knowledge.
Non-Uniformly Sound Certificates with Applications to Concurrent Zero-Knowledge
We introduce the notion of non-uniformly sound certificates: succinct single-message (unidirectional) argument systems that satisfy a "best-possible security" against non-uniform polynomial-time attackers. In particular, no polynomial-time attacker with s bits of non-uniform advice can find significantly more than s accepting proofs for false statements. Our first result is a construction of non-uniformly sound certificates for all NP in the random oracle model, where the attacker's advice can depend arbitrarily on the random oracle.
We next show that the existence of non-uniformly sound certificates for P (and collision resistant hash functions) yields a public-coin constant-round fully concurrent zero-knowledge argument for NP.