Constant-Round Concurrent Zero-Knowledge in Super-Polynomial Simulation Security (original) (raw)

Efficient Concurrent Oblivious Transfer in Super-Polynomial-Simulation Security

Lecture Notes in Computer Science, 2012

In this paper, we show a concurrent oblivious transfer protocol in super-polynomial-simulation (SPS) security. Our protocol does not require any setup and does not assume any independence among the inputs. In addition, our protocol is efficient since it does not use any inefficient primitives such as general zero-knowledge proofs for all NP statements. This is the first concurrent oblivious transfer protocol that achieves both of these properties simultaneously. The security of our protocol is based on the decisional Diffie-Hellman (DDH) assumption. c ≈ Y denote that X and Y are computationally indistinguishable. That is, we have X c ≈ Y if and only if for any probabilistic polynomial-time distinguisher D we have |Pr [D(X λ) = 1] − Pr [D(Y λ) = 1]| < (λ) for a sufficiently large λ.

Precise Concurrent Zero Knowledge

Lecture Notes in Computer Science, 2008

Precise zero knowledge introduced by Micali and Pass (STOC'06) guarantees that the view of any verifier V can be simulated in time closely related to the actual (as opposed to worst-case) time spent by V in the generated view. We provide the first constructions of precise concurrent zero-knowledge protocols. Our constructions have essentially optimal precision; consequently this improves also upon the previously tightest non-precise concurrent zero-knowledge protocols by Kilian and Petrank (STOC'01) and Prabhakaran, Rosen and Sahai (FOCS'02) whose simulators have a quadratic worst-case overhead. Additionally, we achieve a statistically-precise concurrent zero-knowledge property-which requires simulation of unbounded verifiers participating in an unbounded number of concurrent executions; as such we obtain the first (even non-precise) concurrent zero-knowledge protocols which handle verifiers participating in a super-polynomial number of concurrent executions.

Concurrent Non-Malleable Zero Knowledge

2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06), 2006

We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model without allowing a common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol Π such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of Π, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier. Our security model is the traditional model for concurrent zero knowledge, where the statements to be proven by the honest provers are fixed in advance and do not depend on the previous history (but can be correlated with each other); corrupted provers, of course, can chose the statements adaptively. We also prove that there exists some functionality F (a combination of zero knowledge and oblivious transfer) such that it is impossible to obtain a concurrent non-malleable protocol for F in this model. Previous impossibility results for composable protocols ruled out existence of protocols for a wider class of functionalities (including zero knowledge!) but only if these protocols were required to remain secure when executed concurrently with arbitrarily chosen different protocols (Lindell, FOCS 2003) or if these protocols were required to remain secure when the honest parties' inputs in each execution are chosen adaptively based on the results of previous executions (Lindell, TCC 2004). We obtain anÕ(n)-round protocol under the assumption that one-to-one one-way functions exist. This can be improved toÕ(k log n) rounds under the assumption that there exist k-round statistically hiding commitment schemes. Our protocol is a black-box zero knowledge protocol.

On Concurrent Zero-Knowledge with Pre-Processing (Extended abstract)

1999

Concurrent Zero-Knowledge protocols remain zero-knowledge even when many sessions of them are executed together. These protocols have applications in a distributed setting, where many executions of the same protocol must take place at the same time by many parties, such as the Internet. In this paper, we are concerned with the numberof rounds of interaction needed for such protocols and their e ciency. Here, we show an e cient constant-round concurrent zero-knowledge protocol with preprocessing for all languages in NP, where both the preprocessing phase and the proof phase each require 3 rounds of interaction. We make no timing assumptions or assumptions on the knowledge of the number of parties in the system. Moreover, we allow arbitrary interleavings in both the preprocessing and in the proof phase. Our techniques apply to both zero-knowledge proof systems and zero-knowledge arguments and we show how to extend our technique so that polynomial number of zero-knowledge proofs arguments can be executed after the preprocessing phase is done.

On Constant-Round Concurrent Zero-Knowledge from a Knowledge Assumption

Lecture Notes in Computer Science, 2014

In this work, we consider the long-standing open question of constructing constant-round concurrent zero-knowledge protocols in the plain model. Resolving this question is known to require non-black-box techniques. We consider non-black-box techniques for zero-knowledge based on knowledge assumptions, a line of thinking initiated by the work of Hada and Tanaka (CRYPTO 1998). Prior to our work, it was not known whether knowledge assumptions could be used for achieving security in the concurrent setting, due to a number of significant limitations that we discuss here. Nevertheless, we obtain the following results: 1. We obtain the first constant round concurrent zero-knowledge argument for NP in the plain model based on a new variant of knowledge of exponent assumption. Furthermore, our construction avoids the inefficiency inherent in previous non-black-box techniques such that those of Barak (FOCS 2001); we obtain our result through an efficient protocol compiler. 2. Unlike Hada and Tanaka, we do not require a knowledge assumption to argue the soundness of our protocol. Instead, we use a discrete log like assumption, which we call Diffie-Hellman Logarithm Assumption, to prove the soundness of our protocol. 3. We give evidence that our new variant of knowledge of exponent assumption is in fact plausible. In particular, we show that our assumption holds in the generic group model. 4. Knowledge assumptions are especially delicate assumptions whose plausibility may be hard to gauge. We give a novel framework to express knowledge assumptions in a more flexible way, which may allow for formulation of plausible assumptions and exploration of their impact and application in cryptography.

Concurrent zero-knowledge: Reducing the need for timing constraints

Lecture Notes in Computer Science, 1998

An interactive proof system (or argument) (i v, V) is concur. rent zero.knowledgeif whenever the prover engages in polynomially many concurrent executions of (P, V), with (possibly distinct) colluding polynomial time bounded verifiers ~,..., ~v(,0, the entire undertaking is zero-knowledge. Dwork, Naor, and S~,ai recently showed the existence of a large class of concurrent zero-knowledge arguments, including arguments for all of NP, under a reasonable assumption on the behavior of clocks of nor.faulty processors. In this paper, we continue the study of concurrent zero-knowledge arguments. After observing that, without recourse to timing, the existence of a trusted center considerably simplifies the design and proof of many concurrent zero-knowledge arguments (again including arguments for all of NP), we design a preprocessing protocol, making use of timing, to simulate the trusted center for the purposes of achieving concurrent zero-knowledge. Once a particular prover and verifier have executed the preprocessing protocol, any polynomial number of subsequent executions of a rich class of protocols will be concurrent zero-knowledge.

Concurrently Secure Computation in Constant Rounds

2011

We study the problem of constructing concurrently secure computation protocols in the plain model, where no trust is required in any party or setup. While the well established UC framework for concurrent security is impossible to achieve in this setting, a meaningful notion of concurrent security based on super-polynomial simulation (SPS) is achievable and has been extensively studied [Pas03, PS04, BS05, LPV09, CLP10]. The recent work of [CLP10] obtains a concurrently secure computation protocol in the plain model with SPS security under standard assumptions, but requires a number of rounds of interaction that is polynomial in the security parameter.

Concurrent Secure Computation via Non-Black Box Simulation

Lecture Notes in Computer Science, 2015

Recently, Goyal (STOC'13) proposed a new non-black-box simulation techniques for fully concurrent zero knowledge with straight-line simulation. Unfortunately, so far this technique is limited to the setting of concurrent zero knowledge. The goal of this paper is to study what can be achieved in the setting of concurrent secure computation using non-black-box simulation techniques, building upon the work of Goyal. The main contribution of our work is a secure computation protocol in the fully concurrent setting with a straight-line simulator, that allows us to achieve several new results: • We give first positive results for concurrent blind signatures and verifiable random functions in the plain model as per the ideal/real world security definition. Our positive result is somewhat surprising in light of the impossibility result of Lindell (STOC'03) for black-box simulation. We circumvent this impossibility using non-black-box simulation. This gives us a quite natural example of a functionality in concurrent setting which is impossible to realize using black-box simulation but can be securely realized using non-black-box simulation. • Moreover, we expand the class of realizable functionalities in the concurrent setting. Our main theorem is a positive result for concurrent secure computation as long as the ideal world satisfies the bounded pseudo-entropy condition (BPC) of Goyal (FOCS'12). The BPC requires that in the ideal world experiment, the total amount of information learnt by the adversary (via calls to the ideal functionality) should have "bounded pseudoentropy". • We also improve the round complexity of protocols in the single-input setting of Goyal (FOCS'12) both qualitatively and quantitatively. In Goyal's work, the number of rounds depended on the length of honest party inputs. In our protocol, the round complexity depends only on the security parameter, and is completely independent of the length of the honest party inputs. Our results are based on a non-black-box simulation technique using a new language (which allows the simulator to commit to an Oracle program that can access information with bounded pseudoentropy), and a simulation-sound version of the concurrent zero-knowledge protocol of Goyal (STOC'13). We assume the existence of collision resistant hash functions and constant round semi-honest oblivious transfer.

On Concurrent Zero-Knowledge with Pre-processing

Lecture Notes in Computer Science, 1999

Hybrid commitments and their applications to zero-knowledge proof systems

Theoretical Computer Science, 2007

We introduce the notion of hybrid trapdoor commitment schemes. Intuitively a hybrid trapdoor commitment scheme is a primitive which can be either an unconditionally binding commitment scheme or a trapdoor commitment scheme depending on the distribution of commitment parameters. Moreover, such two possible distributions are computationally indistinguishable. Hybrid trapdoor commitments are related but different with respect to mixed commitments (introduced by Damgård and Nielsen at Crypto 2002). In particular hybrid trapdoor commitments can either be polynomially trapdoor commitments or unconditionally binding commitments, while mixed commitment can be either trapdoor commitments or extractable commitments. In this paper we show that strong notions (e.g., simulation sound, multi trapdoor) of hybrid trapdoor commitments admit constructions based on the sole assumption that one-way functions exist as well as efficient constructions based on standard number-theoretic assumptions. To further stress the difference between hybrid and mixed commitments, we remark here that mixed commitments seem to require stronger theoretical assumptions (and the known number-theoretic constructions are less efficient). Our main result, is to show how to construct concurrent and simulation-sound zero-knowledge proof systems (in contrast to the arguments recently presented in [Damgård, Eurocrypt 2000], [MacKenzie and Yang, Eurocrypt 2004], [Gennaro, Crypto 2004]) in the common reference string model. We crucially use hybrid trapdoor commitments since we present general constructions based on the sole assumption that one-way functions exists and very efficient constructions based on number-theoretic assumptions.

Constant-Round Concurrent Zero-Knowledge in Super-Polynomial Simulation Security (original) (raw)

Related papers