## Simulatable Commitments and Efficient Concurrent Zero-Knowledge (2003)

### Cached

### Download Links

- [www.iacr.org]
- [www.iacr.org]
- [www.cs.ucsd.edu]
- [www-cse.ucsd.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | In EUROCRYPT’03, volume 2656 of LNCS |

Citations: | 9 - 1 self |

### BibTeX

@INPROCEEDINGS{Micciancio03simulatablecommitments,

author = {Daniele Micciancio and Erez Petrank},

title = {Simulatable Commitments and Efficient Concurrent Zero-Knowledge},

booktitle = {In EUROCRYPT’03, volume 2656 of LNCS},

year = {2003},

pages = {140--159},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We define and construct simulatable commitments. These are commitment schemes such that there is an efficient interactive proof system to show that a given string c is a legitimate commitment on a given value v, and furthermore, this proof is efficiently simulatable given any proper pair (c, v). Our construction is provably secure based on the Decisional Diffie-Hellman (DDH) assumption. Using simulatable commitments, we show how to efficiently transform any public coin honest verifier zero knowledge proof system into a proof system that is concurrent zero-knowledge with respect to any (possibly cheating) verifier via black box simulation. By efficient we mean that our transformation incurs only an additive overhead (both in terms of the number of rounds and the computational and communication complexity of each round), and the additive term is close to optimal (for black box simulation): only ω(log n) additional rounds, and ω(log n) additional public key operations for each round of the original protocol, where n is a security parameter, and ω(log n) can be any superlogarithmic function of n independent of the complexity of the original protocol. The transformation preserves (up to negligible additive terms) the soundness and completeness error probabilities, and the new proof system is proved secure based on the DDH assumption, in the standard model of computation, i.e., no random oracles, shared random strings, or public key infrastructure is assumed. 1

### Citations

1066 | The knowledge complexity of interactive proof systems
- GOLDWASSER, MICALI, et al.
- 1989
(Show Context)
Citation Context ...e Commitments and Efficient Concurrent Zero-Knowledge 141 really following the protocol instructions, without revealing any extra information. The original formulation of the notion of zero knowledge =-=[22]-=- considers a single prover and a single verifier working in isolation. This formulation is inadequate for real applications where zero knowledge proofs are used as part of complex protocols. In order ... |

383 | Proofs that yield nothing but their validity or All Languages in NP Have Zero-Knowledge Proof Systems
- Goldreich, Micali, et al.
- 1991
(Show Context)
Citation Context ...on which satisfies some special properties. Note that our transformation works for many interesting protocols. In fact, many of the known zero-knowledge proof systems are public-coin (see for example =-=[22, 20]-=-). Note also that parallel repetition may be used with these protocols to reduce error since we only require honest verifier zero knowledge. A weaker result that follows from our technique is a transf... |

310 |
Minimum disclosure proofs of knowledge
- Brassard, Chaum, et al.
- 1988
(Show Context)
Citation Context ... and secrecy for the receiver), the assumed power of the two parties etc. Two-round commitment schemes with perfect secrecy can be constructed from any claw-free collection (see [18]). It is shown in =-=[3]-=- how to commit to bits with statistical security, based on the intractability of certain number-theoretic problems. D˚amgard, Pedersen and Pfitzmann [10] give a protocol for efficiently committing to ... |

277 |
Foundations of Cryptography: Basic Tools
- Goldreich
- 2000
(Show Context)
Citation Context ...ng verifier, and denote it by V ∗ . All these terms have the same meaning. Commitment schemes. We include a short and informal presentation of commitment schemes. For more details and motivation, see =-=[18]-=-. A commitment scheme involves two parties: The sender and the receiver. These two parties are involved in a protocol which contains two phases. In the first phase the sender commits to a bit (or, mor... |

223 | How to go beyond the black-box simulation barrier
- Barak
- 2001
(Show Context)
Citation Context ... many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge, first discussed in [15, 13], has been the subject of many recent investigations =-=[14, 27, 13, 12, 9, 4, 32, 26, 5, 7, 1]-=-. For example, in [9, 4], it is shown that if a public key infrastructure (PKI) is in place, then all languages in NP have an efficient (constant round) concurrent zero knowledge proof system. Unfortu... |

174 |
Multiple noninteractive zero knowledge proofs under general assumptions
- Feige, Lapidot, et al.
- 1999
(Show Context)
Citation Context ...e the commitment message c to the verifier, who checks that c is indeed equal to commitr(v). 3 The Richardson-Kilian protocol Richardson and Kilian [31], following ideas of Feige, Lapidot, and Shamir =-=[16]-=-, have proposed a concurrent zero-knowledge proof system, for any language in NP, with a polynomial number of rounds. Kilian and Petrank [26] have drastically improved the analysis of the protocol by ... |

165 | Concurrent zero-knowledge
- Dwork, Naor, et al.
- 1998
(Show Context)
Citation Context ... knowledge not only when executed in isolation, but also when many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge, first discussed in =-=[15, 13]-=-, has been the subject of many recent investigations [14, 27, 13, 12, 9, 4, 32, 26, 5, 7, 1]. For example, in [9, 4], it is shown that if a public key infrastructure (PKI) is in place, then all langua... |

160 | How To Construct Constant-Round Zero-Knowledge Proof Systems for NP
- Goldreich, Kahan
- 1996
(Show Context)
Citation Context ... let the verifier commit to its random queries at the beginning of the protocol, and then, in place of sending a random queries, open the initial commitments. This transformation (used for example in =-=[19]-=- to preserve zero-knowledge under parallel composition, following a suggestion from [20]) does not by itself enforce honest verifier behavior. Consider for example a honest-verifier proof system where... |

108 | E±cient Concurrent Zero-Knowledge in the Auxiliary String Model. Eurocrypt 00
- Damgard
- 2000
(Show Context)
Citation Context ... many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge, first discussed in [15, 13], has been the subject of many recent investigations =-=[14, 27, 13, 12, 9, 4, 32, 26, 5, 7, 1]-=-. For example, in [9, 4], it is shown that if a public key infrastructure (PKI) is in place, then all languages in NP have an efficient (constant round) concurrent zero knowledge proof system. Unfortu... |

106 |
A.: Zero Knowledge Proofs of Knowledge in Two Rounds
- Feige, Shamir
- 1989
(Show Context)
Citation Context ... cheat. Moreover, Pedersen’s commitment does not have the simulatability property required by our application. Another commitment scheme based on discrete exponentiation is the trapdoor commitment of =-=[17]-=-. As Pedersen’s, this commitment scheme is only computationally binding. Moreover, the scheme only allows to commit to single bit messages. On the other hand, like our scheme, the trapdoor commitment ... |

90 | Black-box concurrent zeroknowledge requires Ω (logn) rounds
- Canetti, Kilian, et al.
- 2001
(Show Context)
Citation Context ... many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge, first discussed in [15, 13], has been the subject of many recent investigations =-=[14, 27, 13, 12, 9, 4, 32, 26, 5, 7, 1]-=-. For example, in [9, 4], it is shown that if a public key infrastructure (PKI) is in place, then all languages in NP have an efficient (constant round) concurrent zero knowledge proof system. Unfortu... |

71 | On the existence of statistically hiding bit commitment schemes and fail-stop signatures
- Damg̊ard, Pedersen, et al.
- 1997
(Show Context)
Citation Context ...claw-free collection (see [18]). It is shown in [3] how to commit to bits with statistical security, based on the intractability of certain number-theoretic problems. D˚amgard, Pedersen and Pfitzmann =-=[10]-=- give a protocol for efficiently committing to and revealing strings of bits with statistical security, relying only on the existence of collisionintractable hash functions. Commitment schemes with pe... |

52 | Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
- Dwork, Sahai
- 1998
(Show Context)
Citation Context |

41 | On Monotone Formula Closure of SZK
- Santis, Crescenzo, et al.
- 1994
(Show Context)
Citation Context ...c coin protocol, the transformed protocol is also efficient enough to be run in practice. 3 Such use of simulators within cryptographic protocols is not new, and it has occurred before for example in =-=[8, 11]-=-.sSimulatable Commitments and Efficient Concurrent Zero-Knowledge 149 4 Simulatable Commitments We start by defining and constructing simulatable commitment schemes that satisfy some special propertie... |

41 |
Direct Minimum-Knowledge Computations
- Impagliazzo, Yung
- 1988
(Show Context)
Citation Context ...that are good also for non honest verifiers (in the non-concurrent setting). Such a transformation trivially follows from the fact that everything provable is provable in computational zero-knowledge =-=[20, 23, 2]-=-: one can simply disregard the given public-coins honest-verifier zero-knowledge proof system, and construct a new computational (general) zero-knowledge proof system for the same language from scratc... |

38 |
Alternative Models for Zero-Knowledge Interactive Proofs
- Feige
- 1990
(Show Context)
Citation Context ... knowledge not only when executed in isolation, but also when many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge, first discussed in =-=[15, 13]-=-, has been the subject of many recent investigations [14, 27, 13, 12, 9, 4, 32, 26, 5, 7, 1]. For example, in [9, 4], it is shown that if a public key infrastructure (PKI) is in place, then all langua... |

37 |
Everything Provable is Provable in Zero-Knowledge
- Ben-Or, Goldreich, et al.
- 1990
(Show Context)
Citation Context ...that are good also for non honest verifiers (in the non-concurrent setting). Such a transformation trivially follows from the fact that everything provable is provable in computational zero-knowledge =-=[20, 23, 2]-=-: one can simply disregard the given public-coins honest-verifier zero-knowledge proof system, and construct a new computational (general) zero-knowledge proof system for the same language from scratc... |

36 | On Concurrent Zero-Knowledge with Pre-Processing
- Crescenzo, Ostrovsky
- 1999
(Show Context)
Citation Context |

8 | Responsive round complexity and concurrent zero-knowledge
- Cohen, Kilian, et al.
- 2001
(Show Context)
Citation Context |

6 |
de Graaf, Multiparty Computations Ensuring Secrecy of each
- Chaum, Damgard, et al.
- 1987
(Show Context)
Citation Context ...ing the efficiency of the transformation to remove the honest-verifier restriction for computational zero-knowledge protocols have been investigated in [24] and can be obtained from the techniques in =-=[6]-=-, but none of these results makes a practical protocol with a widely acceptable security assumption. Our techniques allow such a transformation for public coin zero-knowledge proofs with low overhead ... |

4 |
Honest-veri statistical zero-knowledge equals general statistical zeroknowledge
- Goldreich, Sahai, et al.
- 1998
(Show Context)
Citation Context ...cisional Diffie Hellman assumption. Note that a similar transformation from honest verifier to cheating verifier for statistical zero knowledge does not follow from general completeness results, yet, =-=[21]-=- shows that such transformation is possible in principle. Our transformation is much more efficient than the one in [21], but it does not preserve statistical zero knowledge, i.e., even if applied to ... |

4 |
Achieving zero-knowledge robustly
- Kilian
- 1990
(Show Context)
Citation Context ...uction to a complete problem. Methods for improving the efficiency of the transformation to remove the honest-verifier restriction for computational zero-knowledge protocols have been investigated in =-=[24]-=- and can be obtained from the techniques in [6], but none of these results makes a practical protocol with a widely acceptable security assumption. Our techniques allow such a transformation for publi... |

1 |
Resettable zero-knowledge. Report TR99-042 (Revision 1
- Canetti, Goldreich, et al.
(Show Context)
Citation Context |

1 |
On monotone function closure of statistical zeroknowledge
- Damg˚ard, Cramer
- 1996
(Show Context)
Citation Context ...c coin protocol, the transformed protocol is also efficient enough to be run in practice. 3 Such use of simulators within cryptographic protocols is not new, and it has occurred before for example in =-=[8, 11]-=-.sSimulatable Commitments and Efficient Concurrent Zero-Knowledge 149 4 Simulatable Commitments We start by defining and constructing simulatable commitment schemes that satisfy some special propertie... |