## On the Concurrent Composition of Zero-Knowledge Proofs (1999)

Venue: In EuroCrypt99, Springer LNCS 1592

Citations: 110 - 3 self

### BibTeX

@INPROCEEDINGS{Richardson99onthe,
  author = {Ransom Richardson and Joe Kilian},
  title = {On the Concurrent Composition of Zero-Knowledge Proofs},
  booktitle = {In EuroCrypt99, Springer LNCS 1592},
  year = {1999},
  pages = {415--431},
  publisher = {Springer-Verlag}
}

### Abstract

We examine the concurrent composition of zero-knowledge proofs. By concurrent composition, we indicate a single prover that is involved in multiple, simultaneous zero-knowledge proofs with one or multiple verifiers. Under this type of composition it is believed that standard zero-knowledge protocols are no longer zero-knowledge. We show that, modulo certain complexity assumptions, any statement in NP has $k^{\epsilon}$-round proofs and arguments in which one can efficiently simulate any $k^{O(1)}$ concurrent executions of the protocol.

### Citations

1035 | The knowledge complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989
Citation Context: ...zero-knowledge to more practical contexts; the notion of zero-knowledge has been refined accordingly. For example, to make zero-knowledge closed under sequential composition, a number of researchers ([18,20,12]) have proposed a modified definition, known as auxiliary zero-knowledge. A still cleaner model, motivated by these issue, is that of black-box simulation zero-knowledge [18]; all of the results we wi...

719 | A pseudorandom generator from any one-way function
- Hastad, Impagliazzo, et al.
- 1999
Citation Context: ...t scheme from the prover to the verifier. We use a computationally binding, unconditionally private bit commitment scheme from the verifier to the prover. The former can be based on one way functions [14,17], and the latter can be based on collision-resistant hash functions [4]. Our main result is a transformation on zero-knowledge protocols for statements in NP. Our transformed protocol for a statement ...

448 | Nonmalleable cryptography
- Dolev, Dwork, et al.
- 2006
Citation Context: ...inues the normal-mode simulation. We show that S can use the information obtained in its look-ahead mode yet still maintain a faithful simulation. We must also take care to avoid malleability attacks [5], where one links a commitment to the value of another parties commitment. For example, the prover might try to commit to the verifier's value, always achieving a match, or the verifier might try to f...

414 | Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems
- Kocher
- 1996
Citation Context: ...tionally indistinguishable from the distribution on V's final state after interacting with P. Note that in our modeling of the adversary, we are considering ordering attacks, but not timing attacks [16] in which one uses the actual response time from the prover to obtain information. There are implementation-specific defenses to such attacks [16]; these methods and concerns are orthogonal to our own...

374 | Proofs that Yield Nothing But Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems
- Goldreich, Micali, et al.
- 1991
Citation Context: ...he revelation of p_i, V would accept that p_i = v_i. Note that P doesn't reveal which witness it knows, just that it knows one or the other. The general protocols of [13] and [1] may be used for this step (conceivably, more efficient protocols may be designed for useful special cases). The details of this interactive proof (argument) are unimportant. There are two way...

300 | Minimum Disclosure Proofs of Knowledge
- Brassard, Chaum, et al.
- 1988
Citation Context: ...n efficiently simulate any $k^{O(1)}$ concurrent executions of the protocol. Key Words: Asynchronous Attacks, Zero Knowledge, Black-box Simulation. 1 Introduction. Zero-knowledge proofs [11] and arguments [1] are interactive protocols between a prover (or arguer), P, and a verifier, V, which informally yield no knowledge except for the validity of the assertion. The original formal definition of zerokno...

229 | Bit commitment using pseudorandomness
- Naor
- 1991
Citation Context: ...t scheme from the prover to the verifier. We use a computationally binding, unconditionally private bit commitment scheme from the verifier to the prover. The former can be based on one way functions [14,17], and the latter can be based on collision-resistant hash functions [4]. Our main result is a transformation on zero-knowledge protocols for statements in NP. Our transformed protocol for a statement ...

190 | On the composition of zero-knowledge proof systems
- Goldreich, Krawczyk
- 1996
Citation Context: ...ty without increasing the round complexity. Unfortunately, it is not clear how to efficiently simulate an arbitrary zero-knowledge proof in parallel in polynomial time. Indeed, Goldreich and Krawczyk [10] have shown that for any language L outside of BPP, there is no 3-message protocol for L whose parallel execution can be simulated in black-box zero-knowledge. In their model, the verifier has oracle ...

165 | Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions
- Feige, Lapidot, et al.
- 1999
Citation Context: ...er the simulation takes. However, the result in [19] uses no additional complexity assumptions, and is thus an incomparable result. 1.4 Techniques Used. We use a technique of Feige, Lapidot and Shamir [8] in order to convert witness indistinguishable protocols into zero-knowledge protocols. Instead of proving Theorem T, the prover proves a technically weaker theorem, T ∨ W, where W is a statement tha...

87 | The knowledge complexity of interactive proofs
- Goldwasser, Micali, et al.
- 1989
Citation Context: ...nts in which one can efficiently simulate any $k^{O(1)}$ concurrent executions of the protocol. Key Words: Asynchronous Attacks, Zero Knowledge, Black-box Simulation. 1 Introduction. Zero-knowledge proofs [11] and arguments [1] are interactive protocols between a prover (or arguer), P, and a verifier, V, which informally yield no knowledge except for the validity of the assertion. The original formal def...

75 | Random self-reducibility and zero knowledge interactive proofs of possession of information
- Tompa, Woll
- 1987
Citation Context: ...zero-knowledge to more practical contexts; the notion of zero-knowledge has been refined accordingly. For example, to make zero-knowledge closed under sequential composition, a number of researchers ([18,20,12]) have proposed a modified definition, known as auxiliary zero-knowledge. A still cleaner model, motivated by these issue, is that of black-box simulation zero-knowledge [18]; all of the results we wi...

68 | On the Existence of Statistically Hiding Bit Commitment Schemes and Fail-Stop Signatures, Crypto '93, LNCS 773
- Damgard, Pedersen, et al.
- 1994
Citation Context: ... unconditionally private bit commitment scheme from the verifier to the prover. The former can be based on one way functions [14,17], and the latter can be based on collision-resistant hash functions [4]. Our main result is a transformation on zero-knowledge protocols for statements in NP. Our transformed protocol for a statement T (or a proof of knowledge) has two parts: an O(m)-message preamble, for so...

52 | Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
- Dwork, Sahai
- 1998
Citation Context: ... pair (α, β), where α ≤ β, such that when a good player has observed the passage of β units of time, then every other good player has observed the passage of at least α units of time. Dwork and Sahai [7] reduce (but do not eliminate) the timing constraints required by their defense. A natural question is defend against arbitrary scheduling without any use of timing. A negative result by Kilian, Petra...

49 | Lower bounds for zero knowledge on the internet
- Kilian, Petrank, et al.
- 1998
Citation Context: ... not eliminate) the timing constraints required by their defense. A natural question is defend against arbitrary scheduling without any use of timing. A negative result by Kilian, Petrank and Rackoff [15] extends the Goldreich-Krawczyk result to concurrent attacks, for essentially the same model. They show that for any 4-message proof system for a language L, if one can black-box simulate polynomially m...

45 | Constant-round perfect zero-knowledge computationally convincing protocols
- Brassard, Crépeau, et al.
- 1991

39 | Concurrent zero-knowledge
- Dwork, Naor, Sahai
Citation Context: ... context of identification protocols, and show how to defend against such attacks if parties have precisely synchronized clocks and the adversary is forced to delay its actions. Dwork, Naor and Sahai [6] consider the role of concurrent attacks on zero-knowledge protocols. They give 4-round zero-knowledge protocols for NP, assuming a weak constraints on the synchrony of weak players: there exist a pair ...

31 | On the Cunning Power of Cheating Verifiers: Some Observations about Zero Knowledge Proofs (Extended Abstract)
- Oren
- 1987
Citation Context: ...zero-knowledge to more practical contexts; the notion of zero-knowledge has been refined accordingly. For example, to make zero-knowledge closed under sequential composition, a number of researchers ([18,20,12]) have proposed a modified definition, known as auxiliary zero-knowledge. A still cleaner model, motivated by these issue, is that of black-box simulation zero-knowledge [18]; all of the results we wi...

12 | Identification tokens - or: Solving the chess grandmaster problem
- Beth, Desmedt
- 1991
Citation Context: ...essages in these protocols. Intuitively, the verifier can run some of the protocols ahead in an attempt to gain information that will enable it to attack some of the other protocols. Beth and Desmedt [3] first discussed such concurrent attacks in the context of identification protocols, and show how to defend against such attacks if parties have precisely synchronized clocks and the adversary is forc...

11 | Zero Knowledge Proofs of Knowledge
- Feige, Shamir
- 1989