## Appeared in TCC-2010. Efficiency Preserving Transformations for Concurrent Non-Malleable Zero Knowledge

### BibTeX

@MISC{Ostrovsky_appearedin,
    author = {Rafail Ostrovsky and Omkant P and Ivan Visconti},
    title = {Appeared in TCC-2010. Efficiency Preserving Transformations for Concurrent Non-Malleable Zero Knowledge},
    year = {}
}

### Abstract

Ever since the invention of Zero-Knowledge by Goldwasser, Micali, and Rackoff [1], Zero-Knowledge has become a central building block in cryptography, with numerous applications, ranging from electronic cash to digital signatures. The properties of Zero-Knowledge range from the most simple (and not particularly useful in practice) requirements, such as honest-verifier zero-knowledge, to the most demanding (and most useful in applications), such as non-malleable and concurrent zero-knowledge. In this paper, we study the complexity of efficient zero-knowledge reductions, from the first type to the second type. More precisely, under a standard complexity assumption (ddh), on input a public-coin honest-verifier statistical zero knowledge argument of knowledge π′ for a language L we show a compiler that produces an argument system π for L that is concurrent non-malleable zero-knowledge (under non-adaptive inputs – which is the best one can hope to achieve [2, 3]). If κ is the security parameter, the overhead of our compiler is as follows:

### Citations

1086 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1985
Citation Context ...California, Los Angeles, USA, {rafail,omkant}@cs.ucla.edu 2 University of Salerno, ITALY, visconti@dia.unisa.it Abstract. Ever since the invention of Zero-Knowledge by Goldwasser, Micali, and Rackoff [1], Zero-Knowledge has become a central building block in cryptography - with numerous applications, ranging from electronic cash to digital signatures. The properties of Zero-Knowledge range from the m...

473 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 1991
Citation Context ...mportance of these proof systems, no efficient and secure (plain model) protocol for such settings is known until today. Feasibility results have been given originally by Dolev, Dwork, and Naor (ddn) [5], restricting the adversary to two simultaneous proofs. In recent work, Barak, Prabhakaran and Sahai [4] have obtained concurrent and non-malleable zero-knowledge without restricting the adversary to ...

409 | Non-Interactive and Information-Theoretical Secure Verifiable Secret Sharing
- Pedersen
- 1991
Citation Context ...l simulation requirement for the given hvzk argument, is easy to achieve as most hvzk protocols that we know of already admit statistical simulation (by using statistically hiding commitments such as [10] – which exist under the ddh assumption). Theorem 1 (Main Result). Let π′ : ⟨P′, V′⟩ be a public coin honest verifier statistical zero-knowledge argument of knowledge, for some language L ∈ NP. ...

324 | Efficient Identification and Signatures for Smart Cards
- Schnorr
- 1990
Citation Context ...4].) An efficient instantiation appears in Fig. 1. In step 2, we mention the use of an efficient szkaok. An appropriate szkaok would be the one obtained by sequentially repeating the Schnorr protocol [23] ω(1) times. The size of verifier’s challenge in each execution of Schnorr protocol, however, would only be log κ. In step 3 of the bck protocol, we need an efficient proof system for statements of ty...

279 | Foundations of Cryptography: Basic Tools
- Goldreich
- 2001
Citation Context ...amiliarity with (standard) cryptographic concepts such as computational and statistical indistinguishability, NP-relations, interactive proof and argument systems, simulation paradigm, etcetera (see [22]). In the following, L is an NP-language with witness relation R_L. That is, a statement x ∈ L iff there exists a y of length poly(|x|) such that R_L(x, y) = 1. Concurrent Man-in-the-Middle Attack. The...

199 | Non-Interactive Zero-Knowledge
- Blum, Santis, et al.
- 1991
Citation Context ...k that most of these research works also aim at avoiding. Among these, the most relevant works are those of Garay, MacKenzie, and Yang [6], and De Santis, Di Crescenzo, Ostrovsky, Persiano, and Sahai [15] (CRS model), and Micciancio and Petrank [12] (plain model). In the area of secure two-party computation, see the works of Mohassel and Franklin [16], Woodruff [17], Lindell and Pinkas [18], and Goyal...

117 | On the Concurrent Composition of Zero-Knowledge Proofs
- Richardson, Kilian
- 1999
Citation Context ...perfectly hiding commitment scheme (such as [10]) may be used as well. Also, for simplicity, we have chosen to use the extraction preamble in the prs-style, but the original style of Richardson-Kilian [24] will be more efficient. scheme. Note that the first message of this ddn-commitment phase includes a perfectly binding commitment to 0^κ us...

80 | An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries
- Lindell, Pinkas
- 2006
Citation Context ... and Sahai [15] (CRS model), and Micciancio and Petrank [12] (plain model). In the area of secure two-party computation, see the works of Mohassel and Franklin [16], Woodruff [17], Lindell and Pinkas [18], and Goyal, Mohassel, and Smith [19]. For non-interactive zero-knowledge see Chase and Lysyanskaya [20], and Groth, Ostrovsky, and Sahai [21]. 2 Definitions In this section we present relevant defini...

77 | Resettable zero-knowledge
- Canetti, Goldreich, et al.
- 2000
Citation Context ... Zq, assuming tags of length Õ(log κ). Although our main focus is the plain model, our results about tag-based non-malleability, lead to more efficient constructions in the Bare-Public-Key (BPK) model [11]. The BPK model, assumes an untrusted setup which brings it very close to the plain model. Like the plain model, our results in the BPK model are the first efficient transformations (see section 5 for...

48 | Concurrent Zero-Knowledge with Logarithmic Round Complexity
- Prabhakaran, Rosen, et al.
Citation Context ...preamble and the verifier opening the commitments. It is easy to see that if com is a commitment scheme, the extraction-preamble is an interactive commitment scheme. We now state a result from prs [25]. Lemma 1. (Adapted from [25]) Consider provers P1, . . . , Pm and an adversarial verifier APRS running m sessions of a protocol with the extraction-preamble as described above, where m is polynomial ...

45 | General composition and universal composability in secure multi-party computation
- Lindell
- 2003
Citation Context ...π′ for a language L we show a compiler that produces an argument system π for L that is concurrent non-malleable zero-knowledge (under non-adaptive inputs – which is the best one can hope to achieve [2, 3]). If κ is the security parameter, the overhead of our compiler is as follows: – The round complexity of π is r + Õ(log κ) rounds, where r is the round complexity of π′. – The new prover P (resp., t...

42 | New and improved constructions of non-malleable cryptographic protocols
- Pass, Rosen
- 2005
Citation Context ...tiation of ddn-commitments (see section 3.2). 6 This is a somewhat common issue in non-malleability proofs when going from one hybrid to another (e.g., the non-malleable commitments of Pass and Rosen [14]). tleneck that most of these research works also aim at avoiding. Among these, the most relevant works are those of Garay, MacKenzie, and Y...

41 | Perfect Non-interactive Zero Knowledge for NP
- Groth, Ostrovsky, et al.
Citation Context ...ssel and Franklin [16], Woodruff [17], Lindell and Pinkas [18], and Goyal, Mohassel, and Smith [19]. For non-interactive zero-knowledge see Chase and Lysyanskaya [20], and Groth, Ostrovsky, and Sahai [21]. 2 Definitions In this section we present relevant definitions. We assume familiarity with (standard) cryptographic concepts such as computational and statistical indistinguishability, NP-relations,...

39 | Lower bounds for concurrent self composition
- Lindell
- 2004
Citation Context ...π′ for a language L we show a compiler that produces an argument system π for L that is concurrent non-malleable zero-knowledge (under non-adaptive inputs – which is the best one can hope to achieve [2, 3]). If κ is the security parameter, the overhead of our compiler is as follows: – The round complexity of π is r + Õ(log κ) rounds, where r is the round complexity of π′. – The new prover P (resp., t...

36 | On simulation-sound trapdoor commitments - MacKenzie, Yang

30 | Strengthening zero-knowledge protocols using signatures
- Garay, MacKenzie, et al.
- 2003
Citation Context ...tleneck that most of these research works also aim at avoiding. Among these, the most relevant works are those of Garay, MacKenzie, and Yang [6], and De Santis, Di Crescenzo, Ostrovsky, Persiano, and Sahai [15] (CRS model), and Micciancio and Petrank [12] (plain model). In the area of secure two-party computation, see the works of Mohassel an...

24 | Efficient two party and multi party computation against covert adversaries
- Goyal, Mohassel, et al.
- 2008
Citation Context ...iancio and Petrank [12] (plain model). In the area of secure two-party computation, see the works of Mohassel and Franklin [16], Woodruff [17], Lindell and Pinkas [18], and Goyal, Mohassel, and Smith [19]. For non-interactive zero-knowledge see Chase and Lysyanskaya [20], and Groth, Ostrovsky, and Sahai [21]. 2 Definitions In this section we present relevant definitions. We assume familiarity with (st...

23 | Efficiency Tradeoffs for Malicious Two-Party Computation
- Mohassel, Franklin
- 2006
Citation Context ...ntis, Di Crescenzo, Ostrovsky, Persiano, and Sahai [15] (CRS model), and Micciancio and Petrank [12] (plain model). In the area of secure two-party computation, see the works of Mohassel and Franklin [16], Woodruff [17], Lindell and Pinkas [18], and Goyal, Mohassel, and Smith [19]. For non-interactive zero-knowledge see Chase and Lysyanskaya [20], and Groth, Ostrovsky, and Sahai [21]. 2 Definitions In...

23 | Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model - Crescenzo, Persiano, et al. - 2004

18 | Multi-trapdoor Commitments and their Applications to Proofs of Knowledge Secure under Concurrent Man-in-the-Middle Attacks - Gennaro - 2004

16 | Simulatable VRFs with applications to multi-theorem NIZK
- Chase, Lysyanskaya
- 2007
Citation Context ...rty computation, see the works of Mohassel and Franklin [16], Woodruff [17], Lindell and Pinkas [18], and Goyal, Mohassel, and Smith [19]. For non-interactive zero-knowledge see Chase and Lysyanskaya [20], and Groth, Ostrovsky, and Sahai [21]. 2 Definitions In this section we present relevant definitions. We assume familiarity with (standard) cryptographic concepts such as computational and statistica...

12 | Concurrent Non-malleable Commitments from Any One-way Function - Lin, Pass, et al. - 2008

12 | Revisiting the Efficiency of Malicious Two-Party Computation
- Woodruff
- 2007
Citation Context ...nzo, Ostrovsky, Persiano, and Sahai [15] (CRS model), and Micciancio and Petrank [12] (plain model). In the area of secure two-party computation, see the works of Mohassel and Franklin [16], Woodruff [17], Lindell and Pinkas [18], and Goyal, Mohassel, and Smith [19]. For non-interactive zero-knowledge see Chase and Lysyanskaya [20], and Groth, Ostrovsky, and Sahai [21]. 2 Definitions In this section w...

12 | I.: Concurrent zero knowledge in the public-key model - Crescenzo, Visconti - 2005

9 | Simulatable Commitments and Efficient Concurrent Zero-Knowledge
- Micciancio, Petrank
- 2003
Citation Context ...in the BPK model are the first efficient transformations (see section 5 for more details). Our starting point to avoid NP-reductions is “Simulatable Commitments” as defined by Micciancio and Petrank [12] (though our construction and proof requires development of several new techniques and ideas on top of this work). Using simulatable commitments, Micciancio and Petrank demonstrate how to efficiently ...

7 | Efficient zero knowledge on the internet - Visconti

7 | I.: Constant-round concurrent non-malleable zero knowledge in the bare public-key model
- Ostrovsky, Persiano, et al.
- 2008
Citation Context ...s model has been used in sequence of papers [26–28] to initially achieve round and computationally efficient concurrent zero knowledge and later constant-round concurrent non-malleable zero-knowledge [29, 30]. We give an efficiency preserving compiler for obtaining cnmzk arguments from any HVSZK argument π′ in the (true) BPK model. We obtain these results by applying our efficient tag-based constructions...

3 | On the necessary and sufficient assumptions for UC computation
- Damgård, Nielsen, et al.
- 2010
Citation Context ...are fixed in advance (i.e., are not chosen adaptively based on the protocol execution), cnmzk was shown to be achievable by Barak, Prabhakaran, and Sahai (bps). The impossibility results discussed in [2, 3, 9] and the plausibility results of [4] suggest that cnmzk (under the nonadaptive input notion) is the best notion of security for proof systems that one can hope to achieve in the plain model. Our resul...

3 | Constant-Round Concurrent NMWI and Its Relation to NMZK. Revised version of [63], ECCC
- Ostrovsky, Persiano, et al.
- 2007
Citation Context ...s model has been used in sequence of papers [26–28] to initially achieve round and computationally efficient concurrent zero knowledge and later constant-round concurrent non-malleable zero-knowledge [29, 30]. We give an efficiency preserving compiler for obtaining cnmzk arguments from any HVSZK argument π′ in the (true) BPK model. We obtain these results by applying our efficient tag-based constructions...

1 | A.: Concurrent non-malleable zero knowledge. FOCS 2006. Full version on Cryptology ePrint Archive report. (2006) http://eprint.iacr.org
- Barak, Prabhakaran, et al.
Citation Context ...rovided, the overhead is only r + Õ(log² κ) modular exponentiations. The only previous concurrent non-malleable zero-knowledge (under nonadaptive inputs) was achieved by Barak, Prabhakaran and Sahai [4]. Their construction, however, mainly focuses on a feasibility result rather than efficiency, and requires expensive NP-reductions. ⋆ Supported in part by IBM Faculty Award, Xerox Innovation Group Aw...