## Efficient and Concurrent Zero-Knowledge from any public coin HVZK protocol (2002)

### Cached

### Download Links

- [eprint.iacr.org]
- [www.cs.technion.ac.il]
- [www.cs.technion.ac.il]
- DBLP

### Other Repositories/Bibliography

Citations: | 1 - 0 self |

### BibTeX

@MISC{Micciancio02efficientand,

author = {Daniele Micciancio and Erez Petrank},

title = {Efficient and Concurrent Zero-Knowledge from any public coin HVZK protocol},

year = {2002}

}

### OpenURL

### Abstract

We show how to efficiently transform any public coin honest verifier zero knowledge proof system into a proof system that is concurrent zero-knowledge with respect to any (possibly cheating) verifier via black box simulation. By efficient we mean that our transformation incurs only an additive overhead, both in terms of the number of rounds and the computational and communication complexity of each round, independently of the complexity of the original protocol. Moreover, the transformation preserves (up to negligible additive terms) the soundness and completeness error probabilities. The new proof system is proved secure based on the Decisional Die-Hellman (DDH) assumption, in the standard model of computation, i.e., no random oracles, shared random strings, or public key infrastructure is assumed. In addition to the introduction of a practical protocol, this construction provides yet another example of ideas in plausibility results that turn into ideas in the construction of practical protocols.

### Citations

1049 | The knowledge complexity of interactive proofsystems
- Goldwasser, Micali, et al.
- 1985
(Show Context)
Citation Context ... sure that distrustful parties involved in a protocol are really following the protocol instructions, without revealing any extra information. The original formulation of the notion of zero knowledge =-=[29]-=- considers a single prover and a single verifier working in isolation. This formulation is inadequate for real applications where zero knowledge proofs are used as part of complex protocols. In order ... |

450 | Non-malleable cryptography - Dolev, Dwork, et al. - 2000 |

380 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems
- Goldreich, Micali, et al.
- 1991
(Show Context)
Citation Context ...on which satisfies some special properties. Note that our transformation works for many interesting protocols. In fact, many of the known zero-knowledge proof systems are public-coin (see for example =-=[28, 25]-=-). Note also that parallel repetition may be used with these protocols to reduce error since we only require honest verifier zero knowledge. A weaker result that follows from our technique is a transf... |

377 |
Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1991
(Show Context)
Citation Context ...hat is also reasonably efficient in practice. Our scheme is based on exponentiation in finite groups, but it is quite different from other discrete logarithm based commitment schemes, like Pedersen's =-=[38]-=-. 1 We assume a finite group G of large prime order Q such that the DDH problem in G is hard. We also assume that random elements of G can be efficiently generated, and membership in G can be decided ... |

306 |
Minimum disclosure proofs of knowledge
- Brassard, Chaum, et al.
- 1988
(Show Context)
Citation Context ... and secrecy for the receiver), the assumed power of the two parties etc. Two-round commitment schemes with perfect secrecy can be constructed from any claw-free collection (see [22]). It is shown in =-=[3]-=- how to commit to bits with statistical security, based on the intractability of certain number-theoretic problems. D*amgard, Pedersen and Pfitzmann [13] give a protocol for efficiently committing to ... |

270 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols - Cramer, Damg˚ard, et al. - 1994 |

234 | Bit commitment using pseudorandomness
- Naor
- 1991
(Show Context)
Citation Context ...strings of bits with statistical security, relying only on the existence of collision-intractable hash functions. Commitment schemes with perfect binding can be constructed from any one-way functions =-=[36]-=-. We will employ different commitment schemes for the prover and the verifier. The prover's scheme will be perfectly binding. In particular, in this work we construct commitment schemes that are perfe... |

221 | How to go beyond the black-box simulation barrier
- Barak
- 2001
(Show Context)
Citation Context ...ed in isolation, but also when many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge has been the subject of many recent investigations =-=[17, 35, 16, 10, 11, 5, 41, 34, 6, 8, 1]-=-. For example, in [11, 5], it is shown that if a public key infrastructure (PKI) is in place, then all languages in NP have an efficient (constant round) concurrent zero knowledge proof system. Unfort... |

195 | On the Composition of Zero-Knowledge Proof Systems - Goldreich, Krawczyk - 1990 |

170 | Witness Indistinguishable and Witness Hiding Protocols - Feige, Shamir - 1990 |

170 | Multiple noninteractive zero knowledge proofs under general assumptions - Feige, Lapidot, et al. - 1999 |

161 | Concurrent zero-knowledge - Dwork, Naor, et al. - 1998 |

160 | How to construct constant-round zero-knowledge proof systems for np - Goldreich, Kahan - 1996 |

113 | Definitions and Properties of ZeroKnowledge Proof Systems - Goldreich, Oren - 1994 |

113 | On the concurrent composition of zero-knowledge proofs
- Richardson, Kilian
- 1999
(Show Context)
Citation Context ...s indistinguishable proofs) that the final transcript used by the simulator is indistinguishable from a real conversation. 3.1 How we improve the proof system Our protocol is based on the protocol of =-=[40, 34, 39]-=-. In particular, we use a similar structure of proof system with an important modification. Our proof of correctness relies on the proof in [34] with an additional analysis. In particular, our constru... |

109 | Efficient concurrent zero-knowledge in the auxiliary string model
- Damg˚ard
- 2000
(Show Context)
Citation Context ...ed in isolation, but also when many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge has been the subject of many recent investigations =-=[17, 35, 16, 10, 11, 5, 41, 34, 6, 8, 1]-=-. For example, in [11, 5], it is shown that if a public key infrastructure (PKI) is in place, then all languages in NP have an efficient (constant round) concurrent zero knowledge proof system. Unfort... |

105 | Zero-Knowledge Proofs of Knowledge in Two Rounds - Feige, Shamir - 1989 |

89 | Black-box concurrent zero-knowledge requires omega(log n) rounds
- Canetti, Kilian, et al.
- 2001
(Show Context)
Citation Context ...ed in isolation, but also when many instances of the proof system are executed asynchronously and concurrently. This strong notion of zero knowledge has been the subject of many recent investigations =-=[17, 35, 16, 10, 11, 5, 41, 34, 6, 8, 1]-=-. For example, in [11, 5], it is shown that if a public key infrastructure (PKI) is in place, then all languages in NP have an efficient (constant round) concurrent zero knowledge proof system. Unfort... |

88 |
The Knowledge Complexity of Interactive Proof
- Goldwasser, Micali, et al.
- 1989
(Show Context)
Citation Context ...on which satisfies some special properties. Note that our transformation works for many interesting protocols. In fact, many of the known zero-knowledge proof systems are public-coin (see for example =-=[28, 25]-=-). Note also that parallel repetition may be used with these protocols to reduce error since we only require honest verifier zero knowledge. A weaker result that follows from our technique is a transf... |

69 | On the existence of statistically hiding bit commitment schemes and fail-stop signatures
- Damg˚ard, Pedersen, et al.
- 1997
(Show Context)
Citation Context ...claw-free collection (see [22]). It is shown in [3] how to commit to bits with statistical security, based on the intractability of certain number-theoretic problems. D*amgard, Pedersen and Pfitzmann =-=[13]-=- give a protocol for efficiently committing to and revealing strings of bits with statistical security, relying only on the existence of collision-intractable hash functions. Commitment schemes with p... |

54 | Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
- Dwork, Sahai
- 1998
(Show Context)
Citation Context |

49 | Lower bounds for zero knowledge on the internet - Kilian, Petrank, et al. - 1998 |

46 | Honest-Verifier Statistical Zero-Knowledge Equals General Statistical ZeroKnowledge
- Goldreich, Sahai, et al.
- 1998
(Show Context)
Citation Context ...sional Diffie Hellman assumption. Note that a similar transformation from honest verifier to cheating verifier for statistical zero knowledge 2sdoes not follow from general completeness results, yet, =-=[27]-=- shows that such transformation is possible in principle. Our transformation is much more efficient than the one in [27], but it does not preserve statistical zero knowledge, i.e., even if applied to ... |

45 | Constant–round perfect zero– knowledge computationally convincing protocols - Brassard, Crépeau, et al. - 1991 |

45 | Concurrent zero knowledge with logarithmic round-complexity
- Prabhakaran, Rosen, et al.
- 2002
(Show Context)
Citation Context ...is showing that a polylogarithmic number of rounds is sufficient to achieve concurrent zero knowledge. Recently, the analysis of the simulator of [34] has been improved by Prabhakaran, Sahai and Rosen=-=[39]-=- showing that !(log k) many rounds are enough. Although less efficient than solutions in the PKI model, the solution of [40, 34, 39] is interesting because it may be used where a PKI is not possible, ... |

42 | A Note on the Round-Complexity of Concurrent Zero-Knowledge
- Rosen
- 2000
(Show Context)
Citation Context |

41 | On Monotone Formula Closure of SZK
- Santis, Crescenzo, et al.
- 1994
(Show Context)
Citation Context ...is fixed. Such influence games in which the prover has more influence if the input is legitimate, and less influence if it is not, have been used in previous zero-knowledge protocols. See for example =-=[12, 14, 33]-=-. We will now show how to obtain simulatable commitment schemes, and then proceed with using simulatable commitment to implement efficient concurrent zero knowledge proof systems (see Section 5 below)... |

41 |
Direct minimum-knowledge computations
- Yung, Impagliazzo
- 1988
(Show Context)
Citation Context ...s that are good also for non honest verifiers (in the non-concurrent setting). Such a transformation clearly follows from the fact that everything provable is provable in computational zero-knowledge =-=[25, 30, 2]-=-. However, the general transformation is not efficient. Methods for improving the efficiency of the transformation to remove the honest-verifier restriction for computational zero-knowledge protocols ... |

36 | On concurrent zero-knowledge with pre-processing
- Crescenzo, Ostrovsky
- 1999
(Show Context)
Citation Context |

32 | On the Cunning Power of Cheating Verifiers: Some Observations about Zero Knowledge Proofs (Extended Abstract - Oren - 1987 |

27 | An Efficient Non-Interactive Zero-Knowledge Proof System for NP with General Assumptions
- Kilian, Petrank
- 1998
(Show Context)
Citation Context ...is fixed. Such influence games in which the prover has more influence if the input is legitimate, and less influence if it is not, have been used in previous zero-knowledge protocols. See for example =-=[12, 14, 33]-=-. We will now show how to obtain simulatable commitment schemes, and then proceed with using simulatable commitment to implement efficient concurrent zero knowledge proof systems (see Section 5 below)... |

22 |
Foundations of Cryptography - Basic Tools, Cambridge U
- Goldreich
- 2001
(Show Context)
Citation Context ...rifier, and denote it by V \Lambdas. All these terms have the same meaning. Commitment schemes We include a short and informal presentation of commitment schemes. For more details and motivation, see =-=[22]-=-. A commitment scheme involves two parties: The sender and the receiver. These two parties are involved in a protocol which contains two phases. In the first phase the sender commits to a bit (or, mor... |

20 | Proofs of partial knowledge and simpli design of witness hiding protocols - Cramer, Damgard, et al. - 1994 |

14 | Zero-knoledge with Log-Space Verifiers - Kilian - 1988 |

10 | Concurrent Zero-Knowledge in Poly-logarithmic Rounds
- Kilian, Petrank
- 2001
(Show Context)
Citation Context |

8 | Responsive round complexity and concurrent zero-knowledge
- Cohen, Kilian, et al.
- 2001
(Show Context)
Citation Context |

6 |
de Graaf, Multiparty Computations Ensuring Secrecy of each
- Chaum, Damgard, et al.
- 1987
(Show Context)
Citation Context ...ing the efficiency of the transformation to remove the honest-verifier restriction for computational zero-knowledge protocols have been investigated in [32] and can be obtained from the techniques in =-=[7]-=-, but none of these results makes a practical protocol with a widely acceptable security assumption. Our techniques allow such a transformation for public coin zero-knowledge proofs with low overhead ... |

6 | On monotone function closure of perfect and statistical zeroknowledge
- D˚amgard, Cramer
- 1996
(Show Context)
Citation Context ...is fixed. Such influence games in which the prover has more influence if the input is legitimate, and less influence if it is not, have been used in previous zero-knowledge protocols. See for example =-=[12, 14, 33]-=-. We will now show how to obtain simulatable commitment schemes, and then proceed with using simulatable commitment to implement efficient concurrent zero knowledge proof systems (see Section 5 below)... |

4 |
Resettable zero-knowledge. Revision 1 of Report TR99-042, the Electronic Colloquium on Computational Complexity (ECCC) ftp://ftp.eccc.uni-trier.de/pub/eccc
- Canetti, Goldreich, et al.
- 2000
(Show Context)
Citation Context |

4 |
Achieving zero-knowledge robustly
- Kilian
- 1990
(Show Context)
Citation Context ...nsformation is not efficient. Methods for improving the efficiency of the transformation to remove the honest-verifier restriction for computational zero-knowledge protocols have been investigated in =-=[32]-=- and can be obtained from the techniques in [7], but none of these results makes a practical protocol with a widely acceptable security assumption. Our techniques allow such a transformation for publi... |

4 | Honest-veri statistical zero-knowledge equals general statistical zeroknowledge - Goldreich, Sahai, et al. - 1998 |

4 | On the cunning powers of cheating veri Some observations about zero knowledge proofs - Oren - 1987 |

2 | Multiple non-interactive zero-knowledge proofs based on a singe random string - thesis - 1990 |

1 | Resettable zero-knowledge. Revision 1 - Canetti, Goldreich, et al. - 2000 |

1 | 32nd Annual ACM Symposium on Theory of Computing May 2000. [6 - Canetti, Kilian, et al. |

1 | Thirty-Third Annual ACM Symposium on the Theory of Computing, July 6-8, 2001. [7 - Rounds |

1 | Theory of Cryptography Library: Record 96-03 - Damgard, Pedersen, et al. - 1996 |

1 | Direct Minimum-Knowledge computations. Advances in Cryptology - Impagliazzo, Yung - 1987 |