Constant-Round Concurrent Zero-Knowledge from Indistinguishability Obfuscation [chapter]

Kai-Min Chung, Huijia Lin, Rafael Pass
2015 Lecture Notes in Computer Science  
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for P/poly (with slightly super-polynomial security). Zero-knowledge (ZK) interactive proofs [GMR89] are paradoxical constructs that allow one player (called the Prover) to convince another player (called the Verifier) of the validity of a mathematical statement x ∈ L, while …ing zero additional knowledge to the Verifier. Beyond being fascinating in their own right, ZK proofs have numerous cryptographic applications and are one of the most fundamental cryptographic building blocks. The notion of concurrent zero knowledge, first introduced and achieved in the paper by Dwork, Naor and Sahai [DNS04], considers the execution of zero-knowledge proofs in an asynchronous and concurrent setting. More precisely, we consider a single adversary mounting a coordinated attack by acting as a verifier in many concurrent executions (called sessions). Concurrent ZK proofs are significantly harder to construct and analyze. Since the original protocol by Dwork, Naor and Sahai (which relied on so-called "timing assumptions"), various other concurrent ZK protocols have been obtained based on different set-up assumptions (e.g., [DS98, Dam00, CGGM00, Gol02, PTV12, GJO+12]), or in alternative models (e.g., super-polynomial-time simulation [Pas03, PV10]). In the standard model, without set-up assumptions (the focus of our work), Canetti, Kilian, Petrank and Rosen [CKPR01] (building on earlier works by [KPR98, Ros00]) show that concurrent ZK proofs for non-trivial languages, with "black-box" simulators, require at least Ω(log n) communication rounds. Richardson and Kilian [RK99] constructed the first concurrent ZK argument in the standard model without any extra set-up assumptions. Their protocol, which uses a black-box simulator, requires O(n ) rounds. The round complexity was later improved in the work of Kilian and Petrank (KP) [KP01] to Õ(log² n) rounds. More recent work by Prabhakaran, Rosen and Sahai [PRS02] improves the analysis of the KP simulator, achieving an essentially optimal (with respect to black-box simulation) round complexity of Õ(log n); see also [PTV12] for an (arguably) simplified and generalized analysis.
The central open problem in the area is whether a constant-round concurrent ZK protocol (for a non-trivial language) can be obtained. Note that it could very well be the case that all "classic" zero-knowledge protocols already are concurrent zero-knowledge; thus, simply assuming that those protocols are concurrent zero-knowledge yields an assumption under which constant-round concurrent zero-knowledge (trivially) exists; in essence, we are assuming that for every attacker a simulator exists. Furthermore, as shown in [GS12] (and informally discussed in [CLP13b]), under various "extractability" assumptions of the knowledge-of-exponent type [Dam91, HT98, BP04], constant-round concurrent zero-knowledge is easy to construct. But such extractability assumptions also simply assume that for every attacker, a simulator (in essence, "the extractor" guaranteed by the extractability assumption) exists. In particular, an explicit construction of the concurrent zero-knowledge simulator is not provided; it is simply assumed that one exists. For some applications of zero-knowledge such as deniability (see e.g., [DNS04, Pas03]), having an explicit simulator is crucial. Rather, we are here concerned with the question of whether constant-round concurrent zero-knowledge with an explicit simulator exists.

Towards Constant-round Concurrent Zero-Knowledge. Recently, the authors [CLP13b] provided the first construction of a constant-round concurrent zero-knowledge protocol with an explicit simulator, based on a new cryptographic hardness assumption: the existence of so-called P-certificates, roughly speaking, succinct non-interactive arguments for languages in P. An issue with their approach, however, is that we only have candidate constructions of P-certificates that are sound against uniform polynomial-time attackers (as opposed to non-uniform ones), and the protocol of [CLP13b] inherits the soundness property of the underlying P-certificate.
doi:10.1007/978-3-662-47989-6_14 fatcat:xhb6miv2nvamje3yh5infuaxgi