On Virtual Grey Box Obfuscation for General Circuits

Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity
Ran Canetti, Abhishek Jain and Omer Paneth

Zero-Knowledge Protocols
[Goldwasser-Micali-Rackoff 85]
• Completeness
• Soundness
• Zero knowledge
[Diagram: P and V; x ∈ L?]

Completeness
[Diagram: x ∈ L; P (with w) and V; V outputs Accept]

Soundness
[Diagram: x ∉ L; P* and V; V outputs reject]

Zero-knowledge
[Diagram: x ∈ L; P with V* ≈_c S]

Why do we care about zero-knowledge?
Used as a sub-protocol in larger cryptographic protocols and systems
Secure composition?

Concurrent Composition
[Diagram: three sessions, each between P (with w) and V on x ∈ L]

Concurrent Zero Knowledge
[Dwork-Naor-Sahai 98]
[Diagram: three sessions of P (with w) on x ∈ L with V* ≈_c S]

Rounds and Assumption
Stand-alone zero knowledge [Feige-Shamir 89] [Bellare-Jakobson-Yung 97]
  Rounds: 4
  Assumption: OWF
Concurrent zero knowledge [Richardson-Kilian 99] [Kilian-Petrank 01] [Prabhakaran-Rosen-Sahai 02]
  Assumption: OWF
Concurrent zero knowledge [Gupta-Sahai 12] [Chung-Lin-Pass 13] [Pandey-Prabhakaran-Sahai 13]
  Strong assumption: interactive knowledge assumptions, statistically sound P-certificates, differing input obfuscation

Today
Constant-round protocols from standard assumptions
Weaker notions of concurrent security

Bounded Concurrent ZK
[Barak 01]
Assuming collision-resistant hash functions. For bound B:
[Diagram: P and V run ≤ B sessions of Barak]
Complexity of each session
  Rounds: O(1)
  Communication: Poly(B)

Barak’s Protocol
The bound on the number of concurrent sessions is set at protocol design time
This is too early
[Diagram: a Server running Barak with three Clients]
[Persiano-Visconti 05]: set the bound only at protocol run time

Standard Model for Concurrent ZK
[Diagram: three sessions, each between P (with w) and V on x ∈ L]

Client-Server Concurrent ZK
[Persiano-Visconti 05]
[Diagram: one Server P (with w) in sessions on x ∈ L with three Clients V]
Increase the communication as more sessions start

The Persiano-Visconti Protocol
A single session (P and V) / Concurrent sessions:
  Bounded concurrent for n sessions / > n active sessions
  Bounded concurrent for n^2 sessions / > n^2 active sessions
  Bounded concurrent for n^3 sessions / < n^3 active sessions
  Finish session

Protocol Complexity
[Diagram: P and V run Barak for n sessions, Barak for n^2 sessions, Barak for n^3 sessions, then Finish session]
Complexity of each session (for n^c concurrent sessions)
  Rounds: O(c)
  Communication: Poly(n^c)
Almost the same as bounded concurrent ZK!

The Persiano-Visconti Protocol
The communication complexity is changing at protocol run time
This is too late
[Diagram: a Server running Persiano-Visconti with three Clients]
Client does not know what will be the communication complexity of the session!

Example: Call Center
“All our lines are currently busy. Please hold and your call will be answered shortly…”
“The estimated waiting time is 7 minutes.”
This work: the communication complexity is set at the beginning of every session

Our Result
Assuming collision-resistant hash functions, there is a concurrent zero-knowledge protocol in the client-server model with constant rounds and guaranteed complexity.
Guaranteed complexity: the communication complexity of each session is determined at the beginning of the session

This work vs. [Persiano-Visconti]
Round complexity
  This work: 6
  [Persiano-Visconti]: O(c) for n^c concurrent sessions
Communication complexity
  This work: determined in the beginning of the session
  [Persiano-Visconti]: not determined until the session terminates

The Protocol
Every session runs Barak’s protocol with some bound
First n sessions to start run Barak’s protocol with bound n.
Next n^2 − n sessions run Barak’s protocol with bound n^2.
Next n^3 − n^2 sessions run Barak’s protocol with bound n^3.
[Diagram: P receiving a sequence of "Start session" messages]

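The bound-selection rule from "The Protocol" slide, as an added example that is not part of the talk: the server fixes each session's level from the order in which it starts, so the bound n^i is known before the first message, while `pv_stages` models the Persiano-Visconti escalation. The names `level_for`, `Server`, `pv_stages`, `level_histogram`, the sample values, and the assumption that a Persiano-Visconti session sees one active-session count after each stage (finishing when the count is at most n^i) are constructed for illustration; Barak's protocol itself is not implemented.

```python
from collections import Counter


def level_for(k: int, n: int) -> int:
    """Level of the k-th session to start (1-indexed): smallest i with k <= n**i.
    Integer arithmetic only, so an exact power k == n**i stays on level i."""
    if n < 2 or k < 1:
        raise ValueError("need n >= 2 and k >= 1")
    level, cap = 1, n
    while k > cap:
        level, cap = level + 1, cap * n
    return level


class Server:
    """Tracks how many sessions have started; the count never decreases."""

    def __init__(self, n: int):
        self.n, self.started = n, 0

    def start_session(self) -> tuple[int, int]:
        """Return (level, bound) for a new session, fixed before its first message."""
        self.started += 1
        level = level_for(self.started, self.n)
        return level, self.n ** level


def pv_stages(n: int, active_after_stage: list[int]) -> int:
    """Stages run by one Persiano-Visconti style session (simplified model).

    Assumption: after stage i (bound n**i) the session sees one active-session
    count; it runs stage i+1 if that count exceeds n**i and finishes otherwise.
    """
    for stage, active in enumerate(active_after_stage, start=1):
        if active <= n ** stage:
            return stage
    raise ValueError("trace ended before the session could finish")


def level_histogram(n: int, total_sessions: int) -> dict[int, int]:
    """Number of sessions per level when total_sessions sessions start."""
    server = Server(n)
    return dict(Counter(server.start_session()[0] for _ in range(total_sessions)))


if __name__ == "__main__":
    print(level_histogram(4, 70))      # constructed run: n = 4, 70 sessions
    print(pv_stages(4, [9, 20, 30]))   # constructed trace of active counts
```
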
The Challenge
Cannot rely directly on bounded concurrency
[Diagram: P runs Barak’s protocol with bound n while V* starts > n new sessions]

Barak’s simulation
[Diagram: S and V*; ≤ B sessions of Barak]

Barak’s simulation
[Diagram: S in each of the ≤ B sessions of Barak with V*]

Barak’s simulation
[Diagram: S with V* on Barak, P with V* on other protocols; ≤ B sessions; communication complexity ≤ Barak’s]

Proof
A session is of level i if it runs Barak’s protocol with bound n^i.
Observation: if V* starts ≤ n^c sessions, sessions of level c are easy to simulate.

[Diagram: P and V*; interleaved sessions of levels c, c − 1 and c − 2]

[Diagram: S_0, P and V*; sessions of levels c, c − 1 and c − 2]

[Diagram: S_1, S_0, P and V*; sessions of levels c, c − 1 and c − 2]

[Diagram: S_2, S_1, S_0, … and V*; sessions of levels c, c − 1 and c − 2]

Simulation Running Time
T(S_0) = Poly(T(V*))
T(S_1) = Poly(T(S_0))
…
T(S_c) = Poly(T(S_{c−1}))

Thanks!
[slide: Mira Belenkiy]