On Round-Optimal Zero Knowledge in the Bare Public-Key Model

Scafuro, Alessandra; Visconti, Ivan

doi:10.1007/978-3-642-29011-4_11

Cited by 14 publications

(12 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The issue here is that, such simulation strategy does not apply to the selective opening setting where multiple sessions are played in parallel with possibly different abort probabilities. Similar issues have been pointed out in [22] on previous work on round-optimal concurrent zero knowledge with bare public keys. The same issue on simulatability holds for the (t + 3, 1)-round scheme.…”

Section: (33)-round Scheme From One-way Permutationssupporting

confidence: 73%

Revisiting Lower and Upper Bounds for Selective Decommitments

Ostrovsky

Rao²,

Scafuro

et al. 2013

Theory of Cryptography

Self Cite

View full text Add to dashboard Cite

In [6,7], Dwork et al. posed the fundamental question of existence of commitment schemes that are secure against selective opening attacks (SOA, for short). In [2] Bellare, Hofheinz, and Yilek, and Hofheinz in [13] answered it affirmatively by presenting a scheme which is based solely on the non-black-box use of a one-way permutation needing a super-constant number of rounds. This result however opened other challenging questions about achieving a better round complexity and obtaining fully black-box schemes using underlying primitives and code of the adversary in a black-box manner. Recently, in TCC 2011, Xiao ([23]) investigated on how to achieve (nearly) optimal SOA-secure commitment schemes where optimality is in the sense of both the round complexity and the black-box use of cryptographic primitives. The work of Xiao focuses on a simulation-based security notion of SOA. Moreover, the various results in [23] focus only on either parallel or concurrent SOA. In this work we first point out various issues in the claims of [23] that actually reopen several of the questions left open in [2,13]. Then, we provide new lower bounds and concrete constructions that produce a very different state-of-the-art compared to the one claimed in [23].

show abstract

Section: (33)-round Scheme From One-way Permutationssupporting

confidence: 73%

Revisiting Lower and Upper Bounds for Selective Decommitments

Ostrovsky

Rao²,

Scafuro

et al. 2013

Theory of Cryptography

Self Cite

View full text Add to dashboard Cite

show abstract

“…The bare public key model was proposed in [5] where, before any interaction starts, every player is required to declare a public key and store it in a public file (which never changes once the sessions start). In this model it is known how to obtain constant-round concurrent zero knowledge with concurrent soundness under standard assumptions [13,35,36,34]. This model has also been used for constant-round concurrent non-malleable zero knowledge [25] and various constant-round resettable and simultaneously resettable protocols [22,39,11,9,10,38,37,7].…”

Section: Related Workmentioning

confidence: 99%

Constant-Round Concurrent Zero Knowledge in the Bounded Player Model

Goyal

Jain

Ostrovsky

et al. 2013

Advances in Cryptology - ASIACRYPT 2013

Self Cite

View full text Add to dashboard Cite

Abstract. In [18] Goyal et al. introduced the bounded player model for secure computation. In the bounded player model, there are an a priori bounded number of players in the system, however, each player may execute any unbounded (polynomial) number of sessions. They showed that even though the model consists of a relatively mild relaxation of the standard model, it allows for round-efficient concurrent zero knowledge. Their protocol requires a super-constant number of rounds. In this work we show, constructively, that there exists a constant-round concurrent zero-knowledge argument in the bounded player model. Our result relies on a new technique where the simulator obtains a trapdoor corresponding to a player identity by putting together information obtained in multiple sessions. Our protocol is only based on the existence of a collision-resistance hash-function family and comes with a "straight-line" simulator. We note that this constitutes the strongest result known on constantround concurrent zero knowledge in the plain model (under well accepted relaxations) and subsumes Barak's constant-round bounded concurrent zero-knowledge result. We view this as a positive step towards getting constant round fully concurrent zero-knowledge in the plain model, without relaxations.

show abstract

“…The security provided by the SHVZK property is clearly insufficient as it gives no immediate guarantees against verifiers who deviates from the protocol. Despite of this, the success of Σ-protocols and their impact in various constructions [1,2,6,[9][10][11][12]14,15,20,22,25,27,32,33,36,37,40,41,43] is a fact. This is due to a breakthrough of Cramer et al [18] that adds WI to the security of Σ-protocol.…”

Section: Introductionmentioning

confidence: 99%

Improved OR-Composition of Sigma-Protocols

Ciampi

Persiano

Scafuro

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

In [18] Cramer, Damgård and Schoenmakers (CDS) devise an OR-composition technique for Σ-protocols that allows to construct highly-efficient proofs for compound statements. Since then, such technique has found countless applications as building block for designing efficient protocols. Unfortunately, the CDS OR-composition technique works only if both statements are fixed before the proof starts. This limitation restricts its usability in those protocols where the theorems to be proved are defined at different stages of the protocol, but, in order to save rounds of communication, the proof must start even if not all theorems are available. Many round-optimal protocols ([21, 30,41,44]) crucially need such property to achieve round-optimality, and, due to the inapplicability of CDS's technique, are currently implemented using proof systems that requires expensive NP reductions, but that allow the proof to start even if no statement is defined (a.k.a., LS proofs from Lapidot-Shamir [31]). In this paper we show an improved OR-composition technique for Σ-protocols, that requires only one statement to be fixed when the proof starts, while the other statement can be defined in the last round. This seemingly weaker property is sufficient for the applications, where typically one of the theorems is fixed before the proof starts. Concretely, we show how our new OR-composition technique can directly improve the round complexity of the efficient perfect quasi-polynomial time simulatable argument system of Pass [38] (from four to three rounds) and of efficient resettable WI arguments (from five to four rounds).

show abstract

On Round-Optimal Zero Knowledge in the Bare Public-Key Model

Cited by 14 publications

References 31 publications

Revisiting Lower and Upper Bounds for Selective Decommitments

Revisiting Lower and Upper Bounds for Selective Decommitments

Constant-Round Concurrent Zero Knowledge in the Bounded Player Model

Improved OR-Composition of Sigma-Protocols

Contact Info

Product

Resources

About