The Knowledge Complexity of Interactive Proof Systems

Abstract. We give improved upper bounds on the communication complexity of optimally-resilient secure multiparty computation in the cryptographic model. We consider evaluating an n-party randomized function and show that if f can be computed by a circuit of size c, then O(cn 2 κ) is an upper bound for active security with optimal resilience t < n/2 and security parameter κ. This improves on the communication complexity of previous protocols by a factor of at least n. This improvement comes from the fact that in the new protocol, only O(n) messages (of size O(κ) each) are broadcast during the whole protocol execution, in contrast to previous protocols which require at least O(n) broadcasts per gate.Furthermore, we improve the upper bound on the communication complexity of passive secure multiparty computation with resilience t < n from O(cn 2 κ) to O(cnκ). This improvement is mainly due to a simple observation.

Section: The Ideal Evaluationmentioning

confidence: 99%

Upper Bounds on the Communication Complexity of Optimally Resilient Cryptographic Multiparty Computation

Hirt

Nielsen

2005

“…One is "interactive proof" and the other is "interactive argument". The former requires that even a computationally unrestricted prover should be unable to make the verifier accept x / ∈ L, except with negligible (in n) probability [GMR85]. On the other hand, the latter requires that any cheating prover restricted to PPT should be unable to make the verifier accept x / ∈ L, except with negligible (in n) probability [BrCr86].…”

Section: Interactive Argumentsmentioning

confidence: 99%

Zero-Knowledge and Code Obfuscation

Hada

2000

118

Abstract. In this paper, we investigate the gap between auxiliary-input zero-knowledge (AIZK) and blackbox-simulation zero-knowledge (BSZK). It is an interesting open problem whether or not there exists a protocol which achieves AIZK, but not BSZK. We show that the existence of such a protocol is closely related to the existence of secure code obfuscators. A code obfuscator is used to convert a code into an equivalent one that is difficult to reverse-engineer. This paper provides security definitions of code obfuscation. By their definitions, it is easy to see that the existence of the gap implies the existence of a cheating verifier such that it is impossible to obfuscate any code of it. Intuitively, this means that it is possible to reverse-engineer any code of such a cheating verifier. Furthermore, we consider the actual behavior of such a cheating verifier. In order to do so, we focus on two special cases in which the gap exists: (1) there exists a constant round public-coin AIZK interactive argument for a language outside of BPP. (2) there exists a 3-round secret-coin AIZK interactive argument for a language outside of BPP. In the former case, we show that it is impossible to securely obfuscate a code of a cheating verifier behaving as a pseudorandom function. A similar result is shown also in the latter case. Our results imply that any construction of constant round public-coin or 3-round secret-coin AIZK arguments for non-trivial languages essentially requires a computational assumption with a reverse-engineering property.

“…None of these protocols are known to be zero-knowledge or even witness hiding. In general, a parallelization of a sequential zero-knowledge proof [7] will often satisfy the conditions.…”

Section: Introductionmentioning

confidence: 99%

Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Cramer¹,

Damgård

Schoenmakers³

836

675

Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S, we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to a subset of n problem instances corresponding to a qualified set of participants. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, this can lead to witness hiding protocols, even if P did not have this property. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P. Our results use no unproven complexity assumptions.