Introduction. Since its introduction, the concept of a zero-knowledge proof system and the sim- ... In [13], Barak presented a non-black-box constant-round bounded- concurrent .... Let ãP, V ã be an interactive or argument system for a language.
Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds� Giuseppe Persiano and Ivan Visconti Dipartimento di Informatica ed Appl., Universit` a di Salerno, Italy {giuper, visconti}@dia.unisa.it
Abstract. In this paper we study the round complexity of concurrent zero-knowledge arguments and show that, for any function β(n) = ω(1), there exists an unbounded concurrent zero-knowledge argument system with β(n) rounds. Our result assumes that the same prover is engaged in several concurrent sessions and that the prover has a counter whose value is shared across concurrent executions of the argument. Previous constructions for concurrent zero knowledge required a (almost) logarithmic number of rounds [Prabhakaran et al. - FOCS 2002] in the plain model or seemingly stronger set-up assumptions. Moreover, we construct two β(n)-round unbounded concurrent zeroknowledge arguments that are mutually concurrent simulation sound for any β(n) = ω(1). Here we assume that each party has access to a counter and that the two protocols are used by the same two parties to play several concurrent sessions of the two protocols.
1
Introduction
Since its introduction, the concept of a zero-knowledge proof system and the simulation paradigm have been widely used to prove the security of many protocols. The notion of concurrent zero knowledge [2] formalizes security in a scenario in which several verifiers access concurrently a prover and maliciously coordinate their actions so to extract information from the prover. In [3] it has been showed ˜ that in the black-box model Ω(log n) round are necessary for concurrent zero knowledge for non-trivial languages. The first concurrent zero-knowledge proof system for N P has been given by [4] that showed that O(n� ) are sufficient for any � > 0. Poly-logarithmic round-complexity was achieved in [5] and, finally, ˜ in [1] it is shown that O(log n) rounds are sufficient. The proof systems presented in [4, 5, 1] are black-box zero knowledge and the round-complexity of the proof system of [1] is almost optimal in view of the lower bound proved in [3]. Thus unlike the stand-alone case, black-box concurrent zero knowledge cannot be achieved in a constant number of rounds. �
Work supported by Network of Excellence ECRYPT under contract IST-2002507932.
L. Caires et al. (Eds.): ICALP 2005, LNCS 3580, pp. 228–240, 2005. c Springer-Verlag Berlin Heidelberg 2005 �
Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds
229
Different models have been presented in which round-efficient black-box concurrent zero knowledge is possible. In [2, 6, 7] constant-round concurrent zeroknowledge proof systems have been presented by relaxing the asynchrony of the model or the zero-knowledge property. In [8, 9], constant-round concurrent zero-knowledge proof systems have been presented assuming the existence of a common reference string or a shared random string (i.e., a trusted third party) while in [10] a constant-round concurrent zero-knowledge with concurrent soundness argument system is shown by assuming that there exists a public repository that contains the public keys of the verifiers. Furthermore, Pass [12] gave a constant-round concurrent zero-knowledge argument with a super-polynomialtime simulator. In [13], Barak presented a non-black-box constant-round boundedconcurrent zero-knowledge argument system. The construction of [13] assumes that the maximum number of concurrent sessions is known in advance. Simulation-sound zero knowledge. Simulation-sound zero knowledge has been introduced in [14] for the purpose of constructing cryptosystems secure against adaptive chosen-ciphertext attacks. This concept is related to the concept of non-malleability introduced in [15]. Indeed, both notions deal with an adversary (called the man-in-the-middle) that simultaneously participates to many executions of two proof systems and acts as a prover in the former and as a verifier in the latter. The adversary has complete control over the scheduling of the messages in the executions of the protocols. Informally, two zero-knowledge proof systems are said mutually concurrent simulation sound if the information that the man-in-the-middle adversary collects as a verifier from concurrent sessions played with a simulated prover of the former proof system does not help him to prove a false statement in the latter proof system and vice versa. Here the manin-the-middle can choose to see simulated proofs of true and false statements. Simulation-sound zero knowledge plays an important role for proving the security of protocols. Indeed, when the simulation paradigm is used to prove the security of a protocol, the simulator could, in some cases, need to simulate the proof of a false statement. Here simulation soundness is crucial since the adversary could gain knowledge from such a proof in order to prove a false statement in another protocol. Our results. In this paper we show that, for any function β such that β = ω(1), there exists a β(n)-round concurrent zero-knowledge argument system for any language in N P. Our argument system assumes that: 1) the prover is equipped with a counter that counts the total number of bits he has sent so far in all sessions; 2) the argument system remains zero knowledge provided that one single prover is engaged by the adversarial verifier in any polynomial number of (unbounded) concurrent sessions. We stress that our set-up assumptions seem no-stronger than the ones made in [2, 6, 7, 8, 10]. Comparing our result with the bounded-concurrent result of [13], we stress that our construction does not assume knowledge of an a-priori bound on the number of concurrent sessions. On the other hand, our construction requires a super-constant number of rounds. Finally, we remark that the
230
G. Persiano and I. Visconti
concurrent zero-knowledge property of our construction is obtained by means of an efficient simulator. Relying upon our construction of concurrent zero knowledge we present two β(n)-round argument systems that are concurrent zero knowledge and mutually concurrent simulation sound for any β = ω(1). Here we require set-up assumptions inherited from the concurrent zero-knowledge argument on which they are based: 1) each party is equipped with a counter that is used to keep track of the total length of some of the messages sent; 2) the two protocols are played by the same two players with roles inverted. Comparison with known assumptions. In the past, round-efficient concurrent zero knowledge has been achieved by making assumptions that decrease the power of an adversarial concurrent verifier. For example timing assumptions (used in [2, 6, 7]) limit the power of adversarially scheduling the communication between prover and verifier (by imposing a bound on the delays experienced by the messages), bounded concurrency (used in [13]) upper bounds the number of concurrent sessions. When concurrent zero knowledge is obtained in presence of a common reference string [8, 9], the adversarial concurrent verifier is assumed not to corrupt the party that generated a common reference string and that this party securely preserves (or erases) any secret information about the string. In contrast, our assumptions are quite different in nature. Let us discuss the case of concurrent zero knowledge (the same discussion can be used for the two arguments that are mutually concurrent simulation-sound and concurrent zeroknowledge). First of all, we claim that the need of a counter for a prover is a very weak assumption. Indeed, we only require that the adversarial concurrent verifier cannot modify the value of the counter of the prover. Our results continue to hold if the adversary is allowed to read the value of the counter. Our second requirement forbids an adversarial concurrent verifier the execution of concurrent sessions with different provers. In comparison with the assumptions made in the literature, in our case the adversarial verifier can still open any polynomial number of concurrent sessions with complete control on the scheduling of the messages. There is no bound on the delay of the messages and no trusted party is assumed. Instead, the zero-knowledge property concerns an attack of an adversarial verifier that tries to gain knowledge from a given prover. It is interesting that such a restriction allows the design of round-efficient and concurrent-secure protocols. Constant-round arguments. Our construction leaves as an open problem the construction (even under our set-up assumptions) of a constant-round concurrent zero-knowledge argument for all N P and of constant-round mutually concurrent simulation-sound and concurrent zero-knowledge arguments. Indeed for the case of zero knowledge one would like to prove the following informal statement. Statement 1 (Open problem.). There exist a constant c and an argument system (P, V ) such that for all constants k and all adversaries V � that open at most nk concurrent sessions, (P, V ) takes at most c rounds and the view of V � can be simulated in polynomial time.
Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds
231
Instead we prove the following weaker statement which can be seen as an intermediate result towards the proof of Statement 1. Statement 2. There exists an argument system (P, V ) such that for all constants k and all adversaries V � that open at most nk concurrent sessions, there exists a constant c such that (P, V ) takes at most c rounds and the view of V � can be simulated in polynomial time. Indeed, in our construction the number of rounds depends on the degree of concurrency. However, we show that a super-polynomial number of sessions are needed in order to force a super-constant number of rounds. Statement 2 should be contrasted with the following statement proved in [13] (corresponding to bounded-concurrent zero knowledge). Statement 3 ([13]). There exists a constant c such that for all constants k there exists an argument system (P, V ) such that for all adversaries V � that open at most nk of concurrent sessions, (P, V ) takes at most c rounds and the view of V � can be simulated in polynomial time.
2
Concurrent Zero Knowledge
We now define the zero knowledge requirement that is of interest for this paper: concurrent zero knowledge. Definition 1. Let �P, V � be an interactive or argument system for a language L. We say that a probabilistic polynomial-time adversarial verifier V � is a concurrent adversary if it concurrently runs a polynomial number of interaction with a prover P , without any restrictions over the scheduling of the messages in the different interactions with P . Moreover we say that the transcript of such a concurrent interaction consists of the common inputs and the sequence of prover and verifier messages exchanged during the interaction. We refer to viewP V � (x) as the random variable describing the content of the random tape of V � and the transcript of the concurrent interactions between P and V � . Definition 2. Let �P, V � be an interactive argument system for a language L. We say that �P, V � is concurrent zero knowledge if, for each probabilistic polynomial-time concurrent adversary V � there exists a probabilistic polynomialtime algorithm SV � such that the ensembles {viewP V � (x)}x∈L and {SV � (x)}x∈L are computationally indistinguishable. The above definition (and our construction of a concurrent zero-knowledge argument system) considers the case of a single prover that potentially runs several sessions with the adversarial verifier. Such a definition can be extended to a multi-prover setting in which the adversarial verifier concurrently runs a polynomial number of sessions with possibly different provers. In the standard model when a concurrent adversary is considered, the multi-prover setting and
232
G. Persiano and I. Visconti
the single-prover setting coincide since a single-prover in each interaction is oblivious of the existence of each other interaction. Instead in our settings, we rely on the fact that the prover knows an upper bound on the length of the view of the verifier he is interacting with and this is possible if there is only one prover. We now present our construction of a concurrent zero-knowledge argument system for any language in N P. We start by describing the model in Section 2.1, we give a high-level description of the protocol in Section 2.2, we describe its main components in Section 2.3 and 2.4, and, finally, the protocol and the proofs of its properties are presented in Section 2.5. 2.1
The Model
Our (unbounded) concurrent zero-knowledge argument system requires a model richer than the standard plain model for concurrent zero knowledge used by the previous unbounded-concurrent black-box zero-knowledge argument systems of [4, 1, 5] and the bounded-concurrent non-black-box zero-knowledge argument system of [13]. Indeed, our argument system is based on the following two set-up assumptions. 1. The prover is equipped with a counter that counts the total number of bits that he has sent in all the sessions. The counter can not be modified by the adversarial verifier. 2. The argument system is zero knowledge provided that the same prover is engaged by the adversarial verifier in any polynomial number of concurrent sessions. The first assumption requires that the prover is stateful as the counter is shared by all concurrent sessions. Moreover, the adversarial verifier cannot modify this value. The fact that the adversarial verifier can run many concurrent sessions against only one prover is a consequence of the first assumption since in general a stateful prover behaves differently from another stateful prover when their states are different. Obviously, this does not constitute an issue in the plain model for concurrent zero knowledge where the prover is stateless. 2.2
A High Level Description
Our protocol follows the FLS paradigm [16] that has been used for the boundedconcurrent zero-knowledge argument system of Barak [13]. An FLS-type protocol is composed of two subprotocols: a preamble subprotocol and a witnessindistinguishable argument subprotocol. In an FLS-type protocol, the goal of the preamble subprotocol is to allow prover and verifier that are interacting on input a statement “x ∈ L”, to create an augmented statement “(x ∈ L) ∨ (τ ∈ Λ)” to be proved later in the witness-indistinguishable argument subprotocol. In [13], the auxiliary statement “τ ∈ Λ” informally stands for “com is the commitment of h(A) where A is a program that on input a sufficiently short string tr outputs r in time bounded by a slightly super-polynomial function”. The simulator of [13]
Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds
233
sets A equal to the description of the adversary and tr to its view. To guarantee soundness it is enough that r is sufficiently longer than tr. Since we want unbounded-concurrent zero knowledge, we cannot give a bound on the length of the string tr. Instead, our preamble consists of several iterations (corresponding to increasing values for the length of tr) in which the prover asks the verifier for increasingly long strings r. The prover stops when he receives a string r whose length is at least twice the length of the transcript of all the concurrent sessions1 . The prover maintains a counter to count the length of the transcript of the concurrent sessions. Notice that since the number of rounds of the preamble is not known at the beginning of the protocol, the randomness owned by the verifier could be not sufficient to complete the protocol. Therefore, we assume that the verifier has at least an n-bit random string that he stretches round by round of the preamble by means of a pseudorandom generator. A non-black-box simulator S, interacting with a concurrent adversary V � and given access to the code of V � , commits to its code and randomness by setting A = V � . Then in the argument subprotocol S proves that there exists a string tr (the transcript of the interaction between the simulator and V � ) for which the machine whose code has been committed (that is V � ) would give as output r when receiving tr as input. The statement is obviously true and S has a witness for it (i.e., the decommitment, the description of the adversary and the sufficiently short transcript). S finishes by running the prover’s program for the witness indistinguishable argument. Notice that the simulator runs the same number of sub-preambles played by the prover. For the round complexity of the protocol, it can be seen that for each constant k there exists a constant ck such that, if the adversary starts at most nk concurrent sessions, the protocols will take at most ck rounds. Thus, for any function β(n) = ω(1), we can conclude that, for any polynomial number of concurrent sessions, our protocol takes (for sufficiently large n) at most β(n) rounds. 2.3
The Preamble Subprotocol
Auxiliary inputs. On input x of length n, prover P has a witness w for x ∈ L and a counter c that is shared by all concurrent executions of P . The preamble step by step. Let H = {hα } be an ensemble of collision-resistant hash functions secure against nO(log n) -time adversaries. Each function of hα ∈ H maps any string to a string of length 3|α|. V randomly picks a hash function h by randomly picking an n-bit string α and sends (a description of) h = hα to P . Moreover V picks a random seed s for the pseudorandom generator G and will use the output of G on input s as a random tape. 1
The transcript of a session that we consider here consists of all the messages sent by the prover.
234
G. Persiano and I. Visconti
Then the prover uses a statistically binding commitment scheme (G, Com, Dec) to compute (com, dec) = Com(h(0n )), sends com to the verifier and increments c by |com|. Now the prover and the verifier repeat the following iteration, starting with i = 1, until the preamble is declared completed: 1. at the i-th iteration, V randomly picks a 2ni -bit string ri and sends it to the prover; 2. if c ≤ ni then the preamble is declared completed and P sends the bit “1” to V to mark the end of the preamble; otherwise, P sends the bit “0” to ask V to perform iteration i = i + 1. In both cases, P increments the counter c by 1. 2.4
The Argument Subprotocol
The argument subprotocol consists in the execution of a witness-indistinguishable universal argument for proving statement “(x ∈ L) ∨ (τ ∈ Λ).” We stress that during the execution of the argument subprotocol the prover increments c to keep track of the number of bits he has sent. Let us now describe the language Λ and the string τ . We say that (h, com, r) ∈ Λ if (com, dec) = Com(h(A)) and there exists tr of length |tr| < |r|/2 such that A, on input tr, outputs r in at most nlog log n/2 steps. The triple τ = (h, com, r) used by the prover in the argument subprotocol consists of the (description of the) collision-resistant hash function h picked by the verifier, the commitment com sent by the prover and the last string r sent by the verifier during the preamble protocol. Obviously, the prover runs the witness indistinguishable universal argument subprotocol for Ntime(nlog log n ) for proving statement “(x ∈ L) ∨ (τ ∈ Λ)” using w such that (x, w) ∈ RL as witness. The simulator instead uses his knowledge of the code of the verifier to compute (com, dec) = Com(h(V � )) in the preamble. Therefore, if V � in the i-th iteration of the loop of the preamble subprotocol, on input a transcript tr of the messages sent by the simulator such that |tr| ≤ ni , outputs a 2ni -bit message r, the triple (dec, V � , tr) is a witness for (h, com, r) ∈ Λ and therefore for “(x ∈ L)∨(τ ∈ Λ)”. Thus the simulator runs the code of the prover of the witness-indistinguishable universal argument subprotocol using (dec, V � , tr) as witness. 2.5
The Concurrent Zero-Knowledge Argument System
Our concurrent zero-knowledge argument system for all languages in N P combines the preamble subprotocol from Section 2.3 and the witness-indistinguishable universal argument for Ntime(nlog log n ) from Section 2.4. By using the techniques introduced in [17] our construction only needs the existence of collision-resistant hash function ensembles that are secure with respect to polynomial-time algorithms.
Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds
235
Theorem 1. Assuming the existence of collision-resistant hash function ensembles that are secure against polynomial-time algorithms, then there exists (constructively) a β(n)-round concurrent zero-knowledge argument system for N P for any β(n) = ω(1). The proof of Theorem 1, is omitted from this extended abstract.
3
Concurrent Simulation Soundness
In this section we show that the concurrent zero-knowledge argument system presented in Section 2 can be used to construct two mutually concurrent simulationsound and concurrent zero-knowledge argument systems. More precisely, in this section we show that, under set-up assumptions similar to those used to construct the concurrent zero-knowledge argument of Section 2, there exists (constructively) a pair of β(n)-round concurrent zero-knowledge argument systems that are mutually concurrent simulation sound for any β = ω(1). Man-in-the-middle adversary. The strong notion of simulation-sound zero knowledge deals with an adversary A that mounts a man-in-the-middle attack at two arguments SSP0 = �P0 , V0 � and SSP1 = �P1 , V1 �. The adversary A acts as a verifier in an instance of protocol SSP0 and as a prover in a (concurrently played) instance of protocol SSP1 . A has complete control of the communication channel and can decide the scheduling of the messages. Informally, SSP0 is simulation sound with respect to SSP1 if the “simulated” proof of a (possibly false) statement seen by A as a verifier of SSP0 does not help him to prove a false statement in SSP1 . If SSP0 = SSP1 then we say that SSP0 is self simulation sound. If SSP0 is simulation sound with respect to SSP1 and SSP1 is simulation sound with respect to SSP0 then we say that SSP0 and SSP1 are mutually simulation sound. A concurrent man-in-the-middle adversary A is allowed to play several concurrent instances of SSP0 and SSP1 (instead of just one for each protocol). In this case, if the “simulated” proofs of both true and false statements in SSP0 do not help A to prove a false statement in SSP1 we say that SSP0 is concurrently simulation sound with respect to SSP1 . We will consider this stronger notion of simulation soundness. S0 ,A (x1 , . . . , xpoly(n) , x�1 , . . . , x�poly(n) )} the distribution We denote by {outA,V 1 of the output of V1 after a concurrent man-in-the-middle attack of A. We assume that in SSP0 , S0 simulates the proofs for both true and false statements (x1 , . . . , xpoly(n) ) and in SSP1 A tries to prove statements (x�1 , . . . , x�poly(n) ). The output of V1 in such an experiment is therefore a vector of bits (b1 , . . . , bpoly(n) ) where bi = 1 means that V1 accepted the proof for x�i while bi = 0 means that V1 rejected the proof for x�i , for i = 1, . . . , poly(n). We now give a formal definition of concurrent simulation soundness that we use in our construction.
236
G. Persiano and I. Visconti
Definition 3. Let SSP0 = �P0 , V0 � and SSP1 = �P1 , V1 � be two argument systems for a language L. We say that SSP0 is concurrently simulation-sound with respect to SSP1 if, for any concurrent man-in-the-middle adversary A, there exists a probabilistic polynomial-time algorithm SA such the probability that the SA ,A (x1 , . . . , xpoly(n) , x�1 , . . . , x�poly(n) )} is 1 and x�i �∈ L for i-th bit of {outA,V 1 i ∈ {1, . . . , poly(n)} is negligible. 3.1
The Additional Assumptions of Our Model
We show in the next section a pair of mutually (unbounded) concurrent simulation-sound and concurrent zero-knowledge arguments. For our constructions we will need set-up assumptions very similar to the ones used for concurrent zero knowledge. As for the case of concurrent zero knowledge, we do not assume the existence of any trusted third party nor of trusted sources of shared randomness. Our protocol is based on the following two set-up assumptions. 1. Each party is equipped with a counter that gives at each step the total number of bits he has sent so far in all sessions in which he acts as a prover in both protocols and as a verifier in only one of the two protocols. 2. SSP0 and SSP1 are played by the same two players with roles inverted. As in the previous construction, the first assumption makes the parties stateful since they need to propagate the value of the counter across concurrent sessions. The fact that we need to restrict the adversary to mount an attack against only one player (although this single player is allowed to play both as a prover and as a verifier in several concurrent sessions) is a consequence of our first set-up assumption. Indeed for stateless parties, it does not make a difference whether the prover and verifier that are interacting with the man-in-the-middle adversary are the same or not. We stress that in this model, the argument system of Section 2 is also concurrent non-malleable (we stress that non-malleability requires that proofs of true statements do not help the adversary for proving a different statement) and concurrent zero-knowledge. Indeed, the fact that we only have to deal with two parties implies that the simulator controls both the prover and the verifier played by the honest parties (in particular the simulator has access to the randomness used by these algorithms) which makes things much easier. This approach does not work for obtaining simulation soundness; in this case the adversary can request to see the (simulated) proofs of polynomially many true and false statements which makes the design of concurrent simulation-sound argument systems more difficult. Let us now concentrate on simulation soundness. 3.2
The Mutually Concurrent Simulation-Sound Argument Systems
In this section we describe the two argument systems that are mutually concurrent simulation-sound and concurrent zero knowledge, that is both are concurrent zero knowledge and each one is concurrently simulation sound with respect to the other one.
Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds
237
For our construction, we use some techniques introduced in [11], and therefore we need cryptographic primitives that are secure with respect to superpolynomial-time adversaries. Using an ensemble of collision resistant hash functions that is secure against T (n)O(1) -adversaries, the universal argument presented in [17, 13] is sound with respect to adversaries running in time T (n). By plugging such a strengthened universal argument in the concurrent zero-knowledge argument system of Section 2, and assuming that even in the preamble such stronger hash functions are used, we have that the resulting concurrent zero-knowledge argument systems is sound against adversaries running in time T (n). In order to obtain two mutually concurrent simulation-sound and concurrent zero-knowledge argument systems, we use the following approach. We show a concurrent zero-knowledge argument system SSP1 that has also a straightline simulator that by running in time nO(log n) inverts a one-way permutation (here we use the recent techniques of [12, 11]). We then show a concurrent zero2 knowledge argument system SSP0 that is sound with respect to nO(log n) adversaries. Informally, concurrent simulation soundness of SSP1 with respect to SSP0 is proved in the following way. An adversarial prover P0� for SSP0 that proves a false statement while concurrently interacting in any polynomial number of sessions as a prover of SSP0 and as a verifier of SSP1 can be used to break the stand-alone soundness of SSP0 . We use here the existence of an nO(log n) time straight-line simulator for SSP1 , since it can be easily extended to play also the role of verifier in SSP0 2 , therefore a relay strategy for the session in which P0� proves a false statement can be use to break in time nO(log n) the stand-alone 2 soundness of SSP0 that is assumed to work against nO(log n) adversaries. For proving the concurrent simulation soundness of SSP0 with respect to SSP1 we use a different technique since the previous approach can not work in both directions at the same time. The idea is that for proving the simulation soundness of SSP0 with respect to SSP1 , it is necessary to consider an adversary P1� that plays both the role of prover in concurrent sessions of SSP1 and the role of verifier in concurrent sessions of SSP0 . The zero-knowledge simulator of SSP0 suffices here for simulation soundness but it has to consider the view of the adversary P1� that also includes the messages that he receives in SSP1 . In case P1� has proved a false statement for SSP1 , we get a contradiction with respect to the stand-alone soundness of SSP1 . This can be achieved by performing a relay strategy with a real verifier V1 . The original parameter (i.e., the counter) of the concurrent zero-knowledge argument system of Section 2 includes in SSP0 the messages of the sessions of SSP0 received by P1� when playing the role of verifier and the messages of SSP1 received by P1� when playing the role of prover. Since the same does not hold for SSP1 (where the prover only counts the bits sent as 2
This additional work does not damage the simulation of SSP1 since such simulation is not based on the knowledge of the code of the adversary and its input. Instead, the simulation is based on the power of breaking a primitive that is assumed to be hard for no(log n) -time algorithms.
238
G. Persiano and I. Visconti
a prover of SSP1 ), the communication complexity of SSP1 is short enough to allow the desired round complexity in SSP0 . We now give the details of the two protocols while the formal proofs are omitted from this extended abstract. The first protocol. The first of the two mutually concurrent simulation-sound and concurrent zero-knowledge arguments is referred to as SSP0 and is the concurrent zero-knowledge protocol of Section 2 with the following modification. First of all, SSP0 is the strengthened concurrent zero-knowledge argument sys2 tem (as discussed above) that is sound against nO(log n) -adversaries (i.e., we 2 set T (n) = nO(log n) ). For this reason, we assume the existence of an ensemble of hash functions that are collision resistant with respect to algorithms run2 ning in time nO(log n) . Moreover, the counter is incremented also by |m| when a message m is sent as a verifier in some concurrent execution of SSP1 . Obviously, when only concurrent zero knowledge is considered, this last case never occurs. During the universal argument phase the prover proves the statement “x ∈ L ∨ τ = (h, com, r) ∈ Λ” where h is the collision resistant hash function selected by the verifier, com is the commitment sent by the prover and r is the last message sent by the verifier during the preamble. It is easy to see that the modified protocol is still concurrent zero knowledge and has the same round complexity as the one discussed in Section 2. For proving (stand-alone) soundness, notice that by the soundness and the weak proof of knowledge properties of the witness indistinguishable universal argument, an extractor algorithm obtains in time nO(log log n) the witness used by the adversarial prover for proving a false statement. Therefore, in this case he obtains a triple (dec, M, tr) such that M(tr) = r where |tr| ≤ |r|/2, and M outputs r in at most nlog log n/2 steps. The second protocol. The second of the two mutually concurrent simulationsound arguments is referred to as SSP1 and is the concurrent zero-knowledge protocol of Section 2 with the following modifications. First of all, SSP1 is the strengthened concurrent zero-knowledge argument system (as discussed above) that is witness indistinguishable with respect to nO(log n) -adversaries (i.e., we set T (n) = nO(log n) ). Then we assume the existence of a one-way permutation f such that f is hard to invert with respect to algorithms running in time nO(log log n) but can be inverted in time nO(log n) . In the first round the verifier still chooses an hash function. In addition, V picks a random string u in the domain of f and sends v = f (u) to the prover. The language Λ is the same used for the concurrent zero-knowledge argument system of Section 2: τ = (h, com, r) ∈ Λ if com is a commitment of h(A) and there exists a string tr such that |tr| ≤ |r|/2, and M(tr) outputs r in at most nlog log n/2 steps. During the witness indistinguishable universal argument of knowledge the prover proves knowledge of a witness y for either (x, y) ∈ L or τ = (h, com, r) ∈ Λ or such that f (y) = v. It is easy to see that the modified protocol is still concurrent zero knowledge and has the same round complexity as the original one. Only the (stand-alone) soundness property is affected by this update. However, notice that the only
Single-Prover Concurrent Zero Knowledge in Almost Constant Rounds
239
difference with respect to soundness of the argument system of Theorem 1 is that the extractor of the universal argument could also extract a witness y such that f (y) = v. However, since the extractor runs in time nO(log log n) , we have that the one-way permutation is inverted in time no(log n) that contradicts the assumed hardness of f . Protocol SSP1 admits also a quasi-polynomial-time simulator that by running in time nO(log n) inverts any polynomial number of one-way permutations and therefore can simulate in a straight-line fashion any polynomial number of session of SSP1 without using knowledge of the description of the adversarial verifier. Notice that such a simulator still has to run the algorithm of the prover during the preamble, in order to maintain the same round complexity of the real prover.
References 1. Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent Zero-Knowledge with Logarithmic Round Complexity. In Proc. of FOCS ’02, IEEE Computer Society Press 366–375 2. Dwork, C., Naor, M., Sahai, A.: Concurrent Zero-Knowledge. In Proc. of STOC ’98, ACM (1998) 409–418 3. Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-Box Concurrent ZeroKnowledge Requires ω(log n) Rounds. In Proc. of STOC ’01, ACM (2001) 570–579 4. Richardson, R., Kilian, J.: On the Concurrent Composition of Zero-Knowledge Proofs. Proceeding of Eurocrypt ’99. Vol. 1592 of LNCS, Springer-Verlag (1999) 415–431 5. Kilian, J., Petrank, E.: Concurrent and Resettable Zero-Knowledge in PolyLogarithmic Rounds. In Proc. of STOC ’01, ACM (2001) 560–569 6. Dwork, C., Sahai, A.: Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints. In Proc. of Crypto ’98. Vol. 1462 of LNCS, Springer-Verlag (1998) 442–457 7. Goldreich, O.: Concurrent Zero-Knowledge with Timing, Revisited. In Proc. of STOC ’02, ACM (2002) 332–340 8. Damgard, I.: Efficient Concurrent Zero-Knowledge in the Auxiliary String Model. In Proc. of Eurocrypt ’00. Vol. 1807 of LNCS, Springer-Verlag (2000) 418–430 9. Blum, M., De Santis, A., Micali, S., Persiano, G.: Non-Interactive Zero-Knowledge. SIAM J. on Computing 20 (1991) 1084–1118 10. Di Crescenzo, G., Persiano, G., Visconti, I.: Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model. In Proc. of Crypto ’04. Vol. 3152 of LNCS, Springer-Verlag (2004) 237–253 11. Pass, R., Rosen, A.: Bounded-Concurrent Secure Two-Party Computation in a Constant Number of Rounds. In Proc. of FOCS ’03, IEEE Computer Society Press (2003) 12. Pass, R.: Simulation in Quasi-Polynomial Time and Its Applications to Protocol Composition. In Proc. of Eurocrypt ’03. Vol. 2045 of LNCS, Springer-Verlag (2003) 160–176 13. Barak, B.: How to Go Beyond the Black-Box Simulation Barrier. In Proc. of FOCS ’01, IEEE Computer Society Press (2001) 106–115
240
G. Persiano and I. Visconti
14. Sahai, A.: Non-Malleable Non-Interactive Zero Knowledge and Adaptive ChosenCiphertext Security. In Proc. of FOCS ’99, IEEE Computer Society Press (1999) 543–553 15. Dolev, D., Dwork, C., Naor, M.: Non-Malleable Cryptography. SIAM J. on Computing 30 (2000) 391–437 16. Feige, U., Lapidot, D., Shamir, A.: Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions. SIAM J. on Computing 29 (1999) 1–28 17. Barak, B., Goldreich, O.: Universal Arguments and Their Applications. In: IEEE Conference on Computational Complexity (CCC ’02), IEEE Computer Society Press (2002)
