View
219
Download
0
Category
Preview:
Citation preview
1
Client-Server Concurrent Zero Knowledgewith Constant Rounds
and Guaranteed Complexity
Ran Canetti, Abhishek Jain and Omer Paneth
2
Zero-Knowledge Protocols
• Completeness• Soundness • Zero knowledge
𝑃 𝑉𝑥∈𝐿?
[Goldwasser-Micali-Rackoff 85]
3
Completeness
𝑃 𝑉 Accept
𝑥∈𝐿𝑤
4
Soundness
𝑃∗ 𝑉 reject
𝑥∉𝐿
5
Zero-knowledge
𝑃 𝑉 ∗ 𝑆≈𝑐𝑥∈𝐿
6
Why do we care about zero-knowledge?
Used as a sub-protocol in larger cryptographic protocols and systems
Secure composition?
7
Concurrent Composition
𝑃 𝑉
𝑃 𝑉
𝑃 𝑉
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤
Session
8
Concurrent Zero Knowledge
𝑉 ∗
[Dwork-Naor-Sahai 98]
𝑃
𝑃
𝑃
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤 𝑆≈𝑐
9
Rounds Assumption
Stand-alone zero knowledge
[Feige-Shamir 89][Bellare-Jakobson-Yung 97]
4 OWF
Concurrent zero knowledge
[Richardson-Kilian 99][Kilian-Petrank 01][Prabhakaran-Rosen-Sahai 02]
OWF
[Gupta-Sahai 12][Chung-Lin-Pass 13][Pandey-Prabhakaran-Sahai 13]
Strong assumption:interactive knowledge assumptions
statistically sound P-certificates differing input obfuscation
10
Today
Constant-round protocols
from standard assumptions
Weaker notions of concurrent security
11
Bounded Concurrent ZK[Barak 01]
sessions
Complexity of each sessionRounds
Communication
Assuming collision-resistant hash functions. For bound :
𝑃 𝑉
𝑃 𝑉
𝑃 𝑉
Barak
Barak
Barak
…
12
Barak’s Protocol
Client
Server
Barak
[Persiano-Visconti 05]:set the bound only at protocol run time
This is too early
ClientBarak
ClientBarak
The bound on the number of concurrent sessions is set at protocol design time
13
Standard Model for Concurrent ZK
𝑃 𝑉
𝑃 𝑉
𝑃 𝑉
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤
14
Client-Server Concurrent ZK
𝑉
𝑃 𝑉
𝑉
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤
Server Clients
[Persiano-Visconti 05]
Increase the communicationas more session start
15
The Persiano-Visconti Protocol
𝑃 𝑉Bonded concurrent
for sessions … active sessions
Finish session
Bonded concurrent for sessions … active sessions
Bonded concurrent for sessions … active sessions
A single session: Concurrent sessions:
16
Protocol Complexity
Barak for sessions
Finish session
Barak for sessions
Barak for sessions Almost the same as
bounded concurrent ZK!
Complexity of each session(For concurrent sessions)
RoundsCommunication𝑃 𝑉
17
The Persiano-Visconti Protocol
Client
Server
Persiano-ViscontiThis is
too lateClientPersiano-Visconti
ClientPersiano-Visconti
The communication complexity is changing at protocol run time
Client does not know what will be the communication complexity of the session!
18
Example: Call Center
“All our lines are currently busy. please hold and your call will be answered shortly…”
“The estimated waiting time is 7 minutes.”
This work: the communication complexity is set at the beginning of every session
19
Our Result
Assuming collision-resistant hash functions
there is a concurrent zero-knowledge protocol
in the client-server modelwith constant-rounds and guaranteed complexity.
Guaranteed complexity:The communication complexity of each session is determined in the beginning of the session
20
for concurrent sessions
determined in the beginning of the session
not determined until the session terminates
This work [Persiano-Visconti]
Communication complexity
Round complexity
6
21
The Protocol
𝑃Start session
Start session
Start session
First sessions to start run Barak’s protocol with bound .
Next sessions run Barak’s protocol with bound .
Next sessions run Barak’s protocol with bound .
Every session runs Barak’s protocol with some bound
22
The Challenge
𝑃Start session
Barak’s protocol with bound
Start session
Start session
… new sessions 𝑉 ∗
Cannot rely directly on bounded concurrency
23
Barak’s simulation
𝑆 sessions
Barak
… 𝑉 ∗Barak
Barak
24
𝑆
𝑆
𝑆
Barak’s simulation
𝑆
sessions
Barak
… 𝑉 ∗Barak
Barak
25
𝑆Barak’s simulation
Barak
Other protocol
Other protocol
… 𝑉 ∗𝑃
𝑃
sessions
Communication complexity Barak’s
26
Proof
A session is of level- if it runs Barak’s protocol with bound .
Observation:If starts sessions,
sessions of level are easy to simulate.
27
𝑉 ∗Level
Level
Level
Level
Level
Level
Level 𝑃…
…
28
𝑆0𝑉∗
Level
Level
Level
Level
Level
Level
Level 𝑃
29
𝑆1𝑆0𝑉∗
Level
Level
Level
Level
Level
Level
Level 𝑃
30
𝑆2𝑆1𝑆0𝑉∗
Level
Level
Level
Level
Level
Level
Level
…
31
Simulation Running Time
…
32[slide: Mira Belenkiy]
Thanks!
Recommended