1

Client-Server Concurrent Zero Knowledgewith Constant Rounds

and Guaranteed Complexity

Ran Canetti, Abhishek Jain and Omer Paneth

2

Zero-Knowledge Protocols

• Completeness• Soundness • Zero knowledge

𝑃 𝑉𝑥∈𝐿?

[Goldwasser-Micali-Rackoff 85]

3

Completeness

𝑃 𝑉 Accept

𝑥∈𝐿𝑤

4

Soundness

𝑃∗ 𝑉 reject

𝑥∉𝐿

5

Zero-knowledge

𝑃 𝑉 ∗ 𝑆≈𝑐𝑥∈𝐿

6

Why do we care about zero-knowledge?

Used as a sub-protocol in larger cryptographic protocols and systems

Secure composition?

7

Concurrent Composition

𝑃 𝑉

𝑃 𝑉

𝑃 𝑉

𝑥∈𝐿

𝑥∈𝐿

𝑥∈𝐿

𝑤

Session

8

Concurrent Zero Knowledge

𝑉 ∗

[Dwork-Naor-Sahai 98]

𝑃

𝑃

𝑃

𝑥∈𝐿

𝑥∈𝐿

𝑥∈𝐿

𝑤 𝑆≈𝑐

9

Rounds Assumption

Stand-alone zero knowledge

[Feige-Shamir 89][Bellare-Jakobson-Yung 97]

4 OWF

Concurrent zero knowledge

[Richardson-Kilian 99][Kilian-Petrank 01][Prabhakaran-Rosen-Sahai 02]

OWF

[Gupta-Sahai 12][Chung-Lin-Pass 13][Pandey-Prabhakaran-Sahai 13]

Strong assumption:interactive knowledge assumptions

statistically sound P-certificates differing input obfuscation

10

Today

Constant-round protocols

from standard assumptions

Weaker notions of concurrent security

11

Bounded Concurrent ZK[Barak 01]

sessions

Complexity of each sessionRounds

Communication

Assuming collision-resistant hash functions. For bound :

𝑃 𝑉

𝑃 𝑉

𝑃 𝑉

Barak

Barak

Barak

…

12

Barak’s Protocol

Client

Server

Barak

[Persiano-Visconti 05]:set the bound only at protocol run time

This is too early

ClientBarak

ClientBarak

The bound on the number of concurrent sessions is set at protocol design time

13

Standard Model for Concurrent ZK

𝑃 𝑉

𝑃 𝑉

𝑃 𝑉

𝑥∈𝐿

𝑥∈𝐿

𝑥∈𝐿

𝑤

14

Client-Server Concurrent ZK

𝑉

𝑃 𝑉

𝑉

𝑥∈𝐿

𝑥∈𝐿

𝑥∈𝐿

𝑤

Server Clients

[Persiano-Visconti 05]

Increase the communicationas more session start

15

The Persiano-Visconti Protocol

𝑃 𝑉Bonded concurrent

for sessions … active sessions

Finish session

Bonded concurrent for sessions … active sessions

Bonded concurrent for sessions … active sessions

A single session: Concurrent sessions:

16

Protocol Complexity

Barak for sessions

Finish session

Barak for sessions

Barak for sessions Almost the same as

bounded concurrent ZK!

Complexity of each session(For concurrent sessions)

RoundsCommunication𝑃 𝑉

17

The Persiano-Visconti Protocol

Client

Server

Persiano-ViscontiThis is

too lateClientPersiano-Visconti

ClientPersiano-Visconti

The communication complexity is changing at protocol run time

Client does not know what will be the communication complexity of the session!

18

Example: Call Center

“All our lines are currently busy. please hold and your call will be answered shortly…”

“The estimated waiting time is 7 minutes.”

This work: the communication complexity is set at the beginning of every session

19

Our Result

Assuming collision-resistant hash functions

there is a concurrent zero-knowledge protocol

in the client-server modelwith constant-rounds and guaranteed complexity.

Guaranteed complexity:The communication complexity of each session is determined in the beginning of the session

20

for concurrent sessions

determined in the beginning of the session

not determined until the session terminates

This work [Persiano-Visconti]

Communication complexity

Round complexity

6

21

The Protocol

𝑃Start session

Start session

Start session

First sessions to start run Barak’s protocol with bound .

Next sessions run Barak’s protocol with bound .

Next sessions run Barak’s protocol with bound .

Every session runs Barak’s protocol with some bound

22

The Challenge

𝑃Start session

Barak’s protocol with bound

Start session

Start session

… new sessions 𝑉 ∗

Cannot rely directly on bounded concurrency

23

Barak’s simulation

𝑆 sessions

Barak

… 𝑉 ∗Barak

Barak

24

𝑆

𝑆

𝑆

Barak’s simulation

𝑆

sessions

Barak

… 𝑉 ∗Barak

Barak

25

𝑆Barak’s simulation

Barak

Other protocol

Other protocol

… 𝑉 ∗𝑃

𝑃

sessions

Communication complexity Barak’s

26

Proof

A session is of level- if it runs Barak’s protocol with bound .

Observation:If starts sessions,

sessions of level are easy to simulate.

27

𝑉 ∗Level

Level

Level

Level

Level

Level

Level 𝑃…

…

28

𝑆0𝑉∗

Level

Level

Level

Level

Level

Level

Level 𝑃

29

𝑆1𝑆0𝑉∗

Level

Level

Level

Level

Level

Level

Level 𝑃

30

𝑆2𝑆1𝑆0𝑉∗

Level

Level

Level

Level

Level

Level

Level

…

31

Simulation Running Time

…

32[slide: Mira Belenkiy]

Thanks!