
Concurrent zero-knowledge

Published: 01 November 2004

Abstract

Concurrent executions of a zero-knowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zero-knowledge in toto. In this article, we study the problem of maintaining zero-knowledge under such concurrent execution. We introduce the notion of an (α, β) timing constraint: for any two processors P1 and P2, if P1 measures α elapsed time on its local clock and P2 measures β elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (α, β) assumption, then there exist four-round almost concurrent zero-knowledge interactive proofs and perfect concurrent zero-knowledge arguments for every language in NP. We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, that is, in the standard model.
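The (α, β) constraint above is stated abstractly; the following added example (not code from the paper) makes it concrete under one assumed drift model: every party's local clock runs at a fixed rate between 1/ρ and ρ relative to real time. Under that assumption the constraint reduces to β ≥ ρ²α, which the brute-force check confirms; `Party`, `rho` and the grid search are this example's own constructions.

```python
"""
Model of the (alpha, beta) timing constraint with drifting local clocks.

Assumption (not stated on the page): each party's local clock runs at a
fixed rate between 1/rho and rho relative to real time.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Party:
    """A processor with a local clock that may drift from real time."""
    start: float   # real time at which the party starts measuring
    rate: float    # local-clock ticks per unit of real time (drift)

    def real_finish(self, local_elapsed: float) -> float:
        """Real time at which this party's clock shows local_elapsed."""
        return self.start + local_elapsed / self.rate


def ordering_holds(p1: Party, p2: Party, alpha: float, beta: float) -> bool:
    """The (alpha, beta) requirement for one pair: if P2 starts after P1,
    P1 measures alpha and P2 measures beta, then P2 finishes after P1."""
    if p2.start < p1.start:
        return True  # premise not met, so nothing is required
    return p2.real_finish(beta) >= p1.real_finish(alpha)


def min_beta(alpha: float, rho: float) -> float:
    """Smallest beta that works for every drift in [1/rho, rho].
    Worst case: P1's clock is slow (real time rho*alpha), P2's clock is
    fast (real time beta/rho), both start together: beta/rho >= rho*alpha."""
    return rho * rho * alpha


def find_violation(alpha: float, beta: float, rho: float, steps: int = 50):
    """Brute-force search over a grid of drift rates and start offsets;
    returns the first (P1, P2) pair that breaks the constraint, or None."""
    rates = [1 / rho + (rho - 1 / rho) * i / (steps - 1) for i in range(steps)]
    offsets = [j * alpha / steps for j in range(steps)]
    for r1, r2, off in product(rates, rates, offsets):
        p1, p2 = Party(0.0, r1), Party(off, r2)
        if not ordering_holds(p1, p2, alpha, beta):
            return (p1, p2)
    return None
```

With ρ = 2 and α = 1, `min_beta` gives 4 and `find_violation(1.0, 4.0, 2.0)` finds none, while any β below 4 yields a pair where P2 finishes first.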




Published In

Journal of the ACM, Volume 51, Issue 6
November 2004
191 pages
ISSN: 0004-5411
EISSN: 1557-735X
DOI: 10.1145/1039488

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Zero knowledge
  2. composition
  3. cryptographic protocols
