client-server concurrent zero knowledge with constant rounds and guaranteed complexity
DESCRIPTION
Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity. Ran Canetti, Abhishek Jain and Omer Paneth. Zero-Knowledge Protocols. [ Goldwasser-Micali-Rackoff 85]. Completeness Soundness Zero knowledge. Completeness. Accept. Soundness. reject. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/1.jpg)
1
Client-Server Concurrent Zero Knowledgewith Constant Rounds
and Guaranteed Complexity
Ran Canetti, Abhishek Jain and Omer Paneth
![Page 2: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/2.jpg)
2
Zero-Knowledge Protocols
• Completeness• Soundness • Zero knowledge
𝑃 𝑉𝑥∈𝐿?
[Goldwasser-Micali-Rackoff 85]
![Page 3: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/3.jpg)
3
Completeness
𝑃 𝑉 Accept
𝑥∈𝐿𝑤
![Page 4: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/4.jpg)
4
Soundness
𝑃∗ 𝑉 reject
𝑥∉𝐿
![Page 5: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/5.jpg)
5
Zero-knowledge
𝑃 𝑉 ∗ 𝑆≈𝑐𝑥∈𝐿
![Page 6: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/6.jpg)
6
Why do we care about zero-knowledge?
Used as a sub-protocol in larger cryptographic protocols and systems
Secure composition?
![Page 7: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/7.jpg)
7
Concurrent Composition
𝑃 𝑉
𝑃 𝑉
𝑃 𝑉
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤
Session
![Page 8: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/8.jpg)
8
Concurrent Zero Knowledge
𝑉 ∗
[Dwork-Naor-Sahai 98]
𝑃
𝑃
𝑃
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤 𝑆≈𝑐
![Page 9: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/9.jpg)
9
Rounds Assumption
Stand-alone zero knowledge
[Feige-Shamir 89][Bellare-Jakobson-Yung 97]
4 OWF
Concurrent zero knowledge
[Richardson-Kilian 99][Kilian-Petrank 01][Prabhakaran-Rosen-Sahai 02]
OWF
[Gupta-Sahai 12][Chung-Lin-Pass 13][Pandey-Prabhakaran-Sahai 13]
Strong assumption:interactive knowledge assumptions
statistically sound P-certificates differing input obfuscation
![Page 10: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/10.jpg)
10
Today
Constant-round protocols
from standard assumptions
Weaker notions of concurrent security
![Page 11: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/11.jpg)
11
Bounded Concurrent ZK[Barak 01]
sessions
Complexity of each sessionRounds
Communication
Assuming collision-resistant hash functions. For bound :
𝑃 𝑉
𝑃 𝑉
𝑃 𝑉
Barak
Barak
Barak
…
![Page 12: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/12.jpg)
12
Barak’s Protocol
Client
Server
Barak
[Persiano-Visconti 05]:set the bound only at protocol run time
This is too early
ClientBarak
ClientBarak
The bound on the number of concurrent sessions is set at protocol design time
![Page 13: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/13.jpg)
13
Standard Model for Concurrent ZK
𝑃 𝑉
𝑃 𝑉
𝑃 𝑉
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤
![Page 14: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/14.jpg)
14
Client-Server Concurrent ZK
𝑉
𝑃 𝑉
𝑉
𝑥∈𝐿
𝑥∈𝐿
𝑥∈𝐿
𝑤
Server Clients
[Persiano-Visconti 05]
Increase the communicationas more session start
![Page 15: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/15.jpg)
15
The Persiano-Visconti Protocol
𝑃 𝑉Bonded concurrent
for sessions … active sessions
Finish session
Bonded concurrent for sessions … active sessions
Bonded concurrent for sessions … active sessions
A single session: Concurrent sessions:
![Page 16: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/16.jpg)
16
Protocol Complexity
Barak for sessions
Finish session
Barak for sessions
Barak for sessions Almost the same as
bounded concurrent ZK!
Complexity of each session(For concurrent sessions)
RoundsCommunication𝑃 𝑉
![Page 17: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/17.jpg)
17
The Persiano-Visconti Protocol
Client
Server
Persiano-ViscontiThis is
too lateClientPersiano-Visconti
ClientPersiano-Visconti
The communication complexity is changing at protocol run time
Client does not know what will be the communication complexity of the session!
![Page 18: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/18.jpg)
18
Example: Call Center
“All our lines are currently busy. please hold and your call will be answered shortly…”
“The estimated waiting time is 7 minutes.”
This work: the communication complexity is set at the beginning of every session
![Page 19: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/19.jpg)
19
Our Result
Assuming collision-resistant hash functions
there is a concurrent zero-knowledge protocol
in the client-server modelwith constant-rounds and guaranteed complexity.
Guaranteed complexity:The communication complexity of each session is determined in the beginning of the session
![Page 20: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/20.jpg)
20
for concurrent sessions
determined in the beginning of the session
not determined until the session terminates
This work [Persiano-Visconti]
Communication complexity
Round complexity
6
![Page 21: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/21.jpg)
21
The Protocol
𝑃Start session
Start session
Start session
First sessions to start run Barak’s protocol with bound .
Next sessions run Barak’s protocol with bound .
Next sessions run Barak’s protocol with bound .
Every session runs Barak’s protocol with some bound
![Page 22: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/22.jpg)
22
The Challenge
𝑃Start session
Barak’s protocol with bound
Start session
Start session
… new sessions 𝑉 ∗
Cannot rely directly on bounded concurrency
![Page 23: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/23.jpg)
23
Barak’s simulation
𝑆 sessions
Barak
… 𝑉 ∗Barak
Barak
![Page 24: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/24.jpg)
24
𝑆
𝑆
𝑆
Barak’s simulation
𝑆
sessions
Barak
… 𝑉 ∗Barak
Barak
![Page 25: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/25.jpg)
25
𝑆Barak’s simulation
Barak
Other protocol
Other protocol
… 𝑉 ∗𝑃
𝑃
sessions
Communication complexity Barak’s
![Page 26: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/26.jpg)
26
Proof
A session is of level- if it runs Barak’s protocol with bound .
Observation:If starts sessions,
sessions of level are easy to simulate.
![Page 27: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/27.jpg)
27
𝑉 ∗Level
Level
Level
Level
Level
Level
Level 𝑃…
…
![Page 28: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/28.jpg)
28
𝑆0𝑉∗
Level
Level
Level
Level
Level
Level
Level 𝑃
![Page 29: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/29.jpg)
29
𝑆1𝑆0𝑉∗
Level
Level
Level
Level
Level
Level
Level 𝑃
![Page 30: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/30.jpg)
30
𝑆2𝑆1𝑆0𝑉∗
Level
Level
Level
Level
Level
Level
Level
…
![Page 31: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/31.jpg)
31
Simulation Running Time
…
![Page 32: Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity](https://reader035.vdocuments.us/reader035/viewer/2022062321/56813e81550346895da8ac0a/html5/thumbnails/32.jpg)
32[slide: Mira Belenkiy]
Thanks!