Theory of Cryptography

Volume 5978 of the series Lecture Notes in Computer Science pp 535-552

Efficiency Preserving Transformations for Concurrent Non-malleable Zero Knowledge

  • Rafail OstrovskyAffiliated withUniversity of California
  • , Omkant PandeyAffiliated withUniversity of California
  • , Ivan ViscontiAffiliated withUniversity of Salerno


Ever since the invention of Zero-Knowledge by Goldwasser, Micali, and Rackoff [1], Zero-Knowledge has become a central building block in cryptography - with numerous applications, ranging from electronic cash to digital signatures. The properties of Zero-Knowledge range from the most simple (and not particularly useful in practice) requirements, such as honest-verifier zero-knowledge to the most demanding (and most useful in applications) such as non-malleable and concurrent zero-knowledge. In this paper, we study the complexity of efficient zero-knowledge reductions, from the first type to the second type. More precisely, under a standard complexity assumption (ddh), on input a public-coin honest-verifier statistical zero knowledge argument of knowledge π′ for a language L we show a compiler that produces an argument system π for L that is concurrent non-malleable zero-knowledge (under non-adaptive inputs – which is the best one can hope to achieve [2,3]). If κ is the security parameter, the overhead of our compiler is as follows:

  • The round complexity of π is \(r+\tilde{O}(\log\kappa)\) rounds, where r is the round complexity of π′.

  • The new prover \(\mathcal{P}\) (resp., the new verifier \(\mathcal{V}\)) incurs an additional overhead of (at most) \(r+{\kappa\cdot\tilde{O}(\log^2\kappa)}\) modular exponentiations. If tags of length \(\tilde{O}(\log\kappa)\) are provided, the overhead is only \(r+{\tilde{O}(\log^2\kappa)}\) modular exponentiations.

The only previous concurrent non-malleable zero-knowledge (under non-adaptive inputs) was achieved by Barak, Prabhakaran and Sahai [4]. Their construction, however, mainly focuses on a feasibility result rather than efficiency, and requires expensive \({\mathcal{NP}}\)-reductions.