On Round-Optimal Zero Knowledge in the Bare Public-Key Model

  • Alessandra Scafuro
  • Ivan Visconti
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


In this paper we revisit previous work in the BPK model and point out subtle problems concerning security proofs of concurrent and resettable zero knowledge (\(\mathsf{c}{\mathcal{ZK}}\) and \({\mathsf{r}{\mathcal{ZK}}}\), for short). Our analysis shows that the \({\mathsf c}{\mathcal{ZK}}\) and \({\mathsf{r}}{\mathcal{ZK}}\) simulations proposed for previous (in particular all round-optimal) protocols are distinguishable from real executions. Therefore some of the questions about achieving round-optimal \({\mathsf{c}}{\mathcal{ZK}}\) and \({\mathsf{r}\mathcal{ZK}}\) in the BPK model are still open. We then show our main protocol, \(\Pi_{\mathsf{c}{\mathcal{ZK}}}\), which is a round-optimal concurrently sound \(\mathsf{c}\mathcal{ZK}\) argument of knowledge (AoK, for short) for NP under standard complexity-theoretic assumptions. Next, using complexity leveraging arguments, we show a protocol \(\Pi_{\mathsf{r}\mathcal{ZK}}\) that is round-optimal and concurrently sound \({\mathsf{r}}{\mathcal{ZK}}\) for NP. Finally we show that \({\Pi_{\mathsf{c}\mathcal{ZK}}}\) and \(\Pi_{{\mathsf{r}}{\mathcal{ZK}}}\) can be instantiated efficiently through transformations based on number-theoretic assumptions. Indeed, starting from any language admitting a perfect Σ-protocol, they produce concurrently sound protocols \({\bar \Pi_{\mathsf{c}\mathcal{ZK}}}\) and \(\bar \Pi_{\mathsf{r}\mathcal{ZK}}\), where \({\bar \Pi_{\mathsf{c}\mathcal{ZK}}}\) is a round-optimal \(\mathsf{c}\mathcal{ZK}\mathsf{AoK}\), and \({\bar \Pi}_{{\mathsf{r}{\mathcal{ZK}}}}\) is a 5-round \({\mathsf{r}}{\mathcal{ZK}}\) argument. The \({\mathsf{r}}{\mathcal{ZK}}\) protocols are mainly inherited from the ones of Yung and Zhao [31].


Commitment Scheme, Modular Exponentiation, Main Thread, Zero Knowledge, Honest Prover
These keywords were added by machine and not by the authors.


References

  1. Alwen, J., Persiano, G., Visconti, I.: Impossibility and Feasibility Results for Zero Knowledge with Public Keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 135–151. Springer, Heidelberg (2005)
  2. Blum, M.: How to Prove a Theorem So No One Else Can Claim It. In: Proceedings of the International Congress of Mathematicians, pp. 1444–1451 (1986)
  3. Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable Zero-Knowledge (Extended Abstract). In: STOC 2000, pp. 235–244. ACM (2000)
  4. Cho, C., Ostrovsky, R., Scafuro, A., Visconti, I.: Simultaneously Resettable Arguments of Knowledge. In: TCC 2012. LNCS. Springer, Heidelberg (2012)
  5. Cramer, R., Damgård, I., Schoenmakers, B.: Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
  6. Di Crescenzo, G.: Minimal Assumptions and Round Complexity for Concurrent Zero-Knowledge in the Bare Public-Key Model. In: Ngo, H.Q. (ed.) COCOON 2009. LNCS, vol. 5609, pp. 127–137. Springer, Heidelberg (2009)
  7. Di Crescenzo, G., Persiano, G., Visconti, I.: Constant-Round Resettable Zero Knowledge with Concurrent Soundness in the Bare Public-Key Model. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 237–253. Springer, Heidelberg (2004)
  8. Di Crescenzo, G., Persiano, G., Visconti, I.: Improved Setup Assumptions for 3-Round Resettable Zero Knowledge. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 530–544. Springer, Heidelberg (2004)
  9. Di Crescenzo, G., Visconti, I.: Concurrent Zero Knowledge in the Public-Key Model. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 816–827. Springer, Heidelberg (2005)
  10. Di Crescenzo, G., Visconti, I.: On Defining Proofs of Knowledge in the Bare Public Key Model. In: ICTCS 2007, pp. 187–198. World Scientific (2007)
  11. Dwork, C., Naor, M., Sahai, A.: Concurrent Zero-Knowledge. In: STOC 1998, pp. 409–418. ACM (1998)
  12. Feige, U., Lapidot, D., Shamir, A.: Multiple Non-Interactive Zero Knowledge Proofs Based on a Single Random String. In: FOCS 1990, pp. 308–317. IEEE (1990)
  13. Feige, U., Shamir, A.: Zero Knowledge Proofs of Knowledge in Two Rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, Heidelberg (1990)
  14. Goldreich, O., Kahan, A.: How to Construct Constant-Round Zero-Knowledge Proof Systems for NP. J. Cryptology 9(3), 167–190 (1996)
  15. Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions. Springer (2010)
  16. Lapidot, D., Shamir, A.: Publicly Verifiable Non-Interactive Zero-Knowledge Proofs. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991)
  17. Micali, S., Reyzin, L.: Min-Round Resettable Zero-Knowledge in the Public-Key Model. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 373–393. Springer, Heidelberg (2001)
  18. Micali, S., Reyzin, L.: Soundness in the Public-Key Model. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 542–565. Springer, Heidelberg (2001)
  19. Naor, M., Reingold, O.: Number-Theoretic Constructions of Efficient Pseudo-Random Functions. J. ACM 51(2), 231–262 (2004)
  20. Ostrovsky, R., Persiano, G., Visconti, I.: Constant-Round Concurrent Non-Malleable Zero Knowledge in the Bare Public-Key Model. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 548–559. Springer, Heidelberg (2008)
  21. Ostrovsky, R., Rao, V., Scafuro, A., Visconti, I.: Revisiting Lower and Upper Bounds for Selective Decommitments. In: Cryptology ePrint Archive, Report 2011/536 (2011)
  22. Pedersen, T.P.: Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)
  23. Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent Zero Knowledge with Logarithmic Round-Complexity. In: FOCS 2002, pp. 366–375 (2002)
  24. Reyzin, L.: Zero-Knowledge with Public Keys, Ph.D. Thesis. MIT (2001)
  25. Richardson, R., Kilian, J.: On the Concurrent Composition of Zero-Knowledge Proofs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 415–431. Springer, Heidelberg (1999)
  26. Schnorr, C.P.: Efficient Signature Generation for Smart Cards. Journal of Cryptology 4(3), 239–252 (1991)
  27. Visconti, I.: Efficient Zero Knowledge on the Internet. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 22–33. Springer, Heidelberg (2006)
  28. Yao, A.C.C., Yung, M., Zhao, Y.: Concurrent Knowledge-Extraction in the Public-Key model. ECCC 14(002) (2007)
  29. Yao, A.C.C., Yung, M., Zhao, Y.: Concurrent Knowledge Extraction in the Public-Key Model. In: Abramsky, S., Gavoille, C., Kirchner, C., Meyer auf der Heide, F., Spirakis, P.G. (eds.) ICALP 2010, Part I. LNCS, vol. 6198, pp. 702–714. Springer, Heidelberg (2010)
  30. Deng, Y., Feng, D., Goyal, V., Lin, D., Sahai, A., Yung, M.: Resettable Cryptography in Constant Rounds – The Case of Zero Knowledge. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 390–406. Springer, Heidelberg (2011)
  31. Yung, M., Zhao, Y.: Generic and Practical Resettable Zero-Knowledge in the Bare Public-Key Model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 129–147. Springer, Heidelberg (2007)
  32. Zhao, Y.: Concurrent/Resettable Zero-Knowledge with Concurrent Soundness in the Bare Public-Key Model and its Applications. In: Cryptology ePrint Archive, Report 2003/265 (2003)
  33. Zhao, Y., Deng, X., Lee, C.H., Zhu, H.: Resettable Zero-Knowledge in the Weak Public-Key Model. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 123–139. Springer, Heidelberg (2003)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Alessandra Scafuro (1)
  • Ivan Visconti (1)
  1. Dipartimento di Informatica, University of Salerno, Italy
