Random Walks and Concurrent Zero-Knowledge

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12146)

Abstract

The established bounds on the round-complexity of (black-box) concurrent zero-knowledge (\(\mathrm {c}\mathcal {ZK}\)) consider adversarial verifiers with complete control over the scheduling of messages of different sessions. Consequently, such bounds only represent a worst-case study of concurrent schedules, forcing \(\widetilde{\varOmega }(\log n)\) rounds for all protocol sessions. What happens in “average” cases against random schedules? Must all sessions still suffer a large number of rounds?

Rosen and Shelat first considered such a possibility, and constructed a \(\mathrm {c}\mathcal {ZK}\) protocol that adjusts its round-complexity based on existing network conditions. While they provide experimental evidence for its average-case performance, no provable guarantees are known.

In general, a proper framework for studying and understanding the average-case schedules for \(\mathrm {c}\mathcal {ZK}\) is missing. We present the first theoretical framework for performing such average-case studies. Our framework models the network as a stochastic process where a new session is opened with probability p or an existing session receives the next message with probability \(1-p\); the existing session can be chosen either in a first-in-first-out (\(\mathsf {FIFO}\)) or last-in-first-out (\(\mathsf {LIFO}\)) order. These two orders are fundamental and serve as good upper and lower bounds for other simple variations. We also develop methods for establishing provable average-case bounds for \(\mathrm {c}\mathcal {ZK}\) in these models. The bounds in these models turn out to be intimately connected to various properties of one-dimensional random walks that reflect at the origin. Consequently, we establish new and tight asymptotic bounds for such random walks, including: expected rate of return-to-origin, changes of direction, and concentration of “positive” movements. These results may be of independent interest.
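As an added illustration (not code from the paper), the following Python simulator implements the scheduling process described above: at each network event a new session opens with probability p, otherwise the oldest (FIFO) or newest (LIFO) open session receives its next message. The example's own modelling choices, not the paper's, are that a session closes after a fixed number of messages `rounds`, that an empty system must open a session (the reflection at the origin), and that the count of open sessions is the one-dimensional walk whose returns to origin and changes of direction are measured.

```python
import random
from collections import deque

def simulate_schedule(p, rounds, steps, order="FIFO", seed=0):
    """Stochastic schedule: each step opens a new session with probability p,
    otherwise the oldest (FIFO) or newest (LIFO) open session gets its next message.
    Example-only assumptions: a session closes after `rounds` messages, and an
    empty system always opens a session (the walk reflects at the origin).
    Returns (trace, starts, completed): open-session count after each step, the
    step at which each session opened, and (start, end) steps of closed sessions."""
    rng = random.Random(seed)
    live = deque()  # open sessions as [messages_received, start_step]
    trace, starts, completed = [], [], []
    for t in range(steps):
        if not live or rng.random() < p:
            live.append([0, t])
            starts.append(t)
        else:
            s = live[0] if order == "FIFO" else live[-1]
            s[0] += 1
            if s[0] == rounds:  # finished: remove it from the queue/stack
                live.popleft() if order == "FIFO" else live.pop()
                completed.append((s[1], t))
        trace.append(len(live))
    return trace, starts, completed

def returns_to_origin(trace):
    """Number of steps at which no session is open (the walk sits at 0)."""
    return sum(1 for x in trace if x == 0)

def direction_changes(trace):
    """Reversals of the open-session count, starting from the empty state."""
    prev, last_sign, changes = 0, 0, 0
    for x in trace:
        d, prev = x - prev, x
        if d == 0:
            continue
        sign = 1 if d > 0 else -1
        if last_sign and sign != last_sign:
            changes += 1
        last_sign = sign
    return changes

def mean_interleaving(starts, completed):
    """Average number of other sessions opened while a completed session was live."""
    if not completed:
        return 0.0
    return sum(sum(1 for s in starts if a < s < b) for a, b in completed) / len(completed)
```

Running `simulate_schedule(0.4, 4, 10_000, order)` for both orders and comparing the three statistics shows how the same arrival rate p produces very different interleaving under FIFO and LIFO service.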

Our analysis shows that the Rosen-Shelat protocol is highly sensitive to even moderate network conditions, resulting in a large fraction of non-optimal sessions. We construct a more robust protocol by generalizing the “footer-free” condition of Rosen-Shelat which leads to significant improvements for both \(\mathsf {FIFO}\) and \(\mathsf {LIFO}\) models.

Research supported in part by NSF grant 1907908, the MITRE Innovation Program, and a Cisco Research Award. The views expressed are those of the authors and do not reflect the official policy or position of the funding agencies.


Notes

  1. We were not able to find these results, or derive them as simple corollaries of known results, in any standard texts on probability such as [17].

  2. For canonical protocols, we can allow an inconsequential first message from the prover (see Sect. 2.4).

  3. We provide the derivation in the full version of this work [1].

  4. The statement of this definition in [36] actually has (Vk) instead of (p1) as A’s nested message. However, we believe that it is a typo and by (Vk) the authors really mean the presence of second-stage messages; this is guaranteed by having (p1) in the definition but not by (Vk). Indeed, many nested protocols may terminate without ever reaching (Vk). If (Vk) is used in the definition, the simulator in [36] will run in exponential time even for the simple concurrent schedule described in [13] (and shown in red in Fig. 1 in [36]).

References

  1. Aiyer, A., Liang, X., Nalini, N., Pandey, O.: Random walks and concurrent zero-knowledge. Cryptology ePrint Archive, Report 2020/082 (2020). https://eprint.iacr.org/2020/082

  2. Alon, N., Spencer, J.H.: The Probabilistic Method. Wiley, Hoboken (2004)

  3. Barak, B.: How to go beyond the black-box simulation barrier. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS 2001, p. 106. IEEE Computer Society, Washington, DC (2001)

  4. Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1

  5. Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge. In: STOC, pp. 235–244 (2000)

  6. Canetti, R., Jain, A., Paneth, O.: Client-server concurrent zero knowledge with constant rounds and guaranteed complexity. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 337–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_19

  7. Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-box concurrent zero-knowledge requires \(\widetilde{\varOmega}(\log n)\) rounds. In: Proceedings of the Thirty-Third Annual ACM Symposium on Theory of Computing, pp. 570–579. ACM (2001)

  8. Canetti, R., Lin, H., Paneth, O.: Public-coin concurrent zero-knowledge in the global hash model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 80–99. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_5

  9. Chung, K.-M., Lin, H., Pass, R.: Constant-round concurrent zero-knowledge from indistinguishability obfuscation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 287–307. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_14

  10. Chung, K.-M., Lin, H., Pass, R.: Constant-round concurrent zero knowledge from p-certificates. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science (FOCS), pp. 50–59. IEEE (2013)

  11. Di Crescenzo, G., Persiano, G., Visconti, I.: Constant-round resettable zero knowledge with concurrent soundness in the bare public-key model. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 237–253. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_15

  12. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_36

  13. Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, STOC 1998, pp. 409–418. ACM, New York (1998)

  14. Dwork, C., Sahai, A.: Concurrent zero-knowledge: reducing the need for timing constraints. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 442–457. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055746

  15. Essifi, R., Peigné, M.: Return probabilities for the reflected random walk on \(\mathbb{N}_0\). J. Theor. Probab. 28(1), 231–258 (2015)

  16. Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, USA, 13–17 May 1990, pp. 416–426 (1990)

  17. Feller, W.: An Introduction to Probability Theory and its Applications, vol. 1 (1968)

  18. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)

  19. Goldreich, O.: Concurrent zero-knowledge with timing, revisited. In: STOC, pp. 332–340 (2002)

  20. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. In: Paterson, M.S. (ed.) ICALP 1990. LNCS, vol. 443, pp. 268–282. Springer, Heidelberg (1990). https://doi.org/10.1007/BFb0032038

  21. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, STOC 1985, pp. 291–304. ACM, New York (1985)

  22. Goyal, V., Jain, A., Ostrovsky, R., Richelson, S., Visconti, I.: Concurrent zero knowledge in the bounded player model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 60–79. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_4

  23. Gupta, D., Sahai, A.: On constant-round concurrent zero-knowledge from a knowledge assumption. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 71–88. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_5

  24. Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055744

  25. Ishai, Y., Pandey, O., Sahai, A.: Public-coin differing-inputs obfuscation and its applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 668–697. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_26

  26. Kilian, J., Petrank, E.: Concurrent and resettable zero-knowledge in poly-logarithmic rounds. In: Proceedings of the Thirty-Third Annual ACM Symposium on Theory of Computing, STOC 2001, pp. 560–569. ACM (2001)

  27. Kilian, J., Petrank, E., Rackoff, C.: Lower bounds for zero knowledge on the Internet. In: FOCS, pp. 484–492 (1998)

  28. Lalley, S.P.: Return probabilities for random walk on a half-line. J. Theor. Probab. 8(3), 571–599 (1995)

  29. Lamport, L.: Fast paxos. Distrib. Comput. 19(2), 79–103 (2006)

  30. Pandey, O., Prabhakaran, M., Sahai, A.: Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 638–667. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_25

  31. Pass, R., Tseng, W.-L.D., Venkitasubramaniam, M.: Eye for an eye: efficient concurrent zero-knowledge in the timing model. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 518–534. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_31

  32. Persiano, G., Visconti, I.: Single-prover concurrent zero knowledge in almost constant rounds. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 228–240. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_19

  33. Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science, pp. 366–375. IEEE (2002)

  34. Richardson, R., Kilian, J.: On the concurrent composition of zero-knowledge proofs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 415–431. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_29

  35. Rosen, A.: A note on the round-complexity of concurrent zero-knowledge. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 451–468. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_28

  36. Rosen, A., Shelat, A.: Optimistic concurrent zero knowledge. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 359–376. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_21

  37. Scafuro, A., Visconti, I.: On round-optimal zero knowledge in the bare public-key model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 153–171. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_11


Correspondence to Xiao Liang.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Aiyer, A., Liang, X., Nalini, N., Pandey, O. (2020). Random Walks and Concurrent Zero-Knowledge. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science, vol 12146. Springer, Cham. https://doi.org/10.1007/978-3-030-57808-4_2


  • DOI: https://doi.org/10.1007/978-3-030-57808-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57807-7

  • Online ISBN: 978-3-030-57808-4
