Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity Ran Canetti, Abhishek Jain and Omer Paneth 1.

Slides:



Advertisements
Similar presentations
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Advertisements

Secure Composition of Cryptographic Protocols
Uni Paderborn Germany Never Trust Victor An alternative resettable zero-knowledge proof system Olaf Müller Michael Nüsken.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.
Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Nir Bitansky and Omer Paneth. Interactive Proofs.
On Virtual Grey-Box Obfuscation for General Circuits Nir Bitansky Ran Canetti Yael Tauman-Kalai Omer Paneth.
28.2 Functionality Application Software Provides Applications supply the high-level services that user access, and determine how users perceive the capabilities.
Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.
Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.
A Parallel Repetition Theorem for Any Interactive Argument Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Adapted from Oded Goldreich’s course lecture notes.
Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell IBM T.J. Watson.
G Robert Grimm New York University Pulling Back: How to Go about Your Own System Project?
Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact.
ELI BEN-SASSON, ALESSANDRO CHIESA, ERAN TROMER AND MADARS VIRZA USENIX SECURITY SYMPOSIUM 2014 Succinct Non-Interactive Zero Knowledge for a von Neumann.
Nir Bitansky Ran Canetti Henry Cohn Shafi Goldwasser Yael Tauman-Kalai
On the Implausibility of Differing-Inputs Obfuscation (and Extractable Witness Encryption) with Auxiliary Input Daniel Wichs (Northeastern U) with: Sanjam.
Practical Private Computation and Zero- Knowledge Tools for Privacy-Preserving Distributed Data Mining Yitao Duan and John Canny
Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen Tech. Univ. Vienna AUSTRIA Giuseppe Persiano Univ. Salerno ITALY Ivan.
A Linear Lower Bound on the Communication Complexity of Single-Server PIR Weizmann Institute of Science Israel Iftach HaitnerJonathan HochGil Segev.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Messaging is an important means of communication between two systems. There are 2 types of messaging. - Synchronous messaging. - Asynchronous messaging.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
Generic and Practical Resettable Zero- Knowledge in the Bare Public-Key Model Moti Yung RSA Laboratories and CS Dept. of Columbia University Yunlei Zhao.
Nir Bitansky and Omer Paneth. Program Obfuscation.
6.897: Selected Topics in Cryptography Lecturers: Ran Canetti, Ron Rivest Scribe?
Chapter 17 - Clients + Servers = Distributed Computing Introduction Large Computers Use Networks For Input and Output Small Computers Use Networks To Interact.
Non-interactive quantum zero-knowledge proofs
Introduction to Obfuscation Mohammad Mahmoody University of Virginia *some slides borrowed from abhi shelat.
NIR BITANSKY, OMER PANETH, ALON ROSEN ON THE CRYPTOGRAPHIC HARDNESS OF FINDING A NASH EQUILIBRIUM.
Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge Oded Goldreich (Weizmann) Amit Sahai (MIT) Salil Vadhan (MIT)
CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.
Boaz Barak, Nir Bitansky, Ran Canetti, Yael Tauman Kalai, Omer Paneth, Amit Sahai.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012.
Verifiable Outsourcing of Computation Ron Rothblum.
Derandomization & Cryptography
Modern symmetric-key Encryption
Zero Knowledge Proofs. 20 Years after its Invention
Alessandra Scafuro Practical UC security Black-box protocols
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Fiat-Shamir for Highly Sound Protocols is Instantiable
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Post-Quantum Security of Fiat-Shamir
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Presentation transcript:

Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity Ran Canetti, Abhishek Jain and Omer Paneth 1

Zero-Knowledge Protocols Completeness Soundness Zero knowledge 2 [Goldwasser-Micali-Rackoff 85]

Completeness Accept 3

Soundness reject 4

Zero-knowledge 5

Why do we care about zero-knowledge? Used as a sub-protocol in larger cryptographic protocols and systems Secure composition? 6

Concurrent Composition Session 7

Concurrent Zero Knowledge [Dwork-Naor-Sahai 98] 8

RoundsAssumption Stand-alone zeroknowledge [Feige-Shamir 89] [Bellare-Jakobson-Yung97] 4OWF Concurrent zeroknowledge [Richardson-Kilian99] [Kilian-Petrank01] [Prabhakaran-Rosen-Sahai 02] OWF [Gupta-Sahai12] [Chung-Lin-Pass 13] [Pandey-Prabhakaran-Sahai13] Strong assumption: interactive knowledgeassumptions statistically sound P-certificates differing input obfuscation 9

Today Constant-round protocols from standard assumptions Weaker notions of concurrent security 10

Bounded Concurrent ZK [ Barak 01 ] Complexity of each session Rounds Communication Barak … 11

Barak’s Protocol Client Server Barak [Persiano-Visconti 05]: set the bound only at protocol run time This is too early Client Barak Client Barak The bound on the number of concurrent sessions is set at protocol design time 12

Standard Model for Concurrent ZK 13

Client-Server Concurrent ZK ServerClients [ Persiano-Visconti 05] Increase the communication as more session start 14

The Persiano-Visconti Protocol … Finish session … … A single session:Concurrent sessions: 15

Protocol Complexity Finish session Almost the same as bounded concurrent ZK! Rounds Communication 16

The Persiano-Visconti Protocol Client Server Persiano-Visconti This is too late Client Persiano-Visconti Client Persiano-Visconti The communication complexity is changing at protocol run time Client does not know what will be the communication complexity of the session! 17

Example: Call Center “All our lines are currently busy. please hold and your call will be answered shortly…” “The estimated waiting time is 7 minutes.” This work: the communication complexity is set at the beginning of every session 18

Our Result Assuming collision-resistant hash functions there is a concurrent zero-knowledge protocol in the client-server model with constant-rounds and guaranteed complexity. Guaranteed complexity: The communication complexity of each session is determined in the beginning of the session 19

determined in the beginning of the session not determined until the session terminates This work[Persiano-Visconti] Communication complexity Round complexity 6 20

The Protocol Start session Every session runs Barak’s protocol with some bound 21

The Challenge Start session … Cannot rely directly on bounded concurrency 22

Barak’s simulation Barak … 23

Barak’s simulation Barak … 24

Barak’s simulation Barak Other protocol … 25

Proof 26

… … 27

28

29

… 30

Simulation Running Time … 31

[slide: Mira Belenkiy] Thanks! 32

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.