On Constant-Round Concurrent Zero-Knowledge from a Knowledge Assumption

TL;DR

This paper constructs the first constant-round concurrent zero-knowledge protocol in the plain model using a new variant of knowledge assumptions, avoiding previous inefficiencies and providing evidence of plausibility.

Contribution

It introduces a novel, efficient protocol for concurrent zero-knowledge based on a new knowledge of exponent assumption, and offers a flexible framework for expressing and analyzing knowledge assumptions.

Findings

First constant-round concurrent ZK protocol in plain model

Uses a new variant of knowledge of exponent assumption

Provides evidence for the plausibility of the assumption

Abstract

In this work, we consider the long-standing open question of constructing constant-round concurrent zero-knowledge protocols in the plain model. Resolving this question is known to require non-black-box techniques. We consider non-black-box techniques for zero-knowledge based on knowledge assumptions, a line of thinking initiated by the work of Hada and Tanaka (CRYPTO 1998). Prior to our work, it was not known whether knowledge assumptions could be used for achieving security in the concurrent setting, due to a number of significant limitations that we discuss here. Nevertheless, we obtain the following results: 1. We obtain the first constant round concurrent zero-knowledge argument for \textbf{NP} in the plain model based on a new variant of knowledge of exponent assumption. Furthermore, our construction avoids the inefficiency inherent in previous non-black-box techniques such that those of Barak (FOCS 2001); we obtain our result through an efficient protocol compiler. 2. Unlike Hada and Tanaka, we do not require a knowledge assumption to argue the soundness of our protocol. Instead, we use a discrete log like assumption, which we call Diffie-Hellman Logarithm Assumption, to prove the soundness of our protocol. 3. We give evidence that our new variant of knowledge of exponent assumption is in fact plausible. In particular, we show that our assumption holds in the generic group model. 4. Knowledge assumptions are especially delicate assumptions whose plausibility may be hard to gauge. We give a novel framework to express knowledge assumptions in a more flexible way, which may allow for formulation of plausible assumptions and exploration of their impact and application in cryptography.