The knowledge complexity of interactive proof systems
SIAM Journal on Computing
Witness indistinguishable and witness hiding protocols
STOC '90 Proceedings of the twenty-second annual ACM symposium on Theory of computing
Journal of the ACM (JACM)
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Concurrent and resettable zero-knowledge in poly-loalgorithm rounds
STOC '01 Proceedings of the thirty-third annual ACM symposium on Theory of computing
Black-Box Concurrent Zero-Knowledge Requires (Almost) Logarithmically Many Rounds
SIAM Journal on Computing
Concurrent Zero Knowledge with Logarithmic Round-Complexity
FOCS '02 Proceedings of the 43rd Symposium on Foundations of Computer Science
Lower Bounds for Zero Knowledge on the Internet
FOCS '98 Proceedings of the 39th Annual Symposium on Foundations of Computer Science
How to Go Beyond the Black-Box Simulation Barrier
FOCS '01 Proceedings of the 42nd IEEE symposium on Foundations of Computer Science
Strict Polynomial-Time in Simulation and Extraction
SIAM Journal on Computing
On the concurrent composition of zero-knowledge proofs
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Concurrent zero knowledge without complexity assumptions
TCC'06 Proceedings of the Third conference on Theory of Cryptography
Resettable statistical zero knowledge
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
Hi-index | 0.01 |
The round-complexity of black-box zero-knowledge has for years been a topic of much interest. Results in this area generally focus on either proving lower bounds in various settings (e.g., Canetti, Kilian, Petrank, and Rosen [3] prove concurrent zero-knowledge (cζϰ) requires Ω(log n/ log log n) rounds and Barak and Lindell [2] show no constant-round single-session protocol can be zero-knowledge with strict poly-time simulators), or giving upper bounds (e.g., Prabhakaran, Rosen, and Sahai [15] give a cζϰ protocol with ω(log n) rounds). In this paper we show that though proving upper bounds seems to be quite different from demonstrating lower bounds, underlying both tasks there is a single, simple combinatorial game between two players: a rewinder and a scheduler. We give two theorems relating the success of rewinders in the game to both upper and lower bounds for black-box zero-knowledge in various settings (sequential composition, concurrent composition, etc). Our game and theorems unify the previous results in the area, simplify the task of proving upper and lower bounds, and should be useful in showing future results in the area.