The notion of efficient computation is usually identified in cryptography and complexity theory with probabilistic polynomial time. However, until recently, in order to obtain constant-round zero-knowledge proofs and proofs of knowledge (for NP), one had to allow simulators and knowledge extractors to run in time that is only polynomial on the average (i.e., expected polynomial time). Whether or not allowing expected polynomial time is necessary for obtaining constant-round zero-knowledge proofs and proofs of knowledge has been posed as an important open question. This question is interesting not only for its theoretical ramifications, but also because expected polynomial-time simulation is not closed under composition. Therefore, in some cases security is not maintained when a protocol that relies on expected polynomial-time simulation (or extraction) is used as part of a larger protocol.

A partial answer to the question of the necessity (or non-necessity) of expected polynomial time was provided recently by Barak, who gave the first constant-round zero-knowledge argument with a strict (in contrast to expected) polynomial-time simulator. His was also the first protocol that is not black-box zero-knowledge. That is, the simulator in his protocol uses the description of the verifier's code in an essential way.

In this paper, we completely resolve the question of expected polynomial time in zero-knowledge arguments and arguments of knowledge. First, we show that there exist constant-round zero-knowledge arguments of knowledge with strict polynomial-time extractors. As in the simulator of Barak's zero-knowledge protocol, the extractor for our proof of knowledge is not black-box and uses the code of the prover in an essential way.

On the negative side, we show that non-black-box techniques are essential to both strict polynomial-time simulation and extraction. That is, we show that no constant-round zero-knowledge argument (or proof) can have a strict polynomial-time black-box simulator. Similarly, we show that no constant-round zero-knowledge argument (or proof) of knowledge can have a strict polynomial-time black-box knowledge extractor. Thus, for constant-round black-box zero-knowledge arguments (resp., arguments of knowledge), it is imperative that the simulator (resp., extractor) be allowed to run in expected polynomial time.