Responsive Round Complexity and Concurrent Zero-Knowledge

  • Authors:
  • Tzafrir Cohen;Joe Kilian;Erez Petrank

  • Affiliations:
  • -;-;-

  • Venue:
  • ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
  • Year:
  • 2001

Quantified Score

Hi-index 0.00

Visualization

Abstract

The number of communication rounds is a classic complexity measure for protocols; reducing round complexity is a major goal in protocol design. However, when the communication time is inconstant, and in particular, when one of the parties intentionally delays its messages, the round complexity measure may become meaningless. For example, if one of the rounds takes longer than the rest of the protocol, then it does not matter if the round complexity is bounded by a constant or by a polynomial. In this paper, we propose a complexity measure called responsive round complexity. Loosely speaking, a protocol has responsive round complexity m with respect to Party A, if it makes the following guarantee. If A's longest delay in responding to a message in a run of the protocol is t, then, in that run, the overall communication time is at most mċ t. The logic behind this definition is that if a party responds quickly to a message, whether it has a good connection or it just chooses not to delay its messages, then this party deserves to get an overall quicker running time. Responsive round complexity is particularly interesting in a setting where a party may gain something by delaying its messages. In this case, the delaying party does not deserve the same response time as another party that behaves nicely. We demonstrate the significance of responsive round complexity by presenting a new protocol for concurrent zero-knowledge. The new protocol is a black-box concurrent zero knowledge proof for all languages in NP with round complexity Õ(log2 n) but responsive round complexity Õ(log n). While the round complexity of the new protocol is similar to what is known from previous works, its responsive round complexity is a significant improvement: all known concurrent zero-knowledge protocols require Õ(log2 n) rounds. Furthermore, in light of the known lower bounds, the responsive round complexity of this protocol is basically optimal.