Instance-Dependent Commitment Schemes and the Round Complexity of Perfect Zero-Knowledge Proofs

نویسنده

  • Lior Malka
چکیده

We study the question whether the number of rounds in public-coin perfect zero-knowledge (PZK) proofs can be collapsed to a constant. Despite extensive research into the round complexity of interactive and zero-knowledge protocols, there is no indication how to address this question. Furthermore, the main tool to tackle this question is instance-dependent commitments, but currently such schemes are only statistically hiding, whereas we need perfectly hiding schemes. We give the first perfectly hiding instance-dependent commitment scheme. This scheme can be constructed from any problem that has a PZK proof. We then show that obtaining such a scheme that is also constant-round is not only sufficient, but also necessary to collapse the number of rounds in PZK proofs. Hence, we show an equivalence between the tasks of obtaining the commitment, and collapsing the rounds. Our idea also yields an elegant equivalence between zero-knowledge and commitments. In the second part of the paper we construct a non-interactive, perfectly hiding scheme whose binding property holds on all but an exponentially small fraction of the inputs. Informally, this shows that the rounds in public-coin PZK proofs can be collapsed if we can guarantee that the prover is not choosing its randomness from a small set. We formalize this condition using a preamble, which we then apply to some simple cases. An interesting consequence of independent interest is that we use the circuits from the study of NIPZK in the commitment scheme of Naor [39], and this leads to a new perfectly-hiding instance-dependent commitment for NIPZK problems with a small soundness error.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Generic yet Practical ZK Arguments from any Public-Coin HVZK

In this work, we present a generic yet practical transformation from any public-coin honest-verifier zero-knowledge (HVZK) protocols to normal zero-knowledge (ZK) arguments. By “generic”, we mean that the transformation is applicable to any public-coin HVZK protocol under any one-way function (OWF) admitting Σ-protocols. By “practical” we mean that the transformation does not go through general...

متن کامل

4-Round Concurrent Non-Malleable Commitments

The round complexity of non-malleable commitments and non-malleable zero knowledge arguments has been an open question for long time. Very recent results of Pass [TCC 2013] and of Goyal et al. [FOCS 2014, STOC 2016], gave almost definitive answers. In this work we show how to construct round-efficient non-malleable protocols via compilers. Starting from protocols enjoying limited non-malleabili...

متن کامل

Linear Zero-Knowledegde - A Note on Efficient Zero-Knowledge Proofs and Arguments

We present a zero-knowledge proof system [19] for any NP language L, which allows showing that x ∈ L with error probability less than 2−k using communication corresponding to O(|x|) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring. We ...

متن کامل

Linear Zero - Knowledge - A Note on E cientZero - Knowledge Proofs

We present a zero-knowledge proof system 19] for any NP language L, which allows showing that x 2 L with error probability less than 2 ?k using communication corresponding to O(jxj c) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an eecient implementation based on factoring. We ...

متن کامل

An Equivalence Between Zero Knowledge and Commitments

We show that a language in NP has a zero-knowledge protocol if and only if the language has an “instance-dependent” commitment scheme. An instance-dependent commitment schemes for a given language is a commitment scheme that can depend on an instance of the language, and where the hiding and binding properties are required to hold only on the YES and NO instances of the language, respectively. ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:
  • Electronic Colloquium on Computational Complexity (ECCC)

دوره 15  شماره 

صفحات  -

تاریخ انتشار 2008