Efficiency Preserving Transformations for Concurrent Non-malleable Zero Knowledge
Authors
Rafail Ostrovsky, Omkant Pandey, Ivan Visconti
Abstract
Ever since the invention of Zero-Knowledge by Goldwasser, Micali, and Rackoff [1], Zero-Knowledge has become a central building block in cryptography with numerous applications, ranging from electronic cash to digital signatures. The properties of Zero-Knowledge range from the most simple (and not particularly useful in practice) requirements, such as honest-verifier zero-knowledge, to the most demanding (and most useful in applications), such as non-malleable and concurrent zero-knowledge. In this paper, we study the complexity of efficient zero-knowledge reductions, from the first type to the second type. More precisely, under a standard complexity assumption (DDH), on input a public-coin honest-verifier statistical zero knowledge argument of knowledge π′ for a language L we show a compiler that produces an argument system π for L that is concurrent non-malleable zero-knowledge (under non-adaptive inputs – which is the best one can hope to achieve [2, 3]). If κ is the security parameter, the overhead of our compiler is as follows:
– The round complexity of π is r + Õ(log κ) rounds, where r is the round complexity of π′.
– The new prover P (resp., the new verifier V) incurs an additional overhead of (at most) r + κ · Õ(log κ) modular exponentiations. If tags of length Õ(log κ) are provided, the overhead is only r + Õ(log κ) modular exponentiations.
The only previous concurrent non-malleable zero-knowledge (under non-adaptive inputs) was achieved by Barak, Prabhakaran and Sahai [4]. Their construction, however, mainly focuses on a feasibility result rather than efficiency, and requires expensive NP-reductions.
* Supported in part by IBM Faculty Award, Xerox Innovation Group Award, the Okawa Foundation Award, Intel, Teradata, NSF grants 0716835, 0716389, 0830803, 0916574 and U.C. MICRO grant.
** Supported in part by NSF grants 0716835, 0716389, 0830803, 0916574, and the European Commission grants of the third author.
*** Supported in part by the European Commission through the EU IST program under Contract IST-2002-507932 ECRYPT, and through the EU ICT program under Contract ICT-2007-216646 ECRYPT II.
Similar resources
The Non-interactive Equivocable Non-malleable Commitment and its Applications
Under the assumption of the existence of one-way functions, we prove that it is possible to construct the non-interactive equivocable non-malleable commitment scheme. Especially importantly, we succeed in implementing concurrent zero-knowledge using our commitment scheme, analysing properties of this concurrent zero-knowledge proof system, comparing it with the existing concurrent zero-knowled...
4-Round Concurrent Non-Malleable Commitments
The round complexity of non-malleable commitments and non-malleable zero knowledge arguments has been an open question for a long time. Very recent results of Pass [TCC 2013] and of Goyal et al. [FOCS 2014, STOC 2016] gave almost definitive answers. In this work we show how to construct round-efficient non-malleable protocols via compilers. Starting from protocols enjoying limited non-malleabili...
Constant-Round Concurrent Non-malleable Zero Knowledge in the Bare Public-Key Model
One of the central questions in Cryptography is the design of round-efficient protocols that are secure under concurrent man-in-the-middle attacks. In this paper we present the first constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model [Canetti et al. STOC 2000], resolving one of the major open problems in this area. To achieve our result, w...
Succinct Malleable NIZKs and an Application to Compact Shuffles
Depending on the application, malleability in cryptography can be viewed as either a flaw or — especially if sufficiently understood and restricted — a feature. In this vein, Chase, Kohlweiss, Lysyanskaya, and Meiklejohn recently defined malleable zero-knowledge proofs, and showed how to control the set of allowable transformations on proofs. As an application, they construct the first compact ...
Adaptive Security of Concurrent Non-Malleable Zero-Knowledge
A zero-knowledge protocol allows a prover to convince a verifier of the correctness of a statement without disclosing any other information to the verifier. It is a basic tool and widely used in many other cryptographic applications. However, when stand-alone zero-knowledge protocols are used in complex environments, e.g., the Internet, the basic properties may not be sufficient. This is why re...