On Round-Optimal Zero Knowledge in the Bare Public-Key Model

In this paper we revisit previous work in the BPK model and point out subtle problems concerning security proofs of concurrent and resettable zero knowledge (cZK and rZK, for short). Our analysis shows that the cZK and rZK simulations proposed for previous (in particular all round-optimal) protocols are distinguishable from real executions. Therefore some of the questions about achieving round optimal cZK and rZK in the BPK model are still open. We then show our main protocol, ΠcZK, that is a round-optimal concurrently sound cZK argument of knowledge (AoK, for short) for NP under standard complexitytheoretic assumptions. Next, using complexity leveraging arguments, we show a protocol ΠrZK that is round-optimal and concurrently sound rZK for NP. Finally we show that ΠcZK and ΠrZK can be instantiated efficiently through transformations based on number-theoretic assumptions. Indeed, starting from any language admitting a perfect Σ-protocol, they produce concurrently sound protocols Π̄cZK and Π̄rZK, where Π̄cZK is a round-optimal cZKAoK, and Π̄rZK is a 5-round rZK argument. The rZK protocols are mainly inherited from the ones of Yung and Zhao [31].