Wei-Lung Dustin Tseng

On the Composition of Public-Coin Zero-Knowledge Protocols

We show that only languages in BPP have public-coin black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any setup) and in the bare public key model (where the prover and the verifier have registered public keys). We complement this result by constructing a public-coin black-box zero-knowledge proof based on one-way functions that remains secure under any a priori bounded number of concurrent executions. A key step (of independent interest) in the analysis of our lower bound shows that any public-coin protocol, when repeated sufficiently in parallel, satisfies a notion of “resettable soundness” if the verifier picks its random coins using a pseudorandom function.

Towards non-black-box lower bounds in cryptography

We consider average-case strengthenings of the traditional assumption that coNP is not contained in AM. Under these assumptions, we rule out generic and potentially non-black-box constructions of various cryptographic primitives (e.g., one-way permutations, collision-resistant hash-functions, constant-round statistically hiding commitments, and constant-round black-box zero-knowledge proofs for NP) from one-way functions, assuming the security reductions are black-box.

Public-Coin Parallel Zero-Knowledge for NP

We show that, assuming the existence of collision-resistant hash functions, every language in NP has a constant-round public-coin zero-knowledge argument that remains secure under unbounded parallel composition (a.k.a. parallel zero knowledge.) Our protocol is a variant of Barak’s zero-knowledge argument (FOCS 2001), and has a non-black-box simulator. This result stands in sharp contrast with the recent result by Pass, Tseng and Wikstrom (Crypto 2010) showing that only languages in BPP have public-coin parallel zero-knowledge arguments with black-box simulators.

Eye for an eye: efficient concurrent zero-knowledge in the timing model

We present new and efficient concurrent zero-knowledge protocols in the timing model. In contrast to earlier works—which through artificially-imposed delays require every protocol execution to run at the speed of the slowest link in the network—our protocols essentially only delay messages based on the actual response time of each verifier (which can be significantly smaller).

The knowledge tightness of parallel zero-knowledge

We investigate the concrete security of black-box zero- knowledge protocols when composed in parallel. As our main result, we give essentially tight upper and lower bounds (up to logarithmic factors in the security parameter) on the following measure of security (closely related to knowledge tightness): the number of queries made by black-box simulators when zero-knowledge protocols are composed in parallel. As a function of the number of parallel sessions, k, and the round complexity of the protocol, m, the bound is roughly k1/m. We also construct a modular procedure to amplify simulator-query lower bounds (as above), to generic lower bounds in the black-box concurrent zero-knowledge setting. As a demonstration of our techniques, we give a self-contained proof of the o(logn /loglogn) lower bound for the round complexity of black-box concurrent zero-knowledge protocols, first shown by Canetti, Kilian, Petrank and Rosen (STOC 2002). Additionally, we give a new lower bound regarding constant-round black-box concurrent zero-knowledge protocols: the running time of the black-box simulator must be at least nΩ(logn).