On Constant-Round Concurrent Zero-Knowledge from a Knowledge Assumption
In this work, we consider the long-standing open question of constructing constant-round concurrent zero-knowledge protocols in the plain model. Resolving this question is known to require non-black-box techniques. We consider non-black-box techniques for zero-knowledge based on knowledge assumptions, a line of thinking initiated by the work of Hada and Tanaka (CRYPTO 1998). Prior to our work, it was not known whether knowledge assumptions could be used for achieving security in the concurrent setting, due to a number of significant limitations that we discuss here. Nevertheless, we obtain the following results: 1. We obtain the first constant-round concurrent zero-knowledge argument for \textbf{NP} in the plain model based on a new variant of the knowledge of exponent assumption. Furthermore, our construction avoids the inefficiency inherent in previous non-black-box techniques such as those of Barak (FOCS 2001); we obtain our result through an efficient protocol compiler. 2. Unlike Hada and Tanaka, we do not require a knowledge assumption to argue the soundness of our protocol. Instead, we use a discrete-log-like assumption, which we call the Diffie-Hellman Logarithm Assumption, to prove the soundness of our protocol. 3. We give evidence that our new variant of the knowledge of exponent assumption is in fact plausible. In particular, we show that our assumption holds in the generic group model. 4. Knowledge assumptions are especially delicate assumptions whose plausibility may be hard to gauge. We give a novel framework to express knowledge assumptions in a more flexible way, which may allow for the formulation of plausible assumptions and the exploration of their impact and application in cryptography.
💡 Research Summary
The paper tackles the long‑standing open problem of constructing constant‑round concurrent zero‑knowledge (CZK) protocols for NP in the plain (standard) model. While it is known that any solution must use non‑black‑box techniques, previous non‑black‑box constructions such as Barak’s protocol compiler suffer from a logarithmic (or higher) blow‑up in the number of rounds, making them impractical for concurrent settings. The authors adopt a different non‑black‑box approach based on knowledge assumptions, a line of work that began with Hada and Tanaka (CRYPTO ’98), and they overcome several obstacles that previously prevented knowledge‑based methods from being applied to concurrency.
Main contributions
- A new variant of the Knowledge of Exponent (KOE) assumption (KOE‑V).
  The authors define a weakened form of the classic Knowledge of Exponent assumption. Instead of requiring that every efficient prover “knows” the exponent, KOE‑V only demands the existence of an efficient extractor that can recover the exponent when given a successful prover transcript. This relaxation makes the assumption more plausible while still being strong enough to support a protocol compiler that translates any Σ‑protocol into a constant‑round CZK argument.
- Constant‑round CZK argument for NP.
  Using KOE‑V, the paper presents a compiler that takes any standard Σ‑protocol for an NP language and produces a three‑ to four‑round concurrent zero‑knowledge argument. The construction avoids the heavy overhead of Barak’s transformation; the round complexity remains constant regardless of the number of concurrent sessions, and the communication cost is comparable to that of the underlying Σ‑protocol.
- Soundness based on a Diffie‑Hellman‑like assumption (DHLA).
  Unlike Hada‑Tanaka, the authors do not rely on a separate knowledge assumption for soundness. Instead, they introduce the Diffie‑Hellman Logarithm Assumption, which states that, given a group element $g$ and $g^{a}$, it is hard to compute $a$ (standard discrete‑log hardness), and which additionally requires that any prover that succeeds in the first round must actually have used a valid DH exponent. This assumption is standard in the literature and is sufficient to prove that a cheating prover cannot convince the verifier without possessing the underlying witness.
- Evidence for the plausibility of KOE‑V.
  The authors prove that KOE‑V holds in the generic group model. By showing that any generic algorithm that produces a valid transcript can be turned into an extractor that recovers the exponent, they provide strong theoretical support that the assumption admits no hidden algebraic shortcuts.
- A flexible framework for expressing knowledge assumptions.
  Recognizing that knowledge assumptions are delicate and often hard to evaluate, the paper proposes a modular framework that separates “knowledge‑extractability” from “algorithmic realizability.” This allows researchers to formulate assumptions that are tailored to specific protocols, to reason about their plausibility, and to compare different assumptions on common ground.
Technical overview
The protocol begins with a standard Σ‑protocol for an NP relation $R$. The prover first commits to a DH‑style value $g^{r}$ and simultaneously runs a commitment to the first message of the Σ‑protocol. The verifier replies with a random challenge that is combined with a DH challenge derived from the commitment. The prover then opens the commitments and supplies the Σ‑protocol response together with a proof that the DH exponent used matches the committed value. The knowledge extractor, guaranteed by KOE‑V, can rewind the interaction and recover the witness from the prover’s ability to answer both challenges concurrently. Soundness follows because any prover that can answer the combined challenge must have produced a valid DH exponent, which by DHLA implies knowledge of the discrete log, and consequently of the NP witness.
The security proof proceeds in three stages: (i) completeness is immediate from the correctness of the underlying Σ‑protocol; (ii) soundness is reduced to DHLA via a hybrid argument that replaces the prover’s DH value with a random group element; (iii) zero‑knowledge is shown by constructing a simulator that uses the extractor from KOE‑V to generate transcripts indistinguishable from real executions, even under arbitrary polynomial‑time concurrent scheduling.
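The two building blocks the summary leans on, the Σ‑protocol with its rewinding extractor (technical overview above) and the exponent pair $(C, C^{a})$ that knowledge‑of‑exponent style assumptions such as KOE‑V talk about (main contributions above), are shown below in a small added example. It is not code from the paper and it does not implement the paper's compiler: it uses the textbook Schnorr Σ‑protocol for discrete log, the special‑soundness extractor that recovers the witness from two transcripts sharing one commitment (the "rewind"), the honest‑verifier simulator, and the honest way to produce and check a $(g^{c}, h^{c})$ pair for a verifier that knows $a$ with $h = g^{a}$. The group parameters are a constructed toy group chosen so the arithmetic can be followed by hand; they provide no security.

```python
"""Added illustration, not code from the paper: Schnorr's Sigma-protocol for
discrete log, the rewinding (special-soundness) extractor, the honest-verifier
simulator, and the (C, C^a) pair shape of knowledge-of-exponent assumptions.
The group is a constructed toy group and provides no security."""
import secrets

# Constructed toy parameters: Z_23^* has a subgroup of prime order q = 11
# generated by g = 2 (since 23 = 2*11 + 1).  Real use needs q of 256+ bits.
P, Q, G = 23, 11, 2


def sigma_commit():
    """Prover's first message: pick r in [1, q-1], send t = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def sigma_respond(x, r, e):
    """Prover's third message for witness x, randomness r, challenge e."""
    return (r + e * x) % Q


def sigma_verify(y, t, e, z):
    """Verifier accepts (t, e, z) for the statement y = g^x iff g^z == t * y^e."""
    return pow(G, z, P) == (t * pow(y, e, P)) % P


def sigma_simulate(y, e):
    """Honest-verifier simulator: knows no witness, but given the challenge e
    it picks z first and solves t = g^z * y^(-e), so (t, e, z) still verifies."""
    z = secrets.randbelow(Q)
    t = (pow(G, z, P) * pow(pow(y, e, P), -1, P)) % P
    return t, z


def extract_witness(e1, z1, e2, z2):
    """Special soundness: two accepting transcripts with the same t and
    e1 != e2 yield x = (z1 - z2) / (e1 - e2) mod q."""
    if (e1 - e2) % Q == 0:
        raise ValueError("need distinct challenges")
    return ((z1 - z2) * pow((e1 - e2) % Q, -1, Q)) % Q


class HonestProver:
    """Prover holding witness x; keeps r so the extractor can 'rewind' it."""

    def __init__(self, x):
        self.x, self.r = x, None

    def commit(self):
        self.r, t = sigma_commit()
        return t

    def respond(self, e):
        return sigma_respond(self.x, self.r, e)


def rewinding_extractor(y, prover):
    """Obtain t once, then pose two different challenges for that same t
    (the rewind) and recover x.  Returns None if either transcript fails."""
    t = prover.commit()
    e1 = secrets.randbelow(Q)
    e2 = (e1 + 1 + secrets.randbelow(Q - 1)) % Q      # any value except e1
    z1, z2 = prover.respond(e1), prover.respond(e2)
    if not (sigma_verify(y, t, e1, z1) and sigma_verify(y, t, e2, z2)):
        return None
    return extract_witness(e1, z1, e2, z2)


# --- knowledge-of-exponent pair shape -------------------------------------

def kea_setup():
    """Verifier picks a secret a and publishes h = g^a alongside g."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def kea_pair(h, c):
    """A party that knows c answers with (C, C') = (g^c, h^c); note C' = C^a."""
    return pow(G, c, P), pow(h, c, P)


def kea_check(a, C, Cp):
    """Verifier-side check with its secret a.  A knowledge-of-exponent style
    assumption asserts that whoever passes this check can be made to output c."""
    return Cp == pow(C, a, P)


if __name__ == "__main__":
    x = 7
    y = pow(G, x, P)
    print("extracted witness:", rewinding_extractor(y, HonestProver(x)))
    a, h = kea_setup()
    C, Cp = kea_pair(h, 3)
    print("pair accepted:", kea_check(a, C, Cp))
```

The extractor only works because `HonestProver` answers a second challenge for the same `t`; a real cheating prover is rewound to the same state rather than cooperating, which is exactly what the concurrent setting makes hard and why the page turns to a knowledge assumption instead of black‑box rewinding.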
Implications and future work
By achieving constant‑round CZK for NP in the plain model, the paper closes a major gap between theory and practice for concurrent cryptographic protocols such as secure multi‑party computation, anonymous credentials, and blockchain‑based smart contracts. The flexible framework for knowledge assumptions may inspire further research on tailored assumptions for other primitives (e.g., signatures, encryption) and could lead to a systematic taxonomy of plausible knowledge‑based assumptions. Open directions include extending the compiler to support adaptive security, exploring tighter reductions in the standard model, and investigating whether the DHLA‑based soundness can be replaced by even weaker assumptions without sacrificing security.