Abstract
Non-interactive zero-knowledge (NIZK) arguments allow a prover to convince a verifier about the truthfulness of an \(\mathcal {N}\mathcal {P}\)-statement by sending just one message, without disclosing any additional information. In several practical scenarios, the Fiat-Shamir transform is used to convert an efficient constant-round public-coin honest-verifier zero-knowledge proof system into an efficient NIZK argument system. This approach is provably secure in the random oracle model, crucially requires the programmability of the random oracle and extraction works through rewinds. The works of Lindell [TCC 2015] and Ciampi et al. [TCC 2016] proposed efficient NIZK arguments with non-programmable random oracles along with a programmable common reference string.
In this work we show an efficient NIZK argument with straight-line simulation and extraction that relies on features that alone are insufficient to construct NIZK arguments (regardless of efficiency). More specifically we consider the notion of quasi-polynomial time simulation proposed by Pass in [EUROCRYPT 2003] and combine it with simulation and extraction with non-programmable random oracles thus obtaining a NIZK argument of knowledge where neither the zero-knowledge simulator, nor the argument of knowledge extractor needs to program the random oracle. Still, both the simulator and the extractor are straight-line. Our construction uses as a building block a modification of the Fischlin’s transform [CRYPTO 2005] and combines it with the concept of dense puzzles introduced by Baldimtsi et al. [ASIACRYPT 2016]. We also argue that our NIZK argument system inherits the efficiency features of Fischlin’s transform, which represents the main advantage of Fischlin’s protocol over existing schemes.
Research partly supported by H2020 project PRIVILEDGE #780477.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
When discussing informally we will use the word proof to refer to both unconditionally and computationally sound proofs. Only in the more formal part of the paper we will make a distinction between arguments and proofs.
- 2.
Since our simulator does not run in expected polynomial time, it is not possible to prove results related to the Universal Composable (UC) setting [7]. We observe that the property of our protocol of being concurrently composable is still meaningful as showed in [4] where general concurrent composition with superpolynomial-time computation is considered.
- 3.
The original Pass’ protocol is particularly inefficient due to the number of parallel repetitions required to amplify the soundness. In [15] the author considers an improved version, that uses Merkle trees to reduce the size of the proof. We refer to the introductory section of [15] for more details.
- 4.
We observe that even though the author of [15] talks about Proof of Knowledge, they still need to polynomially bound the number of queries that an adversary can make to the random oracle. To avoid any ambiguity, in this work we consider only the notion of AoK since the malicious prover is implicitly bounded by the number of queries that can be made to the RO.
- 5.
We used the same parameters as in [15] to provide a fair efficiency measurement of our protocol. However, it should be noted that the security parameters can be made larger with a minimal effect on the size of the NIZK proof.
- 6.
The proof for the other case follows using exactly the same arguments but in that case we break the Special HVZK of \(\varPi _0\) instead of \(\varPi _1\).
- 7.
\(\mathcal {A}^{\textsf{SHVZK}}\) can iterate on all possible \(c_j\) since she can pick any possible \(c_j^0\).
- 8.
From this point forward the proof follows exactly the same steps proposed in [15], but for completeness we propose the complete proof.
- 9.
This is the same puzzle used in Theorem 7 of [2].
References
Baldimtsi, F., Kiayias, A., Zacharias, T., Zhang, B.: Indistinguishable proofs of work or knowledge. Cryptology ePrint Archive, Paper 2015/1230 (2015), https://eprint.iacr.org/2015/1230
Baldimtsi, F., Kiayias, A., Zacharias, T., Zhang, B.: Indistinguishable proofs of work or knowledge. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 902–933. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_30
Barak, B., Pass, R.: On the possibility of one-message weak zero-knowledge. In: Theory of Cryptography, First Theory of Cryptography Conference, TCC 2004, Cambridge, MA, USA, 19–21 February 2004, Proceedings.,pp. 121–132 (2004)
Barak, B., Sahai, A.: How to play almost any mental game over the net - concurrent composition via super-polynomial simulation. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2005), 23–25 October 2005, Pittsburgh, PA, USA, Proceedings, pp. 543–552. IEEE Computer Society (2005)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, 3–5 November 1993, pp. 62–73 (1993)
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 2–4 May 1988, Chicago, Illinois, USA, pp. 103–112 (1988)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14–17 October 2001, Las Vegas, Nevada, USA, pp. 136–145 (2001)
Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 597–608 (2014)
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR-composition of sigma-protocols. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 112–141. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_5
Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the fiat-Shamir transform without programmable random oracles. In: Theory of Cryptography - 13th International Conference, TCC 2016-A, Tel Aviv, Israel, 10–13 January 2016, Proceedings, Part II, pp. 83–111 (2016)
Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055745
Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Advances in Cryptology - CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, 21–25 August 1994, Proceedings, pp. 174–187 (1994)
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st Annual Symposium on Foundations of Computer Science, St. Louis, Missouri, USA, 22–24 October 1990, vol. I, pp. 308–317. IEEE Computer Society (1990)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Proceedings of Advances in Cryptology - CRYPTO 1986, Santa Barbara, California, USA, 1986, pp. 186–194 (1986)
Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 152–168. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_10
Garay, J.A., MacKenzie, P., Yang, K.: Strengthening zero-knowledge protocols using signatures. J. Cryptol. 19(2), 169–209 (2006)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Guillou, L.C., Quisquater, J.-J.: A Practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_11
Kondi, Y., Abhi Shelat: Improved straight-line extraction in the random oracle model with applications to signature aggregation. Cryptology ePrint Archive, Paper 2022/393 (2022). https://eprint.iacr.org/2022/393
Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, 23–25 March 2015, Proceedings, Part I, pp. 93–109 (2015)
Maurer, U.: Zero-knowledge proofs of knowledge for group homomorphisms, Des. Codes Cryptogr. 77, 663–676 (2015)
Pass, R.: On Deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_19
Pass, R.: Simulation in quasi-polynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_10
Pass, R.: Alternative variants of zero-knowledge proofs. Master’s thesis, Kungliga Tekniska Högskolan, Licentiate Thesis Stockholm, Sweden (2004)
Pass, R.: Bounded-concurrent secure multi-party computation with a dishonest majority. In: Babai, L. (ed.) Proceedings of the 36th Annual ACM Symposium on Theory of Computing, Chicago, IL, USA, 3–16, June 12004, pp. 232–241. ACM (2004)
Schnorr, C.P.: Efficient Identification and Signatures for Smart Cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Ciampi, M., Visconti, I. (2022). Efficient NIZK Arguments with Straight-Line Simulation and Extraction. In: Beresford, A.R., Patra, A., Bellini, E. (eds) Cryptology and Network Security. CANS 2022. Lecture Notes in Computer Science, vol 13641. Springer, Cham. https://doi.org/10.1007/978-3-031-20974-1_1
Download citation
DOI: https://doi.org/10.1007/978-3-031-20974-1_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-20973-4
Online ISBN: 978-3-031-20974-1
eBook Packages: Computer ScienceComputer Science (R0)