Skip to main content

Constant-Round Leakage-Resilient Zero-Knowledge from Collision Resistance


In this paper, we present a constant-round leakage-resilient zero-knowledge argument system for \(\mathcal {NP}\) under the assumption of the existence of collision-resistant hash function families. That is, using a collision-resistant hash function, we construct a constant-round zero-knowledge argument system that has the following zero-knowledge property: even against any cheating verifier that obtains an arbitrary amount of leakage on the prover’s internal secret state, a simulator can simulate the verifier’s view by obtaining the same amount of leakage on the witness. Previously, leakage-resilient zero-knowledge proofs/arguments for \(\mathcal {NP}\) were constructed only under a relaxed security definition (Garg et al., in: CRYPTO’11, pp 297–315, 2011) or under the DDH assumption (Pandey, in: TCC’14, pp 146–166, 2014). Our leakage-resilient zero-knowledge argument system satisfies an additional property that it is simultaneously leakage-resilient zero-knowledge, meaning that both zero-knowledge and soundness hold in the presence of leakage.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8


  1. In [35], it is pointed out that nowadays leakage tolerance is the commonly accepted term for this security notion. Nevertheless, in this paper we use the term “leakage resilience” for this security notion for consistency with previous works [22, 36].

  2. A constant-round one can be constructed from collision-resistant hash functions [19, 34] and a polynomial-round one can be constructed from one-way functions [29].

  3. This is because in the protocol of [22], the verifier commits to the challenge message of Blum’s Hamiltonicity protocol in advance and hence a cheating prover can easily break soundness by obtaining the challenge message via leakage.

  4. Chung et al. [14] showed that the simulation technique of Barak can be modified so that it requires only one-way functions. However, the simulation technique of Chung et al. involves rewinding of the adversary and therefore is no longer straight-line simulation.

  5. More precisely, td is trapdoor information for biasing the outcome of a coin-tossing protocol that is executed between the prover and the verifier to determine the parameter of an equivocal commitment scheme. However, for simplicity, we think that td is trapdoor information of an equivocal commitment scheme in this overview.

  6. This idea is also used in [5, 32].

  7. What is actually used here is adaptive security, which guarantees that for each underlying commitment, it is possible to compute randomness \(\mathsf {tape}_0\) and \(\mathsf {tape}_1\) such that \(\mathsf {tape}_b\) explains the commitment as a commitment to b for each \(b\in \{0,1 \}\).

  8. This extractability is used only in the proof of soundness. Hence, the proof of zero-knowledge works even in the presence of this extractable commitment scheme.

  9. We notice that although the simulator can use the equivocality of \(\mathsf {H}\textsf {-}\mathsf {Com}\) (which we have introduced to remove the extraction of td), the simulator cannot naively use it for simulating the prover’s messages. This is because when \(V^*\) obtains leakage that includes the randomness that has been used for some of the \(\mathsf {H}\textsf {-}\mathsf {Com}\) commitments, \(V^*\) may be able to determine the committed values of them from the leakage and thus may be able to detect any equivocation on them.

  10. Actually, we use an adaptively secure \(\mathsf {H}\textsf {-}\mathsf {Com}\) [13, 32]. See Footnote 7.

  11. In the “inner” \(\mathsf {H}\textsf {-}\mathsf {Com}\), the underlying commitment scheme is \(\mathsf {Com}\) as before.

  12. For the definition of pseudorandom generators, see [25].


  1. P. Ananth, V. Goyal, O. Pandey, Interactive proofs under continual memory leakage, in CRYPTO (2014), pp. 164–182

  2. R. Anderson, M. Kuhn, Tamper resistance: a cautionary note, in WOEC (1996), pp. 1–11

  3. B. Barak, How to go beyond the black-box simulation barrier, in FOCS (2001), pp. 106–115

  4. G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)

    MathSciNet  Article  Google Scholar 

  5. N. Bitansky, R. Canetti, S. Halevi, Leakage-tolerant interactive protocols, in TCC (2012), pp. 266–284

  6. F. Benhamouda, A. Degwekar, Y. Ishai, T. Rabin, On the local leakage resilience of linear secret sharing schemes, in CRYPTO (2018), pp. 531–561

  7. N. Bitansky, D. Dachman-Soled, H. Lin, Leakage-tolerant computation with input-independent preprocessing, in CRYPTO (2014), pp. 146–163

  8. B. Barak, O. Goldreich, Universal arguments and their applications, SIAM J. Comput. 38(5), 1661–1694 (2008)

    MathSciNet  Article  Google Scholar 

  9. E. Boyle, S. Garg, A. Jain, Y.T. Kalai, A. Sahai, Secure computation against adaptive auxiliary information, in CRYPTO (2013), pp. 316–334

  10. E. Boyle, S. Goldwasser, A. Jain, Y.T. Kalai, Multiparty computation secure against continual memory leakage, in STOC (2012), pp. 1235–1254

  11. E. Boyle, S. Goldwasser, Y.T. Kalai, Leakage-resilient coin tossing. Distrib. Comput. 27(3), 147–164 (2014)

  12. R. Canetti, S. Goldwasser, O. Poburinnaya, Adaptively secure two-party computation from indistinguishability obfuscation, in TCC (2015), pp. 557–585

  13. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in STOC (2002), pp. 494–503

  14. K. Chung, R. Pass, K. Seth, Non-black-box simulation from one-way functions and applications to resettable security. SIAM J. Comput. 45(2), 415–458 (2016)

    MathSciNet  Article  Google Scholar 

  15. R. Canetti, O. Poburinnaya, M. Venkitasubramaniam, Better two-round adaptive multi-party computation, in PKC (2017), pp. 396–427

  16. R. Canetti, O. Poburinnaya, M. Venkitasubramaniam, Equivocating Yao: constant-round adaptively secure multiparty computation in the plain model, in STOC (2017), pp. 497–509

  17. D. Dachman-Soled, J. Katz, V. Rao, Adaptively secure, universally composable, multiparty computation in constant rounds, in TCC (2015), pp. 586–613

  18. D. Dachman-Soled, F.-H. Liu, H.-S. Zhou, Leakage-resilient circuits revisited - optimal number of computing components without leak-free hardware, in EUROCRYPT (2015), pp. 131–158

  19. I. Damgård, T.P. Pedersen, B. Pfitzmann, Statistical secrecy and multibit commitments. IEEE Trans. Inf. Theory 44(3), 1143–1151 (1998)

    MathSciNet  Article  Google Scholar 

  20. U. Feige, A. Shamir, Zero knowledge proofs of knowledge in two rounds, in CRYPTO (1989), pp. 526–544

  21. V. Goyal, Y. Ishai, H.K. Maji, A. Sahai, A.A. Sherstov, Bounded-communication leakage resilience via parity-resilient circuits, in FOCS (2016)

  22. S. Garg, A. Jain, A. Sahai, Leakage-resilient zero knowledge, in CRYPTO (2011), pp. 297–315

  23. O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(3), 167–190 (1996)

    MathSciNet  Article  Google Scholar 

  24. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

    MathSciNet  Article  Google Scholar 

  25. O. Goldreich, Foundations of Cryptography: Volume 1, Basic Tools (Cambridge University Press, August 2001)

  26. O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications (Cambridge University Press, May 2004)

  27. S. Garg, A. Polychroniadou, Two-round adaptively secure MPC from indistinguishability obfuscation, in TCC (2015), pp. 614–637

  28. J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

    MathSciNet  Article  Google Scholar 

  29. I. Haitner, M.-H. Nguyen, S.J. Ong, O. Reingold, S.P. Vadhan, Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009)

  30. P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in CRYPTO (1996), pp. 104–113

  31. Y.T. Kalai, L. Reyzin, A survey of leakage-resilient cryptography. Cryptology ePrint Archive, Report 2019/302 (2019).

  32. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. J. Cryptol. 24(4), 761–799 (2011)

    MathSciNet  Article  Google Scholar 

  33. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)

    Article  Google Scholar 

  34. M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in STOC (1989), pp. 33–43

  35. R. Ostrovsky, G. Persiano, I. Visconti, Impossibility of black-box simulation against leakage attacks, in CRYPTO (2015), pp. 130–149

  36. O. Pandey, Achieving constant round leakage-resilient zero-knowledge, in TCC (2014), pp. 146–166

  37. R. Pass, A. Rosen, Concurrent nonmalleable commitments. SIAM J. Comput. 37(6), 1891–1925 (2008)

    MathSciNet  Article  Google Scholar 

  38. R. Pass, A. Rosen, New and improved constructions of nonmalleable cryptographic protocols. SIAM J. Comput. 38(2), 702–752 (2008)

    MathSciNet  Article  Google Scholar 

  39. R. Pass, H. Wee, Black-box constructions of two-party protocols from one-way functions, in TCC (2009), pp. 403–418

  40. J.-J. Quisquater, D. Samyde, Electromagnetic analysis (EMA): measures and counter-measures for smart cards, in E-smart (2001), pp. 200–210

  41. A. Srinivasan, P.N. Vasudevan, Leakage resilient secret sharing and applications, in CRYPTO (2019), pp. 480–509

  42. A.C.-C. Yao, How to generate and exchange secrets (extended abstract), in FOCS (1986), pp. 162–167

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Susumu Kiyoshima.

Additional information

Communicated by Alon Rosen.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is based on an earlier article: Constant-round Leakage-resilient Zero-knowledge from Collision Resistance, in Proceedings of EUROCRYPT 2016, ©IACR 2016, Parts of this work were done while the author was a member of NTT Secure Platform Laboratories.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kiyoshima, S. Constant-Round Leakage-Resilient Zero-Knowledge from Collision Resistance. J Cryptol 35, 16 (2022).

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI:


  • zero-knowledge
  • leakage resilience
  • non-black-box simulation
  • instance-dependent commitment