
ZK-PCPs from Leakage-Resilient Secret Sharing

Abstract

Zero-Knowledge PCPs (ZK-PCPs; Kilian, Petrank, and Tardos, STOC ‘97) are PCPs with the additional zero-knowledge guarantee that the view of any (possibly malicious) verifier making a bounded number of queries to the proof can be efficiently simulated up to a small statistical distance. Similarly, ZK-PCPs of Proximity (ZK-PCPPs; Ishai and Weiss, TCC ‘14) are PCPPs in which the view of an adversarial verifier can be efficiently simulated with few queries to the input. Previous ZK-PCP constructions obtained an exponential gap between the query complexity q of the honest verifier and the bound \(q^*\) on the queries of a malicious verifier (i.e., \(q={\mathsf {poly}}\log \left( q^*\right) \)), but required either exponential-time simulation or adaptive honest verification. This should be contrasted with standard PCPs, which can be verified non-adaptively (i.e., with a single round of queries to the proof). The problem of constructing such ZK-PCPs, even when \(q^*=q\), has remained open since they were first introduced more than 2 decades ago. This question is also open for ZK-PCPPs, for which no construction with non-adaptive honest verification is known (not even with exponential-time simulation). We resolve this question by constructing the first ZK-PCPs and ZK-PCPPs which simultaneously achieve efficient zero-knowledge simulation and non-adaptive honest verification. Our schemes have a square-root query gap, namely \(q^*/q=O\left( \sqrt{n}\right) \), where n is the input length. Our constructions combine the “MPC-in-the-head” technique (Ishai et al., STOC ‘07) with leakage-resilient secret sharing. Specifically, we use the MPC-in-the-head technique to construct a ZK-PCP variant over a large alphabet, then employ leakage-resilient secret sharing to design a new alphabet reduction for ZK-PCPs which preserves zero-knowledge.


Notes

  1. We stress that a larger gap is preferable to a smaller one, since it means the proof can be verified with few queries, while guaranteeing zero-knowledge even when a malicious verifier makes many more queries (compared to the honest verifier).

  2. In this context, we note that if one only requires ZK against the honest verifier, then non-adaptive ZK-PCPs and ZK-PCPPs are known. (This is implicit in [26, 28] for ZK-PCPs and ZK-PCPPs respectively, via standard soundness amplification.) Consequently, our non-adaptive ZK-PCPs and ZK-PCPPs (with ZK against malicious verifiers) do not improve the round complexity in applications that only require ZK against the honest verifier (e.g., the ZK arguments of [24], and the commit-and-prove protocols of [26]).

  3. We note that several PCP constructions (e.g., [17]) use more elaborate alphabet reduction techniques for efficiency reasons (in particular, their goal is to achieve quasi-linear length proofs with \(O\left( 1\right) \) query complexity and a constant soundness error). A \(\log \left| {\Sigma }\right| \) blowup is less significant in the context of zero-knowledge PCPs, where the query complexity is anyway \(\omega \left( 1\right) \) since we wish to have a negligible soundness error.

  4. Due to some technical issues, the construction is actually somewhat more involved; see Sect. 5 for the construction and further details.

  5. In fact, \(\widehat{C}\) operates on encoded inputs; however, to simplify the discussion we disregard this at this point, and provide a more accurate discussion in Sect. 2.2.2.

  6. Specifically, Decatur et al. [16] construct a linear code \(C\subseteq \{0,1\}^n\) with constant rate and probing-resilience against a constant fraction of leaked bits (as noted above, such codes are known as ZK codes). It was observed in [4, Lemma 2] that linear ZK codes are also equivocal.

  7. An example of such a protocol is the variant of the BGW protocol [8] presented in [13, Theorem 5.2].

  8. Namely, there are \(\binom{t/2}{k}\) ways of choosing k edges among the t/2 edges. Then, we choose either of the two vertices incident on the selected edges.

  9. In fact, as will be evident from the proof, it suffices that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is ZK against non-adaptive malicious verifiers.

  10. We note that [31] do not consider strongly correct secret sharing schemes, but their Shamir-based scheme is strongly correct because Shamir’s scheme is strongly correct (see discussion in Sect. 3.3).

  11. We stress that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is non-adaptive in the sense that the honest verifier is non-adaptive, but ZK holds against possibly adaptive verifiers.

  12. Notice that this step uses the fact that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is ZK against possibly adaptive verifiers.

  13. In fact, as will be evident from the proof, it suffices that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is ZK against non-adaptive malicious verifiers.

  14. We stress that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is non-adaptive in the sense that the honest verifier is non-adaptive, but ZK holds against possibly adaptive verifiers.

References

  1. D. Aggarwal, I. Damgård, J.B. Nielsen, M. Obremski, E. Purwanto, J.L. Ribeiro, M. Simkin, Stronger leakage-resilient and non-malleable secret sharing schemes for general access structures, in CRYPTO, Proceedings, Part II (2019), pp. 510–539

  2. S. Arora, C. Lund, R. Motwani, M. Sudan, M. Szegedy, Proof verification and hardness of approximation problems, in FOCS, Proceedings (1992), pp. 14–23

  3. S. Arora, S. Safra, Probabilistic checking of proofs; A new characterization of NP, in FOCS, Proceedings (1992), pp. 2–13

  4. M. Ball, D. Dachman-Soled, S. Guo, T. Malkin, L.-Y. Tan, Non-malleable codes for small-depth circuits, in FOCS (2018), pp. 826–837

  5. F. Benhamouda, A. Degwekar, Y. Ishai, T. Rabin, On the local leakage resilience of linear secret sharing schemes, in CRYPTO, Proceedings (2018), pp. 531–561

  6. M. Ball, D. Dachman-Soled, M. Kulkarni, T. Malkin, Non-malleable codes for bounded depth, bounded fan-in circuits, in EUROCRYPT (2016), pp. 881–908

  7. E. Ben-Sasson, O. Goldreich, P. Harsha, M. Sudan, S.P. Vadhan, Robust PCPs of proximity, shorter PCPs and applications to coding, in STOC, Proceedings (2004), pp. 1–10

  8. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in STOC (1988), pp. 1–10

  9. E. Ben-Sasson, M. Sudan, Short PCPs with polylog query complexity. SIAM J. Comput., 38(2), 551–607 (2008)

  10. R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, T. Malkin, On adaptive vs. non-adaptive security of multiparty protocols, in EUROCRYPT, Proceedings (2001), pp. 262–279

  11. S.G. Choi, D. Dachman-Soled, T. Malkin, H. Wee, Black-box construction of a non-malleable encryption scheme from any semantically secure one, in TCC (2008), pp. 427–444

  12. S.G. Choi, D. Dachman-Soled, T. Malkin, H. Wee, A black-box construction of non-malleable encryption from semantically secure encryption. J. Cryptol., 31(1), 172–201 (2018)

  13. R. Cramer, I. Damgård, J.B. Nielsen, Secure Multiparty Computation and Secret Sharing (Cambridge University Press, 2015)

  14. F. Davì, S. Dziembowski, D. Venturi, Leakage-resilient storage, in SCN, Proceedings (2010), pp. 121–137

  15. S.E. Decatur, O. Goldreich, D. Ron, A probabilistic error-correcting scheme. IACR Cryptol. ePrint Arch., 1997, 5 (1997)

  16. S.E. Decatur, O. Goldreich, D. Ron, Computational sample complexity. SIAM J. Comput., 29(3), 854–879 (1999)

  17. I. Dinur, The PCP theorem by gap amplification, in STOC, Proceedings (2006), pp. 241–250

  18. S. Dziembowski, K. Pietrzak, Intrusion-resilient secret sharing, in FOCS, Proceedings (2007), pp. 227–237

  19. I. Dinur, O. Reingold, Assignment testers: towards a combinatorial proof of the PCP-theorem, in FOCS, Proceedings (2004), pp. 155–164

  20. V. Goyal, A. Kumar, Non-malleable secret sharing, in STOC, Proceedings (2018), pp. 685–698

  21. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof-systems (extended abstract), in STOC, Proceedings (1985), pp. 291–304

  22. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge from secure multiparty computation, in STOC, Proceedings (2007), pp. 21–30

  23. Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput., 39(3), 1121–1152 (2009)

  24. Y. Ishai, M. Mahmoody, A. Sahai, On efficient zero-knowledge PCPs, in TCC, Proceedings (2012), pp. 151–168

  25. Y. Ishai, A. Sahai, M. Viderman, M. Weiss, Zero knowledge LTCs and their applications, in RANDOM, Proceedings (2013), pp. 607–622

  26. Y. Ishai, M. Weiss, Probabilistically checkable proofs of proximity with zero-knowledge, in TCC, Proceedings (2014), pp. 121–145

  27. Y. Ishai, M. Weiss, G. Yang, Making the best of a leaky situation: zero-knowledge PCPs from leakage-resilient circuits, in TCC, Proceedings (2016), pp. 3–32

  28. J. Kilian, E. Petrank, G. Tardos, Probabilistically checkable proofs with zero knowledge, in STOC, Proceedings (1997), pp. 496–505

  29. T. Mie, Short PCPPs verifiable in polylogarithmic time with \(O(1)\) queries. Ann. Math. Artif. Intell., 56(3–4), 313–338 (2009)

  30. A. Shamir, How to share a secret. Commun. ACM, 22(11), 612–613 (1979)

  31. A. Srinivasan, P.N. Vasudevan, Leakage resilient secret sharing and applications, in CRYPTO, Proceedings (2019), pp. 480–509

  32. M. Weiss, Secure Computation and Probabilistic Checking. PhD Thesis (2016)


Acknowledgements

We thank the anonymous ITC‘21 reviewers for their helpful comments, in particular for pointing out the connection to RPEs and noting that the ZK code of [16, Theorem 2.2] is equivocal. The first and third authors are supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. The first author is supported by ISF grant No. 1316/18. The first and second authors are supported by DARPA under Contract No. HR001120C0087. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

Author information

Correspondence to Mor Weiss.

Additional information

Communicated by Amit Sahai.


About this article


Cite this article

Hazay, C., Venkitasubramaniam, M. & Weiss, M. ZK-PCPs from Leakage-Resilient Secret Sharing. J Cryptol 35, 23 (2022). https://doi.org/10.1007/s00145-022-09433-3


Keywords

  • Zero knowledge
  • Probabilistically checkable proofs
  • Leakage resilience
  • Secret sharing
  • Probabilistically checkable proofs of proximity
  • Secure multi-party computation