Abstract
The Fiat-Shamir (FS) transform is a popular technique for obtaining practical zero-knowledge argument systems. The FS transform uses a hash function to generate, without any further overhead, non-interactive zero-knowledge (NIZK) argument systems from public-coin honest-verifier zero-knowledge (public-coin HVZK) proof systems. In the proof of zero knowledge, the hash function is modeled as a programmable random oracle (PRO).
In TCC 2015, Lindell embarked on the challenging task of obtaining a similar transform with improved heuristic security. Lindell showed that, for several interesting and practical languages, there exists an efficient transform in the non-programmable random oracle (NPRO) model that also uses a common reference string (CRS). A major contribution of Lindell’s transform is that zero knowledge is proved without random oracles and this is an important step towards achieving efficient NIZK arguments in the CRS model without random oracles.
In this work, we analyze the efficiency and generality of Lindell’s transform and notice a significant gap when compared with the FS transform. We then propose a new transform that aims at filling this gap. Indeed our transform is almost as efficient as the FS transform and can be applied to a broad class of public-coin HVZK proof systems. Our transform requires a CRS and an NPRO in the proof of soundness, similarly to Lindell’s transform.
Keywords
- Non-interactive Zero-knowledge (NIZK)
- NIZK Argument
- Honest-verifier Zero-knowledge (HVZK)
- Non-programmable Random Oracle (NPRO)
- Efficient NIZK
1 Introduction
Non-interactive zero-knowledge (NIZK) proofs, introduced in [5, 6, 24], are widely used in Cryptography. Such proofs allow a prover to convince a verifier, with just one message, of the membership of an instance x in a language L without leaking any additional information. NIZK proofs are not possible without a setup assumption, and the one proposed initially in [5] is the existence of a Common Reference String (CRS) received as input by both the prover and the verifier. The CRS model has been the standard setup for NIZK in the last 25 years. Another setup that has been proposed in the literature is the existence of registered public keys [2, 13, 21].
Starting with the breakthrough of [29, 30] we know that NIZK proofs in the CRS model exist for any \(\mathtt{{NP}}\) language with the additional appealing feature of using just one CRS for any polynomial number of proofs. Moreover NIZK proofs and their stronger variations [23, 39, 48] have been shown to be not only interesting for their original goal of being a non-interactive version of classic zero-knowledge (ZK) proofs [36, 37], but also because they are powerful building blocks in many applications (e.g., for CCA encryption [45], ZAPs [27, 28]).
Efficient NIZK. Generic constructions of NIZK proofs are rather inefficient since they require first computing an NP reduction and then applying the NIZK proof for a given NP-complete language to the instance output by the reduction. Significant progress in efficiency was made in [40], where several techniques were proposed to obtain efficient NIZK proofs in bilinear groups.
The most popular use of NIZK proofs in real-world scenarios consists of taking an efficient interactive public-coin honest-verifier zero-knowledge (HVZK) proof system and turning it into a NIZK argument through the so-called Fiat-Shamir (FS) transform [31]. The FS transform replaces the verifier by calls to a hash function on input the transcript so far. In the random oracle (RO) model [3] the hash function can only be evaluated through calls to an oracle that answers as a random function. The security proof allows the simulator for HVZK to program the RO (i.e., the simulator decides how to answer a query), and this makes it possible to convert the entire transcript of a public-coin HVZK proof into a single message that is indistinguishable from the single message computed by an honest NIZK prover. The efficiency of the FS transform led to many practical applications. The transform is also a method to obtain signatures of knowledge, as discussed in [14].
The main disadvantage of the FS transform is that the random oracle methodology has been proved to be unsound both in general [7] and for the specific case [4, 35] of turning identification schemes into signatures as considered in [31]. Nevertheless, the examples of constructions proved secure in the RO model and insecure for any concrete hash function are seemingly artificial, while no natural construction has been successfully attacked yet. Therefore the RO methodology remains widely used in practice.
The FS transform applied to 3-round HVZK proofs is one of the major uses of the RO model for real-world protocols; therefore any progress in this research direction (on the security of the transform, on its efficiency, or on its generality) is of extreme interest.
In [38] Groth showed an efficient transform for NIZK where soundness is proved requiring a programmable RO while no random oracle is needed to prove zero knowledge.
Efficient NIZK with Designated/Registered Verifiers. A first attempt to get efficient NIZK arguments from some restricted class of 3-round public-coin HVZK proofs without ROs was made by [21] (the proof of soundness required complexity leveraging) and later by [13], which achieved a weaker form of soundness in the registered public-key model. The limitation of this model is that a NIZK proof can be verified only by a designated verifier (i.e., the proof requires a secret known to the verifier). Moreover there is an inconvenient preliminary registration phase where the verifier has to register her public key.
Lindell’s Transform. Very recently, in [43], Lindell proposed a very interesting transform that can be seen as an attempt towards obtaining efficient constructions without random oracles. Starting from a \({\varSigma \text {-protocol}}\) for a language L (i.e., a special type of 3-round public-coin HVZK proof already used in several efficient constructions of zero knowledge [1, 10, 19, 25, 44, 46, 49, 51, 54]), Lindell shows how to construct an efficient NIZK argument system for L in the CRS model. There are two major advantages of Lindell’s transform with respect to the FS transform. First, in Lindell’s transform the proof of ZK does not need the existence of a random oracle, and this avoids some issues due to protocol composition [52]. We remark that the proof of ZK for Lindell’s transform needs a CRS, but this is unavoidable as one-round ZK in the plain model is possible only for trivial languages. Second, the soundness of Lindell’s transform can be proved by relying on a non-programmable random oracle (NPRO). An NPRO is a RO that in the protocol and in the security proofs can be used only as a black box and cannot be programmed by a simulator or by the adversary of a reduction. This is a considerable advantage compared to the FS transform, since replacing a RO by an NPRO is a step towards completely removing the need for ROs in a cryptographic construction. Indeed the work of Lindell goes precisely in the direction of solving a major open problem in Cryptography: obtaining an efficient RO-free transform for NIZK arguments to be used in place of the FS transform.
The main drawback of Lindell’s transform is that it requires extra computation on top of that needed to run the \({\varSigma \text {-protocol}}\) for the language L. In contrast, the FS transform does not incur any overhead on top of a 3-round public-coin HVZK proof for L. In addition, since 3-round public-coin HVZK proofs are potentially less demanding than \({\varSigma \text {-protocol}}\text {s}\), requiring a \({\varSigma \text {-protocol}}\) as the starting protocol for a transform instead of a public-coin HVZK proof may already result in an efficiency loss.
Lindell’s transform is based on a primitive named dual-mode (DM) commitment scheme (DMCS). A DMCS is based on a membership-hard language \(\varLambda \) and each specific commitment takes as input an instance \(\rho \) of \(\varLambda \) and has the following property: if \(\rho \not \in \varLambda \), the DM commitment is perfectly binding; on the other hand, if \(\rho \in \varLambda \), the DM commitment can be arbitrarily equivocated if a witness for \(\rho \in \varLambda \) is known. Moreover, the two modes are indistinguishable. Lindell showed that DMCSs can be constructed efficiently from \({\varSigma \text {-protocol}}\text {s}\) for membership-hard languages and also provided a concrete example based on the language of Diffie-Hellman tuples (DH). Then, Lindell’s transform shows how to combine DM commitments and \({\varSigma \text {-protocol}}\text {s}\) along with a hash function to obtain an efficient NIZK argument.
1.1 Our Results
In this paper, we continue the study of generic and efficient transforms from 3-round public-coin HVZK proofs to NIZK arguments.
We start by studying the generality and efficiency of Lindell’s transform in terms of the \({\varSigma \text {-protocol}}\) used for instantiating the DMCS (and in turn instantiating the CRS) and the \({\varSigma \text {-protocol}}\) to which the transform is applied. As a result, we point out a significant gap in generality and efficiency of Lindell’s transform compared to the FS transform.
Then we show an improved transform that is based on weaker requirements. Specifically, our transform only requires computational HVZK and optimal soundness instead of perfect special HVZK and special soundness. More interestingly and surprisingly, despite being based on weaker requirements, our transform is also significantly more efficient than Lindell’s transform and very close to the efficiency of the FS transform. We next discuss our contributions in more detail.
The Classes of \(\varSigma \)-protocols Needed in [43]. Lindell defines \({\varSigma \text {-protocol}}\text {s}\) as 3-round public-coin proofs that enjoy perfect special HVZK and special soundness. The former property means that the simulator, on input any valid statement x and challenge e, can compute (a, z) such that the triple (a, e, z) is perfectly indistinguishable from an accepting transcript where the verifier sends e as challenge. Special soundness instead means that from any two accepting transcripts (a, e, z) and \((a,e',z')\) for the same statement x that share the first message but have different challenges \(e \ne e'\), one can efficiently compute a witness w for \(x \in L\). Lindell in [42] shows a construction of a DMCS from any (defined as above) \({\varSigma \text {-protocol}}\) for a membership-hard language.
The Efficiency of Lindell’s Transform. Lindell’s transform uses a DMCS derived from a \({\varSigma \text {-protocol}}\,\varPi _{\varLambda }=(\mathcal {P}_{\varLambda },\mathcal {V}_{\varLambda })\) for language \(\varLambda \) whose commitment algorithm com works by running the simulator of \(\varPi _\varLambda \). The CRS contains an instance \(\rho \) of \(\varLambda \) along with the description of a hash function h. The argument produced by the NIZK \(\varPi =(\mathcal {P},\mathcal {V})\) for \(x \in L\), starting from a \({\varSigma \text {-protocol}}\,\varPi _L=(\mathcal {P}_{L},\mathcal {V}_{L})\) for L, is computed as a tuple \((a',e,z,r)\) where \(a'={\mathtt {com}}(a,r)\), \(e=h(x|a')\), and z is the 3rd round of \(\varPi _L\) answering the challenge e with a as first round. The verifier checks that \(a'\) is a commitment of a with randomness r, that e is the output of \(h(x|a')\) and that (a, e, z) is accepted by \(\mathcal {V}_{L}\).
As an example, in [43] Lindell discussed the use of the \({\varSigma \text {-protocol}}\) for the language DH for which the transform produces a very efficient NIZK proof; indeed the additional cost is of only 8 modular exponentiations: 4 to be executed by the prover and 4 by the verifier.
In this work we notice, however, that there is a caveat when analyzing the efficiency of Lindell’s transform. The caveat is due to the message space of the DMCS. Indeed, once the CRS is fixed, the maximum length of a message that can be committed to with only one execution of com is limited to the challenge length \(l_\varLambda \) of \(\varPi _\varLambda \). Therefore, in case the first round a of \(\varPi _L\) is much longer than \(l_\varLambda \), Lindell’s transform requires multiple executions of com, thus suffering a clear efficiency loss.
We show indeed in Tables 2 and 3 that Lindell’s transform can generate, in the resulting NIZK argument, a blow-up of the computation compared to what \(\mathcal {P}_L\) and \(\mathcal {V}_L\) actually do, and therefore compared to the FS transform.
Our Transform. In this paper, we present a different transform that is closer to the FS transform both on generality and on efficiency.
Our transform can be used to obtain a NIZK for any language L with a 3-round HVZK proof enjoying optimal soundness (i.e., a weaker soundness requirement compared to special soundness). The CRS can be instantiated based on any membership-hard language \(\varLambda \) with a 3-round HVZK proof enjoying optimal soundness. More specifically, we require neither perfect HVZK nor special HVZK for the involved \({\varSigma \text {-protocol}}\text {s}\). Moreover, instead of special soundness, we will just require that, for any false statement and any first round message a, there is at most one challenge c that can be answered correctly. This is clearly a weaker requirement than special soundness and was already used by [44].
Essentially we just need that both protocols \(\varPi _L\) and \(\varPi _\varLambda \) are 3-round public-coin HVZK proofs with optimal soundness. Our transform produces a NIZK argument \(\varPi =(\mathcal {P},\mathcal {V})\) that does not require multiple executions of \(\varPi _L\) and \(\varPi _\varLambda \) and, therefore, it remains efficient under any scenario without suffering from the previously discussed issue about challenge spaces in Lindell’s transform.
Techniques. We start by considering the FS transform in the NPRO model and by noticing that, as already claimed and proved in [53], if the original 3-round public-coin HVZK proof is witness indistinguishable (WI), then the transformed protocol is still WI, and of course the proof of WI is RO free.
Notice that, as in [43], \(\mathcal {P}\) and \(\mathcal {V}\) need a common hash function (modeled as an NPRO in the soundness proof) to run the protocol, and this can be enforced through a setup (i.e., a non-programmable CRS [47], or a global hash function [9]). The use of the FS transform in the NPRO model is not sufficient for our purposes. Indeed we want generality, and the HVZK proof might not be witness indistinguishable. Moreover we should make a witness available to the simulator. We solve this problem by using the OR composition of 3-round perfect HVZK proofs proposed in [18]. We will let the prover \(\mathcal {P}\) for NIZK prove that \(x \in L \vee \rho \in \varLambda \). We notice that in [18] the proposed OR composition is proved to guarantee WI only when applied to two instances of the same language having a public-coin perfect HVZK proof. We can avoid this limitation using a generalization already discussed in [32, 33] that allows the OR composition of different protocols for different languages relying on computational HVZK only.
1.2 Comparison
Here we compare the computational effort, both for the prover and the verifier, required to execute Lindell’s NIZK argument, our NIZK argument and the FS one. The properties of the three transforms are summarized in Table 1. The cost for the prover can be found in Table 2, while the one for the verifier can be found in Table 3. The comparison of the computational effort is performed with respect to three \({\varSigma \text {-protocol}}\text {s}\). Roughly speaking, in the comparisons, we consider the CRS to contain an instance of the language DH of Diffie-Hellman triples with respect to a 1024-bit prime \(p_\textsc {crs}\) and consider two \({\varSigma \text {-protocol}}\text {s}\): the one to prove that a triple is Diffie-Hellman with respect to a prime p, for which we consider the cases in which p is 1024-bit and 2048-bit long, and the \({\varSigma \text {-protocol}}\) for graph isomorphism (GI). For the \({\varSigma \text {-protocol}}\) for graph isomorphism, we count only the modular exponentiations and do not count other operations (e.g., random selection of a permutation and generation of the adjacency matrix of permuted graphs) since they are extremely efficient and clearly dominated by the cost of modular exponentiations. A detailed description of the \({\varSigma \text {-protocol}}\text {s}\) and of the way we measure the computational effort is found in Sect. 6.
The tables give evidence of the fact that while Lindell’s transform in some specific cases can replace the FS transform by paying a small overhead, in other cases there is a significant loss in performance. Our transform instead remains very close to the FS transform both when considering the amount of computation and when considering the generality of the protocols that can be given as input to the transform.
Which Protocols can be Given as Input to the Transform? We stress that our transform allows for additional proof systems to be used for instantiating the CRS and for obtaining a NIZK argument system. This is not only a theoretical progress. Indeed there exist efficient constructions such as the one of [51], which is a variation of the one of [44]. The construction of [51] is an efficient 3-round HVZK proof system with optimal soundness for a language L and is not a \({\varSigma \text {-protocol}}\) for the corresponding relation \({\mathcal {R}}_L\). For further details, see Appendix B.
2 HVZK Proof Systems and \(\varSigma \)-Protocols
We denote the security parameter by n and use “|” as concatenation operator (i.e., if a and b are two strings then by a|b we denote the concatenation of a and b). For a finite set S, \(x\leftarrow S\) denotes the algorithm that chooses x from S with uniform distribution.
A polynomial-time relation \({\mathcal {R}}\) (or polynomial relation, in short) is a subset of \(\{0, 1\}^*\times \{0,1\}^*\) such that membership of (x, w) in \({\mathcal {R}}\) can be decided in time polynomial in |x|. For \((x,w)\in {\mathcal {R}}\), we call x the instance and w a witness for x. For a polynomial-time relation \({\mathcal {R}}\), we define the NP-language \(L_{{\mathcal {R}}}\) as \(L_{{\mathcal {R}}}=\{x|\exists w: (x, w)\in {\mathcal {R}}\}\). We will model a random oracle as a random function \(\mathcal {O}:\{0,1\}^* \rightarrow \{0,1\}^n\). Analogously, unless otherwise specified, for an NP-language L we denote by \({\mathcal {R}}_L\) the corresponding polynomial-time relation (that is, \({\mathcal {R}}_L\) is such that \(L=L_{{\mathcal {R}}_L}\)).
We remark that for simplicity we will omit the modulus in modular arithmetic calculations.
For two interactive machines A and B, we denote by \(\langle A(\alpha ),B(\beta )\rangle (\gamma )\) the distribution of B’s output after running on private input \(\beta \) with A using private input \(\alpha \), both running on common input \(\gamma \). Typically, one of the two machines receives the security parameter \(1^n\) as input.
Definition 1
A pair of PPT interactive machines \((\mathcal {P}_L,\mathcal {V}_L)\) constitutes a proof system (resp., an argument system) for NP-language L, if the following conditions hold:
- Completeness. For every \(x\in L\) and w such that \((x,w)\in {\mathcal {R}}_L\), it holds:
  $$\begin{aligned} \text{ Prob }\left[ \;\langle \mathcal {P}_L(w,1^n), \mathcal {V}_L \rangle (x) =1\;\right] =1. \end{aligned}$$
- Soundness. For every interactive (resp., PPT interactive) machine \(\mathcal {P}_L^{\star }\), there exists a negligible function \(\nu \) such that for every \(x \notin L\) and every z:
  $$\begin{aligned} \text{ Prob }\left[ \;\langle \mathcal {P}_L^{\star }(z,1^n), \mathcal {V}_L \rangle (x) =1\;\right] \le \nu (n). \end{aligned}$$
An interactive protocol \(\varPi _L=(\mathcal {P}_L,\mathcal {V}_L)\) is public coin if, at every round, \(\mathcal {V}_L\) simply tosses a predetermined number of coins (random challenge) and sends the outcome to the prover.
In a 3-round public-coin protocol \(\varPi _L=(\mathcal {P}_L, \mathcal {V}_L)\) for an \(\mathtt{{NP}}\)-language L, \(\mathcal {P}_L\) and \(\mathcal {V}_L\) receive the common input x and, additionally, \(\mathcal {P}_L\) receives security parameter \(1^n\) in unary and w such that \((x,w)\in {\mathcal {R}}_L\) as private input. The interaction, with challenge length l, proceeds as follows:
The 3-round public-coin protocol \(\varPi _L\):
1. \(\mathcal {P}_L\), on input \(1^n,x\) and w, computes message a and sends it to \(\mathcal {V}_L\).
2. \(\mathcal {V}_L\) chooses a random challenge \(e \leftarrow \{0, 1\}^{l}\) and sends it to \(\mathcal {P}_L\).
3. \(\mathcal {P}_L\), on input x, w, e, and the randomness used to compute a, computes message z and sends it to \(\mathcal {V}_L\).
4. \(\mathcal {V}_L\) decides to accept or reject based on its view (i.e., (x, a, e, z)).
A triple (a, e, z) of messages exchanged during the execution of a 3-round proof (resp., argument) system is called a 3-round transcript. We say that a 3-round transcript (a, e, z) is an accepting transcript for x if the argument system \(\varPi _L\) instructs \(\mathcal {V}_L\) to accept based on the values (x, a, e, z). Two accepting 3-round transcripts (a, e, z) and \((a',e',z')\) for an instance x constitute a collision if \(a=a'\) and \(e \ne e'\).
Definition 2
A 3-round proof or argument system \(\varPi _L=(\mathcal {P}_L, \mathcal {V}_L)\) for NP-language L is Honest-Verifier Zero Knowledge (HVZK) if there exists a PPT simulator algorithm \(\mathsf {Sim}\) that takes as input security parameter \(1^n\) and instance \(x\in L\) and outputs an accepting transcript for x. Moreover, the distribution of the output of the simulator on input x is computationally indistinguishable from the distribution of the honest transcript obtained when \(\mathcal {V}_L\) and \(\mathcal {P}_L\) run \(\varPi _L\) on common input x and any private input w such that \((x,w)\in {\mathcal {R}}_L\).
If the transcripts are identically distributed we say that \(\varPi _L\) is perfect HVZK.
Definition 3
A 3-round public-coin proof system \(\varPi _L=(\mathcal {P}_L,\mathcal {V}_L)\) for language L with challenge length l enjoys optimal soundness if for every \(x\not \in L\) and for every first-round message a there is at most one challenge \(e\in \{0,1\}^{l}\) for which there exists a third-round message z such that (a, e, z) is accepting for x.
Note that any 3-round public-coin optimally sound proof system with challenge length l has soundness error \(2^{-l}\) [44].
Definition 4
A 3-round public-coin proof system \(\varPi _L=(\mathcal {P}_L, \mathcal {V}_L)\) with challenge length l is a \({\varSigma \text {-protocol}}\) for an \(\mathtt{{NP}}\)-language L if it enjoys the following properties:
- Completeness. If \((x,w)\in {\mathcal {R}}_L\) then all honest 3-round transcripts for (x, w) are accepting.
- Special Soundness. There exists an efficient algorithm \(\mathsf{Extract}\) that, on input x and a collision for x, outputs a witness w such that \((x,w)\in {\mathcal {R}}_L\).
- Special Honest Verifier Zero Knowledge (special HVZK). There exists a PPT simulator algorithm \(\mathsf {Sim}\) that takes as input security parameter \(1^n\), \(x\in L\) and \(e\in \{0,1\}^{l}\) and outputs an accepting transcript for x where e is the challenge. Moreover, for all l-bit strings e, the distribution of the output of the simulator on input (x, e) is perfectly indistinguishable from the distribution of the 3-round honest transcript obtained when \(\mathcal {V}_L\) sends e as challenge and \(\mathcal {P}_L\) runs on common input x and any private input w such that \((x,w)\in {\mathcal {R}}_L\).
Sometimes, we will abuse notation and say that a proof system or \({\varSigma \text {-protocol}}\) is for a polynomial relation \({\mathcal {R}}\) instead of referring to NP-language \(L_{\mathcal {R}}\).
It is easy to see that \({\varSigma \text {-protocol}}\text {s}\) enjoy optimal soundness. The converse, however, is not true. See Appendix B for an example of an optimal-sound 3-round public-coin proof system that does not enjoy special soundness (and is special perfect HVZK).
In order not to overburden the descriptions of protocols and simulators, we will omit the specification of the security parameter when it is clear from the context.
2.1 3-Round Public-Coin HVZK Proofs and WI
Following [33], for an NP-language L, we define \(\hat{L}\) to be the input language that includes both L and all false instances that are well formed and can be used by an adversarial prover in order to prove a false statement. More formally, \(L\subseteq \hat{L}\) and membership in \(\hat{L}\) can be tested in polynomial time. We implicitly assume that a verifier executes the protocol only if the common input \(x\in \hat{L}\); otherwise, it rejects immediately.
Definition 5
A 3-round public-coin proof system \(\varPi =(\mathcal {P}_L,\mathcal {V}_L)\) is Witness Indistinguishable (WI) for polynomial relation \({\mathcal {R}}\) if, for every malicious verifier \(\mathcal {V}^{\star }_L\), there exists a negligible function \(\nu \) such that for all x, w, \(w'\) with \((x, w)\in {\mathcal {R}}\) and \((x, w')\in {\mathcal {R}}\), it holds that:
The notion of a perfect WI 3-round proof system is obtained by requiring that \(\nu (n)=0\).
Sometimes we abuse the above definition and say that a proof system is WI for an NP-language L instead of referring to the associated polynomial relation \({\mathcal {R}}_L\).
We recall the following result.
Theorem 1
([18]). Every 3-round public-coin proof system with perfect HVZK for an NP-language L is perfect WI for \({\mathcal {R}}_L\).
2.2 Challenge Lengths of 3-Round HVZK Proofs
Challenge-Length Amplification. The challenge of a 3-round public-coin proof system with HVZK and optimal soundness can be extended through parallel repetition.
Lemma 1
Let \(\varPi _L\) be a 3-round public-coin proof system with optimal soundness for \(\mathtt{{NP}}\)-language L that enjoys perfect HVZK and has challenge length l. The protocol \(\varPi _L^k\) consisting of k parallel instances of \(\varPi _L\) is a 3-round public-coin proof system for L that enjoys perfect HVZK, has optimal soundness and has challenge length \(k\cdot l\).
Proof
HVZK is preserved by \(\varPi _L^k\) by the same arguments as in [18]. As for the optimal soundness of \(\varPi _L^k\), it is simple to see that if the protocol \(\varPi _L^k\) is not optimally sound then \(\varPi _L\) is not optimally sound either.
A similar lemma can be proved for a \({\varSigma \text {-protocol}}\) (as in [15, 16, 32]) for which HVZK is not perfect.
Challenge-Length Reduction. We now show that starting from any 3-round public-coin proof system that enjoys HVZK and has optimal soundness with challenge length l, one can construct a 3-round public-coin proof system that still enjoys HVZK and has optimal soundness but works with a shorter challenge. Moreover perfect HVZK is preserved. A similar transformation was shown in [20] for the case of \({\varSigma \text {-protocol}}\text {s}\) that are special perfect HVZK.
Lemma 2
Let \(\varPi _L\) be a HVZK 3-round public-coin proof system for L with optimal soundness and challenge length l. Then for every \(l'<l\), there exists a 3-round public-coin proof system \(\varPi '_L\) for L with HVZK and optimal soundness and challenge length \(l'\). Protocol \(\varPi '_L\) has the same efficiency as \(\varPi _L\) and, moreover, if \(\varPi _L\) is perfect HVZK so is \(\varPi '_L\).
Proof
Following is a description of \(\varPi '_L\).

Common input: instance x for an \(\mathtt{{NP}}\)-language L.

Private input of \(\mathcal {P}'_L\): w s.t. \((x,w) \in {\mathcal {R}}_L\).

The protocol \(\varPi '_L\):
1. \(\mathcal {P}'_L\) computes \(a\leftarrow \mathcal {P}_L(x, w)\) and sends it to \(\mathcal {V}'_L\);
2. \(\mathcal {V}'_L\) randomly chooses challenge \(e \leftarrow \{0,1\}^{l'}\) and sends it to \(\mathcal {P}'_L\);
3. \(\mathcal {P}'_L\) randomly chooses \(pad\leftarrow \{0,1\}^{(l-l')}\), sets \(e'=e|pad\), computes \(z\leftarrow \mathcal {P}_L(x,w,a,e')\) and sends \(z'=(z, pad)\) to \(\mathcal {V}'_L\);
4. \(\mathcal {V}'_L\) outputs the output of \(\mathcal {V}_L(x, a, e|pad, z)\).
Completeness follows directly from the completeness of \(\varPi \).
HVZK. We can consider the simulator \(\mathsf {Sim}'\) that, on input x, runs as follows:
1. run \((a,e', z) \leftarrow \mathsf {Sim}(x)\);
2. set pad equal to the last \(l-l'\) bits of \(e'\), and set e equal to the first \(l'\) bits of \(e'\);
3. output (a, e, (z, pad)).

Optimal soundness follows directly from the optimal soundness of \(\varPi \).

This concludes the proof.
The following theorem follows from Lemmas 1 and 2.
Theorem 2
Suppose NP-language L admits a HVZK 3-round public-coin proof system \(\varPi _L\) that has optimal soundness and challenge length l. Then for any \(l'>0\) there exists a HVZK 3-round public-coin proof system \(\varPi _L^\prime \) that has optimal soundness and challenge length \(l'\). If \(l'\le l\) then \(\varPi _L^{'}\) is as efficient as \(\varPi _L\). Otherwise the communication and computation complexities of \(\varPi _L^{'}\) are at most \(l'/l\) times the ones of \(\varPi _L\). Moreover, perfect HVZK is preserved.
2.3 3-Round Public-Coin HVZK Proofs for OR Composition of Statements
In this section we recall the construction of [18] that starts from a HVZK 3-round public-coin proof system \(\varPi _L\) for an NP-language L and constructs a HVZK 3-round public-coin proof system \(\varPi _{L\vee L}\) for the “OR” language of L; that is the NP-language \(L\vee L=\{(x_0,x_1): x_0\in L \vee x_1\in L\}.\) Below we give the descriptions of the prover \(\mathcal {P}_{L\vee L}\) and of the verifier \(\mathcal {V}_{L\vee L}\) of \(\varPi _{L \vee L}\). In the description, we let \(\mathsf {Sim}\) denote the simulator for \(\varPi _L\) and l denote the challenge length of \(\varPi _L\). We also let \(b\in \{0,1\}\) be such that w is a witness for \(x_b\in L\); that is, \((x_b,w)\in {\mathcal {R}}_L\).
- Common input: instances \(x_0,x_1\) for an \(\mathtt{{NP}}\)-language L.
- Private input of \(\mathcal {P}_{L\vee L}\): w s.t. \((x_0,x_1,w) \in \hat{{\mathcal {R}}}_{L\vee L}\).
- The protocol \(\varPi _{L\vee L}\):
  1. \(\mathcal {P}_{L \vee L}\) computes \(a_b\leftarrow \mathcal {P}_L(x_b,w)\), \((a_{1- b},e_{1-b},z_{1-b})\leftarrow \mathsf {Sim}(x_{1-b})\) and sends \((a_0,a_1)\) to \(\mathcal {V}_{L \vee L}\).
  2. \(\mathcal {V}_{L \vee L}\) chooses at random challenge \(e \leftarrow \{0,1\}^{l}\) and sends e to \(\mathcal {P}_{L\vee L}\).
  3. \(\mathcal {P}_{L \vee L}\) sets \(e_b=e\oplus e_{1-b}\), computes \(z_b\leftarrow \mathcal {P}_L(x_{b},w, a_b, e_{b})\) and outputs \(\left( (e_{0},e_{1}),(z_{0}, z_{1})\right) \).
  4. \(\mathcal {V}_{L \vee L} \left( (x_0,x_1),(a_0,a_1),e, ((e_0,e_1),(z_0,z_1))\right) \): \(\mathcal {V}_{L \vee L}\) accepts if and only if \(e=e_0\oplus e_1\) and \(\mathcal {V}_L(x_0,a_0,e_0,z_0)=1\) and \(\mathcal {V}_L(x_1,a_1,e_1,z_1)=1\).
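As an added illustration (not code from the paper), the OR composition above instantiated on the Schnorr \({\varSigma \text {-protocol}}\) for discrete logarithms, then collapsed into a single message with a Fiat-Shamir hash as sketched in Sect. 1.1; the group parameters are constructed toy values and SHA-256 stands in for the hash function modeled as an NPRO.

```python
"""Constructed toy instantiation of the OR composition of Sect. 2.3 on top of
the Schnorr Sigma-protocol for discrete logarithms, collapsed to a single
message with a Fiat-Shamir hash as sketched in Sect. 1.1.  The parameters are
toy values (an 11-bit prime) chosen only to make the mechanics visible."""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2*Q + 1; G = 2^2 generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4
L = 9  # challenge length in bits; 2**L <= Q, so distinct challenges stay distinct mod Q


def keygen():
    """Instance y = G^w mod P together with its witness w."""
    w = secrets.randbelow(Q)
    return pow(G, w, P), w


def schnorr_first():
    """Prover round 1: a = G^r mod P; r is kept as prover state."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), r


def schnorr_third(w, r, e):
    """Prover round 3: z = r + e*w mod Q."""
    return (r + e * w) % Q


def schnorr_verify(y, a, e, z):
    """Verifier: accept iff e is an L-bit challenge and G^z == a * y^e (mod P)."""
    return 0 <= e < 2 ** L and pow(G, z, P) == (a * pow(y, e, P)) % P


def schnorr_sim(y, e=None):
    """Special HVZK simulator: choose z first, then a = G^z * y^(-e) mod P."""
    if e is None:
        e = secrets.randbits(L)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(y, (Q - e) % Q, P)) % P  # y has order Q, so y^(Q-e) = y^(-e)
    return a, e, z


def or_first(x, w, b):
    """Step 1: real first message for x_b, simulated transcript for x_{1-b}."""
    a_b, r = schnorr_first()
    sim = schnorr_sim(x[1 - b])  # (a, e, z) for the instance whose witness is unknown
    a = [None, None]
    a[b], a[1 - b] = a_b, sim[0]
    return tuple(a), (r, sim)


def or_third(x, w, b, state, e):
    """Step 3: e_b = e XOR e_{1-b}; only the real instance is answered with w."""
    r, (_, e_sim, z_sim) = state
    e_b = e ^ e_sim
    es, zs = [None, None], [None, None]
    es[b], es[1 - b] = e_b, e_sim
    zs[b], zs[1 - b] = schnorr_third(w, r, e_b), z_sim
    return tuple(es), tuple(zs)


def or_verify(x, a, e, es, zs):
    """Step 4: e must split as e_0 XOR e_1 and both sub-transcripts must verify."""
    return (e == es[0] ^ es[1]
            and schnorr_verify(x[0], a[0], es[0], zs[0])
            and schnorr_verify(x[1], a[1], es[1], zs[1]))


def fs_challenge(x, a):
    """Fiat-Shamir challenge e = H(x|a), truncated to L bits (H modeled as an NPRO)."""
    msg = "|".join(str(v) for v in (*x, *a)).encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - L)


def nizk_prove(x, w, b):
    """One-message argument for x_0 in L or x_1 in L, knowing only the witness w for x_b."""
    a, state = or_first(x, w, b)
    es, zs = or_third(x, w, b, state, fs_challenge(x, a))
    return a, es, zs


def nizk_verify(x, proof):
    a, es, zs = proof
    return or_verify(x, a, fs_challenge(x, a), es, zs)


def demo():
    """Prover knows w_0 only (b = 0); tampering with e_0 breaks the XOR split."""
    y0, w0 = keygen()
    y1, _ = keygen()
    x = (y0, y1)
    proof = nizk_prove(x, w0, 0)
    a, es, zs = proof
    return nizk_verify(x, proof), nizk_verify(x, (a, (es[0] ^ 1, es[1]), zs))


if __name__ == "__main__":
    print(demo())  # (True, False)
```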
Theorem 3
([18, 33]). If \(\varPi _L\) is a HVZK 3-round public-coin proof system with optimal soundness for NP-language L then \(\varPi _{L\vee L}\) is a HVZK 3-round public-coin proof system with optimal soundness for NP-language \(L\vee L\) and is WI for polynomial-time relation
Moreover if \(\varPi _L\) is perfect HVZK then \(\varPi _{L\vee L}\) is perfect WI for polynomial-time relation
We remark that the results of [18, 33] are known to hold for \({\varSigma \text {-protocol}}\) s, but in the proof of WI they use only HVZK. Therefore their results also hold starting from a HVZK 3-round public-coin proof system with optimal soundness (and not necessarily special soundness), which is what we consider in the above theorem. Indeed we observe that \(\varPi _{L \vee L}\) has optimal soundness for the following reason. Suppose that \(\varPi _{L \vee L}\) does not enjoy optimal soundness. This means that for a false instance and the same first round \((a_0,a_1)\) there are two accepting conversations, namely:
with \(e\ne e'\). Then it must be the case that for some \(b=0\) or \(b=1\), \(e_b\ne e'_b\), and then \((a_b,e_b,z_b)\) and \((a_b,e'_b,z'_b)\) are two accepting transcripts with the same first round for the protocol \(\varPi _L\), and thus the optimal soundness of \(\varPi _L\) is violated.
It is possible to extend the above construction to handle two different \(\mathtt{{NP}}\)-languages \(L_0\), \(L_1\) that admit HVZK 3-round public-coin proof systems with optimal soundness. Indeed by Theorem 2, we can assume, without loss of generality, that \(L_0\) and \(L_1\) have 3-round public-coin proof systems \(\varPi _{L_0}\) and \(\varPi _{L_1}\) that are HVZK and have optimal soundness with the same challenge length. We can then apply the same construction outlined above to obtain a 3-round public-coin proof system \(\varPi _{L_0 \vee L_1}\) that enjoys HVZK and has optimal soundness for relation
We have the following theorem.
Theorem 4
If \(\varPi _{L_0}\) and \(\varPi _{L_1}\) are HVZK 3-round public-coin proof systems with optimal soundness for \(\mathtt{{NP}}\)-languages \(L_0\) and \(L_1\), then \(\varPi _{L_0 \vee L_1}\) is a HVZK 3-round public-coin proof system with optimal soundness for the NP-language \(L_0\vee L_1=\{(x_0,x_1): x_0\in L_0 \vee x_1\in L_1\}\) and is WI for polynomial-time relation
Moreover, if \(\varPi _{L_0}\) and \(\varPi _{L_1}\) are perfect HVZK then \(\varPi _{L_0\vee L_1}\) is perfect WI for polynomial-time relation \(\hat{{\mathcal {R}}}_{L\vee L}\).
3 Non-Interactive Argument Systems
Part of the definitions of this section are taken from [43].
Definition 6
A non-interactive argument system for an \(\mathtt{{NP}}\)-language L consists of three PPT machines \((\mathcal {CRS},\mathcal {P},\mathcal {V})\), that have the following properties:
- Completeness: for all \((x,w) \in {\mathcal {R}}_L\), it holds that:
  $$\begin{aligned} \text{ Prob }\left[ \;\sigma \leftarrow \mathcal {CRS}(1^n);\mathcal {V}(\sigma ,x,\mathcal {P}(\sigma ,x,w))=1\;\right] =1. \end{aligned}$$
- Adaptive Soundness: for every PPT function \(f:\{0,1\}^{poly(n)} \rightarrow \{0,1\}^n \setminus L\) and for every PPT prover \({ {\mathcal {P}}^\star }\), there exists a negligible function \(\nu \) such that for all n:
  $$\begin{aligned} \text{ Prob }\left[ \;\sigma \leftarrow \mathcal {CRS}(1^n);\mathcal {V}^\mathcal {O}(\sigma ,f(\sigma ),{ {\mathcal {P}}^\star }^{\mathcal {O}}(\sigma ))=1\;\right] \le \nu (n) \end{aligned}$$
  where \(\mathcal {O}:\{0,1\}^* \rightarrow \{0,1\}^n\) is a random function.
Definition 7
A non-interactive argument system is adaptive unbounded zero knowledge (NIZK) for an \(\mathtt{{NP}}\)-language L if there exists a PPT simulator S such that for every PPT function
for every polynomial \(p(\cdot )\) and for every PPT malicious verifier \({ {\mathcal {V}}^\star }\), there exists a negligible function \(\nu \) such that,
where \(f_1\) and \(f_2\) denote the first and second output of f, respectively, and \(R_f(\mathcal {P}^f(n,p))\) and \(S_f(n,p)\) denote the output from the following experiments.
Real proofs \(R_f(\mathcal {P}^f(n,p))\):
- \(\sigma \leftarrow \mathcal {CRS}(1^n)\): a common reference string is sampled.
- For \(i = 1, \dots , p(n)\) (initially \(\mathbf {x}\) and \(\mathbf {\pi }\) are empty):
  - \(x_i \leftarrow f_1(\sigma , \mathbf {x},\mathbf {\pi })\): the next statement \(x_i\) to be proven is chosen.
  - \(\pi _i \leftarrow \mathcal {P}(\sigma , f_1(\sigma , \mathbf {x},\mathbf {\pi }), f_2(\sigma , \mathbf {x},\mathbf {\pi }) )\): the i-th proof is generated.
  - set \(\mathbf {x}=x_1\dots x_i\) and \(\mathbf {\pi }=\pi _1\dots \pi _i\).
- output \((\sigma , \mathbf {x},\mathbf {\pi })\).
Simulation \(S_f(n,p)\):
- \(\sigma \leftarrow S (1^n)\): a common reference string is sampled.
- For \(i = 1, \dots , p(n)\) (initially \(\mathbf {x}\) and \(\mathbf {\pi }\) are empty):
  - \(x_i \leftarrow f_1(\sigma , \mathbf {x},\mathbf {\pi })\): the next statement \(x_i\) to be proven is chosen.
  - \(\pi _i \leftarrow S(x_i)\): simulator S generates a simulated proof \(\pi _i\) that \(x_i \in L\).
  - set \(\mathbf {x}=x_1\dots x_i\) and \(\mathbf {\pi }=\pi _1\dots \pi _i\).
- output \((\sigma , \mathbf {x},\mathbf {\pi })\).
Definition 8
A non-interactive argument system is adaptive unbounded witness indistinguishable (NIWI) for an \(\mathtt{{NP}}\)-language L if for every PPT adversary \({ {\mathcal {V}}^\star }\), for every PPT function
and for every polynomial \(p(\cdot )\), there exists a negligible function \(\nu \) such that
where \({\mathcal {R}}^{\wedge }_L=\{(x,w^0,w^1): (x,w^0)\in {\mathcal {R}}_L\wedge (x,w^1)\in {\mathcal {R}}_L\}\) and \(R_b^{\mathcal {P},f}\) is the following experiment. \(R_b^{\mathcal {P},f}(n,p)\):
- \(\sigma \leftarrow \mathcal {CRS}(1^n)\).
- For \(i=1,\ldots ,p(n)\) (initially \(\mathbf {x}\) and \(\mathbf {\pi }\) are empty):
  - \((x_i,w^0_i,w^1_i)\leftarrow f(\sigma ,\mathbf {x},\mathbf {\pi })\): statement \(x_i\) to be proven and witnesses \(w^0_i, w^1_i\) for \(x_i\) are generated.
  - \(\pi _i \leftarrow \mathcal {P}(\sigma ,x_i,w^b_i)\): the i-th proof is generated.
  - set \(\mathbf {x}=x_1\dots x_i\) and \(\mathbf {\pi }=\pi _1\dots \pi _i\).
- output \((\sigma ,\mathbf {x},\mathbf {\pi })\).
4 NIWI Argument Systems from 3-Round HVZK Proofs
In this section we discuss the FS transform in the NPRO model in order to obtain a NIWI argument system \(\varPi =(\mathcal {P},\mathcal {V})\) for a polynomial relation \({\mathcal {R}}_L\). We start from a 3-round public-coin WI HVZK proof system with optimal soundness \(\varPi _L=(\mathcal {P}_L,\mathcal {V}_L)\) for L. \(\mathcal {P}\) and \(\mathcal {V}\) have access to an NPRO \(H:\{0,1\}^*\rightarrow \{0,1\}^n\). We describe \(\varPi \) below and we assume that the challenge length of \(\varPi _L\) is the security parameter n.
- Common input: instance x for \(\mathtt{{NP}}\)-language L.
- Private input to \(\mathcal {P}\): w s.t. \((x,w)\in {\mathcal {R}}_L\).
- Common reference string: \(\mathcal {CRS}\) samples a key s for a hash function family H and sets \(\sigma =s\).
1. \(\mathcal {P}\rightarrow \mathcal {V}\): The prover \(\mathcal {P}\) executes the following steps:
   1.1. \(a\leftarrow \mathcal {P}_L(x,w)\);
   1.2. \(e\leftarrow H_s(x,a)\);
   1.3. \(z\leftarrow \mathcal {P}_L(x,w,a,e)\);
   1.4. send \(\pi =(a,e,z)\) to \(\mathcal {V}\).
2. \(\mathcal {V}\)'s output: \(\mathcal {V}\) outputs 1 if and only if \(\mathcal {V}_L(x,a,e,z)=1\) and \(e=H_s(x,a)\).
The following theorem was proved by Yung and Zhao in [53] (see Claim 1, page 4). For completeness, we provide a proof of the claim below.
Theorem 5
([53]). Let \(\varPi _L\) be a 3-round public-coin WI proof system for the polynomial relation \({\mathcal {R}}_L\). Then \(\varPi \) is adaptive WI for \({\mathcal {R}}_L\) in the CRS model.
Proof
We show that \(\varPi \) is adaptive WI for \({\mathcal {R}}_L\) through the following hybrids.
1. \(\mathcal {H}_1\) is the experiment \(R_0^{\mathcal {P},f}(n,p)\) (Definition 8), where \(\mathcal {P}\) for \(j=1,\dots ,p(n)\) executes \(\varPi \) and outputs \(\pi _j\) using the first of the two witnesses given in output by f.
2. \(\mathcal {H}_i\) (with \(i>0\)) differs from \(\mathcal {H}_1\) in the first i interactions, where \(\mathcal {P}\) executes \(\varPi \) using the second witness given in output by f. Namely: \(\mathcal {P}\) on input \((x_j,w_j^1)\) executes \(\varPi \) and outputs \(\pi _j\) using \(w^1_j\) for all j : \(1 \le j < i\). Instead, for the interactions \(i \le j < p(n)+1\), \(\mathcal {P}\) on input \((x_j,w_j^0)\) executes \(\varPi \) using \(w^{0}_j\) as a witness and outputs \(\pi _j\).
3. \(\mathcal {H}_{p(n)+1}\) is the experiment \(R_1^{\mathcal {P},f}(n,p)\) (Definition 8), where \(\mathcal {P}\) for \(j=1,\dots ,p(n)\) executes \(\varPi \) and outputs \(\pi _j\) using the second witness given in output by f.
\(\mathcal {H}_i \approx \mathcal {H}_{i+1}\): Suppose there exists a malicious adversary \(\mathcal {V}^{\star }\) that distinguishes between the experiments \(\mathcal {H}_i\) and \(\mathcal {H}_{i+1}\) with \(1\le i\le p(n)\), then we can show that there exists an adversary \(\mathcal {A}\) that breaks the WI property of \(\varPi _L\). The reduction works as follows.
1. For \(j=1,\dots ,i-1\), \(\mathcal {A}\) on input \((x_j, w^1_j)\) executes \(\varPi \) using \(w_j^1\) to obtain \(\pi _j\).
2. For \(j=i\), \(\mathcal {A}\) interacts with the WI challenger of \(\varPi _L\) as follows:
   (a) \(\mathcal {A}\) has on input \((x_j, w^0_j, w^1_j)\) and sends it to the challenger of WI;
   (b) the challenger computes and sends the first message \(a_j\) to \(\mathcal {A}\);
   (c) \(\mathcal {A}\) computes \(e_j=H_s(x_j,a_j)\) and sends it to the challenger of WI;
   (d) the challenger computes and sends \(z_j\) to \(\mathcal {A}\);
   (e) \(\mathcal {A}\) sends \(\pi _j=(a_j,e_j,z_j)\) to \(\mathcal {V}^{\star }\);
   (f) \(\mathcal {A}\) adds the theorem \(x_j\) to \(\mathbf {x}\) and the proof \(\pi _j\) to \(\mathbf {\pi }\).
3. For \(j=i+1,\dots ,p(n)\), \(\mathcal {A}\) on input \((x_j, w^0_j)\) executes \(\varPi \) using \(w_j^0\) to obtain \(\pi _j\).
4. Set \(\mathbf {x}=x_1,\dots ,x_{p(n)}\) and \(\mathbf {\pi }=\pi _1,\dots ,\pi _{p(n)}\). \(\mathcal {A}\) sends \(\mathbf {x}\) and \(\mathbf {\pi }\) to \(\mathcal {V}^{\star }\) and outputs what \(\mathcal {V}^{\star }\) outputs.
We now observe that if the challenger of WI has used the first witness we are in \(\mathcal {H}_i\), otherwise we are in \(\mathcal {H}_{i+1}\). It follows that \(R_0^{\mathcal {P},f}(n,p) \equiv \mathcal {H}_1 \approx \cdots \approx \mathcal {H}_{p(n)} \approx \mathcal {H}_{p(n)+1}\equiv R_1^{\mathcal {P},f}(n,p)\), which concludes the proof.
Adaptive Soundness. To prove soundness we follow [43] and use the fact that, for every function g, with a sufficiently large co-domain, relation \({\mathcal {R}}=\{(x,g(x))\}\) is evasive [8] in the NPRO model. A relation \({\mathcal {R}}\) is evasive if, given access to a random oracle \(\mathcal {O}\), it is infeasible to find a string x so that the pair \((x,\mathcal {O}(x))\in {\mathcal {R}}\).
Theorem 6
Let \(\varPi _L\) be a 3-round public-coin proof system with optimal soundness for the NP-language L, and let H be a non-programmable random oracle. Then \(\varPi \) is a non-interactive argument system with (adaptive) soundness for L in the NPRO model.
Proof
Completeness of \(\varPi \) follows from the completeness of \(\varPi _L\). Let \(\mathcal {O}\) be an NPRO. In order to prove the soundness of \(\varPi \) we use the fact that for any function g, the relation \({\mathcal {R}}=\{(x, g(x))\}\) is evasive. We define the function g s.t. \(g(x,a)=e\), where e is the challenge for which there exists z such that the transcript (a, e, z) is accepting for the instance x. If \(x \notin L\), by the optimal soundness property we have that for every a there is a single e for which there is some z so that (a, e, z) is accepting. Therefore g is a (well-defined) function, as required, and it follows that the relation \({\mathcal {R}}=\{((x,a),g(x,a))\}\) is evasive. Suppose that there exist a PPT function f and a malicious prover \({ {\mathcal {P}}^\star }\) such that \({ {\mathcal {P}}^\star }\) proves a false statement (i.e., \(\mathcal {V}^\mathcal {O}(\sigma ,f(\sigma ),{ {\mathcal {P}}^\star }^{\mathcal {O}}(\sigma ))=1\), where \(\sigma \leftarrow \mathcal {CRS}(1^n)\)) with non-negligible probability; then there is an adversary \(\mathcal {A}\) that finds (x, a) s.t. \(\mathcal {O}(x,a)=g(x,a)\) with non-negligible probability. The adversary \(\mathcal {A}\) works as follows. First, it runs \(\sigma \leftarrow \mathcal {CRS}(1^n)\). Then it runs \((x,a,e,z)\leftarrow { {\mathcal {P}}^\star }(\sigma )\). Finally it outputs \((x,\mathcal {O}(x,a))\). From the contradicting assumption we know that \(\mathcal {V}^\mathcal {O}(\sigma ,f(\sigma ),(a,e,z))=1\) with non-negligible probability. This implies that the transcript \((a,\mathcal {O}(x,a),z)\) is accepting with non-negligible probability. Since \(x \notin L\), there exists only one e for which (a, e, z) is accepting for some z. Therefore, with non-negligible probability it holds that \(\mathcal {O}(x,a)=e\) (i.e., \(\mathcal {O}(x,a)=g(x,a)\)), and this contradicts the evasiveness of \({\mathcal {R}}\) in the NPRO model.
5 Our Transform: NIZK from HVZK
From the previous section we know that if we have a 3-round HVZK proof system with optimal soundness \(\varPi _{L \vee \varLambda }=(\mathcal {P}_{L \vee \varLambda }, \mathcal {V}_{L \vee \varLambda })\) for polynomial relation
that is also WI for polynomial relation
we can apply the FS transform to make it non-interactive still preserving WI and soundness. To run the protocol a common hash function is needed and such a function is modeled as an NPRO in the proof of soundness.
Here we make use of the above result in order to transform a 3-round HVZK proof system with optimal soundness for an \(\mathtt{{NP}}\)-language L into a NIZK argument for L in the CRS model using an NPRO in the proof of soundness. The transformed NIZK argument \(\varPi =(\mathcal {P},\mathcal {V})\) is described below.
- Common input: instance x for an \(\mathtt{{NP}}\)-language L.
- Private input of \(\mathcal {P}\): w s.t. \((x,w) \in {\mathcal {R}}_{L}\).
- Common reference string: \(\mathcal {CRS}\) on input \(1^n\) runs \(\rho \leftarrow S_{\varLambda }(1, 1^n)\), where \(\varLambda \) is a membership-hard language, and samples a key s for a hash function family H. Then it sets \(\sigma =(\rho ,s)\).
- \(\mathcal {P}\rightarrow \mathcal {V}\): \(\mathcal {P}\) executes the following steps:
  1. \(a \leftarrow \mathcal {P}_{L \vee \varLambda }((x,\rho ),w)\);
  2. \(e \leftarrow H_s(x,a)\);
  3. \(z \leftarrow \mathcal {P}_{L \vee \varLambda }((x,\rho ),w,a,e)\);
  4. send \(\pi =(a,e,z)\) to \(\mathcal {V}\).
- \(\mathcal {V}\)'s output: \(\mathcal {V}\) accepts if and only if \(\mathcal {V}_{L \vee \varLambda }((x,\rho ),a,e,z)=1\) and \(e=H_s(x,a)\).
In our construction we suppose that the challenge length of \(\varPi _\varLambda \) is n, where n denotes the security parameter. Therefore, to use the OR composition of [18], we need to consider a 3-round public-coin proof system with HVZK and optimal soundness \(\varPi _L\) for \({\mathcal {R}}_L\) that has challenge length n (and therefore soundness error \(2^{-n}\)). This is not a problem because we can use Theorem 2 to transform every 3-round public-coin proof system with HVZK and optimal soundness with challenge length \(n'\) (where \(n' \ne n\)) into another one with challenge length n. More precisely, if \(n'>n\) we can use Lemma 2 to reduce \(n'\) to n almost for free. If \(n'<n\) we need to use Lemma 1, and therefore we have to run multiple executions of \(\varPi _L\) to apply the OR composition of [18]. Notice that this potential computational effort is implicit also in the FS transform and in Lindell’s transform. Indeed if the original 3-round public-coin proof system with HVZK and optimal soundness has just a one-bit (or in general a short) challenge then clearly the resulting NIZK is not sound. Therefore the parallel repetition of the 3-round public-coin proof system with HVZK and optimal soundness is required before applying the transform in order to reduce the soundness error (see Sect. 2.2).
Theorem 7
Let \(\varPi _{L \vee \varLambda }\) be a 3-round public-coin proof system for polynomial relation \(\hat{{\mathcal {R}}}_{L\vee \varLambda }\) that is WI for polynomial relation \({\mathcal {R}}_{L\vee \varLambda }\). Then \(\varPi \) is zero knowledge for \({\mathcal {R}}_L\) in the CRS model.
Proof
The simulator S works as follows:
1. S on input \(1^n\) runs \((\rho ,\omega )\leftarrow S_{\varLambda }(0, 1^n)\), samples a key s for a hash function, sets \(\sigma =\{\rho , s\}\) and outputs \(\sigma \).
2. S on input \(\sigma ,\omega \) and \(x_i\) (for every \(i=1,\dots ,{p(n)}\)) computes \(a \leftarrow \mathcal {P}_{L\vee \varLambda }((x_i,\rho ),\omega )\), \(e \leftarrow H_s(x_i,a)\) and \(z \leftarrow \mathcal {P}_{L\vee \varLambda }((x_i,\rho ),\omega ,a,e)\). It outputs \(\pi _i= (a,e,z)\).
We show that the output of S is computationally indistinguishable from a real transcript given in output by \(\mathcal {P}\) in a real execution of \(\varPi \) through the following hybrid games.
1. \(\mathcal {H}_0\) is the experiment \(R_f( \mathcal {P}^f(n,p))\) (Definition 7).
2. \(\mathcal {H}_1\) differs from \(\mathcal {H}_0\) in the way that \(\rho \) is generated. Indeed in \(\mathcal {H}_1\) we have that \(\rho \) is computed by running \(S_{\varLambda }(0, 1^n)\). The second output \(\omega \) of \(S_{\varLambda }\) is not used. Clearly \(\mathcal {H}_0\) and \(\mathcal {H}_1\) are indistinguishable, otherwise the membership-hard property of \(\varLambda \) would be contradicted. More details on this reduction will be given below.
3. \(\mathcal {H}_2\) differs from \(\mathcal {H}_1\) just in the witness used by \(\mathcal {P}_{L\vee \varLambda }\). Indeed now \(\omega \) is used as witness. The WI property of \(\varPi _{L \vee \varLambda }\) guarantees that \(\mathcal {H}_2\) cannot be distinguished from \(\mathcal {H}_1\). More details on this reduction will be given below. Notice that \(\mathcal {H}_2\) corresponds to the simulation.
\(\mathcal {H}_0 \approx \mathcal {H}_1\): If there exists a malicious verifier \({ {\mathcal {V}}^\star }\) that distinguishes between \(\mathcal {H}_0\) and \(\mathcal {H}_1\), then there exists an adversary \(\mathcal {A}\) that breaks the membership-hard property of \(\varLambda \). The reduction works as follows.
1. \(\mathcal {A}\) queries the challenger of \(S_{\varLambda }\), which sends back \(\rho \).
2. \(\mathcal {A}\) samples a key s for a hash function family H and sets \(\sigma =\{\rho ,s\}\).
3. \(\mathcal {A}\) on input \((x_i,w_i)\in {\mathcal {R}}_L\) for \(i=1,\dots ,p(n)\) computes the following steps:
   3.1. compute \(a_i \leftarrow \mathcal {P}_{L\vee \varLambda }((x_i,\rho ),w_i)\);
   3.2. compute \(e_i \leftarrow H_s(x_i,a_i)\);
   3.3. compute \(z_i \leftarrow \mathcal {P}_{L\vee \varLambda }((x_i,\rho ),w_i,a_i,e_i)\);
   3.4. set \(\pi _i=(a_i,e_i,z_i)\);
   3.5. set \(\mathbf {x}=x_1,\dots ,x_i\) and \(\mathbf {\pi }=\pi _1,\dots ,\pi _i\).
4. \(\mathcal {A}\) sends \(\sigma , \mathbf {x},\mathbf {\pi }\) to \(\mathcal {V}^{\star }\).
5. \(\mathcal {A}\) outputs the output of \({ {\mathcal {V}}^\star }\).
We now observe that if the challenger of a sampling algorithm \(S_{\varLambda }\) sends \(\rho \notin \varLambda \) we are in \(\mathcal {H}_0\) otherwise we are in \(\mathcal {H}_1\). This implies that \(\mathcal {H}_0 \approx \mathcal {H}_1\).
\(\mathcal {H}_1 \approx \mathcal {H}_2\) : If there exists a distinguisher \({ {\mathcal {V}}^\star }\) that distinguishes between \(\mathcal {H}_1\) and \(\mathcal {H}_2\), then there exists an adversary \(\mathcal {A}\) against the adaptive NIWI property of \(\varPi _{L \vee \varLambda }\), therefore contradicting Theorem 5. The reduction works as follows.
1. \(\mathcal {A}\) runs \((\rho , \omega )\leftarrow S_{\varLambda }(0, 1^n)\), samples a key s for a hash function and sets \(\sigma =\{\rho ,s\}\).
2. \(\mathcal {A}\) has on input a PPT function \(f=(f_1,f_2)\) and defines \(f'=(f'_1, f'_2)\) as follows: \(f'(\sigma , \mathbf {t},\mathbf {\pi })\) on input a CRS \(\sigma \), a vector of theorems \(\mathbf {t}=(x_1,\rho ),\dots ,(x_{p(n)},\rho )\) and a vector of proofs \(\mathbf {\pi }=\pi _1,\dots ,\pi _{p(n)}\) returns \((f_1(\sigma , \mathbf {x},\mathbf {\pi }), \rho ), (f_2(\sigma , \mathbf {x},\mathbf {\pi }), \omega )\).
3. \(\mathcal {A}\) interacts with the challenger of adaptive NIWI, using \(f'\), in order to obtain \(x_i\), \(\pi _i=\{a_i,e_i,z_i\}\), for \(i=1,\dots ,p(n)\).
4. \(\mathcal {A}\) sets \(\mathbf {x}=x_1,\dots ,x_{p(n)}\) and \(\mathbf {\pi }=\pi _1,\dots ,\pi _{p(n)}\).
5. \(\mathcal {A}\) sends \(\sigma , \mathbf {x},\mathbf {\pi }\) to \({ {\mathcal {V}}^\star }\) and outputs the output of \({ {\mathcal {V}}^\star }\).
We now observe that if the challenger of NIWI chooses the first witness \(w_i\) we are in \(\mathcal {H}_1\), otherwise we are in \(\mathcal {H}_2\). This implies that \(\mathcal {H}_1 \approx \mathcal {H}_2\). We can thus conclude that \(\mathcal {H}_0 \approx \mathcal {H}_1 \approx \mathcal {H}_2\), and therefore the output of S is computationally indistinguishable from a real transcript.
Theorem 8
Let \(\varPi _{L\vee \varLambda }\) be a 3-round public-coin HVZK proof system with optimal soundness for relation \({\mathcal {R}}_{L\vee \varLambda }\), and WI for relation \(\hat{{\mathcal {R}}}_{L\vee \varLambda }\), and let H be an NPRO. Then, \(\varPi \) is a non-interactive argument system with adaptive soundness for the relation \({\mathcal {R}}_L\) in the CRS model using the NPRO model for soundness.
Proof
The completeness of \(\varPi \) follows from the completeness of \(\varPi _{L\vee \varLambda }\). In order to prove adaptive soundness we notice that an adversarial prover proving a false statement “\(x \in L\)” can be directly reduced to an adversarial prover proving a false statement for \(\varPi _{L\vee \varLambda }\) in the NPRO model, which contradicts Theorem 6. Indeed the only subtlety worth noting is that when the adversarial prover runs the protocol, the statement “\(\rho \in \varLambda \)” stored in the CRS is false; therefore, if the instance “\(x \in L\)” proved by the prover is also false, then the OR composition of the two statements is false as well.
6 Details on Some \(\varSigma \)-Protocols
First of all we need to briefly introduce two \({\varSigma \text {-protocol}}\)s, one to prove that a tuple is a DH tuple (\(\varPi _{\mathcal {DH}}\) [41]), and the other one to prove that two graphs are isomorphic (\(\varPi _\mathcal {GH}\) [34]). Our comparison assumes that the CRS is a DH tuple \(((G_\textsc {crs}, q_\textsc {crs}, p_\textsc {crs}, g_\textsc {crs}),A_\textsc {crs},B_\textsc {crs},C_\textsc {crs})\) with \(p_\textsc {crs}\) and \(q_\textsc {crs}\) primes such that \(p_\textsc {crs}=2q_\textsc {crs}+1\) and \(|p_\textsc {crs}|=1024\). We distinguish two cases. In the first one the prover wants to prove that a tuple ((G, q, p, g), A, B, C) is a DH tuple, and in the other one the prover tries to convince the verifier that two graphs \(G_0\) and \(G_1\) with n vertices each are isomorphic.
A \(\varSigma \) -protocol for Diffie-Hellman tuples. We consider the following polynomial-time relation \({\mathcal {R}}_{{\mathcal {DH}}}=\{(((G,q,g),A=g^r, B=h, C=h^r), r): B^r=C \}\) over cyclic groups \(G_q\) of prime-order q. Typically, G is the subgroup of quadratic residues of \({\mathbb {Z}_p}\) for prime \(p=2q+1\). We next briefly describe \({\varSigma \text {-protocol}}\, \varPi _{\mathcal {DH}}=(\mathcal {P}_{\mathcal {DH}}, \mathcal {V}_{\mathcal {DH}})\) for \({\mathcal {R}}_{\mathcal {DH}}\).
- Common input: instance x and language DH.
- Private input of \(\mathcal {P}_{\mathcal {DH}}\): r.
- The protocol \(\varPi _{\mathcal {DH}}\):
  1. \(\mathcal {P}_{\mathcal {DH}}\) picks \(t\in \mathbb {Z}_q\) at random, computes and sends \(a=g^t\), \(b=h^t\) to \(\mathcal {V}_{\mathcal {DH}}\);
  2. \(\mathcal {V}_{\mathcal {DH}}\) chooses a random challenge \(e\in \mathbb {Z}_q\) and sends it to \(\mathcal {P}_{\mathcal {DH}}\);
  3. \(\mathcal {P}_{\mathcal {DH}}\) computes and sends \(z=t+er\) to \(\mathcal {V}_{\mathcal {DH}}\);
  4. \(\mathcal {V}_{\mathcal {DH}}\) checks that \( g^z=a\cdot A^e\ \mathtt{AND}\ h^z=b\cdot C^e\) and accepts if and only if both equations hold.
We show the special HVZK simulator \(\mathsf {Sim}\) for \(\varPi _{\mathcal {DH}}\). \(\mathsf {Sim}\), on input x and a challenge e of length \(|q|-1\) executes the following steps:
1. randomly chooses \(z\in \mathbb {Z}_q\);
2. computes \(a=g^z\cdot A^{-e}\);
3. computes \(b=h^z\cdot C^{-e}\).
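The following is an added, self-contained example and is not code from the paper or from any of the cited works. It assembles, in Python, the pieces that the DH-tuple case of the comparison below puts together: \(\varPi _{\mathcal {DH}}\) with its simulator \(\mathsf {Sim}\) as just described, the OR composition of [18] from Sect. 2.3 with XORed challenges of length \(|q|-1\), the Fiat-Shamir challenge \(H_s(x,a)\) of Sect. 4 and the transform of Sect. 5 with \(\varLambda \) taken to be the language of DH tuples, so that the honest CRS holds a non-DH tuple and the simulator holds a DH tuple together with its exponent \(\omega \). The toy group (\(p=1019\), \(q=509\), \(g=4\)), the use of keyed SHA-256 in place of the NPRO, the encoding fed to the hash, the sampler `sample_lambda` and every function name are assumptions of the example, not of the paper.

```python
import hashlib
import secrets

# Toy safe-prime group constructed for this example only: p = 2q + 1 with
# p = 1019, q = 509; G = 2^2 generates the order-q subgroup of squares.
P, Q, G = 1019, 509, 4
L = Q.bit_length() - 1          # challenge length |q| - 1, so that e0 XOR e1 < q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1     # uniform in [1, q-1]

# ---- Pi_DH: Sigma-protocol for DH tuples (g, A = g^r, h, C = h^r), witness r ----
def dh_commit(x):
    """Round 1: a = (g^t, h^t) for random t; t is the prover's state."""
    g, _, h, _ = x
    t = secrets.randbelow(Q)
    return (pow(g, t, P), pow(h, t, P)), t

def dh_respond(r, t, e):
    """Round 3: z = t + e*r mod q."""
    return (t + e * r) % Q

def dh_verify(x, a, e, z):
    """Accept iff g^z = a1 * A^e and h^z = a2 * C^e."""
    g, A, h, C = x
    a1, a2 = a
    return (pow(g, z, P) == a1 * pow(A, e, P) % P
            and pow(h, z, P) == a2 * pow(C, e, P) % P)

def dh_simulate(x, e):
    """Special HVZK simulator Sim: pick z at random, set a = (g^z A^-e, h^z C^-e)."""
    g, A, h, C = x
    z = secrets.randbelow(Q)
    a = (pow(g, z, P) * pow(A, (-e) % Q, P) % P,
         pow(h, z, P) * pow(C, (-e) % Q, P) % P)
    return a, e, z

# ---- OR composition of [18]: x = (x0, x1), prover knows a witness for x[b] ----
def or_commit(x, b):
    """Real prover on x[b], Sim on x[1-b] with a random challenge e_{1-b}."""
    a_b, t = dh_commit(x[b])
    a_s, e_s, z_s = dh_simulate(x[1 - b], secrets.randbelow(1 << L))
    return ((a_b, a_s) if b == 0 else (a_s, a_b)), (t, e_s, z_s)

def or_respond(b, r, state, e):
    """e_b = e XOR e_{1-b}, then answer the real instance with e_b."""
    t, e_s, z_s = state
    e_b = e ^ e_s
    z_b = dh_respond(r, t, e_b)
    return (((e_b, e_s), (z_b, z_s)) if b == 0
            else ((e_s, e_b), (z_s, z_b)))

def or_verify(x, a, e, z):
    (e0, e1), (z0, z1) = z
    return (e == e0 ^ e1 and dh_verify(x[0], a[0], e0, z0)
            and dh_verify(x[1], a[1], e1, z1))

# ---- Fiat-Shamir challenge H_s(x, a): keyed SHA-256 truncated to L bits ----
def hash_challenge(s, x, a):
    digest = hashlib.sha256(s + repr((x, a)).encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << L) - 1)

# ---- Membership-hard language Lambda = DH tuples, sampler S_Lambda (assumed) ----
def sample_lambda(bit):
    """S_Lambda(0): DH tuple plus witness r; S_Lambda(1): non-DH tuple, no witness."""
    r, r2, h = rand_exp(), rand_exp(), pow(G, rand_exp(), P)
    while r2 == r:
        r2 = rand_exp()
    if bit == 0:
        return (G, pow(G, r, P), h, pow(h, r, P)), r
    return (G, pow(G, r, P), h, pow(h, r2, P)), None

def crs_gen():
    """Honest CRS sigma = (rho, s) with rho NOT in Lambda."""
    return sample_lambda(1)[0], secrets.token_bytes(16)

def nizk_prove(crs, x, w, b=0):
    """Non-interactive proof of (x in DH) OR (rho in DH); b=1 is the simulator's branch."""
    rho, s = crs
    a, state = or_commit((x, rho), b)
    e = hash_challenge(s, x, a)
    return a, e, or_respond(b, w, state, e)

def nizk_verify(crs, x, pi):
    rho, s = crs
    a, e, z = pi
    return e == hash_challenge(s, x, a) and or_verify((x, rho), a, e, z)

def nizk_sim_crs():
    """Simulator's CRS: rho IN Lambda, with the trapdoor omega kept for simulation."""
    rho, omega = sample_lambda(0)
    return (rho, secrets.token_bytes(16)), omega

def nizk_simulate(crs, omega, x):
    """Simulated proof for any x (even a false one) using only omega."""
    return nizk_prove(crs, x, omega, b=1)
```

Two points the code makes concrete: the simulator never touches a witness for x, it only switches the OR branch to \(\rho \), which is exactly the hybrid argument of Theorem 7; and the challenge is truncated to \(|q|-1\) bits so that \(e_0\oplus e_1\) never leaves \(\mathbb {Z}_q\), which is why the simulator above is described for challenges of that length.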
Graph Isomorphism. We show a \({\varSigma \text {-protocol}}\, \varPi _\mathcal {GH}=(\mathcal {P}_\mathcal {GH}, \mathcal {V}_\mathcal {GH})\) to prove that two graphs are isomorphic. Given two graphs \(G_0\) and \(G_1\), prover \(\mathcal {P}_\mathcal {GH}\) wants to convince verifier \(\mathcal {V}_\mathcal {GH}\) that it knows a permutation \(\phi \) such that \(\phi (G_0)=G_1\).
- Common input: theorem \(x=(G_0, G_1)\).
- Private input of \(\mathcal {P}_\mathcal {GH}\): \(\phi \).
- The protocol \(\varPi _\mathcal {GH}\):
  1. \(\mathcal {P}_\mathcal {GH}\) randomly chooses a permutation \(\psi \) and a bit \(b\in \{0,1\}\), computes and sends \(P=\psi (G_b)\);
  2. \(\mathcal {V}_\mathcal {GH}\) chooses a random bit \(b'\in \{0,1\}\) and sends it to \(\mathcal {P}_\mathcal {GH}\);
  3. \(\mathcal {P}_\mathcal {GH}\) sends the permutation \(\tau \) to \(\mathcal {V}_\mathcal {GH}\), where
     $$\begin{aligned} \tau ={\left\{ \begin{array}{ll} \psi &{} \text {if } b=b'\\ \psi \phi ^{-1} &{} \text {if } b=0, b'=1\\ \psi \phi &{} \text {if } b=1,b'=0 \end{array}\right. } \end{aligned}$$
  4. \(\mathcal {V}_\mathcal {GH}\) accepts if and only if \(P=\tau (G_{b'})\).
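The graph-isomorphism \(\varSigma \)-protocol above, as an added Python example that is not taken from the paper or from [34]. Graphs are frozensets of sorted edge pairs, permutations are tuples, and composition follows the convention \((\psi \phi )(i)=\psi (\phi (i))\), which is what makes the three cases for \(\tau \) verify. The parallel-repetition helpers at the end are the n-fold repetition that the Case 2 comparison below counts; all names are the example's own.

```python
import secrets

_rng = secrets.SystemRandom()

def apply_perm(perm, graph):
    """Relabel each edge (u, v) of graph (a frozenset of sorted vertex pairs) via perm."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def compose(outer, inner):
    """(outer . inner)(i) = outer(inner(i)); apply_perm(compose(a, b), G) == apply_perm(a, apply_perm(b, G))."""
    return tuple(outer[inner[i]] for i in range(len(inner)))

def inverse(perm):
    inv = [0] * len(perm)
    for i, j in enumerate(perm):
        inv[j] = i
    return tuple(inv)

def random_perm(n):
    p = list(range(n))
    _rng.shuffle(p)
    return tuple(p)

# Round 1: P = psi(G_b) for a random permutation psi and a random bit b.
def gi_commit(n, g0, g1):
    psi, b = random_perm(n), secrets.randbelow(2)
    return apply_perm(psi, (g0, g1)[b]), (psi, b)

# Round 3: tau = psi if b = b'; psi.phi^-1 if (b, b') = (0, 1); psi.phi if (b, b') = (1, 0).
def gi_respond(phi, psi, b, b_prime):
    if b == b_prime:
        return psi
    return compose(psi, inverse(phi)) if b == 0 else compose(psi, phi)

# Verifier: accept iff P = tau(G_{b'}).
def gi_verify(g0, g1, P, b_prime, tau):
    return P == apply_perm(tau, (g0, g1)[b_prime])

# Parallel repetition: reps independent copies take the soundness error from 1/2 to 2^-reps.
def gi_parallel_commit(n, g0, g1, reps):
    return [gi_commit(n, g0, g1) for _ in range(reps)]

def gi_parallel_respond(phi, states, challenges):
    return [gi_respond(phi, psi, b, c) for (psi, b), c in zip(states, challenges)]

def gi_parallel_verify(g0, g1, firsts, challenges, taus):
    return (len(firsts) == len(challenges) == len(taus)
            and all(gi_verify(g0, g1, P, c, t) for P, c, t in zip(firsts, challenges, taus)))
```

A prover that does not know \(\phi \) can prepare P so that it answers one value of \(b'\) but not the other, which is the 1/2 soundness error that forces the n repetitions counted in Case 2 below; with \(|P|=n^2\) bits per repetition, the first round is long but costs only a relabelling, which is the property this protocol was chosen to illustrate.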
Computational Effort: Two Cases. We show a summary of the comparison between our transform and Lindell’s transform in Tables 2 and 3. The cost is measured by counting the number of exponentiations made by \(\mathcal {P}\) and by \(\mathcal {V}\). In our comparison we consider that a CRS contains a DH tuple \(((G_\textsc {crs},q_\textsc {crs},p_\textsc {crs},g_\textsc {crs}),A_\textsc {crs},B_\textsc {crs},C_\textsc {crs})\) with \(|p_\textsc {crs}|=n=1024\), with security parameter n (therefore \(|q_\textsc {crs}|=1023\)). We consider two cases. In the first one we use the NIZK argument to prove that a tuple ((G, q, p, g), A, B, C) is a DH tuple; in particular we take into account two sub-cases: when \(|p|=1024\) and when \(|p|=2048\). In the second case we use the NIZK argument to prove the isomorphism between two graphs \(G_0\) and \(G_1\), and we assume that \(k=n^2\) bits are needed to represent a graph with n vertices. We stress that Lindell’s transform needs to commit to the first round of a \({\varSigma \text {-protocol}}\) (plus the instance to be proved, but for our comparison we ignore that the instance has to be committed) associated with the language that we take into account (the language of the DH tuples or the language of the isomorphic graphs). Therefore, using the described CRS, 4 exponentiations are required to commit to a string of 1023 bits. This is a consequence of the fact that the commitment is made by executing the simulator associated with \(\varPi _{\mathcal {DH}}\) (with \(|q_\textsc {crs}|=1023\)).
Case 1: proving that a tuple is a DH tuple.
- [43]. When the instance to be proved is ((G, q, p, g), A, B, C) with \(|p|=1024\), the prover \(\mathcal {P}\) needs to compute \(a=g^t\), \(b=h^t\) (as described before) and needs to commit to them. The total size of a and b is 2048 bits, therefore to commit to 2048 bits the DM commitment has to be executed 3 times. This implies that the prover needs to compute \(3\cdot 4\) exponentiations mod \(p_\textsc {crs}\) and 2 exponentiations mod p. The verifier \(\mathcal {V}\) needs to check that the openings of the DM commitments are correct, and also needs to compute \(g^z=a\cdot A^e\) and \(h^z=b\cdot C^e\). For this reason the verifier needs to compute \(3\cdot 4\) exponentiations mod \(p_\textsc {crs}\) plus 4 exponentiations mod p. With the same argument we can count the number of exponentiations needed to prove that the instance is a DH tuple with \(|p|=2048\).
- Our transform. When \(|p|=1024\) (resp., \(|p|=2048\)) the prover needs to run the simulator \(\mathsf {Sim}\) of \(\varPi _{\mathcal {DH}}\) on the instance \(((G_\textsc {crs},q_\textsc {crs},p_\textsc {crs},g_\textsc {crs}), A_\textsc {crs}, B_\textsc {crs},C_\textsc {crs})\) (this costs 4 exponentiations), and also needs to compute \(a=g^t \), \(b=h^t \). The total number of exponentiations is 6 (2 exponentiations mod p, and 4 exponentiations mod \(p_\textsc {crs}\)). The verifier needs to run the verifier’s algorithm of \(\varPi _{\mathcal {DH}}\) twice, once on the instance \(((G_\textsc {crs},q_\textsc {crs},p_\textsc {crs},g_\textsc {crs}), A_\textsc {crs},B_\textsc {crs},C_\textsc {crs})\) and once on the instance ((G, q, p, g), A, B, C), for a total of 4 exponentiations mod \(p_\textsc {crs}\) and 4 exponentiations mod p.
Case 2: Graph isomorphism.
- [43]. We consider that the instance to be proved is composed of two graphs \((G_0, G_1)\). Also we assume that \(k=n^2\) bits are necessary to represent one graph with n vertices. In this case we remark that because the security parameter is \(n=1024\) we need to execute the protocol \(\varPi _\mathcal {GH}\) described before n times. Under the described assumptions, the first round of \(\varPi _\mathcal {GH}\) is \(P=\psi (G_b)\) and \(|P|=n^2\). Therefore the prover needs to run n executions of the DM commitment function to commit to P, where each of them costs 4 exponentiations. Also we need to execute n iterations of this process, for a total of \(4n^2\) exponentiations mod \(p_\textsc {crs}\). Also in this case the verifier needs to check that all openings with respect to the n commitments are correctly computed, for a total of \(4n^2\) exponentiations mod \(p_\textsc {crs}\).
- Our transform. In this case the prover \(\mathcal {P}\) computes only 2 exponentiations mod p to compute the first round of \(\varPi _{\mathcal {DH}}\). The verifier runs the verifier’s algorithm of \(\varPi _{\mathcal {DH}}\), which costs 4 exponentiations mod p.
Notes
- 1. When discussing informally we will use the word proof to mean both an unconditionally sound proof and a computationally sound proof (i.e., an argument). Only in the more formal part of the paper will we make a distinction between arguments and proofs.
- 2. Lindell’s NIZK argument is not an argument of knowledge, in contrast to the NIZK argument obtained through an FS transform.
- 3.
- 4. In the proof of soundness this function will be modeled as an NPRO.
- 5.
- 6.
- 7. We use WI both to mean witness indistinguishable and witness indistinguishability.
- 8. We consider the same \({\varSigma \text {-protocol}}\) discussed in [43] and in addition we consider the one for Graph Isomorphism, since it has the special property of having a very long first round that can be computed very efficiently.
- 9. See Sect. 6 for a formal definition of the polynomial relation and the respective \({\varSigma \text {-protocol}}\) s.
- 10. Clearly, in case p is such that \(|p|<|p_\textsc {crs}|\), Lindell’s transform has a slightly smaller number of exponentiations than the number of exponentiations that we count in the tables.
References
Almeida, J.B., Bangerter, E., Barbosa, M., Krenn, S., Sadeghi, A.-R., Schneider, T.: A certifying compiler for zero-knowledge proofs of knowledge based on sigma-protocols. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 151–167. Springer, Heidelberg (2010)
Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed set-up assumptions. In: 45th Symposium on Foundations of Computer Science (FOCS 2004), Rome, Italy, 17–19 October 2004
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, pp. 62–73, 3–5 November 1993
Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y.T., López-Alt, A., Wichs, D.: Why “Fiat-Shamir for proofs” lacks a proof. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 182–201. Springer, Heidelberg (2013)
Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, Chicago, Illinois, USA, pp. 103–112, 2–4 May 1988
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, Dallas, Texas, USA, pp. 209–218, 23–26 May 1998
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
Canetti, R., Lin, H., Paneth, O.: Public-coin concurrent zero-knowledge in the global hash model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 80–99. Springer, Heidelberg (2013)
Catalano, D., Dodis, Y., Visconti, I.: Mercurial commitments: minimal assumptions and efficient constructions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 120–144. Springer, Heidelberg (2006)
Catalano, D., Visconti, I.: Hybrid trapdoor commitments and their applications. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 298–310. Springer, Heidelberg (2005)
Catalano, D., Visconti, I.: Hybrid commitments and their applications to zero-knowledge proof systems. Theor. Comput. Sci. 374(1–3), 229–260 (2007)
Chaidos, P., Groth, J.: Making sigma-protocols non-interactive without random oracles. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 650–670. Springer, Heidelberg (2015)
Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006)
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR composition of Sigma-protocols. IACR Cryptology ePrint Archive 2015, 810 (2015). http://eprint.iacr.org/2015/810
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR composition of sigma-protocols. In: Theory of Cryptography - 13th Theory of Cryptography Conference, TCC 2016-A, Tel Aviv, Israel, 10–13 January 2016
Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. IACR Cryptology ePrint Archive, 770 (2015). http://eprint.iacr.org/2015/770
Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
Damgård, I.B.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000)
Damgård, I.: On \(\Sigma \)-protocols (2010). http://www.cs.au.dk/~ivan/Sigma.pdf
Damgård, I.B., Fazio, N., Nicolosi, A.: Non-interactive zero-knowledge from homomorphic encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 41–59. Springer, Heidelberg (2006)
Damgård, I., Groth, J.: Non-interactive and reusable non-malleable commitment schemes. In: Proceedings of the 35th Annual ACM Symposium on Theory of Computing, San Diego, CA, USA, pp. 426–437, 9–11 June 2003
De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001)
De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge proof systems. In: Advances in Cryptology - CRYPTO 1987, A Conference on the Theory and Applications of Cryptographic Techniques, Proceedings, Santa Barbara, California, USA, pp. 52–72, 16–20 August 1987
Di Crescenzo, G., Visconti, I.: Concurrent zero knowledge in the public-key model. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 816–827. Springer, Heidelberg (2005)
Dodis, Y.: G22.3220-001/g63.2180 Advanced Cryptography - Lecture 3 (Fall 2009)
Dwork, C., Naor, M.: Zaps and their applications. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, pp. 283–293, 12–14 November 2000
Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string. In: 31st Annual Symposium on Foundations of Computer Science, St. Louis, Missouri, USA, vol. I, pp. 308–317, 22–24 October 1990
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
Garay, J.A., MacKenzie, P., Yang, K.: Strengthening zero-knowledge protocols using signatures. J. Cryptology 19(2), 169–209 (2006)
Garay, J.A., MacKenzie, P.D., Yang, K.: Strengthening zero-knowledge protocols. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 177–194. Springer, Heidelberg (2003)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In: 27th Annual Symposium on Foundations of Computer Science, Toronto, Canada, pp. 174–187, 27–29 October 1986
Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th Symposium on Foundations of Computer Science (FOCS 2003), Proceedings, Cambridge, MA, USA, pp. 102–113, 11–14 October 2003
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: Proceedings of the 17th Annual ACM Symposium on Theory of Computing, Providence, Rhode Island, USA, pp. 291–304, 6–8 May 1985
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Groth, J.: Honest verifier zero-knowledge arguments applied. Dissertation Series DS-04-3, BRICS. PhD thesis, xii+119 (2004)
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006)
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
Lindell, Y.: An efficient transform from Sigma Protocols to NIZK with a CRS and non-programmable random oracle. Cryptology ePrint Archive, Report 2014/710 (2014). http://eprint.iacr.org/2014/710/20150906:203011
Lindell, Y.: An efficient transform from Sigma Protocols to NIZK with a CRS and non-programmable random oracle. Cryptology ePrint Archive, Report 2014/710 (2014). http://eprint.iacr.org/2014/710/20150906:203011
Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015)
Micciancio, D., Petrank, E.: Simulatable commitments and efficient concurrent zero-knowledge. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 140–159. Springer, Heidelberg (2003)
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, USA, pp. 427–437, 13–17 May 1990
Ostrovsky, R., Pandey, O., Visconti, I.: Efficiency preserving transformations for concurrent non-malleable zero knowledge. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 535–552. Springer, Heidelberg (2010)
Pass, R.: On deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003)
Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, New York, NY, USA, pp. 543–553, 17–18 October 1999
Scafuro, A., Visconti, I.: On round-optimal zero knowledge in the bare public-key model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 153–171. Springer, Heidelberg (2012)
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
Visconti, I.: Efficient zero knowledge on the internet. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 22–33. Springer, Heidelberg (2006)
Wee, H.: Zero knowledge in the random oracle model, revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 417–434. Springer, Heidelberg (2009)
Yung, M., Zhao, Y.: Interactive zero-knowledge with restricted random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 21–40. Springer, Heidelberg (2006)
Yung, M., Zhao, Y.: Generic and practical resettable zero-knowledge in the bare public-key model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 129–147. Springer, Heidelberg (2007)
Acknowledgments
We thank Alessandra Scafuro and Berry Schoenmakers for various useful discussions on \({\varSigma \text {-protocol}}\text {s}\). An updated version of this work appears in [17].
Appendices
A Dual Mode Commitments and the Need for Strong \({\varSigma \text {-protocol}}\text {s}\)
The following definition of a dual-mode commitment scheme (DMCS, in short) is from [43].
Definition 9
([43]). A dual-mode commitment scheme (DMCS) is a tuple of PPT algorithms \(({\mathsf {GenCRS}},{\mathsf {Com}},{\mathsf {Scom}})\) such that:
-
\({\mathsf {GenCRS}}(1^n)\) outputs a common reference string, denoted by \(\rho \).
-
\(({\mathsf {GenCRS}},{\mathsf {Com}})\): when \(\rho \leftarrow {\mathsf {GenCRS}}(1^n)\) and \(m \in \{0, 1\}^n\), algorithm \({\mathsf {Com}}_\rho (m;r)\) with randomness r is a non-interactive perfectly-binding commitment scheme.
-
\(({\mathsf {Com}}, {\mathsf {Scom}})\): For every PPT adversary \(\mathcal {A}\) and every polynomial \(p(\cdot )\), the output of the following two experiments is computationally indistinguishable:
\(Real_{{\mathsf {Com}}, \mathcal {A}}(1^n)\) | \(Simulation_{{\mathsf {Scom}}}(1^n)\) |
---|---|
– \(\rho \leftarrow {\mathsf {GenCRS}}(1^n)\) | – \(\rho \leftarrow {\mathsf {Scom}}(1^n)\) |
– For \(i = 1, \dots , p(n)\): | – For \(i = 1, \dots , p(n)\): |
1. \(m_i \leftarrow \mathcal {A}(\rho , \mathbf {c} , \mathbf {r} )\) | 1. \(c_i \leftarrow {\mathsf {Scom}}\) |
2. \(r_i \leftarrow \{0, 1\}^{\text{ poly }(n)}\) | 2. \(m_i\leftarrow \mathcal {A}(\rho , \mathbf {c} , \mathbf {r})\) |
3. \(c_i = {\mathsf {Com}}_\rho (m_i; r_i)\) | 3. \(r_i \leftarrow {\mathsf {Scom}}(m_i)\) |
4. Set \(\mathbf {c} = c_1, \dots , c_i\) and \(\mathbf {r} = r_1, \dots , r_i\) | 4. Set \(\mathbf {c} = c_1, \dots , c_i\) and \(\mathbf {r} = r_1, \dots , r_i\) |
– Output \(\mathcal {A}(\rho , m_1, r_1, \dots , m_{p(n)}, r_{p(n)})\) | – Output \(\mathcal {A}(\rho , m_1, r_1, \dots , m_{p(n)}, r_{p(n)})\) |
Membership-Hard Languages with Efficient Sampling. Lindell defines a membership-hard language \(\varLambda \) as a language such that one can efficiently sample both instances that belong to the language and instances that do not belong to the language. Still, distinguishing between these two types of instances is hard. This is formalized through a sampling algorithm \(S_\varLambda \) that on input a bit b outputs an instance \(\rho \in \varLambda \) along with a witness \(\omega \) when \(b = 0\), and outputs an instance \(\rho \not \in \varLambda \) otherwise. No polynomial-time distinguisher on input \(\rho \) can guess b with probability non-negligibly better than 1/2. Let \(S_\varLambda ^\rho \) denote the instance part of the output (i.e., without the witness when b is 0).
Definition 10
([43]). Let \(\varLambda \) be a language. We say that \(\varLambda \) is membership-hard with efficient sampling if there exists a PPT sampler \(S_\varLambda \) such that for every PPT distinguisher \(\mathcal {D}\) there exists a negligible function \(\mu \) such that:
There are several popular membership-hard languages in the literature. We will in particular consider the one used by Lindell in [43]: the language DH of Diffie-Hellman triples.
Lindell’s construction of a DMCS from \({\varSigma \text {-protocol}}\text {s}\). Let us describe Lindell’s construction of a DMCS from any membership-hard language \(\varLambda \) admitting a \({\varSigma \text {-protocol}}\, \varPi _\varLambda =(\mathcal {P}_\varLambda ,\mathcal {V}_\varLambda )\) with simulator \(\mathsf {Sim}_\varLambda \) for perfect special HVZK.
-
Regular \(\rho \) generation: Run sampler \(S_\varLambda \) for \(\varLambda \) with input \((1,1^n)\) and receive back \(\rho \) (recall that \(\rho \notin \varLambda \)).
-
Commitment: To commit to a value \(m \in \{0, 1\}^n\) with randomness r, \({\mathsf {Com}}\) sets \(e=m\), runs \(\mathsf {Sim}_\varLambda (\rho , e)\) with randomness r and obtains (a, z). The output of \({\mathsf {Com}}\) is the commitment \(c=a\) and the decommitment information (e, r).
-
Decommitment: To decommit, provide e, z; the receiver checks that \(\mathcal {V}_\varLambda (\rho ,a,e,z) = 1\).
-
Simulator \({\mathsf {Scom}}\):
-
On input \(1^n\), \({\mathsf {Scom}}\) runs the sampler \(S_\varLambda \) with input \((0, 1^n)\), and receives back \((\rho ,\omega )\) (recall that \(\rho \in \varLambda \) and \(\omega \) is a witness to this fact). Then, \({\mathsf {Scom}}\) computes \(a = \mathcal {P}_\varLambda (\rho ,\omega )\), sets \(c = a\) and outputs \((c,\rho )\).
-
On input \(m \in \{0, 1\}^n\), \({\mathsf {Scom}}\) sets \(e=m\) and outputs \(z = \mathcal {P}_\varLambda (\rho ,\omega ,a,e)\).
A.1 A Subtlety in Lindell’s Construction: The Need for Strong \({\varSigma \text {-protocol}}\text {s}\)
We now discuss a subtlety in the construction of a DMCS from any \({\varSigma \text {-protocol}}\) for a membership-hard language given in [43]. We stress that the content of this section does not apply when considering [42].
We observe that the construction of a DMCS from any \({\varSigma \text {-protocol}}\) for a membership-hard language given in [43] works when the \({\varSigma \text {-protocol}}\) is equipped with a simulator such that, when the simulator gets as randomness the 3rd round of the prover, the simulator is able to output the same first round as the prover. This special property has been investigated in [26], where it was called strong perfect special HVZK. In more detail, a \({\varSigma \text {-protocol}}\) is strong perfect special HVZK if it admits a simulator \(\mathsf {Sim}\) that on input any challenge e outputs a transcript (a, e, z) that is perfectly indistinguishable from the distribution of the transcript generated by the prover when the challenge is e, but in addition it is required that the transcript is computed by sampling the 3rd round uniformly at random. The strong perfect special HVZK property is formalized below.
Definition 11
([26]). The special perfect HVZK property is strong if there exists a PPT simulator \(\mathsf {Sim}\) for the special perfect HVZK property that on input \(x\in L_{\mathcal {R}}\) and a challenge “e” works by sampling the 3rd round “z” uniformly at random and then computing the 1st round “a” deterministically from “x, e” and “z”.
Lindell’s construction of a DMCS shown in [43] requires a simulator for strong perfect special HVZK.
A \({\varSigma \text {-protocol}}\) \(\varPi _{DH}\) for DH. We now show an artificial but useful example of a \({\varSigma \text {-protocol}}\) with a simulator \(\mathsf {Sim}\) for perfect special HVZK that, however, does not work if strong perfect special HVZK is desired.
The most widely used \({\varSigma \text {-protocol}}\,\varPi _{DH}=(\mathcal {P}_{DH},\mathcal {V}_{DH})\) for the language DH consists in running in parallel two instances of a \({\varSigma \text {-protocol}}\) for DLog, each proving knowledge of a discrete logarithm. The two instances are linked together by having the verifier send the same challenge and expecting to receive the same third-round message. Schnorr’s protocol [50] constitutes a natural choice for a \({\varSigma \text {-protocol}}\) for DLog.
Consider instead instantiating the \({\varSigma \text {-protocol}}\) for DH with the following \({\varSigma \text {-protocol}}\, \varPi _{DLog}=(\mathcal {P}_{{DLog}},\mathcal {V}_{{DLog}})\) for proving knowledge of the discrete logarithm w of x with base g. \(\mathcal {P}_{{DLog}}\) first selects another random group element \(x'\) along with its discrete logarithm \(w'\) to the base g and then sends \(x'\) to \(\mathcal {V}_{{DLog}}\). Then \(\mathcal {P}_{{DLog}}\) and \(\mathcal {V}_{{DLog}}\) run two instances of Schnorr’s \({\varSigma \text {-protocol}}\) using the same challenge so that \(\mathcal {P}_{{DLog}}\) proves to \(\mathcal {V}_{{DLog}}\) knowledge of both w and \(w'\). Clearly, \(\varPi _{DLog}\) is a \({\varSigma \text {-protocol}}\) for DLog (this comes from the fact that the AND of two \({\varSigma \text {-protocol}}\text {s}\) is still a \({\varSigma \text {-protocol}}\) and from the fact that knowledge of a pair \((w,w')\) implies knowledge of w) and, consequently, \(\varPi _{DH}\) instantiated with \(\varPi _{DLog}\) is a \({\varSigma \text {-protocol}}\) for DH. Moreover notice that \(\varPi _{DLog}\) admits a simulator \(\mathsf {Sim}_{DLog}^\star \) for perfect HVZK that uses the simulator of Schnorr’s protocol to compute the transcript of the first instance, while it uses the prover of Schnorr’s protocol for producing the transcript associated to \(x'\), after having selected \(x'\) along with a witness \(w'\) when the protocol starts. We now provide a formal description of this \({\varSigma \text {-protocol}}\).
More precisely we show a \({\varSigma \text {-protocol}}\,\varPi _{DLog}=(\mathcal {P}_{DLog},\mathcal {V}_{DLog})\) for relation \({\mathcal {R}}_{DLog}=\{ ((\mathcal {G},g,q, x), w): x=g^w\}\) that is special perfect HVZK and such that there exists a simulator for special perfect HVZK that does not satisfy the requirement of strong perfect special HVZK of \(\varPi _{DLog}\) (see Definition 11).
-
Common Input: (\(\mathcal {G},g,q, x\)) and relation \({\mathcal {R}}_{DLog}\).
-
Input of \(\mathcal {P}_{DLog}\): w s.t. \(((\mathcal {G},g,q, x),w) \in {\mathcal {R}}_{DLog}\).
-
The protocol \(\varPi _{DLog}\):
-
1.
\(\mathcal {P}_{DLog}\) chooses \(r_0\), \(r_1\), \(w_1\) at random from \(\mathcal {Z}_q\), and \(g_1\) at random from \(\mathcal {G}\). Then it computes \((a_0, a_1)=(g^{r_0},g_1^{r_1})\), and \(x_1=g_1^{w_1}\). \(\mathcal {P}_{DLog}\) sends \((a_0,g_1, x_1, a_1)\) to \(\mathcal {V}_{DLog}\).
-
2.
\(\mathcal {V}_{DLog}\) chooses a random challenge \(e \leftarrow \{0, 1\}^{l}\) (where \(2^l<q\)) and sends e to \(\mathcal {P}_{DLog}\).
-
3.
\(\mathcal {P}_{DLog}\) computes \(z_0=r_0+e w\) and \(z_1=r_1+e w_1\), and sends \((z_0,z_1)\) to \(\mathcal {V}_{DLog}\).
-
4.
\(\mathcal {V}_{DLog}\) checks that \(g^{z_0}=a_0x^e\) and \(g_1^{z_1}=a_1x_1^e\), and accepts if and only if both equalities hold.
Special HVZK. The simulator \(\mathsf {Sim}\) of \(\varPi _{DLog}\) on input the theorem \((\mathcal {G},g,q, x)\) and challenge e works as follows:
-
1.
pick \(z_0, r_1, w_1\) at random from \(\mathcal {Z}_q\) and \(g_1\) at random from \(\mathcal {G}\).
-
2.
compute \(a_0=g^{z_0}x^{-e} \) and \(a_1=g_1^{r_1}\).
-
3.
compute \(x_1=g_1^{w_1}\) and \(z_1=r_1+e w_1\).
-
4.
return \((a_0, g_1, x_1,a_1,z_0,z_1)\).
Completeness. In order to see that completeness holds, observe that when \(\mathcal {P}_{DLog}\) runs the protocol honestly we have:
Special Soundness. Let \((a_0, g_1, x_1,a_1,e, z_0,z_1)\) and \((a_0, g_1, x_1,a_1,e',z'_0,z'_1)\) be a collision. We have that \(g^{z_0}=a_0x^e\) and \(g^{z'_0}=a_0x^{e'}\), and thus \(g^{z_0-z'_0}=x^{e-e'}\), which implies that \(x=g^{\frac{z_0-z'_0}{e-e'}}\); therefore \(w=\frac{z_0-z'_0}{e-e'}\).
Special Perfect HVZK. We now check that the transcript returned by \(\mathsf {Sim}\), on input the theorem \((\mathcal {G},g,q, x)\) and challenge e, is identically distributed w.r.t. the transcript obtained from the interaction between \(\mathcal {P}_{DLog}\) and \(\mathcal {V}_{DLog}\), when the challenge is e. The two transcripts differ only in the computation of \(a_0\) and \(z_0\). In the case of \(\mathcal {P}_{DLog}\), \(a_0=g^{r_0}\) where \(r_0\) is chosen uniformly at random and \(z_0=r_0+ew\). Instead, \(\mathsf {Sim}\) chooses \(z_0\) uniformly at random, so that implicitly \(r_0=z_0-ew\); therefore \(\mathsf {Sim}\) and \(\mathcal {P}_{DLog}\) clearly produce \(a_0\) and \(z_0\) with the same distribution.
\(\varPi _{DH}\) does not produce a DMCS. We observe that Lindell’s construction of a DMCS from any \({\varSigma \text {-protocol}}\) for a membership-hard language [43] does not seem to work when \(\varPi _{DH}\) is used as the \({\varSigma \text {-protocol}}\). Indeed, consider the steps of experiments \(Real_{{\mathsf {Com}}, \mathcal {A}}(1^n)\) and \(Simulation_{{\mathsf {Scom}}}(1^n)\) in which \(\mathcal {A}\) obtains as input \((\rho ,\mathbf {c},\mathbf {r})\), and consider the iteration with \(i=2\) of the loop.
In \(Real_{{\mathsf {Com}},\mathcal {A}}(1^n)\), \(\mathcal {A}\)’s view includes \((m_1,r_1,c_1)\) and thus \(\mathcal {A}\) can check that indeed \(c_1\) is the output of \({\mathsf {Com}}(m_1;r_1)\). This means that in the above construction, \(c_1\) is the first component of the pair given in output by \(\mathsf {Sim}_\varLambda (\rho , e)\) when running with randomness \(r_1\), and this is precisely the way in which \(c_1\) was produced in Step 3 when \(i=1\). Therefore the check of \(\mathcal {A}\) succeeds in \(Real_{{\mathsf {Com}}, \mathcal {A}}(1^n)\).
In \(Simulation_{{\mathsf {Scom}}}(1^n)\), \(\mathcal {A}\)’s view includes \((m_1,r_1,c_1)\) and thus \(\mathcal {A}\) can still perform the check that \(c_1\) is the output of \({\mathsf {Com}}(m_1;r_1)\) by running \(\mathsf {Sim}_\varLambda (\rho , e)\) with randomness \(r_1\). However, in this case it is not true that \(c_1\) is computed by running \({\mathsf {Com}}(m_1;r_1)\). Indeed, in the execution of \(Simulation_{{\mathsf {Scom}}}(1^n)\), \(c_1\) is computed by running \(c_1 \leftarrow {\mathsf {Scom}}\) and then \(r_1\) is computed by running \(r_1 \leftarrow {\mathsf {Scom}}(m_1)\). In the above construction \({\mathsf {Scom}}\) computes \(c_1\) and \(r_1\) as the 1st and 3rd messages that are computed by \(\mathcal {P}_\varLambda \) when the challenge is \(m_1\). Therefore whenever the 3rd round \(r_1\) computed by \(\mathcal {P}_\varLambda \) does not correspond to a randomness that can be given as input to \(\mathsf {Sim}_\varLambda (\rho ,m_1)\) to get the same \(c_1\) computed by \(\mathcal {P}_\varLambda \), we have that the check of \(\mathcal {A}\) fails.
By noticing that the 3rd round \(r_1\) of \(\mathcal {P}_{DH}\) in \(\varPi _{DH}\) does not give any information about the random instance \(x'\) of DLog that \(\mathcal {P}'_{DH}\) would compute and that would be part of \(c_1\), we have that there exists a simulator for DH, using internally \(\mathsf {Sim}_{DLog}^\star \), that on input \((\rho ,m_1)\) and running with randomness \(r_1\) computes \(c_1\) only with negligible probability and thus the above \(\mathcal {A}\) is a successful distinguisher of experiments \(Real_{{\mathsf {Com}}, \mathcal {A}}(1^n)\) and \(Simulation_{{\mathsf {Scom}}}(1^n)\).
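To make the subtlety concrete, here is an added toy Python model (not code from the paper or from Lindell’s work) of Schnorr’s protocol and of \(\varPi _{DLog}\) with \(\mathsf {Sim}_{DLog}^\star \). It assumes a constructed safe-prime group \(p = 2039 = 2\cdot 1019+1\) with \(g=4\), far too small for real use, and shows that Schnorr’s first round is a deterministic function of (x, e, z), as Definition 11 demands, while two accepting \(\varPi _{DLog}\) transcripts can share (x, e, z) yet differ in the first round, so no simulator run with randomness \(r_1 = z\) can recover \(c_1\).

```python
import secrets

# Constructed toy parameters (not from the paper): p = 2q + 1 is a safe prime and
# g = 2^2 generates the order-q subgroup.  Far too small for real use.
P, Q, G = 2039, 1019, 4


def rand_zq():
    return secrets.randbelow(Q)


# --- Schnorr's Sigma-protocol for x = g^w, whose simulator is *strong* -----------
def schnorr_prove(w, r, e):
    """Honest transcript (a, e, z) with first-round randomness r."""
    return pow(G, r, P), e, (r + e * w) % Q


def schnorr_sim(x, e, z):
    """Sim samples z and computes a = g^z * x^(-e) deterministically from (x, e, z)."""
    return (pow(G, z, P) * pow(x, -e, P)) % P, e, z


def schnorr_scom_check_passes(w, e):
    """Simulation experiment with Schnorr: Scom hands A (c_1, r_1) = (a, z) of the honest
    prover; A recomputes Com(m; r_1) = Sim(x, e=m; z) and gets a back, so its check passes."""
    x = pow(G, w, P)
    a, _, z = schnorr_prove(w, rand_zq(), e)
    return schnorr_sim(x, e, z)[0] == a


# --- Pi_DLog of Appendix A.1: Schnorr for x in parallel with Schnorr for a fresh x_1 --
def pidlog_first_round(r0, r1, w1, g1):
    """(a_0, g_1, x_1, a_1) = (g^r0, g_1, g_1^w1, g_1^r1)."""
    return pow(G, r0, P), g1, pow(g1, w1, P), pow(g1, r1, P)


def pidlog_third_round(w, r0, r1, w1, e):
    """(z_0, z_1) = (r_0 + e w, r_1 + e w_1): g_1 never enters the third round."""
    return (r0 + e * w) % Q, (r1 + e * w1) % Q


def pidlog_verify(x, a, e, z):
    a0, g1, x1, a1 = a
    z0, z1 = z
    return (pow(G, z0, P) == a0 * pow(x, e, P) % P
            and pow(g1, z1, P) == a1 * pow(x1, e, P) % P)


def pidlog_sim_star(x, e, z0, r1, w1, g1):
    """Sim*: Schnorr's simulator for x, Schnorr's real prover for the fresh pair (g_1, x_1).
    Its randomness is (z_0, r_1, w_1, g_1), of which the third round reveals only z_0."""
    a0 = pow(G, z0, P) * pow(x, -e, P) % P
    return (a0, g1, pow(g1, w1, P), pow(g1, r1, P)), (z0, (r1 + e * w1) % Q)


def pidlog_first_round_not_determined(w, e):
    """Two accepting Pi_DLog transcripts with identical (x, e, z) but different first rounds.
    Hence no deterministic function of (x, e, z), in particular no simulator run with
    randomness r_1 = z as A does in the Simulation experiment, can recover c_1 = a."""
    x = pow(G, w, P)
    r0, r1, w1 = rand_zq(), rand_zq(), rand_zq()
    g1, g1_alt = pow(G, 3, P), pow(G, 5, P)   # two distinct choices of g_1
    z = pidlog_third_round(w, r0, r1, w1, e)
    a = pidlog_first_round(r0, r1, w1, g1)
    a_alt = pidlog_first_round(r0, r1, w1, g1_alt)
    both_accept = pidlog_verify(x, a, e, z) and pidlog_verify(x, a_alt, e, z)
    return both_accept and a != a_alt
```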
B An Optimal-Sound (and Not Special Sound) 3-Round Perfect Special HVZK Proof
In this section we show a 3-round public-coin perfect special HVZK proof system that is optimal sound and not special sound. First of all we briefly describe the \({\varSigma \text {-protocol}}\) of [44] that, given a commitment \(\mathtt {com}\) and a message m, proves that m is committed in \(\mathtt {com}\). Then we show the protocol of [51], a modification of [44] that, given a commitment \(\mathtt {com}\) and a value \(\varPsi \), allows one to prove that the discrete logarithm of \(\varPsi \) is committed in \(\mathtt {com}\).
In order to describe the protocols of [44] and [51] we consider two primes p and q s.t. \(p=2q+1\), and a group \(\mathcal {G}\) of order q in which the DDH assumption holds. We also consider two random elements g and h of \(\mathcal {G}\). We next describe the \({\varSigma \text {-protocol}}\,\varPi _{Com}=(\mathcal {P}_{Com},\mathcal {V}_{Com})\) of [44] for relation
-
Common Input: \((\mathcal {G},g,v,h, \mathtt {com}=(\hat{g}, \hat{h}),q)\) and relation \({\mathcal {R}}_{Com}\).
-
Input of \(\mathcal {P}_{Com}\): w s.t. \(((\mathcal {G},v, g,h, \mathtt {com}=(\hat{g}, \hat{h}),q),w) \in {\mathcal {R}}_{Com}\).
-
The protocol \(\varPi _{Com}\):
-
1.
The prover \(\mathcal {P}_{Com}\) chooses r from \(\mathcal {Z}_q\) and sends \(( \widetilde{g}=g^r,\widetilde{h}=h^r)\) to \(\mathcal {V}_{Com}\);
-
2.
The verifier \(\mathcal {V}_{Com}\) chooses a random challenge \(e \leftarrow \mathcal {Z}_q\) and sends e to \(\mathcal {P}_{Com}\);
-
3.
\(\mathcal {P}_{Com}\) sends \(z=ew+r\) to \(\mathcal {V}_{Com}\);
-
4.
\(\mathcal {V}_{Com}\) checks that \(\hat{g}^{e} \widetilde{g}=g^z\) and \(\left( \frac{\hat{h}}{h^v}\right) ^e \widetilde{h}=h^z\), and accepts if and only if both checks are successful.
In [51] a similar protocol was used to prove that \(\mathtt {com}\) is a commitment of the discrete logarithm of a value \(\varPsi \in \mathcal {G}\) with \(h^{\psi }=\varPsi \). Formally the protocol is for the \(\mathtt{{NP}}\) language
and for the corresponding relation
The protocol follows \(\varPi _{Com}\) with the differences that the common input is \((\mathcal {G}, q,g,\varPsi =h^\psi ,h, \mathtt {com}=(\hat{g}, \hat{h}))\) and that the verifier decides whether to accept by checking that \(\hat{g}^{e} \widetilde{g}=g^z\) and \(\left( \frac{\hat{h}}{\varPsi }\right) ^e \widetilde{h}=h^z\). While this protocol preserves the perfect special HVZK property, it is neither a proof of knowledge for \({\mathcal {R}}_L\) nor special sound, even though it still enjoys optimal soundness. We now proceed more formally.
Optimal soundness. We now consider an instance that is not in the \(\mathtt{{NP}}\) language L, and show that, once the first round of the protocol is fixed, there exists only one challenge e for which the prover can successfully compute the third round z of the protocol. Consider the instance \(\left( \varPsi =h^\psi , \mathtt {com}=(\hat{g}=g^w, \hat{h}=h^{w+\psi '})\right) \notin L\) (with \(\psi \ne \psi '\)). Assume by contradiction that, given the first round \((\widetilde{g}, \widetilde{h})\) of the protocol, there exist two distinct challenges \(e_0\) and \(e_1\) for which the prover can make the verifier accept with answers \(z_0\) and \(z_1\), respectively. We show that this implies \(\psi =\psi '\).
Proof
Since the verifier accepts, it must be that for all \(i\in \{0,1\}\), the following checks are successful: \(\hat{g}^{e_i} \widetilde{g}=g^{z_i}\) and \(\left( \frac{\hat{h}}{\varPsi }\right) ^{e_i} \widetilde{h}=h^{z_i}\). It follows that \(\hat{g}^{e_0-e_1}=g^{z_0-z_1}\) and \(\left( \frac{\hat{h}}{\varPsi }\right) ^{e_0-e_1}=h^{z_0-z_1}\). Suppose that \(h=g^\omega \), we get
Therefore, if \(e_0\ne e_1\) we get the contradiction that \(\psi =\psi '\).
The Protocol is not Special Sound for \({\mathcal {R}}_L\) . To argue that the protocol of [51] is not special sound, we note that in order to compute a commitment of the discrete logarithm of \(\varPsi \), knowledge of this discrete logarithm is not necessary since it is possible to compute \(\mathtt {com}=(\hat{g},h^w\cdot \varPsi )\) with \(w\in \mathbb {Z}_q\). Indeed, notice that the discrete logarithm \(\psi \) of \(\varPsi \) is never used in the proof. Formally, we suppose that the protocol is special sound for the polynomial relation \({\mathcal {R}}_L\) and then construct an adversary \(\mathcal {A}\) that, given \(Y=g^y\in \mathcal {G}\), returns the discrete logarithm y of Y.
We have shown that there exist 3-round public-coin proof systems that are optimal sound and not special sound. It is also easy to observe that special soundness implies optimal soundness. Indeed, consider an \(\mathtt{{NP}}\) language L and a corresponding relation \({\mathcal {R}}_L\). All \({\varSigma \text {-protocol}}\text {s}\) for \({\mathcal {R}}_L\) must also be 3-round HVZK proofs for L with optimal soundness. If not, then the violation of optimal soundness (\(\mathcal {P}^\star \) for a false statement can generate (a, c, z) and \((a,c',z')\) with \(c'\) different from c and both accepting) directly implies a violation of special soundness as well.
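An added toy Python model (not code from the paper or from [51]) of the protocol just analyzed, over a constructed group \(p=2039\), \(q=1019\), \(g=4\), \(h=9\) that is far too small for real use. It counts how many challenges a fixed first round can answer (all q of them for an instance in L, exactly one for an instance outside L, which is optimal soundness), and shows a commitment to \(\log _h \varPsi \) being formed and proved without knowing that logarithm, which is why special soundness fails; the language L is taken here as the set of \((\varPsi , \mathtt {com})\) with \(\mathtt {com}=(g^w, h^w\cdot \varPsi )\), which is how the instance form used in the text reads.

```python
# Constructed toy parameters (not from the paper): p = 2q + 1 is a safe prime and
# g = 2^2, h = 3^2 lie in the order-q subgroup.  Far too small for real use.
P, Q, G, H = 2039, 1019, 4, 9


def verify(Psi, com, first, e, z):
    """Verifier of [51]: g_hat^e * g_tilde == g^z  and  (h_hat / Psi)^e * h_tilde == h^z."""
    g_hat, h_hat = com
    g_tilde, h_tilde = first
    h_ratio = h_hat * pow(Psi, -1, P) % P
    return (pow(g_hat, e, P) * g_tilde % P == pow(G, z, P)
            and pow(h_ratio, e, P) * h_tilde % P == pow(H, z, P))


def commit_dlog_of(Psi, w):
    """com = (g^w, h^w * Psi) commits to psi = log_h(Psi) although psi is never used:
    h^w * Psi = h^(w + psi) is exactly the shape the language requires."""
    return pow(G, w, P), pow(H, w, P) * Psi % P


def prove(w, e, r):
    """Prover knowing only the opening w: first round (g^r, h^r), third round z = e*w + r."""
    return (pow(G, r, P), pow(H, r, P)), (e * w + r) % Q


def extract_from_collision(e0, z0, e1, z1):
    """What a special-soundness extractor gets from two accepting transcripts that share
    a first round: (z0 - z1)/(e0 - e1) = w, the opening of com, never psi."""
    return (z0 - z1) * pow(e0 - e1, -1, Q) % Q


def accepting_challenges(w, psi, psi_prime, r, r_prime):
    """Number of challenges e in Z_q answerable for a fixed first round.
    Instance: Psi = h^psi, com = (g^w, h^(w + psi')); it lies in L iff psi == psi'.
    First round (g^r, h^r') with r' != r allowed, as a cheating prover may choose.
    The first verifier check forces z = w*e + r, so one candidate z per e suffices."""
    Psi = pow(H, psi, P)
    com = (pow(G, w, P), pow(H, w + psi_prime, P))
    first = (pow(G, r, P), pow(H, r_prime, P))
    return sum(1 for e in range(Q) if verify(Psi, com, first, e, (w * e + r) % Q))
```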
Copyright information
© 2016 International Association for Cryptologic Research
Cite this paper
Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I. (2016). A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles. In: Kushilevitz, E., Malkin, T. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9563. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49099-0_4
DOI: https://doi.org/10.1007/978-3-662-49099-0_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49098-3
Online ISBN: 978-3-662-49099-0