Etudes in Non-Interactive Zero-Knowledge

by
abhi shelat

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY
December 2005
© Massachusetts Institute of Technology, MMV. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, December 2005
Certified by: Silvio Micali, Professor, Thesis Supervisor
Accepted by: Arthur C. Smith, Chairman, Department Committee on Graduate Students
[MIT Libraries Archives stamp: JUL 1 2006]
Contents

List of Protocols
1 Introduction ........ 8
2 Basics ........ 16
  2.1 Notation and Assumptions ........ 16
  2.2 Computational Indistinguishability ........ 18
3 NIZK Models and Definitions ........ 20
  3.1 Non-interactive Proofs in the Trusted Setup Model ........ 20
  3.2 Adding the Zero Knowledge Property to NI Proofs ........ 22
  3.3 The Hidden Bits Model ........ 23
4 NIZK in the Public Parameter Model ........ 26
  4.1 Construction Based on a One-Way Function ........ 27
  4.2 One-Way Functions Are Necessary ........ 30
  4.3 Lower Bounds for Statistical NIZK ........ 32
5 NIZK in the Secret Parameter Model ........ 36
  5.1 Construction (Unconditional) ........ 37
6 NIZK in the Designated Verifier Model ........ 42
  6.1 Definition ........ 42
  6.2 Construction Based on Semantically-Secure Encryption ........ 44
  6.3 Application: Non-malleable Encryption ........ 48
7 Unique NIZK ........ 58
  7.1 Definition ........ 59
  7.2 Construction Based on Quadratic Residuosity ........ 60
Bibliography ........ 72
Index ........ 77

List of Protocols
27.1 NIZK Proof System in the Public Parameter Model ........ 27
37.1 NIZK Proof System in the Secret Parameter Model ........ 37
44.1 NIZK Proof System in the Designated Verifier Model ........ 44
52.1 Non-Malleable Encryption Scheme Π from a Designated Verifier NIZK ........ 52
62.1 uniZK Single Theorem Proof System for 3SAT ........ 62
Acknowledgments

So I was prepared actually for the possibility that the game theory work would not be regarded as acceptable as a thesis in the mathematics department...
John Nash, Nobel Prize Autobiography

I STARTED THIS WORK in the cave of ignorance. My advisor Silvio Micali pulled me out from that labyrinthous crypt and helped me parlay my potential into a degree. I sincerely appreciate his patience and long-term investment in me.
To my Master's thesis advisor Madhu Sudan, I too bestow gratitude, as he was an unruffled coach during my rookie at-bats against grammar compression.
I especially want to thank Rafael Pass for our prolific discussions, and Matt Lepinski, Chris Peikert and Vinod Vaikuntanathan for being top-ranker coauthors. My eonic experience at MIT owes much to my fellow toilers: Susan Hohenberger, Eric Lehman, Moses Liskov, Mike Rosenblum, Adam Smith, and office mates Sofya Raskhodnikova, Grant Wang, and Steve Weis. Kudos to Be Blackburn who brings humanity to the good people of our theory group.
Finally, there are three individuals who have borne the brunt of the burden of my moodiness during my painful enlightenment. These are my parents ANIL and ILA and my brother ANANG, who have all added their own harmonies to my life.
Please forgive me any omissions.
Abstract

In a ZERO-KNOWLEDGE PROOF [GMR85], Prover interactively convinces Verifier that theorem π is true in such a way that (a) a corrupt Prover cannot convince Verifier of a false theorem and (b) a corrupt Verifier cannot "learn" anything other than the fact that π is true. In a NON-INTERACTIVE ZERO-KNOWLEDGE PROOF [BFM88], the Prover must do the above by sending only a single message to Verifier! To make this possible, Prover and Verifier are not tabula rasa, but rather born with some setup information.
Much in the fashion of a musical ÉTUDE, in this thesis, we explore several variations on the setup assumptions for non-interactive zero-knowledge in order to enjoy a richer understanding.
Our labor brings forth
* various unconditional characterizations of computational and statistical NIZK proofs,
* new constructions that have practical applications to non-malleable encryption and CCA2 encryption,
* new constructions which form the building blocks of "fair" versions of interactive zero-knowledge and collusion-free multi-party computation protocols,
* and conceptual contributions which underlie the recent works on how cryptography can be used to achieve equilibrium in game theory.
1
Introduction

étude: a brief musical composition, usually for piano, fashioned to instruct an instrumentalist in a particular technical problem, such as scales or trills.

This thesis explores variations of the following scenario, first introduced in [BFM88]:
Prover has a theorem π and Verifier has curiosity but limited patience. Prover sends a single message to convince Verifier that π is true, but wishes to reveal no extra information other than the fact that π is true.
To keep it clean, honest parties should be able to prove theorems, a corrupt Prover should be unable to prove false theorems, and a corrupt Verifier should be unable to "tease" extra information about π or anything else from the proof.
The scenario is appealing, as it both mimics the common form of a proof while implementing its core function in a strikingly minimal way: nothing other than the fact that the theorem is true is revealed!
While in practice we often present proofs to deliberately convey extra understanding, there are also practical situations in which we prefer not to. Proving one's age via presentation of a driver's license, for example, often unnecessarily reveals an address. The issue becomes more important in the context of secure protocols, where proofs can be used to convince the other parties that everyone is honestly following the instructions. In such situations, zero-knowledge is critical to the protocol's security, and non-interactivity is critical for its efficiency. As a final point, non-interactivity can facilitate otherwise impossible tasks (we explore this point more in the last chapter).
Given the interest in said scenario, Blum, Feldman and Micali [BFM88] were the first to formalize it under the notion of non-interactive zero-knowledge (NIZK) proofs. The same authors also present a protocol which achieves the notion, albeit in a slightly tweaked model. In their construction, Prover and Verifier are given access to a common, randomly chosen binary string.
It has since been shown by Goldreich and Oren [GO94] that to achieve the strong notion of zero-knowledge in a non-interactive setting, some type of setup assumption is necessary. In other words, Prover and Verifier cannot be tabula rasa, but must instead be born with some information before the proof protocol begins.
Much in the fashion of a musical ÉTUDE, in this thesis, we explore several variations on the setup assumptions for non-interactive zero-knowledge in order to enjoy a richer understanding of the primitive. We begin our investigation by categorizing the known setup assumptions into two major groups.
Public Parameter Setup. In this model, also known as the Common Reference String Model, a string is "ideally" chosen according to some polynomial-time samplable distribution and made available to both the Prover and Verifier before the protocol. Such a setup can be used to select, say, safe primes, group parameters, or public keys for encryption schemes, etc. See for example [DAM00, CLOS02].
Notice that the originally proposed setup from [BFM88], the common random string model in which a uniformly random string is made available to both the Prover and Verifier, is a special case. Many NIZK schemes have been implemented in this model [SMP87, BFM88, FLS99, DMP88, BDMP91, KP98, DCO01].
Secret Parameter Setup. Cramer and Damgård [CD04] explicitly introduce the Secret Parameter setup model in which the Prover and Verifier obtain correlated (possibly different) private information before the protocol. More generally, the secret parameter model encompasses the pre-processing model in which the Prover and Verifier engage in an arbitrary interactive protocol, at the end of which both Prover and Verifier receive a private output. (This follows because any arbitrary protocol for pre-processing can be viewed as a polynomial-time sampler from a well-defined distribution.) Such a setup model is studied in [KMO89, DMP88, DAM93].
The above setup models can be implemented in a variety of ways, which may or may not require their own independent assumptions. (For example, secure two-party computation protocols can be used to pick a random string.) In this work, we sidestep the discussion of how trusted setups are implemented, and focus instead on the various implications of the two models.
We begin with a thorough characterization of the public parameter model.
Public Parameter Model
For computational NIZK in the public parameter model, we first show that one-way functions are both necessary and sufficient. The results in this section assume that Prover is unbounded (as is typical in the literature on characterizing the complexity of languages which admit zero-knowledge proofs).
Informal Theorem [Upper bound] If (non-uniform) one-way functions exist, then computational NIZK proof systems in the public parameter model exist for every language in AM.
Informal Theorem [Lower bound] The existence of computational NIZK systems in the public parameter model for a hard-on-average language implies the existence of (non-uniform) one-way functions.
Our upper bound improves on the construction of Feige, Lapidot, and Shamir [FLS99], which uses one-way permutations (albeit in the common random string model, whereas our construction requires a public parameter). Our lower bound, which applies to the weaker non-adaptive definition of zero-knowledge, was only known for interactive zero-knowledge proofs [OW93]. We therefore present a (quite) different and relatively simple direct proof for the case of NIZK in the public parameter model.
Notice that by combining these two main theorems, we obtain our first unconditional characterization of computational NIZK proofs in the public parameter model:
Either NIZK proofs exist only for "easy" languages (i.e., languages that are not hard-on-average), or NIZK proofs exist unconditionally for every language in AM (i.e., for every language which admits a non-interactive proof).
This type of "all-or-nothing" property was known for interactive zero-knowledge proofs, but not for NIZK, because prior constructions of NIZK relied on one-way permutations instead of one-way functions.
Statistical NIZK in the Public Parameter Model
We next turn our attention to statistical NIZK proofs for NP-complete languages. We show that such proofs are unlikely to exist, since unless the polynomial hierarchy collapses, NP is not contained in AM ∩ coAM [BHZ87].
Informal Theorem [Lower bound] In the public parameter model, non-interactive statistical (non-adaptive) zero-knowledge proof systems only exist for languages in AM ∩ coAM.
Previously, Aiello and Håstad [AH91] showed a similar type of lower bound for interactive zero-knowledge proofs. Although their results extend to the case of NIZK in the common random string model, they do not extend to the general public parameter model.¹ Indeed, our proof relies on different (and considerably simpler) techniques.
In the case of the stronger notion of statistical adaptive NIZK, we arrive at an even stronger result.
Informal Theorem [Lower bound] Non-interactive statistical adaptive zero-knowledge proof systems only exist for languages in BPP/1 (i.e., the class of languages decidable in probabilistic polynomial time with one bit of advice, which depends only on the length of the instance).
By an argument of Adleman, this in particular means that all languages which have statistical adaptive NIZK in the public-parameter model can be decided by polynomial-sized circuits.
We note that a similar strengthening for the non-adaptive case is unlikely, as statistical non-interactive zero-knowledge proof systems for languages which are conjectured to be "hard" are known (e.g., see [GMR98]).
Secret Parameter Model
One naturally suspects that the secret-parameter setup is more powerful than its public-parameter counterpart. Indeed, in game theory, a well-known result due to Aumann [AUM74] states that players having access to correlated secret strings can achieve a larger class of equilibria, and in particular better payoffs, than if they only share a common public string. This intuition does not mislead:
Informal Theorem [Upper bound] In the secret parameter model, non-interactive perfect zero-knowledge proofs exist unconditionally for all languages in AM.
This result is obtained by combining the work of [FLS99] with an adaptation of Kilian's work on implementing commitments using oblivious transfer [KIL88]. Previously, for general NP languages, only computational NIZK proof systems were known in the secret-parameter setup model [DMP88, FLS99, KMO89, DFN05]. Furthermore, these systems relied on various computational assumptions, such as the existence of one-way permutations. Recently, Cramer and Damgård [CD04] constructed statistical NIZK proofs in this model for specific languages related to discrete logarithms. (On the other hand, their results apply to an unbounded number of proofs, whereas ours do not.)
As a corollary of our result, we obtain a complete characterization of computational, statistical and perfect NIZK in the secret parameter model. Namely, we show that NIP = NIZK = NISZK = NIPZK = AM, where NIP denotes the class of languages having non-interactive proofs, and NIZK, NISZK and NIPZK denote the classes of languages having non-interactive computational, statistical and perfect zero-knowledge proofs respectively.
¹ This follows because the definition of zero-knowledge requires the simulator to output the random coins of the Verifier, and this is essential to the result in [AH91]. In contrast, the definition of NIZK in the Public Parameter model does not require the Simulator to output the random coins used by the trusted party to generate the public parameter.
Designated Verifiers: A Special Case of the Secret Parameter Model
Out of respect for chronology, and to honor the practice of theory, I shall mention that during the study of the secret parameter model, Rafael and I were excited to realize that the designated verifier model, as first described by [JSI96], was a special case. Because our results in the secret parameter model were so strong, it was natural to hope for similar phenomena in the designated verifier case.
A designated verifier proof system is one in which the Verifier receives secret information as well as any information given to the Prover. In other words, there is a public parameter, as well as a secret one given to the Verifier, and so only the designated Verifier can verify the proof.
To bring an air of practicality to the issue, notice that the Cramer-Shoup [CS98, CS02] CCA2 encryption scheme can be viewed as making use of designated verifier proofs which are based on specific number-theoretic assumptions. In Chapter 6, we are able to construct designated verifier non-interactive zero-knowledge proofs from any semantically-secure cryptosystem.
Informal Theorem Every semantically secure encryption scheme can be used to construct a designated verifier NIZK proof system for any language L ∈ NP.
At a high level, our approach is to crush a special zero-knowledge 3-round Σ-protocol for NP into a non-interactive proof. This task is quite easy, for example, if we assume the random-oracle model. However, to do so without any other complexity assumptions, we exploit the fact that many Σ-protocols only require the Verifier to send a single challenge bit. Thus, for any first message of such a Σ-protocol, there are only two possible Prover responses. The prover can therefore encrypt both responses using two separate encryption keys. In the designated-verifier model, we can give the verifier one of the decryption keys (as his secret information) to decrypt only one of the responses and check the proof. Note that Prover does not know which of the two decryption keys is given to Verifier. By repeating the same protocol enough times, this scheme can be proven sound.
Applications to Non-Malleable Encryption
It is a boon that our designated verifier proof system plays a delectable role in the construction of non-malleable encryption schemes (under CPA attacks).
The most basic goal of an encryption scheme is to guarantee the privacy of data. The notion of semantic security of an encryption scheme, as defined by Goldwasser and Micali [GM84], is the universally accepted formalization of the privacy of a public-key encryption scheme. Intuitively, semantic security guarantees that a ciphertext does not reveal anything about the message it conceals.
Non-malleability [DDN00], defined by Dolev, Dwork and Naor, is a stronger notion of security for encryption schemes. In addition to the privacy guarantee, non-malleability of an encryption scheme guarantees that it is infeasible to modify a ciphertext α into one, or many, other ciphertexts of messages related to the decryption of α. To be sure, it turns out that many semantically secure encryption schemes, including the original one proposed in [GM84], are easily malleable. Thus, non-malleability is a strictly stronger requirement than semantic security. Moreover, non-malleability is often times indispensable in practical applications. For example, no one would consider secure an electronic "sealed-bid" auction in which an adversary can consistently bid exactly one more dollar than the previous bidder!
The importance of non-malleability raises an important question:
Can any semantically secure encryption scheme be immunized against malleability attacks?
The seminal work of Dolev, Dwork and Naor answers this question affirmatively. They show how to perform such an "immunization" assuming the existence of trapdoor permutations. Subsequently, several other constructions of non-malleable encryption schemes have been presented under various number-theoretic assumptions, e.g. decisional Diffie-Hellman (DDH) [CS98] and quadratic residuosity [CS02]. Nevertheless, there exist some notable computational assumptions under which semantically secure encryption schemes exist, yet no non-malleable encryption schemes are known, e.g. computational Diffie-Hellman (CDH) and the worst-case hardness of various lattice problems [AD97, GGH97, REG05].
With our designated verifier proofs, however, we can immunize without any extra assumptions.
Informal Theorem Assume the existence of a semantically secure encryption scheme. Then there exists a non-malleable encryption scheme.
To be sure, the DDNLite [NAO03, DWO99, GL03] scheme also satisfies the original definition of non-malleability proposed in [DDN00]. However, the scheme we present satisfies an even stronger definition of non-malleability which we present in Chapter ??. Moreover, while it has been shown that neither the original definition of non-malleability for encryption nor the DDNLite scheme guarantees anything when the adversary is given several encryptions of messages instead of just one, we prove in Chapter ?? that our definition does compose in this way, and therefore our scheme satisfies a stronger property.
Unique Non-interactive Zero-Knowledge
In the final section of this thesis, we investigate a "dual" version of the designated Verifier model in which the Prover is given secret information.
In this model, we construct a novel type of NIZK system, uniZK, which guarantees that, for any x ∈ L, any prover, honest or malicious, can only produce a single uniZK proof for every witness he knows. In other words, we build a "one-witness, one-proof" non-interactive zero-knowledge proof system. As with the designated verifier system, our prover algorithm is efficient, and in contrast to all of the previous constructions, the proof system in this section can be used multiple times after the setup phase.
The issue of uniqueness in a cryptographic primitive has been addressed in various other contexts. Goldwasser and ?? show that a unique signature scheme implies the existence of a NIZK proof system. Verifiable decryption and encryption primitives also rely on some notion of uniqueness. Philosophically, it is interesting to consider proof systems which guarantee zero-knowledge while being so highly constrained.
APPLICATIONS OF uniZK Our interest in the "one-witness, one-proof" property stems from the question of when during a protocol player randomness is required for security.
Since the seminal work of Goldwasser and Micali [GM84], it is a sine qua non that secure protocols, and thus any zero-knowledge protocol, be it interactive or not, require the parties involved to use random coins.
Naively, one might consider constructing a minimally probabilistic system by replacing the probabilistic prover of any NIZK system with one who first chooses a short random seed for a pseudo-random function [GGM86] and acts deterministically ever after. However, while this would be conceptually simple to do, it would also be impossible for an efficient verifier to check that the prover indeed behaved in such a fashion instead of flipping new coins for each proof. Since nothing in cryptography is true unless it can be proven, what we need instead is for the Prover's determinism to be made universally verifiable.
The traditional method to prove a property of one's behavior is to use zero-knowledge proofs. But since zero-knowledge requires randomness itself, the classical cryptographic approach to achieving verifiable determinism does not work.
Instead, if it is known that each witness for a statement x ∈ L admits exactly one proof acceptable by the uniZK verifier, then we can indirectly guarantee that the Prover acts deterministically during a proof stage: he can only utter one proof if he only knows one witness! And in many contexts, it is the case that only one witness exists for a theorem.
SUBLIMINAL CHANNELS Just as NIZK proofs have been useful in larger protocols, uniZK proofs have found their use in protocols which aim to eliminate the steganographic or subliminal channels that are inherent in all known cryptographic protocols. Doing so has resulted in interactive zero-knowledge protocols which satisfy a stronger notion of "fairness" [LMS05B] and secure function evaluation protocols which limit the extent to which a coalition of corrupted players can use the messages of a protocol to plan their deviating strategies [LMS05A]. This latter concept of collusion-freeness has also found applications to game-theoretic scenarios in which it is crucial to prevent players from "signalling" one another in order to maintain incentive structures and equilibrium properties.
The Pedigree of These Results
The results in Chapters 4 and 5 appear in [PS05]. The results from Chapter 6 are a subset of the results presented in [PSV05]. Chapter 7 comes from results in [LMS05B] and [LMS05A].
2
Basics
In this chapter, we introduce the quintessential concepts of theoretical cryptography. Our discussion begins with computational assumptions, such as one-way functions and trapdoor permutations. In §2.2, we define computational indistinguishability of distributions.
2.1
Notation and Assumptions
We shall closely follow the notation introduced in [BDMP91] and [GMR88]. Let $\mathbb{N}$ be the set of integers. If $k \in \mathbb{N}$, then $1^k$ denotes the string consisting of the symbol 1 concatenated k times. A function $\mu(\cdot)$ from non-negative integers to reals is called negligible if for every constant $c > 0$ and all sufficiently large n, $\mu(n) < n^{-c}$. An efficient algorithm is a probabilistic algorithm running in expected polynomial time. If S is a probability space, then "$x \leftarrow S$" denotes the probabilistic algorithm consisting of choosing an element x at random according to S and returning x. If p is a predicate, then the notation "$x \leftarrow S \mid p(x)$" denotes the assignment consisting of choosing an element x at random according to S, and returning the first x such that p(x) is true. Let $S_1, S_2, \ldots$ be probability spaces; then the notation $\Pr[x_1 \leftarrow S_1;\, x_2 \leftarrow S_2;\, \ldots : p(x_1, x_2, \ldots)]$ denotes the probability that the predicate $p(x_1, x_2, \ldots)$ is true after the ordered execution of the assignments $x_1 \leftarrow S_1;\, x_2 \leftarrow S_2;\, \ldots$. If $S, T, \ldots$ are probability spaces, the notation $\{x \leftarrow S;\, y \leftarrow T;\, \ldots : (x, y, \ldots)\}$ denotes the new probability space over $\{(x, y, \ldots)\}$ generated by the ordered execution of the assignments $x \leftarrow S,\, y \leftarrow T, \ldots$.
One-way Functions
Intuitively, one-way functions are functions which are easy to compute, but computationally hard to invert. Here "easy" means achievable in polynomial time (in the size of the input), and "hard" means not achievable in polynomial time.
Definition 17.0 (One-way Function). A function $f: \{0,1\}^* \to \{0,1\}^*$ is called one-way if the following two conditions are true:
* Easy to compute: There exists a deterministic polynomial-time algorithm A such that on input x, A outputs f(x).
* Hard to invert: For every probabilistic polynomial-time algorithm A, every polynomial $p(\cdot)$, all sufficiently large n, and every auxiliary input $z \in \{0,1\}^*$,
$\Pr[x \leftarrow \{0,1\}^n;\, y \leftarrow A(f(x), z) : f(x) = f(y)] < \frac{1}{p(n)}.$
Trapdoor One-way Permutations
A collection of permutations with indices in J is a set $\{f_i : D_i \to D_i\}_{i \in J}$ such that each $f_i$ is 1-1 on the corresponding set $D_i$.
Such a collection is called a trapdoor permutation if there exist four probabilistic polynomial-time algorithms $(I, S, F, F^{-1})$ such that the following properties hold:
1. On input a security parameter $1^n$, the function I samples an index and a trapdoor such that for every integer n,
$\Pr[I(1^n) \in J_n \times \{0,1\}^*] > 1 - 2^{-n}.$
2. On input an index $\alpha \in J_n$, the function S almost uniformly samples the domain of $f_\alpha$. That is, for every integer n and $\alpha \in J_n$,
$\Pr[S(\alpha) \in D_\alpha] > 1 - 2^{-n}$
and, for every $x \in D_\alpha$,
$\Pr[S(\alpha) = x \mid S(\alpha) \in D_\alpha] = \frac{1}{|D_\alpha|}.$
3. Easy to evaluate: For every integer n, $i \in J_n$, and $x \in D_i$,
$\Pr[F(i, x) = f_i(x)] > 1 - 2^{-n}.$
4. Hard to invert: For every probabilistic polynomial-time algorithm A, every positive polynomial p and all sufficiently large n,
$\Pr[(i, t) \leftarrow I(1^n);\, x \leftarrow S(i) : A(i, f_i(x)) = x] < \frac{1}{p(n)}.$
5. Inverting with trapdoor:
$\Pr[F^{-1}(t, f_i(x)) = x] > 1 - 2^{-n}.$
Hard-on-average Language
Definition 17.1 (Hard-on-average Language). A language L is hard-on-average if there exists a p.p.t. sampling algorithm G such that for every non-uniform p.p.t. algorithm A, every polynomial $p(\cdot)$, and every sufficiently large n,
$\Pr[x \leftarrow G(1^n) : A(x) \text{ correctly decides whether } x \in L] < \frac{1}{2} + \frac{1}{p(n)}.$
2.2
Computational Indistinguishability
Imagine being asked to determine whether two n-bit strings are similar. Such a task is quite simple as long as n is not too big: simply compare the two inputs bit by bit.
Suppose now that you are asked to distinguish two sets, X and Y, of n-bit strings. Moreover, suppose that the sets are defined in such a way that they can only be accessed by (repeatedly) sampling an element from them. This might be the case, say, when X and Y represent physical processes which can only be observed. Thus, one can imagine the sets X and Y as black boxes, whose only interface consists of a button which, when pressed, outputs an element chosen according to some underlying (and unknown) probability distribution. In this case, how and when is it possible to determine whether the two sets are similar or not?
One approach to this problem is to determine the statistical difference between the two probability distributions. The statistical difference between two distributions X and Y is defined by $\sum_{a \in X \cup Y} |\Pr_X(a) - \Pr_Y(a)|$.
Example 18.1. Let $X_n$ be the probability distribution which assigns equal mass to all even numbers between 0 and $2^n$ and zero to all other values. Let $Y_n$ be the distribution which does the same to all even numbers between zero and $2^n - 1$. Thus, each outcome in $X_n$ occurs with probability $2^{-(n-1)}$ and each outcome of $Y_n$ occurs with probability $1/(2^{n-1} - 1)$. Letting $m = n - 1$, the statistical difference between $X_n$ and $Y_n$ is therefore
$\sum_{a = 2, 4, 6, \ldots, 2^n} |\Pr_{X_n}(a) - \Pr_{Y_n}(a)| = (2^m - 1)\left|2^{-m} - \frac{1}{2^m - 1}\right| + 2^{-m} = 2^{-m} + 2^{-m} = 2^{-(n-2)}.$
Using techniques from statistics, it is possible to show that if two sets have statistical difference γ, then by sampling the two distributions approximately $\gamma^{-1}$ times, it is possible to distinguish the two sets with high probability. Moreover, this experiment is essentially optimal, and so $\gamma^{-1}$ sets a fundamental lower bound on the amount of time it will take to distinguish such sets. Thus, for example, any experiment that distinguishes $X_n$ and $Y_n$ will require time on the order of $2^{n-2}$. To any observer who takes fewer samples, the two sets will be indistinguishable with high probability; we call such sets statistically indistinguishable.
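Example 18.1 carried out by computer, as an added example that is not part of the thesis: the statistical-difference sum is evaluated exactly over the union of the two supports, the two distributions of the example are constructed for general n, and, going one step beyond the text, the best single-event distinguishing advantage $\max_T |\Pr_X(T) - \Pr_Y(T)|$ is computed and seen to be half the statistical difference. Function names (statistical_difference, example_distributions, ...) are constructed here.

```python
"""Statistical difference of Example 18.1, computed exactly (constructed example)."""
from fractions import Fraction

def statistical_difference(px, py):
    """sum over a in supp(X) U supp(Y) of |Pr_X(a) - Pr_Y(a)|, with exact rationals.
    px, py map outcomes to probabilities; missing outcomes have probability 0."""
    zero = Fraction(0)
    return sum(abs(px.get(a, zero) - py.get(a, zero)) for a in set(px) | set(py))

def best_event_advantage(px, py):
    """max over events T of |Pr_X(T) - Pr_Y(T)|. The maximum is attained by
    T = {a : Pr_X(a) > Pr_Y(a)} and equals half the statistical difference."""
    zero = Fraction(0)
    support = set(px) | set(py)
    return sum(px.get(a, zero) - py.get(a, zero)
               for a in support if px.get(a, zero) > py.get(a, zero))

def example_distributions(n):
    """Constructed instance of Example 18.1: X_n uniform on the evens 2, 4, ..., 2^n
    (2^(n-1) outcomes), Y_n uniform on the evens 2, 4, ..., 2^n - 2 (2^(n-1) - 1 outcomes)."""
    x = {a: Fraction(1, 2 ** (n - 1)) for a in range(2, 2 ** n + 1, 2)}
    y = {a: Fraction(1, 2 ** (n - 1) - 1) for a in range(2, 2 ** n, 2)}
    return x, y

def example_difference(n):
    """Statistical difference of X_n and Y_n; the text's closed form is 2^-(n-2)."""
    x, y = example_distributions(n)
    return statistical_difference(x, y)

def samples_to_distinguish(n):
    """The gamma^-1 heuristic of the text: on the order of 2^(n-2) samples."""
    return 1 / example_difference(n)

if __name__ == "__main__":
    for n in range(3, 9):
        x, y = example_distributions(n)
        print(n, example_difference(n), best_event_advantage(x, y), samples_to_distinguish(n))
```

For n = 3 the sum is 3·|1/4 − 1/3| + 1/4 = 1/2, matching $2^{-(3-2)}$, and the best event is simply "the sample equals $2^n$", which only $X_n$ can produce, with advantage 1/4.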
Because our eventual goal is to understand what efficient algorithms are able to distinguish, we consider a more relaxed notion of closeness, which is computational indistinguishability. Roughly, we say that two sequences of probability distributions $\{X_k\}$ and $\{Y_k\}$ over finite binary strings are computationally indistinguishable if, as k grows large, no efficient algorithm can tell $X_k$ and $Y_k$ apart. Notice that this property is a consequence of $\{X_k\}$ and $\{Y_k\}$ being statistically indistinguishable, but it can also hold under certain well-defined mathematical assumptions. That is, it becomes infeasible to determine whether a given sample has been drawn from $X_k$ or $Y_k$, because all efficient experiments (i.e., those whose results we hope to "see in our lifetime") yield essentially identical results.
It is often useful to write computational indistinguishability in terms of general ensembles, i.e., probability distributions indexed by a countable subset I of $\{0,1\}^*$, using polynomial-size (distinguishing) circuits rather than polynomial-time (distinguishing) algorithms.¹
By $\nu(k)$ we denote some negligible function, i.e., one such that, for all $c > 0$ and all sufficiently large k, $\nu(k) < 1/k^c$.
Definition 19.1. Two ensembles $\{X_w\}_{w \in I}$ and $\{Y_w\}_{w \in I}$ with identical index set I are said to be computationally indistinguishable (over I) if for every polynomial-size circuit family $\{D_k\}_{k \in \mathbb{N}}$, every sufficiently large k, and every $w \in I \cap \{0,1\}^k$, we have
$|\Pr[D_k(X_w) = 1] - \Pr[D_k(Y_w) = 1]| < \nu(k).$
Lemma 19.1. If $\{A\}_k$ and $\{B\}_k$ are ensembles such that $\{A\}$ and $\{B\}$ are computationally indistinguishable and $F: \{0,1\}^* \to S$ is an efficiently computable function, then $F\{A\}$ and $F\{B\}$ are computationally indistinguishable. Furthermore, if $S$ is a finite set, then $F\{A\}$ and $F\{B\}$ are statistically close.
Proof. Assume for the sake of contradiction that $F\{A\}$ and $F\{B\}$ are distinguishable, that is,
there exists a distinguisher $D$ which distinguishes the two distributions. This
immediately implies that $A$ can be distinguished from $B$: simply run the
efficiently computable function $F$ on the sample, feed the result to $D$, and return
whatever $D$ computes. The advantage that $D$ has in distinguishing $F\{A\}$ from
$F\{B\}$ contradicts the computational indistinguishability of $A$ and $B$.
When $S$ is a finite set, suppose that the two distributions $F\{A\}$ and $F\{B\}$
are not statistically close, meaning that $\sum_{x \in A \cap B} |\Pr[x \in A] - \Pr[x \in B]| > p(k)$
for some polynomial $p(\cdot)$, where $k$ indexes the ensembles $A, B$. Since
the range of $F$ is finite, there exists some element $f \leftarrow F\{A\}$ for which
$|\Pr[f \leftarrow F\{A\}] - \Pr[f \leftarrow F\{B\}]| > p(k)/|S|$. This fact provides the basis
for a simple polynomial-time distinguisher for the ensembles $A, B$ which has
polynomial advantage. The distinguisher simply runs $F$ on its sample, and if the
resulting value is $f$, then it returns either $A$ or $B$ (depending on the sign of the
difference of the probabilities in the expression above). □
¹Recall that a polynomial-size circuit family is a sequence $\{D_k\}$ of combinatorial circuits with
AND and NOT gates, such that there exists a constant $d$ for which each $D_k$ has at most $k^d$ gates.
3 NIZK: Models and Definitions
A ZERO-KNOWLEDGE PROOF SYSTEM is a protocol between two parties, a Prover
and a Verifier, which guarantees three properties: honest parties can prove
true theorems; a malicious Prover cannot convince the Verifier to accept a false
theorem; a malicious Verifier cannot learn anything from an interaction beyond
the validity of the theorem.
Non-interactive zero-knowledge (NIZK) was proposed by Blum, Feldman,
and Micali [BFM88] to investigate the minimal interaction necessary for zero-knowledge proofs. To achieve the absolute minimal amount of interaction, that
is, a single message from the Prover to the Verifier, some setup assumptions are
provably necessary [GO94]. In this chapter, we define an abstracted notion of
a setup for NIZK. In the remaining chapters, we investigate the different setup
models by finding protocols and applications in them.
3.1 Non-interactive Proofs in the Trusted Setup Model
In the trusted setup model, every non-interactive proof system has an associated
distribution $\mathcal{D}$ over binary strings of the form $(s_V, s_P)$. During a setup phase, a
trusted party samples from $\mathcal{D}$ and privately hands the Prover $s_P$ and the Verifier
$s_V$. The Prover and Verifier then use their respective values during the proof
phase. We emphasize that the following definition only models single-theorem
proof systems (i.e., after setup, only one theorem of a fixed size can be proven).¹
Definition 20.1 (Non-Interactive Proofs in the Secret/Public Parameter Model).
A triple of algorithms $(\mathcal{D}, P, V)$ is called a non-interactive proof system in
the secret parameter model for a language $L$ if the algorithm $\mathcal{D}$ is probabilistic
polynomial-time, the algorithm $V$ is deterministic polynomial-time, and there
exists a negligible function $\mu$ such that the following two conditions hold:
* COMPLETENESS: For every $x \in L$,
$$\Pr[(s_V, s_P) \leftarrow \mathcal{D}(1^{|x|});\ \pi \leftarrow P(x, s_P) : V(x, s_V, \pi) = 1] > 1 - \mu(|x|).$$
* SOUNDNESS: For every $x \notin L$ and every algorithm $B$,
$$\Pr[(s_V, s_P) \leftarrow \mathcal{D}(1^{|x|});\ \pi' \leftarrow B(x, s_P) : V(x, s_V, \pi') = 1] < \mu(|x|).$$
If $\mathcal{D}$ is such that $s_V$ is always equal to $s_P$ then we say that $(\mathcal{D}, P, V)$ is in the
public parameter model.
¹While our definition only considers single-theorem proof systems, all of our results extend
also to proof systems for an a priori bounded number of fixed-size statements.
Remark 21.1. In our definition, as with the original one in [BFM88], the Verifier is
modeled by a deterministic polynomial-time machine. By a standard argument
due to Babai and Moran [BM88], this choice is without loss of generality since a
probabilistic Verifier can be made to run deterministically through repetition and
the embedding of the Verifier's random coins in the setup information.
Let NIP denote the class of languages having non-interactive proof systems.
For the rest of this paper, we distinguish the secret parameter model from the
public parameter model using the superscripts SEC and PUB respectively. We start
by observing that $\mathrm{NIP}^{\mathrm{PUB}}$ and $\mathrm{NIP}^{\mathrm{SEC}}$ are equivalent.
Lemma 21.1. $\mathrm{AM} = \mathrm{NIP}^{\mathrm{PUB}} = \mathrm{NIP}^{\mathrm{SEC}}$.
For completeness, we provide a proof of this result below.
Proof. The lemma follows from the next three claims.
Claim 21.1. $\mathrm{AM} \subseteq \mathrm{NIP}^{\mathrm{PUB}}$.
Proof. Let $(A, M)$ be an Arthur-Merlin protocol for a language $L$. Consider
the following $\mathrm{NIP}^{\mathrm{PUB}}$ protocol $(\mathcal{D}, P, V)$ for $L$. Let $\mathcal{D}$ be defined according
to $A$'s first message. (Note that since $(A, M)$ is a public-coin protocol, this
first message is independent of the statement.) Let $P = M$ and let $V(x, s_V, \pi)$
be defined according to $A$'s decision procedure given random coins $s_V$, theorem
$x$, and message $\pi$. The completeness and soundness follow directly from the
definition of $(A, M)$; thus we conclude that $L \in \mathrm{NIP}^{\mathrm{PUB}}$. □
Claim 21.2. $\mathrm{NIP}^{\mathrm{PUB}} \subseteq \mathrm{NIP}^{\mathrm{SEC}}$.
Proof. The claim follows directly from the definition. □
Claim 21.3. $\mathrm{NIP}^{\mathrm{SEC}} \subseteq \mathrm{AM}$.
Proof. Let $(\mathcal{D}, P, V)$ be a $\mathrm{NIP}^{\mathrm{SEC}}$ protocol for the language $L$. Define the IP[2]
protocol $(P', V')$ as follows. On input $x$, $V'$ runs $\mathcal{D}(1^{|x|})$ to generate $(s_V, s_P)$
and sends $s_P$ to $P'$. Then, $P'$ runs $P(x, s_P)$ and sends the resulting proof $\pi$ to
$V'$. Finally, $V'$ accepts iff $V(x, s_V, \pi)$ accepts. The soundness and completeness
follow directly. By combining the results of Goldwasser and Sipser [GS86] and
Babai and Moran [BM88], we conclude that $L$ is in AM. □
3.2 Adding the Zero Knowledge Property to NI Proofs
We next introduce non-interactive zero-knowledge proofs. In the original non-adaptive definition of zero-knowledge from [BFM88], there is one simulator
which, after seeing the statement to be proven, generates both the public string
and the proof at the same time. In a later adaptive definition from [FLS99], there
are two simulators, the first of which must output a string before seeing any
theorems. The stronger adaptive definition guarantees zero-knowledge even when
the statements are chosen after the trusted setup has finished.² Here, we choose
to present a weaker (and simpler) adaptive definition similar to the one used
in [CD04]. The main reasons for this choice are that (a) a weaker definition
only strengthens our lower bounds and (b) our definition is meaningful also for
languages outside of NP, whereas the definitions of [FLS99, GOL04] only apply
to languages in NP. Nevertheless, we mention that for languages in NP, our
upper bounds (and of course the lower bounds) also hold for the stricter adaptive
definitions of [FLS99, GOL04].
Finally, we mention that the definitions still assume the Prover is unbounded.
In later chapters, we shall present new definitions specially tailored to the case
when the Prover algorithm is not unbounded.³
Definition 22.1 (Non-Interactive Zero-Knowledge in the Secret/Public Parameter
Model). Let $(\mathcal{D}, P, V)$ be a non-interactive proof system in the secret (public)
parameter model for the language $L$. We say that $(\mathcal{D}, P, V)$ is non-adaptively
zero-knowledge in the secret (public) parameter model if there exists a p.p.t.
simulator $S$ such that the following two ensembles are computationally indistinguishable by polynomial-sized circuits (when the distinguishing gap is a function
of $|x|$):
$$\{(s_V, s_P) \leftarrow \mathcal{D}(1^n);\ \pi \leftarrow P(s_P, x) : (s_V, \pi)\}_{x \in L} \qquad \{(s_V', \pi') \leftarrow S(x) : (s_V', \pi')\}_{x \in L}$$
We say that $(\mathcal{D}, P, V)$ is adaptively zero-knowledge in the secret (public)
parameter model if there exist two p.p.t. simulators $S_1, S_2$ such that the
following two ensembles are computationally indistinguishable by polynomial-sized circuits.
$$\{(s_V, s_P) \leftarrow \mathcal{D}(1^n);\ \pi \leftarrow P(s_P, x) : (s_V, \pi)\}_{x \in L} \qquad \{(s_V', aux) \leftarrow S_1(1^n);\ \pi' \leftarrow S_2(x, aux) : (s_V', \pi')\}_{x \in L}$$
We furthermore say that $(\mathcal{D}, P, V)$ is perfect (statistical) zero-knowledge if the
above ensembles are identically distributed (statistically close).
For notation purposes, we will use NIZK, NISZK, and NIPZK to denote the
class of languages having computational, statistical, and perfect non-interactive
zero-knowledge proof systems respectively.
²One might also study an adaptive notion of soundness for non-interactive proofs. We do
not pursue this line since every sound non-interactive proof system can be made adaptively sound
via parallel repetition.
³We will still only consider proofs where soundness must hold against unbounded adversaries.
3.3 The Hidden Bits Model
We shall find it useful in Chapters 4 and 5 to use the "hidden bits" model as
described in [FLS99]. In this model, the Prover and Verifier share a hidden string
$R$, which only the Prover can access. Additionally, the Prover can selectively
reveal to the Verifier any portion of the string $R$. Informally, a proof in the
hidden bits model consists of a triplet $(\pi, R_I, I)$ where $I$ is a sequence of indices,
$I \subseteq \{1, 2, \ldots, |R|\}$, representing the portion of $R$ that the prover wishes to reveal
to the verifier, $R_I$ is the substring of $R$ indexed by $I$, and $\pi$ is a proof string. $I$ is
often called the set of revealed bits and $\pi$ is often called the certificate.
A formal definition from Goldreich [GOL01] is presented below.
Definition 23.1 (Non-interactive zero-knowledge Proofs in the Hidden Bits
Model). A pair of machines $(P, V)$ is called a non-interactive proof system
in the Hidden Bits model for a language $L$ if the machine $V$ is deterministic
polynomial-time and the following three conditions hold:
* COMPLETENESS: For every $x \in L$,
$$\Pr[V(x, \pi, I, R_I) = 1] > 1 - \mu(|x|)$$
where $(\pi, I) \leftarrow P(x, R)$, $R$ is a random variable uniformly distributed in
$\{0,1\}^{\mathrm{poly}(|x|)}$, and $R_I$ is the substring of $R$ at positions $I \subseteq \{1, 2, \ldots, \mathrm{poly}(|x|)\}$.
That is, $R_I = r_{i_1}, \ldots, r_{i_n}$ and $I = (i_1, \ldots, i_n)$.
* SOUNDNESS: For every $x \notin L$ and every algorithm $B$,
$$\Pr[V(x, \pi, I, R_I) = 1] < \mu(|x|)$$
where $(\pi, I) \leftarrow B(x, R)$, $R$ is a random variable uniformly distributed in
$\{0,1\}^{\mathrm{poly}(|x|)}$, and $R_I$ is the substring of $R$ at positions $I \subseteq \{1, 2, \ldots, \mathrm{poly}(|x|)\}$.
* ZERO-KNOWLEDGE: Zero-knowledge is defined as in Definition 22.1 except
that every occurrence of $(s_V, \pi)$ should be replaced by $\{\pi, I, R_I\}_{x \in L}$.
The following theorem is shown by Feige, Lapidot and Shamir.
Theorem 23.1 ([FLS99]). There exists a non-interactive perfect zero-knowledge proof
system in the hidden bits model for any language in NP.
By using the standard technique of transforming an AM proof into the
NP statement that "there exists a short Prover message which convinces the
polynomial-time Verifier," their result can be extended to any language in AM as
follows.
Theorem 24.1. There exists a non-interactive perfect zero-knowledge proof system in
the hidden bits model for any language in AM.
Proof. Let $(A, M)$ be an Arthur-Merlin protocol for a language $L$ in AM. We
construct a non-interactive perfect zero-knowledge proof system $(P, V)$ in the
hidden bits model for $L$ as follows. The Prover $P$ proceeds as follows:
1. Split the hidden string $R$ into two parts $R_1, R_2$.
2. Compute the message $\pi = A(x, R_1)$ (the message that $A$ would have sent
$M$ on input $R_1$).
3. Reveal $R_1$ to the Verifier.
4. Use $R_2$ with a non-interactive perfect zero-knowledge proof system $(P', V')$
in the hidden bits model to prove the following NP statement: "There
exists a message $\pi$ such that $A_{R_1}(x, \pi)$ accepts" (where $A_{R_1}$ denotes the
output of $A$ with random coins fixed to $R_1$). By Theorem 23.1, such a
system $(P', V')$ exists.
Completeness and soundness follow from the properties of the non-interactive
perfect zero-knowledge protocol used in Step 4. To show that this protocol is
zero-knowledge, we describe a simulator that proceeds as follows. First, randomly
choose a string $R_1'$, and then run the simulator $S'$ for $(P', V')$ to produce
$(\pi', R'_{I'}, I')$, a simulated proof for the statement in Step 4. Let $I$ denote the
indices of revealed bits and set it to the union of $[1, \ldots, |R_1'|]$ (to include all the
revealed bits for $R_1'$) and $I'$ (to include all of the revealed bits in the simulated
proof). Let $R_I$ denote the openings for the bits revealed and set it to the union of
$R_1'$ and $R'_{I'}$. It follows from the facts that $R_1'$ is uniformly chosen and that $S'$
produces a perfect simulation, that the simulation by $S$ is perfect. □
4 NIZK in the Public Parameter Model
IN THIS CHAPTER, we restrict our study to the simplest setting in which only a
single theorem is proven in the public parameter model. Also, we consider
security against unbounded provers. (That is, we consider proof systems as
opposed to argument systems.) Following similar studies in the interactive
setting (see for example [AD99, SV03, VAD04]), we allow the honest prover
algorithm to be inefficient (although some of our constructions have efficient
prover algorithms for languages in NP).
Our investigation also considers both adaptive and non-adaptive definitions
of zero-knowledge for non-interactive proofs. Briefly, the difference between
these two is that the adaptive variant guarantees that the zero-knowledge property
holds even if the theorem statement is chosen after the trusted setup has finished,
whereas the non-adaptive variant does not provide this guarantee. The first two
sections of this chapter establish that one-way functions are both sufficient for
computational NIZK protocols in this model, and are necessary to construct
protocols for any non-trivial languages. By combining these two results, we
obtain the following unconditional characterization of NIZK:
Either $\mathrm{NIZK}^{\mathrm{PUB}}$ only contains "easy" languages (i.e., languages that
are not hard-on-average), or it "hits the roof" (i.e., contains all of
AM).
We remark that such an all-or-nothing property was not possible before since the
only constructions required one-way permutations instead of functions. Finally,
in §4.3, we show various lower bounds for the case of statistical NIZK in this
model.
4.1 Construction Based on a One-Way Function
We show how to implement the hidden bits model in the public-parameter model
based on a one-way function. Recall that [FLS99] implements the hidden bits
model using a one-way permutation and a hard-core predicate. The reason for
using a one-way permutation is to give the Prover a short certificate for opening
each bit in only one way (the certificate being the pre-image of the one-way
permutation). A similar technique fails with one-way functions since a string
may have either zero or many pre-images, and therefore a malicious Prover may
be able to open some hidden bits as either zero or one.
Another approach would be to use a one-way function in order to construct a
pseudo-random generator [HILL99], and then to represent a 0 value as a pseudo-random string and a 1 as a truly random string (in some sense, this technique is
reminiscent of the one used by Naor for bit commitment schemes from pseudo-random generators [NAO91]). The Prover can thus open a 0 value by revealing
a seed to the pseudo-random string. However, there is no way for the Prover to
convince a Verifier that a string is truly random.
We overcome this problem by forming a reference string consisting of pairs
of $2k$-bit strings $(\alpha, \beta)$ in which exactly one of the two strings is pseudo-random
while the other is truly random. More precisely, the 0-value is encoded as a pair
in which $\alpha$ is generated pseudo-randomly by expanding a $k$-bit seed into a $2k$-bit
string, while $\beta$ is chosen uniformly at random from $\{0,1\}^{2k}$. The 1-value is
encoded the opposite way: $\alpha$ is chosen randomly, while $\beta$ is generated pseudo-randomly. The Prover can now reveal a 0 or a 1 by revealing the seed for either $\alpha$
or $\beta$.
Lemma 27.1. Assume the existence of one-way functions. Let $(P, V)$ be a non-interactive (adaptive) zero-knowledge proof system for the language $L \in \mathrm{NP}$ in the
hidden bits model. If $P$ is an efficient prover, then there exists a non-interactive
(adaptive) zero-knowledge proof system $(P', V')$ for the language $L$ in the public
parameter model.
Proof. Let $(P, V)$ be an NIZK proof system in the hidden bits model, let $G: \{0,1\}^k \to \{0,1\}^{2k}$ be a pseudo-random generator and let $L \in \mathrm{NP}$ be a language
with witness relation $R_L$. Consider Protocol 27.1.
PROTOCOL 27.1: NIZK PROOF SYSTEM IN THE PUBLIC PARAMETER MODEL
Common Input: an instance $x \in L$ and a security parameter $1^n$
Public Parameter set-up: $s \leftarrow \mathcal{D}(1^n)$, where $\mathcal{D}$ proceeds as follows:
1. Select $m$ random bits $\sigma = \sigma_1, \ldots, \sigma_m$.
2. For each $i \in [1, m]$, generate two strings $\alpha_i$ and $\beta_i$ as follows:
$\alpha_i \leftarrow G(v_i)$, where $v_i$ is a uniformly chosen string of length $k$, and $\beta_i \leftarrow \{0,1\}^{2k}$.
3. Let $\tau_i = (\alpha_i, \beta_i)$ if $\sigma_i = 1$, and $\tau_i = (\beta_i, \alpha_i)$ otherwise.
4. Output $s = \tau_1, \ldots, \tau_m$.
Prover's algorithm: On input $x, s$,
1. Compute $R = \sigma_1, \ldots, \sigma_m$ from $s$ by the following procedure.
Parse $s$ into $m$ pairs $(a_1, b_1), \ldots, (a_m, b_m)$. For each pair $(a_i, b_i)$,
determine (in exponential time) which of $a_i$ or $b_i$ is
pseudo-random (i.e., in the range of $G$). In the former case, set
$\sigma_i = 0$, and in the latter, $\sigma_i = 1$, and let $v_i$ denote the seed used
to generate the pseudo-random value. If both $a_i$ and $b_i$ are in the
range of $G$, then output abort.
2. Compute the lexicographically first witness $w$ satisfying $R_L(x, w)$.
3. Run the Prover algorithm $(\pi, R_I, I) \leftarrow P(x, w, R)$. Recall that
the set $R_I$ consists of bits $\{r_i \mid i \in I\}$ and $I$ consists of indices in
$[1, m]$.
4. Output $(\pi, R_I, I, \{v_i \mid i \in I\})$.
Verifier's algorithm: On input $(x, \pi, R_I, I, \{v_i \mid i \in I\})$,
1. Verify each opening in $R_I$ is consistent with $s$ and $v_i$. Parse $s$ into
$m$ pairs $(a_1, b_1), \ldots, (a_m, b_m)$. For each $i \in I$, run $t \leftarrow G(v_i)$;
if $t = a_i$, set $\sigma_i = 1$; if $t = b_i$, then set $\sigma_i = 0$ (if neither
or both conditions are met, then reject the proof). Finally, verify
that $r_i = \sigma_i$.
2. Run the Verifier algorithm $V(x, \pi, R_I, I)$ and accept iff $V$
accepts.
COMPLETENESS. Completeness follows from the corresponding completeness of
$(P, V)$ and the fact that $P'$ aborts only with negligible probability.
SOUNDNESS. Assume for the moment that a cheating prover $P'^*$ is only able to
open $R$ in one manner. In this case, the soundness of $(P, V)$ carries over to
$(P', V')$ in the same way as in Lemma 36.1. All that remains is to show that $R$
can only be opened in one way. Below, we argue that this happens with high
probability.
Note that there are at most $2^n$ pseudo-random strings in $G$'s support.
On the other hand, there are $2^{2n}$ strings of length $2n$. Therefore, a randomly
sampled length-$2n$ string will be pseudo-random with probability at most $2^{-n}$.
Thus, for any pair $(a_i, b_i)$, the probability that both values are pseudo-random is
at most $2^{-n}$. By the union bound, the probability that there is one such pair in $s$
is upper-bounded by $n 2^{-n}$.
ZERO-KNOWLEDGE. We present a simulator $S' = (S_1, S_2)$ for $(\mathcal{D}, P', V')$ which
uses the simulator $S$ for $(P, V)$ as a subroutine. First, $(s, aux) \leftarrow S_1(1^n)$
generates $s$ as a sequence of pairs $(\alpha_i, \beta_i)$ in which both $\alpha_i$ and $\beta_i$ are pseudo-random. The $aux$ value contains all of the seeds $u_i, w_i$ for the pseudo-random
values $\alpha_i$ and $\beta_i$ respectively. The simulator $S_2$ works by running simulator $S(x)$
to generate $(\pi', R_I, I) \leftarrow S(x)$ and then outputting $(\pi', R_I, I, \{v_i' \mid i \in I\})$
where $v_i'$ equals $u_i$ if $r_i = 0$ and $w_i$ otherwise. In order to show the validity of
the simulation, consider the following four hybrid distributions.
* Let $H_1$ denote the ensemble $(s, \pi)$ in which the honest Prover runs on a
string $s$ generated according to $\mathcal{D}$.
* Let $H_2$ denote the output of the above experiment with the exception that
$\mathcal{D}$ provides all pre-images $\{v_i\}$ to an efficient prover algorithm $P_{\mathrm{eff}}$ which
also receives the lexicographically first witness $w$ for $x$ and then only runs
Steps 3 and 4 of $P'$'s algorithm.
* Let $H_3$ denote the output of the second experiment with the exception that
$s$ is generated by $S_1(1^n)$, and that furthermore, $S_1(1^n)$ gives either $u_i$ or
$w_i$ (randomly chosen) to $P_{\mathrm{eff}}$ for all $i \in [1, m]$.
* Let $H_4$ denote the output of the third experiment with the exception that
$\pi$ is generated by $S_2(x, aux)$ and $u_i, w_i$ in $aux$ is given to $P_{\mathrm{eff}}$. Notice that
this distribution corresponds exactly to the output of $S'$.
In order to show the validity of the simulation, we need to show that $H_1$ and
$H_4$ are indistinguishable. First, notice that $H_1$ and $H_2$ are identically distributed.
The two claims below combined with the triangle inequality complete the proof.
Claim 29.1. $H_2$ is computationally indistinguishable from $H_3$.
Proof. Suppose, for contradiction, that the efficient algorithm $D_3$ distinguishes
$H_2$ and $H_3$. We construct a new (non-uniform) distinguisher $D_3'$ which
distinguishes between an $n$-tuple of pseudo-random strings and an $n$-tuple of
random strings (a standard hybrid between these two $n$-tuples can then be used
to contradict the pseudo-randomness of $G$). The non-uniform $D_3'$ proceeds as
follows (given the statement $x$ and the lexicographically first witness $w$ as advice):
On input an $n$-tuple $q = (q_1, \ldots, q_n)$, execute the experiment defined in $H_2$, but
replace the truly random values in each pair of $s$ generated by $\mathcal{D}$ by the $n$ values
in $q$. In other words, if in the $i$th pair $(a_i, b_i)$, say, $a_i$ was pseudo-random, then
replace $b_i$ with $q_i$. Finally, $D_3'$ runs the distinguisher $D_3$ on the output of the
experiment.
We start by observing that if $q$ is pseudo-random, then the output of the
experiment run by $D_3'$ is identically distributed to $H_3$. On the other hand, if $q$ is
truly random, then the same is identically distributed to the experiment in $H_2$.
Therefore, $D_3'$ distinguishes $n$-tuples of pseudo-random values from $n$-tuples of
truly random values with the same advantage as $D_3$. □
Claim 30.1. $H_3$ is computationally indistinguishable from $H_4$.
Proof. Suppose, for contradiction, that the efficient algorithm $D_4$ distinguishes
$H_3$ and $H_4$. We construct a new distinguisher $D_4'$ which breaks the zero-knowledge property of $(P, V)$. On input $(x, \pi, R_I, I)$, $D_4'$ executes the
experiment in $H_3$, and runs $D_4$ on the output from that experiment, with the
exception that the proof is replaced with $(x, \pi, R_I)$ and an opening set $\{v_i\}$ is
generated for $R_I$ using the values provided by $S_1$ in the $H_3$ experiment. Notice
that if the input comes from the simulator $S$, then the output of this distribution
corresponds exactly to $H_4$. On the other hand, if the input comes from a
real Prover, then the distribution corresponds to $H_3$. Therefore, $D_4'$ breaks the
simulator $S$ with the same advantage as $D_4$. □
Remark 30.1. Note that we explicitly require two properties from the NIZK proof
system $(P, V)$ in the hidden bits model: first, that $P$ is an efficient Prover,
and secondly, that the zero-knowledge property is defined for non-uniform
distinguishers. Both of these requirements stem from the fact that the Prover
in our new protocol is unbounded, which creates complications in the hybrid
arguments. We thus obtain the following characterization:
Theorem 30.1. If (non-uniform) one-way functions exist, then for both adaptive and
non-adaptive definitions of zero-knowledge, $\mathrm{NIZK}^{\mathrm{PUB}} = \mathrm{NIP}^{\mathrm{PUB}} = \mathrm{AM}$.
Proof. By Thm. 23.1 and Lemma 27.1, $\mathrm{NP} \subseteq \mathrm{NIZK}^{\mathrm{PUB}}$. Using techniques from
the proof of Thm. 24.1, we can extend this result to show that $\mathrm{AM} \subseteq \mathrm{NIZK}^{\mathrm{PUB}}$.
By definition, $\mathrm{NIZK}^{\mathrm{PUB}} \subseteq \mathrm{NIP}^{\mathrm{PUB}}$. Finally, by Lemma 21.1, $\mathrm{NIP}^{\mathrm{PUB}} = \mathrm{AM}$. □
4.2 One-Way Functions Are Necessary
We proceed to show that (non-uniform) one-way functions are necessary for non-interactive zero-knowledge for "hard" languages. This stands in contrast to the
secret parameter model where unconditional results are possible.
Theorem 30.2. If there exists a non-adaptive NIZK proof system for a hard-on-average language $L$, then (non-uniform) one-way functions exist.
Proof. Let $(\mathcal{D}, P, V)$ be a non-adaptive NIZK system for $L$ in the public
parameter model and let $S$ be the simulator for $(P, V)$. Furthermore, suppose
that $L$ is hard-on-average for the polynomial-time samplable distribution $G$.
Now, consider the following two distributions:
$$\{(s_V, s_P) \leftarrow \mathcal{D}(1^n);\ x \leftarrow G(1^n) : (x, s_V)\} \tag{4.1}$$
$$\{x \leftarrow G(1^n);\ (s_V, \pi) \leftarrow S(x, 1^n) : (x, s_V)\} \tag{4.2}$$
We show that the above distributions are (non-uniformly) computationally
indistinguishable, but statistically "far". By a result of Goldreich [GOL90] (relying
on [HILL99]) the existence of such distributions implies the existence of (non-uniform) one-way functions.
Claim 31.1. The distributions (4.1) and (4.2) are computationally indistinguishable.
Proof. We first note that conditioned on $x$ being a member of the language $L$, the
above distributions are computationally indistinguishable by the zero-knowledge
property of $(P, V)$. It then follows from the hardness of $L$ that the above
distributions must be computationally indistinguishable, even without this
restriction.
We proceed to give a formal proof for the above intuition, by closely following
[VAD99] (see Claim 4.8.7 therein), which provides a proof for a similar statement.
Let the joint random variable $(X_3, S_3)$ be distributed according to distribution
(4.1). Analogously, let the joint random variable $(X_4, S_4)$ be distributed
according to (4.2). Consider any non-uniform probabilistic polynomial-time
distinguisher $D$. We show that the following expression is negligible:
$$|\Pr[D(X_3, S_3) = 1] - \Pr[D(X_4, S_4) = 1]|.$$
For ease of notation, we abbreviate the conditional probability
$\Pr[D(X_i, S_i) = 1 \mid X_i \in L]$ as $[D_i \mid X_i \in L]$. Thus, the above expression
can be written as
$$\begin{aligned}
|D_3 - D_4| &= \big|([D_3 \mid X_3 \in L] + [D_3 \mid X_3 \notin L]) - ([D_4 \mid X_4 \in L] + [D_4 \mid X_4 \notin L])\big| \\
&= \big|([D_3 \mid X_3 \in L] - [D_4 \mid X_4 \in L]) + ([D_3 \mid X_3 \notin L] - [D_4 \mid X_4 \notin L])\big| \qquad (*)
\end{aligned}$$
Recall that the zero-knowledge property of $(P, V)$ guarantees that
$$\big|[D_3 \mid X_3 \in L] - [D_4 \mid X_4 \in L]\big| < \mu(n)$$
for some negligible function $\mu(n)$. Therefore, by substituting and adding a
positive amount to the right side, and for some negligible function $\mu'(n)$, we
can rewrite $(*)$ as
$$\begin{aligned}
|D_3 - D_4| &\le \mu(n) + ([D_3 \mid X_3 \notin L] - [D_4 \mid X_4 \notin L]) + (\mu(n) - [D_3 \mid X_3 \in L] + [D_4 \mid X_4 \in L]) \\
&\le 2\mu(n) + ([D_3 \mid X_3 \notin L] - [D_3 \mid X_3 \in L]) + ([D_4 \mid X_4 \in L] - [D_4 \mid X_4 \notin L]) \\
&\le 2\mu(n) + 2\mu'(n)
\end{aligned}$$
where the last inequality follows from the fact that $L$ is hard-on-average, and so
any polynomial-time distinguisher has at most $\mu'(n)$ advantage in deciding an
element which has been sampled from $G(1^n)$. □
Claim 32.1. The distributions (4.1) and (4.2) are not statistically indistinguishable.
Proof. We show that the distributions (4.1) and (4.2) are statistically "far"
conditioned on instances $x \notin L$. It then follows from the fact that $L$ is roughly
balanced over $G$ (due to the hard-on-average property of $L$ over $G$) that (4.1) and
(4.2) are statistically "far" apart.
Note that on instances $x \notin L$, the soundness property of $(P, V)$ guarantees
that very few strings generated by $\mathcal{D}$ have proofs which are accepted by the
Verifier (otherwise, a cheating prover can, in exponential time, find such proofs
and thereby violate the soundness condition). On the other hand, since $L$ is
hard-on-average, and since $S$ runs in polynomial time, most of the strings $s_V$
generated by $S$ have proofs which are accepted by $V$ (otherwise, $S$ can be used
to decide $L$). Therefore, the distributions (4.1) and (4.2) are statistically far apart,
conditioned on instances $x \notin L$. □
4.3 Lower bounds for Statistical NIZK
In this section we present severe lower bounds for the class of statistical NIZK in
the public parameter model. (This stands in stark contrast to the secret parameter
model, where statistical NIZK can be obtained for all of AM.) We first present
a lower bound for statistical NIZK under the non-adaptive definition of zero-knowledge. We thereafter sharpen the bound under the more restrictive adaptive
definition.
The Non-Adaptive Case
In analogy with the result by [AH91] for interactive zero-knowledge, we show that
only languages in the intersection of AM and coAM have statistical NIZK proof
systems in the public parameter model.
Theorem 32.1. If $L$ has a statistical non-adaptive NIZK proof system in the public
parameter model, then $L \in \mathrm{AM} \cap \mathrm{coAM}$.
Proof. Let $(\mathcal{D}, P, V)$ be a statistical NIZK proof system in the public parameter model
for the language $L$ with simulator $S$. We show that $L \in \mathrm{AM}$ and that $L \in \mathrm{coAM}$.
The former statement follows directly from Lemma 21.1. To prove the latter one,
we present a two-round proof system for proving $x \notin L$. (Note that by the results
of [GS86, BM88] it is sufficient to present a two-round private-coin proof system.)
Verifier Challenge:
1. Run the simulator $(\sigma_0, \pi') \leftarrow S(x)$ and the sampling algorithm
$\sigma_1 \leftarrow \mathcal{D}(1^{|x|})$ to generate public parameter strings $\sigma_0$ and $\sigma_1$.
2. Run $V$ on input $(\sigma_0, \pi')$ to check if the honest verifier accepts the
simulated proof. If $V$ rejects, then output "accept" and halt.
3. Otherwise, flip a coin $b \in \{0, 1\}$ and send $\sigma = \sigma_b$ to the prover.
The Prover response:
1. Upon receiving an input string $\sigma$, check if there exists a proof $\pi$ which
the honest verifier $V$ accepts (i.e., $V(x, \sigma, \pi) = 1$).
2. If so, output $\beta = 0$; otherwise, output $\beta = 1$.
The Verifier acceptance condition:
1. Upon receiving string $\beta$,
output "accept" if $\beta = b$, and reject otherwise.
COMPLETENESS. We show that if $x \notin L$, then the Prover (almost) always convinces
the Verifier. If the Verifier sent the string $\sigma_0$, the Prover always responds with
$\beta = 0$, which makes the Verifier always accept. This follows since the Verifier
only sends $\sigma_0$ if the simulated proof was accepting, which implies that there is at
least one accepting proof of $x \in L$ for $(P, V)$. If the Verifier sent the string $\sigma_1$,
then by the soundness of $(P, V)$, the probability (over the coins of the Verifier)
that there exists a proof for $x \in L$ is negligible. Therefore, except with negligible
probability, the Prover responds with $\beta = 1$ and the Verifier accepts.
SOUNDNESS. Intuitively, this protocol relies on the same logic as the graph non-isomorphism protocol. If $x \in L$, then the (exponential time) Prover cannot
distinguish whether $\sigma$ was generated by the simulator or by the sampler $\mathcal{D}$,
and therefore can only convince the Verifier with probability 1/2. This follows
from the statistical zero-knowledge property of $(P, V)$. It only remains to show
that the probability (over the random coins of the Verifier) that the Verifier
accepts statements $x \in L$ in step (2), without further interaction, is negligible.
This follows from the zero-knowledge (and completeness) property of $(P, V)$.
Otherwise, $V$ would distinguish between simulated proofs and real ones (since
by completeness, the honest prover $P$ succeeds with high probability). □
Remark 33.1. Using techniques from the proof of Thm. 32.1, one can show that
the class $\mathrm{NISZK}^{\mathrm{PUB}}$ reduces to the problem of Statistical Difference, which is
complete for SZK [SV03].¹ Thus, an alternative way to prove this theorem would
be to present such a reduction and then invoke the results of [AH91].
¹This should be contrasted with Statistical Difference from Random and Image Density,
which are the complete problems for NISZK in the Common Random String model. These
problems are not known to be reducible to Statistical Difference.
The Adaptive Case
In this section we sharpen our results from the previous section by showing that
under the adaptive definition of zero-knowledge, NISZK is contained in BPP/1,
i.e., the class of languages decidable in probabilistic polynomial time with one
bit of advice (which depends on the length of the instance). Note that this
class of languages is decidable by (deterministic) polynomial-sized circuits.
Theorem 34.1. If $L$ has a non-interactive adaptive statistical zero-knowledge proof
in the public parameter model, then $L \in \mathrm{BPP}/1$.
Proof. Let $(\mathcal{D}, P, V)$ be a non-interactive adaptive statistical zero-knowledge
proof system for $L$ with simulators $S_1$ and $S_2$.
We first observe that by the statistical zero-knowledge property, for every $n$
for which $L$ contains an instance of length $n$, the output of $S_1(1^n)$ must be
statistically close to the output of $\mathcal{D}(1^n)$. This follows because the output of
$S_1(1^n)$ is independent of the theorem statement.
This observation suggests the following probabilistic polynomial-time decision procedure $D(x)$ for $L$, which obtains a one-bit non-uniform advice
indicating whether $L$ contains any instances of length $|x|$.
On input an instance $x$,
1. If the non-uniform advice indicates that $L$ contains no instances of
length $|x|$, directly reject.
2. Otherwise, run $(\sigma', aux) \leftarrow S_1(1^{|x|})$ to generate a public parameter.
3. Run $\pi' \leftarrow S_2(x, aux)$ to produce a putative proof.
4. Run $V(x, \sigma', \pi')$ and accept iff $V$ accepts.
Note that when $x \in L$, then $D$ accepts with overwhelming probability due to
the completeness and zero-knowledge property of $(\mathcal{D}, P, V)$. If $x \notin L$ and there
are no instances of length $|x|$ in $L$, then $D$ always rejects due to the non-uniform
advice. It remains to show that when $x \notin L$, and there exist instances of length
$|x|$ in $L$, then $D$ rejects with high probability.
Assume, for the sake of reaching a contradiction, that there exists a polynomial $p(\cdot)$
such that for infinitely many lengths $n$, $L$ contains instances of length $n$ yet there
exists an instance $x \notin L$ of length $n$ such that
$$\Pr[(\sigma', aux) \leftarrow S_1(1^{|x|});\ \pi' \leftarrow S_2(x, aux) : V(x, \sigma', \pi') = 1] > \tag{4.3}$$
We show how this contradicts the fact that the output of $S_1$ and $\mathcal{D}$ are statistically
close (when $L$ contains instances of length $n$). By the soundness of $(\mathcal{D}, P, V)$,
there exists a negligible function $\mu$ such that for any unbounded prover $P^*$,
$$\Pr[\sigma \leftarrow \mathcal{D}(1^{|x|});\ \pi' \leftarrow P^*(x, \sigma) : V(x, \sigma, \pi') = 1] < \mu(|x|) \tag{4.4}$$
Consider an exponential time non-uniform distinguisher $C$, which on input $\sigma'$ (and advice $x$), enumerates all proof strings $\pi'$ to determine if any of them convince $V$ to accept $x$. If so, $C$ outputs $0$, and otherwise outputs $1$.
If $\sigma'$ is generated by $S_1$, then by (4.3), such a proof string $\pi'$ exists with noticeable probability. On the other hand, if $\sigma'$ comes from $\mathcal{G}$, then by (4.4), such a proof string only exists with negligible probability. We conclude that $C$ distinguishes the output of $S_1$ from that of $\mathcal{G}$ with a non-negligible advantage. $\square$
5 NIZK in the Secret Parameter Model
"...the difficulties that confront a conspirator are infinite ...because
he who conspires cannot act alone, nor can he take a companion
except from those whom he believes to be malcontents, and as soon
as you have opened your mind to a malcontent you have given him
the material with which to content himself, for by denouncing you
he can look for every advantage..."
Nicolo Machiavelli, The Prince, Chap. XIX
In the previous chapter, we showed how to implement the hidden-bits model using a one-way function in the public parameter model. Combining this result with the NIZK protocol of Feige, Lapidot and Shamir [FLS99] led to our constructive result. Our implementation of the hidden bits model, however, degrades the quality of zero-knowledge: in particular, the resulting protocol is only computational zero-knowledge. In this chapter, we show how to avoid this degradation in the secret parameter model. Let us briefly recall the secret parameter model.
SECRET PARAMETER SETUP. Cramer and Damgård [CD04] explicitly introduce the Secret Parameter setup model in which the Prover and Verifier obtain correlated (possibly different) private information.
More generally, the secret parameter model encompasses the Pre-processing Model in which the Prover and Verifier engage in an arbitrary interactive protocol, at the end of which both Prover and Verifier receive a private output. (This follows because any arbitrary protocol for pre-processing can be viewed as a polynomial-time sampler from a well-defined distribution.) Such a setup model is studied in [KMO89, DMP88, DAM93].
5.1 Construction (Unconditional)
Lemma 36.1. Let $(P, V)$ be a non-interactive perfect zero-knowledge proof system for the language $L$ in the hidden bits model. Then, there exists a non-interactive perfect adaptive zero-knowledge proof system $(P', V')$ for the language $L$ in the secret parameter model. Furthermore, if $(P, V)$ has an efficient prover, then $(P', V')$ has one as well.
We implement the hidden bits model by providing the Prover and Verifier correlated information about each bit of the hidden string. In particular, each bit is split into shares using a simple secret sharing scheme. The Prover is given all of the shares, but the Verifier is only given a random subset of them. (The particular subset is unknown to the Prover.) This is done in such a way that the Verifier has no information about the bit, but nonetheless, the Prover cannot reveal the bit in two different ways except with exponentially small probability.
We note that this technique is similar to the one used in [L88] to obtain commitments from oblivious transfer and to the one in [KMO89] to obtain NIZK with pre-processing (we remark that their resulting NIZK still requires additional computational assumptions, even when ignoring the assumptions necessary for their pre-processing). Our protocol is described below.
PROTOCOL 37.1: NIZK PROOF SYSTEM IN THE SECRET PARAMETER MODEL
Common Input: an instance $x$ of a language $L$ with witness relation $R_L$, and a security parameter $1^n$.
Secret Parameter Setup: $\mathcal{G}(1^n) \rightarrow (sp, sv)$ proceeds as follows on input $1^n$:
1. (Pick a random string) Sample $m$ random bits, $\alpha = \alpha_1, \ldots, \alpha_m$.
2. (Generate XOR shares) For $i \in [1, m]$ and $j \in [1, n]$, sample a random bit $\tau_i^j$. Let $\tau'^{j}_i = \alpha_i \oplus \tau_i^j$. (Notice that the $n$ pairs $(\tau_i^j, \tau'^{j}_i)$ for $j \in [1, n]$ are $n$ random "XOR shares" of the bit $\alpha_i$.)
3. (Select half of each share) For $i \in [1, m]$ and $j \in [1, n]$, sample a random bit $b_i^j$. Let $\rho_i^j$ be defined as follows:
$$\rho_i^j = \begin{cases} \tau_i^j & \text{if } b_i^j = 0 \\ \tau'^{j}_i & \text{otherwise} \end{cases}$$
(In other words, the values $\{\rho_i^j\}$ are randomly selected "halves" from each of the $n$ XOR shares for $\alpha_i$.)
4. The private output $sp$ is the set of $nm$ pairs $(\tau_i^j, \tau'^{j}_i)$ for $i, j \in [1, m] \times [1, n]$. Note that the string $\alpha$ is easily derived from $sp$.
5. The private output $sv$ is the set of $nm$ pairs $\{(\rho_i^j, b_i^j)\}$ for $i, j \in [1, m] \times [1, n]$.
Prover algorithm: On input $(x, sp)$,
1. Compute $R = \alpha_1, \ldots, \alpha_m$ by setting $\alpha_i = \tau_i^1 \oplus \tau'^{1}_i$.
2. Run the algorithm $(\pi, R_I, I) \leftarrow P(x, R)$. Recall that the set $R_I$ consists of bits $\{r_i \mid i \in I\}$ and $I$ consists of indices in $[1, m]$.
3. Output $(\pi, R_I, I, \{o_i \mid i \in I\})$ where $o_i$ denotes the opening of bit $\alpha_i$. That is, for all $i \in I$, $o_i$ consists of all $n$ shares $((\tau_i^1, \tau'^{1}_i), \ldots, (\tau_i^n, \tau'^{n}_i))$ of $\alpha_i$.
Verifier algorithm: On input $(x, sv, \pi, R_I, I, \{o_i \mid i \in I\})$,
1. Verify that each opening in $R_I$ is consistent with $o_i$ and with $sv$. That is, for $i \in I$, inspect the $n$ pairs $(\tau_i^1, \tau'^{1}_i), \ldots, (\tau_i^n, \tau'^{n}_i)$ in $o_i$, and check that for all $j \in [1, n]$, $\rho_i^j$ is equal to either $\tau_i^j$ or $\tau'^{j}_i$ (depending on whether $b_i^j = 0$ or $1$ respectively). If any single check fails, then reject the proof. Finally, check that $r_i = \tau_i^1 \oplus \tau'^{1}_i$.
2. Verify the proof by running $V(x, R_I, I, \pi)$ and accept if and only if $V$ accepts.
Proof. Let $(P, V)$ be a non-interactive zero-knowledge proof system for the language $L$ which requires a hidden-bit string of length $m$. Consider the new proof system $(\mathcal{G}, P', V')$ in the secret parameter model described in Protocol 37.1.
COMPLETENESS. Completeness follows from the completeness of $(P, V)$.
SOUNDNESS. Assume, for contradiction, that there exists a cheating prover $P'^*$ that succeeds in proving a statement $x \notin L$ with non-negligible probability. We show how to convert $P'^*$ into a cheating prover $P^*$ for $(P, V)$. $P^*$ internally incorporates $P'^*$ and proceeds as follows: on input $x, R$:
1. Generate $sp, sv$ in a random way that is "consistent" with $R$ (i.e., run steps 2-4 in the description of $\mathcal{G}$, using $R$ in place of $\alpha$).
2. Run $P'^*(x, sp) \rightarrow (x, R_I, I, \pi, \{o_i\})$.
3. Output $(x, R_I, I, \pi)$ where $\pi$ consists of the opening certificates for each bit in $R_I$.
Assume for the moment that the $R_I$ generated by $P'^*$ is always consistent with $R$. We then claim that $P^*$ convinces the verifier $V$ with non-negligible probability.
Since the distribution of $sp$ produced in Step 1 is identical to the output distribution of $\mathcal{G}$ (since the input $R$ is chosen in the same way as $\alpha$), the simulated view of $P'^*$ is perfect. Therefore, using our assumption on $R_I$, $P'^*$ succeeds in outputting a proof that convinces the honest verifier $V$ with non-negligible probability. This follows from the fact that the second step of $V'$ includes running $V$, and therefore if $V'$ accepts with non-negligible probability, then $V$ must also accept with non-negligible probability.
Recall that the above argument relied on the fact that $R_I$ is always consistent with $R$. Below, we show that conditioned on the verifier accepting, $R_I$ is inconsistent with $R$ with negligible probability, which concludes the proof of soundness.
Claim 39.1. Let $(x, R_I, I, \pi)$ be the output of a prover on input $(x, R)$ such that $x \notin L$ and $(x, R_I, I, \pi)$ is accepted by the honest verifier. Then $R_I$ is inconsistent with $R$ with negligible probability.
Intuitively, since the Prover does not know which of the two bits the Verifier knows for any given share, it cannot succeed in cheating on any single share with probability greater than $1/2$. Since each bit is represented by $n$ sharings, the probability that the Prover can open any $\alpha_i$ in two different ways is less than $2^{-n}$. More formally, assume that $P'^*$ generates an $R_I$ that is inconsistent with $R$ with non-negligible probability. This means there is a specific index $i$ in which they are inconsistent: in other words, let $r'_i$ denote the $i$th bit revealed in $R_I$ and let $r_i$ be the $i$th bit in $R$; then $r'_i \neq r_i$ with non-negligible probability. This intuitively means that $P'^*$ can predict the $n$ bits $b_i^1, \ldots, b_i^n$ with non-negligible probability¹; indeed, these values are computable from $sp$ and the sharings in $o_i$. However, since $P'^*$'s view is independent of $b_i^1, \ldots, b_i^n$, and since they can take $2^n$ different values, we reach a contradiction.
ZERO-KNOWLEDGE. The simulator for our proof system proceeds as follows: first run the simulator for $(P, V)$ on $x$ to generate $(\pi', R', I')$. Then use the procedure in steps 2-4 of $\mathcal{G}$ to generate a pair $(sv, sp)$ which is consistent with $R'$, and Step 3 of $P'$'s algorithm to generate a set of openings $\{o_i \mid i \in I'\}$. Finally, output $(sv, \pi', R', I', \{o_i\})$. Since the simulation of $(P, V)$ is perfect and since the generation of $sv$ and $\{o_i\}$ is also perfect, we conclude that the simulation is perfect. $\square$
Armed with this Lemma, we can now prove our main theorem concerning non-interactive zero-knowledge in the secret parameter model.
Theorem 39.1. $\mathrm{NIP}_{SEC} = \mathrm{NIZK}_{SEC} = \mathrm{NISZK}_{SEC} = \mathrm{NIPZK}_{SEC} = \mathrm{AM}$
¹ In particular, (based on a standard information theory argument) this implies that $P'^*$ is a program which can compress a string of $3n$ bits (the sharings of $\alpha_i$ and the bits $b_i^1, \ldots, b_i^n$) into fewer than $3n + 1$ bits.
Proof. $\mathrm{NIPZK}_{SEC} \subseteq \mathrm{NISZK}_{SEC} \subseteq \mathrm{NIZK}_{SEC} \subseteq \mathrm{NIP}_{SEC}$ follows by definition. Lemma 21.1 shows that $\mathrm{NIP}_{SEC} = \mathrm{AM}$; therefore, it suffices to show that $\mathrm{AM} \subseteq \mathrm{NIPZK}_{SEC}$. This follows by combining Lemma 36.1 and Thm. 24.1. $\square$
RELATED CHARACTERIZATIONS. We note that Lemma 36.1 also gives an upper bound on the class of perfect zero-knowledge proofs in the hidden bits model. As a corollary, we obtain the following characterization.
Corollary 40.1. The class of perfect zero-knowledge proofs in the hidden bits model equals $\mathrm{AM}$.
Proof. By Thm. 24.1, the class of perfect zero-knowledge proofs in the hidden bits model contains $\mathrm{AM}$. For the opposite containment, let $L$ be in the class of languages with perfect zero-knowledge proofs in the hidden bits model. By Lemma 36.1, language $L$ is contained in $\mathrm{NIPZK}_{SEC}$, and thus contained in $\mathrm{NIP}_{SEC}$, which is equal to $\mathrm{AM}$ by Lemma 21.1. $\square$
6 NIZK in the Designated Verifier Model
In this chapter we study an asymmetric case of the secret parameter model in which Prover and Verifier receive a public parameter, and in addition, the Verifier receives a secret one. Later, the Verifier uses the secret information to verify any proof produced by the Prover. Such designated verifier proof systems [JSI96] have been considered before. To be concrete, the non-malleable encryption scheme of Cramer-Shoup [CS98, CS02] can be interpreted as making use of designated verifier proofs based on specific number-theoretic assumptions.
The main technical result of this chapter is to show that designated verifier non-interactive zero-knowledge proofs can be constructed from any semantically-secure cryptosystem.
Our overall approach is to crush a 3-round $\Sigma$ protocol into a one-round proof by having the prover encrypt all possible third-round responses to the verifier's challenge. Because we use $\Sigma$ protocols in which the verifier's challenge is a single bit, this approach is feasible and results in short proofs. The notable benefit of this approach is that the only complexity assumption we need is the existence of a semantically-secure encryption scheme.
It has been recently pointed out that Camenisch and Damgård construct a similar protocol in [CD00] to construct an interactive Verifiable Encryption scheme.
6.1 Definition
In the designated verifier model, every non-interactive proof system has an associated polynomial-time sampleable distribution $\mathcal{G}$ over binary strings of the form $(PP, SP)$. During a setup phase, a trusted party samples from $\mathcal{G}$, publishes $PP$ and privately hands the Verifier $SP$. The Prover and Verifier then use their respective values during the proof phase.
This definition is very similar to the definition of NIZK proofs in the secret parameter model. The difference between the secret parameter model and this definition is that, whereas in the secret parameter model the prover might be given some secret information, here we insist that this not be the case.
Definition 43.1 (Designated Verifier Non-Interactive Zero-Knowledge Proof System). A triple of algorithms, $(\mathcal{G}, P, V)$, is called a designated verifier non-interactive zero-knowledge proof system for an NP-language $L$ with witness relation $R_L$, if the algorithms $\mathcal{G}$ and $P$ are probabilistic polynomial-time, the algorithm $V$ is deterministic polynomial-time and there exists a negligible function $\mu$ such that the following three conditions hold:
* COMPLETENESS: For every $(x, w) \in R_L$
$$\Pr\left[(PP, SP) \leftarrow \mathcal{G}(1^{|x|});\ \pi \leftarrow P(PP, x, w) : V(PP, SP, x, \pi) = 1\right] \geq 1 - \mu(|x|)$$
* SOUNDNESS: For every prover algorithm $B$
$$\Pr\left[(PP, SP) \leftarrow \mathcal{G}(1^{|x|});\ (x', \pi') \leftarrow B(PP, x) : x' \notin L \wedge V(PP, SP, x', \pi') = 1\right] < \mu(|x|)$$
* ADAPTIVE ZERO-KNOWLEDGE: For every p.p.t. theorem chooser $A$, there exists a p.p.t. simulator $S = (S_1, S_2)$ such that the outputs of the following experiments are indistinguishable.
$\mathrm{Expt}_A(k)$:
  $(PP, SP) \leftarrow \mathcal{G}(1^k)$
  $(x, w) \leftarrow A(PP)$
  $\pi \leftarrow P(PP, x, w)$
  If $(x, w) \notin R_L$, output $\bot$
  Else output $(PP, SP, x, \pi)$
$\mathrm{Expt}_S(k)$:
  $(PP, SP, \mathrm{STATE}) \leftarrow S_1(1^k)$
  $(x, w) \leftarrow A(PP)$
  $\pi' \leftarrow S_2(PP, SP, x, \mathrm{STATE})$
  If $(x, w) \notin R_L$, output $\bot$
  Else output $(PP, SP, x, \pi')$
REMARKS:
1. This definition of NIZK is well-suited for constructing encryption schemes because we only require the decryptor, who also chooses the public key, to be able to verify the proofs; in contrast to standard NIZK proofs, these are so-called "designated verifier" proofs. The Cramer-Shoup cryptosystem and its generalization via smooth-projective hash functions also employ these types of proofs.
2. Note that Definition 43.1 requires that the Verifier $V$ is a deterministic machine. This extra restriction is only used to simplify the exposition of our constructions.
6.2 Construction Based on Semantically-Secure Encryption
Before giving a high-level view of our protocol, let us briefly recall the structure of a 3-round honest-verifier zero-knowledge proof of knowledge for NP such as Blum's Hamiltonicity protocol. The protocol consists of four algorithms, $(P_1, P_2, V_1, V_2)$:
  $(a, s) \leftarrow P_1(x, w)$, and $P$ sends $a$ to $V$
  $b \leftarrow V_1(x, a)$ where $b \in_R \{0, 1\}$, and $V$ sends $b$ to $P$
  $c_b \leftarrow P_2(s, b)$, and $P$ sends $c_b$ to $V$
  $V$ decides by running $V_2(a, b, c_b, x)$
$P$ computes a message $a$ based on the statement $x$ and witness $w$, $V$ challenges with a random bit, and $P$ responds with $c_0$ or $c_1$. If $x \in L$, then $V_2(a, b, c_b, x)$ accepts for all $b \in \{0, 1\}$. On the other hand, if $x \notin L$, then for any $a$, $V_2(a, b, z, x)$ accepts for at most one $b \in \{0, 1\}$. Moreover, there is an efficient algorithm $E$ that extracts a witness for $x$, given $(a, c_0, c_1)$.
CONSTRUCTION SUMMARY. The prover receives $k$ pairs of public encryption keys as the public parameter. The verifier receives the same $k$ pairs, but in addition, receives the secret key for exactly one key in each pair. A proof consists of $k$ triples. To generate the $i$th triple, the prover runs the $\Sigma$-protocol using both $0$ and $1$ as the verifier's challenge to produce a triple $(a_i, c_{0,i}, c_{1,i})$. The prover encrypts this triple as $(a_i, \mathrm{Enc}_{PK_i^0}(c_{0,i}), \mathrm{Enc}_{PK_i^1}(c_{1,i}))$.
To verify the proof, $V$ considers each triple $(a_i, \alpha_{0,i}, \alpha_{1,i})$ by decrypting either the second or third component using the secret key he knows, and then running the $\Sigma$-protocol verifier on $(a_i, f_i, \mathrm{Dec}_{SK_i^{f_i}}(\alpha_{f_i,i}))$.
Theorem 44.1. Assume there exists a semantically secure encryption scheme. Then there exists a designated verifier NIZK proof system for any language $L \in \mathrm{NP}$.
Proof. Let $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a semantically secure encryption scheme.
PROTOCOL 44.1: NIZK PROOF SYSTEM IN THE DESIGNATED VERIFIER MODEL
Designated Verifier Setup $\mathcal{G}(1^k)$.
1. For $i = 1, \ldots, k$ and $b = 0, 1$ run $(PK_i^b, SK_i^b) \leftarrow \mathrm{Gen}(1^k)$ to get $k$ pairs of key-pairs $(PK_i^b, SK_i^b)$.
2. Flip coins $f_i \leftarrow \{0, 1\}$ for $i = 1, \ldots, k$.
3. Define $PP_{dv} \stackrel{\mathrm{def}}{=} [(PK_i^0, PK_i^1)]_{i=1}^k$ and $SP_{dv} \stackrel{\mathrm{def}}{=} [f_i, SK_i^{f_i}]_{i=1}^k$. Output $(PP_{dv}, SP_{dv})$.
Prover $P(PP_{dv}, x, w)$. For $i = 1, \ldots, k$, run the 3-round protocol with independent random coins as follows
  $(a_i, s_i) \leftarrow P_1(x, w)$
  $c_{b,i} \leftarrow P_2(s_i, b)$ for both $b = 0, 1$
  $\alpha_{b,i} \leftarrow \mathrm{Enc}_{PK_i^b}(c_{b,i})$ for $b = 0, 1$
and output $\pi \stackrel{\mathrm{def}}{=} [(a_i, \alpha_{0,i}, \alpha_{1,i})]_{i=1}^k$.
Verifier $V(PP_{dv}, SP_{dv}, x, \pi)$.
1. Parse $\pi$ into $k$ triples of the form $(a_i, \alpha_{0,i}, \alpha_{1,i})$.
2. For $i = 1, \ldots, k$, compute $m_i \stackrel{\mathrm{def}}{=} \mathrm{Dec}_{SK_i^{f_i}}(\alpha_{f_i,i})$ and run the verifier $V_2(a_i, f_i, m_i, x)$.
3. If all $k$ proofs are accepted, output ACCEPT, else output REJECT.
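A toy instance of Protocol 44.1 and of the $\Sigma$-protocol interface $(P_1, P_2, V_1, V_2)$ recalled above, added here as Python and not code from the thesis. The one-bit-challenge $\Sigma$-protocol is instantiated with a Schnorr-style proof of knowledge of a discrete logarithm, and the semantically secure encryption with hashed ElGamal over a constructed safe-prime group; the group parameters `P`, `Q`, `G`, the key-derivation helper and all function names are this example's assumptions and the parameters are far too small for real use. Because the response $c_b$ needs the witness, `p2` takes `w` explicitly here rather than packing it into the state $s$.

```python
"""Toy designated-verifier NIZK in the shape of Protocol 44.1 (added example).

Sigma-protocol: one-bit-challenge Schnorr proof of knowledge of w with x = G^w.
Encryption: hashed ElGamal over a constructed safe-prime group (toy size, NOT secure).
"""
import hashlib
import secrets

P = 2039  # constructed safe prime p = 2q + 1 (toy size)
Q = 1019  # prime order of the subgroup generated by G
G = 4     # 4 = 2^2 is a quadratic residue mod P, hence has order Q


def _kdf(shared):
    """Derive a one-time pad over Z_Q from a Diffie-Hellman shared element."""
    return int.from_bytes(hashlib.sha256(str(shared).encode()).digest(), "big") % Q


# --- hashed ElGamal: (Gen, Enc, Dec) for messages in Z_Q ----------------------
def gen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk            # (PK, SK)


def enc(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m + _kdf(pow(pk, r, P))) % Q


def dec(sk, ct):
    u, v = ct
    return (v - _kdf(pow(u, sk, P))) % Q


# --- one-bit-challenge Sigma-protocol (P1, P2, V2); V1 is just a coin flip -----
def p1(x, w):
    s = secrets.randbelow(Q)
    return pow(G, s, P), s              # (a, state)


def p2(s, w, b):
    return (s + b * w) % Q              # c_b; note c_1 - c_0 = w (special soundness)


def v2(a, b, c, x):
    return pow(G, c, P) == (a * pow(x, b, P)) % P


# --- designated-verifier NIZK: setup, prover, verifier --------------------------
def dv_setup(k):
    """PP = k pairs of public keys; SP = (f_i, SK_i^{f_i}) for each i."""
    pp, sp = [], []
    for _ in range(k):
        (pk0, sk0), (pk1, sk1) = gen(), gen()
        f = secrets.randbits(1)
        pp.append((pk0, pk1))
        sp.append((f, sk1 if f else sk0))
    return pp, sp


def dv_prove(pp, x, w):
    """k triples (a_i, Enc_{PK_i^0}(c_{0,i}), Enc_{PK_i^1}(c_{1,i})), fresh coins each."""
    proof = []
    for pk0, pk1 in pp:
        a, s = p1(x, w)
        proof.append((a, enc(pk0, p2(s, w, 0)), enc(pk1, p2(s, w, 1))))
    return proof


def dv_verify(pp, sp, x, proof):
    """Decrypt only the slot matching f_i and run V2 on it; reject on any failure."""
    if len(proof) != len(pp):
        return False
    for (a, alpha0, alpha1), (f, sk) in zip(proof, sp):
        m = dec(sk, alpha1 if f else alpha0)
        if not v2(a, f, m, x):
            return False
    return True
```

Two properties of the construction are visible directly in the code: the prover never learns which slot will be opened, so a triple whose wrong slot holds an invalid response is caught with probability $1/2$ per triple and $2^{-k}$ overall (Proposition 45.1); and without `sp` there is nothing to decrypt, so only the designated verifier can check a proof.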
Now, we prove that $(\mathcal{G}, P, V)$ constructed above is a designated verifier NIZK proof system. The completeness property follows from the completeness of the 3-round $\Sigma$ protocol.
Proposition 45.1. $(\mathcal{G}, P, V)$ is sound.
Proof. Our protocol is sound for the same reason that parallel repetition of the $\Sigma$-protocol is sound: when $x \notin L$, a prover's ability to produce an accepting proof is equivalent to producing a $k$-bit value $f$, which is information-theoretically hidden. In the following probability analysis, $B'$ represents an adversary which runs $B$, extracts $\vec{\alpha}$ from the resulting proof and outputs $(\vec{\alpha}, x)$ instead.
$$\begin{aligned}
&\Pr\left[(PP_{dv}, SP_{dv}) \leftarrow \mathcal{G};\ (\pi, x) \leftarrow B(PP_{dv}) : x \notin L \wedge V(PP_{dv}, SP_{dv}, \pi, x) = 1\right] \\
&\leq \Pr\left[(PP_{dv}, SP_{dv}) \leftarrow \mathcal{G};\ (\vec{\alpha}, x) \leftarrow B'(PP_{dv}) : x \notin L \wedge \forall i\ V_2(a_i, f_i, m_i, x) = 1\right] \\
&\leq \Pr\left[(PP_{dv}, SP_{dv}) \leftarrow \mathcal{G};\ (\vec{\alpha}, x) \leftarrow B'(PP_{dv});\ b \leftarrow \phi_x(\vec{\alpha}) : b = f\right] \\
&\leq 2^{-k}
\end{aligned}$$
The first inequality follows because whenever $B$ succeeds, the encryptions in $\pi$ must correspond to some plaintext messages $m_i$.
The second inequality follows from the special soundness property of $\Sigma$-protocols: if $x \notin L$, then for every $a$, $V_2(a, b, \cdot, x)$ accepts for at most one¹ $b \in \{0, 1\}$. Thus, when $x \notin L$, there is a computable function $\phi_x$ mapping $\vec{\alpha}$ to the unique vector of bits $b = (b_1, \ldots, b_k)$ for which $\bigwedge_i V_2(a_i, b_i, m_i, x) = 1$ (for some $\vec{m}$). Because there is only one such $b$, when $x \notin L$ and $V$ accepts, the vector $f$ used by $V$ to check the proofs must coincide with $b$.
The third inequality follows because by construction, $PP_{dv}$ is information-theoretically independent of $f = (f_1, \ldots, f_k)$. In other words, for any vector of bits $b = (b_1, \ldots, b_k)$, $\Pr[(PP_{dv}, SP_{dv}) \leftarrow \mathcal{G} : (f, PP_{dv}) = (b, PP_{dv})] = 2^{-k}$. This immediately implies that for any algorithm $B'' : PP_{dv} \mapsto \{0, 1\}^k$ (in particular, the algorithm which runs $B'$ and applies $\phi_x$ to the output),
$$\Pr\left[(PP_{dv}, SP_{dv}) \leftarrow \mathcal{G};\ b \leftarrow B''(PP_{dv}) : b = f\right] \leq 2^{-k}. \qquad \square$$
¹ Technically, we must also handle the case when there is no $b$ such that $V_2(a, b, \cdot, x)$ accepts. Of course, this implies that the probability of the verifier accepting a proof containing $a$ is $0$.
Proposition 46.1. $(\mathcal{G}, P, V)$ satisfies adaptive zero-knowledge.
Proof. At a high level, adaptive zero-knowledge follows from the zero-knowledge of the 3-round $\Sigma$ protocol and the semantic security of the encryption scheme. For any theorem-choosing algorithm $A$, we construct a simulator $S = (S_1, S_2)$ that works as follows.
SIMULATOR $(S_1, S_2)$ FOR DESIGNATED VERIFIER NIZK
$S_1(1^k)$: Follow the instructions of the sampling algorithm $\mathcal{G}(1^k)$ and output $(PP_{dv}, SP_{dv}, \epsilon)$.
$S_2(PP_{dv}, SP_{dv}, x, \mathrm{STATE})$: For each $i = 1, \ldots, k$, repeatedly run the $\Sigma$-protocol simulator $S$ to produce transcripts $(a_i, b_i, c_{b_i})$ until $b_i = f_i$. Output the proof
$$\pi = \left[a_i,\ \mathrm{Enc}_{PK_i^0}((1 - b_i) \cdot c_{b_i}),\ \mathrm{Enc}_{PK_i^1}(b_i \cdot c_{b_i})\right]_{i=1}^k$$
To show that the distributions in $\mathrm{Expt}_A$ and $\mathrm{Expt}_S$ are indistinguishable, we present the following series of games.
Game 0: Same as $\mathrm{Expt}_A$ except $\mathcal{G}$ is replaced by $S_1$.
Game 1 through $k$: Same as Game 0, except that in the first $i$ triples of the proof $\pi$, the ciphertext $\alpha_{1-f_i, i}$ is replaced by $\mathrm{Enc}_{PK_i^{1-f_i}}(0)$.
Game $k+1$ through $2k$: Same as Game $k$, except that the first $i$ triples of the proof $\pi$ are generated by $S_2$ and the remaining $k - i$ proofs are generated by $P$.
Notice that $\mathrm{Expt}_A$ is identical to Game 0 and $\mathrm{Expt}_S$ is identical to Game $2k$. We establish $\mathrm{Expt}_A \approx \mathrm{Expt}_S$ through the following two claims, which contradict the assumption.
Claim 47.1. Game 1 is indistinguishable from Game $k$.
(Breaking the encryption.) Now suppose there exists an algorithm $D$ which distinguishes Game 1 from Game $k$ with non-negligible advantage $\eta$. This implies there exists some $j^*$ for which $D$ distinguishes Game $j^*$ and Game $j^*+1$ with advantage at least $\eta/k$. $B'$ first guesses $j \in [1, k]$. It then uses $(x, w)$ (which is part of the output of the Game) to generate the $\Sigma$-protocol prover messages $(a_j, c_{0,j}, c_{1,j})$ used in the $j$th triple of the proof. $B'$ submits the messages $(0, c_{1-f_j, j})$ as its challenges. (Recall in an indistinguishability attack, one of these messages is randomly chosen, encrypted and returned to $B'$.) Upon receipt of a ciphertext $y$, $B'$ produces the proof $\pi$ exactly as described in Game $j$ with the exception that it uses $y$ in place of $\alpha_{1-f_j, j}$. Finally, $B'$ feeds the proof $\pi$ to $D$ and echoes its output.
Conditioned on guessing $j$ correctly, observe that the distribution of $\pi$ is exactly the distribution of Game $j^*$ if $y$ is an encryption of $c_{1-f_j, j}$ and the distribution of Game $j^*+1$ otherwise. Thus, a simple probability calculation shows that $B'$'s advantage in breaking the encryption scheme is non-negligible, which contradicts the security of $\mathrm{Enc}$.
Claim 47.2. Game $k$ is indistinguishable from Game $2k$.
(Breaking the $\Sigma$-protocol simulator.) A hybrid argument similar to the one used in Claim 47.1 applies. Assume by contradiction, there exists some $j^*$ and $D$ which distinguishes Game $j^*$ and Game $j^*+1$ with advantage at least $\eta/k$.
$B''$ receives as input a transcript $(a, b, c)$. If $V_2(a, b, c) = 0$ (i.e., the transcript is not accepting), then output $0$ immediately. Otherwise, guess $j \in [1, k]$. If $f_j \neq b$, then output a random guess. Otherwise, use $(PK, SK, x, w)$ to generate a proof as described in Game $j$. Replace the $j$th triple with $(a, \mathrm{Enc}_{PK_j^0}((1 - b) \cdot c), \mathrm{Enc}_{PK_j^1}(b \cdot c))$, feed the resulting proof $\pi$ to $D$ and echo its output.
Once again, conditioned on guessing $j$ correctly and on $f_j = b$, the distribution of $\pi$ is identical to that of Game $j^*$ if the input transcript is a real prover transcript, and identical to that of Game $j^*+1$ if the transcript is simulated. Recall that $f_j$ is chosen uniformly, and so $\Pr[f_j = b] = 1/2$. Thus, $B''$'s advantage in breaking the $\Sigma$-protocol simulator is non-negligible, which is a contradiction. $\square$
REMARK: Notice that our designated verifier NIZK protocol is also a proof of knowledge, although we do not claim it specifically.
6.3 Application: Non-malleable Encryption
Encryption
We define the notion of an encryption scheme with no decryption error. Note that the restriction of encryption schemes to have no decryption error is without loss of generality, since Dwork, Naor and Reingold [DNR04] show that any encryption scheme with decryption errors can be turned into one that is immune to them. Effectively, immunity to decryption errors is captured by the perfect correctness condition below, which states that with overwhelming probability over the choice of keys, each ciphertext has a unique decryption.
Definition 48.1 (Encryption Scheme). A triple $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is an encryption scheme, if $\mathrm{Gen}$ and $\mathrm{Enc}$ are ppt algorithms and $\mathrm{Dec}$ is a deterministic polynomial-time algorithm such that:
Perfect Correctness. There exists a polynomial $p(k)$ and a negligible function $\mu(k)$ such that, for every message $m$, and every $r_e$,
$$\Pr\left[r_g \leftarrow \{0, 1\}^{p(k)};\ (PK, SK) \leftarrow \mathrm{Gen}(1^k; r_g) : \mathrm{Dec}_{SK}(\mathrm{Enc}_{PK}(m; r_e)) \neq m\right] < \mu(k).$$
Semantically Secure Encryption
The notion of semantic security of encryptions has been shown to be equivalent [GM84] to the following definition of indistinguishability, which is technically more convenient to work with.
Definition 48.2 (Indistinguishability of Encryptions). Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be an encryption scheme and let the random variable $\mathrm{IND}_b(\Pi, A, k)$ where $b \in \{0, 1\}$, $A$ is a ppt algorithm and $k \in \mathbb{N}$ denote the result of the following probabilistic experiment:
$\mathrm{IND}_b(\Pi, A, k)$:
  $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$
  $(m_0, m_1, \mathrm{STATE}_A) \leftarrow A(PK)$
  Output $[\mathrm{Enc}_{PK}(m_b), \mathrm{STATE}_A]$
We say that $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is indistinguishable under a chosen-plaintext attack if $\forall$ p.p.t. algorithms $A$ the following two ensembles are computationally indistinguishable:
$$\{\mathrm{IND}_0(\Pi, A, k)\}_{k \in \mathbb{N}} \qquad \{\mathrm{IND}_1(\Pi, A, k)\}_{k \in \mathbb{N}}$$
Non-malleable Encryption
The following definition of non-malleable encryption is inspired by the recent definition of non-malleable commitments in [Ro5s].
Definition 48.3 (Non-Malleable Encryption). Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be an encryption scheme and let the random variable $\mathrm{NME}_b(\Pi, A, k, \ell)$ where $b \in \{0, 1\}$, $A = (A_1, A_2)$ and $k, \ell \in \mathbb{N}$ denote the result of the following probabilistic experiment:
$\mathrm{NME}_b(\Pi, A, k, \ell)$:
  $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$
  $(m_0, m_1, \mathrm{STATE}_A) \leftarrow A_1(PK)$
  $y \leftarrow \mathrm{Enc}_{PK}(m_b)$
  $(c_1, \ldots, c_\ell) \leftarrow A_2(y, \mathrm{STATE}_A)$
  Output $(d_1, \ldots, d_\ell)$ where $d_i = \begin{cases} \bot & \text{if } c_i = y \\ \mathrm{Dec}_{SK}(c_i) & \text{otherwise} \end{cases}$
We say that $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is non-malleable under a chosen-plaintext attack if $\forall$ p.p.t. algorithms $A = (A_1, A_2)$ and for any polynomial $p(k)$, the following two ensembles are computationally indistinguishable:
$$\{\mathrm{NME}_0(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \qquad \{\mathrm{NME}_1(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}$$
The notion of non-malleability under a CCA1 or CCA2 attack is similarly defined by giving either $A_1$ or both $A_1$ and $A_2$ access to a decryption oracle.
Let us remark on the natural similarity of the above definition with the definition of indistinguishable security of an encryption scheme. Indeed, the first four lines of the experiment are exactly the same. In the last step, we add the requirement that the decryptions of the output of $A_2$ are indistinguishable in the two experiments. This captures the requirement that even the decryption of the adversary's output must be computationally independent of the values (even when they are encrypted) received as inputs.
Our definition is a conceptual and syntactic simplification of "comparison-based non-malleability" (CNM) introduced by Bellare, Desai, Pointcheval, and Rogaway [BDPR98]. While our notion is cleaner, it also implies all other definitions of non-malleability. Below, we show that our definition of non-malleability implies CNM. Bellare and Sahai [BS99] show that CNM is equivalent to simulation-based non-malleability (SNM) from [DDN00], and so therefore our definition will also imply SNM.
We feel that our definition both highlights the essence of non-malleability for encryption schemes and, similar to the original notion of indistinguishable security, provides the most technically convenient formalization to use in larger proofs.
Definition 48.3 Implies CNM/SNM Non-malleability
Let us first recall the notion of CNM non-malleability put forth by Bellare et al. [BDPR98]. Briefly, the CNM definition requires that the following two experiments be indistinguishable.
$\mathrm{CNM}_{B,0}(k)$:
  $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$
  $(M, s) \leftarrow B_1^{O_1}(PK)$
  $x \leftarrow M$
  $y \leftarrow \mathrm{Enc}_{PK}(x)$
  $(R, c_1, \ldots, c_\ell) \leftarrow B_2^{O_2}(s, y)$
  $(d_1, \ldots, d_\ell) \leftarrow \mathrm{Dec}_{SK}(c_1, \ldots, c_\ell)$
  Output $1$ iff $(y \notin \vec{c}) \wedge R(x, d_1, \ldots, d_\ell)$
$\mathrm{CNM}_{B,1}(k)$:
  $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$
  $(M, s) \leftarrow B_1^{O_1}(PK)$
  $x, \tilde{x} \leftarrow M$
  $y \leftarrow \mathrm{Enc}_{PK}(\tilde{x})$
  $(R, c_1, \ldots, c_\ell) \leftarrow B_2^{O_2}(s, y)$
  $(d_1, \ldots, d_\ell) \leftarrow \mathrm{Dec}_{SK}(c_1, \ldots, c_\ell)$
  Output $1$ iff $(y \notin \vec{c}) \wedge R(x, d_1, \ldots, d_\ell)$
Towards simplicity, our definition first eliminates the requirement that adversary $B_1$ produce a sampling algorithm $M$. This step is completely unnecessary since the sampling algorithm is only used to sample two messages, a task which can be subsumed by $B_1$ himself. Second, we eliminate the requirement that $B_2$ produce an explicit relation $R$ and for the experiment to output whether $R$ is satisfied. Both of these steps are implicit in the notion of computational indistinguishability.
Theorem 50.1. Definition 48.3 implies CNM.
Proof. Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be an encryption scheme. Let $B = (B_1, B_2)$ be a CNM adversary with advantage $a = \mathrm{Adv}_B^{\mathrm{atk}}(k)$. We construct a new adversary $(A_1, A_2)$ and distinguisher $D$ that together succeed in distinguishing $\mathrm{NME}_1$ from $\mathrm{NME}_0$ with advantage $a$ as follows:
$A_1^{O_1}(PK)$:
  $(M, s) \leftarrow B_1^{O_1}(PK)$
  $(m_0, m_1) \leftarrow M$
  $s' \leftarrow (s, m_0, PK)$
  Output $(m_0, m_1, s')$.
$A_2(y, s')$:
  $(R, \vec{c}) \leftarrow B_2(s, y)$
  $c_{\ell+1} \leftarrow \mathrm{Enc}_{PK}(m_0, R)$
  Output $c_1, \ldots, c_{\ell+1}$.
$D(d_1, \ldots, d_{\ell+1})$:
  $(m_0, R) \leftarrow d_{\ell+1}$
  Output $1$ iff $\forall i,\ d_i \neq \bot$ and $R(m_0, d_1, \ldots, d_\ell)$.
By inspection, one can verify that
1. $\Pr[D(\mathrm{NME}_0(\Pi, A, k, \ell + 1)) = 1] = \Pr[\mathrm{CNM}_{B,0}(k) = 1]$
2. $\Pr[D(\mathrm{NME}_1(\Pi, A, k, \ell + 1)) = 1] = \Pr[\mathrm{CNM}_{B,1}(k) = 1]$
Because $\Pi$ satisfies Definition 48.3, $a$ must be negligible and so $\Pi$ must also satisfy CNM. $\square$
Many Message Non-Malleability
Notice that Definition 48.3 only applies when the adversary $A_2$ receives one encryption as an input. In practice, an adversary may receive several encryptions, and we would still like to guarantee non-malleability. Although such a guarantee is mentioned as a sine qua non of encryption in the original paper by Dolev, Dwork, and Naor [DDN00], Gennaro and Lindell [GL03, p. 7] explicitly mention that one-message non-malleability does not imply many-message non-malleability.
Our simpler definition, however, resolves the confusion affirmatively with a rather simple proof. Below we show that our definition implies the strongest form of many-message non-malleability.
For convenience, we use $\vec{a}$ to denote a vector of messages $(a_1, \ldots, a_j)$, and by $\mathrm{Enc}_{PK}(\vec{a})$ we mean the component-wise encryption $(\mathrm{Enc}_{PK}(a_1), \ldots, \mathrm{Enc}_{PK}(a_j))$ where each encryption uses independent randomness.
Definition 51.1 (Many Message Non-Malleability). Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be an encryption scheme and let the random variable $\mathrm{mNM}_b(\Pi, A, k, \ell)$ where $b \in \{0, 1\}$, $A = (A_1, A_2)$ and $k, \ell \in \mathbb{N}$ denote the result of the following probabilistic experiment:
$\mathrm{mNM}_b(\Pi, A, k, \ell)$:
  $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$
  $(\vec{m}_0, \vec{m}_1, \mathrm{STATE}) \leftarrow A_1(PK)$ where $|\vec{m}_0| = |\vec{m}_1| = \ell$
  $\vec{y} \leftarrow \mathrm{Enc}_{PK}(\vec{m}_b)$
  $(c_1, \ldots, c_\ell) \leftarrow A_2(\vec{y}, \mathrm{STATE})$
  Output $(d_1, \ldots, d_\ell)$ where $d_i = \begin{cases} \bot & \text{if } c_i \in \vec{y} \\ \mathrm{Dec}_{SK}(c_i) & \text{otherwise} \end{cases}$
We say that $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is many-message non-malleable under a chosen-plaintext attack if $\forall$ p.p.t. algorithms $A = (A_1, A_2)$ and for all polynomials $\ell(\cdot)$, the following two ensembles are computationally indistinguishable:
$$\{\mathrm{mNM}_0(\Pi, A, k, \ell(k))\}_{k \in \mathbb{N}} \qquad \{\mathrm{mNM}_1(\Pi, A, k, \ell(k))\}_{k \in \mathbb{N}}$$
Theorem 51.1. An encryption scheme is non-malleable if and only if it is many-message non-malleable.
Proof. The backwards direction is clear. To prove the forward implication, consider an adversary $A = (A_1, A_2)$ and a distinguisher $D$ which breaks the many-message non-malleability of $\Pi$ with advantage $\eta$. We shall use $A, D$ to break the non-malleability of $\Pi$ with advantage $\eta/\ell^2$.
Let us define a new experiment $\mathrm{mNM}_{(b_1, \ldots, b_\ell)}(\Pi, A, k, \ell)$ indexed by an $\ell$-bit string $(b_1, \ldots, b_\ell)$ which is the same as $\mathrm{mNM}_0(\Pi, A, k, \ell)$ except in the third line, which becomes:
$$\vec{y} \leftarrow (\mathrm{Enc}_{PK}(m_{b_1, 1}), \ldots, \mathrm{Enc}_{PK}(m_{b_\ell, \ell}))$$
Define $B(i) = (0^{\ell - i}, 1^i)$ and note that $\mathrm{mNM}_0 = \mathrm{mNM}_{B(0)}$ and $\mathrm{mNM}_1 = \mathrm{mNM}_{B(\ell)}$. Because $D$ distinguishes $\mathrm{mNM}_0$ from $\mathrm{mNM}_1$, there exists some $j^* \in [1, \ell]$ such that $D$ distinguishes $\mathrm{mNM}_{B(j^*)}$ from $\mathrm{mNM}_{B(j^*+1)}$ with advantage $\eta/\ell$. This suggests the following adversary:
$A'_1(PK)$ guesses $j \in [1, \ell]$, feeds $PK$ to $A_1$ to get $(\vec{m}_0, \vec{m}_1, \mathrm{STATE})$. Finally, $A'_1$ outputs $(m_{0,j}, m_{1,j})$ as its challenge pair and both message vectors, $j$, $PK$, and $\mathrm{STATE}$ as its state variable.
Adversary $A'_2(y, \mathrm{STATE}')$ simulates the replaced line 3 of experiment $\mathrm{mNM}_{B(j)}$ with the exception that it replaces $y_j$ with $y$. It then feeds $\vec{y}$ to $A_2$ to produce $(c_1, \ldots, c_\ell)$ and outputs this vector.
Conditioned on $j = j^*$, $\mathrm{NME}_0(A'_1, A'_2)$ is identical to $\mathrm{mNM}_{B(j^*)}(A_1, A_2)$ and $\mathrm{NME}_1(A'_1, A'_2)$ is identical to $\mathrm{mNM}_{B(j^*+1)}(A_1, A_2)$. Because $A'_1$ guesses correctly with probability $1/\ell$, $D$'s overall advantage in breaking the single-message non-malleability is $\eta' = \eta/\ell^2$.
By assumption, $\eta'$ must be negligible, which implies that $\eta$ must be as well, and so $\Pi$ is also many-message non-malleable. $\square$
Construction

Theorem 52.1 (Main Theorem, restated). Assume there exists a semantically secure encryption scheme. Then there exists a non-malleable encryption scheme.

The construction of non-malleable encryption is exactly the DDN construction, in which the standard NIZK proof is replaced with a designated verifier NIZK proof. By Theorem 44.1, designated verifier NIZK proofs for all $L \in \text{NP}$ can be constructed assuming the existence of a semantically secure encryption scheme. We remark that the proof of DDN carries over directly when using such a designated verifier NIZK. For completeness, we include it below, in a slightly simplified form due to the fact that we only consider CPA security and not the CCA security considered in DDN.

Proof (of Theorem 52.1). Let (Gen, Enc, Dec) be any semantically secure encryption scheme. Let $(\text{Gen}_{\text{sig}}, \text{Sign}, \text{Ver})$ be any existentially unforgeable one-time signature scheme.

Define the NP-language $L$ by the witness relation
$R_L\big((c_1, \ldots, c_k), (PK_1, \ldots, PK_k)\big) = \big\{ [m, (r_1, \ldots, r_k)] \;\big|\; \forall i \in [1, k],\ c_i = \text{Enc}_{PK_i}(m; r_i) \big\}.$
Let $(G, P, V)$ be a designated verifier NIZK proof system for $L$. Such a proof system exists by Theorem 44.1. Now, consider the encryption scheme $\Pi = (\text{NMGen}, \text{NMEnc}, \text{NMDec})$ defined as follows.
PROTOCOL 52.1: NON-MALLEABLE ENCRYPTION SCHEME Π FROM A DESIGNATED VERIFIER NIZK

NMGen$(1^k)$:
1. Run Gen $2k$ times to generate key pairs $(PK_i^b, SK_i^b)$ for $i \in [1, k]$, $b \in \{0, 1\}$.
2. Sample a universal one-way hash function $h \leftarrow H_k$.
3. Set $(PP, SP) \leftarrow G(1^k)$.
4. Let $PK \stackrel{\text{def}}{=} \{((PK_i^0, PK_i^1))_{i=1}^{k}, PP, h\}$ and $SK \stackrel{\text{def}}{=} \{((SK_i^0, SK_i^1))_{i=1}^{k}, SP\}$.

NMEnc$_{PK}(m)$:
1. Run the signature key-generation algorithm to generate $(SK_{SIG}, VK_{SIG}) \leftarrow \text{Gen}_{\text{sig}}(1^k)$.
2. Set $(b_1, \ldots, b_k) \leftarrow h(VK_{SIG})$.
3. For $i = 1, \ldots, k$, compute the ciphertexts $c_i = \text{Enc}_{PK_i^{b_i}}(m; r_i)$.
4. Run $P$ on the statement $[(c_1, \ldots, c_k), (PK_1^{b_1}, \ldots, PK_k^{b_k})]$, the witness $(m, r_1, \ldots, r_k)$ and $PP$ to generate a designated verifier proof $\pi$ that $[(c_1, \ldots, c_k), (PK_1^{b_1}, \ldots, PK_k^{b_k})] \in L$.
5. Compute the signature $\sigma \leftarrow \text{Sign}_{SK_{SIG}}(\bar{c}, \pi)$, where $\bar{c} = (c_1, \ldots, c_k)$.
6. Output the ciphertext $[\bar{c}, \pi, VK_{SIG}, \sigma]$.

NMDec$_{SK}(c)$:
1. Parse $c$ as $[\bar{c}, \pi, VK_{SIG}, \sigma]$ and run the signature verifier $\text{Ver}_{VK_{SIG}}[(\bar{c}, \pi), \sigma]$. Output $\bot$ if Ver rejects.
2. Set $(b_1, \ldots, b_k) \leftarrow h(VK_{SIG})$ and run the verifier $V([\bar{c}, (PK_1^{b_1}, \ldots, PK_k^{b_k})], \pi, SP)$ of the designated verifier NIZK proof. Output $\bot$ if $V$ rejects.
3. Otherwise, decrypt $c_1$ with the corresponding secret key $SK_1^{b_1}$ to get the message $m_1$ and output $m_1$.
Proposition 53.1. Protocol Π defined above is a non-malleable encryption scheme.

Proof. Let the experiments $\text{NME}_b$, for $b \in \{0, 1\}$, be defined as in Definition 48.3. We show that for every p.p.t. adversary $A = (A_1, A_2)$ and every polynomial $p$,
$\{\text{NME}_0(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \approx_c \{\text{NME}_1(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}.$
Towards this goal, define an experiment $\text{NME}'_b$ that proceeds just as $\text{NME}_b$ with the following differences:
1. The keys $PK, SK$ are generated by 1) honestly running the key-generation algorithm for all $2k$ encryption key pairs, and 2) running the designated verifier simulator $S_1$ to generate $(PP, SP)$.
2. Instead of providing an honestly generated proof in step 4 of NMEnc when encrypting $m_b$ for $A_2$, replace $\pi$ with a simulated proof generated using $S_2$.

The following claim follows directly from the adaptive zero-knowledge property of the NIZK (note that here we rely on the fact that the simulator also outputs the secret key of the verifier).

Claim 54.1. For $b \in \{0, 1\}$, $\{\text{NME}_b(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \approx_c \{\text{NME}'_b(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}$.

Furthermore, the following claim follows from the unforgeability of the signature scheme, combined with the semantic security of the encryption scheme.

Claim 54.2. $\{\text{NME}'_0(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \approx_c \{\text{NME}'_1(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}$.

Combining Claim 54.1 and Claim 54.2, we have
$\{\text{NME}_0(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \approx_c \{\text{NME}'_0(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \approx_c \{\text{NME}'_1(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \approx_c \{\text{NME}_1(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}.$ □

To conclude the proof, note that designated verifier NIZK and one-time signatures can both be constructed from any semantically secure encryption scheme. The former follows from Theorem 44.1, and the latter from the fact that public-key encryption implies one-way functions [] and one-way functions are sufficient for one-time signatures [].

Below, we prove the two claims.
Proof of Claim 54.2. Assume, for contradiction, that the claim is false. First, consider the experiment $\text{NME}''_b$ which proceeds just as $\text{NME}'_b$ but where the experiment outputs failedNIZK if, in one of the decryptions, the NIZK proof was accepting but the $k$ ciphertexts did not all decrypt to the same value. It follows directly from the soundness of the NIZK that
$\{\text{NME}'_b(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \approx_c \{\text{NME}''_b(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}.$
We conclude that (by our assumption)
$\{\text{NME}''_0(\Pi, A, k, p(k))\}_{k \in \mathbb{N}} \not\approx_c \{\text{NME}''_1(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}.$   (6.1)
We show how this contradicts the semantic security of $k$ encryptions using Enc, that is, the indistinguishability experiment $\text{IND}_b(\text{multi}\Pi, \cdot, k)$ in which the same challenge message is encrypted under $k$ independent public keys. Consider the machine $A^{\text{multiEnc}} = (A_1^{\text{multiEnc}}, A_2^{\text{multiEnc}})$. $A_1^{\text{multiEnc}}$ on input the public keys $PK_1, \ldots, PK_k$ proceeds as follows:

1. Run the signature key-generation algorithm: $(VK_{SIG}, SK_{SIG}) \leftarrow \text{Gen}_{\text{sig}}(1^k)$.
2. Generate $k$ new public/secret key pairs $(PK'_1, SK'_1), \ldots, (PK'_k, SK'_k)$ by running $\text{Gen}(1^k)$ $k$ times.
3. Sample $h \leftarrow H_k$ and let $(b_1, \ldots, b_k) = h(VK_{SIG})$.
4. Define $PK_i^{b_i} = PK_i$ and $PK_i^{1-b_i} = PK'_i$ for $i \in [1, k]$.
5. Run $(PP, SP, \text{STATE}_{\text{nizk}}) \leftarrow S_1(1^k)$ to generate a public and secret key for the NIZK.
6. Let $(m_0, m_1, \text{STATE}_A) \leftarrow A_1((PK_1^0, PK_1^1), \ldots, (PK_k^0, PK_k^1), PP, h)$.
7. Output $m_0, m_1$ and the state $(\text{STATE}_A, VK_{SIG}, SK_{SIG}, PP, SP, \text{STATE}_{\text{nizk}}, (SK'_1, \ldots, SK'_k))$.

$A_2^{\text{multiEnc}}$ on input the ciphertexts $\bar{c} = c_1, \ldots, c_k$ (encryptions of the challenge message under $PK_1, \ldots, PK_k$) and the state above proceeds as follows:

1. Run $S_2(\text{STATE}_{\text{nizk}})$ on input the statement $[\bar{c}, (PK_1^{b_1}, \ldots, PK_k^{b_k})]$ to generate a simulated proof $\pi$.
2. Sign $(\bar{c}, \pi)$ using $SK_{SIG}$, obtaining the signature $\sigma$.
3. Feed $C = [\bar{c}, \pi, VK_{SIG}, \sigma]$ and $\text{STATE}_A$ to $A_2$ to obtain the ciphertexts $C'_1, \ldots, C'_{p(k)}$.
4. Decrypt each ciphertext $C'_i = [\bar{c}^i, \pi^i, VK^i_{SIG}, \sigma^i]$ as follows:
   a) If $C'_i = C$, output $\bot$.
   b) Check, using $SP$, whether $\pi^i$ is accepting; if not, output $\bot$.
   c) Check, using $VK^i_{SIG}$, whether $\sigma^i$ is a valid signature on $(\bar{c}^i, \pi^i)$; if not, output $\bot$.
   d) If $C'_i \neq C$ but $VK^i_{SIG} = VK_{SIG}$, then halt and output fail.
   e) Otherwise $VK^i_{SIG} \neq VK_{SIG}$, so there exists some index $j$ such that the $j$-th bit of $h(VK^i_{SIG})$ differs from the $j$-th bit of $h(VK_{SIG})$ (a collision here would contradict the universal one-wayness of $h$, which was sampled after $VK_{SIG}$ was fixed).
   f) Use $SK'_j$ to decrypt $c^i_j$, which was encrypted under $PK_j^{1-b_j} = PK'_j$, and output this value.
5. Output all the decrypted values.

We start by noting that under the (unjustified) assumption that $A^{\text{multiEnc}}$ never outputs fail and that $\text{NME}''_b$ never outputs failedNIZK, it holds that
$\{\text{IND}_b(\text{multi}\Pi, A^{\text{multiEnc}}, k)\}_{k \in \mathbb{N}} = \{\text{NME}''_b(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}.$
However, by the unforgeability of the signature scheme used, it follows that the probability that $A^{\text{multiEnc}}$ outputs fail is negligible. Furthermore, by the soundness of the NIZK it also holds that the probability that $\text{NME}''_b$ outputs failedNIZK is negligible. Thus,
$\{\text{IND}_b(\text{multi}\Pi, A^{\text{multiEnc}}, k)\}_{k \in \mathbb{N}} \approx_c \{\text{NME}''_b(\Pi, A, k, p(k))\}_{k \in \mathbb{N}}.$   (6.2)
We conclude by Equations 6.1 and 6.2 that
$\{\text{IND}_0(\text{multi}\Pi, A^{\text{multiEnc}}, k)\}_{k \in \mathbb{N}} \not\approx_c \{\text{IND}_1(\text{multi}\Pi, A^{\text{multiEnc}}, k)\}_{k \in \mathbb{N}},$
which contradicts the semantic security of $k$ encryptions under Enc. □
Unique NIZK

"In 53 Studies on Chopin's Études ... Godowsky operates under the basic premise that whatever elaborate passagework Chopin assigned to the right hand can and should be played by the left. On top of that, he smothers the right hand with lily-gilding countermelodies and serpentine filigree."
Marc-André Hamelin

IN THIS CHAPTER we study a "dual" of the designated verifier model in which the Prover is given a secret parameter related to the public one. In such a system we are able to construct a novel type of NIZK system, uniZK, which guarantees that, for any $x \in L$, any prover, honest or malicious, can only produce a single uniZK proof for every witness he knows. In other words, we build a "one witness, one proof" non-interactive zero-knowledge proof system. As with the designated verifier system, our prover algorithm is efficient. In contrast to all of the previous constructions, however, our proof system can be used multiple times after the setup phase.

APPLICATIONS OF UNIZK. The eventual use for a uniZK proof system is the construction of tabula rasa proof systems in which the prover's and verifier's probabilism is confined to a preprocessing phase, after which not only is the Prover made totally deterministic, but his determinism is actually made universally verifiable. In this case, one can achieve a fair notion of zero-knowledge [LMS05b] in a multi-verifier scenario. In Fair ZK, if an interaction is zero-knowledge for one honest verifier, then it must also be zero-knowledge for all other verifiers. The uniZK proof system is also an instrumental part of constructing collusion-free multi-party computation protocols [LMS05a].
FORMALIZING UNIZK. The easiest way to formalize uniZK would be to demand that every $x \in L$, no matter how many witnesses it may have, has a single uniZK proof. Unfortunately, no such uniZK system may exist. (We certainly do not know how to construct one.)

A second way might be to demand the existence of a unique uniZK proof for each NP-witness. Unfortunately, relative to our steganography-free goals, such a definition may not be sufficiently meaningful, because it leaves open the possibility for a malicious prover to choose from a multiplicity of uniZK proofs by "rewriting" them. Assume that an efficient, malicious prover $P'$ were given a witness $w$ of a theorem $x$ belonging to an NP-language $L$ with computationally unique witnesses. Then $w$ would be the only witness of $x \in L$ known to $P'$, and by Completeness $P'$ could certainly produce one uniZK proof, $\pi_w$. But now, if from $\pi_w$ one could also compute additional uniZK proofs for $x \in L$, $P'$ could compute a multiplicity of uniZK proofs for $x \in L$ from a single witness!

We thus formalize uniZK by demanding that (for most reference strings $\sigma$ and public keys $PK$) the honest algorithm $P$ forms an easy-to-invert bijection between the witness set of $x \in L$ (denoted $W_x$) and the set of acceptable uniZK proofs (denoted $\Pi_{PK}(x, \sigma)$). This captures the notion that any prover "can only produce a single uniZK proof for any witness he knows": his ability to produce multiple uniZK proofs from a single witness can only originate from his ability to produce multiple witnesses from a single one.

To complete our formalization, we must handle the case of a cheating prover who posts an invalid public key $PK^*$; that is, a key that does not pass a proper inspection by an honest verifier. In this case, it is reasonable for the verifier to reject any subsequent proof: after all, he knows for certain that the prover is malicious! Therefore, our definition requires that either the set of acceptable proofs $\Pi_{PK^*}(x, \sigma)$ is empty, or else there exists a secret key $SK^*$ such that $P(x, \cdot, \sigma, SK^*)$ forms an efficient bijection from $W_x$ to $\Pi_{PK^*}(x, \sigma)$. For this to be meaningful, however, such an $SK^*$ should be unique; that is, there must be a function $sk$ (possibly hard to compute) mapping any "reasonable looking" public key $PK^*$ to the right $SK^*$.

In sum, our definition states that unless $\Pi_{PK^*}(x, \sigma)$ is empty, $P(x, \cdot, \sigma, sk(PK^*))$ forms an efficient bijection from $W_x$ to $\Pi_{PK^*}(x, \sigma)$.
7.1 Definition

Let $L$ be an NP language and $R_L$ its corresponding polynomial-time relation. We say that a sequence of pairs of strings $(x_1, w_1), (x_2, w_2), \ldots$ is a theorem-witness sequence for $L$ if each $x_i \in L$ and $w_i \in R_L(x_i)$.

Definition 59.1. A triple of efficient algorithms $(G, P, V)$, where $P$ is deterministic, is a unique non-interactive zero-knowledge (uniZK) proof system for an NP-language $L$ if there exist a positive constant $c$ and a negligible function $\mu$ such that the following properties are satisfied:

COMPLETENESS: for all theorem-witness sequences $(x_1, w_1), (x_2, w_2), \ldots$ for $L$ and for all $k$,
$\Pr\big[\sigma \leftarrow \{0,1\}^{k^c};\ (PP, SP) \leftarrow G(1^k);\ \pi_1 = P(x_1, w_1, \sigma, SP, 1);\ \pi_2 = P(x_2, w_2, \sigma, SP, 2);\ \ldots \;:\; \textstyle\bigwedge_i V(x_i, \sigma, PP, \pi_i, i) = 1\big] = 1.$

ADAPTIVE SOUNDNESS: for all algorithms $P^*$ and for all sufficiently large $k \in \mathbb{N}$,
$\Pr\big[\sigma \leftarrow \{0,1\}^{k^c};\ (x^*, PP^*, \pi^*, i) \leftarrow P^*(\sigma) \;:\; x^* \notin L \;\wedge\; V(x^*, \sigma, PP^*, \pi^*, i) = 1\big] < \mu(k).$

ZERO-KNOWLEDGENESS: there exists an efficient algorithm $S = (S_1, S_2)$ such that for all theorem-witness sequences $(x_1, w_1), (x_2, w_2), \ldots$ for $L$, the outputs of the following two experiments are computationally indistinguishable:

Expt$_A(k)$: $\sigma \leftarrow \{0,1\}^{k^c}$; $(PP, SP) \leftarrow G(1^k)$; $\pi_1 = P(x_1, w_1, \sigma, SP, 1)$; $\pi_2 = P(x_2, w_2, \sigma, SP, 2)$; $\ldots$; Output $(\sigma, PP, \pi_1, \pi_2, \ldots)$.

Expt$_S(k)$: $(\sigma', PP', z') \leftarrow S_1(1^k)$; $\pi'_1 \leftarrow S_2(x_1, 1, z')$; $\pi'_2 \leftarrow S_2(x_2, 2, z')$; $\ldots$; Output $(\sigma', PP', \pi'_1, \pi'_2, \ldots)$.

UNIQUENESS: there exist a deterministic function $sk(\cdot)$ and an efficient deterministic algorithm $P^{-1}$ such that for all $x \in L$, all $i > 0$ and all $PP^* \in \{0,1\}^*$,
$\Pr\big[\sigma \leftarrow \{0,1\}^{k^c} \;:\; |\Pi_{PP^*}(x, \sigma)| > 0 \;\Rightarrow\; P(x, \cdot, \sigma, sk(PP^*), i) \text{ is a bijection from } W_x \text{ to } \Pi_{PP^*}(x, \sigma) \text{ and } P^{-1}(x, \cdot, \sigma, sk(PP^*), i) \text{ is its inverse from } \Pi_{PP^*}(x, \sigma) \text{ to } W_x\big] > 1 - \mu(k),$
where $W_x = \{w : w \in R_L(x)\}$ and $\Pi_{PP^*}(x, \sigma) = \{\pi : V(x, \sigma, PP^*, \pi, i) = 1\}$.
7.2 Construction Based on Quadratic Residuosity

We can construct a uniZK system based on the hardness of the quadratic residuosity problem [GM84] by modifying the protocol of Blum, De Santis, Micali and Persiano [BDMP91].¹ We note the similarity of both our starting point and approach with that of Naor's work on countable NIZK proof systems [Nao96]. Let us first review the hardness assumptions we make.

¹ We can also make a uniZK system for CIRCUIT-SAT by combining the single-theorem protocol of Damgård [Dam93] with the multi-theorem techniques of Blum, De Santis, Micali and Persiano.
The Quadratic Residuosity Assumption

The quadratic residuosity assumption was first used by Goldwasser and Micali [GM84] to construct a semantically secure encryption scheme. It has been extensively used since then because quadratic residues exhibit a natural homomorphic property.

A number $x$ is a quadratic residue modulo $N$ if there is another number $y$ such that $y^2 \equiv x \pmod N$. Let us define the quadratic residuosity predicate $Q_N(x)$ as follows:
$Q_N(x) = \begin{cases} 0 & \text{if } \exists y \in \mathbb{Z}_N^* \text{ s.t. } y^2 \equiv x \pmod N \\ 1 & \text{otherwise.} \end{cases}$
For a number $y$, let $\left(\frac{y}{N}\right)$ denote the Jacobi symbol of $y$ with respect to $N$. Recall that the Jacobi symbol can be computed in time polynomial in the bit length of $N$, without knowledge of the factorization of $N$. Define $J_N^{+1} = \{y \in \mathbb{Z}_N^* \mid \left(\frac{y}{N}\right) = 1\}$ as the set of elements of $\mathbb{Z}_N^*$ with Jacobi symbol $+1$.

An integer $N$ is a Blum integer of size $k$ if and only if $N = pq$ where $p$ and $q$ are prime numbers of length $k$ which are both congruent to $3 \bmod 4$. For $k \in \mathbb{N}$, let $\text{Blum}_k$ be the set of Blum integers of size $k$.

The Quadratic Residuosity Assumption states that when $N$ is chosen randomly from the set of Blum integers, there is no family of efficient algorithms for computing the predicate $Q_N(\cdot)$ on random instances from $J_N^{+1}$ that is significantly more correct than guessing. (The restriction to $J_N^{+1}$ is necessary: an element with Jacobi symbol $-1$ is never a quadratic residue, so the Jacobi symbol already decides the predicate for it.)

Definition 61.1. The Quadratic Residuosity Assumption is that for every constant $c$ and for every family of polynomial-sized circuits $\{A_k(\cdot, \cdot)\}$, for all sufficiently large $k$,
$\Pr\big[N \leftarrow \text{Blum}_k;\ y \leftarrow J_N^{+1};\ A_k(N, y) = Q_N(y)\big] < \frac{1}{2} + \frac{1}{k^c}.$

In the sequel, we refer to the following family of languages.

Definition 61.2. Let the language $\text{NQR}(k)$ be
$\text{NQR}(k) = \{(x, y) \text{ s.t. } x \in \text{Blum}_k,\ y \in J_x^{+1},\ Q_x(y) = 1\},$
that is, the set of pairs in which $y$ is a quadratic non-residue with Jacobi symbol $+1$ modulo the Blum integer $x$.

Before presenting our main result, we present a theorem from [BDMP91] which we use in our construction.

Theorem 61.1 (Theorem 4.3 from [BDMP91]). There exists a perfect non-interactive zero-knowledge proof system $(A, B)$ for the language $\text{NQR}(k)$ in the common random string model.

Main Construction

Theorem 61.2. If the Quadratic Residuosity Assumption holds, then there exist uniZK systems for 3SAT.
Let us first introduce some notation. Let $(a_1, \ldots, a_m)$ be a tuple of $k$-bit integers that have Jacobi symbol $+1$ mod $x$. If $(b_1, \ldots, b_m)$ is a tuple of bits, then we say that $(a_1, \ldots, a_m)$ has type $(b_1, \ldots, b_m)$ if each $a_i$ is a square mod $x$ if and only if $b_i$ is 0. If $(c_1, \ldots, c_m)$ is another tuple of $k$-bit integers with Jacobi symbol $+1$, then we say that $(a_1, \ldots, a_m)$ and $(c_1, \ldots, c_m)$ have the same type if $a_i$ is a square mod $x$ if and only if $c_i$ is a square mod $x$.

A prover who knows the factorization of $x$ can prove that the tuple $(a_1, \ldots, a_m)$ has type $(b_1, \ldots, b_m)$ by providing, for each $i$, a square root of $a_i y^{b_i} \bmod x$: when $y$ is a non-residue, $a_i y^{b_i}$ is a square exactly when $a_i$ has type $b_i$. Similarly, a prover can prove that $(a_1, \ldots, a_m)$ and $(c_1, \ldots, c_m)$ have the same type by providing, for each $i$, a square root of $a_i c_i \bmod x$. To make these proofs unique, whenever the prover provides a square root, the Prover must provide the root with Jacobi symbol $+1$ which is less than $x/2$. (Since $x$ is a Blum integer, there is exactly one such root for every quadratic residue: the four roots are $\pm r$ and $\pm s$, where $r$ and $s$ have opposite Jacobi symbols and $-1$ has Jacobi symbol $+1$, so exactly two roots have Jacobi symbol $+1$ and exactly one of those is less than $x/2$.) The verifier rejects any proof in which a different square root is provided.
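To make the notation concrete, the following is an added example written for this edition, not code from the thesis: a toy implementation of the Jacobi symbol, the residuosity predicate $Q_x$ (computed from the factorization $x = p q$), the canonical square root with Jacobi symbol $+1$ below $x/2$, the type proofs for tuples described above, and the per-pair decision of step 4 of Protocol 62.1 below (discard a pair via $\sqrt{st}$, select it via $\sqrt{sty}$). The function names, the toy primes $7$ and $11$, the pair $(x, y) = (77, 6)$, the residue $y' = 4$ and the sample tuple are all the example's own assumptions; a real instance uses $k$-bit primes.

```python
# Added example for this edition, not code from the thesis. It implements the
# number theory behind the notation above: the Jacobi symbol, the residuosity
# predicate Q_x (which needs the factorization x = p*q), the canonical square
# root (Jacobi symbol +1 and less than x/2), the "type" proofs for tuples, and
# the pair-handling step of Protocol 62.1 (discard via sqrt(s*t), select via
# sqrt(s*t*y)). All names and the toy parameters are this example's own; the
# primes are tiny and constructed for illustration, a real instance uses k-bit
# primes p, q = 3 mod 4.

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:  # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def Q(x, y, p, q):
    """Residuosity predicate: 0 if y is a square mod x = p*q, 1 otherwise.
    Euler's criterion modulo each prime factor; y must be coprime to x."""
    assert x == p * q and y % p != 0 and y % q != 0
    sq_p = pow(y, (p - 1) // 2, p) == 1
    sq_q = pow(y, (q - 1) // 2, q) == 1
    return 0 if (sq_p and sq_q) else 1

def crt(rp, p, rq, q):
    """Combine r = rp (mod p) and r = rq (mod q) into r mod p*q."""
    return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)

def canonical_root(x, a, p, q):
    """The unique square root of a mod x with Jacobi symbol +1 and less than x/2.
    For a Blum integer the four roots are +-r and +-s with (r/x) = -(s/x) and
    (-1/x) = +1, so exactly two roots have symbol +1 and exactly one is < x/2."""
    rp = pow(a, (p + 1) // 4, p)  # valid because p = 3 mod 4
    rq = pow(a, (q + 1) // 4, q)
    assert rp * rp % p == a % p and rq * rq % q == a % q, "a is not a square mod x"
    roots = {crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)}
    cands = [r for r in roots if jacobi(r, x) == 1 and 2 * r < x]
    assert len(cands) == 1
    return cands[0]

def infer_type(x, tup, p, q):
    """Type of a tuple: bit 0 for squares, bit 1 for non-residues."""
    return tuple(Q(x, a, p, q) for a in tup)

def prove_type(x, y, tup, typ, p, q):
    """Prover: canonical root of a_i * y^b_i for each i; None if the claimed type is wrong."""
    roots = []
    for a, b in zip(tup, typ):
        v = a * pow(y, b, x) % x
        if Q(x, v, p, q) != 0:  # no square root exists: a_i is not of type b_i
            return None
        roots.append(canonical_root(x, v, p, q))
    return roots

def verify_type(x, y, tup, typ, roots):
    """Verifier: each root must be canonical and square to a_i * y^b_i mod x.
    Only meaningful after (x, y) in NQR(k) has been proven: if y were a square,
    roots would exist for both b_i = 0 and b_i = 1 and the type would be unbound."""
    if roots is None or len(roots) != len(tup):
        return False
    for a, b, r in zip(tup, typ, roots):
        if not (0 < 2 * r < x and jacobi(r, x) == 1):
            return False
        if r * r % x != a * pow(y, b, x) % x:
            return False
    return True

def pair_options(x, y, s, t, p, q):
    """Step 4 of Protocol 62.1 for one pair (s, t) of J_x^{+1} elements: which of
    'discard' (root of s*t) and 'select' (root of s*t*y) the prover can produce.
    With y a non-residue exactly one option exists; with y a residue and s, t
    both non-residues, both exist, which is what the simulator exploits."""
    options = {}
    if Q(x, s * t % x, p, q) == 0:
        options["discard"] = canonical_root(x, s * t % x, p, q)
    if Q(x, s * t * y % x, p, q) == 0:
        options["select"] = canonical_root(x, s * t * y % x, p, q)
    return options

# Constructed toy instance: x = 7 * 11 = 77 (both primes are 3 mod 4), y = 6 is a
# non-residue with Jacobi symbol +1, so (x, y) is in NQR; y' = 4 is a residue.
P_TOY, Q_TOY, X_TOY, Y_TOY, Y_RES = 7, 11, 77, 6, 4
TUPLE = (4, 24, 9)  # 24 = 4 * y is a non-residue, 4 and 9 are squares mod 77
```

The verifier side never touches the factorization: it only computes Jacobi symbols and squares the supplied roots, which is why the roots are the whole proof. Two points a practitioner should take from running it: a wrong type claim leaves the prover with no root at all (not merely a root that fails a check), and the canonical-root rule is what turns "some root" into exactly one accepted string, which is the uniqueness property the chapter is after.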
Following [BDMP91], we first present a proof system for the single theorem case. Let 3SAT be the language of satisfiable boolean 3-CNF formulas. Let $\phi \in \text{3SAT}$ be a theorem with $m$ clauses and variables $v_1, \ldots, v_n$, and let $w$ be a satisfying assignment for $\phi$.

Theorem 62.1. If the Quadratic Residuosity Assumption holds, then there exists a uniZK proof system for a single theorem $\phi \in \text{3SAT}$.

Proof. Consider Protocol 62.1.

PROTOCOL 62.1: UNIZK SINGLE THEOREM PROOF SYSTEM FOR 3SAT

$G(1^k)$: choose two $k$-bit primes $p_1, p_2 \equiv 3 \pmod 4$ and set $x = p_1 p_2$. Choose a quadratic non-residue $y \in J_x^{+1}$. Output $PK = (x, y)$ and $SK = (p_1, p_2, y)$.

Prover $P(1^k, \sigma, SK, \phi, w)$:
1. Break the reference string $\sigma$ into three parts $\rho_1, \rho_2, \rho_3$ where $|\rho_1| = 16k^3$, $|\rho_2| = 64k^2 n$ and $|\rho_3| = 192k^2 m \log m$.
2. Use the random string $\rho_1$ and the prover algorithm $A$ of Theorem 61.1 to generate a proof $\pi_2$ that $(x, y) \in \text{NQR}(k)$. (The only slight modification is that whenever $A$ gives a square root, give the one with Jacobi symbol $+1$ which is less than $x/2$.)
3. Parse $\rho_2$ into $k$-bit integers, skipping any integers that are not in $J_x^{+1}$. Output $\bot$ if, after exhausting $\rho_2$ in this manner, fewer than $8kn$ integers have been acquired. Do the same for $\rho_3$, and output $\bot$ if fewer than $24km\log m$ integers are acquired.
4. Parse the first $8kn$ integers acquired from $\rho_2$ in step 3 into consecutive pairs of $k$-bit integers and select from them $n$ pairs, each of which is either of type $(1, 0)$ or of type $(0, 1)$. To do this, consider each pair $(s, t)$ in order and either give $\sqrt{st} \bmod x$ and discard the pair (its two elements have the same type) or give $\sqrt{sty} \bmod x$ and select the pair (its two elements have different types). Once $n$ pairs have been selected, ignore any remaining pairs. If $n$ pairs cannot be selected, output $\bot$.
5. Now define a value $u_i$ corresponding to each variable $v_i$ of $\phi$ as follows: let $u_i$ be the quadratic residue in the $i$-th pair selected in step 4 if $v_i$ is false in $w$, and the non-residue in that pair otherwise. Output $(u_1, \ldots, u_n)$.
6. Let $v_d, v_e$ and $v_f$ be the three variables that appear in clause $j$ of $\phi$. For each clause $j$ of $\phi$, define the triple $(a_j, b_j, c_j)$, where $a_j$ is equal to $u_d$ if $v_d$ appears non-negated in the clause and to the product $u_d \cdot y \bmod x$ otherwise. The values $b_j$ and $c_j$ are defined analogously from $v_e$ and $v_f$. (Thus a literal is true under $w$ exactly when its entry in the triple is a non-residue, and clause $j$ is satisfied exactly when $(a_j, b_j, c_j)$ is not of type $(0, 0, 0)$.)
7. Interpret the integers acquired from $\rho_3$ as $8km\log m$ triples of integers. Place a comma after each sequence of $8k\log m$ triples and denote the $j$-th such sequence $T_j$. For $j = 1, \ldots, m$, select 8 triples from $T_j$ that all have different types via the following process: within the sequence of $8k\log m$ triples, inspect each triple in the order in which they appear and either select it or provide a proof that it is of the same type as a previously selected triple. If fewer than 8 triples have been selected by the end, output $\bot$. Otherwise prove that one of the selected triples has type $(0, 0, 0)$ (by providing square roots for each element of the triple) and discard it. Denote the remaining 7 selected triples $(\alpha_j^1, \beta_j^1, \gamma_j^1), \ldots, (\alpha_j^7, \beta_j^7, \gamma_j^7)$.
8. For each clause $j$ of $\phi$, show that for some $1 \le t \le 7$, $(a_j, b_j, c_j)$ is of the same type as $(\alpha_j^t, \beta_j^t, \gamma_j^t)$. Note that this proves that the clause is satisfied, since the identified triple $(\alpha_j^t, \beta_j^t, \gamma_j^t)$ is not of type $(0, 0, 0)$.
9. Output $\pi = (\pi_2, \pi_4, \pi_5, \pi_7, \pi_8)$, where $\pi_i$ refers to the string generated during step $i$.

Verifier $V(1^k, \sigma, PK, \phi, \pi)$:
1. If $\pi = \bot$, reject.
2. Parse $\sigma$ exactly as the honest prover does in steps 1 and 3, and check that $\pi_2$, $\pi_4$ and $\pi_7$ handle the resulting integers, pairs and triples in the same order and with the same structure as the honest prover would. Also verify that every root given in the proof string is an element of $J_x^{+1}$ that is less than $x/2$. Reject if not.
3. As per [BDMP91], verify $\pi_2$, which is the proof that $(x, y)$ is well formed.
4. Verify $\pi_4$ by making sure that each pair is handled, and that the proof string contains a proper root for the pair.
5. Verify $\pi_7$ by checking that, for each sequence of triples, the prover has handled the triples in order, that each of the proofs given between triples is sound, and that the opened triple is of type $(0, 0, 0)$.
6. For each clause, verify the proof in $\pi_8$ that it is associated with one of its remaining seven selected triples.
COMPLETENESS: Completeness only fails when the honest Prover outputs $\bot$. This occurs in step 2 with probability $2^{-k}$. For the rest of the process, we shall vigorously use independence and the Chernoff bound. Recall that a randomly chosen $k$-bit integer $a$ will be in $J_x^{+1}$ with probability greater than $1/4$. Thus, the expected number of integers which are not skipped in step 3 is at least twice the number required (at least $16kn$ from $\rho_2$ and $48km\log m$ from $\rho_3$). By the Chernoff bound, the probability of $\bot$ at step 3 is therefore upper-bounded by $e^{-kn} + e^{-km}$. By a similar calculation, we can upper-bound the failure probability at step 4 by $e^{-kn}$. Finally, step 7 is an instance of the Coupon Collector's problem. Let $E_{(a,b,c)}$ be the event of not collecting type $(a, b, c)$ among the $8k\log m$ triples of one sequence $T_j$. Because each coupon, or type, occurs with probability $1/8$, we have
$\Pr[E_{(a,b,c)}] \le \left(1 - \frac{1}{8}\right)^{8k\log m} < 2^{-1.25\,k\log m}.$
By the union bound, the probability that some type is not collected in $T_j$ is therefore upper-bounded by $8 \cdot 2^{-1.25\,k\log m}$. Applying the union bound again over the $m$ sequences, the probability of failure at step 7 is at most $8m \cdot 2^{-1.25\,k\log m} < 2^{-k}$ for sufficiently large $k$, and applying the union bound over all steps completes the proof.
SOUNDNESS: Assume that some algorithm $P'$ can produce a proof $\pi'$ for some $\phi' \notin \text{3SAT}$ such that for a non-negligible fraction of strings $\sigma$, $V(1^k, \sigma, PK, \phi', \pi') = 1$. In this case one of two events must occur: (a) either $(x, y)$ written in $\pi'$ is not in $\text{NQR}(k)$, or (b) $(x, y) \in \text{NQR}(k)$ and some sequence $T_j$ of $8k\log m$ consecutive triples parsed from $\sigma$ in step 7 contains only 7 of the 8 types. This follows because if not (a), then $\pi'$ contains a well-defined truth assignment for the variables of $\phi'$ (this assignment is determined by the pairs selected in step 4 and the values output in step 5). Because $\phi'$ is not satisfiable, there is some clause $j'$ that is unsatisfied under this assignment, so its triple $(a_{j'}, b_{j'}, c_{j'})$ is of type $(0, 0, 0)$. Because the proof of equality for two triples has soundness 1 when $(x, y) \in \text{NQR}(k)$, the only way for $\pi'$ to cause $V$ to accept in this case is for two triples of type $(0, 0, 0)$ to be selected during the parsing of the $j'$-th sequence in step 7.

Finally, the only way for two triples of the same type to be selected is if some type is missing from the sequence of $8k\log m$ triples. If no type is missing from the sequence but $P'$ selects two triples of the same type, then by the pigeonhole principle some type is left unselected. Recall that $P'$ must process every triple by either showing it is equivalent to a previous triple or selecting it. By the soundness of the equality proof for triples and by the assumption, both cases are impossible.

To complete the argument, the soundness of the proof system for NQR implies that (a) occurs with probability less than $2^{-k/2}$. In the case of (b), as per the completeness section, the probability that some type is not collected from some sequence of $8k\log m$ triples is bounded by $2^{-k}$. Overall, the union bound therefore implies that the soundness error is less than $2^{-k} + 2^{-k/2}$.
ZERO-KNOWLEDGE: The crucial idea behind the simulator for this protocol is to produce a public parameter $(x', y') \notin \text{NQR}(k)$, that is, one in which $y'$ is a quadratic residue, and to create a string $\rho_2$ which allows the simulator to succeed in steps 4 and 5 in a special way. Normally, if $(x, y)$ is a well-formed proving pair, then with high probability over the common random string the pairs chosen in step 4 must be of type $(0, 1)$ or $(1, 0)$. On the other hand, if $(x', y') \notin \text{NQR}(k)$, then the pairs chosen can be of type $(1, 1)$, since $\sqrt{sty'}$ exists whenever $s$ and $t$ are both non-residues and $y'$ is a residue. In this case every literal is of type 1, so each clause is always satisfied and the simulator can always succeed in making the Verifier accept.

$S_1(1^k)$: Run $G(1^k)$ to generate $PK = (x, y)$ and $SK = (p_1, p_2, y)$. Choose a quadratic residue $y' \in J_x^{+1}$. Generate $\rho'_1 \leftarrow S(1^k)$ by running the simulator for the proof system for $\text{NQR}(k)$. Generate $\rho'_2$ from a random string $\rho_2$ by replacing every quadratic residue in $J_x^{+1}$ with a randomly chosen quadratic non-residue in $J_x^{+1}$, and choose $\rho_3$ at random. Set the auxiliary information $z$ to be a randomly chosen $8kn$-bit string. Output $PP' = (x, y', \rho'_1, \rho'_2, \rho_3)$ and $SP' = (SK, z)$.

$S_2(SP', \phi, z)$:
1. Generate $\pi_2 \leftarrow S(x, y')$ by running the NQR simulator.
2. Parse $\rho'_2$ as per step 3 of the honest prover algorithm and let $p_i = (s_i, t_i)$ be the $i$-th pair that remains. Generate $\pi_4$ by repeating the following process until $n$ pairs have been selected: read the string $z = z_1 z_2 \ldots$; if $z_i = 1$ then discard $p_i$ by outputting $\sqrt{s_i t_i} \bmod x$; otherwise, select $p_i$ by outputting $\sqrt{s_i t_i y'} \bmod x$. (This is always possible because $s_i, t_i$ are non-residues and $y'$ is a residue by construction.)
3. Generate $\pi_5$ by randomly selecting one of the two values from the $i$-th selected pair for each variable $i = 1, \ldots, n$.
4. Generate $\pi_7$ and $\pi_8$ as per the honest Prover algorithm.

We define one intermediate Game.

Game 1: This is the same experiment as Expt$_A$ with the exception that a simulated proof that $(x, y) \in \text{NQR}(k)$ is given in step 2 of the proof instead of the real proof.

The zero-knowledge property of the NQR proof system implies that the outputs of Expt$_A$ and Game 1 are indistinguishable. The following claim completes the proof that the protocol satisfies the zero-knowledge property.
Claim 65.1. The outputs of Game 1 and Expt$_{B, S_1, S_2}$ are computationally indistinguishable.

Assume, for the sake of contradiction, that a distinguisher $D$ has advantage $\alpha$ in distinguishing the two experiments. We shall use $D$ to construct an algorithm which solves the quadratic residuosity problem with advantage $\alpha$.

$\text{QR}(x, y)$, on input $x \in \text{Blum}_k$ and $y \in J_x^{+1}$:
1. Produce $\rho'_1, \pi_2 \leftarrow S(x, y)$ by running the NQR simulator.
2. Produce $\rho'_2, \pi_4$ as follows. Pick a random string $z$ of length $8kn$ and let $z_i$ denote its $i$-th bit. Initialize a counter $j = 0$. For $i = 1, \ldots, 8kn$ do:
   a) Pick $r_i, s_i \leftarrow J_x^{+1}$ and $b_i \leftarrow \{0, 1\}$.
   b) If $z_i = 0$ then output a "discarded" pair. That is, based on $b_i$, append either $(r_i^2, s_i^2)$ or $(-r_i^2, -s_i^2)$ to $\rho'_2$ and append the canonical root of $(r_i s_i)^2$, namely $\pm r_i s_i$, to $\pi_4$.
   c) If $z_i = 1$ then increment $j \leftarrow j + 1$ and let
   $u_j = \begin{cases} -r_i^2 & \text{if } w(v_j) = \text{TRUE} \\ -y\, r_i^2 & \text{otherwise.} \end{cases}$
   Define $\bar{u}_j = y\, u_j s_i^2$. Based on $b_i$, append either $(u_j, \bar{u}_j)$ or $(\bar{u}_j, u_j)$ to $\rho'_2$, and append the canonical root of $u_j \bar{u}_j y = (y\, u_j s_i)^2$, namely $\pm y\, u_j s_i$, to $\pi_4$. Once $n$ pairs have been selected, the remaining pairs are appended to $\rho'_2$ without a proof, as the honest prover ignores them.
3. Produce $\pi_5$ by assigning to variable $v_j$ the label $u_j$ produced above.
4. Produce $\rho'_3, \pi_7$ by running the following procedure for each clause $j$ of $\phi$. For $i = 1, \ldots, 8k\log m$ do:
   a) Randomly pick a type $(e, f, g) \in \{(0,0,0), \ldots, (1,1,1)\}$ and values $a_i, b_i, c_i \in J_x^{+1}$.
   b) Produce the triple $T_i = (-y^{1-e} a_i^2,\ -y^{1-f} b_i^2,\ -y^{1-g} c_i^2)$, except that for $(e, f, g) = (0, 0, 0)$ produce $T_i = (a_i^2, b_i^2, c_i^2)$ so that its square roots $a_i, b_i, c_i$ are known without the factorization of $x$. Append $T_i$ to $\rho'_3$. (When $y$ is a non-residue, $T_i$ is of type $(e, f, g)$.)
   c) If this is the first occurrence of type $(e, f, g)$, select $T_i$. Otherwise, generate a proof that $T_i$ is equivalent to the first occurrence $T_{i'}$ of type $(e, f, g)$, using the roots $y^{1-e} a_i a_{i'}$, $y^{1-f} b_i b_{i'}$, $y^{1-g} c_i c_{i'}$ (respectively $a_i a_{i'}, b_i b_{i'}, c_i c_{i'}$ for type $(0,0,0)$) chosen during construction, and append it to $\pi_7$. Finally, open the selected triple of type $(0, 0, 0)$ by giving $a_i, b_i, c_i$.
5. Produce $\pi_8$ by running the following procedure for each clause $j = (x_a \vee x_b \vee x_c)$: Let $S_j = (u_a, u_b, u_c)$ (if a variable in clause $j$ is negated, then take $u \cdot y$ instead of $u$). Let $t = (e, f, g)$ be the truth type for clause $j$ under the assignment $w$ (e.g., if clause $j$ is $(x_5 \vee x_8 \vee x_9)$ and $w(x_5) = 1$, $w(x_8) = 0$, $w(x_9) = 1$, then the truth type is $t = (1, 0, 1)$). Finally, let $T_{j,(e,f,g)} = (\alpha, \beta, \gamma)$ be the selected triple of type $(e, f, g)$ produced for clause $j$ in $\pi_7$. Append the proof $(\sqrt{u_a \alpha}, \sqrt{u_b \beta}, \sqrt{u_c \gamma})$ (with $u \cdot y$ in place of $u$ for negated variables) to $\pi_8$. To compute the square roots, exploit the fact that each term contains an even power of $y$, an even number of $-$ signs, and a product of squares for which the roots are known by construction. Moreover, by construction, the square roots will also have Jacobi symbol $+1$ and can be easily transformed to the canonical root.
6. Set $\pi = (\pi_2, \pi_4, \pi_5, \pi_7, \pi_8)$ and $\sigma' = (\rho'_1, \rho'_2, \rho'_3)$, run $D$ on $((x, y), \sigma', \pi)$ and echo the output.

One can verify that when $y$ is a non-residue, the input distribution to algorithm $D$ is identical to Game 1, whereas when $y$ is a residue, the input is identical to Expt$_{B, S_1, S_2}$. □
UNIQUENESS: Define the secret key extraction function $sk(\cdot)$ to take a proving pair $PP = (x, y)$ and return the factorization of $x$ (together with $y$). We now observe that if $PP$ is not properly constructed, then with overwhelmingly high probability over the choice of random string the verifier rejects any proof (because of the soundness of the NQR proof verified in step 3), and therefore $\Pi_{PP}(\phi, \sigma)$ is empty and uniqueness is trivially satisfied.

Therefore, we restrict attention to the case when $PP$ is properly formed. First we observe that $P$ (with auxiliary inputs $\sigma$, $\phi$ and the factorization of $x$) is a deterministic function and that by completeness it maps $W_\phi$ into $\Pi_{PP}(\phi, \sigma)$. We now construct an efficient algorithm $P^{-1}$ (with the same auxiliary inputs) and show that it is the inverse of $P$. Finally, we show that $P$ and $P^{-1}$ are bijections by proving that $P^{-1}$ is an injection.

Let $P^{-1}$, on input $\pi \in \Pi_{PP}(\phi, \sigma)$, inspect the portion $\pi_5$, use the factorization of $x$ to determine the quadratic character (mod $x$) of $u_1, \ldots, u_n$, and output the corresponding assignment $w$. By inspecting step 5, one can verify that $P^{-1}$ returns the exact assignment used to generate $\pi$, so $P^{-1}$ is the inverse of $P$.

All that remains to be shown is that $P^{-1}$ is injective. Let $\pi = P(\phi, w, \sigma, sk(PP))$. We show that if $\pi^* \neq \pi$ and yet $P^{-1}(\phi, \pi^*, \sigma, sk(PP)) = w$, then $\pi^* \notin \Pi_{PP}(\phi, \sigma)$. We establish this using case analysis. Suppose the first portion at which $\pi$ and $\pi^*$ differ is $\pi_i$. Case $i$ below handles this possibility. (The verifier has run the honest prover algorithm to parse $\rho_1, \rho_2, \rho_3$ and to make sure that the parsing of the strings is done properly and that all roots are the canonical ones.)

Case 2: Let $R$ be the first value at which $\pi_2$ and $\pi_2^*$ differ. The verifier rejects any $R$ that is not a Jacobi-symbol-$+1$ element less than $x/2$, or whose square is not equal to either $r$ (the corresponding value in $\rho_1$) or $yr \bmod x$. Since $y$ is a non-residue, either $r$ or $yr$ has no square roots, and since $x$ is a Blum integer, only one of the four square roots of the other can pass the test.

Case 4: This is similar to the previous case. Let $R$ be the root at which $\pi_4$ and $\pi_4^*$ differ and let $(s, t)$ be the corresponding pair in $\rho_2$. The verifier squares $R$ and expects to see either $st \bmod x$ or $yst \bmod x$, and because only one of these values has a root, only one $R$ passes the test.

Case 5: This case is impossible because, by assumption, $P^{-1}$ maps both $\pi$ and $\pi^*$ to the same witness, and given the pairs selected in $\pi_4$ the witness determines $u_1, \ldots, u_n$.

Case 7: We first argue that the sub-proof used to show that two triples are of the same type is sound. This follows directly from the fact that $(x, y)$ is properly formed. We next show that $\pi^*$ cannot select two triples of the same type. If $\pi^*$ selects two triples of the same type, then some type is not selected. With high probability, this unselected type appears in the sequence of $8k\log m$ triples. Therefore, the Verifier rejects $\pi^*$, since $\pi^*$ cannot prove that a triple of the unselected type is of the same type as a previously selected triple. Hence, $\pi^*$ must select all 8 types.

If $\pi$ and $\pi^*$ select the same 8 triples, then the fact that $\pi^*$ is rejected follows from the fact that each quadratic residue has exactly one Jacobi-symbol-$+1$ root less than $x/2$, so every root in $\pi_7^*$ must equal the corresponding root in $\pi_7$.

Assume $\pi$ and $\pi^*$ select different triples. If $\pi$ selects a triple that $\pi^*$ does not, then $\pi^*$ must give a false proof that this triple was of the same type as a previously selected one, and we already know that the Verifier rejects such proofs. Alternatively, if $\pi^*$ selects a triple not selected by $\pi$, then $\pi^*$ cannot contain 8 different types, and we know that the Verifier rejects in this case as well.

Case 8: As in the previous case, for each $j$ the selected triples $(\alpha_j^t, \beta_j^t, \gamma_j^t)$ in both $\pi$ and $\pi^*$ must be the same and must contain 8 distinct types. By the soundness of the sub-proof that two triples are of the same type, both $\pi$ and $\pi^*$ must give a proof about the same pair of triples for each clause, since exactly one of the seven remaining triples has the type of $(a_j, b_j, c_j)$. Finally, by reasoning similar to Case 4, the verifier will reject the proof in $\pi^*$. □
CONSTRUCTION OVERVIEW: As in [BDMP91], we now transform the single theorem system into a multiple
theorem one. We start by breaking the random string σ into five
pieces, ρ1, ρ2, ρ3, τ1 and τ2. We use ρ1 to prove that (x0, y0) is a proper proving
pair.² This is done exactly as in Step 2. At this point, x0 and y0 can be used
with ρ2, ρ3 to prove the first theorem as in the single theorem case (starting from
Step 3, as the correctness of (x0, y0) has already been established).
At this point, our construction diverges from [BDMP91]. Originally, for the
second theorem, the prover in [BDMP91] randomly selects completely new proving
pairs (x00, y00) and (x01, y01) and then uses (x0, y0) and τ1 along with the single
theorem system to prove the auxiliary theorem, "(x00, y00) and (x01, y01) are
properly formed proving pairs."³ This approach, however, does not work in
our setting because selecting new random values after posting the public key
compromises the Uniqueness property.
²We have changed notation from (x, y) above to (x0, y0) in order to match the notation
from [BDMP91].
To circumvent this difficulty, we add a seed, s, for a pseudo-random function
f [GGM86] to the prover's secret key, and a perfectly binding commitment to s
to the prover's public key. Now, whenever the prover in [BDMP91] is instructed to
prove that
"(x_{0b1...bj0}, y_{0b1...bj0}) and (x_{0b1...bj1}, y_{0b1...bj1}) are properly formed
proving pairs"
our prover instead proves that
"(x_{0b1...bj0}, y_{0b1...bj0}) and (x_{0b1...bj1}, y_{0b1...bj1}) are generated
using G(1^k) with coins f(0b1...bj)"
Observe that this auxiliary theorem is an NP-statement whose length is a fixed
polynomial in k and can therefore be proven using the single theorem uniZK
system with a sufficiently long τ1. This assures both that (x_{0b1...bj0}, y_{0b1...bj0}) and
(x_{0b1...bj1}, y_{0b1...bj1}) have the necessary properties and also that the prover had no
choice in selecting these values (given his public key).⁴
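An added illustration of the mechanism in this paragraph (example code, not the thesis's own): the proving pairs below a node of the [BDMP91] tree are derived from the committed seed s through the PRF, so a prover who has posted the public key has no freedom left in choosing them. Assumptions of this example: HMAC-SHA256 stands in for the [GGM86] PRF f, a SHA-256 hash stands in for the perfectly binding commitment in the public key (a simplification; the thesis needs a commitment with a single valid opening, and a plain hash is only computationally binding), and the generator G(1^k) is modelled as a toy Blum-integer sampler with 12-bit primes. The auxiliary relation is checked here directly with the witness s, whereas the thesis proves it in zero-knowledge with the single theorem uniZK system and τ1. All names and values are this example's own.

```python
# Added example (not code from the thesis): proving pairs bound to a committed PRF seed.
# HMAC-SHA256 models the PRF f, SHA-256 models the commitment, small primes keep the
# toy fast; none of these are the thesis's concrete choices or secure parameters.
import hashlib
import hmac
import random


def prf(seed: bytes, label: str) -> bytes:
    """f_s(label): the secret seed s is the PRF key, the label is the bit string 0b1...bj."""
    return hmac.new(seed, label.encode(), hashlib.sha256).digest()


def commit_seed(seed: bytes) -> bytes:
    """Public-key component: commitment to s (hash stand-in, see the header comment)."""
    return hashlib.sha256(b"uniZK-seed-commitment|" + seed).digest()


def is_prime(n: int) -> bool:
    """Trial division; adequate for the 12-bit toy primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def proving_pair(rng: random.Random, bits: int = 12):
    """Toy G(1^k): from the coin stream rng derive (x, y) and the trapdoor (p, q), with
    x = p*q a Blum integer (p, q = 3 mod 4) and y a non-residue modulo both primes,
    hence a non-residue of Jacobi symbol +1 modulo x."""

    def blum_prime() -> int:
        while True:
            cand = rng.randrange(1 << (bits - 1), 1 << bits) | 3  # OR 3 forces cand = 3 (mod 4)
            if is_prime(cand):
                return cand

    p = blum_prime()
    q = blum_prime()
    while q == p:
        q = blum_prime()
    x = p * q
    while True:
        y = rng.randrange(2, x)
        # Euler's criterion in each factor: y must be a non-residue mod p and mod q
        if pow(y, (p - 1) // 2, p) == p - 1 and pow(y, (q - 1) // 2, q) == q - 1:
            return (x, y), (p, q)


def children_of(seed: bytes, node: str):
    """The two proving pairs (x_{node0}, y_{node0}) and (x_{node1}, y_{node1}) below the
    tree node labelled 0b1...bj, both generated from the single coin string f_s(0b1...bj)."""
    rng = random.Random(int.from_bytes(prf(seed, node), "big"))
    return proving_pair(rng), proving_pair(rng)


def auxiliary_relation_holds(seed: bytes, commitment: bytes, node: str, claimed_children) -> bool:
    """The NP relation behind the auxiliary theorem: with witness s (which must open the
    commitment in the public key), the claimed children of `node` are exactly the pairs
    generated with coins f_s(node). A prover who picked fresh pairs cannot satisfy it."""
    if commit_seed(seed) != commitment:
        return False
    expected = tuple(pair for pair, _trapdoor in children_of(seed, node))
    return tuple(claimed_children) == expected


if __name__ == "__main__":
    sk_seed = hashlib.sha256(b"constructed toy seed").digest()  # constructed secret-key seed
    pk_commit = commit_seed(sk_seed)                             # goes into the public key
    kids = children_of(sk_seed, "0")                             # children of the root node 0
    print("pairs below node 0:", [pair for pair, _ in kids])
    print("honest children certified:", auxiliary_relation_holds(sk_seed, pk_commit, "0", [p for p, _ in kids]))
    fresh = [pair for pair, _ in children_of(b"\x07" * 32, "0")]  # pairs chosen after keygen
    print("freshly chosen pairs certified:", auxiliary_relation_holds(sk_seed, pk_commit, "0", fresh))
```

Running the block twice yields the same pairs for the same seed and node, which is the whole point: once the commitment to s is public, the pair used for the theorem indexed by b1...bj is a function of the public key, and any other pair fails the auxiliary relation.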
We can also extend our system to work for theorems of arbitrary size by using
techniques similar to those in [BDMP91]. Let φ be an arbitrarily long formula and
let (x̂, ŷ) be the next unused proving pair in the construction described above.
First, use (x̂, ŷ) to complete Steps 3 through 6. Observe that we cannot continue
with Step 7 because τ2 is not long enough to accommodate all of the clauses of φ.
Instead, for each clause, we form the NP-statement
"In clause j of φ, the triple (aj, bj, cj) contains one non-residue in Z_x̂^{+1}."
Note that the length of this statement is fixed and independent of the size
of φ. Therefore, by making τ2 sufficiently long, we can prove each of these
statements as a separate theorem using the successor pairs of (x̂, ŷ) as per the multi-theorem construction. Note that the prover has no choices because the form of
the statements and the order in which they are proven are fixed by the theorem φ.
SECURITY PROPERTIES: The proof that this scheme is complete, sound, and zero-knowledge closely follows the corresponding proofs in [BDMP91]. Therefore, we
will only sketch a proof that our construction satisfies Uniqueness. The only
difference in the multi-theorem case is that π and π* might use different pairs
(x, y) ≠ (x*, y*) to prove theorem i. This means that (x*, y*) is not the output
of the honest prover algorithm with coins specified by the committed seed in the
prover's public key. In this case, by the soundness of the single-theorem proof
system, the verifier will reject any auxiliary proof certifying (x*, y*).
³In general, [BDMP91] describes a tree structure in which (x_{0b1...bj}, y_{0b1...bj}) is used to certify
(x_{0b1...bj0}, y_{0b1...bj0}) and (x_{0b1...bj1}, y_{0b1...bj1}), which are then used to prove the b1...bj0-th and
b1...bj1-th theorems.
⁴Note here that we need to use a commitment scheme with only a single valid decommit
message (to assure that the prover does not have a choice in selecting the witness for the auxiliary
theorem).
REMARK: CHOOSING THE RIGHT NP-COMPLETE PROBLEM. We deliberately
choose 3SAT (over, say, 3-Colorability) because, in order to satisfy the Uniqueness
property, our multi-theorem construction requires a reduction from general NP-statements to 3-SAT formulae which preserves the number of witnesses (in our
case, one to one). Notice that even parsimonious reductions for 3-colorability
map one witness to six possible colorings.
REMARK: CHOOSING THE RIGHT COMPLEXITY ASSUMPTION. There are several
NIZK systems based on the more general assumption that trap-door permutations exist (e.g., [FLS99] and [KP98]). Adapting such systems to admit Unique
proofs, however, seems to require substantially new techniques.
Bibliography
[AH91] W. Aiello and J. Håstad. Statistical zero-knowledge languages can be recognized in two rounds. J. Comput. Syst. Sci., 42:327-345, 1991.
[AD97] Miklós Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In STOC, pages 284-293, 1997.
[Aum74] R. Aumann. Subjectivity and correlation in randomized strategies. J. Math. Econ., 1:67-96, 1974.
[BM88] L. Babai and S. Moran. Arthur-Merlin games: A randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci., 36(2):254-276, 1988.
[BDPR98] Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations among notions of security for public-key encryption schemes. In CRYPTO, pages 26-45, 1998.
[BS99] Mihir Bellare and Amit Sahai. Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization. In CRYPTO, pages 519-536, 1999.
[BDMP91] M. Blum, A. De Santis, S. Micali, and G. Persiano. Noninteractive zero-knowledge. SIAM J. Computing, 20(6):1084-1118, 1991.
[BFM88] M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications. In Proc. 20th ACM Symp. on Theory of Computing, pages 103-112, 1988.
[BHZ87] R. Boppana, J. Håstad, and S. Zachos. Does co-NP have short interactive proofs? Inf. Process. Lett., 25(2):127-132, 1987.
[CD00] Jan Camenisch and Ivan B. Damgård. Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes. In Asiacrypt 2000, volume 1976 of LNCS, pages 331-345, 2000.
[CLOS02] R. Canetti, Y. Lindell, R. Ostrovsky, and A. Sahai. Universally composable two-party and multi-party secure computation. In STOC 02, pages 494-503, 2002.
[CD04] R. Cramer and I. Damgård. Secret-key zero-knowledge and non-interactive verifiable exponentiation. In TCC 04, 2004.
[CS98] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO, pages 13-25, 1998.
[CS02] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In EUROCRYPT, pages 45-64, 2002.
[Dam93] I. Damgård. Non-interactive circuit based proofs and non-interactive perfect zero knowledge with preprocessing. In EUROCRYPT 92, pages 341-355, 1993.
[Dam00] I. Damgård. Efficient concurrent zero-knowledge in the auxiliary string model. In EUROCRYPT 2000, pages 418-430, 2000.
[DFN05] I. Damgård, N. Fazio, and A. Nicolosi. Secret-key zero-knowledge protocols for NP and applications to threshold cryptography. Manuscript, 2005.
[DCO+01] A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, and Amit Sahai. Robust non-interactive zero knowledge. CRYPTO 01, pages 566-598, 2001.
[DMP88] A. De Santis, S. Micali, and G. Persiano. Non-interactive zero-knowledge with preprocessing. In CRYPTO 88, pages 269-282, 1988.
[DDN00] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM J. Comput., 30(2):391-437, 2000.
[Dwo99] Cynthia Dwork. The non-malleability lectures. Course notes for Stanford CS 359, 1999. http://theory.stanford.edu/~gdurf/cs359-99.
[DNR04] Cynthia Dwork, Moni Naor, and Omer Reingold. Immunizing encryption schemes from decryption errors. In EUROCRYPT, pages 342-360, 2004.
[FLS99] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput., 29(1):1-28, 1999.
[GMR98] R. Gennaro, D. Micciancio, and T. Rabin. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In CCS 98, pages 67-72, 1998.
[GL03] Rosario Gennaro and Yehuda Lindell. A framework for password-based authenticated key exchange. In EUROCRYPT, pages 524-543, 2003.
[Gol90] O. Goldreich. A note on computational indistinguishability. Inf. Process. Lett., 34(6):277-281, 1990.
[GO94] O. Goldreich and Y. Oren. Definitions and properties of zero-knowledge proof systems. J. Crypt., 7(1):1-32, 1994.
[Gol01] Oded Goldreich. Foundations of Cryptography, Volume 1. Cambridge University Press, May 2001.
[Gol04] Oded Goldreich. Foundations of Cryptography, Volume 2. Cambridge University Press, 2004.
[GGH97] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. In CRYPTO, pages 112-131, 1997.
[GGM86] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. Journal of the ACM, 33(4):792-807, October 1986.
[GO94] Oded Goldreich and Yair Oren. Definitions and properties of zero-knowledge proof systems. Journal of Cryptology, 7(1):1-32, 1994.
[GMR85] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof-systems. In Proc. 17th ACM Symp. on Theory of Computing, pages 291-304, 1985.
[GS86] S. Goldwasser and M. Sipser. Private coins versus public coins in interactive proof systems. In Proc. 18th ACM Symp. on Theory of Computing, pages 59-68, 1986.
[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270-299, 1984.
[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281-308, April 1988.
[HILL99] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364-1396, 1999.
[JSI96] Markus Jakobsson, Kazue Sako, and Russell Impagliazzo. Designated verifier proofs and their applications. In EUROCRYPT, pages 143-154, 1996.
[Kil88] J. Kilian. Founding cryptography on oblivious transfer. In Proc. 20th ACM Symp. on Theory of Computing, pages 20-31, 1988.
[KMO89] J. Kilian, S. Micali, and R. Ostrovsky. Minimum resource zero-knowledge proofs. In FOCS 89, pages 474-479, 1989.
[KP98] Joe Kilian and Erez Petrank. An efficient noninteractive zero-knowledge proof system for NP with general assumptions. J. Cryptology, 11(1):1-27, 1998.
[LMS05a] Matt Lepinski, Silvio Micali, and abhi shelat. Collusion-free protocols. In Proc. 37th ACM Symp. on Theory of Computing, pages 543-552, May 2005.
[LMS05b] Matt Lepinski, Silvio Micali, and abhi shelat. Fair-zero knowledge. In Proc. 2nd Theory of Cryptography Conf., pages 245-263, 2005.
[Nao91] M. Naor. Bit commitment using pseudorandomness. J. Crypt., 4(2):151-158, 1991.
[Nao96] Moni Naor. Evaluation may be easier than generation. In Proc. 28th ACM Symp. on Theory of Computing, pages 74-83, 1996.
[Nao03] Moni Naor. A taxonomy of encryption scheme security, 2003.
[OW93] R. Ostrovsky and A. Wigderson. One-way functions are essential for non-trivial zero-knowledge. In ISTCS, pages 3-17, 1993.
[PR05] Rafael Pass and Alon Rosen. Concurrent non-malleable commitments. In FOCS, pages 563-572, 2005.
[PS05] Rafael Pass and abhi shelat. Unconditional characterizations of non-interactive zero-knowledge. In CRYPTO, pages 118-134, 2005.
[PSV05] Rafael Pass, abhi shelat, and Vinod Vaikuntanathan. Construction of a non-malleable encryption scheme from any semantically secure encryption scheme. Submitted, November 2005.
[Reg05] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC, pages 84-93, 2005.
[SV03] A. Sahai and S. Vadhan. A complete problem for statistical zero knowledge. J. ACM, 50(2):196-249, 2003.
[SMP87] A. De Santis, S. Micali, and G. Persiano. Non-interactive zero-knowledge proof systems. In Proc. CRYPTO 87, pages 52-72, 1987.
[Vad99] S. Vadhan. A Study of Statistical Zero-Knowledge Proofs. PhD thesis, MIT, 1999.
[Vad04] S. Vadhan. An unconditional study of computational zero knowledge. In FOCS 04, pages 176-185, 2004.
Index