Perfect NIZK with Adaptive Soundness

This paper presents a very simple and efficient adaptively-sound perfect NIZK argument system for any NP-language. In contrast to recently proposed schemes by Groth, Ostrovsky and Sahai, our scheme does not pose any restriction on the statements to be proven. Besides, it enjoys a number of desirable properties: it allows to re-use the common reference string (CRS), it can handle arithmetic circuits, and the CRS can be set-up very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NP-reductions. The security of the proposed schemes is based on a strong non-standard assumption, an extended version of the so-called Knowledge-of-Exponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonly-used approach for proving NIZK arguments sound does not allow for adaptively-sound statistical NIZK arguments (unless NP ⊂ P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the non-standard assumption in a pre-processing model.

[1]  Yuval Ishai,et al.  Constant-Round Multiparty Computation Using a Black-Box Pseudorandom Generator , 2005, CRYPTO.

[2]  Hoeteck Wee Lower Bounds for Non-interactive Zero-Knowledge , 2007, TCC.

[3]  Rafail Ostrovsky,et al.  Minimum resource zero knowledge proofs , 1989, 30th Annual Symposium on Foundations of Computer Science.

[4]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[5]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[6]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[7]  Alfredo De Santis,et al.  Zero-knowledge proofs of knowledge without interaction , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[8]  Joe Kilian,et al.  An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions , 1998, Journal of Cryptology.

[9]  Ran Canetti,et al.  Universally composable protocols with relaxed set-up assumptions , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[10]  Ivan Damgård,et al.  Non-interactive Zero-Knowledge from Homomorphic Encryption , 2006, TCC.

[11]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[12]  Moni Naor,et al.  Zaps and Their Applications , 2007, SIAM J. Comput..

[13]  Toshiaki Tanaka,et al.  On the Existence of 3-Round Zero-Knowledge Protocols , 1998, CRYPTO.

[14]  Johan Håstad,et al.  Perfect zero-knowledge languages can be recognized in two rounds , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[15]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[16]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[17]  Ivan Damgård,et al.  Non-Interactive Circuit Based Proofs and Non-Interactive Perfect Zero-knowledge with Proprocessing , 1992, EUROCRYPT.

[18]  Alexander W. Dent The Hardness of the DHK Problem in the Generic Group Model , 2006, IACR Cryptol. ePrint Arch..

[19]  A. D. Santis,et al.  Zero-Knowledge Proofs of Knowledge Without Interaction (Extended Abstract) , 1992, FOCS 1992.

[20]  Rafail Ostrovsky,et al.  Minimum Resource Zero-Knowledge Proofs (Extended Abstract) , 1989, CRYPTO.

[21]  Ran Canetti,et al.  Universally Composable Security with Global Setup , 2007, TCC.

[22]  John B. Shoven,et al.  I , Edinburgh Medical and Surgical Journal.

[23]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[24]  Jacob T. Schwartz,et al.  Fast Probabilistic Algorithms for Verification of Polynomial Identities , 1980, J. ACM.

[25]  V. Nechaev Complexity of a determinate algorithm for the discrete logarithm , 1994 .

[26]  Leonard M. Adleman,et al.  Two theorems on random polynomial time , 1978, 19th Annual Symposium on Foundations of Computer Science (sfcs 1978).

[27]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[28]  Abhi Shelat,et al.  Unconditional Characterizations of Non-interactive Zero-Knowledge , 2005, CRYPTO.

[29]  Johan Håstad,et al.  Statistical Zero-Knowledge Languages can be Recognized in Two Rounds , 1991, J. Comput. Syst. Sci..

[30]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[31]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[32]  Lance Fortnow The Complexity of Perfect Zero-Knowledge (Extended Abstract) , 1987, STOC 1987.

[33]  Donald Beaver,et al.  Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority , 2004, Journal of Cryptology.

[34]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[35]  Yuval Ishai,et al.  Share Conversion, Pseudorandom Secret-Sharing and Applications to Secure Computation , 2005, TCC.

[36]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[37]  Moni Naor,et al.  On Cryptographic Assumptions and Challenges , 2003, CRYPTO.

[38]  Silvio Micali,et al.  Non-Interactive Zero-Knowledge with Preprocessing , 1988, CRYPTO.

[39]  Ran Canetti,et al.  Resettable Zero-Knowledge , 1999, IACR Cryptol. ePrint Arch..

[40]  Silvio Micali,et al.  Non-Interactive Zero-Knowledge Proof Systems , 1987, CRYPTO.

[41]  Ivan Damgård,et al.  Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions , 2000, Public Key Cryptography.

[42]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[43]  Gilles Brassard,et al.  Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[44]  Mihir Bellare,et al.  The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols , 2004, CRYPTO.

[45]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[46]  Lance Fortnow,et al.  The Complexity of Perfect Zero-Knowledge , 1987, Proceeding Structure in Complexity Theory.

[47]  Rafail Ostrovsky,et al.  Minimum resource zero-knowledge proofs (extended abstracts) , 1989, CRYPTO 1989.

[48]  Donald Beaver,et al.  Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.