Witness Signatures and Non-Malleable Multi-Prover Zero-Knowledge Proofs

Motivated by the goal of removing trusted setup assumptions from cryptography, we introduce the notion of witness signatures. This primitive allows any party with a valid witness to an NP statement to sign a message on behalf of that statement. We also require these signatures to be unforgeable: that is, producing a signature on a new message (even given several (message, signature) pairs) should be as hard as computing a witness to the NP statement itself. Witness signatures are closely related to previously well-studied notions such as non-malleable non-interactive zero-knowledge arguments and signatures of knowledge. In this work, we formalize this notion and show that most natural definitions are impossible in the plain model without any setup assumptions. While still wanting to avoid a central trusted setup, we turn to the tamper-proof hardware token model of Katz (Eurocrypt 2007). Interestingly, we show that witness signatures in the hardware token model are closely related to what we call non-malleable multi-prover zero-knowledge proofs in the plain model (i.e., without hardware tokens). We initiate the study of non-malleable multi-prover zero-knowledge proofs and provide an unconditional construction of single-round non-malleable two-prover zero-knowledge proofs. We then use this primitive to obtain an unconditional construction of witness signatures in the hardware token model. Our construction makes a novel use of non-malleable codes. In particular, we crucially rely on the notion of many-many non-malleable codes introduced recently by Chattopadhyay, Goyal and Li (ECCC 2015). Our construction is unconditional, is extremely efficient (in terms of computation, number of tokens, and rounds of interaction with the token), and only relies on elementary computations such as inner products. Finally, this construction yields signatures which can only be verified a bounded number of times.

Towards that end, we show how to extend it to get the unbounded (polynomial) verification property relying on the minimal additional assumption of one-way functions. We also show that obtaining unconditional unbounded-verifiable witness signatures under black-box extraction is impossible even with access to an unbounded number of stateful tamper-proof hardware tokens, thereby giving a matching lower bound. This is done by relying on the techniques from the work of Goyal et al. (Crypto 2012) (which in turn builds on techniques from the black-box separation literature). In particular, we rely on the notion of "inaccessible entropy" introduced in prior works.

∗ Microsoft Research, India. Email: vipul@microsoft.com.
† UCLA, USA. Email: aayushjainiitd@gmail.com. Work done in part while at Microsoft Research, India.
‡ UCLA, USA. Email: dakshita@cs.ucla.edu. Work done in part during an internship at Microsoft Research, India.
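As an added illustration of the witness-signature interface the abstract describes (sign with a witness, verify with only the statement, signature bound to the message), and not the paper's own construction, the following is a Fiat-Shamir signature of knowledge for the NP statement "I know x such that g^x = y". It relies on a hash function modelled as a random oracle, which is precisely the kind of setup assumption the paper aims to remove, and the group parameters (the Mersenne prime 2^61 - 1 and base 3) are constructed here for illustration only, not a secure instantiation.

```python
import hashlib
import secrets

# Constructed toy parameters: P is the Mersenne prime 2^61 - 1, exponents live mod N = P - 1.
# Correctness of the check below follows from Fermat's little theorem for any base G;
# a real deployment would use a standard prime-order group of adequate size.
P = 2**61 - 1
N = P - 1
G = 3

def _challenge(statement: int, commitment: int, message: bytes) -> int:
    # Fiat-Shamir heuristic: the challenge binds the statement, the commitment and the
    # message, so a valid signature cannot be transplanted onto another message.
    h = hashlib.sha256(f"{P}|{G}|{statement}|{commitment}|".encode() + message).digest()
    return int.from_bytes(h, "big") % N

def sign(statement: int, witness: int, message: bytes) -> tuple[int, int]:
    """Sign `message` on behalf of the statement y = G^witness mod P."""
    if pow(G, witness, P) != statement:
        raise ValueError("not a valid witness for this statement")
    r = secrets.randbelow(N - 1) + 1          # fresh randomness per signature
    commitment = pow(G, r, P)
    c = _challenge(statement, commitment, message)
    s = (r + c * witness) % N                 # Schnorr response
    return commitment, s

def verify(statement: int, message: bytes, sig: tuple[int, int]) -> bool:
    """Verify using only the public statement; no witness is needed here."""
    commitment, s = sig
    if not (1 <= commitment < P and 0 <= s < N):
        return False
    c = _challenge(statement, commitment, message)
    # G^s == commitment * statement^c holds exactly when s = r + c*witness (mod N).
    return pow(G, s, P) == (commitment * pow(statement, c, P)) % P

def demo() -> tuple[bool, bool, bool]:
    """Returns (honest verifies, tampered message rejected?, wrong statement rejected?)."""
    x = 123456789                             # the witness (constructed value)
    y = pow(G, x, P)                          # the public NP statement
    sig = sign(y, x, b"release build 1.2.3")
    ok = verify(y, b"release build 1.2.3", sig)
    tampered = verify(y, b"release build 1.2.4", sig)
    other_statement = verify(pow(G, 987654321, P), b"release build 1.2.3", sig)
    return ok, tampered, other_statement

if __name__ == "__main__":
    print(demo())
```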

[1] Venkatesan Guruswami, et al. Non-malleable Coding Against Bit-Wise and Split-State Tampering, 2013, Journal of Cryptology.

[2] Yevgeniy Dodis, et al. Non-malleable Reductions and Applications, 2015, Electron. Colloquium Comput. Complex.

[3] David Zuckerman, et al. Non-malleable Codes against Constant Split-State Tampering, 2014, 2014 IEEE 55th Annual Symposium on Foundations of Computer Science.

[4] Gil Cohen, et al. Local Correlation Breakers and Applications to Three-Source Extractors and Mergers, 2015, 2015 IEEE 56th Annual Symposium on Foundations of Computer Science.

[5] Pratyay Mukherjee, et al. Continuous Non-malleable Codes, 2014, IACR Cryptol. ePrint Arch.

[6] Yehuda Lindell, et al. An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-programmable Random Oracle, 2015, TCC.

[7] Mark Zhandry, et al. How to Avoid Obfuscation Using Witness PRFs, 2016, TCC.

[8] Hugo Krawczyk, et al. On the Composition of Zero-Knowledge Proof Systems, 1990, ICALP.

[9] Amit Sahai, et al. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security, 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[10] Brent Waters, et al. Witness encryption and its applications, 2013, STOC '13.

[11] Manoj Prabhakaran, et al. Explicit Non-malleable Codes Against Bit-Wise Tampering and Permutations, 2015, CRYPTO.

[12] Hovav Shacham, et al. Advances in Cryptology – CRYPTO 2018, 2002, Lecture Notes in Computer Science.

[13] Daniel Wichs, et al. Efficient Non-Malleable Codes and Key Derivation for Poly-Size Tampering Circuits, 2014, IEEE Transactions on Information Theory.

[14] Jonathan Katz, et al. Universally Composable Multi-party Computation Using Tamper-Proof Hardware, 2007, EUROCRYPT.

[15] Rafail Ostrovsky, et al. Robust Non-interactive Zero Knowledge, 2001, CRYPTO.

[16] Gérard D. Cohen, et al. Non-malleable codes from the wire-tap channel, 2011, 2011 IEEE Information Theory Workshop.

[17] Feng-Hao Liu, et al. Tamper and Leakage Resilience in the Split-State Model, 2012, IACR Cryptol. ePrint Arch.

[18] B. Abdolmaleki. Non-Malleable Codes, 2017.

[19] Stefan Dziembowski, et al. Non-Malleable Codes from Two-Source Extractors, 2013, IACR Cryptol. ePrint Arch.

[20] Omer Reingold, et al. Inaccessible entropy, 2009, STOC '09.

[21] Yuval Ishai, et al. Founding Cryptography on Tamper-Proof Hardware Tokens, 2010, IACR Cryptol. ePrint Arch.

[22] Shachar Lovett, et al. Non-malleable codes from additive combinatorics, 2014, STOC.

[23] Yuval Ishai, et al. Founding Cryptography on Oblivious Transfer - Efficiently, 2008, CRYPTO.

[24] Gérard D. Cohen, et al. Secure network coding and non-malleable codes: Protection against linear tampering, 2012, 2012 IEEE International Symposium on Information Theory Proceedings.

[25] Omer Reingold, et al. Finding Collisions in Interactive Protocols - A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments, 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[26] C. Moler, et al. Advances in Cryptology, 2000, Lecture Notes in Computer Science.

[27] Aggelos Kiayias, et al. BiTR: Built-in Tamper Resilience, 2011, IACR Cryptol. ePrint Arch.

[28] Vipul Goyal, et al. Non-malleable extractors and codes, with their many tampered extensions, 2015, IACR Cryptol. ePrint Arch.

[29] Melissa Chase, et al. On Signatures of Knowledge, 2006, CRYPTO.

[30] Yuval Ishai, et al. Interactive Locking, Zero-Knowledge PCPs, and Unconditional Cryptography, 2010, Electron. Colloquium Comput. Complex.

[31] Adi Shamir, et al. A one-round, two-prover, zero-knowledge protocol for NP, 1995, Comb.