Concurrent non-malleable zero-knowledge and simultaneous resettable non-malleable zero-knowledge in constant rounds

Concurrent non-malleable zero-knowledge (CNMZK) considers the concurrent execution of zero-knowledge protocols in a setting even when adversaries can simultaneously corrupt multiple provers and verifiers. As far as we know, the round complexity of all the constructions of CNMZK arguments for NP is at least ω(logn). In this paper, we provide the first construction of a constant-round concurrent non-malleable zero-knowledge argument for every language in NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations and indistinguishability obfuscators. As an additional contribution, we study the composition of two central notions in zero knowledge, the simultaneously resettable zero-knowledge and non-malleable zero-knowledge, which seemingly have stronger proved security guarantees. We give the first construction of a constant-round simultaneously-resettable non-malleable zero-knowledge. To the best of our knowledge, this is the first study to combine the two security concepts described above together in the zero-knowledge protocols.

Zero-knowledge proof systems were introduced by Goldwasser, Micali and Rackofi in (1989). Informally, an interactive proof protocol is zero-knowledge if the prover can convince the verifier that a statement is true without revealing any information other than the fact itself. With such an intriguing nature, zero-knowledge proof has played a central role in the design and study of cryptographic protocols. The notion of concurrent zero knowledge(CZK) was first introduced by Dwork, Naor and Sahai (1998) to consider that many copies of the zero-knowledge protocol are executed simultaneously in an asynchronous network, where messages from different copies may be arbitrarily interleaved by the verifier. The notion of non-malleable zero knowledge(NMZK) was first introduced by Dolev, Dwork and Naor (2000) to consider the execution of zero-knowledge protocol in the setting where the man-in-the-middle adversary interacts with an honest prover in the left session and an honest verifier in the right session.

Concurrent Non-malleable Zero-Knowledge. By combining the concurrent zero-knowledge with the security against man-in-the-middle adversaries, Barak, Prabhakaran and Sahai (2006) introduced a stronger form of zero knowledge referred to as concurrent non-malleable zero knowledge (CNMZK). In such protocol, the adversary can complete control over the communication channel and participate in an unbounded number of concurrent executions. It guarantees that the proofs in the left sessions does not help the adversary to give proofs in the right sessions.

After the original protocol by (Barak et al. 2006), various other concurrent non-malleable ZK protocols have been obtained (Ostrovsky et al. 2008, 2010; Lin et al. 2010; Lin and Pass 2011; Orlandi et al. 2014; Kiyoshima 2015). Lin, Pass, Tseng and Venkitasubramaniam (2010) focused on enhancing the soundness property by combining the notation of robust non-malleable commitments introduced by Lin et al. (2009) with the concurrently extractable commitments (CECom) introduced by Micciancio et al. (2006). They showed a poly(n)-round CNMZKproof for all of NP based on one way function assumption and a \( \widetilde {O}(log(n)) \)-round protocol based on the existence of collision resistant hash-functions(CRHFs). Recently, Orlandi et al. (2014) achieved the first statisticalCNMZKargument system. In their protocol, they used a special kind of commitment scheme called “mixed non-malleable commitment” scheme based on the DDH assumptions. Very recently, Kiyoshima (2015) achieved a poly(n) rounds statisticalCNMZKargument system only assuming the existence of one-way functions. In their protocol, instead of using a non-malleable commitment to commit the real witness (see (Barak et al. 2006; Lin et al. 2010)), they used a constant-round k-robust one-one CCA-secure commitment (Canetti et al. 2010; Lin and Pass 2012; Kiyoshima 2014; Goyal et al. 2015) to commit a random string (e.g., 0ⁿ).

However, we observe that the round complexity of all the above protocols based on the standard assumptions is at least \( \widetilde {O}(\log n) \) rounds. Indeed, in the standard model without set-up assumptions, Canetti, Kilian, Petrank and Rosen (2001) based on earlier works by (Kilian et al. 1998; Rosen 2000) have showed that any black-box concurrent zero-knowledge protocol require at least \(\widetilde {\Omega }(\log n)\) rounds. It can be observed that the lower bound also holds for the black-box concurrent non-malleable zero-knowledge protocol. A breakthrough work was made by Barak in (2001), he proposed the first non-black-box simulation techniques and constructed the first constant-round boundedCZKargument system assuming the existence of CRHFs. Recently, Pandey, Prabhakaran and Sahai (2015) showed a new non-black-box simulation technique independent of the PCP theorem and constructed a 4-round CZKargument system based on the existence of CRHFs and differing-input obfuscation (diO)(Barak et al. 2001; Boyle et al. 2014; Ishai et al. 2015). Very recently, Chung, Lin and Pass (2015) achieved constant-roundCZK with non-uniform soundness assuming the existence of CRHFs, OWP and iO (Barak et al. 2001; Garg et al. 2013) for P/poly. We stress that Ostrovsky, Persiano and Visconti in (2008) have showed a constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model. However, in this model each verifier have to register the public key in a public file during a preprocessing stage and the secret key is known only to itself. Thus, one natural question we ask in this work is:

Whether a constant rounds concurrent non-malleable zero-knowledge protocol in the standard model can be obtained?

Simultaneous Resettable Zero-Knowledge. The notion of resettable zero-knowledge (rZK) was first introduced by Canetti, Goldreich, Goldwasser and Micali (2000). It requires the zero-knowledge condition holds even when the verifier can reset the prover to reuse the previous randomness. From the definition, we can see that the security of resettable zero-knowledge is stronger than that of concurrent zero-knowledge, because a resetting verifier could emulate any concurrent attack in the CZK protocol. Subsequently, Barak, Goldreich, Goldwasser and Lindell (2001) introduced the notion of resettably-sound zero-knowledge (rsZK). It requires the soundness condition holds even when the prover can reset the verifier to use the same random tape in multiple concurrent executions. Following the two works above, a number of works have investigated the resettable security in zero-knowledge protocols (Deng et al. 2009; Cho et al. 2012; Garg et al. 2012; Chung et al. 2013b, 2014; Bitansky and Paneth 2015; Ostrovsky et al. 2015), which focused on either reducing the complexity assumptions or reducing the round complexity and so on. Recently, Chung et al. (2013a) presented a construction of the simultaneous resettable zero-knowledge protocol with polynomial rounds based on the minimal assumption of one-way functions. Very recently, Chongchitmate et al. (2017) showed a constant-round simultaneous resettable zero-knowledge argument system based on the work of Chung et al. (2015). Thus, another question in this work is:

Whether a constant rounds interactive protocol can be both simultaneous resettable zero-knowledge and non-malleable zero-knowledge?

Our results

In this paper, we combine the forementioned approaches and answer the above question positively. In the main result, we construct the first constant-round non-malleable concurrent zero-knowledge argument system.

Theorem 1

Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round concurrent non-malleable zero-knowledge argument system for NP.

Our additional contribution is that by combining our CNMZK argument system with the approach of (Chongchitmate et al. 2017) and (Deng et al. 2009), we get the first constant-round simultaneously resettable and non-malleable zero-knowledge protocol.

Theorem 2

Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round simultaneously resettable and non-malleable zero-knowledge argument system for NP.

Our techniques

Below, we first recall the techniques in (Barak 2001; Chung et al. 2015; Kiyoshima 2015) and then give an overview of our construction approach.

Barak’s protocol. Barak’s non-black-box zero-knowledge argument system consists of three stages. In stage 1, the verifier V chooses a hash function \( h \xleftarrow {R} \mathcal {H}\) and sends it to the prover P, where \( \mathcal {H} \) is a collision-resistant hash function family. In stage 2, P sends a commitment c←Com(0ⁿ,ρ) to V, where Com is a statistically binding commitment scheme; then V responds with a random string r∈{0,1}²ⁿ to P. In stage 3, P and V start a witness-indistinguishable universal argument(WIUA) system where P proves to V that there exists x∈L or (h,c,r)∈Λ. The language Λ is defined as (h,c,r)∈Λ iff there exists a program Π such that c=Com(h(Π),ρ) and Π on input c can output r within n^{log logn} steps.

The soundness of Barak’s protocol follows from the fact that even if a malicious prover P^∗ tries to commit to some program Π (instead of committing to 0ⁿ), with a high probability, the output of Π(c) will be different from the string r sent by V for every string r∈{0,1}²ⁿ. To prove zero knowledge, just use the code of the malicious verifier V^∗ as trapdoor in stage 2. By the definition of the language Λ, it must holds that c=Com(h(Π))=Com(h(V^∗)) and Π(c)=V^∗(c)=r.

Chung et al.’s constant-round CZK protocol. In (Chung et al. 2013), Chung et.al presented a P-certificates assumption for the language L_c∈P where L_c={(M,x,y):M(x)=y within |x|^c steps}. In a P-certificate system, an efficient prover can generate a short certificate π of a fixed polynomial length (independent of the running-time and size of M) for a tuple (M,x,y) in a prior bounded polynomial time in |x|^c. By using π the verifier can check the validity of the deterministic polynomial-time computation M(x)=y in some fixed polynomial time (independent of the running-time of M). Such proof system has two salient features, i.e., the “non-interactivity” and “succinctness”, which guarantee the simulator can reuse the same certificate in many nested sessions and amortize the cost of generating WIUA proof. We stress that this is essentially to overcome the exponentially blow-up problem in the running time of the concurrent simulation. Based on the Barak’s non-black-box zero-knowledge protocol, they modified the part of the stage 3 and defined a new language Λ. More specifically, they defined that a statement (h,c,r)∈Λ iff there exists a program M, a certificate π, a vector λ=((1,π₁),(2,π₂)⋯) and a vector \( \overrightarrow {m} \) such that c=Com(h(M)), π is a proof for M(λ)=r and each π_j certifies that M(λ_<j) outputs m_j in its j-th communication round (where λ_<j=((1,π₁),(2,π₂)⋯(j−1,π_j−1))).

The soundness can be obtained as follows. Roughly speaking, from the statistically binding property of the Com, for every commitment c (i.e., m₁), there exists a prior fixed deterministic polynomial-time program M. By the unique certificate property of the P-certificate, we can infer that the certificate π₁ for M(·)=m₁ is also uniquely defined. Due to the same analysis, we can conclude that for every j>1, m_j is uniquely defined. Thus, also the unique (accepting) certificate π_j certifying M(λ_<j)=m_j. That is, there is a unique valid vector λ for program M, so there exists a single r satisfied the computation M(λ)=r. From the soundness of the previous Barak’s protocol (Barak 2001), we can obtain that, with a high probability, the string r sent by V will be different from M(λ) for every string r∈{0,1}⁴ⁿ.

To prove the zero-knowledge, the key difference from Barak’s protocol is that each certificate π_i generated during construct the WIUA proofs in stage 3 of a session, can be reused as a part of the input witness λ=((1,π₁),(2,π₂)⋯) for the subsequent sessions that contains this session. Thus, the only expensive part of the generation of the WIUA in each session is the generation of the P-certificates π, which can be generated in a prior bounded polynomial time for the following reasons. Recall that when arriving at the point of stage 3, the simulator S has emulated the partial execution of M and outputted the message r. We assume that the time spent in this part is bounded by |x|^c for some constant \( c \in \mathbb {N} \), where x is the statement M(λ)=r. Then the certificate π for this part computation can be implemented in polynomial time in |x|^c by the P-certificates system. So the whole simulation can be finished in polynomial time, we refer the reader to (Chung et al. 2015) for more detail about this part.

Our Approach on CNMZK. Our protocol attempts to combine the constant-round CZK techniques and the previous CNMZK techniques together. Compared with the work of (Kiyoshima 2015; Lin et al. 2010), we use the non-black-box techniques to reduce the round complexity.

Recall that the definition of standaloneNMZK requires the existence of a simulator-extractor SE that can simulate the view of a man-in-the-middle adversary \( \mathcal {A} \) while simultaneously extracting the witnesses for the statements proved by the adversary in the right interaction. On the high level, in order to satisfy this definition, the traditional method is that the verifier commits a trapdoor in the first stage, and then the prover uses a non-malleable commitment to commit the real witness, finally the prover uses the WIAOK protocol to prove that it either committed a real witness or known the trapdoor. So when considering the CNMZK protocols, intuitively, we need the prover to use a concurrent non-malleable commitment scheme (Pass and Rosen 2005; Lin et al. 2008, 2017; Ciampi et al. 2016; Khurana and Sahai 2017) to commit the real witness. However, we note that this is not necessary, as described in (Barak et al. 2006), since we only need to prove that the adversary still commits the real witness in each session rather than all the right sessions together. That is stand-alone non-malleable commitment is sufficient for our purpose.

By the definition of CNMZK, the crux of the proof is to show that even during simulation, when the simulator commits a fake witness (instead of real witnesses) in left interactions, the man-in-the-middle adversary \( \mathcal {A} \) still cannot change its committed values in right interactions. The most delicate part of the proof is that we need to consider the mutual influence on the both sides of the rewinds when extract the trapdoors in the left and the witnesses in the right. That is we should carefully design a series of hybrids to argument the rewinds do not affect the reduction of the concurrent non-malleability of our zero-knowledge protocol to (non-concurrent) non-malleability of the commitment scheme.

In the previous protocol (Lin et al. 2010), they used a special skill to reduce the difficulty of the proof. More specifically, the prover first uses a non-malleable commitment scheme with a robust property to commit to a witness wtwice (sequentially), and then they designed a series of hybrids to show that the adversary must commit the valid witness (except with a negligible probability) in each case. Otherwise, they can use the adversary to break the non-malleable property with respect to itself or the non-malleable property w.r.t. k-round protocols. In the protocol (Kiyoshima 2015), because their goal is to implement a statisticallyCNMZK argument system, instead of using a non-malleable commitment to commit the witness, they commit a random string (e.g., 0ⁿ). Thus, in their simulation-extractability proof, they can not directly use the extractability of the commitment scheme, instead they have to rewind the sWIAOK proof to extract the witness in the right. Their proof strategy is that assume there exists an adversary which can extract a fake witness in the right, then they can give a series of indistinguishable hybrids to show that even the simulator in the right interaction (act as an honest verifier) just send a commitment with the value 0ⁿ, the adversary still can extract this fake witness, this is a contradiction.

Because our goal is to construct the constant-round concurrent non-malleable zero-knowledge protocol, so the non-malleable commitment scheme should be constant rounds, here we use the constant-round4-robust one-one CCA-secure commitment scheme which first appeared in (Kiyoshima 2015) based Canetti et al. (2010). Such commitment scheme can be based on the minimum assumption of the existence of one way functions. The difference from (Kiyoshima 2015) is that our protocol use the CCA-secure commitment scheme to commit the witness not the random string.

More specifically, the commitment scheme we use has a salient feature, i.e., its security can be guaranteed even the adversaries have access to the committed-value oracle in the right. This advantage brings us the convenience in designing the hybrids since we need not consider the impact on the left side when we do oracle access to the committed-value oracle in the right sessions. Indeed, in our final proof, we use an opposite argument which is essentially the same. Roughly speaking, we consider the following hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), where the former simulator-extractor SE uses the “fake” witness in the i-th left session and the later simulator-extractor SE uses the real witness in the i-th left session, while allowing both SE to access the committed oracle \( \mathcal {O} \). If the adversary \( \mathcal {A} \) can convince the verifier accept a right session and uses a different identity from all the left sessions, then from the soundness of the WIAOK and the binding property of the commitment, the one-one CCA commitment of this right session must commit a right witness except with a negligible probability. Now we can forward it to the external committed-value oracle and obtain its commit value. Next assume there exists an adversary \( \mathcal {A} \) which can distinguish the two simulator-extractor \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), then we can use such adversary to break the witness indistinguishability of the 4-round WISSP or the k-robust CCA security. This gives a contradiction, thus each hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \) are indistinguishable and we can claim that our protocol is concurrent non-malleable zero-knowledge argument. The more details proofs are given in “Constant-round concurrent non-malleable zero-knowledge” section. Since we only add a constant-round commitment on the original constant-roundCZK, the whole protocol also a constant-round protocol, so we can draw the conclusion given in Theorem 1.

Towards Simultaneously-Resettable NMZK. Let us turn to the second question namely the simultaneously-resettable non-malleable zero-knowledge argument system. The formal definition is somewhat complicated and will be given in the “Simultaneously-resettable and non-malleable zero-knowledge” section. Roughly speaking, the protocol need to satisfy the non-malleable security even if the man-in-the-middle adversary \( \mathcal {A} \) can reset the prover to have several interactions in the left, at the same time, \( \mathcal {A} \) can reset the verifier to have multiple interactions in the right. Thus, all the previous protocols will not satisfy our new security requirements, our solution is to enhance the recently result of Chongchitmate et al. (2017) in the following.

In (Chongchitmate et al. 2017) they given a constant-round simultaneously-resettable zero-knowledge argument system. More specifically, they first gave a transformation from any ℓ-round CZKargument system to O(ℓ)-round resettable zero-knowledge argument. Then they can achieve a resettably-sound concurrent zero-knowledge argument(rsCZK) by plugging a constant-roundrZK into a constant-roundCZK system. Finally, following the general transformation of (Deng et al. 2009), they obtained a simultaneously-resettable ZK protocol. We stress that, to the best of our knowledge, this transformation is the most direct route to achieve simultaneously-resettable zero-knowledge argument system (see also (Bitansky and Paneth 2015; Chung et al. 2013a; Canetti et al. 2013)). In this paper, we observe that this construction actually preserves non-malleability: If the original protocol is a constant-round concurrent non-malleable zero-knowledge argument system, then the new one is a constant-round resettably-sound concurrent non-malleable zero-knowledge argument. Further, by applying a combination of the transformations in (Deng et al. 2009), we can achieve a constant-round simultaneously-resettableNMZK, thus we can draw the conclusion given in Theorem 2.

Organization

The rest of this paper is organized as follows. Some necessary preliminaries and security notion are given in “Preliminary” section. The concrete construction and the security analysis for constant-roundCNMZKargument system are described in “Constant-round concurrent non-malleable zero-knowledge” section. Finally, we show how to use our CNMZKargument system to construct the constant-round simultaneously-resettable non-malleableZKargument system in “Simultaneously-resettable and non-malleable zero-knowledge” section.

k-robust (one-one) CCA-secure Commitment Schemes (Canetti et al. 2010)

A tag-based commitment scheme 〈C,R〉 is a commitment scheme where the committer and the receiver receive a tag ∈{0,1}ⁿ (also called id) as common input. An adversary \( \mathcal {A}^{\mathcal {O}} \) can interact with a committed value oracle \( \mathcal {O} \) as a committer by using identities adaptively in many sessions. At the end of each session, if the session is valid, the oracle \( \mathcal {O} \)reveals the unique committed value of that session to \( \mathcal {A} \); otherwise, it sends ⊥. Consider the following probabilistic experiment \( \textsf {IND}_{b}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, 1^{n}, z\right) \). The oracle adversary \( \mathcal {A}^{\mathcal {O}} \) is allowed to adaptively choose an id and a pair of values (v⁰,v¹)∈{0,1}ⁿ as the challenge messages. When the adversary \( \mathcal {A}^{\mathcal {O}} \) receives a commitment to v_b, it guess a bit b^′ as the output of the experiment. The additional constraint is that if during the execution the adversary \( \mathcal {A} \) interacts with \( \mathcal {O} \) using the challenge identity id, then the experiment outputs ⊥.

Definition 1

We say a tag-based commitment scheme 〈C,R〉 is CCA-secure w.r.t. the committed-value oracle\( \mathcal {O} \), if for every PPT oracle machine \( \mathcal {A} \), the following ensembles are computationally indistinguishable:

• \( \left \{\sf {IND}_{0}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, n, z\right) \right \}_{n \in \mathbb {N}, z \in \{0,1\}^{*}}\)

• \( \left \{\sf {IND}_{1}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, n, z\right) \right \}_{n \in \mathbb {N}, z \in \{0,1\}^{*}}\)

Additionally, if 〈C,R〉 is CCA-secure only against adversaries that start a single session with \(\mathcal {O}\), then we say that 〈C,R〉 is one-oneCCA-secure.

The notion of non-malleability w.r.t. arbitrary k-round protocols is introduced in (Lin and Pass 2009), which considers the man-in-the middle adversaries can participate arbitrary k-round protocols in the left when running the commitment scheme in the right. Roughly speaking, we say 〈C,R〉 is k-robust w.r.t \( \mathcal {O} \) if the (joint) output of every k-round interaction with an adversary having access to the oracle \( \mathcal {O} \), can be simulated without the oracle.

Definition 2

Let 〈C,R〉 be a tag-based commitment scheme and \( \mathcal {O} \) be the committed-value oracle. For any constant \( k \in \mathbb {N} \), we say that 〈C,R〉 is k-robust w.r.t. \( \mathcal {O} \) if there exists a PPT oracle machine S such that for any PPT adversary \( \mathcal {A} \) and any k-round PPT interactive Turing machine B, the following are computationally indistinguishable:

• \( \{{\sf {output}}_{B,\mathcal {A}^{\mathcal {O}}}[B(1^{n},x,y)]\leftrightarrow \mathcal {A}^{\mathcal {O}}(1^{n},x,z)\}_{n \in \mathbb {N}, x,y,z \in \{0,1\}^{*}}\)

• \( \{{\sf {output}}_{B,S^{\mathcal {A}}}[B(1^{n},x,y)]\leftrightarrow S^{{\mathcal {A}}}(1^{n},x,z)]\}_{n \in \mathbb {N}, x,y,z \in \{0,1\}^{*}}\)

In our protocol, we use the constant-round 4-robust one-oneCCA-secure commitment scheme (namely CCACom^1:1) which first appeared in (Kiyoshima 2015) and can be constructed from one-way functions based on the result of (Goyal et al. 2015).

Forward-secure PRG (Bellare and Yee 2003; Chung et al. 2013)

Definition 3

(Forward-secure Pseudorandom Generator) We say a polynomial-time computable function is a forward secure pseudorandom generator (fsPRG) if the following properties hold: Consistency: For every \( n,{\ell } \in \mathbb {N} \), s∈{0,1}ⁿ, if fsPRG(s,ℓ)=((s_ℓ,s_ℓ−1,⋯,s₁),(ρ_ℓ,ρ_ℓ−1,⋯,ρ₁)), then fsPRG(s_ℓ,ℓ−1)=((s_ℓ−1,⋯,s₁),(ρ_ℓ−1,⋯,ρ₁)). Forward Security: For every polynomial p(n), the following ensembles are computationally indistinguishable:

• \( \{s\leftarrow U_{n},(\vec {s},\vec {\rho }) \leftarrow \text {\sf {fsPRG}}(s,{\ell }):s_{t},\vec {\rho }_{\leq t}\}\text {} _{n \in \mathbb {N},{\ell }\in [p(n)],t\in {[\ell ]}} \)

• \( \{s_{t} \leftarrow U_{n},\vec {\rho } \leftarrow (U_{n})^{\ell }:s_{t},\vec {\rho }_{\leq t}\}\text {} _{n \in \mathbb {N},{\ell }\in [p(n)],t\in {[\ell }]} \)

where U_n is the uniform distribution over {0,1}ⁿ, and \( \vec {\rho }_{\leq t}=(\rho _{t},\rho _{t-1},\cdots,\rho _{1}). \)

From the definition above, if the seed s_t is exposed then the later sequence (ρ_t+1,ρ_t+2,⋯) are also exposed, but the earlier sequence ρ₁,⋯,ρ_t remain pseudorandom. The existence of a fsPRG is implied by any (traditional) PRG, thus it is also implied by the existence of one-way functions (Håstad et al. 1999).

P-certificates in the delegatable CRS model (Chung et al. 2015)

For every constant \( c \in \mathbb {N} \), consider the language L_c∈P such that L_c={(M,x,y):M(x)=y within |x|^c steps}, let T_M(x) denotes the running time of M on input x.

Definition 4

A tuple of PPT algorithms (Setup,PreGen,CRSGen,P_cert,V_cert), is a P-certificate system in the delegatable CRS model if there exist polynomials ℓ_d,ℓ_κ,ℓ_CRS and ℓ_π, such that the following holds:

• Syntax and Efficiency: for every \( c \in \mathbb {N} \) and every q=(M,x,y)∈L_c, the verification of the statement proceed as follows:

  • 1)CRS Setup:\((PP,K)\xleftarrow {\text {\$}}\textsf {Setup}(1^{n}, c) \), where PP the public parameter and K the key;

  • 2)CRS Preprocessing: d=PreGen(PP,q) where |d| is bounded by ℓ_d;

  • 3)CRS Generation:\( \kappa \xleftarrow {\text {\$}} \textsf {CRSGen}(PP,K,q) \) and CRS=(PP,κ), where |k| is bounded by ℓ_κ and |CRS| is bounded by ℓ_CRS

  • 4)Proof Generation:\( \pi \xleftarrow {\text {\$}} \textsf {P}_{\textsf {cert}}(1^{n}, c, q, CRS)\), where |π| is bounded by l_π and P_cert runs in time poly (1ⁿ,|x|,min(T_M(x),|x|^c))

  • 5)Proof Verification: b =V_cert(1ⁿ,c,CRS,q,π), where V_cert runs in time poly (k,|q|). Additionally, if the verification procedure V_cert is independent of the statement q and the language index c, then we say that the verification algorithm is simple.

• (Perfect) Completeness: For every \( c,c^{\prime } \in \mathbb {N} \), there exists a negligible function μ such that for every q=(M,x,y)∈L_c such that \(\phantom {\dot {i}\!} |q| \leq k^{c^{\prime }} \), the probability that V_cert outputs 1 is 1.

• Selective Strong Soundness: There exists a super-polynomial function T(n)=n^ω(1) and a super-constant function C(n)=ω(1) such that for every probabilistic algorithm P^∗ with running-time bounded by T(n), there exists a negligible function μ(n), such that, for every \( n \in \mathbb {N} \) and c≤C(n),

  $${\begin{aligned} \Pr\left[ \begin{array}{lll} \begin{array}{rll} (q,\textsf{st}) &\xleftarrow{\text{\$}} & P^{*}(1^{n}, c)\\ \textsf{CRS} &\xleftarrow{\text{\$}} & Gen(1^{n}, c)\\ \pi &\xleftarrow{\text{\$}} & P^{*}(\textsf{st}, \textsf{CRS}) \end{array} : \textsf{V}_{\textsf{cert}}(1^{n}, c, CRS, q, \pi)=1 \wedge q\notin L_{c} \end{array} \right] \leq \mu(n) \end{aligned}} $$

• Unique certificate: We say that a P-certificate system is unique if for every \( c \in \mathbb {N} \), string CRS ∈{0,1}^∗ and q∈{0,1}^∗, there exists at most one string π such that V_cert(1ⁿ,c,CRS,q,π)=1.

Theorem 3

(Chung et al. 2015) Assume the existence of an \( i\mathcal {O} \) for P/poly and an injective pseudo-random generator, then there exists a P-certificate system for NTIME (n^w(1)) with (strong) soundness, uniqueness in delegatable CRS Model and the verification algorithm is simple.

Concurrent non-malleable zero-knowledge arguments (Barak et al. 2006; Lin et al. 2010; Kiyoshima 2015)

Let (P,V) be an interactive protocol for a language L, n be the security parameter and m be a polynomial. Consider a PPTman-in-the-middle adversary \( \mathcal {A} \) given the common input (x₁,⋯,x_m) and an auxiliary input z∈{0,1}^∗. On the left, the adversary \( \mathcal {A} \) acts as a verifier V^∗ to interact with m independent copies of P using (id₁,⋯,id_m), and each copy of prover P will be given a valid witness w_i∈R_L(x_i). On the right, the adversary \( \mathcal {A} \) acts as a prover P^∗ that, on common input \(\left (\widetilde {x}_{1},\cdots,\widetilde {x}_{m}\right) \) to prove the validity of each statement using \(\left (\widetilde {\textsf {id}}_{1},\cdots,\widetilde {\textsf {id}}_{m}\right) \). During the experiment, the statements proved in the right interactions and the identities in both the left and right interactions are all chosen by the adversary \( \mathcal {A} \), and the messages of the left sessions can be scheduled by the adversary \( \mathcal {A} \) without any restriction. Let \( \textsf {view}_{\mathcal {A}}(1^{n},x_{1},\cdots,x_{m},z) \) denotes the random variable that describes the view of \( \mathcal {A} \) in the above experiment. Loosely speaking, an interactive proof is a concurrent non-malleable zero-knowledge protocol, if for all man-in-the-middle adversary \( \mathcal {A} \), there exists a PPT machine (called the simulator-extractor) that can simulate both the left and the right interactions for \( \mathcal {A} \), while outputting a witness for each statement proved by the adversary in the right interactions.

Definition 5

An interactive protocol (P,V) for L∈NP is said to be concurrent non-malleable zero-knowledge if for every \( n \in \mathbb {N} \), every polynomial m, and every PPT man-in-the-middle adversary \( \mathcal {A} \) that participates in at most m(n) concurrent executions, there exists a PPT machine SE such that:

1. 1.

   The following ensembles are computationally indistinguishable:

   • \( \{{\sf {view}}_{\mathcal {A}}(\!1^{n},x_{1},\!\cdots \!,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\!\cdots \!,x_{m} \in L\cap \{0,1\}\text {} ^{n},\! z \in \{0,1\}\text {} ^{n} }\)

   • \( \{{\sf {S}}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n}} \)

   where S(1ⁿ,x₁,⋯,x_m,z) is the first output of SE(1ⁿ,x₁,⋯,x_m,z).

2. 2.

   Let \(\left (\widetilde {x}_{1},\cdots,\widetilde {x}_{m}\right) \) be the statements to be proved in the right interactions and \( ({\sf {view}},\{\widetilde {w}_{i}\}\text {} _{i \in m}) \) denote the outputs of SE(1ⁿ,x₁,⋯,x_m,z). For every i∈[m], if the i-th right interaction is accepting and \( \widetilde {\textsf {id}}_{i} \neq \textsf {id}_{j} \) for all j∈[m], then \( \widetilde {w}_{i} \) is a valid witness such that \( R_{L}\left (\widetilde {x}_{i}, \widetilde {w}_{i}\right) = 1 \).

Indistinguishability obfuscation (Barak et al. 2001)

Definition 6

(Indistinguishability obfuscation) A PPT algorithm \( i\mathcal {O} \) is said to be an indistinguishability obfuscator for a collection of polynomial size circuits \( \mathcal {C}=\cup _{n \in \mathbb {N}}\mathcal {C}_{n} \), if it satisfies:

1. 1.

   Functionality: For any \( C \in \mathcal {C} \),

   $$ \underset{i\mathcal{O}}{\Pr}[\forall x : i\mathcal{O}(C)(x)=C(x)]=1~. $$
2. 2.

   Indistinguishability: For any poly-size distinguisher \( \mathcal {D} \) there exists a negligible function μ, such that for any \( n \in \mathbb {N} \), \( C_{1}, C_{2} \in \mathcal {C}_{n} \) of the same size and functionality

   $$ \left|\underset{i\mathcal{O}}{\Pr}[D(i\mathcal{O}(C_{1}))=1] - \underset{i\mathcal{O}}{\Pr}[D(i\mathcal{O}(C_{2}))=1] \right|\leq \mu(n). $$

Resettable zero-knowledge (Canetti et al. 2000)

Let (P,V) be an interactive proof system for a language L, z be an auxiliary input received by V^∗, t=poly(n), \( \overline {x} = x_{1},x_{2},\cdots,x_{t} \in L \cap \{0, 1\}\text {} ^{n} \) be a sequence of common inputs and \( \overline {w} = w_{1},w_{2},\cdots,w_{t}\) be the corresponding witnesses such that (x_i,w_i)∈R_L for i=1,⋯,t. The distribution \( \{\textsf {view}^{P(\overline {w})}_{V^{*}(z)}(\overline {x})\} \) is the view of V^∗ that defined as follows:

1. 1.

   Randomly select and fix t random tapes r₁,r₂,⋯,r_t for P, resulting in deterministic strategies \( P^{(i,j)}=P_{x_{i},w_{i},r_{j}} \), defined by \( P_{x_{i},w_{i},r_{j}}(\alpha)=P(x_{i},w_{i},r_{j},\alpha) \)^{Footnote 1}, for i,j∈[t].

2. 2.

   A resetting verifier V^∗ is allowed to run poly(n)-many sessions with the P^(i,j). V^∗ can send arbitrary messages to each of the P^(i,j) and obtain the responses of P^(i,j) to such message.

3. 3.

   Once V^∗ decides it is done interacting with the P, it produces its view of these interactions.

The distribution \( \{\textsf {S}_{V^{*}(z)}(\overline {x})\}\), indexed by a sequence of common inputs\( \overline {x} = x_{1},x_{2},\cdots,x_{poly(n)} \in L \cap \{0, 1\}\text {} ^{n} \), is the output of an expectedPPT machine S that interacts with V^∗ on common inputs\( \overline {x} \).

Definition 7

(Resettable Zero-knowledge) We say that (P,V) is resettable zero-knowledge if for every PPT adversary V^∗ there exists an expectedPPT simulator \(\phantom {\dot {i}\!} S_{V^{*}} \) such that the for all pairs \( (\overline {x}, \overline {w}) \in R_{L} \), the ensembles \( \left \{{\sf {view}}^{P(\overline {w})}_{V^{*}(z)}(\overline {x})\right \} \) and \( \{\textsf {S}_{V^{*}(z)}(\overline {x})\} \) are computationally indistinguishable

Theorem 4

(Chongchitmate et al. 2017) Assuming the existence of one-way functions, then any ℓ-round concurrent zero-knowledge argument system can be transformed into a O(ℓ)-round resettable zero-knowledge argument system.

Resettably-sound arguments (Barak et al. 2001)

Definition 8

(Resettably-sound arguments). Let (P,V) is an interactive proof protocol for L∈NP. A resetting attack of a cheating prover P^∗ is defined as follows:

1. 1.

   Let t=poly(n), uniformly select and fix t random-tapes r₁,⋯,r_t for V, resulting in deterministic strategies \( V^{(j)}(x) = V_{x,r_{j}} \), defined by \( V_{x,r_{j}}(\alpha) = V(x,r_{j},\alpha) \)^{Footnote 2}, where x∈{0,1}ⁿ and j∈[t]. Each V^(j)(x) is called an incarnation of V.

2. 2.

   P^∗ is allowed to initiate poly(n)-many interactions with the V^(j)(x). The activity of P^∗ proceeds in rounds. In each round, P^∗ chooses x∈{0,1}ⁿ and j∈[t], defines V^(j)(x), and conducts a complete session with it.

We say that (P,V) is a resettably-sound argument if for every polynomial-size resetting attack, the probability that in some session the corresponding V^(j)(x) has accepted and x∉L is negligible.

Theorem 5

(Chung et al. 2014) Assume the existence of one-way functions, then there exists a 4-round resettably-sound zero-knowledge argument of knowledge for every language in NP.

Theorem 6

(Deng et al. 2009, Chongchitmate et al. 2017) Assuming the existence of ZAPs (i.e., 2-round resettably-sound resettable witness-indistinguishable proof systems) and family of pseudorandom functions, then there exists a transformation from a ℓ-round resettably-sound concurrent zero-knowledge argument to a O(ℓ)-round resettably-sound resettable zero-knowledge argument.

Our protocol

In this section, we give our construction of the constant-round concurrent non-malleable zero-knowledge argument system. We use the following building blocks:

1. 1.

   Two-round statistically binding commitment scheme: Com

2. 2.

   O(1)-round 4-robust one-one CCA-secure commitment scheme: CCACom^1:1

3. 3.

   Four-round special-sound witness indistinguishability proofs: WISSP

4. 4.

   O(1)-round witness indistinguishability universal argument: WIUA

5. 5.

   Four-round P-certificates in the delegatable CRS Model: PC

Now consider a language L∈NP and a security parameter n. Let the prover and verifier receive a common inputs x∈{0,1}ⁿ, id∈{0,1}ⁿ. The auxiliary input to the prover is a NP witness w such that R_L(x,w)=1. Let m(n) be a polynomial that upper bounds the number of concurrent sessions, and D be a super-constant bounded by log log logn. Then, our protocol proceeds in five stages as follows:

• In stage 1, the prover P computes c₁=Com(0ⁿ,ρ₁) and sends it to V; V responds with a string \(r \xleftarrow {R} \{0,1\}\text {} ^{4n}\).

• In stage 2, the prover P computes c₂=Com(0ⁿ,ρ₂) and sends it to V. P and V run a WIUA system where P proves to V that there exists \((M,\rho _{1},\mathcal {O}_{\pi },(j,s_{j}),\rho _{2})\) s.t., (h,c₁,c₂,r)∈Λ₁ or exists w s.t., (x,w)∈R_L. In more detail, in the simulation phase, P proves that c₁=Com(h(M)) for a program M and c₂=Com(h(q)) for \( \textsf {q}=((M,\mathcal {O}_{\pi }),(j,s_{j}),r) \). The statement q represents that the oracle program \( M^{\mathcal {O}_{\pi }} \) on input (j,s_j) can output a message r. The oracle \( \mathcal {O}_{\pi } \) stores all the CRS and proof pairs {(CRS_i,π_i)} that generated by the P-certificate system in the current history(see the definition in Table 1).

  Full size table

• In stage 3, the verifier V invokes the algorithm PC.setup to generate (PP,K) and sends the public parameter PP to P. The prover P computes c₃=Com(0ⁿ,ρ₃) and sends it to V. P and V run a WIUA system where P proves to V that there exists \((M,\mathcal {O}_{\pi },(j,s_{j}),d,\rho _{2},\rho _{3})\) s.t., (h,PP,c₂,c₃,r)∈Λ₂ or exists w s.t., (x,w)∈R_L. In more detail, in the simulation phase, P proves that c₂=Com(h(q)) and c₃=Com(d,ρ₃) where d=PC.PreGen(PP,q).

• In stage 4, the verifier V sends an obfuscation algorithm\( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) to P and gives a ZK argument of the statement \((\textsf {PP},c_{3},\hat {\mathcal {P}}_{\textsf {{CRSGen}}}) \in \Lambda \)₃. In more detail, V proves that there exists \((\textsf {K},\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{\textsf {{Setup}}},\rho _{\textsf {{CRSGen}}},\rho _{i\mathcal {O}})\) such that (PP,K)=PC.Setup(1ⁿ,D,ρ_Setup) and \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} =i\mathcal {O}(\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{i\mathcal {O}}) \). The detailed descriptions of the circuit \( \mathcal {P} \) and \( \mathcal {Q} \) are given in Table 1.

• In stage 5, the prover P computes \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) under identity id, c₅=Com(0ⁿ,ρ₅) and sends them to V. P and V runs a WISSP system where P proves to V that there exists (d,ρ₃,π) s,t., \( (\textsf {PP},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c_{5}) \in \Lambda _{4} \) or exists w s.t., \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) and (x,w)∈R_L. In more detail, in the simulation phase, P proves that \( \kappa = \hat {\mathcal {P}}_{\textsf {{CRSGen}}}(d,\rho _{3}) \), c₅=Com((PP,κ),ρ₅) and PC.V_cert(1ⁿ,(PP,κ),π)=1.

The formal protocol CNMZK is described below in Table 1 and Table 2.

Completeness and soundness

Completeness. The completeness of the protocol can be directly obtained from the construction in Table 2. More specifically, for any x∈L, w∈R_L(x) and id∈{0,1}ⁿ, from the completeness of the WIUA system in stage 2 and stage 3, the completeness of the ZK argument system in stage 4 and the completeness of WISSP system in stage 5, we have that Pr[P(w),V(z)(x,id)]=1.

Soundness. The soundness of protocol follows from (1) the binding property of the commitments c₁,c₂,c₃ in stage 1, 2 and 3; (2) the hiding property of \( i\mathcal {O} \) for the circuit \( \mathcal {P} \) in stage 4; (3) the selective strong soundness of P-certificates and (4) the special-soundness of WISSP used in stage 5. Roughly speaking, assume that the statement x∉L. Consider the point where the prover has given the commitment c₃ and is now expecting the verifier message \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \). Because at this point, c₁,c₂,c₃,PP,K are determined, the two circuit \( \mathcal {P} \) and \( \mathcal {Q} \) described in Table 1 are functional equivalent. We assume that, w.l.o.g, \( \mathcal {P} \) and \( \mathcal {Q} \) have the same polynomial size in n, then from the security definition of \( i\mathcal {O} \), we can infer that the secret key K is hiding in the obfuscation circuit \( \hat {\mathcal {P}} \). Otherwise, we can use the adversary to distinguish the circuit \( i\mathcal {O(P)} \) and \( i\mathcal {O(Q)}\), which leads to a contradiction. Next in stage 5, if there exists a PPT cheating P^∗ who can convince the verifier, then from the definition of P-certificate system, there must exist an accepted P-certificate π argument of the statement q is true based on CRS=(PP,κ)except with negligible probability. That is there exists an PPT machine M on input a short bit string (j,s) (of length bounded in 3n) can predict the challenge message r (length of 4n). However, this is information theoretically impossible. Thus, we reach a contradiction through violate the soundness of Barak’s protocol.

Next, we describe the construction of our simulator-extractor SE in “Our simulator-extractor” section and show its correctness satisfies the definition of CNMZK in “The view generated by the simulator” section and “The witnesses output by the extractor” section.

Our simulator-extractor

Recall that the definition of CNMZK requires the existence of a simulator-extractor SE that can simulate the view of a man-in-the-middle adversary \( \mathcal {A} \) while extracting a witness in every accepted right session. Below, we sketch how to build a simulator-extractor. First, we construct a PPT simulator S that simulates the view of \( \mathcal {A} \) but does not extract witnesses in the right seasons. Then, we construct a PPT simulator-extractor SE via the intermediate simulator S, which can simulate the view of \( \mathcal {A} \) and extract the witnesses by the committed value oracle. Simulator S On a high level, S internally invokes \( \mathcal {A} \) and interacts with \( \mathcal {A} \) as honest prover and honest verifier in the following way. To simulate the view of each session in the right interactions, S simply follows the honest verifier strategy. To simulate the view of each session in the left interactions, S uses the description of the adversary \( \mathcal {A} \) as the fake witness and reused the previous generated P-certificates if necessary in a straight-line manner. The formal description of this process will be given below. Finally, S outputs the view of the adversary \( \mathcal {A} \). Simulator SE On a high level, SE simulates the view of \( \mathcal {A} \) by executing S as the first part of its output. For each i∈[m], if the i-th right session is accepted and \( \widetilde {\textsf {id}}_{i} \) is different from id_j for all j∈[m], SE extracts a witness from the session i by oracle access to the one-session committed-value oracle\( \mathcal {O}_{\textsf {cca}} \) of CCACom^1:1.

The view generated by the simulator

In this section, we show that the view generated by S is indistinguishable from the real view of \( \mathcal {A} \):

Lemma 1

The following ensembles are computationally indistinguishable:

• \( \{\textsf {view}_{\mathcal {A}}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n} }\)

• \( \{\textsf {S}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n}} \)

Proof

To simplify the exposition, w.l.o.g, we assume that the man-in-the-middle adversary \( \mathcal {A} \) is a deterministic Turing machine with a non-uniform advice. Let N=c·m denote the total number of messages between the simulator S and \( \mathcal {A} \), where c is the rounds of our CNMZK protocol and m is the total number of concurrent sessions bounded by a polynomial.

We invoke the forward-secure pseudorandom generator to generate the random-tape we needed. Let fsPRG(s,N)=((s_N,⋯,s₁),(ρ_N,⋯,ρ₁)), where s∈{0,1}ⁿ is the random seed and each ρ_j∈{0,1}ⁿ is the randomness used to generate the j-th prover message in the left side.

We use three tables \(\mathcal {V},\mathcal {O}_{\pi },\mathcal {T}\). \( \mathcal {V} \) stores the commitment values in the simulation of the left interaction. \( \mathcal {O}_{\pi } \) stores all the CRS and proof pairs {(CRS_i,π_i)} generated by the P-certificate system in the current history. \( \mathcal {T} \) stores the messages simulated so far in both left and right sides. We initialize \( \mathcal {O}_{\pi },\mathcal {T} \) to be empty and add the code descriptions of the simulator S and \( \mathcal {A} \) to table \( \mathcal {V} \). Next we give a detailed description of the program \( \textsf {S}(1^{n},x_{1},\cdots,x_{m},\mathcal {A},\mathcal {V},\mathcal {O}_{\pi },\mathcal {T},s,N) \):

In each right session, S interacts with \( \mathcal {A} \) simply by following the honest verifier strategy described in our protocol 2. It can generate its random coins by using the PRG on a random seed in this part of the execution. In each left session, do as follows:

• Simulate Stage 1 Upon receiving a hash function h_i in session i, S provides a commitment \( c^{1}_{i} \) to \(M_{i}((\cdot,\cdot),\mathcal {A},\mathcal {T})\), where M_i is an interactive Turing machine with the code description of S and \( \mathcal {A} \) plus the current state of them. Here the first two parameters of M_i will be given when M_i is used as the witness to construct the statement q_i in stage 2.

• Simulate Stage 2 Upon receiving a challenge r_i in session i during the j-th communication round, S retrieves the committed value M_i and provides a commitment \( c^{2}_{i} \) to the trapdoor statement \( \textsf {q}_{i}=((M_{i},\mathcal {O}_{\pi }),(j,s_{j}),r_{i}) \), where s_j is the random seed used by fsPRG in the j-th round. According to our previous definition, the oracle program \( M^{\mathcal {O}_{\pi }} \) on input (j,s_j) can recover all the previous randomness and any oracle queries {CRS_i} that \( M^{\mathcal {O}_{\pi }} \) makes before it outputs r can be answered using the current \( \mathcal {O}_{\pi } \). Thus, the simulator S can use \( (M_{i},\mathcal {O}_{\pi },(j,s_{j})) \) and the corresponding randomness to finish the WIUA for the statement \((h_{i},c^{1}_{i},c^{2}_{i},r_{i}) \in \Lambda \)₁.

• Simulate Stage 3 Upon receiving a challenge PP_i in session i during the j-th communication round, S provides a commitment \( c^{3}_{i} \) to the digest d_i, where d_i=PC.PreGen(PP_i,q_i). Now we can make S use the fake witnesses \( (M_{i},\mathcal {O}_{\pi },(j,s_{j}),d_{i}) \) and the corresponding randomness to finish the WIUA for the statement \((h_{i},\textsf {PP}_{i},c^{2}_{i},c^{3}_{i},r_{i}) \in \Lambda \)₂.

• Simulate Stage 4 Upon receiving an obfuscated program \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) in session i during the j-th communication round, S interacts with \( \mathcal {A} \) as an honest verifier to finish the ZK argument part.

• Simulate Stage 5 Upon receiving the last message from \( \mathcal {A} \) in Stage 4 of session i, S computes \(\kappa _{i} = \hat {\mathcal {P}}_{\textsf {{CRSGen}}}(d,\rho _{3})\) and π_i=PC.P_cert(q_i,CRS_i). Now for the CRS_i=(PP_i,κ_i), S checks if PC.V_cert(1ⁿ,CRS_i,π_i)=1 and extends the pair (CRS_i,π_i) to the oracle \(\mathcal {O}_{\pi }\), otherwise it will abort. Next, S provides a commitment \( c^{4}_{i} \) to a dummy string i.e., 0ⁿ and a commitment \( c^{5}_{i} \) to CRS_i. Thus, S has all the witnesses \(\phantom {\dot {i}\!} (\textsf {d}_{i},\rho _{\textsf {d}_{i}},\pi _{i}) \) for the statement \(\left (\textsf {PP}_{i},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c^{5}_{i}\right) \in \Lambda \)₄, it can finish the WISSP in stage 5.

Finally, the simulator will output all the messages of the both interactive sides stored in the table \(\mathcal {T}\).

Correctness of the simulation. We observe the correctness of S. By our construction, the only place where abort is likely to happen is when the simulator computes an unaccepted certificate π_i for CRS_i based on a true statement q_i in stage 5. However, the only difference of the P-certificates system used in our protocol is that, instead of sending κ in directly, the verifier first send the indistinguishability obfuscation of the GenCRS algorithm and then give a ZK argument to prove their correctness. Thus, from the perfect correctness of the indistinguishability obfuscator, the completeness of zero-knowledge argument and the perfect completeness of our P-certificates system, it suffices to show that for a true statement q_i, the probability of V_cert(1ⁿ,CRS_i,π_i)≠1 is only negligible. So the probability of simulator output abort is also negligible.

Indistinguishability of the simulation. Now we use the hybrid argument to show the indistinguishability of the simulation, consider 2N hybrid experiments as follows. Experiment Hybⁱ, 0≤i≤N: the first i communication rounds are simulated by simulator S with the pseudo-randomness and fake witness, and all the later communication round j>i are simulated by simulator S with true randomness and the true witnesses. We also define hybrid \( \textsf {Hyb}^{i}_{+} \) that proceed identically as Hybⁱ except that it simulates the i-th round following the honest prover strategy using the real witness.

Claim 1

The output of \( \textsf {Hyb}^{i}_{+} \) and Hybⁱ are computationally indistinguishable. □

Proof

Because \( \textsf {Hyb}^{i}_{+} \) and Hybⁱ differs only which witness (fake or real) is used in the i-round of the left interaction. If in the i-th round the prover message is a commitment to a witness, indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hybⁱ follows directly by the hiding property of the commitment scheme. If in the i-th round the prover message is a message of the WIUA or WISSP subprotocol, indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hybⁱ follows directly by the witness indistinguishability property of the WIUA or WISSP. □

Claim 2

The output of \( \textsf {Hyb}^{i}_{+} \) and Hybⁱ⁺¹ are computationally indistinguishable.

Proof

Because \( \textsf {Hyb}^{i}_{+} \) and Hybⁱ⁺¹ differs only which randomness (true or pseudo) is used in the i-round of the left interaction. The indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hybⁱ⁺¹ follows directly from the forward security of the PRG. □

Finally, it is easy to see that the output of Hyb^N is identical to the output of S, and the output of Hyb⁰ is identical to the real view \( \textsf {view}_{\mathcal {A}} \). Because there are at most polynomial hybrids in this experiment, we can conclude that the output of S is indistinguishable from the output of the real interaction.

Combining the above, the Lemma 1 follows.

The witnesses output by the extractor

Proof

Our simulator-extractor SE in “Our simulator-extractor” section allows the extractor to access the decommitment oracle. We note that this is allowed for the reason of a k-robust CCA-secure commitment scheme used in our protocol. From the definition 2, we know that, for any constant-round k, the joint output of every k-round interaction, with an adversary (here it means the SE) having access to the oracle \( \mathcal {O}_{\textsf {cca}} \), can be simulated without the oracle in polynomial time. That is, the simulator-extractor SE access to the oracle does not help it in participating in any k-round protocols. But allowing the simulator-extractor SE to access the oracle has the following benefits, we only need to pay attention to the impact of the hybrid experiment on SE when switching on the left witness from real to fake, without any further analysis of the interference from the right rewinding. So in the following, we just need to analyze whether such simulator-extractor can output the witness.

Consider the series of hybrids, we define \( \textsf {SE}^{i} \left (\textsf {SE}_{+}^{i}\right)\) the same as SE except that the execution of S is replaced with that of \( \textsf {Hyb}^{i}\left (\textsf {Hyb}_{+}^{i}\right) \). Then, by the definition of CNMZK, we need to argument that, in the experiment SE^N (which identical to SE), for any PPTman-in-the-middle adversary \( \mathcal {A} \) and every x₁,⋯,x_m∈{0,1}ⁿ∩L, such that for each right interaction that is accepted and uses a different identity from all left interactions, the simulator-extractor SE does extract a valid witness of the statement proved.

Observe that in the experiment \( \textsf {SE}_{+}^{0} \), the simulator S holds all the real witnesses of the left sessions and just acts as an honest prover in each left interaction and an honest verifier in each right interaction. Then following from the soundness of our protocol, we can conclude that in every accepted right interaction, \( \mathcal {A} \) commits a real witness in the CCACom^1:1 successfully except with negligible probability. In other words, \( \mathcal {A} \) never cheats in \( \textsf {SE}_{+}^{0} \), so the simulator-extractor can extract the witness with the help of the committed value oracle except with negligible probability.

Next, we observe the experiment SE^N which based on the definition of Hyb^N. Now we assume that there exists a polynomial function p such that \( \mathcal {A} \) cheats in one of the right sessions in the experiment SE^N with probability 1/p(n). In other words, there exists a right session which is accepted and uses a different identity from all the left interactions such that \( \mathcal {A} \) fails to commit to a valid witness in Stage 5 with probability 1/p(n). Then SE^N can not extract the witness from this right session with probability 1/p(n) as well. However, we have that \( \textsf {SE}_{+}^{0} \) can extract the witness from this right session except with negligible probability. Thus, from an average argument, there must exist an i such that the probability of cheating differ by at least a polynomial amount in the hybrids SEⁱ and \( \textsf {SE}_{+}^{i} \) or in the hybrids \( \textsf {SE}_{+}^{i}\) and SEⁱ⁺¹. Therefore, there is a gap between A’s chance of committing the valid witness on the right in \( \textsf {SE}_{+}^{i}\) and SEⁱ⁺¹ or there is a gap between A’s chance of committing the valid witness on the right in SEⁱ and \( \textsf {SE}_{+}^{i} \). We analyze these two cases as follows:

In the first case, the only difference between \( \textsf {SE}_{+}^{i}\) and SEⁱ⁺¹ is which randomness (true or pseudo) is used in the i-round of the left interaction. Therefore, they are computationally indistinguishable from claim 2. In the second case, the only difference between SEⁱ and \( \textsf {SE}_{+}^{i} \) is which witness (fake or real) is used in the i-th round. The former, in stage 5, uses a dummy string 0ⁿ as the committed value of CCACom^1:1 followed with an WISSP for knowing the fake witness instead of the witness w_i of x_i. The latter, in stage 5, acts as an honest prover holding a real witness w_i of x_i. If the gap is due to the committed value of CCACom^1:1, then we can use this gap to break the security of the non-malleable w.r.t itself. If the gap is due to the witness used in the four-round WISSP of the left session, then we can use this gap to break the 4-robustness CCA-secure of CCACom^1:1.

Thus, we reach a contradiction, in the experiment SE^N, \( \mathcal {A} \) must commit to a valid witness in Stage 5 except with negligible probability. We know that the output of SE^N is identical to the output of SE, hence the simulation-extractability of protocol 2 follows.

Combining “The view generated by the simulator” section and “The witnesses output by the extractor” section, the concurrent non-malleable zero-knowledge property follows. This completes the proof of Theorem 1. □

From concurrent NMZK to resettable NMZK

In (Chongchitmate et al. 2017), Chongchitmate et al. gave a transformation from any constant-round concurrent ZK to a constant-round resettable ZK based on (Barak et al. 2001; Deng et al. 2009). We observe that this transformation essentially preserves the non-malleability. That is, if the original protocol is a constant-round concurrentNMZK, then the new protocol will be a constant-round resettableNMZK. We provide the details of the transformation in Table 3, which are taken almost verbatim from (Chongchitmate et al. 2017), except that we require the prover and the verifier to have a extra common id. Then we give a proof about the non-malleability for this new protocol.

Lemma 2

Protocol rNMZK in Table 3 is a constant-round resettable non-malleable ZK argument system.

Proof

The proof of the completeness and soundness conditions are similar to our proof in “The view generated by the simulator” section, and are omitted. The proof of the resettable zero-knowledge can be directly obtained from the Theorem 4, because the protocol CNMZK itself is a constant-roundCZK protocol. Next, we give the analysis of non-malleability.

Roughly speaking, for a man-in-the-middle adversary \( \mathcal {A} \) with an extra power of resetting attack, we need to prove that the view of \( \mathcal {A} \) in the real interaction can be simulated by a simulator without all the witnesses of the left sessions, and there exists an extractor that can extract the witnesses in every accepting right session from this simulated view. More specifically, we first construct a simulator and give an extractor based on this simulator as the previous section. Then, we reduce the security to the underlying assumptions by using a series of hybrids.

Let \( \textsf {H}_{0}=\{\textsf {real-view}_{f_{s}},\{\widetilde {w}_{i}\}\text {} _{i\in [m]}\} \) denote the combined view of \( \mathcal {A} \) in the real experiment of the protocol rNMZK and the values extracted by the committed value oracle. Then, following from the soundness of the protocol rNMZK that, except with negligible probability, in every accepting right interaction, \( \mathcal {A} \) commits to a real witness in stage 5 and the extracted value is a real witness as well.

Next, we modify the protocol rNMZK into a protocol rNMZK_F by replacing the pseudorandom function f_s with a truly random function F:{0,1}^∗→{0,1}^l(n). Let \( \textsf {H}_{1}=\{\textsf {real-view}_{F},\{\widetilde {w}_{i}\}\text {} _{i\in [m]}\} \) denote the combined view of \( \mathcal {A} \) in the real experiment of the protocol rNMZK_F and the values extracted the committed value oracle. It then follows from the security of pseudorandom function that, the view and the value extracted from oracle are computationally indistinguishable in H₀ and H₁. Otherwise, we can use the adversary to break the indistinguishability between the pseudorandom function family and truly random function family.

Next, we construct our simulator \( \hat {\textsf {S}} \) based on the simulator S in the “The view generated by the simulator” section. We need \( \hat {\textsf {S}} \) to be able to emulate the execution for the man-in-the-middle and resetting adversary \( \mathcal {A} \) in the protocol rNMZK_F. For the adversary \( \mathcal {A} \), we divide its resetting attack in the left into two cases. The first case is that the new first message m₀ sent by \( \mathcal {A} \) is different from all the first messages in the previous sessions on the left. Because our protocol rNMZK_F uses the truly random function F, in such case, we can see it as a new session, and simulator \( \hat {\textsf {S}} \) just does the simulation of the left and right interactions in the same manner as S. Additionally, when executing the part of resettably-roundness ZK protocol, the simulator \( \hat {\textsf {S}} \) will act as an honest verifier on the left. The second case is that the new first message m₀ sent by \( \mathcal {A} \) has been sent in a previous session, and then the simulator \( \hat {\textsf {S}} \) just resends the responses from its history records of the corresponding session. This is because, for a fixed truly random function F, the transcript of the whole session are fixed when the message m₀ is fixed. Otherwise, we can use this experiment to break the binding property of the commitment scheme Com.

Let sim-view_F be the view of \( \mathcal {A} \) in the simulated experiment of the protocol rNMZK_F by the simulator \( \hat {\textsf {S}} \), \( \{\widetilde {w}_{i}\}\text {} _{i\in [m]} \) be the values extracted by the committed value oracle. It is easy to see that the {sim-view_F} and {real-view_F} are computationally indistinguishable, otherwise we can use this experiment to break the concurrent zero-knowledge of the protocol CNMZK. Now denote \( \textsf {H}_{2} = \{\textsf {sim-view}_{F},\{\widetilde {w}_{i}\}\text {} _{i\in [m]}\} \) as the combined view of \( \mathcal {A} \) in the simulate and extract experiment of the protocol rNMZK_F. As before, we can construct a series of hybrids as “The witnesses output by the extractor” section to argument that the view and the values are indistinguishable in H₂ and H₁ by reducing to the security of the 4-robust one-one CCA-secure commitment scheme Com^1:1(the non-malleable w.r.t itself or the 4-round WISSP).

More specifically, suppose that when the adversay \( \mathcal {A} \) complete the resetting attack against the prover, the total number of rounds of the left interactions is N^′ and w.l.o.g, we assume N^′ is bounded by a fixed polynomial. For each i∈[N^′], define the simulator \( \hat {\textsf {S}}^{i} \) that the first i communication rounds are simulated by simulator \( \hat {\textsf {S}} \) with the pseudo-randomness and fake witness, and all the later communication round j>i are simulated by simulator \( \hat {\textsf {S}} \) with true randomness and the true witnesses. We also define the simulator \( \hat {\textsf {S}}^{i}_{+} \) that proceed identically as \( \hat {\textsf {S}}^{i} \) except that it simulates the i-th round following the honest prover strategy using the real witness. Then, let us consider the following hybrid experiments. The experiment \( \hat {\textsf {H}}^{i} \left (\hat {\textsf {H}}_{+}^{i}\right)\) is the same as H₂ except that the execution of \( \hat {\textsf {S}} \) is replaced with that of \( \hat {\textsf {S}}^{i}\left (\hat {\textsf {S}}^{i}_{+} \right) \). It is easy to see that the output of \( \hat {\textsf {H}}^{N'} \) is identical to the output of H₂, and the output of \( \hat {\textsf {H}}^{0} \) is identical to the real view of H₁.

Now, assume there exists a polynomial function p, such that the resetting attacker \( \mathcal {A} \) cheats in one of the right sessions in the experiment H₂ with probability 1/p(n). We mean that there exists a right session that is accepted and uses a different identity from all the left interactions, \( \mathcal {A} \) fails to commit to a valid witness in Stage 5 with probability 1/p(n). Then H₂ can not extract the witness from this right session with probability 1/p(n) as well. However, we have that H₁ can extract the witness from this right session except with negligible probability. Thus, from an average argument, there must exist an i such that the probability of cheating differ by at least a polynomial amount in the hybrids \( \hat {\textsf {H}}^{i} \) and \(\hat {\textsf {H}}_{+}^{i} \) or in the hybrids \( \hat {\textsf {H}}_{+}^{i}\) and \( \hat {\textsf {H}}^{i+1} \).

The same analysis as before, the only difference between \( \hat {\textsf {H}}_{+}^{i}\) and \( \hat {\textsf {H}}^{i+1} \) is which randomness (true or pseudo) is used in the i-round of the left interaction, hence the two ensembles are computationally indistinguishable. On the other hand, the only difference between \( \hat {\textsf {H}}^{i} \) and \(\hat {\textsf {H}}_{+}^{i} \) is which witness (fake or real) is used in the i-th round. The former, uses a dummy string 0ⁿ as the committed value of CCACom^1:1 followed with an WISSP for knowing the fake witness instead of the witness w_i of x_i; the latter, acts as an honest prover holding a real witness w_i of x_i. If the gap is due to the committed value of CCACom^1:1, then we can use this gap to break the security of the non-malleable w.r.t itself. If the gap is due to the witness used in the four-round WISSP of the left session, then we can use this gap to break the 4-robustness CCA-secure of CCACom^1:1. Hence, we obtain a contradiction.

Thus, we have that H₂ is computationally indistinguishable from H₁. Recall that in the beginning we have proved that H₁≈H₀, so we have that H₂ is also computationally indistinguishable from H₀. Combining the above, we obtain that the protocol in Table 3 is resettable non-malleable zero-knowledge.

This concludes the proof of Lemma 2. □

Towards constant-round simultaneously-resettable NMZK

Towards the constant-round simultaneously-resettableNMZK, we first transform the constant-roundCNMZK protocol into a constant-round resettably-soundCNMZK (rsCNMZK), which is similar to the method of (Chongchitmate et al. 2017). More specifically, in each round, we let the verifier generate its randomness by using a pseudorandom function f_s:{0,1}^∗→{0,1}^l(n) to his transcript so far. Additionally, we replace the ZK argument in stage 4 with a constant-round rNMZK argument constructed in Table 3.

The final step, to obtain our Theorem 2, we apply the transformation of (Deng et al. 2009) (Theorem 6) to our constant-round rsCNMZK protocol to obtain the constant-round simultaneous resettability NMZK. This step can be proved by using the same approach in “The view generated by the simulator” section based on the analysis of (Deng et al. 2009). Intuitively, on the one hand, a protocol with an extra resettably-sound property will not increase the power of the man-in-the-middle adversary on the right; on the other hand, for a man-in-the-middle adversary with resetting-attack on the left, we can construct a simulator-extractor to simulate its view and extract the witnesses in the right accepted session, otherwise we can use this experiment to break the 4-robust one-one CCA-secure commitment scheme Com^1:1.

Combining “From concurrent NMZK to resettable NMZK” section and “Towards constant-round simultaneously-resettable NMZK” section, the constant-round simultaneously-resettable non-malleable zero-knowledge protocol follows.

This completes the proof of Theorem 2. □

In this paper, we provide the first construction of a constant-round concurrent non-malleable zero-knowledge argument for every language in NP and give a detailed proof for our protocol. Furthermore, by studying the composition of the simultaneously resettable zero-knowledge and the non-malleable zero-knowledge, we give the first construction of a constant-round simultaneously-resettable non-malleable zero-knowledge. However, there is still an interesting question about how to design a round-optimal concurrent non-malleable zero-knowledge argument. Here we leave it as an open problem.

1. 1.

   Here, P(x_i,w_i,r_j,α) denotes the message sent by the strategy P on common input x_i, auxiliary input w_i and random-tape r_j, after seeing the message-sequence α.

2. 2.

   Here, V(x,r_j,α) denotes the message sent by the strategy V on common input x, random-tape r_j, after seeing the message-sequence α.

This work was supported in part by the National Natural Science Foundation of China (Grant No. 61772521), Key Research Program of Frontier Sciences, CAS (QYZDB-SSW-SYS035), and the Open Project Program of the State Key Laboratory of Cryptology. The first author wants to thank Yiwen Gao for making useful comments on the paper.

Affiliations

1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

   Zhenbin Yan, Yi Deng & Yiru Sun

2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

   Zhenbin Yan, Yi Deng & Yiru Sun

Contributions

All authors read and approved the final manuscript.

Corresponding author

Correspondence to Yi Deng.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and Permissions