Zero-knowledge proof systems were introduced by Goldwasser, Micali and Rackofi in (1989). Informally, an interactive proof protocol is zero-knowledge if the prover can convince the verifier that a statement is true without revealing any information other than the fact itself. With such an intriguing nature, zero-knowledge proof has played a central role in the design and study of cryptographic protocols. The notion of concurrent zero knowledge(CZK) was first introduced by Dwork, Naor and Sahai (1998) to consider that many copies of the zero-knowledge protocol are executed simultaneously in an asynchronous network, where messages from different copies may be arbitrarily interleaved by the verifier. The notion of non-malleable zero knowledge(NMZK) was first introduced by Dolev, Dwork and Naor (2000) to consider the execution of zero-knowledge protocol in the setting where the man-in-the-middle adversary interacts with an honest prover in the left session and an honest verifier in the right session.
Concurrent Non-malleable Zero-Knowledge. By combining the concurrent zero-knowledge with the security against man-in-the-middle adversaries, Barak, Prabhakaran and Sahai (2006) introduced a stronger form of zero knowledge referred to as concurrent non-malleable zero knowledge (CNMZK). In such protocol, the adversary can complete control over the communication channel and participate in an unbounded number of concurrent executions. It guarantees that the proofs in the left sessions does not help the adversary to give proofs in the right sessions.
After the original protocol by (Barak et al. 2006), various other concurrent non-malleable ZK protocols have been obtained (Ostrovsky et al. 2008, 2010; Lin et al. 2010; Lin and Pass 2011; Orlandi et al. 2014; Kiyoshima 2015). Lin, Pass, Tseng and Venkitasubramaniam (2010) focused on enhancing the soundness property by combining the notation of robust non-malleable commitments introduced by Lin et al. (2009) with the concurrently extractable commitments (CECom) introduced by Micciancio et al. (2006). They showed a poly(n)-round CNMZKproof for all of NP based on one way function assumption and a \( \widetilde {O}(log(n)) \)-round protocol based on the existence of collision resistant hash-functions(CRHFs). Recently, Orlandi et al. (2014) achieved the first statisticalCNMZKargument system. In their protocol, they used a special kind of commitment scheme called “mixed non-malleable commitment” scheme based on the DDH assumptions. Very recently, Kiyoshima (2015) achieved a poly(n) rounds statisticalCNMZKargument system only assuming the existence of one-way functions. In their protocol, instead of using a non-malleable commitment to commit the real witness (see (Barak et al. 2006; Lin et al. 2010)), they used a constant-round k-robust one-one CCA-secure commitment (Canetti et al. 2010; Lin and Pass 2012; Kiyoshima 2014; Goyal et al. 2015) to commit a random string (e.g., 0n).
However, we observe that the round complexity of all the above protocols based on the standard assumptions is at least \( \widetilde {O}(\log n) \) rounds. Indeed, in the standard model without set-up assumptions, Canetti, Kilian, Petrank and Rosen (2001) based on earlier works by (Kilian et al. 1998; Rosen 2000) have showed that any black-box concurrent zero-knowledge protocol require at least \(\widetilde {\Omega }(\log n)\) rounds. It can be observed that the lower bound also holds for the black-box concurrent non-malleable zero-knowledge protocol. A breakthrough work was made by Barak in (2001), he proposed the first non-black-box simulation techniques and constructed the first constant-round boundedCZKargument system assuming the existence of CRHFs. Recently, Pandey, Prabhakaran and Sahai (2015) showed a new non-black-box simulation technique independent of the PCP theorem and constructed a 4-round CZKargument system based on the existence of CRHFs and differing-input obfuscation (diO)(Barak et al. 2001; Boyle et al. 2014; Ishai et al. 2015). Very recently, Chung, Lin and Pass (2015) achieved constant-roundCZK with non-uniform soundness assuming the existence of CRHFs, OWP and iO (Barak et al. 2001; Garg et al. 2013) for P/poly. We stress that Ostrovsky, Persiano and Visconti in (2008) have showed a constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model. However, in this model each verifier have to register the public key in a public file during a preprocessing stage and the secret key is known only to itself. Thus, one natural question we ask in this work is:
Whether a constant rounds concurrent non-malleable zero-knowledge protocol in the standard model can be obtained?
Simultaneous Resettable Zero-Knowledge. The notion of resettable zero-knowledge (rZK) was first introduced by Canetti, Goldreich, Goldwasser and Micali (2000). It requires the zero-knowledge condition holds even when the verifier can reset the prover to reuse the previous randomness. From the definition, we can see that the security of resettable zero-knowledge is stronger than that of concurrent zero-knowledge, because a resetting verifier could emulate any concurrent attack in the CZK protocol. Subsequently, Barak, Goldreich, Goldwasser and Lindell (2001) introduced the notion of resettably-sound zero-knowledge (rsZK). It requires the soundness condition holds even when the prover can reset the verifier to use the same random tape in multiple concurrent executions. Following the two works above, a number of works have investigated the resettable security in zero-knowledge protocols (Deng et al. 2009; Cho et al. 2012; Garg et al. 2012; Chung et al. 2013b, 2014; Bitansky and Paneth 2015; Ostrovsky et al. 2015), which focused on either reducing the complexity assumptions or reducing the round complexity and so on. Recently, Chung et al. (2013a) presented a construction of the simultaneous resettable zero-knowledge protocol with polynomial rounds based on the minimal assumption of one-way functions. Very recently, Chongchitmate et al. (2017) showed a constant-round simultaneous resettable zero-knowledge argument system based on the work of Chung et al. (2015). Thus, another question in this work is:
Whether a constant rounds interactive protocol can be both simultaneous resettable zero-knowledge and non-malleable zero-knowledge?
Our results
In this paper, we combine the forementioned approaches and answer the above question positively. In the main result, we construct the first constant-round non-malleable concurrent zero-knowledge argument system.
Theorem 1
Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round concurrent non-malleable zero-knowledge argument system for NP.
Our additional contribution is that by combining our CNMZK argument system with the approach of (Chongchitmate et al. 2017) and (Deng et al. 2009), we get the first constant-round simultaneously resettable and non-malleable zero-knowledge protocol.
Theorem 2
Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round simultaneously resettable and non-malleable zero-knowledge argument system for NP.
Our techniques
Below, we first recall the techniques in (Barak 2001; Chung et al. 2015; Kiyoshima 2015) and then give an overview of our construction approach.
Barak’s protocol. Barak’s non-black-box zero-knowledge argument system consists of three stages. In stage 1, the verifier V chooses a hash function \( h \xleftarrow {R} \mathcal {H}\) and sends it to the prover P, where \( \mathcal {H} \) is a collision-resistant hash function family. In stage 2, P sends a commitment c←Com(0n,ρ) to V, where Com is a statistically binding commitment scheme; then V responds with a random string r∈{0,1}2n to P. In stage 3, P and V start a witness-indistinguishable universal argument(WIUA) system where P proves to V that there exists x∈L or (h,c,r)∈Λ. The language Λ is defined as (h,c,r)∈Λ iff there exists a program Π such that c=Com(h(Π),ρ) and Π on input c can output r within nlog logn steps.
The soundness of Barak’s protocol follows from the fact that even if a malicious prover P∗ tries to commit to some program Π (instead of committing to 0n), with a high probability, the output of Π(c) will be different from the string r sent by V for every string r∈{0,1}2n. To prove zero knowledge, just use the code of the malicious verifier V∗ as trapdoor in stage 2. By the definition of the language Λ, it must holds that c=Com(h(Π))=Com(h(V∗)) and Π(c)=V∗(c)=r.
Chung et al.’s constant-round CZK protocol. In (Chung et al. 2013), Chung et.al presented a P-certificates assumption for the language Lc∈P where Lc={(M,x,y):M(x)=y within |x|c steps}. In a P-certificate system, an efficient prover can generate a short certificate π of a fixed polynomial length (independent of the running-time and size of M) for a tuple (M,x,y) in a prior bounded polynomial time in |x|c. By using π the verifier can check the validity of the deterministic polynomial-time computation M(x)=y in some fixed polynomial time (independent of the running-time of M). Such proof system has two salient features, i.e., the “non-interactivity” and “succinctness”, which guarantee the simulator can reuse the same certificate in many nested sessions and amortize the cost of generating WIUA proof. We stress that this is essentially to overcome the exponentially blow-up problem in the running time of the concurrent simulation. Based on the Barak’s non-black-box zero-knowledge protocol, they modified the part of the stage 3 and defined a new language Λ. More specifically, they defined that a statement (h,c,r)∈Λ iff there exists a program M, a certificate π, a vector λ=((1,π1),(2,π2)⋯) and a vector \( \overrightarrow {m} \) such that c=Com(h(M)), π is a proof for M(λ)=r and each πj certifies that M(λ<j) outputs mj in its j-th communication round (where λ<j=((1,π1),(2,π2)⋯(j−1,πj−1))).
The soundness can be obtained as follows. Roughly speaking, from the statistically binding property of the Com, for every commitment c (i.e., m1), there exists a prior fixed deterministic polynomial-time program M. By the unique certificate property of the P-certificate, we can infer that the certificate π1 for M(·)=m1 is also uniquely defined. Due to the same analysis, we can conclude that for every j>1, mj is uniquely defined. Thus, also the unique (accepting) certificate πj certifying M(λ<j)=mj. That is, there is a unique valid vector λ for program M, so there exists a single r satisfied the computation M(λ)=r. From the soundness of the previous Barak’s protocol (Barak 2001), we can obtain that, with a high probability, the string r sent by V will be different from M(λ) for every string r∈{0,1}4n.
To prove the zero-knowledge, the key difference from Barak’s protocol is that each certificate πi generated during construct the WIUA proofs in stage 3 of a session, can be reused as a part of the input witness λ=((1,π1),(2,π2)⋯) for the subsequent sessions that contains this session. Thus, the only expensive part of the generation of the WIUA in each session is the generation of the P-certificates π, which can be generated in a prior bounded polynomial time for the following reasons. Recall that when arriving at the point of stage 3, the simulator S has emulated the partial execution of M and outputted the message r. We assume that the time spent in this part is bounded by |x|c for some constant \( c \in \mathbb {N} \), where x is the statement M(λ)=r. Then the certificate π for this part computation can be implemented in polynomial time in |x|c by the P-certificates system. So the whole simulation can be finished in polynomial time, we refer the reader to (Chung et al. 2015) for more detail about this part.
Our Approach on CNMZK. Our protocol attempts to combine the constant-round CZK techniques and the previous CNMZK techniques together. Compared with the work of (Kiyoshima 2015; Lin et al. 2010), we use the non-black-box techniques to reduce the round complexity.
Recall that the definition of standaloneNMZK requires the existence of a simulator-extractor SE that can simulate the view of a man-in-the-middle adversary \( \mathcal {A} \) while simultaneously extracting the witnesses for the statements proved by the adversary in the right interaction. On the high level, in order to satisfy this definition, the traditional method is that the verifier commits a trapdoor in the first stage, and then the prover uses a non-malleable commitment to commit the real witness, finally the prover uses the WIAOK protocol to prove that it either committed a real witness or known the trapdoor. So when considering the CNMZK protocols, intuitively, we need the prover to use a concurrent non-malleable commitment scheme (Pass and Rosen 2005; Lin et al. 2008, 2017; Ciampi et al. 2016; Khurana and Sahai 2017) to commit the real witness. However, we note that this is not necessary, as described in (Barak et al. 2006), since we only need to prove that the adversary still commits the real witness in each session rather than all the right sessions together. That is stand-alone non-malleable commitment is sufficient for our purpose.
By the definition of CNMZK, the crux of the proof is to show that even during simulation, when the simulator commits a fake witness (instead of real witnesses) in left interactions, the man-in-the-middle adversary \( \mathcal {A} \) still cannot change its committed values in right interactions. The most delicate part of the proof is that we need to consider the mutual influence on the both sides of the rewinds when extract the trapdoors in the left and the witnesses in the right. That is we should carefully design a series of hybrids to argument the rewinds do not affect the reduction of the concurrent non-malleability of our zero-knowledge protocol to (non-concurrent) non-malleability of the commitment scheme.
In the previous protocol (Lin et al. 2010), they used a special skill to reduce the difficulty of the proof. More specifically, the prover first uses a non-malleable commitment scheme with a robust property to commit to a witness wtwice (sequentially), and then they designed a series of hybrids to show that the adversary must commit the valid witness (except with a negligible probability) in each case. Otherwise, they can use the adversary to break the non-malleable property with respect to itself or the non-malleable property w.r.t. k-round protocols. In the protocol (Kiyoshima 2015), because their goal is to implement a statisticallyCNMZK argument system, instead of using a non-malleable commitment to commit the witness, they commit a random string (e.g., 0n). Thus, in their simulation-extractability proof, they can not directly use the extractability of the commitment scheme, instead they have to rewind the sWIAOK proof to extract the witness in the right. Their proof strategy is that assume there exists an adversary which can extract a fake witness in the right, then they can give a series of indistinguishable hybrids to show that even the simulator in the right interaction (act as an honest verifier) just send a commitment with the value 0n, the adversary still can extract this fake witness, this is a contradiction.
Because our goal is to construct the constant-round concurrent non-malleable zero-knowledge protocol, so the non-malleable commitment scheme should be constant rounds, here we use the constant-round4-robust one-one CCA-secure commitment scheme which first appeared in (Kiyoshima 2015) based Canetti et al. (2010). Such commitment scheme can be based on the minimum assumption of the existence of one way functions. The difference from (Kiyoshima 2015) is that our protocol use the CCA-secure commitment scheme to commit the witness not the random string.
More specifically, the commitment scheme we use has a salient feature, i.e., its security can be guaranteed even the adversaries have access to the committed-value oracle in the right. This advantage brings us the convenience in designing the hybrids since we need not consider the impact on the left side when we do oracle access to the committed-value oracle in the right sessions. Indeed, in our final proof, we use an opposite argument which is essentially the same. Roughly speaking, we consider the following hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), where the former simulator-extractor SE uses the “fake” witness in the i-th left session and the later simulator-extractor SE uses the real witness in the i-th left session, while allowing both SE to access the committed oracle \( \mathcal {O} \). If the adversary \( \mathcal {A} \) can convince the verifier accept a right session and uses a different identity from all the left sessions, then from the soundness of the WIAOK and the binding property of the commitment, the one-one CCA commitment of this right session must commit a right witness except with a negligible probability. Now we can forward it to the external committed-value oracle and obtain its commit value. Next assume there exists an adversary \( \mathcal {A} \) which can distinguish the two simulator-extractor \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), then we can use such adversary to break the witness indistinguishability of the 4-round WISSP or the k-robust CCA security. This gives a contradiction, thus each hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \) are indistinguishable and we can claim that our protocol is concurrent non-malleable zero-knowledge argument. The more details proofs are given in “Constant-round concurrent non-malleable zero-knowledge” section. Since we only add a constant-round commitment on the original constant-roundCZK, the whole protocol also a constant-round protocol, so we can draw the conclusion given in Theorem 1.
Towards Simultaneously-Resettable NMZK. Let us turn to the second question namely the simultaneously-resettable non-malleable zero-knowledge argument system. The formal definition is somewhat complicated and will be given in the “Simultaneously-resettable and non-malleable zero-knowledge” section. Roughly speaking, the protocol need to satisfy the non-malleable security even if the man-in-the-middle adversary \( \mathcal {A} \) can reset the prover to have several interactions in the left, at the same time, \( \mathcal {A} \) can reset the verifier to have multiple interactions in the right. Thus, all the previous protocols will not satisfy our new security requirements, our solution is to enhance the recently result of Chongchitmate et al. (2017) in the following.
In (Chongchitmate et al. 2017) they given a constant-round simultaneously-resettable zero-knowledge argument system. More specifically, they first gave a transformation from any ℓ-round CZKargument system to O(ℓ)-round resettable zero-knowledge argument. Then they can achieve a resettably-sound concurrent zero-knowledge argument(rsCZK) by plugging a constant-roundrZK into a constant-roundCZK system. Finally, following the general transformation of (Deng et al. 2009), they obtained a simultaneously-resettable ZK protocol. We stress that, to the best of our knowledge, this transformation is the most direct route to achieve simultaneously-resettable zero-knowledge argument system (see also (Bitansky and Paneth 2015; Chung et al. 2013a; Canetti et al. 2013)). In this paper, we observe that this construction actually preserves non-malleability: If the original protocol is a constant-round concurrent non-malleable zero-knowledge argument system, then the new one is a constant-round resettably-sound concurrent non-malleable zero-knowledge argument. Further, by applying a combination of the transformations in (Deng et al. 2009), we can achieve a constant-round simultaneously-resettableNMZK, thus we can draw the conclusion given in Theorem 2.
Organization
The rest of this paper is organized as follows. Some necessary preliminaries and security notion are given in “Preliminary” section. The concrete construction and the security analysis for constant-roundCNMZKargument system are described in “Constant-round concurrent non-malleable zero-knowledge” section. Finally, we show how to use our CNMZKargument system to construct the constant-round simultaneously-resettable non-malleableZKargument system in “Simultaneously-resettable and non-malleable zero-knowledge” section.