Skip to content

Advertisement

  • Research
  • Open Access

Concurrent non-malleable zero-knowledge and simultaneous resettable non-malleable zero-knowledge in constant rounds

Cybersecurity20181:12

https://doi.org/10.1186/s42400-018-0014-7

  • Received: 22 May 2018
  • Accepted: 7 September 2018
  • Published:

Abstract

Concurrent non-malleable zero-knowledge (CNMZK) considers the concurrent execution of zero-knowledge protocols in a setting even when adversaries can simultaneously corrupt multiple provers and verifiers. As far as we know, the round complexity of all the constructions of CNMZK arguments for NP is at least ω(logn). In this paper, we provide the first construction of a constant-round concurrent non-malleable zero-knowledge argument for every language in NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations and indistinguishability obfuscators. As an additional contribution, we study the composition of two central notions in zero knowledge, the simultaneously resettable zero-knowledge and non-malleable zero-knowledge, which seemingly have stronger proved security guarantees. We give the first construction of a constant-round simultaneously-resettable non-malleable zero-knowledge. To the best of our knowledge, this is the first study to combine the two security concepts described above together in the zero-knowledge protocols.

Keywords

  • Zero-knowledge
  • Concurrent non-malleable zero-knowledge
  • Simultaneously resettable zero-knowledge
  • Concurrent security computation

Introduction

Zero-knowledge proof systems were introduced by Goldwasser, Micali and Rackofi in (1989). Informally, an interactive proof protocol is zero-knowledge if the prover can convince the verifier that a statement is true without revealing any information other than the fact itself. With such an intriguing nature, zero-knowledge proof has played a central role in the design and study of cryptographic protocols. The notion of concurrent zero knowledge(CZK) was first introduced by Dwork, Naor and Sahai (1998) to consider that many copies of the zero-knowledge protocol are executed simultaneously in an asynchronous network, where messages from different copies may be arbitrarily interleaved by the verifier. The notion of non-malleable zero knowledge(NMZK) was first introduced by Dolev, Dwork and Naor (2000) to consider the execution of zero-knowledge protocol in the setting where the man-in-the-middle adversary interacts with an honest prover in the left session and an honest verifier in the right session.

Concurrent Non-malleable Zero-Knowledge. By combining the concurrent zero-knowledge with the security against man-in-the-middle adversaries, Barak, Prabhakaran and Sahai (2006) introduced a stronger form of zero knowledge referred to as concurrent non-malleable zero knowledge (CNMZK). In such protocol, the adversary can complete control over the communication channel and participate in an unbounded number of concurrent executions. It guarantees that the proofs in the left sessions does not help the adversary to give proofs in the right sessions.

After the original protocol by (Barak et al. 2006), various other concurrent non-malleable ZK protocols have been obtained (Ostrovsky et al. 2008, 2010; Lin et al. 2010; Lin and Pass 2011; Orlandi et al. 2014; Kiyoshima 2015). Lin, Pass, Tseng and Venkitasubramaniam (2010) focused on enhancing the soundness property by combining the notation of robust non-malleable commitments introduced by Lin et al. (2009) with the concurrently extractable commitments (CECom) introduced by Micciancio et al. (2006). They showed a poly(n)-round CNMZKproof for all of NP based on one way function assumption and a \( \widetilde {O}(log(n)) \)-round protocol based on the existence of collision resistant hash-functions(CRHFs). Recently, Orlandi et al. (2014) achieved the first statisticalCNMZKargument system. In their protocol, they used a special kind of commitment scheme called “mixed non-malleable commitment” scheme based on the DDH assumptions. Very recently, Kiyoshima (2015) achieved a poly(n) rounds statisticalCNMZKargument system only assuming the existence of one-way functions. In their protocol, instead of using a non-malleable commitment to commit the real witness (see (Barak et al. 2006; Lin et al. 2010)), they used a constant-round k-robust one-one CCA-secure commitment (Canetti et al. 2010; Lin and Pass 2012; Kiyoshima 2014; Goyal et al. 2015) to commit a random string (e.g., 0n).

However, we observe that the round complexity of all the above protocols based on the standard assumptions is at least \( \widetilde {O}(\log n) \) rounds. Indeed, in the standard model without set-up assumptions, Canetti, Kilian, Petrank and Rosen (2001) based on earlier works by (Kilian et al. 1998; Rosen 2000) have showed that any black-box concurrent zero-knowledge protocol require at least \(\widetilde {\Omega }(\log n)\) rounds. It can be observed that the lower bound also holds for the black-box concurrent non-malleable zero-knowledge protocol. A breakthrough work was made by Barak in (2001), he proposed the first non-black-box simulation techniques and constructed the first constant-round boundedCZKargument system assuming the existence of CRHFs. Recently, Pandey, Prabhakaran and Sahai (2015) showed a new non-black-box simulation technique independent of the PCP theorem and constructed a 4-round CZKargument system based on the existence of CRHFs and differing-input obfuscation (diO)(Barak et al. 2001; Boyle et al. 2014; Ishai et al. 2015). Very recently, Chung, Lin and Pass (2015) achieved constant-roundCZK with non-uniform soundness assuming the existence of CRHFs, OWP and iO (Barak et al. 2001; Garg et al. 2013) for P/poly. We stress that Ostrovsky, Persiano and Visconti in (2008) have showed a constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model. However, in this model each verifier have to register the public key in a public file during a preprocessing stage and the secret key is known only to itself. Thus, one natural question we ask in this work is:

Whether a constant rounds concurrent non-malleable zero-knowledge protocol in the standard model can be obtained?

Simultaneous Resettable Zero-Knowledge. The notion of resettable zero-knowledge (rZK) was first introduced by Canetti, Goldreich, Goldwasser and Micali (2000). It requires the zero-knowledge condition holds even when the verifier can reset the prover to reuse the previous randomness. From the definition, we can see that the security of resettable zero-knowledge is stronger than that of concurrent zero-knowledge, because a resetting verifier could emulate any concurrent attack in the CZK protocol. Subsequently, Barak, Goldreich, Goldwasser and Lindell (2001) introduced the notion of resettably-sound zero-knowledge (rsZK). It requires the soundness condition holds even when the prover can reset the verifier to use the same random tape in multiple concurrent executions. Following the two works above, a number of works have investigated the resettable security in zero-knowledge protocols (Deng et al. 2009; Cho et al. 2012; Garg et al. 2012; Chung et al. 2013b, 2014; Bitansky and Paneth 2015; Ostrovsky et al. 2015), which focused on either reducing the complexity assumptions or reducing the round complexity and so on. Recently, Chung et al. (2013a) presented a construction of the simultaneous resettable zero-knowledge protocol with polynomial rounds based on the minimal assumption of one-way functions. Very recently, Chongchitmate et al. (2017) showed a constant-round simultaneous resettable zero-knowledge argument system based on the work of Chung et al. (2015). Thus, another question in this work is:

Whether a constant rounds interactive protocol can be both simultaneous resettable zero-knowledge and non-malleable zero-knowledge?

Our results

In this paper, we combine the forementioned approaches and answer the above question positively. In the main result, we construct the first constant-round non-malleable concurrent zero-knowledge argument system.

Theorem 1

Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round concurrent non-malleable zero-knowledge argument system for NP.

Our additional contribution is that by combining our CNMZK argument system with the approach of (Chongchitmate et al. 2017) and (Deng et al. 2009), we get the first constant-round simultaneously resettable and non-malleable zero-knowledge protocol.

Theorem 2

Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round simultaneously resettable and non-malleable zero-knowledge argument system for NP.

Our techniques

Below, we first recall the techniques in (Barak 2001; Chung et al. 2015; Kiyoshima 2015) and then give an overview of our construction approach.

Barak’s protocol. Barak’s non-black-box zero-knowledge argument system consists of three stages. In stage 1, the verifier V chooses a hash function \( h \xleftarrow {R} \mathcal {H}\) and sends it to the prover P, where \( \mathcal {H} \) is a collision-resistant hash function family. In stage 2, P sends a commitment c←Com(0n,ρ) to V, where Com is a statistically binding commitment scheme; then V responds with a random string r{0,1}2n to P. In stage 3, P and V start a witness-indistinguishable universal argument(WIUA) system where P proves to V that there exists xL or (h,c,r)Λ. The language Λ is defined as (h,c,r)Λ iff there exists a program Π such that c=Com(h(Π),ρ) and Π on input c can output r within nlog logn steps.

The soundness of Barak’s protocol follows from the fact that even if a malicious prover P tries to commit to some program Π (instead of committing to 0n), with a high probability, the output of Π(c) will be different from the string r sent by V for every string r{0,1}2n. To prove zero knowledge, just use the code of the malicious verifier V as trapdoor in stage 2. By the definition of the language Λ, it must holds that c=Com(h(Π))=Com(h(V)) and Π(c)=V(c)=r.

Chung et al.’s constant-round CZK protocol. In (Chung et al. 2013), Chung et.al presented a P-certificates assumption for the language LcP where Lc={(M,x,y):M(x)=y within |x|c steps}. In a P-certificate system, an efficient prover can generate a short certificate π of a fixed polynomial length (independent of the running-time and size of M) for a tuple (M,x,y) in a prior bounded polynomial time in |x|c. By using π the verifier can check the validity of the deterministic polynomial-time computation M(x)=y in some fixed polynomial time (independent of the running-time of M). Such proof system has two salient features, i.e., the “non-interactivity” and “succinctness”, which guarantee the simulator can reuse the same certificate in many nested sessions and amortize the cost of generating WIUA proof. We stress that this is essentially to overcome the exponentially blow-up problem in the running time of the concurrent simulation. Based on the Barak’s non-black-box zero-knowledge protocol, they modified the part of the stage 3 and defined a new language Λ. More specifically, they defined that a statement (h,c,r)Λ iff there exists a program M, a certificate π, a vector λ=((1,π1),(2,π2)) and a vector \( \overrightarrow {m} \) such that c=Com(h(M)), π is a proof for M(λ)=r and each πj certifies that M(λ<j) outputs mj in its j-th communication round (where λ<j=((1,π1),(2,π2)(j−1,πj−1))).

The soundness can be obtained as follows. Roughly speaking, from the statistically binding property of the Com, for every commitment c (i.e., m1), there exists a prior fixed deterministic polynomial-time program M. By the unique certificate property of the P-certificate, we can infer that the certificate π1 for M(·)=m1 is also uniquely defined. Due to the same analysis, we can conclude that for every j>1, mj is uniquely defined. Thus, also the unique (accepting) certificate πj certifying M(λ<j)=mj. That is, there is a unique valid vector λ for program M, so there exists a single r satisfied the computation M(λ)=r. From the soundness of the previous Barak’s protocol (Barak 2001), we can obtain that, with a high probability, the string r sent by V will be different from M(λ) for every string r{0,1}4n.

To prove the zero-knowledge, the key difference from Barak’s protocol is that each certificate πi generated during construct the WIUA proofs in stage 3 of a session, can be reused as a part of the input witness λ=((1,π1),(2,π2)) for the subsequent sessions that contains this session. Thus, the only expensive part of the generation of the WIUA in each session is the generation of the P-certificates π, which can be generated in a prior bounded polynomial time for the following reasons. Recall that when arriving at the point of stage 3, the simulator S has emulated the partial execution of M and outputted the message r. We assume that the time spent in this part is bounded by |x|c for some constant \( c \in \mathbb {N} \), where x is the statement M(λ)=r. Then the certificate π for this part computation can be implemented in polynomial time in |x|c by the P-certificates system. So the whole simulation can be finished in polynomial time, we refer the reader to (Chung et al. 2015) for more detail about this part.

Our Approach on CNMZK. Our protocol attempts to combine the constant-round CZK techniques and the previous CNMZK techniques together. Compared with the work of (Kiyoshima 2015; Lin et al. 2010), we use the non-black-box techniques to reduce the round complexity.

Recall that the definition of standaloneNMZK requires the existence of a simulator-extractor SE that can simulate the view of a man-in-the-middle adversary \( \mathcal {A} \) while simultaneously extracting the witnesses for the statements proved by the adversary in the right interaction. On the high level, in order to satisfy this definition, the traditional method is that the verifier commits a trapdoor in the first stage, and then the prover uses a non-malleable commitment to commit the real witness, finally the prover uses the WIAOK protocol to prove that it either committed a real witness or known the trapdoor. So when considering the CNMZK protocols, intuitively, we need the prover to use a concurrent non-malleable commitment scheme (Pass and Rosen 2005; Lin et al. 2008, 2017; Ciampi et al. 2016; Khurana and Sahai 2017) to commit the real witness. However, we note that this is not necessary, as described in (Barak et al. 2006), since we only need to prove that the adversary still commits the real witness in each session rather than all the right sessions together. That is stand-alone non-malleable commitment is sufficient for our purpose.

By the definition of CNMZK, the crux of the proof is to show that even during simulation, when the simulator commits a fake witness (instead of real witnesses) in left interactions, the man-in-the-middle adversary \( \mathcal {A} \) still cannot change its committed values in right interactions. The most delicate part of the proof is that we need to consider the mutual influence on the both sides of the rewinds when extract the trapdoors in the left and the witnesses in the right. That is we should carefully design a series of hybrids to argument the rewinds do not affect the reduction of the concurrent non-malleability of our zero-knowledge protocol to (non-concurrent) non-malleability of the commitment scheme.

In the previous protocol (Lin et al. 2010), they used a special skill to reduce the difficulty of the proof. More specifically, the prover first uses a non-malleable commitment scheme with a robust property to commit to a witness wtwice (sequentially), and then they designed a series of hybrids to show that the adversary must commit the valid witness (except with a negligible probability) in each case. Otherwise, they can use the adversary to break the non-malleable property with respect to itself or the non-malleable property w.r.t. k-round protocols. In the protocol (Kiyoshima 2015), because their goal is to implement a statisticallyCNMZK argument system, instead of using a non-malleable commitment to commit the witness, they commit a random string (e.g., 0n). Thus, in their simulation-extractability proof, they can not directly use the extractability of the commitment scheme, instead they have to rewind the sWIAOK proof to extract the witness in the right. Their proof strategy is that assume there exists an adversary which can extract a fake witness in the right, then they can give a series of indistinguishable hybrids to show that even the simulator in the right interaction (act as an honest verifier) just send a commitment with the value 0n, the adversary still can extract this fake witness, this is a contradiction.

Because our goal is to construct the constant-round concurrent non-malleable zero-knowledge protocol, so the non-malleable commitment scheme should be constant rounds, here we use the constant-round4-robust one-one CCA-secure commitment scheme which first appeared in (Kiyoshima 2015) based Canetti et al. (2010). Such commitment scheme can be based on the minimum assumption of the existence of one way functions. The difference from (Kiyoshima 2015) is that our protocol use the CCA-secure commitment scheme to commit the witness not the random string.

More specifically, the commitment scheme we use has a salient feature, i.e., its security can be guaranteed even the adversaries have access to the committed-value oracle in the right. This advantage brings us the convenience in designing the hybrids since we need not consider the impact on the left side when we do oracle access to the committed-value oracle in the right sessions. Indeed, in our final proof, we use an opposite argument which is essentially the same. Roughly speaking, we consider the following hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), where the former simulator-extractor SE uses the “fake” witness in the i-th left session and the later simulator-extractor SE uses the real witness in the i-th left session, while allowing both SE to access the committed oracle \( \mathcal {O} \). If the adversary \( \mathcal {A} \) can convince the verifier accept a right session and uses a different identity from all the left sessions, then from the soundness of the WIAOK and the binding property of the commitment, the one-one CCA commitment of this right session must commit a right witness except with a negligible probability. Now we can forward it to the external committed-value oracle and obtain its commit value. Next assume there exists an adversary \( \mathcal {A} \) which can distinguish the two simulator-extractor \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), then we can use such adversary to break the witness indistinguishability of the 4-round WISSP or the k-robust CCA security. This gives a contradiction, thus each hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \) are indistinguishable and we can claim that our protocol is concurrent non-malleable zero-knowledge argument. The more details proofs are given in “Constant-round concurrent non-malleable zero-knowledge” section. Since we only add a constant-round commitment on the original constant-roundCZK, the whole protocol also a constant-round protocol, so we can draw the conclusion given in Theorem 1.

Towards Simultaneously-Resettable NMZK. Let us turn to the second question namely the simultaneously-resettable non-malleable zero-knowledge argument system. The formal definition is somewhat complicated and will be given in the “Simultaneously-resettable and non-malleable zero-knowledge” section. Roughly speaking, the protocol need to satisfy the non-malleable security even if the man-in-the-middle adversary \( \mathcal {A} \) can reset the prover to have several interactions in the left, at the same time, \( \mathcal {A} \) can reset the verifier to have multiple interactions in the right. Thus, all the previous protocols will not satisfy our new security requirements, our solution is to enhance the recently result of Chongchitmate et al. (2017) in the following.

In (Chongchitmate et al. 2017) they given a constant-round simultaneously-resettable zero-knowledge argument system. More specifically, they first gave a transformation from any -round CZKargument system to O()-round resettable zero-knowledge argument. Then they can achieve a resettably-sound concurrent zero-knowledge argument(rsCZK) by plugging a constant-roundrZK into a constant-roundCZK system. Finally, following the general transformation of (Deng et al. 2009), they obtained a simultaneously-resettable ZK protocol. We stress that, to the best of our knowledge, this transformation is the most direct route to achieve simultaneously-resettable zero-knowledge argument system (see also (Bitansky and Paneth 2015; Chung et al. 2013a; Canetti et al. 2013)). In this paper, we observe that this construction actually preserves non-malleability: If the original protocol is a constant-round concurrent non-malleable zero-knowledge argument system, then the new one is a constant-round resettably-sound concurrent non-malleable zero-knowledge argument. Further, by applying a combination of the transformations in (Deng et al. 2009), we can achieve a constant-round simultaneously-resettableNMZK, thus we can draw the conclusion given in Theorem 2.

Organization

The rest of this paper is organized as follows. Some necessary preliminaries and security notion are given in “Preliminary” section. The concrete construction and the security analysis for constant-roundCNMZKargument system are described in “Constant-round concurrent non-malleable zero-knowledge” section. Finally, we show how to use our CNMZKargument system to construct the constant-round simultaneously-resettable non-malleableZKargument system in “Simultaneously-resettable and non-malleable zero-knowledge” section.

Preliminary

k-robust (one-one) CCA-secure Commitment Schemes (Canetti et al. 2010)

A tag-based commitment scheme 〈C,R〉 is a commitment scheme where the committer and the receiver receive a tag {0,1}n (also called id) as common input. An adversary \( \mathcal {A}^{\mathcal {O}} \) can interact with a committed value oracle \( \mathcal {O} \) as a committer by using identities adaptively in many sessions. At the end of each session, if the session is valid, the oracle \( \mathcal {O} \)reveals the unique committed value of that session to \( \mathcal {A} \); otherwise, it sends . Consider the following probabilistic experiment \( \textsf {IND}_{b}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, 1^{n}, z\right) \). The oracle adversary \( \mathcal {A}^{\mathcal {O}} \) is allowed to adaptively choose an id and a pair of values (v0,v1){0,1}n as the challenge messages. When the adversary \( \mathcal {A}^{\mathcal {O}} \) receives a commitment to vb, it guess a bit b as the output of the experiment. The additional constraint is that if during the execution the adversary \( \mathcal {A} \) interacts with \( \mathcal {O} \) using the challenge identity id, then the experiment outputs .

Definition 1

We say a tag-based commitment scheme 〈C,R〉 is CCA-secure w.r.t. the committed-value oracle\( \mathcal {O} \), if for every PPT oracle machine \( \mathcal {A} \), the following ensembles are computationally indistinguishable:
  • \( \left \{\sf {IND}_{0}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, n, z\right) \right \}_{n \in \mathbb {N}, z \in \{0,1\}^{*}}\)

  • \( \left \{\sf {IND}_{1}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, n, z\right) \right \}_{n \in \mathbb {N}, z \in \{0,1\}^{*}}\)

Additionally, if 〈C,R〉 is CCA-secure only against adversaries that start a single session with \(\mathcal {O}\), then we say that 〈C,R〉 is one-oneCCA-secure.

The notion of non-malleability w.r.t. arbitrary k-round protocols is introduced in (Lin and Pass 2009), which considers the man-in-the middle adversaries can participate arbitrary k-round protocols in the left when running the commitment scheme in the right. Roughly speaking, we say 〈C,R〉 is k-robust w.r.t \( \mathcal {O} \) if the (joint) output of every k-round interaction with an adversary having access to the oracle \( \mathcal {O} \), can be simulated without the oracle.

Definition 2

Let 〈C,R〉 be a tag-based commitment scheme and \( \mathcal {O} \) be the committed-value oracle. For any constant \( k \in \mathbb {N} \), we say that 〈C,R〉 is k-robust w.r.t. \( \mathcal {O} \) if there exists a PPT oracle machine S such that for any PPT adversary \( \mathcal {A} \) and any k-round PPT interactive Turing machine B, the following are computationally indistinguishable:
  • \( \{{\sf {output}}_{B,\mathcal {A}^{\mathcal {O}}}[B(1^{n},x,y)]\leftrightarrow \mathcal {A}^{\mathcal {O}}(1^{n},x,z)\}_{n \in \mathbb {N}, x,y,z \in \{0,1\}^{*}}\)

  • \( \{{\sf {output}}_{B,S^{\mathcal {A}}}[B(1^{n},x,y)]\leftrightarrow S^{{\mathcal {A}}}(1^{n},x,z)]\}_{n \in \mathbb {N}, x,y,z \in \{0,1\}^{*}}\)

In our protocol, we use the constant-round 4-robust one-oneCCA-secure commitment scheme (namely CCACom1:1) which first appeared in (Kiyoshima 2015) and can be constructed from one-way functions based on the result of (Goyal et al. 2015).

Forward-secure PRG (Bellare and Yee 2003; Chung et al. 2013)

Definition 3

(Forward-secure Pseudorandom Generator) We say a polynomial-time computable function is a forward secure pseudorandom generator (fsPRG) if the following properties hold: Consistency: For every \( n,{\ell } \in \mathbb {N} \), s{0,1}n, if fsPRG(s,)=((s,s−1,,s1),(ρ,ρ−1,,ρ1)), then fsPRG(s,−1)=((s−1,,s1),(ρ−1,,ρ1)). Forward Security: For every polynomial p(n), the following ensembles are computationally indistinguishable:
  • \( \{s\leftarrow U_{n},(\vec {s},\vec {\rho }) \leftarrow \text {\sf {fsPRG}}(s,{\ell }):s_{t},\vec {\rho }_{\leq t}\}\text {} _{n \in \mathbb {N},{\ell }\in [p(n)],t\in {[\ell ]}} \)

  • \( \{s_{t} \leftarrow U_{n},\vec {\rho } \leftarrow (U_{n})^{\ell }:s_{t},\vec {\rho }_{\leq t}\}\text {} _{n \in \mathbb {N},{\ell }\in [p(n)],t\in {[\ell }]} \)

where Un is the uniform distribution over {0,1}n, and \( \vec {\rho }_{\leq t}=(\rho _{t},\rho _{t-1},\cdots,\rho _{1}). \)

From the definition above, if the seed st is exposed then the later sequence (ρt+1,ρt+2,) are also exposed, but the earlier sequence ρ1,,ρt remain pseudorandom. The existence of a fsPRG is implied by any (traditional) PRG, thus it is also implied by the existence of one-way functions (Håstad et al. 1999).

P-certificates in the delegatable CRS model (Chung et al. 2015)

For every constant \( c \in \mathbb {N} \), consider the language LcP such that Lc={(M,x,y):M(x)=y within |x|c steps}, let TM(x) denotes the running time of M on input x.

Definition 4

A tuple of PPT algorithms (Setup,PreGen,CRSGen,Pcert,Vcert), is a P-certificate system in the delegatable CRS model if there exist polynomials d,κ,CRS and π, such that the following holds:
  • Syntax and Efficiency: for every \( c \in \mathbb {N} \) and every q=(M,x,y)Lc, the verification of the statement proceed as follows:
    • 1)CRS Setup:\((PP,K)\xleftarrow {\text {\$}}\textsf {Setup}(1^{n}, c) \), where PP the public parameter and K the key;

    • 2)CRS Preprocessing: d=PreGen(PP,q) where |d| is bounded by d;

    • 3)CRS Generation:\( \kappa \xleftarrow {\text {\$}} \textsf {CRSGen}(PP,K,q) \) and CRS=(PP,κ), where |k| is bounded by κ and |CRS| is bounded by CRS

    • 4)Proof Generation:\( \pi \xleftarrow {\text {\$}} \textsf {P}_{\textsf {cert}}(1^{n}, c, q, CRS)\), where |π| is bounded by lπ and Pcert runs in time poly (1n,|x|,min(TM(x),|x|c))

    • 5)Proof Verification: b =Vcert(1n,c,CRS,q,π), where Vcert runs in time poly (k,|q|). Additionally, if the verification procedure Vcert is independent of the statement q and the language index c, then we say that the verification algorithm is simple.

  • (Perfect) Completeness: For every \( c,c^{\prime } \in \mathbb {N} \), there exists a negligible function μ such that for every q=(M,x,y)Lc such that \(\phantom {\dot {i}\!} |q| \leq k^{c^{\prime }} \), the probability that Vcert outputs 1 is 1.

  • Selective Strong Soundness: There exists a super-polynomial function T(n)=nω(1) and a super-constant function C(n)=ω(1) such that for every probabilistic algorithm P with running-time bounded by T(n), there exists a negligible function μ(n), such that, for every \( n \in \mathbb {N} \) and cC(n),
    $${\begin{aligned} \Pr\left[ \begin{array}{lll} \begin{array}{rll} (q,\textsf{st}) &\xleftarrow{\text{\$}} & P^{*}(1^{n}, c)\\ \textsf{CRS} &\xleftarrow{\text{\$}} & Gen(1^{n}, c)\\ \pi &\xleftarrow{\text{\$}} & P^{*}(\textsf{st}, \textsf{CRS}) \end{array} : \textsf{V}_{\textsf{cert}}(1^{n}, c, CRS, q, \pi)=1 \wedge q\notin L_{c} \end{array} \right] \leq \mu(n) \end{aligned}} $$
  • Unique certificate: We say that a P-certificate system is unique if for every \( c \in \mathbb {N} \), string CRS {0,1} and q{0,1}, there exists at most one string π such that Vcert(1n,c,CRS,q,π)=1.

Theorem 3

(Chung et al. 2015) Assume the existence of an \( i\mathcal {O} \) for P/poly and an injective pseudo-random generator, then there exists a P-certificate system for NTIME (nw(1)) with (strong) soundness, uniqueness in delegatable CRS Model and the verification algorithm is simple.

Concurrent non-malleable zero-knowledge arguments (Barak et al. 2006; Lin et al. 2010; Kiyoshima 2015)

Let (P,V) be an interactive protocol for a language L, n be the security parameter and m be a polynomial. Consider a PPTman-in-the-middle adversary \( \mathcal {A} \) given the common input (x1,,xm) and an auxiliary input z{0,1}. On the left, the adversary \( \mathcal {A} \) acts as a verifier V to interact with m independent copies of P using (id1,,idm), and each copy of prover P will be given a valid witness wiRL(xi). On the right, the adversary \( \mathcal {A} \) acts as a prover P that, on common input \(\left (\widetilde {x}_{1},\cdots,\widetilde {x}_{m}\right) \) to prove the validity of each statement using \(\left (\widetilde {\textsf {id}}_{1},\cdots,\widetilde {\textsf {id}}_{m}\right) \). During the experiment, the statements proved in the right interactions and the identities in both the left and right interactions are all chosen by the adversary \( \mathcal {A} \), and the messages of the left sessions can be scheduled by the adversary \( \mathcal {A} \) without any restriction. Let \( \textsf {view}_{\mathcal {A}}(1^{n},x_{1},\cdots,x_{m},z) \) denotes the random variable that describes the view of \( \mathcal {A} \) in the above experiment. Loosely speaking, an interactive proof is a concurrent non-malleable zero-knowledge protocol, if for all man-in-the-middle adversary \( \mathcal {A} \), there exists a PPT machine (called the simulator-extractor) that can simulate both the left and the right interactions for \( \mathcal {A} \), while outputting a witness for each statement proved by the adversary in the right interactions.

Definition 5

An interactive protocol (P,V) for LNP is said to be concurrent non-malleable zero-knowledge if for every \( n \in \mathbb {N} \), every polynomial m, and every PPT man-in-the-middle adversary \( \mathcal {A} \) that participates in at most m(n) concurrent executions, there exists a PPT machine SE such that:
  1. 1.
    The following ensembles are computationally indistinguishable:
    • \( \{{\sf {view}}_{\mathcal {A}}(\!1^{n},x_{1},\!\cdots \!,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\!\cdots \!,x_{m} \in L\cap \{0,1\}\text {} ^{n},\! z \in \{0,1\}\text {} ^{n} }\)

    • \( \{{\sf {S}}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n}} \)

    where S(1n,x1,,xm,z) is the first output of SE(1n,x1,,xm,z).

     
  2. 2.

    Let \(\left (\widetilde {x}_{1},\cdots,\widetilde {x}_{m}\right) \) be the statements to be proved in the right interactions and \( ({\sf {view}},\{\widetilde {w}_{i}\}\text {} _{i \in m}) \) denote the outputs of SE(1n,x1,,xm,z). For every i[m], if the i-th right interaction is accepting and \( \widetilde {\textsf {id}}_{i} \neq \textsf {id}_{j} \) for all j[m], then \( \widetilde {w}_{i} \) is a valid witness such that \( R_{L}\left (\widetilde {x}_{i}, \widetilde {w}_{i}\right) = 1 \).

     

Indistinguishability obfuscation (Barak et al. 2001)

Definition 6

(Indistinguishability obfuscation) A PPT algorithm \( i\mathcal {O} \) is said to be an indistinguishability obfuscator for a collection of polynomial size circuits \( \mathcal {C}=\cup _{n \in \mathbb {N}}\mathcal {C}_{n} \), if it satisfies:
  1. 1.
    Functionality: For any \( C \in \mathcal {C} \),
    $$ \underset{i\mathcal{O}}{\Pr}[\forall x : i\mathcal{O}(C)(x)=C(x)]=1~. $$
     
  2. 2.
    Indistinguishability: For any poly-size distinguisher \( \mathcal {D} \) there exists a negligible function μ, such that for any \( n \in \mathbb {N} \), \( C_{1}, C_{2} \in \mathcal {C}_{n} \) of the same size and functionality
    $$ \left|\underset{i\mathcal{O}}{\Pr}[D(i\mathcal{O}(C_{1}))=1] - \underset{i\mathcal{O}}{\Pr}[D(i\mathcal{O}(C_{2}))=1] \right|\leq \mu(n). $$
     

Resettable zero-knowledge (Canetti et al. 2000)

Let (P,V) be an interactive proof system for a language L, z be an auxiliary input received by V, t=poly(n), \( \overline {x} = x_{1},x_{2},\cdots,x_{t} \in L \cap \{0, 1\}\text {} ^{n} \) be a sequence of common inputs and \( \overline {w} = w_{1},w_{2},\cdots,w_{t}\) be the corresponding witnesses such that (xi,wi)RL for i=1,,t. The distribution \( \{\textsf {view}^{P(\overline {w})}_{V^{*}(z)}(\overline {x})\} \) is the view of V that defined as follows:
  1. 1.

    Randomly select and fix t random tapes r1,r2,,rt for P, resulting in deterministic strategies \( P^{(i,j)}=P_{x_{i},w_{i},r_{j}} \), defined by \( P_{x_{i},w_{i},r_{j}}(\alpha)=P(x_{i},w_{i},r_{j},\alpha) \)1, for i,j[t].

     
  2. 2.

    A resetting verifier V is allowed to run poly(n)-many sessions with the P(i,j). V can send arbitrary messages to each of the P(i,j) and obtain the responses of P(i,j) to such message.

     
  3. 3.

    Once V decides it is done interacting with the P, it produces its view of these interactions.

     

The distribution \( \{\textsf {S}_{V^{*}(z)}(\overline {x})\}\), indexed by a sequence of common inputs\( \overline {x} = x_{1},x_{2},\cdots,x_{poly(n)} \in L \cap \{0, 1\}\text {} ^{n} \), is the output of an expectedPPT machine S that interacts with V on common inputs\( \overline {x} \).

Definition 7

(Resettable Zero-knowledge) We say that (P,V) is resettable zero-knowledge if for every PPT adversary V there exists an expectedPPT simulator \(\phantom {\dot {i}\!} S_{V^{*}} \) such that the for all pairs \( (\overline {x}, \overline {w}) \in R_{L} \), the ensembles \( \left \{{\sf {view}}^{P(\overline {w})}_{V^{*}(z)}(\overline {x})\right \} \) and \( \{\textsf {S}_{V^{*}(z)}(\overline {x})\} \) are computationally indistinguishable

Theorem 4

(Chongchitmate et al. 2017) Assuming the existence of one-way functions, then any -round concurrent zero-knowledge argument system can be transformed into a O()-round resettable zero-knowledge argument system.

Resettably-sound arguments (Barak et al. 2001)

Definition 8

(Resettably-sound arguments). Let (P,V) is an interactive proof protocol for LNP. A resetting attack of a cheating prover P is defined as follows:
  1. 1.

    Let t=poly(n), uniformly select and fix t random-tapes r1,,rt for V, resulting in deterministic strategies \( V^{(j)}(x) = V_{x,r_{j}} \), defined by \( V_{x,r_{j}}(\alpha) = V(x,r_{j},\alpha) \)2, where x{0,1}n and j[t]. Each V(j)(x) is called an incarnation of V.

     
  2. 2.

    P is allowed to initiate poly(n)-many interactions with the V(j)(x). The activity of P proceeds in rounds. In each round, P chooses x{0,1}n and j[t], defines V(j)(x), and conducts a complete session with it.

     

We say that (P,V) is a resettably-sound argument if for every polynomial-size resetting attack, the probability that in some session the corresponding V(j)(x) has accepted and xL is negligible.

Theorem 5

(Chung et al. 2014) Assume the existence of one-way functions, then there exists a 4-round resettably-sound zero-knowledge argument of knowledge for every language in NP.

Theorem 6

(Deng et al. 2009, Chongchitmate et al. 2017) Assuming the existence of ZAPs (i.e., 2-round resettably-sound resettable witness-indistinguishable proof systems) and family of pseudorandom functions, then there exists a transformation from a -round resettably-sound concurrent zero-knowledge argument to a O()-round resettably-sound resettable zero-knowledge argument.

Constant-round concurrent non-malleable zero-knowledge

Our protocol

In this section, we give our construction of the constant-round concurrent non-malleable zero-knowledge argument system. We use the following building blocks:
  1. 1.

    Two-round statistically binding commitment scheme: Com

     
  2. 2.

    O(1)-round 4-robust one-one CCA-secure commitment scheme: CCACom1:1

     
  3. 3.

    Four-round special-sound witness indistinguishability proofs: WISSP

     
  4. 4.

    O(1)-round witness indistinguishability universal argument: WIUA

     
  5. 5.

    Four-round P-certificates in the delegatable CRS Model: PC

     
Now consider a language LNP and a security parameter n. Let the prover and verifier receive a common inputs x{0,1}n, id{0,1}n. The auxiliary input to the prover is a NP witness w such that RL(x,w)=1. Let m(n) be a polynomial that upper bounds the number of concurrent sessions, and D be a super-constant bounded by log log logn. Then, our protocol proceeds in five stages as follows:
  • In stage 1, the prover P computes c1=Com(0n,ρ1) and sends it to V; V responds with a string \(r \xleftarrow {R} \{0,1\}\text {} ^{4n}\).

  • In stage 2, the prover P computes c2=Com(0n,ρ2) and sends it to V. P and V run a WIUA system where P proves to V that there exists \((M,\rho _{1},\mathcal {O}_{\pi },(j,s_{j}),\rho _{2})\) s.t., (h,c1,c2,r)Λ1 or exists w s.t., (x,w)RL. In more detail, in the simulation phase, P proves that c1=Com(h(M)) for a program M and c2=Com(h(q)) for \( \textsf {q}=((M,\mathcal {O}_{\pi }),(j,s_{j}),r) \). The statement q represents that the oracle program \( M^{\mathcal {O}_{\pi }} \) on input (j,sj) can output a message r. The oracle \( \mathcal {O}_{\pi } \) stores all the CRS and proof pairs {(CRSi,πi)} that generated by the P-certificate system in the current history(see the definition in Table 1).
    Table 1

    The languages used in CNMZK

    Oracle \(\mathcal {O}_{\pi } \):

    \( {\begin {aligned} \mathcal {O}_{\pi }(\textsf {CRS}_{i}) = \left \{\begin {array}{ll} \pi _{i} & \text {if there exists unique}\ \pi _{i} \text {stored in oracle}\ \mathcal {O}_{\pi }\ \text {and} \\ & \textsf {PC}.\textsf {V}_{\textsf {cert}}(1^{n},\textsf {CRS}_{i},\pi _{i}) = 1 \\ \perp & \text {otherwise} \end {array}\right. \end {aligned}} \)

    Circuit \( \mathcal {P}^{n,c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}}\):

    \( {\begin {aligned} \mathcal {P}(d,\rho _{3}) \,=\, \left \{\begin {array}{ll} \kappa & \text {if}\ c_{3}\,=\,\textsf {Com}(d,\rho _{3}),\ \text {then set}\ \kappa \! :=\!\textsf {PC}.\textsf {CRSGen}(\textsf {PP},\textsf {K},d,\rho _{\textsf {{CRSGen}}})\\ \perp & \text {otherwise} \end {array}\right. \end {aligned}} \)

    Equivalent Circuit \( \mathcal {Q}^{n,c_{3},\kappa } \):

    \( \mathcal {Q}(d,\rho _{3}) = \left \{\begin {array}{ll} \kappa &\text {if}\ c_{3}=\textsf {Com}(d,\rho _{3})\\ \perp & \text {otherwise} \end {array}\right. \)

    Language Λ1:

    We say (h,c1,c2,r)Λ1, iff there exist \((M,\rho _{1},\mathcal {O}_{\pi },(j,s_{j}),\rho _{2})\) such that

    \(\rho _{1},\rho _{2},s_{j} \in \{0,1\}\text {} ^{n}, j \in [m], M, \mathcal {O}_{\pi } \in \{0, 1\}\text {} ^{n^{\log \log n}}\);

    c1=Com(h(M),ρ1);

    c2=Com(h(q),ρ2) where \( \textsf {q}=((M,\mathcal {O}_{\pi }),(j,s_{j}),r) \).

    Language Λ2:

    We say (h,PP,c2,c3,r)Λ2, iff there exist \((M,\mathcal {O}_{\pi },(j,s_{j}),d,\rho _{2},\rho _{3})\) such that

    \(d,s_{j},\rho _{2},\rho _{3} \in \{0, 1\}\text {} ^{n}, j \in [m], M, \mathcal {O}_{\pi } \in \{0, 1\}\text {} ^{n^{\log \log n}}\);

    c2=Com(h(q),ρ2) where \( \textsf {q}=((M,\mathcal {O}_{\pi }),(j,s_{j}),r) \);

    c3=Com(d,ρ3) where d=PC.PreGen(PP,q).

    Language Λ3:

    We say \((\textsf {PP},c_{3},\hat {\mathcal {P}}_{\textsf {{CRSGen}}}) \!\in \! \Lambda \)3, iff there exist

    \(\left (\textsf {K},\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{\textsf {{Setup}}}, \rho _{\textsf {{CRSGen}}},\rho _{i\mathcal {O}}\right)\) such that

    \(\textsf {K},\rho _{\textsf {{Setup}}},\rho _{\textsf {{CRSGen}}},\rho _{i\mathcal {O}} \in \{0, 1\}\text {} ^{n}\);

    – (PP,K)=PC.Setup(1n,D,ρSetup);

    \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}}=i\mathcal {O}\left (\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{i\mathcal {O}}\right) \).

    Language Λ4:

    We say \((\textsf {PP},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c_{5}) \in \Lambda \)4, iff there exist (d,ρ3,π) such that

    d,ρ3,π{0,1}n;

    \( \kappa = \hat {\mathcal {P}}_{\textsf {{CRSGen}}}(d,\rho _{3}) \);

    c5=Com((PP,κ),ρ5);

    – PC.Vcert(1n,(PP,κ),π)=1.

  • In stage 3, the verifier V invokes the algorithm PC.setup to generate (PP,K) and sends the public parameter PP to P. The prover P computes c3=Com(0n,ρ3) and sends it to V. P and V run a WIUA system where P proves to V that there exists \((M,\mathcal {O}_{\pi },(j,s_{j}),d,\rho _{2},\rho _{3})\) s.t., (h,PP,c2,c3,r)Λ2 or exists w s.t., (x,w)RL. In more detail, in the simulation phase, P proves that c2=Com(h(q)) and c3=Com(d,ρ3) where d=PC.PreGen(PP,q).

  • In stage 4, the verifier V sends an obfuscation algorithm\( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) to P and gives a ZK argument of the statement \((\textsf {PP},c_{3},\hat {\mathcal {P}}_{\textsf {{CRSGen}}}) \in \Lambda \)3. In more detail, V proves that there exists \((\textsf {K},\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{\textsf {{Setup}}},\rho _{\textsf {{CRSGen}}},\rho _{i\mathcal {O}})\) such that (PP,K)=PC.Setup(1n,D,ρSetup) and \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} =i\mathcal {O}(\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{i\mathcal {O}}) \). The detailed descriptions of the circuit \( \mathcal {P} \) and \( \mathcal {Q} \) are given in Table 1.

  • In stage 5, the prover P computes \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) under identity id, c5=Com(0n,ρ5) and sends them to V. P and V runs a WISSP system where P proves to V that there exists (d,ρ3,π) s,t., \( (\textsf {PP},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c_{5}) \in \Lambda _{4} \) or exists w s.t., \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) and (x,w)RL. In more detail, in the simulation phase, P proves that \( \kappa = \hat {\mathcal {P}}_{\textsf {{CRSGen}}}(d,\rho _{3}) \), c5=Com((PP,κ),ρ5) and PC.Vcert(1n,(PP,κ),π)=1.

The formal protocol CNMZK is described below in Table 1 and Table 2.
Table 2

Constant-round concurrent non-malleable zero-knowledge argument

Common input: xL and identity id{0,1}n.

Auxiliary input to P: wRL(x).

Stage 1: P and V runs a generation protocol as (Barak 2001)

PV: \(h \xleftarrow {R} \mathcal {H}_{n}\)

PV: c1=Com(0n,ρ1)

PV: \(r \xleftarrow {R} \{0,1\}\text {} ^{4n}\)

Stage 2: P runs a WIUA using its auxiliary input w

PV: P sends c2 to V and gives a WIUA argument of the statement xL or (h,c1,c2,r)Λ1, where c2=Com(0n,ρ2).

Stage 3: P runs a WIUA again upon receiving the public parameter PP

PV: V invokes the PC.Setupalgorithm to generate (PP,K) and sends PP to P.

PV: P sends c3 to V and gives a WIUA argument of the statement xL or (h,PP,c2,c3,r)Λ2, where c3=Com(0n,ρ3).

Stage 4: Vdelegates P to generate the CRS

PV: V sends the algorithm\( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) to P and gives a ZK argument of the statement \((\textsf {PP},c_{3},\hat {\mathcal {P}}_{\textsf {{CRSGen}}}) \in \Lambda \)3, where \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} =i\mathcal {O}(\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{i\mathcal {O}}) \).

Stage 5: P runs a WISSP using its auxiliary input w

PV: P sends (c4,c5) to V and gives a WISSP argument of the statement that (x,w)RL(x) or \( (\textsf {PP},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c_{5}) \in \Lambda _{4} \), where \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) and c5=Com((PP,κ),ρ5).

Completeness and soundness

Completeness. The completeness of the protocol can be directly obtained from the construction in Table 2. More specifically, for any xL, wRL(x) and id{0,1}n, from the completeness of the WIUA system in stage 2 and stage 3, the completeness of the ZK argument system in stage 4 and the completeness of WISSP system in stage 5, we have that Pr[P(w),V(z)(x,id)]=1.

Soundness. The soundness of protocol follows from (1) the binding property of the commitments c1,c2,c3 in stage 1, 2 and 3; (2) the hiding property of \( i\mathcal {O} \) for the circuit \( \mathcal {P} \) in stage 4; (3) the selective strong soundness of P-certificates and (4) the special-soundness of WISSP used in stage 5. Roughly speaking, assume that the statement xL. Consider the point where the prover has given the commitment c3 and is now expecting the verifier message \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \). Because at this point, c1,c2,c3,PP,K are determined, the two circuit \( \mathcal {P} \) and \( \mathcal {Q} \) described in Table 1 are functional equivalent. We assume that, w.l.o.g, \( \mathcal {P} \) and \( \mathcal {Q} \) have the same polynomial size in n, then from the security definition of \( i\mathcal {O} \), we can infer that the secret key K is hiding in the obfuscation circuit \( \hat {\mathcal {P}} \). Otherwise, we can use the adversary to distinguish the circuit \( i\mathcal {O(P)} \) and \( i\mathcal {O(Q)}\), which leads to a contradiction. Next in stage 5, if there exists a PPT cheating P who can convince the verifier, then from the definition of P-certificate system, there must exist an accepted P-certificate π argument of the statement q is true based on CRS=(PP,κ)except with negligible probability. That is there exists an PPT machine M on input a short bit string (j,s) (of length bounded in 3n) can predict the challenge message r (length of 4n). However, this is information theoretically impossible. Thus, we reach a contradiction through violate the soundness of Barak’s protocol.

Next, we describe the construction of our simulator-extractor SE in “Our simulator-extractor” section and show its correctness satisfies the definition of CNMZK in “The view generated by the simulator” section and “The witnesses output by the extractor” section.

Our simulator-extractor

Recall that the definition of CNMZK requires the existence of a simulator-extractor SE that can simulate the view of a man-in-the-middle adversary \( \mathcal {A} \) while extracting a witness in every accepted right session. Below, we sketch how to build a simulator-extractor. First, we construct a PPT simulator S that simulates the view of \( \mathcal {A} \) but does not extract witnesses in the right seasons. Then, we construct a PPT simulator-extractor SE via the intermediate simulator S, which can simulate the view of \( \mathcal {A} \) and extract the witnesses by the committed value oracle. Simulator S On a high level, S internally invokes \( \mathcal {A} \) and interacts with \( \mathcal {A} \) as honest prover and honest verifier in the following way. To simulate the view of each session in the right interactions, S simply follows the honest verifier strategy. To simulate the view of each session in the left interactions, S uses the description of the adversary \( \mathcal {A} \) as the fake witness and reused the previous generated P-certificates if necessary in a straight-line manner. The formal description of this process will be given below. Finally, S outputs the view of the adversary \( \mathcal {A} \). Simulator SE On a high level, SE simulates the view of \( \mathcal {A} \) by executing S as the first part of its output. For each i[m], if the i-th right session is accepted and \( \widetilde {\textsf {id}}_{i} \) is different from idj for all j[m], SE extracts a witness from the session i by oracle access to the one-session committed-value oracle\( \mathcal {O}_{\textsf {cca}} \) of CCACom1:1.

The view generated by the simulator

In this section, we show that the view generated by S is indistinguishable from the real view of \( \mathcal {A} \):

Lemma 1

The following ensembles are computationally indistinguishable:
  • \( \{\textsf {view}_{\mathcal {A}}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n} }\)

  • \( \{\textsf {S}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n}} \)

Proof

To simplify the exposition, w.l.o.g, we assume that the man-in-the-middle adversary \( \mathcal {A} \) is a deterministic Turing machine with a non-uniform advice. Let N=c·m denote the total number of messages between the simulator S and \( \mathcal {A} \), where c is the rounds of our CNMZK protocol and m is the total number of concurrent sessions bounded by a polynomial.

We invoke the forward-secure pseudorandom generator to generate the random-tape we needed. Let fsPRG(s,N)=((sN,,s1),(ρN,,ρ1)), where s{0,1}n is the random seed and each ρj{0,1}n is the randomness used to generate the j-th prover message in the left side.

We use three tables \(\mathcal {V},\mathcal {O}_{\pi },\mathcal {T}\). \( \mathcal {V} \) stores the commitment values in the simulation of the left interaction. \( \mathcal {O}_{\pi } \) stores all the CRS and proof pairs {(CRSi,πi)} generated by the P-certificate system in the current history. \( \mathcal {T} \) stores the messages simulated so far in both left and right sides. We initialize \( \mathcal {O}_{\pi },\mathcal {T} \) to be empty and add the code descriptions of the simulator S and \( \mathcal {A} \) to table \( \mathcal {V} \). Next we give a detailed description of the program \( \textsf {S}(1^{n},x_{1},\cdots,x_{m},\mathcal {A},\mathcal {V},\mathcal {O}_{\pi },\mathcal {T},s,N) \):

In each right session, S interacts with \( \mathcal {A} \) simply by following the honest verifier strategy described in our protocol 2. It can generate its random coins by using the PRG on a random seed in this part of the execution. In each left session, do as follows:
  • Simulate Stage 1 Upon receiving a hash function hi in session i, S provides a commitment \( c^{1}_{i} \) to \(M_{i}((\cdot,\cdot),\mathcal {A},\mathcal {T})\), where Mi is an interactive Turing machine with the code description of S and \( \mathcal {A} \) plus the current state of them. Here the first two parameters of Mi will be given when Mi is used as the witness to construct the statement qi in stage 2.

  • Simulate Stage 2 Upon receiving a challenge ri in session i during the j-th communication round, S retrieves the committed value Mi and provides a commitment \( c^{2}_{i} \) to the trapdoor statement \( \textsf {q}_{i}=((M_{i},\mathcal {O}_{\pi }),(j,s_{j}),r_{i}) \), where sj is the random seed used by fsPRG in the j-th round. According to our previous definition, the oracle program \( M^{\mathcal {O}_{\pi }} \) on input (j,sj) can recover all the previous randomness and any oracle queries {CRSi} that \( M^{\mathcal {O}_{\pi }} \) makes before it outputs r can be answered using the current \( \mathcal {O}_{\pi } \). Thus, the simulator S can use \( (M_{i},\mathcal {O}_{\pi },(j,s_{j})) \) and the corresponding randomness to finish the WIUA for the statement \((h_{i},c^{1}_{i},c^{2}_{i},r_{i}) \in \Lambda \)1.

  • Simulate Stage 3 Upon receiving a challenge PPi in session i during the j-th communication round, S provides a commitment \( c^{3}_{i} \) to the digest di, where di=PC.PreGen(PPi,qi). Now we can make S use the fake witnesses \( (M_{i},\mathcal {O}_{\pi },(j,s_{j}),d_{i}) \) and the corresponding randomness to finish the WIUA for the statement \((h_{i},\textsf {PP}_{i},c^{2}_{i},c^{3}_{i},r_{i}) \in \Lambda \)2.

  • Simulate Stage 4 Upon receiving an obfuscated program \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) in session i during the j-th communication round, S interacts with \( \mathcal {A} \) as an honest verifier to finish the ZK argument part.

  • Simulate Stage 5 Upon receiving the last message from \( \mathcal {A} \) in Stage 4 of session i, S computes \(\kappa _{i} = \hat {\mathcal {P}}_{\textsf {{CRSGen}}}(d,\rho _{3})\) and πi=PC.Pcert(qi,CRSi). Now for the CRSi=(PPi,κi), S checks if PC.Vcert(1n,CRSi,πi)=1 and extends the pair (CRSi,πi) to the oracle \(\mathcal {O}_{\pi }\), otherwise it will abort. Next, S provides a commitment \( c^{4}_{i} \) to a dummy string i.e., 0n and a commitment \( c^{5}_{i} \) to CRSi. Thus, S has all the witnesses \(\phantom {\dot {i}\!} (\textsf {d}_{i},\rho _{\textsf {d}_{i}},\pi _{i}) \) for the statement \(\left (\textsf {PP}_{i},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c^{5}_{i}\right) \in \Lambda \)4, it can finish the WISSP in stage 5.

Finally, the simulator will output all the messages of the both interactive sides stored in the table \(\mathcal {T}\).

Correctness of the simulation. We observe the correctness of S. By our construction, the only place where abort is likely to happen is when the simulator computes an unaccepted certificate πi for CRSi based on a true statement qi in stage 5. However, the only difference of the P-certificates system used in our protocol is that, instead of sending κ in directly, the verifier first send the indistinguishability obfuscation of the GenCRS algorithm and then give a ZK argument to prove their correctness. Thus, from the perfect correctness of the indistinguishability obfuscator, the completeness of zero-knowledge argument and the perfect completeness of our P-certificates system, it suffices to show that for a true statement qi, the probability of Vcert(1n,CRSi,πi)≠1 is only negligible. So the probability of simulator output abort is also negligible.

Indistinguishability of the simulation. Now we use the hybrid argument to show the indistinguishability of the simulation, consider 2N hybrid experiments as follows. Experiment Hybi, 0≤iN: the first i communication rounds are simulated by simulator S with the pseudo-randomness and fake witness, and all the later communication round j>i are simulated by simulator S with true randomness and the true witnesses. We also define hybrid \( \textsf {Hyb}^{i}_{+} \) that proceed identically as Hybi except that it simulates the i-th round following the honest prover strategy using the real witness.

Claim 1

The output of \( \textsf {Hyb}^{i}_{+} \) and Hybi are computationally indistinguishable. □

Proof

Because \( \textsf {Hyb}^{i}_{+} \) and Hybi differs only which witness (fake or real) is used in the i-round of the left interaction. If in the i-th round the prover message is a commitment to a witness, indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hybi follows directly by the hiding property of the commitment scheme. If in the i-th round the prover message is a message of the WIUA or WISSP subprotocol, indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hybi follows directly by the witness indistinguishability property of the WIUA or WISSP. □

Claim 2

The output of \( \textsf {Hyb}^{i}_{+} \) and Hybi+1 are computationally indistinguishable.

Proof

Because \( \textsf {Hyb}^{i}_{+} \) and Hybi+1 differs only which randomness (true or pseudo) is used in the i-round of the left interaction. The indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hybi+1 follows directly from the forward security of the PRG. □

Finally, it is easy to see that the output of HybN is identical to the output of S, and the output of Hyb0 is identical to the real view \( \textsf {view}_{\mathcal {A}} \). Because there are at most polynomial hybrids in this experiment, we can conclude that the output of S is indistinguishable from the output of the real interaction.

Combining the above, the Lemma 1 follows.

The witnesses output by the extractor

Proof

Our simulator-extractor SE in “Our simulator-extractor” section allows the extractor to access the decommitment oracle. We note that this is allowed for the reason of a k-robust CCA-secure commitment scheme used in our protocol. From the definition 2, we know that, for any constant-round k, the joint output of every k-round interaction, with an adversary (here it means the SE) having access to the oracle \( \mathcal {O}_{\textsf {cca}} \), can be simulated without the oracle in polynomial time. That is, the simulator-extractor SE access to the oracle does not help it in participating in any k-round protocols. But allowing the simulator-extractor SE to access the oracle has the following benefits, we only need to pay attention to the impact of the hybrid experiment on SE when switching on the left witness from real to fake, without any further analysis of the interference from the right rewinding. So in the following, we just need to analyze whether such simulator-extractor can output the witness.

Consider the series of hybrids, we define \( \textsf {SE}^{i} \left (\textsf {SE}_{+}^{i}\right)\) the same as SE except that the execution of S is replaced with that of \( \textsf {Hyb}^{i}\left (\textsf {Hyb}_{+}^{i}\right) \). Then, by the definition of CNMZK, we need to argument that, in the experiment SEN (which identical to SE), for any PPTman-in-the-middle adversary \( \mathcal {A} \) and every x1,,xm{0,1}nL, such that for each right interaction that is accepted and uses a different identity from all left interactions, the simulator-extractor SE does extract a valid witness of the statement proved.

Observe that in the experiment \( \textsf {SE}_{+}^{0} \), the simulator S holds all the real witnesses of the left sessions and just acts as an honest prover in each left interaction and an honest verifier in each right interaction. Then following from the soundness of our protocol, we can conclude that in every accepted right interaction, \( \mathcal {A} \) commits a real witness in the CCACom1:1 successfully except with negligible probability. In other words, \( \mathcal {A} \) never cheats in \( \textsf {SE}_{+}^{0} \), so the simulator-extractor can extract the witness with the help of the committed value oracle except with negligible probability.

Next, we observe the experiment SEN which based on the definition of HybN. Now we assume that there exists a polynomial function p such that \( \mathcal {A} \) cheats in one of the right sessions in the experiment SEN with probability 1/p(n). In other words, there exists a right session which is accepted and uses a different identity from all the left interactions such that \( \mathcal {A} \) fails to commit to a valid witness in Stage 5 with probability 1/p(n). Then SEN can not extract the witness from this right session with probability 1/p(n) as well. However, we have that \( \textsf {SE}_{+}^{0} \) can extract the witness from this right session except with negligible probability. Thus, from an average argument, there must exist an i such that the probability of cheating differ by at least a polynomial amount in the hybrids SEi and \( \textsf {SE}_{+}^{i} \) or in the hybrids \( \textsf {SE}_{+}^{i}\) and SEi+1. Therefore, there is a gap between A’s chance of committing the valid witness on the right in \( \textsf {SE}_{+}^{i}\) and SEi+1 or there is a gap between A’s chance of committing the valid witness on the right in SEi and \( \textsf {SE}_{+}^{i} \). We analyze these two cases as follows:

In the first case, the only difference between \( \textsf {SE}_{+}^{i}\) and SEi+1 is which randomness (true or pseudo) is used in the i-round of the left interaction. Therefore, they are computationally indistinguishable from claim 2. In the second case, the only difference between SEi and \( \textsf {SE}_{+}^{i} \) is which witness (fake or real) is used in the i-th round. The former, in stage 5, uses a dummy string 0n as the committed value of CCACom1:1 followed with an WISSP for knowing the fake witness instead of the witness wi of xi. The latter, in stage 5, acts as an honest prover holding a real witness wi of xi. If the gap is due to the committed value of CCACom1:1, then we can use this gap to break the security of the non-malleable w.r.t itself. If the gap is due to the witness used in the four-round WISSP of the left session, then we can use this gap to break the 4-robustness CCA-secure of CCACom1:1.

Thus, we reach a contradiction, in the experiment SEN, \( \mathcal {A} \) must commit to a valid witness in Stage 5 except with negligible probability. We know that the output of SEN is identical to the output of SE, hence the simulation-extractability of protocol 2 follows.

Combining “The view generated by the simulator” section and “The witnesses output by the extractor” section, the concurrent non-malleable zero-knowledge property follows. This completes the proof of Theorem 1. □

Simultaneously-resettable and non-malleable zero-knowledge

From concurrent NMZK to resettable NMZK

In (Chongchitmate et al. 2017), Chongchitmate et al. gave a transformation from any constant-round concurrent ZK to a constant-round resettable ZK based on (Barak et al. 2001; Deng et al. 2009). We observe that this transformation essentially preserves the non-malleability. That is, if the original protocol is a constant-round concurrentNMZK, then the new protocol will be a constant-round resettableNMZK. We provide the details of the transformation in Table 3, which are taken almost verbatim from (Chongchitmate et al. 2017), except that we require the prover and the verifier to have a extra common id. Then we give a proof about the non-malleability for this new protocol.
Table 3

Constant-Round Resettable NMZK Argument(rNMZK)

The prover P and the verifier V on common input 1n, x and id, and private input w for P:

1. V sends m0=(Com(r1),,Com(r)) to P, where =O(1) is the number of rounds of the CNMZK protocol.

2. P chooses a random seed s for a pseudorandom function fs:{0,1}→{0,1}l(n) where l(n) is the upper bound of the size of random bits that P needs in each round of the protocol CNMZK in Table 2

3. P and V run protocol CNMZK with the following modifications:

– For each message mi that V sends in the i-th round of CNMZK, V and P run (PrsZK,VrsZK) so that V proves to P that mi is computed using random bits ri that committed in m0 in the first round.

– For each message mi′ that P sends in the i-th round of CNMZK, P applies fs to the transcript so far and uses the output as random bits to compute mi′.

Lemma 2

Protocol rNMZK in Table 3 is a constant-round resettable non-malleable ZK argument system.

Proof

The proof of the completeness and soundness conditions are similar to our proof in “The view generated by the simulator” section, and are omitted. The proof of the resettable zero-knowledge can be directly obtained from the Theorem 4, because the protocol CNMZK itself is a constant-roundCZK protocol. Next, we give the analysis of non-malleability.

Roughly speaking, for a man-in-the-middle adversary \( \mathcal {A} \) with an extra power of resetting attack, we need to prove that the view of \( \mathcal {A} \) in the real interaction can be simulated by a simulator without all the witnesses of the left sessions, and there exists an extractor that can extract the witnesses in every accepting right session from this simulated view. More specifically, we first construct a simulator and give an extractor based on this simulator as the previous section. Then, we reduce the security to the underlying assumptions by using a series of hybrids.

Let \( \textsf {H}_{0}=\{\textsf {real-view}_{f_{s}},\{\widetilde {w}_{i}\}\text {} _{i\in [m]}\} \) denote the combined view of \( \mathcal {A} \) in the real experiment of the protocol rNMZK and the values extracted by the committed value oracle. Then, following from the soundness of the protocol rNMZK that, except with negligible probability, in every accepting right interaction, \( \mathcal {A} \) commits to a real witness in stage 5 and the extracted value is a real witness as well.

Next, we modify the protocol rNMZK into a protocol rNMZKF by replacing the pseudorandom function fs with a truly random function F:{0,1}→{0,1}l(n). Let \( \textsf {H}_{1}=\{\textsf {real-view}_{F},\{\widetilde {w}_{i}\}\text {} _{i\in [m]}\} \) denote the combined view of \( \mathcal {A} \) in the real experiment of the protocol rNMZKF and the values extracted the committed value oracle. It then follows from the security of pseudorandom function that, the view and the value extracted from oracle are computationally indistinguishable in H0 and H1. Otherwise, we can use the adversary to break the indistinguishability between the pseudorandom function family and truly random function family.

Next, we construct our simulator \( \hat {\textsf {S}} \) based on the simulator S in the “The view generated by the simulator” section. We need \( \hat {\textsf {S}} \) to be able to emulate the execution for the man-in-the-middle and resetting adversary \( \mathcal {A} \) in the protocol rNMZKF. For the adversary \( \mathcal {A} \), we divide its resetting attack in the left into two cases. The first case is that the new first message m0 sent by \( \mathcal {A} \) is different from all the first messages in the previous sessions on the left. Because our protocol rNMZKF uses the truly random function F, in such case, we can see it as a new session, and simulator \( \hat {\textsf {S}} \) just does the simulation of the left and right interactions in the same manner as S. Additionally, when executing the part of resettably-roundness ZK protocol, the simulator \( \hat {\textsf {S}} \) will act as an honest verifier on the left. The second case is that the new first message m0 sent by \( \mathcal {A} \) has been sent in a previous session, and then the simulator \( \hat {\textsf {S}} \) just resends the responses from its history records of the corresponding session. This is because, for a fixed truly random function F, the transcript of the whole session are fixed when the message m0 is fixed. Otherwise, we can use this experiment to break the binding property of the commitment scheme Com.

Let sim-viewF be the view of \( \mathcal {A} \) in the simulated experiment of the protocol rNMZKF by the simulator \( \hat {\textsf {S}} \), \( \{\widetilde {w}_{i}\}\text {} _{i\in [m]} \) be the values extracted by the committed value oracle. It is easy to see that the {sim-viewF} and {real-viewF} are computationally indistinguishable, otherwise we can use this experiment to break the concurrent zero-knowledge of the protocol CNMZK. Now denote \( \textsf {H}_{2} = \{\textsf {sim-view}_{F},\{\widetilde {w}_{i}\}\text {} _{i\in [m]}\} \) as the combined view of \( \mathcal {A} \) in the simulate and extract experiment of the protocol rNMZKF. As before, we can construct a series of hybrids as “The witnesses output by the extractor” section to argument that the view and the values are indistinguishable in H2 and H1 by reducing to the security of the 4-robust one-one CCA-secure commitment scheme Com1:1(the non-malleable w.r.t itself or the 4-round WISSP).

More specifically, suppose that when the adversay \( \mathcal {A} \) complete the resetting attack against the prover, the total number of rounds of the left interactions is N and w.l.o.g, we assume N is bounded by a fixed polynomial. For each i[N], define the simulator \( \hat {\textsf {S}}^{i} \) that the first i communication rounds are simulated by simulator \( \hat {\textsf {S}} \) with the pseudo-randomness and fake witness, and all the later communication round j>i are simulated by simulator \( \hat {\textsf {S}} \) with true randomness and the true witnesses. We also define the simulator \( \hat {\textsf {S}}^{i}_{+} \) that proceed identically as \( \hat {\textsf {S}}^{i} \) except that it simulates the i-th round following the honest prover strategy using the real witness. Then, let us consider the following hybrid experiments. The experiment \( \hat {\textsf {H}}^{i} \left (\hat {\textsf {H}}_{+}^{i}\right)\) is the same as H2 except that the execution of \( \hat {\textsf {S}} \) is replaced with that of \( \hat {\textsf {S}}^{i}\left (\hat {\textsf {S}}^{i}_{+} \right) \). It is easy to see that the output of \( \hat {\textsf {H}}^{N'} \) is identical to the output of H2, and the output of \( \hat {\textsf {H}}^{0} \) is identical to the real view of H1.

Now, assume there exists a polynomial function p, such that the resetting attacker \( \mathcal {A} \) cheats in one of the right sessions in the experiment H2 with probability 1/p(n). We mean that there exists a right session that is accepted and uses a different identity from all the left interactions, \( \mathcal {A} \) fails to commit to a valid witness in Stage 5 with probability 1/p(n). Then H2 can not extract the witness from this right session with probability 1/p(n) as well. However, we have that H1 can extract the witness from this right session except with negligible probability. Thus, from an average argument, there must exist an i such that the probability of cheating differ by at least a polynomial amount in the hybrids \( \hat {\textsf {H}}^{i} \) and \(\hat {\textsf {H}}_{+}^{i} \) or in the hybrids \( \hat {\textsf {H}}_{+}^{i}\) and \( \hat {\textsf {H}}^{i+1} \).

The same analysis as before, the only difference between \( \hat {\textsf {H}}_{+}^{i}\) and \( \hat {\textsf {H}}^{i+1} \) is which randomness (true or pseudo) is used in the i-round of the left interaction, hence the two ensembles are computationally indistinguishable. On the other hand, the only difference between \( \hat {\textsf {H}}^{i} \) and \(\hat {\textsf {H}}_{+}^{i} \) is which witness (fake or real) is used in the i-th round. The former, uses a dummy string 0n as the committed value of CCACom1:1 followed with an WISSP for knowing the fake witness instead of the witness wi of xi; the latter, acts as an honest prover holding a real witness wi of xi. If the gap is due to the committed value of CCACom1:1, then we can use this gap to break the security of the non-malleable w.r.t itself. If the gap is due to the witness used in the four-round WISSP of the left session, then we can use this gap to break the 4-robustness CCA-secure of CCACom1:1. Hence, we obtain a contradiction.

Thus, we have that H2 is computationally indistinguishable from H1. Recall that in the beginning we have proved that H1≈H0, so we have that H2 is also computationally indistinguishable from H0. Combining the above, we obtain that the protocol in Table 3 is resettable non-malleable zero-knowledge.

This concludes the proof of Lemma 2. □

Towards constant-round simultaneously-resettable NMZK

Towards the constant-round simultaneously-resettableNMZK, we first transform the constant-roundCNMZK protocol into a constant-round resettably-soundCNMZK (rsCNMZK), which is similar to the method of (Chongchitmate et al. 2017). More specifically, in each round, we let the verifier generate its randomness by using a pseudorandom function fs:{0,1}→{0,1}l(n) to his transcript so far. Additionally, we replace the ZK argument in stage 4 with a constant-round rNMZK argument constructed in Table 3.

The final step, to obtain our Theorem 2, we apply the transformation of (Deng et al. 2009) (Theorem 6) to our constant-round rsCNMZK protocol to obtain the constant-round simultaneous resettability NMZK. This step can be proved by using the same approach in “The view generated by the simulator” section based on the analysis of (Deng et al. 2009). Intuitively, on the one hand, a protocol with an extra resettably-sound property will not increase the power of the man-in-the-middle adversary on the right; on the other hand, for a man-in-the-middle adversary with resetting-attack on the left, we can construct a simulator-extractor to simulate its view and extract the witnesses in the right accepted session, otherwise we can use this experiment to break the 4-robust one-one CCA-secure commitment scheme Com1:1.

Combining “From concurrent NMZK to resettable NMZK” section and “Towards constant-round simultaneously-resettable NMZK” section, the constant-round simultaneously-resettable non-malleable zero-knowledge protocol follows.

This completes the proof of Theorem 2. □

Conclusions

In this paper, we provide the first construction of a constant-round concurrent non-malleable zero-knowledge argument for every language in NP and give a detailed proof for our protocol. Furthermore, by studying the composition of the simultaneously resettable zero-knowledge and the non-malleable zero-knowledge, we give the first construction of a constant-round simultaneously-resettable non-malleable zero-knowledge. However, there is still an interesting question about how to design a round-optimal concurrent non-malleable zero-knowledge argument. Here we leave it as an open problem.

Footnotes
1

Here, P(xi,wi,rj,α) denotes the message sent by the strategy P on common input xi, auxiliary input wi and random-tape rj, after seeing the message-sequence α.

 
2

Here, V(x,rj,α) denotes the message sent by the strategy V on common input x, random-tape rj, after seeing the message-sequence α.

 

Declarations

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China (Grant No. 61772521), Key Research Program of Frontier Sciences, CAS (QYZDB-SSW-SYS035), and the Open Project Program of the State Key Laboratory of Cryptology. The first author wants to thank Yiwen Gao for making useful comments on the paper.

Authors’ contributions

All authors read and approved the final manuscript.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Authors’ Affiliations

(1)
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
(2)
School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

References

  1. Barak, B (2001) How to go beyond the black-box simulation barrier In: 42nd Annual Symposium on Foundations of Computer Science, FOCS, 106–115.. IEEE Computer Society, Las Vegas. https://doi.org/10.1109/SFCS.2001.959885.Google Scholar
  2. Barak, B, Goldreich O, Goldwasser S, Lindell Y (2001) Resettably-sound zero-knowledge and its applications In: 42nd Annual Symposium on Foundations of Computer Science, FOCS, 116–125.. IEEE Computer Society, Las Vegas. https://doi.org/10.1109/SFCS.2001.959886.Google Scholar
  3. Barak, B, Goldreich O, Impagliazzo R, Rudich S, Sahai A, Vadhan SP, Yang K (2001) On the (im)possibility of obfuscating programs In: Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Proceedings, 1–18.. Springer, Santa Barbara. https://doi.org/10.1007/3-540-44647-8_1.Google Scholar
  4. Barak, B, Prabhakaran M, Sahai A (2006) Concurrent non-malleable zero knowledge In: 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2006), Proceedings, 345–354.. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2006.21.View ArticleGoogle Scholar
  5. Bellare, M, Yee BS (2003) Forward-security in private-key cryptography In: Topics in Cryptology - CT-RSA 2003, The Cryptographers’ Track at the RSA Conference, Proceedings, 1–18.. Springer, San Francisco. https://doi.org/10.1007/3-540-36563-X_1.Google Scholar
  6. Bitansky, N, Paneth O (2015) On non-black-box simulation and the impossibility of approximate obfuscation. SIAM J Comput 44(5):1325–1383.MathSciNetView ArticleGoogle Scholar
  7. Boyle, E, Chung K, Pass R (2014) On extractability obfuscation In: Theory of Cryptography - 11th Theory of Cryptography Conference, TCC. Proceedings, 52–73.. Springer, San Diego. https://doi.org/10.1007/978-3-642-54242-8_3.Google Scholar
  8. Canetti, R, Goldreich O, Goldwasser S, Micali S (2000) Resettable zero-knowledge (extended abstract) In: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, 235–244.. ACM, Portland. https://doi.acm.org/10.1145/335305.335334.Google Scholar
  9. Canetti, R, Kilian J, Petrank E, Rosen A (2001) Black-box concurrent zero-knowledge requires omega~(log n) rounds In: Proceedings on 33rd Annual ACM Symposium on Theory of Computing, STOC, 570–579.. ACM, Heraklion. http://doi.acm.org/10.1145/380752.380852.Google Scholar
  10. Canetti, R, Lin H, Paneth O (2013) Public-coin concurrent zero-knowledge in the global hash model In: Theory of Cryptography - 10th Theory of Cryptography Conference, TCC. Proceedings, 80–99.. Springer, Tokyo. https://doi.org/10.1007/978-3-642-36594-2_5.Google Scholar
  11. Canetti, R, Lin H, Pass R (2010) Adaptive hardness and composable security in the plain model from standard assumptions In: 51th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 541–550.. IEEE Computer Society, Las Vegas. https://doi.org/10.1109/FOCS.2010.86.Google Scholar
  12. Cho, C, Ostrovsky R, Scafuro A, Visconti I (2012) Simultaneously resettable arguments of knowledge In: Theory of Cryptography - 9th Theory of Cryptography Conference, TCC. Proceedings, 530–547.. Springer, Taormina. https://doi.org/10.1007/978-3-642-28914-9_30.MATHGoogle Scholar
  13. Chongchitmate, W, Ostrovsky R, Visconti I (2017) Resettably-sound resettable zero knowledge in constant rounds In: Theory of Cryptography - 15th International Conference, TCC, Proceedings, Part II, 111–138.. Springer, Baltimore. https://doi.org/10.1007/978-3-319-70503-3_4.Google Scholar
  14. Chung, K-M, Lin H, Pass R (2013) Constant-round concurrent zero knowledge from p-certificates In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 50–59.. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2013.14.Google Scholar
  15. Chung, K-M, Lin H, Pass R (2015) Constant-round concurrent zero-knowledge from indistinguishability obfuscation In: Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Proceedings, Part I, 287–307.. Springer, Santa Barbara. https://doi.org/10.1007/978-3-662-47989-6_14.View ArticleGoogle Scholar
  16. Chung, K-M, Ostrovsky R, Pass R, Venkitasubramaniam M, Visconti I (2014) 4-round resettably-sound zero knowledge In: Theory of Cryptography - 11th Theory of Cryptography Conference, TCC. Proceedings, 192–216.. Springer, San Diego. https://doi.org/10.1007/978-3-642-54242-8_9.Google Scholar
  17. Chung, K-M, Ostrovsky R, Pass R, Visconti I (2013a) Simultaneous resettability from one-way functions In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 60–69.. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2013.15.Google Scholar
  18. Chung, K-M, Pass R, Seth K (2013b) Non-black-box simulation from one-way functions and applications to resettable security In: Symposium on Theory of Computing Conference, STOC’13, 231–240.. ACM, Palo Alto. http://doi.acm.org/10.1145/2488608.2488638.Google Scholar
  19. Ciampi, M, Ostrovsky R, Siniscalchi L, Visconti I (2016) Concurrent non-malleable commitments (and more) in 3 rounds In: Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Proceedings, Part III, 270–299.. Springer, Santa Barbara. https://doi.org/10.1007/978-3-662-53015-3_10.View ArticleGoogle Scholar
  20. Deng, Y, Goyal V, Sahai A (2009) Resolving the simultaneous resettability conjecture and a new non-black-box simulation strategy In: 50th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 251–260.. IEEE Computer Society, Atlanta. https://doi.org/10.1109/FOCS.2009.59.Google Scholar
  21. Dolev, D, Dwork C, Naor M (2000) Nonmalleable cryptography. SIAM J Comput 30(2):391–437.MathSciNetView ArticleGoogle Scholar
  22. Dwork, C, Naor M, Sahai A (1998) Concurrent zero-knowledge In: Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, STOC, 409–418.. ACM, Dallas. http://doi.acm.org/10.1145/276698.276853.Google Scholar
  23. Garg, S, Gentry C, Halevi S, Raykova M, Sahai A, Waters B (2013) Candidate indistinguishability obfuscation and functional encryption for all circuits In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 40–49.. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2013.13.Google Scholar
  24. Garg, S, Ostrovsky R, Visconti I, Wadia A (2012) Resettable statistical zero knowledge In: Theory of Cryptography - 9th Theory of Cryptography Conference, TCC. Proceedings, 494–511.. Springer, Taormina. https://doi.org/10.1007/978-3-642-28914-9_28.Google Scholar
  25. Goldwasser, S, Micali S, Rackoff C (1989) The knowledge complexity of interactive proof systems. SIAM J Comput 18(1):186–208. https://doi.org/10.1137/0218012.MathSciNetView ArticleGoogle Scholar
  26. Goyal, V, Lin H, Pandey O, Pass R, Sahai A (2015) Round-efficient concurrently composable secure computation via a robust extraction lemma In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part I, 260–289.. Springer, Warsaw. https://doi.org/10.1007/978-3-662-46494-6_12.Google Scholar
  27. Håstad, J, Impagliazzo R, Levin LA, Luby M (1999) A pseudorandom generator from any one-way function. SIAM J Comput 28(4):1364–1396.MathSciNetView ArticleGoogle Scholar
  28. Ishai, Y, Pandey O, Sahai A (2015) Public-coin differing-inputs obfuscation and its applications In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part II, 668–697.. Springer, Warsaw. https://doi.org/10.1007/978-3-662-46497-7_26.Google Scholar
  29. Khurana, D, Sahai A (2017) How to achieve non-malleability in one or two rounds In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS, 564–575.. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2017.58.Google Scholar
  30. Kilian, J, Petrank E, Rackoff C (1998) Lower bounds for zero knowledge on the internet In: 39th Annual Symposium on Foundations of Computer Science, FOCS ’98, 484–492.. IEEE Computer Society, Palo Alto. https://doi.org/10.1109/SFCS.1998.743499.Google Scholar
  31. Kiyoshima, S (2014) Round-efficient black-box construction of composable multi-party computation In: Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Proceedings, Part II, 351–368.. Springer, Santa Barbara. https://doi.org/10.1007/978-3-662-44381-1_20.View ArticleGoogle Scholar
  32. Kiyoshima, S (2015) An alternative approach to non-black-box simulation in fully concurrent setting In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part I, 290–318.. Springer, Warsaw. https://doi.org/10.1007/978-3-662-46494-6_13.Google Scholar
  33. Lin, H, Pass R (2009) Non-malleability amplification In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC, 189–198.. ACM, Bethesda. http://doi.acm.org/10.1145/1536414.1536442.View ArticleGoogle Scholar
  34. Lin, H, Pass R (2011) Concurrent non-malleable zero knowledge with adaptive inputs In: Theory of Cryptography - 8th Theory of Cryptography Conference, TCC. Proceedings, 274–292.. Springer, Providence. https://doi.org/10.1007/978-3-642-19571-6_17.Google Scholar
  35. Lin, H, Pass R (2012) Black-box constructions of composable protocols without set-up In: Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference. Proceedings, 461–478.. Springer, Santa Barbara. https://doi.org/10.1007/978-3-642-32009-5_27.View ArticleGoogle Scholar
  36. Lin, H, Pass R, Soni P (2017) Two-round and non-interactive concurrent non-malleable commitments from time-lock puzzles In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS, 576–587.. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2017.59.Google Scholar
  37. Lin, H, Pass R, Tseng WD, Venkitasubramaniam M (2010) Concurrent non-malleable zero knowledge proofs In: Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference. Proceedings, 429–446.. Springer, Santa Barbara. https://doi.org/10.1007/978-3-642-14623-7_23.View ArticleGoogle Scholar
  38. Lin, H, Pass R, Venkitasubramaniam M (2008) Concurrent non-malleable commitments from any one-way function In: Theory of Cryptography, Fifth Theory of Cryptography Conference, TCC, 571–588.. Springer, New York. https://doi.org/10.1007/978-3-540-78524-8_31.Google Scholar
  39. Micciancio, D, Ong SJ, Sahai A, Vadhan S (2006) Concurrent zero knowledge without complexity assumptions In: Theory of Cryptography, Third Theory of Cryptography Conference, TCC, Proceedings, 1–20.. Springer, New York. https://doi.org/10.1007/11681878_1.Google Scholar
  40. Orlandi, C, Ostrovsky R, Rao V, Sahai A, Visconti I (2014) Statistical concurrent non-malleable zero knowledge In: Theory of Cryptography - 11th Theory of Cryptography Conference, TCC. Proceedings, 167–191.. Springer, San Diego. https://doi.org/10.1007/978-3-642-54242-8_8.Google Scholar
  41. Ostrovsky, R, Pandey O, Visconti I (2010) Efficiency preserving transformations for concurrent non-malleable zero knowledge In: Theory of Cryptography, 7th Theory of Cryptography Conference, TCC. Proceedings, 535–552.. Springer, Zurich. https://doi.org/10.1007/978-3-642-11799-2_32.Google Scholar
  42. Ostrovsky, R, Persiano G, Visconti I (2008) Constant-round concurrent non-malleable zero knowledge in the bare public-key model In: Automata, Languages and Programming, 35th International Colloquium, ICALP, Proceedings, 548–559.. Springer, Reykjavik. https://doi.org/10.1007/978-3-540-70583-3_45.View ArticleGoogle Scholar
  43. Ostrovsky, R, Scafuro A, Venkitasubramaniam M (2015) Resettably sound zero-knowledge arguments from owfs - the (semi) black-box way In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Procee6dings, Part I.. Springer, Warsaw. https://doi.org/10.1007/978-3-662-46494-6_15.Google Scholar
  44. Pandey, O, Prabhakaran M, Sahai A (2015) Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part II, 638–667.. Springer, Warsaw. https://doi.org/10.1007/978-3-662-46497-7_25.Google Scholar
  45. Pass, R, Rosen A (2005) Concurrent non-malleable commitments In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2005), Proceedings, 563–572.. IEEE Computer Society, Pittsburgh. https://doi.org/10.1109/SFCS.2005.27.View ArticleGoogle Scholar
  46. Rosen, A (2000) A note on the round-complexity of concurrent zero-knowledge In: Advances in Cryptology - CRYPTO 2000, 20th Annual International Cryptology Conference, Proceedings, 451–468.. Springer, Santa Barbara. https://doi.org/10.1007/3-540-44598-6_28.View ArticleGoogle Scholar

Copyright

© The Author(s) 2018

Advertisement