## Perfect NIZK with adaptive soundness (2007)

### Download Links

- homepages.cwi.nl
- eprint.iacr.org
- DBLP

### Other Repositories/Bibliography

Venue: In proceedings of TCC ’07, LNCS series

Citations: 28 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Abe07perfectnizk,
  author    = {Masayuki Abe and Serge Fehr},
  title     = {Perfect nizk with adaptive soundness},
  booktitle = {In proceedings of TCC '07, LNCS series},
  year      = {2007},
  pages     = {118--136},
  publisher = {Springer-Verlag}
}
```

### Abstract

The notion of non-interactive zero-knowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: is it possible to construct NIZK schemes for any NP-language with statistical or even perfect ZK? Groth, Ostrovsky and Sahai recently answered this question in the affirmative. However, in order to achieve adaptive soundness, i.e., soundness against dishonest provers who may choose the target statement depending on the common reference string (CRS), their schemes require some restriction to be put upon the statements to be proven, e.g. an a-priori bound on their size. In this work, we first present a very simple and efficient adaptively-sound perfect NIZK argument system for any NP-language. Besides being the first adaptively-sound statistical NIZK argument for all of NP that does not pose any restriction on the statements to be proven, it enjoys a number of additional desirable properties: it allows the CRS to be re-used, it can handle arithmetic circuits, and the CRS can be set up very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NP-reductions. The security of the proposed schemes is based on a strong non-standard assumption, an extended version of the so-called Knowledge-of-Exponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonly-used approach for proving NIZK arguments sound does not allow for adaptively-sound statistical NIZK arguments (unless NP ⊂ P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the non-standard assumption in a pre-processing model.

### Citations

- How to prove yourself: Practical solutions to identification and signature problems (Fiat, Shamir, 1987; 880 citations)
  Context: ...r each multiplication gate consists of only 1 group element, P. Note that this requires less communication than using standard interactive ZK techniques in combination with the Fiat-Shamir heuristic [21]. 4 Efficient Proof for Relations Among Commitments. We again consider the problem of proving that a Pedersen commitment C = g^c h^γ "contains" the product c = a·b of a and b committed to by A = g^a h^α ...

- Universally composable security: A new paradigm for cryptographic protocols (Canetti, 2001; 666 citations)
  Context: ...erent, no negative result has been proven for argument systems. Groth et al. also proposed a perfect NIZK argument for SAT which is provably secure in Canetti’s Universal Composability (UC) framework [10]. However, besides being much less efficient than their first construction, the scheme still does not guarantee unrestricted security against an adaptive dishonest prover who chooses the target instan...

- Fast probabilistic algorithms for verification of polynomial identities (Schwartz, 1980; 411 citations)
  Context: ... same probability in both cases). In the modified game, however, the polynomials are chosen completely independent of (x, u_1, ..., u_2m) and thus we can apply Schwartz' Lemma. Lemma 21 (Schwartz [31]). Let q be a prime. For any polynomial P ∈ Z_q[X_1, ..., X_n] of total degree at most d, the probability that P vanishes on a uniformly distributed tuple (x_1, ..., x_n) ∈ Z_q^n is at most d/q. 7 Elim...

- Proofs that Yield Nothing but their Validity or All Languages in NP have Zero-Knowledge Proof System (Goldreich, Micali, et al., 1991; 389 citations)
  Context: ...with computational ZK or computational soundness (where the proof is also called an argument), or both. However, in contrast to interactive ZK where it has long been known that both flavors can exist [8, 7, 23], all proposed NIZK proofs or arguments for general NP-languages have computational ZK (see e.g. [6, 20, 5, 27, 15]). Hence the construction of a statistically NIZK (NISZK) argument has remained an op...

- Minimum Disclosure Proofs of Knowledge (Brassard, Chaum, et al., 1988; 316 citations)
  Context: ...with computational ZK or computational soundness (where the proof is also called an argument), or both. However, in contrast to interactive ZK where it has long been known that both flavors can exist [9, 8, 25], all proposed NIZK proofs or arguments for general NP-languages have computational ZK (see e.g. [6, 21, 7, 30, 34]). Hence the construction of a statistically NIZK (NISZK) arguments ...

- Noninteractive zero-knowledge (Blum, DeSantis, et al., 1991; 197 citations)
  Context: ...ever, in contrast to interactive ZK where it has long been known that both flavors can exist [8, 7, 23], all proposed NIZK proofs or arguments for general NP-languages have computational ZK (see e.g. [6, 20, 5, 27, 15]). Hence the construction of a statistically NIZK (NISZK) argument has remained an open problem (until very recently, see below). The question of the existence of NISZK arguments is in particular inte...

- Multiple non-interactive zero knowledge proofs under general assumptions (Feige, Lapidot, et al., 1999; 175 citations)
  Context: ...ever, in contrast to interactive ZK where it has long been known that both flavors can exist [8, 7, 23], all proposed NIZK proofs or arguments for general NP-languages have computational ZK (see e.g. [6, 20, 5, 27, 15]). Hence the construction of a statistically NIZK (NISZK) argument has remained an open problem (until very recently, see below). The question of the existence of NISZK arguments is in particular inte...

- Secure Multiparty Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority (Beaver, 1991; 140 citations)
  Context: ...out statistical NIZK arguments in the pre-processing model, cf. [35, 29, 16], which rely only on general assumptions but require a complicated pre-processing stage. Beaver’s pre-processing techniques [4] can be applied in a straightforward way to yield similarly efficient schemes as we do. However, this approach requires the generation of random commitments with multiplicative relations in the pre-pr...

- Non-interactive zero-knowledge and its applications (Blum, Feldman, et al., 1988; 122 citations)
  Context: ...ng any additional information besides the validity of the statement, provided that a common reference string (CRS) has been properly set up. Since its introduction by Blum, Feldman and Micali in 1988 [6], NIZK has been a fundamental cryptographic primitive used throughout modern cryptography in essential ways. There is a considerable amount of literature dedicated to NIZK, in particular to the study ...

- Two theorems on random polynomial time (Adleman, 1978; 101 citations)
  Context: ...put A2(x*, π, a). Independent repetitions give a large enough success probability. By the NP-completeness, this implies that NP ⊂ BPP/poly = P/poly, where the latter equality was originally shown in [1]. ⊓⊔ Footnote 4: Such P* might be inefficient but it is not a problem since, as a black-box reduction, A should also work for an inefficient P*. Footnote 5: Non-uniform because A may be non-uniform. ...

- The complexity of perfect zero-knowledge (Fortnow, 1989; 87 citations)
  Context: ...ase of interactive ZK it is well known that there cannot be statistical NIZK proofs (i.e., both ZK and soundness are unconditional) for NP-complete languages unless the polynomial hierarchy collapses [22, 2, 30]. Hence, when considering general NP-languages, this only leaves room for a NIZK proof with computational ZK or computational soundness (where the proof is also called an argument), or both. However, ...

- Universally Composable Protocols with Relaxed Set-Up Assumptions (Barak, Canetti, et al.; 83 citations)
  Context: ... = e(g, ĥ). Hence, the set-up of the CRS requires no honest party nor any expensive 2-party (or multi-party) computation. This sort of set-up is captured by the so-called registered public-key model [3]. If the proof of knowledge of w is omitted, so that the verifier only publishes the CRS Σ, then the argument is still witness indistinguishable due to the perfect hiding property of the commitments. ...

- Resettable Zero-Knowledge (Canetti, Goldreich, et al., 2000; 76 citations)
  Context: ...is provided solely by a (possibly dishonest) verifier without any correctness proof. Thus, it can be viewed as a non-interactive witness indistinguishable argument system in the bare public-key model [12], or equivalently a (computationally sound) zap [20]. We are not aware of any other NIZK argument or proof that enjoys all these properties. Based on the techniques developed for the perfect NIZK argu...

- Towards practical public key systems secure against chosen ciphertext attacks (Damgård, 1991; 70 citations)
  Context: ... to efficiently come up with another pair A and Â such that Â = A^x (for the same x) is by raising g and ĝ to some power a: A = g^a and Â = ĝ^a. KEA was first introduced and used by Damgård in 1991 [15], and later, together with an extended version (KEA2), by Hada and Tanaka [28]. Recently, Bellare and Palacio [5] showed that KEA2 does not hold, and proposed a new extended version called KEA3 in ord...

- Zero knowledge proofs of knowledge without interaction (DeSantis, Persiano; 67 citations)
  Context: ...(x*, w*) ∉ R ∧ V(Σ, x*, π*) = 1] ≤ negl. Such NIZK proof of knowledge with non-black-box extractor might be weaker than the one with universal black-box extractor originally defined in [17]. This issue is analogous to black-box vs non-black-box ZK where both definitions are widely accepted. Although a stronger definition is in general favorable, a weaker definition has potential to captur...

- Complexity of a determinate algorithm for the discrete logarithm (Nechaev, 1994; 67 citations)
  Context: ...guarantees a distinguisher for instances that are easy per se, and thus there is no contradiction. 6 The Security of (X)KEA against Generic Attacks. The notion of a generic algorithm is due to Nechaev [29] and Shoup [32], where it was shown that the discrete-log problem is hard for generic algorithms. Informally, a generic algorithm for trying to solve some DL-related problem in a group G is one that d...

- Statistical zero-knowledge languages can be recognized in two rounds. J.Comput (Aiello, Håstad, 1991; 65 citations)
  Context: ... in case of interactive ZK it is known that there cannot be statistical NIZK proofs (i.e., both ZK and soundness are unconditional) for NP-complete languages unless the polynomial hierarchy collapses [23, 2, 33]. Hence, when considering general NP-languages, this only leaves room for a NIZK proof with computational ZK or computational soundness (where the proof is also called an argument), or both. However, ...

- The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols (Bellare, Palacio, 2004; 58 citations)
  Context: ... power a: A = g^a and Â = ĝ^a. KEA was first introduced and used by Damgård in 1991 [15], and later, together with an extended version (KEA2), by Hada and Tanaka [28]. Recently, Bellare and Palacio [5] showed that KEA2 does not hold, and proposed a new extended version called KEA3 in order to save Hada and Tanaka’s results. KEA3, which we call XKEA for eXtended KEA, says that given two pairs (g, ĝ...

- Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond (Brassard, Crépeau, 1986; 57 citations)
  Context: ...with computational ZK or computational soundness (where the proof is also called an argument), or both. However, in contrast to interactive ZK where it has long been known that both flavors can exist [9, 8, 25], all proposed NIZK proofs or arguments for general NP-languages have computational ZK (see e.g. [6, 21, 7, 30, 34]). Hence the construction of a statistically NIZK (NISZK) arguments ...

- On the existence of 3-round zero-knowledge protocols. eprint (Hada, Tanaka, 1999; 57 citations)
  Context: ...ill appears to be secure even if XKEA should turn out to be false (for the particular generator BGG used), but we cannot prove it anymore formally. This is in contrast to how KEA and XKEA are used in [25] respectively [4] for 3-round ZK, where there seems to be no simulator anymore as soon as KEA is false. 3 A Perfect NIZK Argument for SAT. 3.1 Handling Multiplication Gates. Let (G, H, q, g, e) be gener...

- Non-Interactive Zero-Knowledge Proof Systems (Blum, Feldman, et al., 1988; 56 citations)
  Context: ...ever, in contrast to interactive ZK where it has long been known that both flavors can exist [9, 8, 25], all proposed NIZK proofs or arguments for general NP-languages have computational ZK (see e.g. [6, 21, 7, 30, 34]). Hence the construction of a statistically NIZK (NISZK) arguments has remained an open problem (until very recently, see below). The question of the existence of NISZK a...

- On cryptographic assumptions and challenges (Naor, 2003; 55 citations)
  Context: ...h that Â = A^x is by computing A = g^a h^α and Â = ĝ^a ĥ^α. Assumptions like KEA and XKEA are widely criticized in particular because they do not appear to be "efficiently falsifiable", as Naor put it [28], though Bellare and Palacio showed that this is not necessarily the case. 1.2 Our Result. Based on XKEA over bilinear groups, we construct an adaptively-sound NIPZK argument for circuit-SAT without ...

- Lower bounds for discrete logarithms and related problems (Shoup, 1997; 50 citations)
  Context: ...actor, such that Pr[pub ← BGG, x ← Z_q, h ← G, (A, Â; a, α) ← (A‖X_A)(pub, g^x, h, h^x) : Â = A^x ∧ A ≠ g^a h^α] ≤ negl. It is well known that DLA holds provably with respect to generic algorithms (see e.g. [32]), which operate on the group elements only by applying the group operations (multiplication and inversion), but do not make use of the specific representation of the group elements. It is not so hard...

- Zaps and Their Applications (Dwork, Naor, 2000; 43 citations)
  Context: ...y be set-up jointly by the prover and the verifier. Furthermore, it can even be provided solely from a (possibly dishonest) verifier without any correctness proof if we view the proof system as a zap [19] rather than a NIZK. We are not aware of any other NIZK arguments or proofs that enjoy all these desirable properties. Based on the techniques developed for the perfect NIZK argument for SAT, we also ...

- Efficient multiparty protocols using circuit randomization (Beaver; 41 citations)
  Context: ...out statistical NIZK arguments in the pre-processing model, cf. [16, 26, 13], which rely only on general assumptions but require a complicated pre-processing stage. Beaver's pre-processing techniques [3] can be applied in a straightforward way to yield similarly efficient schemes as we do. However, this approach requires the generation of random commitments with multiplicative relations in the pre-pr...

- Perfect non-interactive zero knowledge for (Groth, Ostrovsky, et al., 2006; 41 citations)
  Context: ...anguages (assuming that one-way functions exist). Statistical NIZK Arguments. Recently, Groth, Ostrovsky and Sahai proposed an elegant construction for a perfect NIZK (NIPZK) argument for circuit-SAT [24] by using bilinear groups. This shows NIZK can come with perfect ZK for any NP-language. However, the scheme only provides security against a non-adaptive dishonest prover who chooses the target insta...

- Universally Composable Security with Global Setup (Canetti, Dodis, et al.; 40 citations)
  Context: ... incorporate the CRS, essentially because in the ideal-life model there is no (guaranteed-to-be-correct) CRS. 1 Subtle issues like this one are taken care of in a recent extension of the UC framework [11], which though requires stronger set-up assumptions than a standard CRS for non-trivial two-party protocols. In conclusion, UC NIZK security provides good enough security under the condition that the ...

- Efficient zero-knowledge proofs of knowledge without intractability assumptions (Ivan, Damgård, et al., 2000; 34 citations)
  Context: ...ay be generated by the (possibly dishonest) verifier, together with an (interactive) ZK proof of the knowledge of w with g^w = h, which can be done very efficiently by using the 4-round ZK proof from [14] for instance. The prover additionally needs to check if e(ĝ, h) = e(g, ĥ). Hence, the set-up of the CRS requires no honest party nor any expensive 2-party (or multi-party) computation. This sort o...

- An Efficient Non-Interactive Zero-Knowledge Proof System for NP with General Assumptions (Kilian, Petrank, 1998; 26 citations)
  Context: ...ever, in contrast to interactive ZK where it has long been known that both flavors can exist [8, 7, 23], all proposed NIZK proofs or arguments for general NP-languages have computational ZK (see e.g. [6, 20, 5, 27, 15]). Hence the construction of a statistically NIZK (NISZK) argument has remained an open problem (until very recently, see below). The question of the existence of NISZK arguments is in particular inte...

- Non-interactive zero-knowledge (Blum, Santis, Persiano, et al., 1991; 25 citations)
  Context: ...-processing phase. This then obviously also allows to extract s in the security proof as required. There are some feasibility results about statistical NIZK arguments in the pre-processing model, cf. [16, 26, 13], which rely only on general assumptions but require a complicated pre-processing stage. Beaver's pre-processing techniques [3] can be applied in a straightforward way to yield similarly efficient sch...

- Constant-Round Multiparty Computation Using a Black-Box Pseudorandom Generator (Damgård, Ishai; 22 citations)
  Context: ...se, whereas with our techniques purely random commitments, which are potentially easier to prepare, suffice. For instance in the multi-player setting, this is known as the linear pre-processing model [14], and when the number of players is small, using the techniques of [10], one can have a once-and-for-all preprocessing stage that allows to produce an unbounded number of pseudo-random commitments on ...

- Share conversion, pseudorandom secret sharing and applications to secure computation (Cramer, Damgård, et al., 2005; 21 citations)
  Context: ...tentially easier to prepare, suffice. For instance in the multi-player setting, this is known as the linear pre-processing model [18], and when the number of players is small, using the techniques of [13], one can have a once-and-for-all preprocessing stage that allows to produce an unbounded number of pseudo-random commitments on the fly. Acknowledgments. We would like to thank Alexander Dent for usef...

- Perfect zero-knowledge languages can be recognized in two rounds (Aiello, Håstad, 1987; 18 citations)
  Context: ...ase of interactive ZK it is well known that there cannot be statistical NIZK proofs (i.e., both ZK and soundness are unconditional) for NP-complete languages unless the polynomial hierarchy collapses [22, 2, 30]. Hence, when considering general NP-languages, this only leaves room for a NIZK proof with computational ZK or computational soundness (where the proof is also called an argument), or both. However, ...

- Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing (Damgård, 1992; 16 citations)
  Context: ...-processing phase. This then obviously also allows to extract s in the security proof as required. There are some feasibility results about statistical NIZK arguments in the pre-processing model, cf. [35, 29, 16], which rely only on general assumptions but require a complicated pre-processing stage. Beaver’s pre-processing techniques [4] can be applied in a straightforward way to yield similarly efficient sch...

- Towards Practical Public-Key Cryptosystems Provably-Secure against Chosen-Ciphertext Attack (Damgård, 1991; 16 citations)
  Context: ...to efficiently come up with another pair A and Â such that Â = A^x (for the same x) is by raising g and ĝ to some power a: A = g^a and Â = ĝ^a. KEA was first introduced and used by Damgård in 1991 [12], and later, together with an extended version (KEA2), by Hada and Tanaka [25]. Recently, Bellare and Palacio [4] showed that KEA2 does not hold, and proposed a new extended version called KEA3 in ord...

- Non-interactive zero-knowledge from homomorphic encryption (Damgård, Fazio, et al., 2006; 12 citations)
  Context: ... best of our knowledge, all known schemes only work for secrets from restricted domains such as Z_2 and have to rely on generic inefficient reductions to NP-complete problems to handle larger secrets. [17] constructs an efficient NIZK argument which allows to prove any arithmetic relations over a large field, but the CRS can be used only a logarithmic number of times for the sake of soundness. [26] present...

- The hardness of the DHK problem in the generic group model. Cryptology ePrint Archive, Report 2006/156 (Dent, 2006; 10 citations)
  Context: ...rithm must use the specific representation of the elements of that group, and it is likely to fail when some other group (representation) is used. A similar result was independently developed by Dent [18] for non-bilinear groups. Finally, we discuss how to avoid XKEA in our NIZK arguments by allowing a pre-processing phase. Our scheme allows very efficient pre-processing where the prover only need to ...

- Unconditional characterizations of non-interactive zero-knowledge (Pass, Shelat, 2005; 3 citations)
  Context: ...ase of interactive ZK it is well known that there cannot be statistical NIZK proofs (i.e., both ZK and soundness are unconditional) for NP-complete languages unless the polynomial hierarchy collapses [22, 2, 30]. Hence, when considering general NP-languages, this only leaves room for a NIZK proof with computational ZK or computational soundness (where the proof is also called an argument), or both. However, ...

- Minimum resource zero-knowledge proofs (Kilian, Micali, et al., 1989; 1 citation)
  Context: ...-processing phase. This then obviously also allows to extract s in the security proof as required. There are some feasibility results about statistical NIZK arguments in the pre-processing model, cf. [16, 26, 13], which rely only on general assumptions but require a complicated pre-processing stage. Beaver's pre-processing techniques [3] can be applied in a straightforward way to yield similarly efficient sch...

- Perfect NIZK with adaptive soundness. Cryptology ePrint Archive, Report 2006/423 (Abe, Fehr, 2006; 1 citation)
  Context: ...ow for statistical ZK unless NP ⊂ P/poly (i.e. unless any NP-problem can be solved by an efficient non-uniform algorithm). Due to lack of space, this result is moved to the full version of this paper [1]. Finally, we discuss how to avoid XKEA in our NIZK arguments by allowing a pre-processing phase. Our scheme allows very efficient pre-processing where the pro...