## Perfect non-interactive zero knowledge for NP (2006)


Venue: Proceedings of Eurocrypt 2006, volume 4004 of LNCS

Citations: 40 - 3 self

### BibTeX

@INPROCEEDINGS{Groth06perfectnon-interactive,
    author = {Jens Groth and Rafail Ostrovsky and Amit Sahai},
    title = {Perfect non-interactive zero knowledge for NP},
    booktitle = {Proceedings of Eurocrypt 2006, volume 4004 of LNCS},
    year = {2006},
    pages = {339--358},
    publisher = {Springer}
}

### Abstract

Non-interactive zero-knowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero-knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for non-interactive zero-knowledge, this problem remained open since the inception of NIZK in the late 1980's. Here we resolve two problems regarding NIZK:

- We construct the first perfect NIZK argument system for any NP

### Citations

630 | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- 2001
Citation Context ...perfect NIZK argument. We generalize our techniques to construct perfect NIZK arguments that satisfy Canetti’s UC definition of security. Canetti introduced the universal composability (UC) framework [7] as a general method to argue security of protocols in an arbitrary environment. It is a strong security definition; in particular it implies non-malleability [17], and security when arbitrary protoco...

371 | A hard-core predicate for all one-way functions
- Goldreich, Levin
- 1989
Citation Context ...E(k) and returns c. We require that the cryptosystem have errorless decryption as defined earlier. Trapdoor permutations imply pseudorandom cryptosystems, we can use the Goldreich-Levin hard-core bit [21] of a trapdoor permutation to make a one-time pad. In the concrete case of the BGN cryptosystem, we observe that it implies hardness of factorization a...

306 | Minimum Disclosure Proofs of Knowledge - Brassard, Chaum, et al. - 1988 |

190 | Noninteractive Zero-Knowledge
- Blum, Santis, et al.
- 1991
Citation Context ...ional NIZK proof systems for proving a single statement about any NP language. The first computational NIZK proof system for multiple theorems was constructed by Blum, De Santis, Micali, and Persiano [2]. Both [3] and [2] based their NIZK systems on certain number-theoretic assumptions (specifically, the hardness of deciding quadratic residues modulo a composite number). Feige, Lapidot, and Shamir [1...

171 | A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: FOCS
- Feige, Lapidot, et al.
- 1990
Citation Context ...2]. Both [3] and [2] based their NIZK systems on certain number-theoretic assumptions (specifically, the hardness of deciding quadratic residues modulo a composite number). Feige, Lapidot, and Shamir [18] showed how to construct computational NIZK proofs based on any trapdoor permutation. The above work, and the plethora of research on NIZK that followed, mainly considered NIZK where the zero-knowledg...

156 | Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security
- Sahai
- 1999
Citation Context ...pdoor commitments were first implicitly constructed in [15], and explicitly in [16, 28]. The tag-based simulation soundness property is based on the notion of simulation soundness introduced by Sahai [32] for NIZK proofs. Aside from [15, 16, 28], other constructions of tag-based simulation sound commitments or schemes that can easily be transformed into tag-based simulation-sound commitments have appea...

149 | Evaluating 2-DNF formulas on ciphertexts
- Boneh, Goh, et al.
- 2005
Citation Context ... two decades of research on NIZK, the answer to this question was not known. In this paper, we answer this question in the affirmative, based on a number-theoretic complexity assumption introduced in [4]. 1 Such systems where the soundness holds computationally have come to be known as argument systems, as opposed to proof systems where the soundness condition must hold unconditionally. 2 We note tha...

116 | Non-Interactive Zero-Knowledge and Its Applications
- Blum, Feldman, et al.
- 1988
Citation Context ...m Intel, and an Alfred P. Sloan Foundation Research Fellowship. In context with previous work – statistical zero knowledge: Blum, Feldman, and Micali [3] introduced the notion of NIZK in the common random string model and showed how to construct computational NIZK proof systems for proving a single statement about any NP language. The first computatio...

115 | Moni Naor. Non-Malleable Cryptography
- Dolev, Dwork
- 1991
Citation Context ...niversal composability (UC) framework [7] as a general method to argue security of protocols in an arbitrary environment. It is a strong security definition; in particular it implies non-malleability [17], and security when arbitrary protocols are executed concurrently. We define NIZK arguments in the UC framework and construct a NIZK argument that satisfies the UC security definition. From the theory...

87 | The Complexity of Perfect Zero-Knowledge
- Fortnow
- 1987
Citation Context ...rks came far short of working for all NP languages, and in fact NP-complete languages cannot have (even interactive) statistical zero-knowledge proof systems unless the polynomial hierarchy collapses [19, 1] 3 . Unless our computational complexity beliefs are wrong, this leaves open only the possibility of argument systems. Do there exist statistical NIZK arguments for all NP languages? Despite nearly tw...

59 | Efficient and Non-Interactive Non-Malleable Commitments
- Crescenzo, Katz, et al.
- 2001
Citation Context ...e return (verification,sid, ssid,0). Fig. 3. NIZK argument functionality F_NIZK. Perfectly hiding commitment scheme with extraction. A perfectly hiding commitment scheme with extraction (first used in [16] in the setting of perfectly hiding non-malleable commitment) has the following property. We can run a key generation algorithm hk ← K_hiding(1^k) to get a hiding key hk, or we can alternatively run a ...

57 | Non-Transitive Transfer of Confidence: A Perfect Zero-Knowledge Interactive Protocol for SAT and Beyond
- Brassard, Crépeau
- 1986
Citation Context ... the theorem being proven. In the case of interactive zero knowledge, it has long been known that all NP statements can in fact be proven using statistical (in fact, perfect) zero knowledge arguments [6, 5]; that is, even a computationally unbounded party would not learn anything beyond the correctness of the theorem being proven, though we must assume that the prover, only during the execution of the p...

53 | On Deniability in the Common Reference String and Random Oracle Models
- Pass
- 2003
Citation Context ...string π can verify the truth of the statement and can use the string to convince others about the truth of the statement. The NIZK argument is not deniable; quite on the contrary, it is transferable [30]. For this reason, and because the protocol and the security proof become a little simpler, we suggest a different functionality F_NIZK to capture the essence of NIZK arguments. 6.2 Tools We will need...

43 | Amit Sahai. Universally composable two-party and multi-party secure computation
- Canetti, Lindell, et al.
- 2002
Citation Context ... upon corruption of a party, it learns the entire history of the internal state of this party. Prior to our result, no NIZK protocol was known to be UC-secure against dynamic/adaptive adversaries. In [8], it was observed that De Santis et al. [11] achieve UC-security, but only for the setting with static adversaries (in the non-erasure model). 2 Non-interactive Zero-Knowledge Let R be an efficiently ...

41 | Non-interactive and reusable non-malleable commitment schemes
- Damgård, Groth
- 2003
Citation Context ...ZK proofs. Aside from [15, 16, 28], other constructions of tag-based simulation sound commitments or schemes that can easily be transformed into tag-based simulation-sound commitments have appeared in [11, 8, 20, 10, 24, 25]. The tag-based simulation-soundness property means that a commitment using tag remains binding even if we have made equivocations for commitments using different tags. For all non-uniform polynomial ...

38 | S.: A Complete Problem for Statistical Zero Knowledge
- Sahai, Vadhan
- 2003
Citation Context ...pe, and therefore it includes NIZK, even for the common reference string which is not uniform. See also [31] for an alternative proof. 3 See also [22] appendix regarding subtleties of this proof, and [33] for an alternative proof. Our results. Our main results, which we describe in more detail below, are: - Significantly more efficient NIZK proofs for c...

36 | On simulation-Sound Trapdoor Commitments
- MacKenzie, Yang
- 2003
Citation Context ...open_{ck,ek}(c, m, tag) and returns r and A does not submit the same tag twice to the oracle. Tag-based simulation-sound trapdoor commitments were first implicitly constructed in [15], and explicitly in [16, 28]. The tag-based simulation soundness property is based on the notion of simulation soundness introduced by Sahai [32] for NIZK proofs. Aside from [15, 16, 28], other constructions of tag-based simulat...

28 | One-way functions, hard on average problems, and statistical zero-knowledge proofs
- Ostrovsky
- 1991
Citation Context ...edge property is perfect. Statistical ZK (including statistical NIZK 2 ) for any nontrivial language for both proofs and arguments were shown to imply the existence of a one-way function by Ostrovsky [29]. Statistical NIZK proof systems were further explored by De Santis, Di Crescenzo, Persiano, and Yung [14] and Goldreich, Sahai, and Vadhan [23], who gave complete problems for the complexity class as...

27 | Strengthening zero-knowledge protocols using signatures
- Garay, MacKenzie, et al.
- 2003
Citation Context ...ZK proofs. Aside from [15, 16, 28], other constructions of tag-based simulation sound commitments or schemes that can easily be transformed into tag-based simulation-sound commitments have appeared in [11, 8, 20, 10, 24, 25]. The tag-based simulation-soundness property means that a commitment using tag remains binding even if we have made equivocations for commitments using different tags. For all non-uniform polynomial ...

24 | Can statistical zero knowledge be made noninteractive? or on the relationship of SZK and NISZK
- Goldreich, Sahai, et al.
- 1999
Citation Context ... imply the existence of a one-way function by Ostrovsky [29]. Statistical NIZK proof systems were further explored by De Santis, Di Crescenzo, Persiano, and Yung [14] and Goldreich, Sahai, and Vadhan [23], who gave complete problems for the complexity class associated with statistical NIZK proofs. However, these works came far short of working for all NP languages, and in fact NP-complete languages ca...

19 | Rafail Ostrovsky, Giuseppe Persiano, and Amit Sahai. Robust non-interactive zero knowledge
- Santis, Crescenzo
- 2001
Citation Context ...entire history of the internal state of this party. Prior to our result, no NIZK protocol was known to be UC-secure against dynamic/adaptive adversaries. In [8], it was observed that De Santis et al. [11] achieve UC-security, but only for the setting with static adversaries (in the non-erasure model). 2 Non-interactive Zero-Knowledge Let R be an efficiently computable binary relation. For pairs (x, w)...

18 | Perfect Zero-Knowledge Languages can be Recognized in Two Rounds
- Aiello, Håstad
- 1987
Citation Context ...rks came far short of working for all NP languages, and in fact NP-complete languages cannot have (even interactive) statistical zero-knowledge proof systems unless the polynomial hierarchy collapses [19, 1] 3 . Unless our computational complexity beliefs are wrong, this leaves open only the possibility of argument systems. Do there exist statistical NIZK arguments for all NP languages? Despite nearly tw...

15 | Image density is complete for non-interactive-SZK (extended abstract)
- Santis, Crescenzo, et al.
- 1998
Citation Context ...oth proofs and arguments were shown to imply the existence of a one-way function by Ostrovsky [29]. Statistical NIZK proof systems were further explored by De Santis, Di Crescenzo, Persiano, and Yung [14] and Goldreich, Sahai, and Vadhan [23], who gave complete problems for the complexity class associated with statistical NIZK proofs. However, these works came far short of working for all NP languages...

15 | Yuval Ishai, and Rafail Ostrovsky. Non-interactive and non-malleable commitment
- Crescenzo
- 1998
Citation Context ...Tcom_{ck,tk}(m, tag); r ← Topen_{ck,ek}(c, m, tag) and returns r and A does not submit the same tag twice to the oracle. Tag-based simulation-sound trapdoor commitments were first implicitly constructed in [15], and explicitly in [16, 28]. The tag-based simulation soundness property is based on the notion of simulation soundness introduced by Sahai [32] for NIZK proofs. Aside from [15, 16, 28], other constr...

15 | Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing
- Damgård
Citation Context ...g of size at least O(k^3) and the NIZK proofs of size at least O(|C|k^2). For comparison with the most efficient previous work, please see Table 1. Reference CRS size Proof Size Assumption Damgård [9] O(|C|k^2 + k^3) O(|C|k^2 + k^3) Quadratic Residuosity Kilian-Petrank [27] O(|C|k^2) O(|C|k^2) Trapdoor Permutations Kilian-Petrank [27] O(k^3) O(|C|k^3) Trapdoor Permutations De Santis et al. [...

12 | and Erez Petrank. An efficient noninteractive zero-knowledge proof system for np with general assumptions
- Kilian
- 1998
Citation Context ... O(k|C|), where |C| is the size of the circuit. This is a significant result in its own right; the most efficient NIZK proof systems for an NP-complete problem with efficient provers previously known [27] required a reference string of size at least O(k^3) and the NIZK proofs of size at least O(|C|k^2). For comparison with the most efficient previous work, please see Table 1. Reference CRS size Proo...

9 | Randomness-optimal characterization of two NP proof systems
- Santis, Crescenzo, et al.
- 2002
Citation Context ...] O(|C|k^2 + k^3) O(|C|k^2 + k^3) Quadratic Residuosity Kilian-Petrank [27] O(|C|k^2) O(|C|k^2) Trapdoor Permutations Kilian-Petrank [27] O(k^3) O(|C|k^3) Trapdoor Permutations De Santis et al. [12, 13] O(k + |C|^ε) poly(|C|k) NIZK & One-Way Functions This paper O(k) O(|C|k) Subgroup Decision [4] Table 1. Comparison of CRS size and NIZK proof size for efficient-prover NIZK proof systems for circuit...

6 | Honest verifier zero-knowledge arguments applied
- Groth
Citation Context ...ZK proofs. Aside from [15, 16, 28], other constructions of tag-based simulation sound commitments or schemes that can easily be transformed into tag-based simulation-sound commitments have appeared in [11, 8, 20, 10, 24, 25]. The tag-based simulation-soundness property means that a commitment using tag remains binding even if we have made equivocations for commitments using different tags. For all non-uniform polynomial ...

5 | Cryptography in subgroups of Z_n^*
- Groth
- 2005

4 | Non-interactive zero-knowledge: A low-randomness characterization of np
- Santis, Crescenzo, et al.
- 1999
Citation Context ...] O(|C|k^2 + k^3) O(|C|k^2 + k^3) Quadratic Residuosity Kilian-Petrank [27] O(|C|k^2) O(|C|k^2) Trapdoor Permutations Kilian-Petrank [27] O(k^3) O(|C|k^3) Trapdoor Permutations De Santis et al. [12, 13] O(k + |C|^ε) poly(|C|k) NIZK & One-Way Functions This paper O(k) O(|C|k) Subgroup Decision [4] Table 1. Comparison of CRS size and NIZK proof size for efficient-prover NIZK proof systems for circuit...

4 | Rafail Ostrovsky, and Amit Sahai. Perfect noninteractive zero-knowledge for np
- Groth
- 2005
Citation Context ...dge, it can be omitted if perfect zero-knowledge is not needed. The resulting protocol can be seen in Figure 4. We use the notation from Section 6.2. We prove the following theorems in the full paper [26]. Theorem 4. The protocol in Figure 6 securely realizes F_NIZK in the F_CRS-hybrid model. Theorem 5. The UC NIZK argument in Figure 4 is perfect zero-knowledge. Corollary 1. Bilinear groups as described ...

2 | Rafail Ostrovsky, and Erez Petrank. Computational complexity and knowledge complexity
- Goldreich
- 1998
Citation Context ... require the simulator to produce Verifier’s random tape, and therefore it includes NIZK, even for the common reference string which is not uniform. See also [31] for an alternative proof. 3 See also [22] appendix regarding subtleties of this proof, and [33] for an alternative proof. Our results. Our main results, which we describe in more detail below,...

2 | and Abhi Shelat. Characterizing non-interactive zero-knowledge in the public and secret parameter models
- Pass
Citation Context ...] is for honest-verifier SZK, and does not require the simulator to produce Verifier’s random tape, and therefore it includes NIZK, even for the common reference string which is not uniform. See also [31] for an alternative proof. 3 See also [22] appendix regarding subtleties of this proof, and [33] for an alternative proof. Our results. Our main result...