Publicly Verifiable Proofs from Blockchains

Abstract

A proof system is publicly verifiable, if anyone, by looking at the transcript of the proof, can be convinced that the corresponding theorem is true. Public verifiability is important in many applications since it allows to compute a proof only once while convincing an unlimited number of verifiers.

Popular interactive proof systems (e.g., \(\varSigma \)-protocols) protect the witness through various properties (e.g., witness indistinguishability (WI) and zero knowledge (ZK)) but typically they are not publicly verifiable since such proofs are convincing only for those verifiers who contributed to the transcripts of the proofs. The only known proof systems that are publicly verifiable rely on a non-interactive (NI) prover, through trust assumptions (e.g., NIZK in the CRS model), heuristic assumptions (e.g., NIZK in the random oracle model), specific number-theoretic assumptions on bilinear groups or relying on obfuscation assumptions (obtaining NIWI with no setups).

In this work we construct publicly verifiable witness-indistinguishable proof systems from any \(\varSigma \)-protocol, based only on the existence of a very generic blockchain. The novelty of our approach is in enforcing a non-interactive verification (thus guaranteeing public verifiability) while allowing the prover to be interactive and talk to the blockchain (this allows us to circumvent the need of strong assumptions and setups). This opens interesting directions for the design of cryptographic protocols leveraging on blockchain technology.

A. Scafuro—Work supported by NSF grant # 1012798.

L. Siniscalchi and I. Visconti—Research supported in part by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 780477 (project PRIViLEDGE) and in part by “GNCS - INdAM”.

A Standard Tools

Definition 9

(One-way function (OWF)). A function \(f: \{0,1\}^* \rightarrow \{0,1\}^*\) is called one way if the following two conditions hold:

• there exists a deterministic polynomial-time algorithm that on input y in the domain of f outputs f(y);

• for every ppt algorithm \(\mathcal {A}\) there exists a negligible function \(\nu \), such that for every auxiliary input \(z\in \{0,1\}^{\mathsf {poly}(\lambda )}\):

$$ \text{ Pr }\left[ \;y {\leftarrow } \{0,1\}^*: \mathcal {A}(f(y), z)\in f^{-1}(f(y)) \;\right] <\nu (\lambda ). $$

We say, also, that a OWF f is a one-way permutation (OWP) if f is a permutation.

Definition 10

(Hash Function [32]). An hash function is a pair of ppt algorithms \(\varPi =(\mathtt {Gen}, H)\) fulfilling the following:

• \(\mathtt {Gen}\) is a probabilistic algorithm which takes as input a security parameter \(\lambda \) and outputs a key s.

• There exists \(l=\mathsf {poly}(\lambda )\) such that H is (deterministic) polynomial time algorithm that takes as input a key s and any string \(x \in \{0,1\}^*\) and outputs a string \(H(s, x)\in \{0,1\}^{l}\).

Definition 11

(Collision-Resistant Hash Functions (CRHFs) [32]). A hash function \(\varPi =(\mathtt {Gen}, H)\) is collision resistant if for all ppt adversaries \(\mathcal {A}\) there exists a negligible function \(\nu \) such that:

$$ \text{ Pr }\left[ \;H(s, x)=H(s, x') \wedge x\ne x': s\leftarrow \mathtt {Gen}(1^\lambda ),(x, x')\leftarrow \mathcal {A}(s)\;\right] \le \nu (\lambda ) $$

In this paper we denote by \(\mathsf {h}(\cdot )\) a CRHFs where the description of the hash function (i.e., the key s) is publicly available either in the blockchain protocol or in the genesis block of the blockchain.

Definition 12

(Witness Indistinguishable (WI)). An argument/proof system \(\varPi =(\mathcal {P},\mathcal {V})\), is Witness Indistinguishable (WI) for a relation \({\mathcal {R}}\) if, for every malicious ppt verifier \(\mathcal {V}^*\), there exists a negligible function \(\nu \) such that for all \(x,w,w'\) such that \((x, w)\in {\mathcal {R}}\) and \((x, w')\in {\mathcal {R}}\) it holds that:

$$ \Big |\Pr {\langle \mathcal {P}(w),\mathcal {V}^* \rangle (x)=1}-\Pr {\langle \mathcal {P}(w'),\mathcal {V}^*\rangle (x)=1}\Big |<\nu (|x|). $$

Obviously one can generalize the above definitions of WI to their natural adaptive-input variants, where the adversarial verifier can select the statement and the witnesses adaptively, before the prover plays the last round. We note that [23] prove that WI is preserved under self-concurrent composition, i.e. when multiple instance of \(\varPi \) are played concurrently.

Definition 13

(Proof/argument system). A pair of ppt interactive algorithms \(\varPi =(\mathcal {P},\mathcal {V})\) constitute a proof system (resp., an argument system) for an \(\mathcal {N}\mathcal {P}\)-language L, if the following conditions hold:

• Completeness: For every \(x\in L\) and w such that \((x,w)\in {\mathcal {R}}_\mathsf {L}\), it holds that:

  $$\begin{aligned} \text{ Pr }\left[ \;\langle \mathcal {P}(w), \mathcal {V}\rangle (x) =1\;\right] =1. \end{aligned}$$

• Soundness: For every interactive (resp., ppt interactive) algorithm \(\mathcal {P}^{\star }\), there exists a negligible function \(\nu \) such that for every \(x \notin L\) and every z:

  $$\begin{aligned} \text{ Pr }\left[ \;\langle \mathcal {P}^{\star }(z), \mathcal {V}\rangle (x) =1\;\right] < \nu (|x|). \end{aligned}$$

A proof/argument system \(\varPi =(\mathcal {P},\mathcal {V})\) for an \(\mathcal {N}\mathcal {P}\)-language L, enjoys delayed-input completeness if \(\mathcal {P}\) needs x and w only to compute the last round and \(\mathcal {V}\) needs x only to compute the output. Before that, \(\mathcal {P}\) and \(\mathcal {V}\) run having as input only the size of x. The notion of delayed-input completeness was defined in [12].

An interactive protocol \(\varPi =(\mathcal {P},\mathcal {V})\) is public coin if, at every round, \(\mathcal {V}\) simply tosses a predetermined number of coins (i.e. a random challenge) and sends the outcome to the prover. Moreover we say that the transcript \(\tau \) of an execution \(b=\langle \mathcal {P}(z), \mathcal {V}\rangle (x)\) is accepting if \(b=1\).

A 3-round protocol \(\varPi =(\mathcal {P}, \mathcal {V})\) for a relation \({\mathcal {R}}\) is an interactive protocol played between a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\) on common input x and private input w of \(\mathcal {P}\) s.t. \((x,w)\in {\mathcal {R}}\). In a 3-round protocol the first message \(\mathtt {a}\) and the third message \(\mathtt {z}\) are sent by \(\mathcal {P}\) and the second messages \(\mathtt {c}\) is played by \(\mathcal {V}\). At the end of the protocol \(\mathcal {V}\) decides to accept or reject based on the data that he has seen, i.e. \(x, \mathtt {a},\mathtt {c},\mathtt {z}\).

We usually denote the message \(\mathtt {c}\) sent by \(\mathcal {V}\) as a challenge, and as challenge length the number of bit of \(\mathtt {c}\).

Definition 14

(\(\varSigma \)-Protocol). A 3-round public-coin protocol \(\varPi =(\mathcal {P}, \mathcal {V})\) for a relation \({\mathcal {R}}\) is a \(\varSigma \)-Protocol if the following properties hold:

• Completeness: if \((\mathcal {P}, \mathcal {V})\) follow the protocol on input x and private input w to \(\mathcal {P}\) s.t. \((x,w)\in {\mathcal {R}}\), \(\mathcal {V}\) always accepts.

• Special soundness: if there exists a polynomial time algorithm such that, for any pair of accepting transcripts on input x, \((\mathtt {a},\mathtt {c_1},\mathtt {z_1})\) \((\mathtt {a},\mathtt {c_2},\mathtt {z_2})\) where \(\mathtt {c_1}\ne \mathtt {c_2}\), outputs witnesses w such that \((x,w)\in {\mathcal {R}}\).

• Special Honest Verifier Zero-knowledge (SHVZK): there exists a ppt simulator algorithm \(\mathsf {S}\) that for any \(x\in L\), security parameter \(\lambda \) and any challenge \(\mathtt {c}\) works as follow: \(( \mathtt {a},\mathtt {z}) \leftarrow \mathsf {S}(1^\lambda , x,\mathtt {c})\). Furthermore, the distribution of the output of \(\mathsf {S}\) is computationally indistinguishable from the distribution of a transcript obtained when \(\mathcal {V}\) sends \(\mathsf {S}\) as challenges and \(\mathcal {P}\) runs on common input x and any w such that \((x,w)\in {\mathcal {R}}\).

Definition 15

A perfect \(\varSigma \)-Protocol is \(\varSigma \)-Protocol that satisfies a strong SHVZK requirement, that is:

Perfect Special Honest Verifier Zero-knowledge: there exists a ppt simulator algorithm \(\mathsf {S}\) that for any \(x\in L\), security parameter \(\lambda \) and any challenge \(\mathtt {c}\) works as follow: \(( \mathtt {a},\mathtt {z}) \leftarrow \mathsf {S}(1^\lambda , x,\mathtt {c})\). Furthermore, the distribution of the output of \(\mathsf {S}\) is perfect indistinguishable from the distribution of a transcript obtained when \(\mathcal {V}\) sends \(\mathsf {S}\) as challenges and \(\mathcal {P}\) runs on common input x and any w such that \((x,w)\in {\mathcal {R}}\).

Theorem 3

[16]. Every perfect \(\varSigma \)-protocol is perfect WI.

Theorem 4

[25]. The OR-composition of \(\varSigma \)-Protocols is WI.

Definition 16

A delayed-input 3-round system \(\varPi =(\mathcal {P}, \mathcal {V})\) for relation \({\mathcal {R}}\) enjoys adaptive-input special soundness if there exists a polynomial time algorithm \(\mathtt {Ext}\) such that, for any pair of accepting transcripts \(\mathtt {a},\mathtt {c_1},\mathtt {z_1}\) for input \(x_1\) and \(\mathtt {a},\mathtt {c_2},\mathtt {z_2}\) for input \(x_2\) with \(\mathtt {c_1}\ne \mathtt {c_2}\), outputs witnesses \(w_1\) and \(w_2\) such that \((x_1,w_1)\in {\mathcal {R}}\) and \((x_2,w_2)\in {\mathcal {R}}\).

Definition 17

(Proof of Knowledge [37]). A protocol that is complete \(\varPi =(\mathcal {P}, \mathcal {V})\) is a proof of knowledge (PoK) for the relation \({\mathcal {R}}_\mathsf {L}\) if there exist a probabilistic expected polynomial-time machine \(\mathtt {Ext}\), called the extractor, such that for every algorithm \(\mathcal {P}^\star \), there exists a negligible function \(\nu \), every statement \(x\in \{0,1\}^\lambda \), every randomness \(r\in \{0,1\}^\star \) and every auxiliary input \(z\in \{0,1\}^\star \),

$$ \text{ Pr }\left[ \;\langle \mathcal {P}_{r}^{\star }(z), \mathcal {V}\rangle (x)=1\;\right] \le \text{ Pr }\left[ \;w \leftarrow \mathtt {Ext}^{\mathcal {P}_{r}^{\star }(z)} (x) :(x,w) \in {\mathcal {R}}\;\right] +\nu (\lambda ). $$

We also say that an argument system \(\varPi \) is a argument of knowledge (AoK) if the above condition holds w.r.t. any ppt \(\mathcal {P}^\star \).

In this paper we also consider the adaptive-input PoK/AoK property for all the protocols that enjoy delayed-input completeness. Adaptive-input PoK/AoK ensures that the PoK/AoK property still holds when a malicious prover can choose the statement adaptively at the last round.

Definition 18

Let X, Y be two random variables that takes values in V (i.e., V is the union of supports of X and Y). The statistical distance between X and Y is defined as follows:

$$ \frac{1}{2}\sum _{v \in V} |\text{ Pr }\left[ \;X = v\;\right] - \text{ Pr }\left[ \;Y = v\;\right] |. $$

Definition 19

[36] [s - Source Extractor]. A function \(\mathsf {E}_{n, \lambda }:\{\{0,1\}^n\}^s\rightarrow \{0,1\}^m\) is an extractor for independent \((n, \lambda )\) sources that uses s sources and outputs m bits with error \(\epsilon \), if for any s independent \((n, \lambda )\) sources \(X_1, X_2,\dots , X_s\), we have that

$$ |\mathsf {E}_{n,\lambda }(X_1, X_2,\dots , X_s)-\mathcal {U}_m| \le \epsilon $$

where \(| \cdot |\) denotes the statistical distance.

The author of [36] gave a construction of a 3-source extractor, with parameters \(\lambda \ge \log ^{12} n\), \(m=0.9\lambda \) and \(\epsilon =2^{-\lambda ^{\omega (1)}}\).