Abstract
Consider the scenario that the prover and the verifier perform the zero-knowledge (ZK) proof protocol for the same statement multiple times sequentially, where each proof is modeled as a session. We focus on the problem of how to resume a ZK proof efficiently in such scenario. We introduce a new primitive called resumable honest verifier zero-knowledge proof of knowledge (resumable HVZKPoK) and propose a general construction of the resumable HVZKPoK for circuits based on the “MPC-in-the-head" paradigm, where the complexity of the resumed session is less than that of the original ZK proofs. To ensure the knowledge soundness for the resumed session, we identify a property called extractable decomposition. Interestingly, most block ciphers satisfy this property and the cost of resuming session can be reduced dramatically when the underlying circuits are implemented with block ciphers. As a direct application of our resumable HVZKPoK, we construct a post quantum secure stateful signature scheme, which makes Picnic3 suitable for blockchain protocol. Using the same parameter setting of Picnic3, the sign/verify time of our subsequent signatures can be reduced to 3.1%/3.3% of Picnic3 and the corresponding signature size can be reduced to 36%. Moreover, by applying a parallel version of our method to the well known Cramer, Damgård and Schoenmakers (CDS) transformation, we get a compressed one-out-of-N proof for circuits, which can be further used to construct a ring signature from symmetric key primitives only. When the ring size is less than \(2^4\), the size of our ring signature scheme is only about 1/3 of Katz et al.’s construction.
References
Abe, M., Ambrona, M., Bogdanov, A., Ohkubo, M., Rosen, A.: Non-interactive composition of sigma-protocols via share-then-hash. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 749–773. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_25
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: ACM CCS 2017, pp. 2087–2104. ACM Press, New York (2017). https://doi.org/10.1145/3133956.3134104
Avanzi, R., et al.: Crystals-kyber. NIST PQC Round 3, 4 (2020)
Baum, C., Nof, A.: Concretely-efficient zero-knowledge arguments for arithmetic circuits and their application to lattice-based cryptography. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 495–526. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_17
Baum, C., de Saint Guilhem, C.D., Kales, D., Orsini, E., Scholl, P., Zaverucha, G.: Banquet: short and fast signatures from AES. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 266–297. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_11
Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_19
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23
Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 90–108. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_6
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 103–128. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_4
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: 23rd USENIX Security Symposium, pp. 781–796. USENIX Association, San Diego, CA (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/ben-sasson
Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991). https://doi.org/10.1137/0220068
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
Bootle, J., Groth, J.: Efficient batch zero-knowledge arguments for low degree polynomials. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 561–588. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_19
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334 (2018). https://doi.org/10.1109/SP.2018.00020
Chase, M., et al.: The Picnic signature scheme, design document v2.1 (2019)
Chase, M., et al.: The Picnic signature scheme, design document v2.2. Available at https://microsoft.github.io/Picnic/ (2020)
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: ACM CCS 2017, pp. 1825–1842. ACM Press, New York (2017). https://doi.org/10.1145/3133956.3133997
Costello, C., et al.: Geppetto: versatile verifiable computation. In: 2015 IEEE Symposium on Security and Privacy, pp. 253–270 (2015). https://doi.org/10.1109/SP.2015.23
Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
Ding, J., Chen, M.S., Petzoldt, A., Schmidt, D., Yang, B.Y.: Rainbow. NIST PQC Round 3, 4 (2020)
Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999). https://doi.org/10.1137/S0097539792230010
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Fischlin, M., Harasser, P., Janson, C.: Signatures from sequential-or proofs. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 212–244. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_8
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: 25th USENIX Security Symposium, pp. 1069–1083. USENIX Association, Austin, TX (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/giacomelli
Goel, A., Green, M., Hall-Andersen, M., Kaptchuk, G.: Stacking sigmas: a framework to compose \(\sigma \)-protocols for disjunctions. Cryptology ePrint Archive, Report 2021/422 (2021). https://ia.cr/2021/422
Goel, A., Green, M., Hall-Andersen, M., Kaptchuk, G.: Efficient set membership proofs using MPC-in-the-head. In: Proceedings on Privacy Enhancing Technologies 2022(2), 304–324 (2022). https://doi.org/10.2478/popets-2022-0047
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In: SFCS 1986, pp. 174–187. IEEE Computer Society Press (1986). https://doi.org/10.1109/SFCS.1986.47
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989). https://doi.org/10.1137/0218012
Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_21
Henry, R., Goldberg, I.: Batch proofs of partial knowledge. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 502–517. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_32
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: STOC 2007, pp. 21–30. ACM Press, New York (2007). https://doi.org/10.1145/1250790.1250794
Kales, D., Zaverucha, G.: Improving the performance of the picnic signature scheme. Cryptology ePrint Archive, Report 2020/427 (2020). https://eprint.iacr.org/2020/427
Katz, J.: Digital signatures. Springer Science & Business Media (2010)
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: ACM CCS 2018, pp. 525–537. ACM Press, New York (2018). https://doi.org/10.1145/3243734.3243805
Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252 (2013). https://doi.org/10.1109/SP.2013.47
Peng, K., Bao, F.: Batch ZK proof and verification of OR logic. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 141–156. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01440-6_13
Rescorla, E., Dierks, T.: The transport layer security (TLS) protocol version 1.3. RFC 8446, https://doi.org/10.17487/RFC8446, August 2018 (2018)
de Saint Guilhem, C.D., De Meyer, L., Orsini, E., Smart, N.P.: BBQ: using AES in picnic signatures. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 669–692. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_27
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 926–943 (2018). https://doi.org/10.1109/SP.2018.00060
Zhang, H., Wei, P., Xue, H., Deng, Y., Li, J., Wang, W., Liu, G.: Resumable zero-knowledge for circuits from symmetric key primitives. Cryptology ePrint Archive, Report 2022/556 (2022). https://eprint.iacr.org/2022/556
Acknowledgements
We would like to thank the anonymous reviewers for their insightful and helpful comments. Handong Zhang, Puwen Wei, Jinsong Li, Wei Wang and Guoxiao Liu were supported by the National Key Research and Development Program of China (Grant No. 2018YFA0704702), Shandong Provincial Key Research and Development Program (Major Scientific and Technological Innovation Project) (Grant No.2019JZZY010133) and Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053). Haiyang Xue was supported by the National Natural Science Foundation of China (Grant No. 62172412). Yi Deng was supported by the National Natural Science Foundation of China (Grant No. 61932019 and No. 61772522), the Key Research Program of Frontier Sciences, CAS (Grant No. QYZDB-SSW-SYS035) and Natural Science Foundation of Beijing (Grant No. M22003).
A Proof of Theorem 1
Proof
Completeness. This property follows from the correctness of the underlying MPC protocol \(\mathrm{\Pi }\) used in \(\pi ^{F}\) and \(\pi ^{f}\).
Resumable Honest Verifier Zero-Knowledge. We need to consider a simulator for all \(q(\kappa )\) sessions instead of only one, where the simulation of the transcripts generated by \(\pi ^F\) and \(\pi ^{f}\) follows the idea of [38]. Let \(\textsf {Sim}_\mathrm{\Pi }\) denote the simulator of the MPC protocol \(\mathrm{\Pi }\). The simulator \(\textsf {Sim}\) of \(\varPi _{Res}\) is described as follows.
- Simulation for the initial session \(\textsf {session}(1)\).
  1. \(\textsf {Sim}\) chooses random \(\mathcal {C}\) and \(\mathcal {P}\) as the challenges for the preprocessing phase and the online phase, respectively.
  2. For each instance \(j \not \in \mathcal {C}\), \(\textsf {Sim}\) prepares \(\lambda _{j}\) using \(\{\textsf {state}_{j, i, 1}\}_{i \in [n]}\) and generates the corresponding \(\textsf {resp}_{pre, 1}^{F}\) as an honest prover would do in the preprocessing phase.
  3. For each instance \(j \in \mathcal {C}\), \(\textsf {Sim}\) chooses a random masked input for the MPC protocol and \(n - 1\) random states for the \(n - 1\) parties determined by \(\mathcal {P}\). Then, \(\textsf {Sim}\) runs \(\textsf {Sim}_\mathrm{\Pi }\) to simulate the views of the n parties during the MPC protocol and computes the corresponding \(\textsf {com}_{on, 1}^{F}\). Notice that \(\textsf {Sim}\) can obtain the corresponding intermediate masked value \(\hat{w}^{\prime }_{j}\) for each instance \(j \in \mathcal {C}\) from the simulated views. As mentioned in Sect. 2.1, the indistinguishability between the simulated execution of \(\textsf {Sim}_\mathrm{\Pi }\) and the real execution relies on the security of the underlying PRG.
  4. \(\textsf {Sim}\) computes \(\textsf {com}_{pre, 1}^{F}\) and \(\textsf {resp}_{on, 1}^{F}\) according to the transcripts generated in steps 2 and 3. For the generation of \(\textsf {com}_{pre, 1}^{F}\), the state of the party in \(\mathcal {P}\) of each instance can be set to the all-zero string of appropriate length.
  5. \(\textsf {Sim}\) randomly chooses \(\textsf {seed}_{2}^\mathrm{\Delta }\) and \(\{\textsf {state}'_{j, i, 2}\}_{j \in \mathcal {C}, i \in [n]}\), and computes the corresponding commitment \(\textsf {com}_{pre,2}^f\). It generates \(\textsf {com}_{on, 1}\) as the commitment to \(\textsf {com}_{on, 1}^{F}||\textsf {com}_{pre,2}^f||\textsf {seed}_{2}^\mathrm{\Delta }||\{\textsf {state}'_{j, n, 2}\}_{j \in \mathcal {C}}\).
- Simulation for a subsequent session \(\textsf {session}(t)\), where \(1 < t \le q(\kappa )\).
  1. \(\textsf {Sim}\) chooses a random \(\mathcal {P}\) as the challenge for the online phase.
  2. For each instance \(j \in \mathcal {C}\), \(\textsf {Sim}\) computes the rerandomized intermediate masked input \(\hat{w}^{\prime }_{j} \oplus \mathrm{\Delta }_{j}\), in which \(\hat{w}^{\prime }_{j}\) is the intermediate masked value of \(\textsf {session}(1)\) and \(\mathrm{\Delta }_{j}\) is generated from \(\textsf {seed}_{t}^\mathrm{\Delta }\). Note that \(\textsf {Sim}\) has the states of the \(n - 2\) parties determined by \(\mathcal {P}\). Then, \(\textsf {Sim}\) runs \(\textsf {Sim}_\mathrm{\Pi }\) to simulate the views of the n parties during the MPC protocol, and computes the corresponding \(\textsf {com}_{on, t}^{f}\).
  3. \(\textsf {Sim}\) randomly chooses \(\textsf {seed}_{t+1}^\mathrm{\Delta }\) and \(\{\textsf {state}'_{j, i, t+1}\}_{j \in \mathcal {C}, i \in [n]}\), and computes the corresponding commitment \(\textsf {com}_{pre,t+1}^f\). It generates \(\textsf {com}_{on, t}\) as the commitment to \(\textsf {com}_{on, t}^{f}||\textsf {com}_{pre,t+1}^f||\textsf {seed}_{t+1}^\mathrm{\Delta }||\{\textsf {state}'_{j, n, t+1}\}_{j \in \mathcal {C}}\).
Following a standard hybrid argument, we have that the transcript generated by \(\textsf {Sim}\) is computationally indistinguishable from that of a real protocol, where the indistinguishability relies on the indistinguishability of the simulated transcripts generated by \(\textsf {Sim}_\mathrm{\Pi }\) and the hiding property of the commitment scheme.
Resumable Knowledge Soundness. The proof of the resumable knowledge soundness is similar to that of [5, 38], except that we need to show that there exists a witness extractor \(\mathcal {E}\) for each session, especially the resumed session.
We first show the soundness error \(\xi (M, n, \tau )\). Since \(\varPi _{Res, 1}\) is the same as the original KKW protocol except for the additional processing of the masks for the next session, the soundness error \(\xi _{1}\) of \(\varPi _{Res, 1}\) is the same as that of [38]. That is,
where c denotes the number of preprocessing emulations where the malicious prover cheats.
On the soundness error of \(\varPi _{Res, 2}\), recall the soundness game of Sect. 3, where the malicious prover can invoke the “honest" prover to interact with the verifier for polynomially many sessions, say \(\textsf {session}(1), \ldots , \textsf {session}(t-1)\) for \(1 < t \le q(\kappa )\), and then tries to convince the verifier in \(\textsf {session}(t)\) without the help of the “honest" prover. Note that the masks for \(\textsf {session}(t)\) are generated by the honest prover in \(\textsf {session}(t-1)\). So a malicious prover of session t can cheat only in the online phase, where it must cheat in the view of one of the \(n - 1\) parties. Thus, the probability that the prover is not detected in \(\varPi _{Res, 2}\) is \( \xi _{t}(M, n, \tau ) = \frac{1}{(n-1)^{\tau }}. \) Therefore, we have \(\xi (M, n, \tau ) = \max \left\{ \xi _{1}(M, n, \tau ), \xi _{t}(M, n, \tau ) \right\} \) for any \(1 < t \le q(\kappa )\). Next, we prove the resumable knowledge soundness property by showing how to construct \(\mathcal {E}\) to extract a valid witness for each session. As explained above, the knowledge soundness proof of [5] applies to \(\varPi _{Res, 1}\) directly. We therefore focus on \(\varPi _{Res, 2}\) of \(\textsf {session}(t)\), where \(1 < t \le q(\kappa )\). For simplicity we assume that the commitment scheme is perfectly binding.
We first prove that if the success probability of cheating satisfies \(\delta _{t}(x) > \xi _{t}(M, n, \tau )\), then there exists at least one MPC instance in \(\mathcal {C}\) for which the prover has committed to a valid intermediate value \(w'\). Consider a deterministic prover with a fixed random tape, and let v be a 0/1-vector of length \((n-1)^{\tau }\), where each entry corresponds to a possible challenge for the online phase of \(\mathcal {V}^{(t)}\) and 1 denotes the event of success. Hence, \(\delta _{t}(x)\) is the fraction of ‘1’ entries in v, and the number of ‘1’ entries in v is greater than 1 because \(\delta _{t}(x) > \xi _{t}(M, n, \tau ) = \frac{1}{(n-1)^{\tau }}\). That is, there must exist two accepting transcripts with different challenges \(\{p_{j}\}_{j \in \mathcal {C}}\) and \(\{p'_{j}\}_{j \in \mathcal {C}}\) such that \(p_{j} \ne p'_{j}\) for some MPC instance j. This means that all the views of the parties in instance j are correct, so the witness used in this instance must be a valid intermediate value \(w'\).
However, since f is only a part of F, it may be easy for a malicious prover to find a different \(w^{*} \ne w'\) such that \(f(w^{*}) = 1\). It seems that any malicious prover who can find such a \(w^{*}\) could cheat in the next session by computing \(\lambda _{w^{*}} = w' \oplus \lambda _{w'} \oplus w^{*}\) and generating the corresponding n shares of \(\lambda _{w^{*}} \oplus \mathrm{\Delta }\). (\(w' \oplus \lambda _{w'}\) can be extracted during the verification of the initial session.) Thanks to the binding property of the commitment \(\textsf {com}_{on, t}\) in \(\pi _{cert}\), it is hard for the adversary to provide a consistency proof using such \(w^{*}\) and \(\lambda _{w^{*}} \). For instance, in session\((t-1)\), \(\textsf {com}_{on, t-1}\) is the commitment to \(\textsf {com}_{on, t-1}^{f}|| \textsf {com}_{pre, t}^{f}||\textsf {seed}_{t}^\mathrm{\Delta }\) \(||\{\textsf {state}'_{j, n, t}\}_{j \in \mathcal {C}}\), where (\(\textsf {com}_{on, t-1}\), \(\textsf {com}_{pre, t}^{f}\), \(\textsf {seed}_{t}^\mathrm{\Delta }\), \(\{\textsf {state}'_{j, n, t}\}_{j \in \mathcal {C}}\)) are public. The rerandomized mask for session(t), say \(\lambda _{w'} \oplus \mathrm{\Delta }\), is determined by (\(\textsf {com}_{pre, t}^{f}\), \(\textsf {seed}_{t}^\mathrm{\Delta }\), \(\{\textsf {state}'_{j, n, t}\}_{j \in \mathcal {C}}\)) and cannot be modified without breaking the binding of \(\textsf {com}_{on, t-1}\). (The use of a mask \(\lambda _{w^*}\) with \(\lambda _{w^*}\ne \lambda _{w'} \oplus \mathrm{\Delta }\) is detected by checking the consistency of \(\textsf {com}_{on, t-1}\) and \(\textsf {com}_{pre, t}^{f}\).)
Therefore, a malicious prover needs to either (1) guess the challenge sent by the verifier, which succeeds with probability \(\frac{1}{n-1}\) for each instance, or (2) find \(n-1\) random seeds that generate an \((n-1)\)-out-of-\((n-1)\) secret sharing of \(\lambda _{w^{*}} \oplus \mathrm{\Delta } \oplus [\lambda _{w'} \oplus \mathrm{\Delta }]_{n}\), where each share is generated by running the PRG on the corresponding random seed. The latter succeeds with only negligible probability assuming the underlying PRG is secure. Hence, \(\textsf {com}_{on, t-1}\) and \(\textsf {com}_{pre, t}^f\) guarantee the consistency of \(w'\) in session(t) with w.
Next, we show how to extract the witness from two accepting transcripts with challenges \(\{p_{j}\}_{j \in \mathcal {C}}\) and \(\{p'_{j}\}_{j \in \mathcal {C}}\) that differ on instance j. Since \(p_{j} \ne p'_{j}\), the transcript with \(p_j\) reveals \(n-1\) shares of the mask of the intermediate masked input, whereas the transcript with \(p'_j\) reveals the remaining share (note that the share of the n-th party is public). Hence, we obtain all the shares and can recover the intermediate value \(w'\). Due to the special property of the decomposition of F, the witness w can then be extracted from \(w'\).
To sum up, the extractor \(\mathcal {E}\) is described as follows.
1. Run \(\varPi _{Res, 2}\) with the prover in session t until the event of success happens, in order to find a ‘1’ entry of the vector v; let the corresponding challenge be \(\{p_{j}\}_{j \in \mathcal {C}}\).
2. Run \(\varPi _{Res, 2}\) with the prover in session t (using different challenges) until a different ‘1’ entry is found, whose corresponding challenge \(\{p'_{j}\}_{j \in \mathcal {C}}\) satisfies \(p_{j} \ne p'_{j}\).
3. Extract the witness w in execution j using the related transcripts with \(\{p_{j}\}_{j \in \mathcal {C}}\) and \(\{p'_{j}\}_{j \in \mathcal {C}}\). If \(F(w) = y\), output w and halt.
Let \(\delta _{t}(x) = \xi _{t}(M, n, \tau ) + \epsilon _{t}(x)\) for some \(\epsilon _{t}(x) > 0\). The expected running time of steps 1 and 2 is \(\frac{1}{\delta _{t}(x)} < \frac{1}{\epsilon _{t}(x)}\), and the running time of step 3 depends on the running time of evaluating F(w) on the common input x, which is assumed to be more efficient than steps 1 and 2. Therefore, a valid witness can be extracted in \(O(\frac{1}{\epsilon _{t}(x)})\) expected steps.
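The consistency argument for \(\textsf {com}_{on, t-1}\) and the extraction from two accepting transcripts above, as an added Python example that is not part of the paper's own implementation. It models one MPC instance of a resumed session with XOR-shared masks; the PRG (SHAKE-128), the commitment (a plain hash), the party-numbering convention and the dictionary layout are all assumptions made here for illustration.

```python
import hashlib
import secrets

WIDTH = 16  # byte length of the intermediate value w' (constructed; any width works)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prg(seed: bytes, label: bytes) -> bytes:
    # Toy PRG built from SHAKE-128 (assumption; the paper only needs a secure PRG).
    return hashlib.shake_128(seed + label).digest(WIDTH)

def commit(*parts: bytes) -> bytes:
    # Toy binding commitment: a hash of the parts (assumption; any binding commitment works).
    return hashlib.sha256(b"|".join(parts)).digest()

def share_mask(mask: bytes, states: list) -> list:
    # Parties 1..n-1 derive their share of the mask from their state; party n's share is
    # fixed so that all n shares XOR to `mask`, and it is published (as in KKW and the paper).
    shares = [prg(s, b"share") for s in states]
    last = mask
    for s in shares:
        last = xor(last, s)
    return shares + [last]

def prover_resume(w_prime: bytes, lam: bytes, n: int):
    """Prover side of session(t): rerandomise lambda_{w'} with Delta expanded from seed^Delta,
    share lambda_{w'} xor Delta under fresh states, and bind seed^Delta and the public
    n-th share in the commitment com_on (the pi_cert part of the proof)."""
    seed_delta = secrets.token_bytes(16)
    new_mask = xor(lam, prg(seed_delta, b"delta"))
    states = [secrets.token_bytes(16) for _ in range(n - 1)]
    shares = share_mask(new_mask, states)
    com_pre = commit(*shares)
    com_on = commit(com_pre, seed_delta, shares[-1])
    public = {"n": n, "masked": xor(w_prime, new_mask), "com_pre": com_pre,
              "com_on": com_on, "seed_delta": seed_delta, "last_share": shares[-1]}
    secret = {"states": states}
    return public, secret

def open_for_challenge(secret: dict, p: int) -> dict:
    # The online challenge p in [1, n-1] names the one party whose state stays hidden;
    # the accepting transcript reveals the states of every other party.
    return {"p": p, "states": {i: s for i, s in enumerate(secret["states"], 1) if i != p}}

def check_consistency(public: dict) -> bool:
    # Verifier's pi_cert check: com_on must open to (com_pre, seed^Delta, n-th share).
    # A prover who swaps in a different mask lambda_{w*} changes one of these and fails.
    return public["com_on"] == commit(public["com_pre"], public["seed_delta"],
                                      public["last_share"])

def extract(public: dict, t1: dict, t2: dict) -> bytes:
    """Extractor E: two accepting transcripts with p != p' together reveal all n-1 hidden
    states; with the public n-th share this yields the whole mask and w' = masked xor mask."""
    if t1["p"] == t2["p"]:
        raise ValueError("need two accepting transcripts with different challenges")
    states = {**t1["states"], **t2["states"]}
    mask = public["last_share"]
    for i in range(1, public["n"]):
        mask = xor(mask, prg(states[i], b"share"))
    return xor(public["masked"], mask)

def demo(n: int = 4, p1: int = 1, p2: int = 3) -> bool:
    w_prime = secrets.token_bytes(WIDTH)   # constructed intermediate value w'
    lam = secrets.token_bytes(WIDTH)       # its mask lambda_{w'} left over from session(1)
    public, secret = prover_resume(w_prime, lam, n)
    t1, t2 = open_for_challenge(secret, p1), open_for_challenge(secret, p2)
    return check_consistency(public) and extract(public, t1, t2) == w_prime
```

A single transcript leaves exactly one party's state hidden, so `extract` needs the second transcript with a different challenge, mirroring why the soundness error of one online phase is \(\frac{1}{n-1}\) per instance.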
Resumption Efficiency. \(\varPi _{Res,2}\) consists of \(\pi ^f\) and the consistency proof \(\pi _{cert}\). Since \(\pi ^f\) is a simplified KKW proof for the partial circuit of F (without cut-and-choose), the complexity of \(\pi ^f\) is much smaller than that of the original KKW proof for F. Recall that \(\pi _{cert}\) mainly consists of \(\textsf {com}_{on, 2}\) and \(\textsf {seed}_{3}^\mathrm{\Delta }\), so the cost of \(\pi _{cert}\) is only a very small fraction of that of \(\pi ^f\). Hence, although the overall complexity of \(\varPi _{Res,2}\) depends on the concrete decomposition of F, \(\varPi _{Res,2}\) is in general much more efficient than the original KKW proof \(\varPi '\) for F.
\(\square \)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Zhang, H. et al. (2022). Resumable Zero-Knowledge for Circuits from Symmetric Key Primitives. In: Nguyen, K., Yang, G., Guo, F., Susilo, W. (eds) Information Security and Privacy. ACISP 2022. Lecture Notes in Computer Science, vol 13494. Springer, Cham. https://doi.org/10.1007/978-3-031-22301-3_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22300-6
Online ISBN: 978-3-031-22301-3