Resumable Zero-Knowledge for Circuits from Symmetric Key Primitives

Abstract

Consider the scenario that the prover and the verifier perform the zero-knowledge (ZK) proof protocol for the same statement multiple times sequentially, where each proof is modeled as a session. We focus on the problem of how to resume a ZK proof efficiently in such scenario. We introduce a new primitive called resumable honest verifier zero-knowledge proof of knowledge (resumable HVZKPoK) and propose a general construction of the resumable HVZKPoK for circuits based on the “MPC-in-the-head" paradigm, where the complexity of the resumed session is less than that of the original ZK proofs. To ensure the knowledge soundness for the resumed session, we identify a property called extractable decomposition. Interestingly, most block ciphers satisfy this property and the cost of resuming session can be reduced dramatically when the underlying circuits are implemented with block ciphers. As a direct application of our resumable HVZKPoK, we construct a post quantum secure stateful signature scheme, which makes Picnic3 suitable for blockchain protocol. Using the same parameter setting of Picnic3, the sign/verify time of our subsequent signatures can be reduced to 3.1%/3.3% of Picnic3 and the corresponding signature size can be reduced to 36%. Moreover, by applying a parallel version of our method to the well known Cramer, Damgård and Schoenmakers (CDS) transformation, we get a compressed one-out-of-N proof for circuits, which can be further used to construct a ring signature from symmetric key primitives only. When the ring size is less than \(2^4\), the size of our ring signature scheme is only about 1/3 of Katz et al.’s construction.

A Proof of Theorem 1

Proof

Completeness. This property follows from the correctness of the underlying MPC protocol \(\mathrm{\Pi }\) used in \(\pi ^{F}\) and \(\pi ^{f}\).

Resumable Honest Verifier Zero-Knowledge. We need to consider the simulator for all \(q(\kappa )\) sessions instead of only one, where the simulation for the transcripts generated by \(\pi ^F\) and \(\pi ^{f}\) follows the idea of [38]. Let \(\textsf {Sim}_\mathrm{\Pi }\) denotes the simulator of the MPC protocol \(\mathrm{\Pi }\). The simulator \(\textsf {Sim}\) of \(\varPi _{Res}\) is described as follows.

• Simulation for initial session \(\textsf {session}(1)\).

  1. 1.

     \(\textsf {Sim}\) chooses random \(\mathcal {C}\) and \(\mathcal {P}\) as the challenge for the preprocessing phase and the online phase respectively.

  2. 2.

     For each instance \(j \not \in \mathcal {C}\), \(\textsf {Sim}\) prepares \(\lambda _{j}\) using \(\{\textsf {state}_{j, i, 1}\}_{i \in [n]}\) and generates the corresponding \(\textsf {resp}_{pre, 1}^{F}\) as an honest prover would do in the preprocessing phase.

  3. 3.

     For each instance \(j \in \mathcal {C}\), \(\textsf {Sim}\) chooses a random masked input for the MPC protocol and \(n - 1\) random states for \(n - 1\) parties determined by \(\mathcal {P}\). Then, \(\textsf {Sim}\) runs \(\textsf {Sim}_\mathrm{\Pi }\) to simulate the views of the n parties during the MPC protocol and computes corresponding \(\textsf {com}_{on, 1}^{F}\). Notice that \(\textsf {Sim}\) can get the corresponding intermediate masked value \(\hat{w}^{\prime }_{j}\) for each instance \(j \in \mathcal {C}\) from the simulated views. As mentioned in Sect. 2.1, the indistinguishability between the simulated execution of \(\textsf {Sim}_\mathrm{\Pi }\) and the real execution relies on the security of the underlying PRG.

  4. 4.

     \(\textsf {Sim}\) computes \(\textsf {com}_{pre, 1}^{F}\) and \(\textsf {resp}_{on, 1}^{F}\) according to the transcripts generated in step 2 and 3. For the generation of \(\textsf {com}_{pre, 1}^{F}\), the state of the party in \(\mathcal {P}\) of each instance can be set by 0-string with appropriate length.

  5. 5.

     \(\textsf {Sim}\) randomly chooses \(\textsf {seed}_{2}^\mathrm{\Delta }\) and \(\{\textsf {state}'_{j, i, 2}\}_{j \in \mathcal {C}, i \in [n]}\), and computes the corresponding commitment \(\textsf {com}_{pre,2}^f\). Generate \(\textsf {com}_{on, 1}\) as the commitment to \(\textsf {com}_{on, 1}^{F}||\textsf {com}_{pre,2}^f||\textsf {seed}_{2}^\mathrm{\Delta }||\{\textsf {state}'_{j, n, 2}\}_{j \in \mathcal {C}}\).

• Simulation for subsequent session \(\textsf {seesion}(t)\), where \(1 < t \le q(\kappa )\).

  1. 1.

     \(\textsf {Sim}\) chooses a random \(\mathcal {P}\) as the challenge for the online phase.

  2. 2.

     For each instance \(j \in \mathcal {C}\), \(\textsf {Sim}\) computes the rerandomized intermediate masked input \(\hat{w}^{\prime }_{j} \oplus \mathrm{\Delta }_{j}\), in which \(\hat{w}^{\prime }_{j}\) is the intermediate masked value of \(\textsf {seesion}(1)\) and \(\mathrm{\Delta }_{j}\) is generated by \(\textsf {seed}_{t}^\mathrm{\Delta }\). Note that \(\textsf {Sim}\) has \(n - 2\) parties’ states determined by \(\mathcal {P}\). Then, \(\textsf {Sim}\) runs \(\textsf {Sim}_\mathrm{\Pi }\) to simulate the views of n parties during the MPC protocol, and computes corresponding \(\textsf {com}_{on, t}^{f}\).

  3. 3.

     \(\textsf {Sim}\) randomly chooses \(\textsf {seed}_{t+1}^\mathrm{\Delta }\) and \(\{\textsf {state}'_{j, i, t+1}\}_{j \in \mathcal {C}, i \in [n]}\), and computes the corresponding commitment \(\textsf {com}_{pre,t+1}^f\). Generate \(\textsf {com}_{on, t}\) as the commitment to \(\textsf {com}_{on, t}^{f}||\textsf {com}_{pre,t+1}^f||\textsf {seed}_{t+1}^\mathrm{\Delta }||\{\textsf {state}'_{j, n, t+1}\}_{j \in \mathcal {C}}\).

Following a standard hybrid argument, we have that the transcript generated by \(\textsf {Sim}\) is computationally indistinguishable from that of a real protocol, where the indistinguishability relies on the indistinguishability of the simulated transcripts generated by \(\textsf {Sim}_\mathrm{\Pi }\) and the hiding property of the commitment scheme.

Resumable Knowledge Soundness. The proof of the resumable knowledge soundness is similar to that of [5, 38], except that we need to show that there exists a witness extractor \(\mathcal {E}\) for each session, especially the resumed session.

We first show the soundness error \(\xi (M, n, \tau )\). Since \(\varPi _{Res, 1}\) is similar to that of the original KKW except additional processing for the masks of the next session. The soundness error \(\xi _{1}\) of \(\varPi _{Res, 1}\) is the same as that of [38]. That is,

$$ \xi _{1}(M, n, \tau ) = \max \limits _{0 \le c \le \tau } \left\{ \frac{\left( {\begin{array}{c}M-c\\ M-\tau \end{array}}\right) }{\left( {\begin{array}{c}M\\ M-\tau \end{array}}\right) \cdot n^{\tau -c}} \right\} , $$

where c denotes the number of preprocessing emulations where the malicious prover cheats.

On the soundness error of \(\varPi _{Res, 2}\), recall the soundness game mentioned in Sect. 3, where the malicious prover can invoke the “honest" prover to interact with the verifier for polynomially-many sessions, say \( \mathrm{\textsf {session}}(1)\), ..., \( \mathrm{\textsf {session}}(t-1)\) for \(1 < t \le q(\kappa )\), and tries to convince the verifier in \(\textsf {session}(t)\) without the help of the “honest" prover. Note that the masks for \(\textsf {session}(t)\) are generated by the honest prover in \(\textsf {session}(t-1)\). So a malicious prover of session t can cheat only in the online phase, where he must cheat in one of the views of the \(n - 1\) parties. Thus, the probability that the prover will not be detected in \(\varPi _{Res, 2}\) is \( \xi _{t}(M, n, \tau ) = \frac{1}{(n-1)^{\tau }}. \) Therefore, we have \(\xi (M, n, \tau ) = \max \left\{ \xi _{1}(M, n, \tau ), \xi _{t}(M, n, \tau ) \right\} ,\) for any \(1 < t \le q(\kappa )\). Next, we proceed to prove the resumable knowledge soundness property by showing how to construct \(\mathcal {E}\) to extract a valid witness for each session. As explained above, the proof of knowledge soundness in [5] can be applied to \(\varPi _{Res, 1}\) directly. We focus on \(\varPi _{Res, 2}\) of \(\textsf {session}(t)\), where \(1 < t \le q(\kappa )\). For simplicity we assume that the commitment scheme is perfectly binding.

We first prove that if the success probability of cheating \(\delta _{t}(x) > \xi _{t}(M, n, \tau )\), then there exists at least one MPC instance of \(\mathcal {C}\), where the prover has committed to a valid intermediate value \(w'\). Considering the deterministic prover with fixed random tape, let v be a 0/1-vector with length \((n-1)^{\tau }\), where each entry corresponds to a possible challenge for the online phase of \(\mathcal {V}^{(t)}\) and 1 denotes the event of success. Hence, we have that \(\delta _{t}(x)\) is the fraction of ‘1’ entries in v and the number of ‘1’ entries in v is higher than 1 due to \(\delta _{t}(x) > \xi _{t}(M, n, \tau ) = \frac{1}{(n-1)^{\tau }}\). That is, there must exist two accepting transcripts with different challenges \(\{p_{j}\}_{j \in \mathcal {C}}\) and \(\{p'_{j}\}_{j \in \mathcal {C}}\) such that \(p_{j} \ne p'_{j}\) for an MPC instance j. That means all the views of the parties in instance j are correct and the witness used in this instance must be a valid intermediate value \(w'\).

However, since f is just a part of F, it may be easy for a malicious prover to find a different \(w^{*} \ne w'\) such that \(f(w^{*}) = 1\). It seems that any malicious prover who can find such a \(w^{*}\) can cheat in the next session by computing \(\lambda _{w^{*}} = w' \oplus \lambda _{w'} \oplus w^{*}\) and generating the corresponding n shares of \(\lambda _{w^{*}} \oplus \mathrm{\Delta }\). ( \(w' \oplus \lambda _{w'}\) can be extracted during the verification of the initial session.) Thanks to the binding property of the commitment \(\textsf {com}_{on, t}\) in \(\pi _{cert}\), it is hard for the adversary to provide consistency proof using such \(w^{*}\) and \(\lambda _{w^{*}} \). For instance, in session\((t-1)\), \(\textsf {com}_{on, t-1}\) is the commitment of \(\textsf {com}_{on, t-1}^{f}|| \textsf {com}_{pre, t}^{f}||\textsf {seed}_{t}^\mathrm{\Delta }\) \(||\{\textsf {state}'_{j, n, t}\}_{j \in \mathcal {C}}\), where (\(\textsf {com}_{on, t-1}\), \(\textsf {com}_{pre, t}^{f}\), \(\textsf {seed}_{t}^\mathrm{\Delta }\), \(\{\textsf {state}'_{j, n, t}\}_{j \in \mathcal {C}}\)) are public. The rerandomized mask for session(t), say \(\lambda _{w'} \oplus \mathrm{\Delta }\), is determined by (\(\textsf {com}_{pre, t}^{f}\), \(\textsf {seed}_{t}^\mathrm{\Delta }\), \(\{\textsf {state}'_{j, n, t}\}_{j \in \mathcal {C}}\)) and is hard to be modified due to \(\textsf {com}_{on, t-1}\). (The use of mask \(\lambda _{w^*}\) such that \(\lambda _{w^*}\ne \lambda _{w'} \oplus \mathrm{\Delta }\) will be detected by checking the consistency of \(\textsf {com}_{on, t-1}\) and \(\textsf {com}_{pre, t}^{f}\).) Therefore, a malicious prover needs to (1) guess the challenge sent by the verifier successfully, which happens with probability \(\frac{1}{n-1}\) for each instance, or (2) find \(n-1\) random seeds which can be used to generate an \((n-1)\)-out-of-\((n-1)\) secret-sharing of \(\lambda _{w^{*}} \oplus \mathrm{\Delta } \oplus [\lambda _{w'} \oplus \mathrm{\Delta }]_{n}\), where each share is generated by running PRG with the corresponding random seed. This can be done with negligible probability assuming the underlying PRG is secure. Hence, \(\textsf {com}_{on, t-1}\) and \(\textsf {com}_{pre, t}^f\) guarantee the consistency of \(w'\) in session(t) with w.

Next, we show how to extract the witness using two accepting transcripts with \(\{p_{j}\}_{j \in \mathcal {C}}\) and \(\{p'_{j}\}_{j \in \mathcal {C}}\) when the challenge for j is different. Since \(p_{j} \ne p'_{j}\), the transcripts with \(p_j\) reveals \(n-1\) shares of the masks of the intermediate masked input, whereas the transcripts with \(p'_j\) reveals the remaining shares (Notice that the shares of the n-th party is public). Hence, we can get all the shares to recover the intermediate value \(w'\). Due to the special property of the decomposition for F, the witness w can be further extracted from \(w'\).

To sum up, the extractor \(\mathcal {E}\) is described as follows.

1. 1.

   Run \(\varPi _{Res, 2}\) with the prover in session t until the event of success happens, in order to find an ‘1’ entry of the vector v, where the corresponding challenge is \(\{p_{j}\}_{j \in \mathcal {C}}\).

2. 2.

   Run \(\varPi _{Res, 2}\) with the prover in session t (using different challenges) until a different ‘1’ entry is found, where the corresponding challenge is \(\{p'_{j}\}_{j \in \mathcal {C}}\) such that \(p_{j} \ne p'_{j}\).

3. 3.

   Extract the witness \(\omega \) in execution j using the related transcripts with \(\{p_{j}\}_{j \in \mathcal {C}}\) and \(\{p'_{j}\}_{j \in \mathcal {C}}\). If \(F(w) = y\), output w and halt.

Let \(\delta _{t}(x) = \xi _{t}(M, n, \tau ) + \epsilon _{t}(x)\) for some \(\epsilon _{t}(x) > 0\). The expected running time of the step 1 and 2 is \(\frac{1}{\delta _{t}(x)} < \frac{1}{\epsilon _{t}(x)}\) and the running time of step 3 depends on the running time of F(w) with common input x, which is supposed to be more efficient than step 1 and 2. Therefore, a valid witness can be extracted in \(O(\frac{1}{\epsilon _{t}(x)})\) expected number of steps.

Resumption Efficiency. \(\varPi _{Res,2}\) consists of \(\pi ^f\) and the consistency proof \(\pi _{cert}\). Since \(\pi ^f\) is a simplified KKW proof for the partial circuits of F (without cut-and-choose), the complexity of \(\pi ^f\) is much smaller than that of the original KKW proof for F. Recall that \(\pi _{cert}\) mainly consists of \(\textsf {com}_{on, 2}\) and \(\textsf {seed}_{3}^\mathrm{\Delta }\). So the complexity of \(\pi _{cert}\) just takes a very small portion of \(\pi ^f\). Hence, although the overall complexity of \(\varPi _{Res,2}\) depends on the concrete decomposition of F, \(\varPi _{Res,2}\) is much efficient than that of the original KKW proof \(\varPi '\) for F in general.

   \(\square \)