Abstract
Numerous cryptographic applications require efficient non-interactive zero-knowledge proofs of knowledge (NIZKPoK) as a building block. Typically they rely on the Fiat-Shamir heuristic to do so, as security in the random-oracle model is considered good enough in practice. However, there is a troubling disconnect between the stand-alone security of such a protocol and its security as part of a larger, more complex system where several protocols may be running at the same time. Provable security in the general universal composition model (GUC model) of Canetti et al. is the best guarantee that nothing will go wrong when a system is part of a larger whole, even when all parties share a common random oracle. In this paper, we prove the minimal necessary properties of generally universally composable (GUC) NIZKPoK in any global random-oracle model, and show how to achieve efficient and GUC NIZKPoK in both the restricted programmable and restricted observable (non-programmable) global random-oracle models.
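The Fiat-Shamir transform the abstract refers to, as an added illustration that is not the paper's own construction: a Schnorr Sigma-protocol for knowledge of a discrete logarithm made non-interactive by taking the challenge from a hash, with the hash wrapped in a small `RandomOracle` object whose query log stands in for the observable interface and whose `program` method stands in for the programmable one. The session id that keys every query (a stand-in for the session-scoping of a global random oracle), the toy 64-bit safe-prime group, and all function and class names are assumptions of this example. The simulator shows why programming matters for zero knowledge: it fixes the challenge before the first message, so under an observe-only oracle the same simulated transcript does not verify.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def gen_group(bits: int = 64):
    """Toy group (assumed for this example): safe prime p = 2q + 1 and g = 4,
    a square mod p and hence of order exactly q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

class RandomOracle:
    """SHA-256 stand-in for a global random oracle: queries are keyed by a session id
    and logged (observable); an unqueried point may have its answer fixed (programmable)."""

    def __init__(self):
        self.log, self.table = [], {}

    def query(self, sid: bytes, data: bytes) -> bytes:
        key = (sid, data)
        self.log.append(key)
        if key in self.table:
            return self.table[key]
        return hashlib.sha256(sid + b"\x00" + data).digest()

    def program(self, sid: bytes, data: bytes, out: bytes) -> bool:
        key = (sid, data)
        if key in self.table or key in self.log:
            return False  # answer already fixed: programming it would be inconsistent
        self.table[key] = out
        return True

def _transcript(p, g, y, t) -> bytes:
    # Hash the statement (p, g, y) together with t, so the challenge is bound to both.
    return b"|".join(str(v).encode() for v in (p, g, y, t))

def challenge(ro, sid, params, y, t) -> int:
    p, q, g = params
    return int.from_bytes(ro.query(sid, _transcript(p, g, y, t)), "big") % q

def prove(ro, sid, params, x):
    """Honest prover: Schnorr Sigma-protocol with the challenge taken from the oracle."""
    p, q, g = params
    y, r = pow(g, x, p), secrets.randbelow(q)
    t = pow(g, r, p)
    return t, (r + challenge(ro, sid, params, y, t) * x) % q

def verify(ro, sid, params, y, proof) -> bool:
    p, q, g = params
    t, z = proof
    if not (0 < t < p and pow(t, q, p) == 1 and 0 <= z < q):
        return False
    return pow(g, z, p) == t * pow(y, challenge(ro, sid, params, y, t), p) % p

def simulate(ro, sid, params, y):
    """Simulator: pick c, z first, set t = g^z * y^(-c), then program H(sid, statement, t) := c.
    Without programming, t would receive an independent challenge and (t, z) would not verify."""
    p, q, g = params
    c, z = secrets.randbelow(q), secrets.randbelow(q)
    t = pow(g, z, p) * pow(y, q - c, p) % p
    if not ro.program(sid, _transcript(p, g, y, t), c.to_bytes(32, "big")):
        return None
    return t, z

def demo(bits: int = 64) -> dict:
    params = gen_group(bits)
    p, q, g = params
    x = 1 + secrets.randbelow(q - 1)  # witness; x != 0 mod q, so y != 1
    y, sid = pow(g, x, p), b"session-A"
    honest, programmed = RandomOracle(), RandomOracle()
    proof = prove(honest, sid, params, x)
    sim = simulate(programmed, sid, params, y)
    return {
        "honest": verify(honest, sid, params, y, proof),
        "other_session": verify(honest, b"session-B", params, y, proof),
        "simulated": verify(programmed, sid, params, y, sim),
        "simulated_unprogrammed": verify(RandomOracle(), sid, params, y, sim),
    }
```

Running `demo()` gives an honest proof that verifies only under the session id it was produced for, and a simulated proof that verifies only under the oracle the simulator was allowed to program. The `program` method refuses points that have already been queried, which is the consistency condition any programming strategy has to respect when the oracle is shared with other parties.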
Notes
1. For a full discussion of the subtle differences between observation and programming privileges in the global ROM(s), see Appendix A.2 in the full version [37].
2. As discussed by Camenisch et al. [10], the challenger in such a hybrid experiment can make use of techniques like programming and rewinding that are otherwise "illegal" for the simulator to employ in the GUC model.
References
[1] Adida, B.: Helios: web-based open-audit voting. In: van Oorschot, P.C. (ed.) Proceedings of the 17th USENIX Security Symposium, pp. 335–348 (2008)
[2] Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_16
[3] Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
[4] Benhamouda, F., Lepoint, T., Loss, J., Orrù, M., Raykova, M.: On the (in)security of ROS. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 33–53. Springer (2021)
[5] Blum, M., De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)
[6] Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_31
[7] Bowe, S., Gabizon, A., Miers, I.: Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive (2017)
[8] Brands, S.: Rethinking Public Key Infrastructure and Digital Certificates – Building in Privacy. PhD thesis, Eindhoven Inst. of Tech., The Netherlands (1999)
[9] Camenisch, J., Damgård, I.: Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 331–345. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_25
[10] Camenisch, J., Drijvers, M., Gagliardoni, T., Lehmann, A., Neven, G.: The wonderful world of global random oracles. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 280–312. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_11
[11] Camenisch, J., Hohenberger, S., Kohlweiss, M., Lysyanskaya, A., Meyerovich, M.: How to win the clonewars: efficient periodic n-times anonymous authentication. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 201–210. ACM (2006)
[12] Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_18
[13] Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7
[14] Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_20
[15] Camenisch, J., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_8
[16] Camenisch, J., Michels, M.: Separability and efficiency for generic group signature schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 413–430. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_27
[17] Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_8
[18] Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052252
[19] Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)
[20] Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_4
[21] Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_2
[22] Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 597–608 (2014)
[23] Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_18
[24] Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
[25] Cramer, R., Damgård, I., Xing, C., Yuan, C.: Amortized complexity of zero-knowledge proofs revisited: achieving linear soundness slack. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 479–500. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_17
[26] Damgård, I.: On \(\varSigma \)-protocols. University of Aarhus, Department of Computer Science (2002)
[27] Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy, pp. 1084–1101. IEEE (2019)
[28] Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
[29] Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
[30] Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors (2005). Manuscript. http://www.cryptoplexity.informatik.tu-darmstadt.de/media/crypt/publications_1/fischlinonline-extractor2005.pdf
[31] Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 152–168. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_10
[32] Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052225
[33] Goh, E.-J., Jarecki, S.: A signature scheme as secure as the Diffie-Hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_25
[34] Katsumata, S.: A new simple technique to bootstrap various lattice zero-knowledge proofs to QROM secure NIZKs. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 580–610. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_20
[35] Kondi, Y., Shelat, A.: Improved straight-line extraction in the random oracle model with applications to signature aggregation. Cryptology ePrint Archive (2022)
[36] Lipmaa, H.: Statistical zero-knowledge proofs from diophantine equations (2001). http://eprint.iacr.org/2001/086
[37] Lysyanskaya, A., Rosenbloom, L.N.: Universally composable sigma-protocols in the global random-oracle model. Cryptology ePrint Archive (2022)
[38] Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
[39] Nick, J., Ruffing, T., Seurin, Y.: MuSig2: simple two-round Schnorr multi-signatures. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 189–221. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_8
[40] Pass, R.: On deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_19
[41] Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
[42] De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_33
[43] Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
[44] Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_19
[45] Watrous, J.: Zero-knowledge against quantum attacks. SIAM J. Comput. 39(1), 25–58 (2009)
[46] Wikström, D.: A commitment-consistent proof of a shuffle. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2009, pp. 407–421. Springer (2009)
Acknowledgements
Many thanks to Yashvanth Kondi and abhi shelat for crucial security analysis of our original OR-protocol construction, and to Jack Doerner for insightful discussions about \(\mathcal {F}_{\texttt{NIZK}}\) that inspired our results in Sect. 3.5. This research was supported by NSF grant 2154170, and by grants from Meta.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Lysyanskaya, A., Rosenbloom, L.N. (2022). Universally Composable \(\varSigma \)-protocols in the Global Random-Oracle Model. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_8
DOI: https://doi.org/10.1007/978-3-031-22318-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22317-4
Online ISBN: 978-3-031-22318-1