Resettable Statistical Zero-Knowledge for \(\ensuremath {\textsf{NP}}\)

Conference paper in Advances in Cryptology – CRYPTO 2024 (CRYPTO 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14928)

Abstract

Resettable statistical zero-knowledge [Garg–Ostrovsky–Visconti–Wadia, TCC 2012] is a strong privacy notion that guarantees statistical zero-knowledge even when the prover uses the same randomness in multiple proofs.

In this paper, we show an equivalence of resettable statistical zero-knowledge arguments for \(\ensuremath {\textsf{NP}}\) and witness encryption schemes for \(\ensuremath {\textsf{NP}}\).

  • Positive result: For any \(\ensuremath {\textsf{NP}}\) language \({\textbf {L}}\), a resettable statistical zero-knowledge argument for \({\textbf {L}}\) can be constructed from a witness encryption scheme for \({\textbf {L}}\) under the assumption of the existence of one-way functions.

  • Negative result: The existence of even resettable statistical witness-indistinguishable arguments for \(\ensuremath {\textsf{NP}}\) implies the existence of witness encryption schemes for \(\ensuremath {\textsf{NP}}\) under the assumption of the existence of one-way functions.

The positive result is obtained by naturally extending existing techniques (and is likely to be already well-known among experts). The negative result is our main technical contribution.

To explore workarounds for the negative result, we also consider resettable security in a model where the honest party’s randomness is only reused with fixed inputs. We show that resettable statistically hiding commitment schemes are impossible even in this model.
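The definition above asks for zero-knowledge to survive the prover reusing its random tape across sessions. To see why that is a strong demand, the following Python code (an added illustration, not code from the paper) runs the classical three-round zero-knowledge proof for graph isomorphism of Goldreich, Micali and Wigderson [24] against a resetting verifier. The prover's random tape is modelled as a PRNG seed, and a reset is modelled by instantiating the prover twice with the same seed, so both incarnations pick the same relabelling sigma. Challenging one incarnation with b = 1 and the other with b = 0 reveals sigma and sigma∘pi, from which the verifier computes the witness pi. With two independent tapes the same pair of transcripts reveals nothing: the recovered permutation maps G_0 onto G_1 only if both tapes happened to produce the same sigma. The graphs, the witness and the tape values are constructed for this example; the sample graph was chosen to have no nontrivial automorphism so that the check is exact.

```python
import random

# Graphs are frozensets of 2-element frozensets over vertices 0..n-1.
# A permutation p is a tuple with p[v] = image of vertex v.

def permute(graph, p):
    """Apply vertex permutation p to every edge of graph."""
    return frozenset(frozenset(p[v] for v in e) for e in graph)

def compose(p, q):
    """Permutation v -> p[q[v]] (apply q first, then p)."""
    return tuple(p[q[v]] for v in range(len(q)))

def invert(p):
    inv = [0] * len(p)
    for v, img in enumerate(p):
        inv[img] = v
    return tuple(inv)

def is_witness(g0, g1, pi):
    """pi is an NP witness for (g0, g1) in graph isomorphism iff pi maps g0 onto g1."""
    return permute(g0, pi) == g1

class Prover:
    """Honest GMW prover for graph isomorphism with an explicit random tape.

    Common input (g0, g1), private input pi with permute(g0, pi) == g1.
    Every random choice is drawn from `tape`, so two incarnations built with
    the same tape behave identically: that is exactly what a reset achieves."""
    def __init__(self, g0, g1, pi, tape):
        self.g0, self.g1, self.pi = g0, g1, pi
        self.rng = random.Random(tape)   # the random tape, modelled as a seed
        self.sigma = None

    def first_message(self):
        n = len(self.pi)
        self.sigma = tuple(self.rng.sample(range(n), n))   # random relabelling
        return permute(self.g1, self.sigma)                # H = sigma(G1)

    def answer(self, b):
        # b == 1: reveal sigma (G1 -> H); b == 0: reveal sigma o pi (G0 -> H).
        return self.sigma if b == 1 else compose(self.sigma, self.pi)

def verify(g0, g1, h, b, tau):
    """Honest verifier's check: tau must map G_b onto H."""
    return permute((g0, g1)[b], tau) == h

def resetting_verifier(g0, g1, pi, tapes):
    """Cheating verifier that opens two sessions against prover incarnations
    running on random tapes tapes[0] and tapes[1], challenging the first with
    b = 1 and the second with b = 0.  Returns (first messages coincide, candidate pi)."""
    p_a = Prover(g0, g1, pi, tapes[0])
    p_b = Prover(g0, g1, pi, tapes[1])
    h_a, h_b = p_a.first_message(), p_b.first_message()
    tau1 = p_a.answer(1)   # = sigma_a
    tau0 = p_b.answer(0)   # = sigma_b o pi
    assert verify(g0, g1, h_a, 1, tau1) and verify(g0, g1, h_b, 0, tau0)
    # If sigma_a == sigma_b (a reset), then sigma_a^{-1} o tau0 == pi.
    return h_a == h_b, compose(invert(tau1), tau0)

# Constructed sample instance: G0 is the path 0-1-2-3-4-5 plus the chord 1-3.
# G0 has no nontrivial automorphism, so a candidate maps G0 onto G1 only if it
# is the witness.  G1 = pi(G0) for the fixed witness PI.
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (1, 3)])
PI = (3, 0, 5, 1, 4, 2)
G1 = permute(G0, PI)

if __name__ == "__main__":
    same, cand = resetting_verifier(G0, G1, PI, tapes=(7, 7))   # reset: same tape twice
    print("reset : same H =", same, "| witness recovered =", is_witness(G0, G1, cand))
    same, cand = resetting_verifier(G0, G1, PI, tapes=(7, 8))   # independent tapes
    print("fresh : same H =", same, "| witness recovered =", is_witness(G0, G1, cand))
```

The attack is black-box in the prover and needs only two sessions, which is why non-resettable protocols that rely on fresh prover randomness (as every sigma-protocol does) cannot simply be reused in the resettable setting; the constructions discussed on this page derive the prover's randomness from its inputs instead, so that a reset replays a session rather than opening a second, differently-challenged one.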

Notes

  1. If zero-knowledge is only required to hold against honest verifiers or bounded-auxiliary-input verifiers, deterministic-prover zero-knowledge arguments for non-trivial languages are known to exist [4, 14, 19].

  2. We focus on those that study resettable security in the plain model, i.e., without relying on any trusted setup (such as common reference strings).

  3. In order to break computational soundness, cheating provers need to break the underlying hardness assumptions during protocol executions.

  4. When the honest prover strategy is allowed to be computationally unbounded, positive results are also known for, e.g., \(\ensuremath {\textsf{SZK}}\).

  5. This observation is likely to be already well-known among experts in the area.

  6. While a prior positive result [22] gives a resettable statistical zero-knowledge proof for a subclass of \(\ensuremath {\textsf{NP}}\), this result gives a resettable statistical zero-knowledge argument for \(\ensuremath {\textsf{NP}}\).

  7. In concurrent zero-knowledge, multiple proofs are generated using independent randomness in each execution. In resettable zero-knowledge, multiple proofs are generated using the same randomness.

  8. In this overview, a resetting adversary is informally defined as an adversarial party that can force honest parties to reuse the same randomness in multiple executions.

  9. Following GOVW [22], we consider resettable statistical zero-knowledge in the model where cheating verifiers run in polynomial time and distinguishers run in unbounded time.

  10. GOVW [22] does not explicitly define this primitive, and implicitly obtains it by combining \(\textsf{Com}_{{\textbf {L}}}\), a pseudorandom function, and a sophisticated rewinding technique developed in the context of concurrent zero-knowledge [39].

  11. Witness encryption schemes were previously used in similar ways in the context of deterministic-prover zero-knowledge arguments/proofs [4, 14, 19].

  12. For technical reasons, when the commitments in Steps 1 and 2 are computationally hiding, the consistency proof in Step 3 must guarantee zero-knowledge. Fortunately, a resettably sound zero-knowledge argument for \(\ensuremath {\textsf{NP}}\) can be obtained from one-way functions [13], and we use it in our construction.

  13. There, on input two graphs \((G_0, G_1)\), the verifier sends a random isomorphic copy of \(G_b\) for a random \(b\in \{0,1 \}\) and checks whether the prover replies with \(b\).

  14. This implication is shown by using that (i) given a true statement, the secret value predicted by the verifier can be efficiently obtained using any corresponding witness (this is because of correctness), and (ii) given a false statement, the secret value predicted by the verifier is computationally hidden (this is because of soundness).

  15. Similar constructions were previously considered in the contexts of deterministic-prover zero-knowledge [4] and witness maps [8].

  16. The general case can be handled with a little care.

  17. \(P(1^{\lambda }, x_{\lambda , i}, w_{\lambda , i}, \alpha ; \textsf{rnd}_j)\) denotes the message sent by P on input \((1^{\lambda }, x_{\lambda , i}, w_{\lambda , i})\) and random tape \(\textsf{rnd}_j\) after seeing the message-sequence \(\alpha \).

  18. Polynomial-size resetting attacks are those such that the cheating provers take polynomial-length non-uniform inputs and run in polynomial time.

  19. To consider honest prover strategies that are implementable in probabilistic polynomial time, we need to supply P with an adequate \(\ensuremath {\textsf{NP}}\) witness. Thus, we consider a resetting attack that for every selected \(x\in {\textbf {L}}\) also provides P with \(w\in {\textbf {R}}_{{\textbf {L}}}(x)\). In this case, we require that when \(V^{(j)}(x)\) interacts with \(P(x, w)\), it rejects with negligible probability.

  20. In [19], the equivalence is shown for stronger versions of predictable arguments and witness encryption schemes (predictable arguments of knowledge and extractable witness encryption schemes, respectively). However, as mentioned in [19], the equivalence also holds for predictable arguments and witness encryption schemes.

  21. For notational simplicity, we assume that the reveal phase proceeds as follows: (i) the committer reveals the committed value and the random tape that it used in the commit phase; (ii) the receiver checks whether the revealed committed value and random tape reproduce the transcript of the commit phase.

  22. The definition of a resetting attack (Definition 7) is modified as follows. (1) A sequence \((x'_1, \ldots , x'_t)\) such that \(x'_k\in {\textbf {L}}'\) is fixed at the beginning of the experiment. (2) The incarnations of V are defined as \(\{V^{(j, k)}(x) \}_{j,k\in [t]}\), where each \(V^{(j, k)}(x) = V_{x, x'_k, \textsf{rnd}_j}\) is defined by \(V_{x, x'_k, \textsf{rnd}_j}(\alpha ) = V(x, x'_k, \alpha ; \textsf{rnd}_j)\). (3) When interacting with an incarnation of V, the cheating prover \(P^*\) chooses x, j, and k to define \(V^{(j, k)}(x)\).

  23. That is, the requirement is that for any \(x\in {\textbf {L}}\) and \(x'\not \in {\textbf {L}}\), a proof generated with common input \((x, x')\) and private input \(w_x^{(0)}\) is statistically indistinguishable from a proof generated with common input \((x, x')\) and private input \(w_x^{(1)}\).

  24. The description of the construction differs slightly from that given in the technical overview (Sect. 2.1). Specifically, \(\textsf{RECom}_{{\textbf {L}}}\) is instantiated in Steps 1(b) and 3 using \(\textsf{Com}_{{\textbf {L}}}\), a pseudorandom function, and the so-called PRS preamble [39].
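Notes 13 and 14 above describe a predictable argument (the classical interactive proof for graph non-isomorphism, in which the verifier already knows the only accepting reply) and the two facts, correctness and soundness, that turn any predictable argument into a witness encryption scheme. The Python code below is an illustration added here, not code from the paper: it plays both sides of that protocol on tiny graphs and then uses it as a witness encryption scheme in the way note 14 sketches, encrypting a message bit m as (H, m XOR b) where H is the verifier's challenge and b its predicted answer. Because graph non-isomorphism is not known to be in NP, the "prover holding a witness" is replaced by exhaustive search, which is why only 4-vertex graphs are used; the instances, message and seed are constructed for the example. In this toy instance property (ii) holds statistically rather than computationally, since on a false statement (isomorphic graphs) the challenge is distributed identically for b = 0 and b = 1.

```python
import itertools
import random

# Graphs are frozensets of 2-element frozensets over vertices 0..n-1;
# a permutation p is a tuple with p[v] = image of vertex v.

def permute(graph, p):
    """Apply vertex permutation p to every edge of graph."""
    return frozenset(frozenset(p[v] for v in e) for e in graph)

def is_isomorphic(g, h, n):
    """Exhaustive isomorphism test: the computationally unbounded prover's
    strategy.  Only feasible for tiny n (n! permutations)."""
    return any(permute(g, p) == h for p in itertools.permutations(range(n)))

# --- The predictable argument of note 13 (graph non-isomorphism) ---

def verifier_challenge(g0, g1, n, rng):
    """V picks b and a random relabelling p and sends H = p(G_b).
    V already knows the only accepting reply, b: the argument is predictable."""
    b = rng.randrange(2)
    p = tuple(rng.sample(range(n), n))
    return b, permute((g0, g1)[b], p)

def prover_reply(g0, g1, n, h):
    """P (unbounded) decides which input graph H is a copy of.  If G0 and G1
    are isomorphic, H is a copy of both and the reply carries no information
    about b, so any prover is caught with probability 1/2 per round."""
    return 0 if is_isomorphic(g0, h, n) else 1

# --- Note 14: a predictable argument gives a witness encryption scheme ---
# Ciphertext for one message bit m: (V's challenge H, m XOR b).
# (i)  Correctness: on a true statement the predicted bit b is recovered exactly
#      as the prover computes its reply, so m is recovered.
# (ii) Hiding: on a false statement H has the same distribution for b = 0 and
#      b = 1, so m XOR b is a one-time pad of m.

def encrypt(g0, g1, n, msg_bits, seed):
    rng = random.Random(seed)          # encryptor's randomness (constructed seed)
    ct = []
    for m in msg_bits:
        b, h = verifier_challenge(g0, g1, n, rng)
        ct.append((h, m ^ b))
    return ct

def decrypt(g0, g1, n, ct):
    return [prover_reply(g0, g1, n, h) ^ masked for h, masked in ct]

def challenge_independent_of_b(g0, g1, n, ct):
    """Check (ii) on a concrete ciphertext: every challenge is a copy of *both*
    input graphs, so no receiver, however powerful, can tell which one was relabelled."""
    return all(is_isomorphic(g0, h, n) and is_isomorphic(g1, h, n) for h, _ in ct)

# Constructed sample instances on n = 4 vertices.
N = 4
PATH = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
STAR = frozenset(frozenset(e) for e in [(0, 1), (0, 2), (0, 3)])
PATH_COPY = permute(PATH, (2, 0, 3, 1))   # isomorphic to PATH: a false statement

if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    ct = encrypt(PATH, STAR, N, msg, seed=2024)          # true statement: PATH and STAR differ
    print("true statement, recovered:", decrypt(PATH, STAR, N, ct) == msg)
    ct = encrypt(PATH, PATH_COPY, N, msg, seed=2024)     # false statement
    print("false statement, nothing about b leaks:", challenge_independent_of_b(PATH, PATH_COPY, N, ct))
```

The same construction applies verbatim to any predictable argument with an efficient prover: the decryptor runs the honest prover's next-message function on the witness to recover the verifier's predicted value, and soundness of the argument is what keeps that value hidden on false statements.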

References

  1. Austrin, P., Chung, K.M., Mahmoody, M., Pass, R., Seth, K.: On the impossibility of cryptography with tamperable randomness. Algorithmica 79, 1052–1101 (2017). https://doi.org/10.1007/s00453-016-0219-7

  2. Barak, B., Goldreich, O., Goldwasser, S., Lindell, Y.: Resettably-sound zero-knowledge and its applications. In: 42nd FOCS, pp. 116–125. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959886

  3. Baron, J., Ostrovsky, R., Visconti, I.: Nearly simultaneously resettable black-box zero knowledge. In: Czumaj, A., Mehlhorn, K., Pitts, A., Wattenhofer, R. (eds.) ICALP 2012. LNCS, vol. 7391, pp. 88–99. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31594-7_8

  4. Bitansky, N., Choudhuri, A.R.: Characterizing deterministic-prover zero knowledge. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 535–566. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_19

  5. Bitansky, N., Kellner, M., Shmueli, O.: Post-quantum resettably-sound zero knowledge. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part I. LNCS, vol. 13042, pp. 62–89. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_3

  6. Bitansky, N., Paneth, O.: On non-black-box simulation and the impossibility of approximate obfuscation. SIAM J. Comput. 44(5), 1325–1383 (2015)

  7. Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: 32nd ACM STOC, pp. 235–244. ACM Press (2000). https://doi.org/10.1145/335305.335334

  8. Chakraborty, S., Prabhakaran, M., Wichs, D.: Witness maps and applications. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part I. LNCS, vol. 12110, pp. 220–246. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_8

  9. Cho, C., Ostrovsky, R., Scafuro, A., Visconti, I.: Simultaneously resettable arguments of knowledge. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_30

  10. Chongchitmate, W., Ostrovsky, R., Visconti, I.: Resettably-sound resettable zero knowledge in constant rounds. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10678, pp. 111–138. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_4

  11. Chung, K.-M., Ostrovsky, R., Pass, R., Venkitasubramaniam, M., Visconti, I.: 4-round resettably-sound zero knowledge. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 192–216. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_9

  12. Chung, K.M., Ostrovsky, R., Pass, R., Visconti, I.: Simultaneous resettability from one-way functions. In: 54th FOCS, pp. 60–69. IEEE Computer Society Press (2013). https://doi.org/10.1109/FOCS.2013.15

  13. Chung, K.M., Pass, R., Seth, K.: Non-black-box simulation from one-way functions and applications to resettable security. SIAM J. Comput. 45(2), 415–458 (2016)

  14. Dahari, H., Lindell, Y.: Deterministic-prover zero-knowledge proofs. Cryptology ePrint Archive, Report 2020/141 (2020). https://eprint.iacr.org/2020/141

  15. Deng, Y., Goyal, V., Sahai, A.: Resolving the simultaneous resettability conjecture and a new non-black-box simulation strategy. In: 50th FOCS, pp. 251–260. IEEE Computer Society Press (2009). https://doi.org/10.1109/FOCS.2009.59

  16. Deng, Y., Lin, D.: Instance-dependent verifiable random functions and their application to simultaneous resettability. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 148–168. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_9

  17. Dodis, Y., Ong, S.J., Prabhakaran, M., Sahai, A.: On the (im)possibility of cryptography with imperfect randomness. In: 45th FOCS, pp. 196–205. IEEE Computer Society Press (2004). https://doi.org/10.1109/FOCS.2004.44

  18. Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: 30th ACM STOC, pp. 409–418. ACM Press (1998). https://doi.org/10.1145/276698.276853

  19. Faonio, A., Nielsen, J.B., Venturi, D.: Predictable arguments of knowledge. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 121–150. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_6

  20. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press (2013). https://doi.org/10.1109/FOCS.2013.13

  21. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 467–476. ACM Press (2013). https://doi.org/10.1145/2488608.2488667

  22. Garg, S., Ostrovsky, R., Visconti, I., Wadia, A.: Resettable statistical zero knowledge. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 494–511. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_28

  23. Goldreich, O.: Foundations of Cryptography: Basic Tools, vol. 1. Cambridge University Press, Cambridge (2001)

  24. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991). https://doi.org/10.1145/116825.116852

  25. Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994). https://doi.org/10.1007/BF00195207

  26. Goyal, V., Moriarty, R., Ostrovsky, R., Sahai, A.: Concurrent statistical zero-knowledge arguments for NP from one-way functions. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 444–459. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_27

  27. Haitner, I., Nguyen, M.H., Ong, S.J., Reingold, O., Vadhan, S.: Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009)

  28. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

  29. Itoh, T., Ohta, Y., Shizuya, H.: A language-dependent cryptographic primitive. J. Cryptol. 10(1), 37–50 (1997). https://doi.org/10.1007/s001459900018

  30. Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 60–73. ACM Press (2021). https://doi.org/10.1145/3406325.3451093

  31. Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from LPN over \(\mathbb{F}_p\), DLIN, and PRGs in \({NC}^0\). In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 670–699. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_23

  32. Kiyoshima, S.: Statistical concurrent non-malleable zero-knowledge from one-way functions. J. Cryptol. 33(3), 1318–1361 (2020). https://doi.org/10.1007/s00145-020-09348-x

  33. Micali, S., Reyzin, L.: Soundness in the public-key model. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 542–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_32

  34. Müller-Quade, J., Unruh, D.: Long-term security and universal composability. J. Cryptol. 23(4), 594–671 (2010). https://doi.org/10.1007/s00145-010-9068-8

  35. Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991). https://doi.org/10.1007/BF00196774

  36. Orlandi, C., Ostrovsky, R., Rao, V., Sahai, A., Visconti, I.: Statistical concurrent non-malleable zero knowledge. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 167–191. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_8

  37. Ostrovsky, R., Scafuro, A., Venkitasubramanian, M.: Resettably sound zero-knowledge arguments from OWFs - the (semi) black-box way. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 345–374. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_15

  38. Pass, R., Tseng, W.-L.D., Wikström, D.: On the composition of public-coin zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 160–176. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_10

  39. Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: 43rd FOCS, pp. 366–375. IEEE Computer Society Press (2002). https://doi.org/10.1109/SFCS.2002.1181961

  40. Tsabary, R.: Candidate witness encryption from lattice techniques. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part I. LNCS, vol. 13507, pp. 535–559. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15802-5_19

  41. Vaikuntanathan, V., Wee, H., Wichs, D.: Witness encryption and null-IO from evasive LWE. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part I. LNCS, vol. 13791, pp. 195–221. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22963-3_7

Author information

Corresponding author: Susumu Kiyoshima.

Copyright information

© 2024 International Association for Cryptologic Research

About this paper

Cite this paper

Kiyoshima, S. (2024). Resettable Statistical Zero-Knowledge for \(\ensuremath {\textsf{NP}}\). In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14928. Springer, Cham. https://doi.org/10.1007/978-3-031-68400-5_9

  • DOI: https://doi.org/10.1007/978-3-031-68400-5_9
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-68399-2
  • Online ISBN: 978-3-031-68400-5
