Abstract
This paper investigates the exact round complexity of public-coin (bounded-auxiliary-input) zero-knowledge arguments of knowledge (ZKAOK). It is well known that Barak’s non-black-box ZK [FOCS 01], which can be adapted to a ZKAOK, is the first protocol that simultaneously achieves constant rounds, public coins and strict-polynomial-time simulation, and that it admits a 6-round implementation shown by Ostrovsky and Visconti [ECCC 12]. To the best of our knowledge, this is the best exact round complexity known for public-coin ZKAOK. For the specific case of bounded-auxiliary-input verifiers, i.e. verifiers whose auxiliary inputs are of a-priori bounded size, no previous work explicitly considered improving the general result on the exact round number of public-coin ZKAOK. It is also noticeable that, when the argument-of-knowledge property is dropped, Barak et al. [JCSS 06] showed that, based on two-round public-coin universal arguments (for which the two-round variant of Micali’s CS proof is a candidate construction), there exists a two-round public-coin plain/bounded-auxiliary-input ZK argument.
So an interesting question in ZKAOK is how to improve the exact round complexity of public-coin ZKAOK, both in the general case and in the specific case above. This paper provides an improvement for the specific case. That is, we show that, also based on two-round public-coin universal arguments, there exists a 3-round public-coin bounded-auxiliary-input ZKAOK for \(\mathbf {NP}\) which admits a strict-polynomial-time non-black-box simulator and an expected-polynomial-time extractor.
References
Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differing-inputs obfuscation and applications. IACR Cryptology ePrint Archive 2013, 689 (2013)
Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS, pp. 106–115 (2001)
Barak, B., Goldreich, O.: Universal arguments and their applications. In: IEEE Conference on Computational Complexity, pp. 194–203 (2002)
Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction. In: Reif, J.H. (ed.) STOC, pp. 484–493. ACM (2002)
Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. J. Comput. Syst. Sci. 72(2), 321–391 (2006)
Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993)
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) STOC, pp. 111–120. ACM (2013)
Bitansky, N., Canetti, R., Paneth, O.: How to construct extractable one-way functions against uniform adversaries. Cryptology ePrint Archive, Report 2013/468 (2013). http://eprint.iacr.org/
Blum, M.: Coin flipping by telephone. In: Gersho, A. (ed.) CRYPTO, pp. 11–15. U. C. Santa Barbara, Dept. of Elec. and Computer Eng., ECE Report No 82–04 (1981)
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)
Feige, U., Fiat, A., Shamir, A.: Zero knowledge proofs of identity. In: Aho, A.V. (ed.) STOC, pp. 210–217. ACM (1987)
Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: STOC, pp. 416–426. ACM (1990)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49. IEEE Computer Society (2013)
Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 518–535. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-662-44371-2_29
Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptology 9(3), 167–190 (1996)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract). In: FOCS, pp. 174–187. IEEE Computer Society (1986)
Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptology 7(1), 1–32 (1994)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Katz, J.: Which languages have 4-round zero-knowledge proofs? In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 73–88. Springer, Heidelberg (2008)
Lapidot, D., Shamir, A.: Publicly verifiable non-interactive zero-knowledge proofs. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991)
Lindell, Y.: A note on constant-round zero-knowledge proofs of knowledge. J. Cryptology 26(4), 638–654 (2013)
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)
Micali, S.: CS proofs (extended abstracts). In: FOCS, pp. 436–453. IEEE Computer Society (1994)
Ostrovsky, R., Visconti, I.: Simultaneous resettability from collision resistance. Electronic Colloquium on Computational Complexity (ECCC) 19, 164 (2012). http://dblp.uni-trier.de/db/journals/eccc/eccc19.html#OstrovskyV12
Pandey, O., Prabhakaran, M., Sahai, A.: Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP. Cryptology ePrint Archive, Report 2013/754 (2013). http://eprint.iacr.org/
Tompa, M., Woll, H.: Random self-reducibility and zero knowledge interactive proofs of possession of information. In: FOCS, pp. 472–482. IEEE Computer Society (1987)
Acknowledgments
The author expresses his deep thanks to the reviewers of Inscrypt 2014 for their detailed and useful comments. This work is supported by the National Natural Science Foundation of China (Grant No. 61100209) and Doctoral Fund of Ministry of Education of China (Grant No. 20120073110094).
A Preliminaries
This section contains the notations and definitions used throughout this paper.
A.1 Basic Notions
A function \(\mu (\cdot )\), where \(\mu : \mathbb {N}\rightarrow [0,1]\), is called negligible if \(\mu (n)=n^{-\omega (1)}\) (i.e., \(\mu (n)< \frac{1}{{p(n)}}\) for every polynomial \(p(\cdot )\) and all large enough \(n\)). We will sometimes use \(\mathsf{neg }(n)\) to denote an unspecified negligible function. We say that two probability ensembles \(\{ X_n \} _{n \in \mathbb {N}}\) and \(\{ Y_n \} _{n \in \mathbb {N}}\) are computationally indistinguishable if for every polynomial-sized circuit family \(\{ C_n \} _{n \in \mathbb {N}}\) it holds that \(|\Pr [C_n (X_n ) = 1] - \Pr [C_n (Y_n ) = 1]|=\mathsf{neg }(n)\). We will sometimes abuse notation and say that the two random variables \(X_n\) and \(Y_n\) are computationally indistinguishable when each of them is part of a probability ensemble such that these ensembles \(\{ X_n \} _{n \in \mathbb {N}}\) and \(\{ Y_n \} _{n \in \mathbb {N}}\) are computationally indistinguishable. We will also sometimes drop the index \(n\) from a random variable if it can be inferred from the context. In most of these cases, \(n\) will be the security parameter.
A.2 Commitment Schemes
A commitment scheme allows a party to digitally commit to a particular string, and then to reveal this value at a later time.
Definition 4
A non-interactive perfectly-binding computationally-hiding commitment scheme is a polynomial-time computable sequence of functions \(\{C_n\}_{n\in \mathbb {N}}\) where \(C_n: \{0,1\}^n \times \{0,1\}^{p(n)} \rightarrow \{0,1\}^{q(n)}\), and \(p(\cdot ),q(\cdot )\) are some polynomials, that satisfies:
Perfect Binding. For every \(x\ne x'\in \{0,1\}^n\), \(C_n(x, \{0,1\}^{p(n)}) \cap C_n(x', \{0,1\}^{p(n)}) = \emptyset \).
Computational Hiding. For every \(x,x'\in \{0,1\}^n\), the random variables \(C_n(x;U_n)\) and \(C_n(x';U_n)\) are computationally indistinguishable.
A non-interactive perfectly-binding computationally-hiding commitment scheme can be constructed under the assumption that one-way permutations exist [9].
A.3 Interactive Proofs and Arguments
An interactive proof [19] is a two-party protocol, where one party is called the prover and the other party is called the verifier. We use the following definition.
Definition 5
An interactive protocol \((P,V)\) is called an interactive proof system for a language \(L\) if the following conditions hold:
Efficiency: The number and total length of messages exchanged between \(P\) and \(V\) are polynomially bounded and \(V\) is a probabilistic polynomial-time machine.
Perfect completeness: If \(x\in L\), then \(V\) will always accept \(x\).
Soundness: If \(x\notin L\), then the probability that \(V\) accepts \(x\) is \(\mathsf{neg }(n)\).
Let \(L \in \mathbf {NP}\). An interactive argument for \(L\) [10] is the following variation on the definition of an interactive proof:
1. The soundness requirement is relaxed to quantify only over prover strategies \(P^*\) that can be implemented by a polynomial-sized circuit.
2. The system is required to have an efficient prover strategy.
A.4 Zero-Knowledge
We present the definition of zero-knowledge [19] as follows.
Definition 6
((Auxiliary-Input) Zero-Knowledge). Let \(L=L(R)\) be some language and let \((P,V)\) be an interactive proof or argument for \(L\). We say \((P,V)\) is auxiliary-input zero-knowledge if there exists a probabilistic polynomial-time algorithm, called the simulator, such that for every polynomial-sized circuit \(V^*\) and every \((x,w)\in R\), the following two random variables are computationally indistinguishable:
1. The view of \(V^*\) in the real execution of \((P(w),V^*)(x)\).
2. The output of the simulator on input \((x, V^*)\).
In Definition 6, if the size of \(V^*\) is bounded by an a-priori polynomial, we say \((P,V)\) is bounded-auxiliary-input zero-knowledge, and if \(V^*\) is a PPT machine, we say \((P,V)\) is plain zero-knowledge.
We say that a simulator is black-box if the only use it makes of its input \(V^*\) is to call it as a subroutine; in this case we call \((P,V)\) black-box zero-knowledge, and otherwise we call \((P,V)\) non-black-box zero-knowledge.
A.5 Witness Indistinguishability
In a witness indistinguishable proof system [13], if both \(w_1\) and \(w_2\) are witnesses that \(x\in L\), then it is infeasible for the verifier to distinguish whether the prover used \(w_1\) or \(w_2\) as auxiliary input. The formal definition is below.
Definition 7
Let \(L=L(R)\) be some language and \((P,V)\) be a proof or argument system for \(L\). We say that \((P,V)\) is witness indistinguishable if for any polynomial-sized circuit \(V^*\) and any \(x,w_1,w_2\) with \((x,w_1)\in R\) and \((x,w_2)\in R\), the view of \(V^*\) in the interaction with \(P(x,w_1)\) is computationally indistinguishable from the view of \(V^*\) in the interaction with \(P(x,w_2)\).
A.6 Proof of Knowledge
In a proof or argument of knowledge [6, 12, 19, 29] the prover should convince the verifier that it also knows a witness for \(x\in L\). This means that if the verifier is convinced with some probability \(p\) by some (possibly cheating) prover strategy, then by applying an efficient algorithm, called the knowledge extractor, to the cheating prover’s strategy and private inputs, it is possible to obtain a witness for \(x\in L\) with probability (almost equal to) \(p\). The formal definition is below.
Definition 8
Let \(L=L(R)\) and let \((P, V)\) be a proof/argument system for \(L\). We say that \((P, V)\) is a proof/argument of knowledge for \(L\) if there exists a probabilistic (expected) polynomial-time algorithm \(E\) (called the knowledge extractor) such that for every polynomial-sized prover strategy \(P^*\) and for every \(x\in \{0,1\}^n\), if we let \(p_*\) denote \(P^*\)’s convincing probability, then \(E(P^*,x)\) outputs a witness for \(x\in L\) with probability \(p_*-\mathsf{neg}(n)\).
We say that a proof/argument of knowledge has a black-box extractor if the knowledge extractor algorithm \(E\) uses its first input (i.e., \(P^*\)) only as a black-box subroutine (i.e., as an oracle). Otherwise, we say it has a non-black-box extractor.
A.7 Universal Arguments
Universal arguments, introduced by [3], are interactive arguments of knowledge for proving membership in \(\mathbf {NEXP}\). For the sake of simplicity, we introduce the definition of universal arguments only for a universal language \(L_\mathcal{U}\): the tuple \(\langle M,x,t \rangle \) is in \(L_\mathcal{U}\) if \(M\) is a verifying machine that accepts \((x,w)\) within \(t\) steps for some \(w\). Clearly, every language in \(\mathbf {NE}\) is linear-time reducible to \(L_\mathcal{U}\) and every language in \(\mathbf {NEXP}\) is polynomial-time reducible to \(L_\mathcal{U}\).
Definition 9
A universal argument system is a pair of strategies, denoted \((P, V )\), that satisfies the following properties:
Efficient verification: There exists a polynomial \(p\) such that for any \(y = (M,x,t)\), the total time spent by the (probabilistic) verifier strategy \(V\), on common input \(y\), is at most \(p(|y|)\). In particular, all messages exchanged in the protocol have length smaller than \(p(|y|)\).
Completeness by a relatively-efficient prover: For every \((y= ( M,x,t ) ,w)\) in \(R_\mathcal{U} \), \(\Pr [\langle P(w),V \rangle (M,x,t) = 1] = 1\).
Furthermore, there exists a polynomial \(p\) such that the total time spent by \(P(w)\), on common input \((M,x,t)\), is at most \( p(T_M (x,w)) \le p(t)\).
Computational soundness: For every polynomial-sized circuit family \(\{ \tilde{P}_n \} _{n \in \mathbb {N}}\), and every \((M,x,t) \in \{ 0,1\} ^n \setminus L_\mathcal{U} \), \(\Pr [\langle \tilde{P}_n, V\rangle (M,x,t) = 1] <\mathsf{neg}(n)\).
A weak proof of knowledge property: For every positive polynomial \(p\) there exists a positive polynomial \(p'\) and a probabilistic polynomial-time oracle machine \(E\) such that the following holds:
For every polynomial-sized circuit family \(\{ \tilde{P}_n \} _{n \in \mathbb {N}}\) and every sufficiently long \(y = (M,x,t) \in \{ 0,1\} ^* \), if \(\Pr [\langle \tilde{P}_n, V\rangle (M,x,t) = 1] > \frac{1}{{p(|y|)}}\) then \(\Pr [E^{\tilde{P}_n} (y) = C \;{\text {s.t.}}\; [C]\in R_\mathcal{U} (y)] > \frac{1}{{p'(|y|)}}\) (where \([C]\) denotes the function computed by the Boolean circuit \(C\)). The oracle machine \(E\) is called a (knowledge) extractor.
Note that the weak proof-of-knowledge property may be considered an auxiliary feature, which is not mandated by the basic definition of universal arguments. [3] gave a construction of 4-round public-coin universal arguments with the weak proof-of-knowledge property. A candidate 2-round public-coin construction is the 2-round variant of Micali’s CS proof [26].
A.8 The LS Proof System in [23]
Now we describe the 3-round WIPOK protocol for the \(\mathbf {NP}\)-complete language graph Hamiltonicity (HC), provided by Lapidot and Shamir in [23]. This construction is special in that only the size of the public input needs to be known before the last round. The actual public input can therefore be decided during the execution of a larger protocol.
Let \(k\) be the number of vertices of the graph \(G\). \(G\) is represented by a \(k\times k\) adjacency matrix \(GMatrix\) where \(GMatrix[i][j] = 1\) if there exists an edge between vertices \(i\) and \(j\) in \(G\). A non-edge position \((i,j)\) is a pair of vertices that are not connected in \(G\), i.e. for which \(GMatrix[i][j] = 0\). LS consists of \(k\) parallel executions (with the same input \(G\)) of Protocol 2.

As noted in [27], LS enjoys three properties. The first is witness indistinguishability. The second is proof of knowledge: getting the answers for both \(b= 0\) and \(b= 1\) allows the extraction of the cycle. The reason is the following. For \(b= 0\) one gets the random cycle \(C\). Then for \(b= 1\) one gets the permutation mapping the random cycle to the actual cycle \(w\) that is given to \(P\). The third is that the first step is independent of the witness and the public input, since it only requires the sampling of a random cycle (\(k\) is the size of the public input and must be known in advance). The witness and the public input are used only in the last step.
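The following Python program is an added illustration, not the paper’s Protocol 2 and not code by the author or by Lapidot and Shamir. It implements a Blum/LS-style 3-round protocol for Hamiltonicity as described in this section, using the commitment-scheme interface of A.2 and the extraction argument of A.8: the prover commits cell-wise to the adjacency matrix of a random Hamiltonian cycle \(C\) before seeing the witness, answers \(b=0\) by opening all of \(C\) and \(b=1\) by sending the permutation \(\pi\) with \(\pi(C)=w\) together with the openings at the non-edge positions, and the extractor combines both answers for the same first message into a cycle of \(G\). Assumptions: the SHA-256 commitment stands in for \(C_n\) of Definition 4 and is only computationally (not perfectly) binding; the 5-vertex instance, the witness and the function names (`prover_round1`, `prover_round3`, `verify`, `extract`, `demo`) are constructed here.

```python
# Added illustration (not the paper's Protocol 2 and not the author's code):
# a Blum/LS-style 3-round protocol for graph Hamiltonicity plus the knowledge
# extractor sketched in A.8. The SHA-256 commitment stands in for C_n of
# Definition 4 (assumption: it is computationally, not perfectly, binding).
import hashlib
import os
import random

def commit(bit):
    """Commit to one bit; returns (commitment, randomness)."""
    r = os.urandom(16)
    return hashlib.sha256(r + bytes([bit])).digest(), r

def open_ok(com, bit, r):
    return r is not None and hashlib.sha256(r + bytes([bit])).digest() == com

def cycle_matrix(k, order):
    """k x k adjacency matrix of the Hamiltonian cycle visiting `order`."""
    m = [[0] * k for _ in range(k)]
    for i in range(k):
        a, b = order[i], order[(i + 1) % k]
        m[a][b] = m[b][a] = 1
    return m

def is_hamiltonian_cycle(m):
    """True iff the 0/1 matrix m is a single cycle through all k vertices."""
    k = len(m)
    if any(m[i][i] or sum(m[i]) != 2 for i in range(k)) or any(
            m[i][j] != m[j][i] for i in range(k) for j in range(k)):
        return False
    prev, cur, seen = -1, 0, set()
    for _ in range(k):  # walk k steps without backtracking
        seen.add(cur)
        prev, cur = cur, next(j for j in range(k) if m[cur][j] and j != prev)
    return cur == 0 and len(seen) == k

def prover_round1(k, rng):
    """Step 1 needs only k: commit cell-wise to a random Hamiltonian cycle C."""
    c = list(range(k))
    rng.shuffle(c)
    cm = cycle_matrix(k, c)
    cells = [[commit(cm[i][j]) for j in range(k)] for i in range(k)]
    coms = [[com for com, _ in row] for row in cells]  # the message sent to V
    return {"cycle": c, "cm": cm, "cells": cells, "coms": coms}

def prover_round3(b, G, w, st):
    """Step 3, the first use of G and w: b=0 opens all of C; b=1 sends pi with
    pi(C)=w and opens the cells at pi^{-1}(non-edges of G), which are 0 in C."""
    k, cm, cells = len(G), st["cm"], st["cells"]
    if b == 0:
        return {"openings": {(i, j): (cm[i][j], cells[i][j][1])
                             for i in range(k) for j in range(k)}}
    pi = {st["cycle"][i]: w[i] for i in range(k)}
    inv = {v: u for u, v in pi.items()}
    nonedges = [(inv[i], inv[j]) for i in range(k) for j in range(k)
                if i != j and not G[i][j]]
    return {"pi": pi, "openings": {(a, d): (cm[a][d], cells[a][d][1])
                                   for a, d in nonedges}}

def verify(G, b, coms, ans):
    k = len(G)
    if b == 0:  # every cell opened correctly and the result is one k-cycle
        m = [[None] * k for _ in range(k)]
        for (i, j), (bit, r) in ans["openings"].items():
            if not open_ok(coms[i][j], bit, r):
                return False
            m[i][j] = bit
        return all(v is not None for row in m for v in row) and is_hamiltonian_cycle(m)
    pi = ans["pi"]  # must be a permutation; every non-edge of G must open to 0
    if sorted(pi) != list(range(k)) or sorted(pi.values()) != list(range(k)):
        return False
    inv = {v: u for u, v in pi.items()}
    for a, d in [(inv[i], inv[j]) for i in range(k) for j in range(k)
                 if i != j and not G[i][j]]:
        bit, r = ans["openings"].get((a, d), (None, None))
        if bit != 0 or not open_ok(coms[a][d], bit, r):
            return False
    return True

def extract(k, ans0, ans1):
    """Extractor of A.8: b=0 reveals C, b=1 reveals pi; pi along C gives w."""
    m = [[ans0["openings"][(i, j)][0] for j in range(k)] for i in range(k)]
    pi, prev, cur, order = ans1["pi"], -1, 0, []
    for _ in range(k):
        order.append(pi[cur])
        prev, cur = cur, next(j for j in range(k) if m[cur][j] and j != prev)
    return order

def demo(seed=7):
    """Constructed 5-vertex instance: cycle w plus one extra edge (0,1).
    Returns (b=0 accepted, b=1 accepted, extracted cycle lies in G,
    b=1 accepted for a graph missing a cycle edge) = (True, True, True, False)."""
    rng, k, w = random.Random(seed), 5, [0, 2, 4, 1, 3]
    G = cycle_matrix(k, w)
    G[0][1] = G[1][0] = 1
    st = prover_round1(k, rng)
    a0, a1 = prover_round3(0, G, w, st), prover_round3(1, G, w, st)
    o = extract(k, a0, a1)
    cyc_ok = sorted(o) == list(range(k)) and all(G[o[i]][o[(i + 1) % k]] for i in range(k))
    G2 = [row[:] for row in G]  # drop edge (4,1) used by w: the b=1 answer opens a 1
    G2[4][1] = G2[1][4] = 0
    bad = verify(G2, 1, st["coms"], prover_round3(1, G2, w, st))
    return verify(G, 0, st["coms"], a0), verify(G, 1, st["coms"], a1), cyc_ok, bad
```

Calling `demo()` runs one honest execution for both challenge bits against the same commitments, so the extractor has exactly the two answers the text refers to; in a real interaction the verifier sends a single random \(b\), and the extractor obtains the second answer by rewinding the prover to the same first message. The last component shows the check that makes the \(b=1\) answer bind the prover to \(G\): when an edge of \(w\) is removed from the public input, the corresponding non-edge position of \(\pi(C)\) opens to 1 and the verifier rejects.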
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Ding, N. (2015). Three-Round Public-Coin Bounded-Auxiliary-Input Zero-Knowledge Arguments of Knowledge. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_8
DOI: https://doi.org/10.1007/978-3-319-16745-9_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9