
On the Implausibility of Constant-Round Public-Coin Zero-Knowledge Proofs

Conference paper. In: Security and Cryptography for Networks (SCN 2016).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9841)

Abstract

We consider the problem of whether there exist non-trivial constant-round public-coin zero-knowledge (ZK) proofs. To date, in spite of high interest in the problem, there is no definite answer to the question. We focus on the type of ZK proofs that admit a universal simulator (which handles all malicious verifiers), and show a connection between the existence of such proof systems and a seemingly unrelated “program functionality distinguishing” problem: for a natural class of constant-round public-coin ZK proofs (which we call “canonical,” since all known ZK protocols fall into this category), a session prefix output by the universal simulator can actually be used to distinguish a non-trivial property of the next-step functionality of the verifier’s code.

Our result can be viewed as new evidence against the existence of constant-round public-coin ZK proofs, since the existence of such a proof system would bring about one of the following: (1) a positive result for the above functionality-distinguishing problem, a typical goal in reverse-engineering attempts, commonly believed to be notoriously hard, or (2) a major paradigm shift in simulation strategies, beyond the only known (straight-line simulation) technique applicable to their argument counterpart, as we also argue. Note that the earlier negative evidence on constant-round public-coin ZK proofs is Barak, Lindell and Vadhan [FOCS 2003]’s result, which was based on the incomparable assumption of the existence of certain entropy-preserving hash functions, now known not to be achievable from standard assumptions via black-box reduction.

The core of our technical contribution is showing that there exists a single verifier step for constant-round public-coin ZK proofs whose functionality (rather than its code) is crucial for a successful simulation. This is proved by combining a careful analysis of the behavior of a set of verifiers in the above protocols and during simulation, with an improved structure-preserving version of the well-known Babai-Moran Speedup (de-randomization) Theorem, a key tool of independent interest.

The full version of this paper can be found at the IACR Cryptology ePrint Archive [12].


Notes

  1. We note that the rewinding technique used for simulating the known public-coin protocols simply exploits the “guessing the next verifier’s coins” strategy, and requires that the probability of a correct guess is very high. To meet such a requirement, the verifier’s message has to be short, and as a consequence, the corresponding protocol either has large (non-negligible) soundness error, such as the original Blum’s 3-round proof for Graph Hamiltonicity [7], or is of super-constant number of rounds, such as the \(\log ^2 n\)-fold sequential repetition of Blum’s proof system.

  2. To our knowledge, all known ZK proofs admit a universal simulator, satisfying this stronger requirement.

  3. Further, looking ahead, the only place where this property will be used is in the proof of our main theorem (step 3), where we fix a false statement x first and then discuss the properties of the simulator.

  4. To match our definition, we can think of these protocols as having an even number of rounds by letting the verifier send a dummy message in the first step of the protocol, and denote by \(V^i_2\) the challenge step of the verifier.

  5. Recall that an honest prover can compute \(p_1\) without knowledge of the corresponding witness.

  6. Note that the second verifier message is bound to the first verifier message \(c_1\), and merging these two steps will simplify the analysis.

  7. This auxiliary input is given to S; in our main theorem (Theorem 2) it will be the code of some verifier prefix strategy.

  8. In [10], Bellare and Rompel present a randomness-efficient approach to transform \(\mathrm {AM}[k]\) into \(\mathrm {AM}[2]\): to halve the number of rounds of an Arthur-Merlin proof system, they introduce a so-called “oblivious sampler” and use a small amount of randomness to specify roughly O(p) verifier messages in the original proof system. Their proof, however, yields almost the same result as the Speedup Theorem in our setting, where we want to maintain the structure of the original proof system and only care about the number of original verifier random tapes needed to ensure that the protocol resulting from derandomization is still a proof system.

  9. The basic reasoning here applies to a proof system with an even number (4) of rounds as well, by having the verifier send a dummy message first.

  10. For example, the n-fold parallel version of Blum’s 3-round proof for Graph Hamiltonicity [7], or the 3-round proof for Graph Isomorphism [18].

  11. For simplicity’s sake, we do not optimize this parameter here.

  12. At the k-th verifier step, the number of distinct next-message functions should in fact be \(t_k\). For simplicity, we assume \(t=t_k\) for all \(1\le k\le m\).
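Note 1 above states that the rewinding simulation for the known public-coin protocols works by guessing the verifier's next coins, so the verifier's challenge must be short, which in turn forces either a large soundness error or super-constant rounds. The following Python program is an added example, not code from the paper or its authors: it makes the trade-off concrete for the 3-round Graph Isomorphism proof [18] run ell times in parallel (the parallel-repetition setting of Note 10). The honest prover answers using the witness; the simulator has no witness, guesses the ell challenge bits, and rewinds a constructed deterministic verifier V* whose coins are a hash of the prover's first message. The expected number of rewinds is 2^ell, the inverse of the protocol's soundness error. The graphs, the verifier's challenge rule and all function names are constructed for this example.

```python
"""Rewinding simulator for the ell-fold parallel Graph Isomorphism ZK proof.
Added example; instance, verifier V* and its challenge rule are constructed."""

import hashlib
import random


def apply_perm(graph, perm):
    """Relabel a graph (frozenset of sorted vertex pairs) by vertex permutation perm."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)


def compose(p, q):
    """Permutation x -> p[q[x]] (apply q first, then p)."""
    return [p[q[x]] for x in range(len(q))]


def invert(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return inv


def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return p


def make_instance(n, rng):
    """Constructed instance: G1 = pi(G0), the witness pi known only to the prover."""
    edges = set()
    while len(edges) < 2 * n:
        edges.add(tuple(sorted(rng.sample(range(n), 2))))
    g0 = frozenset(edges)
    pi = random_perm(n, rng)
    return g0, apply_perm(g0, pi), pi


def verify(g0, g1, hs, bits, taus):
    """Verifier's final check: tau_i must map G_{b_i} onto the committed H_i for every i."""
    return all(apply_perm((g0, g1)[b], tau) == h for h, b, tau in zip(hs, bits, taus))


def honest_prover(g0, g1, pi, ell, rng):
    """Round 1: ell random relabelings H_i = sigma_i(G0). Returns (hs, answer),
    where answer(bits) is the prover's round-3 reply, computed with the witness."""
    sigmas = [random_perm(len(pi), rng) for _ in range(ell)]
    hs = [apply_perm(g0, s) for s in sigmas]
    pi_inv = invert(pi)

    def answer(bits):
        # b=0: sigma maps G0 -> H.  b=1: sigma o pi^{-1} maps G1 = pi(G0) -> H.
        return [s if b == 0 else compose(s, pi_inv) for s, b in zip(sigmas, bits)]

    return hs, answer


def malicious_verifier_coins(hs):
    """Constructed deterministic V*: its ell 'public coins' are bits of a hash of the
    round-1 message.  The simulator only learns them by running V* on a prefix."""
    digest = hashlib.sha256(repr([sorted(h) for h in hs]).encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(hs))]


def simulate(g0, g1, n, ell, rng, max_attempts=100_000):
    """Witness-free simulator: guess the ell challenge bits, build each H_i as a random
    relabeling of the guessed G_{b_i}, run V*, and rewind on a wrong guess.
    Returns (transcript, attempts); transcript is None if the attempt cap is hit."""
    for attempt in range(1, max_attempts + 1):
        guess = [rng.randrange(2) for _ in range(ell)]
        taus = [random_perm(n, rng) for _ in range(ell)]
        hs = [apply_perm((g0, g1)[b], t) for b, t in zip(guess, taus)]
        bits = malicious_verifier_coins(hs)  # V*'s next-message function on this prefix
        if bits == guess:  # guess correct with probability 2^-ell per attempt
            return (hs, bits, taus), attempt
        # Wrong guess: discard this session prefix and rewind V*.
    return None, max_attempts


def mean_attempts(g0, g1, n, ell, rng, trials):
    """Average number of rewinds over several simulations; tends to 2^ell."""
    total = sum(simulate(g0, g1, n, ell, rng)[1] for _ in range(trials))
    return total / trials


def main():
    rng = random.Random(2016)
    n = 8
    g0, g1, pi = make_instance(n, rng)
    for ell in (1, 4, 8):
        print(f"ell={ell}: soundness error 2^-{ell}, "
              f"mean rewinds {mean_attempts(g0, g1, n, ell, rng, 50):.1f}")


if __name__ == "__main__":
    main()
```

Running `main()` reports the average rewind count growing as 2^ell while the soundness error shrinks as 2^-ell, which is exactly the tension Note 1 describes: keeping the challenge short enough for this simulator to be efficient leaves a non-negligible soundness error, and repairing that by sequential repetition costs a super-constant number of rounds.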

References

  1. Babai, L.: Trading group theory for randomness. In: STOC 1985, pp. 421–429 (1985)

  2. Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS 2001, pp. 106–115 (2001)

  3. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)

  4. Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y.T., López-Alt, A., Wichs, D.: Why “Fiat-Shamir for Proofs” lacks a proof. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 182–201. Springer, Heidelberg (2013)

  5. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)

  6. Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction. In: STOC 2002, pp. 484–493 (2002)

  7. Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 444–451 (1986)

  8. Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. In: FOCS 2003, pp. 384–393 (2003)

  9. Babai, L., Moran, S.: Arthur-Merlin games: a randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci. 36(2), 254–276 (1988)

  10. Bellare, M., Rompel, J.: Randomness-efficient oblivious sampling. In: FOCS 1994, pp. 276–287 (1994)

  11. Canetti, R., Chen, Y., Reyzin, L.: On the correlation intractability of obfuscated pseudorandom functions. In: Kushilevitz, E., et al. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 389–415. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_17

  12. Deng, Y., Garay, J., Ling, S., Wang, H., Yung, M.: On the implausibility of constant-round public-coin zero-knowledge proofs. Cryptology ePrint Archive, Report 2012/508 (2012). http://eprint.iacr.org/2012/508

  13. Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29, 1–28 (1999)

  14. Goldreich, O.: The Foundations of Cryptography, Volume 1, Basic Techniques. Cambridge University Press (2001)

  15. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS 2013, pp. 40–49 (2013)

  16. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)

  17. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

  18. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)

  19. Hada, S.: Zero-knowledge and code obfuscation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 443–457. Springer, Heidelberg (2000)

  20. Landi, W.: Undecidability of static analysis. ACM Lett. Program. Lang. Syst. 1(4), 323–337 (1992)

  21. Ramalingam, G.: The undecidability of aliasing. ACM Trans. Program. Lang. Syst. 16(5), 1467–1471 (1994)


Acknowledgements

The authors would like to thank Susumu Kiyoshima and Sanjam Garg for their valuable comments.

Corresponding author: Yi Deng

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Deng, Y., Garay, J., Ling, S., Wang, H., Yung, M. (2016). On the Implausibility of Constant-Round Public-Coin Zero-Knowledge Proofs. In: Zikas, V., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2016. Lecture Notes in Computer Science, vol 9841. Springer, Cham. https://doi.org/10.1007/978-3-319-44618-9_13

  • DOI: https://doi.org/10.1007/978-3-319-44618-9_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-44617-2

  • Online ISBN: 978-3-319-44618-9