Abstract
We consider the problem of whether there exist non-trivial constant-round public-coin zero-knowledge (ZK) proofs. To date, in spite of high interest in the problem, there is no definite answer to the question. We focus on the type of ZK proofs that admit a universal simulator (which handles all malicious verifiers), and show a connection between the existence of such proof systems and a seemingly unrelated “program functionality distinguishing” problem: for a natural class of constant-round public-coin ZK proofs (which we call “canonical,” since all known ZK protocols fall into this category), a session prefix output by the universal simulator can actually be used to distinguish a non-trivial property of the next-step functionality of the verifier’s code.
Our result can be viewed as new evidence against the existence of constant-round public-coin ZK proofs, since the existence of such a proof system would bring about one of the following: (1) a positive result for the above functionality-distinguishing problem, a typical goal in reverse-engineering attempts, commonly believed to be notoriously hard, or (2) a major paradigm shift in simulation strategies, beyond the only known (straight-line simulation) technique applicable to their argument counterpart, as we also argue. Note that the earlier negative evidence on constant-round public-coin ZK proofs is Barak, Lindell and Vadhan [FOCS 2003]’s result, which was based on the incomparable assumption of the existence of certain entropy-preserving hash functions, now known not to be achievable from standard assumptions via black-box reduction.
The core of our technical contribution is showing that there exists a single verifier step for constant-round public-coin ZK proofs whose functionality (rather than its code) is crucial for a successful simulation. This is proved by combining a careful analysis of the behavior of a set of verifiers in the above protocols and during simulation, with an improved structure-preserving version of the well-known Babai-Moran Speedup (de-randomization) Theorem, a key tool of independent interest.
The full version of this paper can be found at the IACR Cryptology ePrint Archive [12].
Notes
- 1.
We note that the rewinding technique used for simulating the known public-coin protocols simply exploits the “guessing the next verifier’s coins” strategy, and requires that the probability of a correct guess is very high. To meet such a requirement, the verifier’s message has to be short, and as a consequence, the corresponding protocol either has large (non-negligible) soundness error, such as the original Blum’s 3-round proof for Graph Hamiltonicity [7], or has a super-constant number of rounds, such as the \(\log ^2 n\)-fold sequential repetition of Blum’s proof system.
- 2.
To our knowledge, all known ZK proofs admit a universal simulator, satisfying this stronger requirement.
- 3.
Further, looking ahead, the only place where this property will be used is in the proof of our main theorem (step 3), where we fix a false statement x first and then discuss the properties of the simulator.
- 4.
To match our definition, we can think of these protocols as having an even number of rounds by letting the verifier send a dummy message in the first step of the protocol, and denote by \(V^i_2\) the challenge step of the verifier.
- 5.
Recall that an honest prover can compute \(p_1\) without knowledge of the corresponding witness.
- 6.
Note that the second verifier message is bound to the first verifier message \(c_1\), and merging these two steps will simplify the analysis.
- 7.
This auxiliary input is given to S; in our main theorem (Theorem 2) it will be the code of some verifier prefix strategy.
- 8.
In [10], Bellare and Rompel present a randomness-efficient approach to transform \(\mathrm {AM}[k]\) into \(\mathrm {AM}[2]\): to halve the number of rounds of an Arthur-Merlin proof system, they introduce a so-called “oblivious sampler” and use a small amount of randomness to specify roughly O(p) verifier messages in the original proof system. Their proof, however, yields almost the same result as the Speedup Theorem in our setting where we want to maintain the structure of the original proof system, and only care about the number of original verifier random tapes that are needed to make sure the resulting protocol after derandomization is still a proof system.
- 9.
The basic reasoning here applies to a proof system with an even number (4) of rounds as well, by having the verifier send a dummy message first.
- 10.
- 11.
For simplicity’s sake, we do not optimize this parameter here.
- 12.
At the k-th verifier step, the number of distinct next-message functions should in fact be \(t_k\). For simplicity, we assume \(t=t_k\) for all \(1\le k\le m\).
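The “guess the next verifier’s coins” rewinding strategy of Note 1, as an added example that is not part of the paper: a simulator for the k-fold parallel repetition of the classic 3-round Graph Isomorphism proof, run against a constructed deterministic verifier whose k-bit challenge is a function of the prover’s first message. The graphs, the verifier’s challenge rule and the seeds are assumptions made for the example; the attempt count grows like \(2^k\), which is why the verifier’s message must be short for this technique to work.

```python
import hashlib
import random

N = 5  # number of vertices in the constructed instance


def permute(graph, perm):
    """Relabel every edge {u, v} of an edge set as {perm[u], perm[v]}."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)


# Constructed public instance: G1 is a 5-cycle, G0 a fixed relabelling of it.
G1 = frozenset(frozenset((i, (i + 1) % N)) for i in range(N))
G0 = permute(G1, [2, 0, 4, 1, 3])


def canon(graph):
    """Canonical, hashable encoding of a graph (sorted edge list)."""
    return tuple(sorted(tuple(sorted(e)) for e in graph))


def malicious_challenge(first_msgs, k):
    """Constructed deterministic verifier: k challenge bits derived from the prefix."""
    h = hashlib.sha256(repr([canon(g) for g in first_msgs]).encode()).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(k)]


def verify(first_msgs, bits, perms):
    """Honest verifier check: each H_i must equal pi_i applied to G_{b_i}."""
    return all(permute(G0 if b == 0 else G1, p) == h
               for h, b, p in zip(first_msgs, bits, perms))


def simulate(k, rng=None):
    """Rewinding simulator: guess the k challenge bits, build first messages for
    that guess, and rewind whenever the verifier's actual challenge differs.
    Returns the accepting transcript and the number of attempts it took."""
    rng = rng or random.Random(0)
    attempts = 0
    while True:
        attempts += 1
        guess = [rng.randrange(2) for _ in range(k)]
        perms = [rng.sample(range(N), N) for _ in range(k)]
        first_msgs = [permute(G0 if b == 0 else G1, p) for b, p in zip(guess, perms)]
        if malicious_challenge(first_msgs, k) == guess:
            return (first_msgs, guess, perms), attempts


def mean_attempts(k, trials, seed=0):
    """Average number of rewinds needed for a k-bit challenge (expected about 2**k)."""
    rng = random.Random(seed)
    return sum(simulate(k, rng)[1] for _ in range(trials)) / trials
```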
References
Babai, L.: Trading group theory for randomness. In: STOC 1985, pp. 421–429 (1985)
Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS 2001, pp. 106–115 (2001)
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y.T., López-Alt, A., Wichs, D.: Why “Fiat-Shamir for Proofs” lacks a proof. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 182–201. Springer, Heidelberg (2013)
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)
Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction. In: STOC 2002, pp. 484–493 (2002)
Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 444–451 (1986)
Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. In: FOCS 2003, pp. 384–393 (2003)
Babai, L., Moran, S.: Arthur-Merlin games: a randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci. 36(2), 254–276 (1988)
Bellare, M., Rompel, J.: Randomness-efficient oblivious sampling. In: FOCS 1994, pp. 276–287 (1994)
Canetti, R., Chen, Y., Reyzin, L.: On the correlation intractability of obfuscated pseudorandom functions. In: Kushilevitz, E., et al. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 389–415. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_17
Deng, Y., Garay, J., Ling, S., Wang, H., Yung, M.: On the implausibility of constant-round public-coin zero-knowledge proofs. Cryptology ePrint Archive, Report 2012/508 (2012). http://eprint.iacr.org/2012/508
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29, 1–28 (1999)
Goldreich, O.: The Foundations of Cryptography, Volume 1, Basic Techniques. Cambridge University Press (2001)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS 2013, pp. 40–49 (2013)
Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
Hada, S.: Zero-knowledge and code obfuscation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 443–457. Springer, Heidelberg (2000)
Landi, W.: Undecidability of static analysis. J. LOPLAS 1(4), 323–337 (1992)
Ramalingam, G.: The undecidability of aliasing. ACM Trans. Program. Lang. Syst. 16(5), 1467–1471 (1994)
Acknowledgements
The authors would like to thank Susumu Kiyoshima and Sanjam Garg for their valuable comments.
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Deng, Y., Garay, J., Ling, S., Wang, H., Yung, M. (2016). On the Implausibility of Constant-Round Public-Coin Zero-Knowledge Proofs. In: Zikas, V., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2016. Lecture Notes in Computer Science(), vol 9841. Springer, Cham. https://doi.org/10.1007/978-3-319-44618-9_13
DOI: https://doi.org/10.1007/978-3-319-44618-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44617-2
Online ISBN: 978-3-319-44618-9
eBook Packages: Computer Science, Computer Science (R0)