
Optimally Sound Sigma Protocols Under DCRA

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10322)

Abstract

Given a well-chosen additively homomorphic cryptosystem and a \(\varSigma \) protocol with a linear answer, Damgård, Fazio, and Nicolosi proposed a non-interactive designated-verifier zero knowledge argument in the registered public key model that is sound under non-standard complexity-leveraging assumptions. In 2015, Chaidos and Groth showed how to achieve the weaker yet reasonable culpable soundness notion under standard assumptions but only if the plaintext space order is prime. It makes use of \(\varSigma \) protocols that satisfy what we call the optimal culpable soundness. Unfortunately, most of the known additively homomorphic cryptosystems (like the Paillier Elgamal cryptosystem that is secure under the standard Decisional Composite Residuosity Assumption) have composite-order plaintext space. We construct optimally culpable sound \(\varSigma \) protocols and thus culpably sound non-interactive designated-verifier zero knowledge protocols for NP under standard assumptions given that the least prime divisor of the plaintext space order is large.


Notes

  1. This property is also known under the name of relaxed special soundness [16].

  2. Briefly, weak culpable soundness means that it is intractable to cheat while knowing a witness assessing the fact that you are cheating, and also know that your cheating succeeds (i.e., know a witness that certifies that the verification equations hold). In the case of culpable soundness [28], the latter is not needed. See [39] for more details.

  3. Chaidos and Groth called it soundness with the unique identifiable challenge.

  4. We recall that an argument system is a proof system where soundness only holds against efficient adversaries.

References

  1. Abdolmaleki, B., Baghery, K., Lipmaa, H., Zajac, M.: A subversion-resistant SNARK. TR 2017/599, IACR (2017). http://eprint.iacr.org/2017/599

  2. Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_7

  3. Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed set-up assumptions. In: FOCS 2004, pp. 186–195 (2004)

  4. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33

  5. Bellare, M., Fuchsbauer, G., Scafuro, A.: NIZKs with an untrusted CRS: security in the face of parameter subversion. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 777–804. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_26

  6. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM CCS 1993, pp. 62–73 (1993)

  7. Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M.: Secure sampling of public parameters for succinct zero knowledge proofs. In: IEEE SP 2015, pp. 287–304 (2015)

  8. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988, pp. 103–112 (1988)

  9. Bowe, S., Gabizon, A., Green, M.D.: A multi-party protocol for constructing the public parameters of the Pinocchio zk-SNARK. TR 2017/602, IACR (2017). http://eprint.iacr.org/2017/602

  10. Bresson, E., Catalano, D., Pointcheval, D.: A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_3

  11. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: STOC 1998, pp. 209–218 (1998)

  12. Chaidos, P., Groth, J.: Making sigma-protocols non-interactive without random oracles. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 650–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_29

  13. Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 83–111. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_4

  14. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

  15. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4

  16. Damgård, I., Fazio, N., Nicolosi, A.: Non-interactive zero-knowledge from homomorphic encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 41–59. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_3

  17. Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_9

  18. Damgård, I., Jurik, M.: A length-flexible threshold cryptosystem with applications. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 350–364. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-45067-X_30

  19. Danezis, G., Fournet, C., Groth, J., Kohlweiss, M.: Square span programs with applications to succinct NIZK arguments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 532–550. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_28

  20. Fauzi, P., Lipmaa, H.: Efficient culpably sound NIZK shuffle argument without random oracles. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 200–216. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_12

  21. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  22. Fuchsbauer, G.: Subversion-zero-knowledge SNARKs. TR 2017/587, IACR (2017). http://eprint.iacr.org/2017/587

  23. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  24. Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS 2003, pp. 102–113 (2003)

  25. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29

  26. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19

  27. Groth, J., Lu, S.: A non-interactive shuffle with pairing based verifiability. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 51–67. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_4

  28. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012)

  29. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24

  30. Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_13

  31. Jurik, M.J.: Extensions to the Paillier cryptosystem with applications to cryptological protocols. Ph.D. thesis, University of Aarhus, Denmark (2003)

  32. Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_5

  33. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10

  34. Malkin, T., Teranishi, I., Yung, M.: Efficient circuit-size independent public key encryption with KDM security. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 507–526. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_28

  35. Micciancio, D., Petrank, E.: Simulatable commitments and efficient concurrent zero-knowledge. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 140–159. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_9

  36. Okamoto, T., Uchiyama, S.: A new public-key cryptosystem as secure as factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054135

  37. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  38. Sander, T.: Efficient accumulators without trapdoor (extended abstract). In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 252–262. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-540-47942-0_21

  39. Ventre, C., Visconti, I.: Co-sound zero-knowledge with public keys. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 287–304. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_18


Acknowledgments

We would like to thank Jens Groth, Ivan Visconti and anonymous reviewers for insightful comments. The authors were supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 653497 (project PANORAMIX), and by institutional research funding IUT2-1 of the Estonian Ministry of Education and Research.

Corresponding author

Correspondence to Helger Lipmaa .


A Preliminaries: DFN


A.1 RPK Model

In the registered public key (RPK, [3]) model, we assume that everybody has access to a key registration functionality \(F_{kr}\). A party (say, Alice) generates her public and secret key pair, and then sends both (together with the random coins used) to \(F_{kr}\), who verifies that the keys were created correctly (this means that to register her public key, Alice must know the corresponding private key), and then stores the public key together with Alice’s identity in a repository.

Later, Bob (for this, it is not necessary for Bob to register his public key) can query \(F_{kr}\) and then retrieve the public key of Alice together with a corresponding certificate. On the other hand, in security proofs, we may give an adversary control over \(F_{kr}\), enabling access not only to the public but also to the secret key of Alice. While every party can use a different \(F_{kr}\), all parties need to trust \(F_{kr}\) of other parties in the following sense. \(F_{kr}\) guarantees that

  (i) the public keys of uncorrupted parties are safe (the corresponding secret key is chosen randomly, and kept secret from the adversary), and

  (ii) the public keys of corrupted parties are well-formed (the functionality has seen the corresponding secret key).

Hence, Alice must trust her \(F_{kr}\) to do key registration correctly, and Bob must trust that Alice’s \(F_{kr}\) has verified that Alice knows the corresponding secret key.

As noted in [3, 16], one can make this model more realistic by letting Alice send her public key to \(F_{kr}\) and then give an interactive zero knowledge proof that she knows the corresponding private key. In the security proof, we can then construct an adversary who rewinds Alice to extract her private key.

A.2 NIDVZK Argument Systems

In a non-interactive designated verifier zero knowledge (NIDVZK, [12]) argument system in the RPK model, the verifier has a public key \(\mathcal {Z}{.}\mathsf {pk}\) and a corresponding secret key \(\mathcal {Z}{.}\mathsf {sk}\) specific to this argument system, that she has set up by using a trusted functionality \(F_{kr}\). An NIDVZK argument system \(\mathcal {Z}\) consists of the following three efficient algorithms:

  • \(\mathcal {Z}{.}\mathsf {G}(1^\kappa )\): generates, registers (by using \(F_{kr}\)), and then returns a key pair \((\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk})\).

  • \(\mathcal {Z}{.}\mathsf {P}(\mathcal {Z}{.}\mathsf {pk}, x, w)\): given a public key \(\mathcal {Z}{.}\mathsf {pk}\) obtained from \(F_{kr}\), an input \(x\) and a witness w, returns a proof \(\pi \).

  • \(\mathcal {Z}{.}\mathsf {V}(\mathcal {Z}{.}\mathsf {sk}, x, \pi )\): given a secret key, an input \(x\), and a proof \(\pi \), returns either 1 (accept) or 0 (reject).

Next, \(\mathcal {Z}= (\mathcal {Z}{.}\mathsf {G}, \mathcal {Z}{.}\mathsf {P}, \mathcal {Z}{.}\mathsf {V})\) is an NIDVZK argument system (see Note 4) for \(\mathcal {R}\) with culpable soundness for \(\mathcal {R}^{guilt}\), if it is perfectly complete, culpably sound [28] for \(\mathcal {R}^{guilt}\), and statistically (or computationally) composable zero knowledge, given that the parties have access to the certified public key of the verifier. More precise definitions follow.

Let \(\ell _x (\kappa )\) be a polynomial, such that (common) inputs of length \(\ell _x (\kappa )\) correspond to security parameter \(\kappa \). Then let \(\mathcal {R}_\kappa = \{ (x, w): bitlength (x) = \ell _x (\kappa ) \}\) and \(\mathcal {L}_{\mathcal {R}, \kappa } = \{ x: (\exists w) (x, w) \in \mathcal {R}_\kappa \}\), where again w has polynomial length.

\(\mathcal {Z}\) is perfectly complete, if for all \(\kappa \in \mathbb {N}\), all \((x, w) \in \mathcal {R}_\kappa \), and all \((\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}) \in \mathcal {Z}{.}\mathsf {G}(1^\kappa )\), \(\mathcal {Z}{.}\mathsf {V}(\mathcal {Z}{.}\mathsf {sk}, x, \mathcal {Z}{.}\mathsf {P}(\mathcal {Z}{.}\mathsf {pk}, x, w)) = 1\).

In our constructions we will get zero-knowledge even if the adversary knows the secret verification key. This strong type of zero-knowledge is called composable zero-knowledge in [25] due to it making composition of zero-knowledge arguments easier. More precisely, it is required that even an adversary who knows the secret key (or trapdoor, in the CRS model) cannot distinguish between the real and the simulated argument, [25].

Definition 4

\(\mathcal {Z}\) is computationally composable zero-knowledge if there exists an efficient simulator \(\mathcal {Z}{.}\mathsf {sim}\), such that for all probabilistic polynomial-time stateful adversaries \(\mathcal {A}\),

$$\begin{aligned} \Pr \left[ \begin{aligned}&(\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}) \leftarrow \mathcal {Z}{.}\mathsf {G}(1^\kappa ), \\&(x, w) \leftarrow \mathcal {A}(\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}), \\&\pi \leftarrow \mathcal {Z}{.}\mathsf {P}(\mathcal {Z}{.}\mathsf {pk}, x, w): \\&(x, w) \in \mathcal {R}\wedge \mathcal {A}(\pi ) = 1 \end{aligned} \right] \approx _\kappa \Pr \left[ \begin{aligned}&(\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}) \leftarrow \mathcal {Z}{.}\mathsf {G}(1^\kappa ),\\&(x, w) \leftarrow \mathcal {A}(\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}), \\&\pi \leftarrow \mathcal {Z}{.}\mathsf {sim}(\mathcal {Z}{.}\mathsf {sk}, x):\\&(x, w) \in \mathcal {R}\wedge \mathcal {A}(\pi ) = 1 \end{aligned} \right] . \end{aligned}$$

\(\mathcal {Z}\) is statistically composable zero-knowledge if this holds for all (not necessarily efficient) adversaries \(\mathcal {A}\). A statistically composable zero-knowledge argument system is perfectly composable, if \(\approx _\kappa \) can be replaced with \(=\) (i.e., the above two probabilities are in fact equal).

In the case of culpable soundness [28], we only consider false statements from some language \(\mathcal {L}_{guilt} \subseteq \overline{\mathcal {L}}\) characterized by a relation \(\mathcal {R}^{guilt}\). We require a successfully cheating prover to output, together with an input \(x\) and a successful argument \(\pi \), also a guilt witness \(w_{guilt}\) such that \((x, w_{guilt}) \in \mathcal {R}^{guilt}\). That is, we require a successful cheater to be aware of the fact that she cheated.

Formally, \(\mathcal {Z}\) is (non-adaptively) culpably sound for \(\mathcal {R}^{guilt}\), if for all probabilistic polynomial-time adversaries \(\mathcal {A}\),

$$\begin{aligned} \Pr \left[ \begin{aligned}&(\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}) \leftarrow \mathcal {Z}{.}\mathsf {G}(1^\kappa ), (x, \pi , w_{guilt}) \leftarrow \mathcal {A}(\mathcal {Z}{.}\mathsf {pk}):\\&(x, w_{guilt}) \in \mathcal {R}^{guilt} \wedge \mathcal {Z}{.}\mathsf {V}(\mathcal {Z}{.}\mathsf {sk}, x, \pi ) = 1 \end{aligned} \right] \approx _\kappa 0. \end{aligned}$$

Note that culpable soundness is implicitly computational (defined only w.r.t. an efficient adversary), thus a culpably sound proof system is always an argument system.

In our applications, \(w_{guilt}\) will be the secret key of the cryptosystem that the NIDVZK arguments are about. For example, in an NIDVZK argument that the plaintext is 0 (or Boolean), \(w_{guilt}\) is equal to the secret key that enables one to decrypt the ciphertext. Such culpable soundness is fine in many applications, as we will discuss at the end of the current subsection.

Finally, for some \(\varrho = \varrho (\kappa )\), \(\mathcal {Z}\) is \(\varrho \)-adaptively culpably sound for \(\mathcal {R}^{guilt}\), if for all probabilistic polynomial-time adversaries \(\mathcal {A}\),

$$\begin{aligned} \Pr \left[ \begin{aligned}&(\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}) \leftarrow \mathcal {Z}{.}\mathsf {G}(1^\kappa ), (x, \pi , w_{guilt}) \leftarrow \mathcal {A}^{\mathcal {Z}{.}\mathsf {V}(\mathcal {Z}{.}\mathsf {sk}, \cdot , \cdot )} (\mathcal {Z}{.}\mathsf {pk}):\\&(x, w_{guilt}) \in \mathcal {R}^{guilt} \wedge \mathcal {Z}{.}\mathsf {V}(\mathcal {Z}{.}\mathsf {sk}, x, \pi ) = 1 \end{aligned} \right] \approx _\kappa 0. \end{aligned}$$

Here, the adversary is allowed to make up to \(\varrho \) queries to the oracle \(\mathcal {Z}{.}\mathsf {V}\).

As shown in [16], one can handle cases where the adversary has access to a logarithmic number of queries, simulating their answers by guessing them; this still guarantees that her success probability is inverse polynomial.

On Culpable Soundness. We will prove culpable soundness [28] of argument systems about the plaintexts of a cryptosystem by showing that if an adversary outputs an accepting argument and the secret key \(\mathsf {sk}\), then she has broken an underlying assumption. This version of culpable soundness is acceptable since in protocols that we are interested in, there always exists a party (namely, the verifier) who knows \(\mathsf {sk}\). Hence, the cheating adversary together with the verifier can break the (non-culpable) soundness of the argument system.

Thus, such culpable soundness is very natural in the RPK model, especially if we assume that the verifier has provided an interactive zero knowledge proof of knowledge of \(\mathsf {sk}\) while registering it with the authority. Then, in the soundness proof, we can just construct an adversary who first retrieves \(\mathsf {sk}\) from the latter zero knowledge proof, and then uses the culpable soundness adversary whom we already have.

A.3 DFN Transform for the Paillier Elgamal Cryptosystem

Consider the DFN [16] transformation, given the Paillier Elgamal cryptosystem \(\varPi = (\varPi {.}\mathsf {K}, \mathsf {VK}, \mathsf {E}, \mathsf {D})\) where the plaintext space is \(\mathbb {Z}_{N^{s}}\) for some reasonably large s. W.l.o.g., we assume that the same cryptosystem, with the same value of s, is used to encrypt both the challenge e and the witness plaintexts, but under different secret and public keys: one secret key \(\mathsf {sk}_e\) is known by the verifier and another secret key \(\mathsf {sk}\) is (possibly) known by the prover. For the sake of efficiency, one could use different cryptosystems or at least different values of s, but we avoid the general case so as not to clutter the notation.

This transformation assumes that the original \(\varSigma \)-protocol \(\mathcal {S}\) has a linear answer and optimal culpable soundness using some relation \(\mathcal {R}^{guilt}\), see Sect. 2.3. More precisely, we assume that \(\mathcal {R}^{guilt}\) is as defined by Eq. (9).

The description of the DFN transform is given in Fig. 5. The following theorem and its proof follow [12, 16] in their structure. The part of using the extractor to achieve culpable soundness is from [12], while the idea of letting the constructed adversary \(\mathcal {A}_{\pi }\) answer randomly to oracle queries goes back to [12, 16]. The latter means that we only get \(O (\log \kappa )\)-adaptive soundness.

Theorem 5

Assume that \(\mathcal {S}\) is a complete and computationally (resp., statistically) special HVZK \(\varSigma \) protocol with a linear answer for \(\mathcal {R}\) that is optimally culpably sound for \(\mathcal {R}^{guilt}\). Let \(\varPi = (\mathsf {K}, \mathsf {VK}, \mathsf {E}, \mathsf {D})\) be the Paillier Elgamal cryptosystem. Then the NIDVZK argument system for \(\mathcal {R}\) of Fig. 5 is \(\varrho \)-adaptively computationally culpably sound for \(\mathcal {R}^{guilt}\) of Eq. (9) for \(\varrho = O (\log \kappa )\), and computationally (resp., statistically) composable zero knowledge for \(\mathcal {R}\).

Fig. 5. The DFN transform for the Paillier Elgamal cryptosystem. Here we assume \(s = \max _i \lceil \log _N (z_{2 i} + 1) \rceil \) is fixed by the description of \(\mathcal {S}{.}\mathsf {P}\) and thus known to the verifier.

Proof

Adaptive Culpable Soundness. We show that if a cheating prover \(\mathcal {A}_{zk}\) returns a good challenge \(e'\) for the NIDVZK argument system with some probability \(\varepsilon = \delta \), then we can break the message recovery security of \(\varPi \) with probability \(\varepsilon _\pi = 1 / (\varrho 2^\varrho ) \delta \).

For this, we note that \(\mathcal {A}_{zk}\) gets information about e from two sources, from \({\varvec{c}}_e\) and from the response of the verifier to different queries. We now construct an adversary \(\mathcal {A}_\pi \) that, given access to \(\mathcal {A}_{zk}\), breaks the message recovery security of \(\varPi \) (where the public key \(\mathcal {Z}{.}\mathsf {pk}\) includes \({\varvec{c}}_e\)). It uses the extractor \(\mathcal {S}{.}\mathsf {EX}\), who — given that the prover is dishonest and such a challenge exists — returns the good challenge \(e'\).

First, the challenger uses \(\mathcal {Z}{.}\mathsf {G}(1^\kappa )\) to generate a secret key \(\mathcal {Z}{.}\mathsf {sk}= (\mathsf {sk}_e, e)\) and a public key \(\mathcal {Z}{.}\mathsf {pk}= (\mathsf {pk}_e, {\varvec{c}}_e)\), and sends \(\mathcal {Z}{.}\mathsf {pk}\) to \(\mathcal {A}_\pi \). \(\mathcal {A}_\pi \) then runs \(\mathcal {A}_{zk}^{\mathcal {Z}{.}\mathsf {V}(\mathcal {Z}{.}\mathsf {sk}; \cdot , \cdot )} (\mathcal {Z}{.}\mathsf {pk})\). Assume \(\mathcal {A}_{zk}\) replies with a tuple \((x_{i}, \pi _{i}, w_{i})\). Since \(\mathcal {A}_{zk}\) is successful, \(\mathcal {A}_\pi \) emulates the verifier by replying with a random bit b. Once \(\mathcal {A}_{zk}\) stops (say after \(\varrho = \varTheta (\log \kappa )\) steps), \(\mathcal {A}_\pi \) chooses uniformly one tuple \((x_{i_0}, \pi _{i_0}, w_{i_0})\), and then runs the extractor with the input \((x_{i_0}, w_{i_0})\), and obtains either “accept”, or a candidate challenge \(e'\). Then, \(\mathcal {A}_\pi \) outputs what the extractor outputs.

With probability \(2^{-\varrho } = 2^{- \varTheta (\log \kappa )} = \kappa ^{- \varTheta (1)}\), all bits that \(\mathcal {A}_\pi \) chose are equal to the bits that the verifier would have sent. Since \(\mathcal {A}_{zk}\) is successful, then with a non-negligible probability, one of the input/argument tuples, say \((x_{i_1}, \pi _{i_1}, w_{i_1})\), is such that \((x_{i_1}, w_{i_1}) \in \mathcal {R}^{guilt}\) but the verifier accepts. With probability \(1 / \varrho = \varTheta (1 / \log \kappa )\), \(i_0 = i_1\). Thus, with probability \(\varepsilon _\pi = \frac{\delta }{\varrho 2^\varrho } = \kappa ^{- \varTheta (1)}\), \(\mathcal {A}_\pi \) has given to the extractor an input \((x_{i_0}, w_{i_0}) \in \mathcal {R}^{guilt}\) such that there exists \(\pi _{i_0}\) such that the verifier accepts \((x_{i_0}, \pi _{i_0}, w_{i_0})\). With such inputs, since the verifier accepts, there exists a good challenge \(e'\), and the extractor outputs it. In this case, \(\mathcal {A}_\pi \) has returned a good \(e'\).

Finally, if the verifier accepts then due to the optimal culpable soundness, the value \(e'\) returned by the extractor must be equal to the value e that has been encrypted by \({\varvec{c}}_e\). Since the only information that \(\mathcal {A}_{\pi }\) has about e is given in \({\varvec{c}}_e\) (since \(\mathcal {A}_\pi \)’s random answers do not reveal anything), this means that \(\mathcal {A}_{\pi }\) has returned the plaintext of \({\varvec{c}}_e\) with non-negligible probability, and thus breaks the message recovery security of \(\varPi \).

Composable Zero Knowledge. Assume that \((\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk}) \leftarrow \mathcal {Z}{.}\mathsf {G}(1^\kappa )\), and \((x, w) \leftarrow \mathcal {A}(\mathcal {Z}{.}\mathsf {sk}, \mathcal {Z}{.}\mathsf {pk})\). The simulator \(\mathcal {Z}{.}\mathsf {sim}(\mathcal {Z}{.}\mathsf {sk}, x)\) can obtain e from \({\varvec{c}}_e\) by decrypting it. Given e, he runs \(\mathcal {S}{.}\mathsf {sim}(x, e)\) to obtain an accepting view \(({\varvec{c}}_a, e, {\varvec{z}})\). He then computes \({\varvec{c}}_z \leftarrow \mathsf {E}_{\mathsf {pk}_e} ({\varvec{z}})\) and returns \(\pi \leftarrow ({\varvec{c}}_a, {\varvec{c}}_z)\).

We now show that the transcript comes from a distribution that is indistinguishable from that of the real view. Consider the following hybrid simulator \(\mathcal {Z}{.}\mathsf {sim}^w\) that gets the witness w as part of the input. \(\mathcal {Z}{.}\mathsf {sim}^w\) does the following:

  1. Create \(({\varvec{c}}_a, {\varvec{z}}_1, {\varvec{z}}_2) \leftarrow \mathcal {S}{.}\mathsf {P}(x, w)\) and the \(\varSigma \) protocol transcript \(({\varvec{c}}_a, e, {\varvec{z}})\), \({\varvec{z}} \leftarrow e {\varvec{z}}_1 + {\varvec{z}}_2\), by following the \(\varSigma \)-protocol.

  2. Encrypt \({\varvec{z}}\) component-wise to get \({\varvec{c}}_z\).

  3. Return \(\pi \leftarrow ({\varvec{c}}_a, {\varvec{c}}_z)\).

Since the encryption scheme is blindable, such a hybrid argument is perfectly indistinguishable from the real argument. Since the \(\varSigma \)-protocol is specially HVZK, hybrid arguments and simulated arguments are computationally indistinguishable. If the \(\varSigma \)-protocol is statistically specially HVZK, then hybrid arguments and simulated arguments (and thus also real arguments and simulated arguments) are statistically indistinguishable.    \(\square \)
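As an added illustration of the DFN transform and the composable zero knowledge simulator described in this appendix (example code written for this page, not the paper's own): the prover computes the encryption of its linear answer \(z = e z_1 + z_2\) homomorphically from \(c_e\) without ever learning e, the verifier decrypts with \(\mathsf{sk}_e\), and the simulator decrypts \(c_e\) to learn e and runs the Σ-protocol's HVZK simulator. It substitutes a Schnorr-style Σ protocol in a toy prime-order group for the paper's arguments about plaintexts, plain Paillier for Paillier Elgamal, and tiny constructed parameters; the function names (`z_gen`, `z_prove`, `z_verify`, `z_sim`) are this example's own.

```python
# Toy DFN transform: a Schnorr-style Sigma protocol with a linear answer
# z = e*z1 + z2, made non-interactive by encrypting the verifier's challenge e
# under the verifier's Paillier key. Constructed toy parameters, no security.
import math
import secrets

# Schnorr group: p = 2q + 1 with q prime; g = 4 generates the order-q subgroup.
P_GRP, Q_GRP, G = 2039, 1019, 4


def paillier_keygen(p, q):
    """Textbook Paillier with generator n + 1; returns (n, sk) with sk = (lambda, mu)."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return n, (lam, mu)


def paillier_enc(n, m):
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:                 # r must be a unit modulo n
        r = secrets.randbelow(n - 1) + 1
    return (pow(n + 1, m, n * n) * pow(r, n, n * n)) % (n * n)


def paillier_dec(n, sk, c):
    lam, mu = sk
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n


def z_gen(p, q):
    """Z.G: verifier encrypts a nonzero challenge e. Z.sk = (sk_e, e), Z.pk = (pk_e, c_e)."""
    n, sk_e = paillier_keygen(p, q)
    e = secrets.randbelow(Q_GRP - 1) + 1
    return (sk_e, e), (n, paillier_enc(n, e))


def z_prove(z_pk, x, w):
    """Z.P: first message a = g^r, then c_z = c_e^{z1} * Enc(z2) with z1 = w, z2 = r.
    The prover only ever sees c_e, never e; Enc(z2) also blinds the result."""
    n, c_e = z_pk
    w %= Q_GRP
    r = secrets.randbelow(Q_GRP)
    a = pow(G, r, P_GRP)
    # The plaintext space must hold the integer answer e*w + r without wrap-around
    # (this is what the paper's choice of s guarantees).
    assert Q_GRP * Q_GRP + Q_GRP < n
    c_z = (pow(c_e, w, n * n) * paillier_enc(n, r)) % (n * n)
    return a, c_z


def z_verify(z_sk, z_pk, x, proof):
    """Z.V: decrypt the answer with sk_e, reduce mod q, check g^z == a * h^e."""
    sk_e, e = z_sk
    n, _ = z_pk
    a, c_z = proof
    z = paillier_dec(n, sk_e, c_z) % Q_GRP
    return pow(G, z, P_GRP) == (a * pow(x, e, P_GRP)) % P_GRP


def z_sim(z_sk, z_pk, x):
    """Z.sim (composable ZK): decrypt c_e to get e, run the Schnorr HVZK
    simulator (random z, a = g^z * h^{-e}), then encrypt z component-wise."""
    sk_e, _ = z_sk
    n, c_e = z_pk
    e = paillier_dec(n, sk_e, c_e)
    z = secrets.randbelow(Q_GRP)
    a = (pow(G, z, P_GRP) * pow(pow(x, e, P_GRP), -1, P_GRP)) % P_GRP
    return a, paillier_enc(n, z)


def demo(w=123, bad_w=124):
    """Real proof and simulated proof both verify; a prover with a wrong witness fails."""
    z_sk, z_pk = z_gen(3001, 3011)            # constructed toy Paillier primes
    x = pow(G, w, P_GRP)                      # statement h = g^w
    real_ok = z_verify(z_sk, z_pk, x, z_prove(z_pk, x, w))
    sim_ok = z_verify(z_sk, z_pk, x, z_sim(z_sk, z_pk, x))
    cheat_ok = z_verify(z_sk, z_pk, x, z_prove(z_pk, x, bad_w))
    return real_ok, sim_ok, cheat_ok


if __name__ == "__main__":
    print(demo())
```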

Copyright information

© 2017 International Financial Cryptography Association

Cite this paper

Lipmaa, H. (2017). Optimally Sound Sigma Protocols Under DCRA. In: Kiayias, A. (ed.) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_10

  • DOI: https://doi.org/10.1007/978-3-319-70972-7_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7
