Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Zero-knowledge (ZK) proofs introduced in [36] provide a powerful tool in designing a variety of cryptographic protocols. Since then, they have been an important building block in various applications. Zero-knowledge proofs allow a prover to convince a verifier about the validity of a statement, while giving no information beyond the truth of the statement. Informally, an honest prover should always convince a verifier about a true statement (completeness). Moreover, a malicious verifier learns nothing beyond the validity of the statement (zero-knowledge) and a malicious prover cannot convince a verifier of a false statement (soundness). In addition to soundness, a ZK protocol in which the prover’s witness can be extracted by a simulator offers proof of knowledge.

It is known that every language in NP has a zero-knowledge proof system [34]. Despite this, proving generic statements is inefficient in practice, and there are few techniques that allow efficient proofs. These techniques almost always apply to a restricted set of languages, with a series of works [13, 39, 40, 68] on proving algebraic relationships like knowledge of roots, discrete logarithms etc.

Kilian’s zero-knowledge argument [50] achieves sub-linear communication, but relies on PCP and is of theoretical interest. Groth [37] gave the first constant-size non-interactive ZK proofs. Since then, many constructions of SNARKs (Succinct non-interactive arguments of knowledge) have been presented [26, 28, 38, 60], and have been implemented as well [23, 64]. Though SNARKs have short proofs and allow efficient verification, they have shortcomings in prover efficiency. The prover performs public-key operations proportional to the size of the circuit representing the statement. In addition, they rely on a large trusted parameter; for example, a long common reference string (CRS).

Around the same time that ZK was introduced, Yao introduced secure two-party computation (2PC) and garbled circuits (GC) [69]. The problem of general multi-party computation (MPC) [10, 33, 70] considers a set of parties holding private inputs with the task of computing a joint function while preserving certain desired security properties. An interesting line of recent works [3, 12, 21, 31, 42, 43, 45, 48] establishes connections between MPC and ZK, and use the techniques of 2PC and MPC for truly efficient ZK protocols. The two main streams of works connecting MPC with efficient ZK protocols rely on “MPC-in-the-head” approach [45, 46] and garbled circuit based approach [48], as elaborated below.

1.1 Efficient ZK Protocols

Ishai et al. [45, 46] show how to use an MPC protocol to obtain a ZK proof for an NP relation in the commitment-hybrid model. This approach, called “MPC-in-the-head”, provides a powerful tool to obtain black-box constructions for generic statements without relying on expensive Karp reductions. Recently, this technique spurred progress in constructing practical ZK protocols [20, 31] resulting in efficient ZK arguments tailored for Boolean circuits, known as ‘ZKBoo’ and ‘ZKBoo++’ respectively. They study variants of the “MPC-in-the-head” framework, plug in different MPC protocols, and provide concrete estimates of soundness. In yet another recent attempt, [3] proposes ‘Ligero’, a 4 round interactive ZK argument with sub-linear (in the circuit size) proof-size relying on interactive PCPs and plugging in a refined MPC of [25] in the “MPC-in-the-head” approach. Specifically, they achieve a proof size of \(\mathcal {O}(\lambda \sqrt{|C|\log |C|})\). The construction uses Reed Solomon Codes from coding theory techniques. The marked improvement in the proof size is obtained by careful tweaking of the protocol parameters. The prover and verifier time is \(\mathcal {O}(|C|\log |C|)\) symmetric key operations, and without any public key operations. The protocol does not require any setup and the security is proven in the stand-alone setting. The constructions of [3, 20, 31] can be made non-interactive using the Fiat-Shamir heuristic in the programmable RO model.

Jawurek et al. [48] construct a UC-secure ZK protocol (referred to as ZKGC henceforth) using garbled circuits as the primary building block. The communication required for their protocol is linear in the size of the circuit implementing the NP relation, and is also concretely efficient as it achieves malicious security with only one garbled circuit. However, the protocol is inherently interactive. ZKGC is essentially a version of Yao’s original constant-round 2PC protocol where the GC constructor has no input; this yields full malicious security at little overhead over the semi-honest case as Yao’s protocol in this case is already secure against a malicious evaluator. The protocol uses oblivious transfer (OT). The use of OT in ZK protocols dates back to [51]. Notably, Zero-knowledge, when viewed as a special case of 2PC, allows for a relaxation in the properties required of the underlying GCs, as noted in [48]. This led to the introduction of the notion of privacy-free garbling schemes [27], which are optimized for the ZK setting of [48]. A privacy-free garbling scheme only achieves authenticity, and leverages privacy-freeness in order to save on communication and computation costs of garbling. Privacy-free GCs are further studied by Zahur et al. [71], who construct a privacy-free scheme using the HalfGates approach. Their privacy-free scheme makes use of FreeXOR [53] to garble and evaluate XOR gates at no cost, and produces only one ciphertext when garbling an AND gate (along with two calls to a hash function H). Their construction comprises the current state-of-the-art in privacy-free garbling for circuits. When formulaic circuits are of concern, [54] shows how to do privacy-free garbling with zero ciphertext and with information-theoretic security.

The interactive schemes based on garbled circuits allow for the flexibility of how the keys for the underlying GCs are constructed and how the garbled input (i.e. witness) is encoded. This leads to interesting applications making non-blackbox use of ZKGC [21, 52]. For instance, Kolesnikov et al. [52] introduce a new primitive called “attribute selective encryption” as a method of input encoding in ZKGC in order to construct attribute-based key-exchange. This allows a client to prove to a server that it holds a certificate corresponding to its attributes issued by a trusted authority, and that these attributes satisfy a policy constructed by the server. Note that only proving knowledge of attributes satisfying a given policy is insufficient in this setting. Another point of comparison is that the PROM assumption required by non-interactive ‘MPC-in-the-head’ based ZK protocols can be used to construct highly efficient adaptively secure garbled circuits [8] allowing ZKGC and our protocol to be cast in the online-offline paradigm, with all circuit-dependent communication moved to a preprocessing stage.

Lastly, we note that all of the above protocols deal with static adversaries, where the adversary is allowed to choose the party it wishes to corrupt only at the outset of the protocol. In this work, we are interested in building efficient concurrently composable ZK protocols that can tolerate adaptive adversaries [6, 15]. In the following section, we summarize the literature on practical ZK protocols for non-algebraic statements, and zero-knowledge protocols secure against adaptive adversaries.

1.2 Adaptively Secure Zero-Knowledge

An adaptive adversary may dynamically decide which party to corrupt as the protocol progresses. Its choice of corruptions may be adapted according to the specific information it sees, possibly even corrupting both the parties. Tolerating an adaptive adversary in a ZK protocol in the UC setting requires a straight-line simulator that can generate a transcript on behalf of the prover without knowledge of the witness, and later be able to “explain” the transcript for any given witness (i.e. concoct valid-looking corresponding local randomness). In [6], the authors show that the zero-knowledge proof system of GMW [35] is not secure against adaptive adversaries or else the polynomial hierarchy collapses, and proceed to build ZK arguments. This work is further advanced in [18] where UC-secure ZK arguments are presented relying on adaptive commitments schemes. In [59], it is shown that adaptive ZK proofs exist for all of NP assuming only one-way functions. They present constructions of adaptively secure ZK proofs from adaptive instance dependent commitment schemes.

Adaptive ZK via Adaptive MPC. The recent work of Cannetti et al. [19] shows how to construct constant-round two party computation using garbled circuits in the standard model. They solve the problem of equivocating a garbled circuit in order to explain the view of a constructor who has already sent a GC in Yao’s protocol by means of a functionally equivocal encryption scheme. However this comes at the cost of a GC whose size is quadratic in the size of the circuit that is garbled. Previous adaptively secure constant round secure computation protocols have relied on obfuscation [16, 22, 24].

Adaptive ZK from MPC-in-the-Head Approach. We note that the “MPC-in-the-head” approach is likely to generate adaptively secure ZK protocols by relying on adaptive commitments and possibly adaptively secure MPC. An adaptive commitment scheme is used to commit to the views of the virtual parties. The adaptive commitment schemes from standard assumptions [41, 42] may be taxing in terms of both communication and round efficiency. Alternatively, the commitments used in IKOS-style protocols can be implemented in the programmable random oracle model, allowing the simulator to equivocate committed views, which yields adaptive security in a straightforward manner. Another related method is via non-committing encryption (NCE), an approach that has in other circumstances allowed circumvention of known lower bounds in the plain model. For instance, the adaptively secure garbling scheme of [8] uses a programmable RO to achieve NCE, which results in the circumvention of a lower bound in the online communication complexity of adaptively secure garbling schemes shown by Applebaum et al. [5].

Adaptive ZK via 2PC-in-the-Head [42]. The work of [42] uses the “MPC-in-the-head” technique [46] to construct adaptive ZK proofs. Their use of interactive hashing [62] to construct instance dependent commitments to equivocate committed views requires a non-constant number of rounds. The overall round complexity of their adaptive ZK protocol is \(\mathcal {O}(\mu \log \mu )\), where \(\mu \) is the soundness parameter. The proof size is \(\mathcal {O}(\mu |\mathbf {C} | \mathsf {poly}(\lambda ))\) and the \(\mathsf {poly}(\lambda )\) factor is \(\varOmega (\lambda )\). While their scheme can be made constant round by plugging in the appropriate instance-dependent commitment scheme, it comes at the cost of proofs that are quadratic in the size of the circuit implementing the NP relation.

In this work, we explore the possibility of building protocols that lie at the intersection of all of these desirable qualities. Specifically we address the following question:

Can we construct constant-round UC-secure ZK protocols that are secure against adaptive corruptions, with proof size linear in the size of the circuit that implements the NP relation?

1.3 Our Contributions

Inspired by the recent progress in the domain of garbling schemes as primitives and interesting applications of garbled circuit (GC) based ZK protocols, we revisit ZK protocols from GCs. Recent works including [21, 52] make non-blackbox use of the GC-based ZK protocols of [48], exploiting particularly the way the keys for the underlying GCs are constructed and the method by which the garbled input (i.e. witness) is encoded. Such applications will directly benefit from any improvement in the domain of garbled circuit based ZK protocols. Our contributions are listed below.

Efficient Constant-Round Adaptively Secure ZK Protocols. While security against static adversaries provides a convenient stepping-stone for designing protocols against strong malicious attacks, a general real-life scenario certainly calls for adaptive security where the adversary can use its resources in a gradual fashion, making dynamic corruption decisions as the protocol progresses. Our first contribution is to show that the ZK protocol of [48] can be proven to be adaptively secure in the UC setting if the underlying oblivious transfer (OT) primitive satisfies a mild adaptive security guarantee. Namely, we require that the receiver’s communication can be equivocated to any input of the receiver. Such an OT is referred to as receiver equivocal OT (RE-OT). We show that the framework of [65] itself, in one of its incarnation, provides RE-OT. Specifically, the mode of [65] that offers statistical security for the receiver also offers the flavor of adaptive security that we demand from RE-OT. The main observation instrumental in crafting the adaptive proof of security for ZKGC is that the constructor of GC has no input. Therefore, the primary challenge of explaining the randomness of the GC construction in post-execution corruption case is bypassed.

Next, we focus on reducing the exact round complexity of ZKGC style protocols. We propose a three-round protocol. Since neither zero-knowledge proofs nor arguments can be achieved in less than four rounds without additional assumptions [32], we devise our protocols in the CRS model where the CRS is short unlike those used in SNARKs. Starting with ZKGC, our three-round protocol cuts down two rounds in [48] using the idea of conditional opening [12] of a secret information that enables garbled circuit verification. That is, the key to GC verification can be unlocked only when the prover possesses a valid witness. Though fairly simple, implementing this idea makes the security proof of the resulting protocol challenging and subtle due to a circularity issue. Loosely speaking, when the prover does not hold a valid witness, the authenticity of GC should translate to the security of the key and at the same time, the security of the key should translate to the authenticity of the GC. We handle this issue by implementing the conditional disclosure via encryption in the Random Oracle Model (ROM). While the ZKGC protocol requires at least 5 rounds in its most round-efficient instantiation, we improve the complexity to three at no additional cost of communication (in fact with slight improvement), and little change in computation (one hash invocation versus a commitment in [48]). We show this protocol to be adaptively secure too, when plugged in with RE-OTs.

In terms of concrete proof size (communication), our three-round protocol yields a better result than ZKBoo [31] (and even it’s more efficient successor ZKB++ [20]) both in its interactive and non-interactive form with the right choice of the security parameters. We assume that circuit C computes the statement to be proven. While our three-round ZK needs a communication of \(\lambda |C |\) bits (ignoring the circuit-independent parts), [31] needs at least \(3.41 \lambda |C |\) to achieve the same (\(\frac{1}{2^{\lambda }}\)) soundness. In the table below, we compare our protocol asymptotically with the existing efficient constructions. Let ‘PKE’ and ‘SKE’ denote the number of public key and respectively secret key operations. We note that RE-OT can be efficiently constructed assuming DDH assumption, with no overhead over the regular OT in the framework of [65] (Table 1).

Table 1. Comparison among zero knowledge protocols
Full size table

2-Round Zero-Knowledge Proofs. We next investigate the possibility of building efficient GC based ZK protocols with fewer than three rounds of interaction. In the spirit similar to that of [42], our two round protocol borrows techniques from non-interactive two-party computation (2PC) literature [1, 44, 61] except for the following: We do not need the gadgets for input consistency checks of the prover, and input recovery mechanisms in case of inconsistent outputs [56, 57, 61, 67]. Our protocol is a proof, while most known efficient ZK protocols and our three round protocol are only arguments. The two round ZK may be cast as a sigma protocol and by applying the Fiat-Shamir transform, one may obtain NIZK arguments in the random oracle model. Finally, we observe that for the 2-round and NIZK argument we do not rely on the authenticity property of the garbling scheme. However, more efficient garbled circuit constructions by giving up on authenticity is precluded by the result of [4]. While the result of [4] needs to encode a different circuit (the underlying circuit augmented with a MAC computation) to achieve authenticity using a private scheme, we show a similar result while encoding the same underlying circuit. Both results essentially show that any garbling scheme that satisfies privacy also has authenticity.

1.4 Organization

We begin by briefly discussing definitions and constructions required for this work in Sect. 2. In Sect. 3 we show that the ZK protocol of [48] is adaptively secure. Section 4 presents our three-round ZK protocol from conditional disclosure. Section 5 discusses our 2-round ZK. We include our result on authenticity-free garbling in the full version.

2 Preliminaries

Notation. We denote probabilistic polynomial time by \(\textsc {ppt} \). Let \(\lambda \) be the security parameter. [n] and [mn] for \(n>m\) denote the sets \(\{1,\dots ,n\}\) and \(\{m,m+1,\ldots ,n\}\) respectively. \(|\varvec{t}|\) denote the number of bits in a string \(\varvec{t}\). We use || to denote concatenation of bit strings, and write \(x \overset{R}{\leftarrow } \mathcal {X}\) to mean sampling a value x uniformly from the set \(\mathcal {X}\). A function \(f(\cdot )\) is said to be negligible if \(\forall c \in \mathbb {N}\), there exists \(n_0 \in \mathbb {N}\) such that \(\forall n \ge n_0,f(n) < n^{-c}\). Let S be an infinite set and \(X = \{X_s\}_{s \in S}, Y = \{Y_s\}_{s \in S}\) be distribution ensembles. We say X and Y are computationally indistinguishable, if for any \(\textsc {ppt} \) distinguisher \(\mathcal {D}\) and all sufficiently large \(s \in S\), we have \(|\Pr [\mathcal {D}(X_s) = 1] - \Pr [\mathcal {D}(Y_s) = 1]| < 1 / p(|s|)\) for every polynomial \(p(\cdot )\). In the following, we review few building blocks. The ZK and Oblivious Transfer (OT) functionality are recalled in Appendix B.

2.1 Garbled Circuits

The work of Bellare et al. [9] formalizes Garbling Schemes as a primitive for modular use in cryptographic protocols, by defining several notions of security, including obliviousness, privacy and authenticity, of which we are interested in the latter two. Informally, privacy aims to protect the privacy of encoded inputs, while authenticity captures the unforgeability of the output of a garbled circuit evaluation. Majority of the schemes in the literature, including the classical scheme of Yao [70], satisfy the two aforementioned properties. Using the language of [9] for circuits; the circuit itself is a directed acyclic graph, where each gate g is indexed by its outgoing wire, and its left and right incoming wires A(g) and B(g) are numbered such that \(g>B(g)>A(g)\). Also, a circuit output wire can not be an input wire to any gate. We denote the number of input wires, gates and output wires using nq and m respectively in a circuit \(C \).

At a high-level, a garbling scheme consists of the following algorithms: \(\mathsf {Gb}\) takes a circuit as input and outputs a garbled circuit, encoding information, and decoding information. \(\mathsf {En}\) takes an input x and encoding information and outputs a garbled input \(\mathbf {X} \). \(\mathsf {Ev}\) takes a garbled circuit and garbled input \(\mathbf {X} \) and outputs a garbled output \(\mathbf {Y} \). \(\mathsf {De}\) takes a garbled output \(\mathbf {Y} \) and decoding information and outputs a plain circuit-output (or an error, \(\bot \)). Finally, we use an additional verification algorithm in the garbling scheme that output 1 or 0 based certain validity checks performed on a triple \((C,\mathbf {C},e)\). Formally, a garbling scheme is defined by a tuple of functions \(\mathsf {Garble} = (\mathsf {Gb}, \mathsf {En}, \mathsf {Ev}, \mathsf {De}, \mathsf {Ve})\), described as follows:

  • Garble algorithm \(\mathsf {Gb} \left( 1^\lambda , C \right) \): A randomized algorithm which takes as input the security parameter and a circuit \(C: {{\{0,1\}}^{n}} \rightarrow {{\{0,1\}}^{m}} \) and outputs a tuple of strings \((\mathbf {C}, e, d)\), where \(\mathbf {C} \) is the garbled circuit, \(e \) denotes the input-wire labels, and \(d \) denotes the decoding information.

  • Encode algorithm \(\mathsf {En} \left( x, e \right) \): a deterministic algorithm that outputs the garbled input \(\mathbf {X} \) corresponding to input x.

  • Evaluation algorithm \(\mathsf {Ev} \left( \mathbf {C}, \mathbf {X} \right) \): A deterministic algorithm which evaluates garbled circuit \(\mathbf {C} \) on garbled input \(\mathbf {X} \), and outputs a garbled output \(\mathbf {Y} \).

  • Decode algorithm \(\mathsf {De} \left( \mathbf {Y}, d \right) \): A deterministic algorithm that outputs the plaintext output corresponding to \(\mathbf {Y} \) or \(\bot \) signifying an error if the garbled output \(\mathbf {Y} \) is invalid.

  • Verify algorithm \(\mathsf {Ve} \left( C, \mathbf {C}, e \right) \): A deterministic algorithm which takes as input a circuit \(C:{{\{0,1\}}^{n}} \mapsto \{0,1\}^m\), a garbled circuit (possibly malicious) \( \mathbf {C} \), encoding information e, and outputs 1 when \(\mathbf {C} \) is a valid garbling of \(C\), and 0 otherwise.

A garbling scheme may satisfy several properties such as correctness, privacy, authenticity and notions of verifiability. The definitions for correctness, privacy and authenticity are standard: correctness enforces that a correctly garbled circuit, when evaluated, outputs the correct output of the underlying circuit; privacy aims to protect the privacy of encoded inputs; authenticity enforces that the evaluator can only learn the output label that corresponds to the value of the function. We use two notions of verifiability. One of the notions enforces that the garbling of a circuit indeed implements the specified plaintext circuit \(C\). This notion of verification is used in our two-round protocol, NIZK and also in the Yao-based 2PC protocols using cut-and-choose (where the check circuits are verified according to this notion) [56, 57, 61, 67]. The other notion of verifiability introduced in [48] enforces that the garbled output corresponding to a given clear output can be extracted for a verified tuple \((C,\mathbf {C},e)\). This is used in our three round protocol. For the sake of completeness, we give the definitions of these properties in Appendix A.

We are interested in a class of garbling schemes referred to as projective in [9]. When garbling a circuit \(C:{{\{0,1\}}^{n}} \mapsto {{\{0,1\}}^{m}} \), a projective garbling scheme produces encoding information of the form \(e = \left( {k} _i^0, {k} _i^1 \right) _{i\in [n]}\), and the encoded input \(\mathbf {X} \) corresponding to \(x=\left( x_i\right) _{i\in [n]}\) can be interpreted as \(\mathbf {X} = \mathsf {En} (x,e) = \left( {k} _i^{x_i} \right) _{i\in [n]}\).

2.2 Hash Function and Random Oracle Model

We use a hash function \(H : \{0,1\}^* \rightarrow \{0,1\}^{\mathsf {poly}(\lambda )}\) which we model as a random oracle. Namely, we prove the security of our protocol assuming that H implements a functionality \(\mathcal {F}_\textsc {RAND}\) which for different inputs x, returns uniform random output values from the range of H(x). In the proof, we rely on observability of H i.e. the reduction can observe the queries made to the H by the distinguisher of certain two views. Note that the simulator does not observe queries to the random oracle.

3 Adaptive Security of [JKO13]

In this section, we show that the garbled circuit based ZKGC protocol is adaptively secure when instantiated with an OT that satisfies a special property of Receiver Equivocality. We formalize the notion of Receiver Equivocal Oblivious Transfer which is an OT primitive with mild adaptive security guarantees. Essentially, we require that the view of a receiver be reconstructable in the case of a post-execution corruption. A similar notion was introduced in [7]. We show that the OT framework of [65] is already receiver equivocal when it is instantiated with statistical security against a corrupt sender (“decryption mode”). We then show that when the zero-knowledge protocol of [48] is instantiated with RE-OT, it achieves adaptive security without any additional effort. Below, we formulate RE-OT, recall the construction of [48], describe the adaptive proof of security of [48] and conclude with an instantiation of RE-OT.

Definition of RE-OT. An oblivious transfer protocol is said to be receiver equivocal if it is possible to produce the receiver’s message in the protocol without committing to a choice bit. For this to be meaningful, we also require that it be possible to efficiently generate the local randomness which when combined with either choice bit would make an honest receiver output the same message. This is formalized by requiring the existence of a simulator \(\mathcal {S}^\mathsf {RE}\) which can perform this task, in Definition 3.1.

Definition 3.1

Let \(\varPi _\mathsf {OT} = (\varPi _\mathsf {OT} ^\textsf {S},\varPi _\mathsf {OT} ^\textsf {R})\) be a 2-round OT protocol securely implementing the \(\mathcal {F}_{\textsf {OT}}\) functionality in the CRS model where \(\textsf {S}\) and \(\textsf {R}\) run their respective algorithms as specified by \(\varPi _\mathsf {OT} ^\textsf {S}(\mathsf {crs},a_0,a_1,m^\textsf {R};r^\textsf {S})\) and \(\varPi _\mathsf {OT} ^\textsf {R}(\mathsf {crs},\sigma ;r^\textsf {R})\) respectively. Here, \(a_0,a_1\) are the sender’s inputs, \(\sigma \) is the receiver’s choice bit, \(r^\textsf {S},r^\textsf {R}\) are the sender’s and receiver’s respective local randomness, and \(m^\textsf {R}\) is the receiver’s message. Let \((\mathsf {crs},t)\) be the output of the setup functionality for an instance of the protocol, where \(\mathsf {crs}\) is the string that both parties have access to, and t is the corresponding trapdoor which is accessible only to the simulator \(\mathcal {S}\). Then \(\varPi _\mathsf {OT} \) is an RE-OT if there exists an algorithm \(\mathcal {S}^\mathsf {RE}\left( \mathsf {crs},t\right) \) which outputs \(\left( m^\textsf {R}, r^\textsf {R}_0, r^\textsf {R}_1\right) \) such that \(m^\textsf {R}= \varPi _\mathsf {OT} ^\textsf {R}(\mathsf {crs},0;r^\textsf {R}_0) = \varPi _\mathsf {OT} ^\textsf {R}(\mathsf {crs},1;r^\textsf {R}_1)\), and \(r^\textsf {R}_0,r^\textsf {R}_1 {\mathop {\approx }\limits ^{s}}r^\textsf {R}\).

On the use of a CRS. We note here that there is nothing inherent in receiver equivocation that demands a CRS to implement RE-OT. As we are interested in achieving UC-security, we take the liberty of assuming that the protocol realizing RE-OT will make use of a CRS. However, this does not preclude the existence of RE-OT in the standalone model without a CRS, or even a UC-secure RE-OT in the Global Random Oracle hybrid model [17] alone.

Fig. 1.
figure 1

Zero-knowledge from garbled circuits [48]

Full size image

3.1 Recap of [JKO13]

We recall the ZKGC protocol below in the \((\mathcal {F}_{\textsf {COT}},\mathcal {F}_{\textsf {COM}})\) hybrid model. The functionalities are presented in Appendix B (Fig. 1).

3.2 Proof of Adaptive Security for [JKO13] from RE-OT

In this section we show that instantiating the ZKGC protocol with RE-OT satisfying Definition 3.1 yields a UC-secure protocol realizing \(\mathcal {F}^{R}_{\mathsf {ZK}}\) (see Fig. 10) tolerating adaptive adversaries.

Recalling Static Proof of Security. The simulator for a corrupt \(\mathsf {P}\) plays the role of an honest verifier \(\mathsf {V}\). It constructs and communicates a correct garbled circuit, extracts the witness acting on behalf of \(\mathcal {F}_{\textsf {COT}}\) functionality, and accepts the proof only if the extracted witness is a valid one. On the other hand the real verifier accepts when the opening of the commitment is the correct output wire key Z. In \(\mathcal {F}_{\textsf {COM}}\)-hybrid model, we can show that a malicious prover who is able make a real verifier output ‘accept’ (but not the simulator) can be used to break authenticity of the underlying garbling scheme. We can use such a malicious prover \(\mathsf {P}^*\) to construct an adversary \(\mathcal {A}\) for the authenticity game of [9] as follows:

  1. 1.

    \(\mathcal {A}\) receives the invalid witness \(x^*\) from \(\mathsf {P}^*\) on behalf of \(\mathcal {F}_{\textsf {COT}}\) and forwards it to the authenticity challenger.

  2. 2.

    \(\mathcal {A}\) receives \(\mathbf {C},X\) from the authenticity challenger and forwards it to \(\mathsf {P}^*\)

  3. 3.

    \(\mathcal {A}\) receives forged key \(Z'\) from \(\mathsf {P}^*\) on behalf of \(\mathcal {F}_{\textsf {COM}}\) and submits it to the authenticity challenger.

Clearly, the event that \(\mathcal {A}\) successfully forges an output for the given \(\mathbf {C},X\) is equivalent to the event that \(\mathsf {P}^*\) convinces a verifier to output ‘accept’ without a valid witness. By authenticity of the garbling scheme, this event occurs with negligible probability.

The simulator for a corrupt \(\mathsf {V}\) receives the encoding information from \(\mathsf {V}\) on behalf of the \(\mathcal {F}_{\textsf {COT}}\) functionality and extracts the output 1-key Z using received garbled circuit and encoding information. It then sends Z to the verifier only after receiving the correct encoding information from \(\mathsf {V}\) in the open-all phase. Otherwise, it sends \(\bot \) to \(\mathsf {V}\). Security in this case follows from the verifiability (that allows extraction of the output key from encoding information) of the underlying garbling scheme.

Adaptive Proof of Security. The bottleneck faced in simulating garbled circuit based protocols for post-execution corruptions usually lies in “explaining” the randomness of the GC constructor once her input is known. In the case of two-party computation, equivocating the view of the garbled circuit constructor requires heavy machinery such as in Canetti et al. [19]. However in the ZKGC protocol verifier \(\mathsf {V}\) is the GC constructor and has no input. The simulator can therefore run the code of honest \(\mathsf {V}\), which includes being an honest sender in the OT protocol (this is also why our OT need not achieve full-fledged adaptive security). On the prover’s side, receiver equivocality of the OT allows a simulator to equivocate an adaptively corrupted prover’s view of the OT protocol, as per the witness once known. We make the observation that every step of \(\mathsf {P}\) following the OT is independent of the witness. Specifically, once the output key Z has been obtained by evaluating the GC sent by \(\mathsf {V}, \mathsf {P}\) does not use the witness again. Note that the simulator does not need the witness to obtain Z; the ZKGC simulator invokes the \(\varPi _\mathsf {OT} \) simulator in order to extract all inputs of \(\mathsf {V}\) and obtain all keys of the GC. Once the simulator obtains Z, the code of honest \(\mathsf {P}\) can be run to complete the simulation. The implication of this for simulation of a post-execution corruption of \(\mathsf {P}\) is that no additional work needs to be done besides equivocating the view of \(\mathsf {P}\) in the OT. We now give a formal proof for all the cases:

  • Simulation for \(\mathsf {V}\) . The verifier, until it is corrupted, can be simulated following the static simulator for the corrupt \(\mathsf {P}\), irrespective of when \(\mathsf {P}\) is corrupted. As recalled above, the simulation can be carried out by running the code of honest verifier (constructing a correct garbled circuit, participating in the RE-OTs with the correct encoding information and sending the correctly constructed garbled circuit). Upon corruption, the simulator can explain to the corrupt \(\mathsf {V}\) the communication by means of the randomness used in its honest execution of \(\mathsf {V}\)’s code. The indistinguishability follows from the proof in the static corrupt prover case.

  • Simulation for \(\mathsf {P}\) . If the prover is corrupted at the outset, then there is nothing to simulate. So we consider the worst scenario of post-execution corruption. If the verifier is also not corrupt during the construction of the garbled circuit, then simulator acts on behalf of both the honest parties and runs the code of honest verifier. In the \(\mathcal {F}_{\textsf {COM}}\)-hybrid model, the simulator, without having access to the actual witness, runs \(\left( m^\textsf {R}, r^\textsf {R}_0,r^\textsf {R}_1\right) \leftarrow \mathcal {S}^\mathsf {RE}\left( \mathsf {crs},t\right) \) to generate the transcript that needs to be communicated on behalf of \(\mathsf {P}\) in RE-OT instances. The rest of the simulation is straight-forward irrespective of whether the verifier is corrupt or not. In the final step, the simulator may have to communicate Z which it picked itself while simulating \(\mathsf {V}\) in this case. When \(\mathsf {P}\) is corrupt in the end, its input \(x_i\) to the \(i^\text {th}\) RE-OT instance can be explained as per any input using the randomness \(r^\textsf {R}_{x_i}\) returned by \( \mathcal {S}^\mathsf {RE}\) of the RE-OTs. On the other hand, if \(\mathsf {V}\) was corrupt before the garbled circuit construction phase, then the simulator gets Z via unlocking the GC using encoding information extracted from the corrupt \(\mathsf {V}\)’s communication. The rest remains the same as the previous case.

    Security in the former case follows via receiver equivocality of RE-OT. In the latter, it follows additionally from verifiability that ensures the encoding information leads to the correct Z with high probability.

3.3 Instantiation of RE-OT

The OT framework of [65] is already receiver equivocal as per Definition 3.1 when instantiated in “decryption mode”. The protocol can be constructed efficiently under the Decisional Diffie Hellman, Quadratic Residuosity, or Learning With Errors hardness assumptions. For simplicity, in this paper we recall the instantiation of \(\varPi _\mathsf {PVW} \) and describe \(\mathcal {S}^\mathsf {RE}_\mathsf {PVW} \) under the DDH hardness assumption alone (Fig. 2).

Fig. 2.
figure 2

RE-OT assuming DDH: as per [65]

Full size image

Theorem 3.2

The protocol \(\varPi _\mathsf {PVW} \) in Fig. 2 is a RE-OT, assuming that DDH is hard for \(\mathbb {G}\).

Proof

The protocol \(\varPi _\mathsf {PVW} \) in Fig. 2 is proven to realize the \(\mathcal {F}_{\textsf {OT}}\) functionality in the UC model by Peikert et al. [65]. It is easy to see how \(\mathcal {S}^\mathsf {RE}_\mathsf {PVW} \) allows for receiver equivocation as per Definition 3.1:

  • The randomness \(r^\textsf {R}_\sigma \) provided is interpreted as \(\textsf {R}\)’s secret exponent \(\alpha \).

  • Recall that the message \(m^\textsf {R}\) is \(\left( g_0^r,h_0^r\right) \), and candidate randomness output by \(\mathcal {S}^\mathsf {RE}_\mathsf {PVW} \) is \(r^\textsf {R}_0=r\), and \(r^\textsf {R}_1=r^\textsf {R}_0\cdot t^{-1}=r \cdot t^{-1}\).

  • Correctness of message \(m^\textsf {R}\) can be seen as follows:

    1. 1.

      \(\varPi _\mathsf {PVW} \left( \mathsf {crs},0;r^\textsf {R}_0\right) \) will output \(\left( g_0^{r^\textsf {R}_0},h_0^{r^\textsf {R}_0}\right) = \left( g_0^r, h_0^r\right) = m^\textsf {R}\)

    2. 2.

      \(\varPi _\mathsf {PVW} \left( \mathsf {crs},1;r^\textsf {R}_1\right) \) will output \(\left( g_1^{r^\textsf {R}_1}, h_1^{r^\textsf {R}_1}\right) = \left( g_1^{\left( r\cdot t^{-1}\right) }, h_1^{\left( r\cdot t^{-1}\right) }\right) \)

      Recall that the trapdoor t relates \(g_0\) to \(g_1\) as \(g_0^t = g_1\) and similarly \(h_0^t=h_1\). Therefore we have that \(\left( g_1^{\left( r\cdot t^{-1}\right) }, h_1^{\left( r\cdot t^{-1}\right) }\right) = \left( g_0^r, h_0^r\right) = m^\textsf {R}\).

  • Finally, \(r^\textsf {R}_0,r^\textsf {R}_1=r,r\cdot (t^{-1})\) are clearly uniformly random, as r is sampled uniformly at random.

   \(\square \)

Also note that RE-OT is strictly weaker than OT with security against adaptive corruptions; any protocol satisfying the latter notion will necessarily be receiver-equivocal in order for the receiver’s view to be fully simulatable in the event of a post-execution corruption.

4 Zero Knowledge in Three Rounds

In this section, we present a 3-round ZK protocol against a malicious verifier requiring just one GC in the non-programmable random oracle model, with no increase in communication complexity. Our protocol achieves this by a technique for non-interactive GC verification which allows us to remove the commitment and OT-open-all phases from ZKGC. Our approach is reminiscent of the technique of conditional disclosure of secrets (CDS) [30]. CDS has since been generalized [47], and used in several works, including in applications to improve round complexity of protocols [2, 11]. We show that the protocol is adaptively secure when the underlying OTs are receiver equivocal.

4.1 High-Level Idea

The high round cost of ZKGC makes it undesirable for many applications. However its usage of only one GC for an actively secure protocol is an attractive feature, prompting us to examine whether we can improve on the number of rounds required to realize ZK with only one GC. We now describe our intuition behind the protocol, beginning with informal observations about the number of rounds in ZKGC. Assuming the ZKGC paradigm to be broadly characterized by a protocol where the verifier \(\mathsf {V}\) constructs a GC which is then evaluated by prover \(\mathsf {P}\), we make the following (informal) observations:

  • As \(\mathsf {V}\) constructs the GC, \(\mathsf {P}\)’s witness bits must be encoded as garbled input and delivered by means of an OT. The most efficient UC-secure OT in the literature [65] requires 2 rounds to instantiate.

  • Assuming the underlying GC to be statically secure in the terminology of Bellare et al. [8], the GC can at best be sent to \(\mathsf {P}\) along with the final message of the OT (if not after the OT).

  • \(\mathsf {P}\) must communicate some information as a ‘response’ to \(\mathsf {V}\)’s GC ‘challenge’; for instance the garbled output obtained as a result of evaluating the GC with her witness. This must necessarily be after she receives the GC, adding at least one more round after the OT.

In summary, it appears that the ZKGC paradigm requires at least 2 rounds for the OT, plus the GC transmission, and one round following that. Therefore, a 3-round ZK protocol appears to be optimal in the ZKGC paradigm, informally suggesting the optimality of our protocol. In the following, we make several observations that are instrumental to our protocol.

Conditional Verification of Garbled Circuits. We begin by making the following observation about the original ZKGC protocol: even a prover who does not have a witness is given the chance to first commit to her garbled output and verify that the GC she received was correctly generated. Verification of the GC is a process that takes two additional rounds of interaction in their protocol. We ask, can we use conditional disclosure of secrets to reduce the number of rounds: “can we provide some additional information with a GC that will allow an evaluator to non-interactively verify that the GC was correctly constructed only when it possess a valid witness?” We answer this question in the affirmative, at least for the ZKGC setting. An idea somewhat similar in spirit was proposed in [12] to construct a three-round ‘weak’ ZK protocol from a garbling scheme and point-obfuscation. That is, knowing the witness gives the prover access to a secret via a garbled circuit handed over by the verifier. The secret, then, can be used to unlock the seed that opens the garbled circuit and enables verifying the correct construction of the GC. Technique-wise, we depart from the work of [12] as follows. The secret is encoded in the circuit output in [12] and hence, privacy of the garbling circuit is one of the properties they rely on to achieve soundness. On the contrary, the secret, in our case is the output key corresponding to bit 1 and hence, soundness is achieved via authenticity. Qualitatively, their protocol is not a full-fledged ZK, is in the plain model, has a non-black-box simulator and relies on strong assumptions such as obfuscation. Our ZK protocol is proven UC-secure with a black-box simulator and relies on standard assumptions, albeit assuming a CRS setup.

Interestingly, the intuition behind the ability of [48] to achieve full black-box simulation was that the relaxation in round complexity rendered the four-round barrier in the plain model [32] inapplicable. However, our result demonstrates that the trusted setup required to implement a full black-box simulatable two-round OT is sufficient to construct a three round zero-knowledge argument using the concretely efficient [48] technique and a non-programmable random oracle.

Our intuition is implemented as follows: Given that \(\left( \mathbf {C},\left\{ ({k} _j^0,{k} _j^1)\right\} _{j\in [n]},\right. \left. ({k} ^0,{k} ^1)\right) \leftarrow \mathsf {Gb} \left( 1^\lambda ,C \right) \) and an honest \(\mathsf {P}\) has obtained encoded input \(\mathbf {X} =\left( {k} _j^{x_j}\right) _{j\in [n]}\) for a witness \(x = (x_1\ldots ,x_n)\), she can compute \({k} ^1=\mathsf {Ev} \left( \mathbf {C},\mathbf {X} \right) \). Now that \(\mathsf {P}\) has evaluated the GC, we wish to enable her to ‘open’ the GC and verify that it was constructed correctly. To do this, we provide her with a ciphertext encrypting some useful information. Concretely, the ciphertext \(T=H({k} ^{1}) \oplus r^\textsf {S}\), where H is a random oracle and \(r^\textsf {S}\) contains the randomness used by the sender in the OT instances. Once \(\mathsf {P}\) gets this randomness, she can unlock \(\left\{ {k} _j^0,{k} _j^1\right\} _{j \in [n]} \) and can verify if the circuit has been constructed correctly. In the following, we formalize the property needed from the OT protocol, namely that the randomness of the sender reveals the inputs of the sender.

Sender-Extractability of OT. Let \(\varPi _\mathsf {OT} = (\varPi _\mathsf {OT} ^\textsf {S},\varPi _\mathsf {OT} ^\textsf {R})\) be a 2-round OT protocol securely implementing the \(\mathcal {F}_{\textsf {OT}}\) functionality in the CRS model where \(\textsf {S}\) and \(\textsf {R}\) run their respective algorithm as specified by \(\varPi _\mathsf {OT} ^\textsf {S}\) and \(\varPi _\mathsf {OT} ^\textsf {R}\) respectively. Let \(\mathsf {crs}\) be the string that both parties have access to. We denote the first message of the protocol sent by the receiver \(\textsf {R}\) by \(m^\textsf {R}= \varPi _\mathsf {OT} ^\textsf {R}(\mathsf {crs},\sigma ;r^\textsf {R})\) where \(\sigma \) is \(\textsf {R}\)’s choice bit and \(r^\textsf {R}\) his randomness. Let the input of the sender \(\textsf {S}\) be \(a_0,a_1\); we denote the second message of the OT protocol, sent by \(\textsf {S}\), by \(m^\textsf {S}= \varPi _\mathsf {OT} ^\textsf {S}(\mathsf {crs}, a_0,a_1, m^\textsf {R};r^\textsf {S})\). The receiver can now compute the chosen message, \(x_\sigma = \varPi _\mathsf {OT} ^\textsf {R}(\mathsf {crs}, \sigma , m_\textsf {S}; r^\textsf {R})\). We assume that \(\varPi _\mathsf {OT} \) has the following sender-extractable property: revealing the randomness of the sender, allows the receiver to reconstruct the sender’s messages correctly with high probability. That is, there exists a public efficiently computable function, \(\mathsf {Ext} \) such that \(\mathsf {Ext} (\mathsf {crs},{\mathcal T}_\mathsf {OT} (a_0,a_1,\sigma ),r^\textsf {S})\) outputs \((a_0,a_1)\) where \({\mathcal T}_\mathsf {OT} (a_0,a_1,\sigma )\) refers to the transcript of \(\varPi _\mathsf {OT} \) with sender’s input as \(a_0,a_1\) and receiver’s input as \(\sigma \). Namely, \({\mathcal T}_\mathsf {OT} (a_0,a_1,\sigma ) = (m^\textsf {R},m^\textsf {S})\) where \(m^\textsf {R}\) and \(m^\textsf {S}\) are as defined above.

Definition 4.1

A protocol \(\varPi _\mathsf {OT} \) is a secure sender-extractable OT protocol if

  • it securely implements \(\mathcal {F}_{\textsf {OT}}\) in the presence of malicious adversaries, and

  • \(\forall \) \(a_0,a_1,\sigma \), such that \(|a_0|,|a_1|\le poly\left( \lambda \right) \), \(\sigma \in \{0,1\}, \exists \) a PPT algorithm \(\mathsf {Ext} \) such that the following probability is negligible in \(\lambda \).

    $$\begin{aligned} \Pr \left( \begin{matrix} (a'_0, a'_1) \ne (a_0,a_1) : \mathsf {Ext} (\mathsf {crs}, {\mathcal T}_\mathsf {OT} (a_0,a_1,\sigma ), r^\textsf {S}) = (a'_0, a'_1) \end{matrix} \right) . \end{aligned}$$

We note that the protocol of [65] is UC-secure in the CRS model, is 2-rounds, and satisfies the sender-extractability property of Definition 4.1. We use such a protocol in our construction.

4.2 Our Construction

At a high-level, our construction proceeds as follows. The verifier constructs a garbled circuit of the circuit \(C \) implementing the relation. The prover obtains the wire keys corresponding to his witness via an OT protocol. Now, the verifier sends the garbled circuit to the prover, and, in addition, a ciphertext. This ciphertext allows the prover to open and verify the garbled circuit, but only if he possesses a valid witness. The complete description of our protocol \(\varPi _\mathsf {ZK3}\) is presented in Fig. 3. We now prove security of \(\varPi _\mathsf {ZK3} \) in Universal Composability (UC) framework. As we do not rely on programming the Random Oracle, we can also adapt our proof in the UC setting to use a Global Random Oracle [17].

Theorem 4.2

Let \(\mathsf {Garble} \) be a correct, authentic, verifiable garbling scheme, \(\varPi _\mathsf {OT} \) be an sender-extractable OT protocol, and H be an extractable random oracle. The protocol \(\varPi _\mathsf {ZK3} \) in Fig. 3 securely implements \(\mathcal {F}^{R}_{\mathsf {ZK}}\) in the presence of malicious adversaries.

Proof

To prove the security of our protocol, we describe two simulators. The simulator \(\mathcal {S}_\mathsf {P}\) simulates the view of a corrupt prover and appears in Fig. 4. The simulator \(\mathcal {S}_\mathsf {V}\) simulates the view of a corrupt verifier and is presented in Fig. 5.

Fig. 3.
figure 3

3-round GC based zero knowledge protocol

Full size image

Security against a Corrupt Prover \({\mathbf {\mathsf{{P}}}}^{\varvec{\star }}\) . We now prove that \(\textsc {ideal}_{\mathcal {F}^{R}_{\mathsf {ZK}}, \mathcal {S}_\mathsf {P},\mathcal {Z}} {\mathop {\approx }\limits ^{c}} \textsc {real}_{\varPi _\mathsf {ZK3}, \mathcal {A},\mathcal {Z}}\) when \(\mathcal {A} \) corrupts \(\mathsf {P}\). We begin by noting that the simulated and the real worlds are identical when \(\mathsf {P}\) uses a valid witness x. The view of a malicious \(\mathsf {P}^\star \) who does not possess a valid witness x is proven to be computationally close to the simulation through an intermediate hybrid \({\textsc {hyb}}_1\). The hybrid \({\textsc {hyb}}_1\) is constructed identically to \(\textsc {ideal}_{\mathcal {F}^{R}_{\mathsf {ZK}}, \mathcal {S}_\mathsf {P},\mathcal {Z}}\) with the exception of the criterion to output \(\mathsf {accept}\). In \({\textsc {hyb}}_1\), the verifier accepts if \(\mathsf {P}^\star \) outputs the correct \({k} ^1\) (as in the \(\textsc {real}\) view) regardless of the witness used. We begin our analysis by noting that unless a \(\mathsf {P}^\star \) queries the correct \({k} ^1\) to the random oracle H, the string T appears completely random. Therefore, given that a \(\mathsf {P}^\star \) attempting to distinguish between the \(\textsc {real}\) view and the view generated by \({\textsc {hyb}}_1\), we branch our analysis into the following cases:

Fig. 4.
figure 4

Simulator \(\mathcal {S}_\mathsf {P}\)

Full size image

  • \(\mathsf {P}^\star \) does not output the correct \({k} ^1\) in either world. Here we assume that a \(\mathsf {P}^\star \) also does not query the correct \({k} ^1\) to the random oracle H to be able to unlock ciphertext T. If the prover does indeed query the correct \({k} ^1\) to H with non-negligible probability, we move on to the next case. A \(\mathsf {P}^\star \) who is successful in distinguishing \(\textsc {real}_{\varPi _\mathsf {ZK3}, \mathcal {A},\mathcal {Z}}\) from \({\textsc {hyb}}_1\) in this case can be used to break OT sender security. The reduction computes a garbled circuit \(\mathbf {C} \) and sends the input keys to the OT challenger (by means of the environment for the OTs) as the sender’s input. The reduction then extracts the input x of \(\mathsf {P}^\star \) and forwards to the OT challenger as the choice bits of the receiver. The response of OT challenger who computes the sender’s message either by invoking a real sender i.e. as \(m^\textsf {S}_j = \varPi _\mathsf {OT} ^\textsf {S}(\mathsf {crs},{k} _{j}^{0}, {k} _{j}^{1},m^\textsf {R}_j;r^\textsf {S}_j), \forall j\in [n]\) or by invoking a simulator i.e. as \(m^\textsf {S}_j = \varPi _\mathsf {OT} ^\textsf {S}(\mathsf {crs},{k} _{j}^{x_j}, 0^{\lambda },m^\textsf {R}_j;r^\textsf {S}_j), \forall j\in [n]\) is sent to the reduction who further forwards the message to \(\mathsf {P}^\star \) along with \(\mathbf {C} \) and a random T. In case the OT challenger invokes a simulator the view of \(\mathsf {P}^\star \) is identical to \({\textsc {hyb}}_1\), whereas when the OT challenger uses a real execution of \(\varPi _\mathsf {OT} \) the view of \(\mathsf {P}^\star \) is identical to \(\textsc {real}\) (T is random given that the correct \({k} ^1\) is never queried to H). Therefore, the probability of distinguishing between the REAL and \({\textsc {hyb}}_1\) view translates to the probability of distinguishing between the real and the simulated view of the OT protocols for the case when the receiver is corrupt.

  • \(\mathsf {P}^\star \) outputs the correct \({k} ^1\) in \(\mathbf{real }_{\varPi _\mathsf {ZK3}, \mathcal {A},\mathcal {Z}}\) with significantly higher probability than in \(\mathbf{hyb}_1\) . This case is similar to the previous case in that \(\mathsf {P}^\star \) can be used to break sender security of the OT by computing \(\mathbf {C} \) locally in the reduction. If \(\mathsf {P}^\star \) outputs a correct \({k} ^1\), the reduction is interacting with \(\varPi _\mathsf {OT} \) whereas if not, the challenger must have invoked the simulator for \(\varPi _\mathsf {OT} \). The advantage of this reduction is the difference in probabilities with which \(\mathsf {P}^\star \) forges \({k} ^1\) successfully in the \(\textsc {real}\) and \({\textsc {hyb}}_1\) worlds.

  • \(\mathsf {P}^\star \) outputs the correct \({k} ^1\) in both worlds with almost the same probability. The corrupt \(\mathsf {P}^\star \) can be used directly to break authenticity of the garbling scheme. Clearly the OT message corresponding to inactive input keys are not used by the corrupt \(\mathsf {P}\); the ability to output the correct \({k} ^1\) must be derivative of the ability to forge a key for the garbled circuit alone. It is therefore straightforward to use \(\mathsf {P}^\star \) to forge \({k} ^1\) for a given garbled circuit \(\mathbf {C} \), as its view can be generated as per \({\textsc {hyb}}_1\), which does not require the inactive garbled circuit keys to compute the OT messages.

Note that in Cases 2 and 3, we consider a \(\mathsf {P}^\star \) who outputs \({k} ^1\) to be equivalent to a \(\mathsf {P}^\star \) who queries the random oracle on \({k} ^1\) to unlock T in its effort to distinguish \(\textsc {real}\) from \({\textsc {hyb}}_1\). Instead of receiving \({k} ^1\) directly from \(\mathsf {P}^\star \), our reductions will observe its query to the random oracle.

Finally \(\textsc {ideal}_{\mathcal {F}^{R}_{\mathsf {ZK}}, \mathcal {S}_\mathsf {P},\mathcal {Z}}\) deviates from \({\textsc {hyb}}_1\) only in its criteria to output \(\mathsf {accept}\). Only a corrupt \(\mathsf {P}\) who is able to output \({k} ^1\) will be able to distinguish \({\textsc {hyb}}_1\) from \(\textsc {ideal}_{\mathcal {F}^{R}_{\mathsf {ZK}}, \mathcal {S}_\mathsf {P},\mathcal {Z}}\). Such a \(\mathsf {P}\) can be used directly to forge an output key for a given \(\mathbf {C} \) with the same probability (which by authenticity of the garbling scheme, must be negligible).

Security against a Corrupt Verifier \({\mathbf {\mathsf{{V}}}}^{\varvec{\star }}\) . We now argue that \(\textsc {ideal}_{\mathcal {F}^{R}_{\mathsf {ZK}}, \mathcal {S}_\mathsf {V},\mathcal {Z}} {\mathop {\approx }\limits ^{c}} \textsc {real}_{\varPi _\mathsf {ZK3}, \mathcal {A},\mathcal {Z}}\) when \(\mathcal {A} \) corrupts \(\mathsf {V}\). The above two views of \(\mathsf {V}^{*}\) are shown to be indistinguishable via a series of intermediate hybrids.

  • \({\textsc {hyb}}_0\): Same as \( \textsc {real}_{\varPi _\mathsf {ZK3}, \mathcal {A},\mathcal {Z}}\).

  • \({\textsc {hyb}}_1\): Same as \({\textsc {hyb}}_0\), except that OT First Message phase is emulated by invoking the simulator of \(\varPi _\mathsf {OT} \) for corrupt receiver.

  • \({\textsc {hyb}}_2\): Same as \({\textsc {hyb}}_1\), except that \({k} ^1\) is computed in the following way instead of running \(\mathsf {Ev} (\mathbf {C},\mathbf {X})\). The simulator of \(\varPi _\mathsf {OT} \) for corrupt receiver is used to extract \(({k} _{j}^0, {k} _{j}^1)\) for \(j \in [n]\). Then \(\mathsf {Ve} _2(C, \mathbf {C}, \lbrace {k} _{j}^0, {k} _{j}^1\rbrace _{j \in [n]})\) is run. If the output is 0, the prover aborts. Otherwise \(\mathsf {Ve} _1\left( \mathbf {C},e,1\right) \) is run to extract \({k} ^1\) and the prover runs the rest of the protocol using \({k} ^1\).

  • \({\textsc {hyb}}_3\): Same as \({\textsc {hyb}}_2\), except that the following check for abort in GC Evaluation, Verification and Output Disclosure Phase is removed: On computing \(r^\textsf {S}_1||\cdots ||r^\textsf {S}_n = r^\textsf {S}= T \oplus H\left( {k} ^{1}\right) \), the prover aborts if any call to the extractor \(\mathsf {Ext} \) of the sender’s input to OT returns \(\bot \).

Clearly, \({\textsc {hyb}}_3 =\textsc {ideal}_{\mathcal {F}^{R}_{\mathsf {ZK}}, \mathcal {S}_\mathsf {V},\mathcal {Z}}\). Our proof will conclude, as we show that every two consecutive hybrids are computationally indistinguishable.

\({\textsc {hyb}}_0 {\mathop {\approx }\limits ^{c}} {\textsc {hyb}}_1\): The difference between these hybrids lies in the way OT first message is generated. In \({\textsc {hyb}}_0\), the message is generated by a real receiver that possesses the choice bits x, whereas in \({\textsc {hyb}}_1\), the simulator for \(\varPi _\mathsf {OT} \) for the corrupt receiver generates the message. The indistinguishability follows via reduction to the sender security of n instances of OT.

\({\textsc {hyb}}_1 {\mathop {\approx }\limits ^{c}} {\textsc {hyb}}_2\): The difference between these hybrids lies in the way \({k} ^1\) is computed. In \({\textsc {hyb}}_1\), \({k} ^1\) is computed as a real prover does. On the other hand, \({k} ^1\) is extracted using \(\mathsf {Ve} _1\) and the encoding information extracted from the OTs in \({\textsc {hyb}}_2\). By the verifiability property (Verifiability I in Appendix A) of the garbling scheme, the view of \(\mathsf {V}^\star \) in \({\textsc {hyb}}_2\) and \({\textsc {hyb}}_1\) are indistinguishable.

\({\textsc {hyb}}_2 {\mathop {\approx }\limits ^{c}} {\textsc {hyb}}_3\): The difference between these hybrids lies in the conditions checked by \(\mathsf {P}\) for abort in GC Evaluation, Verification and Output Disclosure Phase. In the former, the protocol is aborted when one of the invocations to \(\mathsf {Ext} \) returns messages different from corresponding input labels which does not happen in the latter as the check is removed. By the sender extractability of the OT protocol (Definition 4.1), the hybrids are indistinguishable except with negligible probability.    \(\square \)

Fig. 5.
figure 5

Simulator \(\mathcal {S}_\mathsf {V}\)

Full size image

4.3 Making \(\varPi _\mathsf {ZK3} \) Adaptively Secure

The challenge in achieving adaptive security for \(\varPi _\mathsf {ZK3} \) is essentially the same as ZKGC; once the GC output key Z has been retrieved, all of \(\mathsf {P}\)’s steps are independent of the witness.

Simulation for \({\mathbf {\mathsf{{P}}}}\) . Consider the worst case scenario of post-execution corruption. The simulator runs \(\left( m^\textsf {R},r^\textsf {R}_0, r^\textsf {R}_1\right) \leftarrow \mathcal {S}^\mathsf {RE}\left( \mathsf {crs},t\right) \) to generate the first message of \(\mathsf {P}\), and obtains the GC output key Z either by extracting the encoding information from \(\mathsf {V}\)’s response (if \(\mathsf {V}\) is corrupt) or using the key it picked itself when simulating \(\mathsf {V}\). The rest of the simulation is straightforward, as the code of honest \(\mathsf {P}\) can be run from this point. In case the adversary chooses to corrupt \(\mathsf {P}\), the simulator hands over the randomness \(r^\textsf {R}_{x_i}\) for each OT instance encoding witness bit \(x_i\).

Simulation for \({\mathbf {\mathsf{{V}}}}\) . As \(\mathsf {V}\) has no input, the simulator proceeds by running the code of the honest verifier, with the only difference being that it accepts a proof by checking whether \(\mathsf {P}\) has input a valid witness in the OT. A malicious \(\mathsf {P}\) can distinguish between the real protocol and the simulation only by forging Z, for which there is no advantage afforded by adaptive corruptions; a dishonest \(\mathsf {P}\) who is successful in this setting can be used to break authenticity of the garbling scheme just as in the static case.

5 Zero Knowledge in Two Rounds

As discussed in Sect. 4, it seems unlikely that we can do better than three rounds to obtain a zero-knowledge from only one garbled circuit. Therefore, we explore whether we can save on the number of rounds when constructing ZK protocols by allowing multiple garbled circuits. In this section, we adopt a ‘cut-and-choose’ approach in order to construct a GC-based ZK protocol that requires only two rounds.

Our protocol is similar in spirit to the protocol of [42], who extend the technique of “MPC-in-the-head” [45]. The “MPC-in-the-head” is a technique introduced by Ishai et al. that allows a generic transformation of an MPC protocol into a zero-knowledge proof. In [42], the authors extend this idea, and give a generic transformation from a secure two-party computation protocol to a ZK proof.

The protocol is essentially a special case of general cut-and-choose. Since the verifier has no input, we do not have to handle selective failure where the evaluator’s abort could leak a bit of his input, or ensure input consistency of the garbler, again, since the circuit is evaluated on an input entirely known to the garbler. While in [42], the protocol is seen as “2PC-in-the-head”, we cast our protocol as cut-and-choose, and apply a standard transformation based on OT. Loosely speaking, choosing to reveal \(P_1\)’s view in “2PC-in-the-head” in [42] is equivalent to choosing a circuit to be a check circuit in our protocol; and choosing to reveal \(P_2\)’s view corresponds to a circuit being an evaluation circuit. Taking this view, we get a zero-knowledge argument whereas the “2PC-in-the-head” of [42] gives a zero-knowledge proof. We note that we do not need to enforce output recovery when two evaluated circuits result in different outputs. The output recovery mechanism that is used in general 2PC protocols [1, 56,57,58, 61] relies on authenticity property of the underlying garbling scheme. Our protocol can be compiled into a NIZK using standard techniques and transformations.

Next, we note that we can upgrade our argument to a proof following the idea of [42]; we augment our two-round argument with statistically binding commitments to the input GC keys from \(\mathsf {P}\). The inputs of \(\mathsf {P}\) to the OT consist of the openings of all commitments (for a check circuit) as one message, and only the committed keys required to evaluate the GC on the garbled witness as the other message. Notably, the efficient ZK protocols such as those from garbled circuits [48] (including our 3 round construction presented in the previous section), ZKBoo [31], SNARKs and SNARGs are arguments. Our transformation requires public key operations proportional to the witness size alone whereas the best way we can think of for transforming ZKBoo to a proof involves public key operations proportional to the circuit size. For instance, running a 3-out-of-2 OT where the prover feeds three views that it creates ‘in the head’ as the input of the OT sender and the verifier chooses two indices picked uniformly at random indicating the two views to be opened for verification.

Once more, we consider the scenario where a prover \(\mathsf {P}\) would like to prove to a verifier \(\mathsf {V}\) that she knows a witness x for instance z such that \(C (x)=1\), where \(C \) is the circuit implementing the relation R(zx).

5.1 Our Construction

Informally, \(\mathsf {P}\) garbles \(C \) to produce \(\mu \) independent garbled circuits, and sends them to \(\mathsf {V}\), where \(\mu \) is a statistical security parameter. Meanwhile, \(\mathsf {V}\) samples a challenge string \(c\overset{R}{\leftarrow }{{\{0,1\}}^{\mu }} \). The positions at which bit string c is 0 will indicate which circuits \(\mathsf {V}\) would like to verify (check circuits), whereas the positions at which c is 1 indicate which circuits \(\mathsf {V}\) would like to evaluate (evaluation circuits). If all the check circuits are valid, and all the evaluation circuits decode to the correct output, \(\mathsf {V}\) believes that \(\mathsf {P}\) indeed has a witness x for the instance z. \(\mathsf {P}\) would have to correctly guess \(\mathsf {V}\)’s entire challenge string in order to cheat and avoid detection.

Intuitively, \(\mathsf {P}\) constructs \(\mu \) independent garbled circuits of \(C \), and for each instance acts as a sender in the OT protocol with messages corresponding to verification and evaluation information, respectively of the garbled circuit \(\mathbf {C} \), while sending the garbled circuit and decoding information directly to \(\mathsf {V}\) (with the final message of the OT). \(\mathsf {V}\) acts as the receiver in the OT protocol with choice bit \(c_i\) in the \(i^\text {th}\) OT instance. She receives the first message to check or the second message to evaluate a given circuit, as per her challenge. When instantiated with the UC-secure OT in the framework of [65], our protocol requires only 2 rounds. Our 2-round ZK protocol \(\varPi _\mathsf {ZK2} \) is described in Fig. 6. We include a proof that the protocol is UC-secure in the \(\mathcal {F}_{\textsf {OT}}\)-hybrid model in the full version.

Fig. 6.
figure 6

2-round zero-knowledge protocol.

Full size image

The zero knowledge protocol \(\varPi _\mathsf {ZK2} \) is not a zero knowledge proof. It is only an argument. We may obtain a proof using the idea of [42], resulting in a 2-round zero-knowledge proof.

5.2 Our Construction for ZK Proof

The zero knowledge protocol \(\varPi _\mathsf {ZK2} \) is not a zero knowledge proof. It is only an argument. We may obtain a proof using the idea of [42], resulting in a 2-round zero-knowledge proof. We outline the approach below for completeness, and give the complete protocol in the full version. For a legitimately constructed garbled circuit \(\mathbf {C} \) implementing an unsatisfiable circuit (implying there is no witness for the statement), an unbounded \(\mathsf {P}^\star \) can find a set of keys, completely unrelated to the legitimate encoding information \(e \), (say, by breaking the security of the underlying cryptographic primitive used in the garbled circuit) which evaluates \(\mathbf {C} \) to the legitimate key corresponding to one. For instance, by breaking the collision-resistance of the hash function used to garble the gates. With such a circuit, the verification will always pass when legitimate encoding information is passed on. On the other hand, the other set of keys will allow to evaluate to 1 despite the fact that \(C \) is unsatisfiable. \(\mathsf {P}^\star \) can thus convince \(\mathsf {V}\) of a false statement. To prevent \(\mathsf {P}\) from cheating we ensure that the wire labels that it provides for evaluation correspond to the valid encoding information \(e \). This is done by asking \(\mathsf {P}\) to commit to the encoding information in a randomly permuted order. Formally, for circuit i and input wire j, \(\mathsf {P}\) must prepare and send the following commitments where \(e _{ij}\) denotes the encoding information corresponding to jth input wire of the ith circuit:

$$\begin{aligned} (\mathcal {B}_{i j}^0, \mathcal {B}_{i j}^1) = (\mathsf {Com}(\mathsf {En} (b_{ij}, e _{ij})), \mathsf {Com}(\mathsf {En} (1-b_{ij}, e _{ij}))), \text { for } b_{ij} \overset{R}{\leftarrow }{{\{0,1\}}^{}} \end{aligned}$$

The commitment \(\mathsf {Com}\) is statistically binding and computationally hiding commitment scheme ensuring the binding property against an unbounded powerful \(\mathsf {P}^\star \). An ElGamal based commitment scheme suffices for our requirement. \(\mathsf {V}\) checks if the commitments \((\mathcal {B}^0_{ij}, \mathcal {B}^1_{ij})\) opens to legitimate encoding information if the ith circuit is a check circuit. On the other hand, if the ith circuit is an evaluation circuit, then it verifies that every received input wire label is consistent with one of the given commitments. The commitments used as above makes sure that \(\mathsf {V}\) evaluates the evaluation circuits on the legitimate wire labels consistent with \(e \). The cut-and-choose guarantees that correct circuits are used for evaluation.