Advertisement

Publicly Verifiable Proofs from Blockchains

  • Alessandra Scafuro
  • Luisa SiniscalchiEmail author
  • Ivan Visconti
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11442)

Abstract

A proof system is publicly verifiable, if anyone, by looking at the transcript of the proof, can be convinced that the corresponding theorem is true. Public verifiability is important in many applications since it allows to compute a proof only once while convincing an unlimited number of verifiers.

Popular interactive proof systems (e.g., \(\varSigma \)-protocols) protect the witness through various properties (e.g., witness indistinguishability (WI) and zero knowledge (ZK)) but typically they are not publicly verifiable since such proofs are convincing only for those verifiers who contributed to the transcripts of the proofs. The only known proof systems that are publicly verifiable rely on a non-interactive (NI) prover, through trust assumptions (e.g., NIZK in the CRS model), heuristic assumptions (e.g., NIZK in the random oracle model), specific number-theoretic assumptions on bilinear groups or relying on obfuscation assumptions (obtaining NIWI with no setups).

In this work we construct publicly verifiable witness-indistinguishable proof systems from any \(\varSigma \)-protocol, based only on the existence of a very generic blockchain. The novelty of our approach is in enforcing a non-interactive verification (thus guaranteeing public verifiability) while allowing the prover to be interactive and talk to the blockchain (this allows us to circumvent the need of strong assumptions and setups). This opens interesting directions for the design of cryptographic protocols leveraging on blockchain technology.

References

  1. 1.
    Badertscher, C., Garay, J., Maurer, U., Tschudi, D., Zikas, V.: But why does it work? A rational protocol design treatment of bitcoin. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 34–65. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78375-8_2CrossRefGoogle Scholar
  2. 2.
    Badertscher, C., Maurer, U., Tschudi, D., Zikas, V.: Bitcoin as a transaction ledger: a composable treatment. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 324–356. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63688-7_11CrossRefGoogle Scholar
  3. 3.
    Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, 18–21 May 2014, pp. 459–474. IEEE Computer Society (2014)Google Scholar
  4. 4.
    Bentov, I., Gabizon, A., Zuckerman, D.: Bitcoin beacon. CoRR abs/1605.04559 (2016). http://arxiv.org/abs/1605.04559
  5. 5.
    Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46497-7_16CrossRefzbMATHGoogle Scholar
  6. 6.
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: Simon, J. (ed.) Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pp. 103–112. ACM, New York (1988)Google Scholar
  7. 7.
    Bonneau, J., Clark, J., Goldfeder, S.: On bitcoin as a public randomness source. IACR Cryptology ePrint Archive 2015, 1015 (2015). http://eprint.iacr.org/2015/1015
  8. 8.
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, Las Vegas, Nevada, USA, 14–17 October 2001, pp. 136–145. IEEE Computer Society (2001)Google Scholar
  9. 9.
  10. 10.
    Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: Delayed-input non-malleable zero knowledge and multi-party coin tossing in four rounds. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 711–742. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70500-2_24CrossRefGoogle Scholar
  11. 11.
    Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR-composition of sigma-protocols. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 112–141. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49099-0_5CrossRefzbMATHGoogle Scholar
  12. 12.
    Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Online/offline OR composition of sigma protocols. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 63–92. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49896-5_3CrossRefGoogle Scholar
  13. 13.
    Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 83–111. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49099-0_4CrossRefzbMATHGoogle Scholar
  14. 14.
    Cramer, R.: Modular design of secure yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam (1996)Google Scholar
  15. 15.
    Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0055745CrossRefGoogle Scholar
  16. 16.
    Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48658-5_19CrossRefGoogle Scholar
  17. 17.
    Damgård, I.: On \(\varSigma \)-protocol (2010). http://www.cs.au.dk/~ivan/Sigma.pdf
  18. 18.
    Dwork, C., Naor, M.: Zaps and their applications. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000, pp. 283–293 (2000)Google Scholar
  19. 19.
  20. 20.
    Feige, U.: Alternative models for zero knowledge interactive proofs. Master’s thesis (1990). Ph.D. thesisGoogle Scholar
  21. 21.
    Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st Annual Symposium on Foundations of Computer Science, St. Louis, Missouri, USA, 22–24 October 1990, vol. I, pp. 308–317. IEEE Computer Society (1990)Google Scholar
  22. 22.
    Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, New York (1990).  https://doi.org/10.1007/0-387-34805-0_46CrossRefGoogle Scholar
  23. 23.
    Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: Ortiz, H. (ed.) Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pp. 416–426. ACM, New York (1990)Google Scholar
  24. 24.
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46803-6_10CrossRefGoogle Scholar
  25. 25.
    Garay, J.A., MacKenzie, P., Yang, K.: Strengthening zero-knowledge protocols using signatures. J. Cryptology 19(2), 169–209 (2006)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, 26–29 October 2013, pp. 40–49 (2013)Google Scholar
  27. 27.
    Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013, pp. 467–476 (2013)Google Scholar
  28. 28.
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Goyal, R., Goyal, V.: Overcoming cryptographic impossibility results using blockchains. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 529–561. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70500-2_18CrossRefGoogle Scholar
  30. 30.
    Groth, J., Ostrovsky, R.: Cryptography in the multi-string model. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 323–341. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74143-5_18CrossRefzbMATHGoogle Scholar
  31. 31.
    Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006).  https://doi.org/10.1007/11818175_6CrossRefGoogle Scholar
  32. 32.
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC Press, Boca Raton (2007)CrossRefGoogle Scholar
  33. 33.
    Kiayias, A., Panagiotakos, G.: Speed-security tradeoffs in blockchain protocols. IACR Cryptology ePrint Archive 2015, 1019 (2015)Google Scholar
  34. 34.
    Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63688-7_12CrossRefGoogle Scholar
  35. 35.
    Lapidot, D., Shamir, A.: Publicly verifiable non-interactive zero-knowledge proofs. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991).  https://doi.org/10.1007/3-540-38424-3_26CrossRefGoogle Scholar
  36. 36.
    Li, X.: Three-source extractors for polylogarithmic min-entropy. In: IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, 17–20 October 2015, pp. 863–882 (2015)Google Scholar
  37. 37.
    Lin, H., Pass, R.: Constant-round non-malleable commitments from any one-way function. In: Fortnow, L., Vadhan, S.P. (eds.) Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, pp. 705–714. ACM, New York (2011)Google Scholar
  38. 38.
    Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46494-6_5CrossRefGoogle Scholar
  39. 39.
    Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-28914-9_10CrossRefGoogle Scholar
  40. 40.
    Lipmaa, H.: Efficient NIZK arguments via parallel verification of benes networks. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 416–434. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-10879-7_24CrossRefzbMATHGoogle Scholar
  41. 41.
    Lipmaa, H., Zhang, B.: A more efficient computationally sound non-interactive zero-knowledge shuffle argument. J. Comput. Secur. 21(5), 685–719 (2013)CrossRefGoogle Scholar
  42. 42.
    Maurer, U.: Zero-knowledge proofs of knowledge for group homomorphisms. Des. Codes Crypt. 1–14 (2015). http://dx.doi.org/10.1007/s10623-015-0103-5
  43. 43.
    Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988).  https://doi.org/10.1007/3-540-48184-2_32CrossRefGoogle Scholar
  44. 44.
    Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000).  https://doi.org/10.1137/S0097539795284959MathSciNetCrossRefzbMATHGoogle Scholar
  45. 45.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008, unpublished)Google Scholar
  46. 46.
    Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_22CrossRefzbMATHGoogle Scholar
  47. 47.
    Pass, R., Shi, E.: FruitChains: a fair blockchain. In: Proceedings of the ACM Symposium on Principles of Distributed Computing, PODC 2017, Washington, DC, USA, 25–27 July 2017, pp. 315–324 (2017)Google Scholar
  48. 48.
    Pass, R., Shi, E.: The sleepy model of consensus. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 380–409. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_14CrossRefGoogle Scholar
  49. 49.
  50. 50.
    Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990).  https://doi.org/10.1007/0-387-34805-0_22CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Alessandra Scafuro
    • 1
  • Luisa Siniscalchi
    • 2
    Email author
  • Ivan Visconti
    • 2
  1. 1.NCSURaleighUSA
  2. 2.DIEMUniversity of SalernoFiscianoItaly

Personalised recommendations