Abstract
A proof system is publicly verifiable if anyone, by looking at the transcript of the proof, can be convinced that the corresponding theorem is true. Public verifiability is important in many applications since it allows a proof to be computed only once while convincing an unlimited number of verifiers.
Popular interactive proof systems (e.g., \(\varSigma \)-protocols) protect the witness through various properties (e.g., witness indistinguishability (WI) and zero knowledge (ZK)), but typically they are not publicly verifiable, since such proofs are convincing only for those verifiers who contributed to the transcripts of the proofs. The only known proof systems that are publicly verifiable rely on a non-interactive (NI) prover, through trust assumptions (e.g., NIZK in the CRS model), heuristic assumptions (e.g., NIZK in the random oracle model), specific number-theoretic assumptions on bilinear groups, or obfuscation assumptions (obtaining NIWI with no setup).
In this work we construct publicly verifiable witness-indistinguishable proof systems from any \(\varSigma \)-protocol, based only on the existence of a very generic blockchain. The novelty of our approach is in enforcing a non-interactive verification (thus guaranteeing public verifiability) while allowing the prover to be interactive and talk to the blockchain (this allows us to circumvent the need for strong assumptions and setups). This opens interesting directions for the design of cryptographic protocols leveraging blockchain technology.
A. Scafuro—Work supported by NSF grant # 1012798.
L. Siniscalchi and I. Visconti—Research supported in part by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 780477 (project PRIViLEDGE) and in part by “GNCS - INdAM”.
Notes
- 1.
In the remainder of the paper we will omit the adjective “permissionless” since this work focuses on the permissionless setting only.
- 2.
In the introduction we will informally use the word “proof” to refer also to computationally sound proofs [44].
- 3.
Every perfect special honest-verifier zero-knowledge (SHVZK) \(\varSigma \)-protocol is WI [16]. If a \(\varSigma \)-protocol is only computational SHVZK, then it might not enjoy the WI property [11]; however, [25] shows that the OR-composition of computational SHVZK \(\varSigma \)-protocols is WI when all involved instances are true.
- 4.
The actual assumption is a bit different but is essentially captured by the chain quality property and some natural requirements that are seemingly satisfied by known blockchains.
- 5.
We stress that we obtain a random string that is at an unknown position in a vector of \(\left( {\begin{array}{c}K\\ 3\end{array}}\right) \) strings.
- 6.
More specifically, only some specific parts of the blocks are given as input to the randomness extractor.
- 7.
Note that after \(\mathcal {P}\) outputs \(\pi \), the execution of \(\varGamma ^\mathsf {V}_\mathsf {view}(\mathcal {A}, \mathcal {H}, \mathcal {Z}, 1^\lambda )\) could still continue, even though \(\mathsf {st}_\mathcal {P}\) will not change anymore.
- 8.
Note that \(\mathsf {view}_\mathcal {A}\) can contain auxiliary inputs from the execution of \({\varGamma ^\mathsf {V}}(\mathcal {A}, \mathcal {H}, \mathcal {Z}, 1^\lambda )\), which could continue after \(\pi \) is computed.
- 9.
We remark that our results require that Assumption 1 is not violated.
- 10.
q is s.t. \(q \ge n_0(\lambda )\) where \((\mu (\cdot ),n_0(\cdot ))\) are the chain quality parameters of \(\varGamma ^\mathsf {V}\).
- 11.
The hash value of the string \(\varSigma ^1_1||\dots ||\varSigma ^1_\tau \) is computed through a Merkle tree [43]; therefore \(\alpha \) corresponds to the root of a Merkle tree.
- 12.
- 13.
From Assumption 1, it follows that there are at least \(\lambda \) bits of min-entropy in each of the 3 sub-blocks.
- 14.
Again, we are implicitly assuming that a CRHF comes for free from a blockchain.
- 15.
For this construction we require that the messages of \(\varPi _{\varSigma }\) are small enough to be posted in a block of the blockchain.
- 16.
q is s.t. \(q \ge n_0(\lambda )\) where \((\mu (\cdot ),n_0(\cdot ))\) are the chain quality parameters of \(\varGamma ^\mathsf {V}\).
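Footnote 11 above says that the vector of first messages \(\varSigma ^1_1||\dots ||\varSigma ^1_\tau \) is hashed through a Merkle tree, so that \(\alpha \) is a tree root and a single \(\varSigma ^1_i\) can later be opened and checked against \(\alpha \) without revealing the other first messages. The following Python is an added example and not code from the paper: it builds such a commitment with SHA-256 standing in for the paper's generic CRHF \(\mathsf {h}\), opens one position with an authentication path, and verifies the opening. The leaf/node prefixes, the duplicate-last-node padding and all function names are choices made here.

```python
"""Merkle commitment to a vector of Sigma-protocol first messages.
Added example: SHA-256 stands in for the paper's generic CRHF h."""
import hashlib

LEAF, NODE = b"\x00", b"\x01"   # domain separation between leaves and inner nodes


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_tree(leaves):
    """Return (root, levels): levels[0] are the leaf hashes, levels[-1] == [root].
    An odd-length level (other than the root) is padded by duplicating its last node."""
    if not leaves:
        raise ValueError("need at least one leaf")
    level = [_h(LEAF + x) for x in leaves]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return level[0], levels
        level = [_h(NODE + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]


def open_path(levels, index):
    """Authentication path for leaf `index`: list of (sibling_hash, sibling_is_left).
    The left/right flags fix the position, so the path also commits to the index."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling % 2 == 0))
        index //= 2
    return path


def verify_path(root, leaf, path):
    """Recompute the root from one opened leaf and its path; accept iff it matches."""
    node = _h(LEAF + leaf)
    for sibling, sibling_is_left in path:
        node = _h(NODE + sibling + node) if sibling_is_left else _h(NODE + node + sibling)
    return node == root


if __name__ == "__main__":
    # Constructed sample: three first messages of a Sigma-protocol, as bytes.
    first_messages = [b"a_1", b"a_2", b"a_3"]
    alpha, levels = merkle_tree(first_messages)          # alpha = Merkle root
    proof = open_path(levels, 2)                          # open position 3 (0-based 2)
    print(alpha.hex(), verify_path(alpha, b"a_3", proof))
```

One caveat a practitioner should keep in mind with this padding rule: duplicating the last node makes the vectors \((x_1, x_2, x_3)\) and \((x_1, x_2, x_3, x_3)\) produce the same root, so if the number of committed messages matters, commit to \(\tau \) alongside \(\alpha \) (or pad with a distinct constant instead).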
References
Badertscher, C., Garay, J., Maurer, U., Tschudi, D., Zikas, V.: But why does it work? A rational protocol design treatment of bitcoin. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 34–65. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_2
Badertscher, C., Maurer, U., Tschudi, D., Zikas, V.: Bitcoin as a transaction ledger: a composable treatment. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 324–356. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_11
Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, 18–21 May 2014, pp. 459–474. IEEE Computer Society (2014)
Bentov, I., Gabizon, A., Zuckerman, D.: Bitcoin beacon. CoRR abs/1605.04559 (2016). http://arxiv.org/abs/1605.04559
Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_16
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: Simon, J. (ed.) Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pp. 103–112. ACM, New York (1988)
Bonneau, J., Clark, J., Goldfeder, S.: On bitcoin as a public randomness source. IACR Cryptology ePrint Archive 2015, 1015 (2015). http://eprint.iacr.org/2015/1015
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, Las Vegas, Nevada, USA, 14–17 October 2001, pp. 136–145. IEEE Computer Society (2001)
Cardano: https://www.cardano.org/en/home/
Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: Delayed-input non-malleable zero knowledge and multi-party coin tossing in four rounds. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 711–742. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_24
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR-composition of sigma-protocols. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 112–141. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_5
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Online/offline OR composition of sigma protocols. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 63–92. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_3
Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 83–111. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_4
Cramer, R.: Modular design of secure yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam (1996)
Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055745
Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
Damgård, I.: On \(\varSigma \)-protocol (2010). http://www.cs.au.dk/~ivan/Sigma.pdf
Dwork, C., Naor, M.: Zaps and their applications. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000, pp. 283–293 (2000)
Ethereum: https://www.ethereum.org/
Feige, U.: Alternative models for zero knowledge interactive proofs. Ph.D. thesis (1990)
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st Annual Symposium on Foundations of Computer Science, St. Louis, Missouri, USA, 22–24 October 1990, vol. I, pp. 308–317. IEEE Computer Society (1990)
Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_46
Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: Ortiz, H. (ed.) Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pp. 416–426. ACM, New York (1990)
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Garay, J.A., MacKenzie, P., Yang, K.: Strengthening zero-knowledge protocols using signatures. J. Cryptology 19(2), 169–209 (2006)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, 26–29 October 2013, pp. 40–49 (2013)
Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013, pp. 467–476 (2013)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Goyal, R., Goyal, V.: Overcoming cryptographic impossibility results using blockchains. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 529–561. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_18
Groth, J., Ostrovsky, R.: Cryptography in the multi-string model. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 323–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_18
Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_6
Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC Press, Boca Raton (2007)
Kiayias, A., Panagiotakos, G.: Speed-security tradeoffs in blockchain protocols. IACR Cryptology ePrint Archive 2015, 1019 (2015)
Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
Lapidot, D., Shamir, A.: Publicly verifiable non-interactive zero-knowledge proofs. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_26
Li, X.: Three-source extractors for polylogarithmic min-entropy. In: IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, 17–20 October 2015, pp. 863–882 (2015)
Lin, H., Pass, R.: Constant-round non-malleable commitments from any one-way function. In: Fortnow, L., Vadhan, S.P. (eds.) Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, pp. 705–714. ACM, New York (2011)
Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_5
Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10
Lipmaa, H.: Efficient NIZK arguments via parallel verification of benes networks. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 416–434. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_24
Lipmaa, H., Zhang, B.: A more efficient computationally sound non-interactive zero-knowledge shuffle argument. J. Comput. Secur. 21(5), 685–719 (2013)
Maurer, U.: Zero-knowledge proofs of knowledge for group homomorphisms. Des. Codes Crypt. 1–14 (2015). http://dx.doi.org/10.1007/s10623-015-0103-5
Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_32
Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000). https://doi.org/10.1137/S0097539795284959
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008, unpublished)
Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_22
Pass, R., Shi, E.: FruitChains: a fair blockchain. In: Proceedings of the ACM Symposium on Principles of Distributed Computing, PODC 2017, Washington, DC, USA, 25–27 July 2017, pp. 315–324 (2017)
Pass, R., Shi, E.: The sleepy model of consensus. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 380–409. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_14
Ripple: https://ripple.com/
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
A Standard Tools
Definition 9
(One-way function (OWF)). A function \(f: \{0,1\}^* \rightarrow \{0,1\}^*\) is called one way if the following two conditions hold:
-
there exists a deterministic polynomial-time algorithm that on input y in the domain of f outputs f(y);
-
for every ppt algorithm \(\mathcal {A}\) there exists a negligible function \(\nu \), such that for every auxiliary input \(z\in \{0,1\}^{\mathsf {poly}(\lambda )}\):
We also say that an OWF f is a one-way permutation (OWP) if f is a permutation.
Definition 10
(Hash Function [32]). A hash function is a pair of ppt algorithms \(\varPi =(\mathtt {Gen}, H)\) fulfilling the following:
-
\(\mathtt {Gen}\) is a probabilistic algorithm which takes as input a security parameter \(\lambda \) and outputs a key s.
-
There exists \(l=\mathsf {poly}(\lambda )\) such that H is a (deterministic) polynomial-time algorithm that takes as input a key s and any string \(x \in \{0,1\}^*\) and outputs a string \(H(s, x)\in \{0,1\}^{l}\).
Definition 11
(Collision-Resistant Hash Functions (CRHFs) [32]). A hash function \(\varPi =(\mathtt {Gen}, H)\) is collision resistant if for all ppt adversaries \(\mathcal {A}\) there exists a negligible function \(\nu \) such that:
In this paper we denote by \(\mathsf {h}(\cdot )\) a CRHF whose description (i.e., the key s) is publicly available, either in the blockchain protocol or in the genesis block of the blockchain.
Definition 12
(Witness Indistinguishable (WI)). An argument/proof system \(\varPi =(\mathcal {P},\mathcal {V})\) is Witness Indistinguishable (WI) for a relation \({\mathcal {R}}\) if, for every malicious ppt verifier \(\mathcal {V}^*\), there exists a negligible function \(\nu \) such that for all \(x,w,w'\) such that \((x, w)\in {\mathcal {R}}\) and \((x, w')\in {\mathcal {R}}\) it holds that:
The above definition of WI can be generalized to its natural adaptive-input variant, where the adversarial verifier can select the statement and the witnesses adaptively, before the prover plays the last round. We note that [23] proves that WI is preserved under self-concurrent composition, i.e., when multiple instances of \(\varPi \) are played concurrently.
Definition 13
(Proof/argument system). A pair of ppt interactive algorithms \(\varPi =(\mathcal {P},\mathcal {V})\) constitutes a proof system (resp., an argument system) for an \(\mathcal {N}\mathcal {P}\)-language L if the following conditions hold:
-
Completeness: For every \(x\in L\) and w such that \((x,w)\in {\mathcal {R}}_\mathsf {L}\), it holds that:
$$\begin{aligned} \text{ Pr }\left[ \;\langle \mathcal {P}(w), \mathcal {V}\rangle (x) =1\;\right] =1. \end{aligned}$$
-
Soundness: For every interactive (resp., ppt interactive) algorithm \(\mathcal {P}^{\star }\), there exists a negligible function \(\nu \) such that for every \(x \notin L\) and every z:
$$\begin{aligned} \text{ Pr }\left[ \;\langle \mathcal {P}^{\star }(z), \mathcal {V}\rangle (x) =1\;\right] < \nu (|x|). \end{aligned}$$
A proof/argument system \(\varPi =(\mathcal {P},\mathcal {V})\) for an \(\mathcal {N}\mathcal {P}\)-language L, enjoys delayed-input completeness if \(\mathcal {P}\) needs x and w only to compute the last round and \(\mathcal {V}\) needs x only to compute the output. Before that, \(\mathcal {P}\) and \(\mathcal {V}\) run having as input only the size of x. The notion of delayed-input completeness was defined in [12].
An interactive protocol \(\varPi =(\mathcal {P},\mathcal {V})\) is public coin if, at every round, \(\mathcal {V}\) simply tosses a predetermined number of coins (i.e. a random challenge) and sends the outcome to the prover. Moreover we say that the transcript \(\tau \) of an execution \(b=\langle \mathcal {P}(z), \mathcal {V}\rangle (x)\) is accepting if \(b=1\).
A 3-round protocol \(\varPi =(\mathcal {P}, \mathcal {V})\) for a relation \({\mathcal {R}}\) is an interactive protocol played between a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\) on common input x and private input w of \(\mathcal {P}\) s.t. \((x,w)\in {\mathcal {R}}\). In a 3-round protocol the first message \(\mathtt {a}\) and the third message \(\mathtt {z}\) are sent by \(\mathcal {P}\), and the second message \(\mathtt {c}\) is sent by \(\mathcal {V}\). At the end of the protocol \(\mathcal {V}\) decides to accept or reject based on the data it has seen, i.e., \(x, \mathtt {a},\mathtt {c},\mathtt {z}\).
We usually refer to the message \(\mathtt {c}\) sent by \(\mathcal {V}\) as the challenge, and to the number of bits of \(\mathtt {c}\) as the challenge length.
Definition 14
(\(\varSigma \)-Protocol). A 3-round public-coin protocol \(\varPi =(\mathcal {P}, \mathcal {V})\) for a relation \({\mathcal {R}}\) is a \(\varSigma \)-Protocol if the following properties hold:
-
Completeness: if \((\mathcal {P}, \mathcal {V})\) follow the protocol on input x and private input w to \(\mathcal {P}\) s.t. \((x,w)\in {\mathcal {R}}\), \(\mathcal {V}\) always accepts.
-
Special soundness: there exists a polynomial-time algorithm that, for any pair of accepting transcripts on input x, \((\mathtt {a},\mathtt {c_1},\mathtt {z_1})\) and \((\mathtt {a},\mathtt {c_2},\mathtt {z_2})\) with \(\mathtt {c_1}\ne \mathtt {c_2}\), outputs a witness w such that \((x,w)\in {\mathcal {R}}\).
-
Special Honest-Verifier Zero-Knowledge (SHVZK): there exists a ppt simulator algorithm \(\mathsf {S}\) that, for any \(x\in L\), security parameter \(\lambda \) and any challenge \(\mathtt {c}\), works as follows: \(( \mathtt {a},\mathtt {z}) \leftarrow \mathsf {S}(1^\lambda , x,\mathtt {c})\). Furthermore, the distribution of the output of \(\mathsf {S}\) is computationally indistinguishable from the distribution of a transcript obtained when \(\mathcal {V}\) sends \(\mathtt {c}\) as challenge and \(\mathcal {P}\) runs on common input x and any w such that \((x,w)\in {\mathcal {R}}\).
Definition 15
A perfect \(\varSigma \)-Protocol is a \(\varSigma \)-Protocol that satisfies a stronger SHVZK requirement, namely:
Perfect Special Honest-Verifier Zero-Knowledge: there exists a ppt simulator algorithm \(\mathsf {S}\) that, for any \(x\in L\), security parameter \(\lambda \) and any challenge \(\mathtt {c}\), works as follows: \(( \mathtt {a},\mathtt {z}) \leftarrow \mathsf {S}(1^\lambda , x,\mathtt {c})\). Furthermore, the distribution of the output of \(\mathsf {S}\) is perfectly indistinguishable from the distribution of a transcript obtained when \(\mathcal {V}\) sends \(\mathtt {c}\) as challenge and \(\mathcal {P}\) runs on common input x and any w such that \((x,w)\in {\mathcal {R}}\).
Theorem 3
[16]. Every perfect \(\varSigma \)-protocol is perfect WI.
Theorem 4
[25]. The OR-composition of \(\varSigma \)-Protocols is WI.
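Definition 14 and Theorems 3 and 4 made executable, as an added example that is not code from the paper: Schnorr's protocol for knowledge of a discrete logarithm (Schnorr, CRYPTO 1989, in the references), with completeness, the special-soundness extractor that recovers w from two accepting transcripts sharing \(\mathtt {a}\), the SHVZK simulator, and the OR-composition of Cramer, Damgård and Schoenmakers (CRYPTO 1994, in the references), in which the simulator produces the branch whose witness the prover does not have. The group (p = 1019, q = 509, g = 4), the challenge space \(\mathbb {Z}_q\) and all function names are choices made here for readability; with such a small q a single run has soundness error 1/q.

```python
"""Schnorr Sigma-protocol (knowledge of w with h = g^w mod p) and its
OR-composition. Added example; toy parameters chosen here, not by the paper."""
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime, g = 4 of prime order q.
# Challenge space Z_q gives soundness error 1/q per run; a real deployment
# uses a 2048-bit MODP group or an elliptic curve with a ~256-bit q.
P, Q, G = 1019, 509, 4


def keygen(w=None):
    """Witness w and statement h = g^w mod p."""
    w = secrets.randbelow(Q) if w is None else w % Q
    return w, pow(G, w, P)


def commit():
    """Prover's first message a = g^r mod p; returns (r, a)."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def respond(w, r, c):
    """Prover's third message z = r + c*w mod q for challenge c."""
    return (r + c * w) % Q


def verify(h, a, c, z):
    """Verifier accepts iff g^z == a * h^c (mod p)."""
    return pow(G, z, P) == (a * pow(h, c, P)) % P


def extract(c1, z1, c2, z2):
    """Special soundness: two accepting transcripts sharing a, with c1 != c2,
    give w = (z1 - z2) * (c1 - c2)^-1 mod q."""
    if c1 % Q == c2 % Q:
        raise ValueError("challenges must differ")
    return ((z1 - z2) * pow(c1 - c2, -1, Q)) % Q


def simulate(h, c):
    """SHVZK simulator: pick z first, then a = g^z * h^(-c) so verify() accepts."""
    z = secrets.randbelow(Q)
    return (pow(G, z, P) * pow(h, (-c) % Q, P)) % P, z


def or_commit(hs, b):
    """OR-prover with a witness for hs[b]: honest commitment on branch b,
    simulated transcript under a self-chosen challenge on branch 1-b."""
    r, a_real = commit()
    c_fake = secrets.randbelow(Q)
    a_fake, z_fake = simulate(hs[1 - b], c_fake)
    a = [a_real, a_fake] if b == 0 else [a_fake, a_real]
    return (r, c_fake, z_fake), a


def or_respond(b, w, state, c):
    """Split the verifier's challenge as c = c0 + c1 mod q; the prover is only
    forced on c_b = c - c_fake, which it can answer because it knows w."""
    r, c_fake, z_fake = state
    c_real = (c - c_fake) % Q
    z_real = respond(w, r, c_real)
    cs = [c_real, c_fake] if b == 0 else [c_fake, c_real]
    zs = [z_real, z_fake] if b == 0 else [z_fake, z_real]
    return cs, zs


def or_verify(hs, a, c, cs, zs):
    """Both branches must verify and the sub-challenges must add up to c."""
    return (cs[0] + cs[1]) % Q == c % Q and all(
        verify(hs[i], a[i], cs[i], zs[i]) for i in range(2))


def or_prove(hs, b, w):
    """One OR-proof run against a fresh random challenge; returns the verdict."""
    state, a = or_commit(hs, b)
    c = secrets.randbelow(Q)
    cs, zs = or_respond(b, w, state, c)
    return or_verify(hs, a, c, cs, zs)


def demo():
    """Completeness, special soundness (by rewinding), SHVZK and an OR-proof."""
    w, h = keygen()
    r, a = commit()
    c = secrets.randbelow(Q)
    z = respond(w, r, c)
    accepted = verify(h, a, c, z)
    c2 = (c + 1) % Q                           # rewind: same a, new challenge
    extracted = extract(c, z, c2, respond(w, r, c2)) == w
    a_sim, z_sim = simulate(h, c)
    simulated = verify(h, a_sim, c, z_sim)     # accepting transcript, no w used
    w1, h1 = keygen()
    _, h0 = keygen()                           # nobody here knows log_g(h0)
    return accepted, extracted, simulated, or_prove([h0, h1], 1, w1)
```

Calling `demo()` returns four booleans, all True. The rewinding in `demo()` is exactly what the special-soundness extractor of Definition 14 needs: the same first message \(\mathtt {a}\) answered under two different challenges. The OR-proof verifies whether the prover runs with `b = 0` or `b = 1`, and in both cases the transcript \((\mathtt {a}, \mathtt {c}, (c_0, c_1, z_0, z_1))\) consists of one honest and one simulated Schnorr transcript with the same distribution, which is the intuition behind Theorem 4; the code only sanity-checks acceptance, it does not prove indistinguishability.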
Definition 16
A delayed-input 3-round system \(\varPi =(\mathcal {P}, \mathcal {V})\) for relation \({\mathcal {R}}\) enjoys adaptive-input special soundness if there exists a polynomial-time algorithm \(\mathtt {Ext}\) that, for any pair of accepting transcripts \((\mathtt {a},\mathtt {c_1},\mathtt {z_1})\) for input \(x_1\) and \((\mathtt {a},\mathtt {c_2},\mathtt {z_2})\) for input \(x_2\) with \(\mathtt {c_1}\ne \mathtt {c_2}\), outputs witnesses \(w_1\) and \(w_2\) such that \((x_1,w_1)\in {\mathcal {R}}\) and \((x_2,w_2)\in {\mathcal {R}}\).
Definition 17
(Proof of Knowledge [37]). A complete protocol \(\varPi =(\mathcal {P}, \mathcal {V})\) is a proof of knowledge (PoK) for the relation \({\mathcal {R}}_\mathsf {L}\) if there exists a probabilistic expected polynomial-time machine \(\mathtt {Ext}\), called the extractor, such that for every algorithm \(\mathcal {P}^\star \) there exists a negligible function \(\nu \) such that for every statement \(x\in \{0,1\}^\lambda \), every randomness \(r\in \{0,1\}^\star \) and every auxiliary input \(z\in \{0,1\}^\star \):
We also say that an argument system \(\varPi \) is an argument of knowledge (AoK) if the above condition holds w.r.t. any ppt \(\mathcal {P}^\star \).
In this paper we also consider the adaptive-input PoK/AoK property for all the protocols that enjoy delayed-input completeness. Adaptive-input PoK/AoK ensures that the PoK/AoK property still holds when a malicious prover can choose the statement adaptively at the last round.
Definition 18
Let X, Y be two random variables that take values in V (i.e., V is the union of the supports of X and Y). The statistical distance between X and Y is defined as follows:
Definition 19
(s-Source Extractor [36]). A function \(\mathsf {E}_{n, \lambda }:\{\{0,1\}^n\}^s\rightarrow \{0,1\}^m\) is an extractor for independent \((n, \lambda )\) sources that uses s sources and outputs m bits with error \(\epsilon \) if, for any s independent \((n, \lambda )\) sources \(X_1, X_2,\dots , X_s\), we have that
where \(| \cdot |\) denotes the statistical distance.
The author of [36] gave a construction of a 3-source extractor, with parameters \(\lambda \ge \log ^{12} n\), \(m=0.9\lambda \) and \(\epsilon =2^{-\lambda ^{\omega (1)}}\).
Copyright information
© 2019 International Association for Cryptologic Research
Cite this paper
Scafuro, A., Siniscalchi, L., Visconti, I. (2019). Publicly Verifiable Proofs from Blockchains. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11442. Springer, Cham. https://doi.org/10.1007/978-3-030-17253-4_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17252-7
Online ISBN: 978-3-030-17253-4