Single-to-Multi-theorem Transformations for Non-interactive Statistical Zero-Knowledge

Fischlin, Marc; Rohrbach, Felix

doi:10.1007/978-3-030-75248-4_8

Marc Fischlin⁹ &
Felix Rohrbach⁹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12711))

Included in the following conference series:

IACR International Conference on Public-Key Cryptography

1201 Accesses
3 Citations

Abstract

Non-interactive zero-knowledge proofs or arguments allow a prover to show validity of a statement without further interaction. For non-trivial statements such protocols require a setup assumption in form of a common random or reference string (CRS). Generally, the CRS can only be used for one statement (single-theorem zero-knowledge) such that a fresh CRS would need to be generated for each proof. Fortunately, Feige, Lapidot and Shamir (FOCS 1990) presented a transformation for any non-interactive zero-knowledge proof system that allows the CRS to be reused any polynomial number of times (multi-theorem zero-knowledge). This FLS transformation, however, is only known to work for either computational zero-knowledge or requires a structured, non-uniform common reference string.

In this paper we present FLS-like transformations that work for non-interactive statistical zero-knowledge arguments in the common random string model. They allow to go from single-theorem to multi-theorem zero-knowledge and also preserve soundness, for both properties in the adaptive and non-adaptive case. Our first transformation is based on the general assumption that one-way permutations exist, while our second transformation uses lattice-based assumptions. Additionally, we define different possible soundness notions for non-interactive arguments and discuss their relationships.

You have full access to this open access chapter, Download conference paper PDF

Multi-Theorem Fiat-Shamir Transform from Correlation-Intractable Hash Functions

Generalized Special-Sound Interactive Proofs and Their Knowledge Soundness

Zero-Knowledge Protocols for Search Problems

Keywords

1 Introduction

In a non-interactive proof for a language $\mathcal {L}$ the prover $\textsf {P}$ shows validity of some theorem $x\in \mathcal {L}$ via a proof $\pi $ based on a common string $\text {crs}$ chosen by some external setup procedure. The common requirements are completeness—that the honest prover is able to convince the verifier $\textsf {V}$ for true statements $x$—and soundness—that the verifier will not accept false statements $x\notin \mathcal {L}$ from malicious provers. Blum et al. [5] showed that such non-interactive proofs can also be zero-knowledge [22], saying that a simulator can create a proof $\pi $ on behalf of $\textsf {P}$ if it has the ability to place some trapdoor information in $\text {crs}$.

1.1 Flavors of Non-interactive Zero-Knowledge

Non-interactive zero-knowledge protocols come in many variations:

If the prover is computationally unbounded then one speaks of a NIZK proof system whereas in arguments or argument systems the prover runs in polynomial time [8].
Zero-knowledge may be computational (NICZK) or statistical (NISZK) or even perfect (NIPZK). Note that non-interactive statistical (or perfect) zero-knowledge for $\mathsf {NP}$ requires that the prover is computationally bounded, unless the polynomial hierarchy collapses [31].
The common string $\text {crs}$ may be uniformly distributed over all bit strings of a certain length, in which case one speaks of the common random string or, less frequently, of the uniform reference string model. In any other case the string may have more structure and one calls it a common reference string or, sometimes, also public parameter model. In this work, we will focus on the case where the $\text {crs}$ is uniformly distributed.

Another important aspect is the question of when malicious parties choose their challenge statement $x$. Both zero-knowledge and soundness come in an adaptive and in a non-adaptive version. The adaptive versions say that the adversary may choose the statement $x$ after having seen the common reference string. For zero-knowledge this means that the simulator must prepare $\text {crs}$ independently of $x$ and then find a valid proof $\pi $ after learning a maliciously chosen $x\in \mathcal {L}$. Adaptive soundness says that the malicious prover $\textsf {P}^*$ first receives $\text {crs}$ and then tries to find a false statement $x\notin \mathcal {L}$ with a convincing proof $\pi $.

Remarkably, for soundness one usually merely distinguishes between non-adaptive and adaptive notions. But there are also different ways how to capture the fact that a malicious prover $\textsf {P}^*$ needs to succeed for an invalid statement $x\notin \mathcal {L}$. Either one assumes that the prover only outputs invalid statements, thus excluding some adversaries, or one penalizes the prover and declares it to lose if it chooses some $x\in \mathcal {L}$.^{Footnote 1} The penalizing definition implies the exclusive one. We note that Arte and Bellare [3], in a concurrent work, have proposed a similar distinction between exclusive and penalizing soundness.

Both notions, exclusive and penalizing soundness, already appeared implicitly in the literature, e.g., the work by Blum et al. [7] gives both an adaptive and a non-adaptive soundness definition in the exclusive setting. Indeed, non-adaptive soundness in the literature is often cast in this style. In contrast, for adaptive soundness nowadays one often encounters the penalizing variant. It seems, however, that the adaptive/exclusive version is already sufficient for many applications, e.g., to build universally composable NIZK protocols [26]. We discuss this in more detail in Sect. 3 when defining the different versions.

1.2 From Single-theorem to Multi-theorem Proofs

In this work we focus on another important property of NIZK, namely, if the $\text {crs}$ can be used only once (bounded or single-theorem) or is applicable for many proofs (unbounded or multi-theorem). The latter is of course preferable, and indeed Feige et al. [17, 18] show how to generally turn single-theorem NICZK proofs and arguments into multi-theorem zero-knowledge protocols. We call this the FLS-transformation.

The idea of the FLS-transformation is to augment the common random string by an extra uniformly distributed portion $\text {crs}^\text {aux}$ and let the prover for this $\mathsf {NP}$-language show that “$x\in \mathcal {L}$ or $\text {crs}^\text {aux}$ is the output of a pseudorandom generator”. This allows the simulator to create this part $\text {crs}^\text {aux}$ pseudorandomly and use the generator’s seed as a witness for simulating the or-proof. If the original proof is zero-knowledge, then it is also witness indistinguishable [19], and then one cannot distinguish or-proofs generated by the genuine prover with the witness for $x$ from proofs created by the simulator with the witness for $\text {crs}^\text {aux}$.

Soundness, on the other hand, is not affected because a random string $\text {crs}^\text {aux}$ is not pseudorandom, except with exponentially small probability. Hence, for invalid $x$ the “or” of the statements $x\notin \mathcal {L}$ or “$\text {crs}^\text {aux}$ is pseudorandom” would not be satisfied either with overwhelming probability. This implies that a prover would still need to break soundness of the or-protocol.

The FLS-transformation, per se, is only known to work for non-interactive computational zero-knowledge. The reason is that the pseudorandom string $\text {crs}^\text {aux}$ of the zero-knowledge simulator is only computationally indistinguishable from a truly random string. There exists a folklore “dual version” of the FLS-transformation for non-interactive perfect (and therefore also statistical) zero-knowledge, where the $\text {crs}$ contains a pseudorandom value by construction. But this transformation requires a structured, non-uniformly chosen $\text {crs}$, whereas we are interested in the setting of common random strings. For completeness, we provide a formal description of that folklore result along our terminology in the eprint version [20].

It is thus unclear if the FLS-transformation can be used equally smoothly for statistical zero-knowledge in the common random string model. For example, Peikert and Shiehian [32] recently presented a statistical zero-knowledge argument for $\mathsf {NP}$ based on LWE in the common random string model, which is only zero-knowledge for a single theorem. They therefore asked whether there is an FLS-like transformation to achieve multi-theorem zero-knowledge in the statistical case.

1.3 Known NISZK Constructions

There are only a few known constructions of NISZK and NIPZK protocols for the general class $\mathsf {NP}$. Groth et al. [25, 26] were the first to give a NIPZK argument for $\mathsf {NP}$ based on specific number-theoretic constructions over bilinear groups. Their protocol achieves multi-theorem adaptive zero-knowledge, but only non-adaptive/exclusive soundness (although this can be extended to some limited form of adaptive soundness, called adaptive culpable soundness). It is cast in the common reference string model.

Abe and Fehr [1] later showed how to achieve NIPZK arguments for $\mathsf {NP}$ under some form of the knowledge-of-exponent assumption. Their protocol achieves adaptive multi-theorem zero-knowledge and is adaptively sound (in the penalizing setting). This protocol is again in the common reference string model.

Sahai and Waters [34] show how to build NIPZK arguments for $\mathsf {NP}$ based on indistinguishability obfuscation and one-way functions. Their solution is adaptive multi-theorem zero-knowledge and non-adaptively/exclusively sound. It is designed in the common reference string model.

Peikert and Shiehian [32] constructed NISZK arguments for $\mathsf {NP}$ based on the LWE assumption. Their construction is based on the NIZK framework of Canetti et al. [9, 10] as well as Holmgren and Lombardi [27] which, among others, constructs a non-adaptively/exclusively sound NISZK argument for $\mathsf {NP}$ in the common random string model. Their protocol is adaptively zero-knowledge for single theorems. The instantiation of Peikert and Shiehian [32] uses the LWE assumption to implement the primitives and inherits the characteristics of the solutions in [9, 10, 27].

An interesting observation, based on [11, Footnote 13], is that one should be able to show adaptive soundness for the constructions in [9] when using the exclusive notion. Noteworthy, Canetti et al. [11] merely claim non-adaptive soundness, because for the adaptive version they switch to the penalizing variant. They detail why this notion cannot be achieved with the current construction, and the point touches precisely the difference between penalizing and exclusive soundness. Reverting to adaptive/exclusive soundness, the construction may satisfy this weaker level. This gives the interesting twist that the solution by Peikert and Shiehian [32] may already be adaptively/exclusively sound, such that our transformation lifts it from single-theorem to multi-theorem (adaptive) zero-knowledge.

Libert et al. [29] recently showed how to build designated-verifier statistical zero-knowledge arguments based on the (kernel) k-linear assumption, and how this construction can also be turned into a public verifiable NISZK argument. Their public verifiable construction achieves multi-theorem zero-knowledge and non-adaptive/exclusive soundness in the common reference string model.

In another work, Libert et al. [28] achieve multi-theorem zero-knowledge in the common random string model. Their protocol provides non-adaptive/non-uniform soundness, i.e., where one quantifies over all inputs $x\notin \mathcal {L}$ and the $\text {crs}$ is chosen as part of the experiment. We will later argue that in the non-adaptive case this notion is equivalent to non-adaptive/exclusive and to non-adaptive/penalizing soundness for non-uniform provers (Fig. 1).

1.4 Our Results

In this work we show multiple FLS-SZK-transformations which preserve statistical zero-knowledge. Moreover, they allow to preserve non-adaptive or adaptive zero-knowledge and also inherit the adaptive security of soundness (in the exclusive variant). In detail, we show:

For statistical zero-knowledge we show how to transform any single-theorem zero-knowledge NISZK argument for $\mathsf {NP}$-languages into one which is a multi-theorem zero-knowledge NISZK argument in the common random string model. This requires only the existence of one-way permutations^{Footnote 2}.
For perfect zero-knowledge we show that our transformation can be augmented to preserve perfect zero-knowledge. This, however, comes at the cost of having a zero-knowledge simulator which runs in expected polynomial-time.
Finally, we show that we can build a transformation for statistical zero-knowledge from the Learning with Errors (LWE) assumption in the common random string model. This transformation, in contrast to the construction by Libert et al. [28], even works for adaptively sound NISZK arguments. This fits in nicely with the recent construction of statistical zero-knowledge arguments based on LWE [32].
Additionally, we define and discuss the different soundness properties for non-interactive arguments and analyze their relationship. In particular, we show that in the non-adaptive case, the notions of exclusive, penalizing, and non-uniform soundness are all equivalent when considering non-uniform provers.

Our techniques for the constructions based on general assumptions uses a “dual” version of the original FLS-transformation. That is, instead of building the or-language for $\text {crs}^\text {aux}$ being pseudorandom, we use that $\text {crs}^\text {aux}$ is not pseudorandom. Since this is in general a $\textsf {co}\mathsf {NP}$-language we need to make sure that it is also in $\mathsf {NP}$. We achieve this by using the Blum-Micali-Yao pseudorandom generator [6, 35] based on one-way permutations and hardcore bits, which lies in $\mathsf {NP}\cap \textsf {co}\mathsf {NP}$. Soundness for our dual FLS-transformation then follows since we can let the malicious prover run on a pseudorandom string $\text {crs}^\text {aux}$ instead, since this is indistinguishable for the efficient prover in an argument. Then the or of the two statements, $x\in \mathcal {L}$ or $\text {crs}^\text {aux}$ is not pseudorandom, is again not satisfied.

The construction based on LWE is inspired by a primitive called dual-mode commitment scheme, i.e., a commitment which can be either perfectly-binding or statistically-hiding, based on the choice of how to generate the public key. The public keys for both modes are computationally indistinguishable. We note that the usefulness of such dual-mode commitments for non-interactive zero-knowledge is well known, starting with the work by Groth et al. [25] where this technique was called parameter switching, to recent efforts like the construction of Libert et al. [29]. Most times, however, the solutions work over certain structures and yield arguments in the common reference string model.

Here, we use a construction of Gorbunov et al. [23] to build these dual-mode commitments where the (statistically-hiding) public key and a commitment can be chosen as uniform bit strings. As in the FLS-transformation we extend the CRS by a public key string $\text {pk}$ and a random commitment string c and extend the language to “$x\in \mathcal {L}$ or c is a commitment to 1”. For the simulator, we choose our public key to be statistically-hiding. In our construction, a statistically-hiding public key will be statistically close to a uniformly random string and indeed generate a commitment to the value 1.

However, for the soundness game we exchange the public key $\text {pk}$ for a perfectly-binding one and change the commitment to 0, thereby forcing the malicious prover to prove $x$ to be in $\mathcal {L}$. We emphasize that we only switch between these modes and merely require computational indistinguishability of the different types of public keys. In particular, we do not need to rely on the SIS assumption as considered in [23] but, as pointed out in [13], the LWE assumption suffices. Indeed, one could directly use Regev’s LWE encryption scheme [33] which also supports a statistically-hiding, lossy mode.

1.5 Squeezing in into Possibility and Impossibility Results

There are some known impossibility results for statistical and perfect zero-knowledge arguments. Strictly speaking, these results do not infringe with our results here, since we show how to transform statistical zero-knowledge arguments (from single to multiple theorems) but do not give constructions. Still, one may wonder if the combination of our transformations with the impossibility results have any implications on potential constructions.

Abe and Fehr [1] were the first to show that NISZK arguments cannot be proven to be adaptively sound via so-called direct black-box reductions, unless the language is in $\textsf {P}/\text {poly}$. One property which such direct reductions has is that one can use an efficient alternative to the crs generator which in addition outputs the simulator’s trapdoor information (property II.(b) in [1]). Our construction, however, bypasses this property because for the soundness proof it generates a bad $\text {crs}$ which does not have a trapdoor. In this sense, our technique indicates that the notion of direct black-box reductions may be too restrictive.

Pass [30], using similar ideas and techniques as [1], shows that adaptive statistical and perfect zero-knowledge arguments with adaptive soundness cannot be based on hard primitives via black-box reductions. How does the result of Pass [30] match our results? First we remark that our NIPZK is indeed adaptively sound and adaptively zero-knowledge. But the simulator only runs in polynomial time averaged over its internal randomness. Such simulators escape the results in [30].

Yet, the most striking difference between the results in [1, 30] and our transformations lies in the distinct notions of adaptive soundness. We show that our transformations preserve adaptive/exclusive soundness. Opposite to that, the impossibility results of [1, 30] rely on the ability of the malicious prover to occasionally output theorems $x\in \mathcal {L}$. Put differently, they rule out the stronger form of adaptive/penalizing sound arguments, whereas we argue that adaptive/exclusive soundness is preserved. As remarked above, however, adaptive/exclusive sound arguments may still be sufficient for applications.

1.6 Concurrent Work

As mentioned earlier, Arte and Bellare [3] have touched upon the issue of different soundness notions in non-interactive proofs as well. Their starting point are dual-mode systems in which the common reference string can be generated in two modes, and in how far such systems allow for transference of security properties in the different modes. Our work instead focuses on the transformations for multi-theorem statistical zero-knowledge arguments.

Arte and Bellare define notions of penalizing and exclusive soundness, called SND-P and SND-E, with which our adaptive notions for soundness coincide (for efficient provers).^{Footnote 3} Remarkably, they show a separating example of their exclusive and penalizing soundness notion in the adaptive case, under the decisional Diffie-Hellman assumption. This example applies to our notions in the adaptive setting as well. We complement this result by showing that the notions are equivalent in the non-adaptive case, assuming non-uniform provers.

Another notably difference between the two works lies in the applications of the different soundness notions. Arte and Bellare discuss the example of the Bellare-Goldwasser signature scheme where penalizing soundness is required and exclusive soundness is insufficient. We argue along the implication of culpability that exclusive soundness may suffice in many settings.

2 Preliminaries

An $\mathsf {NP}$-relation $\mathcal {R}$ consists of pairs $(x,\omega )$ of theorems and witnesses where the length of witness is polynomially bounded in the length of the theorem, and where one can efficiently decide membership. More formally, there exists a polynomial-time Turing machine $M_\mathcal {R}$ and a polynomial $p_\mathcal {R}$ such that

The induced language $\mathcal {L}_{\mathcal {R}}$ is given by

2.1 Non-interactive Arguments

A non-interactive argument or proof system for an $\mathsf {NP}$-relation is now a protocol in which the setup algorithm $\textsf {Setup}$ generates a common string $\text {crs}$ which the prover $\textsf {P}$ then uses to generate a proof $\pi $ for the input $(x,\omega )$. The verifier $\textsf {V}$ then checks this proof against $\text {crs}$ and $x$ only. There are some length restrictions, of course, namely that the length of the theorem $x$ determines the length of the common string. In particular, we assume that there is a polynomial $p_\textsf {Setup}$ such that for any . Let and denote the restriction of inputs of the relation and language with length $|x|=n$ such that the length of the common string for such inputs is given by $p_\textsf {Setup}(n)$. Note that the verifier can easily check that $|x|$ matches the security parameter $n$ such that we can assume that this is always the case.

We note that the string $\text {crs}$ generated by $\textsf {Setup}$ may be uniformly distributed, in which case we speak of a common random string. It may have a different distribution, in which case we call it a common reference string. In particular, we see a common random string as a special case of a common reference string.

The usual completeness notion of non-interactive arguments and proofs asks that the verifier $\textsf {V}$ accepts genuine proofs $\pi $ generated by the prover $\textsf {P}$ for input $x\in \mathcal {L}_{\mathcal {R}}$. Soundness, on the hand, demands that the verifier does not accept false proofs generated by a malicious prover $\textsf {P}^*$ for inputs $x\notin \mathcal {L}_{\mathcal {R}}$. As explained in the introduction there are various possibilities to define soundness, which we will discuss in Sect. 3, and just use one example of the possible definitions here.

Definition 1 (Non-interactive Argument)

A non-interactive argument for an $\mathsf {NP}$-relation $\mathcal {R}$ (in the common reference string model) is a triple of probabilistic polynomial-time algorithms ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ satisfying the completeness and soundness condition:

(Perfect) Completeness: For every $n\in \mathbb {N}$, every $(x,\omega )\in \mathcal {R}(1^n)$, every , every we have that $\textsf {V}(1^n,x,\pi ,\text {crs})=1$ with probability 1.
(Non-adaptive/Exclusive) Soundness: For every (possibly malicious) probabilistic polynomial-time prover $\textsf {P}^*$ outputting only $x\notin \mathcal {L}_{\mathcal {R}}$ there exists a negligible function $\epsilon (n)$ such that for every $n\in \mathbb {N}$ we have
where the probability is over , , as well as , and $\textsf {V}$’s randomness.

We say that the argument is in the common random string model if $\textsf {Setup}(n)$ outputs uniformly distributed strings over for every $n\in \mathbb {N}$.

2.2 Zero-knowledge

We next define zero-knowledge with the usual notion of a simulator $\textsf {ZKSim}$. In the non-interactive setting this algorithm has the advantage to choose the common string $\text {crs}$ to simulate proofs. In the bounded case the distinguisher only gets to see a single proof for a chosen theorem, where the proof is either genuine or fabricated by the simulator. We simultaneously define the single-theorem and multi-theorem case where the distinguisher learns one or many (genuine or simulated) proofs. We first define both cases in the adaptive setting where the distinguisher selects the theorems in dependence of the common string and of previous proofs and in the non-adaptive case where the distinguisher chooses the statement(s) in advance. We stress that we are interested in statistical zero-knowledge here such that the distinguisher is unbounded, except that it can only ask for polynomially many proofs. We also allow the simulator to run in expected polynomial time in specially marked cases.

Definition 2 (Statistical and Perfect Zero Knowledge)

Let $\mathcal {R}$ be an $\mathsf {NP}$-relation and let ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ be a non-interactive argument for $\mathcal {R}$. The argument is zero-knowledge if it satisfies one of the following properties:

Non-adaptive Multi-theorem Zero-knowledge: For any unbounded algorithm $\textsf {D}$ there exists a probabilistic algorithm $\textsf {ZKSim}$, the simulator, running in (expected) polynomial time, such that the advantage
$$ \mathsf {Adv}_{{\varPi },\textsf {ZKSim},\textsf {D}}^{\text {naSZK}}(1^n) := \Pr \left[ \mathsf {Expt}_{{\varPi },\textsf {ZKSim},\textsf {D}}^{\text {naSZK}}(1^n) = 1 \right] -\frac{1}{2} $$
is negligible for polynomially bounded $\mathsf {q}$, where experiment $\mathsf {Expt}_{{\varPi },\textsf {ZKSim},\textsf {D}}^{\text {naSZK}}(1^n)$ is defined in Fig. 2. If the advantage of any such $\textsf {D}$ is always 0 then the argument is called perfect zero-knowledge.
Adaptive Multi-theorem Zero Knowledge: For any unbounded algorithm $\textsf {D}$ there exists a probabilistic algorithm $\textsf {ZKSim}$, the simulator, running in (expected) polynomial time, such that the advantage
$$ \mathsf {Adv}_{{\varPi },\textsf {ZKSim},\textsf {D}}^{\text {aSZK}}(1^n) := \Pr \left[ \mathsf {Expt}_{{\varPi },\textsf {ZKSim},\textsf {D}}^{\text {aSZK}}(1^n) = 1 \right] -\frac{1}{2} $$
is negligible for polynomially bounded $\mathsf {q}$, where experiment $\mathsf {Expt}_{{\varPi },\textsf {ZKSim},\textsf {D}}^{\text {aSZK}}(1^n)$ is defined in Fig. 2. If the advantage of any such $\textsf {D}$ is always 0 then the argument is called perfect zero-knowledge.

The argument is single-theorem zero-knowledge of the corresponding type if the property holds for $\mathsf {q}=1$.

Definition 3 (Statistical Witness Indistinguishability)

Let $\mathcal {R}$ be an $\mathsf {NP}$-relation. A non-interactive argument ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ for $\mathcal {R}$ is called statistical witness indistinguishable (NISWI) if it satisfies one of the following properties:

Non-adaptive Multi-theorem Witness Indistinguishability: For any unbounded algorithm $\textsf {D}$ the advantage
$$ \mathsf {Adv}_{{\varPi },\textsf {D}}^{\text {naSWI}}(1^n) := \Pr \left[ \mathsf {Expt}_{{\varPi },\textsf {D}}^{\text {naSWI}}(1^n) = 1 \right] -\frac{1}{2} $$
is negligible for polynomially bounded $\mathsf {q}$, where the experiment $\mathsf {Expt}_{{\varPi },\textsf {D}}^{\text {naSWI}}(1^n)$ is defined in Fig. 3. If the advantage of any such $\textsf {D}$ is always 0 then the argument is called perfect witness indistinguishable.
Adaptive Multi-theorem Witness Indistinguishability: For any unbounded algorithm $\textsf {D}$ the advantage
$$ \mathsf {Adv}_{{\varPi },\textsf {D}}^{\text {aSWI}}(1^n) := \Pr \left[ \mathsf {Expt}_{{\varPi },\textsf {D}}^{\text {aSWI}}(1^n) = 1 \right] -\frac{1}{2} $$
is negligible for polynomially bounded $\mathsf {q}$, where the experiment $\mathsf {Expt}_{{\varPi },\textsf {D}}^{\text {aSWI}}(1^n)$ is defined in Fig. 3. If the advantage of any such $\textsf {D}$ is always 0 then the argument is called perfect witness indistinguishable.

The argument is single-theorem witness indistinguishable of the corresponding type if the property holds for $\mathsf {q}=1$.

2.3 From Single-Theorem Zero-Knowledge to Multi-Theorem Witness Indistinguishability

We repeat here the well known fact that zero-knowledge implies witness indistinguishability, and that witness indistinguishability is closed under repetitions [19]. We state the results here for sake of completeness and according to our terminology in the statistical setting.

Lemma 1

Any adaptive resp. non-adaptive single-theorem NISZK argument is also an adaptive resp. non-adaptive single-theorem NISWI argument.

Proof (Sketch)

We only argue the adaptive case; the non-adaptive case follows analogously. We can perform a game hop starting with the witness-indistinguishability experiment $\mathsf {Expt}_{{\varPi },\textsf {D}}^{\text {aSWI}}(1^n)$. In this hop we replace the CRS and both proofs $\pi _0$ and $\pi _1$ in each iteration by simulated ones, all created by the simulator $\textsf {ZKSim}$ without knowledge of the witnesses $\omega _0$ and $\omega _1$ but using the same trapdoor. Note that we can view the proofs in the WI experiment as two sequentially requested proofs in the ZK experiment, such that the SZK property ensures that this hop is statistically indistinguishable. (In the non-adaptive case we would split each entry $(x_i,\omega _{i,0},\omega _{i,1})$ in $\textsf {D}$’s initial choice into two entries $(x_i,\omega _{i,0})$ and $(x,\omega _{i,1})$.)

But now both proofs $\pi _0$ and $\pi _1$ are created without the specific witness, and since the simulator does not update its state for giving proofs, the order in which the proofs are computed is irrelevant. In this case the bit b is perfectly hidden from the distinguisher such that the advantage in predicting b is 0. $\square $

Lemma 2

Any adaptive resp. non-adaptive single-theorem NISWI argument is also an adaptive resp. non-adaptive multi-theorem NISWI argument.

Proof (Sketch)

We again only discuss the adaptive case since the non-adaptive case follows analogously. The proof follows by a hybrid argument. For this we reduce the multi-theorem distinguisher $\textsf {D}$ to a bounded one $\textsf {D}_1$ which only makes one query. Let $\mathsf {Q}(n)$ be a polynomial upper bound on the number of queries $\mathsf {q}$ which $\textsf {D}$ makes. The bounded distinguisher $\textsf {D}_1$ initially picks an index and then internally runs in the first stage (Line 5) the distinguisher $\textsf {D}$ up to the i-th query $(\text {st}_\textsf {D},x,\omega _0,\omega _1)$. All requested proofs up to this step are computed internally by $\textsf {D}_1$ via $\textsf {P}$ and the left witness, and returned to $\textsf {D}$. The i-th query is then computed externally, and $\textsf {D}_1$ then hands the proof back to $\textsf {D}$. In the final steps till halting, $\textsf {D}_1$ computes the remaining proofs for $\omega _1$, and eventually returns $\textsf {D}$’s decision bit d unchanged.

It can be shown that the advantage of the bounded distinguisher $\textsf {D}_1$ is at most a factor $\mathsf {Q}(n)$ larger than the one of $\textsf {D}$. Since $\mathsf {Q}(n)$ is polynomial, the difference is negligible. $\square $

3 Soundness of Non-interactive Arguments

Soundness of a non-interactive argument assures that a (computationally-bound) malicious prover is unable to convince the verifier of a false statement. Commonly, soundness is defined in two variants: Adaptive soundness, with allows the (possibly malicious) prover $\textsf {P}^*$ to chose the statement to prove $x$ before seeing the common random string $\text {crs}$, and non-adaptive soundness, in which the prover $\textsf {P}^*$ has to decide on the statement $x$ before the common random string $\text {crs}$ is generated.

Remarkably, there is another dimension of definitional choice for soundness which often goes unnoticed in the literature. This dimension refers to the question how we measure success of the malicious prover. Clearly, the malicious prover should not make the verifier accept for a statement $x$ not in the language. But there are two possibilities to capture the non-membership requirement. One is to disallow $\textsf {P}^*$ to output $x\in \mathcal {L}$ at all. The other one is to declare $\textsf {P}^*$ to lose if it picks $x\in \mathcal {L}$. Following the work of Bellare et al. [4] about the question how to deal with inadmissible decryption queries in CCA-secure encryption schemes, we call the former stipulation of $\textsf {P}^*$ outputting only $x\notin \mathcal {L}$ exclusive, because it excludes certain adversaries. The latter is called penalizing as it punishes $\textsf {P}^*$ if it chooses $x\in \mathcal {L}$.

3.1 Soundness Definitions

In total, we define five soundness notions: adaptive vs. non-adaptive, and exclusive vs. penalizing, as well as a non-uniform variant that only exists for the non-adaptive case. We typically speak of non-adaptive/exclusive and adaptive/penalizing soundness etc. to distinguish the different types. Figure 4 provides an overview. It is also easy to see that adaptive soundness implies non-adaptive soundness in both settings, and penalizing soundness implies exclusive soundness in any of the other dimensions. The latter is easy to see because any malicious prover $\textsf {P}^*$ breaking exclusive soundness must output $x\notin \mathcal {L}$ such that this prover also satisfies the winning condition in the penalizing setting. In this chapter, we highlight the further connections between these definitions and their implications.

The difference between exclusive and penalizing soundness may appear to be insignificant. Indeed, for non-interactive proofs it is folklore to show that the weakest one of the five notions, non-adaptive/exclusive soundness, implies the strongest one, adaptive/penalizing soundness. See for instance [21]. This may explain why today’s literature mostly distinguishes between the (exclusive) non-adaptive notion and the (penalizing) adaptive notion. An exception is the seminal paper by Blum et al. [7] which defines the adaptive version according to the exclusive dimension (without using our terminology here, of course). We emphasize, however, that the equivalence of all notions is not known to hold for non-interactive arguments.

Is a more fine-grained distinction between exclusive and penalizing soundness in arguments necessary? We argue that it is. Roughly, the difference is that in the exclusive case the malicious prover (and any other party) knows that its output is not in the language, in the penalizing case even the prover may itself be oblivious about this. This is an important ingredient in Pass’ impossibility result to build adaptive sound and adaptive statistical zero-knowledge arguments based on black-box reductions [30]. The result crucially relies on the malicious prover choosing a (random or pseudorandom) statement for which it does not know the status. In other words, this impossibility results rules out the strongest form of adaptive/penalizing soundness.

We next argue that the weaker form of adaptive/exclusive soundness is very relevant. It is easy to see that this notion implies a slightly weaker notion of adaptive/culpable soundness [26]. This notion is similar to our definition of adaptive/exclusive soundness, but also requires the malicious prover to output an efficiently verifiable witness (denoted $\omega _\text {guilt}$ in [26]) that the statement $x$ is not in the language $\mathcal {L}$. Our exclusive notion asks $\textsf {P}^*$ to output $x\notin \mathcal {L}$. We prove the implication that adaptive/exclusive yields adaptive/culpable soundness formally in Sect. 3.3.

The noteworthy fact is that adaptive/culpable soundness suffices for many applications. One of the most important ones is the possibility to derive universally composable NIZK argument [26]. Other applications include correctness proofs for shuffles [14, 15, 24] or for e-voting [12]. Since adaptive/exclusive soundness implies adaptive/culpable soundness, any protocol satisfying the exclusive notion is also applicable in such settings.

We can now define arguments with the different soundness properties:

Definition 4 (Soundness of non-interactive Arguments)

A non-interactive argument for an $\mathsf {NP}$-relation $\mathcal {R}$ (in the common reference string model) is a triple of probabilistic polynomial-time algorithms ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ satisfying the completeness as well as at least one of the soundness conditions:

Non-adaptive/Exclusive Soundness: For every (possibly malicious) probabilistic polynomial-time prover $\textsf {P}^*$ outputting only $x\notin \mathcal {L}_{\mathcal {R}}$ there exists a negligible function $\epsilon (n)$ such that for every $n\in \mathbb {N}$ we have
where the probability is over , , as well as , and $\textsf {V}$’s randomness.
Non-adaptive/Penalizing Soundness: For every (possibly malicious) probabilistic polynomial-time prover $\textsf {P}^*$ there exists a negligible function $\epsilon (n)$ such that for every $n\in \mathbb {N}$ we have
where the probability is over , , as well as , and $\textsf {V}$’s randomness.
Adaptive/Exclusive Soundness: For every (possibly malicious) probabilistic polynomial-time prover $\textsf {P}^*$ outputting only $x\notin \mathcal {L}_{\mathcal {R}}$ there exists a negligible function $\epsilon (n)$ such that for every $n\in \mathbb {N}$ we have
where the probability is over , , and $\textsf {V}$’s randomness.
Adaptive/Penalizing Soundness: For every (possibly malicious) probabilistic polynomial-time prover $\textsf {P}^*$ there exists a negligible function $\epsilon (n)$ such that for every $n\in \mathbb {N}$ we have
where the probability is over , , and $\textsf {V}$’s randomness.
Non-adaptive/Non-uniform Soundness: For every (possibly malicious) probabilistic polynomial-time prover $\textsf {P}^*$ there exists a negligible function $\epsilon (n)$ such that for every $n\in \mathbb {N}$ and every $x\not \in \mathcal {L}_{\mathcal {R}}$ with $|x|=n$, we have
where the probability is over , and , and $\textsf {V}$’s randomness.

3.2 Equivalence of the Non-adaptive Soundness Notions

We now show that the non-adaptive soundness definitions are all equivalent if we allow the malicious provers to be non-uniform:

Theorem 1

For non-uniform (malicious) provers, a non-interactive argument ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ has non-adaptive/exclusive soundness iff it has non-adaptive/non-uniform soundness, and has non-adaptive/non-uniform soundness iff it has non-adaptive/penalizing soundness.

Proof

Non-adaptive/exclusive soundness follows directly from non-adaptive/penalizing soundness, therefore we only show that non-adaptive/non-uniform soundness follows from non-adaptive/exclusive soundness and that non-adaptive/penalizing soundness follows from non-adaptive/non-uniform soundness.

We start by showing non-adaptive/non-uniform soundness follows from non-adaptive/exclusive soundness. Let ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ be the non-interactive argument in question. Assume that there exists a successful malicious prover $\textsf {P}^*_{na/nu}$ against the non-adaptive/non-uniform soundness, i.e., for any negligible function $\epsilon (n)$ there exists an $x\notin \mathcal {L}$ such that

where the probability is over , as well as $P^*_{na/nu}$’s and $\textsf {V}$’s randomness. We can now construct a malicious prover $\textsf {P}^*_{na/ex}$ against non-adaptive/exclusive soundness as follows: We define the first-stage algorithm $\textsf {P}^*_{na/ex,1}(1^n)$ to choose $x\notin \mathcal {L}$ of length $n$ non-uniformly, such that $P^*_{na/nu}$’s success probability is maximized. The state $\text {st}$ is left empty. Further, the second-stage algorithm $\textsf {P}^*_{na/ex,2}$ merely calls $\textsf {P}^*_{na/nu}$ internally, ignoring the state $\text {st}$. Then, the success probability of $\textsf {P}^*_{na/ex}$ is at least as large as the one of $\textsf {P}^*_{na/nu}$ and thus non-negligible.

Next, we show that non-adaptive/penalizing soundness follows from non-adaptive/non-uniform soundness. Assume that there exists a successful malicious prover $\textsf {P}^*_{na/pn}$ against the non-adaptive/penalizing soundness, i.e., for any negligible function $\epsilon $ there exists an $n\in \mathbb {N}$ such that

where the probability is over , , as well as $\textsf {V}$’s internal randomness.

We can now construct a malicious prover $\textsf {P}^*_{na/nu}$ against non-adaptive/non-uniform soundness as follows: For each input length $n$, we fix the pair $(\bar{x},\bar{\text {st}})$, $\bar{x}\in \{0,1\}^n, \bar{x}\notin \mathcal {L}$, on which $\textsf {P}^*_{na/pn,2}$’s success probability is maximized (we bound the length of $\bar{\text {st}}$ by $\textsf {P}^*_{na/pn,1}$’s running time). Next we define $\textsf {P}^*_{na/nu}$ as follows: On input $x$, $\textsf {P}^*_{na/nu}$ checks whether $x$ equals $\bar{x}$, and if that is the case, it internally calls $\textsf {P}^*_{na/pn,2}(crs,\bar{x},\bar{\text {st}})$ to generate a proof. Otherwise, $\textsf {P}^*_{na/nu}$ returns an empty proof. Note that we use the non-uniformity to save the sequence of $(\bar{x},\bar{\text {st}})$ for each input length. It is again easy to see that this prover is indeed a successful malicious prover against non-adaptive/non-uniform soundness. $\square $

For adaptive soundness, Arte and Bellare [3] showed that there exists a protocol that provides adaptive/exclusive soundness but not adaptive/penalizing soundness. This indicates that a NISZK protocol with adaptive/exclusive soundness might indeed be achievable, compared to one with adaptive/penalizing soundness, for which Pass [30] showed a black-box impossibility result.

3.3 Exclusive Soundness Implies Culpable Soundness

In this section we show that adaptive/exclusive soundness implies the notion of adaptive/culpable soundness of [26]. We first recall the definition of culpable soundness (according to our terminology). For an $\mathsf {NP}$-relation $\mathcal {R}$ let $\mathcal {R}_{\text {guilt}}$ be an $\mathsf {NP}$-relation for the complement of $\mathcal {L}_{\mathcal {R}}$, i.e., $x\notin \mathcal {L}_{\mathcal {R}}$ means that there is a polynomial size $\omega _\text {guilt}$ such that $(x,\omega _{\text {guilt}})\in \mathcal {R}_{\text {guilt}}$. Note that the relation $\mathcal {R}_{\text {guilt}}$ is efficiently verifiable as an $\mathsf {NP}$-relation (and $\mathcal {L}_{\mathcal {R}}$ is therefore in $\textsf {co}$-$\mathsf {NP}$).

Definition 5 (Adaptive/Culpable Soundness)

A non-interactive argument $(\textsf {Setup},\textsf {P},\textsf {V})$ for an $\mathsf {NP}$-relation $\mathcal {R}$ (in the common reference string model) has adaptive culpable soundness if for any PPT algorithm $\textsf {P}^*_\text {culp}$ there exists a negligible function $\epsilon $ such that

where the probability is over , , and $\textsf {V}$’s internal randomness.

Proposition 1

A non-interactive argument $(\textsf {Setup},\textsf {P},\textsf {V})$ for an $\mathsf {NP}$-relation $\mathcal {R}$ (in the common reference string model) which has a corresponding relation $\mathcal {R}_{\text {guilt}}$ and is adaptive/exclusive sound is also adaptive/culpable sound.

Proof

Assume that we have a successful prover $\textsf {P}^*_\text {culp}$ against culpable soundness. We construct a malicious prover $\textsf {P}^*_\text {ex}$ against exclusive soundness as follows. $\textsf {P}^*_\text {ex}$ receives as input $\text {crs}$ and forwards this to $\textsf {P}^*_\text {culp}$ which, then, outputs $(x,\pi ,\omega _\text {guilt})$. Our prover $\textsf {P}^*_\text {ex}$ checks in polynomial time if $(x,\omega _\text {guilt})\in \mathcal {R}_\text {guilt}$. If not it immediately outputs $\bot $, else it returns $(x,\pi )$.

Note that since we interpret outputs $\bot $ as $\bot \notin \mathcal {L}_{\mathcal {R}}$ our prover $\textsf {P}^*_\text {ex}$ only outputs values not in the language. It is thus an admissible attacker against exclusive soundness. Furthermore, $\textsf {P}^*_\text {culp}$ can only win for $x\notin \mathcal {L}_{\mathcal {R}}$ such that only outputting $(x,\pi )$ for those $x$ cannot decrease the success probability. This yields that $\textsf {P}^*_\text {ex}$ has the same success probability as $\textsf {P}^*_\text {culp}$. $\square $

4 Constructions Based on General Assumptions

4.1 Multi-theorem NISZK Based on One-Way Permutations

Our approach uses the same idea as in [17] of having $\text {crs}^\text {aux}$, but we apply it in a dual way. That is, we use a language saying that $\text {crs}^\text {aux}$ is not pseudorandom. Since this is in general a $\textsf {co}\mathsf {NP}$-relation we use the Blum-Micali-Yao [6, 35] generator for one-way permutations,

$$\begin{aligned} G(s)=f^{|s|}(s)\Vert {{\,\mathrm{hb}\,}}(s)\Vert {{\,\mathrm{hb}\,}}(f(s))\Vert \dots \Vert {{\,\mathrm{hb}\,}}(f^{|s|-1}(x)) , \end{aligned}$$

where s is the seed of length $|s|=n$, $f$ is a one-way permutation, $f^i(s)$ the i-fold iteration of $f$ for input s, and ${{\,\mathrm{hb}\,}}$ is a hardcore bit for $f$. Proving that a string $\text {crs}^\text {aux}$ is not in the range of $G$ is easy if one presents the unique seed s such that the first bits are equal to $f^{|s|}(s)$ and that the remaining bits are not the hardcore bits.

For our simulator we can thus generate a perfectly distributed common random string by picking s randomly, computing $G(s)$, and randomly flipping the hardcore bits:

$$\begin{aligned} \text {crs}^\text {aux}\leftarrow G(s) \oplus 0^{|s|}\Vert t \end{aligned}$$

where each bit in $t=t_1\Vert \dots \Vert t_{|s|}$ is chosen uniformly and independently. Unless all $t_i$’s are 0 —which happens with probability $2^{-|s|}$— this gives the simulator a witness for $\text {crs}^\text {aux}$ not being pseudorandom in form of s, t. If $t=0^{|s|}$ the we let the simulator abort. This unlikely event of all $t_i$’s being 0 causes our simulator to be statistical zero-knowledge instead of being perfect zero-knowledge.

For the malicious prover in the soundness game we will hand over a pseudorandom string $G(s)$ instead of a truly random one. For the bounded prover this is computationally indistinguishable. But then the prover does not have a witness for the or-part and would thus need to break soundness of the other protocol part for $x\notin \mathcal {L}_{\mathcal {R}}$. This step preserves any exclusive soundness notion but not penalizing soundness, because we need to be able to detect diverging success behavior of the prover in the two cases (which we may not necessarily be able to in the penalizing setting since we cannot check if $x$ is in the language or not).

Below we formally define the augmented language $\mathcal {L}_{\mathcal {R}}^{\text {or}}$ as

and the corresponding relation $\mathcal {R}{}^{\text {or}}$ accordingly. Note that this is an $\mathsf {NP}$-relation such that, if we have any single-theorem statistical NIZK for general $\mathsf {NP}$-relations, then we also have an multi-theorem statistical witness-indistinguishable argument for this relation $\mathcal {R}^{\text {or}}$.

For pseudorandomness of $G$ we consider for any probabilistic polynomial-time algorithm $\mathcal {D}$ the probability that $\mathcal {D}(1^n,y_{b'})=b'$ where the probability is taken over , $y_0\leftarrow G(s)$ for , . Let $\mathsf {Adv}_{G,\textsf {D}}^{\text {PRG}}(1^n) := \Pr \left[ \mathcal {D}(1^n,y_{b'})=b' \right] -\frac{1}{2}$ be $\mathcal {D}$’s advantage. We say that $G$ is a pseudorandom generator if for any probabilistic polynomial-time algorithm $\mathcal {D}$ this advantage is negligible. Note that the Blum-Micali-Yao generator based on a one-way permutation $f$ achieves this property.

Construction 2

(SZK-FLS-Transformation). Let $\mathcal {R}$ be an $\mathsf {NP}$-relation. Let $f$ be a one-way permutation and ${\varPi }^{\text {or}}=(\textsf {Setup}^{\text {or}},\textsf {P}^{\text {or}},\textsf {V}^{\text {or}})$ be a multi-theorem non-interactive statistical witness-indistinguishable argument for the $\mathsf {NP}$-relation $\mathcal {R}^{\text {or}}$. We construct a multi-theorem non-interactive statistical zero knowledge argument ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ for $\mathcal {R}$ as follows (see also Fig. 5):

CRS: We define the sampling algorithm $\textsf {Setup}(1^n)$ for the common random string $\text {crs}$ for our construction as
$$\begin{aligned} \textsf {Setup}(1^n)=\textsf {Setup}^{\text {or}}(1^n)\Vert U_{2n}, \end{aligned}$$
where $U_{2n}$ is the uniform distribution on all 2n-bit strings.
Prover: The prover $\textsf {P}$, receiving $1^n$, $\text {crs}=\text {crs}^{\text {or}}||\text {crs}^\text {aux}$, $x$ and $\omega $ (for $\mathcal {R}$) as input, uses $(x,\text {crs}^\text {aux})$ and $\omega $ for the augmented relation $\mathcal {R}^{\text {or}}$ and computes a witness-indistinguishable proof $\pi ^{\text {or}}$ for this $\mathsf {NP}$-relation using the string $\text {crs}^{\text {or}}$.
Verifier: The verifier $\textsf {V}$ receives $1^n$, $\text {crs}=\text {crs}^{\text {or}}\Vert \text {crs}^\text {aux}$, $x$, and a proof $\pi ^{\text {or}}$ for $\mathcal {R}^{\text {or}}$. The verifier accepts iff $\textsf {V}^{\text {or}}(1^n,(x,\text {crs}^\text {aux}),\pi ^{\text {or}},\text {crs}^{\text {or}})$ accepts.

Theorem 3

Let $\mathcal {R}$ be an $\mathsf {NP}$-relation. Assuming that ${\varPi }^{\text {or}}=(\textsf {Setup}^{\text {or}},\textsf {P}^{\text {or}},\textsf {V}^{\text {or}})$ is a non-interactive statistical single-theorem zero-knowledge argument for $\mathcal {R}^{\text {or}}$ and that $f$ is a one-way permutation, the non-interactive argument system ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ in Construction 2 is a multi-theorem statistical zero-knowledge argument. Furthermore, if the underlying protocol ${\varPi }^{\text {or}}$ is (non-adaptively resp. adaptively) exclusively sound, then so is the derived protocol ${\varPi }$; if ${\varPi }^{\text {or}}$ is adaptive resp. non-adaptive zero-knowledge, then so is ${\varPi }$.

Proof

(Perfect) Completeness: Note that the verifier $\textsf {V}$ accepts a genuine proof for original data and $x\in \mathcal {L}_{\mathcal {R}}$ if and only if $\textsf {V}^{\text {or}}$ accepts $\pi ^{\text {or}}$ for $(x,\text {crs}^\text {aux})$ under $\text {crs}^{\text {or}}$. The latter is always true since $x\in \mathcal {L}_{\mathcal {R}}$ such that the pair $(x,\text {crs}^\text {aux})$ of the or-relation is also in $\mathcal {L}_{\mathcal {R}}^{\text {or}}$, the output of $\textsf {P}$ is given by the output of $\textsf {P}^{\text {or}}$ for valid input, and the verifier $\textsf {V}^{\text {or}}$ accepts genuine proofs of $\textsf {P}^{\text {or}}$.

Non-adaptive/Exclusive Soundness: Assume that ${\varPi }^{\text {or}}$ is non-adaptively/exclusively sound. Our argument to show that ${\varPi }$, too, has this property is as follows. We will first substitute the “real” common random string by one in which the augmented component $\text {crs}^\text {aux}$ is always in the range of the pseudorandom generator $G$. This will be indistinguishable for the bounded prover $\textsf {P}^*$ such that $\textsf {P}^*$ outputs a valid proof with roughly equal probability for pseudorandom $G$. In this step we exploit the property of non-adaptive/exclusive soundness that $x\notin \mathcal {L}_{\mathcal {R}}$ is chosen before $\text {crs}$. But then the or-language does not have a witness for either part, such that the malicious prover would have to break (non-adaptive) exclusive soundness of the protocol for $\mathcal {R}^{\text {or}}$.

More formally, let $\text {crs}$ be a CRS generated as described above and $\text {crs}_G$ an artificial CRS generated as

$$\begin{aligned} \text {crs}_G\leftarrow \textsf {Setup}^{\text {or}}(1^n)||G(s), \end{aligned}$$

where s is chosen uniformly from $\{0,1\}^n$. In a first game hop we argue that a successful malicious prover $\textsf {P}^*$ for such a CRS is almost as successful as for a genuine one, that is,

are negligibly close, where the probability is over , and and $\textsf {V}$’s randomness in the first case, and accordingly over , , and $\textsf {V}$’s randomness in the second case.

We show the indistinguishability by defining a distinguisher $\mathcal {D}$ against the pseudorandom generator $G$. For security parameter $n$ the distinguisher receives a string $y\in \{0,1\}^{2n}$ as input, either picked uniformly at random, or being the output of the pseudorandom generator. The distinguisher then invokes the prover and verifier to decide:

We claim that the distinguishing advantage bounds the difference between the two games, where $\mathsf {G}_{0}$ is the original soundness game (with output 1 indicating that $\textsf {P}^*$ has won) and $\mathsf {G}_{1}$ describes the game where we use the artificial string $\text {crs}_G$ instead. Since the two games correspond syntactically to the cases that the distinguisher receives a random y resp. a pseudorandom y we get:

Next we turn the malicious prover $\textsf {P}^*$ in $\mathsf {G}_{1}$ against non-adaptive/exclusive soundness against the unbounded scheme ${\varPi }$ into one of the same type for the augmented scheme ${\varPi }^{\text {or}}$. Note that we are guaranteed that $\textsf {P}^*$ always outputs $x\notin \mathcal {L}_{\mathcal {R}}$ by assumption. Our prover $\textsf {P}^*_\text {or}$ against ${\varPi }^{\text {or}}$ works as follows:

We first observe that, if $\textsf {P}^*$ always outputs $x\notin \mathcal {L}_{\mathcal {R}}$, then our prover $\textsf {P}^*_\text {or}$ always outputs $(x,\text {crs}^\text {aux})\notin \mathcal {L}_{\mathcal {R}}^{\text {or}}$. This holds as the string $\text {crs}^\text {aux}$ is pseudorandom such that neither condition of the or-language is satisfied. In addition, $\textsf {P}^*_\text {or}$ is efficient. Hence, $\textsf {P}^*_\text {or}$ is also an admissible attacker against non-adaptive/exclusive soundness, this time against $\mathcal {L}_{\mathcal {R}}^{\text {or}}$.

We conclude that, by the soundness of ${\varPi }^{\text {or}}$, the success probability of prover $\textsf {P}^*_\text {or}$ must be negligible. But because $\textsf {P}^*_\text {or}$ has the same success probability as $\textsf {P}^*$ in $\mathsf {G}_{1}$ it follows that the winning probability of $\textsf {P}^*$ in $\mathsf {G}_{1}$ must also be negligible. Since this success probability is negligibly close to the one of $\textsf {P}^*$ in $\mathsf {G}_{0}$ by the pseudorandomness of $G$, we derive that $\textsf {P}^*$ success probability against our derived protocol ${\varPi }$ must be negligible.

Adaptive/Exclusive Soundness: The proof in the adaptive case follows exactly as in the non-adaptive case. Only this time $\textsf {P}^*$ chooses $x\notin \mathcal {L}_{\mathcal {R}}$ after seeing $\text {crs}$. But both the distinguisher $\mathcal {D}$ against the pseudorandomness $\mathcal {D}$, as well as the prover $\textsf {P}^*_\text {or}$ against soundness, can assemble the common random string before $\textsf {P}^*$ selects $x$. It follows as before that the probability of $\textsf {P}_\text {or}^*$ against adaptive/exclusive soundness of ${\varPi }^{\text {or}}$ and thus the one of $\textsf {P}^*$ against ${\varPi }$ must be negligible.

Zero Knowledge: The simulator $\textsf {ZKSim}$ works as follows: On input $1^n$ it first generates $\text {crs}=\text {crs}^{\text {or}}||\text {crs}^\text {aux}$, where and $\text {crs}^\text {aux}$ is sampled as

$$\begin{aligned} \text {crs}^\text {aux}\leftarrow G(s)\oplus 0^{|s|}\Vert t \end{aligned}$$

for s, t chosen uniformly from $\{0,1\}^n$. Note that since $f$ is a permutation this CRS has the same distribution as a truly random string. If $t=0^{|s|}$ then the simulator immediately aborts. Else it outputs $\text {crs}$ as the common random string and (s, t) as state $\text {st}_\textsf {ZKSim}$. When receiving a (valid) theorem $x\in \mathcal {L}_{\mathcal {R}}$ the simulator runs the prover $\textsf {P}^{\text {or}}$ for $\mathcal {R}^{\text {or}}$ on input $1^n,(x,\text {crs}^\text {aux}),\text {crs}^{\text {or}}$ and witness (s, t) to generate a proof $\pi ^{\text {or}}$. The state remains unchanged.

By assumption, ${\varPi }^{\text {or}}$ is single-theorem statistical zero knowledge (either adaptively or non-adaptively secure). Further, by Lemma 1 it is single-theorem statistical witness indistinguishable, and by Lemma 2 also multi-theorem statistical witness indistinguishable for the same level of adaptiveness. Therefore, whenever $\textsf {ZKSim}$ is able to find a valid $t\ne 0^{|s|}$, the statistical distance between genuine proofs by $\textsf {P}^{\text {or}}$ (for witness $\omega $) and proofs by $\textsf {ZKSim}$ resp. $\textsf {P}^{\text {or}}$ (with witness (s, t)) is given by a negligible term $\epsilon (n)$ for any distinguisher requesting at most $\mathsf {q}$ proofs. As $\textsf {ZKSim}$ fails to derive $t\ne 0^{|s|}$ with probability $2^{-n}$, the overall statistical distance is therefore at most $\epsilon (n)+2^{-n}$ and thus negligible. Thus, ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ is multi-theorem statistical zero knowledge. We note that the protocol inherits the notion of zero-knowledge adaptiveness from ${\varPi }^{\text {or}}$. $\square $

We remark that the transformation also preserves adaptive/culpable soundness. For this notion the distinguisher against the pseudorandom generator in the soundness part can check efficiently if the prover’s choice $x$ is in the language or not with the help of the witness $\omega _\text {guilt}$ which the prover needs to output, too.

4.2 Adaptive Perfect Zero-Knowledge Under Expected Poly-Time

The construction in the previous section displays a small error in the simulation, even if we would start with a perfect zero-knowledge or witness-indistinguishable argument. The reason is that our simulator may not generate a valid pair (s, t) with $t\ne 0^{|s|}$. However, to preserve perfect zero-knowledge the simulator cannot simply discard such bad pairs, else outputs of the form $G(s)$ would not be hit (while a uniformly chosen string may actually be in the range of $G$).

The solution in the single-theorem case is to use the fact that the event of picking bad t’s is very unlikely, namely, $2^{-n}$. We will now decrease the probability further such that we can safely search for the actual witness $\omega $ for the $x$ part in this rare case, without violating polynomial run time on the average. For this let $p_\mathcal {R}$ denote the polynomial which bounds the witness length of relation $\mathcal {R}$. Then we use a pseudorandom generator $G(s)$ as before, but we iterate the one-way permutation $f$ for $p_\mathcal {R}(n)$ steps. Now the probability of picking some input $(s,t)\in \{0,1\}^{n}\times \{0,1\}^{p_\mathcal {R}(n)}$ with $t=0^{p_\mathcal {R}(n)}$ is $2^{-p_\mathcal {R}(n)}$. Given that this happens we let the simulator (later, after having obtained the input $x$) search through all potential witnesses $w\in \{0,1\}^{\le p_{\mathcal {R}}(n)}$ and each time check in polynomial time $q_\mathcal {R}(n)$ if $(x,w)\in \mathcal {R}$. The run time of the simulator for the exhaustive search is then bounded from above by $2\cdot 2^{p_\mathcal {R}(n)}\cdot q_\mathcal {R}(n)$. But since this step is only executed with probability at most $2^{-p_\mathcal {R}(n)}$ the overall run time of the simulator remains polynomial in expectation.

If we assume that the original argument system ${\varPi }^{\text {or}}$ is perfectly witness indistinguishable for non-adaptively chosen statements, then the derived protocol is perfectly zero-knowledge, with as simulator running in expected polynomial time and holding either a witness s, t for the auxiliary part or a witness for $x$ to compute the proof. As in the statistical case, the protocol still preserves non-adaptive/exclusive or adaptive/exclusive soundness.

The next step is to extend the above idea to multiple theorems. If we have polynomial many statements $x_1,\dots ,x_\mathsf {q}$ then we would have to search for all witnesses to simulate the proofs if $t=0\dots 0$. But the time to search for all these witnesses by brute force is additive and requires at most $2\mathsf {q}\cdot q_\mathcal {R}(n)\cdot 2^{p_\mathcal {R}(n)}$ many steps. Hence, the expected run time is still polynomial.

We finally remark that our simulator only attains the simple notion of expected polynomial where we average the number of steps over the randomness of the algorithm. It is not known if one can modify the simulator to achieve more robust notions, such as Levin’s average-time complexity.

5 A Lattice-based Construction

The main drawbacks of the previous constructions based on general assumptions is that they are not directly applicable to lattice-based problems because they require a one-way permutation. In this section we therefore present a multi-theorem extension in the common random string using dual-mode commitments, based on the Learning-With-Errors (LWE) assumption.

5.1 Dual-mode Commitment Schemes Based on Lattices

A (non-interactive) commitment scheme consists of a probabilistic polynomial-time algorithm to generate a public key and another probabilistic polynomial-time algorithm which allows to commit to a message under a public key. The scheme can be statistically-hiding (and computationally-binding), or it can be perfectly-binding (and computationally-hiding). A dual-mode scheme has now two key generation algorithms, one for the statistically-hiding and one for the perfectly-binding case. Furthermore, the output of the two key generation algorithms is computationally indistinguishable. To preserve statistical zero-knowledge we make the additional assumption that the public key output in hiding mode is close to uniform:

Definition 6 (Dual-mode Commitment Scheme)

A non-interactive commitment scheme ${\varGamma }=(\textsf {Gen}_H, \textsf {Gen}_B, \textsf {Com})$ is called a dual-mode commitment scheme if,

Statistically-Hiding Mode: The scheme $(\textsf {Gen}_H,\textsf {Com})$ is a statistically-hiding, computationally-binding commitment scheme. Furthermore, the output of $\textsf {Gen}_H$ is statistically close to the uniform distribution.
Perfectly-Binding Mode: The scheme $(\textsf {Gen}_B,\textsf {Com})$ is a perfectly-binding, computationally-hiding commitment scheme.
Indistinguishability of Modes: The random variables $\textsf {Gen}_H$ and $\textsf {Gen}_B$ are computationally indistinguishable.

Note that for a dual commitment scheme, it suffices to show that the scheme is statistically-hiding in the hiding mode, perfectly-binding in the binding mode, and that the modes are computationally indistinguishable. The complementary property of the corresponding mode (with computational guarantees) follows immediately.

For the dual-mode commitments, we will use (a stripped-off version of) the two homomorphic trapdoor functions defined by Gorbunov et al. [23]. As pointed out in [13], these two trapdoor functions give rise to a dual-mode commitment scheme. It has been shown in [13] that it can be used together with a non-interactive witness-indistinguishable proof system for bounded distance decoding to build non-interactive designated-verifier computational zero-knowledge arguments. We will describe this dual-mode commitment scheme now in detail and provide proof sketches based on the security proofs in [23].

The construction of the commitment scheme in [23] itself is based on the SIS problem [2], stating that for parameters $n,m=\text {poly}({n}),q$ and $\beta _\text {SIS}$ it is hard to find a short non-zero integer vector u (of length at most $\beta _\text {SIS}$) to a given random $n\times m$-matrix A over $\mathbb {Z}_q$ such that $Au=0$. The noteworthy property is that there is also a method to generate an $n\times m$ matrix A over $\mathbb {Z}_q$ together with a trapdoor in a secure way. This is implemented by an algorithm $\textsf {TrapGen}$, taking $1^n,1^m$ and q as input. Furthermore, there exists an algorithm $\textsf {Sam}(1^m,1^m,q)$ which outputs a “small” matrix $U\in \mathbb {Z}_q^{m\times m}$. As discussed in [23] it holds that A generated by $\textsf {TrapGen}(1^n,1^m,q)$ is statistically close to uniform, and that A and $A\cdot U$ (sampled according to $\textsf {Sam}$) are statistically close to A and a uniform matrix $V'$. The final ingredient is a fixed and easy to compute matrix $G\in \mathbb {Z}_q^{n\times m}$ for the given parameter which allows us to build the commitment scheme. We can then commit to a value $x\in \mathbb {Z}_q$ for matrix A by computing $A\cdot U+x\cdot G$. Note that since $A\cdot U$ is statistically close to a uniform matrix $V'$ we obtain that x is statistically hidden.

We note that we do not take advantage of the trapdoor property here in our construction, but instead sample a uniform matrix A (in the hiding mode). Moreover, as pointed out in [13], the SIS assumption is not necessary either. The LWE assumption suffices for our purpose, since we only need that the mode switching is computationally indistinguishable. Indeed, the same could be already accomplished with Regev’s encryption scheme [33] where one can alter to a lossy mode. We describe the dual-commitment scheme more formally in the following constructions:

Construction 4

(Hiding-mode Commitment Scheme).

Key Generation $_{H}$: We sample $A\in \mathbb {Z}^{n\times m}_q$ uniformly and set $\text {pk}\leftarrow A$.
Commitment : For input $\text {pk}$ and $x\in \mathbb {Z}_q$, we sample $U\leftarrow \textsf {Sam}(1^m, 1^m, q)$ and return $\textsf {Com}(\text {pk},x;U)=\text {pk}\cdot U + x\cdot G$. To open the commitment, we reveal x and U (or the randomness used to sample U).

Proposition 2

Construction 4 is a statistically hiding commitment scheme.

Proof

As shown in [23], we have that the following two tuples are statistically close:

$$\begin{aligned} (\text {pk},x,\text {pk}\cdot U + x\cdot G) \equiv _s (\text {pk}, x, V^\prime ) \end{aligned}$$

where $U \leftarrow \textsf {Sam}(1^m, 1^m, q)$ and $V^\prime \leftarrow \mathbb {Z}^{n\times m}_q$, i.e., the commitment is statistically indistinguishable from a random matrix. This holds for public keys generated by $\textsf {TrapGen}$ and, since that algorithm’s output is close to uniform, also for the random matrix A. $\square $

Next we recall from [23] how we can switch to a perfectly-binding mode by assuming the hardness of LWE. This problem states that given a matrix A and $As+e$ for a small error vector e sampled from a distribution $\chi $, recovering s is hard [33].

Construction 5

(Binding-mode Commitment Scheme).

Key Generation $_{B}$: We sample $A^\prime \leftarrow \mathbb {Z}^{(n-1)\times m}_q$ uniformly and and set
$$\begin{aligned} \text {pk}\leftarrow \left( \begin{array}{c} A^\prime \\ s^\prime A^\prime + e\end{array}\right) , \end{aligned}$$
where e is a short “noise vector” sampled from $\chi $.
Commitment : The commitment is identical to the one in Construction 4.

Proposition 3

Construction 5 is a perfectly binding commitment scheme.

Proof

To show this construction is perfectly binding, it suffices to show that we can uniquely recover x using s. Indeed, if we know $s^\prime $, we can set $s=(-s^\prime ,1)$ and $z=(0,\dots ,0,r)$ and calculate

$$\begin{aligned} s\left( \text {pk}\cdot U + x\cdot G\right) G^{-1}(z) = e\cdot U\cdot G^{-1}(z) + x \cdot \langle s,z\rangle = x\cdot r + e^\prime . \end{aligned}$$

Note that $G^{-1}$ is a polynomial-time algorithm whose existence is guaranteed by Lemma 2.2 in [23]. For correctly chosen parameters r and e, this lets us recover x uniquely. Now, as s does not depend on x or U, if for two pairs (x, U) and $(x^\prime , U^\prime )$

$$\begin{aligned} pk\cdot U + x\cdot G = pk\cdot U^\prime + x^\prime \cdot G, \end{aligned}$$

holds, then we have $x = x^\prime $. $\square $

Proposition 4

Assuming the $\text {LWE}(q,\chi )$-assumption holds, Constructions 4 and 5 together form a dual-mode commitment scheme.

Proof

We start by showing that the public keys of both schemes are computationally indistinguishable. First, note that all but the last column of matrix A are generated uniformly random (or statistically close to that) for both public keys. Therefore, the problem is equivalent to distinguish between $A^\prime s + e$ and $v^\prime $ given $A^\prime $, where $v^\prime \in \mathbb {Z}^n_q$ is a uniformly random vector and s and e are sampled as described in the scheme. However, this is exactly the decisional LWE problem. By our assumption, the two public keys are therefore indistinguishable.

We have not yet shown that Construction 4 is computationally binding and that Construction 5 is computationally hiding. However, we argue this follows directly from what we have shown already. Assume Construction 5 would not be computationally hiding, i.e., there exists an adversary that, given a public key $\text {pk}$, can distinguish between a commitment to x and $x^\prime $ with notable advantage. However, in this case, we can use this adversary to distinguish the public keys of the schemes, as Construction 4 is statistically hiding and no adversary with notable advantage can exist here.

Similarly, assume that Construction 4 is not computationally binding. Then, there exists an adversary that, given a public key $\text {pk}$, can generate a commitment c that opens to two values x and $x^\prime $ with non-negligible probability. However, as Construction 5 is perfectly binding, we can use such an adversary to distinguish between public keys of the two schemes. $\square $

5.2 SZK-FLS-Transformation Based on Lattices

We will now define our multi-theorem transformation based on the dual-mode commitment scheme in the previous section. As before, we will use the FLS-type transform, therefore we only need to define a sampling algorithm for the auxiliary CRS $\text {crs}^\text {aux}$ and an augmented or-relation $\mathcal {R}^{\text {or}}$ for this string.

The sampling algorithm $\textsf {Setup}^{\text {aux}}$ to generate $\text {crs}^\text {aux}$ will just generate uniformly random values representing a public key $\text {pk}$ and a commitment c:

$$\begin{aligned} \text {crs}^\text {aux}= (\text {pk},c) \leftarrow U_{nmq}\times U_{nmq}. \end{aligned}$$

Note that a random public key corresponds to the hiding-mode public key.

Technically the public key and the commitment in $\text {crs}^\text {aux}$ are matrices over $\mathbb {Z}_q$, and not uniform strings as required by the common random string model. However, we can generate random elements in $\mathbb {Z}_q$ from uniform strings by interpreting a random string of length $|q|+n$ as an integer and mapping it to the residue $\bmod \;q$. The statistically distance to a uniform element from $\mathbb {Z}_q$ is then exponentially small. We stress that we can also go “backwards” with this technique. Given a random value $v\in \mathbb {Z}_q$ we can add a random multiple $i\cdot q$ to v for to get an (almost) uniform $|q|+n$ bit string which would map to v again. Hence, from now on we switch between random matrices from $\mathbb {Z}_q$ and uniformly random string whenever convenient.

Our relation will now ask for a given public key $\text {pk}$ of the commitment scheme and commitment c, both found in the common random string, if there is a matrix $U\leftarrow \textsf {Sam}(1^m,1^m,q)$ resp. randomness u such that $U=\textsf {Sam}(1^m,1^m,q;u)$, such that the commitment opens to 1:

$$\begin{aligned} ((\text {pk},c),u)\in \mathcal {R}^{\text {or}} :\Longleftrightarrow U= \textsf {Sam}(1^m, 1^m, q;u) \wedge c = \textsf {Com}(\text {pk}, 1;U). \end{aligned}$$

Given these two properties we can now use the same construction as for the one-way permutation, only that we use the relation above and the sampler $\textsf {Setup}^{\text {aux}}$ to generate $\text {crs}^\text {aux}$. In fact the construction is otherwise identical to the one in Fig. 5:

Construction 6

(SZK-FLS-Dual-Mode-Transformation). Let $\mathcal {R}$ be an $\mathsf {NP}$-relation. Further, let ${\varGamma }=(\textsf {Gen}_H, \textsf {Gen}_B, \textsf {Com})$ be a non-interactive dual-mode commitment scheme and suppose that ${\varPi }^{\text {or}}=(\textsf {Setup}^{\text {or}},\textsf {P}^{\text {or}},\textsf {V}^{\text {or}})$ be a multi-theorem non-interactive statistical witness-indistinguishable argument for the $\mathsf {NP}$-relation $\mathcal {R}^{\text {or}}$. We construct a multi-theorem non-interactive statistical zero knowledge argument ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ for $\mathcal {R}$ as in Fig. 5 with the following exception:

CRS: We define the sampling algorithm $\textsf {Setup}(1^n)$ for the common random string $\text {crs}$ for our construction as
$$\begin{aligned} \textsf {Setup}(1^n)=\textsf {Setup}^{\text {or}}(1^n)\Vert \textsf {Setup}^{\text {aux}}(1^n). \end{aligned}$$

The prover algorithm $\textsf {P}$ and verifier algorithm $\textsf {V}$ are as before.

Theorem 7

Let $\mathcal {R}$ be an $\mathsf {NP}$-relation. Assuming that ${\varPi }^{\text {or}}=(\textsf {Setup}^{\text {or}},\textsf {P}^{\text {or}},\textsf {V}^{\text {or}})$ is a non-interactive statistical single-theorem zero-knowledge argument for $\mathcal {R}^{\text {or}}$ and that ${\varGamma }=(\textsf {Gen}_H, \textsf {Gen}_B, \textsf {Com})$ is a dual-mode non-interactive commitment scheme, the non-interactive argument ${\varPi }=(\textsf {Setup},\textsf {P},\textsf {V})$ in Construction 6 is a multi-theorem statistical zero-knowledge argument. Furthermore, if the underlying protocol ${\varPi }^{\text {or}}$ is (non-adaptively resp. adaptively) exclusively sound, then so is the derived protocol ${\varPi }$; if ${\varPi }^{\text {or}}$ is adaptive resp. non-adaptive zero-knowledge, then so is ${\varPi }$.

Proof

The proof is very close to the one of Theorem 3 such that we only sketch the main differences here.

(Perfect) Completeness: It follows as in the one-way permutation case that the honest verifier accepts proofs generated by $\textsf {P}$ for $x\in \mathcal {L}_{\mathcal {R}}$.

Exclusive Soundness: To show exclusive soundness (in the non-adaptive or adaptive case) we first switch the auxiliary string to a randomly sampled binding key and a 0-commitment $\textsf {Com}(\text {pk},0;U)$, instead of using uniformly random values. Note that we can use two game hops to show that this is computationally indistinguishable from genuine common random strings. In the first hop we replace the random key component in $\text {crs}^\text {aux}$ by a key , which is even statistically close. Then we replace the random commitment component in $\text {crs}^\text {aux}$ by a random commitment to 0, $\textsf {Com}(\text {pk},0;U)$. This is again statistically indistinguishable.

And finally we switch to a binding key and a 0-commitment under this key. This is computationally indistinguishable by the indistinguishability of the dual-mode key generation. (The additional 0-commitment can be computed easily given a hiding or binding key.) This is where we again use exclusive soundness to turn a malicious prover into a distinguisher against the dual-mode scheme, analogously to the distinguisher against the pseudorandomness of the generator in the one-way permutation case.

We now have an auxiliary string which contains a binding key and a 0-commitment, such that the or-part in the $\mathcal {R}^{\text {or}}$ cannot be satisfied. It follows now as before that soundness of the constructed protocol follows from the soundness of the original non-interactive argument.

Zero-Knowledge: For adaptive multi-theorem zero-knowledge we remark that the simulator $\textsf {ZKSim}$ can create the key part in the auxiliary string as a hiding key and the commitment part as a 1-commitment under $\text {pk}$. Since the key $\text {pk}$ and the 1-commitment are statistically close to a uniform strings, the simulator’s string $\text {crs}^\text {aux}$ is statistically close to a uniform string. For this string $\text {crs}^\text {aux}$ the simulator can use the randomness of the commitment as a witness. The remaining steps in the proof are identical to the ones in the proof of Theorem 3. $\square $

6 Conclusion

We have shown how to apply the idea of the FLS transformation also for statistical zero-knowledge arguments. Let us highlight two important aspects of our transformations.

First, our transformations based on one-way permutations and on lattices work in the common random string model and does not require any structure of the CRS. Common reference strings have the inherent disadvantage that they have some structure and that one needs to trust the party which generates the string. A prominent example is the discussion about the trustworthiness of the Zcash reference string and follow-up suggestions to use common random strings instead, e.g., [16]. Of course, a party generating a common random string may also impose some trust assumption, as our lattice-based solution with the implicit trapdoor generation algorithm shows. But several measures to thwart attacks can be implemented much easier than for structured strings. This includes the computation of the string as the output of a hash function, or by xoring common random strings from several sources.

The other aspect we would like to emphasize that our transformations preserve adaptive security for both zero-knowledge and soundness. This does not conflict with black-box impossibility result for such statistical zero-knowledge arguments [1, 30], because in the course of showing adaptive soundness we have, in passing, encountered a possibility to bypass the impossibility results. A key observation is that one may be able to achieve adaptive soundness and zero-knowledge if one switches to the notion of exclusive soundness. This adaptive/exclusive soundness implies adaptive/culpable soundness and thus suffices for many practical applications.

Notes

1.
We use here the terminology from [4] for the comparable scenario of admissible decryption queries in chosen-ciphertext security.
2.
Note that we define one-way permutations as one-way functions that are 1-1 and length-preserving, not as a family of such functions.
3.
Strictly speaking, their notion of exclusiveness allows for a negligible error which could be integrated in our notion as well.

References

Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_7
Chapter Google Scholar
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996
Google Scholar
Arte, V., Bellare, M.: Dual-Mode NIZKs: possibility and impossibility results for property transfer. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 859–881. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_38
Chapter Google Scholar
Bellare, M., Hofheinz, D., Kiltz, E.: Subtleties in the definition of IND-CCA: when and how should challenge decryption be disallowed? J. Cryptol. 28(1), 29–48 (2015)
Article MathSciNet Google Scholar
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th ACM STOC. pp. 103–112. ACM Press, May 1988
Google Scholar
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13(4), 850–864 (1984). https://doi.org/10.1137/0213053
Article MathSciNet MATH Google Scholar
Blum, M., Santis, A.D., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991). https://doi.org/10.1137/0220068
Article MathSciNet MATH Google Scholar
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988). https://doi.org/10.1016/0022-0000(88)90005-0
Article MathSciNet MATH Google Scholar
Canetti, R., et al.: Fiat-Shamir: from practice to theory. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1082–1090. ACM Press, June 2019
Google Scholar
Canetti, R., Chen, Y., Reyzin, L., Rothblum, R.D.: Fiat-Shamir and correlation intractability from strong KDM-secure encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 91–122. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_4
Chapter Google Scholar
Canetti, R., Lombardi, A., Wichs, D.: Fiat-Shamir: from practice to theory, Part II (NIZK and correlation intractability from circular-secure FHE). Cryptology ePrint Archive, Report 2018/1248 (2018). https://eprint.iacr.org/2018/1248
Chaidos, P., Groth, J.: Making sigma-protocols non-interactive without random oracles. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 650–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_29
Chapter Google Scholar
Couteau, G., Hofheinz, D.: Designated-verifier pseudorandom generators, and their applications. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 562–592. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_20
Chapter Google Scholar
Fauzi, P., Lipmaa, H.: Efficient culpably sound NIZK shuffle argument without random oracles. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 200–216. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_12
Chapter Google Scholar
Fauzi, P., Lipmaa, H., Siim, J., Zając, M.: An efficient pairing-based shuffle argument. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 97–127. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_4
Chapter Google Scholar
Fauzi, P., Meiklejohn, S., Mercer, R., Orlandi, C.: Quisquis: a new design for anonymous cryptocurrencies. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 649–678. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_23
Chapter Google Scholar
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st FOCS, pp. 308–317. IEEE Computer Society Press, October 1990
Google Scholar
Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999). https://doi.org/10.1137/S0097539792230010
Article MathSciNet MATH Google Scholar
Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: 22nd ACM STOC, pp. 416–426. ACM Press, May 1990
Google Scholar
Fischlin, M., Rohrbach, F.: Single-to-multi-theorem transformations for non-interactive statistical zero-knowledge. Cryptology ePrint Archive, Report 2020/1204 (2020). https://eprint.iacr.org/2020/1204
Goldreich, O.: Foundations of Cryptography, vol. 1. Cambridge University Press, Cambridge (2006)
MATH Google Scholar
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989). https://doi.org/10.1137/0218012
Article MathSciNet MATH Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, pp. 469–477. ACM Press, June 2015
Google Scholar
Groth, J., Lu, S.: A non-interactive shuffle with pairing based verifiability. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 51–67. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_4
Chapter Google Scholar
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_21
Chapter Google Scholar
Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 111–1135 (2012). https://doi.org/10.1145/2220357.2220358
Article MathSciNet MATH Google Scholar
Holmgren, J., Lombardi, A.: Cryptographic hashing from strong one-way functions (or: One-way product functions and their applications). In: Thorup, M. (ed.) 59th FOCS, pp. 850–858. IEEE Computer Society Press, October 2018
Google Scholar
Libert, B., Nguyen, K., Passelègue, A., Titiu, R.: Simulation-sound arguments for LWE and applications to KDM-CCA2 security. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 128–158. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_5
Chapter Google Scholar
Libert, B., Passelègue, A., Wee, H., Wu, D.J.: New constructions of statistical NIZKs: dual-mode DV-NIZKs and more. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 410–441. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_14
Chapter Google Scholar
Pass, R.: Unprovable security of perfect NIZK and non-interactive non-malleable commitments. Comput. Complex. 25(3), 607–666 (2016). https://doi.org/10.1007/s00037-016-0122-2
Article MathSciNet MATH Google Scholar
Pass, R., Shelat, A.: Unconditional characterizations of non-interactive zero-knowledge. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 118–134. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_8
Chapter Google Scholar
Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (plain) learning with errors. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 89–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_4
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC. pp. 84–93. ACM Press, May 2005
Google Scholar
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press, May/June 2014
Google Scholar
Yao, A.C.C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd FOCS, pp. 80–91. IEEE Computer Society Press, November 1982
Google Scholar

Download references

Acknowledgments

We thank the anonymous reviewers for valuable comments. Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – SFB 1119 – 236615297.

Author information

Authors and Affiliations

Cryptoplexity, Technische Universität Darmstadt, Darmstadt, Germany
Marc Fischlin & Felix Rohrbach

Authors

Marc Fischlin
View author publications
You can also search for this author in PubMed Google Scholar
Felix Rohrbach
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marc Fischlin .

Editor information

Editors and Affiliations

Texas A&M University, College Station, TX, USA
Juan A. Garay

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Fischlin, M., Rohrbach, F. (2021). Single-to-Multi-theorem Transformations for Non-interactive Statistical Zero-Knowledge. In: Garay, J.A. (eds) Public-Key Cryptography – PKC 2021. PKC 2021. Lecture Notes in Computer Science(), vol 12711. Springer, Cham. https://doi.org/10.1007/978-3-030-75248-4_8

Download citation

DOI: https://doi.org/10.1007/978-3-030-75248-4_8
Published: 01 May 2021
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75247-7
Online ISBN: 978-3-030-75248-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Single-to-Multi-theorem Transformations for Non-interactive Statistical Zero-Knowledge

Abstract

Similar content being viewed by others

Multi-Theorem Fiat-Shamir Transform from Correlation-Intractable Hash Functions

Generalized Special-Sound Interactive Proofs and Their Knowledge Soundness

Zero-Knowledge Protocols for Search Problems

Keywords

1 Introduction

1.1 Flavors of Non-interactive Zero-Knowledge

1.2 From Single-theorem to Multi-theorem Proofs

1.3 Known NISZK Constructions

1.4 Our Results

1.5 Squeezing in into Possibility and Impossibility Results

1.6 Concurrent Work

2 Preliminaries

2.1 Non-interactive Arguments

Definition 1 (Non-interactive Argument)

2.2 Zero-knowledge

Definition 2 (Statistical and Perfect Zero Knowledge)

Definition 3 (Statistical Witness Indistinguishability)

2.3 From Single-Theorem Zero-Knowledge to Multi-Theorem Witness Indistinguishability

Lemma 1

Proof (Sketch)

Lemma 2

Proof (Sketch)

3 Soundness of Non-interactive Arguments

3.1 Soundness Definitions

Definition 4 (Soundness of non-interactive Arguments)

3.2 Equivalence of the Non-adaptive Soundness Notions

Theorem 1

Proof

3.3 Exclusive Soundness Implies Culpable Soundness

Definition 5 (Adaptive/Culpable Soundness)

Proposition 1

Proof

4 Constructions Based on General Assumptions

4.1 Multi-theorem NISZK Based on One-Way Permutations

Construction 2

Theorem 3

Proof

4.2 Adaptive Perfect Zero-Knowledge Under Expected Poly-Time

5 A Lattice-based Construction

5.1 Dual-mode Commitment Schemes Based on Lattices

Definition 6 (Dual-mode Commitment Scheme)

Construction 4

Proposition 2

Proof

Construction 5

Proposition 3

Proof

Proposition 4

Proof

5.2 SZK-FLS-Transformation Based on Lattices

Construction 6

Theorem 7

Proof

6 Conclusion

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation