Introduction
A. Non-Interactive Zero-Knowledge Proof System
A non-interactive zero-knowledge proof system (NIZK) [1] is a cryptographic protocol between two parties, a prover and a verifier. Given a statement for an NP language, the prover, who is the only one possessing a witness, proves the validity of the statement without leaking anything other than the validity of the statement. Recently, efficient construction methods for NIZKs have been proposed, such as GS-NIZK [2] and QA-NIZK [3], and NIZKs are used to build cryptographic applications.
A typical methodology that is employed in NIZKs is the commit-and-prove methodology [4]–[6]. Roughly speaking, this technique guarantees that, given a proof and a commitment, the proof is carried out with respect to the opening of the commitment. NIZKs that employ the commit-and-prove methodology (CP-NIZKs) are seen in the literature [2], [7]–[10]. The commit-and-prove methodology itself is of interest. For instance, as noted in [11], the commit-and-prove technique is standard when one wants to prove that the witnesses to two distinct statements are the same [10], [12]–[15].
One of the most notable applications of CP-NIZKs is Zcash [16], which uses zk-SNARK by [17] to guarantee the anonymity of users. In fact, the zk-SNARK does not explicitly employ a commit-and-prove methodology. However, as mentioned in [18], a prover in Zcash proves knowledge about a committed value, and thus we can regard Zcash as an application of a CP-NIZK.
B. Black-Box Language Extension
A language
Abe et al. [20] showed the (im)possibility of extending a language class that can be proven by NIZKs in a black-box manner. They showed that, given simulation-sound NIZKs (SS-NIZKs) [21] for a language
While somewhat folklore, we can construct an NIZK that proves witness equality if the underlying NIZKs are CP-NIZKs. Suppose that we are given CP-NIZKs for distinct languages
Is it possible to construct an NIZK for a disjunctive language based on CP-NIZKs in a black-box manner?
C. Our Contribution
We investigate the above problem and answer negatively. That is, there is no fully black-box construction of an NIZK for a disjunctive language based on CP-NIZKs. In this paper, we first formalize CP-NIZKs and introduce an oracle that implements a CP-NIZK for a certain language. Then, we demonstrate a polynomial-time adversary that attacks the soundness of an NIZK for a disjunctive language.
Specifically, let
D. Technical Overview
We follow the “swapping technique” that is introduced in [20] in the construction of our adversary. The idea behind the technique is the following: Let
Our adversary works as follows: Let
E. Related Work
Utilizing NIZK oracles in a black-box framework was initiated by Brakerski et al. [23]. They introduced an oracle that implements an NIZK for an NP-complete language and showed that, despite the existence of the NIZK oracle, there is no fully black-box construction of a key agreement protocol based on a one-way function, which is a well-known result by Impagliazzo and Rudich [24]. Follow-up work in [23] treats sophisticated primitives, such as functional encryption [25] and garbled circuits [26].
As mentioned earlier, many CP-NIZKs have been proposed [2], [7]–[10]. Namely, in [10], a commit-and-prove methodology plays an essential role in obtaining a modular composition of zk-SNARKs.
A
F. Paper Organization
In Section II, we introduce basic notation. Namely, we formalize CP-NIZKs by following the definition in [7]. In Section III, we introduce an oracle that implements a CP-NIZK for a certain language and show that the oracle indeed constitutes a CP-NIZK. Section IV provides our main result on the black-box construction of an NIZK for a disjunctive language based on a CP-NIZK. Finally, Section V concludes this paper and presents several remaining tasks.
Preliminaries
A. Basic Notation
We denote by
The notation
We use bracket notation
A partial oracle
In this paper, we focus on an NIZK, which is formally defined as follows:
Definition 1 (NIZK):
A tuple of PPTs
$\Pi.\mathsf{Crs}$: $\sigma \leftarrow \Pi(\mathsf{Crs}, \tau)$. Given a trapdoor $\tau$, output a common reference string (CRS) $\sigma$.
$\Pi.\mathsf{Prv}$: $\pi \leftarrow \Pi(\mathsf{Prv}, \sigma, x, w)$. Given a CRS $\sigma$, an instance $x$ and a witness $w$, output a proof $\pi$ or $\bot$.
$\Pi.\mathsf{Vrf}$: $b \leftarrow \Pi(\mathsf{Vrf}, \sigma, x, \pi)$. Given a CRS $\sigma$, an instance $x$ and a proof $\pi$, output a bit $b \in \{0, 1\}$ where 1 means accept and 0 means reject.
$\Pi.\mathsf{CrsSim}$: $(\sigma, \tau) \leftarrow \Pi(\mathsf{CrsSim}, \tau)$. Given a trapdoor $\tau$, output $\tau$ and a CRS $\sigma$.
$\Pi.\mathsf{PrvSim}$: $\pi \leftarrow \Pi(\mathsf{PrvSim}, \sigma, x, \tau)$. Given a CRS $\sigma$, an instance $x$ and a trapdoor $\tau$, output a proof $\pi$ or $\bot$.
Definition 2 (Security Properties of NIZKs):
An NIZK
Completeness: For any $n \in \mathbb{N}$, any $\sigma \leftarrow \Pi(\mathsf{Crs}, \tau)$ and any $(x, w) \in R_{\mathcal{L}}$, $\mathrm{Pr}[\Pi(\mathsf{Vrf}, \sigma, x, \Pi(\mathsf{Prv}, \sigma, x, w)) = 1] \geq 1 - \mathrm{negl}(n)$.
Soundness: For any PPT adversary $\mathcal{A}$, the following holds:
\begin{align*} \mathrm{Pr} \left[ \begin{array}{c} \sigma \leftarrow \Pi(\mathsf{Crs}, \tau) \\ (x, \pi) \leftarrow \mathcal{A}(\sigma) \end{array} : \Pi(\mathsf{Vrf}, \sigma, x, \pi) = 1 \land x \notin \mathcal{L} \right] \leq \mathrm{negl}(n). \end{align*}
Adaptive Zero-Knowledge: For any stateful PPT adversary $\mathcal{A}$, the following holds:
\begin{align*} \mathtt{AdvZK}_{\mathcal{A}, \Pi, \mathcal{L}}(n) =& \mathrm{Pr} \left[ \begin{array}{c} \sigma \leftarrow \Pi(\mathsf{Crs}, \tau) \\ (x, w) \leftarrow \mathcal{A}(\sigma) \\ \pi \leftarrow \Pi(\mathsf{Prv}, \sigma, x, w) \end{array} : \begin{array}{l} \mathcal{A}(\pi) = 1 \\ \land (x, w) \in R_{\mathcal{L}} \end{array} \right] \\ &- \mathrm{Pr} \left[ \begin{array}{c} (\sigma, \tau) \leftarrow \Pi(\mathsf{CrsSim}, \tau) \\ (x, w) \leftarrow \mathcal{A}(\sigma) \\ \pi \leftarrow \Pi(\mathsf{PrvSim}, \sigma, x, \tau) \end{array} : \begin{array}{l} \mathcal{A}(\pi) = 1 \\ \land (x, w) \in R_{\mathcal{L}} \end{array} \right] \\ \leq& \mathrm{negl}(n). \end{align*}
We formally define a commit-and-prove NIZK. We partially follow the definition in [7], but there are some differences. We will explain the differences after the definition.
Definition 3 (CP-NIZK):
A tuple of Turing machines
$\Pi.\mathsf{Crs}$: $ck \leftarrow \Pi(\mathsf{Crs}, \tau)$. Given a trapdoor $\tau$, output a CRS (or a commitment key) $ck$.
$\Pi.\mathsf{Com}$: $c \leftarrow \Pi(\mathsf{Com}, ck, w, r)$. Given a CRS $ck$, a witness $w$ and a randomness (or an opening) $r$, output a commitment $c$ or $\bot$.
$\Pi.\mathsf{Prv}$: $\pi \leftarrow \Pi(\mathsf{Prv}, ck, x, w, r)$. Given a CRS $ck$, an instance $x$, a witness $w$ and a randomness $r$, output a proof $\pi$ or $\bot$.
$\Pi.\mathsf{Vrf}$: $b \leftarrow \Pi(\mathsf{Vrf}, ck, x, c, \pi)$. Given a CRS $ck$, an instance $x$, a commitment $c$ and a proof $\pi$, output a bit $b \in \{0, 1\}$ where 1 means accept and 0 means reject.
$\Pi.\mathsf{CrsSim}$: $(ck, \tau) \leftarrow \Pi(\mathsf{CrsSim}, \tau)$. Given a trapdoor $\tau$, output a CRS $ck$ and $\tau$.
$\Pi.\mathsf{ComSim}$: $c \leftarrow \Pi(\mathsf{ComSim}, ck, \tau, r)$. Given a CRS $ck$, a trapdoor $\tau$ and a randomness $r$, output a commitment $c$ if $ck = \Pi(\mathsf{Crs}, \tau)$, otherwise $\bot$.
$\Pi.\mathsf{PrvSim}$: $\pi \leftarrow \Pi(\mathsf{PrvSim}, ck, x, c, \tau)$. Given a CRS $ck$, an instance $x$, a commitment $c$ and a trapdoor $\tau$, output $\pi$.
Definition 4 (Security Properties of CP-NIZKs):
A CP-NIZK
Completeness: For any $n \in \mathbb{N}$, any $\sigma \leftarrow \Pi(\mathsf{Crs}, \tau)$, any $(x, w) \in R_{\mathcal{L}}$ and any $c \leftarrow \Pi(\mathsf{Com}, ck, w, [r])$, $\mathrm{Pr}[\Pi(\mathsf{Vrf}, \sigma, x, c, \Pi(\mathsf{Prv}, \sigma, x, w, r)) = 1] \geq 1 - \mathrm{negl}(n)$.
Soundness: For any PPT adversary $\mathcal{A}$, the following holds:
\begin{align*} \mathrm{Pr} \left[ \begin{array}{c} \sigma \leftarrow \Pi(\mathsf{Crs}, \tau) \\ (x, c, \pi) \leftarrow \mathcal{A}(\sigma) \end{array} : \Pi(\mathsf{Vrf}, \sigma, x, c, \pi) = 1 \land x \notin \mathcal{L} \right] \leq \mathrm{negl}(n). \end{align*}
Composable Zero-Knowledgeness: $\Pi$ is composable zero-knowledge if the following two conditions hold:
For any PPT $\mathcal{A}$, the following advantage $\mathtt{AdvKeyIND}_{\Pi, \mathcal{A}, \mathcal{L}}$ is negligible in $n$: $|\mathrm{Pr}[ck \leftarrow \Pi(\mathsf{Crs}, \tau): 1 \leftarrow \mathcal{A}(ck)] - \mathrm{Pr}[(ck, \tau) \leftarrow \Pi(\mathsf{CrsSim}, \tau): 1 \leftarrow \mathcal{A}(ck)]|$.
For any stateful PPT $\mathcal{A}$, the following advantage $\mathtt{AdvPrfIND}_{\Pi, \mathcal{A}, \mathcal{L}}$ is negligible in $n$:
\begin{align*} \left| \mathrm{Pr} \left[ \begin{array}{c} (ck, \tau) \leftarrow \Pi(\mathsf{CrsSim}, \tau) \\ (x, c, w) \leftarrow \mathcal{A}^{O_0(\cdot)}(ck, \tau) \\ \textrm{if } (w, [r], c) \in Q \textrm{ then} \\ \pi \leftarrow \Pi(\mathsf{Prv}, ck, x, w, r) \\ \textrm{otherwise output } \bot \end{array} : \begin{array}{l} \mathcal{A}(\pi) = 1 \\ \land (x, w) \in R_{\mathcal{L}} \end{array} \right] \right. \\ \left. - \mathrm{Pr} \left[ \begin{array}{c} (ck, \tau) \leftarrow \Pi(\mathsf{CrsSim}, 1^n) \\ (x, c, w) \leftarrow \mathcal{A}^{O_1(\cdot)}(ck, \tau) \\ \textrm{if } (w, [r], c) \in Q \textrm{ then} \\ \pi \leftarrow \Pi(\mathsf{PrvSim}, ck, x, c, \tau) \\ \textrm{otherwise output } \bot \end{array} : \begin{array}{l} \mathcal{A}(\pi) = 1 \\ \land (x, w) \in R_{\mathcal{L}} \end{array} \right] \right| \end{align*}
where $O_0 = \Pi(\mathsf{Com}, ck, *, *)$ and $O_1 = \Pi(\mathsf{ComSim}, ck, \tau, *)$, and $Q$ is a list made by the challenger as follows (note that $\mathcal{A}$ actually calls an oracle through the challenger): When $\mathcal{A}$ calls $O_0$ or $O_1$, the adversary sends a witness $w$ to the challenger, then the challenger chooses a randomness $r$ uniformly, obtains $c = \Pi(\mathsf{Com}, ck, w, r)$ or $c = \Pi(\mathsf{ComSim}, ck, \tau, r)$, returns $c$ to $\mathcal{A}$ and records $(w, r, c)$ to $Q$.
There are three differences between our definition and the definition in [7]. In [7], every algorithm of a CP-NIZK takes a tag as an input to identify the type of value that is given, such as a group element or a field element, while we do not require such a tag. Second, they divide a witness into pieces while we treat only a single witness, because it is sufficient for our purpose. Finally, in the composable zero-knowledge game of [7], the adversary outputs a statement and indices that correspond to the witnesses and commitments it chooses, while ours outputs a statement, a single witness and a single commitment.
We consider the impossibility of a black-box construction of a primitive, and define a black-box construction of a primitive below.
Definition 5 [29]:
There exists a (fully) black-box construction of a primitive
For any implementation $f$ of $P$, $G^f$ implements $Q$.
For any implementation $f$ of $P$ and any oracle Turing machine $M$, if $M^f$ breaks the security of $Q$, then $S^{f, M}$ breaks the security of $P$.
This work focuses on a black-box construction of an NIZK for disjunctive languages. We formally define an extended language, which includes disjunctive languages.
Definition 6 (Extended Language [20]):
Let
If a statement
In this work we treat a CP-NIZK for a hard language, which is defined as follows, since it is convenient for our purpose.
Definition 7 (Hard Language):
Let
For any security parameter $n$, $\mathcal{L}_n \cap \mathcal{C}_n = \emptyset$.
$\mathcal{L}$ and $\mathcal{C}$ are efficiently samplable. That is, for any security parameter $n$, distributions $\mathcal{D}_{\mathcal{L}_n}$ and $\mathcal{D}_{\mathcal{C}_n}$ exist from which $\mathcal{L}_n$ and $\mathcal{C}_n$ are efficiently samplable respectively.
For any PPT $\mathcal{A}$ and any security parameter $n$, it holds that
\begin{align*} \mathtt{LangIND}_{\mathcal{L}_n, \mathcal{C}_n, \mathcal{A}}(n) =& |\mathrm{Pr}[x \leftarrow \mathcal{D}_{\mathcal{L}_n}: 1 \leftarrow \mathcal{A}(x)] \\ &- \mathrm{Pr}[x \leftarrow \mathcal{D}_{\mathcal{C}_n}: 1 \leftarrow \mathcal{A}(x)]| \\ \leq& \epsilon_{\mathsf{ind}} \end{align*}
where $\epsilon_{\mathsf{ind}}$ is negligible.
A CP-NIZK Oracle
In this section, we introduce an oracle that implements a CP-NIZK for a hard language and demonstrate that such an oracle indeed constitutes a CP-NIZK. Before introducing the CP-NIZK oracle, we define another oracle that implements a hard language as follows:
Definition 8 (Oracle $O$):
Let
$O.\mathsf{SmplYes}$: $x \leftarrow O(\mathsf{SmplYes}, w)$. Given $w \in \{0, 1\}^n$, compute $x \leftarrow H_{\mathsf{smpl}}(1 || w)$ and output $x$.
$O.\mathsf{SmplNo}$: $x \leftarrow O(\mathsf{SmplNo}, w)$. Given $w \in \{0, 1\}^n$, compute $x \leftarrow H_{\mathsf{smpl}}(0 || w)$ and output $x$.
$O.\mathsf{Promise}$: $b \leftarrow O(\mathsf{Promise}, x)$. Given $x \in \{0, 1\}^{2n}$, output 0 if $\bot \leftarrow H^{-1}_{\mathsf{smpl}}(x)$, otherwise 1.
For
Given $(\mathsf{SmplYes}, w)$, output $x \leftarrow O(\mathsf{SmplYes}, w)$.
Given $(\mathsf{SmplNo}, w)$, output $x \leftarrow O(\mathsf{SmplNo}, w)$.
Given $(\mathsf{Promise}, x)$, output $b \leftarrow O(\mathsf{Promise}, x)$.
Lemma 1 [20]:
The algorithm
\begin{align*} \mathcal{L}^O_n =& \{x \mid \exists w \textrm{ such that } x = H_{\mathsf{smpl}}(1 || w)\}, \\ \mathcal{C}^O_n =& \{x \mid \exists w \textrm{ such that } x = H_{\mathsf{smpl}}(0 || w)\}. \end{align*}
Now, we introduce an oracle that almost directly implements a CP-NIZK for
Definition 9:
Let
$Z.\mathsf{Crs}$: $ck \leftarrow Z(\mathsf{Crs}, \tau)$. Given a trapdoor $\tau \in \{0, 1\}^n$, output a CRS $ck \leftarrow H_{\mathsf{crs}}(\tau)$.
$Z.\mathsf{Com}$: $c \leftarrow Z(\mathsf{Com}, ck, w, r)$. Given a CRS $ck \in \{0, 1\}^{2n}$, a witness $w \in \{0, 1\}^n$ and a randomness $r \in \{0, 1\}^n$, output a commitment $c \leftarrow H_{\mathsf{com}}(ck || w || r)$ if there exists a trapdoor $\tau$ such that $H^{-1}_{\mathsf{crs}}(ck) = \tau$, otherwise output $\bot$.
$Z.\mathsf{Prv}$: $\pi \leftarrow Z(\mathsf{Prv}, ck, x, w, r)$. Given a CRS $ck \in \{0, 1\}^{2n}$, a statement $x \in \{0, 1\}^{2n}$, a witness $w \in \{0, 1\}^n$ and a randomness $r \in \{0, 1\}^n$, if $(x, w) \in R_{\mathcal{L}^O_n}$ and there exists a trapdoor $\tau$ such that $H^{-1}_{\mathsf{crs}}(ck) = \tau$, then compute $c = H_{\mathsf{com}}(ck || w || r)$ and output a proof $\pi \leftarrow H_{\mathsf{prf}}(ck || x || c)$, otherwise output $\bot$.
$Z.\mathsf{Vrf}$: $b \leftarrow Z(\mathsf{Vrf}, ck, x, c, \pi)$. Given a CRS $ck \in \{0, 1\}^{2n}$, a statement $x \in \{0, 1\}^{2n}$, a commitment $c \in \{0, 1\}^{5n}$ and a proof $\pi \in \{0, 1\}^{10n}$, output 1 if $\pi = H_{\mathsf{prf}}(ck || x || c)$. Otherwise output 0.
$Z.\mathsf{PrvSim}$: $\pi \leftarrow Z(\mathsf{PrvSim}, ck, x, c, \tau)$. Given a CRS $ck \in \{0, 1\}^{2n}$, a statement $x \in \{0, 1\}^{2n}$, a commitment $c \in \{0, 1\}^{5n}$ and a trapdoor $\tau \in \{0, 1\}^n$, if $ck = H_{\mathsf{crs}}(\tau)$ then output a proof $\pi \leftarrow H_{\mathsf{prf}}(ck || x || c)$, otherwise output $\bot$.
A Construction of a CP-NIZK
Let
$\mathsf{M}.\mathsf{Crs}$: $ck \leftarrow \mathsf{M}(\mathsf{Crs}, \tau)$. Given a trapdoor $\tau$, output $Z(\mathsf{Crs}, \tau)$.
$\mathsf{M}.\mathsf{Com}$: $c \leftarrow \mathsf{M}(\mathsf{Com}, ck, w, r)$. Given a CRS $ck$, a witness $w$ and a randomness $r$, output $Z(\mathsf{Com}, ck, w, r)$.
$\mathsf{M}.\mathsf{Prv}$: $\pi \leftarrow \mathsf{M}(\mathsf{Prv}, ck, x, w, r)$. Given a CRS $ck$, a statement $x$, a witness $w$ and a randomness $r$, output $Z(\mathsf{Prv}, ck, x, w, r)$.
$\mathsf{M}.\mathsf{Vrf}$: $b \leftarrow \mathsf{M}(\mathsf{Vrf}, ck, x, c, \pi)$. Given a CRS $ck$, a statement $x$, a commitment $c$ and a proof $\pi$, output $Z(\mathsf{Vrf}, ck, x, c, \pi)$.
$\mathsf{M}.\mathsf{CrsSim}$: $(ck, \tau) \leftarrow \mathsf{M}(\mathsf{CrsSim}, \tau)$. Given a trapdoor $\tau$, output $\tau$ and $Z(\mathsf{Crs}, \tau)$.
$\mathsf{M}.\mathsf{ComSim}$: $c \leftarrow \mathsf{M}(\mathsf{ComSim}, ck, \tau, r)$. Given a CRS $ck$, a trapdoor $\tau$ and a randomness $r$, if $ck = Z(\mathsf{Crs}, \tau)$, then output $Z(\mathsf{Com}, ck, \tau, r)$.
$\mathsf{M}.\mathsf{PrvSim}$: $\pi \leftarrow \mathsf{M}(\mathsf{PrvSim}, ck, x, c, \tau)$. Given a CRS $ck$, a statement $x$, a commitment $c$ and a trapdoor $\tau$, output $Z(\mathsf{PrvSim}, ck, x, c, \tau)$.
Lemma 2:
Proof:
Let
Regarding the first case,
Now, we show that
We demonstrate that, by a hybrid argument, for any PPT
Game 0:
A composable zero-knowledge game where the adversary is given $O_0$ and the challenger runs $\mathsf{M}.\mathsf{Prv}$ to obtain a proof $\pi$. We describe the composable zero-knowledge game in the real world as follows:
Step 1
The challenger uniformly chooses $\tau \leftarrow \{0, 1\}^n$, runs $(ck, \tau) \leftarrow \mathsf{M}(\mathsf{CrsSim}, \tau)$ and sends $(ck, \tau)$ to the adversary.
Step 2
Given $(ck, \tau)$, the adversary outputs $(x, w, c)$, where $(x, w) \in R_{\mathcal{L}^O}$ and $c$ is obtained as follows: The adversary sends $w$ to the challenger along with calling $O_0$. Given $w$, the challenger chooses a randomness $r \in \{0, 1\}^n$ uniformly, obtains $c = \mathsf{M}(\mathsf{Com}, ck, x, w, r)$, sends $c$ to the adversary and adds $(w, r, c)$ to $Q$ where $Q$ is an initially empty list.
$q$ commitments.
Step 3
Given $(x, w, c)$, the challenger determines whether there exists an entry $(w, r, c)$ in $Q$. If such an entry exists, then the challenger computes $\pi \leftarrow \mathsf{M}(\mathsf{Prv}, ck, x, w, r)$ and sends $\pi$ to the adversary, otherwise outputs $\bot$.
Step 4
Given $\pi$, the adversary outputs 0 if $\mathcal{A}$ decides that $\pi$ is generated by the real prover, otherwise 1.
Game 1:
Modify Game 0 so that the challenger runs $\mathsf{M}(\mathsf{PrvSim}, ck, x, c, \tau)$ to obtain $\pi$ in Step 3. We remark that $\mathsf{M}.\mathsf{PrvSim}$ gives an output other than $\bot$ on the input $(ck, x, c, \tau)$. Observe that $\mathsf{M}(\mathsf{PrvSim}, ck, x, c, \tau) = \mathsf{M}(\mathsf{Prv}, ck, x, w, r) = \pi = H_{\mathsf{prf}}(ck || x || c)$. Hence, this modification does not change the distribution of the composable zero-knowledge game and we have $P_1 = P_0$.
Game 2:
Replace $O_0$ in Game 1 with $O_1$. Note that this game corresponds to the simulated world. Recall that $O_0$ and $O_1$ are actually $\mathsf{M}.\mathsf{Com}$ and $\mathsf{M}.\mathsf{ComSim}$, respectively, and they are implemented by the same random injection $H_{\mathsf{com}}$. Therefore, the distribution of the output of this game differs from that of Game 1 only if $\mathcal{A}$ obtains a commitment that is generated by the challenger herself, i.e., only if $\mathcal{A}$ makes a query that includes the randomness $r$, which is chosen uniformly by the challenger. That is, as $\mathcal{A}$ knows the trapdoor $\tau$ and the witness $w$, $\mathcal{A}$ can obtain $c$ by making queries $Z(\mathsf{Com}, ck, w, r)$ and $Z(\mathsf{ComSim}, ck, \tau, r)$ if $\mathcal{A}$ obtains $r$.
To analyze the probability that
Remark 1:
Let
Separation
This section presents our main result. That is, we show the following theorem:
Theorem 1:
Given a hard language
As we would like to show fully black-box separation, it suffices to show the absence of a black-box construction of an NIZK for a specific
We implicitly assume that a CRS (resp., a proof) generated by
Observation on a CRS: As observed in [20], even if a CRS
Overview of The Adversary: Before formally demonstrating an adversary
A. Soundness Game and the Adversary
Step 1:
The challenger chooses $\tilde{\tau}$ uniformly, computes a CRS $\tilde{\sigma} \leftarrow \mathsf{M}.\mathsf{Crs}(\tilde{\tau})$ and sends it to the adversary. Let $Q_{\mathsf{leg}}$ be a list of CRSs and their trapdoors such that $ck \leftarrow Z(\mathsf{Crs}, \tau)$ appears during this step.
Step 2:
Given the CRS $\tilde{\sigma}$, the adversary $\mathcal{A}$ repeats the following $q^c$ times where $c$ is some constant: Sample $(x_i, w_i) \in R_{\mathcal{L}^O_n}$ and $(\hat{x}_i, \hat{w}_i) \in R_{\hat{\mathcal{C}}}$ uniformly, and obtain $\pi_i \leftarrow \mathsf{M}(\mathsf{Prv}, \tilde{\sigma}, x_i, \hat{x}_i, w_i, \hat{w}_i)$ and $b = \mathsf{M}(\mathsf{Vrf}, \tilde{\sigma}, x_i, \hat{x}_i, \pi)$. Let $Q_{\mathsf{triv}}$ be a set of $(ck, \tau)$ pairs such that a query $ck = Z(\mathsf{Crs}, \tau)$ or $Z(\mathsf{PrvSim}, ck, *, *, \tau, *) = \pi \neq \bot$ appears during this step. Roughly speaking, $Q_{\mathsf{triv}}$ is a set of pairs of a trapdoor and a CRS such that the adversary generates them in this phase or the pair is encoded in $\tilde{\sigma}$.
Step 3:
$\mathcal{A}$ chooses $w \in \{0, 1\}^n$ and $\hat{x} \in \hat{\mathcal{C}}$ uniformly and obtains $x = O(\mathsf{SmplNo}, w)$ and $x^* = O(\mathsf{SmplYes}, w)$. The adversary defines new partial oracles $O'$ and $Z'$ based on the query answer pairs that she has learned. That is, the adversary applies the swapping technique to $x$ and $x^*$ in $O$ and $Z$, respectively.
Partial Oracle $O'$
A new oracle $O'$ is obtained by swapping $x$ and $x^*$ in $O$. That is, $O'$ consists of the entries $O'(\mathsf{SmplYes}, w; x)$ and $O'(\mathsf{SmplNo}, w; x^*)$.
Partial Oracle $Z'$
The new oracle $Z'$ contains the entries $Z'(\mathsf{Prv}, *, x, w, *; \bot)$.
Let $\tilde{x} = (x^*, \hat{x})$ and $\tilde{w} = (w, \bot)$. The adversary invokes $\mathsf{M}^{O'', Z''}(\mathsf{Prv}, \tilde{\sigma}, \tilde{x}, \tilde{w})$ where $O''$ and $Z''$ are algorithms defined as follows:
Algorithm $O''$: Algorithm $O''$ works as follows:
If $O''$ is given a query registered in $O'$, then it returns the registered answer.
Otherwise, it forwards the query to $O$ and returns the answer.
Algorithm $Z''$: Let $Q_{\mathsf{intl}}$ be an initially empty set. Algorithm $Z''$ works as follows (recall that the bracket notation $[x]$ means a value that matches any value, and we denote the value by $x$ thereafter):
For any query registered in $Z'$, return the registered answer.
$Z''.\mathsf{Crs}$: For any query of the form $(\mathsf{Crs}, [\tau])$, return $ck = Z(\mathsf{Crs}, \tau)$ and record $(ck, \tau)$ in $Q_{\mathsf{intl}}$.
$Z''.\mathsf{Prv}$: For any query of the form $(\mathsf{Prv}, [ck], x^*, w, [r])$ with a legitimate CRS $ck$, obtain $c = Z(\mathsf{Com}, ck, w, r)$ and do the following:
If there exists an entry $(ck, [\tau]) \in Q_{\mathsf{triv}} \cup Q_{\mathsf{intl}}$, then return $\pi = Z(\mathsf{PrvSim}, ck, x^*, c, \tau)$ and record $(\mathsf{Prv}, ck, x^*, w, r; \pi)$ to $Z'$.
If there is no entry such that $(ck, [\tau]) \in Q_{\mathsf{triv}} \cup Q_{\mathsf{intl}}$, then choose $\pi \in \{0, 1\}^{10n}$ uniformly, return $\pi$ and record $(\mathsf{Prv}, ck, x^*, w, r; \pi)$ and $(\mathsf{Vrf}, ck, x^*, c, \pi; 1)$ to $Z'$.
For every other query, forward it to $Z$ and return the answer.
Once $\mathsf{M}.\mathsf{Prv}$ outputs a proof $\tilde{\pi}$, send $\tilde{x}$ and $\tilde{\pi}$ to the challenger.
Step 4:
Given $\tilde{x}$ and $\tilde{\pi}$, the challenger outputs $\mathsf{M}(\mathsf{Vrf}, \tilde{\sigma}, \tilde{x}, \tilde{\pi})$. If $\mathsf{M}(\mathsf{Vrf}, \tilde{\sigma}, \tilde{x}, \tilde{\pi}) = 1$, then the adversary wins.
B. Evaluation
We first introduce the following lemma, which is useful for the analysis of the adversary.
Lemma 3 [30]:
Let
We show that the challenger accepts the proof with noticeable probability by a hybrid argument. We start with the soundness game, and ultimately reach a situation where the challenger accepts the proof trivially. The first game, Game 0, is the soundness game itself. In the next four games, from
Game 0:
This is the soundness game; thus, $P_0 = P$.
Game 1:
This game excludes the case where a legitimate value suddenly appears without its prior generation by $O$ or $Z$. That is, we halt the game if one of the following events occurs:
A successful query that includes a legitimate CRS $ck$ is made but there is no entry $(ck, [\tau])$ in $Q_{\mathsf{leg}} \cup Q_{\mathsf{triv}} \cup Q_{\mathsf{intl}}$.
A successful query that includes one of the following:
$x \in \mathcal{L}^O_n$ or $x \in \mathcal{C}^O_n$
a legitimate commitment $c$
a legitimate proof $\pi$
Regarding the first case, the probability that a CRS without prior generation by $Z.\mathsf{Crs}$ is legitimate is bounded by $1/2^n$, as $H_{\mathsf{crs}}$ is a random injection such that $H_{\mathsf{crs}}: \{0, 1\}^n \rightarrow \{0, 1\}^{2n}$. Therefore, the probability that this query occurs can be evaluated if we take the union bound for the number of queries that are made during the soundness game. Recall that $\mathsf{M}$ makes at most $q$ queries in its execution. Thus, the number of queries made in Steps 1, 3 and 4 is at most $q$ each, since in these steps only a single subroutine of $\mathsf{M}$ is executed once (we ignore the instance sampling queries by $\mathcal{A}$ in Step 3 because they are obviously irrelevant to the query we are concerned with). In Step 2, $\mathsf{M}.\mathsf{Prv}$ and $\mathsf{M}.\mathsf{Vrf}$ are executed $q^c$ times. Thus, at most $2q \cdot q^c$ queries are made in this step (the instance sampling queries are ignored here as well). Since at most $3q + 2q^{c+1}$ queries are made in the game, the probability that the first case deviates is at most $(3q + 2q^{c+1})/2^n$. The other cases can be evaluated in the same manner by considering the domains of $H_{\mathsf{smpl}}: \{0, 1\}^{n+1} \rightarrow \{0, 1\}^{2n}$, $H_{\mathsf{com}}: \{0, 1\}^{4n} \rightarrow \{0, 1\}^{5n}$ and $H_{\mathsf{prf}}: \{0, 1\}^{9n} \rightarrow \{0, 1\}^{10n}$. Thus, we have
\begin{equation*} |P_1 - P_0| \leq 5(3q + 2q^{c+1})/2^n. \end{equation*}
Game 2:
We halt the game if a query including $w$ is made in Step 1 or 2. As $w$ is uniformly chosen by $\mathcal{A}$ and $\mathsf{M}.\mathsf{Crs}$ makes at most $q$ queries in Step 1, the probability that a query on $w$ is made in Step 1 is at most $q/2^n$. Recall that the adversary chooses $q^c$ witnesses and runs $\mathsf{M}.\mathsf{Prv}$ and $\mathsf{M}.\mathsf{Vrf}$ $q^c$ times in Step 2. As $\mathsf{M}$ makes at most $q$ queries, there are at most $q^c + 2q \cdot q^c$ chances to make a query on $w$ in Step 2. Thus, we have
\begin{equation*} |P_2 - P_1| \leq (q + q^c + 2q^{c+1})/2^n, \end{equation*}
which is negligible.
Game 3:
We halt the game if the challenger observes $b = 0$ in Step 2. This excludes the case in which the challenger learns nothing in this step. Note that the challenger observes $b = 0$ only when a completeness error occurs, as the challenger chooses values honestly in this step. As this step is executed $q^c$ times, we have
\begin{equation*} |P_3 - P_2| \leq q^c \cdot \rho_{\mathsf{co}}. \end{equation*}
Game 4:
We abort the game if a randomly assigned proof $\pi$ by $Z''$ in Step 3 appears as a result of a query to $Z.\mathsf{Prv}$ or $Z.\mathsf{PrvSim}$ by the end of Step 3. Similar to Game 1, there are at most $2q + 2q^{c+1}$ queries that may occur in this event (note that here we do not consider the case where this event occurs in Step 4). As $Z.\mathsf{Prv}$ and $Z.\mathsf{PrvSim}$ are implemented by the random injection $H_{\mathsf{prf}}$, the probability that such a $\pi$ is returned by $Z.\mathsf{Prv}$ or $Z.\mathsf{PrvSim}$ is at most $(2q + 2q^{c+1})/2^n$. Furthermore, as there are at most $q$ randomly assigned proofs, we have
\begin{equation*} |P_4 - P_3| \leq q(2q + 2q^{c+1})/2^n. \end{equation*}
Game 5:
This game excludes the case where the adversary fails to learn all the trivial CRSs embedded in $\tilde{\sigma}$ in Step 2 and its trapdoor appears suddenly in Step 3. That is, the game halts if $\mathsf{M}.\mathsf{Prv}$ in Step 3 makes a query $(\mathsf{PrvSim}, [ck], x, [c], [\tau])$ that results in a proof $\pi \neq \bot$ while $(ck, \tau) \notin Q_{\mathsf{triv}} \cup Q_{\mathsf{intl}}$.
As such a query results in a value other than $\bot$, it implies that $\tau$ is the trapdoor of $ck$. Furthermore, we excluded the case where a legitimate $ck$ appears without its generation by $Z$ in Game 1. Therefore, this is a case where a pair $(ck, \tau) \in Q_{\mathsf{leg}}$ does not appear in Step 2 but appears in Step 3. For each such pair, the probability that it does not appear in Step 2 but appears in Step 3 for the first time is bounded by $1/(eq^c)$ due to Lemma 3. As $\tilde{\sigma}$ contains at most $q$ such pairs, we have
\begin{equation*} |P_5 - P_4| \leq 1/(eq^{c-1}). \end{equation*}
Game 6:
Replace $O$ and $Z$ in Steps 1 and 2 with $O''$ and $Z''$, which contain the partial oracles $O'$ and $Z'$ defined at the end of Step 3, respectively. Observe that the randomness chosen by the adversary is independent of the oracles and of the randomness chosen by the challenger. Hence, modifying the game so that $\mathcal{A}$ chooses its randomness at the beginning of the soundness game does not affect the distribution of the soundness game. The view changes only if a query that includes $x^{*}$, $x$ or $w$ is made in Step 1 or Step 2, and we have already excluded such cases. Thus, we have $P_{6} = P_{5}$.
Game 7:
Replace $O$ and $Z$ in Step 4 with $O''$ and $Z''$, respectively. The view of the game changes only if $\mathsf{M}.\mathsf{Vrf}$ makes one of the following queries in Step 4:
A query $(\mathsf{PrvSim}, [ck], x, [c], [\tau])$ that results in $\pi \neq \bot$ while $(ck, \tau) \notin Q_{\mathsf{triv}} \cup Q_{\mathsf{intl}}$, and there already exists an entry $(\mathsf{Prv}, ck, x, w, r; \pi' \neq \bot)$ in $Z'$ such that $c = O(\mathsf{Com}, ck, w, r)$ and $\pi \neq \pi'$.
A query that is registered in $O'$ or $Z'$.
Let us elaborate the first query. The proof
Observe that the second kind of query falls into two cases:
A query that contains $w$, i.e., $(\mathsf{SmplYes}, w)$, $(\mathsf{SmplNo}, w)$ or $(\mathsf{Prv}, [ck], x, w, [r])$.
A query to $Z.\mathsf{Vrf}$ that verifies a proof randomly assigned by $Z''$ in Step 3.
We define two events regarding these queries and show that they are made with small probability. Let
Claim 1:
Claim 2:
The proofs of these claims appear after the proof of Theorem 1. Therefore, we obtain
\begin{align*} |P_{7} - P_{6}| \leq & 1/(eq^{c-1}) + \mathrm{Pr}[\textsf{AskW}] + \mathrm{Pr}[\textsf{VerPi}] \\ \leq & 1/(eq^{c-1}) + 2q/2^{n} + 3\rho_{\textsf{zk}} + \rho_{\textsf{ind}} + \hat{\rho}_{\textsf{ind}}.\end{align*}
Game 8:
Let $\textsf{R}_{\mathsf{o}}$ and $\textsf{R}_{\mathsf{zk}}$ be uniformly chosen partial oracles such that $O' \| \textsf{R}_{\mathsf{o}} \in \mathcal{O}_{n}$ and $Z' \| \textsf{R}_{\mathsf{zk}} \in \mathcal{Z}_{n}$. Replace $O''$ and $Z''$ with $O' \| \textsf{R}_{\mathsf{o}}$ and $Z' \| \textsf{R}_{\mathsf{zk}}$, respectively. Such oracles must exist since both $O$ and $Z$ are implemented by random injections.
Recall that in
Observe that now a proof generated by \begin{equation*} P_{8} \geq 1 - \rho _{\textsf {co}}.\end{equation*}
Summarizing the above evaluations, we have
\begin{align*} P \geq & 1 - (17q + 2q^{2} + q^{c} + 12q^{c+1} + 2q^{c+2})/2^{n} \\ & - 2/(eq^{c-1}) - (1 + q^{c})\rho_{\textsf{co}} - 3\rho_{\textsf{zk}} - \rho_{\textsf{ind}} - \hat{\rho}_{\textsf{ind}},\end{align*}
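The following decomposition is an added consistency check and is not part of the original paper: it collects the per-game losses established in Games 3 to 8 of this excerpt and compares their sum with the summary bound. Here $P$ is taken, as in the summary, to be the success probability in the original game, and the terms that the losses in this excerpt do not account for are assumed to come from Games 1 and 2, which precede this excerpt.

```latex
% Per-game losses established above (Games 3 to 8).
\begin{align*}
|P_{3}-P_{2}| &\leq q^{c}\rho_{\textsf{co}}, \\
|P_{4}-P_{3}| &\leq q(2q+2q^{c+1})/2^{n} = (2q^{2}+2q^{c+2})/2^{n}, \\
|P_{5}-P_{4}| &\leq 1/(eq^{c-1}), \\
|P_{6}-P_{5}| &= 0, \\
|P_{7}-P_{6}| &\leq 1/(eq^{c-1}) + 2q/2^{n} + 3\rho_{\textsf{zk}} + \rho_{\textsf{ind}} + \hat{\rho}_{\textsf{ind}}, \\
P_{8} &\geq 1-\rho_{\textsf{co}}.
\end{align*}
% Triangle inequality over the hops from Game 2 to Game 8.
\begin{align*}
P_{2} &\geq P_{8} - \sum_{i=2}^{7}|P_{i+1}-P_{i}| \\
&\geq 1 - (1+q^{c})\rho_{\textsf{co}} - (2q+2q^{2}+2q^{c+2})/2^{n} - 2/(eq^{c-1})
 - 3\rho_{\textsf{zk}} - \rho_{\textsf{ind}} - \hat{\rho}_{\textsf{ind}}.
\end{align*}
% Comparing with the summary bound on P (assumed to be P_0), the remaining
% loss, which must be absorbed by |P_1 - P_0| + |P_2 - P_1| (Games 1 and 2,
% not shown in this excerpt), is
\begin{equation*}
(17q+2q^{2}+q^{c}+12q^{c+1}+2q^{c+2})/2^{n} - (2q+2q^{2}+2q^{c+2})/2^{n}
 = (15q+q^{c}+12q^{c+1})/2^{n}.
\end{equation*}
```

Every term of the summary bound except the $(15q + q^{c} + 12q^{c+1})/2^{n}$ part is therefore accounted for within this excerpt; that residual is exactly the budget left for the first two game hops.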
Proof of Claim 1:
We evaluate
Game 7.1:
Let $\textsf{R}_{\mathsf{o}}$ and $\textsf{R}_{\mathsf{zk}}$ be uniformly chosen partial oracles such that $O' \| \textsf{R}_{\mathsf{o}} \in \mathcal{O}_{n}$ and $Z' \| \textsf{R}_{\mathsf{zk}} \in \mathcal{Z}_{n}$. Replace $O''$ and $Z''$ with $O' \| \textsf{R}_{\mathsf{o}}$ and $Z' \| \textsf{R}_{\mathsf{zk}}$, respectively. Note that such oracles must exist since both $O$ and $Z$ are implemented by random injections. Observe that the distribution in Game 7.1 differs from that of Game 7.0 only when a query in $O'$ or $Z'$ is made. Thus, we obtain $\mathrm{Pr}[\textsf{AskW}^{7.1}] = \mathrm{Pr}[\textsf{AskW}^{7.0}]$.
Game 7.2:
Replace $O' \| \textsf{R}_{\mathsf{o}}$ and $Z' \| \textsf{R}_{\mathsf{zk}}$ with $O \leftarrow \mathcal{O}_{n}$ and $Z \leftarrow \mathcal{Z}_{n}$. Furthermore, let the adversary run $\mathsf{M}.\mathsf{Prv}$ on a correct instance, i.e., on $(x^{*}, \hat{x})$. These modifications do not yield a difference between Game 7.1 and Game 7.2: in Game 7.1, the partial oracles $O'$ and $Z'$ are determined by the choice of oracles and randomness of the challenger and the adversary, while $\textsf{R}_{\mathsf{o}}$ and $\textsf{R}_{\mathsf{zk}}$ are chosen uniformly, so choosing the whole oracles uniformly does not change the view of the game. Hence, we have $\mathrm{Pr}[\textsf{AskW}^{7.2}] = \mathrm{Pr}[\textsf{AskW}^{7.1}]$.
Game 7.3:
Replace $\mathsf{M}.\mathsf{Crs}$ in Step 1 and $\mathsf{M}.\mathsf{Prv}$ in Step 3 with $\mathsf{M}.\mathsf{CrsSim}$ and $\mathsf{M}.\mathsf{PrvSim}$, respectively. Furthermore, let the challenger pass the trapdoor generated by $\mathsf{M}.\mathsf{CrsSim}$ to the adversary. We claim the following.
Claim 3: $\mathrm{Pr}[\textsf{AskW}^{7.2}] - \mathrm{Pr}[\textsf{AskW}^{7.3}] \leq \rho_{\textsf{zk}}$.
Proof of Claim 3:
We construct a stateful PPT adversary $\mathcal{B} = (\mathcal{B}_{0}, \mathcal{B}_{1})$ against the zero-knowledge property of $\mathsf{M}$ as follows.
$\mathcal{B}_{0}$: Given a CRS $\tilde{\sigma}$, sample $w \leftarrow \{0, 1\}^{n}$ and $\hat{x} \in \hat{\mathcal{C}}$ and obtain $x^{*} = O(\mathsf{SmplYes}, w)$. Set $\tilde{x} = (x^{*}, \hat{x})$ and $\tilde{w} = (w, \bot)$ and output $(\tilde{x}, \tilde{w})$. Note that $(\tilde{x}, \tilde{w})$ is chosen in the same way as by the challenger of Game 7.2 and Game 7.3.
$\mathcal{B}_{1}$: Given a proof $\tilde{\pi}$, run $\mathsf{M}(\mathsf{Vrf}, \tilde{\sigma}, \tilde{x}, \tilde{\pi})$. If $\mathcal{B}_{1}$ observes a query that includes $w$ during the execution of $\mathsf{M}.\mathsf{Vrf}$ (i.e., $\textsf{AskW}$ occurs), output $b' = 1$; otherwise output $b' = 0$.
Let $b$ denote the bit of the zero-knowledge challenger, where $b = 1$ means that $\mathcal{B}$ is given a real CRS and proof, as in Game 7.2, and $b = 0$ means that it is given simulated ones, as in Game 7.3. Then
\begin{align*} \mathrm{Pr}[b'=1 \mid b=1] = & \mathrm{Pr}[\textsf{AskW}^{7.2}],\\ \mathrm{Pr}[b'=1 \mid b=0] = & \mathrm{Pr}[\textsf{AskW}^{7.3}].\end{align*}
Hence, if $\mathrm{Pr}[\textsf{AskW}^{7.2}] - \mathrm{Pr}[\textsf{AskW}^{7.3}] > \rho_{\textsf{zk}}$, then
\begin{align*} \mathtt{AdvZK}_{\mathcal{B}, \mathsf{M}, \mathcal{L}^{O} \vee \hat{\mathcal{L}}} = & \mathrm{Pr}[b' = 1 \mid b = 1] - \mathrm{Pr}[b' = 1 \mid b = 0]\\ = & \mathrm{Pr}[\textsf{AskW}^{7.2}] - \mathrm{Pr}[\textsf{AskW}^{7.3}] > \rho_{\textsf{zk}},\end{align*}
which contradicts the zero-knowledge property of $\mathsf{M}$.
Now we show the bound on $\textsf{AskW}$. In Game 7.3, neither $\tilde{\sigma}$ nor $\tilde{\pi}$ depends on $w$, so the adversary learns nothing about $w$ beyond $x^{*} = O(\mathsf{SmplYes}, w)$, the image of $w$ under a random injection; hence each of its at most $q$ queries contains $w$ with probability at most $1/2^{n}$, i.e., $\mathrm{Pr}[\textsf{AskW}^{7.3}] \leq q/2^{n}$. Therefore,
\begin{align*} \mathrm{Pr}[\textsf{AskW}^{7.0}] = & \mathrm{Pr}[\textsf{AskW}^{7.1}] = \mathrm{Pr}[\textsf{AskW}^{7.2}] \\ \leq & \rho_{\textsf{zk}} + \mathrm{Pr}[\textsf{AskW}^{7.3}] \leq \rho_{\textsf{zk}} + q/2^{n}.\end{align*}
Proof of Claim 2:
Recall that
We introduce an alternative event, $\textsf{VerCrs}$, in which either $ck$ is trivial but the adversary failed to learn $(ck, \tau)$ in Step 2, or $ck$ is nontrivial.
Game 7.1' (The Same as Game 7.1):
Replace $O''$ and $Z''$ with $O' \| \textsf{R}_{\mathsf{o}}$ and $Z' \| \textsf{R}_{\mathsf{zk}}$, respectively. Similar to Game 7.1, we have $\mathrm{Pr}[\textsf{VerCrs}^{7.1'}] = \mathrm{Pr}[\textsf{VerCrs}^{7.0'}]$.
Game 7.2' (The Same as Game 7.2):
Replace $O' \| \textsf{R}_{\mathsf{o}}$ and $Z' \| \textsf{R}_{\mathsf{zk}}$ with $O \leftarrow \mathcal{O}_{n}$ and $Z \leftarrow \mathcal{Z}_{n}$. Furthermore, let the adversary run $\mathsf{M}^{O, Z}.\mathsf{Prv}$ on a correct instance, i.e., on $(x^{*}, \hat{x})$. Since the same discussion as in Game 7.2 applies, we have $\mathrm{Pr}[\textsf{VerCrs}^{7.2'}] = \mathrm{Pr}[\textsf{VerCrs}^{7.1'}]$.
Game 7.3' (The Same as Game 7.3):
Replace $\mathsf{M}.\mathsf{Crs}$ in Step 1 and $\mathsf{M}.\mathsf{Prv}$ in Step 3 with $\mathsf{M}.\mathsf{CrsSim}$ and $\mathsf{M}.\mathsf{PrvSim}$, respectively. Furthermore, let the challenger pass the trapdoor generated by $\mathsf{M}.\mathsf{CrsSim}$ to the adversary. We claim the following:
Claim 4: $\mathrm{Pr}[\textsf{VerCrs}^{7.2'}] - \mathrm{Pr}[\textsf{VerCrs}^{7.3'}] \leq \rho_{\textsf{zk}}$.
Proof of Claim 4:
We first construct a zero-knowledge adversary $\mathcal{B}' = (\mathcal{B}'_{0}, \mathcal{B}'_{1})$ as follows.
$\mathcal{B}'_{0}$: Given a CRS $\tilde{\sigma}$, execute Step 2 of the soundness game. Then, choose $w \in \{0, 1\}^{n}$ and $\hat{x} \in \hat{\mathcal{C}}$ uniformly and obtain $x^{*} = O(\mathsf{SmplYes}, w)$. Set $\tilde{x} = (x^{*}, \hat{x})$ and $\tilde{w} = (w, \bot)$ and output $(\tilde{x}, \tilde{w})$.
$\mathcal{B}'_{1}$: Given a proof $\tilde{\pi}$, run $\mathsf{M}(\mathsf{Vrf}, \tilde{\sigma}, \tilde{x}, \tilde{\pi})$. Output $b' = 1$ if $\mathcal{B}'_{1}$ observes $\textsf{VerCrs}$; otherwise output $b' = 0$.
As in the proof of Claim 3, $\mathrm{Pr}[b' = 1 \mid b = 1] = \mathrm{Pr}[\textsf{VerCrs}^{7.2'}]$ and $\mathrm{Pr}[b' = 1 \mid b = 0] = \mathrm{Pr}[\textsf{VerCrs}^{7.3'}]$, so the claim follows from the zero-knowledge property of $\mathsf{M}$ by the same argument.
Game 7.4':
Modify the adversary so that it chooses $(\hat{x}, \hat{w}) \in R_{\hat{\mathcal{L}}}$ instead of $\hat{x} \in \hat{\mathcal{C}}$ in Step 2 (i.e., $\mathcal{A}$ samples a (yes, yes)-instance). Note that since $\mathcal{A}$ runs $\mathsf{M}.\mathsf{PrvSim}$, $\hat{w}$ is not given to $\mathsf{M}.\mathsf{PrvSim}$. Recall that $\hat{\mathcal{L}}$ is a hard language, along with $\hat{\mathcal{C}}$. Thus, if $|\mathrm{Pr}[\textsf{VerCrs}^{7.4'}] - \mathrm{Pr}[\textsf{VerCrs}^{7.3'}]| > \hat{\rho}_{\textsf{ind}}$, this contradicts the instance indistinguishability of $\hat{\mathcal{L}}$; hence $|\mathrm{Pr}[\textsf{VerCrs}^{7.4'}] - \mathrm{Pr}[\textsf{VerCrs}^{7.3'}]| \leq \hat{\rho}_{\textsf{ind}}$.
Game 7.5':
Modify the adversary so that it chooses $(x^{*}, w) \in R_{\mathcal{C}}$ instead of $(x^{*}, w) \in R_{\mathcal{L}}$ (i.e., $\mathcal{A}$ samples a (no, yes)-instance). Similar to Game 7.4', we obtain $|\mathrm{Pr}[\textsf{VerCrs}^{7.5'}] - \mathrm{Pr}[\textsf{VerCrs}^{7.4'}]| \leq \rho_{\textsf{ind}}$.
Game 7.6':
Replace $\mathsf{M}.\mathsf{CrsSim}$ and $\mathsf{M}.\mathsf{PrvSim}$ with $\mathsf{M}.\mathsf{Crs}$ and $\mathsf{M}.\mathsf{Prv}$, respectively. Note that as $\mathcal{A}$ samples a (no, yes)-instance, the adversary runs $\mathsf{M}.\mathsf{Prv}$ on $\tilde{x} = (x^{*}, \hat{x})$ and $\tilde{w} = (\bot, \hat{w})$. Since the same discussion as in Game 7.3' applies, we have $\mathrm{Pr}[\textsf{VerCrs}^{7.5'}] - \mathrm{Pr}[\textsf{VerCrs}^{7.6'}] \leq \rho_{\textsf{zk}}$.
As
To sum up the above, we have
\begin{align*} \mathrm{Pr}[\textsf{VerCrs}^{7.0'}] = & \mathrm{Pr}[\textsf{VerCrs}^{7.1'}] = \mathrm{Pr}[\textsf{VerCrs}^{7.2'}] \\ \leq & \mathrm{Pr}[\textsf{VerCrs}^{7.3'}] + \rho_{\textsf{zk}} \\ \leq & \mathrm{Pr}[\textsf{VerCrs}^{7.4'}] + \rho_{\textsf{zk}} + \hat{\rho}_{\textsf{ind}} \\ \leq & \mathrm{Pr}[\textsf{VerCrs}^{7.5'}] + \rho_{\textsf{zk}} + \rho_{\textsf{ind}} + \hat{\rho}_{\textsf{ind}} \\ \leq & \mathrm{Pr}[\textsf{VerCrs}^{7.6'}] + 2\rho_{\textsf{zk}} + \rho_{\textsf{ind}} + \hat{\rho}_{\textsf{ind}} \\ \leq & q/2^{n} + 2\rho_{\textsf{zk}} + \rho_{\textsf{ind}} + \hat{\rho}_{\textsf{ind}}.\end{align*}
Consequently,
\begin{equation*} \mathrm{Pr}[\textsf{VerPi}^{7}] \leq 1/(eq^{c-1}) + q/2^{n} + 2\rho_{\textsf{zk}} + \rho_{\textsf{ind}} + \hat{\rho}_{\textsf{ind}}.\end{equation*}
Conclusion and Future Work
We have shown that there is no fully black-box construction of an NIZK for a disjunctive language based on CP-NIZKs. This result suggests that extending the class of languages an NIZK can prove requires relying on some concrete mathematical structure, even though the commit-and-prove methodology by itself is powerful enough to overcome the barrier shown in [22].
There remains room to study black-box language extension further. In particular, it may be possible to characterize the languages (or binary relations) for which NIZKs cannot be obtained in a black-box manner.