On the Impossibility of NIZKs for Disjunctive Languages From Commit-and-Prove NIZKs


Abstract:

This paper considers the problem of expanding a language class that can be proven by a non-interactive zero-knowledge proof system (NIZK) in a black-box manner in the common reference string model. Namely, given NIZKs for two languages, {\mathcal L}_{0} and {\mathcal L}_{1} , can we construct an NIZK for {\mathcal L}_{0} \vee {\mathcal L} _{1} in a black-box manner? NIZKs for disjunctive languages have a large number of applications, such as electronic voting. Therefore, such a black-box construction may enable the efficient constructions of such applications. However, Abe et al. (PKC 2020) showed that this is impossible if the two given NIZKs are simulation-sound. In this paper, we prove that it is also impossible if the two given NIZKs are constructed by the commit-and-prove methodology that is typically used in many cryptographic protocols, including NIZKs. This result suggests that if we want to augment the capability of NIZKs in terms of the languages they can prove, we should rely on certain properties or structures of the underlying NIZKs, such as algebraic structures.
Published in: IEEE Access ( Volume: 9)
Page(s): 51368 - 51379
Date of Publication: 01 February 2021
Electronic ISSN: 2169-3536
Authors:

Kyosuke Yamashita (Graduate School of Informatics, Kyoto University, Kyoto, Japan; National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan). Kyosuke Yamashita received the B.E. and M.E. degrees from Kyoto University, in 2013 and 2015, respectively, where he is currently pursuing the Ph.D. degree with the Graduate School of Informatics. He is also a Research Assistant with the National Institute of Advanced Industrial Science and Technology (AIST).

Mehdi Tibouchi (Graduate School of Informatics, Kyoto University, Kyoto, Japan; Secure Platform Laboratories, NTT Corporation, Tokyo, Japan). Mehdi Tibouchi received the Ph.D. degree in computer science from the University of Paris VII and the University of Luxembourg in 2011. He is currently a Distinguished Researcher at NTT Corporation and a Guest Associate Professor at Kyoto University.

Masayuki Abe (Graduate School of Informatics, Kyoto University, Kyoto, Japan; Secure Platform Laboratories, NTT Corporation, Tokyo, Japan). Masayuki Abe received the Ph.D. degree from The University of Tokyo, in 2002. He has been working with Nippon Telegraph and Telephone Corporation (NTT), Japan, since 1992. He is currently a Guest Professor with the Graduate School of Informatics, Kyoto University.

CCBY - IEEE is not the copyright holder of this material. Please follow the instructions via https://creativecommons.org/licenses/by/4.0/ to obtain full-text articles and stipulations in the API documentation.
SECTION I.

Introduction

A. Non-Interactive Zero-Knowledge Proof System

A non-interactive zero-knowledge proof system (NIZK) [1] is a cryptographic protocol between two parties, a prover and a verifier. Given a statement for an NP language, the prover, who is the only one possessing a witness, proves the validity of the statement without leaking anything other than the validity of the statement. Recently, efficient construction methods for NIZKs have been proposed, such as GS-NIZK [2] and QA-NIZK [3], and NIZKs are used to build cryptographic applications.

A typical methodology that is employed in NIZKs is the commit-and-prove methodology [4]–​[6]. Roughly speaking, this technique guarantees that, given a proof and a commitment, the proof is carried out with respect to the opening of the commitment. NIZKs that employ the commit-and-prove methodology (CP-NIZKs) are seen in the literature [2], [7]–​[10]. The commit-and-prove methodology itself is of interest. For instance, as noted in [11], the commit-and-prove technique is standard when one wants to prove that the witnesses to two distinct statements are the same [10], [12]–​[15].

One of the most notable applications of CP-NIZKs is Zcash [16], which uses zk-SNARK by [17] to guarantee the anonymity of users. In fact, the zk-SNARK does not explicitly employ a commit-and-prove methodology. However, as mentioned in [18], a prover in Zcash proves knowledge about a committed value, and thus we can regard Zcash as an application of a CP-NIZK.

B. Black-Box Language Extension

A language {\mathcal L}_{0} \diamond {\mathcal L} _{1} such that \diamond \in \{\wedge, \vee \} is referred to as an extended language. NIZKs for extended languages are important from the perspective of both theory and practice. The well-known Naor-Yung construction [19] uses an NIZK for a conjunctive language to construct a chosen ciphertext attack secure public key encryption scheme. In electronic voting protocols such as Helios, an NIZK for a disjunctive language is employed to guarantee the validity of votes. Therefore, a black-box construction of NIZKs for extended languages may help in obtaining efficient constructions for these applications.

Abe et al. [20] showed the (im)possibility of extending a language class that can be proven by NIZKs in a black-box manner. They showed that, given simulation-sound NIZKs (SS-NIZKs) [21] for a language {\mathcal L}_{0} , it is impossible to construct a (standard) NIZK for {\mathcal L}_{0} \vee {\mathcal L} _{1} , where {\mathcal L}_{1} is some NP language. Note that, given NIZKs for {\mathcal L}_{0} and {\mathcal L}_{1} , we can trivially construct a standard NIZK for {\mathcal L}_{0} \land {\mathcal L} _{1} by executing the given NIZKs in parallel. Furthermore, Yamashita et al. [22] showed a negative result on a more involved language. That is, they showed that, given an NIZK that proves the validity of the ciphertext of a chosen plaintext attack secure public key encryption scheme (CPA-PKE), it is impossible to construct an NIZK that proves the equality of the plaintexts behind two distinct ciphertexts (i.e., the NIZK employed in the Naor-Yung construction [19]) in a black-box manner.

It is somewhat folklore that we can construct an NIZK that proves witness equality if the underlying NIZKs are CP-NIZKs. Suppose that we are given CP-NIZKs for distinct languages {\mathcal L}_{0} and {\mathcal L}_{1} that share the same commitment scheme. Then, we can construct an NIZK for the language {\mathcal L}= \{x_{0}, x_{1} \, | \, \exists w_{0}, w_{1} \, \textrm {such that} \, (x_{0}, w_{0}) \in R_{\mathcal L_{0}} \land (x_{1}, w_{1}) \in R_{\mathcal L_{1}} \land w_{0}=w_{1}\} by executing both NIZKs on the same commitment. In other words, the commit-and-prove methodology trivially breaks the barrier presented in [22]. However, it is not clear whether a commit-and-prove technique overcomes the negative result for disjunctive languages by [20]. Hence, the following question is still open:

Is it possible to construct an NIZK for a disjunctive language based on CP-NIZKs in a black-box manner?

C. Our Contribution

We investigate the above problem and answer negatively. That is, there is no fully black-box construction of an NIZK for a disjunctive language based on CP-NIZKs. In this paper, we first formalize CP-NIZKs and introduce an oracle that implements a CP-NIZK for a certain language. Then, we demonstrate a polynomial-time adversary that attacks the soundness of an NIZK for a disjunctive language.

Specifically, let {O} be a certain oracle and {Z} be an oracle that implements a CP-NIZK for an oracle-relativized language, denoted by {\mathcal L}^{O} . Assume that there exists a black-box construction \textsf {M}^{O, {Z}} of a proof system for {\mathcal L}^{O} \vee {\mathcal L} ' that is complete and zero-knowledge, where {\mathcal L}' is some language. Then, we can construct an adversary that breaks the soundness of {\mathsf {M}} in the standard soundness game. This result suggests that if we want to augment the capability of NIZKs in terms of the languages they prove, we should rely on certain algebraic structures.

D. Technical Overview

We follow the “swapping technique” that is introduced in [20] in the construction of our adversary. The idea behind the technique is the following: Let {O} be an oracle implemented by a uniformly chosen random injection and {\mathcal L}^{O} = \{x \, | \, \exists \, w \, \textrm {such that} \, x = {O}(w)\} be a language. Let x = {O}(w) for some w and x' \notin {\mathcal L} ^{O} , where |x| = |x'| . Suppose that we are considering a game between a challenger and an adversary, and the adversary internally simulates some oracle algorithm. When the algorithm makes a query to {O} on w , the adversary actually relays the query to the oracle. Even if the adversary returns x' as the answer to the algorithm (i.e., the adversary sets x':= {O}(w) ), the algorithm cannot detect this swap, as {O} is implemented by a random injection. In other words, there must be another “correct” oracle {O}' that maps w to x' in the oracle distribution. Thus, the simulated algorithm runs correctly and outputs its result based on the swapped value.

Our adversary works as follows: Let {\mathsf {M}} be a black-box construction of a proof system for a disjunctive language that is complete and zero-knowledge. Given a common reference string in a soundness game, the adversary runs the prover algorithm of {\mathsf {M}} on a false statement. The adversary cheats the prover by following the above swapping technique, and finally the prover outputs a (forged) proof. This proof should pass the verification by {\mathsf {M}} since it is generated by the prover. Actually, the oracle {O} and the construction of the adversary are more involved. See Section IV for more details.

E. Related Work

Utilizing NIZK oracles in a black-box framework was initiated by Brakerski et al. [23]. They introduced an oracle that implements an NIZK for an NP-complete language and showed that, even in the presence of this NIZK oracle, there is no fully black-box construction of a key agreement protocol from a one-way function, thereby extending the well-known separation of Impagliazzo and Rudich [24]. Follow-up work to [23] treats more sophisticated primitives, such as functional encryption [25] and garbled circuits [26].

As mentioned earlier, many CP-NIZKs have been proposed [2], [7]–​[10]. For instance, in [10], a commit-and-prove methodology plays an essential role in obtaining a modular composition of zk-SNARKs.

A \Sigma -protocol for a disjunctive language is already known [27]. Therefore, an NIZK for a disjunctive language can be obtained in the random oracle model by applying the Fiat-Shamir transformation [28] to that \Sigma -protocol. However, this does not diminish the significance of this work, since we consider NIZKs in the common reference string (CRS) model.

F. Paper Organization

In Section II, we introduce basic notation. In particular, we formalize CP-NIZKs by following the definition in [7]. In Section III, we introduce an oracle that implements a CP-NIZK for a certain language and show that the oracle indeed constitutes a CP-NIZK. Section IV provides our main result on the black-box construction of an NIZK for a disjunctive language based on a CP-NIZK. Finally, Section V concludes this paper and presents several remaining tasks.

SECTION II.

Preliminaries

A. Basic Notation

We denote by n \in {\mathbb {N}} a security parameter throughout this paper. A polynomial function and a negligible function are denoted by poly and negl, respectively. For a finite set X , the notation x \leftarrow X represents a sampling of an instance x \in X with a uniform distribution over X . Similarly, for an algorithm A , the computation that A takes x as input and outputs y is denoted by y \leftarrow A(x) . A probabilistic polynomial-time Turing machine is denoted by PPT. A Turing machine {\mathsf {M}} that has access to an oracle {O} is called an oracle Turing machine, denoted by \textsf {M}^{O} . For an NP language {\mathcal L} , the NP relation is denoted by R_{\mathcal L} , and we let {\mathcal L}_{n}:= {\mathcal L}\cap \{0, 1\}^{n} and R_{n}:= \{ (x, w) \, | \, (x, w) \in R_{\mathcal L} \wedge x \in {\mathcal L} _{n}\} . For a function f , we denote the inverse function by f^{-1} . When y has no preimage, we write f^{-1}(y) = \bot . For a function f: \{0, 1\}^{n_{1}} \rightarrow \{0, 1\}^{n_{2}} , where n_{1} < n_{2} , we say y \in \{0, 1\}^{n_{2}} is legitimate with respect to f if y has a preimage x s.t. f(x) = y . We say that a query to an oracle is successful if it has a result other than \bot .

The notation y \leftarrow {O} (x) represents that a query to an oracle {O} on x results in y . We use oracles and algorithms that implement several functionalities. We denote by \textsf {M}(\textsf {func}, x) an algorithm or an oracle {\mathsf {M}} that works as a functionality {\mathsf {func}} on input x . If the input is not important in the context, we write \textsf {M}.\textsf {func} to denote the functionality {\mathsf {func}} implemented by {\mathsf {M}} . We regard an oracle {O} as a set of entries (\textsf {func}, x; y) where {\mathsf {func}} is a function implemented by {O} , x is an input of {\mathsf {func}} and y is an output s.t. y \leftarrow {O} (\textsf {func}, x) . We denote by {O}(\textsf {func}, x, y) such an entry.

We use bracket notation [\cdot] to represent a variable that matches any value; for instance, y \leftarrow {O} ([x]) is a query that results in y , and we refer to the input value as x thereafter. When the matched value is not important in the context, we write y \leftarrow {O} (*) .

A partial oracle S of an oracle {O} is a set that is defined on only some subset of the inputs of {O} , and S is consistent with {O} if there exists another set S' s.t. S \cup S' = {O} . We sometimes denote an oracle S by S = S_{1} || S_{2} || \cdots , where the S_{i} are partial oracles and S works as follows: Given a query on x , it first searches for a matching entry S_{1}(x, [y]) and returns y if such an entry exists; otherwise it searches S_{2} , and so on.

In this paper, we focus on an NIZK, which is formally defined as follows:

Definition 1 (NIZK):

A tuple of PPTs \Pi = (\Pi. \mathsf {Crs},\,\,\Pi. \mathsf {Prv},\,\,\Pi. \mathsf {Vrf},\,\,\Pi. \mathsf {CrsSim},\,\,\Pi. \mathsf {PrvSim}) that work as described below is a non-interactive zero-knowledge proof system (NIZK) for a language {\mathcal L} .

  • \Pi. \mathsf {Crs} :\sigma \leftarrow \Pi (\mathsf {Crs}, \tau)

    Given a trapdoor \tau , output a common reference string (CRS) \sigma .

  • \Pi. \mathsf {Prv} : \pi \leftarrow \Pi (\mathsf {Prv}, \sigma, x, w)

    Given a CRS \sigma , an instance x and a witness w , output a proof \pi or \bot .

  • \Pi. \mathsf {Vrf} : b \leftarrow \Pi (\mathsf {Vrf}, \sigma, x, \pi)

    Given a CRS \sigma , an instance x and a proof \pi , output a bit b \in \{0, 1\} where 1 means accept and 0 means reject.

  • \Pi. \mathsf {CrsSim} :(\sigma, \tau) \leftarrow \Pi (\mathsf {CrsSim}, \tau)

    Given a trapdoor \tau , output \tau and a CRS \sigma .

  • \Pi. \mathsf {PrvSim} : \pi \leftarrow \Pi (\mathsf {PrvSim}, \sigma, x, \tau)

    Given a CRS \sigma , an instance x and a trapdoor \tau , output a proof \pi or \bot .

Definition 2 (Security Properties of NIZKs):

An NIZK \Pi for a language {\mathcal L} has the following properties.

  • Completeness: For any n \in {\mathbb {N}} , any \sigma \leftarrow \Pi (\mathsf {Crs}, \tau) and any (x, w) \in R_{\mathcal L} , \mathrm {Pr}[\Pi (\mathsf {Vrf}, \sigma, x, \Pi (\mathsf {Prv}, \sigma, x, w)) = 1] \geq 1-\mathrm {negl}(n) .

  • Soundness: For any PPT adversary {\mathcal{ A}} , the following holds:

    \mathrm {Pr}\left[\sigma \leftarrow \Pi (\mathsf {Crs}, \tau);\ (x, \pi) \leftarrow {\mathcal{ A}} (\sigma) \;:\; \Pi (\mathsf {Vrf}, \sigma, x, \pi) = 1 \land x \notin {\mathcal L}\right] \leq \mathrm {negl}(n).

  • Adaptive Zero-Knowledge: For any stateful PPT adversary {\mathcal{ A}} , the following holds:

    {\tt AdvZK}_{{\mathcal A}, \Pi, {\mathcal L}}(n) = \mathrm {Pr}\left[\sigma \leftarrow \Pi (\mathsf {Crs}, \tau);\ (x, w) \leftarrow {\mathcal{ A}} (\sigma);\ \pi \leftarrow \Pi (\mathsf {Prv}, \sigma, x, w) \;:\; {\mathcal{ A}}(\pi) = 1 \land (x, w) \in R_{\mathcal L}\right] - \mathrm {Pr}\left[(\sigma, \tau) \leftarrow \Pi (\mathsf {CrsSim}, \tau);\ (x, w) \leftarrow {\mathcal{ A}} (\sigma);\ \pi \leftarrow \Pi (\mathsf {PrvSim}, \sigma, x, \tau) \;:\; {\mathcal{ A}}(\pi) = 1 \land (x, w) \in R_{\mathcal L}\right] \leq \mathrm {negl}(n).

We formally define a commit-and-prove NIZK. We partially follow the definition in [7], but there are some differences. We will explain the differences after the definition.

Definition 3 (CP-NIZK):

A tuple of Turing machines \Pi = (\Pi. \mathsf {Crs}, \Pi. \mathsf {Com}, \Pi. \mathsf {Prv},\,\,\Pi. \mathsf {Vrf}, \Pi. \mathsf {CrsSim}, \Pi. \mathsf {ComSim},\,\,\Pi. \mathsf {PrvSim}) that work as follows is a commit-and-prove non-interactive zero-knowledge proof system (CP-NIZK) for a language {\mathcal L} .

  • \Pi. \mathsf {Crs} :ck \leftarrow \Pi (\mathsf {Crs}, \tau)

    Given a trapdoor \tau , output a CRS (or a commitment key) ck .

  • \Pi. \mathsf {Com} : c \leftarrow \Pi (\mathsf {Com}, ck, w, r)

    Given a CRS ck , a witness w and a randomness (or an opening) r , output a commitment c or \bot .

  • \Pi. \mathsf {Prv} : \pi \leftarrow \Pi (\mathsf {Prv}, ck, x, w, r)

    Given a CRS ck , an instance x , a witness w and a randomness r , output a proof \pi or \bot .

  • \Pi. \mathsf {Vrf} : b \leftarrow \Pi (\mathsf {Vrf}, ck, x, c, \pi)

    Given a CRS ck , an instance x , a commitment c and a proof \pi , output a bit b \in \{0, 1\} where 1 means accept and 0 means reject.

  • \Pi. \mathsf {CrsSim} : (ck, \tau) \leftarrow \Pi (\mathsf {CrsSim}, \tau)

    Given a trapdoor \tau , output a CRS ck and \tau .

  • \Pi. \mathsf {ComSim} : c \leftarrow \Pi (\mathsf {ComSim}, ck, \tau, r)

    Given a CRS ck , a trapdoor \tau and a randomness r , output a commitment c if ck = \Pi (\mathsf {Crs}, \tau) , otherwise \bot .

  • \Pi. \mathsf {PrvSim} : \pi \leftarrow \Pi (\mathsf {PrvSim}, ck, x, c,\tau)

    Given a CRS ck , an instance x , a commitment c and a trapdoor \tau , output \pi .

Definition 4 (Security Properties of CP-NIZKs):

A CP-NIZK \Pi for a language {\mathcal L} satisfies the following conditions.

  • Completeness: For any n \in {\mathbb {N}} , any ck \leftarrow \Pi (\mathsf {Crs}, \tau) , any (x, w) \in R_{\mathcal L} and any c \leftarrow \Pi (\mathsf {Com}, ck, w, [r]) , \mathrm {Pr}[\Pi (\mathsf {Vrf}, ck, x, c, \Pi (\mathsf {Prv}, ck, x, w, r)) = 1] \geq 1-\mathrm {negl}(n) .

  • Soundness: For any PPT adversary {\mathcal{ A}} , the following holds:

    \mathrm {Pr}\left[ck \leftarrow \Pi (\mathsf {Crs}, \tau);\ (x, c, \pi) \leftarrow {\mathcal{ A}} (ck) \;:\; \Pi (\mathsf {Vrf}, ck, x, c, \pi) = 1 \land x \notin {\mathcal L}\right] \leq \mathrm {negl}(n).

  • Composable Zero-Knowledge: \Pi is composable zero-knowledge if the following two conditions hold:

    • For any PPT {\mathcal{ A}} , the following advantage {\tt AdvKeyIND}_{\Pi, {\mathcal{ A}}, {\mathcal L}} is negligible in n : |\mathrm {Pr}[ck \leftarrow \Pi (\mathsf {Crs}, \tau): 1 \leftarrow {\mathcal{ A}} (ck)] - \mathrm {Pr}[(ck, \tau) \leftarrow \Pi (\mathsf {CrsSim}, \tau): 1 \leftarrow {\mathcal{ A}} (ck)]| .

    • For any stateful PPT {\mathcal{ A}} , the following advantage {\mathtt AdvPrfIND}_{\Pi, {\mathcal{ A}}, {\mathcal L}} is negligible in n :

      \left|\, \mathrm {Pr}\left[(ck, \tau) \leftarrow \Pi (\mathsf {CrsSim}, \tau);\ (x, c, w) \leftarrow {\mathcal{ A}}^{O_{0}(\cdot)}(ck, \tau);\ \textrm{if } (w, [r], c) \in Q \textrm{ then } \pi \leftarrow \Pi (\mathsf {Prv}, ck, x, w, r), \textrm{ otherwise output } \bot \;:\; {\mathcal{ A}}(\pi) = 1 \land (x, w) \in R_{\mathcal L}\right] - \mathrm {Pr}\left[(ck, \tau) \leftarrow \Pi (\mathsf {CrsSim}, \tau);\ (x, c, w) \leftarrow {\mathcal{ A}}^{O_{1}(\cdot)}(ck, \tau);\ \textrm{if } (w, [r], c) \in Q \textrm{ then } \pi \leftarrow \Pi (\mathsf {PrvSim}, ck, x, c, \tau), \textrm{ otherwise output } \bot \;:\; {\mathcal{ A}}(\pi) = 1 \land (x, w) \in R_{\mathcal L}\right] \right|

      where {O}_{0} = \Pi (\mathsf {Com}, ck, *, *) , {O}_{1} = \Pi (\mathsf {ComSim}, ck, \tau, *) and Q is a list maintained by the challenger as follows (note that {\mathcal{ A}} actually calls an oracle through the challenger): When {\mathcal{ A}} calls {O}_{0} or {O}_{1} , it sends a witness w to the challenger; the challenger chooses a randomness r uniformly, computes c = \Pi (\mathsf {Com}, ck, w, r) or c = \Pi (\mathsf {ComSim}, ck, \tau, r) , respectively, returns c to {\mathcal{ A}} and records (w, r, c) in Q .

There are three differences between our definition and the definition in [7]. First, in [7], every algorithm of a CP-NIZK takes a tag as an input to identify the type of the value that is given, such as a group element or a field element, while we do not require such a tag. Second, they divide a witness into pieces, while we treat only a single witness, because this is sufficient for our purpose. Finally, in the composable zero-knowledge game of [7], the adversary outputs a statement and indices that correspond to the witnesses and commitments it chooses, while ours outputs a statement, a single witness and a single commitment.

We consider the impossibility of a black-box construction of a primitive, and define a black-box construction of a primitive below.

Definition 5 [29]:

There exists a (fully) black-box construction of a primitive Q from a primitive P if there exist PPT oracle machines G and S s.t.

  • For any implementation f of P , G^{f} implements Q .

  • For any implementation f of P and any oracle Turing machine M , if M^{f} breaks the security of Q , then S^{f, M} breaks the security of P .

This work focuses on a black-box construction of an NIZK for disjunctive languages. We formally define an extended language, which includes disjunctive languages.

Definition 6 (Extended Language [20]):

Let {\mathcal L} and \hat {\mathcal L} be languages, and let \diamond \in \{\vee, \wedge \} denote a logical binary operator. An extended language is defined as the union \bigcup _{n}({\mathcal L}_{n} \diamond \hat {\mathcal L_{n}}) , where {\mathcal L}_{n} \diamond \hat {\mathcal L_{n}}:= \{(x, \hat {x}) \, | (x \in {\mathcal L} _{n}) \diamond (\hat {x} \in \hat {\mathcal L_{n}}) \} . An extension is nontrivial if {\mathcal L}_{n} \diamond \hat {\mathcal L_{n}} \notin {\mathcal L} _{n'} for any n and n' .

If a statement (x, x^{*}) for an extended language {\mathcal L}\diamond \hat {\mathcal L} satisfies x \in {\mathcal L} and x^{*} \in \hat {\mathcal L} , we call it a (yes, yes)-instance, and we define (yes, no)-, (no, yes)- and (no, no)-instances in the obvious way.

In this work we treat a CP-NIZK for a hard language, which is defined as follows, since it is convenient for our purpose.

Definition 7 (Hard Language):

Let R be an efficiently verifiable binary relation. Let {\mathcal L}_{n} = \{x \in \{0, 1\}^{ \mathop {\mathrm {poly}}\nolimits (n)} \, | \, \exists w \in \{0, 1\}^{ \mathop {\mathrm {poly}}\nolimits '(n)} \, \textrm {such that} \, R(x, w) = 1\} and {\mathcal L}= \bigcup _{n} {\mathcal L}_{n} . Let {\mathcal C}_{n} \subseteq \{0, 1\}^{ \mathop {\mathrm {poly}}\nolimits (n)} be a set and {\mathcal C}= \bigcup _{n} {\mathcal C}_{n} . Then, {\mathcal L} is \epsilon _{\mathsf {ind}} -hard if the following hold:

  • For any security parameter n , {\mathcal L}_{n} \cap {\mathcal C} _{n} = \emptyset .

  • {\mathcal L} and {\mathcal C} are efficiently samplable. That is, for any security parameter n , distributions \mathcal {D}_{\mathcal L_{n}} and \mathcal {D}_{\mathcal C_{n}} exist from which {\mathcal L}_{n} and {\mathcal C}_{n} are efficiently samplable respectively.

  • For any PPT {\mathcal{ A}} and any security parameter n , it holds that

    \mathtt {LangIND}_{{\mathcal L}_{n}, {\mathcal C}_{n}, {\mathcal{ A}}}(n) = \left|\mathrm {Pr}[x \leftarrow \mathcal {D}_{{\mathcal L}_{n}} : 1 \leftarrow {\mathcal{ A}}(x)] - \mathrm {Pr}[x \leftarrow \mathcal {D}_{{\mathcal C}_{n}} : 1 \leftarrow {\mathcal{ A}}(x)]\right| \leq \epsilon _{\mathsf {ind}},

    where \epsilon _{\mathsf {ind}} is negligible.

SECTION III.

A CP-NIZK Oracle

In this section, we introduce an oracle that implements a CP-NIZK for a hard language and demonstrate that such an oracle indeed constitutes a CP-NIZK. Before introducing the CP-NIZK oracle, we define another oracle that implements a hard language as follows:

Definition 8 (Oracle{O} ):

Let H_{\mathsf {smpl}}: \{0, 1\}^{n+1} \rightarrow \{0, 1\}^{2n} be a random injection. An oracle {O} provides the three functionalities \mathsf {SmplYes} , \mathsf {SmplNo} and {\mathsf {Promise}} as follows:

  • {O}. \mathsf {SmplYes} : x \leftarrow {O} (\mathsf {SmplYes}, w)

    Given w \in \{0, 1\}^{n} , compute x \leftarrow H_{\mathsf {smpl}}(1 || w) and output x .

  • {O}. \mathsf {SmplNo} : x \leftarrow {O} (\mathsf {SmplNo}, w)

    Given w \in \{0, 1\}^{n} , compute x \leftarrow H_{\mathsf {smpl}}(0 || w) and output x .

  • {O}.\mathsf {Promise} : b \leftarrow {O} (\mathsf {Promise}, x)

    Given x \in \{0, 1\}^{2n} , output 0 if H^{-1}_{\mathsf {smpl}}(x) = \bot (i.e., x has no preimage under H_{\mathsf {smpl}} ), otherwise 1.

Let \mathcal {O}_{n} be the set of all oracles that satisfy the above syntax with security parameter n , and let \mathcal {O} be the collection of \mathcal {O}_{n} for all n > 0 .

For {O}\in \mathcal {O}_{n} , let \textsf {L}^{O} = (\textsf {L}^{O}. \mathsf {SmplYes}, \textsf {L}^{O}. \mathsf {SmplNo},\,\,\textsf {L}^{O}.\textsf {Promise}) be an oracle machine that works as follows:

  • Given (\mathsf {SmplYes}, w) , output x \leftarrow {O} (\mathsf {SmplYes}, w) .

  • Given (\mathsf {SmplNo}, w) , output x \leftarrow {O} (\mathsf {SmplNo}, w) .

  • Given ({\mathsf {Promise}}, x) , output b \leftarrow {O} ({\mathsf {Promise}}, x) .

It is known that {\mathsf {L}}^{O} constitutes a hard language as shown in the following lemma:

Lemma 1 [20]:

The algorithm {\mathsf {L}}^{O} constitutes a hard language ({\mathcal L}^{O}_{n}, {\mathcal C}^{O}_{n}) where

{\mathcal L}^{O}_{n} = \{x \, | \, \exists w \, \textrm {such that} \, x = H_{\mathsf {smpl}}(1||w) \}, \qquad {\mathcal C}^{O}_{n} = \{x \, | \, \exists w \, \textrm {such that} \, x = H_{\mathsf {smpl}}(0||w) \}.

Now, we introduce an oracle that almost directly implements a CP-NIZK for {\mathcal L}^{O}_{n} . The oracle has several functionalities, and some of them are implemented by random injections, which are accessible only within the interfaces. Namely, the CRS generator and prover interfaces (i.e., \mathsf {Crs} , \mathsf {Prv} and \mathsf {PrvSim} ) are implemented by random injections H_{\textsf {crs}} and H_{\textsf {prf}} , respectively, where these random injections work only when valid inputs are given to the interfaces. We guarantee the soundness of a proof generated by the oracle by making the prover interfaces so that they work only when they are given a correct witness or a trapdoor of a CRS.

Definition 9:

Let {O}\in \mathcal {O}_{n} be an oracle of the kind that is defined in Definition 8, and let {\mathcal L}^{O}_{n} be the language defined in Lemma 1. A CP-NIZK oracle {Z}= ({Z}. \mathsf {Crs},\,\, {Z}. \mathsf {Com},\,\, {Z}. \mathsf {Prv},\,\, {Z}. \mathsf {Vrf},\,\, {Z}. \mathsf {PrvSim}) for {\mathcal L}^{O}_{n} is equipped with random injections H_{\mathsf {crs}}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{2n} , H_{\mathsf {com}}: \{0, 1\}^{4n} \rightarrow \{0, 1\}^{5n} and H_{\mathsf {prf}}: \{0, 1\}^{9n} \rightarrow \{0, 1\}^{10n} that implement the functionalities below.

  • {Z}. \mathsf {Crs} : ck \leftarrow {Z} (\mathsf {Crs}, \tau)

    Given a trapdoor \tau \in \{0, 1\}^{n} , output a CRS ck \leftarrow H_{\mathsf {crs}}(\tau) .

  • {Z}. \mathsf {Com} : c \leftarrow {Z} (\mathsf {Com}, ck, w, r)

    Given a CRS ck \in \{0, 1\}^{2n} , a witness w \in \{0, 1\}^{n} and a randomness r \in \{0, 1\}^{n} , output a commitment c \leftarrow H_{\mathsf {com}}(ck || w || r) if there exists a trapdoor \tau such that H^{-1}_{\mathsf {crs}}(ck) = \tau , otherwise output \bot .

  • {Z}. \mathsf {Prv} : \pi \leftarrow {Z}(\mathsf {Prv}, ck, x, w, r)

    Given a CRS ck \in \{0, 1\}^{2n} , a statement x \in \{0, 1\}^{2n} , a witness w \in \{0, 1\}^{n} and a randomness r \in \{0, 1\}^{n} , if (x, w) \in R_{\mathcal L^{O}_{n}} and there exists a trapdoor \tau such that H^{-1}_{\mathsf {crs}}(ck) = \tau , then compute c = H_{\mathsf {com}}(ck || w || r) and output a proof \pi \leftarrow H_{\mathsf {prf}}(ck || x || c) , otherwise output \bot .

  • {Z}. \mathsf {Vrf} :b \leftarrow {Z} (\mathsf {Vrf}, ck, x, c, \pi)

    Given a CRS ck \in \{0, 1\}^{2n} , a statement x \in \{0, 1\}^{2n} , a commitment c \in \{0, 1\}^{5n} and a proof \pi \in \{0, 1\}^{10n} , output 1 if \pi = H_{\mathsf {prf}}(ck || x || c) . Otherwise output 0.

  • {Z}. \mathsf {PrvSim} : \pi \leftarrow {Z}(\mathsf {PrvSim}, ck, x, c, \tau)

    Given a CRS ck \in \{0, 1\}^{2n} , a statement x \in \{0, 1\}^{2n} , a commitment c \in \{0, 1\}^{5n} and a trapdoor \tau \in \{0, 1\}^{n} , if ck = H_{\mathsf {crs}}(\tau) then output a proof \pi \leftarrow H_{\mathsf {prf}}(ck || x || c) , otherwise output \bot .

Let \mathcal {Z}_{n} be the set of all oracles that satisfy the above syntax with security parameter n , and let \mathcal {Z} be the collection of \mathcal {Z}_{n} for all n > 0 . The reader may wonder why the above oracle lacks interfaces that implement \mathsf {CrsSim} and \mathsf {ComSim} . The reason is that we can construct such functionalities from {Z}. \mathsf {Crs} and {Z}. \mathsf {Com} , respectively, as shown next.

A Construction of a CP-NIZK

Let {O}\in \mathcal {O}_{n} be an oracle of the type defined in Definition 8, {\mathcal L}^{O}_{n} be the language defined in Lemma 1 and {Z}\in \mathcal {Z}_{n} be an oracle of the type defined in Definition 9. We construct {\mathsf {M}} for a CP-NIZK for {\mathcal L}^{O}_{n} based on {O} and {Z} as follows:

  • {\mathsf {M}}. \mathsf {Crs} : ck \leftarrow {\mathsf {M}}(\mathsf {Crs}, \tau)

    Given a trapdoor \tau , output {Z}(\mathsf {Crs}, \tau) .

  • {\mathsf {M}}. \mathsf {Com} : c \leftarrow {\mathsf {M}}(\mathsf {Com}, ck, w, r)

    Given a CRS ck , a witness w and a randomness r , output {Z}(\mathsf {Com}, ck, w, r) .

  • {\mathsf {M}}. \mathsf {Prv} : \pi \leftarrow {\mathsf {M}}(\mathsf {Prv}, ck, x, w, r)

    Given a CRS ck , a statement x , a witness w and a randomness r , output {Z}(\mathsf {Prv}, ck, x, w, r) .

  • {\mathsf {M}}. \mathsf {Vrf} : b \leftarrow {\mathsf {M}}(\mathsf {Vrf}, ck, x, c, \pi)

    Given a CRS ck , a statement x , a commitment c and a proof \pi , output {Z}(\mathsf {Vrf}, ck, x, c, \pi) .

  • {\mathsf {M}}. \mathsf {CrsSim} : (ck, \tau) \leftarrow {\mathsf {M}}(\mathsf {CrsSim}, \tau)

    Given a trapdoor \tau , output \tau and {Z}(\mathsf {Crs}, \tau) .

  • {\mathsf {M}}. \mathsf {ComSim} : c \leftarrow {\mathsf {M}}(\mathsf {ComSim}, ck, \tau, r)

    Given a CRS ck , a trapdoor \tau and a randomness r , if ck = {Z}(\mathsf {Crs}, \tau) , then output {Z}(\mathsf {Com}, ck, \tau, r) .

  • {\mathsf {M}}. \mathsf {PrvSim} : \pi \leftarrow {\mathsf {M}}(\mathsf {PrvSim}, ck, x, c, \tau)

    Given a CRS ck , a statement x , a commitment c and a trapdoor \tau , output {Z}(\mathsf {PrvSim}, ck, x, c, \tau) .
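To make Definition 9 and the construction of {\mathsf {M}} concrete, the following is a toy Python simulation of the oracle {Z} and of {\mathsf {M}} as listed above; it is an added illustration, not code from the paper. It assumes, beyond what the page states, that the random injections are sampled lazily (a string that was never produced is treated as having no preimage, which is wrong only in the 2^{-n} event the proofs already bound), that (x, w) \in R_{\mathcal L^{O}_{n}} means x = {O}(\mathsf {SmplYes}, w) with the yes/no bit of H_{\mathsf {smpl}} widened to one byte, and that n is a small multiple of 8 so the bit lengths on the page become byte lengths.

```python
import secrets

BOT = None  # plays the role of the symbol \bot


class RandomInjection:
    """Lazily sampled random injection {0,1}^in_bits -> {0,1}^out_bits."""

    def __init__(self, in_bits: int, out_bits: int):
        self.in_bytes, self.out_bytes = in_bits // 8, out_bits // 8
        self.table: dict = {}    # x -> H(x)
        self.inverse: dict = {}  # H(x) -> x

    def __call__(self, x: bytes) -> bytes:
        assert len(x) == self.in_bytes, "query is outside the domain"
        if x not in self.table:
            y = secrets.token_bytes(self.out_bytes)
            while y in self.inverse:        # keep the map injective
                y = secrets.token_bytes(self.out_bytes)
            self.table[x], self.inverse[y] = y, x
        return self.table[x]

    def preimage(self, y: bytes):
        # Assumption: a string never produced by H has no preimage (2^-n error).
        return self.inverse.get(y, BOT)


class Oracles:
    """O (Definition 8, via H_smpl) and Z (Definition 9) for one parameter n."""

    def __init__(self, n: int):
        self.nb = n // 8
        self.H_smpl = RandomInjection(n + 8, 2 * n)  # yes/no bit widened to a byte
        self.H_crs = RandomInjection(n, 2 * n)       # tau -> ck
        self.H_com = RandomInjection(4 * n, 5 * n)   # ck || w || r -> c
        self.H_prf = RandomInjection(9 * n, 10 * n)  # ck || x || c -> pi

    # O: instance sampling (assumed: (x, w) in R_{L^O_n} iff x = O(SmplYes, w))
    def SmplYes(self, w): return self.H_smpl(b"\x01" + w)
    def SmplNo(self, w): return self.H_smpl(b"\x00" + w)
    def in_relation(self, x, w): return x == self.SmplYes(w)

    # Z, interface by interface as in Definition 9
    def Crs(self, tau): return self.H_crs(tau)

    def Com(self, ck, w, r):
        if self.H_crs.preimage(ck) is BOT:        # ck has no trapdoor
            return BOT
        return self.H_com(ck + w + r)

    def Prv(self, ck, x, w, r):
        if not self.in_relation(x, w) or self.H_crs.preimage(ck) is BOT:
            return BOT
        c = self.H_com(ck + w + r)
        return self.H_prf(ck + x + c)

    def Vrf(self, ck, x, c, pi): return 1 if pi == self.H_prf(ck + x + c) else 0

    def PrvSim(self, ck, x, c, tau):
        return self.H_prf(ck + x + c) if ck == self.H_crs(tau) else BOT


class M:
    """The CP-NIZK M of the construction above: thin wrappers around Z."""

    def __init__(self, Z): self.Z = Z
    def Crs(self, tau): return self.Z.Crs(tau)
    def Com(self, ck, w, r): return self.Z.Com(ck, w, r)
    def Prv(self, ck, x, w, r): return self.Z.Prv(ck, x, w, r)
    def Vrf(self, ck, x, c, pi): return self.Z.Vrf(ck, x, c, pi)
    def CrsSim(self, tau): return self.Z.Crs(tau), tau
    def ComSim(self, ck, tau, r):
        return self.Z.Com(ck, tau, r) if ck == self.Z.Crs(tau) else BOT
    def PrvSim(self, ck, x, c, tau): return self.Z.PrvSim(ck, x, c, tau)


def demo(n: int = 16) -> dict:
    """Exercise M on a yes-instance and a no-instance; return what was observed."""
    Z = Oracles(n)
    m = M(Z)
    tau, w, r = (secrets.token_bytes(Z.nb) for _ in range(3))
    ck, _ = m.CrsSim(tau)
    x_yes, x_no = Z.SmplYes(w), Z.SmplNo(w)
    c = m.Com(ck, w, r)
    pi = m.Prv(ck, x_yes, w, r)
    wrong_tau = bytes([tau[0] ^ 1]) + tau[1:]
    return {
        # completeness: an honest proof on a yes-instance verifies
        "complete": m.Vrf(ck, x_yes, c, pi) == 1,
        # Prv refuses a no-instance, so a forger gets no proof from it
        "prv_refuses_no_instance": m.Prv(ck, x_no, w, r) is BOT,
        # the equality used in Game 1 of Lemma 2: PrvSim = Prv = H_prf(ck||x||c)
        "sim_equals_real": m.PrvSim(ck, x_yes, c, tau) == pi,
        # with the trapdoor even a no-instance gets an accepting proof, which is
        # why trapdoor knowledge is what matters in the separation of Section IV
        "sim_proves_no_instance":
            m.Vrf(ck, x_no, c, m.PrvSim(ck, x_no, c, tau)) == 1,
        # a guessed proof is rejected (the q/2^n case of the soundness argument)
        "random_proof_rejected":
            m.Vrf(ck, x_no, c, secrets.token_bytes(10 * Z.nb)) == 0,
        # Com needs a legitimate CRS; ComSim needs the matching trapdoor
        "com_needs_legit_crs": m.Com(secrets.token_bytes(2 * Z.nb), w, r) is BOT,
        "comsim_checks_trapdoor": m.ComSim(ck, wrong_tau, r) is BOT,
    }
```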

Lemma 2:

{\mathsf {M}} is a CP-NIZK for {\mathcal L}^{O}_{n} .

Proof:

Let {\mathcal{ A}} be a PPT adversary. Without loss of generality, we assume that {\mathcal{ A}} makes at most q = \mathop {\mathrm {poly}}\nolimits (n) queries. Completeness is immediate. We show that {\mathsf {M}} is sound. Suppose that {\mathcal{ A}} is given a legitimate CRS ck and outputs x \notin {\mathcal L} ^{O}_{n} , c and \pi . Since x \notin {\mathcal L} ^{O}_{n} , {\mathcal{ A}} cannot invoke {\mathsf {M}}. \mathsf {Prv} to generate a \pi for x that passes the verification by {\mathsf {M}}. \mathsf {Vrf} . There are two possibilities in which {\mathcal{ A}} can create such a proof: call {Z}. \mathsf {PrvSim} on a trapdoor \tau of ck , c and x to obtain a simulated proof, or compute a proof \pi that passes the verification without a query that results in \pi .

Regarding the first case, {\mathcal{ A}} should make a query to {Z}. \mathsf {PrvSim} on a trapdoor \tau of ck . However, as {Z}. \mathsf {Crs} is implemented by a random injection, {\mathcal{ A}} should make a query to {Z}. \mathsf {Crs} on a trapdoor and see if the given CRS is returned to find \tau . Since there are 2^{n} candidates for \tau , the probability that {\mathcal{ A}} makes a query on \tau is 1/2^{n} . Taking the union bound for at most q queries, {\mathcal{ A}} makes such a query with probability at most q/2^{n} . We evaluate the second case. We remark that, in this case, {\mathcal{ A}} computes a legitimate \pi without making a query to {Z}. \mathsf {PrvSim} , since otherwise it implies the first case. Considering the domain of H_{\mathsf {prf}}: \{0, 1\}^{9n} \rightarrow \{0, 1\}^{10n} , the probability that such a proof is legitimate is at most q\cdot 2^{9n}/2^{10n} = q/2^{n} , which is negligible.

Now, we show that {\mathsf {M}} is composable zero-knowledge. As a first step, we prove that {\mathtt {AdvKeyIND}}_{\mathsf {M}, {\mathcal{ A}}, {\mathcal L}^{O}_{n}} is negligible in n . Since {\mathsf {M}}. \mathsf {Crs} and {\mathsf {M}}. \mathsf {CrsSim} are implemented by the same random injection, {\mathcal{ A}} cannot distinguish the algorithm from which the CRS comes. Thus, we have {\mathtt {AdvKeyIND}}_{\mathsf {M}, {\mathcal{ A}}, {\mathcal L}^{O}_{n}}(n) = 0 .

We demonstrate that, by a hybrid argument, for any PPT {\mathcal{ A}} , \mathtt {AdvPrfIND}_{\mathsf {M}, {\mathcal{ A}}, {\mathcal L}^{O}_{n}} is negligible. Let {O}_{0} and {O}_{1} be the oracles that are explicitly given in Definition 3 (note that in the composable zero-knowledge game, {O} and {Z} are given in addition to {O}_{0} or {O}_{1} ). We say {\mathcal{ A}} is in the “real” (resp., “simulated”) world if {\mathcal{ A}} is given {O}_{0} (resp., {O}_{1} ). We introduce three games where the first game corresponds to the real world and the third game corresponds to the simulated world. Let P_{i} be the probability that {\mathcal{ A}} chooses a pair (x, w) \in R_{\mathcal L^{O}_{n}} and finally outputs 1 in {\mathsf {Game}} ~i .

  • Game 0:

    A composable zero-knowledge game where the adversary is given {O}_{0} and the challenger runs {\mathsf {M}}. \mathsf {Prv} to obtain a proof \pi . We describe the composable zero-knowledge game in the real world as follows:

    • Step 1

      The challenger uniformly chooses \tau \leftarrow \{0, 1\}^{n} , runs (ck, \tau) \leftarrow {\mathsf {M}}(\mathsf {CrsSim}, \tau) and sends (ck, \tau) to the adversary.

    • Step 2

      Given (ck, \tau) , the adversary outputs (x, w, c) , where (x, w) \in R_{\mathcal L^{O}} and c is obtained as follows:

      • The adversary sends w to the challenger along with calling {O}_{0} .

      • Given w , the challenger chooses a randomness r \in \{0, 1\}^{n} uniformly, obtains c = {\mathsf {M}}(\mathsf {Com}, ck, w, r) , sends c to the adversary and adds (w, r, c) to Q where Q is an initially empty list.

      Note that the adversary obtains at most q commitments.

    • Step 3

      Given (x, w, c) , the challenger determines whether there exists an entry (w, r, c) in Q . If such an entry exists, then the challenger computes \pi \leftarrow {\mathsf {M}}(\mathsf {Prv}, ck, x, w, r) and sends \pi to the adversary, otherwise outputs \bot .

    • Step 4

      Given \pi , the adversary outputs 0 if {\mathcal{ A}} decides that \pi is generated by the real prover, otherwise 1.

  • Game 1:

    Modify {\mathsf {Game}} 0 so that the challenger runs {\mathsf {M}}(\mathsf {PrvSim}, ck, x, c, \tau) to obtain \pi in Step 3.

    We remark that {\mathsf {M}}. \mathsf {PrvSim} gives an output other than \bot on the input (ck, x, c, \tau) . Observe that {\mathsf {M}}(\mathsf {PrvSim}, ck, x, c, \tau) = {\mathsf {M}}(\mathsf {Prv}, ck, x, w, r) = \pi = H_{\mathsf {prf}}(ck || x || c) . Hence, this modification does not change the distribution of the composable zero-knowledge game and we have P_{1} = P_{0} .

  • Game 2:

    Replace {O}_{0} in {\mathsf {Game}} 1 with {O}_{1} . Note that this game corresponds to the simulated world.

    Recall that {O}_{0} and {O}_{1} are actually {\mathsf {M}}. \mathsf {Com} and {\mathsf {M}}. \mathsf {ComSim} , respectively, and they are implemented by the same random injection H_{\mathsf {com}} . Therefore, the distribution of the output of this game differs from that of {\mathsf {Game}} 1 only if {\mathcal{ A}} obtains a commitment that is generated by the challenger herself, i.e., only if {\mathcal{ A}} makes a query that includes the randomness r , which is chosen uniformly by the challenger. That is, as {\mathcal{ A}} knows the trapdoor \tau and the witness w , {\mathcal{ A}} can obtain c by making queries {Z}(\mathsf {Com}, ck, w, r) and {Z}(\mathsf {ComSim}, ck, \tau, r) if {\mathcal{ A}} obtains r .

To analyze the probability that {\mathcal{ A}} makes a query that includes r , we should consider two cases. First, {\mathcal{ A}} makes such a query before obtaining c . As r \in \{0, 1\}^{n} is chosen uniformly, the probability that a query made by {\mathcal{ A}} contains r is 1/2^{n} . Considering the assumption that {\mathcal{ A}} makes at most q queries during the composable zero-knowledge game, the probability that this event occurs is at most q/2^{n} . The second case is that {\mathcal{ A}} makes such a query after obtaining c . That is, {\mathcal{ A}} might gain some information about r from c . However, c is generated by the random injection H_{\mathsf {com}} . Hence, we can apply the same discussion as in the first case and conclude that this event happens with probability at most q/2^{n} . Summarizing the above, we have |P_{2} - P_{1}| \leq 2q/2^{n} . Now, the difference between {\mathsf {Game}} 0 and {\mathsf {Game}} 2 corresponds to the advantage in the composable zero-knowledge game. Therefore, we have {\mathtt {AdvPrfIND}}_{\mathsf {M}, {\mathcal{ A}}, {\mathcal L}^{O}_{n}}(n) \leq 2q/2^{n} , which is negligible.

Remark 1:

Let {Z}, {Z}' \in \mathcal {ZK}_{n} be oracles that constitute CP-NIZKs for some languages {\mathcal L} and {\mathcal L}' respectively. If {Z}. \mathsf {Com} and {Z}'. \mathsf {Com} are implemented by the same random injection, then we can construct an NIZK that proves witness equality (i.e., an NIZK for (x, w) \in R_{\mathcal L} \land (x', w') \in R_{\mathcal L'} \land w=w' ).

SECTION IV.

Separation

This section presents our main result. That is, we show the following theorem:

Theorem 1:

Given a hard language {\mathcal L} and a CP-NIZK for {\mathcal L} , there is no fully black-box construction of a (standard) NIZK for {\mathcal L}\vee \hat {\mathcal L} where \hat {\mathcal L} is a hard language.

As we would like to show a fully black-box separation, it suffices to show the absence of a black-box construction of an NIZK for a specific {\mathcal L}\vee \hat {\mathcal L} . Let {O} be an oracle of the type defined in Definition 8, {\mathcal L}^{O}_{n} be the language defined in Lemma 1 and {Z} be an oracle of the type defined in Definition 9. We thus assume that there exists a black-box construction {\mathsf {M}} of a proof system for {\mathcal L}^{O}_{n} \vee \hat {\mathcal L} , where \hat {\mathcal L} is a hard language along with \hat {\mathcal C} , which is complete and zero-knowledge, and we present an adversary that attacks the soundness of {\mathsf {M}} . As {\mathsf {M}} is complete, for any n \in {\mathbb {N}} , any \tilde {\sigma } \leftarrow \mathsf {M}(\mathsf {Crs}, \tilde {\tau }) and any (\tilde {x}, \tilde {w}) \in R_{\mathcal L^{O}_{n} \vee \hat {\mathcal L}} , we have \mathrm {Pr}[\mathsf {M}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \mathsf {M}(\mathsf {Prv}, \tilde {\sigma }, \tilde {x}, \tilde {w})) = 1] \geq 1-\rho _{\textsf {co}} where \rho _{\mathsf {co}} is negligible. Similarly, it holds that \mathtt {AdvZK}_{\mathcal {A}, \textsf {M}, {\mathcal L}^{O}\vee \hat {\mathcal L}} \leq \rho _{\textsf {zk}} for any PPT {\mathcal{ A}} where \rho _{\textsf {zk}} is negligible.

We implicitly assume that a CRS (resp., a proof) generated by {\mathsf {M}}. \mathsf {Crs} (resp., {\mathsf {M}}. \mathsf {Prv} ) contains CRSs (resp., proofs) generated by {Z}. \mathsf {Crs} (resp., {Z}. \mathsf {Prv} ), since otherwise, it implies that we can construct {\mathsf {M}} without the oracle {Z} . Furthermore, we assume that a proof \tilde {\pi } generated by \mathsf {M}. \mathsf {Prv} contains a commitment that is necessary to verify a proof embedded in \tilde {\pi } . Without loss of generality, we assume that every algorithm in this section makes at most q = \mathop {\mathrm {poly}}\nolimits (n) queries. Thus, at most q values are embedded in every value output by {\mathsf {M}} . As {\mathcal L}^{O}_{n} and \hat {\mathcal L} are hard languages, for any PPT {\mathcal{ A}} , it holds that \mathtt {LangIND}_{\mathcal L^{O}_{n}, {\mathcal C}^{O}_{n}, {\mathcal{ A}}}(n) \leq \rho _{\mathsf {ind}} and \mathtt {LangIND}_{\hat {\mathcal L}_{n}, \hat {\mathcal C}_{n}, {\mathcal{ A}}}(n) \leq \hat {\rho }_{\mathsf {ind}} where \rho _{\mathsf {ind}} and \hat {\rho }_{\mathsf {ind}} are negligible in n respectively.

Observation on a CRS: As observed in [20], even if a CRS \tilde {\sigma } generated by {\mathsf {M}}. \mathsf {Crs} contains some legitimate CRSs with respect to {Z}. \mathsf {Crs} , these CRSs cannot be used to generate a proof by {\mathsf {M}}. \mathsf {Prv} unless their trapdoors are known to {\mathsf {M}}. \mathsf {Prv} . Since {\mathsf {M}}. \mathsf {Prv} proves a disjunctive language, there are cases in which only one side of a statement is true (i.e., a (yes, no)-instance or a (no, yes)-instance). However, a proof generated by {\mathsf {M}}. \mathsf {Prv} should not leak which side of the statement is the yes-instance, as {\mathsf {M}} is zero-knowledge. Assume that \tilde {\sigma } contains a legitimate CRS with respect to {Z}. \mathsf {Crs} without its trapdoor (we say such a CRS is nontrivial), and that {\mathsf {M}}. \mathsf {Prv} is given a (no, yes)-instance. Then, the prover algorithm cannot prove the no-instance on the nontrivial CRS, as its trapdoor is required to prove the no-instance. If {\mathsf {M}}. \mathsf {Prv} is supposed to use only this type of CRS, then a proof generated by {\mathsf {M}}. \mathsf {Prv} may leak the fact that the instance is a (no, yes)-instance. Hence, to generate a zero-knowledge proof, {\mathsf {M}}. \mathsf {Prv} should use a CRS with respect to {Z}. \mathsf {Crs} whose trapdoor is embedded in \tilde {\sigma } (we say such a CRS is trivial) or a CRS that is generated by the prover algorithm itself.

Overview of the Adversary: Before formally demonstrating an adversary {\mathcal{ A}} , we sketch the adversary in the standard soundness game. First, given a CRS \tilde {\sigma } , the adversary learns trivial CRSs and their trapdoors with respect to {Z}. \mathsf {Crs} by following the above observation. Since we do not know how these pairs are encoded in \tilde {\sigma } , we let {\mathcal{ A}} run \mathsf {M}. \mathsf {Prv} and \mathsf {M}. \mathsf {Vrf} sufficiently many times on \tilde {\sigma } and a uniformly chosen (yes, no)-instance together with its witness. After this step, {\mathcal{ A}} samples a (no, no)-instance (x, \hat {x}) uniformly and runs \mathsf {M}. \mathsf {Prv} on the instance to forge a proof. During the execution of \mathsf {M}. \mathsf {Prv} , we apply the swapping technique [20], which is described in Section I-D. Recall that a query made by \mathsf {M}. \mathsf {Prv} is actually relayed by the adversary. Thus, when \mathsf {M}. \mathsf {Prv} makes a query to {Z}. \mathsf {Prv} on x and a CRS ck whose trapdoor \tau is known to {\mathcal{ A}} (i.e., a trivial CRS or a CRS generated during the execution of \mathsf {M}. \mathsf {Prv} ), the adversary obtains a proof by making a query to {Z}. \mathsf {PrvSim} on x, ck and \tau and returns the answer to \mathsf {M}. \mathsf {Prv} . Note that a query to {Z}. \mathsf {Prv} on x and ck should result in \bot since x is a no-instance. However, there might be a case in which \mathsf {M}. \mathsf {Prv} makes a query on a CRS whose trapdoor is not known (i.e., a nontrivial CRS or a CRS that is found accidentally without prior generation by {Z}. \mathsf {Crs} ). In such a case, the adversary assigns a randomly chosen proof as the answer to the query. (Clearly, if such a proof is verified by the challenger, the verification results in 0 with high probability, and the attack might fail. However, we will show later that such a random proof is verified by \mathsf {M}. \mathsf {Vrf} with only low probability.) After \mathsf {M}. \mathsf {Prv} outputs a (forged) proof, the adversary passes it to the challenger. Then, the challenger verifies the proof by \mathsf {M}. \mathsf {Vrf} , and it should pass the verification, as it was generated by \mathsf {M}. \mathsf {Prv} .

A. Soundness Game and the Adversary

  • Step 1:

    The challenger chooses \tilde {\tau } uniformly, computes a CRS \tilde {\sigma } \leftarrow {\mathsf {M}}. \mathsf {Crs}(\tilde {\tau }) and sends it to the adversary. Let Q_{\mathsf {leg}} be a list of CRSs and their trapdoors such that ck \leftarrow {O} (\mathsf {Crs}, \tau) appears during this step.

  • Step 2:

    Given the CRS \tilde {\sigma } , the adversary {\mathcal{ A}} repeats the following q^{c} times where c is some constant: Sample (x_{i}, w_{i}) \in R_{\mathcal L^{O}_{n}} and (\hat {x}_{i}, \hat {w}_{i}) \in R_{\hat {\mathcal C}} uniformly, and obtain \pi _{i} \leftarrow {\mathsf {M}}(\mathsf {Prv}, \tilde {\sigma }, x_{i}, \hat {x}_{i}, w_{i}, \hat {w}_{i}) and b = {\mathsf {M}}(\mathsf {Vrf}, \tilde {\sigma }, x_{i}, \hat {x}_{i}, \pi _{i}) .

    Let Q_{\mathsf {triv}} be a set of (ck, \tau) pairs such that a query ck = {Z}(\mathsf {Crs}, \tau) or {Z}(\mathsf {PrvSim}, ck, *, *, \tau, *) = \pi \neq \bot appears during this step. Roughly speaking, Q_{\mathsf {triv}} is a set of pairs of a trapdoor and a CRS such that the adversary generates them in this phase or the pair is encoded in \tilde {\sigma } .

  • Step 3:

    {\mathcal{ A}} chooses w \in \{0, 1\}^{n} and \hat {x} \in \hat {\mathcal C} uniformly and obtains x = {O}(\mathsf {SmplNo}, w) and x^{*} = {O}(\mathsf {SmplYes}, w) . The adversary defines new partial oracles {O}' and {Z}' based on the query-answer pairs that she has learned. That is, the adversary applies the swapping technique to x and x^{*} in {O} and {Z} , respectively.

    • Partial Oracle {O}'

      A new oracle {O}' is obtained by swapping x and x^{*} in {O} . That is, {O}' consists of entries {O}'(\mathsf {SmplYes}, w; x) and {O}'(\mathsf {SmplNo}, w; x^{*}) .

    • Partial Oracle {Z}'

      The new oracle {Z}' contains the entries {Z}'(\mathsf {Prv}, *, x, w, *; \bot) .

      Let \tilde {x} = (x^{*}, \hat {x}) and \tilde {w} = (w, \bot) . The adversary invokes {\mathsf {M}}^{O'', {Z}''}(\mathsf {Prv}, \tilde {\sigma }, \tilde {x}, \tilde {w}) where {O}'' and {Z}'' are algorithms defined as follows:

    • Algorithm {O}'' : Algorithm {O}'' works as follows:

      • If {O}'' is given a query registered in {O}' , then it returns the registered answer.

      • Otherwise, it forwards the query to {O} and returns the answer.

    • Algorithm {Z}'' : Let Q_{\mathsf {intl}} be an initially empty set. Algorithm {Z}'' works as follows (recall that the bracket notation [x] means a value that matches any value, and we denote the value by x thereafter):

      • For any query registered in {Z}' , return the registered answer.

      • {Z}''. \mathsf {Crs} : For any query of the form (\mathsf {Crs}, [\tau]) , return ck = {Z}(\mathsf {Crs}, \tau) and record (ck, \tau) in Q_{\mathsf {intl}} .

      • {Z}''. \mathsf {Prv} : For any query of the form (\mathsf {Prv}, [ck], x^{*}, w, [r]) with a legitimate CRS ck , obtain c = {Z}(\mathsf {Com}, ck, w, r) and do the following:

        • If there exists an entry (ck, [\tau]) \in Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}} , then return \pi = {Z}(\mathsf {PrvSim}, ck, x^{*}, c, \tau) and record (\mathsf {Prv}, ck, x^{*}, w, r; \pi) to {Z}' .

        • If there is no entry such that (ck, [\tau]) \in Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}} , then choose \pi \in \{0, 1\}^{10n} uniformly, return \pi and record (\mathsf {Prv}, ck, x^{*}, w, r; \pi) and (\mathsf {Vrf}, ck, x^{*}, c, \pi; 1) to {Z}' .

      • For every other query, forward it to {Z} and return the answer.

      If {\mathsf {M}}. \mathsf {Prv} outputs a proof \tilde {\pi } , send \tilde {x} and \tilde {\pi } to the challenger.

  • Step 4:

    Given \tilde {x} and \tilde {\pi } , the challenger outputs {\mathsf {M}}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi }) . If {\mathsf {M}}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi }) = 1 , then the adversary wins.

B. Evaluation

We first introduce the following lemma, which is useful for the analysis of the adversary.

Lemma 3 [30]:

Let X_{1}, \cdots, X_{n+1} be independent Bernoulli random variables. Let \mathrm {Pr}[X_{i}=1] = p and \mathrm {Pr}[X_{i}=0] = 1-p for some p \in [{0,1}] . Let E be an event in which the first n variables are sampled at 1 and X_{n+1} is sampled at 0. Then, \mathrm {Pr}[E] \leq 1/(e\cdot n) where e is the base of the natural logarithm.
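The bound in Lemma 3 can be verified directly; the following derivation is added here and is not part of the page (the lemma is only cited from [30]).

\begin{align*} \mathrm {Pr}[E] &= p^{n}(1-p) \leq \max _{p \in [0,1]} p^{n}(1-p) = \Big (\frac {n}{n+1}\Big )^{n} \cdot \frac {1}{n+1} \\ &= \frac {1}{n \cdot (1 + 1/n)^{n+1}} \leq \frac {1}{e \cdot n}, \end{align*}

where the maximum is attained at p = n/(n+1) (the derivative of p^{n}(1-p) is p^{n-1}(n - (n+1)p) , which changes sign there), and the last step uses (1 + 1/n)^{n+1} \geq e , i.e., (n+1)\ln (1 + 1/n) \geq 1 , which follows from \ln (1 + 1/n) \geq \frac {1/n}{1 + 1/n} = \frac {1}{n+1} .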

We show that the challenger accepts the proof with noticeable probability by a hybrid argument. We start with the soundness game, and ultimately reach a situation where the challenger accepts the proof trivially. The first game, Game 0, is the soundness game itself. In the next four games, from {\mathsf {Game}} 1 to {\mathsf {Game}} 4, we exclude certain bad events that happen only by accident. Note that in these games, we sometimes let the soundness game abort (or halt) if these bad events happen. This means that the challenger outputs 0 and the adversary loses the soundness game. Then, we modify the game step by step, finally reaching a situation where the challenger trivially accepts the proof unless a completeness error occurs. Let P be the probability that the challenger accepts the proof in the soundness game and P_{i} be the same probability in Game i .

  • Game 0:

    This is the soundness game; thus, P_{0} = P .

  • Game 1:

    This game excludes the case where a legitimate value suddenly appears without its prior generation by {O} or {Z} . That is, we halt the game if one of the following events occurs:

    • A successful query that includes a legitimate CRS ck is made but there is no entry (ck, [\tau]) in Q_{\mathsf {leg}} \cup Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}} .

    • A successful query that includes

      • x \in {\mathcal L} ^{O}_{n} or x \in {\mathcal C} ^{O}_{n}

      • a legitimate commitment c

      • a legitimate proof \pi

      is made without their prior generation by the given oracles.

    Regarding the first case, the probability that a CRS without prior generation by {Z}. \mathsf {Crs} is legitimate is bounded by 1/2^{n} , as H_{\mathsf {crs}} is a random injection such that H_{\mathsf {crs}}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{2n} . Therefore, the probability that this query occurs can be evaluated if we take the union bound over the number of queries that are made during the soundness game. Recall that {\mathsf {M}} makes at most q queries in its execution. Thus, the number of queries made in each of Steps 1, 3 and 4 is at most q , since in each of these steps only a single subroutine of {\mathsf {M}} is executed once (we ignore the instance sampling queries by {\mathcal{ A}} in Step 3 because they are obviously irrelevant to the query we are concerned with). In Step 2, \mathsf {M}. \mathsf {Prv} and \mathsf {M}. \mathsf {Vrf} are executed q^{c} times. Thus, at most 2q \cdot q^{c} queries are made in this step (the instance sampling queries are ignored here as well). Since at most 3q + 2q^{c+1} queries are made in the game, the probability of the first event is at most (3q + 2q^{c+1})/2^{n} . The other cases can be evaluated in the same manner by considering the domains of H_{\mathsf {smpl}}: \{0, 1\}^{n+1} \rightarrow \{0, 1\}^{2n} , H_{\mathsf {com}}: \{0, 1\}^{4n} \rightarrow \{0, 1\}^{5n} and H_{\mathsf {prf}}: \{0, 1\}^{9n} \rightarrow \{0, 1\}^{10n} . Thus, we have \begin{equation*}|P_{1} - P_{0}| \leq 5(3q + 2q^{c+1}) /2^{n}.\end{equation*}

  • Game 2:

    We halt the game if a query including w is made in Step 1 or 2. As w is uniformly chosen by {\mathcal{ A}} and \mathsf {M}. \mathsf {Crs} makes at most q queries in Step 1, the probability that a query on w is made in Step 1 is at most q/2^{n} . Recall that the adversary chooses q^{c} witnesses and runs {\mathsf {M}}. \mathsf {Prv} and {\mathsf {M}}. \mathsf {Vrf} q^{c} times in Step 2. As {\mathsf {M}} makes at most q queries, there are at most q^{c} + 2q \cdot q^{c} chances to make a query on w in Step 2. Thus, we have \begin{equation*}|P_{2} - P_{1}| \leq (q + q^{c} + 2q^{c+1})/2^{n},\end{equation*} which is negligible.

  • Game 3:

    We halt the game if the challenger observes b = 0 in Step 2. This excludes the case in which the challenger learns nothing in this step. Note that the challenger observes b=0 only when a completeness error occurs, as the challenger chooses values honestly in this step. As this step is executed q^{c} times, we have \begin{equation*} |P_{3} - P_{2}| \leq q^{c} \cdot \rho _{\textsf {co}}.\end{equation*}


  • Game 4:

    We abort the game if a randomly assigned proof \pi by {Z}'' in Step 3 appears as a result of a query to {Z}. \mathsf {Prv} or {Z}. \mathsf {PrvSim} by the end of Step 3. Similar to {\mathsf {Game}} 1, there are at most 2q + 2q^{c+1} queries that may occur in this event (note that here we do not consider the case where this event occurs in Step 4). As {Z}. \mathsf {Prv} and {Z}. \mathsf {PrvSim} are implemented by the random injection H_{\mathsf {prf}} , the probability that such a \pi is returned by {Z}. \mathsf {Prv} or {Z}. \mathsf {PrvSim} is at most (2q + 2q^{c+1})/2^{n} . Furthermore, as there are at most q randomly assigned proofs, we have \begin{equation*} |P_{4} - P_{3}| \leq q(2q + 2q^{c+1})/2^{n}\end{equation*}


  • Game 5:

    This game excludes the case where the adversary fails to learn all the trivial CRSs embedded in \tilde {\sigma } in Step 2 and one of their trapdoors appears suddenly in Step 3. That is, the game halts if {\mathsf {M}}. \mathsf {Prv} in Step 3 makes a query (\mathsf {PrvSim}, [ck], x, [c], [\tau]) that results in a proof \pi \neq \bot while (ck, \tau) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}} .

    As such a query results in a value other than \bot , \tau is the trapdoor of ck . Furthermore, we have already excluded, in {\mathsf {Game}} 1, the case where a legitimate ck appears without its generation by {Z} . Therefore, this is a case where a pair (ck, \tau) \in Q_{\textsf {leg}} does not appear in Step 2 but appears in Step 3. For each such pair, the probability that it does not appear in Step 2 but appears in Step 3 for the first time is bounded by 1/(eq^{c}) due to Lemma 3. As \tilde {\sigma } contains at most q such pairs, we have \begin{equation*} |P_{5} - P_{4}| \leq 1/(eq^{c-1}).\end{equation*}

  • Game 6:

    Replace {O} and {Z} in Steps 1 and 2 with {O}'' and {Z}'' , which contain the partial oracles {O}' and {Z}' defined at the end of Step 3, respectively. Observe that the randomness chosen by the adversary is independent of the oracles and the randomness chosen by the challenger. Hence, modifying the game so that {\mathcal{ A}} chooses its randomness at the beginning of the soundness game does not affect the distribution of the soundness game. The view changes only if a query that includes x , x^{*} or w is made in Step 1 or Step 2, and we have already excluded such cases. Thus, we have P_{6} = P_{5} .

  • Game 7:

    Replace {O} and {Z} in Step 4 with {O}'' and {Z}'' , respectively. The view of the game changes if {\mathsf {M}}. \mathsf {Vrf} makes one of the following queries in Step 4:

    • A query (\mathsf {PrvSim}, [ck], x, [c], [\tau]) that results in \pi \neq \bot while (ck, \tau) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}} and there already exists an entry (\mathsf {Prv}, ck, x, w, r; \pi ' \neq \bot) in {Z}' such that c = {O}(\mathsf {Com}, ck, w, r) and \pi \neq \pi ' .

    • A query that is registered in {O}' or {Z}' .

Let us elaborate on the first query. The proof \pi ' is randomly assigned by the adversary in Step 3 to (ck, \tau) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}} , but the entry (\mathsf {Prv}, ck, x, w, r; \pi ') is in {Z}' . Recall that we have already excluded the case where a legitimate CRS suddenly appears without prior generation by {O}. \mathsf {Crs} in {\mathsf {Game}} 1. Hence, if {\mathsf {M}}. \mathsf {Vrf} makes such a query, it means that the adversary failed to learn a pair of a CRS and its trapdoor in Step 2 and such a pair appears in Step 4. Applying the same discussion as in {\mathsf {Game}} 5, we obtain that such a query is made with probability at most 1/(eq^{c-1}) .

Observe that the second query is classified into two cases:

  • A query that contains w , i.e., (\mathsf {SmplYes}, w) , (\mathsf {SmplNo}, w) and (\mathsf {Prv}, [ck], x, w, [r])

  • A query to {Z}. \mathsf {Vrf} that verifies a randomly assigned proof by {Z}'' in Step 3.

Intuitively, the zero-knowledgeness of {\mathsf {M}} is compromised if the first query is made. Regarding the second query, we follow the intuition that a nontrivial CRS cannot be used to generate a proof \tilde {\pi } .

We define two events regarding these queries and show that they are made with small probability. Let {\mathsf {AskW}} be an event in which {\mathsf {M}}. \mathsf {Vrf} makes a query on w in Step 4, and let {\mathsf {VerRand}} be an event in which {\mathsf {M}}. \mathsf {Vrf} in Step 4 makes a query to {Z}. \mathsf {Vrf} that includes a randomly assigned proof generated by {Z}'' . By {\mathsf {AskW}}^{i} (resp., {\mathsf {VerRand}}^{i} ), we denote an event in which {\mathsf {AskW}} (resp., {\mathsf {VerRand}} ) occurs in game i . We claim the following two statements:

Claim 1:

\mathrm {Pr}[\textsf {AskW}^{7}] \leq \rho _{\mathsf {zk}} + q/2^{n} .

Claim 2:

\mathrm {Pr}[\textsf {VerRand}^{7}] \leq 1/(eq^{c-1}) + q/2^{n} + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}} .

The proofs of these claims appear after the proof of Theorem 1. Therefore, we obtain \begin{align*} |P_{7} - P_{6}|\leq&1/(eq^{c-1}) + \mathrm {Pr}[\textsf {AskW}^{7}] + \mathrm {Pr}[\textsf {VerRand}^{7}] \\\leq&1/(eq^{c-1}) + 2q/2^{n} + 3\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{align*}

  • Game 8:

    Let \textsf {R}_{\mathsf {o}} and \textsf {R}_{\mathsf {zk}} be uniformly chosen partial oracles such that {O}' || \textsf {R}_{\mathsf {o}} \in \mathcal {O}_{n} and {Z}' || \textsf {R}_{\mathsf {zk}} \in \mathcal {Z}_{n} . Replace {O}'' and {Z}'' with {O}' || \textsf {R}_{\mathsf {o}} and {Z}' || \textsf {R}_{\mathsf {zk}} respectively. Such oracles must exist since both {O} and {Z} are implemented by random injections.

Recall that in {\mathsf {Game}} 7, oracles {O}'' = {O}' || {O} and {Z}'' = {Z}' || {Z} are given. Furthermore, we have already excluded the case where \textsf {M}. \mathsf {Vrf} in Step 4 makes queries that are inconsistent with {O}' and {Z}' in {\mathsf {Game}} 7. Therefore, replacing {O} and {Z} with \textsf {R}_{\textsf {o}} and \textsf {R}_{\textsf {zk}} does not change the view in Step 4. Thus, we have P_{8} = P_{7} .

Observe that now a proof generated by \textsf {M}. \mathsf {Prv} is a correct proof on (x, \hat {x}) . Therefore, \textsf {M}. \mathsf {Vrf} should accept such a proof unless a completeness error occurs. Hence, \begin{equation*} P_{8} \geq 1 - \rho _{\textsf {co}}.\end{equation*}


Summarizing the above evaluations, we have \begin{align*} P \geq{}& 1 - (17q + 2q^{2} + q^{c} + 12q^{c+1} + 2q^{c+2})/2^{n} \\ & - 2/(eq^{c-1}) - (1 + q^{c})\rho _{\textsf {co}} - 3\rho _{\textsf {zk}} - \rho _{\textsf {ind}} - \hat {\rho }_{\textsf {ind}}, \end{align*} which concludes Theorem 1.

Proof of Claim 1:

We evaluate {\mathsf {AskW}} by introducing subgames that ultimately reach a situation where a proof generated by the prover algorithm becomes independent of the witness. Let {\mathsf {Game}} 7.0 be {\mathsf {Game}} 7 and {\mathsf {Game}} 7.1 be the following:

  1. Let \textsf {R}_{\mathsf {o}} and \textsf {R}_{\mathsf {zk}} be uniformly chosen partial oracles such that {O}' || \textsf {R}_{\mathsf {o}} \in \mathcal {O}_{n} and {Z}' || \textsf {R}_{\mathsf {zk}} \in \mathcal {Z}_{n} . Replace {O}'' and {Z}'' with {O}' || \textsf {R}_{\mathsf {o}} and {Z}' || \textsf {R}_{\mathsf {zk}} , respectively. Note that such oracles must exist since both {O} and {Z} are implemented by random injections.

    Observe that the distribution in {\mathsf {Game}} 7.1 differs from that of {\mathsf {Game}} 7.0 only when a query in {O}' or {Z}' is made. Thus, we obtain that \mathrm {Pr}[\textsf {AskW}^{7.1}] = \mathrm {Pr}[\textsf {AskW}^{7.0}] .

  2. Replace {O}' || \textsf {R}_{\mathsf {o}} and {Z}' || \textsf {R}_{\mathsf {zk}} with {O}\leftarrow \mathcal {O}_{n} and {Z}\leftarrow \mathcal {Z}_{n} . Furthermore, let the adversary run \textsf {M}. \mathsf {Prv} on a correct instance, i.e., on (x^{*}, \hat {x}) .

    Such modifications do not yield a difference between {\mathsf {Game}} 7.1 and {\mathsf {Game}} 7.2. Note that in {\mathsf {Game}} 7.1, the partial oracles {O}' and {Z}' are determined by the choice of oracles and randomnesses in the challenger and the adversary, and \textsf {R}_{\mathsf {o}} and \textsf {R}_{\mathsf {zk}} are chosen uniformly. Thus, modifying the choice of oracles so that they are chosen uniformly does not change the view of the game. Hence, we have \mathrm {Pr}[\textsf {AskW}^{7.2}] = \mathrm {Pr}[\textsf {AskW}^{7.1}] .

  3. Replace {\mathsf {M}}. \mathsf {Crs} in Step 1 and {\mathsf {M}}. \mathsf {Prv} in Step 3 with {\mathsf {M}}. \mathsf {CrsSim} and {\mathsf {M}}. \mathsf {PrvSim} , respectively. Furthermore, let the challenger pass the trapdoor generated by {\mathsf {M}}. \mathsf {CrsSim} to the adversary. We claim the following.

Claim 3:

\mathrm {Pr}[{\mathsf {AskW}}^{7.2}] - \mathrm {Pr}[{\mathsf {AskW}}^{7.3}] \leq \rho _{\mathsf {zk}} .

Proof of Claim 3:

We construct a stateful PPT adversary \mathcal {B} = (\mathcal {B}_{0}, \mathcal {B}_{1}) that attacks the zero-knowledgeness of {\mathsf {M}} , assuming that \mathrm {Pr}[{\mathsf {AskW}}^{7.2}] - \mathrm {Pr}[{\mathsf {AskW}}^{7.3}] > \rho _{\mathsf {zk}} . Such an adversary contradicts the assumption that {\mathsf {M}} is zero-knowledge, thus justifying the claim. The adversary works in the (standard) zero-knowledge game with a challenger as follows:

  • \mathcal {B}_{0} :

    Given a CRS \tilde {\sigma } , sample w \leftarrow \{0, 1\}^{n} and \hat {x} \in \hat {\mathcal {C}} and obtain x^{*} = {O}(\mathsf {SmplYes}, w) . Set \tilde {x} = (x^{*}, \hat {x}) and \tilde {w} = (w, \bot) and output (\tilde {x}, \tilde {w}) . Note that (\tilde {x}, \tilde {w}) is chosen in the same way as for the challenger of {\mathsf {Game}} 7.2 and {\mathsf {Game}} 7.3.

  • \mathcal {B}_{1} :

    Given a proof \tilde {\pi } , run \textsf {M}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi }) . If \mathcal {B}_{1} observes a query that includes w during the execution of \textsf {M}. \mathsf {Vrf} (i.e., {\mathsf {AskW}} occurs), output b' = 1 , otherwise b' = 0 .

We denote by b = 1 (resp., b = 0 ) the situation where the challenger works with \textsf {M}. \mathsf {Crs} and \textsf {M}. \mathsf {Prv} (resp., \textsf {M}. \mathsf {CrsSim} and \textsf {M}. \mathsf {PrvSim} ). Observe that the distribution of (\tilde {\sigma }, \tilde {x}, \tilde {\pi }) in \mathcal {B}_{1} is the same as that given to \textsf {M}. \mathsf {Vrf} in Step 4 in {\mathsf {Game}} 7.2 (resp., {\mathsf {Game}} 7.3) if b=1 (resp., b=0 ). Thus, we obtain that \begin{align*} \mathrm {Pr}[b'=1 | b=1]=&\mathrm {Pr}[\textsf {AskW}^{7.2}],\\ \mathrm {Pr}[b'=1 | b=0]=&\mathrm {Pr}[\textsf {AskW}^{7.3}].\end{align*}

Considering the definition of \mathtt {AdvZK}_{\mathcal {B}, \textsf {M}, {\mathcal L}^{O} \vee \hat {\mathcal L}} , we obtain the following formula: \begin{align*} \mathtt {AdvZK}_{\mathcal {B}, \textsf {M}, {\mathcal L}^{O}\vee \hat {\mathcal L}}=&\mathrm {Pr}[b' = 1| b = 1] - \mathrm {Pr}[b' = 1| b = 0]\\=&\mathrm {Pr}[\textsf {AskW}^{7.2}] - \mathrm {Pr}[\textsf {AskW}^{7.3}] > \rho _{\mathsf {zk}}\end{align*}
which contradicts the assumption that {\mathsf {M}} is zero-knowledge. Thus, we obtain \mathrm {Pr}[{\mathsf {AskW}}^{7.2}] - \mathrm {Pr}[{\mathsf {AskW}}^{7.3}] \leq \rho _{\mathsf {zk}} .

Now we show that \mathrm {Pr}[\textsf {AskW}^{7.3}] \leq q/2^{n} . As a proof generated by {\mathsf {M}}. \mathsf {PrvSim} is independent of w , the verifier makes a query on w only by chance. As {\mathsf {M}}. \mathsf {Vrf} makes at most q queries, \mathrm {Pr}[\textsf {AskW}^{7.3}] \leq q/2^{n} . Summarizing the above, we have \begin{align*} \mathrm {Pr}[\textsf {AskW}^{7.0}]=&\mathrm {Pr}[\textsf {AskW}^{7.1}] = \mathrm {Pr}[\textsf {AskW}^{7.2}] \\\leq&\rho _{\mathsf {zk}} + \mathrm {Pr}[\textsf {AskW}^{7.3}] \leq \rho _{\mathsf {zk}} + q/2^{n}.\end{align*}

We have thus proven Claim 1.

Proof of Claim 2:

Recall that {\mathsf {VerPi}} is the event that a randomly assigned proof in Step 3 is verified by \textsf {M}. \mathsf {Vrf} in Step 4. It should be analyzed carefully as we do not know whether a proof is a randomly assigned proof when {\mathsf {M}}. \mathsf {Vrf} makes a query to {Z}. \mathsf {Vrf} , i.e., {\mathsf {VerPi}} is not observable. However, we observe that there exists an alternative event that almost implies {\mathsf {VerPi}} .

We introduce an alternative event {\mathsf {VerCrs}} and show that \mathrm {Pr}[\textsf {VerPi}] \leq \mathrm {Pr}[\textsf {VerCrs}] + 1/(eq^{c-1}) . Observe that a proof is randomly assigned only when a query that contains a CRS ck such that (ck, [\tau]) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}} is made in Step 3. Hence, whenever {\mathsf {VerPi}} occurs, such a CRS is queried by \textsf {M}. \mathsf {Vrf} . As we have already excluded in {\mathsf {Game}} 1 the case where a legitimate CRS suddenly appears without having been generated beforehand by the given oracle, the appearance of such a CRS in Step 4 is due to one of the following:

  • ck is trivial but the adversary failed to learn (ck, \tau) in Step 2;

  • ck is nontrivial.

The first case can be evaluated as in {\mathsf {Game}} 5; thus such a query is made with probability at most 1/(eq^{c-1}) . Regarding the second case, we define \textsf {VerCrs} to be an event in which \textsf {M}. \mathsf {Vrf} makes a query (\mathsf {Vrf}, [ck], [x], [c], [\pi]) to {Z} such that ck \in Q_{\mathsf {nt}} , where Q_{\mathsf {nt}} is the list of CRSs queried in Step 2 but (ck, [\tau]) \notin Q_{\mathsf {triv}} (“{\mathsf {nt}} ” stands for nontrivial). From the above observation, we have \mathrm {Pr}[\textsf {VerPi}] \leq \mathrm {Pr}[\textsf {VerCrs}] + 1/(eq^{c-1}) . Now, we evaluate \mathrm {Pr}[\mathsf {VerCrs}] by introducing several subgames. We first introduce the same game transitions as in {\mathsf {Game}} 7.1 to {\mathsf {Game}} 7.3. Then, we modify the game so that it ultimately reaches the situation where a proof is generated on a (no, yes)-instance; thus {\mathsf {VerCrs}} does not occur. Let {\mathsf {Game}} 7.0' be {\mathsf {Game}} 7.

  • Game 7.1' (The Same as Game 7.1):

    Replace {O}'' and {Z}'' with {O}' || \textsf {R}_{\mathsf {o}} and {Z}' || \textsf {R}_{\mathsf {zk}} , respectively. Similar to {\mathsf {Game}} 7.1, we have \mathrm {Pr}[\textsf {VerCrs}^{7.1'}] = \mathrm {Pr}[\textsf {VerCrs}^{7.0'}] .

  • Game 7.2' (The Same as Game 7.2):

    Replace {O}' || \textsf {R}_{\mathsf {o}} and {Z}' || \textsf {R}_{\mathsf {zk}} with {O}\leftarrow \mathcal {O}_{n} and {Z}\leftarrow \mathcal {Z}_{n} . Furthermore, let the adversary run \textsf {M}^{O, {Z}}. \mathsf {Prv} on a correct instance, i.e., on (x^{*}, \hat {x}) . Since the same discussion as in {\mathsf {Game}} 7.2 can be applied, we have \mathrm {Pr}[\textsf {VerCrs}^{7.2'}] = \mathrm {Pr}[\textsf {VerCrs}^{7.1'}] .

  • Game 7.3' (The Same as Game 7.3):

    Replace {\mathsf {M}}. \mathsf {Crs} in Step 1 and {\mathsf {M}}. \mathsf {Prv} in Step 3 with {\mathsf {M}}. \mathsf {CrsSim} and {\mathsf {M}}. \mathsf {PrvSim} , respectively. Furthermore, let the challenger pass the trapdoor generated by {\mathsf {M}}. \mathsf {CrsSim} to the adversary. We claim the following:

Claim 4:

\mathrm {Pr}[\textsf {VerCrs}^{7.2'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}] \leq \rho _{\textsf {zk}} .

Proof of Claim 4:

We first construct a zero-knowledge adversary \mathcal {B}' = (\mathcal {B}'_{0}, \mathcal {B}'_{1}) as follows:

  • \mathcal {B}'_{0} :

    Given a CRS \tilde {\sigma } , execute Step 2 in the soundness game. Then, choose w \in \{0, 1\}^{n} and \hat {x} \in \hat {\mathcal {C}} uniformly and obtain x^{*} = {O}(\mathsf {SmplYes}, w) . Set \tilde {x} = (x^{*}, \hat {x}) and \tilde {w} = (w, \bot) and output (\tilde {x}, \tilde {w}) .

  • \mathcal {B}'_{1} :

    Given a proof \tilde {\pi } , run \textsf {M}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi }) . Output b'=1 if \mathcal {B}'_{1} observes {\mathsf {VerCrs}} , otherwise output b' = 0 .

Similar to {\mathsf {Game}} 7.3, we denote by b = 1 (resp., b = 0 ) the situation where the challenger runs \textsf {M}. \mathsf {Crs} and \textsf {M}. \mathsf {Prv} (resp., \textsf {M}. \mathsf {CrsSim} and \textsf {M}. \mathsf {PrvSim} ). Then, we obtain \begin{align*} \mathrm {Pr}[b'=1 | b=1]=&\mathrm {Pr}[\textsf {VerCrs}^{7.2'}],\\ \mathrm {Pr}[b'=1 | b=0]=&\mathrm {Pr}[\textsf {VerCrs}^{7.3'}].\end{align*}
Considering the definition of \mathtt {AdvZK}_{\mathcal {B}', \textsf {M}, {\mathcal L}^{O} \vee \hat {\mathcal L}} , we obtain the following formula: \begin{align*} \mathtt {AdvZK}_{\mathcal {B}', \textsf {M}, {\mathcal L}^{O}\vee \hat {\mathcal L}}=&\mathrm {Pr}[b' = 1| b = 1] - \mathrm {Pr}[b' = 1| b = 0]\\=&\mathrm {Pr}[\textsf {VerCrs}^{7.2'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}].\end{align*}
Therefore, it contradicts the zero-knowledgeness of {\mathsf {M}} if \mathrm {Pr}[\textsf {VerCrs}^{7.2'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}] > \rho _{ \textsf {zk}} , which justifies Claim 4.

  • Game 7.4' :

    Modify the adversary so that it chooses (\hat {x}, \hat {w}) \in R_{\hat {\mathcal L}} instead of \hat {x} \in \hat {\mathcal C} in Step 2 (i.e., {\mathcal{A}} samples a (yes, yes)-instance). Note that since {\mathcal{A}} runs \textsf {M}. \mathsf {PrvSim} , \hat {w} is not given to \textsf {M}. \mathsf {PrvSim} .

    Recall that \hat {\mathcal L} is a hard language, along with \hat {\mathcal C} . Thus, if |\mathrm {Pr}[\textsf {VerCrs}^{7.4'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}]| > \hat {\rho }_{\textsf {ind}} , it contradicts the instance indistinguishability of \hat {\mathcal L} , yielding |\mathrm {Pr}[\textsf {VerCrs}^{7.4'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}]| \leq \hat {\rho }_{\textsf {ind}} .

  • Game 7.5' :

    Modify the adversary so that it chooses (x^{*}, w) \in R_{\mathcal C} instead of (x^{*}, w) \in R_{\mathcal L} (i.e., {\mathcal{A}} samples a (no, yes)-instance). Similar to {\mathsf {Game}} 7.4', we obtain |\mathrm {Pr}[\textsf {VerCrs}^{7.5'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.4'}]| \leq \rho _{\textsf {ind}} .

  • Game 7.6' :

    Replace \textsf {M}. \mathsf {CrsSim} and \textsf {M}. \mathsf {PrvSim} with \textsf {M}. \mathsf {Crs} and \textsf {M}. \mathsf {Prv} , respectively. Note that as {\mathcal{A}} samples a (no, yes)-instance, the adversary runs \textsf {M}. \mathsf {Prv} on \tilde {x} = (x^{*}, \hat {x}) and \tilde {w} = (\bot, \hat {w}) . Since the same discussion as in {\mathsf {Game}} 7.3' can be applied, we have \mathrm {Pr}[\textsf {VerCrs}^{7.5'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.6'}] \leq \rho _{\textsf {zk}} .

As \textsf {M}. \mathsf {Prv} runs on a (no, yes)-instance, there is little chance that \textsf {VerCrs} will occur. That is, the probability of a query (\mathsf {Prv}, [ck], x^{*}, w, [r]) having a legitimate CRS ck \in Q_{\textsf {nt}} is bounded by q/2^{n} , as {O}. \mathsf {SmplNo} is implemented by a random injection and \mathsf {M}. \mathsf {Prv} is not given w . Therefore, \mathrm {Pr}[\textsf {VerCrs}^{7.6'}] \leq q/2^{n} .

To sum up the above, we have \begin{align*} \mathrm {Pr}[\textsf {VerCrs}^{7.0'}]=&\mathrm {Pr}[\textsf {VerCrs}^{7.1'}] = \mathrm {Pr}[\textsf {VerCrs}^{7.2'}] \\\leq&\mathrm {Pr}[\textsf {VerCrs}^{7.3'}] + \rho _{\textsf {zk}} \leq \mathrm {Pr}[\textsf {VerCrs}^{7.4'}] \\&+\, \rho _{\textsf {zk}} + \hat {\rho }_{\textsf {ind}}\\\leq&\mathrm {Pr}[\textsf {VerCrs}^{7.5'}] + \rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}} \\\leq&\mathrm {Pr}[\textsf {VerCrs}^{7.6'}] + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}} \\\leq&q/2^{n} + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{align*}

Therefore, we obtain \begin{equation*} \mathrm {Pr}[\textsf {VerPi}^{7}] \leq 1/(eq^{c-1}) + q/2^{n} + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{equation*}

We have thus proven Claim 2.

SECTION V.

Conclusion and Future Work

We have shown that there is no fully black-box construction of an NIZK for a disjunctive language based on CP-NIZKs. This result suggests that we should rely on a certain mathematical structure if we want to augment the capability of NIZKs in terms of the languages they can prove, even though the commit-and-prove methodology is itself powerful enough to break the barrier shown in [22].

There is still room to study black-box language extension further. That is, we might be able to characterize the languages (or binary relations) for which NIZKs cannot be obtained in a black-box manner.

Graduate School of Informatics, Kyoto University, Kyoto, Japan
National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan
Kyosuke Yamashita received the B.E. and M.E. degrees from Kyoto University, in 2013 and 2015, respectively, where he is currently pursuing the Ph.D. degree with the Graduate School of Informatics. He is also a Research Assistant with the National Institute of Advanced Industrial Science and Technology (AIST).
Graduate School of Informatics, Kyoto University, Kyoto, Japan
Secure Platform Laboratories, NTT Corporation, Tokyo, Japan
Mehdi Tibouchi received the Ph.D. degree in computer science from the University of Paris VII and the University of Luxembourg in 2011. He is currently a Distinguished Researcher at NTT Corporation and a Guest Associate Professor at Kyoto University.
Graduate School of Informatics, Kyoto University, Kyoto, Japan
Secure Platform Laboratories, NTT Corporation, Tokyo, Japan
Masayuki Abe received the Ph.D. degree from The University of Tokyo, in 2002. He has been working with Nippon Telegraph and Telephone Corporation (NTT), Japan, since 1992. He is currently a Guest Professor with the Graduate School of Informatics, Kyoto University.
