
Succinct Publicly-Certifiable Proofs

Or, Can a Blockchain Verify a Designated-Verifier Proof?

Conference paper, Progress in Cryptology – INDOCRYPT 2021 (INDOCRYPT 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13143)

Abstract

We study zero-knowledge arguments where proofs are: of knowledge, short, publicly-verifiable and produced without interaction. While zkSNARKs satisfy these requirements, we build such proofs in a constrained theoretical setting: in the standard model, i.e., without a random oracle, and without assuming publicly-verifiable SNARKs (or even NIZKs, for some of our constructions) or primitives currently known to imply them.

We model and construct a new primitive, SPuC (Succinct Publicly-Certifiable System), where: a party can prove knowledge of a witness \({\mathsf w}\) by publishing a proof \(\pi _0\); the latter can then be certified non-interactively by a committee sharing a secret; any party in the system can now verify the proof through its certificates; the total communication complexity should be sublinear in \(|{\mathsf w}|\). We construct SPuCs generally from (leveled) FHE, homomorphic signatures and linear-only encryption, all instantiatable from lattices and thus plausibly quantum-resistant. We also construct them in the two-party case replacing FHE with the simpler primitive of homomorphic secret-sharing.

Our model has practical applications in blockchains and in other protocols where there exist committees sharing a secret and it is necessary for parties to prove knowledge of a solution to some puzzle. Our constructions can be seen as a way to compile a designated-verifier SNARK into a proof system with a flavor of public-verifiability, with efficiency features (e.g., proving time) similar to those of the starting dvSNARK.

We show that one can construct a version of SPuCs with robust proactive security from similar assumptions. In a proactively secure model the committee reshares its secret from time to time. Such a model is robust if the committee members can prove they performed this resharing step correctly. Along the way to our goal we define and build Proactive Universal Thresholdizers, a proactive version of the Universal Thresholdizer defined in Boneh et al. [Crypto 2018].
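The flow the abstract describes (a prover posts \(\pi _0\), committee members holding shares of a secret each publish a certificate without talking to one another, anyone combines enough certificates to verify) and the proactive resharing of the committee secret, as an added Python walk-through. This is not the paper's construction and not code from the authors: the dvSNARK is abstracted to a secret key vector `sk` and the linear acceptance test `<sk, pi0> == 0 (mod Q)` (the shape a linear-only-encryption dvSNARK verifier ends in after decryption; the toy "prover" is simply handed an accepting vector and offers no security), and Shamir sharing with Feldman commitments stands in for the paper's threshold FHE and homomorphic signatures. The parameters `P`, `Q`, `G`, the committee size and threshold, and every function name (`certify`, `public_verify`, `proactive_reshare`, ...) are the example's own choices.

```python
"""Toy walk-through of the SPuC flow (prove, certify, publicly verify) and of
proactive resharing.  Not the paper's construction: the dvSNARK is abstracted
to a secret key vector sk and the linear test <sk, pi0> == 0 (mod Q), and the
committee secret is Shamir-shared with Feldman commitments (toy parameters)."""
import random

P, Q, G = 1907, 953, 4   # safe prime p = 2q+1; G = 4 generates the order-q subgroup (toy size)
N_MEMBERS, THRESHOLD = 5, 3   # any 3 of 5 certificates suffice; polynomials have degree 2
KEY_LEN = 3                   # length of the designated-verifier key vector
rng = random.Random(20211)    # fixed seed so the walk-through is reproducible

def poly_eval(coeffs, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def lagrange_at_zero(xs):
    """Coefficients mapping values at the points xs to the value at 0."""
    out = []
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        out.append(num * pow(den, Q - 2, Q) % Q)
    return out

def share(secret):
    """Shamir-share one field element; also return Feldman commitments g^a_j."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(THRESHOLD - 1)]
    return {i: poly_eval(coeffs, i) for i in range(1, N_MEMBERS + 1)}, [pow(G, a, P) for a in coeffs]

def share_ok(i, s, commits):
    """Public check that s is member i's share of the committed polynomial."""
    expect = 1
    for j, c in enumerate(commits):
        expect = expect * pow(c, pow(i, j, Q), P) % P
    return pow(G, s, P) == expect

def dv_keygen():
    return [rng.randrange(1, Q) for _ in range(KEY_LEN)]

def dv_verify(sk, pi0):                      # designated-verifier check: needs all of sk
    return sum(a * b for a, b in zip(sk, pi0)) % Q == 0

def accepting_proof(sk):
    """Stand-in for a dvSNARK proof of a true statement: a vector orthogonal to sk.
    A real prover would build it from the witness and encrypted key material."""
    head = [rng.randrange(Q) for _ in range(KEY_LEN - 1)]
    return head + [-sum(a * b for a, b in zip(sk, head)) * pow(sk[-1], Q - 2, Q) % Q]

def committee_setup(sk):
    """Share every key coordinate; members hold share vectors, commitments are public."""
    member_shares, commits = {i: [] for i in range(1, N_MEMBERS + 1)}, []
    for coord in sk:
        shares, com = share(coord)
        for i, s in shares.items():
            member_shares[i].append(s)
        commits.append(com)
    return member_shares, commits

def certify(i, share_vec, pi0):
    """Member i's non-interactive certificate on a posted pi0: its share of <sk, pi0>."""
    return i, sum(a * b for a, b in zip(share_vec, pi0)) % Q

def public_verify(certs):
    """Anyone recombines any THRESHOLD certificates and tests <sk, pi0> == 0."""
    if len(certs) < THRESHOLD:
        raise ValueError("need %d certificates, got %d" % (THRESHOLD, len(certs)))
    certs = certs[:THRESHOLD]
    lam = lagrange_at_zero([i for i, _ in certs])
    return sum(l * c for l, (_, c) in zip(lam, certs)) % Q == 0

def proactive_reshare(member_shares):
    """Each member deals a zero-secret polynomial per coordinate and everyone adds the
    sub-shares received.  A dealer whose constant commitment is not g^0 = 1, or whose
    sub-shares do not match its commitments, is caught (the 'robust' part)."""
    new = {i: list(v) for i, v in member_shares.items()}
    for _dealer in member_shares:
        for coord in range(KEY_LEN):
            sub, com = share(0)
            if com[0] != 1 or not all(share_ok(i, sub[i], com) for i in new):
                raise ValueError("dealer failed the resharing check")
            for i in new:
                new[i][coord] = (new[i][coord] + sub[i]) % Q
    return new

def reconstruct(member_shares):              # walk-through only; a real committee never pools shares
    xs = list(member_shares)[:THRESHOLD]
    lam = lagrange_at_zero(xs)
    return [sum(l * member_shares[i][c] for l, i in zip(lam, xs)) % Q for c in range(KEY_LEN)]

def demo():
    sk = dv_keygen()
    shares, commits = committee_setup(sk)
    pi0 = accepting_proof(sk)                # the prover posts pi0 publicly
    forged = [pi0[0] + 1] + pi0[1:]          # one tampered coordinate
    fresh = proactive_reshare(shares)        # new epoch: same secret, fresh shares
    return {
        "dv_accepts": dv_verify(sk, pi0),
        "shares_ok": all(share_ok(i, shares[i][c], commits[c]) for i in shares for c in range(KEY_LEN)),
        "public_accepts": public_verify([certify(i, shares[i], pi0) for i in (2, 4, 5)]),
        "rejects_forgery": public_verify([certify(i, shares[i], forged) for i in (1, 3, 4)]),
        "accepts_after_reshare": public_verify([certify(i, fresh[i], pi0) for i in (1, 2, 3)]),
        "secret_unchanged": reconstruct(fresh) == sk,
    }
```

Two things the toy makes visible that the abstract only states. First, certification is non-interactive because each member's certificate is a function of its own share and the public \(\pi _0\) alone; the committee never reconstructs the key, and fewer than `THRESHOLD` certificates recombine to nothing meaningful. Second, after `proactive_reshare` every member holds a new share of the same secret, so old certificates and new ones are not interchangeable: a verifier must combine certificates from one epoch only, which is why the epoch should be bound into the certificate. The toy can certify by a plain linear combination only because its verifier is linear; for a real dvSNARK the paper evaluates the verifier homomorphically under threshold FHE, and replaces the Feldman check with homomorphic signatures.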


Notes

  1. Such a committee is not an uncommon architectural choice. See, e.g., [3, 27].

  2. Naturally we require certifying parties to wait for proof \(\pi _0\) to be posted publicly.

  3. This happens through some nomination mechanism that we just posit and do not model explicitly in this paper. For example, one could use the nominating committee techniques in [3]. After being nominated, the committee members can potentially remain anonymous to the rest of the network. This can be done for example through ephemeral public keys and anonymous public-key encryption [3].

  4. More precisely, we require leveled Threshold FHE, which is shown to be implied by leveled FHE with the mild requirement of a moderate decryption “noise bound” [8].

  5. Context-hiding states that a signature \(\sigma _{f,x}\), authenticating f(x) and obtained homomorphically from a signature on x, reveals nothing about x.

  6. A formal construction from homomorphic signatures is present in [9], but it relies on the specifics of the underlying homomorphic encryption scheme.

  7. Unleveled FHE, where homomorphic operations work correctly for any polynomial-size function f(x) without any depth bound, does imply designated-verifier NIZKs [20]. The recent work in [18] shows, however, that circular (KDM-secure) unleveled FHE even implies pvNIZKs. For our proactive extensions, we assume KDM-secure leveled FHE for \(\mathsf {NC}^1\), which is known to imply (circular-secure) unleveled FHE through bootstrapping [25]. We observe, however, that while the assumptions in our proactive constructions are sufficient to imply pvNIZKs, they do not require the standard FHE bootstrapping, significantly improving the efficiency of homomorphic operations. Finally, circular-secure leveled FHE is not known to imply pvSNARKs.

  8. For the definition of UT security, we refer to the sUT security in Fig. 6. Note that UT security is a special case where there is no trapdoor evaluation oracle.

  9. A (2-party) HSS consists of algorithms: \(\mathsf {Share}\) to secret-share a message, \(\mathsf {Eval}\) to homomorphically produce a partial evaluation of a function f on the message x given a share, and \(\mathsf {Combine}\) to publicly recombine the evaluation shares into f(x).

  10. This instantiation is still plausibly weaker than publicly-verifiable NIZKs; the recent breakthrough in [34] requires a sub-exponential version of DDH to build pvNIZKs.

References

  1. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup, pp. 2087–2104 (2017)

  2. Applebaum, B.: Cryptography in Constant Parallel Time. Springer Science & Business Media, Heidelberg (2013)

  3. Benhamouda, F., et al.: Can a public blockchain keep a secret? In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 260–290. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_10

  4. Bitansky, N., et al.: The hunting of the SNARK. J. Cryptol. 30(4), 989–1066 (2017)

  5. Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again, pp. 326–349 (2012)

  6. Bitansky, N., Chiesa, A., Ishai, Y., Ostrovsky, R., Paneth, O.: Succinct non-interactive arguments via linear interactive proofs, pp. 315–333 (2013)

  7. Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 62–75. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_6

  8. Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption, pp. 565–596 (2018)

  9. Boneh, D., Gennaro, R., Goldfeder, S., Kim, S.: A lattice-based universal thresholdizer for cryptographic systems. IACR Cryptol. ePrint Arch. 2017, 251 (2017)

  10. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman, pp. 108–125 (2008)

  11. Boneh, D., Ishai, Y., Sahai, A., Wu, D.J.: Lattice-based SNARGs and their application to more efficient obfuscation, pp. 247–277 (2017)

  12. Boneh, D., Ishai, Y., Sahai, A., Wu, D.J.: Quasi-optimal SNARGs via linear multi-prover interactive proofs, pp. 222–255 (2018)

  13. Boyle, E., Gilboa, N., Ishai, Y.: Breaking the circuit size barrier for secure computation under DDH, pp. 509–539 (2016)

  14. Boyle, E., Gilboa, N., Ishai, Y., Lin, H., Tessaro, S.: Foundations of homomorphic secret sharing, pp. 21:1–21:21 (2018)

  15. Boyle, E., Kohl, L., Scholl, P.: Homomorphic secret sharing from lattices without FHE, pp. 3–33 (2019)

  16. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world, pp. 423–443 (2020)

  17. Campanelli, M., Gennaro, R., Goldfeder, S., Nizzardo, L.: Zero-knowledge contingent payments revisited: attacks and payments for services, pp. 229–243 (2017)

  18. Canetti, R., et al.: Fiat-Shamir: from practice to theory, pp. 1082–1090 (2019)

  19. Chaidos, P., Couteau, G.: Efficient designated-verifier non-interactive zero-knowledge proofs of knowledge, pp. 193–221 (2018)

  20. Damgård, I., Fazio, N., Nicolosi, A.: Non-interactive zero-knowledge from homomorphic encryption, pp. 41–59 (2006)

  21. Danezis, G., Fournet, C., Groth, J., Kohlweiss, M.: Square span programs with applications to succinct NIZK arguments, pp. 532–550 (2014)

  22. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications, pp. 33–62 (2018)

  23. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs, pp. 626–645 (2013)

  24. Gennaro, R., Minelli, M., Nitulescu, A., Orrù, M.: Lattice-based zk-SNARKs from square span programs, pp. 556–573 (2018)

  25. Gentry, C.: Fully homomorphic encryption using ideal lattices, pp. 169–178 (2009)

  26. Gentry, C., Groth, J., Ishai, Y., Peikert, C., Sahai, A., Smith, A.D.: Using fully homomorphic hybrid encryption to minimize non-interative zero-knowledge proofs. J. Cryptol. 28(4), 820–843 (2015)

  27. Gentry, C., et al.: YOSO: you only speak once. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 64–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_3

  28. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions, pp. 99–108 (2011)

  29. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority, pp. 218–229 (1987)

  30. Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices, pp. 469–477 (2015)

  31. Goyal, V., Kothapalli, A., Masserova, E., Parno, B., Song, Y.: Storing and retrieving secrets on a blockchain. IACR Cryptol. ePrint Arch. 2020, 504 (2020)

  32. Groth, J.: On the size of pairing-based non-interactive arguments, pp. 305–326 (2016)

  33. Ishai, Y., Su, H., Wu, D.J.: Shorter and faster post-quantum designated-verifier zkSNARKs from lattices. Cryptology ePrint Archive, Report 2021/977 (2021). https://ia.cr/2021/977

  34. Jain, A., Jin, Z.: Non-interactive zero knowledge from sub-exponential DDH. In: Canteaut, A., Standaert, F.X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 3–32. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_1

  35. Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (plain) learning with errors. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 89–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_4

  36. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more, pp. 475–484 (2014)

Acknowledgements

We thank the anonymous reviewers, as well as Jesper Buus Nielsen, Mahak Pancholi and Antonio Faonio for useful discussions around this work. Matteo Campanelli was supported by the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM). Hamidreza Khoshakhlagh was funded by the Concordium Foundation under Concordium Blockchain Research Center, Aarhus.

Corresponding author

Correspondence to Hamidreza Khoshakhlagh.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Campanelli, M., Khoshakhlagh, H. (2021). Succinct Publicly-Certifiable Proofs. In: Adhikari, A., Küsters, R., Preneel, B. (eds) Progress in Cryptology – INDOCRYPT 2021. INDOCRYPT 2021. Lecture Notes in Computer Science, vol 13143. Springer, Cham. https://doi.org/10.1007/978-3-030-92518-5_27

  • DOI: https://doi.org/10.1007/978-3-030-92518-5_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92517-8

  • Online ISBN: 978-3-030-92518-5