Improved OR-Composition of Sigma-Protocols

Ciampi, Michele; Persiano, Giuseppe; Scafuro, Alessandra; Siniscalchi, Luisa; Visconti, Ivan

doi:10.1007/978-3-662-49099-0_5

Michele Ciampi¹⁵,
Giuseppe Persiano¹⁶,
Alessandra Scafuro¹⁷,
Luisa Siniscalchi¹⁵ &
…
Ivan Visconti¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9563))

Included in the following conference series:

Theory of Cryptography Conference

2147 Accesses
29 Citations

Abstract

In [18] Cramer, Damgård and Schoenmakers (CDS) devise an OR-composition technique for $\varSigma $-protocols that allows to construct highly-efficient proofs for compound statements. Since then, such technique has found countless applications as building block for designing efficient protocols.

You have full access to this open access chapter, Download conference paper PDF

Non-interactive Composition of Sigma-Protocols via Share-then-Hash

Acyclicity Programming for Sigma-Protocols

Stacking Sigmas: A Framework to Compose $$\varSigma $$ -Protocols for Disjunctions

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

In [18] Cramer, Damgård and Schoenmakers (CDS) devise an OR-composition technique for $\varSigma $-protocols that allows to construct highly-efficient proofs for compound statements. Since then, such technique has found countless applications as building block for designing efficient protocols.

Unfortunately, the CDS OR-composition technique works only if both statements are fixed before the proof starts. This limitation restricts its usability in those protocols where the theorems to be proved are defined at different stages of the protocol, but, in order to save rounds of communication, the proof must start even if not all theorems are available. Many round-optimal protocols ([21, 30, 41, 44]) crucially need such property to achieve round-optimality, and, due to the inapplicability of CDS’s technique, are currently implemented using proof systems that requires expensive NP reductions, but that allow the proof to start even if no statement is defined (a.k.a., LS proofs from Lapidot-Shamir [31]).

In this paper we show an improved OR-composition technique for $\varSigma $-protocols, that requires only one statement to be fixed when the proof starts, while the other statement can be defined in the last round. This seemingly weaker property is sufficient for the applications, where typically one of the theorems is fixed before the proof starts. Concretely, we show how our new OR-composition technique can directly improve the round complexity of the efficient perfect quasi-polynomial time simulatable argument system of Pass [38] (from four to three rounds) and of efficient resettable WI arguments (from five to four rounds).

1 Introduction

Witness-Indistinguishable (WI) Proofs. WI^{Footnote 1} proofs are fundamental for the design of cryptographic protocols, particularly when they are also proofs of knowledge (PoK). In a WIPoK the prover $\mathcal {P}$ proves knowledge of a witness certifying the veracity of a statement $x \in L$ to a verifier $\mathcal {V}$. WIPoKs can be used directly in some applications (e.g., in identification schemes) or can be a building block for stronger security notions (e.g., for zero-knowledge proofs using the FLS [24] paradigm or for round-optimal secure computation [30]).

Round complexity of cryptographic protocols has been extensively studied both for its practical relevance and for its natural and conceptual interest. Regarding WIPoKs, we know from Blum’s protocol [5] that 3-round WIPoKs exist for all NP languages under the sole assumptions that one-way permutations exist. This result is obtained by designing a WIPoK for the language of Hamiltonian graphs and then by leveraging on the NP-completeness of the language of Hamiltonian graphs. Under stronger cryptographic assumptions, 2-round WI proofs, called ZAPs, and non-interactive WI (NIWI) proofs have been shown in [4, 23, 28]. Neither ZAPs nor NIWI proofs are PoKs.

Since NPreductions are extremely expensive, several practical interactive PoKs have been designed for languages that are used in real-world cryptographic protocols (e.g., for proving knowledge of a discrete logarithm (DLog)). The study of such ad-hoc protocols mainly concentrates on a standardized form of a 3-round PoK referred to as $\varSigma $-protocol [19, 42].

${\varSigma \text {-}{} \mathbf{protocols.}}$ A $\varSigma $-protocol for an NPlanguage L with witness relation $R_L$ is a 3-round proof system jointly run by a prover $\mathcal {P}$ and a verifier $\mathcal {V}$ in which $\mathcal {P}$ proves knowledge of a witness w for $x\in L$. In a $\varSigma $-protocol the only message sent by $\mathcal {V}$ is a random string. Such proof systems have two very useful properties: special soundness, which is a strong form of proof of knowledge, and special honest-verifier zero knowledge (SHVZK). The latter property basically says the following: if the challenge is known in advance, then by just knowing also the theorem, it is possible to generate an accepting transcript without using the witness. This is formalized through the existence of a special simulator, called the SHVZK simulator that, on input a theorem x and a challenge c, will output (a, z) such that (a, c, z) is an accepting 3-message transcript for x and is indistinguishable from the transcript produced by the honest prover when the challenge is c. Blum’s protocol for Graph Hamiltonicity is an example of a $\varSigma $-protocol. Another popular example of $\varSigma $-protocols is Schnorr’s protocol [42] for proving knowledge of a discrete logarithm.

The security provided by the SHVZK property is clearly insufficient as it gives no immediate guarantees against verifiers who deviates from the protocol. Despite of this, the success of $\varSigma $-protocols and their impact in various constructions [1, 2, 6, 9–12, 14, 15, 20, 22, 25, 27, 32, 33, 36, 37, 40, 41, 43] is a fact. This is due to a breakthrough of Cramer et al. [18] that adds WI to the security of $\varSigma $-protocol.

$\mathbf{OR\ Composition\ of}\ \varSigma \text {-}{} \mathbf{Protocols.}$ Let L be a language that admits a $\varSigma $-protocol $\varPi _L$. In [18] it is shown how to use $\varPi _L$ and its properties to construct a new $\varSigma $-protocol, $\varPi _L^{\mathsf {OR}}$, for proving the OR composition of theorems in L avoiding the NPreduction by crucially exploiting the honest-verifier zero-knowledge (HVZK^{Footnote 2}) property of $\varPi _L$. The rationale behind the transformation can be informally explained as follows. The prover wishes to prove a statement of the form $((x_0 \in L)\vee (x_1 \in L))$. The naïve idea of simply running $\varPi _L$ twice in parallel would not work because the prover knows only one of the witnesses, say $w_b$, and cannot compute two accepting transcripts without knowing $w_{1-b}$. However, due to the HVZK property, the prover can generate an accepting transcript for $x_{1-b}\in L$ even without knowing $w_{1-b}$, by running the HVZK simulator $\mathsf {Sim}$ associated with $\varPi _L$. Indeed, $\mathsf {Sim}$ “only” needs in input the theorem $x_{1-b}$ and will output the entire transcript, challenge included. The trick is then to generate the challenges for the two executions of $\varPi _L$, in such a way that the prover can control the challenge of exactly one of them (but not both), and set it to the value generated by $\mathsf {Sim}$. Note that, if running the algorithm of $\mathsf {Sim}$ is as efficient as running the algorithm of $\mathcal {P}$, then the composed protocol is efficient. We stress that this OR-composition technique preserves SHVZK and will refer to it as the CDS-OR technique.

A very interesting property of this transformation, besides the fact that it does not need NPreduction, is that if $\mathsf {Sim}$ is a simulator for perfect HVZK then $\varPi _L^{\mathsf {OR}}$ is WI (this was shown in [18]). This result was further extended by Garay et al. [25] that noted that the CDS-OR technique can be used also for $\varSigma $-protocols that are computational HVZK. In this case the relation proved is slightly different, namely, starting with a relation ${\mathcal {R}}_L$ and instances $x_0$ and $x_1$, the resulting $\varPi ^{\mathsf {OR}}_{L}$ protocol is computational WI for the relation

$$\begin{aligned} {\mathcal {R}}_L^{\mathsf {OR}}=\{((x_0,x_1),w): ((x_0,w) \in {\mathcal {R}}_L \wedge (x_1 \in L)) \vee ((x_1,w) \in {\mathcal {R}}_L \wedge (x_0 \in L)) \}. \end{aligned}$$

Input-Delayed Proofs. Often in cryptographic protocols there is a preamble phase that has the purpose of establishing, at least in part, a statement to be proven with a WI proof. In such cases, since one of the statements is fully specified only when the preamble is completed, the WI proof can start only after the preamble ends. Hence, the overall round complexity of protocols that follow this paradigm amounts to the sum of the round complexity of the preamble and of the WI proof.

In [31], Lapidot and Shamir (and later on Feige et al. in [24]) show a 3-round proof of knowledge for Hamiltonian Graphs which has the special property that a prover can compute the first round of the proof, without knowing the theorem to be proved (that is, the graph) but only needs to know its size (that is, the number of vertices). Such a 3-round protocol is a $\varSigma $-protocol (and thus satisfies the SHVZK property) and is a WI proof. We will refer to this protocol as LS. Also, we will call input delayed a $\varSigma $-protocol where the prover computes the first message without knowledge of the statement to be proved.

The input-delayed property directly improves the round complexity of all the cryptographic protocols that follow the paradigm described above. The reason is that now the WI proof can start even if the preamble that generates the statement is not completed yet. It is worthy to note that in many applications the preamble serves as a mean to generate some trapdoor theorem, that is used only in the security proof. The “honest” theorem instead is typically known already at the beginning of the protocol. This technique has been used extensively and, most notably, it led to the celebrated FLS paradigm that upgrades any WI proof system into a zero-knowledge (ZK) proof system.

The input-delayed property of LS has been instrumental to provide round-efficient constructions from general assumptions, such as: 4-round (optimal) secure 2PC where only one player gets the output (5 rounds when both players get the output) [30], 4-round resettable WI arguments [41, 44], 4-round (optimal) resettable ZK for NP in the BPK model [41, 44].

Despite being so influential to achieve round efficiency for cryptographic protocols, the power of LS unfortunately vanishes as soon as practical constructions are desired. Indeed, similarly to Blum’s protocol, LS is crucially based on specific properties of Hamiltonian graphs. Thus, when used to prove more natural languages, which is the case of most of the applications using WI proofs, it requires to perform rather inefficient NP reductions.

Efficient Protocols and Limits of the CDS-OR Technique. A natural question is what happens if we want to avoid the NP reduction and we try to use the CDS-OR technique to construct input-delayed adaptive WI proofs. A bit more specifically, we know that there exist $\varSigma $-protocols that are input delayed. Schnorr’s protocol [42] for DLog is such an example since the first message can be computed without knowing the instance, but only a group generator. Thus the question is what happens if we apply the CDS-OR technique to an input-delayed $\varSigma $-protocol. Do we obtain a WI $\varSigma $-protocol that is input delayed as well?

Unfortunately, the answer is negative. The CDS-OR technique does not preserve the input-delayed property, not even when used to compose two $\varSigma $-protocols that are both input delayed. To see why, recall that the CDS-OR composition technique when applied to $\varSigma $-protocol $\varPi _L$ for language L requires the prover to compute two accepting transcripts, one of which is computed by running the HVZK simulator $\mathsf {Sim}$. Recall that $\mathsf {Sim}$ needs in input the theorem to be proved. Hence, to prove knowledge of a witness for the compound theorem $(x_0\in L \vee x_1\in L)$, the prover, who knows one witness, say $w_b$, needs to know also $x_{1-b}$ already at the first round to be able to run the simulator. Thus, in the CDS-OR technique the prover can successfully complete the protocol if and only if both ^{Footnote 3} instances are specified already at the first round.

Because of this missing feature, the CDS-OR technique has limited power in allowing one to obtain round-efficient/optimal cryptographic protocols, compared to the number of rounds obtained by using LS. As such, in some cases when focusing on efficient constructions, the best round-complexity that we can achieve using efficient $\varSigma $-protocols and avoiding NP reductions needs at least one additional round, therefore requiring at least 5-round if one wants to match the previously mentioned applications (e.g., 5-round resettable ZK for NP in the BPK model [41, 44] and 5-round resettable WI [41, 44]) argument systems.

Additionally, we note that the CDS-OR technique is the bottleneck in the round-complexity of the 4-round straight-line perfect simulatable in quasi-polynomial time argument shown by Pass in [38]. This argument uses quasi-polynomial time simulation and, potentially, it would only need three rounds as any $\varSigma $-protocol. The additional first round is required precisely to define the trapdoor theorem. Hence, the following natural question arises: Given a language L with an input-delayed $\varSigma $-protocol $\varPi _L$, is it possible to design an efficient Witness Indistinguishable $\varSigma $-protocol $\varPi ^L_{\mathsf {OR}}$ for proving knowledge of a witness certifying that $(x_0\in L \vee x_1\in L)$ that does not require knowledge of both $x_0$ and $x_1$ to play the first round?

1.1 Our Contribution

In this paper we answer the above question positively for a large class of $\varSigma $-protocols that includes all $\varSigma $-protocols used in efficient constructions. Specifically, we propose a new OR-composition technique for $\varSigma $-protocols that relaxes the need of having both instances fixed before the $\varSigma $-protocol starts. Our technique allows the composition of $\varSigma $-protocols for different languages and leads to improved round complexity in previous efficient constructions based on CDS-OR technique. Namely, we describe the following two results that we obtain by making use of our new OR-composition technique:

Efficient 3-round straight-line perfect quasi-polynomial time simulatable argument system for a large class of useful languages. The previous construction required four rounds [38].
Efficient 4-round rWI argument system. Previous constructions required five rounds [41, 44].

Our new technique can also be used to replace LS towards obtaining efficient round-optimal resettable zero-knowledge arguments in the BPK model (using the constructions of [41, 44]), round-optimal secure two-party computation (using the construction of [30]) and 4-round non-malleable commitments (using the construction of [26]).

Finally, we provide a precise classification of the $\varSigma $-protocols that can be used in our new OR-composition technique. In the following paragraphs we first provide a high-level description our OR-composition technique, then we discuss the applications in more details.

1.2 Our Techniques

Overview. We start by defining the setting we are considering. Let $L_0$ and $L_1$ be any pair of languages admitting $\varSigma $-protocols $\varPi _0$ and $\varPi _1$. We want to construct a $\varSigma $-protocol $\varPi ^{\mathsf {OR}}_L$ for the language $L=L_0\vee L_1$. An instance of L is a pair $(x_0,x_1)$ and we want only $x_0$ to be specified before $\varPi ^{\mathsf {OR}}_L$ starts while $x_1$ is specified only upon the last round of the protocol^{Footnote 4}. We assume that $\varPi _1$ is an input-delayed $\varSigma $-protocol and thus the first prover message of $\varPi _1$ can be computed without knowing $x_1$. As mentioned earlier this property is satisfied by popular $\varSigma $-protocols such as the ones for Discrete Log, Diffie-Hellman triples, and of course, LS itself.

Now, recall that the problem with the CDS-OR technique was that a prover needs to run $\mathsf {Sim}$ to compute the first round of the protocol, and this necessarily requires knowledge of both theorems before the protocol starts. We want instead that the prover uses only knowledge of $x_0$.

We solve this problem by introducing a new OR-composition technique that does not require the prover to run $\mathsf {Sim}$ on $x_1$ already in the first round. Instead, our technique allows the prover to wait and take action only in the third round when $x_1$ is finally defined.

Our starting point is the well known fact that given any $\varSigma $-protocol there exists an instance-dependent trapdoor commitment ($\mathsf {IDTC}$) scheme where the witness for the membership of the instance in the language can be used as a trapdoor to open a committed message as any desired message, as in [20]. Our next observation is that, instead of having the prover send the first round for protocol $\varPi _1$ in the clear, we can have him send a commitment to it, and such commitment can be computed using an instance-dependent trapdoor commitment based on $\varPi _0$ with respect to instance $x_0$. Recall that this is possible, as in our setting we assume that $\varPi _1$ is an input-delayed $\varSigma $-protocol, so the prover can honestly compute the first message of $\varPi _1$ without knowing $x_1$. Therefore, the first round of our $\varPi ^{\mathsf {OR}}_{L}$ protocol, is simply an $\mathsf {IDTC}$ of a honest $\varPi _1$’s first round.

Later on, upon receiving the challenge c from the verifier, and after the theorem $x_1$ is defined, the prover computes the third round as follows. If she has received a witness for $x_0$, then she will run $\mathsf {Sim}$ on input $(x_1,c)$ to compute an accepting transcript of $\varPi _1$ for $x_1$. Then, using the witness $w_0$ she will equivocate the commitment sent in the first round, according to the message output by $\mathsf {Sim}$. Otherwise, if she has received a witness for $x_1$ then she does not need to equivocate: she will honestly open the commitment, and honestly compute the third message of $\varPi _1$. Therefore, the third round of $\varPi ^{\mathsf {OR}}_{L}$, simply consists of an opening of the $\mathsf {IDTC}$ together with the third message of $\varPi _1$.

Now note that this idea works only if we have a special $\mathsf {IDTC}$ scheme that has the following strong trapdoor property: a sender can equivocate even a commitment that has been computed honestly. Unfortunately, this property is not satisfied in general by any trapdoor commitment based on $\varSigma $-protocols, but only for some. This would restrict the class of $\varSigma $-protocols that we can use as $L_0$ in our technique. For example, this class would not contain Blum’s protocol.

Our next contribution is the construction of $\mathsf {IDTC}$ schemes that satisfy this strong trapdoor property, for a large class of $\varSigma $-protocols. Towards this goal, we define the notion of a t-$\mathsf {IDTC}$ scheme which are $\mathsf {IDTC}$s for which the ability to open a commitment in t ways implies knowledge of a witness for the instance associated with the commitment. Next, we construct $2$-$\mathsf {IDTC}$ and $3$-$\mathsf {IDTC}$ schemes based on two different classes of $\varSigma $-protocols, the union of which includes all the $\varSigma $-protocols that are commonly used in cryptographic protocols. Finally, we provide a general OR-composition technique for any pair of languages $L_0$ and $L_1$ such that $L_0$ has a t-$\mathsf {IDTC}$ scheme and $L_1$ has an input-delayed $\varSigma $-protocol.

t-Instance-Dependent Trapdoor Commitment Scheme. For integer $t\ge 2$, a t-$\mathsf {IDTC}$ scheme for a polynomial-time relation ${\mathcal {R}}$ admitting $\varSigma $-protocol $\varPi _{\mathcal {R}}$ is a triple $(\mathsf {TCom},\mathsf {TDec},\mathsf {TFake})$ where $\mathsf {TCom}$, $\mathsf {TDec}$ are the honest commitment/decommitment procedures and $\mathsf {TFake}$ is the equivocation procedure that, given a witness for an instance x, equivocates any commitment with respect to x computed by $\mathsf {TCom}$. The crucial differences between a t-$\mathsf {IDTC}$ scheme and a regular trapdoor commitment scheme are: (a) the trapdoor property is strong in the sense that knowledge of the trapdoor (that is, the witness of the instance x) allows to equivocate even commitments that have been honestly computed; (b) the binding property is relaxed: in a t-$\mathsf {IDTC}$ scheme, the sender can open the same commitment in $t-1$ different ways, even without the trapdoor. This relaxation allows us to build an $\mathsf {IDTC}$ scheme from a wider class of $\varSigma $-protocols, which will cover all the $\varSigma $-protocols that have been used in literature.

Constructing a 2-IDTC Scheme. A $2$-$\mathsf {IDTC}$ scheme can be directly constructed from any $\varSigma $-protocol $\varPi _0$ that has the following property: even if the first message $a_0$ was computed by the SHVZK simulator $\mathsf {Sim}$, an accepting $z_0$ can be efficiently computed, for every challenge $c_0$, by using knowledge of the witness and of the randomness used by $\mathsf {Sim}$ to produce $a_0$. We call the $\varSigma $-protocols that satisfy this property, chameleon $\varSigma $-protocols, and we denote by $\mathsf {P}_\mathsf{sim}$ the special prover strategy that can answer any challenge even starting from a simulated $a_0$.

More precisely, given a chameleon $\varSigma $-protocol $\varPi _0$ for a language $L_0$, one can construct a $2$-$\mathsf {IDTC}$ scheme as follows. Let $x_0 \in L_0$. To commit to a message m, the sender runs $\mathsf {Sim}(x_0,m;r_0)$ and obtains $a_0, z_0$. The commitment is the value $a_0$. The opening is the pair $m, z_0$. The commitment is accepted iff $(x_0, a_0, m, z_0)$ is accepting. To equivocate $a_0$, as a message $m'$, run the special prover algorithm $\mathsf {P}_\mathsf{sim}((x_0, m,r_0), w_0, m')$ and obtain an accepting $z_0$.

Constructing a 3-IDTC Scheme. We now discuss a different committing strategy that works for $\varSigma $-protocols in which the simulated first message $a_0$ can only be continued for the challenge specified by $\mathsf {Sim}$, even if a witness is made available. Blum’s protocol for Hamiltonicity is an example of such $\varSigma $-protocol.

To commit to m, the sender sends a pair $(a_0,a_0')$ where, with probability 1 / 2, $a_0$ is obtained by running $\mathsf {Sim}(x_0,m)$ while $a_0'$ is computed by running the prover of $\varPi _0$, and with probability 1 / 2 the above order is inverted. One can think of a commitment as composed of two threads: a simulated thread and a honest thread. To open the commitment, the prover sends m and $z^*$, and the verifier accepts the decommitment if $m,z^*$ are accepting for one of the threads; namely, the verifier checks that either $(a_0,m,z^*)$ or $(a'_0,m,z^*)$ is accepting for $x_0\in L_0$. To equivocate ($a_0,a'_0)$ to a message $m'$, the sender simply continues the thread of the honest prover, using $m'$ as challenge and computes $z^*$ using the witness. Clearly, a malicious sender can open in two different ways even when $x_0\not \in L$. Nevertheless, three openings allow the extraction of the witness for $x_0$.

When our OR-composition technique is instantiated with a $3$-$\mathsf {IDTC}$ scheme we have that the resulting protocol is still WI since no power is added to the verifier. However the protocol is not a $\varSigma $-protocol since the special-soundness property is not guaranteed. The reason is that, in a $3$-$\mathsf {IDTC}$ scheme the sender can open the commitment in two different ways even without having the trapdoor (i.e., the witness for $x_0 \in L_0$). Therefore, for any challenge c sent by $\mathcal {V}$, the fact that the commitment of $a_1$ can be opened in two ways gives a malicious prover $\mathcal {P}^*$ two chances $(a_1,c,z_1)$ and $(a_1',c,z_1')$ to successfully complete the protocol for a false statement $x_1$. Nevertheless, this extra freedom does not hurt soundness as both openings (i.e., $a_1$ and $a_1'$) are fixed in advance, and thus when $x_1$ is not an instance of the language there exist only two challenges $c'$ and $c''$ that would allow $\mathcal {P}^*$ to succeed. When the challenge is long enough the success probability of $\mathcal {P}^*$ is therefore negligible.

Our construction when starting from a $3$-$\mathsf {IDTC}$ scheme is 3-special sound (i.e., answering to 3 challenges allows one to compute a witness efficiently), and therefore it is a proof of knowledge when the challenge is long enough.

1.3 Discussion

What Really Matters. Our new OR-composition technique works only when the theorem that has not been defined yet (i.e., $x_1$), admits an input-delayed $\varSigma $-protocol). We stress that this is not a limitation for the applications that we have in mind. In fact, in all efficient protocols that make use of input-delayed proofs that we are aware of, the preamble has always the purpose of generating the trapdoor theorem. In practical scenarios^{Footnote 5} $L_1$ usually corresponds to DLog or DDH. The fact that we can not have Blum’s $\varSigma $-protocol for $L_1$ when $L_1$ is the language of Hamiltonian graphs, is therefore not relevant as the actual language of interest is $L_0$.

Comparison with the CDS-OR Technique. We remark that even in the extremely simplified case where:

1.
the two instances $x_0$ and $x_1$ are for the same language L,
2.
L admits an input-delayed $\varSigma $-protocol $\varPi _L$ which is also special HVZK,
3.
$\varPi _L$ is chameleon and thus one can compute the first message using $\mathsf {Sim}$ and then continue with the prover to answer to arbitrary challenges,
4.
the prover knows in advance the witness w and instance $x_b$ for which she will be able to honestly complete the protocol,

the CDS-OR technique fails in obtaining a $\varSigma $-protocol (or a WIPoK) for the OR composition of instances of L if any one of the instances is not known when the protocol starts.

Beyond Schnorr’s Protocol. The works of Cramer [16], Cramer and Damgård [17], and Maurer [34, 35] showed that a protocol (referred to as the Pre-Image Protocol) for proving knowledge of a pre-image of a group homomorphism unifies and generalizes a large number of protocols in the literature. Classic $\varSigma $-protocols, such as Schnorr’s protocol [42] and the Guillou-Quisquater protocol [29], are particular cases of this abstraction. We show that the Pre-Image Protocol is a chameleon $\varSigma $-protocol and can thus be used in our construction.

What Is In and What Is Out. As mentioned previously, the $\varSigma $-protocol for $L_1$ can be any input-delayed $\varSigma $-protocol. We now discuss which $\varSigma $-protocols can be used to instantiate $L_0$ in our OR transform. For this purpose, we identify four classes of $\varSigma $-protocols and we prove that any $\varSigma $-protocol that falls in any of the first three classes can be used in our OR transform (by instantiating either a 2-$\mathsf {IDTC}$, or a 3-$\mathsf {IDTC}$ scheme).

We also identify a class of $\varSigma $-protocols that is not suitable for any of our techniques. Luckily, we have no example of natural $\varSigma $-protocols that fall in this class, and in order to prove the separation we had to construct a very contrived scheme. The four classes are listed below.

(Class 1) $\varSigma $-protocols that are Chameleon and do not require the witness to compute the first round. This class of $\varSigma $-protocols can be used to construct both $2$-$\mathsf {IDTC}$ and $3$-$\mathsf {IDTC}$ schemes.
(Class 2) $\varSigma $-protocols that are Chameleonand require the prover to use the witness already to compute the first round. This class of $\varSigma $-protocols can be used to construct a $2$-$\mathsf {IDTC}$ scheme.
(Class 3) $\varSigma $-protocols that are not Chameleon but do not require the prover to use the witness in the first round. This class of $\varSigma $-protocols can be used to construct a $3$-$\mathsf {IDTC}$ scheme.
(Class 4) $\varSigma $-protocols that are not Chameleon and require the witness to be used already in the first round. This class of $\varSigma $-protocols can not be used in our techniques.

The Input-Delayed Features. We stress here that our techniques allow to start and complete an efficient OR composition of two $\varSigma $-protocols (with the discussed restrictions) provided that one instance is known and another one will be known later. Having a witness for the first or the second instance always allows $\mathcal {P}$ to convince $\mathcal {V}$. This contrasts with the CDS-OR technique where knowing a witness for $x_0$ would block $\mathcal {P}$ immediately since $\mathcal {P}$ would need immediately $x_1$ to continue, but $x_1$ will not be available until the third round.

1.4 Applications

Our new OR-composition technique does not provide the full power of LS because it needs one theorem to be known before the protocol starts. However, as we show below, this seemingly weaker property suffices to improve the round-complexity of some of the previous constructions based on the CDS-OR technique. Such constructions aim to efficiently^{Footnote 6} transform a $\varSigma $-protocol for a relation ${\mathcal {R}}$ into a round-efficient argument with more appealing features.

Efficient 3-Round Straight-Line Perfect Quasi-Polynomial Time Simulatable Argument System. We achieve this result directly, using the construction of Pass [38] and replacing the CDS-OR technique with our technique. As a result the first round of the verifier of [38] can be postponed, therefore reducing the round complexity from four to three rounds. Our construction works for all languages admitting a perfect chameleon $\varSigma $-protocol.

Efficient 4-Round Resettable WI Arguments. It is well known [8] how to transform a $\varSigma $-protocol into a resettable WI protocol: the verifier commits to the challenge c using a perfectly hiding commitment scheme and sends it to the prover in the first round; the prover then computes its messages with randomness derived by applying a pseudo-random function (PRF) on the commitment received. Soundness follows directly from the soundness of the $\varSigma $-protocol due to the perfect hiding of the commitment. WI follows from the fact that the protocol is zero knowledge against a stand-alone verifier and thus concurrent WI. Then the use of the PRF and the fact that all messages of the verifier are committed in advance upgrades concurrent WI to resettable WI. This approach, however, generates a 5-round protocol.

Achieving the same result efficiently, namely, avoiding NP reductions, in only four rounds is non-trivial. The reason is that if we attempt to replace the 2-round perfectly hiding commitment with a non-interactive commitment, we lose the unconditional soundness property, and then it is not clear how to argue about computational soundness. More specifically, black-box extraction of the witness is not possible (black-box extraction and resettable WI can not coexist) and the adversarial prover could try to maul the commitment of the verifier and adaptively generate the first round of the $\varSigma $-protocol. In fact, even allowing complexity-leveraging arguments (and thus, straight-line extraction), constructing a 4-round WI argument system that avoids NP reductions and adds only a few modular exponentiations to the underlying $\varSigma $-protocol has remained so far an open problem.

We solve this problem by using our new OR-composition technique. We have the verifier commit to the challenge in the first round, but then later, instead of sending the decommitment, she will directly send the challenge and prove that either the challenge is the correct opening of the commitment or she solved some hard puzzle (in our construction, computing the Discrete Log of a random group element chosen by the prover). The puzzle is sent by the prover in the second round and it will be solved by the reduction in super-polynomial time in the proof of soundness.

This trick has been proposed in literature in various forms [21, 38] and we are using the form used in [21] where the puzzle is sent only in the second round. [21] must use the LS transform and therefore needs NP-reduction. As explained earlier, going through LS was necessary as the CDS-OR transform can be applied only if both statements are fixed at the beginning.

Our new OR transform solves precisely this problem, and it allows the verifier to start the proof before the puzzle is defined, and this proof can be done efficiently without NP reductions.

Resettable WI follows from the CGGM transformation and the WI property of the proof generated by the prover. The groups used for the commitment of the challenge and for the puzzle sent by the prover, will be chosen appropriately so that the hardness of computing discrete logarithms are different and guarantee that our reductions work (i.e., we make use of complexity leveraging).

Further Applications. Our new OR-composition technique can find various other applications. Indeed, wherever there is a round-efficient (but otherwise inefficient) construction based on the use of LS without a corresponding efficient construction with the same round complexity, then our technique constitutes a powerful tool towards achieving computationally efficient and round-efficient constructions. For instance, the 4-round (optimal) resettable ZK argument systems in the BPK model provided in [41, 44], consists (roughly) of the parallel execution of a (resettable) WI protocol from the prover to the verifier, where the prover proves that either $x\in L$ or he knows the secret key associated to the public identity of the verifier, and a 3-round (resettably-sound) WI protocol from the verifier to the prover, where $\mathcal {V}$ proves knowledge of the secret key associate to its public key, or knowledge of the solution of a puzzle computed by the prover. When instantiated with efficient $\varSigma $-protocols, such construction requires 5-rounds, where the additional round, from the prover to the verifier, is used to send the puzzle necessary for the verifier to start a proof using the CDS-OR technique. We observe that this setting closely resembles the setting of the 4-round resettable WI ($\mathsf {r}\mathsf {WI}$) protocol that we provide in this paper. As such, one could directly instantiate the proof provided by the prover of the $\mathtt{{BPK}}$ model, with our 4-round $\mathsf {r}\mathsf {WI}$ protocol, and have the verifier just prove knowledge of its secret keys, thus avoiding the need of the additional first round.

Our OR-composition technique could also be useful in replacing the use of LS in the 4-round non-malleable commitment scheme of [26], and in the round-optimal secure two-party computation protocol of [30].

1.5 Open Problems

Our OR-composition technique relaxes the requirement of CDS-OR of requiring knowledge of all instances already at the beginning of the protocol. However still our result does not match the power of LS where no theorem is required for the protocol to start. An immediate open question is whether one can improve our OR transform so that the first round can be run without the knowledge of any theorem. Perhaps a first step in this direction would be to answer a related relaxed question, which is to design an OR transform for proving (still preserving WI) knowledge of 1 out of n theorems and that requires knowledge of (at least some) theorems only after the second round. It would also be interesting to extend our technique in order to make it applicable to all $\varSigma $-protocols.

2 Definitions

In this section we set-up our notation and give some useful definitions. More definitions can be found in the full version.

We denote the security parameter by $\lambda $. If A is a probabilistic algorithm then A(x) denotes the probability distribution of the output of A when it receives x as input. By A(x; R) instead we denote the output of A on input x when coin tosses R are used as randomness.

A polynomial-time relation ${\mathcal {R}}$ (or, simply, a relation) is a subset of $\{0,1\}^\star \times \{0,1\}^\star $ for which membership of (x, w) to ${\mathcal {R}}$ can be decided in time polynomial in |x|. We define the NP-language $L_{\mathcal {R}}$ as $L_{\mathcal {R}}=\{x|\exists w: (x, w)\in {\mathcal {R}}\}$. If $(x,w)\in {\mathcal {R}}$, we say that w is a witness for instance x. Following [25], we define $\hat{L}_{\mathcal {R}}$ to be the input language that includes both $L_{\mathcal {R}}$ and all well formed instances that do not have a witness. More formally, $L_{\mathcal {R}}\subseteq \hat{L}_{\mathcal {R}}$ and membership in $\hat{L}_{\mathcal {R}}$ can be tested in polynomial time. We implicitly assume that the verifier of a protocol for relation ${\mathcal {R}}$ executes the protocol only if the common input x belongs to $\hat{L}_{\mathcal {R}}$ and rejects immediately common inputs not in $\hat{L}_{\mathcal {R}}$.

Number-Theoretic Assumptions. We define group generator algorithms to be probabilistic polynomial-time algorithms that take as input security parameter $1^\lambda $ and output $(\mathcal {G},q,g)$, where $\mathcal {G}$ is (the description of) a cyclic group of order q and g is a generator of $\mathcal {G}$. We assume that membership in $\mathcal {G}$ and its group operations can be performed in time polynomial in the length of q and that there is an efficient procedure to randomly select elements from $\mathcal {G}$. Moreover, with a slight abuse of notation, we will use $\mathcal {G}$ to denote the group and its description.

We consider the sub-exponential versions of the DLog and of the DDH assumptions that posit the hardness of the computation of discrete logarithms and of breaking the Decisional Diffie-Hellman assumption with respect to the group generator algorithm $\mathsf {IG}$ that, on input $\lambda $, randomly selects a $\lambda $-bit prime q such that $p=2q+1$ is also prime and outputs the order q group $\mathcal {G}$ of the quadratic residues modulo p along with a random generator g of $\mathcal {G}$. The strong versions of the two assumptions posit the hardness of the same problems even if p (and q) and generator g are chosen adversarially.

3 $\varSigma $-Protocols

We consider 3-move protocols $\varPi $ for a polynomial-time relation ${\mathcal {R}}$. Protocol $\varPi $ is played by a prover $\mathcal {P}$ and a verifier $\mathcal {V}$ that receive a common input x. $\mathcal {P}$ receives as an additional private input a witness w for x and the security parameter $1^\lambda $ in unary. The protocol $\varPi $ has the following form:

1.
$\mathcal {P}$ runs algorithm $\mathsf {P}_1$ on common input x, private input w, security parameter $1^\lambda $ and randomness R obtaining $a=\mathsf {P}_1(x,w,1^\lambda ;R)$ and sends a to $\mathcal {V}$.
2.
$\mathcal {V}$, after receiving a from $\mathcal {P}$, chooses a random challenge $c\leftarrow \{0,1\}^{l}$ and sends c to $\mathcal {P}$.
3.
$\mathcal {P}$ runs algorithm $\mathsf {P}_2$ on input x, w, R, c and sends $z\leftarrow \mathsf {P}_2(x,w,R,c)$ to $\mathcal {V}$.
4.
$\mathcal {V}$ outputs $\mathsf {V}(x,a,c,z)$ (i.e., $\mathcal {V}$’s decision to accept ($b=1$) or reject ($b=0$)).

We call $(\mathsf {P}_1,\mathsf {P}_2,\mathsf {V})$ the algorithms associated with $\varPi $ and l the challenge length such that, wlog, the challenge space $\{0,1\}^l$ is composed of $2^l$ different challenges.

The triple (a, c, z) of messages exchanged is called a 3-move transcript. A 3-move transcript is honest if a, z correspond to the messages computed running the honest algorithms, respectively, of $\mathsf {P}_1$ and $\mathsf {P}_2$, and c is a random string, in $\{0,1\}^l$. A 3-move transcript (a, c, z) is accepting for x if and only if $\mathsf {V}(x,a,c,z)=1$. Two accepting 3-move transcripts (a, c, z) and $(a',c',z')$ for an instance x constitute a collision if $a=a'$ and $c \ne c'$.

Definition 1

( $\varSigma \text {-}{} \mathbf{protocol}$ [18]). A 3-move protocol $\varPi $ with challenge length l is a $\varSigma $ -protocol for a relation ${\mathcal {R}}$ if it enjoys the following properties:

1.
Completeness. If $(x,w)\in {\mathcal {R}}$ then all honest 3-move transcripts for (x, w) are accepting.
2.
Special Soundness. There exists an efficient algorithm $\mathsf {Extract}$ that, on input x and a collision for x, outputs a witness w such that $(x,w)\in {\mathcal {R}}$.
3.
Special Honest-Verifier Zero Knowledge (SHVZK). There exists a PPT simulator algorithm $\mathsf {Sim}$ that takes as input $x\in L_{\mathcal {R}}$, security parameter $1^\lambda $ and $c\in \{0,1\}^l$ and outputs an accepting transcript for x where c is the challenge. Moreover, for all l-bit strings c, the distribution of the output of the simulator on input (x, c) is computationally indistinguishable from the distribution of the 3-move honest transcript obtained when $\mathcal {V}$ sends c as challenge and $\mathcal {P}$ runs on common input x and any private input w such that $(x,w)\in {\mathcal {R}}$.

We say that $\varPi $ is Perfect when the two distributions are identical.

Not to overburden the descriptions of protocols and simulators, we will omit the specification of the security parameter when it is clear from the context.

In the rest of the paper, we will call a 3-move protocol that enjoys Completeness, Special Soundness and Honest-Verifier Zero Knowledge (HVZK^{Footnote 7}) a $\tilde{\varSigma }$-protocol. The next theorem shows that SHVZK can be added to a 3-move protocol with HVZK without any significant penalty in terms of efficiency.

Theorem 1

[19]. Suppose relation ${\mathcal {R}}$ admits a 3-move protocol $\varPi '$ that is HVZK (resp., perfect HVZK). Then ${\mathcal {R}}$ admits a 3-move protocol $\varPi $ that is SHVZK (resp., perfect SHVZK) and has the same efficiency.

Proof

Let l be the challenge length of $\varPi '$, let $(\mathsf {P}_1',\mathsf {P}_2',\mathsf {V}')$ be the algorithms associated with $\varPi '$ and let $\mathsf {Sim}'$ be the simulator for $\varPi '$. Consider the following algorithms.

1.
$\mathsf {P}_1$, on input $(x,w)\in {\mathcal {R}}$, security parameter $1^\lambda $ and randomness $R_1$, parses $R_1$ as $(r_1, c'')$ where $|c''|=l$, computes $a'\leftarrow \mathsf {P}_1'(x,w,1^\lambda ;r_1)$, and outputs $a=(a',c'')$.
2.
$\mathsf {P}_2$, on input $(x, w)\in {\mathcal {R}}$, $R_1$ and randomness $R_2$ parses $R_1$ as $(r_1, c'')$, c, sets $c'=c\oplus c''$, computes $z'\leftarrow \mathsf {P}_2'(x,w,r_1,c';R_2)$, and sends it to $\mathcal {V}$.
3.
$\mathsf {V}$, on input x, $a=(a', c'')$, c and $z'$, returns the output of $\mathsf {V}'(x,a',c \oplus c'',z' )$ to decide whether to accept or not.

Consider the following PPT simulator $\mathsf {Sim}$ that, on input an instance x and a challenge c, runs $\mathsf {Sim}'$ on input x and obtains $(a',c',z')$. Then $\mathsf {Sim}$ sets $c''=c\oplus c'$ and $a=(a',c'')$ and outputs $(a,c,z')$. It is easy to see that if $\mathsf {Sim}'$ is a HVZK (resp. perfect HVZK) simulator for $\varPi '$ then $\mathsf {Sim}$ is a SHVZK (resp. perfect SHVZK) simulator for $\varPi $.

We will use the definition of proof of knowledge given in [3, 19].

Theorem 2

[19]. Let $\varPi $ be a $\varSigma $-protocol for a relation ${\mathcal {R}}$ with challenge length l. Then $\varPi $ is a proof of knowledge with knowledge error $2^{-l}$.

Definition 2

(Input-Delayed $\varSigma \text {-}{} \mathbf{protocol)\mathbf{.}}$ A $\varSigma $-protocol $\varPi =(\mathcal {P},\mathcal {V})$ with $\mathcal {P}$ running PPT algorithms $(\mathsf {P}_1,\mathsf {P}_2)$ is an input-delayed $\varSigma $-protocol if $\mathsf {P}_1$ takes as input only the length of the common instance and $\mathsf {P}_2$ takes as input the common instance x, the witness w, the randomness $R_1$ used by $\mathsf {P}_1$ and the challenge c received from the verifier.

Definition 3

(Witness-Delayed $\varSigma \text {-}{} \mathbf{protocol)\mathbf{.}}$ A $\varSigma $-protocol $\varPi =(\mathcal {P},\mathcal {V})$ for a relation ${\mathcal {R}}$ with associated algorithms $(\mathsf {P}_1, \mathsf {P}_2, \mathsf {V})$ is a witness-delayed $\varSigma $-protocol if $\mathsf {P}_1$ takes as input only the common instance x.

In a $Chamelon\,\varSigma \text {-}protocol$, the prover can compute the first message by using the simulator and thus knowing only the input but not the witness. Once the challenge has been received, the prover can compute the last message (thus completing the interaction) by using the witness w (which is thus used only to compute the last message) and the coin tosses used by the simulator to compute the first message.

Definition 4

(Chameleon $\varSigma \text {-}{} \mathbf{protocol)\mathbf{.}}$ A $\varSigma $-protocol $\varPi $ for polynomial-time relation ${\mathcal {R}}$ is a Chameleon $\varSigma $-protocol if there exists an SHVZK simulator $\mathsf {Sim}$ and an algorithm $\mathsf {P}_\mathsf{sim}$ satisfying the following property:

Delayed Indistinguishability: for all pairs of challenges $c_0$ and $c_1$ and for all $(x,w)\in {\mathcal {R}}$, the following two distributions
$$\begin{aligned}&\Big \{R\leftarrow \{0,1\}^{|x|^d};(a,z_0)\leftarrow \mathsf {Sim}(x,c_0;R); z_1\leftarrow \mathsf {P}_\mathsf{sim}((x,c_0,R),w,c_1):\\&\qquad \qquad \qquad \qquad \qquad (x,a,c_1,z_1)\Big \} \end{aligned}$$
and
$$\Big \{(a,z_1)\leftarrow \mathsf {Sim}(x,c_1): (x,a,c_1,z_1)\Big \}$$
are indistinguishable, where $\mathsf {Sim}$ is the Special HVZK simulator and d is such that $\mathsf {Sim}$, on input an $\lambda $-bit instance, uses at most $\lambda ^d$ random coin tosses. If the two distributions above are identical then we say that delayed indistinguishability is perfect, and $\varPi $ is a Perfect Chameleon $\varSigma $-protocol.

We remark that a chameleon $\varSigma $-protocol $\varPi $ has two modes of operations: the standard mode when $\mathcal {P}$ runs $\mathsf {P}_1$ and $\mathsf {P}_2$, and a delayed mode when $\mathcal {P}$ uses $\mathsf {Sim}$ and $\mathsf {P}_\mathsf{sim}$. Moreover, observe that since $\mathsf {Sim}$ is a simulator for $\varPi $, it follows from the delayed-indistinguishability property that, for all challenges c and $\tilde{c}$ and common inputs x, distribution

$$\begin{aligned} \{R\leftarrow \{0,1\}^{|x|^d};(a,\tilde{z})\leftarrow \mathsf {Sim}(x,\tilde{c};R); z\leftarrow \mathsf {P}_\mathsf{sim}((x,\tilde{c},R),w,c): (a,c,z)\} \end{aligned}$$

is indistinguishable from

$$\begin{aligned} \{R\leftarrow \{0,1\}^{|x|^d};a\leftarrow \mathsf {P}_1(x,w;R); z\leftarrow \mathsf {P}_2(x,w,R,c):(a,c,z)\}. \end{aligned}$$

That is, the two modes of operations of $\varPi $ are indistinguishable. This property make us able to claim that if $\varPi $ is WI when a WI challenger interacts with an adversary using $(\mathsf {P}_1, \mathsf {P}_2)$, then $\varPi $ is WI even when the pair $(\mathsf {Sim}, \mathsf {P}_\mathsf{sim})$ is used. Finally, we observe that Chameleon $\varSigma $-protocols do exist and Schnorr’s protocol [42] is one example. When considering the algorithms associated to a Chameleon $\varSigma $-protocol, we will add $\mathsf {P}_\mathsf{sim}$.

3.1 $\varSigma $-protocols and Witness Indistinguishability

Definition 5

A 3-move protocol $\varPi =(\mathcal {P},\mathcal {V})$ is Witness Indistinguishable (WI) for a relation ${\mathcal {R}}$ if, for every malicious verifier $\mathcal {V}^{\star }$, there exists a negligible function $\nu $ such that for all $x,w,w'$ such that $(x, w)\in {\mathcal {R}}_L$ and $(x, w')\in {\mathcal {R}}_L$

$$\begin{aligned} \Big |\text{ Prob }\left[ \;\langle \mathcal {P}(w,1^\lambda ),\mathcal {V}^{\star }\rangle (x)=1\;\right] -\text{ Prob }\left[ \;\langle \mathcal {P}(w',1^\lambda ),\mathcal {V}^{\star }\rangle (x)=1\;\right] \Big |\le \nu (\lambda ).\end{aligned}$$

The notion of a perfect WI 3-move protocol is obtained by requiring the two distributions to be identical. We start by recalling the following result.

Theorem 3

[18]. Every Perfect ${\tilde{\varSigma }\text {-}protocol}$ ^{Footnote 8} is Perfect WI.

For completeness, in the full version we show a ${\tilde{\varSigma }\text {-}protocol}$ that it is not WI.

3.2 Or Composition of $\tilde{\varSigma }\text {-}{} \mathbf{protocols}$: the CDS-OR Transform

In this section we describe the CDS-OR [18] transform in details. Let $\varPi $ be a ${\tilde{\varSigma }\text {-}protocol}$ for polynomial-time relation ${\mathcal {R}}$ with challenge length l, associated algorithms $(\mathsf {P}_1,\mathsf {P}_2,\mathsf {V})$ and HVZK simulator $\mathsf {Sim}$. The CDS-OR transform constructs a $\tilde{\varSigma }\text {-}\mathrm{protocol}$ $\varPi _\mathsf {OR}$ with associated algorithms $({{\mathsf {P}^\mathsf {OR}_1}},{{\mathsf {P}^\mathsf {OR}_2}},{{\mathsf {V}^\mathsf {OR}_\varSigma }})$ for the relation

$$\begin{aligned} {\mathcal {R}}_\mathsf {OR}=\left\{ ((x_0,x_1),w): \left( (x_0,w)\in {\mathcal {R}}\wedge x_1\in \hat{L}_{\mathcal {R}}\right) \mathsf {OR}\left( (x_1,w)\in {\mathcal {R}}\wedge x_0\in \hat{L}_{\mathcal {R}}\right) \right\} . \end{aligned}$$

Protocol 1

CDS-OR Transform.

Common input: $(x_0,x_1)$.

${ \mathcal {P}'}$ s private input: (b, w) with $b\in \{0,1\}$ and $(x_b,w)\in {\mathcal {R}}$.

${{\mathsf {P}^\mathsf {OR}_1}}((x_0,x_1),(b,w);R_1)$. Set $a_b=\mathsf {P}_1(x_b,w;R_1)$. Compute $(a_{1-b},c_{1-b},z_{1-b})\leftarrow \mathsf {Sim}(x_{1-b})$. Output $(a_0,a_1)$.
${ P^{\mathsf {OR}}_{2}}((x_0,x_1),(b,w),c,R_1)$. Set $c_b=c\oplus c_{1-b}$. Compute $z_b\leftarrow \mathsf {P}_2(x_b,w,c_b,R_1)$. Output $((c_0,c_1),(z_0,z_1))$.
${{\mathsf {V}^\mathsf {OR}_\varSigma }}((x_0,x_1),(a_0,a_1),c,((c_0,c_1),(z_0,z_1)))$. ${{\mathsf {V}^\mathsf {OR}_\varSigma }}$ accepts if and only if $c=c_0\oplus c_1$ and $\mathsf {V}(x_0,a_0,c_0,z_0)=1$ and $\mathsf {V}(x_1,a_1,c_1,z_1)=1$.

Theorem 4

[18, 25]. If $\varPi $ is a ${\tilde{\varSigma }\text {-}protocol}$for ${\mathcal {R}}$ then $\varPi _\mathsf {OR}$ is a ${\tilde{\varSigma }\text {-}protocol}$ for ${\mathcal {R}}_\mathsf {OR}$ and is WI for relation

$$\begin{aligned} {\mathcal {R}}^\prime _\mathsf {OR}=\left\{ ((x_0,x_1),w): \left( (x_0,w)\in {\mathcal {R}}\wedge x_1\in L_{\mathcal {R}}\right) \mathsf {OR}\left( (x_1,w)\in {\mathcal {R}}\wedge x_0\in L_{\mathcal {R}}\right) \right\} . \end{aligned}$$

Moreover, if $\varPi $ is a Perfect ${\tilde{\varSigma }\text {-}protocol}$ for ${\mathcal {R}}$ then $\varPi ^\mathsf {OR}$ is WI for ${\mathcal {R}}_\mathsf {OR}$.

It is possible to extend the above construction to handle two different relations ${\mathcal {R}}_0$ and ${\mathcal {R}}_1$ that admit $\tilde{\varSigma }\text {-}\mathrm{protocols}$. Indeed we can assume, wlog, that ${\mathcal {R}}_0$ and ${\mathcal {R}}_1$ have $\tilde{\varSigma }\text {-}\mathrm{protocols}$ $\varPi _0$ and $\varPi _1$ with the same challenge length (details are available in the full version). Hence, the construction outlined above can be used to construct ${\tilde{\varSigma }\text {-}protocol}$ $\varPi _\mathsf {OR}^{{\mathcal {R}}_0,{\mathcal {R}}_1}$ for relation

$$\begin{aligned} {\mathcal {R}}_\mathsf {OR}=\left\{ ((x_0,x_1),w): \left( (x_0,w)\in {\mathcal {R}}_0\wedge x_1\in \hat{L}_{{\mathcal {R}}_1}\right) \mathsf {OR}\left( (x_1,w)\in {\mathcal {R}}_1\wedge x_0\in \hat{L}_{{\mathcal {R}}_0}\right) \right\} . \end{aligned}$$

Theorem 5

If $\varPi _0$ and $\varPi _1$ are $\tilde{\varSigma }\text {-}$protocols for ${\mathcal {R}}_0$ and ${\mathcal {R}}_1$, respectively, then $\varPi _\mathsf {OR}^{{\mathcal {R}}_0,{\mathcal {R}}_1}$ is a ${\tilde{\varSigma }\text {-}protocol}$ for relation ${\mathcal {R}}_\mathsf {OR}$ and is WI for relation

$$\begin{aligned} {\mathcal {R}}^\prime _\mathsf {OR}=\left\{ ((x_0,x_1),w): \left( (x_0,w)\in {\mathcal {R}}_0\wedge x_1\in L_{{\mathcal {R}}_1}\right) \mathsf {OR}\left( (x_1,w)\in {\mathcal {R}}_1\wedge x_0\in L_{{\mathcal {R}}_0}\right) \right\} . \end{aligned}$$

Moreover, if $\varPi _0$ and $\varPi _1$ are Perfect $\tilde{\varSigma }\text {-}$protocols for ${\mathcal {R}}_0$ and ${\mathcal {R}}_1$ then $\varPi ^\mathsf {OR}$ is WI for ${\mathcal {R}}_\mathsf {OR}$.

We remark that if $\varPi _0$ and $\varPi _1$ are $\varSigma $-protocols then the CDS-OR transform yields a $\varSigma $-protocol for ${\mathcal {R}}_\mathsf {OR}$ and Theorems 4 and 5 still hold.

4 t-Instance-Dependent Trapdoor Commitment Schemes

In this section, for integer $t\ge 2$, we define the notion of a $t$-Instance-Dependent Trapdoor Commitmentscheme associated with a polynomial-time relation ${\mathcal {R}}$ and show constructions for $t=2$ and $t=3$.

Definition 6

( t -Instance-Dependent Trapdoor Commitment Scheme). Let $t\ge 2$ be an integer and let ${\mathcal {R}}$ be a polynomial-time relation. A t-Instance-Dependent Trapdoor Commitment (a t-IDTC, in short) scheme for ${\mathcal {R}}$ with message space $M$ is a triple of PPT algorithms $(\mathsf {TCom},\mathsf {TDec},\mathsf {TFake})$ where $\mathsf {TCom}$ is the randomized commitment algorithm that takes as input security parameter $1^\lambda $, an instance $x\in \hat{L}_{\mathcal {R}}$ (with $|x|=\text{ poly }(\lambda )$) and a message $m\in M$ and outputs commitment com, decommitment $\mathtt {dec}$, and auxiliary information $\mathtt {rand}$; $\mathsf {TDec}$ is the verification algorithm that takes as input $(x,\mathtt{com},\mathtt {dec},m)$ and decides whether m is the decommitment of $\mathtt{com}$; $\mathsf {TFake}$ is the randomized equivocation algorithm that takes as input $(x,w)\in {\mathcal {R}}$, messages $m_1$ and $m_2$ in $M$, commitment $\mathtt{com}$ of $m_1$ with respect to instance x and associated auxiliary information $\mathtt {rand}$ and produces decommitment information $\mathtt {dec}_2$ such that $\mathsf {TDec}$, on input $(x,\mathtt{com},\mathtt {dec}_2,m_2)$, outputs 1.

A $t$-Instance-Dependent Trapdoor Commitment enjoys:

Correctness: for all $x\in \hat{L}_{\mathcal {R}}$, all $m\in M$, it holds that
$$\text{ Prob }\left[ \;(\mathtt{com},\mathtt {dec},\mathtt {rand}) \leftarrow \mathsf {TCom}(1^\lambda ,x,m) : \mathsf {TDec}(x,\mathtt{com},\mathtt {dec},m)=1\;\right] =1.$$
t -Special Extract: there exists an efficient algorithm $\mathsf {ExtractTCom}$ that, on input x, commitment com, pairs $(\mathtt {dec}_i,m_i)_{i=1}^t$ of openings and messages such that
- for $1\le i<j\le t$ we have that $m_i\ne m_j$;
- $\mathsf {TDec}(x,\mathtt{com},\mathtt {dec}_i,m_i)=1$, for $i=1,\ldots ,t$;
outputs w such that $(x,w)\in {\mathcal {R}}.$
Hiding (resp., Perfect Hiding): for every PPT (resp., unbounded) adversary $\mathcal {A}$ there exists a negligible function $\nu $ (resp., $\nu (\cdot )=0$) such that, for all $x\in L_{\mathcal {R}}$ and all $m_0,m_1 \in M$, it holds that
$$\begin{aligned}&{\text{ Prob }}\big [b\leftarrow \{0,1\}; (\mathtt{com},\mathtt {dec},\mathtt {rand})\leftarrow \mathsf {TCom}(1^\lambda ,x,m_b):\\&\qquad \qquad b=\mathcal {A}(x,\mathtt{com},m_0,m_1)\big ]\le \frac{1}{2}+\nu (\lambda ). \end{aligned}$$
Trapdoorness: the following two families of probability distributions are indistinguishable:
$$\begin{aligned}&\qquad \quad \{(\mathtt{com},\mathtt {dec}_1,\mathtt {rand})\leftarrow \mathsf {TCom}(1^\lambda ,x,m_1);\\&\mathtt {dec}_2\leftarrow \mathsf {TFake}(x,w,m_1,m_2,\mathtt{com},\mathtt {rand}): (\mathtt{com},\mathtt {dec}_2)\} \end{aligned}$$
and $\{(\mathtt{com},\mathtt {dec}_2,\mathtt {rand})\leftarrow \mathsf {TCom}(1^\lambda ,x,m_2):(\mathtt{com},\mathtt {dec}_2)\}$ over all families $\{(x,w,m_1,m_2)\}$ such that $(x,w)\in {\mathcal {R}}$ and $m_1,m_2\in M$.

The perfect trapdoorness property requires the two probability distributions to coincide for all $(x,w,m_1,m_2)$ such that $(x,w)\in {\mathcal {R}}$ and $m_1,m_2\in M$.

Constructing a 2-IDTC ${ scheme\ from\ a\ Chameleon\ \varSigma \text {-}protocol.}$ Let $\varPi =(\mathcal {P},\mathcal {V})$ with associated algorithms $(\mathsf {P}_1,\mathsf {P}_2,\mathsf {V},\mathsf {P}_\mathsf{sim})$ be a Chameleon $\varSigma $-protocol for polynomial-time relation ${\mathcal {R}}$ with a security parameter $1^\lambda $. Let l be the challenge length of $\varPi $ and let $\mathsf {Sim}$ be a SHVZK simulator associated to $\varPi $. We construct a $t$-$\mathsf {IDTC}$ scheme $(\mathsf {TCom}_\varPi ,\mathsf {TDec}_\varPi ,\mathsf {TFake}_\varPi )$ for ${\mathcal {R}}$ with messages space $M=\{0,1\}^{l}$ for $x\in \hat{L}_{R}$ as follows.

Protocol 2

$2\text {-}\mathsf{IDTC}$ scheme from Chameleon $\varSigma {\text {-protocol }} \varPi $.

$\mathsf {TCom}_\varPi (1^\lambda , x,m_1)$: On input x and $m_1 \in M$, pick randomness R and compute $(a,z)\leftarrow \mathsf {Sim}(x,m_1;R)$. Output $\mathtt{com}=a$, $\mathtt {dec}=z$ and $\mathtt {rand}=R$;
$\mathsf {TDec}_\varPi (x, \mathtt{com}, \mathtt {dec}, m_1)$: On input $x,\mathtt{com},\mathtt {dec}$ and $m_1$, run $b=\mathsf {V}(x,\mathtt{com},$ $m_1,\mathtt {dec})$ and accept $m_1$ as the decommitted message iff $b=1$.
$\mathsf {TFake}_\varPi $: On input $(x,w)\in {\mathcal {R}}$, messages $m_1,m_2\in M$, for $m_2$ and $\mathtt {rand}$ for $\mathtt{com}$, output $z=\mathsf {P}_\mathsf{sim}((x,m_1,\mathtt {rand}),w,m_2)$.

Theorem 6

If $\varPi $ is a Chameleon $\varSigma $-protocol for ${\mathcal {R}}$ then Protocol 2 is a $2$-$\mathsf {IDTC}$ scheme for ${\mathcal {R}}$. Moreover, if $\varPi $ is Perfect then so is Protocol 2.

Proof

Correctness follows directly from the Completeness property of $\varPi $.

2-Special-Extract. Suppose $\mathtt{com}$ is a commitment with respect to instance x and let $\mathtt {dec}_1$ and $\mathtt {dec}_2$ be two openings of $\mathtt{com}$ as messages $m_1\ne m_2$, respectively. Then, triplets $(\mathtt{com},m_1,\mathtt {dec}_1)$ and $(\mathtt{com},m_2,\mathtt {dec}_2)$ are accepting transcripts for $\varPi $ on common input x with the same first round; that is, they constitute a collision for $\varPi $. Therefore, we define algorithm $\mathsf {ExtractTCom}$ to be the algorithm that runs algorithm $\mathsf {Extract}$ (that exists by the special soundness of $\varPi $) on input the collision. $\mathsf {ExtractTCom}$ returns the witness for x computed by $\mathsf {Extract}$.

(Perfect) Trapdoorness. It follows from the Perfect Delayed-Indistinguishability property of $\varPi $ as well as the (perfect) Hiding property.

${Constructing\ a 3\text {-}\mathsf{IDTC}\ Scheme.}$ Let ${\mathcal {R}}$ be a polynomial-time relation as above admitting a witness-delayed $\varSigma $-protocol $\varPi $ with associated algorithms $(\mathsf {P}_1, \mathsf {P}_2, \mathsf {V})$ and security parameter $1^\lambda $. Let l denote the challenge length of $\varPi $. We construct a 3-$\mathsf {IDTC}$ scheme for message space $M=\{0,1\}^{l}$ for $x\in \hat{L}_{R}$, as follows.

Protocol 3

${3\text {-}\mathsf{IDTC\ } \mathrm{scheme.}}$

$\mathsf {TCom}_\varPi $: On input $1^\lambda $, x and $m_1 \in M$, pick randomness R and compute $(a_0,z)\leftarrow \mathsf {Sim}(x,m_1)$ and $a_1\leftarrow \mathsf {P}_1(x;R)$. Let $\mathtt{com}_0=a_0$ and $\mathtt{com}_{1}=a_1$. Output $\mathtt{com}=(\mathtt{com}_b,\mathtt{com}_{1-b})$ for a randomly selected bit b, $\mathtt {dec}=z$ and $\mathtt {rand}=R$.
$\mathsf {TDec}_\varPi $: On input $x,\mathtt{com}$ = $(\mathtt{com}_0,\mathtt{com}_1),\mathtt {dec}$ and $m_1$, accept $m_1$ if and only if either $\mathsf {V}( x, \mathtt{com}_0,m_1,\mathtt {dec})=1$ or $\mathsf {V}( x,\mathtt{com}_1,m_1,\mathtt {dec})=1$.
$\mathsf {TFake}_\varPi $: On input $(x,w)\in {\mathcal {R}}$, messages $m_1,m_2\in M$, commitment $\mathtt{com}$ for $m_1$ and $\mathtt {rand}$ for $\mathtt{com}$, output z $\leftarrow $ $\mathsf {P}_2(x,w,\mathtt {rand}, m_2)$.

Theorem 7

If $\varPi $ is a witness-delayed $\varSigma $-protocol for ${\mathcal {R}}$, with the associated algorithms $(\mathsf {P}_1,\mathsf {P}_2,\mathsf {V})$, then Protocol 3 is a $3$-$\mathsf {IDTC}$ scheme for ${\mathcal {R}}$. Moreover, if $\varPi $ is Perfect then so is Protocol 3.

Proof

Correctness follows from the completeness of $\varPi $.

3-Special Extract. It follows from the special soundness of $\varPi $. Assume that the committer generates 3 accepting openings $\mathtt {dec}_1$, $\mathtt {dec}_2$ and $\mathtt {dec}_3$, for distinct messages $m_1$, $m_2$ and $m_3$, for the same commitment $\mathtt{com}$ computed w.r.t. x. In this case, we have three accepting transcript for $\varPi $ and therefore at least two of them must share the same first message, i.e., it is a collision. Thus we can run the extractor $\mathsf {Extract}$ for $\varPi $ on the collision and obtain a witness for x.

Trapdoorness. It follows from the SHVZK property of $\varPi $. We prove this property via hybrid arguments.

The first hybrid, $\mathcal {H}_1$ is the real execution, where a honest prover commits to a message following the honest commitment and decommitment procedure, without using the trapdoor. More formally, in the hybrid $\mathcal {H}_1$ the prover performs the following steps:

On input x and $m_1,m_2\in M$, the prover selects random coin tosses R and computes $(a_0,z)\leftarrow \mathsf {Sim}(x,m_2)$, $a_1\leftarrow \mathsf {P}_1(x;R)$. It picks $b \leftarrow \{0,1\}$ and sends $\mathtt{com}=(a_b,a_{1-b})$, $\mathtt {dec}=z$, $m_2$.

The second hybrid $\mathcal {H}_2$ is equal to $\mathcal {H}_1$ with the difference that $a_0$ is computed using the algorithm $\mathsf {P}_1$ and z using $\mathsf {P}_2$. Formally:

On input x and $m_1,m_2 \in M$, the prover selects random coin tosses $R=(r_1, r_2)$ and computes $a_0\leftarrow \mathsf {P}_1(x;r_1)$, $z\leftarrow \mathsf {P}_2(x,w,r_1, m_2)$ and $a_1\leftarrow \mathsf {P}_1(x;r_2)$. It picks $b \leftarrow \{0,1\}$ and sends $\mathtt{com}=(a_b,a_{1-b})$, $\mathtt {dec}=z$, $m_2$.

Due to the SHVZK property of $\varPi $, $\mathcal {H}_1$ is indistinguishable from $\mathcal {H}_2$. Now we consider the hybrid $\mathcal {H}_3$ in which $a_1$ is computed using $\mathsf {Sim}(x, m_2)$. Formally:

On input x and $m_1, m_2 \in M$, the prover selects random coin tosses R and computes $a_0\leftarrow \mathsf {P}_1(x;R)$, $z\leftarrow \mathsf {P}_2(x,w,R, m_2)$ and ($a_1, \overline{z})\leftarrow \mathsf {Sim}(x, m_1)$. It picks $b \leftarrow \{0,1\}$ and sends $\mathtt{com}=(a_b,a_{1-b})$, $\mathtt {dec}=z$, $m_2$.

Even in this case, we can claim that $\mathcal {H}_3$ is indistinguishable from $\mathcal {H}_2$ because of the SHVZK of $\varPi $. The proof ends with the observation that $\mathcal {H}_3$ is the experiment in which a sender commits to a message $m_1$ and opens to $m_2$ using the trapdoor.

If $\varPi $ is a perfect SHVZK protocol, then the sequence of hybrids produces identical distributions.

5 Our New OR-Composition Technique

In this section we formally describe our new OR transform. Let ${\mathcal {R}}_0$ be a relation admitting a $t$-$\mathsf {IDTC}$ scheme, $I=(\mathsf {TCom}_{\varPi _0},\mathsf {TDec}_{\varPi _0},\mathsf {TFake}_{\varPi _0})$, with $t=2$ or $t=3$, and ${\mathcal {R}}_1$ a relation admitting an input-delayed $\varSigma $-protocol $\varPi _1$ with associated algorithms $(\mathsf {P}_1^1,\mathsf {P}_2^1,\mathsf {V}^1)$ and simulator $\mathsf {Sim}^1$. We show a $\varSigma $-protocol $\varPi ^\mathsf {OR}$ for the OR relation:

$$\begin{aligned} {\mathcal {R}}_\mathsf {OR}=\{ ((x_0,x_1),w):((x_0,w)\in {\mathcal {R}}_0\wedge x_1\in \hat{L}_{{\mathcal {R}}_1}) \ \mathsf {OR}\ ((x_1,w)\in {\mathcal {R}}_1\wedge x_0\in \hat{L}_{{\mathcal {R}}_0})\}. \end{aligned}$$

We denote by $(\mathsf {P}_1^\mathsf {OR},\mathsf {P}_2^\mathsf {OR},\mathsf {V}^\mathsf {OR})$ the algorithms associated with $\varPi ^\mathsf {OR}$. We assume that the initial common input is $x_0$. The other input $x_1$ and the witness w for $(x_0,x_1)$ are made available to the prover only after the challenge has been received. We let $b \in \{0,1\}$ be such that $(x_b,w)\in {\mathcal {R}}_b$ and assume that the message space of the $t$-$\mathsf {IDTC}$ scheme I includes all possible first-round messages of $\varPi _1$. Note that for the constructions of the $t$-$\mathsf {IDTC}$ scheme we provide, the message space coincides with the set of challenges of the underlying $\varSigma $-protocol and, in the full version we show that the challenge length of a $\varSigma $-protocol can be easily expanded/reduced.

We remind that prover algorithm $\mathsf {P}_2^\mathsf {OR}$ receives as further input the randomness $(R_1,\mathtt {rand}_1)$ used by $\mathsf {P}_1^\mathsf {OR}$ to produce the first-round message.

Protocol 4

Protocol $\varPi ^{\mathsf {OR}}$ for ${\mathcal {R}}_{\mathsf {OR}}.$

Common input: $(x_0,1^\lambda )$, where $1^\lambda $ is the security parameter.

1.
$\mathsf {P}_1^\mathsf {OR}(x_0, 1^\lambda )$. Pick random $R_1$ and compute $a_1\leftarrow \mathsf {P}_1^1(1^\lambda ;R_1)$. Then commit to $a_1$ by running $(\mathtt{com},\mathtt {dec}_1,\mathtt {rand}_1)\leftarrow \mathsf {TCom}_{\varPi _0}(1^\lambda , x_0,a_1)$. Output $\mathtt{com}$.
2.
$\mathsf {P}_2^\mathsf {OR}((x_0,x_1),c,(w,b),(\mathtt {rand}_1,R_1))$ (with $(x_b,w)\in {\mathcal {R}}_b$).

If $b=1$, compute $z_1\leftarrow \mathsf {P}_2^1(x_1,w,R_1,c)$ and output $(\mathtt {dec}_1,a_1,z_1)$.

If $b=0$, compute $(a_2,z_2)$ $\leftarrow \mathsf {Sim}^1(x_1,c)$, $\mathtt {dec}_2\leftarrow \mathsf {TFake}_{\varPi _0}$ $(x_0,w,a_1,a_2,$ $\mathtt{com},\mathtt {rand}_1)$ and output $(\mathtt {dec}_2,a_2,z_2)$.
3.
$\mathsf {V}^\mathsf {OR}$, on input $(x_0,x_1)$, $\mathtt{com}$, c, and $(\mathtt {dec},a,z))$ received from $\varPi ^\mathsf {OR}$, outputs 1 iff
$$ \mathsf {TDec}_{\varPi _0}(x_0,\mathtt{com},\mathtt {dec},a)=1\ \text {and} \ \mathsf {V}^1(x_1,a,c,z)=1; $$

Theorem 8

If ${\mathcal {R}}_0$ admits a $2$-$\mathsf {IDTC}$ (resp., $3$-$\mathsf {IDTC}$) scheme and if ${\mathcal {R}}_1$ admits an input-delayed $\varSigma $-protocol, then $\varPi ^{\mathsf {OR}}$ is a $\varSigma $-protocol (resp., is a 3-round public-coin SHVZK PoK) for relation ${\mathcal {R}}_\mathsf {OR}$.

Proof

Completeness follows by inspection. We next prove the properties of Protocol 4 when instantiated with a $2$-$\mathsf {IDTC}$ and $3$-$\mathsf {IDTC}$ schemes.

${Proof\ for\ the\ construction\ based\ on\ the\ 2\text {-}\mathsf{IDTC\ } scheme.}$ Special Soundness. It follows from the special soundness of the underlying $\varSigma $-protocol $\varPi _1$ and the 2-Special Extract of the $2$-$\mathsf {IDTC}$ scheme. More formally, consider a collision $(\mathtt{com},c, (\mathtt {dec},a,z))$ and $(\mathtt{com},c',(\mathtt {dec}',a',z'))$ for input $(x_0,x_1)$. We observe that:

if $a=a'$ then (a, c, z) and $(a',c',z')$ is a collision for $\varPi _1$ for input $x_1$; then we can obtain a witness $w_1$ for $x_1$ by the Special Soundness property of $\varPi _1$;
if $a\ne a'$, then $\mathtt {dec}$ and $\mathtt {dec}'$ are two openings of $\mathtt{com}$ with respect to $x_0$ for messages $a\ne a'$; then we can obtain a witness $w_0$ by the 2-Special Extract of the $2$-$\mathsf {IDTC}$ scheme.

SHVZK Property. Consider simulator $\mathsf {Sim}^\mathsf {OR}$ that, on input $(x_0,x_1)$ and challenge c, sets $(a,c,z)\leftarrow \mathsf {Sim}_1(x_1,c)$ and $(\mathtt{com},\mathtt {dec})\leftarrow \mathsf {TCom}_{x_0}(a)$, and outputs $(\mathtt{com},c,(\mathtt {dec},a,z))$. Next, we show that the transcript generated by $\mathsf {Sim}^\mathsf {OR}$ is indistinguishable from the one generated by a honest prover.

Let us first consider the case in which the prover of $\varPi ^\mathsf {OR}$ receives a witness for $x_1$. In this case, if we sample a random distribution $(\mathtt{com},c,(\mathtt {dec},a,z))$ of $\varPi ^\mathsf {OR}$ on input $(x_0,x_1)$ constrained to c being the challenge we have that (a, c, z) has the same distribution as in random transcript of $\varPi _1$ on input $x_1$ constrained to c being the challenge; moreover, $(\mathtt{com},\mathtt {dec})$ is a pair of commitment and decommitment of a with respect to $x_0$. By the property of $\mathsf {Sim}_1$, this distribution is indistinguishable from (a, c, z) computed as $\mathsf {Sim}_1(x_1,c)$ which is exactly as in the output $\mathsf {Sim}^\mathsf {OR}$.

Let us now consider the case in which the prover of $\varPi ^\mathsf {OR}$ receives a witness for $x_0$. If we sample a random distribution $(\mathtt{com},c,(\mathtt {dec},a,z))$ of $\varPi ^\mathsf {OR}$ on input $(x_0,x_1)$ constrained to c being the challenge we have that (a, c, z) are distributed exactly as in the output of $\mathsf {Sim}^\mathsf {OR}$ (that is by running $\mathsf {Sim}_1$ on input $x_1$ and c). In addition, in the output of $\mathsf {Sim}^\mathsf {OR}$, $(\mathtt{com},\mathtt {dec})$ are commitment and decommitment of a whereas in the view of $\varPi ^\mathsf {OR}$ they are computed by means of ${\mathsf {TFake}}$ algorithm. However, the two distributions are indistinguishable by the trapdoorness of the Instance-Dependent Trapdoor Commitment.

${Proof\ for\ the\ construction\ based\ on\ the\ 3\text {-}\mathsf {IDTC\ } scheme.}$

3-Special Soundness. This property ensures that there exists an efficient algorithm that, given three accepting transcripts, $(a, c_0, z_0)$, $(a, c_1, z_1)$, $(a, c_2, z_2)$ with $c_i\ne c_j$ for $1\le i<j\le 3$, for the same common input, outputs a witness for x.

Consider three accepting transcripts for $\varPi ^\mathsf {OR}$ and input $(x_0,x_1)$: $(\mathtt{com},c_1,(\mathtt {dec}_1,a_1, z_1)),\,(\mathtt{com},c_2,(\mathtt {dec}_2,a_2, z_2))$ and $(\mathtt{com},c_3,(\mathtt {dec}_3,a_3, z_3)).$

We observe that:

if $a_i=a_j$ for some $i\ne j$ then $(a_i,c_i,z_i)$ and $(a_j,c_j,z_j)$ is a collision for $\varPi _1$ for input $x_1$; thus we can obtain a witness $w_1$ for $x_1$ by the Special Soundness property of $\varPi _1$;
if $a_i\ne a_j$ for all $i\ne j$, then, $\mathtt {dec}_1$ and $\mathtt {dec}_2$ and $\mathtt {dec}_3$ are three openings of the same $\mathtt{com}$ with respect to $x_0$ for messages $a_1$, $a_2$ and $a_3$; then we can obtain a witness $w_0$ for $x_0$ by the 3-Special Extract of the $3$-$\mathsf {IDTC}$ scheme.

We stress that having a long enough challenge, 3-special soundness implies the proof of knowledge property.

SHVZK Property. This is similar to the proof for the construction based on $2$-$\mathsf {IDTC}$.

5.1 Witness Indistinguishability of Our Transform

In this section we discuss the adaptive WI property of $\varPi ^\mathsf {OR}$. Roughly speaking, adaptive WI means that in the WI experiment the adversary $\mathcal {A}$ is not forced to choose both theorems $x_0$ and $x_1$ at the onset of the experiment. Rather, she can choose theorem $x_1$ and witnesses $w_0,w_1$ adaptively, after seeing the first message of $\varPi ^\mathsf {OR}$ played by the prover on input $x_0$. After $x_1,w_0,w_1$ have been selected by $\mathcal {A}$, the experiment randomly selects $b\leftarrow \{0,1\}$. The prover then receives $x_1$ and $w_b$ and proceeds to complete the protocol. The adversary wins the game if she can guess b with probability non-negligibly greater than 1 / 2. More formally, we consider adaptive WIfor polynomial-time relation

$$\begin{aligned} {\mathcal {R}}^p_\mathsf {OR}=\left\{ ((x_0,x_1),w): \left( (x_0,w)\in {\mathcal {R}}_0\wedge x_1\in \hat{L}_{{\mathcal {R}}_1}\right) \mathsf {OR}\left( (x_1,w)\in {\mathcal {R}}_1\wedge x_0\in \hat{L}_{{\mathcal {R}}_0}\right) \right\} \end{aligned}$$

and for the weaker relation

$$\begin{aligned} {\mathcal {R}}^c_\mathsf {OR}=\Big \{((x_0,x_1),w): \Big ((x_0,w)\in {\mathcal {R}}_0\wedge x_1\in L_{{\mathcal {R}}_1}\Big )\ \mathsf {OR}\ \Big ( (x_1,w)\in {\mathcal {R}}_1\wedge x_0\in L_{{\mathcal {R}}_0}\Big ) \Big \}. \end{aligned}$$

The adaptive WI experiment, $\mathsf {ExpWI}_\mathcal {A}^{\delta }(x_0,\lambda ,\mathsf {aux})$ with $\delta \in \{c,p\}$, is parameterized by PPT adversary $\mathcal {A}$ and has three inputs: instance $x_0$, security parameter $\lambda $, and auxiliary information $\mathsf {aux}$ for $\mathcal {A}$.

$\mathsf {ExpWI}_\mathcal {A}^{\delta }(x_0,\lambda ,\mathsf {aux})$:

1.
$a=\mathsf {P}_1^\mathsf {OR}(x_0,1^\lambda ;R_1)$, for random coin tosses $R_1$;
2.
$\mathcal {A}(x_0,a,\mathsf {aux})$ outputs $((x_1,w_0,w_1),c,\mathtt {state})$ such that $((x_0,x_1),w_0),((x_0,x_1),w_1)\in {\mathcal {R}}_\mathsf {OR}^{\delta }$;
3.
$b\leftarrow \{0,1\}$;
4.
$z\leftarrow \mathsf {P}_2^\mathsf {OR}((x_0,x_1),w_b,R_1,c)$;
5.
$b'\leftarrow \mathcal {A}(z,\mathtt {state})$;
6.
If $b=b'$ then output 1 else output 0.

We set $\mathsf {Adv}_{\mathcal {A}}^{\delta }(x_0,\lambda ,\mathsf {aux})=\left| \text{ Prob }\left[ \;\mathsf {ExpWI}_\mathcal {A}^{\delta }(x_0,\lambda ,\mathsf {aux})=1\;\right] -\frac{1}{2}\right| .$

Definition 7

$\varPi ^\mathsf {OR}$ is Adaptive Witness Indistinguishable (resp., Adaptive Perfect Witness Indistinguishable) if for every adversary $\mathcal {A}$ there exists a negligible function $\nu $ such that for all $\mathsf {aux}$ and $x_0$ it holds that $\mathsf {Adv}_{\mathcal {A}}^c(x_0,\lambda ,\mathsf {aux})\le \nu (\lambda )$ (resp., $\mathsf {Adv}_{\mathcal {A}}^p(x_0,\lambda ,\mathsf {aux})=0$).

Next, in Theorem 9, we prove the Adaptive Perfect WI of $\varPi ^\mathsf {OR}$ when both $\varPi _0$ and $\varPi _1$ are perfect SHVZK. When one of $\varPi _0$ and $\varPi _1$ is not perfect, we would like to prove that $\varPi ^\mathsf {OR}$ is Adaptive WI. In Theorem 10 we prove a weaker form of Adaptive WI in which the adversary is restricted in his choice of witnesses $(w_0,w_1)$ for relation ${\mathcal {R}}_\mathsf {OR}^c$. We leave open the problem of an OR-composition technique that gives Adaptive WI when the $\varSigma $-protocol composed are not both perfect SHVZK.

Theorem 9

If $\varPi _0$ and $\varPi _1$ are perfect SHVZK then $\varPi ^\mathsf {OR}$ is Adaptive Perfect Witness Indistinguishable.

Proof

The proof considers the following three cases:

Case 1. $(x_0,w_0)\in {\mathcal {R}}_0$ and $(x_1,w_1)\in {\mathcal {R}}_1$;
Case 2. $(x_0,w_0)\in {\mathcal {R}}_0$ and $(x_0,w_1)\in {\mathcal {R}}_0$;
Case 3. $(x_1,w_0)\in {\mathcal {R}}_1$ and $(x_1,w_1)\in {\mathcal {R}}_1$.

For each case we present a sequence of hybrids and prove that pairs of consecutive hybrids are perfectly indistinguishable.

Case 1. The first hybrid experiment $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ is the original experiment $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ in which $b=1$ (and thus $\mathcal {P}$ uses witness $w_1$). That is,

In Step 1 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$, the following steps are executed:
1. 1.
  $a=\mathsf {P}_1^1(1^\lambda ;R_1)$, for random coin tosses $R_1$;
2. 2.
  $(\mathtt{com},\mathtt {dec},\mathtt {rand})\leftarrow \mathsf {TCom}_{\varPi _0}(x_0,1^\lambda ,a)$ and outputs $\mathtt{com}$.
In Step 4 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$, the following steps are executed:
1. 1.
  set $a'=a$;
2. 2.
  $z\leftarrow \mathsf {P}_2^1(x_1,w_1,c,R_1)$;
3. 3.
  set $\mathtt {dec}'=\mathtt {dec}$;
4. 4.
  output $(\mathtt {dec}',a',z)$.

The second hybrid experiment $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ differs from $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ in the way $a'$ and $\mathtt {dec}'$ are computed. More specifically,

Step 1 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ stays the same.
1. 1.
  $a=\mathsf {P}_1^1(1^\lambda ;R_1)$, for random coin tosses $R_1$;
2. 2.
  $(\mathtt{com},\mathtt {dec},\mathtt {rand})\leftarrow \mathsf {TCom}_{\varPi _0}(x_0,1^\lambda ,a)$ and outputs $\mathtt{com}$.
In Step 4 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$, the following steps are executed:
1. 1.
  $a'=\mathsf {P}_1^1(1^\lambda ;R_1')$, for random coin tosses $R_1'$;
2. 2.
  $z\leftarrow \mathsf {P}_2^1(x_1,w_1,c,R_1')$;
3. 3.
  $\mathtt {dec}'\leftarrow \mathsf {TFake}_{\varPi _0}(x_0,w_0,a,a',\mathtt{com},\mathtt {rand})$;
4. 4.
  $(\mathtt {dec}',a',z)$.

The trapdoorness of the instance-dependent trapdoor commitment scheme based on $\varPi _0$ guarantees that $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ and $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ are perfectly indistinguishable for all $\lambda $.

The third hybrid experiment $\mathcal {H}_3(x_0,\lambda ,\mathsf {aux})$ differs from $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ in the way $a'$ and z are computed. More specifically,

Step 1 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ stays the same.
1. 1.
  $a=\mathsf {P}_1^1(1^\lambda ;R_1)$, for random coin tosses $R_1$;
2. 2.
  $(\mathtt{com},\mathtt {dec},\mathtt {rand})\leftarrow \mathsf {TCom}_{\varPi _0}(x_0,1^\lambda ,a)$ and outputs $\mathtt{com}$.
In Step 4 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$, the following steps are executed:
1. 1.
  $(a',z)\leftarrow \mathsf {Sim}^1(x_1,c)$;
2. 2.
  $\mathtt {dec}'\leftarrow \mathsf {TFake}_{\varPi _0}(x_0,w_0,a,a',\mathtt{com},\mathtt {rand})$;
3. 3.
  $(\mathtt {dec}',a',z)$.

By the perfect SHVZK of $\varPi _1$, we have that $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ and $\mathcal {H}_3(x_0,\lambda ,\mathsf {aux})$ are perfectly indistinguishable for all $\lambda $. The proof ends with the observation that $\mathcal {H}_3(x_0,\lambda ,\mathsf {aux})$ is exactly experiment $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ when $b=0$.

Case 2. The first hybrid experiment $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ is again the original experiment $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ in which $b=1$ (and thus $\mathcal {P}$ uses witness $w_1$). The second hybrid experiment $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ differs from $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ in the way $\mathsf {TFake}$ is executed (namely, using as input $w_0$ instead of $w_1$). More specifically,

Step 1 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ stays the same.
1. 1.
  $a=\mathsf {P}_1^1(1^\lambda ;R_1)$, for random coin tosses $R_1$;
2. 2.
  $(\mathtt{com},\mathtt {dec},\mathtt {rand})\leftarrow \mathsf {TCom}_{\varPi _0}(x_0,1^\lambda ,a)$ and outputs $\mathtt{com}$.
In Step 4 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$, the following steps are executed:
1. 1.
  ($a', z)=\mathsf {Sim}^1(x_1,c)$;
2. 2.
  $\mathtt {dec}'\leftarrow \mathsf {TFake}_{\varPi _0}(x_0,w_0,a,a',\mathtt{com},\mathtt {rand})$;
3. 3.
  $(\mathtt {dec}',a',z)$.

The trapdoorness of the instance-dependent trapdoor commitment scheme based on $\varPi _0$ implies that $\mathcal {H}_1(x_0,\lambda \mathsf {aux})$ is perfectly indistinguishable from $\mathcal {H}_2(x_0,\lambda \mathsf {aux})$ for all $\lambda $. The proof ends with the observation that $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ is exactly experiment $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ when $b=0$.

Case 3. The first hybrid experiment $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ is again the original experiment $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\mathsf {aux})$ in which $b=1$ (and thus $\mathcal {P}$ uses witness $w_{1}$). The second hybrid experiment $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ differs from $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ in the way z is computed (using as input $w_1$ instead of $w_0$ when $\mathsf {P}_2$ is executed). More specifically,

In Step 1 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$, the following steps are executed:
1. 1.
  $a=\mathsf {P}_1^1(1^\lambda ;R_1)$, for random coin tosses $R_1$;
2. 2.
  $(\mathtt{com},\mathtt {dec},\mathtt {rand})\leftarrow \mathsf {TCom}_{\varPi _0}(x_0,1^\lambda ,a)$ and outputs $\mathtt{com}$.
In Step 4 of $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$, the following steps are executed:
1. 1.
  $z\leftarrow \mathsf {P}_2^1(x_1,w_0,c,R_1)$;
2. 2.
  output $(\mathtt {dec},a,z)$

The Perfect $\mathsf {WI}$ property of $\varPi _1$ implies that $\mathcal {H}_1(x_0,\lambda ,\mathsf {aux})$ is perfectly indistinguishable from $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$. The proof ends with the observation that $\mathcal {H}_2(x_0,\lambda ,\mathsf {aux})$ is exactly the experiment $\mathsf {ExpWI}_\mathcal {A}^{p}(x_0,\lambda ,\mathsf {aux})$ when $b=0$.

Next we consider the computational case in which one of $\varPi _0$ and $\varPi _1$ is not Perfect SHVZK (but they are still both SHVZK).

Theorem 10

If $\varPi _0$ and $\varPi _1$ are SHVZK then $\varPi ^\mathsf {OR}$ is Adaptive Witness Indistinguishable with respect to adversaries that output $(x_1,w_0,w_1)$ such that at least one of $w_0$ and $w_1$ is a witness for $x_1\in L_{{\mathcal {R}}_1}$.

Proof

We prove this theorem by considering the following two cases:

(1) $(x_{0}, w_{0})\in {\mathcal {R}}_0$ and $(x_{1}, w_{1})\in {\mathcal {R}}_1$;

(2) $(x_{1}, w_{0})\in {\mathcal {R}}_1$ and $(x_{1}, w_{1})\in {\mathcal {R}}_1$.

Case 1. In this case the proof follows closely the one of Case 1 of Theorem 9, with the difference that hybrids here are only computationally indistinguishable.

Case 2. In this case we show that there exists $\mathcal {A}'$ for Case 1 that has the same success probability of $\mathcal {A}$. Suppose indeed that both $w_0$ and $w_1$ are witnesses for $x_1$ and that $\mathcal {A}$ breaks the adaptive WI property of $\varPi ^\mathsf {OR}$. Then, by definition of ${\mathcal {R}}^c_\mathsf {OR}$ and by Definition 7, there exists $\mathcal {A}'$ that has in his description a witness $w_2$ for $x_0$. Indeed, the output of $\mathcal {A}$ interacting with $\mathcal {P}((x_0,x_1),w_2)$ would necessarily be distinguishable from the output of the interaction with either $\mathcal {P}((x_0,x_1),w_0)$ or $\mathcal {P}((x_0,x_1),w_1)$. Therefore $\mathcal {A}'$ would contradict Case 1 and thus there exists no successful $\mathcal {A}$ for Case 2.

6 Applications

In this section, we describe the application of our new OR-composition technique for constructing a 3-round straight-line perfect quasi-polynomial time simulatable argument system. In the full version we also show an efficient 4-round resettable WI argument system and an efficient 4-round resettable zero knowledge with concurrent soundness argument system in the BPK model.

A 3-Round Efficient Perfect Quasi-Polynomial Time Simulatable Argument System. In [38], Pass introduced relaxed notions of zero knowledge and knowledge extraction in which the simulator and the extractor are allowed to run in quasi-polynomial time. Allowing the simulator to run in quasi-polynomial time typically dispenses with the need of rewinding the verifier; that is, the simulator is straight-line. In [38], Pass first describes the following 2-round perfect ZK argument for any language L: the verifier $\mathcal {V}$ sends a value $Y=f(y)$ for a randomly chosen y where f is a sub-exponentially hard OWF and the first round of a ZAP protocol. The prover $\mathcal {P}$ then sends a commitment to $(y'|w')$ and uses the second round of the ZAP to prove that either $y'=f^{-1}(y)$ or $w'$ is a witness for $x\in L$. If language L admits a $\varSigma $-protocol $\varPi _L$ then the above construction can be implemented as an efficient 4-round argument with quasi-polynomial time simulation: the function f is concretely instantiated to be an exponentiation in a group in which the Discrete Log problem is hard and the ZAP is replaced with the CDS-OR composition of $\varPi _L$ and Schnorr’s $\varSigma $-protocol for the Discrete Log.

Note that Schnorr’s $\varSigma $-protocol is input delayed and thus we can use it as $\varSigma $-protocol $\varPi _1$ in our OR transform in conjunction with any Chameleon $\varSigma $-protocol $\varPi _0$. One drawback of reducing to 3 rounds the result of [38] is that we can use only a perfect $\varSigma $-protocol since the goal is to obtain perfect WI in 3 rounds.

Simulation in Quasi-Polynomial Time. Since the verifier in an interactive argument is often modeled as a PPT machine, the classical zero-knowledge definition requires that the simulator runs also in (expected) polynomial time. In [38], the simulator is allowed to run in time $\lambda ^{\mathtt {poly}(\mathtt {log}(\lambda ))}$. Loosely speaking, we say that an interactive argument is $\lambda ^{\mathtt {poly}(\mathtt {log}(\lambda ))}$-perfectly simulatable if for any adversarial verifier there exists a simulator running in time $\lambda ^{\mathtt {poly}(\mathtt {log}(\lambda ))}$, where $\lambda $ is the size of the statement being proved, whose output is identically distributed to the output of the adversarial verifier.

Definition 8

(One-way functions for sub-exponential circuits [38]). A function $f: \{0,1\}^{*} \rightarrow \{0,1\}^*$ is called one-way for sub-exponential circuits if there exists a constant $\alpha $ such that the following two condition holds:

there exist a deterministic polynomial-time algorithm that on input y outputs f(y);
for every probabilistic algorithm $\mathcal {A}$ with running time bounded by $2^{\lambda ^\alpha }$, all sufficiently large $\lambda $’s, and every auxiliary input $z\in \{0,1\}^{\text{ poly }(\lambda )}$

$$\begin{aligned} \text{ Prob }\left[ \;y \mathop {\leftarrow }\limits ^{R} \{0,1\}^*: \mathcal {A}(f(y), z)\in f^{-1}(f(y))\;\right] <\frac{1}{\text{ poly }(2^{\lambda ^\alpha })}. \end{aligned}$$

Now we define straight-line $T(\lambda )$-perfectly simulatable interactive arguments.

For our result we consider a one-way functions for sub-exponential circuits that is also one-to-one.

Definition 9

(straight-line $T(\lambda )$ simulatability, Definition 31 of [39]). Let $T(\lambda )$ be a class of functions that is closed under composition with any polynomial. We say that an interactive argument (proof) ($\mathcal {P}, \mathcal {V}$) for the language $L\in $ NP, with the witness relation ${\mathcal {R}}_L$, is straight-line $T(\lambda )$-simulatable if for every PPT machine $\mathcal {V}^{\star }$ there exists a probabilistic simulator S with running time bounded by $T(\lambda )$ such that the following two ensembles are computationally indistinguishable (when the distinguish gap is a function in $\lambda =|x|$)

$\left\{ (\langle \mathcal {P}(w), \mathcal {V}^{\star }(z) \rangle (x))\right\} _{z\in \{0,1\}^*, x\in L}$ for arbitrary w s.t. $(x,w)\in {\mathcal {R}}_L$
$\left\{ (\langle S, \mathcal {V}^{\star }(z) \rangle (x) )\right\} _{z\in \{0,1\}^*, x\in L}$

We note that the above definition is very restrictive. In fact, the simulator is supposed to act as a cheating prover, with its only advantage being the possibility of running in time $T(\lambda )$, instead of in polynomial time. Trivially, it do not exist a straight-line $T(\lambda )$-simulatable proof for non-trivial languages (this should be contrasted with straight-line simulatable interactive arguments, which instead do exist).

For any NP-language L we consider the perfect chameleon $\varSigma $-protocol $\varPi _L$ for the relation $R_L$. Also we consider the Schnorr $\varSigma $-protocol $\varPi _{\mathsf {DLOG}}$ the following relation ${\mathsf {DLOG}}=\{((\mathcal {G},q,g,Y),y): g^y=Y\}$ with the associated NP-language $L_{\mathsf {DLOG}}$, over groups $\mathcal {G}$ of prime-order q, and use our OR-composition technique to obtain a new $\varSigma $-protocol $\varPi ^\mathsf {OR}=(\mathcal {P}^\mathsf {OR},\mathcal {V}^\mathsf {OR})$ for the relation

$$\begin{aligned} {\mathcal {R}}_\mathsf {OR}=\Big \{ ((x_L,x_{\mathsf {DLOG}}),w): \big ( (x_L,w)\in {\mathcal {R}}_L\wedge x_{{\mathsf {DLOG}}}\in \hat{L}_{{\mathsf {DLOG}}} \big ) \mathsf {OR}\\ \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \big ( (x_{{\mathsf {DLOG}}},w)\in {\mathsf {DLOG}}\wedge x_L\in \hat{L}_{{\mathcal {R}}_L} \big ) \Big \} \end{aligned}$$

with challenge length $l=\lambda $ and associated algorithms $\mathsf {P}_1^\mathsf {OR}$, $\mathsf {P}_2^\mathsf {OR}$ and $\mathsf {V}^\mathsf {OR}$.

Let f be a sub-exponentially hard one-to-one one-way function implemented using DLog as described before, with the only change that for some constant $\alpha $, f is one-way w.r.t circuits of size $2^{\lambda ^\alpha }$. Let $L\in $NP and $k=\frac{1}{\alpha }+1$. Our 3-round straight-line quasi-polynomial time simulatable argument system for $x\in L$ is the following.

Protocol 5

A 3-round straight-line quasi-polynomial time simulatable argument system.

Common input: An instance x of a language $L\in $NP with witness relation $R_L$ with a perfect chameleon $\varSigma $-protocol, and $1^\lambda $ as security parameter.

Private input: $\mathcal {P}$ has w as a private input, s.t. $(x, w)\in {\mathcal {R}}_L$.

Round 1. $\mathcal {P}\rightarrow \mathcal {V}$:

1.
On input a randomness $R_1$, $\mathcal {P}$uniformly chooses (p, q, g) where $p=2q+1$ is a safe prime and g is a generator of a group $\mathcal {G}_q$ of size q. We remark that (p, q, g) are parameters selected so that the function $f(y)=g^y$ is a one-to-one one-way function for some constant $\alpha $ w.r.t circuits of size $2^{\lambda ^\alpha }$.
2.
$\mathcal {P}$computes $a\leftarrow \mathsf {P}_1^\mathsf {OR}((x, 1^{\lambda ^\alpha });R_1)$.
3.
$\mathcal {P}$sends (p, q, g) and a to $\mathcal {V}$.

Round 2. $\mathcal {V}\rightarrow \mathcal {P}$:

1.
$\mathcal {V}$ chooses $y\leftarrow \mathbb {Z}_q$ and computes $Y=g^y$.
2.
$\mathcal {V}$ chooses $c\leftarrow \{0,1\}^{l}$.
3.
$\mathcal {V}$ sends c and Y to $\mathcal {P}$.

Round 3. $\mathcal {P}\rightarrow \mathcal {V}$:

1.
$\mathcal {P}$ computes $z\leftarrow \mathsf {P}_2^\mathsf {OR}(\left( x, ((p, q, g),Y) \right) , w, c, R_1)$.
2.
$\mathcal {P}$ sends z to $\mathcal {V}$.
3.
$\mathcal {V}$ accepts if and only if $\mathsf {V}^\mathsf {OR}(\left( x, ((p, q, g),Y) \right) , a, c, z)=1$.

We remark that we are using the same assumption of [7] that allows the adversary of DLog to generate the DLog parameters while the challenger selects the random element of the group.

Theorem 11

If $\varPi ^\mathsf {OR}$ is a perfect $\varSigma $-protocol for OR composition of ${\mathcal {R}}_L$ and ${\mathsf {DLOG}}$, then Protocol 5 is a 3-round straight-line perfectly $\lambda ^{O(\log ^k \lambda )}$-simulatable argument of knowledge.

Proof

Completeness follows directly from the completeness of $\varPi ^\mathsf {OR}$.

Soundness/Knowledge Extraction. We show that $\varPi $ is an argument of knowledge; this directly implies soundness. The claim follows from the fact that the argument system $\varPi ^\mathsf {OR}$ used is a proof of knowledge when the challenge is long enough. and from the fact that a PPT adversary only finds a pre-image to Y (for f) with negligible probability. More formally, we construct a polynomial-time extractor ${\mathsf {E}}$ for every polynomial-time $\mathcal {P}^{\star }$ for protocol $\varPi $. ${\mathsf {E}}$ internally incorporates $\mathcal {P}^{\star }$ and each time $\varPi ^\mathsf {OR}$ proves a new theorem it proceeds as follows. ${\mathsf {E}}$ invokes the extractor ${\mathsf {E}}^\mathsf {OR}$ for $\varPi ^\mathsf {OR}$. ${\mathsf {E}}$ outputs whatever ${\mathsf {E}}^\mathsf {OR}$ outputs. By the proof knowledge property of $\varPi ^{\mathsf {OR}}$, the output of ${\mathsf {E}}$ will either be a witness w for the statement proved, or the pre-image of Y. If ${\mathsf {E}}$ outputs w, we are done. Otherwise, if it outputs y with non-negligible probability, then we can construct a reduction that breaks the DLog assumption (still in the form proposed by [7]).

Quasi-Polynomial Time Perfect Simulation. Consider a straight-line simulator $\mathsf {Sim}$ that computes the first round as the honest prover. This is possible because $\varPi ^\mathsf {OR}$ does not need any witness to computes the first round. After the simulator receives Y it checks that Y has a pre-image. $\mathsf {Sim}$ thereafter performs an exhaustive search to find a pre-image y of a value Y for the function f. To perform this task $\mathsf {Sim}$ tries all possible values $y'\in \{0,1\}^{\log ^k \lambda }$ and checks if $f(y') = Y$. This thus takes time $\text{ poly }(2^{\log ^k \lambda })$, since the time it takes to evaluate the function f is a polynomial in $\lambda $. After having found a value y such that $f(y) = Y$, $\mathsf {Sim}$ uses y as witness to complete the execution of $\varPi ^\mathsf {OR}$ (instead of using a real witness for x, as the honest prover would do). Clearly the running time of $\mathsf {Sim}$ is bounded by $\lambda ^{O(\log ^k \lambda )}$. We proceed to show that the output of the simulator is identically distributed to the output of any adversarial verifier in a real execution with an honest prover. Note that the only difference between a real execution and a simulated execution is in the choice of the witness used in the last stage of the protocol. Therefore, from the adaptive WI property of $\varPi ^\mathsf {OR}$ we have that the output of the simulated execution is identically distributed to the output of the real execution.

Notes

1.
We will use WI to mean both “witness indistinguishability” and “witness indistinguishable”.
2.
HVZK requires the existence of a simulator that by receiving in input the theorem gives in output an accepting triple (a, c, z). Clearly HVZK is implied by SHVZK.
3.
Note that the WI property requires that the prover would be able to prove any of the two theorems, and thus potentially use the simulator on either $x_0$ or $x_1$.
4.
Like LS, we will just need the size of $x_1$ to be known when $\varPi ^{\mathsf {OR}}_L$ starts.
5.
These are the only scenarios of interest for our work since if practicality is not desired than one can just rely on the LS $\varSigma $-protocol and use NPreductions.
6.
By efficiently we mean that no NPreduction is needed and only a constant number of modular exponentiations are added. We do not discuss the practicality of the resulting constructions.
7.
Recall that HVZK requires the existence of a simulator that generates a full transcript. This is a seemingly weaker requirement than SHVZK where the challenge is an input for the simulator.
8.
We remind the reader that we call a 3-move protocol that enjoys Completeness, Special Soundness and Honest-Verifier Zero Knowledge (HVZK) a $\tilde{\varSigma }$-protocol.

References

Abe, M., Okamoto, T., Suzuki, K.: Message recovery signature schemes from sigma-protocols. IEICE Trans. 96–A(1), 92–100 (2013)
Article Google Scholar
Bellare, M., Fischlin, M., Goldwasser, S., Micali, S.: Identification protocols secure against reset attacks. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 495–511. Springer, Heidelberg (2001)
Chapter Google Scholar
Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993)
Chapter Google Scholar
Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015)
Chapter Google Scholar
Blum, M.: How to prove a theorem so no one else can claim it. In: International Congress of Mathematicians, p. 1444 (1986)
Google Scholar
Blundo, C., Persiano, G., Sadeghi, A.-R., Visconti, I.: Improved security notions and protocols for non-transferable identification. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 364–378. Springer, Heidelberg (2008)
Chapter Google Scholar
Canetti, R., Dakdouk, R.R.: Extractable perfectly one-way functions. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 449–460. Springer, Heidelberg (2008)
Chapter Google Scholar
Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: STOC, pp. 235–244 (2000)
Google Scholar
Catalano, D., Dodis, Y., Visconti, I.: Mercurial commitments: minimal assumptions and efficient constructions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 120–144. Springer, Heidelberg (2006)
Chapter Google Scholar
Catalano, D., Visconti, I.: Hybrid trapdoor commitments and their applications. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 298–310. Springer, Heidelberg (2005)
Chapter Google Scholar
Catalano, D., Visconti, I.: Hybrid commitments and their applications to zero-knowledge proof systems. Theor. Comput. Sci. 374(1–3), 229–260 (2007)
Article MathSciNet MATH Google Scholar
Chaidos, P., Groth, J.: Making sigma-protocols non-interactive without random oracles. PKC 2015, 650–670 (2015)
MathSciNet MATH Google Scholar
Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR composition of Sigma-protocols. IACR Cryptology ePrint Archive 2015, vol. 810 (2015). http://eprint.iacr.org/2015/810
Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. IACR Cryptology ePrint Archive, vol. 770 (2015). http://eprint.iacr.org/2015/770
Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. In: Theory of Cryptography - 13th Theory of Cryptography Conference, TCC 2016-A, Tel Aviv, Israel, 10–13 January 2016
Google Scholar
Cramer, R.: Modular design of secure yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam (1996)
Google Scholar
Cramer, R., Damgård, I.B.: Zero-knowledge proofs for finite field arithmetic or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998)
Chapter Google Scholar
Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
Google Scholar
Damgård, I.: On $\Sigma $-protocol (2010). http://www.cs.au.dk/~ivan/Sigma.pdf
Damgård, I., Groth, J.: Non-interactive and reusable non-malleable commitment schemes. In: STOC 2003, pp. 426–437 (2003)
Google Scholar
Di Crescenzo, G., Persiano, G., Visconti, I.: Constant-round resettable zero knowledge with concurrent soundness in the bare public-key model. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 237–253. Springer, Heidelberg (2004)
Chapter Google Scholar
Di Crescenzo, G., Visconti, I.: Concurrent zero knowledge in the public-key model. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 816–827. Springer, Heidelberg (2005)
Chapter Google Scholar
Dwork, C., Naor, M.: Zaps and their applications. FOCS 2000, 283–293 (2000)
MathSciNet MATH Google Scholar
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: FOCS 1990, pp. 308–317. IEEE Computer Society (1990)
Google Scholar
Garay, J.A., MacKenzie, P., Yang, K.: Strengthening zero-knowledge protocols using signatures. J. Cryptology 19(2), 169–209 (2006)
Article MathSciNet MATH Google Scholar
Goyal, V., Richelson, S., Rosen, A., Vald, M.: An algebraic approach to non-malleability. In: 55th FOCS 2014, pp. 41–50, Philadelphia, PA, USA. IEEE Computer Society, 18–21 October 2014
Google Scholar
Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015)
Google Scholar
Groth, J., Ostrovsky, R., Sahai, A.: Perfect Non-interactive Zero Knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006)
Chapter Google Scholar
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)
Chapter Google Scholar
Katz, J., Ostrovsky, R.: Round-optimal secure two-party computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004)
Chapter Google Scholar
Lapidot, D., Shamir, A.: Publicly Verifiable Non-interactive Zero-Knowledge Proofs. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991)
Google Scholar
Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015)
Google Scholar
Lindell, Y., Pinkas, B.: An efficient protocol for secure two-party computation in the presence of malicious adversaries. J. Cryptology 28(2), 312–350 (2015)
Article MathSciNet MATH Google Scholar
Maurer, U.: Zero-knowledge proofs of knowledge for group homomorphisms. Des. Codes Crypt. 77, 663–676 (2015)
Google Scholar
Maurer, U.: Unifying zero-knowledge proofs of knowledge. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 272–286. Springer, Heidelberg (2009)
Chapter Google Scholar
Ostrovsky, R., Pandey, O., Visconti, I.: Efficiency preserving transformations for concurrent non-malleable zero knowledge. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 535–552. Springer, Heidelberg (2010)
Chapter Google Scholar
Ostrovsky, R., Rao, V., Visconti, I.: On selective-opening attacks against encryption schemes. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 578–597. Springer, Heidelberg (2014)
Google Scholar
Pass, R.: Simulation in quasi-polynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003)
Chapter Google Scholar
Pass, R.: Alternative Variants of Zero-Knowledge Proofs. Master’s thesis, Kungliga Tekniska Högskolan, licentiate Thesis Stockholm, Sweden (2004)
Google Scholar
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)
Chapter Google Scholar
Scafuro, A., Visconti, I.: On round-optimal zero knowledge in the bare public-key model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 153–171. Springer, Heidelberg (2012)
Chapter Google Scholar
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
Google Scholar
Visconti, I.: Efficient zero knowledge on the internet. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 22–33. Springer, Heidelberg (2006)
Chapter Google Scholar
Yung, M., Zhao, Y.: Generic and practical resettable zero-knowledge in the bare public-key model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 129–147. Springer, Heidelberg (2007)
Chapter Google Scholar

Download references

Acknowledgments

We thank Berry Schoenmakers for various useful discussions on $\varSigma $-protocols.

The work of the third author was supported by the MACS project under NSF Frontier grant CNS-1414119 and by NSF grant 1012798. This work was done in part while the third author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.

For the full version of this work see [13].

Author information

Authors and Affiliations

DIEM, University of Salerno, Salerno, Italy
Michele Ciampi, Luisa Siniscalchi & Ivan Visconti
DISA-MIS, University of Salerno, Salerno, Italy
Giuseppe Persiano
Boston University and Northeastern University, Boston, USA
Alessandra Scafuro

Authors

Michele Ciampi
View author publications
You can also search for this author in PubMed Google Scholar
Giuseppe Persiano
View author publications
You can also search for this author in PubMed Google Scholar
Alessandra Scafuro
View author publications
You can also search for this author in PubMed Google Scholar
Luisa Siniscalchi
View author publications
You can also search for this author in PubMed Google Scholar
Ivan Visconti
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Michele Ciampi .

Editor information

Editors and Affiliations

Department of Computer Science, Technion , Haifa, Israel
Eyal Kushilevitz
Department of Computer Science, Columbia University , New York, New York, USA
Tal Malkin

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I. (2016). Improved OR-Composition of Sigma-Protocols. In: Kushilevitz, E., Malkin, T. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9563. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49099-0_5

Download citation

DOI: https://doi.org/10.1007/978-3-662-49099-0_5
Published: 24 December 2015
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49098-3
Online ISBN: 978-3-662-49099-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Improved OR-Composition of Sigma-Protocols

Abstract

Similar content being viewed by others

Non-interactive Composition of Sigma-Protocols via Share-then-Hash

Acyclicity Programming for Sigma-Protocols

Stacking Sigmas: A Framework to Compose $$\varSigma $$ -Protocols for Disjunctions

Keywords

1 Introduction

1.1 Our Contribution

1.2 Our Techniques

1.3 Discussion

1.4 Applications

1.5 Open Problems

2 Definitions

3 \(\varSigma \)-Protocols

Definition 1

Theorem 1

Proof

Theorem 2

Definition 2

Definition 3

Definition 4

3.1 \(\varSigma \)-protocols and Witness Indistinguishability

Definition 5

Theorem 3

3.2 Or Composition of \(\tilde{\varSigma }\text {-}{} \mathbf{protocols}\): the CDS-OR Transform

Protocol 1

Theorem 4

Theorem 5

4 t-Instance-Dependent Trapdoor Commitment Schemes

Definition 6

Protocol 2

Theorem 6

Proof

Protocol 3

Theorem 7

Proof

5 Our New OR-Composition Technique

Protocol 4

Theorem 8

Proof

5.1 Witness Indistinguishability of Our Transform

Definition 7

Theorem 9

Proof

Theorem 10

Proof

6 Applications

Definition 8

Definition 9

Protocol 5

Theorem 11

Proof

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation