For all our arguments we consider a prover P and a verifier V which are both probabilistic polynomial time interactive algorithms.
Let $R$ be a polynomial time decidable binary relation. We call $w$ a witness for a statement $a$ if $(a, w) \in R$. We define the language
$$L_R := \{a \mid \exists w : (a, w) \in R\}$$
as the set of statements $a$ that have a witness $w$ for the relation $R$.
The public transcript produced by $P$ and $V$ is denoted by $tr \leftarrow \langle P(s), V(t)\rangle$ when both parties interact on inputs $s$ and $t$. The transcript consists of the initial message from the prover, the challenges from the verifier, the answers from the prover and the decision to accept or reject from the verifier. We write $\langle P(s), V(t)\rangle = b$ depending on whether the verifier rejects ($b = 0$) or accepts ($b = 1$).
Definition 10 (Argument). $(P, V)$ is called an argument for a relation $R$ with perfect completeness if for all non-uniform polynomial time interactive adversaries $\mathcal{A}$ we have:
Perfect completeness:
$$\Pr[(a, w) \leftarrow \mathcal{A}(hist) : (a, w) \notin R \text{ or } \langle P(a, w), V(a, hist)\rangle = 1] = 1$$
Computational soundness:
$$\Pr[a \leftarrow \mathcal{A}(hist) : a \notin L_R \text{ and } \langle \mathcal{A}, V(a, hist)\rangle = 1]$$
is negligible, where $hist$ contains all information an adversary can obtain before they output a statement and a witness.
Definition 11 (Public coin). An argument $(P, V)$ is called public coin if the verifier chooses their messages uniformly at random and independently of the messages sent by the prover, i.e. the challenges correspond to the verifier's randomness $\rho$.
An argument is zero-knowledge if it does not leak information about the witness beyond what can be inferred from the truth of the statement. We will present arguments that have special honest verifier zero-knowledge in the sense that if the verifier’s challenge is known in advance, then it is possible to simulate the entire argument without knowing the witness.
3.5. Generalized Σ−Protocols 47
Definition 12 (SHVZK). A public coin argument $(P, V)$ is called a perfect special honest verifier zero-knowledge (SHVZK) argument for $R$ if there exists a probabilistic polynomial time simulator $S$ such that for all non-uniform polynomial time adversaries $\mathcal{A}$ we have
$$\Pr[(a, w, \rho) \leftarrow \mathcal{A}(hist);\ tr \leftarrow \langle P(a, w), V(a; \rho)\rangle : (a, w) \in R \text{ and } \mathcal{A}(tr) = 1] = \Pr[(a, w, \rho) \leftarrow \mathcal{A}(hist);\ tr \leftarrow S(a, \rho) : (a, w) \in R \text{ and } \mathcal{A}(tr) = 1]$$
where $\rho$ is the public coin randomness used by the verifier as the challenge.
Most SHVZK arguments in the literature follow a special 3-move structure: the transcript consists of the initial message $a$ of the prover, one random challenge $x$ from the verifier, and the final answer $b$ of the prover. Most of these arguments also fulfill the special soundness property.
Definition 13 (Special Soundness). An argument $(P, V)$ has perfect special soundness if there exists a polynomial time extractor $E$, such that for all adversaries $\mathcal{A}$ we have:
$$\Pr[(a, tr_1, tr_2) \leftarrow \mathcal{A}(hist),\ tr_1 = (a, x_1, b_1),\ tr_2 = (a, x_2, b_2),\ x_1 \ne x_2;\ w \leftarrow E(a, tr_1, tr_2) : V(tr_1) \wedge V(tr_2) = 0 \text{ or } (a, w) \in R] = 1.$$
If the extractor E can extract the witness only with overwhelming probability, then the argument has special soundness.
That means given two accepting transcripts with different challenges $x_1, x_2$, it is possible to efficiently compute a witness $w$ such that $(a, w) \in R$.
Definition 14 (Σ-Protocol). A 3-move SHVZK argument $(P, V)$ with general special soundness is called a Σ-protocol, and a 3-move SHVZK argument $(P, V)$ with perfect general special soundness is called a perfect Σ-protocol.
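As an added illustration of Definitions 12 to 14 (not part of the original text), the following Python code instantiates the 3-move structure with the Schnorr discrete-logarithm argument: prover, verifier, the SHVZK simulator that needs the challenge in advance, and the special-soundness extractor that recovers the witness from two accepting transcripts with distinct challenges. The group parameters are constructed toy values, not secure sizes.

```python
import secrets

# Constructed toy parameters (not secure sizes): p = 2q + 1 with p, q prime and
# G = 4 a generator of the order-q subgroup of Z_p^*. Witness w, statement h = G^w.
P, Q, G = 2039, 1019, 4

def prover_commit(p=P, q=Q, g=G):
    """Move 1: the prover picks r and sends the initial message A = G^r mod p."""
    r = secrets.randbelow(q - 1) + 1          # r uniform in [1, q-1]
    return r, pow(g, r, p)

def verifier_challenge(q=Q):
    """Move 2: public coin, the challenge x is the verifier's randomness rho."""
    return secrets.randbelow(q)

def prover_answer(w, r, x, q=Q):
    """Move 3: the prover answers b = r + x*w mod q."""
    return (r + x * w) % q

def verify(h, tr, p=P, g=G):
    """V(tr) for tr = (A, x, b): accept iff G^b == A * h^x mod p."""
    a, x, b = tr
    return pow(g, b, p) == (a * pow(h, x, p)) % p

def run_argument(w, h):
    """Honest <P(h, w), V(h)> interaction; returns the public transcript."""
    r, a = prover_commit()
    x = verifier_challenge()
    return (a, x, prover_answer(w, r, x))

def simulate(h, x, p=P, q=Q, g=G):
    """SHVZK simulator S(h, rho): with the challenge x known in advance, pick the
    answer b first and solve for A = G^b * h^(-x); no witness is needed."""
    b = secrets.randbelow(q)
    return ((pow(g, b, p) * pow(h, -x, p)) % p, x, b)

def extract(tr1, tr2, q=Q):
    """Special-soundness extractor E: two accepting transcripts sharing the same
    initial message A but with x1 != x2 give w = (b1 - b2) / (x1 - x2) mod q."""
    (a1, x1, b1), (a2, x2, b2) = tr1, tr2
    if a1 != a2 or x1 == x2:
        raise ValueError("need the same initial message and distinct challenges")
    return ((b1 - b2) * pow(x1 - x2, -1, q)) % q
```

The simulated transcript verifies exactly like an honest one, which is what perfect SHVZK requires; the extractor works because a prover who answers two distinct challenges on the same initial message has effectively committed to the discrete logarithm.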
In our work the special use of Vandermonde challenges $x, x^2, \ldots, x^n$ makes it impossible to extract witnesses given only two accepting arguments. However, given $n + 1$ accepting transcripts with different challenges $x$ it is possible to extract witnesses. Furthermore, some of the protocols require more than one challenge, and some of the protocols consist of more than three rounds. In all these cases the standard definition of a Σ-protocol does not fit and we have to generalize the definition.
Definition 15 (Generalized Special Soundness). An argument $(P, V)$ has perfect general special soundness if there exists a polynomial time extractor $E$, such that for all adversaries $\mathcal{A}$ we have:
$$\Pr[(a, Tr) \leftarrow \mathcal{A}(hist),\ Tr = \{tr_1, \ldots, tr_n\},\ tr_i = (a, x_i, b_i);\ w \leftarrow E(a, Tr) : \left(\bigwedge_{i=1}^{n} V(tr_i)\right) = 0 \text{ or } (a, w) \in R] = 1$$
where $x_i$ contains all challenges from the verifier and $x_{ik} \ne x_{jk}$ for all $1 \le i, j \le n$, $1 \le k \le |x_i|$, and
48 Chapter 3. Preliminaries
If the extractor $E$ can extract the witness only with overwhelming probability, then the argument has general special soundness.
The definition of general special soundness implies that given a long enough list of accepting transcripts with different challenges $x$ it is possible to extract a witness $w$ for a statement $a$ independent of the required structure of the randomness and the number of moves.
Definition 16 (Generalized Σ-Protocol). A SHVZK argument $(P, V)$ with general special soundness is called a generalized Σ-protocol.
A perfect SHVZK argument $(P, V)$ with perfect general special soundness and perfect completeness is called a perfect generalized Σ-protocol.
For a 3-move argument $(P, V)$ with $n = 2$ and $x \in \mathbb{Z}_q^* \times \mathbb{Z}_q^*$, generalized special soundness is consistent with special soundness. If such an argument is also SHVZK, it follows that generalized Σ-protocols are Σ-protocols in the classical sense.
It is not hard to see that general special soundness implies computational witness extended emulation [Lin03, GI08]. Informally, their definition says that given an adversary that produces an acceptable argument with some probability, there exists an emulator that produces an accepting argument with the same probability and at the same time provides a witness $w$. Note that an argument which has witness extended emulation does not need to be zero-knowledge. The definition does not require that the witness stays secret during the protocol, only that an emulator can produce an accepting argument and extract a witness.
Informally, an argument $(P, V)$ for relation $R$ is called an argument of knowledge if it has witness-extended emulation. As a result a generalized Σ-protocol is a SHVZK argument of knowledge, and this implies that proving that an argument is a Σ-protocol automatically gives us that the protocol is an argument of knowledge.
Plain model. We will describe all our protocols in the plain model. We will consider the group description and the commitment key as part of the statement; in the case of shuffling the public encryption key will also be part of the statement. In practice, zero-knowledge protocols are subprotocols of other zero-knowledge protocols or part of other cryptographic protocols. That means it is reasonable to assume that in such a setting the group description and the public keys are inherited from the outer protocols or can be supplied by the trusted third party that provides the environment.
One important factor in making such a setup work is that the group description and the public keys are easily verifiable. We work over abelian modular groups $G \subset \mathbb{Z}_p^*$ with prime order $q$; if $q \mid p - 1$, then we can easily check the group description and the commitment key. First we test $p, q$ for primality and then $G \ne 1$, $G^q \equiv 1 \pmod p$; in the case that all checks are accepting we accept the group description. To test that the commitment key $ck$ is valid, we test
$$G_i^q \equiv 1 \pmod p \text{ for } 1 \le i \le q$$
key $pk = \{G, y\}$. To verify $pk$ we can test if $y \in G$, $y^q \equiv 1 \pmod p$, and $y \ne 1$.
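The checks listed above, written out as an added Python example (not code from the thesis): primality of $p$ and $q$, $q \mid p - 1$, $G \ne 1$ and $G^q \equiv 1 \pmod p$ for the group description, $G_i^q \equiv 1 \pmod p$ for every element of $ck$, and $y^q \equiv 1 \pmod p$, $y \ne 1$ for $pk$. The trial-division primality test and the toy parameter sizes are assumptions for the sake of a self-contained example.

```python
def is_prime(n):
    """Deterministic trial division; sufficient for the toy sizes used here.
    Real parameter sizes would use a probabilistic primality test instead."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def check_group(p, q, g):
    """Accept the group description (p, q, G) iff p and q are prime, q | p-1,
    G != 1 and G^q == 1 mod p, i.e. G generates the order-q subgroup of Z_p^*."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1)

def check_commitment_key(p, q, ck):
    """Accept ck = (G_1, ..., G_n) iff every element satisfies G_i^q == 1 mod p,
    i.e. every G_i lies in the order-q subgroup."""
    return all(0 < gi < p and pow(gi, q, p) == 1 for gi in ck)

def check_public_key(p, q, g, pk):
    """Accept pk = (G, y) iff y is in the subgroup generated by G (for prime q
    this is exactly y^q == 1 mod p with y != 0) and y != 1."""
    gg, y = pk
    return gg == g and 0 < y < p and pow(y, q, p) == 1 and y != 1
```

Because $q$ is prime, an element of $\mathbb{Z}_p^*$ with $y^q \equiv 1$ is automatically in the subgroup generated by $G$, so the membership test and the order test coincide.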
If the trust in the third party is not reasonable, the generation of the keys can be achieved by adding an extra round of interaction. In this round the verifier generates the groups and public keys, and sends them to the prover. Assuming the prover can verify the validity of the keys our arguments will still be perfect SHVZK.
It is not desirable that the public encryption key is supplied by the verifier, who would automatically know the decryption key. In this case the verifier could decrypt the statement and learn the permutation. However, our argument to prove correctness of a shuffle is still zero-knowledge in this case, since the verifier learns nothing new from the interaction with the prover, as they are able to decrypt the ciphertexts before the protocol.
Another possibility to generate the group description and keys is that they are generated by multi-party protocols of all parties involved. This also adds some extra interaction on top of the protocol. The setup algorithm can also return some side-information that may be used by an adversary; however, we require that even with this side-information the commitment scheme should remain computationally binding. The side-information models that the keys may be set up using some multi-party computation protocol that leaks some information, the adversary may see some decryptions or even learn the decryption key, etc. Our protocols are secure in the presence of such leaks as long as the commitment scheme is computationally binding.
Full Zero-Knowledge. On the one hand it is much easier to design arguments of knowledge with respect to the honest verifier than zero-knowledge arguments with respect to any malicious verifier. On the other hand, in real-life applications honest verifier zero-knowledge may not suffice, since a malicious verifier may give non-random challenges. However, it is easy to convert a SHVZK argument [CDS94] into a full zero-knowledge argument secure against arbitrary verifiers. The conversion can be very efficient and only costs a small additional overhead, so in this work we will, without loss of generality, focus on building efficient SHVZK arguments.
The OR-proof [CDS94] can be used to transform HVZK arguments of knowledge into real zero-knowledge arguments. The statement can be set up with an additional group element $D$, and the prover will now use an OR-proof to show that they know a witness for the statement being true or they know the discrete logarithm of $D$. Since the prover does not know the discrete logarithm of $D$ this is a convincing argument of knowledge. On the other hand the simulator can also simulate this extra argument and therefore the whole protocol.
If the verifier supplies the group description and the keys, the OR-proof can again be used to convert a HVZK argument following the lines of [FS89]. The verifier calculates $D_1 = G^x \in G$, picks $D_2 \leftarrow G$ and sends $D_1, D_2$ to the prover. The verifier then proves that they know either the discrete logarithm of $D_1$ or $D_2$. The prover now shows either knowledge of the discrete logarithm of $D_1$ or $D_2$, or knowledge of a witness of their statement.
If the whole protocol is set up in the common reference string (CRS) model, standard techniques can be used. They include the technique by Groth [Gro04], which forces the challenges to be uniformly random by applying a hash function. Another standard technique in the CRS model is given by [JL00, Dam00]. In their conversion from HVZK into ZK the prover sends in each round an additional commitment, containing the message, to the verifier. If the commitment scheme has a trapdoor, this trapdoor can be used to simulate the protocol for all verifiers.
The OR-proof [CDS94] is also widely used in the CRS model; the common reference string is either set up with an additional group element $D$ or a verification key $vk$ of an existentially unforgeable adaptive chosen message attack secure signature scheme [GMY06]. In the first case the prover behaves as if the additional group element were part of the statement, and proves knowledge of a witness for the statement or of the discrete logarithm.
In the second case the prover generates a key pair $(vk', sk')$ of a strong one-time signature scheme, and reveals $vk'$ to the verifier. Now, the prover shows that either their statement is true or they know a signature on $vk'$ under verification key $vk$. As the prover cannot know a signature on $vk'$, this convinces the verifier that the prover knows a witness for the statement. Just like above, we can set up the simulator such that it knows the signature, and then it is easy to simulate the proof.
All these conversions yield arguments of knowledge with perfect zero-knowledge at the price of a couple of extra group elements and are therefore efficient.