We take as our security parameter, and unless explicitly noted all algorithms and adversaries are probabilistic (interactive) Turing machines that run in polynomial time in this security parameter. We use to denote a function that is negligible in .
We let denote a cyclic group of prime order . The identity of a group is written as . We refer to the scalars of elements in as elements in a scalar field of size . Group elements are written in capital letters while scalars are written in lowercase or Greek letters. Vectors of scalars or group elements are written in boldface, i.e. and . Group operations are written additively and the multiplication of a group element by a scalar is written .
We will often use the notation to describe the inner product of two like-length vectors of scalars . We also use this notation to represent the linear combination of group elements such as with , computed in practice by a multiscalar multiplication.
We use to describe a vector of length that contains only zeroes in .
Discrete Log Relation Problem. The advantage metric is defined with respect the following game.
Given an -length vector of group elements, the discrete log relation problem asks for such that and yet , which we refer to as a non-trivial discrete log relation. The hardness of this problem is tightly implied by the hardness of the discrete log problem in the group as shown in Lemma 3 of [JT20]. Formally, we use the game defined above to capture this problem.
Interactive proofs are a triple of algorithms . The algorithm produces as its output some public parameters commonly referred to by . The prover and verifier are interactive machines (with access to ) and we denote by an algorithm that executes a two-party protocol between them on inputs . The output of this protocol, a transcript of their interaction, contains all of the messages sent between and . At the end of the protocol, the verifier outputs a decision bit.
Proofs of knowledge are interactive proofs where the prover aims to convince the verifier that they know a witness such that for a statement and polynomial-time decidable relation . We will work with arguments of knowledge which assume computationally-bounded provers.
We will analyze arguments of knowledge through the lens of four security notions.
- Completeness: If the prover possesses a valid witness, can they always convince the verifier? It is useful to understand this property as it can have implications for the other security notions.
- Soundness: Can a cheating prover falsely convince the verifier of the correctness of a statement that is not actually correct? We refer to the probability that a cheating prover can falsely convince the verifier as the soundness error.
- Knowledge soundness: When the verifier is convinced the statement is correct, does the prover actually possess ("know") a valid witness? We refer to the probability that a cheating prover falsely convinces the verifier of this knowledge as the knowledge error.
- Zero knowledge: Does the verifier learn anything besides that which can be inferred from the correctness of the statement and the prover's knowledge of a valid witness?
First, we will visit the simple definition of completeness.
Perfect Completeness. An interactive argument has perfect completeness if for all polynomial-time decidable relations and for all non-uniform polynomial-time adversaries
Complicating our analysis is that although our protocol is described as an interactive argument, it is realized in practice as a non-interactive argument through the use of the Fiat-Shamir transformation.
Public coin. We say that an interactive argument is public coin when all of the messages sent by the verifier are each sampled with fresh randomness.
Fiat-Shamir transformation. In this transformation an interactive, public coin argument can be made non-interactive in the random oracle model by replacing the verifier algorithm with a cryptographically strong hash function that produces sufficiently random looking output.
This transformation means that in the concrete protocol a cheating prover can easily "rewind" the verifier by forking the transcript and sending new messages to the verifier. Studying the concrete security of our construction after applying this transformation is important. Fortunately, we are able to follow a framework of analysis by Ghoshal and Tessaro ([GT20]) that has been applied to constructions similar to ours.
We will study our protocol through the notion of state-restoration soundness. In this model the (cheating) prover is allowed to rewind the verifier to any previous state it was in. The prover wins if they are able to produce an accepting transcript.
State-Restoration Soundness. Let be an interactive argument with verifier challenges and let the th challenge be sampled from . The advantage metric of a state restoration prover is defined with respect to the following game.
As shown in [GT20] (Theorem 1) state restoration soundness is tightly related to soundness after applying the Fiat-Shamir transformation.
We will show that our protocol satisfies a strengthened notion of knowledge soundness known as witness extended emulation. Informally, this notion states that for any successful prover algorithm there exists an efficient emulator that can extract a witness from it by rewinding it and supplying it with fresh randomness.
However, we must slightly adjust our definition of witness extended emulation to account for the fact that our provers are state restoration provers and can rewind the verifier. Further, to avoid the need for rewinding the state restoration prover during witness extraction we study our protocol in the algebraic group model.
Algebraic Group Model (AGM). An adversary is said to be algebraic if whenever it outputs a group element it also outputs a representation such that where is the vector of group elements that has seen so far. Notationally, we write to describe a group element enhanced with this representation. We also write to identify the component of the representation of that corresponds with . In other words,
The algebraic group model allows us to perform so-called "online" extraction for some protocols: the extractor can obtain the witness from the representations themselves for a single (accepting) transcript.
State Restoration Witness Extended Emulation Let be an interactive argument for relation with challenges. We define for all non-uniform algebraic provers , extractors , and computationally unbounded distinguishers the advantage metric is defined with the respect to the following games.
We say that an argument of knowledge is zero knowledge if the verifier also does not learn anything from their interaction besides that which can be learned from the existence of a valid . More formally,
Perfect Special Honest-Verifier Zero Knowledge. A public coin interactive argument has perfect special honest-verifier zero knowledge (PSHVZK) if for all polynomial-time decidable relations and for all and for all non-uniform polynomial-time adversaries there exists a probabilistic polynomial-time simulator such that where is the internal randomness of the verifier.
In this (common) definition of zero-knowledge the verifier is expected to act "honestly" and send challenges that correspond only with their internal randomness; they cannot adaptively respond to the prover based on the prover's messages. We use a strengthened form of this definition that forces the simulator to output a transcript with the same (adversarially provided) challenges that the verifier algorithm sends to the prover.
Let be a primitive root of unity forming the domain with the vanishing polynomial over this domain. Let be positive integers with and . We present an interactive argument for the relation where are (multivariate) polynomials with degree in and has degree at most in any indeterminates .
For all :
- Let be the exhaustive set of integers (modulo ) such that appears as a term in .
- Let be a list of distinct sets of integers containing and the set .
- Let when .
Let denote the size of , and let denote the size of every without loss of generality.
In the following protocol, we take it for granted that each polynomial is defined such that blinding factors are freshly sampled by the prover and are each present as an evaluation of over the domain . In all of the following, the verifier's challenges cannot be zero or an element in , and some additional limitations are placed on specific challenges as well.
- and proceed in the following rounds of interaction, where in round (starting at )
- sends a hiding commitment where are the coefficients of the univariate polynomial and is some random, independently sampled blinding factor elided for exposition. (This elision notation is used throughout this protocol description to simplify exposition.)
- responds with a challenge .
- sets .
- sends a commitment where are the coefficients of a randomly sampled univariate polynomial of degree .
- computes univariate polynomial of degree .
- computes at most degree polynomials such that .
- sends commitments for all where denotes the vector of coefficients for .
- responds with challenge and computes .
- sets .
- sends and for all sends such that for all .
- For all and set to be the lowest degree univariate polynomial defined such that for all .
- responds with challenges and initializes .
- Starting at and ending at sets .
- finally sets .
- initializes .
- Starting at and ending at sets .
- finally sets .
- and initialize .
- Starting at and ending at and set .
- Finally and set and where is computed by as using the values provided by .
- sends where defines the coefficients of the polynomial
- responds with challenge .
- sends such that for all .
- responds with challenge .
- sets and
- sets .
- samples a random polynomial of degree with a root at and sends a commitment where defines the coefficients of .
- responds with challenges .
- sets .
- sets (where should correspond with the verifier's computed value ).
- Initialize as the coefficients of and and . and will interact in the following rounds, where in the th round starting in round and ending in round :
- sends and .
- responds with challenge chosen such that is nonzero.
- and set and .
- sets .
- sends and synthetic blinding factor computed from the elided blinding factors.
- accepts only if .
We claim that this protocol is perfectly complete. This can be verified by inspection of the protocol; given a valid witness the prover succeeds in convincing the verifier with probability .
We claim that this protocol is perfect special honest-verifier zero knowledge. We do this by showing that a simulator exists which can produce an accepting transcript that is equally distributed with a valid prover's interaction with a verifier with the same public coins. The simulator will act as an honest prover would, with the following exceptions:
- In step of the protocol chooses random degree polynomials (in ) .
- In step of the protocol chooses a random degree polynomials .
- In step of the protocol chooses a random degree polynomial .
- In step of the protocol uses its foreknowledge of the verifier's choice of to produce a degree polynomial conditioned only such that has a root at .
First, let us consider why this simulator always succeeds in producing an accepting transcript. lacks a valid witness and simply commits to random polynomials whenever knowledge of a valid witness would be required by the honest prover. The verifier places no conditions on the scalar values in the transcript. must only guarantee that the check in step of the protocol succeeds. It does so by using its knowledge of the challenge to produce a polynomial which interferes with to ensure it has a root at . The transcript will thus always be accepting due to perfect completeness.
In order to see why produces transcripts distributed identically to the honest prover, we will look at each piece of the transcript and compare the distributions. First, note that (just as the honest prover) uses a freshly random blinding factor for every group element in the transcript, and so we need only consider the scalars in the transcript. acts just as the prover does except in the mentioned cases so we will analyze each case:
- and an honest prover reveal openings of each polynomial , and at most one additional opening of each in step . However, the honest prover blinds their polynomials (in ) with random evaluations over the domain . Thus, the openings of at the challenge (which is prohibited from being or in the domain by the protocol) are distributed identically between and an honest prover.
- Neither nor the honest prover reveal as it is computed by the verifier. However, the honest prover may reveal --- which has a non-trivial relationship with --- were it not for the fact that the honest prover also commits to a random degree polynomial in step , producing a commitment and ensuring that in step when the prover sets the distribution of is uniformly random. Thus, is never revealed by the honest prover nor by .
- The expected value of is computed by the verifier (in step ) and so the simulator's actual choice of is irrelevant.
- is conditioned on having a root at , but otherwise no conditions are placed on and so the distribution of the degree polynomial is uniformly random whether or not has a root at . Thus, the distribution of produced in step is identical between and an honest prover. The synthetic blinding factor also revealed in step is a trivial function of the prover's other blinding factors and so is distributed identically between and an honest prover.
- In an earlier version of our protocol, the prover would open each individual commitment at as part of the multipoint opening argument, and the verifier would confirm that a linear combination of these openings (with powers of ) agreed to the expected value of . This was done because it's more efficient in recursive proofs. However, it was unclear to us what the expected distribution of the openings of these commitments was and so proving that the argument was zero-knowledge is difficult. Instead, we changed the argument so that the verifier computes a linear combination of the commitments and that linear combination is opened at . This avoided leaking .
- As mentioned, in step the prover commits to a random polynomial as a way of ensuring that is not revealed in the multiopen argument. This is done because it's unclear what the distribution of would be.
- Technically it's also possible for us to prove zero-knowledge with a simulator that uses its foreknowledge of the challenge to commit to an which agrees at to the value it will be expected to. This would obviate the need for the random polynomial in the protocol. This may make the analysis of zero-knowledge for the remainder of the protocol a little bit tricky though, so we didn't go this route.
- Group element blinding factors are technically not necessary after step in which the polynomial is completely randomized. However, it's simpler in practice for us to ensure that every group element in the protocol is randomly blinded to make edge cases involving the point at infinity harder.
- It is crucial that the verifier cannot challenge the prover to open polynomials at points in as otherwise the transcript of an honest prover will be forced to contain what could be portions of the prover's witness. We therefore restrict the space of challenges to include all elements of the field except and, for simplicity, we also prohibit the challenge of .
Let be the interactive argument described above for relation and some group with scalar field . We can always construct an extractor such that for any non-uniform algebraic prover making at most queries to its oracle, there exists a non-uniform adversary with the property that for any computationally unbounded distinguisher
Proof. We will prove this by invoking Theorem 1 of [GT20]. First, we note that the challenge space for all rounds is the same, i.e. . Theorem 1 requires us to define:
- for all partial transcripts such that .
- an extractor function that takes as input an accepting extended transcript and either returns a valid witness or fails.
- a function returning a probability.
We say that an accepting extended transcript contains "bad challenges" if and only if there exists a partial extended transcript , a challenge , and some sequence of prover messages and challenges such that .
Theorem 1 requires that , when given an accepting extended transcript that does not contain "bad challenges", returns a valid witness for that transcript except with probability bounded above by .
Our strategy is as follows: we will define , establish an upper bound on with respect to an adversary that plays the game, substitute these into Theorem 1, and then walk through the protocol to determine the upper bound of the size of . The adversary plays the game as follows: given the inputs , the adversary simulates the game to using the inputs from the game as public parameters. If manages to produce an accepting extended transcript , invokes a function on and returns its output. We shall define in such a way that for an accepting extended transcript that does not contain "bad challenges", always returns a valid witness whenever does not return a non-trivial discrete log relation. This means that the probability is no greater than , establishing our claim.
We will perform some substitutions to aid in exposition. First, let us define the polynomial
so that we can write . The coefficient vector of is defined such that
where returns when the th bit of is set, and otherwise. We can also write .
Recall that an accepting transcript is such that
By inspection of the representations of group elements with respect to (recall that is algebraic and so has them), we obtain the equalities
and the equalities
We define the linear-time function that returns the representation of
which is always a discrete log relation. If any of the equalities above are not satisfied, then this discrete log relation is non-trivial. This is the function invoked by .
The extractor function simply returns from the representation for . Due to the restrictions we will place on the space of bad challenges in each round, we are guaranteed to obtain polynomials such that vanishes over whenever the discrete log relation returned by the adversary's function is trivial. This trivially gives us that the extractor function succeeds with probability bounded above by as required.
Recall from before that the following equalities hold:
as well as the equality
For convenience let us introduce the following notation
so that we can rewrite the above (after expanding for ) as
We can combine these equations by multiplying both sides of each instance of the first equation by (because is never zero) and substituting for in the second equation, yielding the following equalities:
Lemma 1. If then it follows that for all transcripts that do not contain bad challenges.
Proof. It will be useful to introduce yet another abstraction defined starting with and then recursively defined for all integers such that This allows us to rewrite our above equalities as
We will now show that for all integers such that that whenever the following holds for that the same also holds for
For all integers such that we have that by the definition of . This gives us as no value in nor any challenge are zeroes. We can use this to relate one half of the equalities with the other half as so:
Notice that can be rewritten as for all . Thus we can rewrite the above as
Now let us rewrite these equalities substituting with formal indeterminate .
Now let us rescale everything by to remove negative exponents.
This gives us triples of maximal degree- polynomials in that agree at despite having coefficients determined prior to the choice of . The probability that two of these polynomials would agree at and yet be distinct would be by the Schwartz-Zippel lemma and so by the union bound the probability that the three of these polynomials agree and yet any of them is distinct from another is . By the union bound again the probability that any of the triples have multiple distinct polynomials is . By restricting the challenge space for accordingly we obtain for integers and thus .
We can now conclude an equality of polynomials, and thus of coefficients. Consider the coefficients of the constant terms first, which gives us the equalities
No value of is zero, is never chosen to be and each is chosen so that is nonzero, so we can then conclude
An identical process can be followed with respect to the coefficients of the term in the equalities to establish contingent on being nonzero, which it always is. Substituting these in our equalities yields us something simpler
Now we will consider the coefficients in , which yield the equalities
which for similar reasoning as before yields the equalities