Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model
Author
Abstract
We present a construction for non-interactive zero-knowledge proofs of knowledge in the random oracle model from general sigma-protocols. Our construction is secure against quantum adversaries. Prior constructions (by Fiat-Shamir and by Fischlin) are only known to be secure against classical adversaries, and Ambainis, Rosmanis, Unruh (FOCS 2014) gave evidence that those constructions might not be secure against quantum adversaries in general. To prove security of our constructions, we additionally develop new techniques for adaptively programming the quantum random oracle.

[This paper will appear at Eurocrypt 2015. A full version is provided in [15].]

Classical NIZK proofs. Zero-knowledge proofs are a vital tool in modern cryptography. Traditional zero-knowledge proofs (e.g., [10]) are interactive protocols, which makes them cumbersome to use in many situations. To circumvent this problem, non-interactive zero-knowledge (NIZK) proofs were introduced [3]. NIZK proofs circumvent the necessity for interaction by introducing a CRS, which is a publicly known value that needs to be chosen by a trusted third party. The ease of use of NIZK proofs comes at a cost, though: generally, NIZK proofs will be less efficient and based on stronger assumptions than their interactive counterparts. So-called sigma protocols (a certain class of three-move interactive proofs, see below) exist for a wide variety of problems and admit very generic operations for efficiently constructing more complex ones [5, 7] (e.g., the "or" of two sigma protocols). In contrast, efficient NIZK proofs using a CRS exist only for specific languages (most notably related to bilinear groups, using Groth-Sahai proofs [11]). To alleviate this, Fiat and Shamir [8] introduced so-called Fiat-Shamir proofs that are NIZK proofs in the random oracle model (footnote 1). Those can transform any sigma protocol into a NIZK proof. (In fact the construction is even a proof of knowledge, but we will ignore this distinction for the moment.) The Fiat-Shamir construction (or variations of it) has been used in a number of notable protocols, e.g., Direct Anonymous Attestation [4] and the Helios voting system [1]. A second construction of NIZK proofs in the random oracle model was proposed by Fischlin [9]. Fischlin's construction is less efficient than Fiat-Shamir (and imposes an additional condition on the sigma protocol, called "unique responses"), but it avoids certain technical difficulties that Fiat-Shamir has (Fischlin's construction does not need rewinding).

Quantum NIZK proofs. However, if we want security against quantum adversaries, the situation becomes worse. Groth-Sahai proofs are not secure because they are based on hardness assumptions in bilinear groups that can be broken by Shor's algorithm [13]. And Ambainis, Rosmanis, and Unruh [2] show that the Fiat-Shamir construction is not secure in general, at least relative to a specific oracle. Although this does not exclude that Fiat-Shamir is still secure without an oracle, it at least makes a proof of security less likely; at the least, such a security proof would be non-relativizing, while all known proof techniques that deal with rewinding in the quantum case [18, 14] are relativizing. Similarly, [2] also shows Fischlin's scheme to be insecure in general (relative to an oracle). Of course, even if Fiat-Shamir and Fischlin's construction are insecure in general, for certain specific sigma-protocols, Fiat-Shamir or Fischlin could still be secure. (Recall that both constructions take an arbitrary sigma-protocol and convert it into a NIZK proof.) In fact,

Footnote 1: [8] originally introduced them as a heuristic construction for signature schemes (with a security proof in the random oracle model by [12]). However, the construction can be seen as a NIZK proof of knowledge in the random oracle model.
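As an added illustration (not code from the paper or its author), the Fiat-Shamir transform discussed above applied to the Schnorr sigma protocol: the three-move interactive protocol, and its non-interactive version in which a hash of (statement, commitment) replaces the verifier's challenge, plus a brute-force check of the "unique responses" property that Fischlin's construction requires. The toy group parameters, the use of SHA-256 as the random oracle, and all function names are assumptions made for this example; the paper's own quantum-secure construction is not shown.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT a secure size): p = 2q + 1 is a safe prime and
# g = 4 generates the order-q subgroup of Z_p^*. Real deployments use large groups.
P, Q, G = 1019, 509, 4

def keygen():
    """Witness x and statement y = g^x: the prover shows knowledge of x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

# --- Schnorr sigma protocol: three moves (commitment, challenge, response) ---
def sigma_commit(r=None):
    r = secrets.randbelow(Q) if r is None else r % Q
    return r, pow(G, r, P)                         # keep r secret, send a = g^r

def sigma_respond(x, r, e):
    return (r + e * x) % Q                         # z = r + e*x mod q

def sigma_verify(y, a, e, z):
    return pow(G, z, P) == (a * pow(y, e, P)) % P  # accept iff g^z == a * y^e

def interactive_run(x, y):
    """Honest interactive execution: the verifier picks the challenge."""
    r, a = sigma_commit()
    e = secrets.randbelow(Q)                       # verifier's random challenge
    return sigma_verify(y, a, e, sigma_respond(x, r, e))

def has_unique_response(y, a, e, z):
    """'Unique responses' (Fischlin's extra condition): no other z' verifies
    for the same (y, a, e). Exhaustive over Z_q, feasible only for toy q."""
    return all(not sigma_verify(y, a, e, zz) for zz in range(Q) if zz != z)

# --- Fiat-Shamir: the random oracle (modelled by SHA-256) replaces the verifier ---
def ro_challenge(y, a):
    """Challenge e = H(group, statement, commitment), reduced into Z_q."""
    data = f"{P}|{G}|{y}|{a}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def nizk_prove(x, y, r=None):
    r, a = sigma_commit(r)
    return a, sigma_respond(x, r, ro_challenge(y, a))   # proof = (a, z)

def nizk_verify(y, proof):
    a, z = proof
    return sigma_verify(y, a, ro_challenge(y, a), z)
```

Binding the challenge to the statement is what lets the proof stand without interaction; a verifier recomputes e from (y, a) and anyone who alters a, z, or y must redo the proof for the new challenge.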
Similar sources
Oracle Separations for Quantum Statistical Zero-Knowledge
This paper investigates the power of quantum statistical zero knowledge interactive proof systems in the relativized setting. We prove the existence of an oracle relative to which quantum statistical zero knowledge does not contain UP ∩ coUP, and we prove that quantum statistical zero knowledge does not contain UP relative to a random oracle with probability 1. Our proofs of these statements re...
Threshold and Revocation Cryptosystems via Extractable Hash Proofs
We present a new unifying framework for constructing non-interactive threshold encryption and signature schemes, as well as broadcast encryption schemes, and in particular, derive several new cryptosystems based on hardness of factoring, including: – a threshold signature scheme (in the random oracle model) that supports ad-hoc groups (i.e., exponential number of identities and the set-up is in...
Post-quantum Security of Fiat-Shamir
The Fiat-Shamir construction (Crypto 1986) is an efficient transformation in the random oracle model for creating non-interactive proof systems and signatures from sigma-protocols. In classical cryptography, Fiat-Shamir is a zero-knowledge proof of knowledge assuming that the underlying sigma-protocol has the zero-knowledge and special soundness properties. Unfortunately, Ambainis, Rosmanis, and...
Non-interactive Proofs for Integer Multiplication
We present two universally composable and practical protocols by which a dealer can, verifiably and non-interactively, secret-share an integer among a set of players. Moreover, at small extra cost and using a distributed verifier proof, it can be shown in zero-knowledge that three shared integers a, b, c satisfy ab = c. This implies by known reductions non-interactive zero-knowledge proofs that...
A Post-quantum Digital Signature Scheme Based on Supersingular Isogenies
We present the first general-purpose digital signature scheme based on supersingular elliptic curve isogenies secure against quantum adversaries in the quantum random oracle model with small key sizes. This scheme is an application of Unruh’s construction of non-interactive zero-knowledge proofs to an interactive zero-knowledge proof proposed by De Feo, Jao, and Plût. We implement our proposed ...
Journal title:
- IACR Cryptology ePrint Archive
Volume 2014, issue
Pages -
Publication date 2014