cover_image

Equivalence between GWEF and 3-message ZKA

Kurt Pan XPTY
2020年11月27日 17:46

Generalized Weakly Extractable One-way Functions (GWEF)

  • Definition (GEF [BCPR16]). A polynomial-time computable family of functions

associated with an efficient key sampler  is a generalized extractable one-way function with respect to a polynomial-time relation  if the following holds:

 -Hardness: For any non-uniform family of polynomial-size circuits  and every 

 -Extractability: There exists a PPT extractor  such that for any non-uniform family of polynomial size circuits  and every ,

  • Definition (GWEF). An efficiently computable family of functions

associated with an efficient key sampler  and NP relation  is a generalized weakly extractable one-way function with respect to a polynomial-time relation  if the following holds:

Worst-case  -Hardness: For any non-uniform family of polynomial-size circuits  every  and every 

Weak  -Extractability: There exists a PPT extractor  such that for any non-uniform family of polynomial-size circuits  we have:

Extraction: For all 

Key Indistinguishability:

Validity: For all 

From Three-Message ZK to GWEF

!! Assuming publicly verifiable three-message zero-knowledge argument system for NP and non-interactive commitments, there exists a GWEF.

Sampler :

  • Sample 
  • Let  be the zero-knowledge simulator, and let  be the honest verifier circuit with hardwired randomness  Sample 
  • Return 

Key relation  iff  such that 

Function  in family :

  • Parse 
  • Emulate the verifier  with statement  first prover message  and randomness  Let  be the produced verifier message.
  • Output 

:

  •  iff
    • Parsing  and 
    • The transcript  with respect to statement  is accepting.

From GWEF to Three-Message ZK

!! Assume there exist GWEF, non-interactive commitments, and two-message witness indistinguishable arguments. Then there exists a publicly verifiable three-message ZK argument.

  •  off  on  off  on  an offline-online WIAOK system for NP with two offline messages and a single online message. (Recall that such systems follow from non-interactive commitments. We denote its corresponding messages by wi 
  •  off  an offline-online  system for  with a single offline (verifier) message and a single online (prover) message. We denote its corresponding messages by 

Common Input: statement 

Prover Input: witness 

  1.  computes:

    •  a GWEF key.
    • wi, the first prover message in the offline  off off.
    • wi the first offline message the verifier off .
    •  a commitment to the witness .

Sends 


  1.  computes:
    •  a random string.
    •  the image of  under the GWEF.
    • wi the second verifier message in the offline  off P, off 
    •  the second prover message in the online  for the statement 

where the witness  is used.

Sends 

  1.  computes:
    • The decision of the online verifier in  on  on . If it rejects, then  aborts.
    • wi, the third prover message in the online  for the statement  

where the prover uses the witness 

Sends 

  1.  accepts iff the online verifier in  on  accepts.