**Publicly Verifiable Proofs from Blockchains**

*Alessandra Scafuro and Luisa Siniscalchi and Ivan Visconti*

**Abstract:** A proof system is publicly verifiable if anyone, by looking at the transcript of the proof, can be convinced that the corresponding theorem is true. Public verifiability is important in many applications since it allows a proof to be computed only once while convincing an unlimited number of verifiers.
Popular interactive proof systems (e.g., $\Sigma$-protocols) protect the witness through various properties (e.g., witness indistinguishability (WI) and zero knowledge (ZK)) but typically they are not publicly verifiable since such proofs are convincing only for those verifiers who contributed to the transcripts of the proofs.
The only known proof systems that are publicly verifiable rely on a non-interactive (NI) prover, through trust assumptions (e.g., NIZK in the CRS model), heuristic assumptions (e.g., NIZK in the random oracle model), specific number-theoretic assumptions on bilinear groups, or obfuscation assumptions (obtaining NIWI with no setups).
In this work we construct publicly verifiable witness-indistinguishable proof systems from any $\Sigma$-protocol, based only on the existence of a very generic blockchain. The novelty of our approach is in enforcing a non-interactive verification (thus guaranteeing public verifiability) while allowing the prover to be interactive and talk to the blockchain (this allows us to circumvent the need for strong assumptions and setups). This opens interesting directions for the design of cryptographic protocols leveraging blockchain technology.
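
The abstract's remark that $\Sigma$-protocol transcripts convince only the verifier who contributed to them can be seen concretely with Schnorr's protocol. The following is an added example, not code from the paper: the toy group parameters and all function names are assumptions. It shows that a transcript built without any witness, by choosing the challenge first, passes the same verification equation as an honest one.

```python
import secrets

# Toy Schnorr group (constructed, insecure size): p = 2q + 1, both prime,
# and g = 4 generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4

def keygen():
    """Return (witness w, statement x = g^w mod p)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)

def verify(x, transcript):
    """Sigma-protocol verification equation: g^z == a * x^c (mod p)."""
    a, c, z = transcript
    return pow(G, z, P) == (a * pow(x, c, P)) % P

def honest_transcript(w, challenge):
    """Interactive run: the prover commits to a BEFORE seeing the challenge."""
    r = secrets.randbelow(Q)
    a = pow(G, r, P)
    z = (r + challenge * w) % Q
    return a, challenge, z

def simulated_transcript(x):
    """Honest-verifier ZK simulator: uses no witness.
    Picks c and z first, then solves the verification equation for a."""
    c = secrets.randbelow(Q)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(x, -c, P)) % P   # modular inverse, Python 3.8+
    return a, c, z

if __name__ == "__main__":
    w, x = keygen()
    live = honest_transcript(w, secrets.randbelow(Q))
    fake = simulated_transcript(x)
    # A third party looking only at the transcripts cannot tell which one
    # came from a prover who actually knows w.
    print("honest accepted:   ", verify(x, live))
    print("simulated accepted:", verify(x, fake))
```

A verifier who chose the challenge freshly after receiving `a` is convinced; an outside observer who only sees `(a, c, z)` has no such guarantee.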

**Category / Keywords:** Non-interactive Witness Indistinguishability, Blockchain, public verifiability, NIZK, WI

**Original Publication (with minor differences):** IACR-PKC-2019

**Date:** received 20 Jan 2019, last revised 9 Feb 2019

**Contact author:** luisa siniscalchi88 at gmail com


**Note:** Compared to previous versions, this one includes improved definitions. Moreover, a few typos have been corrected.

**Version:** 20190209:135231

**Short URL:** ia.cr/2019/066
