Paper 2024/1518

Witness Semantic Security

Paul Lou, University of California, Los Angeles
Nathan Manohar, IBM Research - Thomas J. Watson Research Center
Amit Sahai, University of California, Los Angeles
Abstract

To date, the strongest notions of security achievable for two-round publicly-verifiable cryptographic proofs for $\mathsf{NP}$ are witness indistinguishability (Dwork-Naor 2000, Groth-Ostrovsky-Sahai 2006), witness hiding (Bitansky-Khurana-Paneth 2019, Kuykendall-Zhandry 2020), and super-polynomial simulation (Pass 2003, Khurana-Sahai 2017). On the other hand, zero-knowledge and even weak zero-knowledge (Dwork-Naor-Reingold-Stockmeyer 1999) are impossible in the two-round publicly-verifiable setting (Goldreich-Oren 1994). This leaves an enormous gap in our theoretical understanding of known achievable security and the impossibility results for two-round publicly-verifiable cryptographic proofs for $\mathsf{NP}$. Towards filling this gap, we propose a new and natural notion of security, called witness semantic security, that captures the natural and strong notion that an adversary should not be able to learn any partial information about the prover's witness beyond what it could learn given only the statement $x$. Not only does our notion of witness semantic security subsume both witness indistinguishability and witness hiding, but it also has an easily appreciable interpretation. Moreover, we show that assuming the subexponential hardness of LWE, there exists a two-round public-coin publicly-verifiable witness semantic secure argument. To our knowledge, this is the strongest form of security known for this setting. As a key application of our work, we show that non-interactive zero-knowledge (NIZK) arguments in the common reference string (CRS) model can additionally maintain witness semantic security even when the CRS is maliciously generated. Our work gives the first construction from (subexponential) standard assumptions that achieves a notion stronger than witness-indistinguishability against a malicious CRS authority. In order to achieve our results, we give the first construction of a ZAP from subexponential LWE that is adaptively sound. 
Additionally, we propose a notion of simulation using non-uniform advice about a malicious CRS, which we also believe will be of independent interest.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Published by the IACR in EUROCRYPT 2024
DOI
10.1007/978-3-031-58740-5_6
Keywords
Zero-Knowledge, Witness Hiding, Witness Indistinguishability
Contact author(s)
pslou @ cs ucla edu
nmanohar @ ibm com
sahai @ cs ucla edu
History
2024-09-30: approved
2024-09-26: received
Short URL
https://ia.cr/2024/1518
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1518,
      author = {Paul Lou and Nathan Manohar and Amit Sahai},
      title = {Witness Semantic Security},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1518},
      year = {2024},
      doi = {10.1007/978-3-031-58740-5_6},
      url = {https://eprint.iacr.org/2024/1518}
}