**
Robust Non-Interactive Zero Knowledge
**

*
Alfredo De Santis, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe
Persiano, Amit Sahai
*

**
Abstract:
**

Non-Interactive Zero Knowledge (NIZK), introduced by Blum, Feldman, and Micali in 1988, is a fundamental cryptographic primitive which has attracted considerable attention in the last decade and has been used throughout modern cryptography in several essential ways. For example, NIZK plays a central role in building provably secure public-key cryptosystems based on general complexity-theoretic assumptions that achieve security against chosen ciphertext attacks. In essence, in a multi-party setting, given a fixed common random string of polynomial size which is visible to all parties, NIZK allows an arbitrary polynomial number of Provers to send messages to polynomially many Verifiers, where each message constitutes an NIZK proof for an arbitrary polynomial-size NP statement.

In this paper, we take a closer look at NIZK in the multi-party setting. First, we consider {\em non-malleable} NIZK, and generalizing and substantially strengthening the results of Sahai, we give the first construction of NIZK which remains non-malleable after polynomially-many NIZK proofs. Second, we turn to the definition of standard NIZK itself, and propose a strengthening of it. In particular, one of the concerns in the technical definition of NIZK (as well as non-malleable NIZK) is that the so-called ``simulator'' of the Zero-Knowledge property is allowed to pick a {\em different} ``common random string'' from the one that Provers must actually use to prove NIZK statements in real executions. In this paper, we propose a new definition for NIZK that eliminates this shortcoming, and where Provers and the simulator use the {\em same} common random string. Furthermore, we show that both standard and {\em non-malleable\/} NIZK (as well as NIZK Proofs of Knowledge) can be constructed achieving this stronger definition. We call such NIZK {\bf Robust NIZK} and show how to achieve it. Our results also yields the simplest known public-key encryption scheme based on general assumptions secure against adaptive chosen-ciphertext attack (CCA2).

**comment:**
Appeared in Proceedings of Advances in Cryptology, (CRYPTO-2001)
Springer-Verlag/IACR Lecture Notes in Computer Science.

Fetch PostScript file of the paper Fetch PDF file of the paper

Back to the Rafail Ostrovsky publication list or to the Rafail Ostrovsky main page.