Witness Signatures and Non-Malleable Multi-Prover Zero-Knowledge Proofs

Motivated by the goal of removing trusted setup assumptions from cryptography, we introduce the notion of witness signatures. This primitive allows any party with a valid witness to an NP statement to sign a message on behalf of that statement. We also require these signatures to be unforgeable: that is, producing a signature on a new message (even given several message, signature pairs) should be as hard as computing a witness to the NP statement itself. Witness signatures are closely related to previously well-studied notions such as non-malleable non-interactive zero knowledge arguments, and signatures of knowledge. In this work, we formalize this notion and show that most natural definitions are impossible in the plain model without any setup assumptions. While still wanting to avoid a central trusted setup, we turn to the tamper proof hardware token model of Katz (Eurocrypt 2007). Interestingly, we show witness signatures in the hardware token model are closely related to what we call non-malleable multi-prover zero-knowledge proofs in the plain model (i.e. without hardware tokens). We initiate the study of nonmalleable multi-prover zero-knowledge proofs, and, provide an unconditional construction of single round non-malleable two-prover zero-knowledge proofs. We then use this primitive to obtain an unconditional construction of witness signatures in the hardware token model. Our construction makes a novel use of non-malleable codes. In particular, we crucially rely on the notion of many-many non-malleable codes introduced recently by Chattopadhyay, Goyal and Li (ECCC 2015). Our construction is unconditional, is extremely efficient (in terms of computation, number of tokens, and rounds of interaction with the token), and, only relies on elementary computations such as inner products. Finally, this construction yields signatures which can only be verified a bounded number of times. Towards that end, we show how to extend it to get the unbounded (polynomial) verification property relying on the minimal additional assumption of one-way functions. We also show that obtaining unconditional unbounded-verifiable witness signatures under black-box extraction, is impossible even with access to an unbounded number of stateful tamper-proof hardware tokensthereby giving a matching lower bound. This is done by relying on the techniques from the work of Goyal et al (Crypto 2012) (which in turn builds on techniques from the black-box separation literature). In particular, we rely on the notion of “inaccessible entropy" introduced in prior works. ∗Microsoft Research, India. Email: [email protected]. †UCLA, USA. Email: [email protected]. Work done in part while at Microsoft Research, India. ‡UCLA, USA. Email: [email protected]. Work done in part during an internship at Microsoft Research, India.