Non-Malleable Zero Knowledge: Black-Box Constructions and Definitional Relationships

This paper deals with efficient non-malleable zero-knowledge proofs forNP, based on general assumptions. We construct a simulation-sound zero-knowledge (ZK) protocol for NP, based only on the black-box use of one-way functions. Constructing such a proof system has been an open question ever since the original work of Dolev, Dwork, and Naor [DDN91]. In addition to the feasibility result, our protocol has a constant number of rounds, which is asymptotically optimal. Traditionally, the term non-malleable zero-knowledge (NmZK) refers to the original definition of [DDN91]; but today it is used loosely to also refer to simulation-soundness (SimSound) [Sah99], and simulation-extractability (SimExt) [PR05b]. While SimExt implies NmZK, the common perception is that SimExt is strongest of the three notions. A formal study of the definitional relationship between these three notions, however, has never been done. In the second part of this work, we try to correct this situation by initiating such a study. We show that in the “static” case, if an NmZK protocol is also an argument-of-knowledge, then it is in fact SimExt. Furthermore, in the most strict sense of the definition, SimSound does not necessarily follow from SimExt. These results are somewhat surprising because they are opposite to the common perception that SimExt is the strongest of the three notions.