Resettably-sound resettable zero knowledge in constant rounds

Abstract

In FOCS 2001 Barak et al. conjectured the existence of zero-knowledge arguments that remain secure against resetting provers and resetting verifiers. The conjecture was proven true by Deng et al. in FOCS 2009 under various complexity assumptions and requiring a polynomial number of rounds. Later on in FOCS 2013 Chung et al. improved the assumptions requiring one-way functions only but still with a polynomial number of rounds. In this work we show a constant-round resettably-sound resettable zero-knowledge argument system, therefore improving the round complexity from polynomial to constant. We obtain this result through the following steps. 1.We show an explicit transform from any ℓ -round concurrent zero-knowledge argument system into an O(ℓ) -round resettable zero-knowledge argument system. The transform is based on techniques proposed by Barak et al. in FOCS 2001 and by Deng et al. in FOCS 2009. Then, we make use of a recent breakthrough presented by Chung et al. in CRYPTO 2015 that solved the longstanding open question of constructing a constant-round concurrent zero-knowledge argument system from plausible polynomial-time hardness assumptions. Starting with their construction Γ we obtain a constant-round resettable zero-knowledge argument system Λ.2.We then show that by carefully embedding Λ inside Γ (i.e., essentially by playing a modification of the construction of Chung et al. against the construction of Chung et al.) we obtain the first constant-round resettably-sound concurrent zero-knowledge argument system Δ.3.Finally, we apply a transformation due to Deng et al. to Δ obtaining a resettably-sound resettable zero-knowledge argument system Π, the main result of this work. While our round-preserving transform for resettable zero knowledge requires one-way functions only, both Λ, Δ and Π extend the work of Chung et al. and as such they rely on the same assumptions (i.e., families of collision-resistant hash functions, one-way permutations and indistinguishability obfuscation for P/ poly, with slightly super-polynomial security).