Abstract

This paper defines strongly simulation-extractable (sSE) leakage resiliency (LR), a new notion for non-interactive zero-knowledge (NIZK) proof systems. For an sSE-NIZK proof system, there exists a probabilistic polynomial-time extractor that can always extract a correct witness from any valid proof generated by the adversary, who can obtain proofs of true statements previously given by the simulator. The proof generated by the adversary may depend on a statement-tag pair that has already been used by the simulator. Furthermore, if the adversary can also learn leakage on the witnesses and randomness that can explain the proofs generated by the simulator, then the sSE-NIZK proof system is said to satisfy the property of LR. At ASIACRYPT 2010, Dodis, Haralambiev, Lopez-Alt, and Wichs proposed the definitions of the true simulation-extractable (tSE) NIZK proof system and the sSE-NIZK proof system and gave their constructions. The tSE-NIZK proof system is the same as the sSE-NIZK proof system except that the proof generated by the adversary cannot depend on a statement-tag pair that was used by the simulator. As an extension of the tSE-NIZK proof system, Garg, Jain, and Sahai defined a new notion for NIZK proof systems called tSE-LR at CRYPTO 2011 and provided a construction of a tSE-LR-NIZK proof system. We extend the notion of the tSE-LR-NIZK proof system and construct the extended system by improving the construction of the tSE-LR-NIZK proof system. An sSE-LR-NIZK proof system can be used to construct a fully leakage-resilient signature scheme that is strongly existentially unforgeable, while a tSE-LR-NIZK proof system can be used to construct one that satisfies only weak existential unforgeability. Although there has already been a great deal of research on cryptographic primitives in the leakage models, as far as we know, this is the first fully leakage-resilient signature scheme that is strongly existentially unforgeable.
