Non-black-box Simulation in the Fully Concurrent Setting, Revisited

Kiyoshima, Susumu

doi:10.1007/s00145-018-09309-5

Non-black-box Simulation in the Fully Concurrent Setting, Revisited

Published: 06 February 2019

Volume 32, pages 393–434, (2019)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Non-black-box Simulation in the Fully Concurrent Setting, Revisited

Download PDF

Susumu Kiyoshima¹

2137 Accesses
1 Citation
Explore all metrics

Abstract

We give a new proof of the existence of $O(n^{\epsilon })$-round public-coin concurrent zero-knowledge arguments for $\mathcal {NP}$, where $\epsilon >0$ is an arbitrary constant. The security is proven in the plain model under the assumption that collision-resistant hash functions exist. The existence of such concurrent zero-knowledge arguments was previously proven by Goyal (STOC’13) in the plain model under the same assumption. In the proof, we use a new variant of the non-black-box simulation technique of Barak (FOCS’01). An important property of our simulation technique is that the simulator runs in a “straight-line” manner in the fully concurrent setting. Compared with the simulation technique of Goyal, which also has such a property, the analysis of our simulation technique is (arguably) simpler.

A New Framework for More Efficient Round-Optimal Lattice-Based (Partially) Blind Signature via Trapdoor Sampling

A Formal Security Analysis of the Signal Messaging Protocol

Article 23 September 2020

Katriel Cohn-Gordon, Cas Cremers, … Douglas Stebila

A Formal Analysis of the FIDO2 Protocols

1 Introduction

Zero-knowledge ($\mathrm {ZK}$) proofs and arguments [22] are interactive proof/argument systems with which the prover can convince the verifier of the correctness of a mathematical statement while providing zero additional knowledge. In the definition of $\mathrm {ZK}$ protocols,^{Footnote 1} this “zero additional knowledge” property is formalized thorough the simulation paradigm: An interactive proof/argument is said to be zero-knowledge if for any adversarial verifier there exists a simulator that can output a simulated view of the adversary. $\mathrm {ZK}$ protocols have been used as building blocks in many cryptographic protocols, and techniques developed for them have been used in many fields of cryptography.

Traditionally, the security of $\mathrm {ZK}$ protocols was proven via black-box simulation. That is, the zero-knowledge property was proven by showing a simulator that uses the adversary only as an oracle. Since black-box simulators use the adversaries as oracles, the only advantage they have is the ability to rewind the adversaries. Still, black-box simulation is quite powerful, and it can be used to obtain $\mathrm {ZK}$ protocols with a variety of additional properties, security, and efficiency.

However, black-box simulation has inherent limitations. For example, let us consider public-coin $\mathrm {ZK}$ protocols and concurrent $\mathrm {ZK}$ protocols, where the former is the $\mathrm {ZK}$ protocols such that the verifier sends only the outcome of its coin-tossing during the protocols, and the latter is the $\mathrm {ZK}$ protocols such that their zero-knowledge property holds even when they are concurrently executed many times. It is known that both of them can be constructed by using black-box simulation techniques [23, 26, 31, 34]. However, it is also known that neither of them can be constructed by black-box simulation techniques if we additionally require round efficiency. Specifically, it was shown that constant-round public-coin $\mathrm {ZK}$ protocols and $o(\log n/\log \log n)$-round concurrent $\mathrm {ZK}$ protocols cannot be proven secure via black-box simulation [13, 21]. Furthermore, it was also shown that no public-coin concurrent $\mathrm {ZK}$ protocol can be proven secure via black-box simulation irrespective of its round complexity [33].

A natural question to ask is whether the $\mathrm {ZK}$ property can be proven by using non-black-box simulation techniques. In particular, whether the above impossibility results can be overcome by using non-black-box simulation techniques is a highly motivated question. Non-black-box simulation techniques are, however, significantly hard to develop. Specifically, non-black-box simulation seems to inherently involve “reverse engineering” of the adversaries, and such reverse engineering seems very difficult.

Barak [2] made a breakthrough about non-black-box stimulation by proposing the first non-black-box simulation technique under a standard assumption and showing that a black-box impossibility result can be overcome by using it. Specifically, Barak used his non-black-box simulation technique to obtain a constant-round public-coin $\mathrm {ZK}$ protocol under the assumption that a family of collision-resistant hash functions exists. (Recall that, as noted above, constant-round public-coin $\mathrm {ZK}$ protocols cannot be proven secure via black-box simulation.) The simulation technique of Barak is completely different from previous ones. Specifically, in his simulation technique, the simulator runs in a “straight-line” manner (i.e., it does not “rewind” the adversary) and simulates the adversary’s view by using the code of the adversary.^{Footnote 2}

Non-black-box simulation in the concurrent setting Since Barak’s non-black-box simulation technique allows us to overcome a black-box impossibility result, it is natural to ask whether we can overcome other black-box impossibility results as well by using Barak’s technique. In particular, since Barak’s simulation technique works in a straight-line manner and therefore completely removes the issue of recursive rewinding [18] that arises in the setting of concurrent $\mathrm {ZK}$, it is natural to expect that Barak’s simulation technique can be used to overcome the black-box impossibility results of $o(\log n/\log \log n)$-round concurrent $\mathrm {ZK}$ protocols and public-coin concurrent $\mathrm {ZK}$ protocols.

However, it turned out that Barak’s non-black-box simulation technique is hard to use in the concurrent setting. In fact, although Barak’s technique can be extended so that it can handle bounded-concurrent execution [2] (i.e., concurrent execution where the protocol is concurrently executed a bounded number of times) and parallel execution [32], it had been open for years to extend it so that it can handle fully concurrent execution. An important step toward obtaining non-black-box simulation in the fully concurrent setting was made by Deng et al. [17], who used Barak’s technique in the fully concurrent setting by combining it with a black-box simulation technique (specifically, with the recursive rewinding technique of Richardson and Kilian [34]). Another important step was made by Bitansky and Paneth [8,9,10], who developed a new non-black-box simulation technique (which is not based on that of Barak) that can handle fully concurrent execution when being combined with a black-box simulation technique (again, the recursive rewinding technique of [34]). The simulation techniques of these works are powerful enough to allow us to overcome another black-box impossibility result (the impossibility of simultaneously resettable $\mathrm {ZK}$ protocols [6, 12]). However, they are not strict improvement over Barak’s non-black-box simulation technique since they do not have some of the useful properties that Barak’s technique do have, such as the public-coin property and the straight-line simulation property. As a result, they do not immediately allow us to overcome the black-box impossibility results of $o(\log n/\log \log n)$-round concurrent $\mathrm {ZK}$ protocols and public-coin concurrent $\mathrm {ZK}$ protocols.

Recently, several works showed that with a trusted setup or non-standard assumptions, Barak’s simulation technique can be extended so that it can handle fully concurrent execution (without losing its public-coin property and straight-line simulation property). Furthermore, they showed that with their versions of Barak’s technique, it is possible to overcome the black-box impossibility results of $o(\log n/\log \log n)$-round concurrent $\mathrm {ZK}$ protocols and public-coin concurrent $\mathrm {ZK}$ protocols. For example, Canetti et al. [14] constructed a public-coin concurrent $\mathrm {ZK}$ protocol in the global hash function (GHF) model, where a single hash function is used in all concurrent sessions. Also, Chung et al. [15] constructed a constant-round concurrent $\mathrm {ZK}$ protocol by assuming the existence of $\mathcal {P}$-certificates (i.e., “succinct” non-interactive proofs/arguments for $\mathcal {P}$), Pandey et al. [29] constructed a constant-round concurrent $\mathrm {ZK}$ protocols by assuming the existence of differing-input indistinguishability obfuscators, and Chung et al. [16] constructed a constant-round concurrent $\mathrm {ZK}$ protocols by assuming the existence of indistinguishability obfuscators.

Very recently, Goyal [24] showed that Barak’s non-black-box simulation technique can be extended so that it can handle fully concurrent execution even in the plain model under standard assumptions. Goyal then used his version of Barak’s technique to obtain the first public-coin concurrent $\mathrm {ZK}$ protocol in the plain model under a standard assumption (the existence of a family of collision-resistant hash functions), where its round complexity is $O(n^{\epsilon })$ for an arbitrary constant $\epsilon >0$. Like the original simulation technique of Barak (and many of its variants), the simulation technique of Goyal has a straight-line simulator; hence, Goyal’s simulator performs straight-line concurrent simulation. Because of this straight-line concurrent simulation property, the simulation technique of Goyal has huge potential. In fact, it was shown subsequently that Goyal’s technique can be used to obtain new results on concurrently secure multi-party computation and concurrent blind signatures [20].

In summary, we currently have several positive results on non-black-box simulation in the concurrent setting, and in particular, we have a one that has a straight-line concurrent simulator in the plain model under a standard assumption [24]. However, the state of the art is still not satisfactory, and there are still many open problems to be addressed. For example, the simulation technique of Goyal [24] requires the protocol to have $O(n^{\epsilon })$ rounds, so the problem of constructing $o(\log n/\log \log n)$-round concurrent $\mathrm {ZK}$ protocols in the plain model under standard assumptions is still open. Thus, studying more on non-black-box simulation and developing new non-black-box simulation techniques in the concurrent setting is still an important research direction.

1.1 Our Result

In this paper, we propose a new variant of Barak’s non-black-box simulation technique and use it to give a new proof of the following theorem, which was originally proven by Goyal [24].

Theorem

Assume the existence of a family of collision-resistant hash functions. Then, for any constant $\epsilon >0$, there exists an $O(n^{\epsilon })$-round public-coin concurrent zero-knowledge argument of knowledge.

Like the simulation technique of Goyal, our simulation technique can handle fully concurrent execution in the plain model under a standard assumption, and it has a simulator that runs in a straight-line manner in the fully concurrent setting. We emphasize that our simulation technique requires the same hardness assumption and the same round complexity as that of Goyal; hence, it does not immediately lead to improvement over the result of Goyal. Nevertheless, we believe that our simulation technique is interesting because it is different from that of Goyal and its analysis is (in our opinion) simpler than the analysis of Goyal’s technique. (A comparison between our simulation technique and that of Goyal is given in Sect. 2.3.) We hope that our technique leads to further study on non-black-box simulation in the concurrent setting.

Brief overview of our technique Our public-coin concurrent $\mathrm {ZK}$ protocol is based on the public-coin concurrent $\mathrm {ZK}$ protocol of Canetti, Lin, and Paneth (CLP) [14], which is secure in the global hash function model. Below, we give a brief overview of our technique under the assumptions that the readers are familiar with Barak’s non-black-box simulation technique and CLP’s techniques. In Sect. 2, we give a more detailed overview of our technique, including the explanation of the techniques of Barak and CLP.

The protocol of CLP is similar to the $\mathrm {ZK}$ protocol of Barak except that it has multiple “slots” (i.e., pairs of a prover’s commitment and a receiver’s random-string message). A key observation by CLP is that given multiple slots, one can avoid the blowup of the simulator’s running time, which is the main obstacle to use Barak’s simulation technique in the concurrent setting. More precisely, CLP’s observation is that given multiple slots, the simulator can use any of these slots when generating the PCP proof in the universal argument ($\mathsf {UA}$) of Barak’s protocol, and therefore, it can avoid the blowup of its running time by using a good “proving strategy” that determines which slots to use in the generation of the PCP proofs in concurrent sessions. The proving strategy that CLP use is similar in spirit to the oblivious rewinding strategy [26, 31] of black-box concurrent $\mathrm {ZK}$ protocols. In particular, in the proving strategy of CLP, the simulator recursively divides the simulated transcript between honest provers and the cheating verifier into “blocks” and generates the PCP proofs only at the end of the blocks.

A problem that CLP encountered is that the simulator has only one opportunity to give the $\mathsf {UA}$ proof in each session, and thus it needs to remember all previously generated PCP proofs if the adversary delays the execution of the $\mathsf {UA}$ proofs in all sessions. Because of this problem, the length of the PCP proofs can be rapidly blowing up in the concurrent setting, and the size of the simulator cannot be bounded by a polynomial. In [14], CLP solved this problem in the global hash function model by cleverly using the global hash function in $\mathsf {UA}$.

To solve this problem in the plain model, we modify the protocol of CLP so that the simulator has multiple opportunities to give the $\mathsf {UA}$ proof in each session. We then show that by using a good proving strategy that also determines which opportunity the simulator takes to give the $\mathsf {UA}$ proof in each session, the simulator can avoid the blowup of its size as well as that of its running time. Our proving strategy guarantees that a PCP proof generated at the end of a block is used only in its “parent block”; because of this guarantee, the simulator needs to remember each PCP proof only for a limited time, and therefore, the length of the PCP proofs does not blow up. This proving strategy is the core of our simulation technique and the main deference between the simulation technique of ours and that of Goyal [24]. (The simulator of Goyal also has multiple opportunities to give the $\mathsf {UA}$ proof in each session, but it determines which opportunity to take by using a proving strategy that is different from ours.) Interestingly, the strategy that we use is deterministic (whereas the strategy that Goyal uses is probabilistic). Because of the use of this deterministic strategy, we can analyze our simulator in a relatively simple way. In particular, when showing that every session is always successfully simulated, we need to use only a simple counting argument.

2 Overview of Our Technique

As mentioned in Sect. 1.1, our protocol is based on the protocol of Canetti et al. [14], which in turn is based on Barak’s non-black-box zero-knowledge protocol [2]. Below, we first recall the protocols of [2, 14] and then give an overview of our protocol.

2.1 Known Techniques

Barak’s protocol Roughly speaking, Barak’s non-black-box zero-knowledge argument $\mathsf {BarakZK}$ proceeds as follows.

$\underline{\hbox {Protocol}\, \mathsf {BarakZK}}$

1.
The verifier V chooses a hash function $h\in \mathcal {H}_n$ and sends it to the prover P.
2.
P sends $c \leftarrow \mathsf {Com}(0^{n})$ to V, where $\mathsf {Com}$ is a statistically binding commitment scheme. (For simplicity, in this overview we assume that $\mathsf {Com}$ is non-interactive.) Then, V sends a random string $r\in \{0,1 \}^{n}$ to P. In the following, the pair (c, r) is called a slot.
3.
P proves the following statement by using a witness-indistinguishable argument.
- $x \in L$, or
- $(h, c, r)\in \Lambda $, where $\Lambda $ is a language such that $(h, c, r) \in \Lambda $ holds if and only if there exists a machine $\mathrm {\Pi }$ such that (i) c is a commitment to $h(\mathrm {\Pi })$ and (ii) $\mathrm {\Pi }$ outputs r within $n^{\log \log n}$ steps.^{Footnote 3}

Since polynomial-time algorithms cannot check whether or not $\mathrm {\Pi }$ outputs r within $n^{\log \log n}$ steps, the statement proven in Step 3 is not in $\mathcal {NP}$. Thus, P proves this statement by using a witness-indistinguishable universal argument ($\mathsf {WIUA}$), which is, roughly speaking, a witness-indistinguishable argument for $\mathcal {NEXP}$ such that a language whose witness relation is checkable in T steps can be proven in $\mathsf {poly}(T)$ steps.

Roughly speaking, the security of $\mathsf {BarakZK}$ is proven as follows. The soundness is proven by observing that even when a cheating prover $P^*$ commits to $h(\mathrm {\Pi })$ for a machine $\mathrm {\Pi }$, we have $\mathrm {\Pi }(c) \ne r$ with overwhelming probability because r is chosen after $P^*$ commits to $h(\mathrm {\Pi })$. The zero-knowledge property is proven by using a simulator that commits to a machine $\mathrm {\Pi }$ that emulates the cheating verifier $V^*$; since $\mathrm {\Pi }(c) = V^*(c) = r$ from the definition, the simulator can give a valid proof in $\mathsf {WIUA}$. Such a simulator runs in polynomial time since, from the property of $\mathsf {WIUA}$, the running time of the simulator during $\mathsf {WIUA}$ is bounded by $\mathsf {poly}(t)$, where t is the running time of $\mathrm {\Pi }(c)$.

Barak’s protocol in the concurrent setting A limitation of $\mathsf {BarakZK}$ is that we do not know how to prove its zero-knowledge property in the concurrent setting. Recall that in the concurrent setting, a protocol is executed many times concurrently; hence, to prove the zero-knowledge property of a protocol in the concurrent setting, we need to design a simulator against cheating verifiers that participate in many sessions of the protocol with honest provers. The above simulator for $\mathsf {BarakZK}$, however, does not work against such verifiers since $V^*(c) = r$ does not hold when a verifier $V^*$ participates in other sessions during a slot of a session (i.e., $V^*(c) \ne r$ holds when $V^*$ first receives c in a session, next receives messages in other sessions, and then sends r in the first session).

A potential approach to proving the concurrent zero-knowledge property of $\mathsf {BarakZK}$ is to use a simulator $\mathcal {S}$ that commits to a machine that emulates $\mathcal {S}$ itself. The key observation behind this approach is the following: When $V^*$ participates in other sessions during a slot of a session, all the messages that $V^*$ receives in the other sessions are actually generated by $\mathcal {S}$; hence, if the committed machine $\mathrm {\Pi }$ can emulate $\mathcal {S}$, it can emulate all the messages between c and r for $V^*$, so $\mathrm {\Pi }(c)$ can output r even when $V^*$ receives many messages during a slot.^{Footnote 4}

This approach however causes a problem in the simulator’s running time. For example, let us consider the following “nested concurrent sessions” schedule (see Fig. 1).

The $(i+1)$th session is executed in such a way that it is completely contained in the slot of the ith session. That is, $V^*$ starts the $(i+1)$th session after receiving c in the ith session, and sends r in the ith session after completing the $(i+1)$th session.

Let m be the number of sessions, and let t be the running time of $\mathcal {S}$ during the simulation of the mth session. Then, to simulate the $(m-1)$th session, $\mathcal {S}$ need to run at least 2t steps—t steps for simulating the slot (which contains the mth session) and t steps for simulating $\mathsf {WIUA}$. Then, to simulate the $(m-2)$th session, $\mathcal {S}$ need to run at least 4t steps—2t steps for simulating the slot and 2t steps for simulating $\mathsf {WIUA}$. In general, to simulate the ith session, $\mathcal {S}$ need to run at least $2^{m-i}t$ steps. Thus, the running time of $\mathcal {S}$ becomes super-polynomial when $m = \omega (\log n)$.

Protocol of Canetti et al [14]. To avoid the blowup of the simulator’s running time, Canetti, Lin, and Paneth (CLP) [14] used the “multiple slots” approach, which was originally used in previous black-box concurrent zero-knowledge protocols [26, 31, 34]. The idea is that if $\mathsf {BarakZK}$ has multiple sequential slots, $\mathcal {S}$ can choose any of them as a witness in $\mathsf {WIUA}$, and therefore $\mathcal {S}$ can avoid the nested computations in $\mathsf {WIUA}$ by using a good proving strategy that determines which slot to use as a witness in each session. To implement this approach, CLP first observed that the four-round public-coin $\mathsf {UA}$ of Barak and Goldreich [5], from which $\mathsf {WIUA}$ can be constructed, can be divided into the offline phase and the online phase such that all heavy computations are done in the offline phase. Concretely, CLP divided the $\mathsf {UA}$ of [5] as follows. Let $x \in L$ be the statement to be proven in $\mathsf {UA}$ and w be a witness for $x \in L$.

$\underline{\hbox {Offline/online}\, \mathsf {UA}}$

Offline Phase:
1. 1.
  V sends a random hash function $h\in \mathcal {H}_{n}$ to P.
2. 2.
  P generates a PCP proof $\pi $ of statement $x \in L$ by using w as a witness, and then computes $\mathsf {UA}_2 := h(\pi )$. In the following, $(h, \pi , \mathsf {UA}_2)$ is called the offline proof.
Online Phase:
1. 1.
  P sends $\mathsf {UA}_2$ to V.
2. 2.
  V chooses randomness $\rho $ for the PCP verifier and sends $\mathsf {UA}_3 := \rho $ to P.
3. 3.
  P computes a PCP query Q by executing the PCP verifier with statement $x \in L$ and randomness $\rho $, and then sends $\{\pi _i \}_{i\in Q}$ to V (i.e., partially reveals $\pi $ according to the locations that are specified by Q) while proving that $\{\pi _i \}_{i\in Q}$ is correctly computed w.r.t. the string it hashed in $\mathsf {UA}_2$. (Such a proof can be generated efficiently if P computes $\mathsf {UA}_2 = h(\pi )$ by tree hashing.)
4. 4.
  V first verifies the correctness of the revealed bits $\{\pi _i \}_{i\in Q}$, and next verifies the PCP proof by executing the PCP verifier on $\{\pi _i \}_{i\in Q}$.

Note that the only heavy computations—the generation of $\pi $ and the computation of $h(\pi )$—are performed in the offline phase; the other computations can be performed in a fixed polynomial time. (For simplicity, here we assume that P has random access to $\pi $.^{Footnote 5}) Thus, in the online phase, the running time of P can be bounded by a fixed polynomial in $n$. In the offline phase, the running time of P is bounded by a fixed polynomial in t, where t is the time needed for verifying $x \in L$ with witness w. The length of the offline proof is also bounded by a polynomial in t.

CLP then considered the following protocol (which is an over-simplified version of their final protocol). Let $N_{\mathrm {slot}}$ be a parameter that is determined later.

$\underline{\hbox {Protocol}\, \mathsf {BasicCLP}}$

Stage 1.V chooses a hash function $h\in \mathcal {H}_n$ and sends it to P.
Stage 2. For each $i \in [N_{\mathrm {slot}}]$ in sequence, P and V do the following.
- P sends $C_i \leftarrow \mathsf {Com}(0^n)$ to V. Then, V sends a random string $r_i\in \{0,1 \}^{n}$ to P.
Stage 3.P and V execute the special-purpose $\mathsf {WIUA}$ of Pass and Rosen [30] with the $\mathsf {UA}$ system of Barak and Goldreich [5] being used as the underlying $\mathsf {UA}$ system. Concretely, P and V do the following.
1. 1.
  P sends $D_{\mathsf {UA}} \leftarrow \mathsf {Com}(0^n)$ to V.
2. 2.
  V sends a third-round $\mathsf {UA}$ message $\mathsf {UA}_3$ to P (i.e., V sends a random string of appropriate length).
3. 3.
  P proves the following statement by using a witness-indistinguishable proof of knowledge ($\mathsf {WIPOK}$).
  - $x \in L$, or
  - there exist $i\in [N_{\mathrm {slot}}]$ and a second- and a fourth-round $\mathsf {UA}$ message $\mathsf {UA}_2, \mathsf {UA}_4$ such that $D_{\mathsf {UA}}$ is a commitment to $\mathsf {UA}_2$ and $(h, \mathsf {UA}_2, \mathsf {UA}_3, \mathsf {UA}_4)$ is an accepting proof for the statement $(h, C_i, r_i) \in \Lambda $.

Recall that the idea of the multiple-slot approach is that $\mathcal {S}$ avoids nested computations in $\mathsf {WIUA}$ by using a good proving strategy that determines which slots to use as witnesses. Based on this idea, CLP designed a proving strategy as well as a simulator. First, their simulator works roughly as follows: $\mathcal {S}$ commits to a machine in each slots, where the committed machines emulate $\mathcal {S}$ as mentioned above; $\mathcal {S}$ then computes an offline proof (including a PCP proof) w.r.t. a slot that is chosen according to the proving strategy; $\mathcal {S}$ then commits to the second-round $\mathsf {UA}$ message (i.e., the hash of the PCP proof) in Stage 3-1 and gives a $\mathsf {WIPOK}$ proof in Stage 3-3 using the offline proof as a witness. Second, their proving strategy works roughly as follows. As in the oblivious rewinding strategy of black-box concurrent zero-knowledge protocols [26, 31], the proving strategy of CLP recursively divides the entire transcript between honest provers and the cheating verifier into “blocks.” Let M be the total number of messages and q be a parameter called the splitting factor. Assume for simplicity that M is a power of q, i.e., $M = q^d$ for $d\in \mathbb {N}$.

The level-d block is the entire transcript. Thus, the level-d block contains $M = q^d$ messages.
Then, the level-d block is divided into q sequential blocks, where each of them contains $q^{d-1}$ messages. These blocks are called the level-$(d-1)$ blocks.
Similarly, each level-$(d-1)$ block is divided into q sequential blocks, where each of them contains $q^{d-2}$ messages. These blocks are called the level-$(d-2)$ blocks.
In this way, each block is continued to be divided into q blocks until the level-0 blocks are obtained. A level-0 block contains only a single message.

Then, the proving strategy of CLP specifies that at the end of each block in each level, $\mathcal {S}$ computes offline proofs w.r.t. each slot that is contained in that block. Note that the offline proofs are computed only at the end of the blocks, and the maximum level of the blocks (i.e., d) is constant when $q=n^{\epsilon }$ for a constant $\epsilon $. We therefore have at most constant levels of nesting in the executions of $\mathsf {WIUA}$. Furthermore, it was shown by CLP that when $N_{\mathrm {slot}}= \omega (q) = \omega (n^{\epsilon })$, the simulator does not “get stuck,” i.e., in every session, the simulator obtains an offline proof before Stage 3 starts.

The protocol $\mathsf {BasicCLP} $ is, however, not concurrent zero-knowledge in the plain model. Roughly speaking, this is because the size of $\mathcal {S}$’s state can become super-polynomial. Recall that $\mathcal {S}$ generates an offline proof in Stage 2 and uses it in Stage 3 in each session. Then, since $V^*$ can choose any concurrent schedule (and in particular can delay the execution of Stage 3 arbitrarily), in general, $\mathcal {S}$ need to remember every previously generated offline proof during its execution. This means that each committed machine also need to contain every previously generated offline proof (otherwise they cannot emulate the simulator), and therefore an offline proof (which is generated by using a committed machine as a witness) is as long as the total length of all the offline proofs that are generated previously. Thus, the length of the offline proofs can be rapidly blowing up and the size of $\mathcal {S}$’s state cannot be bounded by a polynomial.

A key observation by CLP is that this problem can be solved in the global hash model, in which a global hash function is shared by all sessions. Roughly speaking, CLP avoided the blowup of the simulator’s size by considering machines that contain only the hash values of the offline proofs; then, to guarantee that the simulation works with such machines, they modified $\mathsf {BasicCLP} $ in such a way that P proves in $\mathsf {WIUA}$ that $x \in L$ or the committed machine outputs r given access to the hash-inversion oracle; in the simulation, $\mathcal {S}$ commits to a machine that emulates $\mathcal {S}$ by recovering offline proofs from their hash values using the hash-inversion oracle. In this modified protocol, the soundness is proven by using the fact that the same hash function is used across all the sessions.

In this way, CLP obtained a public-coin concurrent zero-knowledge protocol in the global hash model. Since $q=n^{\epsilon }$ and $N_{\mathrm {slot}}= \omega (q)$, the round complexity is $O(n^{\epsilon '})$ for a constant $\epsilon '$. (Since $\epsilon $ is an arbitrary constant, $\epsilon '$ can be an arbitrary small constant.) CLP also showed that by modifying the protocol further, the round complexity can be reduced to $O(\log ^{1+\epsilon }n)$.

2.2 Our Techniques

We obtain our $O(n^{\epsilon })$-round protocol by modifying $\mathsf {BasicCLP} $ of Canetti et al. [14] so that its concurrent zero-knowledge property can be proven without using global hash functions. Recall that a global hash function is used in [14] to avoid the blowup of the simulator’s state size. In particular, a global hash function is used so that the simulation works even when the committed machines do not contain any previously computed offline proof. Below, we first introduce the machines that our simulator commits to in the slots. They do not contain any previously generated offline proof, and therefore, their sizes are bounded by a fixed polynomial. We then explain our protocol and simulator, which are designed so that the simulation works even when the committed machines do not contain any previously computed offline proof. In the following, we set $q := n^{\epsilon }$, $N_{\mathrm {slot}}:= \omega (q)$, and $N_{\mathrm {col}}:= \omega (1)$.

The machines to be committed Our first observation is that if the committed machines emulate a larger part of the simulation, they generate more offline proofs by itself, and they are more likely to be able to output r even when they contain no offline proof. For example, let us consider an extreme case that the committed machines emulate the simulator from the beginning of the simulation (rather than from the beginning of the slots in which they are committed to). In this case, the committed machines generate every offline proof by themselves, so they can output r even when they contain no offline proof. A problem of this case is that the running time of each committed machine is too long and the running time of the simulator becomes super-polynomial. We therefore need to design machines that emulate a large, but not too large, part of the simulation.

Based on this observation, we consider machines that emulate the simulator from the beginning of the “current blocks,” i.e., machines that emulate the simulator from the beginning of the blacks that contain the commitments in which they are committed to. More precisely, we first modify $\mathsf {BasicCLP} $ so that P gives $N_{\mathrm {col}}$ parallel commitments in each slot. Then, our simulator commits to machines in each slot as follows. Below, the ith column ($i\in [N_{\mathrm {col}}]$) of a slot is the ith commitment of the slot, and the current level-$\ell $ block ($\ell \in [d]$) at a point during the interaction with $V^*$ is the level-$\ell $ block that will contain the next scheduled message (see Fig. 2).

In the ith column ($i\in [d]$) of a slot, our simulator commits to a machine $\mathrm {\Pi }_i$ that emulates the simulator from the beginning of the current level-i block, where $\mathrm {\Pi }_i$ does not contain any offline proofs, and it terminates with output $\mathsf {fail}$ if the emulation fails due to the lack of the offline proofs.

Now, we observe that the simulator’s running time does not blow up when the simulator commits to machines as above. Assume that, as in the proving strategy of CLP, the simulator computes the offline proofs only at the end of the blocks. Specifically, assume that the simulator computes the offline proofs at the end of the blocks as follows.

At the end of a level-$\ell $ block b ($\ell \in [d]$), the simulator finds all the slots that are contained in block b, and generates offline proofs w.r.t. those slots by using the machine that are committed to in their $\ell $th columns. Note that those committed machines emulate the simulator from the beginning of block b, so the simulator can indeed use them as witness when generating the offline proofs.

Let $t_i$ be the maximum time needed for simulating a level-i block ($i\in \{0,\ldots ,d \}$). Recall that a level-i block consists of q level-$(i-1)$ blocks, and at most $m := \mathsf {poly}(n)$ offline proofs are generated at the end of each level-$(i-1)$ block. Then, since each offline proof at the end of a level-$(i-1)$ block can be computed in $\mathsf {poly}(t_{i-1})$ steps, we have

Recall that we have $t_0 = \mathsf {poly}(n)$ (this is because a level-0 block contains only a single message), and the maximum level $d = \log _q M$ is constant. We therefore have $t_d = \mathsf {poly}(n)$, so the running time of the simulator is bounded by a polynomial in $n$.

We note that although the above machines do not contain any previously generated offline proof, they do contain every previously generated $\mathsf {WIPOK}$ witness (i.e., $\mathsf {UA}_2$ and $\mathsf {UA}_4$).^{Footnote 6} As explained below, allowing the committed machines to contain every previously generated $\mathsf {WIPOK}$ witness is crucial to obtain our protocol and simulator.

Our protocol and simulator When the simulator commits to the above machines, the simulation does not work if the committed machines output $\mathsf {fail}$. In particular, the simulation fails if there exists a block in which the simulator uses an offline proof that are generated before the beginning of that block. (If such a block exists, the machines that are committed in this block output $\mathsf {fail}$ since they cannot emulate the simulator due to the lack of the offline proof.) Thus, to guarantee successful simulation, we need to make sure that in each block, the simulator uses only the offline proofs that are generated in that block. Of course, we also need to make sure that the simulator does not “get stuck,” i.e., we need to guarantee that in each session, the simulator obtains a valid witness before $\mathsf {WIPOK}$ starts.

To avoid the simulation failure, we first modify $\mathsf {BasicCLP} $ as follows. As noted in the previous paragraph, we need to construct a simulator such that in each block, it uses only the offline proofs that are generated in that block. In $\mathsf {BasicCLP} $, it is hard to construct such a simulator since offline proofs may be used long after they are generated. (Recall that during the simulation, the offline proofs are generated in Stage 2 and they are used in Stage 3 to compute $\mathsf {WIPOK}$ witnesses, and $V^*$ can delay the execution of Stage 3 arbitrarily.) Thus, we modify $\mathsf {BasicCLP} $ so that the simulator can use the offline proofs soon after generating them; in particular, we modify $\mathsf {BasicCLP} $ so that Stage 3 can be executed “in the middle of” Stage 2. Concretely, after each slot in Stage 2, we add another slot, a $\mathsf {UA}$-slot, that can be used for executing Stage 3-1 and Stage 3-2. That is, we consider the following protocol. (As stated before, we also modify $\mathsf {BasicCLP} $ so that P gives $N_{\mathrm {col}}$ parallel commitments in each slot.)

$\underline{\hbox {Protocol}\, \mathsf {OurZK}}$

Stage 1.V chooses a hash function $h\in \mathcal {H}_n$ and sends it to P.
Stage 2. For each $i \in [N_{\mathrm {slot}}]$ in sequence, P and V do the following.
- $\varvec{\mathrm {\Pi }}$-slot:P sends $C_{i, 1} \leftarrow \mathsf {Com}(0^n), \ldots , C_{i, N_{\mathrm {col}}} \leftarrow \mathsf {Com}(0^n)$ to V. Then, V sends a random string $r_i\in \{0,1 \}^{n^2}$ to P.
- $\varvec{\mathsf {UA}}$-slot:P sends $D_{i, 1} \leftarrow \mathsf {Com}(0^n), \ldots , D_{i, N_{\mathrm {col}}} \leftarrow \mathsf {Com}(0^n)$ to V. Then, V sends a random string $\omega _i$ to P.
Stage 3.P proves the following statement with $\mathsf {WIPOK}$.
- $x \in L$, or
- there exist $i_1, i_2 \in [N_{\mathrm {slot}}]$, $j\in [N_{\mathrm {col}}]$, and a second- and a fourth-round $\mathsf {UA}$ message $\mathsf {UA}_2$ and $\mathsf {UA}_4$ such that $D_{i_2, j}$ is a commitment to $\mathsf {UA}_2$ and $(h, \mathsf {UA}_2, \omega _{i_2}, \mathsf {UA}_4)$ is an accepting proof of the statement $(h, C_{i_1, j}, r_{i_1})\in \Lambda $.

We then consider the following simulator. Recall that, as explained above, our simulator commits to machines that emulate the simulation from the beginning of the current blocks, and its running time can be bounded by a polynomial if the offline proofs are computed only at the end of the blocks. Recall also that we need to make sure that (i) in each block the simulator uses only the offline proofs that are generated in that block (so that each committed machine does not output $\mathsf {fail}$ due to the lack of the offline proofs), and (ii) the simulator does not get stuck.

Roughly speaking, our simulator does the following in each block (see Fig. 3). Consider any level-$(i+1)$ block b ($i\in [d-1]$), and recall that b consists of q level-i blocks. The goal of our simulator in block b is to compute offline proofs by using the machines that emulate the simulation from the beginning of those level-i blocks, and find opportunities to use them before block b completes. Therefore, for each session s, our simulator first tries to find a level-i block that contains a $\mathrm {\Pi }$-slot of session s. If it finds such a level-i block and a $\mathrm {\Pi }$-slot, it computes an offline proof at the end of that level-i block by using the machine that is committed to in the ith column of that $\mathrm {\Pi }$-slot, and commits to this offline proof in the ith column of the $\mathsf {UA}$-slots of session s in the subsequent level-i blocks. If a subsequent level-i block contains a $\mathsf {UA}$-slot of session s, it computes a $\mathsf {WIPOK}$ witness from this offline proof (i.e., by using the third-round $\mathsf {UA}$ message in that $\mathsf {UA}$-slot, it computes a fourth-round $\mathsf {UA}$ message from that offline proof).

More precisely, we consider the following simulator. In what follows, for each $i\in \{0,\ldots ,d-1 \}$, we say that two level-i blocks are sibling if they are contained by the same level-$(i+1)$ block.

In the ith column ($i\in [d]$) of a $\mathrm {\Pi }$-slot of a session s, our simulator commits to a machine that emulates the simulator from the beginning of the current level-i block.
In the ith column ($i\in [d]$) of a $\mathsf {UA}$-slot of a session s, our simulator commits to $0^{n}$ if no prior sibling of the current level-i block contains a $\mathrm {\Pi }$-slot of session s; if a prior sibling contains a $\mathrm {\Pi }$-slot of session s, an offline proof w.r.t. such a $\mathrm {\Pi }$-slot was computed at the end of that prior sibling (see below), so our simulator commits to that offline proof instead of $0^{n}$.
When $\mathsf {WIPOK}$ starts, our simulator does the following. If it already obtained a valid witness (see below), it gives a proof by using this witness. If it does not have a valid witness, it aborts with output $\mathsf {stuck}$.
At the end of a level-i block b ($i\in [d-1]$), our simulator does the following. For each $\mathrm {\Pi }$-slot that is contained in block b, it computes an offline proof by using the machine that is committed to in the ith column of that $\mathrm {\Pi }$-slot. Also, for each $\mathsf {UA}$-slot that is contained in block b, if an offline proof is committed to in the ith column of that $\mathsf {UA}$-slot, it computes a $\mathsf {WIPOK}$ witness by using that offline proof.

In the simulation by our simulator, the committed machines never fail due to the lack of the offline proofs. This is because in each block, our simulator uses only the offline proofs that are generated in that block.

Thus, it remains to show that our simulator does not get stuck, i.e., in each session our simulator has a valid witness when $\mathsf {WIPOK}$ starts. Below, we use the following terminologies.

For any session s, a block is good w.r.t. s if it contains at least two slots of session s and does not contain the first prover message of $\mathsf {WIPOK}$ of session s. Here, we use “slots” to refer to both $\mathrm {\Pi }$-slots and $\mathsf {UA}$-slots. Hence, if a block is good w.r.t. session s, it contains both a $\mathrm {\Pi }$-slot and a $\mathsf {UA}$-slot of session s (see Fig. 4).
For each $i\in [d]$, we say that a level-$(i-1)$ block is a child of a level-i block if the former is contained by the latter. (Thus, each block has q children.)

From the construction, our simulator does not get stuck if for any session s that reaches $\mathsf {WIPOK}$, there exists a block such that at least two of its children are good w.r.t. session s. (If such a block exists, an offline proof is computed at the end of the first good child, and a $\mathsf {WIPOK}$ witness is computed at the end of the second good child, so the simulator obtains a $\mathsf {WIPOK}$ witness before $\mathsf {WIPOK}$ starts in session s.) Thus, we show that if a session s reaches $\mathsf {WIPOK}$, there exists a block such that at least two of its children are good w.r.t. session s. To prove this, it suffices to show that if a session s reaches $\mathsf {WIPOK}$, there exists a block such that at least three of its children contain two or more slots of session s. (This is because at most one child contains the first message of $\mathsf {WIPOK}$ of session s.) Assume for contradiction that there exists a session $s^*$ such that $s^*$ reaches $\mathsf {WIPOK}$ but every block has at most two children that contain two or more slots of $s^*$. Let $\Gamma (i)$ be the maximum number of the slots that belong to $s^*$ and are contained by a level-i block. Then, since in each block b,

at most two children of b contain two or more slots of $s^*$, and the other children contain at most a single slot of $s^*$, and
$s^*$ has at most $q-1$ slots that are contained by block b but are not contained by its children (see Fig. 5),

we have

$$\begin{aligned} \Gamma (i) \le 2 \cdot \Gamma (i-1) + (q-2) \cdot 1 + q-1 =2\Gamma (i-1) + 2q-3. \end{aligned}$$

Then, since $\Gamma (0) = 0$ (this is because a level-0 block contains only a single message), and the maximum level d is constant, we have

$$\begin{aligned} \Gamma (d) \le 2^d \Gamma (0) + \sum _{i=0}^{d-1}2^i(2q-3) = O(q). \end{aligned}$$

This means that there are at most O(q) slots of $s^*$ in the entire transcript. This is a contradiction since we have $N_{\mathrm {slot}}= \omega (q)$ and assume that $s^*$ reaches $\mathsf {WIPOK}$. Thus, if a session reaches $\mathsf {WIPOK}$, there exists a block such that at least two of its children are good w.r.t. that session. Thus, the simulator does not get stuck.

Since $q = O(n^{\epsilon })$ and $N_{\mathrm {slot}}= \omega (q)$, the round complexity of our protocol is $O(n^{\epsilon '})$ for a constant $\epsilon '>\epsilon $. Since $\epsilon $ is an arbitrary constant, $\epsilon '$ can be an arbitrary small constant.

Toward the final protocol To obtain a formal proof of security, we need to add a slight modification to the above protocol. In particular, as pointed out in previous work [14, 15, 24, 29], when the code of the simulator is committed in the simulation, we have to take special care to the randomness of the simulator.^{Footnote 7} Fortunately, the techniques used in the previous work can also be used here to overcome this problem. In this work, we use the technique of [14, 15], which uses forward-secure pseudorandom generators (which can be obtained from one-way functions).

2.3 Comparison with the Simulation Technique of Goyal [24]

In this section, we compare the simulation technique of ours with that of Goyal [24], which is the only known simulation technique that realizes straight-line concurrent simulation in the plain model under standard assumptions.

First of all, our protocol is almost identical with that of Goyal. The only difference is that the prover gives $\omega (1)$ commitments in each slot in our protocol whereas it gives only a single commitment in each slot in Goyal’s protocol.

Our simulation technique is also very similar to Goyal’s simulation technique. For example, in both simulation techniques, the simulator commits to machines that emulate itself, and it has multiple opportunities to give $\mathsf {UA}$ proof and determines which opportunities to take by using the blocks.

However, there are also differences between the two simulation techniques. A notable difference is how the simulator determines which opportunities to take to give $\mathsf {UA}$ proofs. Recall that, in the simulation technique of ours, the strategy that the simulator uses to determine whether it embeds a $\mathsf {UA}$ message in a slot is deterministic (the simulator checks whether a prior sibling of the current block contains a $\mathrm {\Pi }$-slot; see Fig. 3 in Sect. 2.2). In contrast, in the simulation technique of Goyal, the strategy that the simulator uses is probabilistic (the simulator uses a probabilistic procedure that performs the “marking” of the blocks and the $\mathsf {UA}$ messages). Since in the simulation technique of ours the simulator uses a deterministic strategy, the analysis of our simulator is simple: We use only a simple counting argument (and no probabilistic argument) to show that the simulator will not get stuck.

3 Preliminary

We assume familiarity to the definition of basic cryptographic primitives and protocols, such as collision-resistant hash functions and commitment schemes.

3.1 Notations

We use $n$ to denote the security parameter, and $\textsc {ppt} $ as an abbreviation of “probabilistic polynomial time.” For any $k\in \mathbb {N}$, let $[k] {\mathop {=}\limits ^\mathrm{def}}\{1,\ldots ,k \}$. For any randomized algorithm $\mathsf {Algo}$, we use $\mathsf {Algo}(x; r)$ to denote the execution of $\mathsf {Algo}$ with input x and randomness r, and $\mathsf {Algo}(x)$ to denote the execution of $\mathsf {Algo}$ with input x and uniformly chosen randomness. For any two interactive Turing machines A, B and three strings $x,y,z\in \{0,1 \}^*$, we use $\langle A(y), B(z) \rangle (x)$ to denote the output of B in the interaction between A(x, y) and B(x, z).

3.2 Tree Hashing

In this paper, we use a family of collision-resistant hash functions $\mathcal {H}= \{h_{\alpha } \}_{\alpha \in \{0,1 \}^{*}}$ that satisfies the following properties.

For any $h\in \mathcal {H}_{n} {\mathop {=}\limits ^\mathrm{def}}\{h_{\alpha }\in \mathcal {H}: \alpha \in \{0,1 \}^{n} \}$, the domain of h is $\{0,1 \}^*$ and the range of h is $\{0,1 \}^{n}$.
For any $h\in \mathcal {H}_{n}$, $x\in \{0,1 \}^{\le n^{\log \log n}}$, and $i\in \{1,\ldots ,| x | \}$, one can compute a short certificate $\mathsf {auth}_i(x)\in \{0,1 \}^{n^2}$ such that given h(x), $x_i$, and $\mathsf {auth}_i(x)$, anyone can verify that the ith bit of x is indeed $x_i$.

Such a collision-resistant hash function family can be obtained from any (standard) length-halving collision-resistant hash function family by using Merkle’s tree-hashing technique. We notice that when $\mathcal {H}$ is obtained in this way, $\mathcal {H}$ satisfies an additional property that we can find a collision of the underlying hash function from two pairs $(x_i, \mathsf {auth}_i(x))$ and $(x'_i, \mathsf {auth}_i(x'))$ such that $x_i \ne x'_i$; furthermore, finding such a collision takes only time polynomial in the size of the hash value (i.e., $| h(x) | = n$).

3.3 Naor’s Commitment Scheme

In our protocol, we use Naor’s two-round statistically binding commitment scheme $\mathsf {Com}$, which can be constructed from one-way functions [25, 28]. A nice property of $\mathsf {Com}$ is that its security holds even when the same first-round message $\tau \in \{0,1 \}^{3n}$ is used in multiple commitments. For any $\tau \in \{0,1 \}^{3n}$, we use $\mathsf {Com}_{\tau }(\cdot )$ to denote an algorithm that, on input $m\in \{0,1 \}^*$, computes a commitment to m by using $\tau $ as the first-round message.

3.4 Interactive Proofs and Arguments

We recall the definitions of interactive proofs and interactive arguments, and the definitions of their witness indistinguishability and proof-of-knowledge property [3, 4, 19, 22].

Definition 1

(Interactive Proof System) For an $\mathcal {NP}$ language L with witness relation $\mathbf R _L$, a pair of interactive Turing machines $\langle P,V \rangle $ is an interactive proof for L if it satisfies the following properties.

Completeness: For every $x \in L$ and $w \in \mathbf R _L(x)$,
$$\begin{aligned} \Pr _{} \left[ \langle P(w), V \rangle (x) = 1 \right] = 1. \end{aligned}$$
Soundness: For every computationally unbounded Turing machine $P^*$, there exists a negligible function $\mathsf {negl}(\cdot )$ such that for every $x \not \in L$ and $z\in \{0,1 \}^*$,
$$\begin{aligned} \Pr _{} \left[ \langle P^*(z), V \rangle (x) = 1 \right] < \mathsf {negl}(| x |). \end{aligned}$$

If the soundness condition holds only against every $\textsc {ppt} $ Turing machine, the pair $\langle P,V \rangle $ is an interactive argument. $\square $

Definition 2

(Witness Indistinguishability) An interactive proof (or argument) system $\langle P, V \rangle $ for an $\mathcal {NP}$ language L with witness relation $\mathbf R _L$ is said to be witness indistinguishable if for every $\textsc {ppt} $ Turing machine $V^*$ and for every two sequences $\{w_x^1 \}_{x \in L}$ and $\{w_x^2 \}_{x \in L}$ such that $w_x^1, w_x^2 \in \mathbf R _L(x)$ for every $x\in L$, the following ensembles are computationally indistinguishable.

$\left\{ \langle P(w_x^1), V^*(z) \rangle (x) \right\} _{x \in L, z\in \{0,1 \}^*}$
$\left\{ \langle P(w_x^2), V^*(z) \rangle (x) \right\} _{x \in L, z\in \{0,1 \}^*}$

$\square $

Definition 3

(Proof of Knowledge) An interactive proof system $\langle P, V \rangle $ for an $\mathcal {NP}$ language L with witness relation $\mathbf R _L$ is said to be proof of knowledge if there exists an expected $\textsc {ppt} $ oracle machine E (call the extractor) such that the following holds: For every computationally unbounded Turing machine $P^*$, there exists a negligible function $\mathsf {negl}(\cdot )$ such that for every $x \in \{0,1 \}^{*}$ and $z\in \{0,1 \}^{*}$,

$$\begin{aligned} \Pr _{} \left[ \exists w \in \mathbf R _L(x) \text { s.t. } E^{P^*(x, z)}(x) = w \right] > \Pr _{} \left[ \langle P^*(z), V \rangle (x) = 1 \right] - \mathsf {negl}(| x |). \end{aligned}$$

If the above condition holds only against every $\textsc {ppt} $ Turing machine $P^*$, the pair $\langle P,V \rangle $ is said to be argument of knowledge. $\square $

A four-round witness-indistinguishable proof of knowledge system $\mathsf {WIPOK}$ can be obtained from one-way functions by executing Blum’s Hamiltonian-cycle protocol in parallel [7].

3.5 Concurrent Zero-Knowledge Proofs/Arguments

We recall the definition of the concurrent zero-knowledge property of interactive proofs and arguments [34]. For any polynomial $m(\cdot )$, m-session concurrent cheating verifier is a $\textsc {ppt} $ Turing machine $V^*$ such that on input (x, z), $V^*$ concurrently interacts with $m(| x |)$ independent copies of P. The interaction between $V^*$ and each copy of P is called session. There is no restriction on how $V^*$ schedules messages among sessions, and $V^*$ can abort some sessions. Let $\mathsf {view}_{V^*}\langle P(w), V^*(z) \rangle (x)$ be the view of $V^*$ in the above concurrent execution, where $x \in L$ is the common input, $w\in \mathbf R _L(x)$ is the private input to P, and z is the non-uniform input to $V^*$.

Definition 4

(Concurrent Zero-Knowledge) An interactive proof (or argument) $\langle P,V \rangle $ for an $\mathcal {NP}$ language L is concurrent zero-knowledge if for every polynomial $m(\cdot )$ and every m-session concurrent cheating verifier $V^*$, there exists a $\textsc {ppt} $ simulator $\mathcal {S}$ such that for any sequence $\{w_x \}_{x\in L}$ such that $w_x\in \mathbf R _L(x)$, the following ensembles are computationally indistinguishable.

$\left\{ \mathsf {view}_{V^*}\langle P(w_x), V^*(z) \rangle (x) \right\} _{x \in L, z\in \{0,1 \}^*}$
$\left\{ \mathcal {S}(x, z) \right\} _{x \in L, z\in \{0,1 \}^*}$

$\square $

Remark 1

As in previous work (e.g., [26, 31, 34]), we consider the setting where the same statement x is proven in all the sessions. We comment that our protocol and its security proof work even in a slightly generalized setting where predetermined statements $x_1, \ldots , x_m$ are proven in the sessions. (However, they do not work if the statements are chosen adaptively by the cheating verifier.)

3.6 PCP and Universal Argument

We recall the definitions of probabilistically checkable proof (PCP) systems and universal argument systems [1, 5].

3.6.1 Universal Language $L_{\mathcal {U}}$

For simplicity, we show the definitions of PCPs and universal arguments only w.r.t. the membership of a single “universal” language $L_{\mathcal {U}}$. For triplet $y = (M, x, t)$, we have $y \in L_{\mathcal {U}}$ if non-deterministic machine M accepts x within t steps. (Here, all components of y, including t, are encoded in binary.) Let $\mathbf R _{\mathcal {U}}$ be the witness relation of $L_{\mathcal {U}}$, i.e., $\mathbf R _{\mathcal {U}}$ is a polynomial-time decidable relation such that for any $y = (M, x, t)$, we have $y \in L_{\mathcal {U}}$ if and only if there exists $w\in \{0,1 \}^{\le t}$ such that $(y,w) \in \mathbf R _{\mathcal {U}}$. Note that every language $L\in \mathcal {NP}$ is linear-time reducible to $L_{\mathcal {U}}$. Thus, a proof system for $L_{\mathcal {U}}$ allows us to handle all $\mathcal {NP}$ statements.^{Footnote 8}

3.6.2 PCP System

Roughly speaking, a PCP system is a $\textsc {ppt} $ verifier that can decide the correctness of a statement $y \in L_{\mathcal {U}}$ given access to an oracle $\pi $ that represents a proof in a redundant form. Typically, the verifier reads only few bits of $\pi $ in the verification.

Definition 5

(PCP system—basic definition) A probabilistically checkable proof (PCP) system (with a negligible soundness error) is a $\textsc {ppt} $ oracle machine V (called a verifier) that satisfies the following.

Completeness: For every $y \in L_{\mathcal {U}}$, there exists an oracle $\pi $ such that
$$\begin{aligned} \Pr _{} \left[ V^{\pi }(y) = 1 \right] = 1. \end{aligned}$$
Soundness: For every $y \not \in L_{\mathcal {U}}$ and every oracle $\pi $, there exists a negligible function $\mathsf {negl}(\cdot )$ such that
$$\begin{aligned} \Pr _{} \left[ V^{\pi }(y) = 1 \right] < \mathsf {negl}(| y |). \end{aligned}$$
$\square $

In this paper, PCP systems are used as a building block in the universal argument $\mathsf {UA}$ of Barak and Goldreich [5]. To be used in $\mathsf {UA}$, PCP systems need to satisfy four auxiliary properties: relatively efficient oracle construction, non-adaptive verifier, efficient reverse sampling, and proof of knowledge. The definitions of the first two properties are required to understand this paper; for the definitions of the other properties, see [5].

Definition 6

(PCP system—auxiliary properties) Let V be a PCP verifier.

Relatively efficient oracle construction: There exists an algorithm P (called a prover) such that, given any $(y,w)\in \mathbf R _{\mathcal {U}}$, algorithm P outputs an oracle $\pi _y$ that makes V always accept (i.e., as in the completeness condition). Furthermore, there exists a polynomial $p(\cdot )$ such that on input (y, w), the running time of P is $p(| y | + | w |)$.
Non-adaptive verifier: The verifier’s queries are determined based only on the input and its internal coin tosses, independently of the answers given to previous queries. That is, V can be decomposed into a pair of algorithms Q and D such that on input y and random tape r, the verifier makes the query sequence $Q(y,r,1), Q(y,r,2),\ldots ,Q(y,r,p(| y |))$, obtains the answers $b_1, \ldots , b_{p(| y |)}$, and decides according to $D(y, r, b_1 \cdots b_{p(| y |)})$, where p is some fixed polynomial.

$\square $

3.6.3 Universal Argument

Universal arguments [5], which are closely related to the notion of CS poofs [27], are “efficient” arguments of knowledge for proving the membership in $L_{\mathcal {U}}$. For any $y = (M, x, t)\in L_{\mathcal {U}}$, let $T_{M}(x, w)$ be the running time of M on input x with witness w, and let $\mathbf R _{\mathcal {U}}(y) {\mathop {=}\limits ^\mathrm{def}}\{w : (y, w)\in \mathbf R _{\mathcal {U}} \}$.

Definition 7

(Universal argument) A pair of interactive Turing machines $\langle P,V \rangle $ is a universal argument system if it satisfies the following properties.

Efficient verification: There exists a polynomial p such that for any $y=(M, x, t)$, the total time spent by (probabilistic) verifier strategy V on inputs y is at most $p(| y |)$.
Completeness by a relatively efficient prover: For every $y =(M,x,t)\in L_{\mathcal {U}}$ and $w\in \mathbf R _{\mathcal {U}}(y)$,
$$\begin{aligned} \Pr _{} \left[ \langle P(w), V \rangle (y) = 1 \right] = 1. \end{aligned}$$
Furthermore, there exists a polynomial q such that the total time spent by P, on input (y, w), is at most $q(| y | + T_{M}(x, w)) \le q(| y | + t)$.
Computational Soundness: For every $\textsc {ppt} $ Turing machine $P^*$, there exists a negligible function $\mathsf {negl}(\cdot )$ such that for every $y = (M, x, t)\not \in L_{\mathcal {U}}$ and $z\in \{0,1 \}^{*}$,
$$\begin{aligned} \Pr _{} \left[ \langle P^*(z), V \rangle (y) = 1 \right] < \mathsf {negl}(| y |). \end{aligned}$$
Weak Proof of Knowledge: For every polynomial $p(\cdot )$, there exists a polynomial $p'(\cdot )$ and a $\textsc {ppt} $ oracle machine E such that the following holds: For every $\textsc {ppt} $ Turing machine $P^*$, every sufficiently long $y = (M,x,t)\in \{0,1 \}^{*}$, and every $z\in \{0,1 \}^{*}$, if $\Pr _{} \left[ \langle P^*(z), V \rangle (y) = 1 \right] > 1/p(| y |)$, then
$$\begin{aligned} \Pr _{r} \left[ \exists w = w_1 \cdots w_t \in \mathbf R _{\mathcal {U}}(y) \text { s.t. } \forall i\in [t], E_r^{P^*(y, z)}(y, i) = w_i \right] > \frac{1}{p'(| y |)}, \end{aligned}$$
where $E_r^{P^*(y, z)}(\cdot , \cdot )$ denotes the function defined by fixing the randomness of E to r, and providing the resulting $E_r$ with oracle access to $P^*(y, z)$.

$\square $

The weak proof-of-knowledge property of universal arguments only guarantees that each individual bit $w_i$ of a witness w can be extracted in probabilistic polynomial time. However, for any $y = (M, x, t) \in L_{\mathcal {U}}$, since the witness $w\in \mathbf R _{\mathcal {U}}(y)$ is of length at most t, there exists an extractor (called the global extractor) that extracts the whole witness in time polynomial in $\mathsf {poly}(| y |)\cdot t$; we call this property the global proof-of-knowledge property of a universal argument.

In this paper, we use the public-coin four-round universal argument system $\mathsf {UA}$ of Barak and Goldreich [5] (Fig. 6). As in [14], the construction of $\mathsf {UA}$ below is separated into an offline stage and an online stage. In the offline stage, the running time of the prover is bounded by a fixed polynomial in $n+ T_{M}(x, w)$.

3.7 Forward-Secure PRG

We recall the definition of forward-secure pseudorandom generators (PRGs) [11]. Roughly speaking, a forward-secure PRG is a pseudorandom generator such that

It periodically updates the seed. Hence, we have a sequence of seeds $(\sigma _1, \sigma _2, \ldots )$ that generates a sequence of pseudorandomness $(\rho _1, \rho _2, \ldots )$.
Even if the seed $\sigma _t$ is exposed (and thus the “later” pseudorandom sequence $\rho _{t+1}, \rho _{t+2}, \ldots $ is also exposed), the “earlier” sequence $\rho _1, \ldots , \rho _t$ still remains pseudorandom.

In this paper, we use a simple variant of the definition by [15]. We notice that in the following definition, the indices of the seeds and pseudorandomness are written in the reverse order because we use them in the reverse order in the analysis of our concurrent zero-knowledge protocol.

Definition 8

(Forward-secure PRG) We say that a polynomial-time computable function $\mathsf {f}\textsf {-}\mathsf {PRG}$ is a forward-secure pseudorandom generator if on input a string $\sigma $ and an integer $\ell \in \mathbb {N}$, it outputs two sequences $(\sigma _{\ell }, \ldots , \sigma _{1})$ and $(\rho _{\ell }, \ldots , \rho _{1})$ that satisfy the following properties.

Consistency: For every $n, \ell \in \mathbb {N}$ and $\sigma \in \{0,1 \}^{n}$, if $\mathsf {f}\textsf {-}\mathsf {PRG}(\sigma , \ell ) = (\sigma _{\ell }, \ldots , \sigma _{1},\rho _{\ell }, \ldots , \rho _{1})$, then it holds $\mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{\ell }, \ell -1) = (\sigma _{\ell -1}, \ldots , \sigma _{1}, \rho _{\ell -1}, \ldots , \rho _{1})$.
Forward Security: For every polynomial $\ell (\cdot )$, the following ensembles are computationally indistinguishable.
- $\left\{ \sigma \leftarrow U_{n}; (\sigma _{\ell (n)}, \ldots , \sigma _{1}, \rho _{\ell (n)}, \dots , \rho _{1}) := \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma , \ell (n)) : (\sigma _{\ell (n)}, \rho _{\ell (n)}) \right\} _{n\in \mathbb {N}}$
- $\left\{ \sigma \leftarrow U_{n}; \rho \leftarrow U_{n} : (\sigma , \rho ) \right\} _{n\in \mathbb {N}}$
Here, $U_{n}$ is the uniform distribution over $\{0,1 \}^{n}$.

$\square $

Any (traditional) PRG implies the existence of a forward-secure PRG. Thus from the result of [25], the existence of forward-secure PRGs are implied by the existence of one-way functions.

4 Our Public-Coin Concurrent Zero-Knowledge Argument

In this section, we prove our main theorem.

Theorem 1

Assume the existence of a family of collision-resistant hash functions. Then, for any constant $\epsilon >0$, there exists an $O(n^{\epsilon })$-round public-coin concurrent zero-knowledge argument of knowledge system.

Proof

Our $O(n^{\epsilon })$-round public-coin concurrent zero-knowledge argument of knowledge, $\mathsf {cZKAOK}$, is shown in Fig. 7. In $\mathsf {cZKAOK}$, we use the following building blocks.

Naor’s two-round statistically binding commitment scheme $\mathsf {Com}$, which can be constructed from one-way functions (see Sect. 3.3).
A four-round public-coin witness-indistinguishable proof of knowledge system $\mathsf {WIPOK}$, which can be constructed from one-way functions (see Sect. 3.4).
Four-round public-coin universal argument $\mathsf {UA}$ of Barak and Goldreich [5], which can be constructed from collision-resistant hash functions (see Sect. 3.6.3).

Clearly, $\mathsf {cZKAOK}$ is public-coin and its round complexity is $4N_{\mathrm {slot}}+5 = O(n^{\epsilon })$. Thus, Theorem 1 follows from the following lemmas.

Lemma 1

$\mathsf {cZKAOK}$ is concurrent zero-knowledge.

Lemma 2

$\mathsf {cZKAOK}$ is argument of knowledge.

Lemma 1 is proven in Sect. 4.1, and Lemma 2 is proven in Sect. 4.2. $\square $

Remark 2

The languages $\Lambda _2$ in Fig. 8 is slightly over-simplified and will make $\mathsf {cZKAOK}$ work only when $\mathcal {H}$ is collision resistant against $\mathsf {poly}(n^{\log \log n})$-time adversaries. We can make it work under standard collision resistance by using a trick by Barak and Goldreich [5], which uses a “good” error-correcting code $\mathsf {ECC}$ (i.e., with constant relative distance and with polynomial-time encoding and decoding). More details are given in Sect. 4.2.

4.1 Concurrent Zero-Knowledge Property

Proof of Lemma 1

Let $V^*$ be any cheating verifier. Since $V^*$ takes an arbitrary non-uniform input z, we assume without loss of generality that $V^*$ is deterministic. Let $m(\cdot )$ be a polynomial such that $V^*$ invokes $m(n)$ concurrent sessions during its execution. (Recall that $n{\mathop {=}\limits ^\mathrm{def}}| x |$.) Let $q {\mathop {=}\limits ^\mathrm{def}}n^{\epsilon /2}$. We assume without loss of generality that in the interaction between $V^*$ and provers, the total number of messages across all the sessions is always the power of q (i.e., it is $q^d$ for an integer d). Since the total number of messages is at most $M {\mathop {=}\limits ^\mathrm{def}}(4N_{\mathrm {slot}}+5) \cdot m$, we have $d = \log _qM = \log _q(\mathsf {poly}(n)) = O(1)$.

4.1.1 Simulator $\mathcal {S}$

In this section, we describe our simulator. We first give an informal description; a formal description is given after the informal one. We recommend the readers to browse the overview of our techniques in Sect. 2.2 before reading this section. In the informal description, we use some terminologies that we introduced in Sect. 2.2.

4.1.2 Informal Description of $\mathcal {S}$

Our simulator, $\mathcal {S}$, simulates the view of $V^*$ by using an auxiliary simulator algorithm $\mathsf {aux}\text {-}\mathcal {S}$, which simulates the transcript between $V^*$ and honest provers by recursively executing itself. The input to $\mathsf {aux}\text {-}\mathcal {S}$ is the recursion level $\ell $ and the transcript $\mathsf {trans}$ that is simulated so far. $\mathsf {aux}\text {-}\mathcal {S}$ is also given oracle access to tables $\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$ (which $\mathsf {aux}\text {-}\mathcal {S}$ can freely read and update), where $\mathsf {T}_{\mathrm {\Pi }}$ contains the hash values of the machines that should be committed to in the $\mathrm {\Pi }$-slots, and $\mathsf {T}_{\mathsf {UA}}$ and $\mathsf {T}_{\mathsf {W}}$ contain the second-round $\mathsf {UA}$ messages and the $\mathsf {WIPOK}$ witnesses that are computed so far. The goal of $\mathsf {aux}\text {-}\mathcal {S}$, on input $(\ell , \mathsf {trans})$ and access to $\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$, is to add the next $q^\ell $ messages to $\mathsf {trans}$ while updating the tables $\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$. More details about $\mathsf {aux}\text {-}\mathcal {S}$ are described below.

On level 0 (i.e., when $\ell = 0$), $\mathsf {aux}\text {-}\mathcal {S}$ adds a single message to the simulated transcript as follows. If the next message is a verifier message, $\mathsf {aux}\text {-}\mathcal {S}$ simulates it by simply receiving it from $V^*$. If the next message is a prover message $(C_1, \ldots , C_{N_{\mathrm {col}}})$ in a $\mathrm {\Pi }$-slot, $\mathsf {aux}\text {-}\mathcal {S}$ finds the values to be committed from $\mathsf {T}_{\mathrm {\Pi }}$ and generates commitments to them by using $\mathsf {Com}$. Similarly, if the next message is a prover message $(D_1, \ldots , D_{N_{\mathrm {col}}})$ in a $\mathsf {UA}$-slot, $\mathsf {aux}\text {-}\mathcal {S}$ finds appropriate second-round $\mathsf {UA}$ messages from $\mathsf {T}_{\mathsf {UA}}$ and generates commitments to them by using $\mathsf {Com}$. (If appropriate $\mathsf {UA}$ messages cannot be found, $\mathsf {aux}\text {-}\mathcal {S}$ generates commitments to $0^{n}$.) If the next message is a prover message of $\mathsf {WIPOK}$, $\mathsf {aux}\text {-}\mathcal {S}$ computes it honestly by using a witness that is stored in $\mathsf {T}_{\mathsf {W}}$. (If the stored witness is not a valid witness, $\mathsf {aux}\text {-}\mathcal {S}$ aborts.)

On level $\ell >0$, $\mathsf {aux}\text {-}\mathcal {S}$ simulates the next $q^{\ell }$ messages by recursively executing itself q times in sequence, where each recursive execution simulates $q^{\ell -1}$ messages. More precisely, $\mathsf {aux}\text {-}\mathcal {S}$ first updates $\mathsf {T}_{\mathrm {\Pi }}$ by storing the hash values of its own code (with the inputs and the entries of the tables being hardwired), where the hash functions of all the existing sessions are used for computing these hash values, and each hash value is stored as the value to be committed in the $\ell $th commitment in $\mathrm {\Pi }$-slots. (By requiring $\mathsf {aux}\text {-}\mathcal {S}$ to store its own code in $\mathsf {T}_{\mathrm {\Pi }}$ in this way, we make sure that when $\mathsf {aux}\text {-}\mathcal {S}$ simulates a $\mathrm {\Pi }$-slot, it commits to its own code in the $\mathrm {\Pi }$-slot.) Then, $\mathsf {aux}\text {-}\mathcal {S}$ recursively executes itself q times in sequence with level $\ell -1$; at the same time, $\mathsf {aux}\text {-}\mathcal {S}$ updates $\mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$ at the end of each recursive execution in the following way.

If a $\mathrm {\Pi }$-slot (both the prover message and the verifier message) of a session is simulated by the recursive execution that has just been completed, $\mathsf {aux}\text {-}\mathcal {S}$ computes a second-round $\mathsf {UA}$ message about such a $\mathrm {\Pi }$-slot and stores it in $\mathsf {T}_{\mathsf {UA}}$. (A machine that emulates this recursive execution must be committed in the $(\ell -1)$th commitment of such a $\mathrm {\Pi }$-slot (this is because the recursively executed $\mathsf {aux}\text {-}\mathcal {S}$ must have stored its own code in $\mathsf {T}_{\mathrm {\Pi }}$ at the beginning of its execution), and this machine can be used as a witness for generating a $\mathsf {UA}$ proof about this $\mathrm {\Pi }$-slot.)
If a $\mathsf {UA}$-slot of a session is simulated by the recursive execution that has just been completed, and a second-round $\mathsf {UA}$ message for this session was stored in $\mathsf {T}_{\mathsf {UA}}$ before this recursive execution, $\mathsf {aux}\text {-}\mathcal {S}$ computes a $\mathsf {WIPOK}$ witness for this session and stores it in $\mathsf {T}_{\mathsf {W}}$. (If such a $\mathsf {UA}$-slot and a second-round $\mathsf {UA}$ message exist, that second-round $\mathsf {UA}$ message must be committed to in that $\mathsf {UA}$-slot, and they can be used as a $\mathsf {WIPOK}$ witness.)

Finally, $\mathsf {aux}\text {-}\mathcal {S}$ outputs the $q^{\ell }$ messages that are simulated by these q recursive executions.

We remark that for technical reasons, the formal description of $\mathcal {S}$ below is a bit more complex.

To avoid the circularity that arises when $\mathsf {aux}\text {-}\mathcal {S}$ uses it own code, we use a technique by Chung, Lin, and Pass [15]. Roughly speaking, $\mathsf {aux}\text {-}\mathcal {S}$ takes the code of a machine $\mathrm {\Pi }$ as input and uses this code rather than its own code; we then design $\mathcal {S}$ and $\mathsf {aux}\text {-}\mathcal {S}$ in such a way that when $\mathsf {aux}\text {-}\mathcal {S}$ is invoked, we always have $\mathrm {\Pi }= \mathsf {aux}\text {-}\mathcal {S}$.
To avoid the circularity issue about randomness that we sketched in Sect. 2.2, we use a technique of [14, 15] that uses a forward-secure PRG $\mathsf {f}\textsf {-}\mathsf {PRG}$. Roughly speaking, $\mathsf {aux}\text {-}\mathcal {S}$ takes a seed $\sigma $ of $\mathsf {f}\textsf {-}\mathsf {PRG}$ as input, computes a sequence of pseudorandomness $\rho _{q^{\ell }}, \ldots , \rho _{2}, \rho _{1}$ (notice that the indices are written in the reverse order), and simulates the prover messages in such a way that the ith message in the transcript is simulated with randomness $\rho _i$.

4.1.3 Formal Description of $\mathcal {S}$

The input to $\mathcal {S}$ is (x, z), and the input to $\mathsf {aux}\text {-}\mathcal {S}$ is $(x, z, \ell , \mathrm {\Pi }, \mathsf {trans}, \sigma )$ such that:

$\ell \in \{0,\ldots ,d \}$.
$\mathrm {\Pi }$ is a code of a machine. (In what follows, we always have $\mathrm {\Pi }= \mathsf {aux}\text {-}\mathcal {S}$.)
$\mathsf {trans}\in \{0,1 \}^{\mathsf {poly}(n)}$ is a prefix of a transcript between $V^*(x,z)$ and honest provers.
$\sigma \in \{0,1 \}^{n}$ is a seed of $\mathsf {f}\textsf {-}\mathsf {PRG}$.

The auxiliary simulator $\mathsf {aux}\text {-}\mathcal {S}$ is also given oracle access to three tables $\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$ such that:

$\mathsf {T}_{\mathrm {\Pi }}= \{v_{s,j} \}_{s\in [m], j\in [N_{\mathrm {col}}]}$ is a table of the hash values of some machines.
$\mathsf {T}_{\mathsf {UA}}= \{\mathsf {ua}_{s,j} \}_{s\in [m], j\in [N_{\mathrm {col}}]}$ is a table of second-round $\mathsf {UA}$ messages.
$\mathsf {T}_{\mathsf {W}}= \{w_{s} \}_{s\in [m]}$ is a table of $\mathsf {WIPOK}$ witnesses.

We allow $\mathsf {aux}\text {-}\mathcal {S}$ to read and update the entries in $\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$ freely.

4.1.4 $\underline{\hbox {Simulator}\, \mathcal {S}(x, z):}$

1.
Choose a random seed $\sigma _{q^d+1}\in \{0,1 \}^{n}$ of $\mathsf {f}\textsf {-}\mathsf {PRG}$. Initialize $\mathsf {T}_{\mathrm {\Pi }}$, $\mathsf {T}_{\mathsf {UA}}$, $\mathsf {T}_{\mathsf {W}}$ by $v_{s,j} := 0^{n}$, $\mathsf {ua}_{s,j} := 0^{n}$, $w_s := \bot $ for every $s\in [m]$ and $j\in [N_{\mathrm {col}}]$.
2.
Compute $\mathsf {trans}:= \mathsf {aux}\text {-}\mathcal {S}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, d, \mathsf {aux}\text {-}\mathcal {S}, \varepsilon , \sigma _{q^d+1})$, where $\varepsilon $ is the empty string.
3.
Output $(x, z, \mathsf {trans})$.

4.1.5 $\underline{\hbox {Auxiliary Simulator}\, \mathsf {aux}\text {-}\mathcal {S}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, \ell , \mathrm {\Pi }, \mathsf {trans}, \sigma ):}$

Step 1.

/*Preparing randomness for simulating the next $q^{\ell }$ messages*/

Let $\kappa := | \mathsf {trans} |$ (i.e., $\kappa $ be the number of the messages that are included in $\mathsf {trans}$). Then, compute

$$\begin{aligned} (\sigma _{\kappa +q^{\ell }}, \ldots , \sigma _1, \rho _{\kappa +q^{\ell }}, \ldots , \rho _1) := \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma , \kappa +q^{\ell }). \end{aligned}$$

Step 2a: Simulation (base case). If $\ell = 0$, do the following.

1.
If the next scheduled message $\mathsf {msg}$ is a verifier message, feed $\mathsf {trans}$ to $V^*(x,z)$ and receive $\mathsf {msg}$ from $V^*$. If the next scheduled message $\mathsf {msg}$ is a prover message of the sth session ($s\in [m]$), do the following with randomness $\rho _{\kappa +1}$. (If necessary, $\rho _{\kappa +1}$ is expanded by a pseudorandom generator.) Let $\tau _s$ be the first-round message of $\mathsf {Com}$ of the sth session, which can be found from $\mathsf {trans}$.
- If $\mathsf {msg}$ is the prover message in a $\mathrm {\Pi }$-slot, compute $\mathsf {msg}= (C_1, \ldots , C_{N_{\mathrm {col}}})$ by $C_j \leftarrow \mathsf {Com}_{\tau _s}(v_{s,j})$ for every $j\in [N_{\mathrm {col}}]$, where $v_{s,j}$ is read from $\mathsf {T}_{\mathrm {\Pi }}$.
- If $\mathsf {msg}$ is the prover message in a $\mathsf {UA}$-slot, compute $\mathsf {msg}= (D_1, \ldots , D_{N_{\mathrm {col}}})$ by $D_j \leftarrow \mathsf {Com}_{\tau _s}(\mathsf {ua}_{s,j})$ for every $j\in [N_{\mathrm {col}}]$, where $\mathsf {ua}_{s,j}$ is read from $\mathsf {T}_{\mathsf {UA}}$.
- If $\mathsf {msg}$ is the first prover message of $\mathsf {WIPOK}$, compute $\mathsf {msg}$ by using $w_s$ as a witness, where $w_s$ is read from $\mathsf {T}_{\mathsf {W}}$; if $w_s$ is not a valid witness, abort with output $\mathsf {stuck}$.
- If $\mathsf {msg}$ is the second prover message of $\mathsf {WIPOK}$, reconstruct the prover state of $\mathsf {WIPOK}$ from $w_s$ and $\rho _1, \ldots , \rho _{\kappa }$ and then honestly compute $\mathsf {msg}$ by using this prover state, where $w_s$ is read from $\mathsf {T}_{\mathsf {W}}$.^{Footnote 9}
2.
Output $\mathsf {msg}$.

Step 2b: Simulation (recursive case). If $\ell >0$, do the following.

1.
/*Storing it own code in$\mathsf {T}_{\mathrm {\Pi }}$/* Let $\mathsf {T}'_{\mathrm {\Pi }}$, $\mathsf {T}'_{\mathsf {UA}}$, $\mathsf {T}'_{\mathsf {W}}$ be the tables that are obtained by copying the current entries of $\mathsf {T}_{\mathrm {\Pi }}$, $\mathsf {T}_{\mathsf {UA}}$, $\mathsf {T}_{\mathsf {W}}$. Let
$$\begin{aligned} \mathrm {\Pi }_{\mathrm {myself}}(\cdot ) {\mathop {=}\limits ^\mathrm{def}}\mathrm {\Pi }^{\mathsf {T}'_{\mathrm {\Pi }}, \mathsf {T}'_{\mathsf {UA}}, \mathsf {T}'_{\mathsf {W}}}(x, z, \ell , \mathrm {\Pi }, \mathsf {trans}, \cdot ). \end{aligned}$$
Then, for each $s\in [m]$, if the sth session has already started in $\mathsf {trans}$, do the following: Let $h_s$ be the hash function chosen by $V^*$ in the sth session in $\mathsf {trans}$; then, update $\mathsf {T}_{\mathrm {\Pi }}$ by setting $v_{s,\ell } := h_s(\mathrm {\Pi }_{\mathrm {myself}})$.
2.
Set temporary variables $\mathsf {ctr}_{s} := 0$ and $\mathsf {tmp}_s := \bot $ for every $s\in [m]$, and a temporary variable $\mathsf {new}\textsf {-}\mathsf {trans}:= \varepsilon $. Define a function $\mathsf {head}(\cdot )$ as $\mathsf {head}(k) {\mathop {=}\limits ^\mathrm{def}}\kappa +1 + (k-1)q^{\ell -1}$.
3.
For each $k\in [q]$, do the following:
1. (a)
  /*Storing the machine that executes thekth child-block.*/ Let $\mathsf {T}_{\mathrm {\Pi }}^{(k)}$, $\mathsf {T}_{\mathsf {UA}}^{(k)}$, $\mathsf {T}_{\mathsf {W}}^{(k)}$ be the tables that are obtained by copying the current entries of $\mathsf {T}_{\mathrm {\Pi }}$, $\mathsf {T}_{\mathsf {UA}}$, $\mathsf {T}_{\mathsf {W}}$. Then, let
  $$\begin{aligned} \mathrm {\Pi }_{k}(\cdot ) {\mathop {=}\limits ^\mathrm{def}}\mathrm {\Pi }^{\mathsf {T}_{\mathrm {\Pi }}^{(k)}, \mathsf {T}_{\mathsf {UA}}^{(k)}, \mathsf {T}_{\mathsf {W}}^{(k)}}(x, z, \ell -1, \mathrm {\Pi }, \mathsf {trans} \!\parallel \! \mathsf {new}\textsf {-}\mathsf {trans}, \cdot ). \end{aligned}$$
2. (b)
  /*Executing thekth child-block.*/ Compute
  $$\begin{aligned} \mathsf {trans}_k := \mathrm {\Pi }^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, \ell -1, \mathrm {\Pi }, \mathsf {trans} \!\parallel \! \mathsf {new}\textsf {-}\mathsf {trans}, \sigma _{\mathsf {head}(k+1)}) \end{aligned}$$
  while reading and updating $\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$ for $\mathrm {\Pi }$.
3. (c)
  For each $s\in [m]$, if the sth session has already started in $\mathsf {trans} \!\parallel \! \mathsf {new}\textsf {-}\mathsf {trans}$, do the following. Let $(h_s, \tau _s)$ be the first-round message of the sth session.
  - Case 1.$\varvec{\mathsf {ctr}_s = 0}$, and$\mathsf {trans}_k$contains a$\mathrm {\Pi }$-slot of thesth session.
    
    /* Computing offline proof */ Let $\mathsf {sl}$ denote the $\mathrm {\Pi }$-slot that is contained by $\mathsf {trans}_k$. (If there are more than one such $\mathrm {\Pi }$-slot, $\mathsf {sl}$ denote the first such one.) Let $i_1$ denote the slot-index of $\mathsf {sl}$, i.e., $i_1\in [N_{\mathrm {slot}}]$ such that $\mathsf {sl}$ is the $i_1$th $\mathrm {\Pi }$-slot in the sth session. Let $(\overline{C}_{i_1}, r_{i_1})$ denote the messages in $\mathsf {sl}$, where $\overline{C}_{i_1} = (C_{i_1,1}, \ldots , C_{i_1, N_{\mathrm {col}}})$.
    1. i.
      From $\rho _{\mathsf {head}(k)}, \ldots , \rho _{\mathsf {head}(k+1)-1}$ (which are computed in Step 1), find the randomness $R_1$ that was used for generating $C_{i_1, \ell -1}$.^{Footnote 10} Then, compute a PCP proof $\pi _{s}$ for statement $(h_s, \tau _s, C_{i_1, \ell -1}, r_{i_1})\in \Lambda _2$ using $(\mathrm {\Pi }_{k}, R_1, \sigma _{\mathsf {head}(k+1)})$ as a witness (see Sect. 4.1.2 for details). Then, compute $\mathsf {UA}_2 := h_s(\pi _{s})$.
    2. ii.
      Update $\mathsf {T}_{\mathsf {UA}}$ by setting $\mathsf {ua}_{s,\ell -1} := \mathsf {UA}_2$.
    3. iii.
      Update $\mathsf {tmp}_s := (i_1, \pi _{s}, \mathsf {UA}_2)$ and $\mathsf {ctr}_s := \mathsf {ctr}_s + 1$.
  - Case 2.$\varvec{\mathsf {ctr}_s = 1}$, and$\mathsf {trans}_k$contains a$\mathsf {UA}$-slot of thesth session./*Computing$\mathsf {WIPOK}$witness*/ Let $\mathsf {sl}$ denote the $\mathsf {UA}$-slot that is contained by $\mathsf {trans}_k$. (If there are more than one such $\mathsf {UA}$-slot, $\mathsf {sl}$ denote the first such one.) Let $i_2$ be the slot-index of $\mathsf {sl}$. Let $(\overline{D}_{i_2}, \omega _{i_2})$ denote the messages in $\mathsf {sl}$, where $\overline{D}_{i_2} = (D_{i_2,1}, \ldots , D_{i_2, N_{\mathrm {col}}})$.
    1. i.
      Parse $(i_1, \pi _{s}, \mathsf {UA}_2) := \mathsf {tmp}_s$. Then, compute a fourth-round $\mathsf {UA}$ message $\mathsf {UA}_4$ from the offline proof $(h_s, \pi _{s}, \mathsf {UA}_2)$ and the third-round $\mathsf {UA}$ message $\omega _{i_2}$.
    2. ii.
      From $\rho _{\mathsf {head}(k)}, \ldots , \rho _{\mathsf {head}(k+1)-1}$ (which are computed in Step 1), find the randomness $R_2$ that was used for generating $D_{i_2, \ell -1}$. Then, if $w_s = \bot $, update $\mathsf {T}_{\mathsf {W}}$ by setting $w_s := (i_1, i_2, \ell -1, \mathsf {UA}_2, \mathsf {UA}_4, R_2)$.
    3. iii.
      Update $\mathsf {ctr}_s := \mathsf {ctr}_s + 1$.
  - Case 3. All the other cases. Do nothing.
4. (d)
  Update $\mathsf {new}\textsf {-}\mathsf {trans}:= \mathsf {new}\textsf {-}\mathsf {trans} \!\parallel \! \mathsf {trans}_k$.
4.
Output $\mathsf {new}\textsf {-}\mathsf {trans}$.

4.1.6 Correctness of $\mathcal {S}$.

In this section, we observe the correctness of $\mathcal {S}$. Specifically, we observe that $\mathsf {aux}\text {-}\mathcal {S}$ can indeed compute a valid PCP proof $\pi _{s}$ and a valid $\mathsf {WIPOK}$ witness $w_s$ in Step 2b.

First, we see that $\mathsf {aux}\text {-}\mathcal {S}$ can indeed compute a PCP proof $\pi _{s}$ in Step 2b. Specifically, we see that when $\mathsf {aux}\text {-}\mathcal {S}$ computes $\pi _{s}$ in Step 2b, $(\mathrm {\Pi }_{k}, R_1, \sigma _{\mathsf {head}(k+1)})$ is indeed a witness for $(h_s, \tau _s, C_{i_1, \ell -1}, r_{i_1})\in \Lambda _2$ (that is, $C_{i_1, \ell -1}$ is a commitment to $h_s(\mathrm {\Pi }_{k})$ and $\mathrm {\Pi }_{k}$ outputs a string that has $r_{i_1}$ as a substring).

1.
First, we observe that $C_{i_1, \ell -1}$ is a commitment to $h_s(\mathrm {\Pi }_{k})$. Recall that when $\mathsf {aux}\text {-}\mathcal {S}$ computes $\pi _{s}$ in Step 2b, the $\mathrm {\Pi }$-slot $(C_{i_1, \ell -1}, r_{i_1})$ is contained by $\mathsf {trans}_k$. Then, since $\mathsf {trans}_k$ is generated by a recursive execution
$$\begin{aligned} \mathrm {\Pi }^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, \ell -1, \mathrm {\Pi }, \mathsf {trans}, \sigma _{\mathsf {head}(k+1)}), \end{aligned}$$
and this recursive execution updates $v_{s, \ell -1}\in \mathsf {T}_{\mathrm {\Pi }}$ to be the hash of its own code at the beginning, $C_{i_1, \ell -1}$ is a commitment to the hash of this code, which is identical with $h_s(\mathrm {\Pi }_k)$.
2.
Next, we observe that $\mathrm {\Pi }_{k}$ outputs $\mathsf {trans}_k$ on input $\sigma _{\mathsf {head}(k+1)}$. This is because from its definition $\mathrm {\Pi }_{k}(\sigma _{\mathsf {head}(k+1)})$ is identical with
$$\begin{aligned} \mathrm {\Pi }^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, \ell -1, \mathrm {\Pi }, \mathsf {trans}, \sigma _{\mathsf {head}(k+1)}) \end{aligned}$$
(including the entries in the tables), which outputs $\mathsf {trans}_k$.

Since $r_{i_1}$ is contained by $\mathsf {trans}_k$, we conclude that $(\mathrm {\Pi }_{k}, R_1, \sigma _{\mathsf {head}(k+1)})$ is indeed a witness for $(h_s, \tau _s, C_{i_1, \ell -1}, r_{i_1})\in \Lambda _2$.

Next, we see that $\mathsf {aux}\text {-}\mathcal {S}$ can compute a $\mathsf {WIPOK}$ proof in Step 2a as long as $w_s \ne \bot $. In other words, we see that if $\mathsf {aux}\text {-}\mathcal {S}$ updates $w_s$ to $(i_1, i_2, \ell -1, \mathsf {UA}_2, \mathsf {UA}_4, R_2)$ in Step 2b, it is indeed a valid $\mathsf {WIPOK}$ witness (that is, $D_{i_2, \ell -1}$ is a commitment to $\mathsf {UA}_2$ and $(h_s, \mathsf {UA}_2, \omega _{i_2}, \mathsf {UA}_4)$ is an accepting $\mathsf {UA}$ proof for $(h_s, \tau _s, C_{i_1, \ell -1}, r_{i_1})\in \Lambda _2$).

1.
First, $\mathsf {UA}_2$ is the hash value of a PCP proof $\pi _{s}$ that is computed at the end of a previous recursive execution, and from what is observed above, $\pi _{s}$ is a valid PCP proof for statement $(h_s, \tau _s, C_{i_1, \ell -1}, r_{i_1})\in \Lambda _2$. Hence, $(h_s, \mathsf {UA}_2, \omega _{i_2}, \mathsf {UA}_4)$ is an accepting proof for $(h_s, \tau _s, C_{i_1, \ell -1}, r_{i_1})\in \Lambda _2$
2.
Next, since $\mathsf {ua}_{s, \ell -1}\in \mathsf {T}_{\mathsf {UA}}$ is not updated during level-$(\ell -1)$ recursive executions, $D_{i_2, \ell -1}$ is a commitment to $\mathsf {UA}_2$.

Thus, $(i_1, i_2, \ell -1, \mathsf {UA}_2, \mathsf {UA}_4, R_2)$ is a valid $\mathsf {WIPOK}$ witness.

Finally, we see that we have $w_s \ne \bot $ when $\mathsf {aux}\text {-}\mathcal {S}$ computes a $\mathsf {WIPOK}$ proof in Step 2a. This follows from the following claim.

Claim 1

During the execution of $\mathcal {S}$, any execution of $\mathsf {aux}\text {-}\mathcal {S}$ does not output $\mathsf {stuck}$.

Proof

We first introduce notations. Recall that an execution of $\mathcal {S}$ involves recursive executions of $\mathsf {aux}\text {-}\mathcal {S}$. We use block to denote each execution of $\mathsf {aux}\text {-}\mathcal {S}$. Notice that each block can be identified by the value of $\ell $ and $\kappa = | \mathsf {trans} |$. A block is in level$\ell $ if the corresponding $\mathsf {aux}\text {-}\mathcal {S}$ is executed with input $\ell $. The child-blocks of a block are the blocks that are recursively executed by this block; thus, each block has q child-blocks. A block contains a slot of a session if the execution of $\mathsf {aux}\text {-}\mathcal {S}$ that corresponds to this block outputs a transcript that includes this slot (i.e., includes both the prover and the verifier message of this slot), where we use slots to refer to both $\mathrm {\Pi }$-slots and $\mathsf {UA}$-slots. A block is good w.r.t. a session if this block contains at least two slots of this session but contain neither the first verifier message of this session nor the first prover message of $\mathsf {WIPOK}$ of this session.^{Footnote 11}

Given these notations, we prove the claim as follows. From the constructions of $\mathcal {S}$ and $\mathsf {aux}\text {-}\mathcal {S}$, none of $\mathsf {aux}\text {-}\mathcal {S}$ outputs $\mathsf {stuck}$ if for every session that reaches Stage 3, there exists a block such that two of its child-blocks are good. (If there exists such a block for a session, the first good child-block contains a $\mathrm {\Pi }$-slot of that session and the second one contains a $\mathsf {UA}$-slot of that session; thus, a $\mathsf {WIPOK}$ witness for that session is computed at the end of the second good child-block.) Thus, it suffices to show that if a session reaches Stage 3, there exists a block such that at least two of its child-blocks are good w.r.t. that session. To show this, it suffices to show that if a session reaches Stage 3, there exists a block such that at least four of its child-blocks contain two or more slots of that session. (If four child-blocks contain two or more slots, two of them are good since at most one child-block contains the first verifier message and at most one child-block contains the first prover message of $\mathsf {WIPOK}$.) Assume for contradiction that there exists a session $s^*$ such that $s^*$ reaches Stage 3 but every block has at most three child-blocks that contain two or more slots of session $s^*$. For $\ell \in \{0,\ldots ,d \}$ and $\kappa \in [q^d]$, let $\Gamma _{\kappa }(\ell )$ be the number of the slots that belong to session $s^*$ and are contained by the block that is identified by $\ell $ and $\kappa $, and let $\Gamma (\ell ) {\mathop {=}\limits ^\mathrm{def}}\max _{\kappa }(\Gamma _{\kappa }(\ell ))$. Then, since for each block b,

at most three child-blocks of b contain two or more slots of $s^*$, and the other child-blocks contain at most a single slot of $s^*$, and
$s^*$ has at most $q-1$ slots that are contained by block b but are not contained by its child-blocks,

we have

$$\begin{aligned} \Gamma (\ell ) \le 3\cdot \Gamma (\ell -1) + (q-2) \cdot 1 + q-1 = 3\Gamma (\ell -1) + 2q-3. \end{aligned}$$

Thus, we have

$$\begin{aligned} \Gamma (d)&\le 3\Gamma (d-1) + 2q-3\\&\le 3^2\Gamma (d-2)+ 3(2q-3) + 2q-3\\&\le \cdots \le 3^{d} \Gamma (0) + \sum _{i=0}^{d-1}3^i(2q-3)\\&= 3^{d}\Gamma (0) + \frac{1}{2}(3^{d}-1)(2q-3). \end{aligned}$$

From $d = O(1)$ and $\Gamma (0) = 0$, we have $\Gamma (d) = O(q)$. Then, since $\mathcal {S}$ outputs the view of $V^*$ that is generated by the level-d block, there are at most $O(q) = O(n^{\epsilon /2})$ slots of $s^*$ in the simulated transcript. Then, since we have $N_{\mathrm {slot}}= O(n^{\epsilon })$, this contradicts to the assumption that $s^*$ reaches Stage 3. $\square $

From the above three observations, we conclude that $\mathsf {aux}\text {-}\mathcal {S}$ can indeed compute a valid PCP proof $\pi _{s}$ and a $\mathsf {WIPOK}$ valid witness $w_s$ in Step 2b.

4.1.7 Running Time of $\mathcal {S}$

Lemma 3

$\mathcal {S}(x, z)$ runs in polynomial time.

Proof

We bound the running time of $\mathcal {S}$ as follows. Recall that an execution of $\mathcal {S}$ involves recursive executions of $\mathsf {aux}\text {-}\mathcal {S}$. We identify each execution of $\mathsf {aux}\text {-}\mathcal {S}$ by the value of $\ell $ and $\kappa = | \mathsf {trans} |$. In the following, we use $\mathsf {aux}\text {-}\mathcal {S}_{\ell , \kappa }$ to denote the execution of $\mathsf {aux}\text {-}\mathcal {S}$ with $\ell $ and $\kappa $. Let $t_{\ell , \kappa }$ be the running time of $\mathsf {aux}\text {-}\mathcal {S}_{\ell ,\kappa }$, and let $t_{\ell } {\mathop {=}\limits ^\mathrm{def}}\max _{\kappa }(t_{\ell , \kappa })$. Then, observe that in the execution of $\mathsf {aux}\text {-}\mathcal {S}_{\ell ,\kappa }$, every computation is performed in fixed polynomial time in $n$ except for the following computations.

1.
The recursive executions of $\mathsf {aux}\text {-}\mathcal {S}$ (i.e., the executions of $\mathsf {aux}\text {-}\mathcal {S}_{\ell -1, \kappa }, \mathsf {aux}\text {-}\mathcal {S}_{\ell -1, \kappa +q^{\ell -1}}, \ldots $).
2.
The generations of the offline proofs (i.e., PCP proofs and their hash values) and the fourth-round $\mathsf {UA}$ messages.

Each recursive execution takes at most $t_{\ell -1}$ steps. Furthermore, from the relatively efficient oracle construction property of PCP systems, each offline proof can be generated in $\mathsf {poly}(t_{\ell -1})$ steps. Then, since for each $k\in [q]$ there are a single recursive execution and at most m computations of offline proofs and fourth-round $\mathsf {UA}$ proofs, we have

$$\begin{aligned} t_{\ell } \le q \cdot ( t_{\ell -1} + m \cdot \mathsf {poly}(t_{\ell -1}) + \mathsf {poly}(n) ) + \mathsf {poly}(n) \le \mathsf {poly}(t_{\ell -1}) \end{aligned}$$

for any $\ell \in [d]$. Then, since we have $d=O(1)$ and $t_0 = \mathsf {poly}(n)$, we have $t_{d} = \mathsf {poly}(n)$. Thus, $\mathcal {S}$ runs in polynomial time. $\square $

4.1.8 Indistinguishability of Views

Lemma 4

The output of $\mathcal {S}(x, z)$ is computationally indistinguishable from the view of $V^*$.

Proof

We prove this lemma by considering a sequence of hybrid experiments, $H_0, \ldots , H_{q^d+1}$. Hybrid $H_{0}$ is identical with the real interaction between $V^*$ and honest provers, and $H_{q^d+1}$ is identical with the execution of $\mathcal {S}$. Hybrid $H_i$ ($i\in [q^d]$) is identical with $H_{q^d+1}$ except that, roughly speaking, the simulation stops after simulating the ith message, and later on the prover messages are generated honestly as in $H_{0}$. Formally, we define $H_i$ ($i\in [q^d]$) by using the following hybrid auxiliary simulator $\mathsf {aux}\text {-}\tilde{\mathcal {S}}_i$, which differs from $\mathsf {aux}\text {-}\mathcal {S}$ in that it simulates the transcript only until the ith message and that it simulates the ith message using true randomness $\rho $ (rather than pseudorandomness $\rho _i$ derived by $\mathsf {f}\textsf {-}\mathsf {PRG}$). Though $\mathsf {aux}\text {-}\tilde{\mathcal {S}}_{i}$ is very similar to $\mathsf {aux}\text {-}\mathcal {S}$, we give a complete description of $\mathsf {aux}\text {-}\tilde{\mathcal {S}}_{i}$ below. The differences from $\mathsf {aux}\text {-}\mathcal {S}$ are highlighted by blue color and underline.

:

Step 1.

/*Preparing randomness for simulating the next $q^{\ell }$ messages*/

Let $\kappa := | \mathsf {trans} |$ (i.e., $\kappa $ be the number of the messages that are included in $\mathsf {trans}$). Then, compute

Step 2a: Simulation (base case). If $\ell = 0$, do the following.

1.
If the next scheduled message $\mathsf {msg}$ is a verifier message, feed $\mathsf {trans}$ to $V^*(x,z)$ and receive $\mathsf {msg}$ from $V^*$. If the next scheduled message $\mathsf {msg}$ is a prover message of the sth session ($s\in [m]$), do the following with randomness $\rho _{\kappa +1}$. (If necessary, $\rho _{\kappa +1}$ is expanded by a pseudorandom generator.) Let $\tau _s$ be the first-round message of $\mathsf {Com}$ of the sth session, which can be found from $\mathsf {trans}$.
- If $\mathsf {msg}$ is the prover message in a $\mathrm {\Pi }$-slot, compute $\mathsf {msg}= (C_1, \ldots , C_{N_{\mathrm {col}}})$ by $C_j \leftarrow \mathsf {Com}_{\tau _s}(v_{s,j})$ for every $j\in [N_{\mathrm {col}}]$, where $v_{s,j}$ is read from $\mathsf {T}_{\mathrm {\Pi }}$.
- If $\mathsf {msg}$ is the prover message in a $\mathsf {UA}$-slot, compute $\mathsf {msg}= (D_1, \ldots , D_{N_{\mathrm {col}}})$ by $D_j \leftarrow \mathsf {Com}_{\tau _s}(\mathsf {ua}_{s,j})$ for every $j\in [N_{\mathrm {col}}]$, where $\mathsf {ua}_{s,j}$ is read from $\mathsf {T}_{\mathsf {UA}}$.
- If $\mathsf {msg}$ is the first prover message of $\mathsf {WIPOK}$, compute $\mathsf {msg}$ by using $w_s$ as a witness, where $w_s$ is read from $\mathsf {T}_{\mathsf {W}}$; if $w_s$ is not a valid witness, abort with output $\mathsf {stuck}$.
- If $\mathsf {msg}$ is the second prover message of $\mathsf {WIPOK}$, reconstruct the prover state of $\mathsf {WIPOK}$ from $w_s$ and $\rho _1, \ldots , \rho _{\kappa }$ and then honestly compute $\mathsf {msg}$ by using this prover state, where $w_s$ is read from $\mathsf {T}_{\mathsf {W}}$.^{Footnote 12}
2.
Output $\mathsf {msg}$.

Step 2b: Simulation (recursive case). If $\ell >0$, do the following.

1.
/*Storing it own code in$\mathsf {T}_{\mathrm {\Pi }}$/* Let $\mathsf {T}'_{\mathrm {\Pi }}$, $\mathsf {T}'_{\mathsf {UA}}$, $\mathsf {T}'_{\mathsf {W}}$ be the tables that are obtained by copying the current entries of $\mathsf {T}_{\mathrm {\Pi }}$, $\mathsf {T}_{\mathsf {UA}}$, $\mathsf {T}_{\mathsf {W}}$. Let
$$\begin{aligned} \mathrm {\Pi }_{\mathrm {myself}}(\cdot ) {\mathop {=}\limits ^\mathrm{def}}\mathrm {\Pi }^{\mathsf {T}'_{\mathrm {\Pi }}, \mathsf {T}'_{\mathsf {UA}}, \mathsf {T}'_{\mathsf {W}}}(x, z, \ell , \mathrm {\Pi }, \mathsf {trans}, \cdot ). \end{aligned}$$
Then, for each $s\in [m]$, if the sth session has already started in $\mathsf {trans}$, do the following: Let $h_s$ be the hash function chosen by $V^*$ in the sth session in $\mathsf {trans}$; then, update $\mathsf {T}_{\mathrm {\Pi }}$ by setting $v_{s,\ell } := h_s(\mathrm {\Pi }_{\mathrm {myself}})$.
2.
Set temporary variables $\mathsf {ctr}_{s} := 0$ and $\mathsf {tmp}_s := \bot $ for every $s\in [m]$, and a temporary variable $\mathsf {new}\textsf {-}\mathsf {trans}:= \varepsilon $. Define a function $\mathsf {head}(\cdot )$ as $\mathsf {head}(k) {\mathop {=}\limits ^\mathrm{def}}\kappa +1 + (k-1)q^{\ell -1}$.
3.
For each $k\in [q]$ , do the following:
1. (a)
  /*Storing the machine that executes the kth child-block.*/ Let $\mathsf {T}_{\mathrm {\Pi }}^{(k)}$, $\mathsf {T}_{\mathsf {UA}}^{(k)}$, $\mathsf {T}_{\mathsf {W}}^{(k)}$ be the tables that are obtained by copying the current entries of $\mathsf {T}_{\mathrm {\Pi }}$, $\mathsf {T}_{\mathsf {UA}}$, $\mathsf {T}_{\mathsf {W}}$. Then, let
  $$\begin{aligned} \mathrm {\Pi }_{k}(\cdot ) {\mathop {=}\limits ^\mathrm{def}}\mathrm {\Pi }^{\mathsf {T}_{\mathrm {\Pi }}^{(k)}, \mathsf {T}_{\mathsf {UA}}^{(k)}, \mathsf {T}_{\mathsf {W}}^{(k)}}(x, z, \ell -1, \mathrm {\Pi }, \mathsf {trans} \!\parallel \! \mathsf {new}\textsf {-}\mathsf {trans}, \cdot ). \end{aligned}$$
2. (b)
  /*Executing thekth child-block.*/ Compute
  $$\begin{aligned} \mathsf {trans}_k := \mathrm {\Pi }^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, \ell -1, \mathrm {\Pi }, \mathsf {trans} \!\parallel \! \mathsf {new}\textsf {-}\mathsf {trans}, \sigma _{\mathsf {head}(k+1)}) \end{aligned}$$
  while reading and updating $\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}$ for $\mathrm {\Pi }$.
3. (c)
  For each $s\in [m]$, if the sth session has already started in $\mathsf {trans} \!\parallel \! \mathsf {new}\textsf {-}\mathsf {trans}$, do the following. Let $(h_s, \tau _s)$ be the first-round message of the sth session.
  - Case 1.$\varvec{\mathsf {ctr}_s = 0}$, and$\mathsf {trans}_k$contains a$\varvec{\mathrm {\Pi }}$-slot of the$\mathbf{s}$th session.
    
    /* Computing offline proof */ Let $\mathsf {sl}$ denote the $\mathrm {\Pi }$-slot that is contained by $\mathsf {trans}_k$. (If there are more than one such $\mathrm {\Pi }$-slot, $\mathsf {sl}$ denote the first such one.) Let $i_1$ denote the slot-index of $\mathsf {sl}$, i.e., $i_1\in [N_{\mathrm {slot}}]$ such that $\mathsf {sl}$ is the $i_1$th $\mathrm {\Pi }$-slot in the sth session. Let $(\overline{C}_{i_1}, r_{i_1})$ denote the messages in $\mathsf {sl}$, where $\overline{C}_{i_1} = (C_{i_1,1}, \ldots , C_{i_1, N_{\mathrm {col}}})$.
    1. i.
      From $\rho _{\mathsf {head}(k)}, \ldots , \rho _{\mathsf {head}(k+1)-1}$ (which are computed in Step 1), find the randomness $R_1$ that was used for generating $C_{i_1, \ell -1}$.^{Footnote 13} Then, compute a PCP proof $\pi _{s}$ for statement $(h_s, \tau _s, C_{i_1, \ell -1}, r_{i_1})\in \Lambda _2$ using $(\mathrm {\Pi }_{k}, R_1, \sigma _{\mathsf {head}(k+1)})$ as a witness (see Sect. 4.1.2 for details). Then, compute $\mathsf {UA}_2 := h_s(\pi _{s})$.
    2. ii.
      Update $\mathsf {T}_{\mathsf {UA}}$ by setting $\mathsf {ua}_{s,\ell -1} := \mathsf {UA}_2$.
    3. iii.
      Update $\mathsf {tmp}_s := (i_1, \pi _{s}, \mathsf {UA}_2)$ and $\mathsf {ctr}_s := \mathsf {ctr}_s + 1$.
  - Case 2.$\varvec{\mathsf {ctr}_s = 1}$, and$\mathsf {trans}_k$contains a${\mathsf {UA}}$-slot of the$\mathbf{s}$th session.
    
    /*Computing$\mathsf {WIPOK}$witness*/ Let $\mathsf {sl}$ denote the $\mathsf {UA}$-slot that is contained by $\mathsf {trans}_k$. (If there are more than one such $\mathsf {UA}$-slot, $\mathsf {sl}$ denote the first such one.) Let $i_2$ be the slot-index of $\mathsf {sl}$. Let $(\overline{D}_{i_2}, \omega _{i_2})$ denote the messages in $\mathsf {sl}$, where $\overline{D}_{i_2} = (D_{i_2,1}, \ldots , D_{i_2, N_{\mathrm {col}}})$.
    1. i.
      Parse $(i_1, \pi _{s}, \mathsf {UA}_2) := \mathsf {tmp}_s$. Then, compute a fourth-round $\mathsf {UA}$ message $\mathsf {UA}_4$ from the offline proof $(h_s, \pi _{s}, \mathsf {UA}_2)$ and the third-round $\mathsf {UA}$ message $\omega _{i_2}$.
    2. ii.
      From $\rho _{\mathsf {head}(k)}, \ldots , \rho _{\mathsf {head}(k+1)-1}$ (which are computed in Step 1), find the randomness $R_2$ that was used for generating $D_{i_2, \ell -1}$. Then, if $w_s = \bot $, update $\mathsf {T}_{\mathsf {W}}$ by setting $w_s := (i_1, i_2, \ell -1, \mathsf {UA}_2, \mathsf {UA}_4, R_2)$.
    3. iii.
      Update $\mathsf {ctr}_s := \mathsf {ctr}_s + 1$.
  - Case 3. All the other cases. Do nothing.
4. (d)
  Update $\mathsf {new}\textsf {-}\mathsf {trans}:= \mathsf {new}\textsf {-}\mathsf {trans} \!\parallel \! \mathsf {trans}_k$.
4.
1. (a)
  Compute
  $$\begin{aligned} \underline{\mathsf {trans}_k := \tilde{\mathrm {\Pi }}_i^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, \ell -1, \mathrm {\Pi }, \mathsf {trans} \!\parallel \! \mathsf {new}\textsf {-}\mathsf {trans}, \sigma _{\mathsf {head}(k+1)}, \tilde{\mathrm {\Pi }}_i, \rho )} \end{aligned}$$
2. (b)
5
Output $\mathsf {new}\textsf {-}\mathsf {trans}$.

Now, we formally define the hybrids as follows.

4.1.9 $\underline{\hbox {Hybrids}\, H_0, \ldots , H_{q^d+1}:}$

Hybrid $H_0$ is the same as the real interaction between $V^*$ and honest provers.
Hybrid $H_i$ ($i\in [q^d]$) is the same as the real execution of $\mathcal {S}$ except for the following.
1. 1.
  $\mathcal {S}$ obtains $\mathsf {trans}$ by executing
  $$\begin{aligned} \mathsf {aux}\text {-}\tilde{\mathcal {S}}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}_{i}(x, z, d, \mathsf {aux}\text {-}\mathcal {S}, \varepsilon , \sigma _i, \mathsf {aux}\text {-}\tilde{\mathcal {S}}_i, \rho _i) \end{aligned}$$
  rather than
  $$\begin{aligned} \mathsf {aux}\text {-}\mathcal {S}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, d, \mathsf {aux}\text {-}\mathcal {S}, \varepsilon , \sigma _{q^d+1}), \end{aligned}$$
  where $(\sigma _i, \rho _i) := \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{i+1}, 1)$ for a randomly chosen seed $\sigma _{i+1}$ of $\mathsf {f}\textsf {-}\mathsf {PRG}$. We remark that in $\mathsf {trans}$, the view of $V^*$ is simulated up until the ith message (inclusive) in a way that the ith message is simulated by using $\rho _i$ as randomness.
2. 2.
  After $\mathsf {trans}$, the simulation of $V^*$’s view is continued as follows:
  - Every message is computed with true randomness.
  - Every message in $\mathrm {\Pi }$-slots and $\mathsf {UA}$-slot is generated by committing to $0^{n}$.
  - Every $\mathsf {WIPOK}$ that starts after $\mathsf {trans}$ is executed with a witness for $x \in L$.
  - Every $\mathsf {WIPOK}$ that already started in $\mathsf {trans}$ is executed as in $\mathsf {aux}\text {-}\mathcal {S}$ (i.e., by reconstructing the prover state).
Hybrid $H_{q^d+1}$ is the same as the real execution of $\mathcal {S}$.

From a hybrid argument, it suffices to show the indistinguishability between the outputs of each neighboring hybrids. In the following, we show the indistinguishability in the reverse order, i.e., we show that the output of $H_i$ is indistinguishable from that of $H_{i-1}$ for every $i\in [q^d+1]$.

Claim 2

The output of $H_{q^d+1}$ and that of $H_{q^d}$ are identically distributed.

Proof

This claim can be proven by inspection. Notice that the only difference between $H_{q^d+1}$ and $H_{q^d}$ is that in $H_{q^d+1}$, $\mathsf {trans}$ is obtained by executing

$$\begin{aligned} \mathsf {aux}\text {-}\mathcal {S}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, d, \mathsf {aux}\text {-}\mathcal {S}, \varepsilon , \sigma _{q^d+1}) \end{aligned}$$

whereas in $H_{q^d}$, $\mathsf {trans}$ is obtained by executing

$$\begin{aligned} \mathsf {aux}\text {-}\tilde{\mathcal {S}}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}_{q^d}(x, z, d, \mathsf {aux}\text {-}\mathcal {S}, \varepsilon , \sigma _{q^d}, \mathsf {aux}\text {-}\tilde{\mathcal {S}}, \rho _{q^d}) \end{aligned}$$

such that $(\sigma _{q^d}, \rho _{q^d}) := \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{q^d+1}, 1)$. The former execution simulates the $q^d$ messages in $\mathsf {trans}$ using the randomness $\rho _1, \ldots , \rho _{q^d}$ that are obtained by $\mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{q^d+1}, q^d)$, whereas the latter execution simulates the first $q^d-1$ messages using the randomness $\rho _1, \ldots , \rho _{q^d-1}$ that are obtained by $\mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{q^d}, q^d-1)$ and then simulates the $q^d$th message using the randomness $\rho _{q^d}$. Then, since $(\sigma _{q^d}, \rho _{q^d}) = \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{q^d+1}, 1)$ in $H_{q^d}$, it follows from the consistency of $\mathsf {f}\textsf {-}\mathsf {PRG}$ that the messages in the latter execution are simulated using the randomness $\rho _1, \ldots , \rho _{q^d}$ that are obtained by $\mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{q^d+1}, q^d)$. Hence, the messages in the latter execution are generated identically with those in the former execution. $\square $

Claim 3

The output of $H_{i}$ and that of $H_{i-1}$ are computationally indistinguishable for every $i\in [q^d]$.

Proof

To prove this claim, we consider a sequence of intermediate hybrids in which $H_{i}$ is gradually changed to $H_{i-1}$ as follows.

Hybrid $H_{i:1}$:

is the same as $H_{i}$ except that $\mathcal {S}$ obtains $\mathsf {trans}$ by executing

$$\begin{aligned} \mathsf {aux}\text {-}\tilde{\mathcal {S}}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}_{i}(x, z, d, \mathsf {aux}\text {-}\mathcal {S}, \varepsilon , \sigma _i, \mathsf {aux}\text {-}\tilde{\mathcal {S}}_i, \rho _i) \end{aligned}$$

for random $\sigma _i$ and $\rho _i$ rather than for $(\sigma _{i}, \rho _i) := \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{i+1}, 1)$. Notice that in $H_{i:1}$, the ith message is simulated with true randomness rather than pseudorandomness.

Hybrid $H_{i:2}$:

is the same as $H_{i:1}$ except that if the ith message is a prover message of $\mathsf {Com}$ (either in a $\mathrm {\Pi }$-slot or in a $\mathsf {UA}$-slot), then the message is computed as in the honest prover (i.e., $C_{j} \leftarrow \mathsf {Com}(0^n)$ or $D_{j} \leftarrow \mathsf {Com}(0^n)$ for every $j\in [N_{\mathrm {col}}]$).

Hybrid $H_{i:3}$:

is the same as $H_{i:2}$ except that if the ith message is the first prover message of $\mathsf {WIPOK}$, then subsequently all messages in this $\mathsf {WIPOK}$ are computed by using a witness for $x \in L$.

From a hybrid argument, it suffices to show the indistinguishability between each neighboring intermediate hybrids.

Claim 4

For every $i\in [q^d]$, the output of $H_{i:1}$ is computationally indistinguishable from that of $H_{i}$.

Proof

The indistinguishability follows immediately from the forward security of $\mathsf {f}\textsf {-}\mathsf {PRG}$. Assume for contradiction that the output of $H_{i}$ and that of $H_{i:1}$ are distinguishable. Then, consider the following adversary $\mathcal {D}$ against the forward security of $\mathsf {f}\textsf {-}\mathsf {PRG}$. On input $(\sigma '_i, \rho '_i)$, adversary $\mathcal {D}$ internally invokes $V^*$ and simulates $H_{i}$ for $V^*$ honestly except for the following.

Rather than executing
$$\begin{aligned} \mathsf {aux}\text {-}\tilde{\mathcal {S}}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}_{i}(x, z, d, \mathsf {aux}\text {-}\mathcal {S}, \varepsilon , \sigma _i, \mathsf {aux}\text {-}\tilde{\mathcal {S}}_i, \rho _i) \end{aligned}$$
for $(\sigma _{i}, \rho _i) := \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{i+1}, 1)$, $\mathcal {D}$ executes it for $\sigma _i := \sigma '_i$ and $\rho _i := \rho '_i$.

When $\sigma '_i$ and $\rho '_{i}$ are generated by $(\sigma '_i, \rho '_i) := \mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{i+1}, 1)$, the output of $\mathcal {D}$ is identically distributed with that of $H_{i}$, and when $\sigma '_i$ and $\rho '_{i}$ are chosen randomly, the output of $\mathcal {D}$ is identically distributed with that of $H_{i:1}$. Therefore, $\mathcal {D}$ breaks the forward security of $\mathsf {f}\textsf {-}\mathsf {PRG}$ from the assumption, and thus we reach a contradiction. $\square $

Claim 5

For every $i\in [q^d]$, the output of $H_{i:2}$ is computationally indistinguishable from that of $H_{i:1}$.

Proof

It suffices to consider the case that the ith message $\mathsf {msg}$ is a prover message of $\mathsf {Com}$. Note that both in $H_{i:1}$ and $H_{i:2}$, the $\mathsf {Com}$ commitments in $\mathsf {msg}$ are generated by using true randomness; furthermore, the information about their committed values and randomness are not used in the other messages (e.g., the randomness is not hardwired in the committed machines, and the committed value and the randomness are not used as a witness in the generations of PCP and $\mathsf {WIPOK}$). Thus, the indistinguishability follows from the hiding property of $\mathsf {Com}$. $\square $

Claim 6

For every $i\in [q^d]$, the output of $H_{i:3}$ is computationally indistinguishable from that of $H_{i:2}$.

Proof

It suffices to consider the case that the ith message $\mathsf {msg}$ is the first prover message of $\mathsf {WIPOK}$. Note that both in $H_{i:2}$ and in $H_{i:3}$, this $\mathsf {WIPOK}$ proof is generated with true randomness that is not used anywhere else; furthermore, from Claim 1, a valid witness is used both in $H_{i:2}$ and in $H_{i:3}$. Thus, the indistinguishability follows from the witness indistinguishability of $\mathsf {WIPOK}$. $\square $

Claim 7

For every $i\in [q^d]$, the output of $H_{i-1}$ is identically distributed with that of $H_{i:3}$.

Proof

From the consistency of $\mathsf {f}\textsf {-}\mathsf {PRG}$, the first $(i-1)$ messages are computed both in $H_{i:3}$ and in $H_{i-1}$ by using the pseudorandomness that is generated by $\mathsf {f}\textsf {-}\mathsf {PRG}(\sigma _{i}, i-1)$ for random $\sigma _{i}$. In addition, the ith message $\mathsf {msg}$ is computed in exactly the same way in $H_{i:3}$ and $H_{i-1}$. Thus, the claim follows. $\square $

From Claims 4, 5, 6, and 7, the output of $H_i$ and that of $H_{i-1}$ are computationally indistinguishable. This completes the proof of Claim 3. $\square $

From Claims 2 and 3, the output of $H_0$ and that of $H_{q^d+1}$ are indistinguishable. This completes the proof of Lemma 4. $\square $

This completes the proof of Lemma 1. $\square $

4.2 Argument of Knowledge Property

As noted in Remark 2, the language $\Lambda _2$ shown in Fig. 8 is slightly over-simplified, and we can prove the argument-of-knowledge property of $\mathsf {cZKAOK}$ only when $\mathcal {H}$ is collision resistant against $\mathsf {poly}(n^{\log \log n})$-time adversaries.

Below, we prove the argument-of-knowledge property assuming that $\mathcal {H}$ is collision resistant against $\mathsf {poly}(n^{\log \log n})$-time adversaries. By using a trick shown in [5], we can extend this proof so that it works even under the assumption that $\mathcal {H}$ is collision resistant only against polynomial-time adversaries. The details are given at the end of this section.

Proof of Lemma 2

(when $\mathcal {H}$ is collision resistant against $\mathsf {poly}(n^{\log \log n})$-time adversaries). For any cheating prover $P^*$, let us consider the following extractor E.

Given oracle access to $P^*$, the extractor E emulates a verifier of $\mathsf {cZKAOK}$ for $P^*$ honestly until the beginning of Stage 3. E then extract a witness from $\mathsf {WIPOK}$ using its extractor.

To show that E outputs a witness for $x \in L$, it suffices to show that the extracted witness is a witness for $(h, \tau , \overline{C}_1, r_1, \overline{D}_1, \omega _1, \ldots , \overline{C}_{N_{\mathrm {slot}}}, r_{N_{\mathrm {slot}}}, \overline{D}_{N_{\mathrm {slot}}}, \omega _{N_{\mathrm {slot}}}) \in \Lambda _1$ only with negligible probability. In the following, we call a witness for $(h, \tau , \overline{C}_1, r_1, \overline{D}_1, \omega _1, \ldots , \overline{C}_{N_{\mathrm {slot}}}, r_{N_{\mathrm {slot}}}, \overline{D}_{N_{\mathrm {slot}}}, \omega _{N_{\mathrm {slot}}}) \in \Lambda _1$ a fake witness, and we say that $P^*$ is bad if E outputs a fake witness with non-negligible probability. Below, we show that if there exists a bad cheating prover, we can break the collision resistance of $\mathcal {H}$.

We first show the following claim, which roughly states that if there exists a bad $P^*$, there also exists a prover $P^{**}$ that can prove a statement in $\Lambda _2$ with non-negligible probability.

Claim 8

For any ITM P, let us consider an experiment $\mathsf {Exp}_1(n, P)$ in which P interacts with a verifier V as follows.

1.
Interactively generating statement.V sends a random $h\in \mathcal {H}_{n}$ and $\tau \in \{0,1 \}^{3n}$ to P. Then, P sends a commitment C of $\mathsf {Com}$ to V, and V sends a random $r\in \{0,1 \}^{n^2}$ to P.
2.
Generating$\mathsf {UA}$proof.P sends a second-round $\mathsf {UA}$ message $\mathsf {UA}_2$ of statement $(h, \tau , C, r) \in \Lambda _2$ to V. Then, V sends a third-round $\mathsf {UA}$ message $\omega $ to P, and P sends a fourth-round $\mathsf {UA}$ message $\mathsf {UA}_4$ to V.
3.
We say that P wins in the experiment if $(h, \mathsf {UA}_2, \omega , \mathsf {UA}_4)$ is an accepting $\mathsf {UA}$ proof for $(h, \tau , C, r) \in \Lambda _2$.

Then, if there exists a bad $P^*$, there exists a $\textsc {ppt} $ ITM $P^{**}$ that wins in $\mathsf {Exp}_1(n, P^{**})$ with non-negligible probability.

Proof

From the assumption that $P^*$ is bad, for infinitely many $n$ we can extract a fake witness from $P^*$ with probability at least $\delta (n) {\mathop {=}\limits ^\mathrm{def}}1/\mathsf {poly}(n)$. In the following, we fix any such $n$. From an average argument, there exist $i_1^*, i_2^* \in [N_{\mathrm {slot}}]$ and $j^*\in [N_{\mathrm {col}}]$ such that with probability at least $\delta '(n) {\mathop {=}\limits ^\mathrm{def}}\delta (n)/N_{\mathrm {col}}N_{\mathrm {slot}}^2 > \delta (n)/n^3$, we can extract a fake witness $(i_1, i_2, j, \ldots )$ such that $(i_1, i_2, j) = (i_1^*, i_2^*, j^*)$. Then, we consider the following cheating prover $P^{**}$ against $\mathsf {Exp}_1$.

1.
$P^{**}$ internally invokes $P^*$ and emulates a verifier of $\mathsf {cZKAOK}$ for $P^*$ honestly with the following differences:
- In Stage 1, $P^{**}$ forwards h and $\tau $ from the external V to the internal $P^*$.
- In the $i_1^*$th $\mathrm {\Pi }$-slot of Stage 2, $P^{**}$ forwards $C_{i_1^*, j^*}$ from the internal $P^*$ to the external V and forwards r from V to $P^*$.
- In Stage 3, $P^{**}$ extracts a witness w from $P^*$ by using the extractor of $\mathsf {WIPOK}$.
2.
If w is not a fake witness of the form $(i_1^*, i_2^*, j^*, \ldots )$, $P^{**}$ aborts with output $\mathsf {fail}$. Otherwise, parse $(i_1^*, i_2^*, j^*, \mathsf {UA}_2, \mathsf {UA}_4, R) := w$. Then, $P^{**}$ sends $\mathsf {UA}_2$ to the external V and receives $\omega $.
3.
$P^{**}$ rewinds the internal $P^*$ to the point just after $P^*$ sent the $\mathsf {Com}$ commitments in the $i_2^*$th $\mathsf {UA}$-slot. Then, $P^{**}$ sends $\omega $ to $P^*$ as the verifier message of the $i_2^*$th $\mathsf {UA}$-slot, interacts with $P^*$ again as an honest verifier, and then extracts a witness $w'$ in Stage 3.
4.
If $w'$ is not a fake witness of the form $(i_1^*, i_2^*, j^*, \ldots )$, $P^{**}$ aborts with output $\mathsf {fail}$. Otherwise, parse $(i_1^*, i_2^*, j^*, \mathsf {UA}'_2, \mathsf {UA}'_4, R') := w'$. Then, $P^{**}$ sends $\mathsf {UA}'_4$ to the external V.

To analyze the probability that $P^{**}$ wins in $\mathsf {Exp}_1(n, P^{**})$, we first observe that the transcript of $\mathsf {cZKAOK}$ that is internally emulated by $P^{**}$ is “good” with probability at least $\delta '/2$. Formally, let $\mathsf {trans}$ be the prefix of a transcript of $\mathsf {cZKAOK}$ up until the prover message of the $i_2^*$th $\mathsf {UA}$-slot (inclusive). Then, we say that $\mathsf {trans}$ is good if under the condition that $\mathsf {trans}$ is a prefix of the transcript, a fake witness of the form $(i_1^*, i_2^*, j^*, \ldots )$ is extracted from $P^*$ with probability at least $\delta '/2$. From an average argument, the prefix of the transcript is good with probability at least $\delta '/2$ when $P^*$ interacts with an honest verifier of $\mathsf {cZKAOK}$. Then, since a transcript of $\mathsf {cZKAOK}$ is perfectly emulated in Step 1 of $P^{**}$, the prefix of the internally emulated transcript is good with probability at least $\delta '/2$.

We next observe that under the condition that the prefix of the internally emulated transcript is good in Step 1 of $P^{**}$, $P^{**}$ wins in $\mathsf {Exp}_1(n, P^{**})$ with probability at least $(\delta '/2)^2 - \mathsf {negl}(n)$. First, from the definition of a good prefix, it follows that under the condition that the prefix of the internally emulated transcript is good in Step 1 of $P^{**}$, the probability that both w and $w'$ are fake witnesses of the form $(i_1^*, i_2^*, j^*, \ldots )$ is at least $(\delta '/2)^2$. Next, if w and $w'$ are fake witnesses, both $\mathsf {UA}_2$ and $\mathsf {UA}'_2$ are the committed values of $D_{i_2^*, j^*}$, so $\mathsf {UA}_2 = \mathsf {UA}'_2$ holds except with negligible probability; this means that if w and $w'$ are fake witnesses, $(h, \mathsf {UA}_2, \omega , \mathsf {UA}'_4)$ is an accepting $\mathsf {UA}$ proof except with negligible probability. Hence, under the aforementioned condition, $P^{**}$ wins in $\mathsf {Exp}_1(n, P^{**})$ with probability at least $(\delta '/2)^2 - \mathsf {negl}(n)$.

By combining the above two observations, we conclude that the probability that $P^{**}$ wins in $\mathsf {Exp}_1(n, P^{**})$ is at least

$$\begin{aligned} \frac{\delta '}{2}\left( \left( \frac{\delta '}{2} \right) ^2 - \mathsf {negl}(n) \right) \ge \frac{1}{\mathsf {poly}(n)}. \end{aligned}$$

$\square $

Next, we show the following claim, which roughly states that if there exists $P^{**}$ that proves a statement in $\Lambda _2$ with non-negligible probability, then we can extract a valid witness from $P^{**}$ with non-negligible probability.

Claim 9

For any ITM $E^*$, let us consider an experiment $\mathsf {Exp}_2(n, E^*)$ in which $E^*$ interacts with a verifier V as follows.

1.
Interactively generating statement. This step is the same as the one in $\mathsf {Exp}_1$, where $E^*$ plays as P. Let $(h, \tau , C, r)$ be the interactively generated statement.
2.
Outputting witness.E outputs $w = (\mathrm {\Pi }, R, y)$. We say that E wins in the experiment if w is a valid witness for $(h, \tau , C, r) \in \Lambda _2$.

Then, if there exists a $\textsc {ppt} $ ITM $P^{**}$ that wins in $\mathsf {Exp}_1(n, P^{**})$ with non-negligible probability, there exists a $\mathsf {poly}(n^{\log \log n})$-time ITM $E^*$ that wins in $\mathsf {Exp}_2(n, E^*)$ with non-negligible probability.

Proof

We first observe that $\mathsf {UA}$ satisfies weak/global proof-of-knowledge property even when the statement is generated after the hash function h is chosen, i.e., even when the first-round message of $\mathsf {UA}$ is sent before the statement is generated. Roughly speaking, the $\mathsf {UA}$ extractor by [5] extracts a witness by combining the extractor of the underlying PCP system with an oracle-recovery procedure that (implicitly) recovers a PCP proof for the extractor of the PCP system. A nice property of the $\mathsf {UA}$ extractor by [5] is that it invokes the oracle-recovery procedure on input a random hash function h that is chosen independently of the statement. Because of this property, the $\mathsf {UA}$ extractor can be modified straightforwardly so that it works even when h is chosen before the statement.

We then obtain $E^*$ by simply using the global $\mathsf {UA}$ extractor for $P^{**}$. Since the running time of the global $\mathsf {UA}$ extractor is $\mathsf {poly}(n^{\log \log n})$, the running time of $E^*$ is also $\mathsf {poly}(n^{\log \log n})$. $\square $

Finally, we reach a contradiction by showing that given $E^*$ described in Claim 9, we can break the collision resistance of $\mathcal {H}$.

Claim 10

If there exists a $\mathsf {poly}(n^{\log \log n})$-time ITM $E^*$ that wins in $\mathsf {Exp}_2(n, E^*)$ with non-negligible probability, there exists a $\mathsf {poly}(n^{\log \log n})$-time machine $\mathcal {A}$ that breaks the collision resistance of $\mathcal {H}$.

Proof

We consider the following ${\mathcal {A}}$.

1.
Given $h\in \mathcal {H}$, ${\mathcal {A}}$ internally invokes $E^*$ and emulates $\mathsf {Exp}_2(n, E^*)$ for $E^*$ perfectly except that ${\mathcal {A}}$ forwards h to $E^*$ in Step 1. Let $(h, \tau , C, r)$ and w be the statement and the output of $E^*$ in this emulated experiment.
2.
If w is not a valid witness for $(h, \tau , C, r) \in \Lambda _2$, ${\mathcal {A}}$ aborts with output $\mathsf {fail}$. Otherwise, let $(\mathrm {\Pi }, R, y) := w$.
3.
${\mathcal {A}}$ rewinds $E^*$ to the point just after $E^*$ sent C, and from this point ${\mathcal {A}}$ emulates $\mathsf {Exp}_2(n, E^*)$ again with fresh randomness. Let $(h, \tau , C, r')$ be the statement and $w'$ be the witness in this emulated experiment.
4.
If $w'$ is not a valid witness for $(h, C, r') \in \Lambda _2$, ${\mathcal {A}}$ aborts with output $\mathsf {fail}$. Otherwise, let $(\mathrm {\Pi }', R', y') := w'$.
5.
${\mathcal {A}}$ outputs $(\mathrm {\Pi }, \mathrm {\Pi }')$ if $\mathrm {\Pi }\ne \mathrm {\Pi }'$ and $h(\mathrm {\Pi }) = h(\mathrm {\Pi }')$. Otherwise, ${\mathcal {A}}$ outputs $\mathsf {fail}$.

First, we show that both w and $w'$ are valid witnesses with non-negligible probability. From the assumption that $E^*$ wins in $\mathsf {Exp}_2(n, E^*)$ with non-negligible probability, $E^*$ outputs a valid witness in $\mathsf {Exp}_2(n, E^*)$ with probability $\epsilon {\mathop {=}\limits ^\mathrm{def}}1/\mathsf {poly}(n)$ for infinitely many $n$. In the following, we fix any such $n$. Let $\mathsf {trans}$ be the prefix of a transcript of $\mathsf {Exp}_2(n, E^*)$ up until $E^*$ sends C (inclusive). We say that $\mathsf {trans}$ is good if under the condition that $\mathsf {trans}$ is a prefix of the transcript, $E^*$ outputs a valid witness with probability at least $\epsilon /2$. From an average argument, the prefix of the internally emulated transcript is good with probability at least $\epsilon /2$. Thus, the probability that both w and $w'$ are valid witnesses is at least $(\epsilon /2)(\epsilon /2)^2 = (\epsilon /2)^3$.

Next, we show that when ${\mathcal {A}}$ obtains two valid witnesses $w = (\mathrm {\Pi }, R, y)$ and $w' = (\mathrm {\Pi }', R', y')$, we have $\mathrm {\Pi }\ne \mathrm {\Pi }'$ and $h(\mathrm {\Pi }) = h(\mathrm {\Pi }')$ except with negligible probability. First, from the binding property of $\mathsf {Com}$, we have $h(\mathrm {\Pi }) = h(\mathrm {\Pi }')$ except with negligible probability. (Recall that from the condition that w and $w'$ are valid witnesses, we have $\mathsf {Com}_{\tau }(h(\mathrm {\Pi }); R) = \mathsf {Com}_{\tau }(h(\mathrm {\Pi }'); R') = C$.) Next, since $r'$ is chosen randomly after $\mathrm {\Pi }$ is determined, and since we have

the probability that there exists $y''\in \{0,1 \}^{n}$ such that $r'$ is a substring of the output of $\mathrm {\Pi }(y'')$ is at most $2^{2n}/2^{n^2} = \mathsf {negl}(n)$. Then, since $r'$ is a substring of the output of $\mathrm {\Pi }'(y')$, we conclude that we have $\mathrm {\Pi }\ne \mathrm {\Pi }'$ except with negligible probability.

From the above two observations, we conclude that ${\mathcal {A}}$ finds a collision of $\mathcal {H}$ with non-negligible probability. $\square $

From Claims 8, 9, and 10, it follows that there exists no bad $P^*$. Thus, the extractor E outputs a witness for $x \in L$ except with negligible probability. This concludes the proof of Lemma 2. $\square $

4.2.1 On the proof of Lemma 2 when $\mathcal {H}$ is secure only against poly-time adversaries.

As noted before, we can use a trick by [5] to extend the above proof so that it works even when $\mathcal {H}$ is secure only against polynomial-time adversaries. Recall that in the above proof, $\mathcal {H}$ need to be secure against super-polynomial-time adversaries because a collision of $\mathcal {H}$ (i.e., the pair of $\mathrm {\Pi }$ and $\mathrm {\Pi }'$) is found by using the global argument-of-knowledge property of $\mathsf {UA}$. Hence, the overall strategy is to modify the protocol and the proof so that the weak argument-of-knowledge property can be used instead of the global one.

Roughly speaking, the trick by [5] works as follows. Recall that, as noted in Sect. 3.2, $\mathcal {H}$ is a hash function family that is obtained by applying Merkle’s tree-hashing technique on any length-halving collision-resistant hash function family. From the properties of the tree hashing, it follows that for any $h\in \mathcal {H}_{n}$ and $x = (x_1, \ldots , x_{| x |})\in \{0,1 \}^{\le n^{\log \log n}}$, we can compute short certificates $\mathsf {auth}(x) = \{\mathsf {auth}_i(x) \}_{i\in [| x |]}$ such that given h(x), $x_i$, and $\mathsf {auth}_i(x)$, one can verify in time polynomial in $n$ that the ith bit of x is indeed $x_i$. Furthermore, for any collision $(x, x')$ of $\mathcal {H}$, a collision of the underlying hash function can be found in polynomial time from any pairs of a bit and a certificate $(x_i, \mathsf {auth}_i(x))$ and $(x'_i, \mathsf {auth}_i(x'))$ such that $x_i \ne x'_i$. Then, the idea of the trick by [5] is, instead of finding a collision of $\mathcal {H}$ by extracting the whole of $\mathrm {\Pi }$ and $\mathrm {\Pi }'$, finding a collision of the underlying hash function by extracting $\mathrm {\Pi }$ and $\mathrm {\Pi }'$ in a single bit position along with their certificates. Specifically, in the trick by [5], the language $\Lambda _2$ is first modified in such a way that a witness includes the certificates of the committed machine so that, if we know a bit position in which $\mathrm {\Pi }$ and $\mathrm {\Pi }'$ differ, we can find a collision of the underlying hash function by extracting $\mathrm {\Pi }$ and $\mathrm {\Pi }'$ in that position along with the corresponding certificates. Then, to make sure that we can find a position in which $\mathrm {\Pi }$ and $\mathrm {\Pi }'$ differ with non-negligible probability, the language $\Lambda _2$ is further modified in such a way that the cheating prover is required to commit to the hash value of $\mathsf {ECC}(\mathrm {\Pi })$ instead of the hash value of $\mathrm {\Pi }$, where $\mathsf {ECC}$ is an error-correcting code with constant relative distance and with polynomial-time encoding and decoding; since $\mathsf {ECC}(\mathrm {\Pi })$ and $\mathsf {ECC}(\mathrm {\Pi }')$ differ in a constant fraction of their indices, they differ in a randomly chosen position with constant probability. Since we can extract $\mathsf {ECC}(\mathrm {\Pi })$ and $\mathsf {ECC}(\mathrm {\Pi }')$ in a single position along with their certificates in time polynomial in $n$ using the weak argument-of-knowledge property of $\mathsf {UA}$, the proof now works under collision resistance against polynomial-time adversaries.

More formally, the trick by [5] works as follows. First, we replace the language $\Lambda _2$ in Fig. 8 with the one in Fig. 9. Next, we modify Claim 9 in such a way that $E^*$ is required to extract a witness only implicitly (i.e., output the ith bit of the witness on input any i); the proof of Claim 9 is the same as before except that we use weak argument-of-knowledge property instead of global one. Finally, we modify the proof of Claim 10 in such a way that, instead of extracting the whole of w and $w'$, the adversary ${\mathcal {A}}$ extracts $\mathsf {ECC}(\mathrm {\Pi })$ and $\mathsf {ECC}(\mathrm {\Pi }')$ only in a randomly chosen bit position and then extracts the certificates that correspond to that position; also, at the end $\mathcal {A}$ outputs a collision of the underlying hash function if $\mathcal {A}$ can compute it from the extracted bits and certificates. From essentially the same argument as before, it follows that $\mathcal {A}$ finds a collision of the underlying hash function with non-negligible probability. Since the running time of $\mathcal {A}$ is now bounded by a polynomial, we can derive a contradiction even when the underlying hash function is collision resistant only against polynomial-time adversaries.

Notes

We use “$\mathrm {ZK}$ protocols” to denote $\mathrm {ZK}$ proofs and arguments.
The notion of “straight-line simulation” is, unfortunately, hard to formalize. I this paper, we use it only informally.
Here, $n^{\log \log n}$ can be replaced with any super-polynomial function. We use $n^{\log \log n}$ for concreteness.
The circularity about the simulator committing to a machine that emulates the simulator itself can be avoided by separating it to the main simulator $\mathcal {S}$ and an auxiliary simulator $\mathsf {aux}\text {-}\mathcal {S}$. Roughly speaking, $\mathsf {aux}\text {-}\mathcal {S}$ takes a code of a machine $\mathrm {\Pi }$ as input and does simulation by committing to $\mathrm {\Pi }$; then, $\mathcal {S}$ invokes $\mathsf {aux}\text {-}\mathcal {S}$ with input $\mathrm {\Pi }= \mathsf {aux}\text {-}\mathcal {S}$.
This assumption is used only in this overview.
Since the length of the $\mathsf {WIPOK}$ witnesses is bounded by a fixed polynomial, the sizes of the committed machines do not blow up even when they contain every previously generated $\mathsf {WIPOK}$ witness.
When the code of the simulator is committed, the randomness used for generating this commitment is also committed; thus, if a protocol is designed naively, we need a commitment scheme such that the committed value is hidden even when it contains the randomness used for the commitment.
In fact, every language in $\mathcal {NEXP}$ is polynomial-time reducible to $L_{\mathcal {U}}$.
From the construction of $\mathcal {S}$ and $\mathsf {aux}\text {-}\mathcal {S}$, the first prover message of $\mathsf {WIPOK}$ in $\mathsf {trans}$ must have been computed with witness $w_s$ and randomness in $\rho _1, \ldots , \rho _{\kappa }$.
From the construction of $\mathsf {aux}\text {-}\mathcal {S}$, every message in the kth child-block is computed by using randomness in $\rho _{\mathsf {head}(k)}, \ldots , \rho _{\mathsf {head}(k+1)-1}$.
The definition of good blocks here is slightly different from that in the technical overview in Sect. 2.2.
From the construction of $\mathcal {S}$ and $\mathsf {aux}\text {-}\mathcal {S}$, the first prover message of $\mathsf {WIPOK}$ in $\mathsf {trans}$ must have been computed with witness $w_s$ and randomness in $\rho _1, \ldots , \rho _{\kappa }$.
From the construction of $\mathsf {aux}\text {-}\mathcal {S}$, every message in the kth child-block is computed by using randomness in $\rho _{\mathsf {head}(k)}, \ldots , \rho _{\mathsf {head}(k+1)-1}$.

References

S. Arora, S. Safra, Probabilistic checking of proofs: a new characterization of np. J. ACM, 45(1), 70–122 (1998)
Article MathSciNet MATH Google Scholar
B. Barak, How to go beyond the black-box simulation barrier, in FOCS, pp. 106–115 (2001)
G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Article MathSciNet MATH Google Scholar
M. Bellare, O. Goldreich, On defining proofs of knowledge, in CRYPTO, pp. 390–420 (1992)
B. Barak, O. Goldreich, Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2009)
Article MathSciNet MATH Google Scholar
B. Barak, O. Goldreich, S. Goldwasser, Y. Lindell, Resettably-sound zero-knowledge and its applications, in FOCS, pp. 116–125 (2001)
M. Blum, How to prove a theorem so no one else can claim it, in The International Congress of Mathematicians, pp. 1444–1451 (1986)
N. Bitansky, O. Paneth, From the impossibility of obfuscation to a new non-black-box simulation technique, in FOCS, pp. 223–232 (2012)
N. Bitansky, O. Paneth, On the impossibility of approximate obfuscation and applications to resettable cryptography, in STOC, pp. 241–250 (2013)
N. Bitansky, O. Paneth, On non-black-box simulation and the impossibility of approximate obfuscation. SIAM J. Comput 44(5), 1325–1383 (2015)
Article MathSciNet MATH Google Scholar
M. Bellare, B.S. Yee, Forward-security in private-key cryptography, in CT-RSA, pp. 1–18 (2003)
R. Canetti, O. Goldreich, S. Goldwasser, S. Micali, Resettable zero-knowledge, in STOC, pp. 235–244 (2000)
R. Canetti, J. Kilian, E. Petrank, A. Rosen, Black-box concurrent zero-knowledge requires (almost) logarithmically many rounds. SIAM J. Comput. 32(1), 1–47 (2002)
Article MathSciNet MATH Google Scholar
R. Canetti, H. Lin, O. Paneth, Public-coin concurrent zero-knowledge in the global hash model, in TCC, pp. 80–99 (2013)
K.-M. Chung, H. Lin, R. Pass, Constant-round concurrent zero knowledge from P-certificates, in FOCS, pp. 50–59 (2013)
K.-M. Chung, H. Lin, R. Pass, Constant-round concurrent zero-knowledge from indistinguishability obfuscation, in CRYPTO, pp. 287–307 (2015)
Y. Deng, V. Goyal, A. Sahai, Resolving the simultaneous resettability conjecture and a new non-black-box simulation strategy, in FOCS, pp. 251–260 (2009)
C. Dwork, M. Naor, A. Sahai, Concurrent zero-knowledge. J. ACM 51(6), 851–898 (2004)
Article MathSciNet MATH Google Scholar
U. Feige, A. Shamir, Witness indistinguishable and witness hiding protocols, in STOC, pp. 416–426 (1990)
V. Goyal, D. Gupta, A. Sahai, Concurrent secure computation via non-black box simulation, in CRYPTO, pp. 23–42 (2015)
O. Goldreich, H. Krawczyk, On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)
Article MathSciNet MATH Google Scholar
S. Goldwasser, S. Micali, and C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Article MathSciNet MATH Google Scholar
O. Goldreich, S. Micali, A. Wigderson, Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
Article MathSciNet MATH Google Scholar
V. Goyal, Non-black-box simulation in the fully concurrent setting, in STOC, pp. 221–230 (2013)
J. Htad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Article MathSciNet MATH Google Scholar
J. Kilian, E. Petrank, Concurrent and resettable zero-knowledge in poly-loalgorithm rounds, in STOC, pp. 560–569 (2001)
S. Micali, Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
Article MathSciNet MATH Google Scholar
M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 1991.
Article MATH Google Scholar
O. Pandey, M. Prabhakaran, A. Sahai, Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP, in TCC, pp. 638–667 (2015)
R. Pass, A. Rosen, New and improved constructions of non-malleable cryptographic protocols, in STOC, pp. 533–542 (2005)
M. Prabhakaran, A. Rosen, A. Sahai, Concurrent zero knowledge with logarithmic round-complexity, in FOCS, pp. 366–375 (2002)
R. Pass, A. Rosen, W.-L. D. Tseng, Public-coin parallel zero-knowledge for NP. J. Cryptol. 26(1), 1–10 (2013)
Article MathSciNet MATH Google Scholar
R. Pass, W.-L.D. Tseng, D. Wikstrm, On the composition of public-coin zero-knowledge protocols, in CRYPTO, pp. 160–176 (2009)
R. Richardson, J. Kilian, On the concurrent composition of zero-knowledge proofs, in EUROCRYPT, pp. 415–431 (1999)

Download references

Acknowledgements

The author greatly thanks the anonymous reviewers of Journal of Cryptology and TCC 2015 for their useful comments about the presentation of this paper. I also thank an anonymous reviewer of TCC 2015 for pointing out an error that I made in an earlier version of this paper.

Author information

Authors and Affiliations

NTT Secure Platform Laboratories, Tokyo, Japan
Susumu Kiyoshima

Authors

Susumu Kiyoshima
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Susumu Kiyoshima.

Additional information

Communicated by Jonathan Katz.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is based on an earlier article: An Alternative Approach to Non-black-box Simulation in Fully Concurrent Setting, in Proceedings of TCC 2015, ©IACR 2015, https://doi.org/10.1007/978-3-662-46494-6_13.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Kiyoshima, S. Non-black-box Simulation in the Fully Concurrent Setting, Revisited. J Cryptol 32, 393–434 (2019). https://doi.org/10.1007/s00145-018-09309-5

Download citation

Received: 30 November 2015
Revised: 12 September 2018
Published: 06 February 2019
Issue Date: 15 April 2019
DOI: https://doi.org/10.1007/s00145-018-09309-5

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Non-black-box Simulation in the Fully Concurrent Setting, Revisited

Abstract

Similar content being viewed by others

A New Framework for More Efficient Round-Optimal Lattice-Based (Partially) Blind Signature via Trapdoor Sampling

A Formal Security Analysis of the Signal Messaging Protocol

A Formal Analysis of the FIDO2 Protocols

1 Introduction

1.1 Our Result

Theorem

2 Overview of Our Technique

2.1 Known Techniques

2.2 Our Techniques

2.3 Comparison with the Simulation Technique of Goyal [24]

3 Preliminary

3.1 Notations

3.2 Tree Hashing

3.3 Naor’s Commitment Scheme

3.4 Interactive Proofs and Arguments

Definition 1

Definition 2

Definition 3

3.5 Concurrent Zero-Knowledge Proofs/Arguments

Definition 4

Remark 1

3.6 PCP and Universal Argument

3.6.1 Universal Language \(L_{\mathcal {U}}\)

3.6.2 PCP System

Definition 5

Definition 6

3.6.3 Universal Argument

Definition 7

3.7 Forward-Secure PRG

Definition 8

4 Our Public-Coin Concurrent Zero-Knowledge Argument

Theorem 1

Proof

Lemma 1

Lemma 2

Remark 2

4.1 Concurrent Zero-Knowledge Property

Proof of Lemma 1

4.1.1 Simulator \(\mathcal {S}\)

4.1.2 Informal Description of \(\mathcal {S}\)

4.1.3 Formal Description of \(\mathcal {S}\)

4.1.4 \(\underline{\hbox {Simulator}\, \mathcal {S}(x, z):}\)

4.1.5 \(\underline{\hbox {Auxiliary Simulator}\, \mathsf {aux}\text {-}\mathcal {S}^{\mathsf {T}_{\mathrm {\Pi }}, \mathsf {T}_{\mathsf {UA}}, \mathsf {T}_{\mathsf {W}}}(x, z, \ell , \mathrm {\Pi }, \mathsf {trans}, \sigma ):}\)

4.1.6 Correctness of \(\mathcal {S}\).

Claim 1

Proof

4.1.7 Running Time of \(\mathcal {S}\)

Lemma 3

Proof

4.1.8 Indistinguishability of Views

Lemma 4

Proof

4.1.9 \(\underline{\hbox {Hybrids}\, H_0, \ldots , H_{q^d+1}:}\)

Claim 2

Proof

Claim 3

Proof

Claim 4

Proof

Claim 5

Proof

Claim 6

Proof

Claim 7

Proof

4.2 Argument of Knowledge Property

Proof of Lemma 2

Claim 8

Proof

Claim 9

Proof

Claim 10

Proof

4.2.1 On the proof of Lemma 2 when \(\mathcal {H}\) is secure only against poly-time adversaries.

Notes

References

Acknowledgements