1 Introduction

In this work we study probabilistically checkable proofs with zero-knowledge properties, and establish a connection between such proofs and leakage-resilient circuits. Before describing our main results, we first give a short overview of these objects.

Probabilistically Checkable Proof (PCP) systems [1, 2] are proof systems that allow an efficient randomized verifier, with oracle access to a purported proof generated by an efficient prover (that is also given the witness), to probabilistically verify claims of the form “\(x\in L\)” (for an NP-language L) by probing only a few bits of the proof. The verifier accepts the proof of a true claim with probability 1 (the completeness property), and rejects false claims with high probability (the probability that the verifier accepts a false claim is called the soundness error). The celebrated PCP theorem [1, 2, 8] asserts that any NP language admits a PCP system with soundness error 1/2 in which the verifier reads only a constant number of proof bits (soundness can be amplified using repetition). Moreover, the verifier is non-adaptive, namely its queries are determined solely by its randomness (a verifier is adaptive if each of its queries may also depend on the oracle answers to previous queries).

A very different kind of proof is the zero-knowledge (ZK) proof [14], namely a proof that carries no extra knowledge other than being convincing. Combining the advantages of ZK proofs and PCPs, a zero-knowledge PCP (ZKPCP) is defined similarly to a traditional PCP, except that the proof is also randomized and there is the additional guarantee that the view of any (possibly malicious) verifier who makes a bounded number of queries can be efficiently simulated up to a small statistical distance.

Previous ZKPCP constructions [17, 19, 21] are obtained from standard (i.e., non-ZK) PCPs in two steps. First, the standard PCP is transformed into a PCP with a weaker “honest-verifier” ZK guarantee (which is much easier to achieve than full-fledged ZK). Then, this “honest-verifier” ZKPCP is combined with an unconditionally secure oracle-based commitment primitive called a “locking scheme” [17, 21]. This transformation yields ZKPCPs for NP with statistical ZK against query-bounded malicious verifiers, namely ones limited to asking at most \(p (\left| x\right| )\) queries, for some fixed polynomial p that is much smaller than the proof length, but can be much bigger than the (polylogarithmic) number of queries asked by the honest verifier.

A common limitation of all previous ZKPCP constructions is that they require adaptive verification, even if the underlying non-ZK PCP can be non-adaptively verified. This raises the natural question of constructing PCPs that can be non-adaptively verified, and guarantee ZK against malicious verifiers. We note that the adaptivity of the verifier is inherent to any locking-scheme-based ZKPCP, since the unconditional security of locking schemes makes their opening inherently adaptive. Therefore, constructing ZKPCPs that can be verified non-adaptively requires a new approach towards ZKPCP construction. An additional advantage of eliminating the use of locking schemes is the possibility of constructing ZKPCPs preserving the proof length (which is important when these are used for cryptographic applications as described below), since locking schemes inherently incur a polynomial blow-up in the PCP length.

Motivated by these goals, we suggest a new approach for the construction of ZKPCPs. We apply leakage-resilient circuit compilers (LRCCs) to construct witness-indistinguishable PCPs (WIPCPs) for NP, a weaker variant of ZKPCPs in which the simulation is not required to be efficient. We then apply the so-called “FLS technique” [12] to convert these WIPCPs into computational ZKPCPs (CZKPCPs) in the common random string (CRS) model, based on the existence of one-way functions (OWFs). In such a CZKPCP, the view of any query-bounded PPT verifier can be efficiently simulated, in a way which is computationally indistinguishable from the actual view.

Informally, an LRCC compiles any circuit into a new circuit that operates on encoded inputs, and withstands side-channel attacks in the sense that these reveal nothing about the (properly encoded) input, other than what follows from the output. Works on LRCCs obtained information-theoretic security for different classes of leakage functions [10, 11, 15, 18, 23, 25].

Other than the theoretical interest in this question, our study of PCPs with ZK properties is motivated by their usefulness for cryptographic applications. For instance, ZKPCPs are the underlying combinatorial building blocks of succinct zero-knowledge arguments, which have been the subject of a large body of recent work (see, e.g., [35] and references therein).

A more direct application of WIPCPs and ZKPCPs is for implementing efficiently verifiable zero-knowledge proofs in a distributed setting involving a prover, verifier, and multiple (potentially corrupted) servers. In this setting a prover can distribute a ZKPCP among the servers, allowing the verifier to efficiently verify the claim by polling a small random subset of the servers. In this and similar situations, ZKPCPs that only offer security against an honest verifier are not sufficient for protecting against colluding servers. We use our non-adaptively verifiable WIPCPs and CZKPCPs for NP to construct 3-round WI and CZK proofs for NP in this distributed setting, in which the total communication with the verifier is sublinear in the input length. The WI proofs are unconditional, whereas the CZK proofs are based on the existence of OWFs. This should be contrasted with standard sublinear ZK arguments, which require at least 4 rounds of interaction and rely on the existence of collision-resistant hash functions. We refer the reader to, e.g., [17] for additional discussion of ZKPCPs and their applications.

1.1 Our Results and Techniques

We now give a more detailed account of our results, and the underlying techniques.

From LRCCs and PCPs to WIPCPs. Let L be an NP-language with a corresponding NP-relation \(\mathcal {R}_L\), and a boolean circuit C verifying \(\mathcal {R}_L\). Recall that the prover P in a PCP system for \(\mathcal {R}_L\) is given the input x and a witness y for the membership of x in L, and outputs a proof \(\pi \) that is obtained by applying some function \(f_P\) to x, y. For our purposes, it would be more convenient to think of \(f_P\) as a function of the entire wire values w of C, when evaluated on x, y. In a ZKPCP, any few bits in the output of \(f_P\) should reveal essentially nothing about the wire values w, i.e., C should withstand “leakage” from \(f_P\). In general, we cannot assume that C has this guarantee, but using an LRCC, C can be compiled into a circuit \(\hat{C}\) with this property. Informally, an LRCC is associated with a function class \(\mathcal {L}\) (the leakage class) and a (randomized) input encoding scheme \(\mathsf{{E}} \), and compiles a deterministic circuit C into a deterministic circuit \(\hat{C}\), that emulates C, but operates on an encoded input. It is leakage-resilient in the following sense: for any input z for C, and any \(\ell \in \mathcal{{L}}\), the output of \(\ell \) on the wire values of \(\hat{C}\), when evaluated on \(\mathsf{{E}} \left( z\right) \), reveals nothing other than \(C\left( z\right) \). This is formalized in the simulation-based paradigm (i.e., the wire values of \(\hat{C}\) can be efficiently simulated given only \(C\left( z\right) \)).

We establish a connection between ZKPCPs and LRCCs. Assume the existence of an LRCC associated with a leakage class \(\mathcal {L}\), such that any restriction \(f_P^{\mathcal{{I}}}\) of \(f_P\) to a “small” subset \(\mathcal{{I}}\) of its outputs satisfies \(f_P^{\mathcal{{I}}}\in \mathcal{{L}}\). Then the oracle answers to the queries of a query-bounded verifier V correspond to functions in \(\mathcal{{L}}\), since for every possible set \(\mathcal{{I}}\) of oracle queries, the answers are \(f_P^{\mathcal{{I}}}\left( w\right) \). Therefore, if w is the wire values of a leakage-resilient circuit then the system is ZK. This gives a general method of transforming standard PCPs into ZKPCPs: P and V replace \(C_x=C\left( x,\cdot \right) \) (i.e., C with x hard-wired into it) with \(\hat{C_x}\); and P proves that \(\hat{C_x}\) is satisfiable by generating the PCP \(\pi \) from the wire values of \(\hat{C_x}\).
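
To make the transformation concrete, the following schematic sketch spells out the prover and verifier. It is only illustrative: every helper name in it (compile_lrcc, encode_input, wire_values, pcp_prove, pcp_verify) is a hypothetical placeholder for the SAT-respecting LRCC, its input encoder, and an underlying standard non-adaptive PCP, and is not part of the constructions in this paper.

    # Schematic sketch only; all helpers below are hypothetical placeholders
    # for the SAT-respecting (relaxed) LRCC and a standard non-adaptive PCP.

    def wipcp_prove(C_x, witness):
        """C_x is the verification circuit with x hard-wired; witness satisfies it."""
        C_hat = compile_lrcc(C_x)                # compile C_x into a leakage-resilient C_hat
        w_hat = encode_input(witness)            # randomized encoding E(witness)
        wires = wire_values(C_hat, w_hat)        # all wire values of C_hat on the encoding
        return pcp_prove(C_hat, wires)           # standard PCP proving C_hat is satisfiable

    def wipcp_verify(C_x, proof_oracle):
        C_hat = compile_lrcc(C_x)                # compilation is deterministic, so V recomputes it
        return pcp_verify(C_hat, proof_oracle)   # the standard non-adaptive PCP verifier

Any query-bounded set of proof bits is then a function of the wires of \(\hat{C_x}\) that lies in \(\mathcal{{L}}\), so the leakage-resilience of the compiler yields the ZK (or, for a relaxed LRCC, WI) guarantee.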

This transformation crucially relies on the fact that \(\hat{C_x}\) emulates \(C_x\) (e.g., if \(\hat{C_x}\) always outputs 1 then the resultant PCP system is not sound). However, in current constructions of LRCCs (e.g., [11, 18, 23]), this holds only if the encoded input of \(\hat{C_x}\) was honestly generated. Moreover, there always exists a choice of an ill-formed “encoding” that satisfies \(\hat{C_x}\) (i.e., causes it to output 1). In our case the prover generates the encoded input of \(\hat{C_x}\) (the verifier does not know this input), so a malicious prover can pick an ill-formed “encoding” that satisfies \(\hat{C_x}\), causing the verifier to accept with probability 1. Therefore, soundness requires that if \(C_x\) is not satisfiable, then there exists no satisfying input for \(\hat{C_x}\) (either well- or ill-formed), a property which we call SAT-respecting. Our main tool is a SAT-respecting LRCC, which we construct based on the LRCC of Faust et al. [11]. To describe our construction, we first need to delve deeper into their construction.

The LRCC of [11] transforms a circuit C into a circuit \(\hat{C}\) that operates on encodings generated by a linear encoding scheme, and emulates the operations of C on these encodings. Leakage-resilience against functions in a restricted function class \(\mathcal {L}\) is obtained by “refreshing” the encoded intermediate values of the computation after every operation, using encodings of 0. (The LRCCs of [18, 23] operate essentially in the same way.) The input of \(\hat{C}\) includes sufficiently many encodings of 0 to be used for the entire computation. However, by providing \(\hat{C}\) also with 1-encodings (i.e., encodings of 1), one can change the functionality emulated by \(\hat{C}\). (In particular, if the encoding “refreshing” the output gate is a 1-encoding, the output is flipped.) This is not just an artifact of the construction, but rather is essential for their leakage-resilience argument. Concretely, to simulate the wire values of \(\hat{C}\) without knowing its input, the simulator sometimes uses 1-encodings, which rules out the natural solution of verifying that the encodings used for “refreshing” are 0-encodings. We observe that if C were emulated twice, it would suffice to know that at least one copy used only 0-encodings, since then \(\hat{C}\) is satisfiable only if the honestly-evaluated copy is satisfiable (i.e., C is satisfiable). At first, this may seem like no help at all, but it turns out that by emulating C twice, we can construct what we call a relaxed LRCC, which is similar to an LRCC, except that the simulator is not required to be efficient. Specifically, assume that before compiling C into \(\hat{C}\), we would replace it with a circuit \(C'\) that computes C twice, and outputs the AND of both evaluations. Then \(\hat{C'}\) would be relaxed leakage-resilient, since an unbounded simulator could simulate the wire values of \(\hat{C'}\) by finding a satisfying input \(z_S\) for C, and honestly evaluating \(\hat{C'}\) on a pair of encodings of \(z_S\). Using a hybrid argument, we can prove that functions in \(\mathcal{{L}}\) cannot distinguish the simulated wire values \(\mathcal {W}_S\) from the actual wire values \(\mathcal {W}_R\) of \(\hat{C'}\) when evaluated on a satisfying input \(z_R\). Indeed, we can first replace the input in the first copy from \(z_R\) to \(z_S\) (using the leakage-resilience of the LRCC of [11] to claim that functions in \(\mathcal{{L}}\) cannot distinguish this hybrid distribution from \(\mathcal {W}_R\)), then do the same in the second copy. By replacing the inputs one at a time, we only need to use 1-encodings in a single copy. However, holding two copies of the original circuit still does not guarantee that the evaluation in at least one of them uses only 0-encodings.
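
As a toy illustration of why the “refreshing” encodings can change the emulated functionality, assume (for concreteness only; the exact refreshing mechanism of [11] differs in its details) a linear encoding in which refreshing adds a masking encoding \(\mathbf m \) to an encoding \(\hat{v}\) of a value v. Linearity of the decoding then gives

    $$\mathsf{{Dec}} \left( \hat{v}+\mathbf m \right) =\mathsf{{Dec}} \left( \hat{v}\right) +\mathsf{{Dec}} \left( \mathbf m \right) = {\left\{ \begin{array}{ll} v, &{} \text {if } \mathbf m \text { is a 0-encoding,}\\ v+1, &{} \text {if } \mathbf m \text { is a 1-encoding,} \end{array}\right. }$$

so 0-encodings only re-randomize the wires, whereas a 1-encoding refreshing the output gate flips the output over \({\mathbb {F}}_2\).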

The natural solution would again be to add a sub-circuit verifying that the encodings used are 0-encodings, but this sub-circuit should hide the identity of the “correctly evaluated” copy. This is because the hybrid argument described above first uses 1-encodings in the first copy (and 0-encodings in the second), and then uses 1-encodings in the second copy (and only 0-encodings in the first). Therefore, if functions in \(\mathcal{{L}}\) could determine which copy uses only 0-encodings, they could also distinguish between the hybrids. Instead, we describe an “oblivious” checker \(\mathcal{{T}}_0\), which at a high-level operates as follows. To check that either the first or the second copy uses only 0-encodings, it checks that for every pair of encodings, one from the first copy, and one from the second, the product of the encoded values is 0. To guarantee that leakage on \(\mathcal{{T}}_0\) reveals no information regarding which copy uses only 0-encodings, we use the LRCC of [11] to compile \(\mathcal{{T}}_0\) into a leakage-resilient circuit \(\hat{\mathcal{{T}}_0}\). This introduces the additional complication that now we must also verify the encodings used to “refresh” the computation in \(\hat{\mathcal{{T}}_0}\) (otherwise 1-encodings may be used, potentially changing the functionality of \(\hat{\mathcal{{T}}}_0\) and rendering it useless). However, since \(\hat{\mathcal{{T}}_0}\) does not operate directly on the inputs to \(\hat{C'}\) (it operates only on the encodings used for “refreshing”), we show that the “refreshing” encodings used in \(\hat{\mathcal{{T}}_0}\) can be checked directly (by decoding the encoded values and verifying that they are 0). Additional technicalities arise since introducing these additional components prevents us from using the LRCC of [11] as a black box (see Sect. 3 for additional details on the analysis). Finally, we note that our circuit-compiler is relaxed-leakage-resilient because in all hybrids, we need the honestly-evaluated copy to be satisfied, so the simulator needs to find a satisfying input for C. This is also the reason that we get WIPCPs, and not ZKPCPs. If we had a SAT-respecting (non-relaxed) LRCC, the transformation described above would give a ZKPCP. However, we show that known LRCCs withstanding global leakage [11, 18, 23] cannot be transformed into SAT-respecting non-relaxed LRCCs (i.e., LRCCs with an efficient simulator), unless \(\mathsf{{NP}} \subseteq \mathsf{{BPP}}\). Intuitively, this is because these constructions admit a simulator which is universal in the sense that it simulates the wire values of the compiled circuit without knowing the leakage function, and the simulated values “fool” all functions in \(\mathcal {L}\). Combining such a SAT-respecting LRCC with PCPs for NP (through the transformation described above) would give a BPP algorithm for deciding any NP-language.

Constructing WIPCPs for NP. Recall that our general transformation described above relied on \(f_P\) being in the function class \(\mathcal{{L}}\) that is associated with the SAT-respecting relaxed LRCC. We observe that the PCP system of Arora and Safra [2] has the property that every “small” subset of proof bits can be generated using a low-depth circuit of polynomial size over the operations \(\wedge ,\vee ,\lnot ,\oplus \), with “few” \(\oplus \) gates. We use recent correlation bounds of Lovett and Srinivasan [22], which roughly state that such circuits have negligible correlation with the boolean function that counts the number of 1’s modulo 3 in its input, to construct a SAT-respecting circuit compiler that is relaxed leakage-resilient with respect to this function class. Combining this relaxed LRCC with our general transformation, we prove the following, where NA-WIPCP denotes the class of all NP-languages that have a PCP system with a negligible soundness error, polynomial-length proofs, a non-adaptive honest verifier that queries poly-logarithmically many proof bits, and WI against (adaptive) malicious verifiers that query a fixed polynomial number of proof bits.

Theorem 1

(NA-WIPCPs for NP). \(\mathsf{{NP}} =\mathsf{{NA-WIPCP}} \).

Constructing CZKPCPs for NP. Using a general technique of Feige et al. [12], and assuming the existence of OWFs, we transform our WIPCP into a CZKPCP in the CRS model, in which the PCP prover and verifier both have access to a common random string. Concretely, we prove the following result, where NA-CZKPCP corresponds exactly to the class NA-WIPCP, except that the WI property is replaced with CZK in the CRS model.

Corollary 1

(NA-CZKPCPs for NP). Assume that OWFs exist. Then \(\mathsf{{NP}} =\mathsf{{NA-CZKPCP}} \).

In Sect. 4 we describe a simple alternative approach for constructing CZKPCPs by applying a PCP on top of a standard non-interactive zero-knowledge (NIZK) proof. This should be contrasted with our main construction, which relies only on OWFs.

2 Preliminaries

Let \(\mathbb {F}\) be a finite field, and \(\varSigma \) be a finite alphabet (i.e., a set of symbols). In the following, function composition is denoted as \(f\circ g\), where \(\left( f\circ g\right) \left( x\right) :=f\left( g\left( x\right) \right) \). If F, G are families of functions then \(F\circ G=\{f\circ g:f\in F,g\in G\}\). Vectors will be denoted by boldface letters (e.g., \(\mathbf a \)). If \(\mathcal {D}\) is a distribution then \(X\leftarrow \mathcal {D}\), or \(X\in _R \mathcal {D}\), denotes sampling X according to the distribution \(\mathcal {D}\). Given two distributions X, Y, \(\mathsf{{SD}} \left( X,Y\right) \) denotes the statistical distance between X and Y. For a natural number n, \(\mathsf{{negl}} \left( n\right) \) denotes a function that is negligible in n. For a function family \(\mathcal {L}\), we sometimes use the term “leakage family \(\mathcal {L}\)”, or “leakage class \(\mathcal {L}\)”. In the following, n usually denotes the input length, m usually denotes the output length, d, s denote depth and size, respectively (e.g., of circuits, as defined below), t is used to count \(\oplus \) gates, and \(\sigma \) is a security parameter. We assume that standard cryptographic primitives (e.g., OWFs) are secure against non-uniform adversaries.

Definition 1

(Leakage-indistinguishability of distributions). Let \(D,D'\) be finite sets, \(\mathcal {L}=\{\ell :D\rightarrow D'\}\) be a family of leakage functions, and \(\epsilon >0\). We say that two distributions X, Y over D are \(\left( \mathcal {L},\epsilon \right) \)-leakage-indistinguishable, if for any function \(\ell \in \mathcal {L}\), \(\mathsf{{SD}} \left( \ell \left( X\right) ,\ell \left( Y\right) \right) \le \epsilon \).

Remark 1

In case \(\mathcal {L}\) consists of functions over different domains, we say that X, Y over D are \(\left( \mathcal {L},\epsilon \right) \)-leakage-indistinguishable if \(\mathsf{{SD}} \left( \ell \left( X\right) ,\ell \left( Y\right) \right) \le \epsilon \) for every function \(\ell \in \mathcal {L}\) with domain D.

Encoding schemes. An encoding scheme \(\mathsf {E}\) over alphabet \(\varSigma \) is a pair \(\left( \mathsf{{Enc}},\mathsf{{Dec}}\right) \) of algorithms, where the encoding algorithm \(\mathsf{{Enc}}\) is a probabilistic polynomial-time (PPT) algorithm that given a message \(x \in \varSigma ^n\) outputs an encoding \(\hat{x}\in \varSigma ^{\hat{n}}\) for some \(\hat{n} = \hat{n}\left( n\right) \); and the decoding algorithm \(\mathsf{{Dec}}\) is a deterministic algorithm that, given an \(\hat{x}\) of length \(\hat{n}\) in the image of \(\mathsf{{Enc}}\), outputs an \(x\in \varSigma ^n\). Moreover, \(\Pr \left[ \mathsf{{Dec}}\left( \mathsf{{Enc}}\left( x\right) \right) =x\right] =1\) for every \(x\in \varSigma ^n\). We say that \(\mathsf{{E}}\) is onto if \(\mathsf{{Dec}}\) is defined for every \(x\in \varSigma ^{\hat{n}\left( n\right) }\).

An encoding scheme \(\mathsf{{E}}=\left( \mathsf{{Enc}},\mathsf{{Dec}}\right) \) over \(\mathbb {F}\) is linear if for every n, n divides \(\hat{n}\left( n\right) \), and there exists a decoding vector \(\mathbf r ^{\hat{n}\left( n\right) }\in \mathbb {F}^{\hat{n}\left( n\right) /n}\) such that the following holds for every \(x\in \mathbb {F}^n\). First, every encoding \(\mathbf y \) in the support of \(\mathsf{{Enc}}\left( x\right) \) can be partitioned into n equal-length parts \(\mathbf y =\left( \mathbf y ^1,...,\mathbf y ^n\right) \). Second, \(\mathsf{{Dec}}\left( \mathbf y \right) =\left( \langle \mathbf r ^{\hat{n}\left( n\right) },\mathbf y ^1\rangle , ...,\langle \mathbf r ^{\hat{n}\left( n\right) },\mathbf y ^n\rangle \right) \) (where “\(\langle \cdot ,\cdot \rangle \)” denotes inner product). Given an encoding scheme \(\mathsf{{E}}=\left( \mathsf{{Enc}},\mathsf{{Dec}}\right) \) over \(\mathbb {F}\), and \(n\in \mathbb {N}\), we say that a vector \(\mathbf v \in {\mathbb {F}}^{\hat{n}\left( n\right) }\) is well-formed if \(\mathbf v \in \mathsf{{Enc}}\left( 0^n\right) \).
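
For concreteness, a toy instantiation of a linear, onto encoding scheme in the above sense (an illustration only, and not the inner encoding used in [11]) is additive sharing: each symbol is split into k shares that sum to it, so encodings have length \(\hat{n}\left( n\right) =kn\) and the decoding vector is \(\mathbf r =\left( 1,...,1\right) \in \mathbb {F}^{k}\). A minimal sketch over \({\mathbb {F}}_3\):

    # Toy additive encoding over F_3: k shares per symbol, decoding vector (1,...,1).
    import random

    P = 3          # the field F_3 (the field used in Sect. 3.2)
    K = 4          # shares per symbol (plays the role of the security parameter)

    def enc(x, k=K, p=P):
        """Encode x in F_p^n as n blocks of k additive shares each."""
        out = []
        for xi in x:
            shares = [random.randrange(p) for _ in range(k - 1)]
            shares.append((xi - sum(shares)) % p)   # shares sum to xi mod p
            out.extend(shares)
        return out

    def dec(y, k=K, p=P):
        """Decode each length-k block via the inner product with (1,...,1)."""
        return [sum(y[i:i + k]) % p for i in range(0, len(y), k)]

    x = [1, 0, 2]
    assert dec(enc(x)) == x      # correctness: Dec(Enc(x)) = x
    # The scheme is onto: dec is defined on every vector in F_p^{kn}.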

Parameterized encoding schemes. We consider encoding schemes in which the encoding and decoding algorithms are given an additional input \(1^{\sigma }\), which is used as a security parameter. Concretely, the encoding length depends also on \(\sigma \) (and not only on n), i.e., \(\hat{n}=\hat{n}\left( n,\sigma \right) \), and for every \(\sigma \) the resultant scheme is an encoding scheme (in particular, for every \(x\in \varSigma ^n\) and every \(\sigma \in \mathbb {N}\), \(\Pr \left[ \mathsf{{Dec}}\left( \mathsf{{Enc}}\left( x,1^{\sigma }\right) ,1^{\sigma }\right) =x\right] =1\)). We call such schemes parameterized. A parameterized encoding scheme is onto if it is onto for every \(\sigma \). It is linear if it is linear for every \(\sigma \) (in particular, there exist decoding vectors \(\{\mathbf{r }^{\hat{n}\left( n,\sigma \right) }\}\)). For \(n,\sigma \in \mathbb {N}\), a vector \(\mathbf v \in {\mathbb {F}}^{\hat{n}\left( n,\sigma \right) }\) is well-formed if \(\mathbf v \in \mathsf{{Enc}}\left( 0^n,1^{\sigma }\right) \). We will only consider parameterized encoding schemes, and therefore when we say “encoding scheme” we mean a parameterized encoding scheme.

Definition 2

(Leakage-indistinguishability of functions and encodings). Let \(\mathcal {L}\) be a family of leakage functions, and \(\epsilon >0\). A randomized function \(f:\varSigma ^n\rightarrow \varSigma ^m\) is \(\left( \mathcal {L},\epsilon \right) \)-leakage-indistinguishable if for every \(x,y\in \varSigma ^n\), the distributions \(f\left( x\right) ,f\left( y\right) \) are \(\left( \mathcal {L},\epsilon \right) \)-leakage-indistinguishable.

We say that an encoding scheme \(\mathsf{{E}}\) is \(\left( \mathcal {L},\epsilon \right) \) -leakage-indistinguishable if for every large enough \(\sigma \in \mathbb {N}\), \(\mathsf{{Enc}}\left( \cdot ,1^{\sigma }\right) \) is \(\left( \mathcal {L},\epsilon \right) \)-leakage indistinguishable.

Circuits. We consider arithmetic circuits C over the field \(\mathbb {F}\) and the set \(X = \left\{ x_1,...,x_n\right\} \) of variables. C is a directed acyclic graph whose vertices are called gates and whose edges are called wires. The wires of C are labeled with functions over X. Every gate in C of in-degree 0 has out-degree 1 and is either labeled by a variable from X and is referred to as an input gate; or is labeled by a constant \(\alpha \in {\mathbb {F}}\) and is referred to as a \(\mathsf{{const}} _{\alpha }\) gate. Following [11], all other gates are labeled by one of the following functions: \(+,-,\times ,\mathsf{{copy}} \) or \(\mathsf{{id}} \), where \(+,-,\times \) are the addition, subtraction, and multiplication operations of the field (i.e., the outgoing wire is labeled with the addition, subtraction, or product (respectively) of the labels of the incoming wires), and these vertices have fan-in 2 and fan-out 1; \(\mathsf {copy}\) vertices have fan-in 1 and fan-out 2, where the labels of the outgoing edges carry the same function as the incoming edge; and \(\mathsf{{id}} \) vertices have fan-in and fan-out 1, and the label of the outgoing edge is the same as that of the incoming edge. We write \(C : {\mathbb {F}}^n \rightarrow {\mathbb {F}}^m\) to indicate that C is an arithmetic circuit over \({\mathbb {F}}\) with n inputs and m outputs. The size of a circuit C, denoted \(\left| C\right| \), is the number of wires in C, together with input and output gates. \(\mathsf{{Shallow}} \left( d,s\right) \) denotes the class of all depth-d, size-s, arithmetic circuits over \(\mathbb {F}\). Similarly, \(\mathsf{{ShallowB}} \left( d,s\right) \) denotes the class of all depth-d, size-s, boolean circuits with \(\wedge ,\vee \) gates (replacing the \(+,-,\times \) gates of arithmetic circuits), \(\mathsf{{id}} \), \(\mathsf{{copy}}\), \(\mathsf{{const}}_0\), and \(\mathsf{{const}}_1\) gates (with fan-in and fan-out as specified above), and \(\lnot \) gates with fan-in and fan-out 1. Somewhat abusing notation, we use the same notations to denote the families of functions computable by circuits in the respective class of circuits. \(\mathsf{{AC}} ^0\) denotes all constant-depth and polynomial-sized boolean circuits over unbounded fan-in and fan-out \(\wedge ,\vee ,\lnot ,\mathsf{{const}}_0\) and \(\mathsf{{const}}_1\) gates.

Definition 3

For \(\mathbb {F}=\mathbb {F}_2\), a circuit \(C:\mathbb {F}^n\rightarrow \mathbb {F}\) over \(\mathbb {F}_2\) is satisfiable if there exists an \(x\in \mathbb {F}^n\) such that \(C\left( x\right) =1\). For \(\mathbb {F}\ne \mathbb {F}_2\), C is satisfiable if there exists an \(x\in \mathbb {F}^n\) such that \(C\left( x\right) =0\).

2.1 Circuit Compilers

We define the notion of a circuit compiler. Informally, it consists of an encoding scheme and a compiler algorithm that compiles a given circuit into a circuit that operates on encodings and emulates the original circuit. Formally,

Definition 4

(Circuit compiler over \(\mathbb {F}\) ). A circuit compiler over \(\mathbb {F}\) is a pair \(\left( \mathsf{{Comp}},\mathsf{{E}}\right) \) of algorithms with the following syntax.

  • \(\mathsf{{E}}=\left( \mathsf{{Enc}},\mathsf{{Dec}}\right) \) is an encoding scheme, where \(\mathsf{{Enc}}\) is a PPT encoding algorithm that given a vector \(x \in \mathbb {F}^n\), and \(1^{\sigma }\), outputs a vector \(\hat{x}\). We assume that \(\hat{x}\in \mathbb {F}^{\hat{n}}\) for some \(\hat{n} = \hat{n}\left( n,\sigma \right) \).

  • \(\mathsf {Comp}\) is a polynomial-time algorithm that given an arithmetic circuit C over \(\mathbb {F}\) outputs an arithmetic circuit \(\hat{C}\).

We require that \(\left( \mathsf{{Comp}},\mathsf{{E}}\right) \) satisfy the following correctness requirement. For any arithmetic circuit C, and any input x for C, we have \(\Pr \left[ \hat{C}\left( \hat{x}\right) =C\left( x\right) \right] =1\), where \(\hat{x}\) is the output of \(\mathsf{{Enc}}\left( x,1^{\left| C\right| }\right) \).

A boolean circuit compiler is a circuit compiler over \(\mathbb {F}_2\).

We consider circuit compilers that are also “sound”, meaning that satisfying (possibly ill-formed) inputs for the compiled circuit exist only if the original circuit is satisfiable.

Definition 5

(SAT-respecting circuit compiler). A circuit compiler \(\left( \mathsf{{Comp}},\mathsf{{E}}\right) \) is SAT-respecting if it satisfies the following soundness requirement for every circuit \(C:\mathbb {F}^n\rightarrow \mathbb {F}\). If \(\hat{C}=\mathsf {Comp}(C)\) is satisfiable then C is satisfiable, i.e., if \(\hat{C}\left( \hat{x}^*\right) =0\) for some \(\hat{x}^*\in \mathbb {F}^{\hat{n}}\), then there exists an \(x\in \mathbb {F}^n\) such that \(C\left( x\right) =0\). (For \(\mathbb {F}=\mathbb {F}_2\), we require that if \(\hat{C}\) outputs 1 on some input, then so does C.)

2.2 Leakage-Resilient Circuit Compilers (LRCCs)

We consider circuit compilers whose outputs are leakage resilient for a class \(\mathcal{{L}}\) of functions, in the following sense. For every “not too large” circuit C, and every input x for C, the wire values of the compiled circuit \(\hat{C}\), when evaluated on a random encoding \(\hat{x}\) of x, can be simulated given only the output of C; and functions in \(\mathcal {L}\) cannot distinguish between the actual and simulated wire values.

Notation 2

For a circuit C, a leakage function \(\ell :\mathbb {F}^{\left| C\right| }\rightarrow \mathbb {F}^m\) for some natural m, and an input x for C, \(\left[ C,x\right] \) denotes the wire values of C when evaluated on x, and \(\ell \left[ C,x\right] \) denotes the output of \(\ell \) on \(\left[ C,x\right] \).

Definition 6

(Relaxed LRCC). Let \(\mathbb {F}\) be a finite field. For a function class \(\mathcal {L}\), \(\epsilon \left( n\right) :\mathbb {N}\rightarrow \mathbb {R}^{+}\), and a size function \(\mathsf{{S}}\left( n\right) :\mathbb {N}\rightarrow \mathbb {N}\), we say that \(\left( \mathsf{{Comp}},\mathsf{{E}}\right) \) is \(\left( \mathcal {L},\epsilon \left( n\right) ,\mathsf{{S}}\left( n\right) \right) \)-relaxed leakage-resilient if there exists an algorithm \(\mathsf{{Sim}} \) such that the following holds. For all sufficiently large n’s, every arithmetic circuit C over \(\mathbb {F}\) of input length n and size at most \(\mathsf{{S}}\left( n\right) \), every \(\ell \in \mathcal {L}\) of input length \(\left| \hat{C}\right| \), and every \(x \in \mathbb {F}^n\), we have \(\mathsf{{SD}} \left( \ell \left[ \mathsf{{Sim}} \left( C,C\left( x\right) \right) \right] ,\ell \left[ \hat{C},\hat{x}\right] \right) \le \epsilon \left( \left| x\right| \right) \), where \(\hat{x}\leftarrow \mathsf{{Enc}}\left( x,1^{\left| C\right| }\right) \).

Definition 6 is relaxed in the sense that (unlike [11, 18, 23]) \(\mathsf{{Sim}} \) is not required to be efficient.

The error in Definitions 5 and 6 is defined with respect to the input length n. Both definitions can be naturally extended such that the compiler is also given a security parameter \(\kappa \), and the error depends on \(\kappa \) (and possibly also on n).

3 SAT-Respecting Relaxed LRCC

In this section we construct a SAT-respecting relaxed LRCC. We first describe a relaxed LRCC over any finite field \(\mathbb {F}\ne {\mathbb {F}}_2\), then use its instantiation over \({\mathbb {F}}_3\) to construct a boolean relaxed LRCC (which we later use to construct WIPCPs and CZKPCPs). Our starting point is the circuit compiler of Faust et al. [11], which we denote by \(\left( \mathsf{{Comp}}^{\mathrm {FRRTV}},\mathsf{{E}}^{\mathrm {FRRTV}}\right) \). They present a general circuit compiler that guarantees correctness, and a stronger notion of leakage-resilience (informally, that the wire values of the compiled circuit can be efficiently simulated). However, the correctness of their construction relies on the assumption that the inputs to the compiled circuit are honestly encoded. Therefore, their construction is not SAT-respecting, since by using ill-formed encoded inputs one can cause the compiled circuit to output arbitrary values, even if the compiler was otherwise honestly applied to the original circuit. We describe a method of generalizing their construction such that the circuit compiler is also SAT-respecting. We first give a high-level overview of the compiler of [11].

Gadgets. On input a circuit C, our compiler, like \(\mathsf{{Comp}}^{\mathrm {FRRTV}}\), replaces every wire of C with a bundle of wires, and every gate in C with a gadget. More specifically, a bundle is a string of field elements, encoding a field element according to some encoding scheme \(\mathsf{{E}}\); and a gadget is a circuit which operates on bundles and emulates the operation of the corresponding gate in C. A gadget has both standard inputs, that represent the wires in the original circuit, and masking inputs, that are used to achieve privacy. More formally, a gadget emulates a specific boolean or arithmetic operation on the standard inputs, and outputs a bundle encoding the correct output. Every gadget G is associated with a set \(M_G\) of “well-formed” masking input bundles (e.g., in the circuit compiler of [11], \(M_G\) consists of sets of 0-encodings). For every standard input x, on input a bundle \(\mathbf{x }\) encoding x, and any masking input bundles \(\mathsf{{m}}\in M_G\), the output of the gadget G should be consistent with the operation on x. For example, if G computes the operation \(\times \), then for every standard input \(x=\left( x_1,x_2\right) \), for every bundle encoding \(\mathbf{x }=\left( \mathbf{x }_1,\mathbf{x }_2\right) \) of x according to \(\mathsf{{E}}\), and for every masking input bundles \(\mathsf{{m}}\in M_G\), \(G\left( \mathbf{x },\mathsf{{m}}\right) \) is a bundle encoding \(x_1\times x_2\) according to \(\mathsf{{E}}\). Since all the encoding schemes that we consider are onto, we may think of the masking input bundles \(\mathsf{{m}}\) as encoding some set \(\mathsf{{mask}}\) of values, in which case we say that G takes \(\left| \mathsf{{mask}}\right| \) masking inputs. The privacy of the internal computations in the gadget is achieved when the masking input bundles of the gadget are uniformly distributed over \(M_G\), regardless of the actual values encoded by the masking input bundles.

Gadget-based circuit-compilers. \(\hat{C}=\mathsf{{Comp}} ^{{\mathrm {FRRTV}} }\left( C\right) \) is a circuit in which every gate is replaced with the corresponding gadget, and output gates are followed by decoding sub-circuits (computing the decoding function of \(\mathsf{{E}} \)). Recall that the gadgets also have masking inputs. These are provided as part of the encoded input of \(\hat{C}\), in the following way. \(\mathsf{{E}}^{\mathrm {FRRTV}}\) uses an “inner” encoding scheme \(\mathsf{{E}} ^{{\mathrm {in}} }=\left( \mathsf{{Enc}} ^{{\mathrm {in}} },\mathsf{{Dec}} ^{{\mathrm {in}} }\right) \), where \(\mathsf{{Enc}} ^{\mathrm {FRRTV}}\) uses \(\mathsf{{Enc}} ^{{\mathrm {in}} }\) to encode the inputs of C, concatenated with \(0^{\kappa }\) for a “sufficiently large” \(\kappa \) (these 0-encodings will be the masking inputs to the gadgets); and \(\mathsf{{Dec}} ^{\mathrm {FRRTV}}\) uses \(\mathsf{{Dec}} ^{{\mathrm {in}} }\) to decode its input, and discards the last \(\kappa \) symbols.
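
A minimal sketch of this wrapping, using the toy additive scheme above as a stand-in for \(\mathsf{{E}} ^{{\mathrm {in}} }\) (an assumption for illustration; the actual inner encoding of [11] differs):

    # Toy rendering of E^FRRTV: pad the input with kappa zeros (whose encodings
    # serve as the gadgets' masking inputs), encode with the inner scheme, and
    # discard the last kappa decoded symbols when decoding.
    import random

    P, K, KAPPA = 3, 4, 2

    def enc_in(x):
        out = []
        for xi in x:
            s = [random.randrange(P) for _ in range(K - 1)]
            out.extend(s + [(xi - sum(s)) % P])
        return out

    def dec_in(y):
        return [sum(y[i:i + K]) % P for i in range(0, len(y), K)]

    def enc_frrtv(x):
        return enc_in(list(x) + [0] * KAPPA)    # append the 0s used as masking inputs

    def dec_frrtv(y):
        return dec_in(y)[:-KAPPA]               # drop the masking-input symbols

    x = [2, 1]
    assert dec_frrtv(enc_frrtv(x)) == x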

3.1 The Construction

Let \(C:\mathbb {F}^n\rightarrow \mathbb {F}\) be the circuit to be compiled. In the following, let \(\mathsf{{r}} =\mathsf{{r}} \left( \sigma \right) \) denote the number of masking inputs used in a circuit compiled according to the compiler of [11]. Recall that our compiler, given a circuit C, generates two copies \(C_1,C_2\) of C (that operate on two copies of the inputs); compiles \(C_1,C_2\) into circuits \(\hat{C}_1,\hat{C}_2\) using the circuit-compiler of [11]; generates the circuit \(\hat{C'}\) that outputs the AND of \(\hat{C}_1,\hat{C}_2\); generates a circuit \(\mathcal{{T}}_0\) verifying that at least one of the copies \(\hat{C}_1,\hat{C}_2\) uses well-formed masking inputs (i.e., its masking inputs are well-formed vectors); compiles \(\mathcal{{T}}_0\) into \(\hat{\mathcal{{T}}_0}\) using the circuit-compiler of [11]; and finally verifies “in the clear” that \(\hat{\mathcal{{T}}_0}\) uses well-formed masking inputs. We now describe these ingredients in more detail.

Our first ingredient checks the validity of the masking inputs used in the compiled circuit \(\hat{C'}\). If \(\mathsf{{m}} ^1,\mathsf{{m}} ^2\) are masking inputs used in the first and second copies \(\hat{C}_1,\hat{C}_2\) in \(\hat{C'}\), respectively (i.e., these copies are given encodings of \(\mathsf{{m}} ^1,\mathsf{{m}} ^2\)), then we compute \(v_{ij}=\mathsf{{m}} ^1_i\times \mathsf{{m}} ^2_j\) for every \(i,j\in \left[ \mathsf{{r}} \right] \), and check that all the \(v_{ij}\)’s are zero. To make this check easier, we will use the following “binarization” sub-circuit, which outputs 1 if its input is 0, and outputs 0 on all other values.

Construction 3

(“Binarization” sub-circuit \(\mathcal{{T}}\) ). \(\mathcal{{T}}:\mathbb {F}\rightarrow \mathbb {F}\) is defined as \(\mathcal{{T}}\left( z\right) =-\prod _{0\ne a\in {\mathbb {F}}}{\left( z-a\right) }\), computed using \(O\left( \left| {\mathbb {F}}\right| \right) \) \(\times \) and constant gates arranged in \(O\left( \log \left| {\mathbb {F}}\right| \right) \) layers.

Observation 4

\(\mathcal{{T}}\left( 0\right) =1\), and for every \(0\ne z\in \mathbb {F}\), \(\mathcal{{T}}\left( z\right) =0\).
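
As a quick sanity check of Observation 4 over \({\mathbb {F}}_3\) (the instantiation used in Sect. 3.2), where \(\mathcal{{T}}\left( z\right) =-\left( z-1\right) \left( z-2\right) \):

    # Sanity check of Construction 3 over F_3: T(0) = 1 and T(z) = 0 for z != 0.
    P = 3

    def T(z, p=P):
        prod = 1
        for a in range(1, p):            # all nonzero field elements
            prod = (prod * (z - a)) % p
        return (-prod) % p

    assert [T(z) for z in range(P)] == [1, 0, 0]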

The sub-circuit \(\mathcal{{T}}_0\) described next checks the masking inputs \(\mathsf{{m}} ^1,\mathsf{{m}} ^2\) used in the copies \(\hat{C}_1,\hat{C}_2\), and outputs 1 if and only if one of \(\mathsf{{m}} ^1,\mathsf{{m}} ^2\) is the all-zero string. It computes all products of the form \(\mathsf{{m}} ^1_i\times \mathsf{{m}} ^2_j\), then applies \(\mathcal{{T}}\) to every product, and computes the product of all these outputs.

Construction 5

(Oblivious mask-checking sub-circuit \(\mathcal{{T}}_0\) ). \(\mathcal{{T}}_0:\mathbb {F}^{\mathsf{{r}} }\times \mathbb {F}^{\mathsf{{r}} }\rightarrow \mathbb {F}\) is defined as follows. \(\mathcal{{T}}_0\left( y,z\right) =\prod _{i,j\in \left[ \mathsf{{r}} \right] }\mathcal{{T}}\left( y_i\times z_j\right) \), computed using a multiplication tree of size \(O\left( \mathsf{{r}} \right) \) and depth \(O\left( \log \mathsf{{r}} \right) \) (on top of the multiplication trees used to compute \(\mathcal{{T}}\)).

Observation 6

Since the outputs of \(\mathcal{{T}}\) are in \(\{0,1\}\), \(\mathcal{{T}}_0\left( y,z\right) =1\) if and only if for every \(i,j\in \left[ \mathsf{{r}} \right] \), \(\mathcal{{T}}\left( y_i\times z_j\right) =1\) (which by Observation 4 happens if and only if \(y_i\times z_j=0\)); otherwise it outputs 0.
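
A short sanity check of this observation over \({\mathbb {F}}_3\), with \(\mathsf{{r}} =2\) for illustration:

    # T0(y, z) = prod_{i,j} T(y_i * z_j) equals 1 exactly when at least one of
    # y, z is all-zero (over a field, y_i * z_j = 0 iff y_i = 0 or z_j = 0).
    from itertools import product

    P = 3
    T = lambda v: (-((v - 1) * (v - 2))) % P          # Construction 3 over F_3

    def T0(y, z):
        out = 1
        for yi, zj in product(y, z):
            out = (out * T((yi * zj) % P)) % P
        return out

    for y in product(range(P), repeat=2):
        for z in product(range(P), repeat=2):
            expected = 1 if (set(y) == {0} or set(z) == {0}) else 0
            assert T0(y, z) == expected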

Our final ingredient is a sub-circuit \(\mathcal{{T}}_V\) checking the masking inputs used in the compiled sub-circuit \(\hat{\mathcal{{T}}_0}\). At a high level, \(\mathcal{{T}}_V\) decodes every masking input; uses \(\mathcal{{T}}\) to map the decoded values into \(\{0,1\}\) such that only 0 is mapped to 1; and multiplies all these values, to guarantee that all the masking inputs are well-formed. In the following, \(\mathsf{{r}} _0=\mathsf{{r}} _0\left( \sigma \right) \) denotes the number of masking inputs used in \(\hat{\mathcal{{T}}_0}\).

Construction 7

(Non-oblivious mask-checking sub-circuit \(\mathcal{{T}}_V\) ). Let \(n,\sigma ,\kappa \in \mathbb {N}\), \(\hat{n}=\hat{n}\left( n+\kappa ,\sigma \right) \), and \(\left\{ \mathbf d ^{\hat{n}}\right\} \) be the decoding vectors of \(\mathsf{{E}} ^{{\mathrm {in}} }\). We define the decoding sub-circuit \(\mathcal {D}_V:\mathbb {F}^{\hat{n}}\rightarrow \mathbb {F}\) corresponding to \(\mathbf d ^{\hat{n}}\) as follows: \(\mathcal {D}_V\left( \mathbf v \right) =\langle \mathbf d ^{\hat{n}},\mathbf v \rangle \), where \(\langle \cdot ,\cdot \rangle \) denotes inner-product. \(\mathcal {D}_V\) is computed using any correct decoding circuit with \(O\left( \hat{n}\right) \) gates arranged in \(O\left( \log \hat{n}\right) \) layers.

We define \(\mathcal{{T}}_V:\left( \mathbb {F}^{\hat{n}}\right) ^{\mathsf{{r}} _0}\rightarrow \mathbb {F}\) as follows: for \(\mathbf R =\left( \mathbf r _1,...,\mathbf r _{\mathsf{{r}} _0}\right) \) where \(\mathbf r _i\in \mathbb {F}^{\hat{n}}\) for every \(1\le i\le \mathsf{{r}} _0\), \(\mathcal{{T}}_V\left( \mathbf R \right) =\prod _{i\in \left[ \mathsf{{r}} _0\right] }\mathcal{{T}}\left( \mathcal {D}_V\left( \mathbf r _i\right) \right) \). \(\mathcal{{T}}_V\) is computed using \(O\left( \mathsf{{r}} _0\right) \) \(\times \) gates, arranged in a tree of depth \(O\left( \log {\mathsf{{r}} _0}\right) \) (on top of the sub-circuits \(\mathcal{{T}}\circ \mathcal {D}_V\)).

Observation 8

Let \(\mathbf R =\left( \mathbf r _1,...,\mathbf r _{\mathsf{{r}} _0}\right) \in \left( \mathbb {F}^{\hat{n}}\right) ^{\mathsf{{r}} _0}\), then for every \(i\in \left[ \mathsf{{r}} _0\right] \), \(\mathcal {D}_V\left( \mathbf r _i\right) =v_i\), where \(v_i\) is the value that \(\mathbf r _i\) encodes. Since the outputs of \(\mathcal{{T}}\) are in \(\{0,1\}\), \(\mathcal{{T}}\left( \mathcal {D}_V\left( \mathbf r _i\right) \right) =1\) if and only if \(v_i=0\), so \(\mathcal{{T}}_V=1\) if and only if all \(\mathbf r _i\)’s are well-formed, otherwise it outputs 0.
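
A short sanity check of Observation 8, using the toy additive encoding (decoding vector \(\mathbf d =\left( 1,...,1\right) \)) as a stand-in for \(\mathsf{{E}} ^{{\mathrm {in}} }\); the actual decoding vectors of [11] differ:

    # T_V(R) = prod_i T(<d, r_i>) is 1 iff every r_i is well-formed (encodes 0).
    P, K = 3, 4
    d = [1] * K                                        # toy decoding vector
    T = lambda v: (-((v - 1) * (v - 2))) % P           # Construction 3 over F_3

    def D_V(r):
        return sum(di * ri for di, ri in zip(d, r)) % P

    def T_V(R):
        out = 1
        for r in R:
            out = (out * T(D_V(r))) % P
        return out

    well_formed = [[1, 2, 0, 0], [2, 1, 1, 2]]         # both decode to 0 mod 3
    ill_formed  = [[1, 2, 0, 0], [2, 1, 1, 0]]         # second decodes to 1
    assert T_V(well_formed) == 1 and T_V(ill_formed) == 0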

Our circuit compiler (Construction 9) uses the ingredients described above. \(\mathsf{{Comp}} \) first compiles 2 copies \(C_1,C_2\) of C, and \(\mathcal{{T}}_0\), into \(\hat{C}_1,\hat{C}_2,\hat{\mathcal{{T}}_0}\) (respectively), using the compiler of [11]. Then, it generates a flag bit indicating whether \(\hat{C}_1,\hat{C}_2\) have the same output, the masking inputs used in \(\hat{\mathcal{{T}}_0}\) are well-formed, and the masking inputs used in at least one of \(\hat{C}_1,\hat{C}_2\) are well-formed. If so, the output is that of \(\hat{C}_1\), otherwise it is 1. (Recall that an arithmetic circuit is satisfied iff its output is 0.) The encoding scheme generates encoded inputs for both copies \(\hat{C}_1,\hat{C}_2\), as well as sufficiently many masking inputs to be used in \(\hat{C}_1,\hat{C}_2,\hat{\mathcal{{T}}_0}\).

Construction 9

( \(\left( \mathcal {L},\epsilon \left( n\right) ,\mathsf{{S}}\left( n\right) \right) \) -LRCC over \(\mathbb {F}\) ). The circuit compiler \(\left( \mathsf{{Comp}} ,\mathsf{{E}} =\left( \mathsf{{Enc}} ,\mathsf{{Dec}} \right) \right) \) is defined as follows. Let \(\mathsf{{r}} =\mathsf{{r}} \left( \sigma \right) , \mathsf{{r}} _0=\mathsf{{r}} _0\left( \sigma \right) :\mathbb {N}\rightarrow \mathbb {N}\) be parameters whose value will be set later.

Let \(\mathsf{{E}}^{{\mathrm {in}} }=\left( \mathsf{{Enc}}^{{\mathrm {in}} },\mathsf{{Dec}}^{{\mathrm {in}} }\right) \) be a linear encoding scheme over \(\mathbb {F}\), with encodings of length \(\hat{n}_{{\mathrm {in}} }=\hat{n}_{{\mathrm {in}} }\left( n,\sigma \right) \), and decoding vectors \(\{\mathbf{d }^{\hat{n}_{{\mathrm {in}} }}\}\). Then \(\mathsf{{Enc}} \left( x,1^{\sigma }\right) =\left( \hat{x}_1,\hat{x}_2\right) \), where \(\hat{x}_i\leftarrow \mathsf{{Enc}} ^{{\mathrm {in}} }\left( \left( x,0^{\mathsf{{r}} +\mathsf{{r}} _0}\right) ,1^{\sigma }\right) \); and \(\mathsf{{Dec}} \left( \left( \hat{x}_1,\hat{x}_2\right) ,1^{\sigma }\right) \) computes \(\mathsf{{Dec}} ^{{\mathrm {in}} }\left( \hat{x}_1,1^{\sigma }\right) \), and discards the last \(\mathsf{{r}} +\mathsf{{r}} _0\) symbols. We use \(\hat{n}=\hat{n}\left( n,\sigma \right) \) to denote the length of encodings output by \(\mathsf{{Enc}} \), and \(\hat{n}_1=\hat{n}_1\left( \sigma \right) :=\hat{n}\left( 1,\sigma \right) \). (Notice that \(\hat{n}\left( n,\sigma \right) =2\hat{n}_{{\mathrm {in}} }\left( n+\mathsf{{r}} +\mathsf{{r}} _0,\sigma \right) \).) For \(\left( \hat{x}_1,\hat{x}_2\right) \leftarrow \mathsf{{Enc}} \left( x,1^{\sigma }\right) \), we denote \(\hat{x}_i=\left( \hat{x}_i^{{\mathrm {in}} },\mathbf R _i,\mathbf R _i^0\right) \), where \(\hat{x}_i^{{\mathrm {in}} }\) is the encoding of x, and \(\mathbf R _i,\mathbf R _i^0\) are encodings of \(0^{\mathsf{{r}} },0^{\mathsf{{r}} _0}\), respectively. (\(\mathbf R _2^0\) is not used in the construction, but it is part of \(\hat{x}_2\) because the same internal encoding scheme \(\mathsf{{Enc}} ^{{\mathrm {in}} }\) is used to generate \(\hat{x}_1,\hat{x}_2\).)

Let \(\left( \mathsf{{Comp}} ^{{\mathrm {FRRTV}} },\mathsf{{E}} ^{\mathrm {{\mathrm {FRRTV}} }}\right) \) be the circuit compiler of [11]. \(\mathsf{{Comp}} \) on input a circuit \(C:\mathbb {F}^n\rightarrow \mathbb {F}\), outputs the circuit \(\hat{C}:\mathbb {F}^{\hat{n}\left( n,\left| C\right| \right) }\rightarrow \mathbb {F}\) defined as follows.

  • Let \(C_1,C_2\) be two copies of C, \(\hat{C}_i=\mathsf{{Comp}} ^{{\mathrm {FRRTV}} }\left( C_i\right) \) for \(i=1,2\), and \(\hat{\mathcal{{T}}_0}=\mathsf{{Comp}} ^{{\mathrm {FRRTV}} }\left( \mathcal{{T}}_0\right) \).

  • Let \(\mathsf{{f}}\left( \left( \hat{x}_1^{{\mathrm {in}} },\mathbf R _1,\mathbf R _1^0\right) ,\left( \hat{x}^{{\mathrm {in}} }_2,\mathbf R _2,\mathbf R _2^0\right) \right) := \mathcal{{T}}\left( \hat{C}_1\left( \hat{x}_1^{{\mathrm {in}} },\mathbf R _1\right) -\hat{C}_2\left( \hat{x}_2^{{\mathrm {in}} },\mathbf R _2\right) \right) \times \hat{\mathcal{{T}}_0}\left( \left( \mathbf R _1,\mathbf R _2\right) ,\mathbf R _1^0\right) \times \mathcal{{T}}_V\left( \mathbf R _1^0\right) \). (\(\mathsf{{f}}=1\) if \(\hat{C}_1,\hat{C}_2\) have the same output, and in addition the masking inputs used in \(\hat{\mathcal{{T}}}_0\), and at least one of \(\hat{C}_1,\hat{C}_2\), are well-formed. Otherwise, \(\mathsf{{f}}=0\).) Then:

    $$\hat{C}\left( \left( \hat{x}_1^{{\mathrm {in}} },\mathbf R _1,\mathbf R _1^0\right) ,\left( \hat{x}^{{\mathrm {in}} }_2,\mathbf R _2,\mathbf R _2^0\right) \right) = \left( 1-\mathsf{{f}}\left( \left( \hat{x}_1^{{\mathrm {in}} },\mathbf R _1,\mathbf R _1^0\right) ,\left( \hat{x}^{{\mathrm {in}} }_2,\mathbf R _2,\mathbf R _2^0\right) \right) \right) $$
    $$+\,\mathsf{{f}}\left( \left( \hat{x}_1^{{\mathrm {in}} },\mathbf R _1,\mathbf R _1^0\right) ,\left( \hat{x}^{{\mathrm {in}} }_2,\mathbf R _2,\mathbf R _2^0\right) \right) \cdot \hat{C}_1\left( \hat{x}_1^{{\mathrm {in}} },\mathbf R _1,\mathbf R _1^0\right) $$

    (Notice that the output is \(\hat{C}_1\left( \hat{x}_1^{{\mathrm {in}} },\mathbf R _1,\mathbf R _1^0\right) \) if \(\mathsf{{f}}=1\), otherwise it is 1.)

Let \(\mathsf{{r}} ^{{\mathrm {FRRTV}} }\) denote the maximal number of masking inputs used in a gadget used by the compiler of [11], and \(\mathsf{{S}}_0\left( \mathsf{{r}} \right) \) denote the size of \(\mathcal{{T}}_0\). Then \(\mathsf{{r}} \left( \sigma \right) =\sigma \cdot \mathsf{{r}} ^{{\mathrm {FRRTV}} }\) and \(\mathsf{{r}} _0\left( \sigma \right) =\sigma \cdot \mathsf{{S}}_0\left( \mathsf{{r}} ^{{\mathrm {FRRTV}} }\right) \).

Next, we briefly analyze the properties of the construction. (The full analysis appears in the full version.)

SAT-respecting. If the masking inputs of \(\hat{\mathcal{{T}}}_0\) are ill-formed, then \(\mathcal{{T}}_V\) resets the flag, so the output is 1 (i.e., \(\hat{C}\) is not satisfied). Conditioned on \(\hat{\mathcal{{T}}}_0\) having well-formed masking inputs, the correctness of the compiler of [11] (as applied to obtain \(\hat{\mathcal{{T}}}_0\)) guarantees that the flag is reset if the masking inputs of both \(\hat{C}_1,\hat{C}_2\) are ill-formed. Finally, if at least one of \(\hat{C}_1,\hat{C}_2\) has well-formed masking inputs, and \(\hat{C}\) is satisfied (in particular, the flag is not reset), then there exists an \(x\in \mathbb {F}^n\) that satisfies the correctly evaluated copy, and therefore also satisfies C. We note that the encoding scheme should be onto, since otherwise computations in compiled circuits may not correspond to computations in the original circuits (as the “encoded” input may not correspond to a valid input for the original circuit).

Relaxed leakage-resilience. At a high level, on input \(C:\mathbb {F}^n\rightarrow \mathbb {F}\), and \(C\left( x\right) \) for \(x\in \mathbb {F}^n\), \(\mathsf{{Sim}} \) finds a \(y\in \mathbb {F}^n\) such that \(C\left( y\right) =C\left( x\right) \) (this is the reason that \(\mathsf{{Sim}} \) is unbounded); generates \(\hat{C}=\mathsf{{Comp}} \left( C\right) \) and \(\hat{y}\leftarrow \mathsf{{Enc}} \left( y,1^{\left| C\right| }\right) \); honestly evaluates \(\hat{C}\) on \(\hat{y}\); and outputs the wire values of \(\hat{C}\). If \(\mathsf{{E}} \) is leakage-indistinguishable for a leakage class which is “somewhat stronger” than \(\mathcal {L}\), then for every \(\ell \in \mathcal {L}\), \(\mathsf{{SD}} \left( \ell \left[ \hat{C},\hat{x}\right] ,\ell \left[ \hat{C},\hat{y}\right] \right) \le \epsilon \left( n\right) \), where \(\hat{x}\leftarrow \mathsf{{Enc}} \left( x,1^{\left| C\right| }\right) \). Informally, this follows from a hybrid argument, where we first replace the input of \(\hat{C}_1\) from \(\hat{x}\) to \(\hat{y}\), and then do the same for \(\hat{C}_2\). (This is also the reason that we do not explicitly verify that \(\hat{C}_1,\hat{C}_2\) are evaluated on encodings of the same input.)
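
A minimal sketch of this (unbounded) simulator, with the original circuit modeled as a Python function over \({\mathbb {F}}_3\); the helper eval_compiled_wires is a hypothetical placeholder for “honestly evaluate \(\mathsf{{Comp}} \left( C\right) \) on \(\mathsf{{Enc}} \left( y\right) \) and record all wire values”:

    # Sketch of the relaxed-LR simulator: exhaustively find y with C(y) = C(x),
    # then output the honest wires of the compiled circuit on an encoding of y.
    from itertools import product

    P = 3

    def sim(C, n, output_of_C_on_x, eval_compiled_wires):
        for y in product(range(P), repeat=n):        # unbounded brute-force step
            if C(*y) == output_of_C_on_x:
                return eval_compiled_wires(C, y)     # honest evaluation on Enc(y)
        return None                                  # unreachable for a real C(x)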

To show that each adjacent pair of hybrids is leakage-indistinguishable, we first use an argument similar to that of [11]: we first replace the bundles of \(\hat{C}_1\) or \(\hat{C}_2\) (depending on the pair of hybrids in question) that are external to the gadgets (i.e., bundles that correspond to wires of the original circuit C) with random encodings of the “correct” values, and then replace the bundles internal to the gadgets of \(\hat{C}_1\) (or \(\hat{C}_2\)) with simulated values. However, our compiled circuit \(\hat{C}\) also contains \(\hat{\mathcal{{T}}_0},\mathcal{{T}}_V\), so the analysis in our case is more complex, and in particular we cannot use the leakage-resilience analysis of [11] as a black box. To explain the difficulty in generating these wire values, we need to take a closer look at their leakage-resilience analysis.

Recall that the leakage-indistinguishability proof for every pair of adjacent hybrids contains in itself two series of hybrid arguments, one replacing external bundles, and the other replacing internal bundles. In the first case, leakage-indistinguishability is reduced to that of the underlying encoding scheme \(\mathsf{{E}} ^{{\mathrm {in}} }\), whereas in the second it is reduced to the leakage-indistinguishability of the actual and simulated wire values of a single gadget. Specifically, the leakage function \(\ell ^{{\mathrm {in}} }\) in the reduction is given either an encoding of a single field element, or the wire values of a single gadget; uses its input to generate all the wire values of the compiled circuit; and then evaluates \(\ell \) on these wire values. Thus, if originally we could withstand leakage from some function class \(\mathcal {L}^{{\mathrm {in}} }\), and the additional wires can be generated by a function class \(\mathcal{{L}}_R\), then after the reduction we can withstand leakage from any function class \(\mathcal{{L}}\) such that \(\mathcal{{L}}\circ \mathcal{{L}}_R\subseteq \mathcal{{L}}^{{\mathrm {in}} }\). In particular, if \(\mathcal{{L}}^{{\mathrm {in}} }\) consists of functions computable by low-depth circuits, and computing the internal wires of \(\hat{\mathcal{{T}}_0},\mathcal{{T}}_V\) requires deep circuits (consequently, \(\mathcal{{L}}_R\) necessarily contains functions whose computation requires deep circuits), then we have no leakage-resilience. To overcome this, we show how to simulate these additional wires using shallow circuits. This is possible because (due to the way in which the hybrids are defined) the masking inputs in at least one copy are well-formed. Specifically, the structure of \(\hat{\mathcal{{T}}}_0,\mathcal{{T}}_V\) guarantees that conditioned on the masking inputs of \(\hat{C}_2\) being well-formed, these wire values can be computed by shallow circuits. When the masking inputs of \(\hat{C}_2\) are ill-formed, we are guaranteed that the masking inputs of \(\hat{C}_1\) are well-formed. Conditioned on this event, we show an alternative method of computing the internal wires of \(\hat{\mathcal{{T}}}_0,\mathcal{{T}}_V\), which can be done by shallow circuits. Thus, we get the following result.

Proposition 1

(SAT-respecting relaxed LRCC over \({\mathbb {F}}\) ). Let \(\mathcal {L},\mathcal {L}_\mathsf{{E}}\) be families of functions, \(\mathsf{{S}}\left( n\right) :\mathbb {N}\rightarrow \mathbb {N}\) be a size function, and \(\epsilon \left( n\right) :\mathbb {N}\rightarrow \mathbb {R}^+\). Let \(\mathsf{{E}}^{{\mathrm {in}} }=\left( \mathsf{{Enc}}^{{\mathrm {in}} },\mathsf{{Dec}}^{{\mathrm {in}} }\right) \) be a linear, onto, \(\left( \mathcal {L}_{\mathsf{{E}}},\epsilon \left( n\right) \right) \)-leakage-indistinguishable encoding scheme with parameters \(n=1\), \(\sigma \) and \(\hat{n}=\hat{n}\left( \sigma \right) \), such that \(\mathcal {L}_\mathsf{{E}} = \mathcal {L}\circ \mathsf{{Shallow}} \left( 7,O\left( \hat{n}^4\left( \mathsf{{S}}\left( n\right) \right) \cdot \mathsf{{S}}\left( n\right) \right) \right) \). Then there exists a SAT-respecting, \(\left( \mathcal {L},8\epsilon \left( n\right) \cdot \mathsf{{S}}\left( n\right) , \mathsf{{S}}\left( n\right) \right) \)-relaxed-LRCC over \({\mathbb {F}}\). Moreover, for every \(C:{\mathbb {F}}^n\rightarrow {\mathbb {F}}\), the compiled circuit \(\hat{C}\) has size \(\left| \hat{C}\right| =O\left( \left| {\mathbb {F}}\right| \cdot \hat{n}^5\left( \mathsf{{S}}\left( n\right) \right) \cdot \left| C\right| ^2\right) \).

3.2 A SAT-Respecting Relaxed LRCC over \({\mathbb {F}}_2\)

In this section we describe a relaxed LRCC over \({\mathbb {F}}_2\). Our starting point is the circuit-compiler of Construction 9 over the field \({\mathbb {F}}\), which we apply to an “arithmetic version” of the boolean circuit. At a high-level, we construct our circuit compiler over \({\mathbb {F}}_2\) as follows: we represent field elements of \({\mathbb {F}}\) using bit-strings; and operations \(+,-,\times ,\mathsf{{id}} ,\mathsf{{copy}},\mathsf{{const}}_{\alpha },\alpha \in \mathbb {F}\) as functions over \(\lceil \log \left| \mathbb {F}\right| \rceil \)-bit strings. (For now, we assume that there exist gates operating on \(\lceil \log \left| \mathbb {F}\right| \rceil \)-bit strings and computing these operations.) We “translate” boolean circuits into arithmetic circuits with such operations, and apply the circuit-compiler of Construction 9 (where the field operations are implemented using the boolean operations described in Sect. 2) to the “translated” circuit. (We note that leakage-resilience deteriorates when an arithmetic compiler is transformed to a boolean one, but only by a constant factor in the depth and size of circuits computing the leakage functions.) Concretely, we set \({\mathbb {F}}={\mathbb {F}}_3\).

From boolean circuits to arithmetic circuits. Our boolean circuit-compiler operates on boolean circuits, but employs an arithmetic circuit-compiler operating on arithmetic circuits over \({\mathbb {F}}\). Therefore, we first transform the boolean circuit into an equivalent arithmetic circuit in the natural manner (i.e., representing every bit operation as a polynomial over the arithmetic field).

The field elements of \(\mathbb {F}\), and the arithmetic operations over \(\mathbb {F}\) that are used by the arithmetic relaxed LRCC (Construction 9) will be represented using bit strings and boolean operations, respectively.

Representing field elements as bit strings. We can use any 1:1 mapping \(E_b:{\mathbb {F}}_3\rightarrow \{0,1\}^2\), together with a “reverse” mapping \(E_b^{-1}:\{0,1\}^2\rightarrow {\mathbb {F}}_3\) that associates every bit string with a field element. This is required for the SAT-respecting property: it guarantees that whatever values are carried on the wires of the boolean circuit, they can be “translated” into wire values of the arithmetic circuit over \(\mathbb {F}_3\).

Implementing field operations. The compiled arithmetic circuit uses the field operations \(+,-,\times \), and also \(\mathsf{{copy}}, \mathsf{{id}} \) and \(\mathsf{{const}}_{\alpha },\alpha \in \mathbb {F}_3\). These operations are represented using bit operations over bit strings generated by \(E_b\). Specifically, we think of every field operation as a boolean function with 4 inputs (a pair of 2-bit strings representing the pair of input field elements) and 2 outputs (a 2-bit string representing the output field element). We stress that though an honest construction over bits uses only 3 of the 4 possible 2-bit strings encoding field elements (i.e., only the strings in the image of \(E_b\) as defined, for example, in Construction 11), the function representing a field operation in \(\mathbb {F}_3\) should be defined to output the correct values on all 2-bit strings. The truth table of each output bit has constant size, and can be represented by a constant-size, depth-3 boolean circuit. \(\mathsf{{copy}},\mathsf{{id}} \) and \(\mathsf{{const}}_{\alpha }\) gates are handled similarly. Therefore, the size (depth) of each gadget (and consequently, of the entire compiled circuit) increases by a constant multiplicative factor (specifically, by a factor of 3).
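
A minimal sketch of such a truth-table implementation of one operation (multiplication over \({\mathbb {F}}_3\)), using the concrete \(E_b,E_b^{-1}\) of Construction 11 below; the decomposition of each output bit into a depth-3 boolean circuit is left implicit:

    # Multiplication over F_3 as a function on pairs of 2-bit strings; it is
    # defined on all four strings, so the ill-formed string 10 still maps to a
    # valid field element via E_b^{-1}.
    P = 3
    E_b     = {0: (0, 0), 1: (0, 1), 2: (1, 1)}
    E_b_inv = {(0, 0): 0, (0, 1): 1, (1, 0): 1, (1, 1): 2}

    def mult_bits(a_bits, b_bits):
        prod = (E_b_inv[a_bits] * E_b_inv[b_bits]) % P
        return E_b[prod]

    # Each of the 2 output bits is a boolean function of the 4 input bits, so it
    # has a constant-size truth table (hence a constant-size, depth-3 circuit).
    assert mult_bits((0, 1), (1, 1)) == E_b[2]     # 1 * 2 = 2
    assert mult_bits((1, 0), (1, 1)) == E_b[2]     # the ill-formed 10 decodes to 1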

Notice that representing boolean circuits using arithmetic circuits introduces the following obstacle. For a satisfiable circuit \(\hat{C}\), we are only guaranteed the existence of an \(x\in {\mathbb {F}}^n\) satisfying the original arithmetic circuit, whereas for boolean circuits we require that \(x\in \{0,1\}^n\). Therefore, we need an additional “input checker” sub-circuit that will guarantee that the inputs to the compiled circuit encode binary strings.

Definition 7

(Input-checker \(\mathcal{{T}}^{{\mathrm {in}} }\) ). \(\mathcal{{T}}^{{\mathrm {in}} }:{\mathbb {F}}\rightarrow {\mathbb {F}}\) is defined as follows: \(\mathcal{{T}}^{{\mathrm {in}} }\left( z\right) =\mathcal{{T}}\left( z^2-z\right) \).

Observation 10

For every \(z\in \mathbb {F}_3\), \(\mathcal{{T}}^{{\mathrm {in}} }\left( z\right) \in \{0,1\}\), and \(\mathcal{{T}}^{{\mathrm {in}} }\left( z\right) =1\) if and only if \(z\in \{0,1\}\).
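Observation 10 can be verified by an exhaustive check over \({\mathbb {F}}_3\). The sketch below assumes that \(\mathcal{{T}}\) maps 0 to 1 and every nonzero field element to 0 (consistent with Observation 10); the concrete polynomial \(\mathcal{{T}}\left( y\right) =1-y^2\) used here is only an illustrative stand-in for the gadget \(\mathcal{{T}}\) defined earlier in the paper.

```python
# Exhaustive check of Observation 10 over F_3, with an illustrative
# stand-in for the gadget T (assumption: T maps 0 to 1 and nonzero to 0).
P = 3

def T(y):
    return (1 - y * y) % P       # 0 -> 1, nonzero -> 0 over F_3

def T_in(z):
    return T((z * z - z) % P)    # the input-checker of Definition 7

for z in range(P):
    assert T_in(z) in (0, 1)
    assert (T_in(z) == 1) == (z in (0, 1))
```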

Construction 11

(SAT-respecting relaxed LRCC). Let \(E_b:\mathbb {F}_3\rightarrow \{0,1\}^2\) be defined by \(E_b\left( 0\right) =00\), \(E_b\left( 1\right) =01\), and \(E_b\left( 2\right) =11\), and let \(E_b^{-1}:\{0,1\}^2\rightarrow \mathbb {F}_3\) be defined by \(E_b^{-1}\left( 00\right) =0\), \(E_b^{-1}\left( 01\right) =E_b^{-1}\left( 10\right) =1\), and \(E_b^{-1}\left( 11\right) =2\). Let \(T'\) be an algorithm transforming boolean circuits into arithmetic circuits over \({\mathbb {F}}_3\), and let \(\left( \mathsf{{Comp}},\mathsf{{E}}=\left( \mathsf{{Enc}},\mathsf{{Dec}}\right) \right) \) be the circuit compiler over \({\mathbb {F}}_3\) of Construction 9. The circuit compiler over \({\mathbb {F}}_2\) is \(\left( \mathsf{{Comp}}^b,\mathsf{{E}}^b=\left( \mathsf{{Enc}}^b,\mathsf{{Dec}}^b\right) \right) \), where:

  • \(\mathsf{{Enc}}^b=E_b\circ \mathsf{{Enc}}\) and \(\mathsf{{Dec}}^b=\mathsf{{Dec}}\circ E_b^{-1}\)

  • \(\mathsf{{Comp}}^b\) on input \(C:\{0,1\}^n\rightarrow \{0,1\}\):

    • Uses \(T'\) to transform C into an equivalent arithmetic circuit \(C':{\mathbb {F}}_3^{n}\rightarrow {\mathbb {F}}_3\).

    • Constructs the circuit \(C'':{\mathbb {F}}_3^{n}\rightarrow {\mathbb {F}}_3\) such that \(C''\left( x_1,...,x_n\right) =1-\left( C'\left( x_1,...,x_n\right) \times \left( \times _{i=1}^{n}\mathcal{{T}}^{{\mathrm {in}} }\left( x_i\right) \right) \right) \). (Notice that \(C''\left( x_1,...,x_n\right) \) outputs 0 if and only if \(C'\left( x_1,...,x_n\right) =1\) and \(x_1,...,x_n\in \{0,1\}\).)

    • Computes \(\hat{C''}=\mathsf{{Comp}}\left( C''\right) \).

    • Replaces every gate in \(\hat{C''}\) with a constant-size, depth-3 boolean circuit computing the truth table of the gate operation. \(\mathsf{{Comp}}^b\) can use any correct circuit, as long as these circuits are used consistently (i.e., for every gate the same circuit is used to replace all appearances of the gate in \(\hat{C''}\)).

    • Denote the output of \(\hat{C''}\) by \(e\in {\mathbb {F}}_3\), represented by the string \(\left( e_1,e_2\right) \in \{0,1\}^2\). Then \(\mathsf{{Comp}} ^b\) outputs the circuit \(\hat{C}_b\) obtained from \(\hat{C''}\) by applying a \(\vee \) gate, followed by a \(\lnot \) gate, to the output of \(\hat{C''}\). (This reduces the output string of \(\hat{C''}\) to a single bit, and flips the output of \(\hat{C''}\), which is required due to the negation introduced in the definition of \(C''\); see the sketch following the construction.)

    We use \(\hat{C}_{1,b},\hat{C}_{2,b},\hat{\mathcal{{T}}}_{0,b},\mathcal{{T}}_{V,b}\) to denote the components of \(\hat{C}_b\) corresponding to \(\hat{C}_1,\hat{C}_2,\hat{\mathcal{{T}}_0},\mathcal{{T}}_V\), respectively.
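The output-reduction step referenced above is the following simple computation on the 2-bit encoding \(\left( e_1,e_2\right) \) of the output (a minimal sketch, using the encoding \(E_b\) of this construction):

```python
# Output reduction of Comp^b: collapse the 2-bit encoding (e1, e2) of the
# output e to a single bit via NOT(e1 OR e2), so the final output is 1
# exactly when e = 0, i.e., exactly when C'' evaluates to 0.

def reduce_output(e1: int, e2: int) -> int:
    return 1 - (e1 | e2)

# With E_b(0) = 00, E_b(1) = 01, E_b(2) = 11:
assert reduce_output(0, 0) == 1   # e = 0  -> output 1
assert reduce_output(0, 1) == 0   # e = 1  -> output 0
assert reduce_output(1, 1) == 0   # e = 2  -> output 0
```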

Observation 12

\(\hat{C}_b\left( \hat{x}\right) \in \{0,1\}\) for every \(\hat{x}\). Moreover, \(\hat{C}_b\left( \hat{x}\right) =1\) if and only if \(\hat{C''}\left( \hat{x}\right) =0\). Consequently, if \(\mathsf{{Comp}} \) is SAT-respecting, then the satisfiability of \(\hat{C}_b\) guarantees that \(C''\left( x\right) =0\) for some \(x\in {\mathbb {F}}_3^n\). The definition of \(C''\), and the correctness of \(T'\), then guarantee that \(x\in \{0,1\}^n\), and that \(C'\left( x\right) =C\left( x\right) =1\).

In the full version, we prove that if Construction 9 is a SAT-respecting relaxed LRCC over \({\mathbb {F}}_3\), then so is Construction 11 (over \({\mathbb {F}}_2\)), against a somewhat weaker leakage family. The leakage family is weaker because relaxed leakage-resilience is proved by reduction to the relaxed leakage-resilience of Construction 9 (the leakage function in the reduction, given the wire values of the compiled arithmetic circuit, generates the internal wire values of the boolean sub-circuits emulating the field operations). Formally, we obtain the following.

Proposition 2

Let \(\mathcal {L},\mathcal {L}_\mathsf{{E}}\) be families of functions, \(\mathsf{{S}}\left( n\right) :\mathbb {N}\rightarrow \mathbb {N}\) be a size function, and \(\epsilon \left( n\right) :\mathbb {N}\rightarrow \mathbb {R}^+\) be an error function. Let \(\mathsf{{E}}^{{\mathrm {in}} }\) be a linear, onto encoding scheme over \(\mathbb {F}_3\) with parameters \(n=1\), \(\sigma \) and \(\hat{n}=\hat{n}\left( \sigma \right) \), that is \(\left( \mathcal {L}_{\mathsf{{E}}},\epsilon \left( n\right) \right) \)-leakage-indistinguishable, where \(\mathcal {L}_{\mathsf{{E}}}=\mathcal {L} \circ \mathsf{{ShallowB}} \left( 33,O\left( \hat{n}^5\left( \mathsf{{S}}\left( n\right) \right) \cdot \mathsf{{S}}\left( n\right) ^2\right) \right) \). Then there exist a constant \(c>0\) and a SAT-respecting \(\left( \mathcal {L},c\cdot \epsilon \left( n\right) \cdot \mathsf{{S}}\left( n\right) , \mathsf{{S}}\left( n\right) \right) \)-relaxed-LRCC over \({\mathbb {F}}_2\). Moreover, \(\left| \hat{C}_b\right| =O\left( \hat{n}^5\left( \mathsf{{S}}\left( n\right) \right) \left| C\right| ^2\right) \).

Taking \(\mathsf{{E}} ^{{\mathrm {in}} }\) in the previous proposition to be the parity encoding, and using a result of Håstad [16] that \(\mathsf{{AC}} ^0\) circuits (i.e., constant-depth and polynomial-sized boolean circuits with unbounded fan-in \(\wedge ,\vee \) and \(\lnot \) gates) cannot distinguish parity encodings of 0 and 1, we obtain an LRCC against \(\mathsf{{AC}} ^0\)-leakage. (We note that the compiler can also be made to withstand leakage functions that output more than one bit, using a result of Dubrov and Ishai [9]. The details of this construction, and the proof of Corollary 2, are deferred to the full version.)
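For concreteness, a parity encoding of a bit b is a uniformly random bit string whose bits XOR to b; a minimal sampling sketch follows (the length parameter \(\sigma \) below is an arbitrary illustrative choice).

```python
# Illustrative sampler for the parity encoding of a bit b: a uniformly
# random string of length sigma whose bits XOR to b.
import secrets

def parity_encode(b, sigma=8):
    bits = [secrets.randbelow(2) for _ in range(sigma - 1)]
    last = b
    for x in bits:
        last ^= x          # fix the last bit so the total parity equals b
    return bits + [last]

def parity_decode(bits):
    out = 0
    for x in bits:
        out ^= x
    return out

assert parity_decode(parity_encode(0)) == 0
assert parity_decode(parity_encode(1)) == 1
```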

Corollary 2

There exists a SAT-respecting \(\left( \mathsf{{AC}} ^0,\mathsf{{negl}} \left( n\right) ,\mathsf{{poly} }\left( n\right) \right) \)-relaxed-LRCC over \({\mathbb {F}}_2\).

3.3 Withstanding Leakage from \(\mathsf{{AC}} ^0\) Circuits with \(\oplus \) Gates

Recall that \(\mathsf{{AC}} ^0\) denotes the class of constant-depth, polynomial-sized boolean circuits over unbounded fan-in and fan-out \(\wedge ,\vee ,\lnot \) gates. In this section we describe a SAT-respecting circuit-compiler withstanding leakage computed by \(\mathsf{{AC}} ^0\) circuits, augmented with a sublinear number of \(\oplus \) gates of unbounded fan-in and fan-out. Concretely, we use Construction 11, where the underlying arithmetic LRCC over \(\mathbb {F}_3\) is instantiated with the encoding scheme \(\mathsf{{E}} ^{\mathrm {in}}\) that maps an element \(\gamma \in \mathbb {F}_3\) to a vector \(v\in \{0,1\}^k\) (for some natural number k) which is random subject to the constraint that the number of 1’s in v is congruent to \(\gamma \) modulo 3. We show, by reduction to the correlation bounds of [22], that \(\mathsf{{AC}} ^0\) circuits, augmented with a sublinear number of \(\oplus \) gates, have only a negligible advantage in distinguishing between random encodings of 0 and 1 according to \(\mathsf{{E}} ^{\mathrm {in}}\). (This reduction is non-trivial and appears in Appendix A.) Using the leakage-indistinguishability of \(\mathsf{{E}} ^{\mathrm {in}}\), we prove the existence of a circuit compiler withstanding leakage from \(\mathsf{{AC}} ^0\) circuits that have several output bits and are augmented with a sublinear number of \(\oplus \) gates. (The proof appears in the full version.)
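For concreteness, the following minimal sketch samples and decodes \(\mathsf{{E}} ^{\mathrm {in}}\)-encodings as described above (the choice of k and the rejection-sampling strategy are illustrative assumptions).

```python
# Illustrative sampler for E^in: an element gamma of F_3 is encoded as a
# random v in {0,1}^k whose number of 1's is congruent to gamma modulo 3.
import secrets

def encode_mod3(gamma, k=16):
    assert gamma in (0, 1, 2)
    while True:                                   # rejection sampling
        v = [secrets.randbelow(2) for _ in range(k)]
        if sum(v) % 3 == gamma:
            return v

def decode_mod3(v):
    return sum(v) % 3

for gamma in (0, 1, 2):
    assert decode_mod3(encode_mod3(gamma)) == gamma
```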

Theorem 13

For input length parameter n, leakage length bound \(\hat{n}=\hat{n}\left( n\right) \), size bound \(s=s\left( n\right) \), output length bound \(m=m\left( n\right) \), parity gate bound \(t=t\left( n\right) \), and depth bound d, let \(\mathcal {L}^m_{\hat{n},d,s,\oplus t}=\bigcup _{n\in \mathbb {N}}\mathcal {L}^{m\left( n\right) }_{\hat{n}\left( n\right) ,d,s\left( n\right) ,\oplus t\left( n\right) }\), where \(\mathcal {L}^{m_0}_{\hat{n}_0,d_0,s_0,\oplus t_0}\) denotes the class of boolean circuits of input length \(\hat{n}_0\) over \(\lnot \) gates and unbounded fan-in \(\wedge ,\vee ,\oplus \) gates, whose depth, size, output length, and number of parity gates are bounded by \(d_0,s_0,m_0,t_0\), respectively. Then for all positive constants d, c, all polynomials m, t, and every polynomial size bound \(s'=s'\left( n\right) \), there exists a polynomial \(l\left( n\right) \) such that there exists a SAT-respecting \(\left( \mathcal {L}^m_{l,d,l^c,\oplus t},2^{-n^{c}},s'\left( n\right) \right) \)-relaxed LRCC over \({\mathbb {F}}_2\), which on input a circuit \(C:\{0,1\}^n\rightarrow \{0,1\}\) of size \(|C|\le s'\left( n\right) \) outputs a circuit \(\hat{C}\) of size \(|\hat{C}|\le l\left( n\right) \).

4 WIPCPs and CZKPCPs

Given a relation \(\mathcal {R}=\mathcal {R}\left( x,w\right) \), we let \(L_{\mathcal {R}}:=\left\{ x:\exists w,\left( x,w\right) \in \mathcal {R}\right\} \). A probabilistic proof system \(\left( P,V\right) \) for an NP-relation \(\mathcal {R}=\mathcal {R}\left( x,w\right) \) consists of a PPT prover P that on input \(\left( x,w\right) \) outputs a proof \(\pi \) (in standard probabilistically checkable proofs the prover is deterministic, but our constructions will crucially rely on the prover being probabilistic), and a probabilistic verifier V that given input x and oracle access to a proof \(\pi \) outputs either accept or reject. We say that V is q-query-bounded if V makes at most q queries to \(\pi \).

WIPCPs. A probabilistic proof system is a WIPCP for an NP-relation \(\mathcal {R}=\mathcal {R}\left( x,w\right) \) if it satisfies the following. First, when given \(x\in L_{\mathcal {R}}\) and oracle access to an honestly generated proof, the verifier accepts with probability 1 (this is called completeness). Second, given \(x\notin L_{\mathcal {R}}\), the verifier rejects except with probability at most \(\epsilon _S\), regardless of its “proof” oracle (this is called \(\epsilon _S\)-soundness). Third, for every (possibly malicious, possibly adaptive) \(q^*\)-query bounded verifier \(V^*\), every \(x\in L_{\mathcal {R}}\), and every pair \(w_1,w_2\) of witnesses for x, the view of \(V^*\) when verifying an honestly generated proof for \(\left( x,w_1\right) \) is \(\epsilon _{\mathrm {ZK}}\)-statistically close to its view when verifying an honestly generated proof for \(\left( x,w_2\right) \) (this is called \(\left( \epsilon _{\mathrm {ZK}},q^*\right) \)-WI). A WIPCP is a non-adaptive WIPCP (NA-WIPCP) system for a relation \(\mathcal {R}=\mathcal {R}\left( x,w\right) \) if the honest verifier is non-adaptive. In the following, we denote by \(\mathsf{{NA-WIPCP}} \left[ r,q,q^*,\epsilon _S,\epsilon _{\mathrm {ZK}},\ell \right] \) the class of NP-languages that admit an NP-relation \(\mathcal {R}\) with a non-adaptive \(\left( \epsilon _{\mathrm {ZK}},q^*\right) \)-WIPCP, in which the prover outputs proofs of length \(\ell \), the honest verifier tosses \(O\left( r\right) \) coins, queries \(O\left( q\right) \) proof bits, and rejects false claims except with probability at most \(\epsilon _S\). We use \(\mathsf{{PCP}} \left[ r,q,\epsilon ,\ell \right] \) to denote the class of NP-languages admitting a standard (i.e., non-WI) PCP system with the same properties, and write \(\mathcal {R}\in \mathsf{{PCP}} \left[ r,q,\epsilon ,\ell \right] \) to denote that \(L_{\mathcal {R}}\in \mathsf{{PCP}} \left[ r,q,\epsilon ,\ell \right] \). We denote \(\mathsf{{NA-WIPCP}} :=\mathsf{{NA-WIPCP}} [\mathsf{{poly} }\log n,\mathsf{{poly} }\log n,\mathsf{{poly} }\left( n\right) ,\mathsf{{negl}} \left( n\right) , \mathsf{{negl}} \left( n\right) , \mathsf{{poly} }\left( n\right) ]\).

We describe a transformation from PCPs to NA-WIPCPs, which can be applied to any PCP system in which the proof is obtained from the witness through an “easy” function (we formalize this notion below). Recall that a standard PCP \(\pi \) can be generated from the wire values \(\left[ C_{\mathcal {R}},\left( x,w\right) \right] \) of the verification circuit \(C_{\mathcal {R}}\) of the relation, on input x and witness w. If the function f taking \(\left[ C_{\mathcal {R}},\left( x,w\right) \right] \) to \(\pi \) is in a function class \(\mathcal {L}\), then the system can be made WI as follows. The prover and verifier both compile \(C_{\mathcal {R}}\left( x,\cdot \right) \) (i.e., \(C_{\mathcal {R}}\) with x hard-wired into it) into a SAT-respecting circuit \(\hat{C}_{\mathcal {R}}\) that is relaxed leakage-resilient against \(\mathcal{{L}}\). The prover then samples a random encoding \(\hat{w}\) of w, and generates the PCP \(\pi =f\left[ \hat{C}_{\mathcal {R}},\hat{w}\right] \). The verifier probabilistically verifies that \(\hat{C}_{\mathcal {R}}\) is satisfiable by reading few symbols of \(\pi \), which (if the verifier is non-adaptive) correspond to applying a leakage function from \(\mathcal {L}\) to the wire values of \(\hat{C}_{\mathcal {R}}\). This gives the following result. (The detailed construction, and the proof of Proposition 3, appear in the full version.)
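The following sketch summarizes the structure of the resulting prover and (non-adaptive) verifier. All parameters (\(\mathsf {Comp}\), \(\mathsf{{Enc}}\), the wire-evaluation routine, and the underlying PCP procedures) are placeholder callables standing in for the objects of Proposition 3 below; this is only a structural outline, not the detailed construction of the full version.

```python
# Structural outline of the PCP-to-WIPCP transformation (all arguments are
# placeholder callables; none of the actual objects are implemented here).

def wipcp_prove(C_R_x, w, Comp, Enc, eval_wires, pcp_from_wires):
    """Prover: compile C_R(x, .), encode the witness, and build the PCP
    from the wire values of the compiled circuit."""
    C_hat = Comp(C_R_x)               # SAT-respecting relaxed LRCC applied to C_R(x, .)
    w_hat = Enc(w)                    # random encoding of the witness w
    wires = eval_wires(C_hat, w_hat)  # wire values [C_hat, w_hat]
    return pcp_from_wires(C_hat, wires)   # pi = f[C_hat, w_hat]

def wipcp_verify(x, proof, coins, pcp_queries, pcp_decide):
    """Verifier: non-adaptive, so the query set is fixed by x and the coins;
    each query set then corresponds to a leakage function applied to the wires."""
    queries = pcp_queries(x, coins)
    answers = [proof[q] for q in queries]
    return pcp_decide(x, coins, queries, answers)
```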

Proposition 3

Let n be a length parameter, \(\epsilon _{S},\epsilon _{\mathrm {ZK}}\in \left[ 0,1\right] \), \(\mathsf{{S}}=\mathsf{{S}}\left( n\right) \) be a size function, \(q^*=q^*\left( n\right) \) be a query function, and \(g(\cdot )\) be a polynomial. Let \(\mathcal {L}\) be a family of leakage functions, such that:

  • there is a SAT-respecting \(\left( \mathcal {L},\epsilon _{\mathrm {ZK}},\mathsf{{S}}\right) \)-relaxed LRCC \(\left( \mathsf {Comp},\mathsf{{E}}\right) \) satisfying \(\left| \mathsf {Comp}(C) \right| \le g\left( \left| C\right| \right) \);

  • there is a \(\mathsf{{PCP}} \left[ r\left( n\right) ,q\left( n\right) ,\epsilon _S,\ell \left( n\right) \right] \) system for \(\mathrm {3SAT}\), such that for every \(\left( \varphi ,W\right) \in \mathrm {3SAT}\), every subset \(\mathcal {Q}\) of \(q^{*}\) bits of an honestly-generated proof \(\pi =\pi \left( \varphi ,W\right) \) is computable from W by a function \(f_{\varphi ,\mathcal {Q}}\in \mathcal {L}\).

Then for every NP-relation \(\mathcal {R}=\mathcal {R}\left( x,w\right) \) with verification circuit \(C^{\mathcal {R}}\) of size at most \(\mathsf {S}\), we have that \(\mathcal {R}\in \mathsf{{NA-WIPCP}} \left[ r\left( t\right) , q\left( t\right) ,q^*,\epsilon _S, 2\epsilon _{\mathrm {ZK}}, \ell \left( t\right) \right] \), where \(t=O\left( g\left( \left| C^{\mathcal {R}}\right| \right) \right) \), and WI holds against non-adaptive verifiers.

In the full version we use techniques of [7] to generalize the WI property of Proposition 3 to adaptive verifiers, while increasing the statistical distance of the WI by a multiplicative factor of roughly \(\ell ^{q^*}\) (all other parameters remain unchanged). Then, we prove that the PCP system of [2] for 3SAT has the property that every proof bit is generated from the NP-witness by an \(\mathsf{{AC}} ^{0}\) circuit, augmented with “few” \(\oplus \) gates. Theorem 1 follows by combining these two results with Theorem 13.

CZKPCPs in the CRS model. A probabilistic proof system is a CZKPCP in the CRS model for an NP-relation \(\mathcal {R}=\mathcal {R}\left( x,w\right) \) if the prover and verifier have access to a common random string s; correctness holds for any s; soundness holds for a uniformly random s; and there exists a PPT simulator \(\mathsf{{Sim}} \) such that for every \(q^*\)-query bounded verifier \(V^*\), and every \(x\in L_{\mathcal {R}}\), \(\mathsf{{Sim}} \left( x\right) \) is computationally indistinguishable from the joint distribution of a uniformly random s and the view of \(V^*\) given s and oracle access to an honestly generated proof for x (this is called computational ZK (CZK)). As with NA-WIPCPs, a CZKPCP system is non-adaptive (NA-CZKPCP) if the honest verifier is non-adaptive. Applying the techniques of [12] to Proposition 3, we obtain a general transformation from NA-WIPCPs to NA-CZKPCPs, and Corollary 1 follows by using the NA-WIPCP of Theorem 1 (see the full version for details).

We note that a simple alternative construction of CZKPCP for NP can be obtained by applying a standard PCP on top of a standard NIZK proof [6, 13]. Concretely, the CZKPCP prover generates a PCP for the NP-claim “there exists a NIZK for the claim \(x\in L_{\mathcal {R}}\), relative to the CRS s, that would cause the NIZK-verifier to accept”, where the witness is the NIZK proof string. Since the NIZK itself is CZK, the resultant PCP is also CZK. However, NIZK proofs for NP are not known to follow from the existence of one-way functions, and can currently be based only on much stronger assumptions such as the existence of trapdoor permutations [12].

The (im)possibility of SAT-respecting non-relaxed LRCCs. Known constructions of LRCCs withstanding global leakage [11, 18, 23] guarantee a universal simulation property, in the sense that the simulator generates the simulated wire values without knowing the identity of the leakage function, and these values are guaranteed to be indistinguishable from the actual wire values for every leakage function in the leakage class. Consequently, our construction (which is based on the LRCC of [11]) also guarantees this universal simulation property. Our general transformation from SAT-respecting relaxed LRCCs to WIPCPs can also be applied to a SAT-respecting non-relaxed LRCC, in which case we would obtain a ZKPCP for all of NP, with a universal PPT simulator that generates a simulated proof without seeing the queries of the verifier. Such a simulator can be used to decide the NP-language: running the honest verifier on the simulated proof accepts with high probability when \(x\in L\), whereas soundness guarantees rejection (for any proof) with high probability when \(x\notin L\). Hence the existence of SAT-respecting non-relaxed LRCCs with a universal simulator would imply that \(\mathsf{{NP}} \subseteq \mathsf{{BPP}}\). (See the full version for additional details.) We note that our transformation of Sect. 4 does not require the LRCC simulator to be universal. However, constructing (SAT-respecting) non-relaxed LRCCs with a non-universal simulator would require developing new techniques for constructing LRCCs.

4.1 Distributed ZK and WI Proofs

We use our WIPCPs and CZKPCPs to construct 3-round WI and CZK proofs (respectively) for NP in a distributed setting, in which the PPT prover P and verifier V are aided by m polynomial-time servers \(S_1,...,S_m\). We call such systems m-distributed proof systems. We note that P has input \(\left( x,w\right) \), V has input x, and the servers have no input. Our motivation for studying proofs in a distributed setting is to minimize the round complexity, and the underlying assumptions, of sublinear ZK proofs. Concretely, it is known that assuming the existence of collision-resistant hash functions, there exist 2-party 4-round sublinear ZK arguments for NP [17, 20]. (Arguments guarantee soundness only against computationally bounded malicious provers.) We show that in the distributed setting, there exist 3-round sublinear CZK (respectively, WI) proofs for NP, assuming the existence of OWFs (respectively, unconditionally). Thus, the distributed setting allows us to improve on previous results in terms of round complexity, underlying assumptions, and soundness type.

Distributed CZK/WI proof systems. An m-distributed proof system is a \(\left( t,m\right) \)-distributed ZK proof system for an NP-relation \(\mathcal {R}\) if it satisfies the following properties. First, if all parties are honest and \(\left( x,w\right) \in \mathcal {R}\) then V accepts x with probability 1 (the correctness property). Second, if \(x\notin L_{\mathcal {R}}\) then V rejects x except with negligible probability, even if the prover is corrupted and colludes with at most t corrupted servers (the soundness property). Third, for every adversary \(\mathcal {A}\) corrupting V and \(t'\le t\) servers there exists a PPT simulator \(\mathsf{{Sim}} \) such that for every \(x\in L_{\mathcal {R}}\), \(\mathsf{{Sim}} \left( x\right) \) is computationally indistinguishable from the view of \(\mathcal {A}\) in an execution of the protocol on input x. This notion can be naturally relaxed to WI, or to CZK in the CRS model.

We use WIPCPs (respectively, CZKPCPs) to construct a 3-round distributed-WI proof system (respectively, CZK proof system in the CRS model) which, at a high level, operates as follows. In the first round the prover distributes a WIPCP (respectively, a CZKPCP) between the servers, and in the second and third rounds the verifier and servers emulate the WIPCP (respectively, CZKPCP) verification procedure (the verifier sends the proof queries of the WIPCP or CZKPCP verifier, and the servers provide the corresponding proof bits). This overview is an over-simplification of the construction: the verification procedure of the WIPCP (respectively, CZKPCP) cannot be used as-is since it only guarantees soundness when the verification is performed with a proof oracle, whereas corrupted servers can determine their answers after seeing the queries of the verifier. We overcome this by using techniques of [19] (a more detailed description and analysis of these distributed proof systems appears in the full version). Thus, we obtain the following results.
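A purely structural sketch of the 3-round message flow follows. It deliberately leaves abstract how the proof is split among the servers, and omits the consistency checks of [19] that handle servers answering after seeing the queries; prove, distribute, queries and the decision predicate are placeholder functions.

```python
# Structural sketch of the 3-round distributed proof (placeholders only;
# the proof distribution and the consistency checks of [19] are omitted).

def round_1(prove, distribute, x, w, m):
    """Prover -> servers: generate the WIPCP/CZKPCP proof and distribute it."""
    pi = prove(x, w)
    return distribute(pi, m)        # list of m server states

def round_2(queries, x, coins):
    """Verifier -> servers: the honest verifier's non-adaptive proof queries,
    e.g. a list of (server index, proof position) pairs."""
    return queries(x, coins)

def round_3(server_states, qs):
    """Servers -> verifier: the requested proof bits; the verifier then runs
    the WIPCP/CZKPCP decision predicate on the answers."""
    return [server_states[i][pos] for (i, pos) in qs]
```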

Theorem 14

(Sublinear distributed WI proofs). For every \(\mathsf{{NP}} \)-relation \(\mathcal {R}\), and polynomial \(t\left( n\right) \), there exists a polynomial \(m\left( n\right) > t\left( n\right) \) such that \(\mathcal {R}\) has a 3-round sublinear \(\left( t,m\right) \)-distributed WI proof system, where n is the input length.

Theorem 15

(Sublinear distributed CZK proofs in the CRS model). Assume that OWFs exist. Then for every \(\mathsf{{NP}} \)-relation \(\mathcal {R}\), and polynomial \(t\left( n\right) \), there exists a polynomial \(m\left( n\right) > t\left( n\right) \) such that \(\mathcal {R}\) has a 3-round sublinear \(\left( t,m\right) \)-distributed CZK proof system in the CRS model, where n is the input length.

These constructions crucially rely on the non-adaptivity of the honest WIPCP (respectively, CZKPCP) verifier (otherwise we would need at least 4 rounds, since rounds cannot be compressed). Moreover, the verifier may collude with a subset of servers, so the PCP should be WI (respectively, CZK) against malicious verifiers.