## Abstract

Zero-Knowledge PCPs (ZK-PCPs; Kilian, Petrank, and Tardos, STOC ‘97) are PCPs with the additional zero-knowledge guarantee that the view of any (possibly malicious) verifier making a bounded number of queries to the proof can be efficiently simulated up to a small statistical distance. Similarly, ZK-PCPs of Proximity (ZK-PCPPs; Ishai and Weiss, TCC ‘14) are PCPPs in which the view of an adversarial verifier can be efficiently simulated with few queries to the input. Previous ZK-PCP constructions obtained an exponential gap between the query complexity *q* of the honest verifier, and the bound \(q^*\) on the queries of a malicious verifier (i.e., \(q={\mathsf {poly}}\log \left( q^*\right) \)), but required either exponential-time simulation, or adaptive *honest* verification. This should be contrasted with standard PCPs, that can be verified non-adaptively (i.e., with a single round of queries to the proof). The problem of constructing such ZK-PCPs, *even when* \(q^*=q\), has remained open since they were first introduced more than 2 decades ago. This question is also open for ZK-PCPPs, for which no construction with non-adaptive honest verification is known (not even with exponential-time simulation). We resolve this question by constructing the *first* ZK-PCPs and ZK-PCPPs which *simultaneously* achieve *efficient* zero-knowledge simulation and *non-adaptive* honest verification. Our schemes have a square-root query gap, namely \(q^*/q=O\left( \sqrt{n}\right) \), where *n* is the input length. Our constructions combine the “MPC-in-the-head” technique (Ishai et al., STOC ‘07) with leakage-resilient secret sharing. Specifically, we use the MPC-in-the-head technique to construct a ZK-PCP variant over a large alphabet, then employ leakage-resilient secret sharing to design a new alphabet reduction for ZK-PCPs which preserves zero-knowledge.

### Similar content being viewed by others

## Notes

We stress that a larger gap is preferable to a smaller one, since it means the proof can be verified with few queries, while guaranteeing zero-knowledge even when a malicious verifier makes many more queries (compared to the honest verifier).

In this context, we note that if one only requires ZK against the

*honest*verifier, then non-adaptive ZK-PCPs and ZK-PCPPs are known. (This is implicit in [26, 28] for ZK-PCPs and ZK-PCPPs respectively, via standard soundness amplification.) Consequently, our non-adaptive ZK-PCPs and ZK-PCPPs (with ZK against*malicious*verifiers) do not improve the round complexity in applications that only require ZK against the honest-verifier (e.g., the ZK arguments of [24], and the commit-and-prove protocols of [26]).We note that several PCP constructions (e.g., [17]) use more elaborate alphabet reduction techniques

*for efficiency reasons*(in particular, their goal is to achieve quasi-linear length proofs with \(O\left( 1\right) \) query complexity and a constant soundness error). A \(\log \left| {\Sigma }\right| \) blowup is less significant in the context of*zero-knowledge*PCPs, where the query complexity is anyway \(\omega \left( 1\right) \) since we wish to have a negligible soundness error.Due to some technical issues, the construction is actually somewhat more involved, see Sect. 5 for the construction and further details.

In fact, \(\widehat{C}\) operates on encoded inputs, however to simplify the discussion we disregard this at this point, and provide a more accurate discussion in Sect. 2.2.2.

Namely, there are \({{t/2} \atopwithdelims ()k}\) ways of choosing

*k*edges among the*t*/2 edges. Then, we choose either of the two vertices incident on the selected edges.In fact, as will be evident from the proof, it suffices that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is ZK against

*non-adaptive*malicious verifiers.We stress that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is non-adaptive in the sense that the

*honest*verifier is non-adaptive, but ZK holds against possibly*adaptive*verifiers.Notice that this step uses the fact that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is ZK against possibly

*adaptive*verifiers.In fact, as will be evident from the proof, it suffices that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is ZK against

*non-adaptive*malicious verifiers.We stress that \(\left( {\mathcal {P}},{\mathcal {V}}\right) \) is non-adaptive in the sense that the

*honest*verifier is non-adaptive, but ZK holds against possibly*adaptive*verifiers.

## References

D. Aggarwal, I. Damgård, J.B. Nielsen, M. Obremski, E. Purwanto, J.L. Ribeiro, M. Simkin, Stronger leakage-resilient and non-malleable secret sharing schemes for general access structures, in

*CRYPTO, Proceedings, Part II*(2019), pp. 510–539S. Arora, C. Lund, R. Motwani, M. Sudan, M. Szegedy, Proof verification and hardness of approximation problems, in

*FOCS, Proceedings*(1992), pp. 14–23S. Arora, S. Safra, Probabilistic checking of proofs; A new characterization of NP, in

*FOCS, Proceedings*(1992), pp. 2–13M. Ball, D. Dachman-Soled, S. Guo, T. Malkin, L.-Y. Tan, Non-malleable codes for small-depth circuits, in

*FOCS*(2018), pp. 826–837F. Benhamouda, A. Degwekar, Y. Ishai, T. Rabin, On the local leakage resilience of linear secret sharing schemes, in

*CRYPTO, Proceedings*(2018), pp. 531–561M. Ball, D. Dachman-Soled, M. Kulkarni, T. Malkin, Non-malleable codes for bounded depth, bounded fan-in circuits, in

*EUROCRYPT*(2016), pp. 881–908E. Ben-Sasson, O. Goldreich, P. Harsha, M. Sudan, S.P. Vadhan, Robust PCPs of proximity, shorter PCPs and applications to coding, in

*STOC, Proceedings*(2004), pp. 1–10M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in

*STOC*(1988), pp. 1–10E. Ben-Sasson, M. Sudan, Short PCPs with polylog query complexity.

*SIAM J. Comput.*,**38**(2), 551–607 (2008)R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, T. Malkin, On adaptive vs. non-adaptive security of multiparty protocols, in

*EUROCRYPT, Proceedings*(2001), pp. 262–279S.G. Choi, D. Dachman-Soled, T. Malkin, H. Wee, Black-box construction of a non-malleable encryption scheme from any semantically secure one, in

*TCC*(2008), pp. 427–444S.G. Choi, D. Dachman-Soled, T. Malkin, H. Wee, A black-box construction of non-malleable encryption from semantically secure encryption.

*J. Cryptol.*,**31**(1), 172–201 (2018)R. Cramer, I. Damgård, J.B. Nielsen,

*Secure Multiparty Computation and Secret Sharing*(Cambridge University Press, 2015)F. Davì, S. Dziembowski, D. Venturi, Leakage-resilient storage, in

*SCN, Proceedings*(2010), pp. 121–137S.E. Decatur, O. Goldreich, D. Ron, A probabilistic error-correcting scheme.

*IACR Cryptol. ePrint Arch.*,**1997**, 5 (1997)S.E. Decatur, O. Goldreich, D. Ron, Computational sample complexity.

*SIAM J. Comput.*,**29**(3), 854–879 (1999)I. Dinur, The PCP theorem by gap amplification, in

*STOC, Proceedings*(2006), pp. 241–250S. Dziembowski, K. Pietrzak, Intrusion-resilient secret sharing, in

*FOCS, Proceedings*(2007), pp. 227–237I. Dinur, O. Reingold, Assignment testers: towards a combinatorial proof of the PCP-theorem, in

*FOCS, Proceedings*(2004), pp. 155–164V. Goyal, A. Kumar, Non-malleable secret sharing, in

*STOC, Proceedings*(2018), pp. 685–698S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof-systems (extended abstract), in

*STOC, Proceedings*(1985), pp. 291–304Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge from secure multiparty computation, in

*STOC, Proceedings*(2007), pp. 21–30Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation.

*SIAM J. Comput.*,**39**(3), 1121–1152 (2009)Y. Ishai, M. Mahmoody, A. Sahai, On efficient zero-knowledge PCPs, in

*TCC, Proceedings*(2012), pp. 151–168Y. Ishai, A. Sahai, M. Viderman, M. Weiss, Zero knowledge LTCs and their applications, in

*RANDOM, Proceedings*(2013), pp. 607–622Y. Ishai, M. Weiss, Probabilistically checkable proofs of proximity with zero-knowledge, in

*TCC, Proceedings*(2014), pp. 121–145Y. Ishai, M. Weiss, G. Yang, Making the best of a leaky situation: zero-knowledge PCPs from leakage-resilient circuits, in

*TCC, Proceedings*(2016), pp. 3–32J. Kilian, E. Petrank, G. Tardos, Probabilistically checkable proofs with zero knowledge, in

*STOC, Proceedings*(1997), pp. 496–505T. Mie, Short PCPPs verifiable in polylogarithmic time with \(O\)(1) queries.

*Ann. Math. Artif. Intell.*,**56**(3–4), 313–338 (2009)A. Shamir, How to share a secret.

*Commun. ACM*,**22**(11), 612–613 (1979)A. Srinivasan, P.N. Vasudevan, Leakage resilient secret sharing and applications, in

*CRYPTO, Proceedings*(2019), pp. 480–509M. Weiss,

*Secure Computation and Probabilistic Checking*. PhD Thesis (2016)

## Acknowledgements

We thank the anonymous ITC‘21 reviewers for their helpful comments, in particular for pointing out the connection to RPEs and noting that the ZK code of [16, Theorem 2.2] is equivocal. The first and third authors are supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. The first author is supported by ISF grant No. 1316/18. The first and second authors are supported by DARPA under Contract No. HR001120C0087. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

## Author information

### Authors and Affiliations

### Corresponding author

## Additional information

Communicated by Amit Sahai.

### Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

## Rights and permissions

## About this article

### Cite this article

Hazay, C., Venkitasubramaniam, M. & Weiss, M. ZK-PCPs from Leakage-Resilient Secret Sharing.
*J Cryptol* **35**, 23 (2022). https://doi.org/10.1007/s00145-022-09433-3

Received:

Revised:

Accepted:

Published:

DOI: https://doi.org/10.1007/s00145-022-09433-3