Constant-Round Leakage-Resilient Zero-Knowledge from Collision Resistance
Abstract
We construct a constant-round leakage-resilient zero-knowledge argument system under the existence of a collision-resistant hash function family. That is, using collision-resistant hash functions, we construct a constant-round zero-knowledge argument system such that for any cheating verifier that can obtain an arbitrary amount of leakage of the prover’s state, there exists a simulator that can simulate the adversary’s view by obtaining at most the same amount of leakage of the witness. Previously, leakage-resilient zero-knowledge protocols were constructed only under a relaxed security definition (Garg-Jain-Sahai, CRYPTO’11) or under the DDH assumption (Pandey, TCC’14).
Our leakage-resilient zero-knowledge argument system satisfies an additional property that it is simultaneously leakage-resilient zero-knowledge, meaning that both zero-knowledgeness and soundness hold in the presence of leakage.
Keywords: Collision-resistant Hash Function Family; Zero-knowledge Protocol; Equivocal Commitment Scheme; Leakage Queries; Hamiltonicity Protocol
1 Introduction
Zero-knowledge (\(\mathrm {ZK}\)) proofs and arguments [14] are interactive proof/argument systems with which the prover can convince the verifier of the correctness of a mathematical statement while providing zero additional knowledge. This “zero additional knowledge” property is formalized through the simulation paradigm. Specifically, an interactive proof or argument is said to be zero-knowledge if for any adversarial verifier there exists a simulator that can output a simulated view of the adversary.
Recently, Garg et al. [12] introduced a new notion of zero-knowledgeness called leakage-resilient zero-knowledge (\(\mathrm {LRZK}\)). Roughly speaking, \(\mathrm {LRZK}\) is a notion of zero-knowledgeness in the setting where adversarial verifiers can obtain arbitrary leakage on the entire state of the honest prover (including the witness and the randomness) during the entire protocol execution. \(\mathrm {LRZK}\) is motivated by the studies of side-channel attacks (e.g., [2, 18, 27]), which demonstrated that adversaries might be able to obtain leakage of honest parties’ secret states by attacking physical implementations of cryptographic algorithms.
Informally speaking, \(\mathrm {LRZK}\) requires that the protocol does not reveal anything beyond the validity of the statement and the leakage that the adversary obtained. More formally, \(\mathrm {LRZK}\) is defined as follows. In the definition of \(\mathrm {LRZK}\), the cheating verifier is allowed to make an arbitrary number of leakage queries during the interaction with an honest prover, where each leakage query f is answered by \(f(w, \mathsf {tape})\) for the witness w and the randomness \(\mathsf {tape}\) that the honest prover generated thus far. On the other hand, the simulator is allowed to make queries to the leakage oracle \(\mathcal {L}_w\), which is parametrized by the witness w of the honest prover and outputs f(w) on input any function f. \(\mathrm {LRZK}\) is then defined by requiring that for any cheating verifier \(V^*\) there exists a simulator \(\mathcal {S}\) such that for any \(\ell \in \mathbb {N}\), when \(V^*\) obtains \(\ell \) bits of leakage of the prover’s state via leakage queries, \(\mathcal {S}\) can simulate the view of \(V^*\) by obtaining \(\ell \) bits of leakage of the witness via queries to the leakage oracle \(\mathcal {L}_w\).^{1}
In [12], Garg et al. showed a proof system that satisfies a weaker notion of \(\mathrm {LRZK}\) called \((1+\epsilon )\)-\(\mathrm {LRZK}\). Specifically, they showed that for any \(\epsilon >0\), there exists a proof system such that when \(V^*\) obtains \(\ell \) bits of leakage from the prover, a simulator can simulate the verifier’s view by obtaining at most \((1+\epsilon )\cdot \ell \) bits of leakage from \(\mathcal {L}_w\). The round complexity of this protocol is at least \(\omega (\log n){\slash }\epsilon \), and its security is proven under a standard general assumption (the existence of a statistically hiding commitment scheme that is public-coin w.r.t. the receiver).
A natural question left open by [12] is whether we can construct an \(\mathrm {LRZK}\) protocol without weakening the security requirement. That is, the question is whether we can reduce \(\epsilon \) to 0 in the protocol of [12]. This question is particularly of theoretical interest because reducing \(\epsilon \) to 0 is optimal in the sense that \(\lambda \)-\(\mathrm {LRZK}\) for \(\lambda <0\) is impossible to achieve in the plain model [12].
Recently, this question was solved affirmatively by Pandey [23], who constructed the first \(\mathrm {LRZK}\) argument system by using the DDH assumption and collision-resistant hash functions. Pandey’s protocol has only a constant number of rounds; therefore, it follows that asymptotically optimal round complexity is achievable even in the presence of leakage.
A question that is explicitly left open by Pandey [23, Section 1] is whether we can construct \(\mathrm {LRZK}\) protocols under a standard general assumption. In fact, although the protocol of Pandey [23] is superior to the protocol of Garg et al. [12] in terms of both leakage resilience (\(\mathrm {LRZK}\) vs. \((1+\epsilon )\)-\(\mathrm {LRZK}\)) and round complexity (constant vs. \(\omega (\log n){\slash }\epsilon \)), the assumption of the former is seemingly much stronger than that of the latter (the DDH assumption vs. the existence of a statistically hiding commitment scheme that is public-coin w.r.t. the receiver, which is implied by, say, the existence of a collision-resistant hash function family or even the existence of one-way functions^{2}).
Question. Can we construct a (constant-round) leakage-resilient zero-knowledge protocol under standard general assumptions?
1.1 Our Results
In this paper, we answer the above question affirmatively by constructing an \(\mathrm {LRZK}\) protocol from collision-resistant hash functions (CRHFs). Like the protocol of [23], our protocol has only a constant number of rounds. Also, our protocol has an additional property that it is public-coin (w.r.t. the verifier).
Theorem. Assume the existence of a collision-resistant hash function family. Then, there exists a constant-round public-coin leakage-resilient zero-knowledge argument for \(\mathcal {NP}\).
Simultaneously Leakage-Resilient Zero-Knowledge. Our protocol has an additional property that it is simultaneously leakage-resilient zero-knowledge [12], meaning that not only zero-knowledgeness but also soundness holds in the presence of leakage. The leakage-resilient (LR) soundness (i.e., soundness in the presence of leakage) of our protocol follows immediately from its public-coin property. In fact, any public-coin interactive proof/argument system is \(\text {LR}\) sound for an arbitrary amount of leakage of the verifier because the verifier has no secret state in public-coin protocols.
To the best of our knowledge, our protocol is the first simultaneously \(\mathrm {LRZK}\) protocol. The \((1+\epsilon )\)-\(\mathrm {LRZK}\) protocol of Garg et al. [12] is \(\text {LR}\) sound in a weak sense—it is \(\text {LR}\) sound when there is an a priori upper bound on the amount of leakage—but is not \(\text {LR}\) sound when the amount of leakage is unbounded,^{3} and similarly, the \(\mathrm {LRZK}\) protocol of Pandey [23] is also not \(\text {LR}\) sound with an unbounded amount of leakage. In contrast, our protocol is sound even when cheating verifiers obtain an arbitrary amount of leakage.
Summary of the results on \(\mathrm {LRZK}\) protocols. The round complexity of the protocol of [12] depends on the assumption that is used to instantiate the underlying statistically hiding commitment scheme; in particular, when only one-way functions (OWFs) are used, there is a polynomial additive overhead because statistically hiding commitment schemes currently require a polynomial number of rounds in this case [15].
|           | LR ZKness                              | LR soundness     | #(round)                                                   | Assumptions |
|-----------|----------------------------------------|------------------|------------------------------------------------------------|-------------|
| [12]      | \((1+\epsilon )\)-\(\mathrm {LRZK}\)   | Bounded-LR sound | \(\mathsf {poly}(n) + \omega (\log n){\slash }\epsilon \)  | OWFs        |
|           |                                        |                  | \(\omega (\log n){\slash }\epsilon \)                      | CRHFs       |
| [23]      | \(\mathrm {LRZK}\)                     |                  | O(1)                                                       | DDH + CRHFs |
| This work | \(\mathrm {LRZK}\)                     | LR sound         | O(1)                                                       | CRHFs       |
1.2 Related Works
Several works study interactive protocols in the presence of arbitrary leakage in models other than the plain model, e.g., the work about leakage-tolerant UC-secure protocols in the CRS model [5], the work about non-transferable interactive proof systems in the CRS model with a leak-free input encoding/updating phase [1], and the works about secure computation protocols in the CRS model with a leak-free preprocessing/input-encoding phase and a constant fraction of honest parties [6, 7, 8]. We remind the readers that, like [12, 23], this work considers \(\mathrm {LRZK}\) protocols in the plain model without any leak-free phase.
In [22], Ostrovsky et al. showed an impossibility result about black-box \(\mathrm {LRZK}\) in the model with only a leak-free input-encoding phase (i.e., without CRS and preprocessing). We note that this impossibility result does not contradict our result since the definition of \(\mathrm {LRZK}\) in [22] is different from the one we use (i.e., the definition given by [12]). Specifically, in the definition of [22], the simulator is not allowed to obtain any leakage, whereas in the definition that we use, the simulator can obtain the same amount of leakage as the cheating verifier. (In other words, Ostrovsky et al. [22] consider leakage resilience whereas we consider leakage tolerance; see Footnote 1.)
2 Overview of Our Techniques
2.1 Previous Techniques
Since our techniques rely on the techniques that are used in the previous \(\mathrm {LRZK}\) protocols of [12, 23], we start by recalling these protocols.
Protocol of [12]. In [12], Garg et al. constructed a \((1+\epsilon )\)-leakage-resilient zero-knowledge proof system, i.e., a proof system such that when \(V^*\) obtains \(\ell \) bits of leakage from the prover, its view can be simulated by obtaining at most \((1+\epsilon )\cdot \ell \) bits of leakage from \(\mathcal {L}_w\).
A key idea behind the protocol of [12] is to give the simulator two independent ways of cheating—one for simulating the prover’s messages and the other for simulating the leakages. Concretely, Garg et al. constructed their protocol by combining two well-known techniques of constant-round zero-knowledge protocols—the technique by Goldreich and Kahan [13] that requires the verifier to commit to its challenges in advance and the technique by Feige and Shamir [11] that uses equivocal commitment schemes. They then proved the security by considering a simulator that simulates the prover’s messages by extracting the challenges and simulates the leakages by using the equivocality of the commitment scheme.

When the extracted challenge \({{\varvec{ch}}}\) is \({\mathbf{0}}\), the simulator commits to a randomly permuted graph of the statement G, and after \(V^*\) decommits the challenge ch (which must be 0), the simulator decommits the commitment to the permuted graph of G. Notice that the simulator does exactly the same things as an honest prover. Hence, the simulator can simulate the prover’s randomness \(\mathsf {tape}\) easily and therefore can answer any leakage query f from \(V^*\) by querying \(f(\cdot , \mathsf {tape})\) to \(\mathcal {L}_w\).

When the extracted challenge \({{\varvec{ch}}}\) is \(\mathbf{1}\), the simulator commits to a randomly chosen cycle graph H at the beginning and then partially decommits it in the last step so that only the edges on the cycle are revealed.
When \(V^*\) makes a leakage query, the simulator answers it by using w and td to compute randomness that “explains” the commitment to H as a commitment to a permuted graph of G. (Recall that the prover is supposed to commit to a permuted graph of G.) Specifically, the simulator answers a leakage query f from \(V^*\) by querying the following function \(\widetilde{f}(\cdot )\) to \(\mathcal {L}_w\).
1. On input w, function \(\widetilde{f}\) first computes a permutation \(\pi \) that maps the Hamiltonian cycle w in G to the cycle in H (i.e., computes \(\pi \) such that \(\pi (G)\) has the same cycle as H).
2. Then, by using equivocality^{5} with trapdoor td, it computes randomness \(\mathsf {tape}\) that explains the commitment to H as a commitment to \(\pi (G)\) (i.e., it computes \(\mathsf {tape}\) such that committing to \(\pi (G)\) with randomness \(\mathsf {tape}\) will generate the same commitment as the one that the simulator has sent to \(V^*\) by committing to H).
3. Finally, it outputs \(f(w, \mathsf {tape})\).
Notice that since \(\pi (G)\) has the same cycle as H, the simulated leakages (from which \(V^*\) may be able to compute \(\pi (G)\)) are consistent with the cycle of H that is decommitted by the simulator in the last step.
We remark that the reason why the protocol of [12] satisfies only \((1+\epsilon )\)-\(\mathrm {LRZK}\) (rather than standard \(\mathrm {LRZK}\)) is that the extraction of ch and td involves the rewinding of \(V^*\). In fact, since \(V^*\) can make new leakage queries after being rewound, the simulator needs to obtain new leakages from \(\mathcal {L}_w\) in each rewinding, and hence the simulator needs to obtain more bits of leakage than \(V^*\).
Protocol of [23]. In [23], Pandey constructed a constant-round \(\mathrm {LRZK}\) argument system under the DDH assumption. Roughly speaking, Pandey’s idea is to replace the rewinding simulation technique in the protocol of [12] with the “straight-line” simulation technique of Barak [3]. In particular, Pandey replaced the first phase of the protocol of [12] with the following one.
1. First, the prover and the verifier execute an encrypted version of the so-called Barak’s preamble [3, 24, 25], which determines a “fake statement” that is false except with negligible probability.
2. Next, the prover and the verifier execute Yao’s garbled circuit protocol [28] in which the prover can obtain ch and td only when it has a valid witness for the fake statement.
From the security of the encrypted Barak’s preamble, no cheating prover can make the fake statement true; hence, ch and td are hidden from the cheating prover. In contrast, a non-black-box simulator can make the fake statement true by using the knowledge of the code of the verifier; hence, the simulator can obtain ch and td without rewinding \(V^*\). An issue is that, to guarantee leakage resilience, it is required that Yao’s protocol is executed in a way that all the prover’s messages are pseudorandom (since otherwise it is hard to simulate randomness that explains the simulated prover’s messages as honest prover’s messages during the simulation of the leakages). Since Yao’s protocol involves executions of an oblivious transfer protocol (in which the prover behaves as a receiver), this property is hard to satisfy. Pandey solved this problem by using the DDH assumption, under which there exists an oblivious transfer protocol such that all the receiver’s messages are indistinguishable from random group elements.
2.2 Our Techniques
The reason why the protocols of [12, 23] either guarantee only weaker security or rely on a stronger assumption is that the simulation involves extraction from \(V^*\). In fact, in [12], the simulator needs to obtain more leakage than \(V^*\) because it rewinds \(V^*\) during extraction, and in [23], the DDH assumption is required because Yao’s protocol is used for extraction.
Based on this observation, our strategy is to modify the protocols of [12, 23] so that no extraction is required in simulation. We first remove the extraction of trapdoor td and next remove the extraction of challenge ch.
Removing Extraction of Trapdoor td. We first modify the protocols of [12, 23] so that leakages can be simulated without extracting the trapdoor td of an equivocal commitment scheme.
Our main tool is the Hamiltonicity commitment scheme \(\mathsf {H}\text {-}\mathsf {Com}\) [9, 11], which is a well-known instance-dependent equivocal commitment scheme based on Blum’s Hamiltonicity protocol. \(\mathsf {H}\text {-}\mathsf {Com}\) is parametrized by a graph G with \(q = \mathsf {poly}(n)\) vertices. To commit to 0, the committer chooses a random permutation \(\pi \) and commits to the adjacency matrix of \(\pi (G)\) using any commitment scheme \(\mathsf {Com}\); to decommit, the committer reveals \(\pi \) and decommits all the entries of the matrix. To commit to 1, the committer commits to the adjacency matrix of a random q-cycle graph; to decommit, the committer decommits only the entries that correspond to the edges on the cycle. \(\mathsf {H}\text {-}\mathsf {Com}\) satisfies equivocality when G has a Hamiltonian cycle; this is because after committing to 0, the committer can decommit it to both 0 and 1 given a Hamiltonian cycle w in G.
Given \(\mathsf {H}\text {-}\mathsf {Com}\), we remove the extraction of td by combining \(\mathsf {H}\text {-}\mathsf {Com}\) with an encrypted variant of Barak’s preamble. Specifically, we replace the equivocal commitment scheme in the protocols of [12, 23] with \(\mathsf {H}\text {-}\mathsf {Com}\) that depends on the fake statement \(G'\) that is obtained by the encrypted Barak’s preamble. From the security of Barak’s preamble, no cheating prover can make \(G'\) true and hence it cannot use the equivocality of \(\mathsf {H}\text {-}\mathsf {Com}\), whereas the simulator can make \(G'\) true and hence it can use the equivocality of \(\mathsf {H}\text {-}\mathsf {Com}\) as desired.
Remark 1
As observed in [23], it is not straightforward to use the encrypted Barak’s preamble in the presence of leakage. Roughly speaking, in the encrypted Barak’s preamble, the prover commits to its messages instead of sending them in the clear, and in the proof of soundness, it is required that the prover’s messages are extractable from the commitments. The problem is that it is not easy to guarantee this extractability in the presence of leakage (this is because the prover’s messages are typically not pseudorandom in the techniques of extractability). Pandey [23] solved this problem by having the prover use a specific extractable commitment scheme based on the DDH assumption. In this paper, we instead have the prover use a commitment scheme that satisfies only very weak extractability but whose prover messages are pseudorandom and whose security is based on the existence of CRHFs.^{6} For details, see Sect. 4.1.
Removing Extraction of Challenge ch. Next, we modify the protocols of [12, 23] so that the prover’s messages can be simulated without extracting the challenge ch of the Hamiltonicity protocol.
We first notice that although the simulator can use equivocality without extraction as shown above, it is not easy for the simulator to use equivocality for simulating the prover’s messages. This is because when the leakages to \(V^*\) include the randomness that is used for commitments, \(V^*\) may be able to determine the committed values from the leakages and therefore equivocation may be detected by \(V^*\).
As our main technical tool, then, we introduce a specific instance-dependent equivocal commitment scheme \(\mathsf {GJS}\text {-}\mathsf {Com}\) that we obtain by considering the technique of [12] on the Hamiltonicity protocol in the context of \(\mathsf {H}\text {-}\mathsf {Com}\). Recall that, as explained in Sect. 2.1, in [12] Garg et al. use Blum’s Hamiltonicity protocol that is instantiated with an equivocal commitment scheme. Here, we use \(\mathsf {H}\text {-}\mathsf {Com}\) that is instantiated with an equivocal commitment scheme (i.e., we use \(\mathsf {H}\text {-}\mathsf {Com}\) in which the adjacency matrix is committed to by an equivocal commitment scheme). The equivocal commitment scheme that we use here is, as above, \(\mathsf {H}\text {-}\mathsf {Com}\) that depends on the fake statement generated by the encrypted Barak’s preamble.^{7} Hence, the commitment scheme \(\mathsf {GJS}\text {-}\mathsf {Com}\) is a version of \(\mathsf {H}\text {-}\mathsf {Com}\) that is instantiated by using \(\mathsf {H}\text {-}\mathsf {Com}\) itself as the underlying commitment scheme.^{8} \(\mathsf {GJS}\text {-}\mathsf {Com}\) depends on two statements of the Hamiltonicity problem: the “outer” \(\mathsf {H}\text {-}\mathsf {Com}\) (the one that is implemented with \(\mathsf {H}\text {-}\mathsf {Com}\)) depends on the real statement G, and the “inner” \(\mathsf {H}\text {-}\mathsf {Com}\) (the one that is used to implement the outer \(\mathsf {H}\text {-}\mathsf {Com}\)) depends on the fake statement \(G'\). \(\mathsf {GJS}\text {-}\mathsf {Com}\) inherits equivocality from the outer \(\mathsf {H}\text {-}\mathsf {Com}\), i.e., given a witness for the real statement G, a \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment to 0 can be decommitted to both 0 and 1.
Since \(\mathsf {GJS}\text {-}\mathsf {Com}\) is obtained by considering the technique of [12] in the context of \(\mathsf {H}\text {-}\mathsf {Com}\), it satisfies a property that is useful for proving the \(\mathrm {LRZK}\) property. First, observe that given \(\mathsf {GJS}\text {-}\mathsf {Com}\), the second phase of the \(\mathrm {LRZK}\) protocol of [12] (i.e., the Hamiltonicity protocol phase) can be viewed as follows.
1. The prover commits to 0 by using \(\mathsf {GJS}\text {-}\mathsf {Com}\).
2. The verifier reveals the challenge \(ch\in \{0,1 \}\) that is committed to in the first phase.
3. When \(ch = 0\), the prover decommits the \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment to 0 honestly, and when \(ch = 1\), the prover decommits it to 1 by using the equivocality with the knowledge of the Hamiltonian cycle w in G.
When the second phase of the protocol of [12] is viewed in this way, the key property that is used in the simulation of the leakages in [12] is the following.

Given Hamiltonian cycles in G and \(G'\), a \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment to 1 (in which a random cycle graph is committed) can be “explained” as a commitment to 0 (in which a permutation of G is committed) by using the equivocality of the inner \(\mathsf {H}\text {-}\mathsf {Com}\).
Furthermore, even after being explained as a commitment to 0, the commitment can later be decommitted to 1 in a consistent way with the explained randomness (cf. function \(\widetilde{f}\) in Sect. 2.1).
Because of this property, even when the simulator commits to 1 instead of 0 using \(\mathsf {GJS}\text {-}\mathsf {Com}\) to simulate the messages, the simulator can answer any leakage query f from \(V^*\) by querying \(\mathcal {L}_w\) a function \(\widetilde{f}\) that, on input w, computes randomness \(\mathsf {tape}\) that explains the commitment to 1 as a commitment to 0 and then outputs \(f(w, \mathsf {tape})\).
A problem of this property is that it can be used only in a very limited situation. Specifically, this property can be used only when the simulator knows which \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment will be decommitted to 1, and this is the reason why the extraction of ch is required in the simulation strategy of [12, 23]. Hence, to remove the extraction of ch, we need to use \(\mathsf {GJS}\text {-}\mathsf {Com}\) in a way that, given a witness for the fake statement, the simulator can predict which value each \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment will be decommitted to.
Our key observation is that we can use this property if we use \(\mathsf {GJS}\text {-}\mathsf {Com}\) to implement the Hamiltonicity protocol in which the fake statement is proven. Concretely, we consider the following protocol.
1. The prover and the verifier execute an encrypted variant of Barak’s preamble. Let \(G'\) be the fake statement and let \(q'\) be the number of the nodes of \(G'\).
2. (a) The prover commits to a \(q'\times q'\) zero matrix by using \(\mathsf {GJS}\text {-}\mathsf {Com}\).
   (b) The verifier sends a challenge \(ch\in \{0,1 \}\).
   (c) When \(ch=0\), the prover sends a random permutation \(\pi \) over \(G'\) to the verifier and then decommits the \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitments to the adjacency matrix of \(\pi (G')\) by using the equivocality of \(\mathsf {GJS}\text {-}\mathsf {Com}\) with the knowledge of a witness for the real statement. When \(ch=1\), the prover chooses a random \(q'\)-cycle graph H and decommits some of the \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitments to 1 by using the equivocality of \(\mathsf {GJS}\text {-}\mathsf {Com}\) so that the decommitted entries of the matrix correspond to the cycle in H.
   (d) When \(ch=0\), the verifier verifies whether the decommitted graph is \(\pi (G')\). When \(ch=1\), the verifier verifies whether the decommitted entries correspond to a \(q'\)-cycle in a graph.
Since no cheating prover can make the fake statement \(G'\) true, \(\mathsf {GJS}\text {-}\mathsf {Com}\) is statistically binding when the real statement G is false, and hence soundness follows. In contrast, the simulator can cheat in Barak’s preamble so that it knows a Hamiltonian cycle \(w'\) in the fake statement \(G'\), and therefore it can simulate the prover’s messages by “honestly” proving the fake statement, i.e., by committing to \(\pi (G')\) in step 2(a) for a randomly chosen \(\pi \) and then revealing the entire graph \(\pi (G')\) or only the cycle \(\pi (w')\) depending on the value of ch. Furthermore, since in step 2(a) the simulator does know which value each \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment will be decommitted to (the commitments to the edges on \(\pi (w')\) will always be decommitted to 1, and the others will be decommitted honestly or will not be decommitted at all), the simulator can simulate the leakage in the same way as in the protocol of [12] by using the property of \(\mathsf {GJS}\text {-}\mathsf {Com}\) described above.
This completes the overview of our techniques. The details are given in what follows.
3 Preliminaries
3.1 Notations
We use \(n\) to denote the security parameter. For any \(k\in \mathbb {N}\), we use [k] to denote the set \(\{1,\ldots ,k \}\). For any randomized algorithm \(\mathsf {Algo}\), we use \(\mathsf {Algo}(x; r)\) to denote the execution of \(\mathsf {Algo}\) with input x and randomness r, and we use \(\mathsf {Algo}(x)\) to denote the execution of \(\mathsf {Algo}\) with input x and uniform randomness.
We use \(\mathbf L _{\mathrm {HC}}\) to denote the language of Hamiltonian graphs. For any \(G\in \mathbf L _{\mathrm {HC}}\), we use \(\mathbf R _{\mathrm {HC}}(G)\) to denote the set of the Hamiltonian cycles in G. Generally, for any language \(\mathbf L \) and any instance \(x\in \mathbf L \), we use \(\mathbf R _\mathbf{L }(x)\) to denote the set of the witnesses for \(x\in \mathbf L \).
For any twoparty protocol \(\langle A, B \rangle \), we use \(\mathsf {trans}\left[ A(x) \leftrightarrow B(y) \right] \) to denote a random variable representing the transcript of the interaction between A and B with input x and y respectively, and use \(\mathsf {output}_{A}\left[ A(x) \leftrightarrow B(y) \right] \) (resp., \(\mathsf {output}_{B}\left[ A(x) \leftrightarrow B(y) \right] \)) to denote a random variable representing the output of A (resp., B) in the interaction between A and B with input x and y respectively.
3.2 Leakage-Resilient Zero-Knowledge
We recall the definition of leakage-resilient zero-knowledgeness [12]. For convenience, we use a slightly different formulation of the definition.
For any interactive proof system \(\langle P, V \rangle \), any \(\textsc {ppt} \) cheating verifier \(V^*\), any statement \(x\in \mathbf L \), any witness \(w\in \mathbf R _\mathbf{L }(x)\), and any oracle machine \(\mathcal {S}\) called simulator, consider the following two experiments.
Experiment \(\mathrm {REAL}_{V^*}(x,w,z)\):
1. Execute \(V^*(x, z)\) with an honest prover P(x, w) of \(\langle P, V \rangle \). During the interaction, \(V^*\) can make an arbitrary number of adaptive leakage queries on the state of P. A leakage query consists of an efficiently computable function \(f_i\) (described as a circuit) and it is answered with \(f_i(w, \mathsf {tape})\), where \(\mathsf {tape}\) is the randomness used by P so far.
2. Output the view of \(V^*\).
Experiment \(\mathrm {IDEAL}_{\mathcal {S}}(x,w,z)\):
1. Execute \(\mathcal {S}(x, z)\) with access to a leakage oracle \(\mathcal {L}_w\). A query to \(\mathcal {L}_w\) consists of an efficiently computable function f and is answered with f(w). Let \(\tau \) be the output of \(\mathcal {S}\).
2. If \(\tau \) is not a valid view of \(V^*\), the output of the experiment is \(\bot \). Otherwise, let \(\ell \) be the total length of the leakage that \(V^*\) obtains in \(\tau \). If the total length of the answers that \(\mathcal {S}\) obtained from \(\mathcal {L}_w\) is larger than \(\ell \), the output of the experiment is \(\bot \). Otherwise, the output is \(\tau \).
Let \(\mathsf {REAL}_{V^*}(x,w,z)\) be the random variable representing the output of \(\mathrm {REAL}_{V^*}(x,w,z)\) and \(\mathsf {IDEAL}_{\mathcal {S}}(x,w,z)\) be the random variable representing the output of \(\mathrm {IDEAL}_{\mathcal {S}}(x,w,z)\).
Definition 1
An interactive argument system \(\langle P, V \rangle \) for a language \(\mathbf L \) with witness relation \(\mathbf R \) is leakage-resilient zero-knowledge if for every \(\textsc {ppt} \) machine \(V^*\) and every sequence \(\{w_x \}_{x\in \mathbf L }\) such that \((x, w_x)\in \mathbf R _\mathbf{L }\), there exists a \(\textsc {ppt} \) oracle machine \(\mathcal {S}\) such that the following hold.
Indistinguishability condition. $$\begin{aligned} \left\{ \mathsf {REAL}_{V^*}(x, w_x, z) \right\} _{x\in \mathbf L , z\in \{0,1 \}^{*}} \approx \left\{ \mathsf {IDEAL}_{\mathcal {S}}(x, w_x, z) \right\} _{x\in \mathbf L , z\in \{0,1 \}^{*}}. \end{aligned}$$
Leakage-length condition. For every \(x\in \mathbf L \) and \(z\in \{0,1 \}^*\), $$\begin{aligned} \Pr \left[ \mathsf {IDEAL}_{\mathcal {S}}(x, w_x, z) = \bot \right] = 0. \end{aligned}$$
3.3 Commitment Scheme
Recall that commitment schemes are twoparty protocols between a committer C and a receiver R. We say that a commitment is valid if there exists a value to which it can be decommitted. We denote by \(\mathsf {value}(\cdot )\) a function that, on input a commitment (i.e., a transcript in the commit phase), outputs its committed value if it is uniquely determined and outputs \(\bot \) otherwise.
3.4 Naor’s Commitment
We recall Naor’s statistically binding commitment scheme \(\mathsf {Com}\), which can be constructed from one-way functions [16, 20].
Commit Phase. The commit phase consists of two rounds. In the first round, the receiver sends a random 3n-bit string \(r\in \{0,1 \}^{3n}\). In the second round, the committer chooses a random seed \(s\in \{0,1 \}^{n}\) for a pseudorandom generator \(\mathsf {PRG}:\{0,1 \}^{n} \rightarrow \{0,1 \}^{3n}\) and then sends \(\mathsf {PRG}(s)\) if it wants to commit to 0 and sends \(\mathsf {PRG}(s) \oplus r\) if it wants to commit to 1.
We use \(\mathsf {Com}_r(\cdot )\) to denote an algorithm that, on input \(b\in \{0,1 \}\), computes a commitment to b as above by using r as the first-round message.
Decommit Phase. In the decommit phase, the committer reveals the seed s.
Security. \(\mathsf {Com}\) is statistically binding and computationally hiding. Furthermore, the binding and hiding properties hold even when the same first-round message r is used in multiple commitments.
Committing to Strings. For any \(\ell \in \mathbb {N}\), we can commit to an \(\ell \)-bit string by simply committing to each bit using \(\mathsf {Com}\). We note that the same first-round message r can be used in all the commitments.
We abuse the notation and use \(\mathsf {Com}_r(\cdot )\) to denote an algorithm that, on input \(m\in \{0,1 \}^*\), computes a commitment to m as above by using r as the first-round message. Notice that \(\mathsf {Com}_r(\cdot )\) has pseudorandom range. Thus, by using an algorithm \(\mathsf {Com}_{\mathrm {pub}}\) that outputs a random \(3n\ell \)-bit string on input \(1^{\ell }\), we can obtain a “fake commitment” that is indistinguishable from a real commitment.
3.5 Hamiltonicity Commitment
We recall a well-known instance-dependent commitment scheme \(\mathsf {H}\text {-}\mathsf {Com}\) [9, 11] that is based on Blum’s zero-knowledge proof for Hamiltonicity.
Commit Phase. \(\mathsf {H}\text {-}\mathsf {Com}\) is parametrized by a graph G. Let q be the number of its vertices. To commit to 0, the committer chooses a random permutation \(\pi \) over the vertices of G and then commits to the adjacency matrix of \(\pi (G)\) by using \(\mathsf {Com}\). To commit to 1, the committer chooses a random q-cycle graph and then commits to its adjacency matrix by using \(\mathsf {Com}\).
We use \(\mathsf {H}\text {-}\mathsf {Com}_{G,r}(\cdot )\) to denote an algorithm that, on input \(b\in \{0,1 \}\), computes a commitment to b as above by using r as the first-round message of all the \(\mathsf {Com}\) commitments.
Decommit Phase. When the committer committed to 0, it reveals \(\pi \), and also reveals all the entries of the adjacency matrix by decommitting all the \(\mathsf {Com}\) commitments. When the committer committed to 1, it reveals only the entries corresponding to the edges on the q-cycle by decommitting the \(\mathsf {Com}\) commitments in which these entries are committed.
Security. \(\mathsf {H}\text {-}\mathsf {Com}\) is computationally hiding, and it is statistically binding when \(G\not \in \mathbf L _{\mathrm {HC}}\).
Equivocality. When \(G\in \mathbf L _{\mathrm {HC}}\), a commitment to 0 can be decommitted to 1 given a Hamiltonian cycle \(w\in \mathbf R _{\mathrm {HC}}(G)\) in G. Specifically, a commitment to 0 can be decommitted to 1 by decommitting the entries that correspond to the edges on \(\pi (w)\) (i.e., the cycle that is obtained by applying \(\pi \) on w).
3.6 Adaptive Hamiltonicity Commitment
We recall the adaptively secure Hamiltonicity commitment scheme \(\mathsf {AH}\text {-}\mathsf {Com}\), which was used in, e.g., [9, 19].
Commit Phase. \(\mathsf {AH}\text {-}\mathsf {Com}\) is parametrized by a graph G. Let q be the number of its vertices. To commit to 0, the committer does the same things as in \(\mathsf {H}\text {-}\mathsf {Com}\); i.e., it chooses a random permutation \(\pi \) over the vertices of G and then commits to the adjacency matrix of \(\pi (G)\) by using \(\mathsf {Com}\). To commit to 1, the committer chooses a random q-cycle graph and then commits to its adjacency matrix in the following way: For all the entries corresponding to the edges on the q-cycle, it commits to 1 by using \(\mathsf {Com}\), and for all the other entries, it simply sends random \(3n\)-bit strings instead of committing to 0. (Since \(\mathsf {Com}\) has pseudorandom range, random \(3n\)-bit strings are indistinguishable from \(\mathsf {Com}\) commitments.)
We use \(\mathsf {AH}\text {-}\mathsf {Com}_{G,r}(\cdot )\) to denote an algorithm that, on input \(b\in \{0,1 \}\), computes a commitment to b as above by using r as the first-round message of all the \(\mathsf {Com}\) commitments.
Decommit Phase. To decommit, the committer reveals all the randomness used in the commit phase. We use \(\mathsf {AH}\text {-}\mathsf {Dec}_r(\cdot , \cdot , \cdot )\) to denote an algorithm that, on input \(c, b, \rho \) such that \(\mathsf {AH}\text {-}\mathsf {Com}_r(b; \rho ) = c\), outputs a decommitment d as above.
Security. Like \(\mathsf {H}\text {-}\mathsf {Com}\), \(\mathsf {AH}\text {-}\mathsf {Com}\) is computationally hiding both when \(G\in \mathbf L _{\mathrm {HC}}\) and when \(G\not \in \mathbf L _{\mathrm {HC}}\), and it is statistically binding when \(G\not \in \mathbf L _{\mathrm {HC}}\).
Adaptive Security. When \(G\in \mathbf L _{\mathrm {HC}}\), a commitment to 0 can be “explained” as a valid commitment to 1 given a witness \(w\in \mathbf R _{\mathrm {HC}}(G)\). Specifically, for a commitment c to 0, we can compute \(\rho \) such that \(\mathsf {AH}\text {-}\mathsf {Com}(1; \rho ) = c\). This is because the commitments to the entries that do not correspond to the edges on \(\pi (w)\) are indistinguishable from random strings.
Formally, there exists an algorithm \(\mathsf{AH}\text {-}\mathsf{ExplainAsOne}\) such that for security parameter \(n\in \mathbb {N}\), graph \(G\in \mathbf L _{\mathrm {HC}}\), witness \(w\in \mathbf R _{\mathrm {HC}}(G)\), and string \(r\in \{0,1 \}^{3n}\), the following hold.

Correctness. Given witness \(w\in \mathbf R _{\mathrm {HC}}(G)\) and c, \(\rho \) such that \(\mathsf {AH}\text {-}\mathsf {Com}_{G,r}(0; \rho ) = c\), \(\mathsf{AH}\text {-}\mathsf{ExplainAsOne}_{G, r}\) outputs \(\rho '\) such that \(\mathsf {AH}\text {-}\mathsf {Com}_{G,r}(1; \rho ') = c\).

Indistinguishability. Consider the following two probabilistic experiments.

 /* commit to 1 and reveal randomness */
 1. Compute \(c \leftarrow \mathsf {AH}\text {-}\mathsf {Com}_{G, r}(1)\). Let \(\rho _1\) be the randomness used in \(\mathsf {AH}\text {-}\mathsf {Com}\).
 2. Output \((c, \rho _1)\).

 /* commit to 0 and explain it as a commitment to 1 */
 1. Compute \(c \leftarrow \mathsf {AH}\text {-}\mathsf {Com}_{G, r}(0)\). Let \(\rho _0\) be the randomness used in \(\mathsf {AH}\text {-}\mathsf {Com}\). Compute \(\rho _1 := \mathsf{AH}\text {-}\mathsf{ExplainAsOne}_{G, r}(w, c, \rho _0)\).
 2. Output \((c, \rho _1)\).
Let \(\mathsf {EXP}^{\mathrm {AH}}_b(n, G, w, r)\) be the random variable representing the output of \(\mathrm {EXP}^{\mathrm {AH}}_b(n, G, w, r)\) for each \(b\in \{0,1 \}\). Then, the following two ensembles are computationally indistinguishable.

\(\left\{ \mathsf {EXP}^{\mathrm {AH}}_0(n,G,w,r) \right\} _{n\in \mathbb {N}, G\in \mathbf L _{\mathrm {HC}}, w\in \mathbf R _{\mathrm {HC}}(G), r\in \{0,1 \}^{3n}}\)

\(\left\{ \mathsf {EXP}^{\mathrm {AH}}_1(n,G,w,r) \right\} _{n\in \mathbb {N}, G\in \mathbf L _{\mathrm {HC}}, w\in \mathbf R _{\mathrm {HC}}(G), r\in \{0,1 \}^{3n}}\)
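As an added illustration (not code from the paper), the following Python models Naor’s \(\mathsf {Com}\) of Sect. 3.4, the equivocal decommitment of \(\mathsf {H}\text {-}\mathsf {Com}\) of Sect. 3.5 and \(\mathsf{AH}\text {-}\mathsf{ExplainAsOne}\) of Sect. 3.6 on a constructed 5-vertex graph. SHAKE-256 standing in for the PRG, the byte-level encoding of n and r, and all function names are assumptions of the example, not notation from the paper.

```python
import hashlib
import secrets

N_BYTES = 16                 # seed length n, in bytes; r and the PRG output are 3n bits = R_BYTES bytes
R_BYTES = 3 * N_BYTES
_rng = secrets.SystemRandom()

def prg(seed):
    """Stand-in PRG {0,1}^n -> {0,1}^{3n}; using SHAKE-256 as the expander is an assumption of this example."""
    return hashlib.shake_256(seed).digest(R_BYTES)

def com_bit(r, b, seed):
    """Naor's Com_r(b; seed): PRG(seed) commits to 0, PRG(seed) XOR r commits to 1."""
    out = prg(seed)
    return out if b == 0 else bytes(x ^ y for x, y in zip(out, r))

def verify_bit(r, c, b, seed):
    """Receiver's check of a decommitment (b, seed) of c; the same r may be reused for many commitments."""
    return com_bit(r, b, seed) == c

def cycle_matrix(order):
    """Adjacency matrix of the q-cycle that visits the vertices in `order`."""
    q, m = len(order), [[0] * len(order) for _ in order]
    for u, v in zip(order, order[1:] + order[:1]):
        m[u][v] = m[v][u] = 1
    return m

def permute_graph(adj, pi):
    """Adjacency matrix of pi(G): edge (i, j) of G becomes edge (pi[i], pi[j])."""
    inv = {pi[i]: i for i in range(len(adj))}
    return [[adj[inv[i]][inv[j]] for j in range(len(adj))] for i in range(len(adj))]

def is_hamiltonian_cycle(m):
    """True iff m is the adjacency matrix of a single cycle through all q vertices (a q-cycle graph)."""
    q = len(m)
    for i in range(q):
        if m[i][i] or sum(m[i]) != 2 or any(m[i][j] != m[j][i] for j in range(q)):
            return False
    prev, cur, steps = None, 0, 0
    while True:              # all degrees are 2, so walking from vertex 0 traces exactly one cycle
        prev, cur = cur, next(j for j in range(q) if m[cur][j] and j != prev)
        steps += 1
        if cur == 0:
            return steps == q

def hcom_commit0(G, r):
    """H-Com_{G,r}(0), which is also AH-Com_{G,r}(0): bit-wise Com of the adjacency matrix of pi(G)."""
    q, pi = len(G), list(range(len(G)))
    _rng.shuffle(pi)
    H = permute_graph(G, pi)
    seeds = [[secrets.token_bytes(N_BYTES) for _ in range(q)] for _ in range(q)]
    c = [[com_bit(r, H[i][j], seeds[i][j]) for j in range(q)] for i in range(q)]
    return c, (pi, H, seeds)

def hcom_equivocate_to_1(rho0, w):
    """Equivocality of H-Com: decommit a commitment to 0 as a commitment to 1, given a Hamiltonian cycle w of G."""
    pi, H, seeds = rho0
    q = len(H)
    cyc = cycle_matrix([pi[v] for v in w])      # pi(w) is a Hamiltonian cycle of H = pi(G)
    return cyc, {(i, j): seeds[i][j] for i in range(q) for j in range(q) if cyc[i][j]}

def hcom_verify_1(r, c, cyc, opened):
    """Receiver's check of an H-Com decommitment to 1: the opened entries form a q-cycle and all open to 1."""
    q = len(c)
    return (is_hamiltonian_cycle(cyc)
            and set(opened) == {(i, j) for i in range(q) for j in range(q) if cyc[i][j]}
            and all(verify_bit(r, c[i][j], 1, s) for (i, j), s in opened.items()))

def ahcom_1(r, rho1):
    """AH-Com_r(1; rho1): Com_r(1; seed) on the cycle entries, the stored random 3n-bit strings elsewhere."""
    cyc, cells = rho1
    q = len(cyc)
    return [[com_bit(r, 1, cells[i][j]) if cyc[i][j] else cells[i][j] for j in range(q)] for i in range(q)]

def ah_explain_as_one(w, c, rho0):
    """AH-ExplainAsOne_{G,r}(w, c, rho0): randomness rho1 with AH-Com_r(1; rho1) = c, for a commitment c to 0."""
    pi, H, seeds = rho0
    q = len(H)
    cyc = cycle_matrix([pi[v] for v in w])
    # On pi(w) the entries really are Com_r(1; seed); every other entry is declared to be a random string.
    cells = [[seeds[i][j] if cyc[i][j] else c[i][j] for j in range(q)] for i in range(q)]
    return cyc, cells

# Constructed toy instance: a 5-vertex graph with Hamiltonian cycle 0-1-2-3-4-0 plus the chord (0, 2).
G_TOY = cycle_matrix([0, 1, 2, 3, 4])
G_TOY[0][2] = G_TOY[2][0] = 1
W_TOY = [0, 1, 2, 3, 4]
def demo(G=G_TOY, w=W_TOY):
    """Runs the checks described in the text on (G, w); every value should be True."""
    r = secrets.token_bytes(R_BYTES)            # receiver's first-round message, shared by all Com calls
    seed = secrets.token_bytes(N_BYTES)
    c = com_bit(r, 1, seed)
    c0, rho0 = hcom_commit0(G, r)
    cyc, opened = hcom_equivocate_to_1(rho0, w)
    rho1 = ah_explain_as_one(w, c0, rho0)       # c0 is also a valid AH-Com commitment to 0
    return {
        "com_opens_to_1": verify_bit(r, c, 1, seed),
        "com_rejects_0": not verify_bit(r, c, 0, seed),
        "hcom_0_decommitted_to_1": hcom_verify_1(r, c0, cyc, opened),
        "ahcom_0_explained_as_1": ahcom_1(r, rho1) == c0 and is_hamiltonian_cycle(rho1[0]),
    }
```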

3.7 Barak’s Non-black-box Zero-Knowledge Protocols
As explained in Sect. 2, in our \(\mathrm {LRZK}\) protocol, we use a variant of the so-called “encrypted” Barak’s preamble [24, 25], which is based on the preamble stage of Barak’s non-black-box zero-knowledge protocol [3]. In this section, we recall Barak’s non-black-box zero-knowledge protocol. Our variant of the encrypted Barak’s preamble is described in Sect. 4.1.
Barak’s non-black-box zero-knowledge protocol is constructed from any collision-resistant hash function family \(\mathcal {H}\). Informally speaking, Barak’s protocol \(\mathsf {BarakZK}\) proceeds as follows.
 1. The verifier V sends a random hash function \(h\in \mathcal {H}\) and the first-round message \(r_1\in \{0,1 \}^{3n}\) of \(\mathsf {Com}\) to the prover P.
 2. P sends \(c \leftarrow \mathsf {Com}_{r_1}(0^{n})\) to V. Then, V sends a random string \(r_2\) to P.
 3. P proves the following statement by a witness-indistinguishable argument:

 – \(x \in L\), or
 – \((h, c, r_2)\in \varLambda \), where \((h, c, r_2) \in \varLambda \) holds if and only if there exists a machine \(\mathrm {\Pi }\) such that c is a commitment to \(h(\mathrm {\Pi })\) and \(\mathrm {\Pi }\) outputs \(r_2\) in \(n^{\log \log n}\) steps.

Note that the statement proven in the last step is not in \(\mathcal {NP}\). Thus, P proves this statement by a witness-indistinguishable universal argument (WIUA), with which P can prove any statement in \(\mathcal {NEXP}\). Intuitively, \(\mathsf {BarakZK}\) is sound since \(\mathrm {\Pi }(c) \ne r_2\) holds with overwhelming probability even when a cheating prover \(P^*\) commits to \(h(\mathrm {\Pi })\) for some machine \(\mathrm {\Pi }\) (\(r_2\) is chosen at random only after c is fixed). On the other hand, the zero-knowledge property can be proven by using a simulator that commits to \(h(\mathrm {\Pi })\) such that \(\mathrm {\Pi }\) is a machine that emulates the cheating verifier \(V^*\); since \(\mathrm {\Pi }(c) = V^*(c) = r_2\) holds by definition, the simulator can give a valid proof in the last step.
In essentially the same way as the soundness of \(\mathsf {BarakZK}\), we can prove the following lemma on \(\langle P_{\mathrm {B}}, V_{\mathrm {B}} \rangle \), which roughly states that there exists a “hard” language \(\mathbf L _{\mathrm {B}}\) on the transcript of \(\langle P_{\mathrm {B}}, V_{\mathrm {B}} \rangle \) such that no cheating prover can generate a transcript that is included in \(\mathbf L _{\mathrm {B}}\).
Lemma 1
A proof sketch of this lemma is given in the full version of this paper [17].
3.8 Somewhat Extractable Commitment Scheme
As we mentioned in Remark 1 in Sect. 2.2, in our variant of the encrypted Barak’s preamble, we use a commitment scheme that satisfies only very weak extractability, which we call somewhat extractability. An important point is that since only very weak extractability is required, we can construct a somewhat extractable commitment scheme such that the committer sends only pseudorandom messages. Furthermore, we can construct such a scheme from one-way functions.
Lemma 2

 – \(c_{i,b} = c'_{i,b}\) for every \(i\in [n]\) and \(b\in \{0,1 \}\),
 – there exists \(i^*\in [n]\) such that \(e_{i^*} \ne e'_{i^*}\), and
 – the committed value of \(c_{i,b}\) is uniquely determined for every \(i\in [n]\) and \(b\in \{0,1 \}\).
Let \(\mathsf {Extract}(\cdot , \cdot )\) be the algorithm shown in Fig. 3. Then, for any two admissible commitments c and \(c'\), if both c and \(c'\) are valid, \(\widetilde{v} \mathop {=}\limits ^\mathrm{def}\mathsf {Extract}(c, c')\) is equal to \(\mathsf {value}(c)\) (i.e., \(\widetilde{v}\) is the committed value of c).
Proof
First, when c and \(c'\) are valid, \(a_{i^*, e_{i^*}}\) and \(a'_{i^*, e'_{i^*}}\) are the committed values of \(c_{i^*, e_{i^*}}\) and \(c_{i^*, e'_{i^*}}\) (since otherwise, any decommitments of c and \(c'\) would be rejected because the decommitted values of \(c_{i^*, e_{i^*}}\) and \(c_{i^*, e'_{i^*}}\) are not consistent with \(a_{i^*, e_{i^*}}\) and \(a'_{i^*, e'_{i^*}}\)). Second, when c and \(c'\) are valid, the committed value of c can be computed by XORing the committed values of \(c_{i^*, e_{i^*}}\) and \(c_{i^*, e'_{i^*}}\) (since otherwise, any decommitments of c and \(c'\) would be rejected). From these, the lemma follows. \(\square \)
A nice property of \(\mathsf {SWExtCom}\) is that all the messages that the committer sends in the commit phase are pseudorandom. Formally, we have the following lemma.
Lemma 3
(Existence of Public-Coin Fake Committing Algorithm). Let C be the honest committer algorithm of \(\mathsf {SWExtCom}\). There exists a \(\textsc {ppt} \) public-coin algorithm \(C_{\mathrm {pub}}\) such that for any \(\textsc {ppt} \) cheating receiver \(R^*\) that interacts with C in the commit phase of \(\mathsf {SWExtCom}\), the following ensembles are computationally indistinguishable.

\(\left\{ \mathsf {output}_{R^*}\left[ C(v) \leftrightarrow R^*(1^{n}, z) \right] \right\} _{n\in \mathbb {N}, v\in \{0,1 \}^{n}, z\in \{0,1 \}^{*}}\)

\(\left\{ \mathsf {output}_{R^*}\left[ C_{\mathrm {pub}}(1^{n}) \leftrightarrow R^*(1^{n}, z) \right] \right\} _{n\in \mathbb {N}, v\in \{0,1 \}^{n}, z\in \{0,1 \}^{*}}\)
Proof
(sketch). \(C_{\mathrm {pub}}\) is an algorithm that is the same as C except that, instead of sending commitments of \(\mathsf {Com}\), it sends fake commitments of \(\mathsf {Com}\) using \(\mathsf {Com}_{\mathrm {pub}}\) (i.e., sends random strings with the same length as the \(\mathsf {Com}\) commitments). Since \(\mathsf {Com}\) has pseudorandom range, the indistinguishability can be proven by using a standard hybrid argument (in which the commitments of \(\mathsf {Com}\) are replaced with random strings one by one). The formal proof is omitted. \(\square \)
4 Building Blocks
4.1 Special-Purpose Encrypted Barak’s Preamble
We first show that, as in the case of \(\langle P_{\mathrm {B}}, V_{\mathrm {B}} \rangle \), there exists a “hard” language on the transcript of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \).
Lemma 4
Proof
Consider the following cheating prover \(P^*\) against \(\langle P_{\mathrm {B}}, V_{\mathrm {B}} \rangle \). First, \(P^*\) internally invokes \(\mathbb {P}^*\). Then, while externally interacting with an honest \(V_{\mathrm {B}}\) of \(\langle P_{\mathrm {B}}, V_{\mathrm {B}} \rangle \), \(P^*\) interacts with the internal \(\mathbb {P}^*\) as a verifier of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \) in the following way.

 – In Stages 1 and 2 (of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \)), \(P^*\) forwards all messages from external \(V_{\mathrm {B}}\) to internal \(\mathbb {P}^*\) and forwards all messages from internal \(\mathbb {P}^*\) to external \(V_{\mathrm {B}}\). (Notice that the verifier of \(\langle P_{\mathrm {B}}, V_{\mathrm {B}} \rangle \) and that of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \) are identical.) Let \((h, r_1, c, r_2)\) be the transcript of these stages.
 – In Stage 3-1, \(P^*\) forwards \(\alpha \) from external \(V_{\mathrm {B}}\) to internal \(\mathbb {P}^*\).
 – In Stage 3-2, \(P^*\) interacts with internal \(\mathbb {P}^*\) as an honest receiver of \(\mathsf {SWExtCom}\) and obtains \(\widehat{\beta }_1\). Let \(\mathsf {st}\) be the current state of \(\mathbb {P}^*\). Then, \(P^*\) rewinds \(\mathbb {P}^*\) to the point just before the challenge stage of \(\mathsf {SWExtCom}\), interacts with \(\mathbb {P}^*\) again, and obtains \(\widehat{\beta }_2\). Then, \(P^*\) computes a potential committed value \(\widetilde{\beta } \mathop {=}\limits ^\mathrm{def}\mathsf {Extract}(\widehat{\beta }_1, \widehat{\beta }_2)\) of \(\widehat{\beta }_1\) (recall that \(\mathsf {Extract}\) is the extracting algorithm of \(\mathsf {SWExtCom}\) shown in Fig. 3) and sends \(\widetilde{\beta }\) to external \(V_{\mathrm {B}}\).
 – In Stage 3-3, \(P^*\) receives \(\gamma \) from \(V_{\mathrm {B}}\) and sends it to internal \(\mathbb {P}^*\) (which is restarted from state \(\mathsf {st}\)).
 – In Stage 3-4, \(P^*\) interacts with internal \(\mathbb {P}^*\) as an honest receiver of \(\mathsf {SWExtCom}\) and obtains \(\widehat{\delta }_1\). Then, \(P^*\) rewinds \(\mathbb {P}^*\) to the point just before the challenge stage of \(\mathsf {SWExtCom}\), interacts with \(\mathbb {P}^*\) again, and obtains \(\widehat{\delta }_2\). Then, \(P^*\) computes \(\widetilde{\delta } := \mathsf {Extract}(\widehat{\delta }_1, \widehat{\delta }_2)\) and sends \(\widetilde{\delta }\) to external \(V_{\mathrm {B}}\).
Whenever internal \(\mathbb {P}^*\) aborts, \(P^*\) also aborts.
Before analyzing the success probability of \(P^*\), we first introduce some terminology regarding the internally emulated interaction between \(\mathbb {P}^*\) and \(\mathbb {V}_{\mathrm {B}}\). Let \(\tau = (h, r_1, c, r_2, \alpha , \widehat{\beta }_1, \gamma , \widehat{\delta }_1)\) be its transcript. Notice that since \(P^*\) emulates \(\mathbb {V}_{\mathrm {B}}\) for internal \(\mathbb {P}^*\) perfectly, we have \(\tau \in \mathbb {L}_{\mathrm {B}}\) with probability at least \(1{\slash }p(n)\).

 – We say that a transcript \(\tau _1\) up until the commit stage of \(\mathsf {SWExtCom}\) in Stage 3-2 is good if, conditioned on \(\tau _1\) being a prefix of \(\tau \), the probability that \(\tau \in \mathbb {L}_{\mathrm {B}}\) holds is at least \(1{\slash }2p(n)\).
 – We say that a transcript \(\tau _2\) up until the commit stage of \(\mathsf {SWExtCom}\) in Stage 3-4 is good if (1) the prefix of \(\tau _2\) up until the commit stage of \(\mathsf {SWExtCom}\) in Stage 3-2 is good and (2) conditioned on \(\tau _2\) being a prefix of \(\tau \), the probability that \(\tau \in \mathbb {L}_{\mathrm {B}}\) holds is at least \(1{\slash }4p(n)\).
We next note that a non-black-box simulator can simulate the transcript \(\tau \) in such a way that \(\tau \in \mathbb {L}_{\mathrm {B}}\) holds, and the simulator can additionally output a witness for \(\tau \in \mathbb {L}_{\mathrm {B}}\).
Lemma 5
(Simulatability). Let \(\mathbb {L}_{\mathrm {B}}\) be the language defined in Fig. 5. Then, for any \(\textsc {ppt} \) cheating verifier \(\mathbb {V}^*\) against \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \), there exists a \(\textsc {ppt} \) simulator \(\mathcal {S}\) such that the following hold.
 Let \(\mathcal {S}_1(x, z)\) be the random variable representing the first output of \(\mathcal {S}(x, z)\). Then, the following indistinguishability holds.$$\begin{aligned} \left\{ \mathsf {view}_{\mathbb {V}^*}\left[ \mathbb {P}_{\mathrm {B}}(1^{n}) \leftrightarrow \mathbb {V}^*(1^{n}, z) \right] \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^{*}} \approx \left\{ \mathcal {S}_1(1^{n}, z) \right\} _{n\in \mathbb {N}, z\in \{0,1 \}^{*}} \end{aligned}$$
 For any \(n\in \mathbb {N}\) and \(z\in \{0,1 \}^*\), the following holds.$$\begin{aligned} \Pr \left[ \begin{array}{l} (v, w) \leftarrow \mathcal {S}(1^{n}, z);\\ \text {reconstruct transcript } \tau \text { from view } v \text { of } \mathbb {V}^*\end{array} : w \in \mathbf R _{\mathbb {L}_{\mathrm {B}}}(\tau ) \right] \ge 1 - \mathsf {negl}(n) \end{aligned}$$
This lemma can be proven in essentially the same way as the zero-knowledge property of Barak’s non-black-box zero-knowledge protocol. A proof sketch is given in the full version [17].
4.2 Special-Purpose Instance-Dependent Commitment
Lemma 6
(Hiding and Binding). \(\mathsf {GJS}\text {-}\mathsf {Com}\) is computationally hiding. Furthermore, it is statistically binding when \(G\not \in \mathbf L _{\mathrm {HC}}\) and \(G'\not \in \mathbf L _{\mathrm {HC}}\).
Lemma 7
(Equivocality). There exists an algorithm \(\mathsf {GJS}\text {-}\mathsf {EquivToOne}\) that is parametrized by graphs \(G, G'\) and a string \(r\in \{0,1 \}^{3n}\) and satisfies the following: When \(G\in \mathbf L _{\mathrm {HC}}\), on input any \(w\in \mathbf R _{\mathrm {HC}}(G)\) and any c and \(\rho \) such that \(\mathsf {GJS}\text {-}\mathsf {Com}_{G, G', r}(0; \rho ) = c\), \(\mathsf {GJS}\text {-}\mathsf {EquivToOne}_{G, G', r}\) outputs a valid decommitment of c to 1.
Proofs of these two lemmas are straightforward. We give the proofs in the full version [17].
Lemma 8
(Adaptive Security). There exists an algorithm \(\mathsf {GJS}\text {-}\mathsf {ExplainAsZero}\) that is parametrized by graphs \(G, G'\) and a string \(r\in \{0,1 \}^{3n}\) and satisfies the following.

Correctness. When \(G, G'\in \mathbf L _{\mathrm {HC}}\), on input any \(w\in \mathbf R _{\mathrm {HC}}(G)\) and \(w'\in \mathbf R _{\mathrm {HC}}(G')\) and any c and \(\rho _1\) such that \(\mathsf {GJS}\text {-}\mathsf {Com}_{G,G',r}(1; \rho _1) = c\), \(\mathsf {GJS}\text {-}\mathsf {ExplainAsZero}_{G,G',r}\) outputs \(\rho _0\) such that \(\mathsf {GJS}\text {-}\mathsf {Com}_{G,G',r}(0; \rho _0) = c\).

Indistinguishability. For security parameter \(n\in \mathbb {N}\), graphs \(G,G'\in \mathbf L _{\mathrm {HC}}\), witnesses \(w\in \mathbf R _{\mathrm {HC}}(G)\) and \(w'\in \mathbf R _{\mathrm {HC}}(G')\), and string \(r\in \{0,1 \}^{3n}\), consider the following two probabilistic experiments.
 /* commit to 0 and decommit it to 1 using equivocality */
 1. Compute \(c \leftarrow \mathsf {GJS}\text {-}\mathsf {Com}_{G, G', r}(0)\). Let \(\rho _0\) be the randomness used in \(\mathsf {GJS}\text {-}\mathsf {Com}\).
 2. Compute \(d_1 := \mathsf {GJS}\text {-}\mathsf {EquivToOne}_{G, G', r}(c, w, \rho _0)\).
 3. Output \((c, \rho _0, d_1)\).

 /* commit and decommit to 1 and explain it as a commitment to 0 */
 1. Compute \(c \leftarrow \mathsf {GJS}\text {-}\mathsf {Com}_{G, G', r}(1)\). Let \(\rho _1\) be the randomness used in \(\mathsf {GJS}\text {-}\mathsf {Com}\). Compute \(d_1 := \mathsf {GJS}\text {-}\mathsf {Dec}_{G, G', r}(c, 1, \rho _1)\).
 2. Compute \(\rho _0 := \mathsf {GJS}\text {-}\mathsf {ExplainAsZero}_{G, G', r}(c, w, w', \rho _1)\).
 3. Output \((c, \rho _0, d_1)\).
Let \(\mathsf {EXP}^{\mathrm {GJS}}_b(n, G, G', w, w', r)\) be the random variable representing the output of \(\mathrm {EXP}^{\mathrm {GJS}}_b(n, G, G', w, w', r)\) for each \(b\in \{0,1 \}\). Then, the following two ensembles are computationally indistinguishable.

\(\left\{ \mathsf {EXP}^{\mathrm {GJS}}_0(n,G,G',w,w',r) \right\} _{n\in \mathbb {N}, G,G'\in \mathbf L _{\mathrm {HC}}, w\in \mathbf R _{\mathrm {HC}}(G), w'\in \mathbf R _{\mathrm {HC}}(G'), r\in \{0,1 \}^{3n}}\)

\(\left\{ \mathsf {EXP}^{\mathrm {GJS}}_1(n,G,G',w,w',r) \right\} _{n\in \mathbb {N}, G,G'\in \mathbf L _{\mathrm {HC}}, w\in \mathbf R _{\mathrm {HC}}(G), w'\in \mathbf R _{\mathrm {HC}}(G'), r\in \{0,1 \}^{3n}}\)

Proof
(sketch). \(\mathsf {GJS}\text {-}\mathsf {ExplainAsZero}\) is shown in Fig. 7. A key idea is that given the ability to explain \(\mathsf {AH}\text {-}\mathsf {Com}\) commitments to 0 as \(\mathsf {AH}\text {-}\mathsf {Com}\) commitments to 1, we can explain a \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment to 1 (which consists of \(\mathsf {AH}\text {-}\mathsf {Com}\) commitments to the adjacency matrix of a cycle graph) as a \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitment to 0 (which consists of \(\mathsf {AH}\text {-}\mathsf {Com}\) commitments to the adjacency matrix of a Hamiltonian graph G). Intuitively, this is because a cycle graph can be transformed to any Hamiltonian graph by appropriately adding edges (which corresponds to changing some entries of the adjacency matrix from 0 to 1). A formal proof is given in the full version [17]. \(\square \)
5 Our Leakage-Resilient Zero-Knowledge Argument
Theorem 1
Assume the existence of a collision-resistant hash function family. Then, there exists a constant-round public-coin leakage-resilient zero-knowledge argument system \(\mathsf {LR}\text {-}\mathsf {ZK}\).
Proof
Roughly speaking, the soundness of \(\mathsf {LR}\text {-}\mathsf {ZK}\) can be proven as follows. From the soundness of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \), we have \(\tau \not \in \mathbb {L}_{\mathrm {B}}\) (and hence \(G'\not \in \mathbf L _{\mathrm {HC}}\)) in Stage 1 except with negligible probability. Hence, \(\mathsf {GJS}\text {-}\mathsf {Com}_{G, G'}\) is statistically binding except with negligible probability, and thus we can use essentially the same argument as in the proof of the soundness of Blum’s Hamiltonicity protocol to show that any cheating prover can give a valid response in Stage 2-3 of all \(n\) iterations only with negligible probability. The formal proof is given in the full version [17].
In the following, we prove leakage-resilient zero-knowledgeness.
Lemma 9
\(\mathsf {LR}\text {-}\mathsf {ZK}\) is leakage-resilient zero-knowledge.
In the following, we prove this lemma only w.r.t. a simplified version of \(\mathsf {LR}\text {-}\mathsf {ZK}\) in which Stages 2-1, 2-2, and 2-3 are executed only once (instead of \(n\) times in parallel). The proof w.r.t. \(\mathsf {LR}\text {-}\mathsf {ZK}\) can be obtained by modifying the following proof in a straightforward way.
Proof
Without loss of generality, we assume that after receiving each message from the prover, the cheating verifier makes exactly a single leakage query. To see that we indeed do not lose generality, observe that instead of making two queries \(f_1\) and \(f_2\), the cheating verifier can always query a single query f such that, on input witness w and prover’s randomness \(\mathsf {tape}\), it computes the first leakage \(L_1 := f_1(w, \mathsf {tape})\), chooses the second query \(f_2\) adaptively, computes the second leakage \(L_2 := f_2(w, \mathsf {tape})\), and outputs \((L_1, L_2)\).
Description of the Simulator. Given access to leakage oracle \(\mathcal {L}_{w}\) and input (G, z), our simulator \(\mathcal {S}\) simulates the view of cheating verifier \(V^*\) by internally invoking \(V^*(G, z)\) and interacting with it as follows.
Simulating Messages and Leakages in Stage 1. Roughly speaking, \(\mathcal {S}\) simulates the messages in Stage 1 by interacting with \(V^*\) in the same way as the simulator of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \) (cf. Lemma 5). To simulate the leakages in Stage 1, \(\mathcal {S}\) uses the fact that Stage 1 of \(\mathsf {LR}\text {-}\mathsf {ZK}\) is public coin w.r.t. the prover and therefore all the randomness that an honest prover generates during Stage 1 consists of the messages themselves. Specifically, \(\mathcal {S}\) simulates the leakages by treating the messages \(\mathsf {msgs}\) that it has sent to \(V^*\) thus far as the randomness of the prover. An issue is that, due to the existence of leakage queries, \(\mathcal {S}\) cannot use the simulator of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \) in a modular way. Nonetheless, \(\mathcal {S}\) can still use the technique used in the simulator of \(\langle \mathbb {P}_{\mathrm {B}}, \mathbb {V}_{\mathrm {B}} \rangle \) as long as the length of the leakages is bounded by \(n^2\). (Notice that when the length of the leakage exceeds \(n^2\), \(\mathcal {S}\) can simply obtain a Hamiltonian cycle w of G from \(\mathcal {L}_w\).)
Formally, \(\mathcal {S}\) interacts with \(V^*\) as follows.
 1. After receiving h and \(r_1\) from \(V^*\), \(\mathcal {S}\) sends \(c\leftarrow \mathsf {Com}_{r_1}(h(V^*))\) to \(V^*\). Let \(\mathsf {rand}\) be the randomness that was used in this step.
 Leakage query: When \(V^*\) makes a leakage query f, \(\mathcal {S}\) does the following.
 – Let \(\mathsf {tape}:= c\).
 – If the output length of f is more than \(n^2\), \(\mathcal {S}\) obtains w from \(\mathcal {L}_w\) and returns \(f(w, \mathsf {tape})\) to \(V^*\).
 – Otherwise, \(\mathcal {S}\) queries \(f(\cdot , \mathsf {tape})\) to \(\mathcal {L}_w\), obtains reply L from \(\mathcal {L}_w\), and forwards L to \(V^*\).
 If \(\mathcal {S}\) obtained w, from now on \(\mathcal {S}\) interacts with \(V^*\) in exactly the same way as an honest prover. Otherwise, it does the following.

 2. After receiving \(r_2\) and \(\alpha \) from \(V^*\), \(\mathcal {S}\) computes the second-round \(\mathsf {UA}\) message \(\beta \) by using witness \((V^*, \mathsf {rand}, L)\) and then honestly commits to \(\beta \) by using \(\mathsf {SWExtCom}\). Let \(\widehat{\beta }\) be the commitment and \(d_1\) be the decommitment.
 Leakage query: When \(V^*\) makes a leakage query f, \(\mathcal {S}\) sets \(\mathsf {tape}:= \mathsf {msgs}\), queries \(f(\cdot , \mathsf {tape})\) to \(\mathcal {L}_w\), and forwards the reply from \(\mathcal {L}_w\) to \(V^*\), where \(\mathsf {msgs}\) are the messages that \(\mathcal {S}\) has sent to \(V^*\) thus far.
 3. After receiving \(\gamma \) from \(V^*\), \(\mathcal {S}\) computes the fourth-round \(\mathsf {UA}\) message \(\delta \) and then honestly commits to \(\delta \) by using \(\mathsf {SWExtCom}\). Let \(\widehat{\delta }\) be the commitment and \(d_2\) be the decommitment.
 Leakage query: When \(V^*\) makes a leakage query f, \(\mathcal {S}\) answers it in exactly the same way as above.
Let \(\tau \mathop {=}\limits ^\mathrm{def}(h, r_1, c, r_2, \alpha , \widehat{\beta }, \gamma , \widehat{\delta })\) and \(\bar{w} \mathop {=}\limits ^\mathrm{def}(d_1, d_2, \beta , \delta )\). Since \((V^*, \mathsf {rand}, L)\) is a valid witness for \((h, r_1, c, r_2)\in \varLambda \), we have \(\tau \in \mathbb {L}_{\mathrm {B}}\) and \(\bar{w}\in \mathbf R _{\mathbb {L}_{\mathrm {B}}}(\tau )\). Let \(G'\) and \(w'\) be the graph and its Hamiltonian cycle that are obtained by reducing statement “\(\tau \in \mathbb {L}_{\mathrm {B}}\)” to Hamiltonicity problem through the \(\mathcal {NP}\) reduction.
Simulating Messages and Leakages in Stage 2. If \(\mathcal {S}\) obtained w during Stage 1, it interacts with \(V^*\) in the same way as an honest prover. Otherwise, \(\mathcal {S}\) interacts with \(V^*\) as follows. The idea is that, since \(\mathcal {S}\) knows a witness \(w'\) for \(G'\in \mathbf L _{\mathrm {HC}}\), \(\mathcal {S}\) can correctly respond to the challenge for both \(ch=0\) and \(ch=1\) by committing to a random permutation of \(G'\) in the first step.
 1. \(\mathcal {S}\) chooses a random permutation \(\pi \) and computes \(H := \pi (G')\). Then, \(\mathcal {S}\) commits to the adjacency matrix \(A = \{a_{i, j} \}_{i,j\in [q']}\) of H by using \(\mathsf {GJS}\text {-}\mathsf {Com}_{G, G', r}\). That is, \(\mathcal {S}\) sends \(c_{i,j} \leftarrow \mathsf {GJS}\text {-}\mathsf {Com}_{G, G', r}(a_{i,j})\) to \(V^*\) for every \(i,j\in [q']\). Let \(\{\rho _{i,j} \}_{i,j\in [q']}\) be the randomness used in the \(\mathsf {GJS}\text {-}\mathsf {Com}\) commitments and \(\pi (w')\) be the Hamiltonian cycle in H that is obtained by applying \(\pi \) on the Hamiltonian cycle \(w'\) in \(G'\).
 2. \(\mathcal {S}\) receives a random bit \(ch\in \{0,1 \}\) from \(V^*\).
 3. \(\mathcal {S}\) responds to the challenge as follows.
 – When \(ch = 0\), \(\mathcal {S}\) sends \(\pi \) to \(V^*\) and decommits \(c_{i, j}\) to \(a_{i, j}\) honestly for every \(i,j\in [q']\). That is, \(\mathcal {S}\) sends \(d_{i,j} := \mathsf {GJS}\text {-}\mathsf {Dec}_{G, G', r}(c_{i,j}, a_{i,j}, \rho _{i,j})\) to \(V^*\) for every \(i,j\in [q']\).
 – When \(ch = 1\), \(\mathcal {S}\) decommits \(c_{i, j}\) to 1 honestly for every i, j such that edge (i, j) is on the Hamiltonian cycle \(\pi (w')\) in H. That is, for every such i and j, \(\mathcal {S}\) sends \(d_{i,j} := \mathsf {GJS}\text {-}\mathsf {Dec}_{G, G', r}(c_{i,j}, a_{i,j}, \rho _{i,j})\) to \(V^*\).
 Leakage query: When \(V^*\) makes a leakage query f, \(\mathcal {S}\) does the following.
 – First, for each \(i,j\in [q']\), \(\mathcal {S}\) constructs a function \(F_{i,j}(\cdot )\) such that on input w, it outputs \(\widetilde{\rho }_{i, j}\) such that \(\mathsf {GJS}\text {-}\mathsf {Com}_{G, G', r}(0; \widetilde{\rho }_{i,j}) = c_{i,j}\). Concretely, when \(a_{i,j} = 0\), \(F_{i,j}(\cdot )\) is a function that always outputs \(\rho _{i,j}\), and when \(a_{i,j} = 1\), \(F_{i,j}(\cdot ) \mathop {=}\limits ^\mathrm{def}\mathsf {GJS}\text {-}\mathsf {ExplainAsZero}_{G,G',r}(c_{i,j}, \cdot , w', \rho _{i,j})\).
 – Next, \(\mathcal {S}\) constructs a function \(\widetilde{f}\) such that on input w, it computes \(\mathsf {tape}:= \mathsf {msgs} \!\parallel \! \{F_{i,j}(w) \}_{i,j\in [q']} \) and outputs \(f(w, \mathsf {tape})\).
 – Finally, \(\mathcal {S}\) queries \(\widetilde{f}\) to \(\mathcal {L}_w\) and forwards the reply from \(\mathcal {L}_w\) to \(V^*\).

Open image in new window is identical with experiment \(\mathrm {REAL}_{V^*}(G, w, z)\). That is, \(V^*\) interacts with honest P(G, w) and obtains leakage that is computed honestly based on witness w and the prover’s randomness. The outputs of this hybrid is the view of \(V^*\).

Open image in new window is the same as Open image in new window except for the following.

– In Stage 1, a honest prover is replaced with the simulator. That is, c is computed by committing to \(h(V^*)\), \(\widehat{\beta }\) is computed by committing to \(\beta \), and \(\widehat{\delta }\) is computed by committing to \(\delta \).
Let \(\tau \) and \(\bar{w}\) be the statement and the witness generated in it. Let \(G'\) and \(w'\) be the graph and its Hamiltonian cycle that are obtained by reducing statement “\(\tau \in \mathbb {L}_{\mathrm {B}}\)” to Hamiltonicity problem through the \(\mathcal {NP}\) reduction.

– The leakage queries are answered by considering that the randomness generated by the prover during Stage 1 is equal to the messages sent to \(V^*\) during Stage 1.


Open image in new window is the same as Open image in new window except for the following.

– As in \(\mathcal {S}\), a random permutation \(\pi \) is chosen at the beginning of Stage 2-1. Let \(H \mathop {=}\limits ^\mathrm{def}\pi (G')\), and let \(A = \{a_{i,j} \}_{i,j\in [q']}\) be the adjacency matrix of H. Let \(\pi (w')\) be the Hamiltonian cycle in H that is obtained by applying \(\pi \) to the Hamiltonian cycle \(w'\) in \(G'\).
We remark that in this hybrid, the prover still commits to a \(q' \times q'\) zero matrix as in Hybrid 1. Also, the leakage query immediately after Stage 2-1 is answered in exactly the same way as in Hybrid 1. In particular, when the leakage query is answered, \(\pi \) is not included in the randomness generated by the prover in Stage 2-1.

– In Stage 2-3, graph \(H_0\) or \(H_1\) is chosen as follows.

When \(\mathbf {ch = 0}\), \(H_0 := H\).

When \(\mathbf {ch = 1}\), \(H_1\) is the graph that is obtained by removing every edge in H except for the ones on the Hamiltonian cycle \(\pi (w')\).
The leakage query immediately after Stage 2-3 is answered in the same way as in Hybrid 1 by considering that \(H_0\) or \(H_1\) was chosen during Stage 2-3 as in Hybrid 1.
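To make the Stage 2-1 / Stage 2-3 mechanics above concrete, here is an added example in Python that is not part of the paper or its protocol. It builds the adjacency matrix \(A\) of \(H = \pi(G')\), commits to every entry \(a_{i,j}\), and on challenge \(ch = 0\) reveals \(H_0 = H\) together with \(\pi\), while on \(ch = 1\) it reveals only \(H_1\), the edges of \(\pi(w')\). The verifier's checks for both cases are included, which the hybrid description leaves implicit. The commitment is a plain hash commitment standing in for \(\mathsf{GJS}\text{-}\mathsf{Com}\) (an assumption of this example, with none of the equivocation used in the proof), and the graph instance is constructed inline.

```python
import hashlib
import random


def commit(bit, rho):
    """Hash commitment to one bit with randomness rho (assumed stand-in for GJS-Com)."""
    return hashlib.sha256(rho + bytes([bit])).digest()


def permute_graph(adj, perm):
    """H = pi(G'): vertex i of G' becomes vertex perm[i] of H."""
    q = len(adj)
    H = [[0] * q for _ in range(q)]
    for i in range(q):
        for j in range(q):
            H[perm[i]][perm[j]] = adj[i][j]
    return H


def sample_graph(q, rng):
    """Constructed sample input: random graph on q vertices with a planted Hamiltonian cycle."""
    cycle = list(range(q))
    rng.shuffle(cycle)
    adj = [[0] * q for _ in range(q)]
    for t in range(q):
        a, b = cycle[t], cycle[(t + 1) % q]
        adj[a][b] = adj[b][a] = 1
    for i in range(q):
        for j in range(i + 1, q):
            if rng.random() < 0.3:  # extra edges so the cycle is not obvious from G'
                adj[i][j] = adj[j][i] = 1
    return adj, cycle


def stage21_commit(G_adj, rng):
    """Prover, Stage 2-1: choose pi, form A = adjacency matrix of H, commit to each a_{i,j}."""
    q = len(G_adj)
    perm = list(range(q))
    rng.shuffle(perm)
    H = permute_graph(G_adj, perm)
    rho = [[rng.getrandbits(128).to_bytes(16, "big") for _ in range(q)] for _ in range(q)]
    coms = [[commit(H[i][j], rho[i][j]) for j in range(q)] for i in range(q)]
    return {"perm": perm, "H": H, "rho": rho}, coms


def stage23_respond(state, cycle, ch):
    """Prover, Stage 2-3: ch = 0 opens H_0 = H (all entries and pi); ch = 1 opens only H_1 = edges of pi(w')."""
    q = len(state["H"])
    if ch == 0:
        opens = {(i, j): (state["H"][i][j], state["rho"][i][j]) for i in range(q) for j in range(q)}
        return {"perm": state["perm"], "opens": opens}
    pc = [state["perm"][v] for v in cycle]  # the Hamiltonian cycle pi(w') in H
    opens = {}
    for t in range(q):
        a, b = pc[t], pc[(t + 1) % q]
        opens[(a, b)] = (1, state["rho"][a][b])
        opens[(b, a)] = (1, state["rho"][b][a])  # symmetric entry of the undirected edge
    return {"opens": opens}


def verify(G_adj, coms, ch, resp):
    """Verifier: check every decommitment, then that H_0 = pi(G') or that H_1 is a Hamiltonian cycle."""
    q = len(G_adj)
    opens = resp["opens"]
    if any(commit(bit, r) != coms[i][j] for (i, j), (bit, r) in opens.items()):
        return False
    if ch == 0:
        perm = resp["perm"]
        if len(opens) != q * q or sorted(perm) != list(range(q)):
            return False
        expected = permute_graph(G_adj, perm)
        return all(opens[(i, j)][0] == expected[i][j] for i in range(q) for j in range(q))
    # ch = 1: opened entries must all be 1-edges, no self-loops, forming one cycle through all q vertices
    if any(bit != 1 for bit, _ in opens.values()) or any(i == j for i, j in opens):
        return False
    edges = {frozenset(e) for e in opens}
    if len(edges) != q:
        return False
    nbrs = {v: [] for v in range(q)}
    for e in edges:
        a, b = tuple(e)
        nbrs[a].append(b)
        nbrs[b].append(a)
    if any(len(n) != 2 for n in nbrs.values()):
        return False
    seen, stack = {0}, [0]
    while stack:
        for w in nbrs[stack.pop()]:
            if w not in seen:
                seen.add(w)
                stack.append(w)
    return len(seen) == q


def run_round(q, ch, seed=0):
    """One Stage 2 round on a constructed instance; returns whether the verifier accepts."""
    rng = random.Random(seed)
    G_adj, cycle = sample_graph(q, rng)
    state, coms = stage21_commit(G_adj, rng)
    return verify(G_adj, coms, ch, stage23_respond(state, cycle, ch))
```

The point to notice against the hybrid description is that the \(ch = 1\) response never reveals \(\pi\) or the non-cycle entries of \(A\), so an honest opening only shows a \(q'\)-cycle on the vertex set, and the \(ch = 0\) response reveals \(\pi\) but nothing about \(w'\); the hybrids in the proof replace the committed zero matrix by \(A\) entry by entry precisely because only the opened entries are ever visible to \(V^*\).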



Hybrid 3 is the same as Hybrid 2 except for the following.

– In Stage 2-1, for every \(i,j\in [q']\), commitment \(c_{i,j}\) is computed by committing to \(a_{i,j}\) (instead of 0), i.e., \(c_{i,j} \leftarrow \mathsf {GJS}\text {-}\mathsf {Com}_{G,G',r}(a_{i,j})\).

– In Stage 2-3, for every \(i,j\in [q']\), if commitment \(c_{i,j}\) needs to be decommitted, it is decommitted to \(a_{i,j}\) honestly.

– When the leakage queries are answered during Stage 2, the randomness \(\rho _{i,j}\) used for computing \(c_{i,j}\) is simulated by \(\widetilde{\rho }_{i,j}\) that is computed by function \(F_{i,j}\) as in \(\mathcal {S}\) for every \(i,j\in [q']\).


Hybrid 4 is identical with \(\mathrm {IDEAL}_{\mathcal {S}}(x, w, z)\). That is, \(\mathcal {S}(G, z)\) is executed given access to \(\mathcal {L}_{w}\). The output of this hybrid is the output of \(\mathcal {S}\).
Claim 1
The output of Hybrid 0 and that of Hybrid 1 are computationally indistinguishable.
Proof
Hybrid 1 differs from Hybrid 0 only in that fake commitments of \(\mathsf {Com}\) and \(\mathsf {SWExtCom}\) are replaced with real commitments. Hence, the indistinguishability follows from the security of \(\mathsf {Com}_{\mathrm {pub}}\) and \(C_{\mathrm {pub}}\) (see Sects. 3.4 and 3.8). \(\square \)
Claim 2
The output of Hybrid 1 and that of Hybrid 2 are computationally indistinguishable.
Proof
This claim can be proven by inspection. Observe that Hybrid 2 differs from Hybrid 1 only in the way graph \(H_0\) or \(H_1\) is chosen in Stage 2. When \(ch = 0\), the distribution of \(H_0\) in Hybrid 2 is the same as that in Hybrid 1 since in both hybrids \(H_0\) is obtained by applying a random permutation to \(G'\). When \(ch = 1\), the distribution of \(H_1\) in Hybrid 2 is the same as that in Hybrid 1 since the Hamiltonian cycle \(w'\) in \(G'\) is mapped to a random q-cycle by \(\pi \). Hence, the output of Hybrid 2 is identically distributed with that of Hybrid 1. \(\square \)
Claim 3
The output of Hybrid 2 and that of Hybrid 3 are computationally indistinguishable.
Proof
Assume for contradiction that for infinitely many \(G\in \mathbf L _{\mathrm {HC}}\), there exists \(z\in \{0,1 \}^*\) such that a distinguisher \(\mathcal {D}\) distinguishes the output of Hybrid 2 and that of Hybrid 3 with advantage \(1{\slash }p(n)\) for a polynomial \(p(\cdot )\). Fix any such G and z. To derive a contradiction, we consider the following intermediate hybrids.

Hybrid \(2{:}0\) is identical with Hybrid 2.

Hybrid \(2{:}k\), where \(k\in [q'^2]\), is the same as Hybrid \(2{:}(k-1)\) except for the following. Let \(u \mathop {=}\limits ^\mathrm{def}\lfloor (k-1){\slash }q' \rfloor + 1\) and \(v \mathop {=}\limits ^\mathrm{def}k - \lfloor (k-1){\slash }q' \rfloor \cdot q'\).

– In Stage 2-1, commitment \(c_{u,v}\) is computed by committing to \(a_{u,v}\) (instead of 0), i.e., \(c_{u,v} \leftarrow \mathsf {GJS}\text {-}\mathsf {Com}_{G,G',r}(a_{u,v})\).

– In Stage 2-3, if commitment \(c_{u,v}\) needs to be decommitted, it is decommitted to \(a_{u,v}\) honestly.

– When the leakage queries are answered during Stage 2, the randomness \(\rho _{u,v}\) used for computing \(c_{u,v}\) is simulated by \(\widetilde{\rho }_{u,v}\) that is computed by function \(F_{u,v}\) as in \(\mathcal {S}\).

Clearly, Hybrid \(2{:}q'^2\) is identical with Hybrid 3. Hence, there exists \(k^*\in [q'^2]\) such that the output of Hybrid \(2{:}(k^*-1)\) and that of Hybrid \(2{:}k^*\) can be distinguished with advantage \(1{\slash }q'^2p(n)\). Furthermore, by an averaging argument, there exists a prefix \(\sigma \) of the execution of Hybrid \(2{:}(k^*-1)\) up until permutation \(\pi \) is chosen in Stage 2-1 (i.e., just before \(\{c_{i,j} \}_{i,j\in [q']}\) is sent to \(V^*\)) such that, conditioned on the prefix of the execution being \(\sigma \), the output of Hybrid \(2{:}(k^*-1)\) and that of Hybrid \(2{:}k^*\) can be distinguished with advantage \(1{\slash }q'^2p(n)\). Notice that \(\sigma \) determines \(G'\), \(w'\), r, and \(\{a_{i,j} \}_{i,j\in [q']}\).
We derive a contradiction by showing that we can break the adaptive security of \(\mathsf {GJS}\text {-}\mathsf {Com}\) (Lemma 8). Specifically, we show that \(\mathsf {EXP}^{\mathrm {GJS}}_0(n, G, G', w, w', r)\) and \(\mathsf {EXP}^{\mathrm {GJS}}_1(n, G, G', w, w', r)\) can be distinguished with advantage \(1{\slash }q'^2p(n)\). Toward this end, consider the following distinguisher \(\mathcal {D}'\).

Externally, \(\mathcal {D}'\) takes \((c, \rho _0, d_1)\) as well as \((n, G, G', w, w', r)\) as input. \(\mathcal {D}'\) also takes \((\sigma , z)\) as non-uniform input.

Internally, \(\mathcal {D}'\) invokes \(V^*\) and simulates Hybrid \(2{:}(k^*-1)\) for \(V^*\) from \(\sigma \) honestly except for the following. Let \(u^* \mathop {=}\limits ^\mathrm{def}\lfloor (k^*-1){\slash }q' \rfloor + 1\) and \(v^* \mathop {=}\limits ^\mathrm{def}k^* - \lfloor (k^*-1){\slash }q' \rfloor \cdot q'\). Notice that \(a_{u^*,v^*} = 1\) must hold, since Hybrid \(2{:}(k^*-1)\) is identical with Hybrid \(2{:}k^*\) when \(a_{u^*,v^*} = 0\).

In Stage 2-1, commitment \(c_{u^*,v^*}\) is defined by setting \(c_{u^*,v^*} := c\).

In Stage 2-3, when commitment \(c_{u^*,v^*}\) is decommitted, it is decommitted to \(a_{u^*,v^*} = 1\) by sending \(d_1\).

When the leakage queries are answered during Stage 2, the randomness \(\rho _{u^*,v^*}\) used for computing \(c_{u^*,v^*}\) is simulated by setting \(\widetilde{\rho }_{u^*,v^*} := \rho _0\).
Let \(\mathsf {view}\) be the view of \(V^*\). Then, \(\mathcal {D}'\) outputs \(\mathcal {D}(\mathsf {view})\).

When \((c, \rho _0, d_1) \leftarrow \mathsf {EXP}^{\mathrm {GJS}}_0(n, G, G', w, w', r)\) (i.e., when c is a commitment to 0, \(\rho _0\) is the randomness that is used to generate c, and \(d_1\) is a decommitment to 1 that is computed by \(\mathsf {GJS}\text {-}\mathsf {EquivToOne}\)), \(\mathcal {D}'\) emulates Hybrid \(2{:}(k^*-1)\) for \(V^*\) perfectly. On the other hand, when \((c, \rho _0, d_1) \leftarrow \mathsf {EXP}^{\mathrm {GJS}}_1(n, G, G', w, w', r)\) (i.e., when c is a commitment to 1, \(\rho _0\) is randomness that is computed by \(\mathsf {GJS}\text {-}\mathsf {ExplainAsZero}\), and \(d_1\) is a decommitment to 1 that is computed honestly), \(\mathcal {D}'\) emulates Hybrid \(2{:}k^*\) for \(V^*\) perfectly. Hence, from our assumption, \(\mathcal {D}'\) distinguishes \(\mathsf {EXP}^{\mathrm {GJS}}_0(n, G, G', w, w', r)\) and \(\mathsf {EXP}^{\mathrm {GJS}}_1(n,G,G',w,w',r)\) with advantage \(1{\slash }q'^2p(n)\), and therefore we reach a contradiction. \(\square \)
Claim 4
The output of Hybrid 3 and that of Hybrid 4 are computationally indistinguishable.
Proof
In Hybrid 3, the prover interacts with \(V^*\) in exactly the same way as \(\mathcal {S}\). Hence, the claim follows. \(\square \)
Equation (5) follows from these claims. This concludes the proof of Lemma 9. \(\square \)
This concludes the proof of Theorem 1. \(\square \)
Footnotes
 1.
 2.
 3.
This is because in the protocol of [12], the verifier commits to the challenge bits of Blum's Hamiltonicity protocol in advance, and hence a cheating prover can easily break soundness by obtaining the challenge bits via leakage.
 4.
Actually, there is a coin-tossing protocol that determines the parameter of the equivocal commitment, and td is the trapdoor for biasing the outcome of the coin-tossing.
 5.
What is actually used here is adaptive security, which guarantees that for each underlying commitment, it is possible to compute randomness \(\mathsf {tape}_0\) and \(\mathsf {tape}_1\) such that \(\mathsf {tape}_b\) explains the commitment as a commitment to b for each \(b\in \{0,1 \}\).
 6.
This extractability is used only in the proof of soundness. Hence, the proof of zero-knowledgeness works even in the presence of this extractable commitment scheme.
 7.
 8.
In the “inner” \(\mathsf {H}\text {-}\mathsf {Com}\), the underlying commitment scheme is \(\mathsf {Com}\) as before.
Acknowledgments
The author would like to thank the anonymous reviewers for their helpful comments.
References
1. Ananth, P., Goyal, V., Pandey, O.: Interactive proofs under continual memory leakage. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 164–182. Springer, Heidelberg (2014)
2. Anderson, R., Kuhn, M.: Tamper resistance: a cautionary note. In: WOEC, pp. 1–11 (1996)
3. Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS, pp. 106–115 (2001)
4. Barak, B., Goldreich, O.: Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2008)
5. Bitansky, N., Canetti, R., Halevi, S.: Leakage-tolerant interactive protocols. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 266–284. Springer, Heidelberg (2012)
6. Bitansky, N., Dachman-Soled, D., Lin, H.: Leakage-tolerant computation with input-independent preprocessing. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 146–163. Springer, Heidelberg (2014)
7. Boyle, E., Garg, S., Jain, A., Kalai, Y.T., Sahai, A.: Secure computation against adaptive auxiliary information. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 316–334. Springer, Heidelberg (2013)
8. Boyle, E., Goldwasser, S., Jain, A., Kalai, Y.T.: Multiparty computation secure against continual memory leakage. In: STOC, pp. 1235–1254 (2012)
9. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: STOC, pp. 494–503 (2002)
10. Damgård, I., Pedersen, T.P., Pfitzmann, B.: Statistical secrecy and multi-bit commitments. IEEE Trans. Inf. Theor. 44(3), 1143–1151 (1998)
11. Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, Heidelberg (1990)
12. Garg, S., Jain, A., Sahai, A.: Leakage-resilient zero knowledge. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 297–315. Springer, Heidelberg (2011)
13. Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(3), 167–190 (1996)
14. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
15. Haitner, I., Nguyen, M., Ong, S.J., Reingold, O., Vadhan, S.P.: Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009)
16. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
17. Kiyoshima, S.: Constant-round leakage-resilient zero-knowledge from collision resistance. Cryptology ePrint Archive, Report 2015/1235 (2015). http://eprint.iacr.org/
18. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
19. Lindell, Y., Zarosim, H.: Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. J. Cryptol. 24(4), 761–799 (2011)
20. Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)
21. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC, pp. 33–43 (1989)
22. Ostrovsky, R., Persiano, G., Visconti, I.: Impossibility of black-box simulation against leakage attacks. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 130–149. Springer, Heidelberg (2015)
23. Pandey, O.: Achieving constant round leakage-resilient zero-knowledge. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 146–166. Springer, Heidelberg (2014)
24. Pass, R., Rosen, A.: Concurrent non-malleable commitments. In: FOCS, pp. 563–572 (2005)
25. Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: STOC, pp. 533–542 (2005)
26. Pass, R., Wee, H.: Black-box constructions of two-party protocols from one-way functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009)
27. Quisquater, J., Samyde, D.: ElectroMagnetic Analysis (EMA): measures and countermeasures for smart cards. In: Attali, I., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001)
28. Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)