1 Introduction

Secure computation [13, 42] allows a set of mutually distrusting parties to compute a joint function of their private inputs such that nothing else apart from the function’s output is leaked. The constructions of secure computation protocols (where the majority of the parties can be corrupted) may make use of cryptographic primitives in one out of the following two ways. The construction can either make black-box use of the primitive by referring only to the input/output behavior of that primitive or it can make non-black-box use of the primitive by using the code computing this primitive.

Typically, non black-box use of a cryptographic primitive is made to protect against malicious adversaries who may deviate arbitrarily from the protocol specification. In such scenarios, a zero-knowledge proof [14] showing correct computation of this primitive (which in turn requires access to the code computing this primitive) is used. This part is computationally expensive and further, the complexity of this step depends on the actual implementation of this cryptographic functionality.

The advantage of black-box constructions is that their complexity is independent of the complexity of implementation of the underlying primitive. In fact, such protocols are sometimes considered as the first step towards practical implementations. There has been an impressive body of research [7, 15, 16, 19, 25,26,27,28, 36] on constructing secure computation protocols that make black-box use of underlying primitives. However, most of these works incur several additional rounds of interaction when compared to non-black-box protocols.

A very natural question, which is still far from being resolved, is whether there exist black-box protocols that match the exact round complexity of their non-black-box counterparts.Footnote 1 In this paper, we ask this question for a key cryptographic functionality that lies at the center of nearly all black-box constructions: the commit-and-prove functionality.

1.1 Commit-and-Prove Functionalities

A “commit-and-prove” functionality [6, 13] is generally used to prevent malicious behaviour by forcing participants to prove correctness of their protocol messages w.r.t. the committed inputs. Informally, a commit-and-prove functionality allows a party to commit to some secret value x and prove that value satisfies some predicate P. In order to maintain secrecy, such a proof must additionally hide the secret input x, in other words it must be zero-knowledge.

Very roughly, any commit-and-prove protocol is said to be zero-knowledge if there exists an associated simulator that given the commitment externally, is able to generate a proof without access to the witness (or the value being committed via the commitment). We note that such protocols have been a core primitive in nearly all previous works on obtaining black-box constructions, including [16, 25, 27, 36]. In addition to zero-knowledge, we also consider the weaker privacy property of witness indistinguishability [9].Footnote 2

Despite the above mentioned fascinating advances in constructing such protocols, we still do not know round-optimal black-box constructions of zero-knowledge commit-and-prove functionalities. Indeed, in the black-box regime, the best known result is due to Hazay and Venkitasubramaniam [21] which requires 6 rounds of interaction. In fact, when not restricted to black-box use of primitives, we have known for more than 25 years that four rounds are necessary [12]Footnote 3 and sufficient [5, 8] for constructing zero-knowledge commit-and-prove arguments.

However, so many years later, in the regime of black-box commit-and-prove, the following question is still open:

“Do there exist round-optimal, black-box commit-and-prove zero-knowledge protocols?”

1.2 Our Results

We provide a positive answer to this question. In particular, assuming injective one-way functions, we construct the first:

  • Four round black-box commit-and-prove zero-knowledge arguments of knowledge against malicious verifiers, and

  • Three round black-box commit-and-prove witness-indistinguishable arguments of knowledge against malicious verifiers. These commitments satisfy only a weaker notion of binding (that we call 1-of-2 binding), which nevertheless suffices for all our applications, and which we detail in Definition 4.

Our protocols satisfy correctness and soundness even in the delayed-input setting, where the predicate to be proved can be decided even in the last round of the protocol, however, the witness or message to be committed must be known before the prover sends his first message. Additionally, as simple applications of these protocols, we give the first constructions of four round extractable and equivocal commitments that only make black-box use of injective one-way functions.

Discussion. Our construction makes non-black-box use of the predicate, similar to all previous constructions in this line of work. With respect to constructions making black-box use of the predicate, we would like to point to the negative result of Rosulek [39] which shows that any (honest-verifier) zero-knowledge argument for the NP language \(L = \{x: \exists w s.t. f(w) = x\}\) and f is a one-way function must make use of the code of the function f.

We note that similar to previous work using MPC-in-the-head [IKOS07] and follow-ups, our techniques can be used directly to build black-box protocols in cases where the predicate is information theoretic. There are several settings in literature where the predicate is indeed information theoretic. A few simple examples include:

  • A commit-and-prove protocol for checking equality of two committed values (This is in fact used in our construction of equivocal commitments).

  • A commit-and-prove protocol for checking that one committed value corresponds to a fixed polynomial evaluated on a different committed value (Eg, in the ZK arguments that achieve four round non-malleable commitments in GRRV14.)

  • Comparison queries or range proofs, showing that a committed value lies in a certain fixed range (Such proofs have become increasingly popular in recent years).

  • These techniques may also be relevant to distributed secure protocols with information-theoretic guarantees.

Furthermore, as we note in the paper, in many other situations, where the predicate itself involves cryptography, cut-and-choose techniques have been extensively explored (Please see [1, 22, 23, 30,31,32,33, 40, 41] and references therein). Specifically, the works of [16, 17, 35] used cut-and-choose to separate such predicates into cryptographic components, for which malicious security was obtained using cut-and-choose, and information-theoretic components, for which tailored commit-and-prove protocols were built. In this paper, we concentrate on the latter and build round-optimal, black-box commit-and-prove ZK protocols to generically solve the problem of commit-and-prove for information-theoretic predicates. As simple applications of these results, in the paper, we construct the first four round extractable and equivocal commitments from injective one-way functions.

1.3 Related Works

Goldreich and Krawcyzk [12] showed that four rounds are necessary to construct zero-knowledge argument system that make black-box use of a verifier for languages outside of \(\texttt {BPP}\). Bellare et al. [5] and Feige et al. [8] gave protocols that matches this round complexity from the minimum assumption that one-way functions exist.

The commit and prove functionality was first used implicitly in [13] and was later formalized in [6]. The constructions given in these works made non-black-box use of one-way functions. A constant round black-box commit and prove zero-knowledge proof was implicit in the work of Ishai et al. [27] assuming collision resistant hash functions. Later works of [16, 17, 35] improved the concrete round complexity of this construction and also constructed zero-knowledge argument systems from one-way functions. More recently, Hazay and Venkitasubramaniam [21] constructed a six-round black-box commit and prove zero-knowledge argument from injective one-way functions. This work represents the state of the art in terms of round complexity of black-box commit and prove.

2 Our Techniques

Our starting point is the work of Hazay and Venkitasubramaniam [21], who constructed three-message black-box commit-and-prove ZK protocols with constant soundness, by making use of robust offline/online randomized encodings.

Starting Point: Robust Offline/Online Encoding. A randomized encoding [2,3,4, 24, 42] of a boolean circuit f is a function \(\widehat{f}\) along with a decoding algorithm \( Dec \) such that for any input x in the domain of the function f, with overwhelming probability it holds that \( Dec (\widehat{f}(x; U_m)) = f(x)\), where \(U_m\) denotes the uniform distribution over m bits. Moreover, the encoding \(\widehat{f}\) required to satisfy computational privacy, meaning that the encoding \(\widehat{f}(x, U_m)\) reveals no information about x and f, except f(x). A randomized encoding is called offline/online if it has two components: an offline component that does not depend on the input, and an online component which is a function of the input. We will denote these by two functions \(\widehat{f}_{\mathrm {off}}\) and \(\widehat{f}_{\mathrm {on}}\) such that \(\widehat{f}(x; r) = (\widehat{f}_{\mathrm {off}}(r), \widehat{f}_{\mathrm {on}}(x, r))\). Such an encoding is called robust, if additionally the following is true: when there exists no x such that \(f(x) = a\), then for any r, there does not exist any z such that \( Dec (\widehat{f}_{\mathrm {off}}(r), z) = a\). The work of [21] showed that robust randomized encodings can be instantiated in multiple ways, including the use of adaptive garbled circuits.

Black-Box Commit and Prove with Constant Soundness. Let us now explain how the work of [21] used offline/online randomized encodings to construct black-box commit and prove ZK proofs with constant soundness error. Additionally, if the encodings are robust then this zero-knowledge proof satisfies correctness and soundness in the delayed-input setting.

The prover \(\mathcal {P}\) has a message m and wants to convince the verifier that \(\phi (m) = 1\) where \(\phi \) is some predicate. The protocol is as follows:

  1. 1.

    In the first round, \(\mathcal {P}\) secret shares m into two shares \(m_0\) and \(m_1\). It then constructs a function f which has hardwired a secret share \(m_0\) of m, and obtains as input the other share \(m_1\) and the predicate \(\phi \). This function outputs \((1, \phi , m_1)\) if and only if \(\phi (m_0 \oplus m_1)= 1\); otherwise it outputs \(\bot \). It constructs an offline encoding of this function \(\widehat{f}_{\mathrm {off}}(r)\) and sends \(\widehat{f}_{\mathrm {off}}(r)\) and also sends a (standard) non-interactive commitment to \(m_1\).

  2. 2.

    The verifer \(\mathcal {V}\) sends a random single bit challenge b.

  3. 3.

    If \(b := 0\) then the prover sends fr and the verifier checks if \(\widehat{f}_{\mathrm {off}}(r)\) is computed correctly. Otherwise, \(\mathcal {P}\) opens the commitment to \(m_1\) and also sends \(\widehat{f}_{\mathrm {on}}((m_1,\phi ),r)\). \(\mathcal {V}\) checks if the opening is valid and also runs \( Dec (\widehat{f}_{\mathrm {off}}(r),\widehat{f}_{\mathrm {on}}((m_1,\phi ),r))\) and checks if this output is \((1,m_1,\phi )\).

In the case where \(b = 0\), the commitment computationally hides \(m_1\), whereas when \(b = 1\), the privacy of the randomized encoding ensures that \(m_0\) remains hidden. As shown in [21], this can indeed be formalized to prove that the protocol satisfies zero-knowledge. However, the protocol is only 1 / 2 sound: in particular, a cheating prover can guess the verifier’s challenge in advance, and use this to generate an accepting proof of a false statement.

Boosting Soundness. In order to boost soundness to close to 1, a natural idea is to parallel repeat this basic protocol to achieve negligible soundness error. But this idea does not work because we want a commit-and-prove: meaning that a malicious prover should be forced to commit to a single value and prove that it satisfies the predicate. In a naïve parallel repetition, a cheating prover could use different m’s to compute the first message in different parallel repetitions. Therefore, we must find a way to ensure consistency of messages used across different parallel executions.

To achieve this, we augment the constant soundness protocol in the following way:

  1. 1.

    Instead of secret sharing m, the prover now secret shares \(w := (m \Vert r)\) where r is a random element from a finite field \(\mathbb {F}\).Footnote 4 Let \(w_0\) and \(w_1\) be the secret shares. The prover constructs a function f that has \(w_0\) hardwired in its description and takes as input the other share \(w_1\) along with an augmented predicate \(\phi '\) (which we will define later). f outputs \((1,w_1,\phi ')\) if and only if \(\phi '(w_0\,\oplus \,w_1) = 1\). It constructs an offline encoding of this function \(\widehat{f}_{\mathrm {off}}(r)\) and sends \(\widehat{f}_{\mathrm {off}}(r)\) and also sends a (standard) non-interactive commitment to \(w_1\).

  2. 2.

    The verifier chooses a random bit b as before and additionally chooses a random element \(\alpha \leftarrow \mathbb {F}\setminus \{0\}\) and sends \(b,\alpha \) to \(\mathcal {P}\).

  3. 3.

    The prover computes \(\gamma := r \alpha + m\) and sets the predicate \(\phi '((m\Vert r))\) to check if \(\phi (m) = 1\) and if \(\gamma \) is correctly computed. The prover sends \(\gamma \) and responds to the verifier’s challenge bit as before.

In the parallel repetition of the above protocol, \(\mathcal {P}\) chooses a “global" r that remains the same for each of the repetitions and also sends a single \(\gamma := r\alpha + m\) in the third round; in each repetition, the predicate \(\phi '\) shows that this “global” \(\gamma \) is consistent with the value w used in that repetition. We now show that the above augmented constant soundness protocol can force a prover to use consistent witness across multiple parallel executions. Say, the prover tries to use different witnesses \((r',m') \ne (r,m)\) across parallel repetitions. Then, with overwhelming probability \(r \alpha + m \ne r' \alpha + m'\) by the Schwartz-Zippel lemma. Thus, the predicate that the prover is trying to prove in those repetitions is false and hence he will be caught if he tries to use inconsistent witness in many repetitions. We show that this parallel repetition satisfies witness indistinguishability.

Achieving Zero-Knowledge. As mentioned earlier, our three round parallel repetition of the augmented constant soundness protocol satisfies witness indistinguishability. Indeed, in order for it to achieve zero-knowledge property, it is necessary to have an additional round of interaction [11].

Our four round commit and prove ZK protocol follows the FLS paradigm [8] i.e., we run two special purpose witness indistinguishable protocols in opposite directions between the prover \(\mathcal {P}\) and the verifier \(\mathcal {V}\). Recall that in the FLS paradigm the first protocol is a WI-PoK run by the verifier proving the knowledge of some trapdoor information. The second WI-PoK protocol run by the prover shows the knowledge of a witness for the statement x or the knowledge of verifier’s trapdoor information. Intuitively, the soundness of the protocol follows from the security of the first WI-PoK and the zero-knowledgeness property follows from the observation that the simulator can rewind and extract the trapdoor information from the first WI-PoK and then use it in the second protocol.

In our construction, the first WI protocol run by \(\mathcal {V}\) is a 3-round \(\mathsf {two}\text {-}\mathsf {com}\) protocol. Intuitively, the \(\mathsf {two}\text {-}\mathsf {com}\) protocol is a commitment to two random strings \(s_0\) and \(s_1\) such that commitment to \(s_b\) for a random \(b \in \{0,1\}\) is binding whereas the commitment to the other string \(s_{1-b}\) is equivocal. The trapdoor information is the string \(s_b\). We demonstrate how to construct this primitive with black-box use of statistically binding commitment scheme using ideas from [34]. We additionally show that this trapdoor information can be extracted in expected polynomial time by rewinding the verifier. We wish to emphasize that the trapdoor that we use is in some sense “information theoretic” in nature and in contrast, the trapdoors usually used in the FLS paradigm are “crytographic” in nature such as the inverse of a given one-way function, or a signature under a public verification key, etc. Indeed, using such cryptographic trapdoors in the FLS paradigm leads to non-black-box use of one-way functions.

The second WI protocol run by \(\mathcal {P}\) is essentially the 3-round WI protocol that we constructed earlier which proves that either the committed message m satisfies the predicate or m is the trapdoor. We show that a combination of these two special purpose WI protocols is a zero-knowledge commit and prove by carefully relying on the timing of the messages exchanged and the delayed input property of the second WI. We refer the reader to the main body for the details.

3 Preliminaries

In this section, we recall some preliminaries and tools that will be useful in our constructions. We will denote the security parameter by \(\lambda \), and we will say that a function \(f: \mathbb {N} \rightarrow \mathbb {N}\) is negligible if for every polynomial \(p(\cdot )\) and all sufficiently large n it holds that \(f(n) < \frac{1}{p(n)}\). We use the abbreviation PPT to denote probabilistic polynomial-time.

3.1 Commitment Schemes

A commitment scheme enables a party, known as the sender S, to commit to a value while keeping it secret from the receiver R – this property is called hiding. Furthermore, it is guaranteed that at a later stage, the opening of the commitment can only yield a single value – this property is called binding. We consider commitment schemes that are statistically binding and computationally hiding.

Definition 1

(Commitment schemes). A commitment scheme \(\langle C (m), R \rangle \) is a two-phase protocol between a committer \(\mathcal {C}\) and receiver \(\mathcal {R}\). At the beginning of the protocol, \(\mathcal {C}\) obtains as input a message \(m \in \{0, 1\}^p\). Next, \(\mathcal {C}\) and \(\mathcal {R}\) execute the commit phase, and obtain commitment transcript \(\tau \leftarrow \mathsf {Commit}\langle \mathcal {C}(m), \mathcal {R}\rangle \). They also store (private) randomness used respectively by \(\mathcal {C}\) and \(\mathcal {R}\) as \(\mathsf {state}_{{\mathcal {C}, \tau }}\) and \(\mathsf {state}_{{\mathcal {R}, \tau }}\). At the end of this phase, \(\mathcal {R}\) outputs 0 or 1, where 1 denotes that \(\mathcal {R}\) accepted the commitment phase. The view of the receiver (including its coins, any auxiliary information z and transcript) at the end of this phase is denoted by \(\mathsf {View}_{\mathcal {R}}\langle \mathcal {C}(M), \mathcal {R}(z) \rangle \).

Later, \(\mathcal {C}\) and \(\mathcal {R}\) possibly engage in another (interactive) decommit phase, which we denote by \(\mathsf {Decommit}\langle \tau , \mathcal {C}(m, \mathsf {state}_{\mathcal {C}, \tau }), \mathcal {R}(\mathsf {state}_{\mathcal {R}, \tau }) \rangle \) at the end of which \(\mathcal {R}\) outputs \(\bot \) or a message \(\widetilde{m} \in \{0, 1\}^p\).

We require these algorithms to satisfy the following properties:

  • Correctness. If \(\mathcal {C}, \mathcal {R}\) honestly follow the protocol, .

  • Computational hiding. For every PPT machine \(R^*\) with auxiliary information z, the distributions \(\{\mathsf {View}_{\mathcal {R}}\langle \mathcal {C}(m), \mathcal {R}(z) \rangle \}\) and \(\{\mathsf {View}_{\mathcal {R}}\langle \mathcal {C}(0), \mathcal {R}(z) \rangle \}\) are computationally indistinguishable.

  • Statistical binding. For any (unbounded) malicious \(\mathcal {C}^*\),

    $$\begin{aligned} \Pr \big [ \mathcal {R}\text { accepts decommitment to } \widetilde{m}_1 \text { and } \widetilde{m}_2 \text { where } \widetilde{m}_1 \ne \widetilde{m}_2] \le \mathsf {negl}(\lambda ) \end{aligned}$$

    where the probability is over the randomness of sampling \( \left( \tau \leftarrow \mathsf {Commit}\right. \left. \langle \mathcal {C}^*, \mathcal {R}\rangle \right) \), \(\left( \widetilde{m}_1 \leftarrow \mathsf {Decommit} \langle \tau , \mathcal {C}^*, \mathcal {R}(\mathsf {state}_{\mathcal {R}, \tau }) \rangle \right) \) and \(\left( \widetilde{m}_2 \leftarrow \mathsf {Decommit} \langle \tau , \mathcal {C}^*,\right. \left. \mathcal {R}(\mathsf {state}_{\mathcal {R}, \tau }) \rangle \right) .\) We will say that the scheme satisfies computational binding if the above holds for any PPT committer \(\mathcal {C}^*\) with auxiliary input z.

We now define an extractable commitment scheme [37, 38]. Intuitively, a commitment scheme is extractable if there exists an expected polynomial time machine that can extract the value committed by a cheating committer.

Definition 2

(Extractable Commitments). A commitment scheme is said to be extractable, if there exists a PPT oracle algorithm E that given \(\tau \leftarrow \mathsf {Commit}\langle \mathcal {C}^*, \mathcal {R}\rangle \) and oracle access to \(\mathcal {C}^*\), outputs \(\widetilde{m}, r\) such that \(\exists r\) where \(\tau = \mathsf {Commit}\langle \mathcal {C}(\widetilde{m}), \mathcal {R}\rangle \) using randomness r for \(\mathcal {C}\).

An equivocal commitment scheme allows an expected polynomial time machine called as the equivocator to equivocate a commitment transcript to any chosen committed value. Equivocal commitments have been extensively used to obtain round optimal constructions of secure two-party and multiparty computations [10, 29].

Definition 3

(Equivocal Commitments). A commit-and-prove scheme is equivocal if there exists a PPT oracle algorithm \(\mathsf {Eq}\) that interacts with oracle access to any malicious receiver \(\mathcal {R}^*\) to output a commitment transcript \(\widetilde{\tau }\). Next, it obtains externally generated string \(m'\), and then runs \(\mathsf {Decommit} \langle \widetilde{\tau }, \mathsf {Eq}^{\mathcal {R}^*}, \mathcal {R}^* \rangle \). Then, we require that the distributions

$$\begin{aligned}&\mathsf {View}_{\mathcal {R}^*}( \tau \leftarrow \mathsf {Commit}\langle \mathcal {C}(M'), \mathcal {R}^* \rangle , \mathsf {Decommit} \langle \tau , \mathcal {C}, \mathcal {R}^* \rangle ) \text { and } \\&\quad \mathsf {View}_{\mathcal {R}^*}( \widetilde{\tau } \leftarrow \mathsf {Commit} \langle \mathsf {Eq}^{\mathcal {R}^*}, \mathcal {R}^* \rangle , \mathsf {Decommit} \langle \widetilde{\tau }, \mathsf {Eq}^{\mathcal {R}^*}, \mathcal {R}^* \rangle ) \end{aligned}$$

are computationally indistinguishable.

3.2 Commit-and-Prove Protocols

We start with the definition of commit and prove witness indistinguishable proof of knowledge. Our construction of commit and prove witness indistinguishable proof of knowledge satisfies a weaker notion of 1-of-2 binding. Intuitively, 1-of-2 binding states that there exists at most two different messages that a committed transcript can be opened to.

Definition 4

(Commit-and-Prove Witness Indistinguishable Proof of Knowledge). A commit-and-prove witness indistinguishable proof of knowledge is a protocol between a prover \(\mathcal {P}\) and verifier \(\mathcal {V}\). It consists of two phases, a commit phase and reveal phase.

In the commit phase, \(\mathcal {P}\) interacts with \(\mathcal {V}\) to commit to a message m. It also proves that the m satisfies some predicate \(\phi \), in other words it proves that \(\phi (m) = 1\). Let \(\tau \) denote the transcript \(\tau \leftarrow \mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}(m, \phi ), \mathcal {V}(\phi ) \rangle \). They also store (private) randomness used respectively by \(\mathcal {P}\) and \(\mathcal {V}\) as \(\mathsf {state}_{\mathcal {P}, \tau }\) and \(\mathsf {state}_{\mathcal {V}, \tau }\). At the end of this phase, \(\mathcal {V}\) outputs 0 or 1, where 1 denotes that \(\mathcal {V}\) accepted the commit-and-prove phase.

Later, the parties \(\mathcal {P}\) and \(\mathcal {V}\) possibly engage in another decommit phase, which we denote by \(\mathsf {Decommit}\langle \tau , \mathcal {P}(m, \mathsf {state}_{\mathcal {P}, \tau }), \mathcal {V}(\mathsf {state}_{\mathcal {V}, \tau }) \rangle \), at the end of which \(\mathcal {V}\) outputs \(\bot \) or \(\widetilde{m} \in \{0, 1\}^p\).

We require the protocol to satisfy the following conditions:

  • Completeness. If \(\mathcal {P}, \mathcal {V}\) honestly follow the protocol, .

  • Witness Indistinguishability. Let the view of a malicious verifier \(\mathcal {V}^*\) at the end of the commit phase when the honest prover has input message m be denoted by \(\mathsf {View}_{\mathcal {V}^*} (\mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}(m), \mathcal {V}^*(z) \rangle )\). For any malicious verifier \(V^*\), and any two messages \(m_1, m_2\) such that \(\phi (m_1) = 1\) and \(\phi (m_2) = 1\), the distributions \(\{P(m_1), V^*(z)\}\) and \(\{P(m_2), V^*(z)\}\) are computationally indistinguishable.

  • Proof of Knowledge. There exists a PPT oracle algorithm E that given oracle access to \(\mathcal {P}^*\) and \(\tau \leftarrow \mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}^*, \mathcal {R}(\phi ) \rangle \) outputs \(\widetilde{m}\) such that the following properties are satisfied for every PPT \(\mathcal {P}^*\):

    • \(\phi (\widetilde{m}) = 1\).

    • 1-of-2-Binding. This requires that the committer cannot decommit to two values \(m_1, m_2\), both of which are different from \(\widetilde{m}\). In other words, we require the commit-and-prove to bind any malicious committer to at least one out of two values. Formally, \(\Pr [ \widetilde{m} \not \in \{ {m}_1, {m}_2 \}] \le \mathsf {negl}(\lambda )\), whenever \({m}_1 \leftarrow \mathsf {Decommit} \langle \tau , \mathcal {P}^*, \mathcal {V}(\mathsf {state}_{\mathcal {V}, \tau }) \rangle \), and also when \({m}_2 \leftarrow \mathsf {Decommit} \langle \tau , \mathcal {P}^*, \mathcal {V}(\mathsf {state}_{\mathcal {V}, \tau }) \rangle \).

We now give the definition of commit and prove zero-knowledge argument of knowledge. We include the equivocality property into our zero-knowledge condition. This will be helpful when proving the security of our construction of equivocal commitment scheme.

Definition 5

(Commit-and-Prove Zero-Knowledge Arguments of Knowledge). A commit-and-prove zero-knowledge argument of knowledge is a protocol between a prover \(\mathcal {P}\) and verifier \(\mathcal {V}\). It consists of two phases, a commit phase and reveal phase.

In the commit phase, \(\mathcal {P}\) interacts with \(\mathcal {V}\) to commit to a message m. It also proves that the m satisfies some predicate \(\phi \), in other words it proves that \(\phi (m) = 1\). Let \(\tau \) denote the transcript \(\tau \leftarrow \mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}(m, \phi ), \mathcal {V}(\phi ) \rangle \). They also store (private) randomness used respectively by \(\mathcal {P}\) and \(\mathcal {V}\) as \(\mathsf {state}_{\mathcal {P}, \tau }\) and \(\mathsf {state}_{\mathcal {V}, \tau }\). At the end of this phase, \(\mathcal {V}\) outputs 0 or 1, where 1 denotes that \(\mathcal {V}\) accepted the commit-and-prove phase.

Later, the parties \(\mathcal {P}\) and \(\mathcal {V}\) possibly engage in another decommit phase, which we denote by \(\mathsf {Decommit}\langle \tau , \mathcal {P}(m, \mathsf {state}_{\mathcal {P}, \tau }), \mathcal {V}(\mathsf {state}_{\mathcal {V}, \tau }) \rangle \), at the end of which \(\mathcal {V}\) outputs \(\bot \) or \(\widetilde{m} \in \{0, 1\}^p\).

We require the protocol to satisfy the following conditions:

  • Completeness. If \(\mathcal {P}, \mathcal {V}\) honestly follow the protocol, .

  • Argument of Knowledge. There exists a PPT oracle algorithm E that given oracle access to \(\mathcal {P}^*\) and \(\tau \leftarrow \mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}^*, \mathcal {R}(\phi ) \rangle \) outputs \(\widetilde{m}\) such that the following properties are satisfied for every PPT \(\mathcal {P}^*\):

    • \(\phi (\widetilde{m}) = 1\).

    • Computational Binding. \(\Pr \big [ {m} \leftarrow \mathsf {Decommit} \langle \tau , \mathcal {P}^*, \mathcal {R}(\mathsf {state}_{\mathcal {R}, \tau }) \rangle \wedge m \ne \widetilde{m}] \le \mathsf {negl}(\lambda )\).

  • Zero-Knowledge. Let \(\mathsf {View}_{\mathcal {V}^*} (\mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}( m), \mathcal {V}^*(z) \rangle )\) denote the view of a malicious verifier \(\mathcal {V}^*\) at the end of the commit phase when the honest prover has input message m such that \(\phi (m)=1\). There exists a simulator \(\mathsf {Sim}\) that outputs \(\mathsf {View}_{\mathsf {Commit}}(\mathsf {Sim}^{\mathcal {V}^*})\). Next, it obtains input m and outputs \(\mathsf {View}_{\mathsf {Decommit}}(\mathsf {Sim}^{\mathcal {V}^*}(m))\). Then, we require that for all values m,

    $$\begin{aligned}&\left( \mathsf {View}_{\mathsf {Commit}}(\mathsf {Sim}^{\mathcal {V}^*}), \mathsf {View}_{\mathsf {Decommit}}(\mathsf {Sim}^{\mathcal {V}^*}(m)) \right) {\mathop {\approx }\limits ^{c}} \\&\big ( \mathsf {View}_{\mathcal {V}^*} (\mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}(m), \mathcal {V}^*(z) \rangle ), \mathsf {Decommit} \langle \tau , \mathcal {P}(\mathsf {state}_{\mathcal {P}, \tau }), \mathcal {V}^* \big ) \end{aligned}$$

    In particular, this also implies that any malicious verifier \(V^*\), and any two messages \(m_1, m_2\) such that \(R(\phi , m_1) = 1\) and \(R(\phi , m_2) = 1\), the distribution \(\mathsf {View}_{\mathcal {V}^*} (\mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}(m_1), \mathcal {V}^*(z) \rangle )\) and the distribution \(\mathsf {View}_{\mathcal {V}^*} (\mathsf {Commit}\text {-}\mathsf {and}\text {-}\mathsf {Prove}\langle \mathcal {P}(m_2), \mathcal {V}^*(z) \rangle )\) are computationally indistinguishable.

Remark 1

A commit-and-prove protocol is said to satisfy delayed-input completeness, if \(\mathcal {P}, \mathcal {V}\) obtain the predicate \(\phi \) in the last round of a protocol.

3.3 Robust Offline/Online Randomized Encoding

We start with the definition of a randomized encoding [2, 3, 24].

Definition 6

(Randomized Encoding). Let \(f: \{0, 1\}^n \rightarrow \{0, 1\}^\ell \) be a function. Then a function \(\hat{f}: \{0, 1\}^n \times \{0, 1\}^m \rightarrow \{0, 1\}^s\) is said to be a randomized encoding of f, if:

  • Correctness: There exists a decoder algorithm \(\mathsf {Dec}\) such that for any input \(x \in \{0, 1\}^n\), except with negligible probability over the randomness of the encoding and the random coins of \(\mathsf {Dec}\), it holds that \(\mathsf {Dec}(\hat{f}(x, U_m)) = f(x)\).

  • Computational (statistical) privacy: There exists a PPT simulator \(\mathcal {S}\), such that for any input \(x \in \{0, 1\}^n\) the following distributions are computationally (statistically) indistinguishable:

    • \(\{\hat{f}(x, U_m)\}_{n \in \mathbb {N}, x \in \{0, 1\}^n}\), and,

    • \(\{\mathcal {S}(f(x))\}_{n \in \mathbb {N}, x \in \{0, 1\}^n}\)

We recall the definition of robust randomized encoding from [21].

Definition 7

(Robust Offline/Online Randomized Encoding). [21] A randomized encoding is called an online/offline encoding, if there exists functions \(\widehat{f}_{\mathrm {off}}\) and \(\widehat{f}_{\mathrm {on}}\) such that \(\widehat{f}(x;r) = (\widehat{f}_{\mathrm {off}}(r), \widehat{f}_{\mathrm {on}}(x,r))\). That is, there exists an offline component that does not depend on the input, and an online component which is a function of the input. It is called robust if additionally, it holds that: if there exists no x such that \(f(x) = a\), then for any r, there does not exist any z such that \(\mathsf {Dec}(\widehat{f}_{\mathrm {off}}(r),z) = a\).

In Appendix A, we describe a simplified variant of the construction of robust offline/online randomized encodings from [21], that only assumes one-way functions.

4 Three-Round Black-Box Commit-and-Prove WIPoK

In this section, we describe a three-round black-box commit-and-prove witness indistinguishable proof of knowledge protocol.

4.1 Construction

The construction is described in Fig. 1, and uses a robust randomized encoding \((\widehat{f}^{\mathrm {off}}, \widehat{f}^{\mathrm {on}})\), secure in the presence of adaptive choice of inputs.

We have the following theorem.

Fig. 1.
figure 1

Black-box witness indistinguishable proof of knowledge

Full size image

Theorem 1

The protocol described in Fig. 1 is a black-box commit-and-prove witness indistinguishable argument of knowledge according to Definition 4.

The completeness of the protocol can be easily verified from inspection. Furthermore, the protocol only makes black-box access to a non-interactive commitment scheme and a robust randomized encoding. Recall that a robust randomized encoding can be constructed from black-use of a one-way function. We now show witness indistinguishability.

Lemma 1

The protocol described in Fig. 1 satisfies witness indistinguishability according to Definition 4.

Proof

To prove witness indistinguishability of this protocol, we consider the following sequence of hybrid experiments.

The first hybrid \(\mathsf {Hyb}_{0}\) corresponds to the view of a (malicious) verifier interacting with an honest prover that follows the protocol in Fig. 1 using the message \(m_0\) for the predicate \(\phi \).

We define a hybrid \(\mathsf {Hyb}_{0,k}\) for each \(k \in [0,\lambda ]\) that corresponds to the view of a (malicious) verifier interacting with a prover that uses the message \(m_1\) in the first k instances and the message \(m_0\) in the remaining instances. To be more precise, the prover in \(\mathsf {Hyb}_{0,k}\) does the following:

  • In round-1,

    1. 1.

      \(\mathcal {P}\) chooses \(r,s \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\mathbb {F}\).

    2. 2.

      For \(i \in [k]\), \(\mathcal {P}\) does the following:

      1. (a)

        Choose \(w^i_{0}\mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\mathbb {F}^3\) and compute \(w^i_{1} := w^i_{0} \oplus (m_1 \Vert \bot \Vert s)\).

      2. (b)

        Choose \(\omega _i \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\{0, 1\}^*\) and compute \(\widehat{f}^{\mathrm {off}}(\omega _i)\) and \(\tau _i \leftarrow \mathsf {Com}(w^i_{1})\).

      3. (c)

        Send \((\widehat{f}^{\mathrm {off}}(\omega _i),\tau _i)\).

    3. 3.

      For \(i \in [k+1,\lambda ]\), \(\mathcal {P}\) does the following:

      1. (a)

        Choose \(w^i_{0}\mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\mathbb {F}^3\) and compute \(w^i_{1} := w^i_{0} \oplus (m_0 \Vert r \Vert \bot )\).

      2. (b)

        Choose \(\omega _i \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\{0, 1\}^*\) and compute \(\widehat{f}^{\mathrm {off}}(\omega _i)\) and \(\tau _i \leftarrow \mathsf {Com}(w^i_{1})\).

      3. (c)

        Send \((\widehat{f}^{\mathrm {off}}(\omega _i),\tau _i)\).

  • In round-3,

    1. 1.

      \(\mathcal {P}\) sends \(b := s + \beta m_1\) and \(a = r + \alpha m_0\). Additionally, for every \(i \in [\lambda ]\), \(\mathcal {P}\) does the following:

      1. (a)

        If \(\mathsf {ch}_i = 0\), send \(w^i_{0}, \omega _i\).

      2. (b)

        If \(\mathsf {ch}_i = 1\), send \(\widehat{f}^{\mathrm {on}}(\phi ||\alpha ||\beta ||w_{1}^i\Vert (a,b) ,\omega _i)\), and decommit to \(\tau _i\).

Claim

Assuming the hiding property of \(\mathsf {Com}\) and the adaptive security of robust randomized encoding, \(\mathsf {Hyb}_{0,k-1} \overset{c}{\approx }\mathsf {Hyb}_{0,k}\) for each \(k \in [\lambda ]\).

Proof

Assume for the sake of contradiction that there exists a malicious verifier that can distinguish \(\mathsf {Hyb}_{0,k-1}\) and \(\mathsf {Hyb}_{0,k}\) with non-negligible probability. We will construct an adversary \(\mathcal {B}\) that breaks the security of either the robust randomized encoding or the hiding property of \(\mathsf {Com}\) with non-negligible probability. \(\mathcal {B}\) chooses a bit \(b_k \overset{\$}{\leftarrow }\{0,1\}\).

  • Case-1: \(b_k = 0\). In this case, \(\mathcal {B}\) does the following:

    1. 1.

      For all \(i \ne k\), \(\mathcal {B}\) generates the commitments and the randomized encoding as in \(\mathsf {Hyb}_{0,k-1}\). For \(i = k\), it does the following:

      1. (a)

        Choose \(w^i_{0}\mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\mathbb {F}^3\) and compute \(w^i_{1} := w^i_{0} \oplus (m_0 \Vert r \Vert \bot )\) and \(\widehat{w}^i_1 := w^i_{0} \oplus (m_1 \Vert \bot \Vert s)\). Give the two messages \(w^i_0,\widehat{w}^i_1\) as the challenge messages to the hiding property of \(\mathsf {Com}\). Obtain the challenge commitment \(\tau _i\).

      2. (b)

        Choose \(\omega _i \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\{0, 1\}^*\) and compute \(\widehat{f}^{\mathrm {off}}(\omega _i)\) and \(\tau _i \leftarrow \mathsf {Com}(w^i_{1})\).

      3. (c)

        Send \((\widehat{f}^{\mathrm {off}}(\omega _i),\tau _i)\).

    2. 2.

      If \(\mathsf {ch}_k\) obtained from the receiver is not equal to \(b_k\), we abort and output a random bit. Else, continue the protocol as per the description of \(\mathsf {Hyb}_{0,k-1}\). Output whatever the verifier outputs

    3. 3.

      Note that if \(\tau _k\) is a commitment to \(w^i_{1}\) then the distribution is identical to \(\mathsf {Hyb}_{0,k-1}\); else, it is identical to distribution \(\mathsf {Hyb}_{0,k}\). Thus, if the malicious verifier can distinguish between \(\mathsf {Hyb}_{0,k-1}\) and \(\mathsf {Hyb}_{0,k}\) with probability p then \(\mathcal {B}\) breaks the hiding of the commitment scheme with probability at least p / 2.

  • Case-2: \(b_k = 1\). In this case, \(\mathcal {B}\) does the following:

    1. 1.

      For all \(i \ne k\), \(\mathcal {B}\) generates the commitments and the randomized encoding as in \(\mathsf {Hyb}_{0,k-1}\). For \(i = k\), it does the following:

      1. (a)

        Choose \(w^i_{1}\mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\mathbb {F}^3\) and computes \(w^i_{0} := w^i_{1} \oplus (m_0 \Vert r \Vert s)\) and \(\widehat{w}^i_0 := w^i_{1} \oplus (m_1 \Vert {r} \Vert s)\). Give to the randomized encoding challenger two circuits \(f[{w^i_0}]\) and \(f[{\widehat{w}^i_0}]\) as the challenge circuits. Obtain \(\widehat{f}^{\mathrm {off}}\) as the challenge circuit.

      2. (b)

        Send \(\widehat{f}^{\mathrm {off}}\) and \(\tau _i \leftarrow \mathsf {Com}(w^i_1)\).

    2. 2.

      If \(\mathsf {ch}_k\) obtained from the receiver is not equal to \(b_k\), we abort and output a random bit. Else,

      1. (a)

        Obtain \(\alpha \) from the verifier.

      2. (b)

        Send \(\phi ||\alpha ||\beta ||w_{1}^i\Vert (a,b) ,\omega _i\) as the challenge input to the randomized encoding challenger and obtain \(\widehat{f}^{\mathrm {on}}\).

      3. (c)

        Send \(\widehat{f}^{\mathrm {on}}\) as response to \(\mathsf {ch}_k\) and decommit to \(\tau _k\).

    3. 3.

      Finally, output whatever the verifier outputs.

    Notice that the output of the two circuits \(f[w^i_0]\) and \(f[\widehat{w}^i_0]\) on the challenge input is exactly the same. Thus, \(\mathcal {B}\) constitutes a valid challenger to the adaptive security of randomized encoding. Thus, if \(\widehat{f}^{\mathrm {off}}\) corresponds to a offline randomized encoding of \(f_{w^i_0}\), the view of the malicious verifier is identical to \(\mathsf {Hyb}_{0,k-1}\). Else, the view is identical to \(\mathsf {Hyb}_{0,k}\). Thus, a malicious verifier distinguishing \(\mathsf {Hyb}_{0,k-1}\) and \(\mathsf {Hyb}_{0,k}\) can be used to break the security of robust randomized encodings.

We now prove that \(\mathsf {Hyb}_{0,0}\) is identically distributed to \(\mathsf {Hyb}_0\). Notice that \(\mathsf {Hyb}_{0,0}\) is the same as \(\mathsf {Hyb}_0\), except that the prover sends \(b = s + \beta m_1\) instead of sampling b uniformly at random. Since s is information theoretically hidden in both \(\mathsf {Hyb}_{0,0}\) and \(\mathsf {Hyb}_0\) it follows that both these distributions are identical. A similar argument shows that \(\mathsf {Hyb}_{0,\lambda }\) is identical to \(\mathsf {Hyb}_1\). This completes the proof of the claim.

The proof of WI follows by noting that \(\mathsf {Hyb}_{0,\lambda }\) is distributed identically to the case where the prover uses the witness \(W_1\) to generate the proof.

We will now prove that it is an argument of knowledge:

Lemma 2

The protocol in Fig. 1 is a proof of knowledge against PPT provers, even for statements chosen adaptively by such a prover in the last round, according to Definition 4.

Proof

We begin by describing the extractor (having oracle access to a PPT prover \(\mathcal {P}^*\)) that takes as input an accepted transcript \(\mathbb {T}\) and outputs a value \(\widetilde{m}\) such that \(\phi (\widetilde{m}) = 1\) and there exists at most two messages \(\widetilde{m}_1,\widetilde{m}_2\) such that \(\widetilde{m} \in \{\widetilde{m}_1,\widetilde{m}_2\}\) and either \(\mathcal {P}^*\) will decommit to \(\widetilde{m}_1\) or \(\widetilde{m}_2\).

The extractor rewinds the cheating prover \(\mathcal {P}^*\) to the beginning of the third round multiple times, and gives different uniformly chosen challenge messages \(ch \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\{0,1\}^{\lambda }\). It stops when it obtains for some \(i \in [\lambda ]\), two decommitments \(w^i_0, w_1^i\) such that \(w^i_0 \oplus w^i_1 = (m \Vert r \Vert s)\), and outputs m if \(\phi (m)\), and \(r + \alpha m = a\) or \(s + \beta m = b\) from the main thread.

Let \(\mathbb {T}\) be the accepted protocol transcript. Because of robustness of the randomized encoding and a simple averaging argument, we note that with overwhelming probability over the choice of random challenge \(ch \in \mathbb {T}\), at least \(\lambda - O(\log ^2 \lambda )\) indices i are such that \(f_{w^i_0}(\phi ,\alpha ,\beta ,w^i_1,a,b) \ne \bot \). Let S be the set of indices i such that the above is true. Then, we have for each \(i \in S\), let \(w^i_1 \oplus w^i_0 = (m_i \Vert r_i \Vert s_i)\) where \(\phi (m_i) = 1\). Further, for every \(i \in S\), we now have from the definition of f that, \(r_i + \alpha m_i = a\) and \(s_i + \beta m_i = b\). With overwhelming probability over \(\alpha ,\beta \), this is possible only if there exists at most two values \(\widetilde{m}_1,\widetilde{m}_2\) such that \(m_i \in \{\widetilde{m}_1,\widetilde{m}_2\}\) for all \(i \in S\) (by Schwartz-Zippel lemma).

We finally argue that the extractor runs in expected polynomial time. Let p be the probability that conditioned on the first two messages of the protocol, the prover \(\mathcal {P}^*\) generates an accepting proof. Since the running time of the extractor in each rewind is bounded by some polynomial \(\mathrm{poly}(\lambda )\), we have that the expected running time of the extractor is \(p\,.\,\frac{\mathrm{poly}(\lambda )}{p} = \mathrm{poly}(\lambda )\).

4.2 Black-Box One-Binding Commitment to Two Strings

In this section, we describe how to use the black-box commit-and-prove WIPoK to generate a commitment to two strings such that one of the two commitments is binding, and the other can be freely equivocated by a simulator. Such a protocol can also be built using ideas from [34], however, we give a direct instantiation via a slight modification of our black-box commit-and-prove WIAoK. This scheme is referred to as \(\mathsf {two}\text {-}\mathsf {com}\), and is described in Fig. 2.

We also note that unlike [34], when we use scheme \(\mathsf {two}\text {-}\mathsf {com}\), honest parties will never need to rely on equivocation, and equivocation will only be used in the proof of security.

Fig. 2.
figure 2

Commitment to two strings where one is binding

Full size image

Witness indistinguishability of the argument of binding of one of the two commitments follows directly via witness indistinguishability of the underlying protocol, using an identical proof to the one in Lemma 1.

We will now argue why the protocol in Fig. 2 is such that any (malicious) committer is bound to one of the two openings \(m \in \{m_0, m_1\}\), by the end of the first round. This relies on soundness of the witness indistinguishable argument. Specifically, by the Schwartz-Zippel lemma, there exist at most two witnesses \(W, W'\) such that at least \((\lambda - \log ^2 n)\) parallel executions generated by a malicious committer, have a commitment to either W or \(W'\), or both. Now, because of the soundness of individual WI arguments, once the first message has been committed, in the third message, any (malicious) committer can only open to \(m_0, m_1\) such that:

  • If in the first message, all but \(\log ^2 n\) commitments were to the same witness W, then either \(W = m_0\) or \(W = m_1\).

  • If in the first message, all but \(\log ^2 n\) commitments were to two witnesses \(W, W'\) then \(W = m_0, W' = m_1\) or vice-versa.

5 Four-Round Black-Box Commit-and-Prove Zero-Knowledge

In this section, we describe a black-box commit-and-prove zero-knowledge argument in four rounds based on injective one-way functions. We start with a description of the main tools used in the construction.

5.1 Construction

Our construction is described formally in Fig. 3, and makes use of the following primitives:

  • A non-interactive, statistically binding commitment \(\mathsf {Com}\).

  • A three-round commitment to two strings, together with a black-box witness-indistinguishable proof that one of the two commitments is binding by the end of the first round. We also require the other commitment to be equivocal. Such a scheme is described in [34], Sect. 3. Let \(\mathsf {two}\text {-}\mathsf {com}(s_1, s_2)\) denote such a scheme for committing to strings \(s_1\) and \(s_2\).

  • A robust randomized encoding \(\widehat{f}^{\mathrm {off}}, \widehat{f}^{\mathrm {on}}\) according to Definition  6.

Fig. 3.
figure 3

Four round black-box commit-and-prove ZKAoK

Full size image

5.2 Proof of Security

We start with the lemma which shows that the protocol described in Fig. 1 is a commitment to the witness w.

Lemma 3

The protocol described in Fig. 3 is a statistically binding commitment to the element \(w \in \mathbb {F}\).

Proof

We start with the description of the decommit phase and then argue statistical binding and computational hiding of the protocol.

The decommit phase involves opening the commitments \(\sigma _i\), \(\sigma '_i\) and \(\sigma ^*_{i}\) and sending \(w^i_0\) for every \(i \in [\lambda ]\). For each \(i \in [\lambda ]\), compute \(w_i\Vert r_i := w^i_0 + w^i_1\) (where a value is substituted with a default symbol if the decommitment information is not valid) and output the value w that occurs in more than \(\lambda /2\) positions. If there is no w that occurs in more that \(\lambda /2\) positions then we reject the decommitment information.

Since the commitment sent in the second round of the protocol is statistically binding and we have defined the decommitment phase to output the majority of the committed values, we note that there can exist at most one valid decommitment to a protocol transcript except with negligible probability. Thus, the protocol is statistically binding. We note that computational hiding property follows the zero-knowledge property we later show.

Lemma 4

The protocol in Fig. 3 is an argument of knowledge against PPT provers, even for statements chosen adaptively by such a prover in the last round, according to Definition 5.

Proof

We begin by describing the extractor (having oracle access to a PPT prover \(\mathcal {P}^*\)) that takes as input an accepted transcript \(\mathbb {T}\) and outputs a value \(w \in \mathbb {F}\) that occurs in majority of the positions and is such that \(R(x,w)=1\).

The extractor rewinds the cheating prover \(\mathcal {P}^*\) to the beginning of the third round and gives different uniformly chosen challenge messages \(ch \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\{0,1\}^{\lambda }\). The extractor stops when it obtains for some \(i \in [\lambda ]\), two decommitments \(w^i_0,w^1_i\) such that \(w^i_0 \oplus w^i_1 = (w \Vert r)\) and outputs w if \(r + \alpha w = a\) from the main thread.

We will now prove that for any PPT prover, the extracted w is such that \(R(x, w) = 1\) – in particular, we will show that for any PPT prover, \(\Pr [s = \widehat{s}_0 \text { or } s = \widehat{s}_1] \le \mathsf {negl}(\lambda )\). Suppose for contradiction there exists a polynomial \(\mathrm{poly}(\cdot )\) and \(\beta \in \{0, 1\}\) such that \(\Pr [s = \widehat{s}_\beta ] \ge \frac{1}{\mathrm{poly}(\lambda )}\). We will use this to contradict witness indistinguishability of \(\mathsf {two}\text {-}\mathsf {com}\), or the hiding of the commitments in \(\mathsf {two}\)-\(\mathsf {com}\). We consider the following sequence of hybrid experiments.

\(\mathsf {Hyb}_0\) corresponds to the real experiment, where the challenger generates the verifier messages according to the honest verifier strategy, such that the commitment \(\widehat{s}_0\) is equivocable and the commitment \(\widehat{s}_{1}\) is binding for \(\gamma \in \{0, 1\}\). It then uses the extraction strategy described above to extract s such that \(\Pr [s = \widehat{s}_\beta ] \ge \frac{1}{\mathrm{poly}(\lambda )}\) for some \(\beta \in \{0, 1\}\).

In \(\mathsf {Hyb}_{1a}\), the challenger sends messages exactly the same way as \(\mathsf {Hyb}_0\), except that it samples \(\widehat{s} \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\{0, 1\}^\lambda \), and in the third message, equivocates \(\widehat{s}_{0}\) to \(\widehat{s}\). The value extracted by the challenger must remain indistinguishable between \(\mathsf {Hyb}_0\) and \(\mathsf {Hyb}_1\), because of the equivocation property of the commitment to \(\widehat{s}_{0}\). However, since \(\widehat{s}\) was chosen uniformly at random and independent of \(\widehat{s}_0\), the probability that \(\widehat{s}\) equals \(s_1^i \oplus s_0^i\) (which are both fixed before \(\widehat{s}\) is chosen), is at most \(2^{-\lambda }\). Otherwise, \(\beta = 1\) and we consider the following sequence of hybrids.

In \(\mathsf {Hyb}_{1b}\), the challenger sends messages the same way as \(\mathsf {Hyb}_0\), except that the commitment \(\widehat{s}_0\) is binding and the commitment \(\widehat{s}_{1}\) is equivocable for \(\gamma \in \{0, 1\}\). It then uses the extraction strategy described above to extract s. By witness indistinguishability of the argument, this is such that \(\Pr [s = \widehat{s}_1] \ge \frac{1}{\mathrm{poly}(\lambda )}\).

In \(\mathsf {Hyb}_2\), the challenger sends messages exactly the same way as \(\mathsf {Hyb}_{1b}\), except that it samples \(\widehat{s} \mathbin {{\mathop {\leftarrow }\limits ^{\,\tiny \$}}}\{0, 1\}^\lambda \), and in the third message, equivocates \(\widehat{s}_{1}\) to \(\widehat{s}\). The value extracted by the challenger must remain indistinguishable between \(\mathsf {Hyb}_{1b}\) and \(\mathsf {Hyb}_2\), because of the equivocation property of the commitment to \(\widehat{s}_{1}\). However, since \(\widehat{s}\) was chosen uniformly at random and independent of \(\widehat{s}_0\), the probability that \(\widehat{s}\) equals \(s_1^i \oplus s_0^i\) (which are both committed by the prover even before \(\widehat{s}\) is chosen), is at most \(2^{-\lambda }\).

We now argue that the extracted w occurs in the majority of positions. Let \(\mathbb {T}\) be the accepted protocol transcript. We note that with overwhelming probability over the choice of random challenge \(ch \in \mathbb {T}\), at least \(\lambda - O(\log ^2 \lambda )\) positions are such that \(f_{w^i_0,s^i_0}(x,\alpha ,w^i_1,s^i_1,a,\widehat{s}_0,\widehat{s}_1) = (1,x,\alpha ,w^i_1,s^i_1,(a,\widetilde{a}))\). This follows from the robustness property of the randomized encoding scheme. Let S be the set of positions such that the above is true. Additionally, we showed above that for any i (in particular, for any \(i \in S\)) \(s^i_0 \oplus s^i_1\) is not equal to \(\widehat{s}_0\) or \(\widehat{s}_1\) with overwhelming probability. Thus, we have for each \(i \in S\), let \(w^i_1 \oplus w^i_0 = (w_i \Vert r_i)\) where \(R(x,w_i) = 1\). Since \(f_{w^i_0,s^i_0}(x,\alpha ,w^i_1,s^i_1,a,\widehat{s}_0,\widehat{s}_1) = (1,x,\alpha ,w^i_1,s^i_1,(a,\widetilde{a}))\) for every \(i \in S\), we now have from the definition of f that, \(w_i\alpha + r_i = a\). With overwhelming probability over \(\alpha \), this is possible only if there exists \((w,r) \in \mathbb {F}\) such that \(w_i = w\) and \(r_i = r\) for all \(i \in S\) (by Schwartz-Zippel lemma).

We finally argue that the extractor runs in expected polynomial time. Let p be the probability that conditioned on fixing the first two messages of the main thread the prover \(\mathcal {P}^*\) gives an accepted proof. Since the running time of the extractor in each rewind is bounded by some polynomial \(\mathrm{poly}(\lambda )\), we have that the expected running time of the extractor is \(p\,.\,\frac{\mathrm{poly}(\lambda )}{p} = \mathrm{poly}(\lambda )\).

This completes the proof of soundness, and of the argument of knowledge property.

Lemma 5

The protocol in Fig. 3 is zero-knowledge against all PPT verifiers \(\mathcal {V}\).

Proof

We begin with a brief overview of the simulation strategy (for simplicity in this overview we only consider non-aborting verifiers). The simulator runs the verifier on randomly chosen prover message for the second round, and observes the openings \(\widehat{s}_0^{(1)}\) and \(\widehat{s}_1^{(1)}\). On learning \(\widehat{s}_0^{(1)}, \widehat{s}_1^{(1)}\), the simulator rewinds and sends a prover message by setting \(s = \widehat{s}_0^{(1)}\). If the verifier responds with \(\widehat{s}_0^{(2)} \ne \widehat{s}_0^{(1)}\), the simulator rewinds again and sets \(s = \widehat{s}_1^{(1)}\). Denote the response of the verifier in the second rewinding by \(\widehat{s}_0^{(3)}, \widehat{s}_1^{(3)}\).

Since the first message of \(\mathsf {two}\text {-}\mathsf {com}\) is binding to at least one string, if \(\widehat{s}_0^{(2)} \ne \widehat{s}_0^{(1)}\), then with overwhelming probability, it must be the case that the commitment to \(\widehat{s}_1\) is binding. In other words, \(s = \widehat{s}_1^{(1)} = \widehat{s}_1^{(3)}\) with overwhelming probability. In this case, the simulator uses s as witness to complete the proof. The general simulation strategy is detailed in Fig. 4.

Proof of Simulation Security. The proof that the simulated distribution is indistinguishable from the real distribution will rely on the witness indistinguishability of a three round sub-protocol that is being executed within the main protocol. Let us give the details.

Fig. 4.
figure 4

Simulation strategy for black-box commit-and-prove ZKAoK

Full size image

It was shown in [21] that the single execution (i.e., for each \(i \in [\lambda ]\)) of the sub-protocol is zero-knowledge with soundness error 1 / 2. Hence, this sub-protocol is also witness indistinguishable. The parallel repetition of any witness indistinguishable protocol preserves the WI property. This also directly proves that conditioned on not aborting, a real transcript is indistinguishable from an ideal transcript.

Next, we prove that the probability of abort is at most \(\mathsf {negl}(\lambda )\)-far between the real and ideal worlds. Note that by binding property of \(\mathsf {two}\)-\(\mathsf {com}\), the simulator obtains one opening out of \(\widehat{s}_0\) and \(\widehat{s}_1\) correctly. Therefore, the simulation proceeds to Step 4(b) after at most two non-aborting rewinds. Now, the simulator rewinds the verifier in Step 4(b): by computational hiding of the second message of the protocol, the probability that the simulated view aborts in these rewindings at the end of Step 3 is at most \(p \pm \mathsf {negl}(\lambda )\), where p is the probability that the verifier aborts after the second message, when interacting with an honest prover. Conditioned on the verifier not aborting in step 3, the simulator persists after rewinding until the verifier sends a non-aborting message. Thus, the probability of abort in the ideal world remains \(p \pm \mathsf {negl}(\lambda )\).

However, this strategy still suffers from the problem that the simulator may not be expected polynomial time. This issue, akin to [11] is resolved by ensuring that the simulator does not run for too long. Specifically, if the adversary did not abort in Step 3, and the simulator proceeds to the rewinding phase, then it first estimates the value of p, which is the probability that the verifier \(V^*\) did not abort given commitments to 0 values. This is done by repeating Steps 2 and 3 of the simulation (with fresh random commitments to all zeroes) until \(m = 12 \lambda \) successful decommits occur (to the same string q that it decommitted to in the main thread). Then, an estimate \(\widetilde{\epsilon }\) of p is taken to be m / T, where T is the overall number of attempts until m successful decommits occured. This suffices to ensure that the probability that \(\widetilde{\epsilon }\) is not within a constant factor of p is at most \(2^{-\lambda }\). An exact analyses of the probabilities can be found in Sect. 6.5.3 in [20].

Finally, we can switch the simulator to using the trapdoor witness in the three-round WI sub-protocol. More formally, we consider an intermediate hybrid \(\mathsf {Hyb}_{1}\), where the simulator follows the strategy above but continues to use the real witness in the WI argument.

Claim

\(\mathsf {Hyb}_1\) is computationally indistinguishable from the ideal world.

Proof

To prove that \(\mathsf {Hyb}_1\) and the ideal world are computationally indistinguishable, we build the following reduction R to the witness indistinguishability of the underlying protocol. The reduction R first completes the experiment by rewinding the adversary using the [11] strategy described above to extract the value \(s = \widehat{s}_0\) or \(\widehat{s}_1\). Next, the reduction rewinds back to the beginning of Step 2, and commits to s. It obtains the first message of the (delayed-input) WI argument externally, giving it both witnesses ws. In the third round, it computes \(a = r\alpha +w\) externally and obtains the WI argument externally proving at either \(a = r\alpha +w\) or \(s = \widehat{s}_0\) or \(s = \widehat{s}_1\).

Note that if w is used as witness, this corresponds to \(\mathsf {Hyb}_1\). If s is used as witness, the only difference between this and the simulation strategy is that the simulator computes a completely at random, instead of computing it as \(a = r\alpha +w\). These are perfectly indistinguishable because r completely hides w. Thus, any adversary that distinguishes \(\mathsf {Hyb}_1\) from the ideal world breaks the witness indistinguishability of \(\mathsf {two}\)-\(\mathsf {com}\).

Fig. 5.
figure 5

Black box equivocal commitment

Full size image

6 Extractable and Equivocal Commitments

We describe direct applications of our black-box commit-and-prove protocols to four round black-box extractable and equivocal commitments.

Extractable Commitments. The construction of black-box commit-and-prove ZK, given in Fig. 3, is already an extractable commitment to the witness w (proved in Lemma 4). The hiding of the extractable commitment scheme follows from the computational hiding of the commitment and the zero-knowledge property of the protocol proven in Lemma 5.

Equivocal Commitments. We give a construction of equivocal bit commitments in Fig. 5. This can be extended to an equivocal string commitments by committing to every bit using the protocol in Fig. 5. Our construction of equivocal bit commitment is standard: commit to two bits \(m_0\) and \(m_1\), and prove in zero-knowledge (via our round-optimal black-box commit-and-prove strategy) that \(m_0 = m_1\).

Lemma 6

The protocol in Fig. 5 is an equivocal commitment scheme.

Proof

The (computational) binding property of the scheme follows by the binding property of commit-and-prove ZK. The hiding of the equivocal commitment scheme follows directly based on the computational hiding of \(\mathsf {Com}\) (since the ZK proofs are not even completed in the commit phase).

The equivocal property is the most interesting, we now describe how this follows by simulating the zero-knowledge proof and generating a commitment to \(m_0 \ne m_1\). That is, we consider an intermediate hybrid \(\mathsf {Hyb}_1\) where the challenger commits to \(m_0 = m_1\) (just as in the real experiment), but starts simulating the underlying proof. This is indistinguishable from the real experiment by simulation security of the commit-and-prove protocol.

In the next hybrid, the challenger continues to simulate the ZK proof but sets \(m_0 \ne m_1\). This remains indistinguishable by the computational hiding of \(\mathsf {com}\). Note that the challenger can freely equivocate in this experiment. This completes our proof of security.