DistinguisherDependent Simulation in Two Rounds and its Applications
 25 Citations
 2.1k Downloads
Abstract

Tworound witness indistinguishable (WI) arguments for \(\mathrm {NP}\) from different assumptions than previously known.

Tworound arguments and threeround arguments of knowledge for \(\mathrm {NP}\) that achieve strong WI, witness hiding (WH) and distributional weak zero knowledge (WZK) properties in a setting where the instance is only determined by the prover in the last round of the interaction. The soundness of these protocols is guaranteed against adaptive provers.

Threeround twoparty computation satisfying inputindistinguishable security as well as a weaker notion of simulation security against malicious adversaries.

Threeround extractable commitments with guaranteed correctness of extraction from polynomial hardness assumptions.
Our threeround protocols can be based on DDH or QR or \(\text {N}^{\text {th}}\) residuosity and our tworound protocols require quasipolynomial hardness of the same assumptions. In particular, prior to this work, tworound WI arguments for NP were only known based on assumptions such as the existence of trapdoor permutations, hardness assumptions on bilinear maps, or the existence of program obfuscation; we give the first construction based on (quasipolynomial) DDH or QR or \(\text {N}^{\text {th}}\) residuosity.
Our simulation technique bypasses known lower bounds on blackbox simulation [GoldreichKrawcyzk’96] by using the distinguisher’s output in a meaningful way. We believe that this technique is likely to find additional applications in the future.
1 Introduction
The notion of zeroknowledge (ZK) proofs [38] is fundamental to cryptography. Intuitively, zeroknowledge proofs guarantee that the proof of a statement does not reveal anything beyond the validity of the statement. This seemingly paradoxical requirement is formalized via the simulation paradigm, namely, by requiring the existence of an efficient simulator that simulates the view of a malicious verifier, without access to any witness for the statement.
Over the years, ZK proofs (and arguments) have been integral to the design of numerous cryptographic protocols, most notably generalpurpose secure computation [36], as well as specific tasks such as cointossing, equivocal and/or extractable commitments and nonmalleable protocols [25]. Even protocols satisfying weaker notions of ZK such as strong witness indistinguishability and witness hiding (WH) [29], are typically constructed only via a ZK protocol^{1}. In particular, the round complexity of ZK determines the round complexity of known constructions for these tasks.
Goldreich and Krawcyzk (GK) [35] established that three round ZK arguments for \(\mathrm {NP}\) with blackbox simulation do not exist for languages outside \(\mathrm {BPP}\). Furthermore, all known nonblackbox simulation techniques [3] require more than three rounds.^{2} This has acted as a barrier towards achieving roundefficient protocols for many of the aforementioned tasks. In this work, we investigate the possibility of overcoming this barrier.
(When) Is ZK Necessary? ZK proofs are typically used to enforce “honest behaviour” for participants of a cryptographic protocol. The zeroknowledge property additionally ensures privacy of the inputs of honest parties. However, many applications of ZK described above do not themselves guarantee simulationbased security but only weaker indistinguishabilitybased security. As such, it is not immediately clear whether the “full” simulation power of ZK is necessary for such applications.
For example, strong witness indistinguishability requires that for two indistinguishable statement distributions \({\mathcal X} _1, {\mathcal X} _2\), a proof (or argument) for statement \(x_1 \leftarrow {\mathcal X} _1\) must be indistinguishable from a proof (or argument) for statement \(x_2 \leftarrow {\mathcal X} _2\). All known constructions of strong witness indistinguishable protocols rely on ZK arguments with standard simulation – and therefore end up requiring at least as many rounds as ZK arguments. Similar issues arise in constructing inputhiding/inputindistinguishable secure computation, witness hiding arguments and proofs, and extractable (or other sophisticated) commitment schemes. However, it is unclear whether ZK is actually necessary in these settings.
This raises the question of whether it is possible to devise “weaker” simulation strategies in three rounds or less that can be used to recover several applications of ZK. In this work, we implement such a blackbox simulation strategy in only two rounds.
DistinguisherDependent Simulation. Our starting observation is that for any cryptographic protocol that only aims to achieve indistinguishabilitybased security, the security reduction has access to an efficient distinguisher. In such scenarios, one can hope to argue security via a (weaker) simulation strategy that potentially makes use of the distinguisher in a nontrivial manner.
The idea of distinguisherdependent simulation is not new and has previously been studied in the context of interactive proofs, where it is referred to as weak zero knowledge (WZK) [28]^{3}. Informally, WZK says that any bit of information that can be learned by the verifier by interacting with the prover can be simulated given only the instance. As such, WZK suffices for many applications of ZK, and in particular, implies meaningful weaker notions such as WH and WI [29].
The immediate question is whether distinguisherdependent simulation can be realized in three rounds or less. At first, the answer seems to be negative since the lower bound of GK also extends to WZK (this was already noted in [10]).
A key insight in our work is that in many applications of ZK proofs, the statement being proven is chosen by the prover from a (public) distribution. Suppose that the proof system is delayedinput [48], namely, where the instance and witness are only required for computing the last prover message. In this case, it is to an honest prover’s advantage to reveal the instance to the verifier only in the last round. This does not violate correctness due to the delayed input property, but “weakens” a malicious verifier, and in particular, ensures that a malicious verifier’s messages are independent of the instance. Interestingly, we observe that the lower bound of GK no longer holds in this case^{4}.
At a highlevel, this is because in this setting, a simulator may be able to learn nontrivial information about the distinguisher’s behavior by observing its output on different samples created using possibly different instances from the same distribution. This observation is, in fact, not limited to delayedinput proofs and extends to a large class of important twoparty functionalities including cointossing, generating common reference strings and oblivious PRFs.
This observation opens doors to the possibility of constructing proof systems and secure computation in three rounds or less with meaningful simulationbased and indistinguishabilitybased security guarantees.
A New Blackbox Simulation Technique. We devise a new distinguisherdependent blackbox simulation technique that only requires tworounds of communication. Roughly, we show that a single bit of information (of whether the proof is accepted or rejected by the distinguisher) can be used to learn information about the (possibly) malicious verifier and distinguisher, in a bitbybit fashion, and that this information can later be used to efficiently simulate the proof.
We remark that the ability to learn a bit of information based on whether the protocol execution is accepted or rejected has in the past been viewed as a source of insecurity in cryptographic protocols. For example, in the delegation of computation schemes of [18, 33], an adversarial prover can successfully cheat if it is able to observe the verifier’s output over multiple executions. For similar reasons, special care is taken to prevent “inputdependent aborts” in the design of many secure computation protocols.
In this work, we turn this apparent weakness into a positive by using it to devise a new blackbox simulation strategy. Using this strategy, we obtain several new results on proof systems and secure computation. Most of our results were previously unknown even using nonblackbox simulation techniques.
Our Setting. In order to prove privacy, we must sometimes restrict ourselves to a setting where the prover has the flexibility to sample instances and witnesses in the last round of the argument. More specifically, our simulator will require knowledge of any witnesses that are fixed (implicitly or explicitly) before the last message is sent; however, it will not require knowledge of witnesses fixed in the last round.
1.1 Our Results
We now proceed to describe our results. We start with our results on interactive proof systems and then describe their applications to secure twoparty computation and extractable commitment schemes. All of these results rely on our new blackbox simulation strategy.
I. DelayedInput Interactive Proofs. We study two and three round delayedinput interactive proof systems where the instance to be proven can be chosen by the prover in the last round, and soundness holds even against adaptive cheating provers who choose the instance depending upon the verifier’s message. First studied by [48], delayedinput protocols have found numerous applications over the years in the design of roundefficient cryptographic protocols for a variety of tasks such as secure computation [31, 44, 47], resettable security [24, 60], nonmalleable commitments [20, 58], improved \(\varSigma \)protocols [21, 22, 50], and so on.
In the context of establishing various privacy notions, we consider both adaptive verifiers, who receive the instance at the beginning of the protocol, and hence may choose their message based on this instance, and nonadaptive verifiers, who receive the instance only in the last round of the protocol, and hence their message is independent of the instance. As we discuss later, guaranteeing privacy against nonadaptive verifiers suffices for many natural applications of delayedinput proof systems.
(i). Two Round Argument Systems. Our first contribution is a tworound delayedinput argument system that achieves witnessindistinguishability (WI) against adaptive verifiers, and strong WI, witness hiding (WH) and distributional weak zeroknowledge (WZK) against nonadaptive verifiers.
Theorem 1

WI against adaptive verifiers.

Strong WI, WH and distributional WZK against nonadaptive verifiers.
Oblivious transfer (OT) protocols as required in the above theorem can be constructed based on quasipolynomial hardness of Decisional DiffieHellman (DDH) [51] or N’th Residuosity or Quadratic Residuosity [43, 45].
Comparison with Prior Work. If we know an a priori superpolynomial bound on the hardness of the language, then tworound WH can be obtained from tworound ZK with superpolynomial time simulators (SPS) [53]. However, no constructions of tworound WH or distributional WZK for \(\mathrm {NP}\) against nonuniform verifiers were previously known. (We refer the reader to Sect. 1.3 for a more thorough discussion.)
WI proofs in two rounds (or less) were previously only known based on either trapdoor permutations^{5} [27], or the decision linear assumption on bilinear groups [40], or indistinguishability obfuscation [11]. Our result in Theorem 1 substantially adds to the set of standard assumptions that suffice for tworound WI. We remark that unlike previous protocols, our WI protocol is not publicly verifiable.
Privacy Amplification via Round Compression. We obtain Theorem 1 by “compressing” any \(\varSigma \)protocol^{6} [23] into a tworound privatecoin argument using OT. Our compiler follows the approach of [1, 46], except that we use a maliciously secure OT as opposed to a computational PIR [17].
Interestingly, our approach of compressing a \(\varSigma \)protocol into a tworound argument results in amplifying its privacy guarantees. Indeed, standard \(\varSigma \)protocols are not known to be WZK. Furthermore, [42, 54] proved that such protocols cannot be proven WH using blackbox reductions.
Avoiding \(\mathrm {NP}\) Reductions. An added benefit of our approach is that given a \(\varSigma \)protocol for a language L, we obtain a tworound privatecoin argument system with the security guarantees stated in Theorem 1 for the same language L, without using expensive \(\mathrm {NP}\) reductions. To the best of our knowledge, no such tworound argument system was previously known.
(ii). Three Round Arguments of Knowledge. Our second contribution is a threeround delayedinput interactive argument of knowledge system that achieves WH and distributional WZK against nonadaptive verifiers. This protocol uses only polynomial assumptions, but requires an extra round.
Theorem 2
(Informal). Assuming the existence of tworound oblivious transfer (OT) that is secure against malicious PPT receivers and semihonest PPT senders, as well as dense cryptosystems, there exists a threeround interactive argument of knowledge for \(\mathrm {NP}\) that achieves soundness against adaptive (unbounded) provers and Strong WI, WH and distributional WZK against nonadaptive PPT verifiers.
Comparison with Prior Work. Threeround ZK arguments are known either based on nonstandard “knowledge assumptions” [5, 41], or against adversaries with bounded nonuniformity [7, 9]. In this work, we consider security against adversaries with nonuniform advice of arbitrarily large polynomial length, based on standard cryptographic assumptions. Prior to our work, threeround WH and WZK arguments for \(\mathrm {NP}\) were known from nonblackbox techniques that rely on auxiliary input point obfuscation assumptions [10]. These protocols, unlike ours, guarantee privacy also against adaptive verifiers. However, some of their underlying assumptions have recently been shown to be implausible [6, 14]. (See Sect. 1.3 for a more detailed discussion.)
II. Secure TwoParty Computation. We next study twoparty computation against malicious adversaries in the plain model without trusted setup assumptions. In this setting, the state of the art result is due to Katz and Ostrovsky [47] who constructed a fourround protocol for general functions in the setting where only one party receives the output. We refer to the output recipient as the receiver and the other party as the sender.
As an application of our new simulation technique, we obtain two new results on twoparty computation in three rounds. Our first result achieves inputindistinguishable security [49] against malicious receivers, while our second result achieves distinguisherdependent simulation security against malicious receivers. In both of these results, we achieve standard simulation security against malicious senders. We elaborate on these results below.
(i). Three Round InputIndistinguishable Computation. The notion of inputindistinguishable computation (IIC) was introduced by Micali, Pass and Rosen [49] as a weakening of standard simulationbased security notion for secure computation while still providing meaningful security. (See also [30, 52]). Roughly, inputindistinguishable security against malicious receivers guarantees^{7} that for any function f and a pair of inputs \((x_1,x_2)\) for the sender, a malicious receiver cannot distinguish whether the sender’s input is \(x_1\) or \(x_2\) as long as the receiver’s “implicit input” y in the execution is such that \(f(x_1,y)=f(x_2,y)\).^{8}
We construct the first threeround IIC protocol for general functions based on polynomial hardness assumptions. In fact, our protocol achieves standard simulationbased security against malicious senders and inputindistinguishable security against malicious receivers.
Theorem 3
(Informal). Assuming the existence of tworound oblivious transfer that is secure against malicious PPT receivers and semihonest PPT senders, along with dense cryptosystems, there exists a threeround secure twoparty computation protocol for general functions between a sender and a receiver, where only the receiver obtains the output, with standard simulation security against malicious senders and inputindistinguishable security against malicious receivers.
(ii). Three Round TwoParty Computation with Distinguisher Dependent Simulation. We also consider a weak simulationbased security notion for twoparty computation that is defined analogously to distributional WZK by allowing the simulator to depend (nonuniformly) upon the distinguisher and the distribution over the public input to the adversary. We refer to this as distributional distinguisherdependent simulation secure twoparty computation. While this generalizes the notion of distributional WZK, it also implies distinguisherdependent simulation security for all functionalities where the honest party’s input can be efficiently sampled (without the need for nonuniform advice) even if the input of the malicious party and any common input is already fixed.
We show that the same protocol as in Theorem 3 also satisfies distributional distinguisherdependent security for all functionalities. In particular, we obtain three round distinguisherdependent simulation secure two party computation for inherently distributional functionalities such as cointossing, generating common reference strings and oblivious PRFs.
Theorem 4
(Informal). Assuming the existence of tworound oblivious transfer that is secure against malicious PPT receivers and semihonest PPT senders, as well as dense cryptosystems, there exists a threeround protocol for secure twoparty computation for any function between a sender and receiver, where only the receiver obtains the output, with standard simulation security against a malicious sender and distributional distinguisherdependent simulation security against a malicious receiver. This implies distinguisherdependent simulation secure twoparty computation for any function where the sender’s input can be efficiently sampled even if the receiver’s input (and any common input) is already fixed.
A Tworound Protocol. We also remark that our threeround twoparty computation protocol can be downgraded to a tworound protocol that achieves distributional distinguisherdependent simulation security or inputindistinguishable security against malicious receivers and quasipolynomial time simulation security against malicious senders (or polynomialtime simulation security against semihonest senders).
Outputs for Both Parties. Theorems 3 and 4 consider the case where only one party, namely the receiver, learns the output. As observed in [47], such a protocol can be easily transformed into one where both parties receive the output by computing a modified functionality that outputs signed values. Now the output recipient can simply forward the output to the other party who accepts it only if the signature verifies.
This adds a round of communication, making the protocol four rounds in total. Because we consider distinguisherdependent simulation security (or inputindistinguishable security), this bypasses the lower bound of [47] who proved that cointossing cannot be realized with standard simulationbased security in less than five rounds when both parties receive output.
III. Extractable Commitments. We finally discuss application of our techniques to extractable commitments. A commitment scheme is said to be extractable if there exists a PPT extractor that can extract the committed value with guaranteed correctness of extraction. In particular, if the commitment is not “wellformed” (i.e., not computed honestly), then the extractor must output \(\bot \), while if the commitment is wellformed, then the extractor must output the correct committed value. Extractable commitments are very useful in the design of advanced cryptographic protocols, in particular, to facilitate the extraction of the adversary’s input in tasks such as secure computation, nonmalleable commitments, etc.
A standard way to construct extractable commitment schemes is to “compile” a standard commitment scheme with a ZKAoK, namely, by having a committer commit to its value using a standard commitment and additionally give a ZKAoK to prove knowledge of the decommitment value. The soundness property of ZKAoK guarantees the wellformedness of commitment, which in turn guarantees correctness of extraction of the committed value using the AoK extractor for ZKAoK, while the ZK property preserves the hiding of the underlying commitment. This approach yields a four round extractable commitment scheme starting from any four round ZKAoK. However, in the absence of threeround ZKAoK, constructing threeround extractable commitments from polynomial hardness assumptions have so far proven to be elusive.^{9}
The main challenge here is to enforce honest behavior on a malicious committer, while at the same time guaranteeing privacy for honest committers. Indeed, natural variations of the above approach (e.g., using weaker notions such as WIPOK that are known in three rounds) seem to only satisfy one of these two requirements, but not both.
As an application of Theorem 2, we construct the first threeround extractable commitment scheme based on standard polynomialtime hardness assumptions.
Theorem 5
(Informal). Assuming the existence of tworound oblivious transfer that is secure against malicious PPT receivers and semihonest PPT senders, as well as dense cryptosystems, there exists a threeround extractable commitment scheme.
Roughly, our construction of extractable commitments follows the same approach as described above. Our main observation is that the hiding property of the extractable commitment can be argued if the AoK system satisfies a strong WI property (instead of requiring fullfledged ZK).
1.2 Discussion
Nonadaptive Verifiers. Our results on distributional WZK, WH and strong WI are w.r.t. nonadaptive verifiers who learn the statement in the last round of the protocol. To the best of our knowledge, privacy against nonadaptive verifiers has not been studied before, and therefore, it is natural to ask whether it is a meaningful notion of privacy.

We construct a threeround extractable commitment scheme by combining a standard commitment with a threeround delayedinput strong WIAoK of correctness of the committed value, that achieves security against nonadaptive verifiers. By sending the commitment in the last round, we automatically make the verifier nonadaptive.

In secure computation using garbled circuits (GCs) [59], a malicious sender must prove correctness of its GC. In this case, the instance (i.e., the GC) can simply be sent together with the last prover message, which automatically makes the verifier nonadaptive. This does not affect the security of the receiver if the proof system achieves adaptive soundness (which is true for our constructions). Indeed, our construction uses exactly this approach.
We anticipate that the notion of privacy against nonadaptive verifiers will find more applications in the future.
Bypassing GK and GO Lower Bounds. We now elaborate on the reasons why we are able to bypass the lower bounds of [35, 37]. The blackbox impossibility result of [35] for threeround ZK crucially uses an adaptive verifier. More specifically, they consider a verifier that has a random seed to a pseudorandom function hardwired into it, and for any instance and first message sent by the prover, it uses its PRF seed, to answer honestly with freshlooking randomness. It is then argued that a blackbox simulator can be used to break soundness. Very roughly, this is because a cheating prover can simply run the blackbox simulator; if the simulator rewinds the verifier, then the cheating prover answers it with a random message on behalf of the verifier. This proof also extends to WZK because any query made by the simulator to the distinguisher can simply be answered with “reject.”
Note, however, that in the nonadaptive setting, the verifier is not allowed to generate different messages for different instances, and hence the simulator has more power than a cheating prover, since it can fix the first message of the prover and then test whether the distinguisher accepts or not with various instances and various third round messages. Indeed, we exploit exactly this fact to design a distinguisherdependent simulator for our protocols.
We next explain why we are able to overcome the lower bound of [37] for tworound ZK. A key argument in the proof of [37] is that no (possibly nonblackbox) simulator can simulate the prover’s message for a false statement (even when the protocol is privately verifiable). For ZK, this is argued by setting the verifier’s auxiliary input to be an honestly generated first message and providing the corresponding private randomness to the distinguisher, who is chosen after the simulator. Now, if the simulator succeeds, then we can break soundness of the protocol. However, in WZK, since the distinguisher is fixed in advance, the above approach does not work. In particular, if the distinguisher is given the private randomness then the simulator is given it as well (and hence can simulate), and otherwise, the simulator can succeed by simulating a rejecting transcript.
1.3 Related Work
Concurrent Work. Concurrent to our work, Badrinarayanan et al. [2] construct protocols that are similar to our tworound protocols. However their focus is on superpolynomial simulation, whereas we focus on polynomial time distinguisherdependent simulation. They also give other instantiations of tworound OT, which can be combined with our results to obtain tworound delayedinput distributional weak zeroknowledge from additional assumptions.
Proof Systems. We mention two related works on tworound ZK proofs that overcome the lower bound of [37] in different ways. A recent work of [19] constructs a tworound \((T,t,\epsilon )\)ZK proof system for languages in statistical zeroknowledge, where roughly, \((T,t,\epsilon )\) ZK requires the existence of a simulator that simulates the view of the verifier for any distinguisher running in time t and distinguishing probability \(\epsilon \). The running time T of the simulator depends upon t and \(\epsilon \). In another recent work, [9] construct a tworound ZK argument system against verifiers with auxiliary inputs of a priori bounded size.
Threeround ZK proofs are known either based on nonstandard “knowledge assumptions” [5, 41], or against adversaries that receive auxiliary inputs of a priori bounded size [7, 9]. In contrast, in this work, we consider security against adversaries with nonuniform advice of arbitrarily polynomial size, based on standard cryptographic assumptions.
Finally, we discuss WI, WH and WZK in three rounds. While three round WI is known from injective oneway functions [29], WH and WZK are nontrivial to realize even in three rounds. In particular, [42] proved a lower bound for threeround publiccoin WH w.r.t. a natural class of blackbox reductions. More recently, [54] extended their result to rule out all blackbox reductions. Presently, the only known constructions of threeround WH and WZK for \(\mathrm {NP}\) require either “knowledge assumptions” [5, 41], or rely on the assumption of auxiliaryinput point obfuscation (AIPO) and auxiliaryinput multibit point obfuscation (AIMPO), respectively, with an additional “recognizability” property [10]. For general auxiliary inputs, however, AIMPO was recently proven to be impossible w.r.t. general auxiliary inputs [14], assuming the existence of indistinguishability obfuscation [4]. Further, one of the assumptions used by [10] to build recognizable AIPO, namely, strong DDH assumption [15], was recently shown to be impossible w.r.t. general auxiliary inputs [6], assuming the existence of virtual greybox obfuscation [8].
Secure Computation. Katz and Ostrovsky [47] constructed a fourround twoparty computation protocol for general functions where only one party receives the output. A recent work of Garg et al. [31] extends their result to the simultaneousmessage model to obtain a fourround protocol where both parties receive the outputs.
The notion of inputindistinguishable computation (IIC) was introduced by Micali, Pass and Rosen [49] as a weakening of standard simulationbased security notion for secure computation while still providing meaningful security. (See also [30, 52].) We provide the first threeround protocol that provides inputindistinguishable security.
A recent work of Döttling et al. [26] constructs a tworound twoparty computation protocol for oblivious computation of cryptographic functionalities. They consider semihonest senders and malicious receivers, and prove gamebased security against the latter. We remark that our threeround twoparty computation protocol can be easily downgraded to a tworound protocol that achieves weak simulation security against malicious receivers and superpolynomial time simulation security against malicious senders (or polynomialtime simulation against semihonest senders). We note that our result is incomparable to [26], because we consider a restricted class of distributions (such as product distributions), albeit any functionality, whereas [26] considers the class of cryptographic functionalities.
1.4 Organization
The rest of this paper is organized as follows. We begin with an overview of our techniques in Sect. 2. In Sect. 3, we describe important relevant preliminaries including \(\varSigma \)protocols and oblivious transfer. In Sect. 4, we recall definitions of adaptive soundness, witness indistinguishability, distributional weakZK and witness hiding against nonadaptive verifiers. In Sect. 5, we describe our tworound protocol, which uses any \(\varSigma \)protocol with a special structure, together with 2message OT. In the same section, we describe how to modify our protocol so as to rely on any \(\varSigma \)protocol, and also show how to base security on polynomial hardness assumptions at the cost of adding an extra round. Due to lack of space, we defer additional details of our three round protocols and their applications to the full version of the paper.
2 Technical Overview
We now give an overview of our main ideas and techniques.
2.1 Argument Systems

Any \(\varSigma \)protocol consisting of three messages (a, e, z) that is secure against unbounded provers,

Any twomessage oblivious transfer protocol, denoted by \((\mathsf {OT} _1, \mathsf {OT} _2)\), which is secure against malicious PPT receivers, and malicious senders running in time at most \(2^{z}\). For receiver input b and sender input messages \((m_0, m_1)\), we denote the two messages of the OT protocol as \(\mathsf {OT} _1(b)\) and \(\mathsf {OT} _2(m_0, m_1)\). We note that \(\mathsf {OT} _2(m_0, m_1)\) also depends on the message \(\mathsf {OT} _1(b)\) sent by the receiver. For the sake of simplicity, we omit this dependence from the notation.
For simplicity, throughout most of the paper, we assume that the \(\varSigma \)protocol is a parallel repetition of \(\varSigma \)protocols with a singlebit challenge and constant soundness^{10}. Namely, we assume that the \(\varSigma \)protocol contains three messages, denoted by (a, e, z) and that these messages can be parsed as \(a=(a_1,\ldots ,a_{\kappa })\), \(e=(e_1,\ldots ,e_{\kappa })\), and \(z=(z_1,\ldots ,z_{\kappa })\), where for each \(i\in [{\kappa } ]\), the triplet \((a_i,e_i,z_i)\) are messages corresponding to an underlying \(\varSigma \)protocol with a singlebit challenge (i.e., where \(e_i\in \{0,1\}\)). We denote by \(f_1\) and \(f_2\) the functions that satisfy \(a_i = f_1(x,w;r_i)\) and \(z_i = f_2(x, w, r_i,e_i)\), for answers provided by the honest prover, and where \(r_i\) is uniformly chosen randomness.
We show how to convert any such \(\varSigma \)protocol into a tworound protocol (P, V) using OT. Our transformation is essentially the same as the one suggested by Aeillo et. al. [1], and used by Kalai and Raz [46], to reduce rounds in interactive protocols, except that we use an OT scheme rather than a computational PIR scheme (since as opposed to [1, 46] we are not concerned with compressing the length of the messages). Specifically, given any such \(\varSigma \)protocol and OT protocol, our tworound protocol (P, V), proceeds as follows.

For \(i \in [{\kappa } ]\), V picks Open image in new window , and sends \(\mathsf {OT} _{1,i}(e_i)\) in parallel. Each \(e_i\) is encrypted with a fresh OT instance.

For \(i \in [{\kappa } ]\), P computes \(a_i = f_1(x,w;r_i), z_i ^{(0)}= f_2(x, w, r_i,0), z_i ^{(1)}= f_2(x, w, r_i,1)\). The prover P then sends \(a_i, \mathsf {OT} _{2,i}(z_i^{(0)}, z_i^{(1)})\) in parallel for all \(i \in [{\kappa } ]\).

The verifier V recovers \(z_i^{(e_i)}\) from the OT, and accepts if and only if for every \(i \in [{\kappa } ]\), the transcript \((a_i, e_i, z_i^{(e_i)})\) is an accepting transcript of the underlying \(\varSigma \)protocol.
To prove soundness, we rely on the following specialsoundness property of \(\varSigma \)protocols: There exists a polynomialtime algorithm A that given any instance x of some \(\mathrm {NP}\) language L with witness relation \(R_L\), and a pair of accepting transcripts \((a, e, z), (a, e', z')\) for x with the same first prover message, where \(e \ne e'\), outputs w such that \(w \in R_L(x)\). In particular, this means that for any \(x \not \in L\), for any fixed message a, there exists at most one unique value of receiver challenge e, for which there exists z such that (a, e, z) is an accepting transcript (as otherwise the algorithm A would output a witness \(w \in R_L(x)\), which is impossible).
Going back to our protocol – suppose a cheating prover, on input the verifier message \(\mathsf {OT} _1(e^*)\), outputs \(x^* \not \in L\), together with messages \(a^*, \mathsf {OT} _2(z^*)\), such that the verifier accepts with nonnegligible probability. Since, for any \(x^* \not \in L\) and any \(a^*\), there exists at most one unique value of receiver challenge e, for which there exists a z that causes the verifier to accept – intuitively, this means that \(a^*\) encodes the receiver challenge \(e^*\).
Thus, for fixed \(a^*\), a reduction can enumerate over all possible values of z (corresponding to all possible e), and check which single e results in an accepting transcript. Then, this would allow a reduction to break receiver security of the oblivious transfer. Since such a reduction would require time at least \(2^{z}\), we need the underlying oblivious transfer to be \(2^{z}\)secure (or, subexponentially secure). If z can be scaled down to be of size polylogarithmic in the security parameter, we can rely on an oblivious transfer protocol which is quasipolynomially secure against malicious receivers.
A New Extraction Technique for Proving Weaker Notions of ZeroKnowledge. We now proceed to describe our main ideas for proving the privacy guarantees of our protocol. For simplicity, consider a single repetition of the protocol outlined above. That is, consider a protocol where the verifier picks a random bit Open image in new window and sends \(r = \mathsf {OT} _1(e)\) to the prover. The prover then sends \(a, \mathsf {OT} _2(z^{(0)}, z^{(1)})\) to the verifier, where \((a, z^{(0)}, z^{(1)})\) are computed similarly as before.

Its output distribution when the prover sends \((a, \mathsf {OT} _2(z^{(0)}, z^{(0)}))\) (implicitly corresponding to receiver choice bit 0).

Its distribution output when the prover sends \((a, \mathsf {OT} _2(z^{(1)}, z^{(1)}))\) (implicitly corresponding to receiver choice bit 1).
Suppose the message of the verifier, \(\mathsf {OT} _1(e)\) is generated independently of the instance x, and suppose that the instance x is generated according to some distribution \(\mathcal{D}\). Then an extractor \({\mathcal E} \), given the message \(\mathsf {OT} _1(e)\), can guess e (if the distinguisher “knows” e), up to \(\epsilon \)error in time \(\mathsf {poly} (1/\epsilon )\), as follows: The extractor will generate \(\mathsf {poly} (1/\epsilon )\) many instancewitness pairs \((x,w)\in R_L\), where each x is distributed independently from \(\mathcal{D}\) (\({\mathcal E} \) will have these instancewitness pairs hardwired if they are hard to sample). Then for each such instancewitness pair the extractor will generate \((a, z^{(0)}, z^{(1)})\), and will observe the distinguisher’s output corresponding to the prover’s message \((a, \mathsf {OT} _2(z^{(0)}, z^{(0)}))\), \((a, \mathsf {OT} _2(z^{(1)}, z^{(1)}))\), and \((a, \mathsf {OT} _2(z^{(0)}, z^{(1)}))\). If the distinguisher cannot distinguish between these three distributions then the extractor outputs \(\bot \) (indicating that the distinguisher does not know e). If the extractor outputs \(\bot \), the distinguisher is (distributionally) insensitive to the prover’s response, so we can behave as if it was approximated to 0.
However, if the distinguisher can distinguish between \((a, \mathsf {OT} _2(z^{(0)}, z^{(1)}))\) and \((a, \mathsf {OT} _2(z^{(b)}, z^{(b)}))\), then the distinguisher will guess \(e=1b\). In this way, the extractor can approximate (up to \(\epsilon \)error) whether the implicit receiver choice bit is 0 or 1, while running in time \(\mathsf {poly} (1/\epsilon )\). This idea forms the basis of our new extraction technique.
Witness Indistinguishability. Since witness indistinguishability is known to compose under parallel repetition, it suffices to prove WI for a single repetition of the protocol outlined above. In fact, we will try to prove something even stronger.
As explained above, there exists a distinguisherdependent simulator \(\mathsf {Sim} _{{\mathcal D} _V}\), that, given a fixed receiver message r, can try to approximate the verifier’s implicit challenge bit e, by observing the distinguisher’s output corresponding to various sender messages, up to error \(\epsilon \). Once \(\mathsf {Sim} _{{\mathcal D} _V}\) has successfully extracted the verifier’s challenge, it can use the honestverifier zeroknowledge simulator of the underlying \(\varSigma \)protocol.
Of course, to even begin the extraction process, \(\mathsf {Sim} _{{\mathcal D} _V}\) needs to observe the output of the distinguisher on \((a, \mathsf {OT} _2(z^{(0)}, z^{(1)}))\). However, even computing \((a, \mathsf {OT} _2(z^{(0)}, z^{(1)}))\) correctly, requires access to a witness! This is because a correctly compute tuple \((a, z^{(0)}, z^{(1)})\) actually encodes a witness.
In the case of witness indistinguishability, this is not a problem – since an “intermediate” simulator for witness indistinguishability has access to both witnesses in question, and therefore can generate valid messages \((a, \mathsf {OT} _2(z^0, z^1))\) using both witnesses. It can use these transcripts to learn the verifier’s challenge bit, and then use the bit it learned, to generate a simulated transcript for the same receiver message r (where the simulated transcript uses neither of the two witnesses). We mainly rely on OT security to show that the distinguisher \({\mathcal D} _V\) cannot distinguish between the view generated by such a simulator \(\mathsf {Sim} _{{\mathcal D} _V}\) and the real view of the verifier, when he interacts with an honest prover that uses only one of the witnesses.
There are additional subtleties in the proof, for instance, in ensuring that the extracted values when the simulator uses one particular witness for learning, do not contradict the values extracted when it uses the other witness. We refer the reader to Sect. 5.3 for a detailed proof.
Distributional Weak ZeroKnowledge. We prove that the same protocol satisfies distributional weak zeroknowledge against nonadaptive verifiers (which can also be easily seen to imply witnesshiding against nonadaptive verifiers). Distributional weak zeroknowledge is a “distributional” relaxation of the standard notion of zeroknowledge where the simulator is additionally allowed to depend on the distribution of instances, and on the distinguisher. This notion roughly requires that for every distribution \({\mathcal X} \) over instances, every verifier V and distinguisher \({\mathcal D} _V\) that obtains the view of V, every \(\epsilon = \frac{1}{\mathsf {poly} ({\kappa })}\) for some polynomial \(\mathsf {poly} (\cdot )\), there exists a simulator \(\mathsf {Sim} _{{\mathcal D} _V}\) that runs in time \(\mathsf {poly} (1/\epsilon )\) and outputs a view, such that the distinguisher \({\mathcal D} _V\) has at most \(\epsilon \)advantage in distinguishing the real view of V from the simulated view.
Fix the first message of the verifier (since the verifier is nonadaptive, this is fixed independently of the instance). The simulator \(\mathsf {Sim} _{{\mathcal D} _V}\) obtains as (nonuniform) advice, \(\mathsf {poly} (1/\epsilon )\) randomly chosen instancewitness pairs from the distribution in question.^{11} It then uses these pairs together with the extraction strategy \({\mathcal E} \) described above, to “learn” an approximation to the verifier’s implicit challenge string in the fixed verifier message. However, distributional weak zeroknowledge is not known to be closed under parallel composition. Therefore, we modify the simple extraction strategy described previously for a single repetition, so as to extract all bits of the verifier’s challenge, while still remaining efficient in \(\mathsf {poly} (1/\epsilon )\).

It generates a “fake” output for the first \((i1)\) parallel repetitions as follows: for \(j \in [i1]\), if the \(j^{th}\) bit of the verifier’s challenge was approximated to 0, respond with \(a_j, (z^0_j, z^0_j)\) in the \(j^{th}\) repetition (and similarly, if it was approximated to 1, respond with \(a_j, (z^1_j, z^1_j)\)).

For all \(j \in [i+1, {\kappa } ]\) it responds honestly with \(a_j, (z^0_j, z^1_j)\) in the \(j^{th}\) repetition.

With outputs for all \(j < i\) set to “fake” according to approximated challenge, and for all \(j>i\) set to honest, at \(j = i\), \(\mathsf {Sim} _{{\mathcal D} _V}\) uses the extraction strategy \({\mathcal E} \) described above. That is, for \(j = i\), it sets the output to \(a_i, (z^0_i, z^1_i)\), \(a_i, (z^0_i, z^0_i)\), and \(a_i, (z^1_i, z^1_i)\), and checks whether the output of the distinguisher when given inputs corresponding to \(a_i, \mathsf {OT} _{2,i}(z^0_i, z^1_i)\) is close to its output when given inputs corresponding to \(a_i, \mathsf {OT} _{2,i}(z^0_i, z^0_i)\) or to \(a_i, \mathsf {OT} _{2,i}(z^i_i, z^i_i)\). It uses this to approximate the \(i^{th}\) bit of the verifier’s challenge.
Via an inductive hybrid argument, we prove that with high probability, the approximation computed by \(\mathsf {Sim} _{{\mathcal D} _V}\) has at most \(\varTheta (\epsilon )\)error when \(\mathsf {Sim} _{{\mathcal D} _V}\) runs in time \(\mathsf {poly} (1/\epsilon )\). Once \(\mathsf {Sim} _{{\mathcal D} _V}\) has successfully extracted the verifier’s challenge, it can use the honestverifier zeroknowledge simulator of the underlying \(\varSigma \)protocol as before.
Note that in order to perform extraction, the simulator is required to generate various \(a_i, \mathsf {OT} _{2,i}(z^0_i, z^1_i)\) tuples, which it does using the instancewitness pairs it sampled or obtained as advice. \(\mathsf {Sim} _{{\mathcal D} _V}\) then uses the challenge it extracted to generate fake proofs for various other \(x \leftarrow {\mathcal X} \). Nonadaptivity of the verifier ensures that the simulator can, for a fixed verifier messages, generate proofs for several other statements in the distribution while observing the output of the distinguisher. We refer the reader to Sect. 5.4 for a complete proof.
Three Round Protocols from Polynomial Hardness Assumptions. We also describe how quasipolynomial assumptions can be avoided at the cost of an extra round. The need for quasipolynomial assumptions in our tworound protocols is to guarantee soundness: roughly, we require that a cheating prover should be unable to “maul” the receiver’s challenge while providing his message. In the tworound setting, this is achieved by ensuring (via complexity leveraging) that the security of receiver OT message is stronger than the security of the prover’s response. Three rounds, however, give an opportunity to rewind and extract the value inside the prover’s message, while relying on (polynomial) hiding of the receiver OT message.
We assume here that the first round of the \(\varSigma \)protocol consists of commitments to certain values, and the third round consists of decommitments to a subset of these commitments, together with additional auxiliary information (for instance, the Blum protocol for Graph Hamiltonicity satisfies this requirement). We modify the protocol to have the prover send extractable commitments (instead of standard commitments) to commit to the values needed for the first round of the \(\varSigma \)protocol.
Consider a PPT cheating prover that generates a proof for \(x \not \in L\). A reduction can obtain the receiver OT message externally as an encryption of some nbit challenge, and then extract the values committed by the prover. Because the underlying \(\varSigma \)protocol is specialsound against unbounded provers, any accepting proof for \(x \not \in L\), will allow recovering the receiver challenge directly by observing the values committed by the prover. We must, however, ensure that adding such extractable commitments does not harm privacy – since our simulator is required to generate several actual proofs before it is able to output a simulated proof. To accomplish this, we design a special kind of (weakly) extracting commitments, details of which can be found in Sect. 5.7. We note here that overextraction suffices, in particular, we only care about extracting the values committed by provers that generate accepting transcripts.
2.2 Applications
We now describe some applications of our proof systems. As a first step, we describe a transformation from our threeround distributional WZK argument system to an argument of knowledge ^{12} (that retains the distributional weak ZK/strong WI property against nonadaptive verifiers).
To prove weak ZK/strong WI property for the same protocol, we would ideally like to have the following sequence of hybrid arguments: First, we start simulating the weak ZK proof, by observing the output of the distinguisher on several different instances from the distribution \({\mathcal X} \), while using correct witnesses for these instances. We then use the information learned to simulate the weak ZK proof for c obtained externally in the main transcript. Since the string c is not used in the main thread at all, we change it so that \(\mathsf {com}(0^{\kappa }; r)\) for uniformly random r. Next, we must begin using (c, r) as witnesses in the WIPoK, instead of using the witness for x.
It is in this step that there arises a subtle issue, because of the way our simulator works. In each experiment, before it can generate a simulated proof, it must first generate several real proofs for other random instances. We require the WIPoK to maintain witness indistinguishability, even when the simulator provides multiple proofs for different instances using the same first two messages. This is in general, not true for proof systems such as LapidotShamir [48]. This is also not as strong a requirement as resettableWI [16] since the verifier’s message is fixed and remains the same for all proofs.
We refer to this property as reusable WI and construct an adaptively sound argument of knowledge satisfying this property. The argument of knowledge works by the prover sending two threeround extractable commitments (with “over” extraction) [55, 56] to random strings, encrypting the witness with each of these strings using standard private key encryption, and sending a threeround delayedinput reusable WI argument (this does not need to be an argument of knowledge, and could be instantiated with a ZAP, or with our three round arguments) to establish that one of the two commitments is a valid extractable commitment, and the corresponding ciphertext correctly encrypts the witness. The use of private key encryption gives us the additional desired property of reusability.
Extractable Commitments. Given the weak ZK argument of knowledge, our construction of threeround extractable commitments simply consists of sending a noninteractive statistically binding commitment to the message in the last round, together with a (distributional) weak ZK argument of knowledge to establish knowledge of the committed message and randomness. The weak ZK property helps prove hiding of this scheme, while the proof of knowledge property guarantees correct polynomialtime extraction, with overwhelming probability. We refer the reader to the full version for details.
Three Round, Two Party, InputIndistinguishable Secure Computation. We begin by considering the following tworound protocol for twoparty computation: The receiver generates OT messages corresponding to his inputs, together with the first message of a tworound weak ZK argument. Then, the sender generates garbled circuits corresponding to his own input labels, together with the second message of the tworound weak ZK argument.
This protocol already satisfies inputindistinguishable security against malicious receivers, as well as distinguisherdependent security against malicious receivers, when an honest sender’s input is sampled from some public distribution. Even though our weak ZK proof guarantees hiding against malicious receivers, security is not immediate. Indeed, we must first extract an adversarial receiver’s input from his OT messages, and weak ZK does not help with that. Thus, apart from simulating the weak ZK, we must use our extraction strategy in this context, in order to (distributionally) learn the receiver’s input.
In the full version, we describe applications of our techniques to obtaining inputindistinguishable secure computation, as well as distributional distinguisherdependent secure computation in three rounds from polynomial assumptions. In particular, we also note that a large class of functionalities such as coin tossing, generating common reference strings, oblivious PRFs, etc. (that we call independentinput functions) are distributional by definition, and can be realized with distinguisherdependent polynomial simulation security in three rounds.
3 Preliminaries
Throughout this paper, we will use \({\kappa } \) to denote the security parameter, and \(\mathsf {negl} ({\kappa })\) to denote any function that is asymptotically smaller than \(\frac{1}{\mathsf {poly} ({\kappa })}\) for any polynomial \(\mathsf {poly} (\cdot )\).
Definition 1

Completeness: \(\mathrm {Pr} [\langle P(x,w(x)), V(x) \rangle = 1] = 1  \mathsf {negl} ({\kappa })\), assuming P and V follow the protocol honestly.

Special Soundness: There exists a polynomialtime algorithm A that given any x and a pair of accepting transcripts \((a, e, z), (a, e', z')\) for x with the same first prover message, where \(e \ne e'\), outputs w such that \(w \in R_L(x)\).
 Honest verifier zeroknowledge: There exists a probabilistic polynomial time simulator \(S_\varSigma \) such thatwhere \(S_\varSigma (x, e)\) denotes the output of simulator S upon input x and e, and \(\langle P (x, w(x)), V(x, e) \rangle \) denotes the output transcript of an execution between P and V, where P has input (x, w), V has input x and V’s random tape (determining its query) is e.$$ \left\{ S_\varSigma (x, e) \right\} _{x \in L, e \in {\{0,1\}} ^{\kappa }}\approx _c \left\{ \langle P(x,w(x)), V(x, e) \rangle \right\} _{x \in L, e \in {\{0,1\}} ^{\kappa }} $$
Definition 2
(Oblivious Transfer). Oblivious transfer is a protocol between two parties, a sender S with messages \((m_0, m_1)\) and receiver R with input a choice bit b, such that R obtains output \(m_b\) at the end of the protocol. We let \(\langle S(m_0, m_1), R(b) \rangle \) denote an execution of the OT protocol with sender input \((m_0, m_1)\) and receiver input bit b. It additionally satisfies the following properties.
Receiver Security. For any sender \(S^*\), all auxiliary inputs \(z \in {\{0,1\}} ^*\), and all \((b, b') \in {\{0,1\}} \), \( \mathsf {View} _{S^*}(\langle S^*(z), R(b) \rangle ) \approx _c \mathsf {View} _{S^*}(\langle S^*(z), R(b') \rangle ). \)
Sender Security. This is defined using the realideal paradigm, and requires that for all auxiliary inputs \(z \in {\{0,1\}} ^*\), every distribution on the inputs \((m_0, m_1)\) and any adversarial receiver \(R^*\), there exists a (possibly unbounded) simulator \(\mathsf {Sim} _{R^*}\) that interacts with an ideal functionality \({\mathcal F} _{\mathsf {ot}} \) on behalf of \(R^*\). Here \({\mathcal F} _{\mathsf {ot}} \) is an oracle that obtains the inputs \((m_0, m_1)\) from the sender and b from the \(\mathsf {Sim} _{R^*}\) (simulating the malicious receiver), and outputs \(m_b\) to \(\mathsf {Sim} _{R^*}\). Then \(\mathsf {Sim} ^{{\mathcal F} _{\mathsf {ot}}}_{R^*}\) outputs a receiver view \(V_{\mathsf {Sim}}\) that is computationally indistinguishable from the real view of the malicious receiver \(\mathsf {View}_{R^*}(\langle S(m_0, m_1,z), R^* \rangle )\).
We will make use of twomessage oblivioustransfer protocols with security against malicious receivers and semihonest senders. Such protocols have been constructed based on the DDH assumption [51], and a stronger variant of smoothprojective hashing, which can be realized from DDH as well as the \(N^{th}\)residuosity and Quadratic Residuosity assumptions [43, 45]. Such protocols can also be based on indistinguishability obfuscation (iO) together with oneway functions [57].

For all \(m_0, m_1\), \(\mathsf {View} _{R^*}\langle S(m_0, m_1,z), R^* \rangle ) \approx _c \mathsf {View} _{R^*}(\langle S(m_0, m_0, z), R^* \rangle )\)

Or, for all \(m_0, m_1\), \(\mathsf {View} _{R^*}(\langle S(m_0, m_1,z), R^* \rangle ) \approx _c \mathsf {View} _{R^*}(\langle S(m_1, m_1, z), R^* \rangle )\)
This follows from the (unbounded) simulation property, i.e., there exists a simulator that extracts some receiver input b from the first message of \(R^*\), sends it to the ideal functionality, obtains \(m_b\) and generates an indistinguishable receiver view. Then, by the definition of sender security, the simulated view must be close to both \(\mathsf {View} _{R^*}(\langle {S(m_0, m_1,z), R^*\rangle })\), and \(\mathsf {View} _{R^*}(\langle {S(m_b, m_b,z), R^*\rangle })\).
We also note that all the aforementioned instantiations of twomessage oblivioustransfer are additionally secure against unbounded malicious receivers.
4 Definitions
4.1 Proof Systems

At the beginning of the protocol, P and V receive the size of the instance and execute the first \(n1\) rounds.

At the start of the last round, P receives an input \((x,w)\in R_L\) and V receives x. Upon receiving the last round message from P, V outputs 1 or 0.
An execution of (P, V) with instance x and witness w is denoted as \(\langle P,V\rangle (x,w)\). Whenever clear from context, we also use the same notation to denote the output of V.
DelayedInput Interactive Arguments. An nround delayedinput interactive argument for a language L must satisfy the standard notion of completeness as well as adaptive soundness, where the soundness requirement holds even against malicious PPT provers who choose the statement adaptively, depending upon the first \(n1\) rounds of the protocol.
Definition 3
 Completeness: For every \((x,w)\in R_L\),where the probability is over the random coins of P and V.$$\mathrm {Pr} \big [\langle P,V \rangle (x,w) = 1\big ] \ge 1\mathsf {negl} ({\kappa }),$$
 Adaptive Soundness: For every \(z\in {\{0,1\}} ^*\), every PPT prover \(P^*\) that chooses \(x\in {\{0,1\}} ^{\kappa } \setminus L\) adaptively, depending upon the first \(n1\) rounds,where the probability is over the random coins of V.$$\mathrm {Pr} \big [\langle P^*(z),V \rangle (x) = 1\big ] \le \mathsf {negl} ({\kappa }),$$
Witness Indistinguishability. A proof system is witness indistinguishable if for any statement with at least two witnesses, proofs computed using different witnesses are indistinguishable.
Definition 4
Nonadaptive Distributional Weak Zero Knowledge. Zero knowledge (ZK) requires that for any adversarial verifier, there exists a simulator that can produce a view that is indistinguishable from the real one to every distinguisher. Weak zero knowledge (WZK) relaxes the standard notion of ZK by reversing the order of quantifiers, and allowing the simulator to depend on the distinguisher.
We consider a variant of WZK, namely, distributional WZK [28, 34], where the instances are chosen from some hard distribution over the language. Furthermore, we allow the simulator’s running time to depend upon the distinguishing probability of the distinguisher. We refer to this as distributional \(\epsilon \)WZK, which says that for every distinguisher D with distinguishing probability \(\epsilon \) (where \(\epsilon \) is an inverse polynomial) there exists a simulator with running time polynomial in \(\epsilon \). This notion was previously considered in [19, 28].
We define distributional \(\epsilon \)WZK property against nonadaptive malicious verifiers that receive the instance only in the last round of the protocol.
Definition 5
Nonadaptive Witness Hiding. Let L be an \(\mathrm {NP}\) language and let \(({\mathcal X},{\mathcal W})\) be a distribution over the associated relation \(R_L\). A proof system is witness hiding w.r.t. \(({\mathcal X},{\mathcal W})\) if for any \((x,w)\leftarrow ({\mathcal X},{\mathcal W})\), a proof for x is “oneway” in the sense that no verifier can extract a witness for x from its interaction with the prover. Note that in order for WH to be nontrivial, it is necessary that \(({\mathcal X},{\mathcal W})\) be a “hard” distribution.
Below, we define witness hiding property against nonadaptive malicious verifiers that receive the instance only in the last round of the protocol.
Definition 6
Definition 7
Nonadaptive Strong Witness Indistinguishability
Definition 8
Remark 1
A nonadaptive distributional weak ZK argument of knowledge is an argument of knowledge that satisfies the distributional weak ZK property against nonadaptive verifiers. Similarly, a nonadaptive strong WI argument of knowledge is an argument of knowledge that satisfies the strong WI property against nonadaptive verifiers. Finally, a nonadaptive witness hiding argument of knowledge can be defined similarly as an argument of knowledge that satisfies the witness hiding property against nonadaptive verifiers.
5 Two Round Argument Systems
5.1 Construction
We show how to use twomessage malicioussecure oblivious transfer (OT) to convert any threemessage \(\varSigma \)protocol according to Definition 1, into a twomessage argument system. We then prove soundness of the resulting argument system, assuming subexponential security of oblivious transfer. We also prove that this protocol is witness indistinguishable, satisfies distributional weak zeroknowledge, strong WI and witness hiding against nonadaptive verifiers.
Let \(\mathsf {OT} = (\mathsf {OT} _1, \mathsf {OT} _2)\) denote a twomessage bit oblivious transfer protocol according to Definition 2. Let \(\mathsf {OT} _1(b)\) denote the first message of the \(\mathsf {OT}\) protocol with receiver input b, and let \(\mathsf {OT} _2(m_0, m_1)\) denote the second message of the OT protocol with sender input bits \(m_0, m_1\).
Let \(\varSigma = (a, e, z)\) denote the three messages of a \(\varSigma \)protocol. For most of this paper, we consider \(\varSigma \)protocols that are a parallel composition of individual protocols with a singlebit challenge and constant soundness, i.e., the \(\varSigma \)protocol contains three messages, denoted by (a, e, z) and that these messages can be parsed as \(a=(a_1,\ldots ,a_{\kappa })\), \(e=(e_1,\ldots ,e_{\kappa })\), and \(z=(z_1,\ldots ,z_{\kappa })\), where for each \(i\in [{\kappa } ]\), the triplet \((a_i,e_i,z_i)\) are messages corresponding to an underlying \(\varSigma \)protocol with a singlebit challenge (i.e., where \(e_i\in \{0,1\}\)). We denote by \(f_1\) and \(f_2\) the functions that satisfy \(a_i = f_1(x,w;r_i)\) and \(z_i = f_2(x, w, r_i,e_i)\), where \(r_i\) is uniformly chosen randomness.
5.2 Adaptive Soundness
The protocol in Fig. 1 compiles a threeround public coin proof to a tworound argument using oblivious transfer. KalaiRaz [46] proved that such a compiler, applied to any publiccoin proof system preserves soundness. Specifically, the following theorem in [46] proves (static) soundness of the above protocol, assuming subexponential oblivious transfer.
Imported Theorem 1
(Rephrased) Let \(\varSigma = (a,e,z)\) denote a \(\varSigma \)protocol, and let \(\ell = \mathsf {poly} ({\kappa }, s)\) be the size of z, where \({\kappa } \) is the security parameter, and s is an upper bound on the length of allowed instances. Assuming the existence of an oblivious transfer protocol secure against probabilistic senders running in time at most \(2^{\ell }\), the protocol in Fig. 1 is sound.
We observe that the proof in KalaiRaz [46] can be extended to prove adaptive soundness, i.e., soundness against malicious provers that can adaptively choose \(x \not \in L\) based on the verifier’s input message.
Lemma 1
Let \(\varSigma = (a,e,z)\) denote a \(\varSigma \)protocol, and let \(\ell \) be the size of z. Assuming the existence of an oblivious transfer protocol secure against probabilistic senders running in time at most \(2^{\ell }\), the protocol in Fig. 1 is adaptively sound.
Proof
We will use a prover that breaks soundness to break subexponential receiver security of the underlying oblivious transfer. The reduction samples two random challenge strings \(e_0, e_1\) and reduction sends them to an external OT challenger. The external OT challenger picks Open image in new window , and outputs \(\mathsf {OT} _1(e_{i,b})\) for \(i \in [{\kappa } ]\), which the reduction forwards to the cheating prover \(P^*\).
\(P^*\) outputs \(x \not \in L\), together with messages \(a_i\), \(\mathsf {OT} _2(z_{i}^0, z_{i}^1)\) for \(i \in [{\kappa } ]\). Next, the reduction R does a bruteforce search over all possible values of z, checking whether \((a, e_0, z)\) is an accepting transcript for any \(z \in {\{0,1\}} ^\ell \) and whether \((a, e_1, z')\) is an accepting transcript for any \(z' \in {\{0,1\}} ^\ell \).
Suppose a cheating prover breaks soundness with probability \(p = \frac{1}{\mathsf {poly} ({\kappa })}\) over the randomness of the experiment. Since the reduction chooses prover messages \(e_0, e_1\) uniformly at random, with probability p, the prover \(P^*\) outputs \(a^*_i\), \(\mathsf {OT} _2(z^0_{i}, z^1_{i})\) for \(i \in [{\kappa } ]\) that cause the verifier to accept.
Thus, with probability p, R finds at least one z such that \((a^*, e_b, z)\) is an accepting transcript.
Since \(e_{\overline{b}}\) was picked uniformly at random and independent of \(e_b\), we argue that with at most \(\mathsf {negl} ({\kappa })\) probability, R finds one or more \(z'\) such that \((a^*, e_{\overline{b}}, z')\) is an accepting transcript. Note that with probability \(1  2^{{\kappa }}\), we have that \(e_b \ne e_{\overline{b}}\). By specialsoundness of the underlying \(\varSigma \)protocol, if there exists \(z'\) such that \((a^*, e_{\overline{b}}, z')\) is an accepting transcript, conditioned on \(e_b \ne e_{\overline{b}}\), this would allow obtaining a witness w from \((a, e_b, z)\) and \((a, e_{\overline{b}}, z')\), which is a contradiction since \(x \not \in L\).
Therefore, if R finds z such that \((a^*, e_b, z)\) is an accepting transcript, R outputs \(e_b\) as its guess for the first OT message, and this guess is correct with probability at least \(p  \mathsf {negl} ({\kappa })\). Since R runs in time \(2^{\ell }\) and guesses the OT message with nonnegligible probability, this is a contradiction to the security of OT against \(2^{\ell }\)time malicious senders.
Observing the Verifier’s output. The protocol is not sound when the prover is allowed to generate apriori unbounded arguments using the same verifier message, as an adaptive function of the verifier’s accept/reject outputs on prior arguments. Looking ahead, such a prover can use the simulation strategy from Sect. 5.4 to explicitly break soundness.
However, the protocol is sound when the prover is only allowed to generate an apriori bounded arguments that adaptively depend on the verifier’s accept/reject outputs on prior arguments. This can be ensured via simply having the verifier output a longer challenge string – to obtain adaptive soundness for B executions, the protocol requires the verifier to generate Open image in new window , and encrypt it using \({\kappa } \cdot B\) OT instances. The prover uses the first \({\kappa } \) instances for the first argument, the second set of \({\kappa } \) instances for the second, and so forth. It is easy to see then that the argument of Lemma 1 easily extends to the bounded execution case.
5.3 Witness Indistinguishability
We have the following theorem, the proof of which can be found in the full version of the paper.
Theorem 6
Assuming tworound oblivious transfer (OT) secure against malicious PPT receivers, the tworound protocol in Fig. 1 is witnessindistinguishable against PPT verifiers.
Recall that witness indistinguishability (WI) is closed under parallel composition [29], therefore it suffices to prove WI for a single repetition (i.e., for some \(i \in [{\kappa } ]\)) of the protocol in Fig. 1. Our proof proceeds via a sequence of hybrid arguments, where, in an intermediate hybrid, we construct a distinguisherdependent simulator, that learns (using both witnesses \(w_1\) and \(w_2\)), an approximation for the verifier’s challenge e. Upon learning the challenge, the simulator uses the honestverifier ZK property to generate a simulated proof, without using any of the witnesses.
5.4 Distributional Weak Zero Knowledge
In this section, we have the following theorem:
Theorem 7
Assuming oblivious transfer (OT) secure against malicious PPT receivers, the protocol in Fig. 1 is distributional weak zeroknowledge against nonadaptive verifiers.
Proof
(Overview) The proof of weak zeroknowledge is more involved that WI, because weak ZK is not closed under parallel composition. We develop an inductive analysis and a simulation strategy that learns the receiver’s challenge bitbybit.
Fix any PPT \(V^*\), any distinguisher \({\mathcal D} \), any distribution \(({\mathcal X}, {\mathcal W}, {\mathcal Z})\), and any \(\epsilon >0\). We construct a simulator \(\mathsf {Sim} _\epsilon \) that obtains nonuniform advice z, \(p_\epsilon = \mathsf {poly} (1/\epsilon )\) random instancewitness samples \((x^*_1, w^*_1), (x^*_2, w^*_2), \ldots (x^*_{p_\epsilon }, w^*_{p_\epsilon })\) from the distribution \(({\mathcal X}, {\mathcal W})\). Or, if the distribution \(({\mathcal X}, {\mathcal W})\) is efficiently samplable, \(\mathsf {Sim} _\epsilon \) samples \((x^*_1, w^*_1), (x^*_2, w^*_2), \ldots (x^*_{p_\epsilon }, w^*_{p_\epsilon })\) these on its own.
At a high level, the simulator uses these instances to approximatelylearn the verifier’s challenge string e (call this approximation \(e_\mathsf {approx} \)), and then generates a transcript corresponding to a random \(x \sim {\mathcal X} \), by using the honestverifier ZK simulation strategy of the underlying \(\varSigma \)protocol, corresponding to verifier challenge \(e_\mathsf {approx} \). Our simulation strategy can be found, together with the complete proof, in the full version of the paper.
5.5 Strong Witness Indistinguishability
We note that the simulator’s learning is monotone for two distributions, i.e., given two distributions \({\mathcal X} _1, {\mathcal X} _2\), then the view generated by a simulator \(\mathsf {Sim} _\epsilon \) that learns using samples from both distributions, \({\mathcal X} _1 \cup {\mathcal X} _2\), but outputs the simulation for a sample from \({\mathcal X} _1\), is indistinguishable from the view generated by a simulator \(\mathsf {Sim} _\epsilon \) that learns using samples from only \({\mathcal X} _1\) and then outputs the simulation for a sample from \({\mathcal X} _1\).
In other words, learning using additional distributions can only provide “more” information to the simulator. This observation coupled with the proof of weak ZK, directly implies strong witness indistinguishability, when the instances are sampled either from distribution \({\mathcal X} _1\) or from (an indistinguishable) distribution \({\mathcal X} _2\). This is because, the simulator can learn (in all hybrids) using instances from \({\mathcal X} _1 \cup {\mathcal X} _2\), and use these to simulate external samples generated according to either \({\mathcal X} _1\) or \({\mathcal X} _2\).
Corollary 8
Assuming oblivious transfer (OT) secure against malicious PPT receivers, the protocol in Fig. 1 is strong witnessindistinguishable against nonadaptive verifiers.
5.6 Witness Hiding
It is easy to see that distributional weak zeroknowledge implies witness hiding. Suppose there exists a distribution \({\mathcal X} _{\kappa } \) and a PPT verifier \(V^*\) with auxiliary input z, that interacts with prover P. P samples random \(X \sim {\mathcal X} _{\kappa } \) together with some witness W(X) and generates a proof for \(V^*\) – such that \(V^*\) outputs a witness for \(X \in {\mathcal X} \) with probability \(\gamma = \frac{1}{\mathsf {poly} ({\kappa })}\) for some polynomial \(\mathsf {poly} (\cdot )\). Then, by the distributional weak zeroknowledge property, there exists a nonuniform simulator \(\mathsf {Sim} _\epsilon \) that uses \(V^*\) to output a witness for \(X \sim {\mathcal X} \) with probability at least \(\gamma  \epsilon \). Setting \(\epsilon = \frac{\gamma }{2}\), we obtain a nonuniform polynomial size circuit \((\mathsf {Sim} _\epsilon , V^*)\) that outputs a witness for \(X \sim {\mathcal X} \) with probability at least \(\gamma /2\), which is a contradiction to the assumption in Definition 7. This implies the following corollary.
Corollary 9
Assuming twomessage oblivious transfer (OT) secure against malicious PPT receivers, the protocol in Fig. 1 is witnesshiding against nonadaptive verifiers.
5.7 Extensions
In this section, we sketch some simple extensions of our main results.
Two Round WI and Distributional WZK from any \(\varvec{\varSigma }\)Protocol. So far, we assumed that the \(\varSigma \)protocol contains three messages, denoted by (a, e, z) and that these messages can be parsed as \(a=(a_1,\ldots ,a_{\kappa })\), \(e=(e_1,\ldots ,e_{\kappa })\), and \(z=(z_1,\ldots ,z_{\kappa })\), where for each \(i\in [{\kappa } ]\), the triplet \((a_i,e_i,z_i)\) are messages corresponding to an underlying \(\varSigma \)protocol with a singlebit challenge (i.e., where \(e_i\in \{0,1\}\)). We denote by \(f_1\) and \(f_2\) the functions that satisfy \(a_i = f_1(x,w;r_i)\) and \(z_i = f_2(x, w, r_i,e_i)\), where \(r_i\) is uniformly chosen randomness.
Three Round Protocols from Polynomial Assumptions. Our three round protocol from polynomial assumptions is described in Fig. 3. We denote the three messages of a \(\varSigma \)protocol by (a, e, z), and assume that the \(\varSigma \)protocol is a parallel repetition of protocols with a single bit receiver challenge. We further assume that a consists of a string of commitments, and z contains decommitment information for some of these commitments. We denote the \(i^{th}\) set of commitments (in the \(i^{th}\) parallel repetition of the \(\varSigma \)protocol) by \(a_i = \mathsf {commit}(h_i)\). We will implement this commitment differently in our protocol in Fig. 3. We let \(\mathsf {com}\) denote a noninteractive statistically binding commitment scheme, and let \(\mathsf {wi}= (\mathsf {wi}_1, \mathsf {wi}_2, \mathsf {wi}_3)\) denote the messages of a 3message delayedinput WI argument for NP. We also assume the existence of dense cryptosystems which are known based on DDH, QR, RSA, etc.
Theorem 10
There exists a 3message argument that satisfies distributional weak zeroknowledge, strong witness indistinguishability, witness hiding and witness indistinguishability against nonadaptive malicious verifiers, assuming either polynomiallyhard DDH, \(N^{th}\)residuosity or Quadratic Residuosity.
The proof of soundness, and privacy against malicious verifiers, of the scheme in Fig. 3 is deferred to the full version of the paper.
Footnotes
 1.
The work of Bitansky and Paneth [10] constructing 3 round witnesshiding and weak zeroknowledge from variants of auxiliaryinput point obfuscation, is an exception.
 2.
 3.
Recall that standard ZK requires that for any adversarial verifier, there exists a simulator that can produce a view that is indistinguishable from the real one to every distinguisher. WZK relaxes this notion by reversing the order of quantifiers, and allowing the simulator to depend on the distinguisher.
 4.
Indeed, the GK proof strategy crucially uses a verifier that chooses its protocol message as a function of the instance. See Sect. 1.2 for further discussion.
 5.
 6.
Very roughly, a \(\varSigma \)protocol is a three round protocol that is honest verifier zeroknowledge, and has a strong soundness guarantee. We refer the reader to Definition 1.
 7.
Security against malicious senders can be defined analogously.
 8.
The formal security definition of IIC is much more delicate, and we refer the reader to the technical sections for details.
 9.
All known constructions of threeround extractable commitments from polynomialhardness assumptions (such as [55, 56]) only satisfy a weak extraction property where either the extractor outputs (with nonnegligible probability) a non \(\bot \) value when the commitment is not wellformed, or it fails to output the correct value when the commitment is wellformed. It is, however, possible to construct extractable commitments using quasipolynomial hardness [39] or using three round zeroknowledge with superpolynomial simulation [53].
 10.
We later describe how garbled circuits can be used in order to modify our construction to work with any \(\varSigma \)protocol.
 11.
In most cryptographic applications, and in all our applications, it is possible for the simulator to efficiently sample random instancewitness pairs from the distribution on its own, without the need for any nonuniform advice.
 12.
Despite using a variant of extractable commitments, the threeround argument described in the previous section not a standard AoK in the delayedinput setting.
References
 1.Aiello, W., Bhatt, S., Ostrovsky, R., Rajagopalan, S.R.: Fast verification of any remote procedure call: short witnessindistinguishable oneround proofs for NP. In: Montanari, U., Rolim, J.D.P., Welzl, E. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 463–474. Springer, Heidelberg (2000). doi: 10.1007/354045022X_39 CrossRefGoogle Scholar
 2.Badrinarayanan, S., Garg, S., Ishai, Y., Sahai, A., Wadia, A.: Twomessage witness indistinguishability and secure computation in the plain model from new assumptions. IACR Cryptology ePrint Archive 2017/433 (2017). http://eprint.iacr.org/2017/433
 3.Barak, B.: How to go beyond the blackbox simulation barrier. In: FOCS, pp. 106–115 (2001)Google Scholar
 4.Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). doi: 10.1007/3540446478_1 CrossRefGoogle Scholar
 5.Bellare, M., Palacio, A.: The knowledgeofexponent assumptions and 3round zeroknowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004). doi: 10.1007/9783540286288_17 CrossRefGoogle Scholar
 6.Bellare, M., Stepanovs, I., Tessaro, S.: Contention in cryptoland: obfuscation, leakage and UCE. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 542–564. Springer, Heidelberg (2016). doi: 10.1007/9783662490990_20 CrossRefGoogle Scholar
 7.Bitansky, N., Brakerski, Z., Kalai, Y., Paneth, O., Vaikuntanathan, V.: 3message zero knowledge against human ignorance. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 57–83. Springer, Heidelberg (2016). doi: 10.1007/9783662536414_3 CrossRefGoogle Scholar
 8.Bitansky, N., Canetti, R.: On strong simulation and composable point obfuscation. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 520–537. Springer, Heidelberg (2010). doi: 10.1007/9783642146237_28 CrossRefGoogle Scholar
 9.Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable oneway functions. In: Symposium on Theory of Computing, STOC 2014, New York, 31 May–03 June 2014, pp. 505–514 (2014)Google Scholar
 10.Bitansky, N., Paneth, O.: Point obfuscation and 3round zeroknowledge. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 190–208. Springer, Heidelberg (2012). doi: 10.1007/9783642289149_11 CrossRefGoogle Scholar
 11.Bitansky, N., Paneth, O.: ZAPs and noninteractive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015). doi: 10.1007/9783662464977_16 CrossRefGoogle Scholar
 12.Bitansky, N., Paneth, O., Wichs, D.: Perfect structure on the edge of chaos. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 474–502. Springer, Heidelberg (2016). doi: 10.1007/9783662490969_20 CrossRefGoogle Scholar
 13.Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 1444–1451 (1987)Google Scholar
 14.Brzuska, C., Mittelbach, A.: Indistinguishability obfuscation versus multibit point obfuscation with auxiliary input. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 142–161. Springer, Heidelberg (2014). doi: 10.1007/9783662456088_8 Google Scholar
 15.Canetti, R.: Towards realizing random oracles: hash functions that hide all partial information. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997). doi: 10.1007/BFb0052255 CrossRefGoogle Scholar
 16.Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zeroknowledge (extended abstract). In: Proceedings of the ThirtySecond Annual ACM Symposium on Theory of Computing, Portland, OR, USA, 21–23 May 2000, pp. 235–244 (2000)Google Scholar
 17.Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: 36th Annual Symposium on Foundations of Computer Science, Milwaukee, Wisconsin, 23–25 October 1995, pp. 41–50 (1995)Google Scholar
 18.Chung, K.M., Kalai, Y., Vadhan, S.: Improved delegation of computation using fully homomorphic encryption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 483–501. Springer, Heidelberg (2010). doi: 10.1007/9783642146237_26 CrossRefGoogle Scholar
 19.Chung, K.M., Lui, E., Pass, R.: From weak to strong zeroknowledge and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 66–92. Springer, Heidelberg (2015). doi: 10.1007/9783662464946_4 Google Scholar
 20.Ciampi, M., Ostrovsky, R., Siniscalchi, L., Visconti, I.: Concurrent nonmalleable commitments (and more) in 3 rounds. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 270–299. Springer, Heidelberg (2016). doi: 10.1007/9783662530153_10 CrossRefGoogle Scholar
 21.Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved ORcomposition of sigmaprotocols. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 112–141. Springer, Heidelberg (2016). doi: 10.1007/9783662490990_5 CrossRefGoogle Scholar
 22.Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Online/Offline or composition of sigma protocols. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 63–92. Springer, Heidelberg (2016). doi: 10.1007/9783662498965_3 CrossRefGoogle Scholar
 23.Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). doi: 10.1007/3540486585_19 Google Scholar
 24.Crescenzo, G., Persiano, G., Visconti, I.: Constantround resettable zero knowledge with concurrent soundness in the bare publickey model. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 237–253. Springer, Heidelberg (2004). doi: 10.1007/9783540286288_15 CrossRefGoogle Scholar
 25.Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography (extended abstract). In: Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, New Orleans, Louisiana, USA, 5–8 May 1991, pp. 542–552 (1991)Google Scholar
 26.Döttling, N., Fleischhacker, N., Krupp, J., Schröder, D.: TwoMessage, oblivious evaluation of cryptographic functionalities. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 619–648. Springer, Heidelberg (2016). doi: 10.1007/9783662530153_22 CrossRefGoogle Scholar
 27.Dwork, C., Naor, M.: Zaps and their applications. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000, pp. 283–293 (2000)Google Scholar
 28.Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, New York, NY, USA, 17–18 October 1999, pp. 523–534 (1999)Google Scholar
 29.Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, USA, 13–17 May 1990, pp. 416–426 (1990)Google Scholar
 30.Garg, S., Goyal, V., Jain, A., Sahai, A.: Concurrently secure computation in constant rounds. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 99–116. Springer, Heidelberg (2012). doi: 10.1007/9783642290114_8 CrossRefGoogle Scholar
 31.Garg, S., Mukherjee, P., Pandey, O., Polychroniadou, A.: The exact round complexity of secure computation. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 448–476. Springer, Heidelberg (2016). doi: 10.1007/9783662498965_16 CrossRefGoogle Scholar
 32.Garg, S., Pandey, O., Srinivasan, A., Zhandry, M.: Breaking the subexponential barrier in obfustopia. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 156–181. Springer, Cham (2017). doi: 10.1007/9783319566177_6 CrossRefGoogle Scholar
 33.Gennaro, R., Gentry, C., Parno, B.: Noninteractive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). doi: 10.1007/9783642146237_25 CrossRefGoogle Scholar
 34.Goldreich, O.: A uniformcomplexity treatment of encryption and zeroknowledge. J. Cryptol. 6(1), 21–53 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
 35.Goldreich, O., Krawczyk, H.: On the composition of zeroknowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
 36.Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: STOC (1987)Google Scholar
 37.Goldreich, O., Oren, Y.: Definitions and properties of zeroknowledge proof systems. J. Cryptol. 7(1), 1–32 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
 38.Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proofsystems. In: STOC, pp. 291–304 (1985)Google Scholar
 39.Goyal, V., Pandey, O., Richelson, S.: Textbook nonmalleable commitments. In: Wichs, D., Mansour, Y. (eds.) Proceedings of the 48th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2016, Cambridge, MA, USA, 18–21 June 2016, pp. 1128–1141. ACM (2016). doi: 10.1145/2897518.2897657
 40.Groth, J., Ostrovsky, R., Sahai, A.: Noninteractive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006). doi: 10.1007/11818175_6 CrossRefGoogle Scholar
 41.Hada, S., Tanaka, T.: On the existence of 3round zeroknowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998). doi: 10.1007/BFb0055744 CrossRefGoogle Scholar
 42.Haitner, I., Rosen, A., Shaltiel, R.: On the (Im)possibility of arthurmerlin witness hiding protocols. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 220–237. Springer, Heidelberg (2009). doi: 10.1007/9783642004575_14 CrossRefGoogle Scholar
 43.Halevi, S., Kalai, Y.T.: Smooth projective hashing and twomessage oblivious transfer. J. Cryptol. 25(1), 158–193 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 44.Hazay, C., Venkitasubramaniam, M.: On the power of secure twoparty computation. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 397–429. Springer, Heidelberg (2016). doi: 10.1007/9783662530085_14 CrossRefGoogle Scholar
 45.Kalai, Y.T.: Smooth projective hashing and twomessage oblivious transfer. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 78–95. Springer, Heidelberg (2005). doi: 10.1007/11426639_5 CrossRefGoogle Scholar
 46.Kalai, Y.T., Raz, R.: Probabilistically checkable arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 143–159. Springer, Heidelberg (2009). doi: 10.1007/9783642033568_9 CrossRefGoogle Scholar
 47.Katz, J., Ostrovsky, R.: Roundoptimal secure twoparty computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004). doi: 10.1007/9783540286288_21 CrossRefGoogle Scholar
 48.Lapidot, D., Shamir, A.: Publicly verifiable noninteractive zeroknowledge proofs. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991). doi: 10.1007/3540384243_26 CrossRefGoogle Scholar
 49.Micali, S., Pass, R., Rosen, A.: Inputindistinguishable computation. In: 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2006), pp. 367–378, October 2006Google Scholar
 50.Mittelbach, A., Venturi, D.: Fiatshamir for highly sound protocols is instantiable. In: Proceedings of the 10th International Conference on Security and Cryptography for Networks, SCN 2016, Amalfi, Italy, 31 August–2 September 2016, pp. 198–215 (2016)Google Scholar
 51.Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Proceedings of the Twelfth Annual Symposium on Discrete Algorithms, 7–9 January 2001, Washington, DC, USA, pp. 448–457 (2001)Google Scholar
 52.Ostrovsky, R., Persiano, G., Visconti, I.: On input indistinguishable proof systems. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014. LNCS, vol. 8572, pp. 895–906. Springer, Heidelberg (2014). doi: 10.1007/9783662439487_74 Google Scholar
 53.Pass, R.: Simulation in quasipolynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003). doi: 10.1007/3540392009_10 CrossRefGoogle Scholar
 54.Pass, R.: Limits of provable security from standard assumptions. In: Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, San Jose, CA, USA, 6–8 June 2011, pp. 109–118 (2011)Google Scholar
 55.Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic roundcomplexity. In: Proceedings of the 43rd Symposium on Foundations of Computer Science (FOCS 2002), Vancouver, BC, Canada, 16–19 November 2002, pp. 366–375 (2002)Google Scholar
 56.Rosen, A.: A note on constantround zeroknowledge proofs for NP. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 191–202. Springer, Heidelberg (2004). doi: 10.1007/9783540246381_11 CrossRefGoogle Scholar
 57.Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) Symposium on Theory of Computing, STOC 2014, New York, NY, USA, 31 May–03 June 2014, pp. 475–484. ACM (2014). doi: 10.1145/2591796.2591825
 58.Wee, H.: Blackbox, roundefficient secure computation via nonmalleability amplification. In: 51th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2010, Las Vegas, Nevada, USA, 23–26 October 2010, pp. 531–540 (2010)Google Scholar
 59.Yao, A.C.: How to generate and exchange secrets (extended abstract). In: 27th Annual Symposium on Foundations of Computer Science, Toronto, Canada, 27–29 October 1986, pp. 162–167 (1986)Google Scholar
 60.Yung, M., Zhao, Y.: Generic and practical resettable zeroknowledge in the bare publickey model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 129–147. Springer, Heidelberg (2007). doi: 10.1007/9783540725404_8 CrossRefGoogle Scholar