ConstantRound Concurrent ZeroKnowledge from Indistinguishability Obfuscation
 16 Citations
 2.6k Downloads
Abstract
We present a constantround concurrent zeroknowledge protocol for \({\mathsf {NP}} \). Our protocol relies on the existence of families of collisionresistant hash functions, oneway permutations, and indistinguishability obfuscators for \(\mathbf{P}/poly\) (with slightly superpolynomial security).
Keywords
Certificate System Communication Round Random Coin Reference String Common Reference String1 Introduction
Zeroknowledge (\({\mathcal {ZK}} \)) interactive proofs [30] are paradoxical constructs that allow one player (called the Prover) to convince another player (called the Verifier) of the validity of a mathematical statement \(x \in L\), while providing zero additional knowledge to the Verifier. Beyond being fascinating in their own right, \({\mathcal {ZK}} \) proofs have numerous cryptographic applications and are one of the most fundamental cryptographic building blocks.
The notion of concurrent zero knowledge, first introduced and achieved in the paper by Dwork, Naor and Sahai [24], considers the execution of zeroknowledge proofs in an asynchronous and concurrent setting. More precisely, we consider a single adversary mounting a coordinated attack by acting as a verifier in many concurrent executions (called sessions). Concurrent \({\mathcal {ZK}} \) proofs are significantly harder to construct and analyze. Since the original protocol by DNS Dwork, Naor and Sahai (which relied on “timing assumptions”), various other concurrent \({\mathcal {ZK}} \) protocols have been obtained based on different setup assumptions (e.g., [22, 25]), or in alternative models (e.g., superpolynomialtime simulation [44, 53]).
In the standard model, without setup assumptions (the focus of our work), Canetti, Kilian, Petrank and Rosen [14] (building on earlier works by [38, 58]) show that concurrent \(\mathcal {ZK}\) proofs for nontrivial languages, with “blackbox” simulators, require at least \(\tilde{\varOmega } (\log n)\) number of communication rounds. Richardson and Kilian [56] constructed the first concurrent \({\mathcal {ZK}} \) argument in the standard model without any extra setup assumptions. Their protocol, which uses a blackbox simulator, requires \(O(n^{\epsilon })\) number of rounds. The roundcomplexity was later improved in the work of Kilian and Petrank (KP) [37] to \(\tilde{O}(\log ^2 n)\) round. More recent work by Prabhakaran, Rosen and Sahai [55] improves the analysis of the KP simulator, achieving an essentially optimal, w.r.t. blackbox simulation, roundcomplexity of \(\tilde{O} (\log n)\); see also [52] for an (arguably) simplified and generalized analysis.
The central open problem in the area is whether a constantround concurrent \({\mathcal {ZK}} \) protocol (for a nontrivial language) can be obtained. Note that it could very well be the case that all “classic” zeroknowledge protocols already are concurrent zeroknowledge; thus, simply assuming that those protocols are concurrent zeroknowledge yields an assumption under which constantround concurrent zeroknowledge (trivially) exists—in essence, we are assuming that for every attacker a simulator exists. Furthermore, as shown in [33] (and informally discussed in [16]) under various “extractability” assumptions of the knowledgeofexponent type [8, 21, 34], constantround concurrent zeroknowledge is easy to construct. But such extractability assumptions also simply assume that for every attacker, a simulator (in essence, “the extractor” guaranteed by the extractability assumption) exists. In particular, an explicit construction of the concurrent zeroknowledge simulator is not provided—it is simply assumed that one exists. For some applications of zeroknowledge such as deniability (see e.g., [24, 44]), having an explicit simulator is crucial. Rather, we are here concerned with the question of whether constantround concurrent zeroknowledge, with an explicit simulator, exits.
1.1 Towards ConstantRound Concurrent ZeroKnowledge
Recently, the authors [16] provided a first construction a constantround concurrent zeroknowledge protocol with an explicit simulator, based on a new cryptographic hardness assumption—the existence of socalled \(\mathbf{P} \)certificates, roughly speaking, succinct noninteractive arguments for languages in \(\mathbf{P} \). An issue with their approach, however, is we only have candidate constructions of \(\mathbf{P} \)certificates that are sound against uniform polynomialtime attackers (as opposed to nonuniform ones), and the protocol of [16] inherits the soundness property of the underlying \(\mathbf{P} \)certificate. Additionally, whereas the assumption that a particular proof system is a \(\mathbf{P} \)certificates is a falsifiable assumption [42, 54], it is unclear whether the existence of \(\mathbf{P} \)certificates itself can be based on some more natural hardness assumptions.
A very recent elegant work by Pandey, Prabhakaran and Sahai [43] takes a different approach and instead demonstrates the existence of constantround concurrent zeroknowledge protocol with an explicit simulator based on the existence of differinginput obfuscation (\({\varvec{diO}}\)) for (restricted classes of) \(\mathbf{P}/poly\) [1, 6, 11]. Whereas the assumption that a particular scheme is a \(\mathbf{diO } \) is an “extractability” assumption (similar in flavor to knowledgeofexponent type [8, 21, 34] assumptions), the intriguing part of the scheme of Pandey et al. [43] is that the extractability assumption is only used to prove soundness of the protocol; concurrent zeroknowledge is proved in the “standard” model, through providing an explicit simulator. Nevertheless, \(\mathbf{diO } \) is a strong and subtle assumption—as shown by recent work [12, 27, 36]; unless we restrict the class of programs for which \(\mathbf{diO } \) should hold, we may end up with a notion that is unsatisfiable. Additionally, there are currently no known approaches for basing \(\mathbf{diO } \) on more “natural” (or in fact any) hardness (as opposed to extractability) assumption.
1.2 Our Results
In this paper, we combine the abovementioned two approaches. Very roughly speaking, we will use obfuscation to obtain a variant of the notion of a \(\mathbf{P} \)certificate, and we next show that this variant still suffices to obtain constantround concurrent zeroknowledge (where the soundness conditions holds also against nonuniform PPT attackers). More importantly, rather than using \(\mathbf{diO } \), we are able to use indistinguishability obfuscation (\({\varvec{iO}}\)) [6, 26]. Following the groundbreaking work of Garg et al. [26], there are now several candidate constructions of \(\mathbf{iO } \) that can be based on hardness assumptions on (approximate) multilinear maps [29, 51].
Theorem 1
Assume the existence of indistinguishability obfuscation for \(\mathbf{P}/poly\) (with slightly superpolynomial security), oneway permutations (with slightly superpolynomial security) and collisionresistant hash function. Then there exists a constantround concurrent zeroknowledge argument for \({\mathsf {NP}} \).
 1.
We first observe that a warmup case considered in [16]—which shows the existence of constantround concurrent zeroknowledge based on, socalled, unique \(\mathbf{P} \)certificates (that is, \(\mathbf{P} \)certificates for which there exists at most one accepting certificate for each statement) directly generalizes also to unique \(\mathbf{P} \)certificates in the Common Random String model (a.k.a. the Uniform Random String model (URS)) satisfying an adaptive soundness property (where the statement to be proved can be selected after the URS).
 2.
We next show that by appropriately modifying the protocol, we can handle also unique \(\mathbf{P} \)certificates in the URS model satisfying even just a “static” soundness condition (where the statement needs to be selected before the URS is picked), and additionally also unique \(\mathbf{P} \)certificates (with static soundness) in the Common Reference String (CRS) model, where the reference string no longer is required to be uniform. Unique \(\mathbf{P} \)certificates in the CRS model (also with nonuniform soundness) can be constructed based on the existence of \(\mathbf{diO } \) for (a restricted class of) \(\mathbf{P}/poly\) [12], and as such this preliminary step already implies the result of [43] in a modular way (but with worse concrete round complexity).
 3.
We next show how to use fully homomorphic encryption (FHE) [28, 57] and \(\mathbf{iO } \) to modify the protocol to handle also tworound unique \(\mathbf{P} \) certificates. Tworound \(\mathbf{P} \)certificates are a generalization of \(\mathbf{P} \)certificates in the CRS model, where we allow the CRS (i.e., the “first message” from the verifier to the prover) to depend on the statement to be proven.
 4.
We finally leverage recent results on delegation of computation based on \(\mathbf{iO } \) from [9, 13, 39] and show that the beautiful scheme of Koppula, Lewko and Waters [39] can be modified into a twomessage unique \(\mathbf{P} \)certificate (also with nonuniform soundness).
More precisely, we show that any “succint” message hiding encoding [39], which is a relaxed version of a “succint” randomized encoding [9, 35], together with injective oneway functions yields a tworound unique \(\mathbf{P} \)certificate. [39] shows how to construct succint messagehiding encodings based on \(\mathbf{iO } \) and injective PRGs.
The above steps show how to obtain constantround concurrent \({\mathcal {ZK}} \) based on collisionresistant hashfunctions, \(\mathbf{iO } \) for \(\mathbf{P}/poly\), oneway permutations, and FHE. We finally observe that the messagehiding encoding of [39] has a particular nice structure that enables us to refrain from using FHE in the final protocol, thus reaching our final theorem.
1.3 Outline of Our Techniques
We here provide a detailed outline of our techniques. As mentioned, our construction heavily relies on a “warmup” case of the construction of [16], which we start by recalling (closely following the description in [16]). The starting point of the construction of [16] is the construction is Barak’s [2] nonblackbox zeroknowledge argument for \({\mathsf {NP}} \). Below, we briefly recall the ideas behind his protocol (following a slight variant of this protocol due to [47]).
Barak’s Protocol. Roughly speaking, on common input \(1^n\) and \(x \in \{0,1\}^{{{\mathrm{poly}}}(n)}\), the Prover \(\mathbf{P} \) and Verifier V, proceed in two stages. In Stage 1, P starts by sending a computationallybinding commitment \(c \in \{0,1\}^n\) to \(0^n\); V next sends a “challenge” \(r \in \{0,1\}^{2n}\). In Stage 2, P shows (using a witness indistinguishable argument of knowledge) that either x is true, or there exists a “short” string \(\sigma \in \{0,1\}^n\) such that c is a commitment to a program M such that \(M(\sigma )=r\).^{1}
Soundness follows from the fact that even if a malicious prover \(P^*\) tries to commit to some program M (instead of committing to \(0^n\)), with high probability, the string r sent by V will be different from \(M(\sigma )\) for every string \(\sigma \in \{0,1\}^n\). To prove ZK, consider the nonblackbox simulator S that commits to the code of the malicious verifier \(V^*\); note that by definition it thus holds that \(M(c) = r\), and the simulator can use \(\sigma =c\) as a “fake” witness in the final proof. To formalize this approach, the witness indistinguishable argument in Stage 2 must actually be a witness indistinguishable universal argument (WIUA) [4, 41] since the statement that c is a commitment to a program M of arbitrary polynomialsize, and that \(M(c) = r\) within some arbitrary polynomial time, is not in NP.
Now, let us consider concurrent composition. That is, we need to simulate the view of a verifier that starts poly(n) concurrent executions of the protocol. The above simulator no longer works in this setting: the problem is that the verifier’s code is now a function of all the prover messages sent in different executions. (Note that if we increase the length of r we can handle a bounded number of concurrent executions, by simply letting \(\sigma \) include all these messages).
So, if the simulator could commit not only to the code of \(V^*\), but also to a program M that generates all other prover messages, then we would seemingly be done. And at first sight, this doesn’t seem impossible: since the simulator S is actually the one generating all the prover messages, why don’t we just let M be an appropriate combination of S and \(V^*\)? This idea can indeed be implemented [47, 50], but there is a serious issue: if the verifier “nests” its concurrent executions, the runningtime of the simulation quickly blows up exponentially—for instance, if we have three nested sessions, to simulate session 3 the simulator needs to generate a WIUA regarding the computation needed to generate a WIUA for session 2 which in turn is regarding the generation of the WIUA of session 1 (so even if there is just a constant overhead in generating a WIUA, we can handle at most \(\log n\) nested sessions).
Unique Pcertificates to The Rescue: The “WarmUp” Case [16]. As shown in [16], the blowup in the runningtime can be prevented using Unique \(\mathbf{P} \)certificates. Roughly speaking, we say that (P, V) is a \(\mathbf{P} \)certificate system if (P, V) is a noninteractive proof system (i.e., the prover send a single message to the verifier, who either accepts or rejects) allowing an efficient prover to convince the verifier of the validity of any deterministic polynomialtime computation\(M(x) = y\) using a “certificate” of some fixed polynomial length (independent of the size and the runningtime of M) whose validity the verifier can check in some fixed polynomial time (independent of the runningtime of M). The \(\mathbf{P} \)certificate system is unique if there exists at most one accepted proof for any statement.
 Commitment Consistency:c is a commitment to a program \(M_1\), and

Input Certification: there exists a vector \(\lambda = ( (1,\pi _1), (2,\pi _2), \ldots )\) and a vector of messages \({\varvec{m}}\) such that \(\pi _j\) certifies that \(M_1(\lambda _{<j})\) outputs \(m_j\) in its j’th communication round, where \(\lambda _{<j} = ( (1,\pi _1), \ldots , (j1,\pi _{j1}))\), and

Prediction Correctness: there exists a \(\mathbf{P} \)certificate \(\pi \) of length n demonstrating that \(M_1(\lambda ) = r\).

Soundness of the modified protocol, roughly speaking, follows since by the unique certificate property, for every program \(M_1\) it inductively follows that for every j, \(m_j\) is uniquely defined, and thus also the unique (accepting) certificate \(\pi _j\) certifying \(M_1(\lambda _{<j}) = m_j\); it follows that \(M_1\) determines a unique vector \(\lambda \) that passes the input certification conditions, and thus there exists a single r that make \(M_1\) also pass the prediction correctness conditions. Note that we here inherently rely on the fact that the \(\mathbf{P} \)certificate is unique to argue that the sequence \(\lambda \) is uniquely defined. (Technically, we here need to rely on a \(\mathbf{P} \)certificate that is sound for slightly superpolynomialtime as there is no apriori polynomial bound on the runningtime of \(M_1\), nor the length of \(\lambda \).)
To prove zeroknowledge, roughly speaking, our simulator will attempt to commit to its own code in a way that prevents a blowup in the runningtime. Recall that the main reason that we had a blowup in the runningtime of the simulator was that the generation of the WIUA is expensive. Observe that in the new protocol, the only expensive part of the generation of the WIUA is the generation of the \(\mathbf{P} \)certificates \(\pi \); the rest of the computation has apriori bounded complexity (depending only on the size and runningtime of \(V^*\)). To take advantage of this observation, we thus have the simulator only commit to a program that generates prover messages (in identically the same way as the actual simulator), but getting certificates \(\varvec{{\pi }}\) as input.
In more detail, to describe the actual simulator S, let us first describe two “helper” simulators \(S_1,S_2\). \(S_1\) is an interactive machine that simulates prover messages in a “right” interaction with \(V^*\). Additionally, \(S_1\) is expecting some “external” messages on the “left”—looking forward, these “left” messages will later be certificates provided by \(S_2\).
\(S_1\) proceeds as follows in the right interaction. In Stage 1 of every session i, \(S_1\) first commits to a machine \(\tilde{S}_1(j',\tau )\) that emulates an interaction between \(S_1\) and \(V^*\), feeding \(S_1\) input \(\tau \) as messages on the left, and finally \(\tilde{S}_1\) outputs the verifier message in the \(j'\)’th communication round in the right interaction with \(V^*\). (Formalizing what it means for \(S_1\) to commit to \(\tilde{S}_1\) is not entirely trivial since the definition of \(\tilde{S}_1\) depends on \(S_1\); we refer the reader to the formal proof for a description of how this circularity is broken.^{2}) \(S_1\) next simulates Stage 2 by checking if it has received a message \((j,\pi _j)\) in the left interaction, where j is the communication round (in the right interaction with \(V^*\)) where the verifier sends its random challenge and expects to receive the first message of Stage 2; if so, it uses \(M_1=\tilde{S}_1\) (and the randomness it used to commit to it), j and \(\sigma \) being the list of messages received by \(S_1\) in the left interaction, as a “fake” witness to complete Stage 2.
The job of \(S_2\) is to provide \(\mathbf{P} \)certificates \(\pi _j\) for \(S_1\) allowing \(S_1\) to complete its simulation. \(S_2\) emulates the interaction between \(S_1\) and \(V^*\), and additionally, at each communication round j, \(S_2\) feeds \(S_1\) a message \((j,\pi _j)\) where \(\pi _j\) is a \(\mathbf{P} \)certificate showing that \(\tilde{S}_1(j,\sigma _{< j}) = r_j\), where \(\sigma _{<j}\) is the list of messages already generated by \(S_2\), and \(r_j\) is the verifier message in the j’th communication round. Finally, \(S_2\) outputs its view of the full interaction.
The actual simulator S just runs \(S_2\) and recovers from the view of \(S_2\) the view of \(V^*\) and outputs it. Note that since \(S_1\) has polynomial runningtime, generating each certificate about \(\tilde{S_1}\) (which is just about an interaction between \(S_1\) and \(V^*\)) also takes polynomial time. As such \(S_2\) can also be implemented in polynomial time and thus also S.
Finally, indistinguishability of this simulation, roughly speaking, follow from the hiding property of the commitment in Stage 1, and the WI property of the WIUA in Stage 2. (There is another circularity issue that arises in formalizing this—as \(S_1\) in essence needs to commit to its own randomness—but it can be dealt with as shown in [15, 16]; in this overview, we omit the details as they are not important for our modifications to the protocol, but they can be found in the formal proof.)
Generalizing to Unique Pcertificates in CRS model. The key technical contribution in [16] was to generalize the above approach to deal also with “nonunique” \(\mathbf{P} \)certificates. Here we instead aim to generalize the above approach to work with \(\mathbf{P} \)certificates in the CRS model, but still relying on the uniqueness property.
Let us first note that if we had access to unique \(\mathbf{P} \)certificate in the URS (i.e., the uniform reference string) model satisfying an adaptive soundness property (where the statement to be proved can be selected after the URS, then abovementioned protocol can be almost directly generalized to work with them (as opposed to using unique \(\mathbf{P} \)certificates in the “plain” model) by simply having the Verifier send the URS \(\rho \) along with its first message of the protocol.^{3} The only issue that needs to be addressed in implementing this change is to specify what it means that “\(\pi _j\) certifies that \(M_1(\lambda _{<j})\) outputs \(m_j\)” in the input certification step in Stage 2, since this certification needs to be done with respect to some URS. We modify Stage two to require that \(M_1\) outputs not only messages \(m_i\), but also reference strings \(\rho _i\). Let us remark that to ensure that soundness still holds, we require the \(\mathbf{P} \)certificate system to satisfy a strong uniqueness property: uniqueness of accepting proofs needs to hold for all reference strings \(\rho \).

We add a Stage 1.5 to the protocol where the Prover is asked to provide a commitment \(c_2\) to \(0^n\) and then asked to provide a WIUARG that either \(x\in L\) or \(c_2\) is a commitment to a “wellformed” statement (but not that the statement is true) for the \(\mathbf{P} \)certificate in use in Stage 2.

Stage 2 of the protocol is then modified to first have the Verifier send the URS for the \(\mathbf{P} \)certificate, and then requiring that the prover uses a \(\mathbf{P} \)certificate for the statement committed to in \(c_2\). In other words, we require the Prover to commit in advance, and prove knowledge of, the statement to be used in the \(\mathbf{P} \)certificate and thus static soundness suffices.
Additionally, this approach generalizes also to deal with unique \(\mathbf{P} \)certificates in the Common Reference String (CRS) model (where the reference string no longer needs to be uniform), by having the Verifier provide a zeroknowledge proof that the CRS was wellformed.^{4} Let us again remark that to ensure that soundness still holds, we require the uniqueness property of the \(\mathbf{P} \)certificate system to hold for all reference strings \(\rho \), even invalid ones.
Generalizing to Tworound Unique Pcertificates. The notion of a \(\mathbf{P} \)certificate in the CRS model requires that the same CRS can be used to prove any statement q of any (polynomiallyrelated) length. We will now consider a weaker notion of a \(\mathbf{P} \)certificate in the CRS model, where the CRS is “statementdependent”—that is, the CRS is generated as a function of the statement q to be proved. (On the other hand, while we allow the CRS to depend on the statement q, we require the length of the CRS to the independent of the lenght of q.) In essence, we are considering tworound publiclyverifiable delegation protocols. We refer to such schemes as tworound\(\mathbf{P} \)certificates. We now generalize the above approach to work with unique tworound \(\mathbf{P} \)certificates.

Instead of having the Verifier send the CRS in the clear (which it cannot compute as it does not know the statement q on which it will be run), it simply send an FHE encryption \(\hat{\alpha }\) of random coins \(\alpha \) needed to run the CRS generation. (Using PRGs, we may assume wlog that the lenght of \(\alpha \) is n.)

The Prover is then asked to provide a third commitment \(c_3\) to \(0^n\) and provide a WIUARG that either \(x \in L\) or \(c_3\) is a commitment to an FHE encryption \(\hat{\rho }\) obtained by running the CRSgeneration procedure (using the appropriate FHE operations) on the ciphertext \(\hat{\alpha }\). (That is, \(\hat{\rho }\) is an encryption of the CRS \(\rho \) obtained by running the CRS generation algorithm with random coins \(\alpha \).)

Next, the Verifier sends an indistinguishability obfuscation \(\tilde{\varPi } = \mathbf{iO } (\varPi )\) of a program \(\varPi \) that on input a decommitment \((\hat{\rho },r')\) to \(c_3\) decrypts \(\hat{\rho }\) (using the FHE secret key) into a CRS \(\rho \) and outputs it. (The reason that the Verifier cannot simply decrypt \(\hat{\rho }\) for the Prover is that \(\hat{\rho }\) cannot be sent to the Verifier in the clear; recall that the honest prover will never compute any such ciphertext, it is meant to commit to \(0^n\) and prove that \(x\in L\).) Additionally, the verifier gives a zeroknowledge proof that the obfuscation is correctly computed.

Then, the Prover provides a commitment \(c_4\) to \(0^n\) and provides a WI proof of knowledge that \(x\in L\) or \(c_4\) is a commitment to a CRS \(\rho \) computed by applying the obfuscated code \(\tilde{\varPi }\) to a proper decommitment of \(c_3\).

Finally, in Stage 2 of the protocol, we require the Prover to provide \(\mathbf{P} \)certificates w.r.t to the CRS \(\rho \) committed to in \(c_4\).
Note that if \(c_3\) is perfectly binding, then by \(\mathbf{iO } \) security of the obfuscation, we can replace \(\varPi \) with a program that has the CRS \(\rho \) hardcoded (without any knowledge of the random coins \(\alpha \) used to generate \(\rho \)), and this suffices for arguing that soundness of the protocol still holds. On the other hand, the simulation can proceed just as before except that the simulator now uses the obfuscated code \(\tilde{\varPi }\) to generate the CRS \(\rho \) and commits to it in \(c_4\).
Realizing Unique TwoRound PCertificates. We finally leverage recent results on delegation of computation based on \(\mathbf{iO } \) from [9, 13, 39] and show that the beautiful scheme of Koppula, Lewko and Waters [39] can be massaged (and slightly modified) into a twomessage unique \(\mathbf{P} \)certificate. More precisely, we show how to use the notion of a “succint” message hiding encoding [39]—a relaxed version of a “succint” randomized encoding [9, 35]—together with injective oneway functions to construct a tworound unique \(\mathbf{P} \)certificate. [39] shows how to construct succint messagehiding encodings (in fact, even succint randomized encodings) based on \(\mathbf{iO } \) for \(\mathbf{P}/poly\) and injective PRGs.
Let is point out that, just as [16], our protocol requires the use of \(\mathbf{P} \)certificates that satisfy a slightly strong soundness condition—namely, we require soundness to hold against circuits of size \(T(\cdot )\) where \(T(\cdot )\) is some “nice” (slightly) superpolynomial function (e.g., \(T(n) = n^{\log \log \log n}\)). To achieve such (delegatable) \(\mathbf{P} \)certificates, we thus rely on \(\mathbf{iO } \) for \(\mathbf{P}/poly\) secure against \(T(\cdot )\)size circuits.
Removing the Use of FHE. In a final step, we note that by relying on specific nice properties of the messagehiding encoding of [39], we obtain a tworound \(\mathbf{P} \)certificate satisfying a desirable property: Only a “small” part of the CRS generation procedure relies on secret coins. More precisely, the CRS generation procedure proceeds in three steps: (1) first, secret coins are used to generate a public parameter PP and a secret parameter K (this is done independently of the statement q), (2) next, only PP is used to deterministically process the statement q into a “short” digest d (independent of the length of q), and (3) the digest d and the secret parameter K is efficiently processed to finally generate the CRS (independent of the length of q). To emphasize, only step 2 requires work proportional to the length of q, but this work only requires public information.
We refer to such schemes as deletegable\(\mathbf{P} \)certificates in the CRS model and note that if we rely on such a scheme, then we can dispense the need for FHE in our final protocol, as the computation of the disgest can be directly delegated to the prover without the need of FHE.
This completes the informal description of our protocol and its proof of security. In our formal description of the final protocol, for simplicity, we directly present a solution using such delegetable \(\mathbf{P} \)certificates (without going through the construction using FHE). As mentioned above, the above description ignores certain subtleties required to prevent circularities in the simulation and the proof of security. To deal with these issue (already considered in [16]) as well as to streamline the description of the final protocol (to enable a better concrete roundcomplexity) the formal description slightly difference from what is outlined above.
Other Related Works. Since the work of Barak [2], nonblackbox simulation techniques have been used in several other contexts: Nonmalleability [3, 45, 48, 49], concurrent secure computation [7, 40, 45, 46], resettablesoundness [5, 10, 17, 18, 20, 23], covert secure computation [32] and more. We believe our techniques may yield improved constructions also in these settings.
We also mention recent work of [15, 31] that constructs publiccoin concurrent zeroknowledge protocols using nonblackbox simulation; these protocols are not constantround but instead rely on “standard” assumptions. Let us finally mention that the constantround concurrent zeroknowledge protocol of [16] (which relies on noninteractive \(\mathbf{P} \)certificates) actually also is publiccoin, whereas our protocol is not. We leave open the question of basing publiccoin concurrent zeroknowledge on \(\mathbf{iO } \).
Organization. In Sect. 2, we define unique twomessage \(\mathbf{P} \)certificates, and the property of delegatable CRS generation. We show how to instantiate them using message hiding encoding of [39] in the full version of the paper [19]. In Sect. 3, we present our constantround concurrent \({\mathcal {ZK}} \) protocol, and its simulator. We refer the reader to the full version [19] for preliminaries and full proof of our protocol.
2 TwoMessage \(\mathbf{P} \)certificates
We consider the following canonical languages for \(\mathbf{P} \): for every constant \(c \in N\), let \(L_c = \{ (M,x,y): M(x) =y\, \mathrm{within}\, x^c\, \mathrm{steps} \}\). Let \(T_M(x)\) denotes the running time of M on input x.
Definition 1
 Syntax and Efficiency: For every \(c \in N\), every \(q=(M,x,y) \in L_c\), and every \(k\in N\), the verification of the statement proceed as follows:

CRS Generation: Open image in new window , where \(\mathsf {Gen}\) runs in time \({{\mathrm{poly}}}(k, q)\). The length of \(\mathsf{CRS}\) is bounded by \(l _{\mathsf{CRS}}(k)\).

Proof Generation: Open image in new window , where \(\mathsf{P}_\mathsf{cert}\) runs in time \({{\mathrm{poly}}}(k, x, \min (T_M(x), x^c))\) with \(T_M(x)\le x^c\) the running time of M on input x. The length of the proof\(\pi \)is bounded by \(l _{\pi }(k)\).

Proof Verification: \( b = \mathsf{V}_\mathsf{cert}(1^k,c,\mathsf{CRS},q,\pi )\), where \(\mathsf{V}_\mathsf{cert}\) runs in time \({{\mathrm{poly}}}(k, q)\).


(Perfect) Completeness: For every \(c,d \in N\), there exists a negligible function \(\mu \) such that for every \(k \in N\) and every \(q=(M,x,y) \in L_c\) such that \(q \le k^d\), the probability that in the above execution \(\mathsf{V}_\mathsf{cert}\) outputs 1 is 1.
Definition 2
(Selective Strong Soundness). We say that a \(\mathbf{P} \)certificate system \((\mathsf {Gen},\mathsf{P}_\mathsf{cert},\mathsf{V}_\mathsf{cert})\) is (selectively) strong sound if the following holds:
Definition 3
(Uniqueness). We say that a \(\mathbf{P} \)certificate system \((\mathsf {Gen}, \mathsf{P}_\mathsf{cert},\mathsf{V}_\mathsf{cert})\) is unique if for every \(k\in N\), every constant \(c \in N\), string \(\mathsf{CRS}\in \{0,1\}^*\) and string \(q\in \{0,1\}^*\), there exists at most one string \(\pi \in \{0,1\}^*\), such that \(\mathsf{V}_\mathsf{cert}(1^k,c, \mathsf{CRS}, q, \pi ) = 1\).
Definition 4
(Delegatable CRS Generation). We say that a (twomessage) \(\mathbf{P} \)certificate \((\mathsf {Gen}, \mathsf{P}_\mathsf{cert}, \mathsf{V}_\mathsf{cert})\) has delegatable CRS generation if the CRS generation algorithm \(\mathsf {Gen}\) consists of three subroutines \((\mathsf{Setup}, \mathsf{PreGen}, \mathsf{CRSGen})\), and there are polynomials \(l _d\) and \(l _{\kappa }\), such that, the following holds:
 1.
Generate parameters: Open image in new window , where \(\mathsf{Setup}\) is probabilistic and runs in time \({{\mathrm{poly}}}(k)\). We call \({PP}\) the public parameter and \(K\) the key.
 2.
(Public) statement processing:\(d= \mathsf{PreGen}({PP}, q)\), where \(\mathsf{PreGen}\) is deterministic and runs in time \({{\mathrm{poly}}}(k, q)\), and the length of \(d\) is bounded by \(l _d(k)\). We call \(d\) the digest of the statement.
 3.
(Private) CRS generation: Open image in new window , where \(\mathsf{CRSGen}\) is probabilistic and runs in time \({{\mathrm{poly}}}(k)\), and the length of \({\kappa }\) is bounded by \(l _{{\kappa }}(k)\).
Finally, \(\mathsf {Gen}\) outputs \(\mathsf{CRS}= ({PP}, {\kappa })\).
The reason that we say such a CRS generation procedure is delegatable is because the only part of computation that depends on the statement is the statement processing step; all other steps runs in time a fixed polynomial in the security parameter. However, the statement processing step depends only on the public parameter and the statement; hence to ensure soundness, one only needs to ensure the correctness of this computation, without ensuring the “secrecy” of the computation. Therefore, we also call this step “public” statement processing.
Simple Verification Procedure. Finally, we define an additional property of \(\mathbf{P} \)certificates: We say that the verification algorithm of a \(\mathbf{P} \)certificate system is simple if \(\mathsf{V}_\mathsf{cert}\) only depends on the security parameter \(1^k\), the CRS \(\mathsf{CRS}\) and the proof \(\pi \) (independent of the statement q and the language index c). Naturally, the uniqueness property of this instantiation is that for any \(1^k\) and CRS string \(\mathsf{CRS}\), there is at most one unique accepting proof.
Instantiation of Pcertificates. In the full version of the paper [19], we show that unique twomessage \(\mathbf{P} \) certificates can be constructed from any “message hiding encoding scheme” [39] and injective oneway functions. Furthermore, we show that the \(\mathbf{P} \) certificates instantiated using the specific message hiding encoding of [39] has delegatable CRS generation and a simple verification procedure.
3 Our Protocol
 1.
A noninteractive perfectly binding commitment scheme \(\mathsf{com}\). We assume without loss of generality that \(\mathsf{com}\) only needs n bits of randomness to commit to any nbit string, (as it can always expand these n bits into a longer sequence using a PRG).
The requirement for a perfectly binding commitment scheme can be weakened to rely only on a statistically binding commitment scheme. See Remark 2 in the full version of the paper [19] for more details.
 2.A strong (twomessage) \(\mathbf{P} \)certificate system \((\mathsf {Gen}, \mathsf{P}_\mathsf{cert},\mathsf{V}_\mathsf{cert})\) with delegatable CRS generation \(\mathsf {Gen}= (\mathsf{Setup}, \mathsf{PreGen}, \mathsf{CRSGen})\) (and simple verification). The strong soundness property is associated with parameter \(T(\cdot )\) and \(C(\cdot )\), where \(T(\cdot )\) is a “nice” superpolynomial function and \(C(\cdot )\) is a “nice” superconstant function. The uniqueness property ensures that for every string \(\mathsf{CRS}\), there exists at most one proof \(\pi \) that is accepted by \(\mathsf{V}_\mathsf{cert}(1^n, \mathsf{CRS}, \pi ) = 1\). This allows us to define the following deterministic oracle \({\mathcal {O}} _{Vcert}^n\), which will be used in the CZK protocol later.We call \({\mathcal {O}} _{Vcert}^n\) the \(\mathbf{P} \)certificate oracle. Additionally, we consider a universal emulator \(\mathsf{Emulator}^n\) that on input (P, x, O) emulates the execution of a deterministic oracle machineP on input x with oracle \({\mathcal {O}} _{Vcert}^n\) as follows: It parses O as an vector; to answer the \(i^\mathrm{{th}}\) query \(\mathsf{CRS}_i\) from P, it checks whether \(O_i\) is the right answer from this CRS (i.e., \(\mathsf{V}_\mathsf{cert}(1^n, \mathsf{CRS}_i, O_i)\) = 1); if so, it returns \(O_i\) to P; otherwise, it aborts and outputs \(\bot \). Finally, the emulator outputs the output of P.$$\begin{aligned} {\mathcal {O}} _{Vcert}^n(\mathsf{CRS}) = {\left\{ \begin{array}{ll} \pi &{} \text {If there exists unique}\, \pi \text{ s.t. } \mathsf{V}_\mathsf{cert}(1^n, \mathsf{CRS}, \pi ) = 1\\ \bot &{} \text {otherwise} \end{array}\right. } \end{aligned}$$
For simplicity, we assume that the lengths of the \(\mathsf {CRS}\), the proof \(\pi \), and the digest of statement \(d\) are all bounded by n, the security parameter. This is without loss of generality, and can be achieved by scaling down the security parameter.
We assume by default that the two message \(\mathbf{P} \)certificate system has a simple verification procedure (i.e., \(\mathsf{V}_\mathsf{cert}\) depends only on \(1^k, \mathsf{CRS}, \pi \), but not the statement); this is w.l.o.g., since our instantiation based on the message hiding encoding of [39] satisfies this property. But this is not necessary. See Remark 3 in the full version of the paper [19] on how to avoid using this property.
 3.
A family of hash functions \(\left\{ {\mathcal{H}_n} \right\} _n\): to simplify the exposition, we here assume that both \(\mathsf{com}\) and \(\left\{ {\mathcal{H}_n} \right\} _n\) are collision resistant against circuits of size \(T'(\cdot )\), where \(T'(\cdot )\) is “nice” superpolynomial function.
As in [4], this assumption can be weakened to just collision resistance against polynomialsize circuits by modifying the protocol to use a “good” errorcorrecting code \(\mathtt{ECC}\) (i.e., with constant distance and with polynomialtime encoding and decoding), and replace commitments \(\mathsf{com}(h(\cdot ))\) with \(\mathsf{com}(h(\mathtt{ECC}(\cdot )))\). See Remark 1 in the full version of the paper [19] for more discussion.
 4.
An indistinguishability obfuscator \(i\mathcal {O}\) for circuits.
 5.
A constantround WIUA argument system, a constantround \(\mathcal {WISSP} \) proof system, and a constantround \({\mathcal {ZK}} \) argument system.

Phase 1—Program Slot:P and V exchanges the following three messages.
 (a)
V chooses a randomly sampled hash function \(h\leftarrow {\mathcal {H}}_n\).
 (b)
P sends a commitment c to \(0^n\) using \(\mathsf{com}\), and random coins \(\rho _1\).
 (c)
V replies with a random “challenge” r of length 4n.
 (a)

We call (c, r) the programslot.
Note:In simulation, the simulator commits to a program\(\tilde{S}_1\).

Phase 2—Commit to Statement:P and V exchanges the following messages.
 (a)
P sends a commitment \(c_2\) to \(0^n\) using \(\mathsf{com}\), and random coins \(\rho _2\).
 (b)P gives a WIUA argument of the statement that either \(x\in L\) OR there exists \( \tilde{S}_1 \in \{0,1\}^{\varGamma (n)}\), \(j \in [m]\), \(s \in \{0,1\}^n\), \(\pi \in \{0,1\}^n\), \(\sigma \in \{0,1\}^{\varGamma (n)}\), \(\rho \), \(\rho _2\) such that,

Knowledge of Statement:\(c_2= \mathsf{com}(h(q); \rho _2)\), where \(q\in \{0,1\}^{3\varGamma }\).
 Correctness of Statement: The statement \(q\) satisfies
 –
Use of Emulator:\(q\) is parsed into \((\mathsf{Emulator}^n, (\tilde{S}_1, (1^n, j, s), \sigma ), r)\).
 –
Program Consistency:\(c = \mathsf{com}(h(\tilde{S}_1); \rho )\).
 –

If the argument is not accepting, V aborts.

 (a)

Note:By definition of the emulator\(\mathsf{Emulator}^n\), on input\((\tilde{S}_1, (1^n, j, s), \sigma )\), it will emulate the execution of the deterministic oracle machine\(\tilde{S}_1(1^n, j, s)\)with oracle\({{\mathcal {O}} _{Vcert}^n}\) using answers stored in vector\(\sigma \).
The purpose of this phase is twofold: First, it enforces a cheating prover to commit to the “trapdoor” statement before the\(\mathsf {CRS}\)of the\(\mathbf{P} \)certificate is generated, and hence the soundness of the protocol only relies on theselectivesoundness of the\(\mathbf{P} \)certificate. Second, it checks whether the “trapdoor” statement has the right structure, in particular, the statement is about whether\(\tilde{S}_1^{{\mathcal {O}} _{Vcert}}(1^n, j, s) = r\), when the oracle is emulated by\(\mathsf{Emulator}^n\)using\(\sigma \), who checks the correctness of the proofs in\(\sigma \).

Note that the soundness of the protocol will crucially rely on the fact that the input to\(\tilde{S}_1\)has length at most 3n, much smaller than the length, 4n, of the outputr(and the deterministic oracle\({\mathcal {O}} _{Vcert}\)is emulated correctly by \(\mathsf{Emulator}^n\)). On the other hand, in the simulation, the simulator will commit to the “trapdoor” statement,\(q= (\mathsf{Emulator}^n, (\tilde{S}_1, (1^n, j, s), \sigma ), r)\)in order to “cheat”.
 Phase 3—Delegate Public Statement Processing:V delegates the public statement processing to P:
 (a)
V generates \(({PP}, K) = \mathsf{Setup}(1^n, D; \rho _\mathsf{Setup})\) using random coins \(\rho _\mathsf{Setup}\), and sends \({PP}\).
 (b)
P sends a commitment \(c_3\) to \(0^n\) using \(\mathsf{com}\), and random coins \(\rho _3\).
 (c)P gives a WIUA argument of the statement that either \(x\in L\) OR there exists, \(d\in \{0,1\}^n\), \(q\in \{0,1\}^{3\varGamma }\), \(\rho _2\), \(\rho _3\), such that,

Statement Consistency:\(c_2 = \mathsf{com}(h(q); \rho _2)\).

Digest Consistency:\(c_3 = \mathsf{com}(d; \rho _3)\).

Correctness of Digest:\(d= \mathsf{PreGen}({PP}, q)\).

If the argument is not accepting, V aborts.

 (a)

Note:The purpose of this Phase is to allow the verifier to delegate the computation of the digest of the statement toP. In simulation, the simulator will compute, commit to and prove correctness of\(d= \mathsf{PreGen}({PP},q)\). Vcannot compute\(d\)itself, since (1) it does not know the “trapdoor” statementqand (2) the computation takes\({{\mathrm{poly}}}(n, q)\), which is too expensive for the verifier.
 Phase 4—Delegate Private CRS Generation:V delegates the private CRS generation to P:
 (a)
V sends the indistinguishability obfuscation Open image in new window of program \({\mathbf {P}}= {\mathbf {P}}^{n, c_3,{PP},K,\rho _\mathsf{CRSGen}}\) with \(c_4\), \(K\), and a random string \(\rho _\mathsf{CRSGen}\) hardwired in. \({\mathbf {P}}\) on input \((d', \rho ')\) checks whether \(c_3 = \mathsf{com}(d', \rho ')\) and outputs \({\kappa }= \mathsf{CRSGen}({PP}, K, d; \rho _\mathsf{CRSGen})\) if it is the case, and \(\bot \) otherwise. The functionality of \({\mathbf {P}}\) is described formally in Fig. 1.
 (b)V gives a \({\mathcal {ZK}} \) argument of the statement that there exists \(K\in \{0,1\}^n\), \(\rho _\mathsf{Setup}\), \(\rho _\mathsf{CRSGen}\), \(\rho _{i\mathcal {O}}\), such that,

Correctness of Public Parameter:\(({PP}, K) = \mathsf{Setup}(1^n, D; \rho _\mathsf{Setup})\).

Correctness of Obfuscation: \(\varLambda = i\mathcal {O}({\mathbf {P}}^{c_3,{PP},K,\rho _\mathsf{CRSGen}}; \rho _{i\mathcal {O}})\)
If the argument is not accepting, P aborts.

 (c)
P sends commitment \(c_4\) of \(0^n\) using \(\mathsf{com}\) and random coins \(\rho _4\).
 (d)P gives a \(\mathcal {WISSP}\) proof of the statement that either \(x\in L\) OR there exists \(\mathsf{CRS}\in \{0,1\}^n\), \(d'\in \{0,1\}^n\), \(\rho '\), \(\rho _4\), such that,

CRS Consistency:\(c_4 = \mathsf{com}(\mathsf{CRS}; \rho _4)\).

Correctness of CRS:\(\mathsf{CRS}= ({PP}, {\kappa })\) and \({\kappa }= \overline{{\mathbf {P}}}(d', \rho ')\).

If the proof is not accepting, V aborts.

 (a)

Note:The purpose of this Phase is to allow the verifier to delegate the computation of\(\mathsf {CRS}\) to P. In simulation, the simulator will compute, commit to, and prove correctness of\(\mathsf {CRS}= ({PP}, {\kappa })\), with\({\kappa }=\overline{{\mathbf {P}}}(d, \rho _3)\). Vcannot compute\({\kappa }\)itself, even though the computation takes only polynomial time inn, since\(d\)cannot be revealed toVin order to ensure the indistinguishability of the simulation. On the other hand, to ensure the “privacy” of the CRS computation,Vdelegates this computation via obfuscation.
 Phase 5—Final Proof:P gives the final proof:
 (a)P gives a \(\mathcal {WISSP}\) proof of the statement that either \(x\in L\) OR there exists \(\pi \in \{0,1\}^n\), \(\mathsf{CRS}\in \{0,1\}^n\), \(\rho _4\), such that,

CRS Consistency:\(c_4 = \mathsf{com}(\mathsf{CRS}; \rho _4)\),

Proof Verification:\(\pi \) verifies w.r.t. \(\mathsf{CRS}\), \(\mathsf{V}_\mathsf{cert}(1^n, \mathsf{CRS}, \pi ) = 1\).

V accepts if the proof is accepting.

 (a)

Note:In simulation, the simulator computes proof Open image in new window , and succeed in the final proof by using\(\pi \) and \(\mathsf {CRS}, \rho _4\)generated in the last phase as “trapdoor” witness.
Theorem 1
Assume indistinguishability obfuscation for \(\mathbf{P}/poly\), an injective pseudorandom generator, and collision resistant hash functions that are superpolynomially secure. Then, the above protocol \(\langle P, V\rangle \) is a concurrent \({\mathcal {ZK}} \) argument system for \({\mathsf {NP}} \).
The completeness of the protocol follows from the completeness of the \(\mathsf{WIUA} \) argument of knowledge, \(\mathcal {WISSP} \), and the \({\mathcal {ZK}} \) argument. In the next subsection, we describe the concurrent zero knowledge simulator. The analysis of the simulator and the proof of concurrent \({\mathcal {ZK}} \) property, as well as the soundness proof, are provided in the full version of the paper [19].
3.1 Contruction of the Simulator
The goal of our simulator is to try to “commit to its own code” and prove about its own execution using \(\mathbf{P} \)certificates in a way that prevents a blowup in the runningtime. Note that the only expensive part of this process is the generation of the \(\mathbf{P} \)certificates \(\varvec{\pi }\); the rest of the computation has apriori bounded complexity (depending only on the size and runningtime of \(V^*\)). To take advantage of this observation, we thus have the simulator only commit to an oracle program that generates prover messages (in identically the same way as the actual simulator), but getting certificates \(\varvec{{\pi }}\) from the \(\mathbf{P} \)certificate oracle.
To describe the actual simulator S, let us first describe two “helper” simulators \(S_1,S_2\). Roughly speaking, \(S_1\) is an interactive machine that simulates prover messages in a “right” interaction with \(V^*\). Additionally, \(S_1\) excepts to have access to oracle \({\mathcal {O}} _{Vcert}\) on the “left”, in particular, at any point, it can send a CRS string \(\mathsf{CRS}\) and gets back the \(\pi = {\mathcal {O}} _{Vcert}(\mathsf{CRS})\) the unique accepting certificate w.r.t. this \(\mathsf{CRS}\) (or \(\bot \), if such a certificate does not exist); the oracle will be simulated by \(S_2\), who provides these “left” certificates.
Let us turn to a formal description of the \(S_1\) and \(S_2\). To simplify the exposition, we assume w.l.o.g that \(V^*\) has its nonuniform advice z hardcoded, and is deterministic (as it can always get its random tape as nonuniform advice).

Generate Randomness: Upon invocation, \(S_1\) generates its “randomtape” by expanding the seed s; more specifically, let \((s_{\ell }, s_{\ell 1}, \ldots s_1)\), \((q_{\ell }, q_{\ell 1}, \ldots , q_1)\) be the output of \(g(s,\ell )\). We assume without loss of generality that \(S_1\) only needs n bits of randomness to generate any prover message (it can always expand these n bits into a longer sequence using a PRG); in order to generate its \(j^\mathrm{{th}}\) prover message, it uses \(q_j\) as randomness.

Simulate Phase 1–Commit to Its Own Code: Upon receiving a hash function \(h_i\) in session i during the \(j^\mathrm{{th}}\) communication round, \(S_1\) provides a commitment \(c_i\) to (the hash of) the deterministic oracle machine \(\tilde{S}_1(1^n, \alpha , s') = wrap(M(1^n, x,M,s',\alpha ),\)\(V^*,\alpha )\), where \(wrap(A,B,\alpha )\) is the program that lets A communicate with B for \(\alpha \) rounds, while allowing A to access oracle \({\mathcal {O}} _{Vcert}\), and finally outputting B’s message in the \(j^\mathrm{{th}}\) communication round. Note:That is,\(\tilde{S}_1(1^n, \alpha ,s',\tau )\)emulates\(\alpha \) rounds of an execution between\(S_1\) and \(V^*\)where\(S_1\)expands out the seed\(s'\)into\(\alpha \)blocks of randomness and additionally have access to\({\mathcal {O}} _{Vcert}\).

Simulate Phase 2–Commit to the Trapdoor Statement: Upon receiving a challenge \(r_i\) in session i during the \(j^\mathrm{{th}}\) communication round, \(S_1\) needs to commit to the “trapdoor” statement it will later prove in the final proof. To do so, it prepares statement \(q_i = (\mathsf{Emulator}^n, (\tilde{S}_1, (1^n, j, s_j), \tau _{j1}), r_i)\), where \(\tau _{j1}\) is the list of oracle answers received by \(S_1\) in the first \(j1\) communication rounds.
Note:That is, the “trapdoor” statement is that the execution of\(\tilde{S}_1(1^n, j ,s_j)\), emulated by\(\mathsf{Emulator}^n\), outputsr, when its\(k^{th}\)oracle queries is answered using \(\tau _{j1, k}\); additionally, the validity of each answer is checked by\(\mathsf{Emulator}^n\)(i.e., the answer must be an accepting proof w.r.t. the query CRS string).
By construction of\(\tilde{S}_1\), this means after j communication rounds between\(S_1\) and \(V^*\), where\(S_1\)uses randomness expanded out from\(s_j\), and oracle answers\(\tau _{j1}\), \(V^*\)outputs\(r_i\)in the\(j^{th}\)s communication round. Note that since we only require\(\tilde{S}_1\)to generate the\(j^{th}\)verifier message, giving him the seed\((s_j,j)\)as input suffices to generate all prover messages in rounds\(j' < j\). It follows from the consistency requirement of the forward secure PRG that \(\tilde{S}_1\)using\((s_j,j)\)as seed will generate the exact same random sequence for the\(j1\)first blocks as if running \(\tilde{S}_1\)using\((s,\ell )\)as seed. Therefore, the “trapdoor” statement holds.
In later communication rounds, when \(S_1\) receives a message from \(V^*\) belonging to the \(\mathsf{WIUA} \) in Phase 2 of session i, \(S_1\) proves honestly that it knows the statement \(q_i\) it is committing to in session i, and the statement is correctly formatted and consistent with the program \(\tilde{S}_1\) committed to in Phase 1 of session i.

Simulate Phase 3–Process the Trapdoor Statement: Upon receiving a public parameter \({PP}_i\) in session i during the \(j^\mathrm{{th}}\) communication round, \(S_1\) needs to commit to the digest \(d_i\) of the “trapdoor” statement \(q_i\) of session i. To do so, it computes honestly Open image in new window and commits to \(d_i\) using \(\mathsf{com}\), and randomness \(\rho _i\).
In later communication rounds, when \(S_1\) receives a message from \(V^*\) belonging to the \(\mathsf{WIUA} \) in Phase 3 of session i, \(S_1\) proves honestly that it knows \(d_i\) committed to in Phase 3 of session i and it is computed correctly w.r.t. \({PP}_i\) and a statement \(q_i\) committed to in Phase 2 of session i.

Simulate Phase 4–Compute the CRS: Upon receiving an obfuscated program \(\varLambda _i\), \(S_1\) acts as an honest verifier of the \({\mathcal {ZK}} \) argument to verify that \({PP}_i\) and \(\varLambda _i\) in session i are correctly generated. Upon receiving the last message of the \({\mathcal {ZK}} \) argument, in the \(j^\mathrm{{th}}\) communication round, \(S_1\) needs to commit to the \(\mathsf{CRS}_i\) of session i. To do so, it computes \({\kappa }_i = \varLambda _i(d_i, \rho _i)\). If the output is \(\bot \), \(S_1\) aborts. Otherwise, it commits to \(\mathsf{CRS}_i = ({PP}_i,{\kappa }_i)\) using \(\mathsf{com}\).
In later communication rounds, when \(S_1\) receives a message from \(V^*\) belonging to the \(\mathcal {WISSP} \) in Phase 4 of session i, \(S_1\) proves honestly that it knows \({\kappa }_i\) committed to in Phase 4 of session i and it is computed correctly w.r.t. \(\varLambda _i\) and a digest \(d_i\) committed to in Phase 3 of session i.

Simulate Phase 5–Prove the Trapdoor Statement Using Pcertificate: Upon receiving the last message from \(V^*\) in Phase 4 of session i, during the \(j^\mathrm{{th}}\) communication round, \(S_1\) needs to prove in the \(\mathcal {WISSP} \) proof that there is a \(\mathbf{P} \)certificate that verifies the validity of the “trapdoor” statement \(q_i\) w.r.t. the CRS string \(\mathsf{CRS}_i\) committed to in Phase 4 of session i. To do so, it sends query \(\mathsf{CRS}_i\) to its oracle \({\mathcal {O}} _{Vcert}\), and obtains answer \(\pi _i\). It aborts if \(\pi _i = \bot \). Otherwise, \(S_1\) provides an honest \(\mathcal {WISSP}\) that \(\mathsf{V}_\mathsf{cert}(1^n, \mathsf{CRS}_i, \pi _i) = 1\) w.r.t. \(\mathsf{CRS}_i\) which is the committed value in Phase 4 of session i.
Due to the lack of space, the analysis of the simulator, including its running time, and the correctness of its output distribution is provided in the full version of the paper [19], which also contains the soundness proof.
Footnotes
 1.
We require that C is a commitment scheme allowing the committer to commit to an arbitrarily long string \(m \in \{0,1\}^*\). Any commitment scheme for fixedlength messages can easily be modified to handle arbitrarily long messages by asking the committer to first hash down m using a collisionresistant hash function h chosen by the receiver, and next commit to h(m).
 2.
Roughly speaking, we let \(S_1\) take the description of a machine M as input, and we then run \(S_1\) on input \(M=S_1\).
 3.
To make this work, we need to rely on \(\mathbf{P} \)certificates in the URS model with perfect completeness. This requirement can be removed by additionally performing a cointossing to determine the URS. For simplicity of exposition, we here simply assume perfect completeness.
 4.
Again, we here rely on \(\mathbf{P} \)certificates in the CRS model with perfect completeness. This requirement can also be avoided by having the prover and the verifier perform cointossinginthewell to determine the secret coins the verifier should use for generating the CRS. As our instantiations of \(\mathbf{P} \)certificates will satisfy perfect completeness, we do not further formalize this approach.
References
 1.Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differinginputs obfuscation and applications (2013)Google Scholar
 2.Barak, B.: How to go beyond the blackbox simulation barrier. In: FOCS, pp. 106–115 (2001)Google Scholar
 3.Barak, B.: Constantround cointossing with a man in the middle or realizing the shared random string model. In: FOCS, Washington, DC, USA, 2002, pp. 345–355. IEEE Computer Society (2002)Google Scholar
 4.Barak, B., Goldreich, O.: Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
 5.Barak, B., Goldreich, O., Goldwasser, S., Lindell, Y.: Resettablysound zeroknowledge and its applications. In: FOCS, pp. 116–125 (2001)Google Scholar
 6.Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001) CrossRefGoogle Scholar
 7.Barak, B., Sahai, A.: How to play almost any mental game over the net  concurrent composition via superpolynomial simulation. In: FOCS, pp. 543–552 (2005)Google Scholar
 8.Bellare, M., Palacio, A.: Towards plaintextaware publickey encryption without random oracles. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 48–62. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 9.Bitansky, N., Garg, S., Lin, H., Pass, R., Telang, S.: Succint randomized encodings and obfuscations. Manuscript (subsuming an early version appearing as Succint Garbling Schemes and Applications [LinPass, Eprint Report 2014/766]) (2014)Google Scholar
 10.Bitansky, N., Paneth, O.: From the impossibility of obfuscation to a new nonblackbox simulation technique. In: FOCS, pp. 223–232 (2012)Google Scholar
 11.Boyle, E., Chung, K.M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 12.Boyle, E., Pass, R.: Limits of extractability assumptions with distributional auxiliary input. Cryptology ePrint Archive, Report 2013/703 (2013). http://eprint.iacr.org/
 13.Canetti, R., Holmgren, J., Jain, A., Vaikuntanathan, V.: Indistinguishability obfuscation of iterated circuits and ram programs. Cryptology ePrint Archive, Report 2014/769 (2014)Google Scholar
 14.Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Blackbox concurrent zeroknowledge requires \(\tilde{\omega }(\log n)\) rounds. In: STOC, pp. 570–579 (2001)Google Scholar
 15.Canetti, R., Lin, H., Paneth, O.: Publiccoin concurrent zeroknowledge in the global hash model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 80–99. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 16.Chung, K., Lin, H., Pass, R.: Constantround concurrent zero knowledge from pcertificates. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 October 2013, Berkeley, CA, USA, pp. 50–59 (2013)Google Scholar
 17.Chung, K.M., Ostrovsky, R., Pass, R., Venkitasubramaniam, M., Visconti, I.: 4Round resettablysound zero knowledge. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 192–216. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 18.Chung, K., Pass, R., Seth, K.: Nonblackbox simulation from oneway functions and applications to resettable security. In: Symposium on Theory of Computing Conference, STOC 2013, 1–4 June 2013, Palo Alto, CA, USA, pp. 231–240 (2013)Google Scholar
 19.Chung, K.M., Lin, H., Pass, R.: Constantround concurrent zeroknowledge from indistinguishability obfuscation. Cryptology ePrint Archive, Report 2014/991 (2014). http://eprint.iacr.org/
 20.Chung, K.M., Ostrovsky, R., Pass, R., Visconti, I.: Simultaneous resettability from oneway functions (2013)Google Scholar
 21.Damgård, I.B.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992) Google Scholar
 22.Damgård, I.B.: Efficient concurrent zeroknowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000) CrossRefGoogle Scholar
 23.Deng, Y., Goyal, V., Sahai, A.; Resolving the simultaneous resettability conjecture and a new nonblackbox simulation strategy. In: FOCS, pp. 251–260 (2009)Google Scholar
 24.Dwork, C., Naor, M., Sahai, A.: Concurrent zeroknowledge. J. ACM 51(6), 851–898 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
 25.Dwork, C., Sahai, A.: Concurrent zeroknowledge: reducing the need for timing constraints. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 177–190. Springer, Heidelberg (1998) Google Scholar
 26.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: Proceedings of FOCS 2013 (2013)Google Scholar
 27.Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differinginputs obfuscation and extractable witness encryption with auxiliary input. Technical report, Cryptology ePrint Archive, Report 2013/860, 6 (2013)Google Scholar
 28.Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st Annual ACM Symposium on Theory of Computing, 31 May  2 June 2009, Bethesda, Maryland, USA, pp. 169–178. ACM Press (2009)Google Scholar
 29.Gentry, C., Lewko, A., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. Cryptology ePrint Archive, Report 2014/309 (2014). http://eprint.iacr.org/
 30.Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
 31.Goyal, V.: Nonblackbox simulation in the fully concurrent setting. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, 1–4 June 2013, Palo Alto, CA, USA, pp. 221–230. ACM Press (2013)Google Scholar
 32.Goyal, V., Jain, A.: On the round complexity of covert computation. In: STOC, pp. 191–200 (2010)Google Scholar
 33.Gupta, D., Sahai, A.: On constantround concurrent zeroknowledge from a knowledge assumption. Cryptology ePrint Archive, Report 2012/572 (2012). http://eprint.iacr.org/
 34.Hada, S., Tanaka, T.: On the existence of 3round zeroknowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998) Google Scholar
 35.Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to roundefficient secure computation. In: 41st Annual Symposium on Foundations of Computer Science, 12–14 November 2000, Redondo Beach, California, USA, pp. 294–304. IEEE Computer Society Press (2000)Google Scholar
 36.Ishai, Y., Pandey, O., Sahai, A.: Publiccoin differinginputs obfuscation and its applications. Cryptology ePrint Archive, Report 2014/942 (2014). http://eprint.iacr.org/
 37.Kilian, J., Petrank, E.: Concurrent and resettable zeroknowledge in polyloalgorithm rounds. In: STOC, pp. 560–569 (2001)Google Scholar
 38.Kilian, J., Petrank, E., Rackoff, C.: Lower bounds for zero knowledge on the internet. In: FOCS, pp. 484–492 (1998)Google Scholar
 39.Koppula, V., Lewko, A.B., Waters, A.B.: Indistinguishability obfuscation for turing machines with unbounded memory. Cryptology ePrint Archive, Report 2014/925 (2014). http://eprint.iacr.org/
 40.Lindell, Y.: Boundedconcurrent secure twoparty computation without setup assumptions. In: STOC, pp. 683–692 (2003)Google Scholar
 41.Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
 42.Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003) CrossRefGoogle Scholar
 43.Pandey, O., Prabhakaran, M., Sahai, A.: Obfuscationbased nonblackbox simulation and four message concurrent zero knowledge for np. Cryptology ePrint Archive, Report 2013/754 (2013). http://eprint.iacr.org/
 44.Pass, R.: Simulation in quasipolynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656. Springer, Heidelberg (2003) Google Scholar
 45.Pass, R.: Boundedconcurrent secure multiparty computation with a dishonest majority. In: STOC, New York, NY, USA, pp. 232–241. ACM (2004)Google Scholar
 46.Pass, R., Rosen, A.: Boundedconcurrent secure twoparty computation in a constant number of rounds. In: FOCS, pp. 404–413 (2003)Google Scholar
 47.Pass, R., Rosen, A.: How to simulate using a computer virus. Unpublished manuscript (2003)Google Scholar
 48.Pass, R., Rosen, A.: Concurrent nonmalleable commitments. In: FOCS, pp. 563–572 (2005)Google Scholar
 49.Pass, R., Rosen, A.: New and improved constructions of nonmalleable cryptographic protocols. In: STOC, pp. 533–542 (2005)Google Scholar
 50.Pass, R., Rosen, A., Tseng, W.L.D.: Publiccoin parallel zeroknowledge for np. J. Cryptology 26, 1–10 (2011)MathSciNetCrossRefGoogle Scholar
 51.Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semanticallysecure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014) Google Scholar
 52.Pass, R., Tseng, W.L.D., Venkitasubramaniam, M.: Concurrent zeroknowledge, revisited. J. Cryptology 27, 45–66 (2012)CrossRefGoogle Scholar
 53.Pass, R., Venkitasubramaniam, M.: Private coins versus public coins in zeroknowledge proof systems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 588–605. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 54.Popper, K.: Conjectures and Refutations: The Growth of Scientific Knowledge. Routledge, New York (1963)Google Scholar
 55.Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic roundcomplexity. In: FOCS, pp. 366–375 (2002)Google Scholar
 56.Richardson, R., Kilian, J.: On the concurrent composition of zeroknowledge proofs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 415–432. Springer, Heidelberg (1999) Google Scholar
 57.Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms (1978)Google Scholar
 58.Rosen, A.: A note on the roundcomplexity of concurrent zeroknowledge. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 451–468. Springer, Heidelberg (2000) CrossRefGoogle Scholar