Statistical Concurrent Non-malleable Zero-Knowledge from One-Way Functions
Abstract
Concurrent non-malleable zero-knowledge (\(\mathrm {CNMZK}\)) protocols are zero-knowledge protocols that are secure even when the adversary interacts with multiple provers and verifiers simultaneously. Recently, the first statistical \(\mathrm {CNMZK}\) argument for \(\mathcal {NP}\) was constructed by Orlandi et al. (TCC’14) under the DDH assumption.
In this paper, we construct a statistical \(\mathrm {CNMZK}\) argument for \(\mathcal {NP}\) assuming only the existence of one-way functions. The security is proven via black-box simulation, and the round complexity is \(\mathsf {poly}(n)\). Under the existence of collision-resistant hash functions, the round complexity can be reduced to \(\omega (\log n)\), which is essentially optimal for black-box concurrent zero-knowledge.
Keywords
Hybrid Simulator, Commitment Scheme, Main Thread, Negligible Probability, Hiding Property
1 Introduction
Zero-knowledge (\(\mathrm {ZK}\)) proofs and arguments are protocols that enable the prover to convince the verifier of the correctness of a mathematical statement while providing zero additional knowledge. This “zero additional knowledge” property is formalized by using the simulation paradigm: An interactive proof or argument is said to be zero-knowledge if for any adversarial verifier there exists a simulator that can output a simulated view of the adversary. In the original definition of the \(\mathrm {ZK}\) property, the adversary interacts with a single prover at a time. Thus, the original definition guarantees the \(\mathrm {ZK}\) property only in the stand-alone setting.
Non-malleable zero-knowledge (\(\mathrm {NMZK}\)) [6] and concurrent zero-knowledge (\(\mathrm {CZK}\)) [7] are security notions that guarantee the \(\mathrm {ZK}\) property in the concurrent setting. Specifically, \(\mathrm {NMZK}\) guarantees the \(\mathrm {ZK}\) property in the setting where the adversary concurrently interacts with an honest prover in the left session and an honest verifier in the right session, and \(\mathrm {CZK}\) guarantees the \(\mathrm {ZK}\) property in the setting where the adversary concurrently interacts with an unbounded number of honest provers.
As a security notion that implies both \(\mathrm {NMZK}\) and \(\mathrm {CZK}\), Barak et al. [1] proposed concurrent non-malleable zero-knowledge (\(\mathrm {CNMZK}\)). \(\mathrm {CNMZK}\) guarantees the \(\mathrm {ZK}\) property in the setting where the adversary concurrently interacts with many provers in the left sessions and many verifiers in the right sessions. In particular, it guarantees that receiving proofs in the left sessions does not help the adversary to give proofs in the right sessions—that is, it guarantees that if the adversary can prove some statements in the right sessions while receiving proofs in the left sessions, the adversary could prove the same statements even without receiving proofs in the left sessions. In the definition of \(\mathrm {CNMZK}\), this guarantee is formalized as the existence of a simulator-extractor that can simulate the adversary’s view in the left and right sessions while extracting witnesses from the adversary in the simulated right sessions.
The first \(\mathrm {CNMZK}\) argument was constructed by Barak et al. [1]. Subsequently, a computationally efficient construction was shown by Ostrovsky et al. [21]. The first \(\mathrm {CNMZK}\) proof was constructed by Lin et al. [16], and a variant of their protocol was shown to be secure with adaptively chosen inputs by Lin and Pass [14]. Additionally, a \(\mathrm {CNMZK}\) argument that is secure with “fully” adaptively chosen inputs was recently constructed by Venkitasubramaniam [26].
Very recently, Orlandi et al. [20] constructed the first statistical \(\mathrm {CNMZK}\) argument—that is, a \(\mathrm {CNMZK}\) argument such that the view simulated by the simulator-extractor is statistically indistinguishable from the adversary’s view. Statistical \(\mathrm {CNMZK}\) is clearly of great interest since it guarantees quite strong security in the concurrent setting. However, statistical \(\mathrm {CNMZK}\) is hard to achieve, and the existing techniques of computational \(\mathrm {CNMZK}\) protocols seem to be insufficient for constructing statistical \(\mathrm {CNMZK}\) protocols (see Sect. 2.1).
On statistical \(\mathrm {CNMZK}\) protocols, an important open question is what hardness assumption is needed for constructing them. The statistical \(\mathrm {CNMZK}\) argument of Orlandi et al. [20] was constructed under the DDH assumption (or the existence of dense cryptosystems). Thus, it is already known that statistical \(\mathrm {CNMZK}\) protocols can be constructed under standard assumptions. However, since it is known that the existence of one-way functions is sufficient for constructing both statistical \(\mathrm {ZK}\) protocols and computational \(\mathrm {CNMZK}\) protocols [1, 10], it is important to study the following question.
Can we construct statistical concurrent non-malleable zero-knowledge protocols by assuming only the existence of one-way functions?
1.1 Our Result
In this paper, we answer the above question affirmatively.
Theorem 1
Assume the existence of one-way functions. Then, there exists a statistical concurrent non-malleable zero-knowledge argument for \(\mathcal {NP}\) with round complexity \(\mathsf {poly}(n)\). Furthermore, if there exists a family of collision-resistant hash functions, the round complexity can be reduced to \(\omega (\log n)\).
The round complexity of our statistical \(\mathrm {CNMZK}\) argument—\(\mathsf {poly}(n)\) rounds when only the existence of one-way functions is assumed and \(\omega (\log n)\) rounds when the existence of a family of collision-resistant hash functions is assumed—is the same as the round complexity of the known statistical \(\mathrm {CZK}\) arguments [9]. Thus, our result closes the gap between statistical \(\mathrm {CNMZK}\) arguments and statistical \(\mathrm {CZK}\) arguments. Furthermore, since the security of our statistical \(\mathrm {CNMZK}\) protocol is proven via black-box simulation, the logarithmic round complexity of our hash-function-based protocol is essentially tight due to the lower bound on black-box \(\mathrm {CZK}\) protocols [3].
2 Techniques
2.1 Previous Techniques
Before explaining our technique, we explain the difficulty of constructing statistical \(\mathrm {CNMZK}\) protocols by using the techniques of existing computational \(\mathrm {CNMZK}\) protocols [1, 16].
We first recall the protocols of [1, 16]. The definition of \(\mathrm {CNMZK}\) requires the existence of a simulator-extractor that simulates the adversary’s view while extracting the witnesses for the statements proven by the adversary in the simulated view. To satisfy this definition, protocols need to satisfy the following properties: (i) the proofs in the left sessions can be simulated for the adversary; (ii) even when the adversary receives simulated proofs in the left sessions, the witnesses can be extracted from the adversary in the right sessions. In the protocols of [1, 16], the simulatability of the left sessions is guaranteed by requiring the verifier to commit to a random trapdoor by using a concurrently extractable commitment scheme \(\mathsf {CECom}\) [17]. Since the committed values of \(\mathsf {CECom}\) can be extracted by a rewinding extractor even in the concurrent setting, the proofs in the left sessions can be simulated by extracting the trapdoors from \(\mathsf {CECom}\). On the other hand, the witness extractability of the right sessions is guaranteed by requiring the prover to commit to the witness with a non-malleable commitment scheme \(\mathsf {NMCom}\) [6] and additionally designing the protocols so that the following hold.
 1.
When the adversary receives honest proofs in the left sessions, the committed value of the \(\mathsf {NMCom}\) commitment is indeed a valid witness in every accepted right session.
 2.
When the proofs in the left sessions are switched to the simulated ones, the committed values of the \(\mathsf {NMCom}\) commitments do not change in the right sessions due to the non-malleability of \(\mathsf {NMCom}\).
It follows from these that even when the adversary receives simulated proofs in the left sessions, the committed value of the \(\mathsf {NMCom}\) commitment is a witness for the statement in every accepted right session. Therefore, the witnesses can be extracted in the right sessions by extracting the committed values of the \(\mathsf {NMCom}\) commitments.
As mentioned above, the techniques of [1, 16] alone seem to be insufficient for constructing statistical \(\mathrm {CNMZK}\) protocols. This is because the techniques of [1, 16] require the prover to commit to the witness by using \(\mathsf {NMCom}\), which is only computationally hiding.^{1} Since in the simulation the committed values of \(\mathsf {NMCom}\) need to be switched to other values (e.g., \(0^{n}\)) in the left sessions, the simulated view can only be computationally indistinguishable from the real view.
Recently, Orlandi et al. [20] constructed a statistical \(\mathrm {CNMZK}\) protocol by modifying the \(\mathrm {CNMZK}\) protocol of [1] with a mixed non-malleable commitment scheme \(\mathsf {MXNMCom}\). \(\mathsf {MXNMCom}\) is parametrized by a string and is either statistically hiding or non-malleable depending on the string.^{2} Very roughly speaking, Orlandi et al. circumvent the above problem by switching the parameter string of \(\mathsf {MXNMCom}\) in the security proof—when proving the statistical indistinguishability of the simulation, the string is set so that \(\mathsf {MXNMCom}\) is statistically hiding, and when proving the non-malleability, the string is set so that \(\mathsf {MXNMCom}\) is non-malleable. The use of \(\mathsf {MXNMCom}\), however, requires assumptions that are stronger than the existence of one-way functions (such as the DDH assumption or the existence of dense cryptosystems). Thus, the technique of Orlandi et al. cannot be used to construct statistical \(\mathrm {CNMZK}\) protocols from one-way functions.
2.2 Our Technique
Since the techniques of [1, 16] cannot be used for statistical \(\mathrm {CNMZK}\) protocols because the committed values of \(\mathsf {NMCom}\) need to be switched during the simulation, one potential strategy for statistical \(\mathrm {CNMZK}\) is to construct a protocol such that the adversary’s view can be simulated without switching the committed value of \(\mathsf {NMCom}\) (or of any other computationally hiding commitment). However, when the simulator commits to the same value in \(\mathsf {NMCom}\) as an honest prover, it is not clear how the non-malleability of \(\mathsf {NMCom}\) can be used in the security proof. Below, we show that the \(\mathrm {CNMZK}\) property can be shown even in this case if we use a stronger variant of \(\mathsf {NMCom}\).
A key technical tool in our technique is CCA-secure commitment schemes [4], which are a stronger variant of (concurrent) non-malleable commitment schemes. Roughly speaking, CCA security guarantees that the scheme is hiding even against adversaries that have access to the committed-value oracle, which receives concurrent commitments from the adversary and returns their committed values to the adversary. (In non-malleability, the oracle receives only parallel commitments from the adversary and returns the committed values only after the adversary finishes the interaction with the committer.) Several CCA-secure commitment schemes were constructed from one-way functions [4, 8, 12, 15]; furthermore, although CCA security itself does not provide any extractability, all of these schemes satisfy concurrent extractability as well.
Using CCA-secure commitment schemes, we construct the following protocol as a starting point.
 Stage 1. ( V commits to trapdoor)
 1.
The verifier V chooses random \(r_V\in \{0,1 \}^{n}\) and commits to \(r_V\) by using a statistically binding commitment scheme \(\mathsf {Com}\), which can be constructed from one-way functions [11, 18]. Let \((r_V, d)\) be the decommitment.
 2.
V commits to \((r_V, d)\) by using \(\mathsf {CCA}\text {-}\mathsf {CECom}\), where \(\mathsf {CCA}\text {-}\mathsf {CECom}\) is a CCA-secure commitment scheme that is also concurrently extractable [4, 8, 12, 15].
 Stage 2. ( P proves \(x \in L\) or knowledge of trapdoor) The prover P proves that it knows a witness for \(x \in L\) or a valid decommitment \((r_V, d)\) of the \(\mathsf {Com}\) commitment that V gives in Stage 1. P proves this statement by using a statistical witness-indistinguishable argument of knowledge \(\mathsf {sWIAOK}\), which can be constructed from one-way functions by instantiating Blum’s Hamiltonian-cycle protocol with the statistically hiding commitment scheme of [10].
In this protocol, the verifier’s view can be statistically simulated by a simulator that extracts \((r_V, d)\) from \(\mathsf {CCA}\text {-}\mathsf {CECom}\) and uses it as a witness in \(\mathsf {sWIAOK}\). (Note that this simulator executes Stage 1 honestly; thus, even if computationally hiding commitment schemes are used as building blocks in \(\mathsf {CCA}\text {-}\mathsf {CECom}\), the simulator commits to the same values with them as an honest prover does.) Also, intuitively, this protocol seems to be \(\mathrm {CNMZK}\) for the following reason.

The CCA security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) guarantees that the trapdoors of the right sessions are hidden from the adversary even when the trapdoors of the left sessions are extracted and returned to the adversary.

Then, since the simulated proofs are generated in the left sessions by extracting the trapdoors, the trapdoors in the right sessions are hidden from the adversary even when the adversary receives simulated proofs in the left sessions.

Thus, even when the adversary receives the simulated proofs in the left sessions, the adversary cannot “cheat” in the right sessions, and therefore witnesses for the statements must be extractable from \(\mathsf {sWIAOK}\) in the right sessions.
Of course, to formally show the statistical \(\mathrm {CNMZK}\) property, we need to show a simulator-extractor that statistically simulates the adversary’s view and also extracts witnesses for the statements in the right sessions.
As the simulator-extractor, we consider the following \(\mathcal {SE}\).
 1.
First, \(\mathcal {SE}\) simulates the view of the adversary \(\mathcal {A}\) by executing the following simulator \(\mathcal {S}\): Simulator \(\mathcal {S}\) internally invokes \(\mathcal {A}\) and interacts with it in the left and right sessions honestly except that in each left session, \(\mathcal {S}\) extracts \((r_V, d)\) by using the concurrent extractor of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) and uses it as a witness in \(\mathsf {sWIAOK}\).
 2.
After simulating the view of \(\mathcal {A}\) as above, \(\mathcal {SE}\) extracts witnesses from the right sessions by doing the following for each right session. First, \(\mathcal {SE}\) rewinds \(\mathcal {S}\) until the point just before \(\mathcal {S}\) sends the challenge message of \(\mathsf {sWIAOK}\) to \(\mathcal {A}\).^{3} Then, \(\mathcal {SE}\) repeatedly executes \(\mathcal {S}\) from this point with fresh randomness until it obtains another accepted transcript of \(\mathsf {sWIAOK}\). After obtaining another accepted transcript, \(\mathcal {SE}\) extracts a witness by using the argument-of-knowledge property of \(\mathsf {sWIAOK}\).
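The following is an added example, not code from the paper: one repetition of Blum’s Hamiltonian-cycle protocol, which is the protocol behind \(\mathsf {sWIAOK}\) (Stage 2 above), together with the two-transcript extractor that the description of \(\mathcal {SE}\) relies on (keep the prover’s first message, obtain accepting responses to two different challenges, and compute the witness from the pair). The commitment is a SHA-256 stand-in chosen so that the example runs offline; it is statistically binding but only computationally hiding, whereas the paper instantiates Blum’s protocol with the statistically hiding scheme of [10] to obtain statistical witness indistinguishability. A single repetition has soundness error 1/2; \(\mathsf {sWIAOK}\) runs many repetitions in parallel. All function names, the sample graph and the seed are constructed for this example.

```python
"""Blum's Hamiltonian-cycle protocol (one repetition) with a hash-based
commitment, plus the two-transcript knowledge extractor that models how the
simulator-extractor rewinds to the challenge and reruns with a new one.
Added example; not the paper's code."""
import hashlib
import random
import secrets
from typing import List

Adj = List[List[int]]  # symmetric 0/1 adjacency matrix of the public graph G


def commit(bit: int, rand: bytes) -> str:
    """Stand-in commitment SHA-256(rand || bit): binding, computationally hiding."""
    return hashlib.sha256(rand + bytes([bit])).hexdigest()


def permute(adj: Adj, pi: List[int]) -> Adj:
    """H = pi(G): edge (i, j) of G becomes edge (pi[i], pi[j]) of H."""
    n = len(adj)
    h = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            h[pi[i]][pi[j]] = adj[i][j]
    return h


class Prover:
    """Holds a Hamiltonian cycle `cycle` (vertex order) of G as its witness."""

    def __init__(self, adj: Adj, cycle: List[int], rng: random.Random):
        self.adj, self.cycle, self.rng = adj, cycle, rng

    def first_message(self) -> List[List[str]]:
        n = len(self.adj)
        self.pi = list(range(n))
        self.rng.shuffle(self.pi)
        self.h = permute(self.adj, self.pi)
        self.rand = [[secrets.token_bytes(16) for _ in range(n)] for _ in range(n)]
        return [[commit(self.h[i][j], self.rand[i][j]) for j in range(n)] for i in range(n)]

    def respond(self, challenge: int):
        n = len(self.adj)
        if challenge == 0:  # open everything; verifier checks that H = pi(G)
            return ("perm", self.pi, self.rand)
        # challenge 1: open only the n entries of H on the permuted cycle
        edges = []
        for k in range(n):
            u, v = self.pi[self.cycle[k]], self.pi[self.cycle[(k + 1) % n]]
            edges.append((u, v, self.rand[u][v]))
        return ("cycle", edges)


def verify(adj: Adj, coms: List[List[str]], challenge: int, resp) -> bool:
    n = len(adj)
    if challenge == 0:
        _, pi, rand = resp
        if sorted(pi) != list(range(n)):
            return False
        h = permute(adj, pi)
        return all(commit(h[i][j], rand[i][j]) == coms[i][j]
                   for i in range(n) for j in range(n))
    _, edges = resp
    if len(edges) != n or any(commit(1, r) != coms[u][v] for u, v, r in edges):
        return False
    succ = {u: v for u, v, _ in edges}  # the opened 1-entries must form one n-cycle
    if len(succ) != n:
        return False
    cur, seen = edges[0][0], set()
    for _ in range(n):
        seen.add(cur)
        cur = succ.get(cur)
        if cur is None:
            return False
    return cur == edges[0][0] and len(seen) == n


def extract(resp0, resp1) -> List[int]:
    """Accepting responses to challenges 0 and 1 on the same first message give
    a cycle of G: undo pi on the cycle that was opened in H."""
    _, pi, _ = resp0
    inv = {pi[i]: i for i in range(len(pi))}
    _, edges = resp1
    succ = {inv[u]: inv[v] for u, v, _ in edges}
    cur, cycle = next(iter(succ)), []
    for _ in range(len(succ)):
        cycle.append(cur)
        cur = succ[cur]
    return cycle


def rewind_and_extract(adj: Adj, cycle: List[int], seed: int = 1) -> List[int]:
    """Main thread uses challenge 0; the 'rewind' reuses the prover's state after
    its first message and sends challenge 1 instead, as SE does with sWIAOK."""
    prover = Prover(adj, cycle, random.Random(seed))
    coms = prover.first_message()
    resp0 = prover.respond(0)
    resp1 = prover.respond(1)  # same first message, different challenge
    assert verify(adj, coms, 0, resp0) and verify(adj, coms, 1, resp1)
    return extract(resp0, resp1)


def is_hamiltonian_cycle(adj: Adj, cycle: List[int]) -> bool:
    n = len(adj)
    return sorted(cycle) == list(range(n)) and \
        all(adj[cycle[k]][cycle[(k + 1) % n]] == 1 for k in range(n))


# Constructed sample graph: the 5-cycle 0-1-2-3-4-0 plus the chord 0-2.
SAMPLE_ADJ = [[0, 1, 1, 0, 1], [1, 0, 1, 0, 0], [1, 1, 0, 1, 0],
              [0, 0, 1, 0, 1], [1, 0, 0, 1, 0]]
SAMPLE_CYCLE = [0, 1, 2, 3, 4]

if __name__ == "__main__":
    print(rewind_and_extract(SAMPLE_ADJ, SAMPLE_CYCLE))
```

The extractor succeeds whenever both transcripts are accepting; the binding property of the commitment is what guarantees that the two openings refer to the same committed matrix, so the opened cycle in H really is a cycle of \(\pi(G)\) and maps back to a cycle of G. In the paper’s analysis, the same argument-of-knowledge property is what \(\mathcal {SE}\) uses in the right sessions, and the difficulty discussed below is that the rewinding it requires also rewinds the left sessions.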
It is easy to see that \(\mathcal {SE}\) statistically simulates the real view of \(\mathcal {A}\). Thus, it remains to show that \(\mathcal {SE}\) extracts witnesses for the statements in the right sessions.
To show the witness extractability of \(\mathcal {SE}\), a natural approach is to follow the above-mentioned approach of [1, 16] and show the following.
 1.
When \(\mathcal {A}\) receives honest proofs in the left sessions, a witness for the statement is extracted from the \(\mathsf {sWIAOK}\) proof in every accepted right session.
 2.
When the honest proofs in the left sessions are switched to the simulated ones, the value extracted from \(\mathsf {sWIAOK}\) does not change in every accepted right session.
Note that here we argue about the extracted values instead of the committed values. At first sight, it seems that this is not a big difference and it seems that the above can be shown by using an argument similar to the one used in [1, 16].
However, this approach does not work. In particular, we cannot show the second part—that is, we cannot show that the extracted values remain the same when the honest proofs in the left sessions are switched to the simulated ones. To see this, observe the following. Since the witnesses used in \(\mathsf {sWIAOK}\) are switched in the simulated proofs, we need to use the witness indistinguishability of \(\mathsf {sWIAOK}\) of the left sessions. However, since \(\mathcal {A}\) is rewound during the witness extraction of the \(\mathsf {sWIAOK}\) proofs of the right sessions, if the left and the right sessions are scheduled so that the \(\mathsf {sWIAOK}\) proofs of the left sessions are executed in parallel with the \(\mathsf {sWIAOK}\) proofs of the right sessions, the \(\mathsf {sWIAOK}\) proofs of the left sessions are also rewound, and thus we cannot use their witness indistinguishability.^{4}
Thus, we instead use the following approach. Informally, the above approach does not work because the honest proofs and the simulated proofs are “too different.” We thus introduce a hybrid experiment in which \(\mathcal {A}\) receives hybrid proofs in the left sessions, where a hybrid proof is generated by extracting \((r_V, d)\) by brute force and using it as a witness in \(\mathsf {sWIAOK}\). (Notice that the only difference between the hybrid proofs and the simulated proofs is how the trapdoors are extracted.) We then show that (i) witnesses for the statements are extracted in the right sessions when \(\mathcal {A}\) receives hybrid proofs in the left sessions, and (ii) when hybrid proofs are switched to the simulated ones, the extracted values do not change. In particular, our analysis proceeds as follows.

First, we show the second part, i.e., we show that the values extracted in the right sessions do not change when the proofs in the left sessions are switched from the hybrid proofs to the simulated ones. Since the only difference between the hybrid proofs and the simulated ones is how the committed values of the \(\mathsf {CCA}\text {-}\mathsf {CECom}\) commitments are extracted (by brute force or by the concurrent extractability), we can show this by using the concurrent extractability of \(\mathsf {CCA}\text {-}\mathsf {CECom}\). We note however that there is a subtlety since \(\mathsf {CCA}\text {-}\mathsf {CECom}\) in the left sessions can be rewound not only by the concurrent extractor of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) but also by the extractor of \(\mathsf {sWIAOK}\). Nonetheless, by carefully using a standard technique (the “good prefix” argument), we can show that the concurrent extractor of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) works even in this case.

Next, we show that in the hybrid experiment, witnesses for the statements are extracted from the right sessions. Since the hybrid proofs can be efficiently generated given access to the committed-value oracle of \(\mathsf {CCA}\text {-}\mathsf {CECom}\), at first sight it seems that this follows directly from the CCA security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) and the argument-of-knowledge property of \(\mathsf {sWIAOK}\)—if a witness for the statement is not extracted, \((r_V, d)\) must be extracted, and thus we can break the CCA security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\). However, there are two problems.
 1.
Since \(\mathsf {CCA}\text {-}\mathsf {CECom}\) in the left sessions can be rewound during the witness extraction of \(\mathsf {sWIAOK}\) of the right sessions, the hybrid experiment cannot be emulated even given access to the committed-value oracle of \(\mathsf {CCA}\text {-}\mathsf {CECom}\). Hence, the CCA-secure commitments in the right sessions may not be hiding in the hybrid experiment.
 2.
Since the adversary obtains hybrid proofs, which are generated in super-polynomial time, the argument-of-knowledge property of \(\mathsf {sWIAOK}\) may not hold in the hybrid experiment. We note that although existing CCA-secure commitment schemes provide robustness, which guarantees that any “small”-round protocol remains secure even when adversaries have access to the committed-value oracle, we cannot use robustness here since \(\mathsf {CCA}\text {-}\mathsf {CECom}\) in the left sessions can be rewound during the witness extraction of \(\mathsf {sWIAOK}\) of the right sessions and therefore the hybrid experiment cannot be emulated even given access to the committed-value oracle.
Because of these problems, we cannot use the security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) directly in the analysis. Thus, instead of using existing CCA-secure commitment schemes in a modular way, we directly use their building blocks in the protocol and directly use their proof technique in the analysis. (In particular, we use the robust concurrent extraction technique of [8] and a one-one CCA-secure commitment scheme of [13].) The proof techniques of existing CCA-secure commitment schemes are strong enough to solve the above problems, and thus we can show that witnesses for the statements are extracted in the hybrid experiment.
From the above two, it follows that even when \(\mathcal {A}\) receives simulated proofs in the left sessions, valid witnesses are extracted in the right sessions. This completes the overview of our technique.
3 Definitions
In this section, we sketch the definitions used in this paper. The formal definitions are given in the full version.
3.1 Statistical Concurrent Non-malleable Zero-Knowledge Arguments
The definition of (statistical) concurrent non-malleable zero-knowledge [1, 20] is closely related to the definition of simulation extractability of [22]. Let \(\langle P, V \rangle \) be an interactive argument for a language \(L \in \mathcal {NP}\). For any man-in-the-middle adversary \(\mathcal {A}\), let us consider a probabilistic experiment in which \(\mathcal {A}\) participates in the following left and right interactions. In the left interaction, \(\mathcal {A}\) interacts with an honest prover P of \(\langle P, V \rangle \) and verifies the validity of statements \(x_1, \ldots , x_m\) using identities \(\mathsf {id}_1, \ldots , \mathsf {id}_m\). In the right interaction, \(\mathcal {A}\) interacts with an honest verifier V of \(\langle P, V \rangle \) and proves the validity of statements \(\widetilde{x}_1, \ldots , \widetilde{x}_m\) using identities \(\widetilde{\mathsf {id}}_1, \ldots , \widetilde{\mathsf {id}}_m\). The statements proven in the left interaction, \(x_1, \ldots , x_m\), are given to P and \(\mathcal {A}\) prior to the experiment. In contrast, the statements proven in the right interaction, \(\widetilde{x}_1, \ldots , \widetilde{x}_m\), and the identities used in the left and the right interactions, \(\mathsf {id}_1, \ldots , \mathsf {id}_m\) and \(\widetilde{\mathsf {id}}_1, \ldots , \widetilde{\mathsf {id}}_m\), are chosen by \(\mathcal {A}\) during the experiment. Then, roughly speaking, \(\langle P, V \rangle \) is statistical concurrent non-malleable zero-knowledge (statistical \(\mathrm {CNMZK}\)) if for any adversary \(\mathcal {A}\), there exists a \(\textsc {ppt} \) machine called the simulator-extractor that can statistically simulate the view of \(\mathcal {A}\) in the above experiment while extracting witnesses for the statements proven by \(\mathcal {A}\) in the accepted right interactions whose identities differ from all identities of the left interactions.
3.2 Concurrently Extractable Commitment Schemes
Roughly speaking, a commitment scheme is concurrently extractable if there exists a ppt extractor such that for any adversarial committer that concurrently commits to many values by using the scheme, the extractor can extract the committed value from the adversarial committer in every valid commitment.^{5}
Robust Concurrent Extraction. For the concurrently extractable commitment scheme \(\mathsf {CECom}\) of [17], Goyal et al. [8] showed a very useful lemma called the robust concurrent extraction lemma. Roughly speaking, this lemma states that even when the adversarial committer additionally participates in an external protocol, the committed values can be extracted from the adversarial committer without rewinding the external protocol as long as the round complexity of the external protocol is “small.” In particular, the lemma guarantees that robust concurrent extraction is possible as long as \(\ell - O(k\cdot \log n) = \omega (\log n)\), where \(\ell \) is the parameter of \(\mathsf {CECom}\) and k is the round complexity of the external protocol. (Thus, we need to set \(\ell := \omega (\log n)\) when \(k = O(1)\) and \(\ell := \mathsf {poly}(n)\) when \(k = \mathsf {poly}(n)\).)
In this work, we cannot use the lemma in a black-box way since in the security analysis we use a specific property of the extractor shown in [8]. In particular, in our security analysis, it is important that the extractor of [8] performs the extraction by generating the main thread and the look-ahead threads as in the rewinding strategies of [23, 25].
3.3 (One-one) CCA-secure Commitment Schemes
We recall the definition of (one-one) CCA security and \(\kappa \)-robustness of commitment schemes [4, 13, 15].
(One-one) CCA Security. Roughly speaking, a tag-based commitment scheme \(\langle C,R \rangle \) (i.e., a commitment scheme that takes an n-bit string—a tag—as an additional input) is CCA-secure if it is hiding even against an adversary \(\mathcal {A}\) that interacts with the following committed-value oracle: The committed-value oracle \(\mathcal {O}\) interacts with \(\mathcal {A}\) as an honest receiver in many concurrent sessions of the commit phase of \(\langle C,R \rangle \) using tags chosen adaptively by \(\mathcal {A}\); at the end of each session, if the commitment of this session is invalid or has multiple committed values, \(\mathcal {O}\) returns \(\bot \) to \(\mathcal {A}\); otherwise, \(\mathcal {O}\) returns the unique committed value to \(\mathcal {A}\).
If \(\langle C,R \rangle \) is CCA secure only against adversaries that interact with the one-session committed-value oracle, which is the same as the committed-value oracle except that it interacts with the adversary in only a single session, \(\langle C,R \rangle \) is one-one CCA secure.
\(\kappa \)-Robustness. Roughly speaking, a tag-based commitment scheme is \(\kappa \)-robust if for any adversary \(\mathcal {A}\) that has access to the committed-value oracle \(\mathcal {O}\) and any ITM B, the joint output of a \(\kappa \)-round interaction between \(\mathcal {A}\) and B can be simulated without \(\mathcal {O}\) by a \(\textsc {ppt} \) simulator. Intuitively, \(\kappa \)-robustness guarantees that the security of any \(\kappa \)-round protocol (say, the hiding property of a \(\kappa \)-round commitment scheme) holds even against an adversary that interacts with \(\mathcal {O}\).
The Scheme We Use. From a result shown in [8], we can obtain a constant-round \(\kappa \)-robust one-one CCA-secure commitment scheme for every constant \(\kappa \in \mathbb {N}\) from one-way functions. In [8], Goyal et al. constructed an \(\omega (\log n)\)-round CCA-secure commitment scheme from one-way functions. This scheme has \(\omega (\log n)\) rounds because \(\mathsf {CECom}\) with parameter \(\ell = \omega (\log n)\) is used as a building block. The reason why \(\ell \) is set to be \(\omega (\log n)\) is that in the security analysis, the committed values of \(\mathsf {CECom}\) need to be extracted when polynomially many \(\mathsf {CECom}\) commitments are concurrently executed. In the setting of one-one CCA security, however, the security analysis works even if the committed values of \(\mathsf {CECom}\) are extractable only when a single \(\mathsf {CECom}\) commitment is executed; hence, we can set \(\ell := O(1)\). For completeness, we give the protocol and the proof of one-one CCA security in the full version.
4 Our Statistical Concurrent Non-malleable ZK Argument
We show that a statistical concurrent nonmalleable zeroknowledge argument can be constructed from any statistically hiding commitment scheme.
Theorem 2
Assume the existence of statistically hiding commitment schemes with round complexity \(R_{{\mathsf {SH}}}(n)\). Then, there exists an \(\omega (R_{{\mathsf {SH}}}(n)\log n)\)-round statistical concurrent non-malleable zero-knowledge argument \(\mathsf {sCNMZK}\).
Proof (of Theorem 2). In \(\mathsf {sCNMZK}\), we use the following building blocks, all of which can be constructed from \(R_{{\mathsf {SH}}}(n)\)-round statistically hiding commitment schemes (or from one-way functions, which can be obtained from statistically hiding commitment schemes).

Two-round statistically binding commitment scheme \(\mathsf {Com_{SB}}\) [11, 18].

Constant-round 4-robust one-one CCA-secure commitment scheme \(\mathsf {CCACom}^{1:1}\) (see Sect. 3.3).

Four-round witness-indistinguishable proof of knowledge \(\mathsf {WIPOK}\), which is a parallel version of Blum’s Hamiltonian-cycle protocol [2].

\((R_{{\mathsf {SH}}}(n)+2)\)-round statistical witness-indistinguishable argument of knowledge \(\mathsf {sWIAOK}\), which is a parallel version of Blum’s Hamiltonian-cycle protocol instantiated with an \(R_{{\mathsf {SH}}}(n)\)-round statistically hiding commitment scheme \(\mathsf {Com_{SH}}\).

\(\omega (R_{{\mathsf {SH}}}(n)\log n)\)-round concurrently extractable commitment scheme \(\mathsf {CECom}\), which is the scheme of [17] with parameter \(\ell = \omega (R_{{\mathsf {SH}}}(n)\log n)\). From the robust concurrent extraction lemma [8], we can extract the committed values from any adversarial committer even when it additionally participates in any \(O(R_{{\mathsf {SH}}}(n))\)-round external protocol.
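Round-complexity accounting for the building blocks listed above, worked out here as an added example (it is not part of the paper’s text; it only combines the round counts above with the robust concurrent extraction condition of Sect. 3.2 and assumes, as the last item indicates, that the external protocol the extractor must not rewind consists of the stages other than \(\mathsf {CECom}\)). Write \(R := R_{{\mathsf {SH}}}(n)\). The external protocol has round complexity
\[
k \;=\; \underbrace{2}_{\mathsf {Com_{SB}}} \;+\; \underbrace{O(1)}_{\mathsf {CCACom}^{1:1}} \;+\; \underbrace{4}_{\mathsf {WIPOK}} \;+\; \underbrace{R+2}_{\mathsf {sWIAOK}} \;=\; O(R),
\]
so with \(\ell = \omega (R \log n)\) the condition of the robust concurrent extraction lemma becomes
\[
\ell - O(k \cdot \log n) \;=\; \omega (R \log n) - O(R \log n) \;=\; \omega (R \log n),
\]
which is in particular \(\omega (\log n)\), as required. The round complexity of \(\mathsf {sCNMZK}\) is dominated by \(\mathsf {CECom}\):
\[
O(R) + \omega (R \log n) \;=\; \omega (R \log n).
\]
Plugging in the two instantiations of \(\mathsf {Com_{SH}}\) recovers Theorem 1: from one-way functions alone, \(R = \mathsf {poly}(n)\) [10], which gives \(\omega (\mathsf {poly}(n) \log n) = \mathsf {poly}(n)\) rounds; from collision-resistant hash functions, for which constant-round statistically hiding commitments exist, \(R = O(1)\), which gives \(\omega (\log n)\) rounds.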
Protocol \(\mathsf {sCNMZK}\) is shown in Fig. 2. Roughly speaking, soundness can be proven as follows. Assume that an adversary breaks the soundness. From the witness extractability of \(\mathsf {sWIAOK}\), a valid decommitment \((r'_V, d')\) of the \(\mathsf {Com_{SB}}\) commitment of Stage I can be extracted from this adversary in Stage III. Furthermore, from the hiding property of \(\mathsf {CECom}\) and the witness indistinguishability of \(\mathsf {WIPOK}\), it can be shown that \((r'_V, d')\) can be extracted even when Stage II is simulated by extracting \(r_P\) in Stage II-1 and using it in Stages II-2 and II-4. Then, since Stage II is now simulated without using the decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I, we can derive a contradiction by breaking the hiding property of \(\mathsf {Com_{SB}}\) or \(\mathsf {CECom}\) by using \((r'_V, d')\). The formal proof is given in the full version.
In the following, we prove the statistical \(\mathrm {CNMZK}\) property.
Simulator-Extractor \(\mathcal{{SE}}\). Recall that to prove the statistical \(\mathrm {CNMZK}\) property, we need to show a simulator-extractor that simulates the view of the adversary \(\mathcal {A}\) and also extracts a witness in every accepted right session. We construct our simulator-extractor step by step. First, we construct a super-polynomial-time simulator \(\hat{\mathcal {S}}\) that simulates the view of \(\mathcal {A}\) but does not extract witnesses in the right sessions. Next, we construct a super-polynomial-time simulator-extractor \(\hat{\mathcal {SE}}\) that simulates the view of \(\mathcal {A}\) by executing \(\hat{\mathcal {S}}\) and then extracts the witnesses by rewinding \(\hat{\mathcal {S}}\). Finally, we construct a polynomial-time simulator-extractor \(\mathcal {SE}\) that emulates the execution of \(\hat{\mathcal {SE}}\) in polynomial time.
Remark 1
In the following, we use the hat symbol in the names of simulators and simulator-extractors if they run in super-polynomial time (e.g., \(\hat{\mathcal {S}}\) and \(\hat{\mathcal {SE}}\)). Also, we use the tilde symbol in the names of the messages of \(\mathsf {sCNMZK}\) if they are the messages of the right sessions (e.g., \(\widetilde{r}_V\) and \(\widetilde{r}_P\)); if necessary, we use a subscript to denote the index of the session.
Super-Polynomial-Time Simulator \(\hat{\mathcal {S}}\). First, we show the simulator \(\hat{\mathcal {S}}\), which simulates the view of the adversary in super-polynomial time as follows. \(\hat{\mathcal {S}}\) internally invokes the adversary and interacts with it as provers and verifiers in the following way.

– In each left session, \(\hat{\mathcal {S}}\) interacts with the adversary in the same way as an honest prover except for the following. In Stage I-2, \(\hat{\mathcal {S}}\) extracts the committed value \((r_V, d)\) of the \(\mathsf {CECom}\) commitment by brute force. (If the committed value is not uniquely determined, \((r_V, d)\) is defined to be \((\bot , \bot )\).) In Stage III, \(\hat{\mathcal {S}}\) checks whether \((r_V, d)\) is a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I-1; if so, \(\hat{\mathcal {S}}\) gives a \(\mathsf {sWIAOK}\) proof by using \((r_V, d)\) as a witness; otherwise, \(\hat{\mathcal {S}}\) terminates with output \(\mathsf {fail}\).

– In each right session, \(\hat{\mathcal {S}}\) interacts with the adversary in the same way as an honest verifier.
Finally, \(\hat{\mathcal {S}}\) outputs the view of the internal adversary. Notice that \(\hat{\mathcal {S}}\) does not rewind the adversary.
Super-Polynomial-Time Simulator-Extractor \(\hat{\mathcal {SE}}\). Next, we show the simulator-extractor \(\hat{\mathcal {SE}}\), which simulates the view of the adversary in super-polynomial time and also extracts witnesses in every accepted right session as follows. First, \(\hat{\mathcal {SE}}\) simulates the view of the adversary by executing \(\hat{\mathcal {S}}\). We call this execution of \(\hat{\mathcal {S}}\) the wi-main thread. Next, for each \(i\in [m]\), if the \(i\)th right session is accepted on the wi-main thread and uses a different identity from every left session, \(\hat{\mathcal {SE}}\) extracts a witness from this session as follows.

– \(\hat{\mathcal {SE}}\) rewinds the wi-main thread until the point just before the challenge message of \(\mathsf {sWIAOK}\) of the \(i\)th right session is sent. Then, from this point, \(\hat{\mathcal {SE}}\) executes \(\hat{\mathcal {S}}\) again with fresh randomness (i.e., interacts with the adversary as \(\hat{\mathcal {S}}\) does, with fresh randomness). \(\hat{\mathcal {SE}}\) repeats this rewinding until it obtains another accepting transcript of the \(i\)th right session. We call each execution of \(\hat{\mathcal {S}}\) in this step a wi-auxiliary thread.

– After obtaining two accepting transcripts of the \(i\)th right session (one on the wi-main thread and the other on a wi-auxiliary thread), \(\hat{\mathcal {SE}}\) extracts a witness from \(\mathsf {sWIAOK}\) by using the witness extractability of \(\mathsf {sWIAOK}\). If \(\hat{\mathcal {SE}}\) fails to extract a witness for \(\widetilde{x}_{i} \in L\) (the statement proven in the \(i\)th right session), \(\hat{\mathcal {SE}}\) terminates with output \(\mathsf {fail}_{\mathsf {WI}}\). Otherwise, let \(\widetilde{w}_i\) be the extracted witness.
If the \(i\)th right session is not accepted or uses the same identity as a left session, define \(\widetilde{w}_i \mathop {=}\limits ^\mathrm{def}\bot \). The output of \(\hat{\mathcal {SE}}\) is \((\mathsf {view}, \{\widetilde{w}_i \}_{i\in [m]})\), where \(\mathsf {view}\) is the view of the adversary on the wi-main thread.
Polynomial-Time Simulator-Extractor \(\mathcal {SE}\). Finally, we show the simulator-extractor \(\mathcal {SE}\), which emulates the execution of \(\hat{\mathcal {SE}}\) in polynomial time as follows. First, \(\mathcal {SE}\) emulates the wi-main thread in polynomial time as follows.

– \(\mathcal {SE}\) internally invokes the adversary and interacts with it as \(\hat{\mathcal {S}}\) does, except that in each left session, \(\mathcal {SE}\) extracts \((r_V, d)\) by using the concurrent extractability of \(\mathsf {CECom}\). Recall that a concurrent extraction of \(\mathsf {CECom}\) involves the generation of a main thread and many look-ahead threads. We call the main thread generated during the concurrent extraction of \(\mathsf {CECom}\) the cec-main thread, and call the look-ahead threads generated during the concurrent extraction of \(\mathsf {CECom}\) the cec-auxiliary threads.^{6}
Next, for each \(i\in [m]\), if the \(i\)th right session is accepted on the emulated wi-main thread and uses a different identity from every left session, \(\mathcal {SE}\) emulates wi-auxiliary threads as follows.

– \(\mathcal {SE}\) rewinds the emulation of the wi-main thread until the point just before the challenge message of \(\mathsf {sWIAOK}\) of the \(i\)th right session is sent on the cec-main thread. Then, from this point, \(\mathcal {SE}\) emulates the wi-main thread again with fresh randomness (i.e., generates the rest of the cec-main thread and the cec-auxiliary threads with fresh randomness). \(\mathcal {SE}\) repeats this rewinding until it obtains another accepted transcript of the \(i\)th right session on an emulated wi-auxiliary thread.
Let \((\mathsf {view}, \{\widetilde{w}_i \}_{i\in [m]})\) be the output of the emulated \(\hat{\mathcal {SE}}\). Then, \(\mathcal {SE}\) outputs \((\mathsf {view}, \{\widetilde{w}_i \}_{i\in [m]})\).
4.1 Analysis of Poly-Time Simulator-Extractor \(\mathcal {SE}\)
To prove the statistical \(\mathrm {CNMZK}\) property, we show that \(\mathcal {SE}\) statistically simulates the view of the adversary and also extracts witnesses for the statements in the right sessions.
Lemma 1
The view of the adversary simulated by \(\mathcal {SE}\) is statistically indistinguishable from the view of the adversary in the real experiment. Furthermore, except with negligible probability, \(\mathcal {SE}\) outputs witnesses for the statements proven by the adversary in the accepted right sessions that use different identities from the left sessions.
Proof (sketch). In this proof, we use the following claim, which states that the super-polynomial-time simulator-extractor \(\hat{\mathcal {SE}}\) statistically simulates the view of the adversary and also extracts the witnesses from the right sessions.
Claim 1
The view of the adversary simulated by \(\hat{\mathcal {SE}}\) is statistically indistinguishable from the view of the adversary in the real experiment. Furthermore, except with negligible probability, \(\hat{\mathcal {SE}}\) outputs witnesses for the statements proven by the adversary in the accepted right sessions that use different identities from the left sessions.
Before proving this claim, we finish the proof of Lemma 1. Given Claim 1, we can prove Lemma 1 by showing that the output of \(\mathcal {SE}\) is statistically indistinguishable from that of \(\hat{\mathcal {SE}}\). This indistinguishability can be shown by observing the following.

– In \(\mathcal {SE}\), the emulation of \(\hat{\mathcal {SE}}\) is perfect if in every left session that reaches Stage III, the value extracted by the concurrent extractability of \(\mathsf {CECom}\) is equal to the value that would be extracted by brute force.

– In every such left session, the value extracted by the concurrent extractability of \(\mathsf {CECom}\) is indeed equal to the value that would be extracted by brute force. This is because the \(\mathsf {CECom}\) commitment in Stage I-2 is valid in every such left session except with negligible probability, which in turn is because of the soundness of \(\mathsf {WIPOK}\) and the hiding property of \(\mathsf {CCACom}^{1:1}\).
We note that there is a subtlety since the concurrent extraction of \(\mathsf {CECom}\) itself is rewound in \(\mathcal {SE}\) when the witnesses are extracted from the right sessions. The formal proof is given in the full version. \(\square \)
4.2 Analysis of Super-Poly-Time Simulator-Extractor \(\hat{\mathcal {SE}}\)
It remains to prove Claim 1, which states that (i) the super-polynomial-time simulator-extractor \(\hat{\mathcal {SE}}\) statistically simulates the real view of the adversary and (ii) \(\hat{\mathcal {SE}}\) also extracts a valid witness from every accepted right session in the simulated view.
Proof (of Claim 1). First, we show that \(\hat{\mathcal {SE}}\) statistically simulates the real view of the adversary. Since \(\hat{\mathcal {SE}}\) simulates the view of the adversary by executing \(\hat{\mathcal {S}}\), it suffices to show that the output of \(\hat{\mathcal {S}}\) is statistically indistinguishable from the real view of the adversary. In \(\hat{\mathcal {S}}\), each left session is simulated by extracting \((r_V, d)\) from the \(\mathsf {CECom}\) commitment in Stage I-2 and giving a \(\mathsf {sWIAOK}\) proof in Stage III with witness \((r_V, d)\). Hence, the indistinguishability follows from the statistical witness indistinguishability of \(\mathsf {sWIAOK}\) and the following claim.
Claim 2
In \(\hat{\mathcal {S}}\), the following holds except with negligible probability: In every left session that reaches Stage III, the \(\mathsf {CECom}\) commitment in Stage I-2 of this session is valid and its committed value is a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I-1.
We do not prove Claim 2, since it is implied by the claim that we prove later (Claim 5).
Next, we show that \(\hat{\mathcal {SE}}\) extracts a valid witness from every accepted right session except with negligible probability. Since \(\hat{\mathcal {SE}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) when it fails to extract a witness in an accepted right session, it suffices to show that \(\hat{\mathcal {SE}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) only with negligible probability. Assume for contradiction that there exists \(\widetilde{i^*}\in [m]\) such that \(\hat{\mathcal {SE}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) during the witness extraction of the \(\widetilde{i^*}\)th right session with non-negligible probability. Then, let us consider the following hybrid simulator-extractor \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\).

– \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) is the same as \(\hat{\mathcal {SE}}\) except that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) tries to extract a witness only from the \(\widetilde{i^*}\)th right session (and therefore rewinds the wi-main thread only from the challenge message of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)th right session).
Clearly, \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) with non-negligible probability. Then, we reach a contradiction roughly as follows.

Step 1. First, we show that in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\), the probability that \(\widetilde{r}_V\) is extracted as a witness during the witness extraction of the \(\widetilde{i^*}\)th right session is non-negligible, where \(\widetilde{r}_V\) is the value chosen by the verifier in Stage I-1 of the \(\widetilde{i^*}\)th right session.

Step 2. Next, we define a sequence of hybrid simulator-extractors. The first hybrid is the same as \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\), and we gradually modify the \(\widetilde{i^*}\)th right session so that it is independent of \(\widetilde{r}_V\) in the last hybrid.

Step 3. Finally, we show that even in the last hybrid, the probability that \(\widetilde{r}_V\) is extracted during the witness extraction of the \(\widetilde{i^*}\)th right session is non-negligible. Since the \(\widetilde{i^*}\)th right session is independent of \(\widetilde{r}_V\) in the last hybrid, we reach a contradiction.
Details are given below.
Step 1. Prove that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) extracts \(\widetilde{r}_V\). We first prove the following claim.
Claim 3
Let \(\widetilde{r}_V\) be the value chosen by the verifier in Stage I-1 of the \(\widetilde{i^*}\)th right session. If \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) with non-negligible probability, then in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) the probability that \(\widetilde{r}_V\) is extracted during the witness extraction of the \(\widetilde{i^*}\)th right session is non-negligible.

– \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) obtains two accepting transcripts of the \(\widetilde{i^*}\)th right session (and therefore of \(\mathsf {sWIAOK}\)) such that the commit-messages of \(\mathsf {sWIAOK}\) are the same,^{7} but

– from these two transcripts, \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) fails to extract any witness from \(\mathsf {sWIAOK}\) (either a witness for \(\widetilde{x}_{\widetilde{i^*}} \in L\) or a valid decommitment of the Stage I-1 commitment).
We first show that when the above occurs, the two accepting \(\mathsf {sWIAOK}\) transcripts are admissible except with negligible probability, where a pair of accepted transcripts of \(\mathsf {sWIAOK}\) is admissible if their commit-messages are the same but their challenge-messages are different. Toward this end, it suffices to show that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) chooses the same challenge-message of \(\mathsf {sWIAOK}\) on two wi-auxiliary threads with at most negligible probability. This can be shown as follows.

– From a standard argument, we can show that the expected number of rewindings of the wi-main thread is 1 in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\).^{8} Thus, the probability that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) rewinds the wi-main thread more than \(2^{n/2}\) times is at most \(2^{-n/2}\). Furthermore, under the condition that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) rewinds the wi-main thread at most \(2^{n/2}\) times, the probability that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) chooses the same challenge-message on two wi-auxiliary threads is at most \(2^{n/2} \cdot 2^{-n} = 2^{-n/2}\). Thus, the probability that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) chooses the same challenge-message on two wi-auxiliary threads is at most \(2^{-n/2} + 2^{-n/2} = \mathsf {negl}(n)\).
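The two bounds in the preceding paragraph come from Markov's inequality and a union bound; the derivation below is added here and is not part of the paper. It assumes, as the factor \(2^{-n}\) above implies, that the challenge-message of \(\mathsf {sWIAOK}\) is a uniformly random \(n\)-bit string chosen afresh on each thread, and it bounds the event that some wi-auxiliary thread repeats one fixed challenge-message \(c\) (the one of the accepting transcript it is to be paired with), which is the reading under which the factor \(2^{n/2} \cdot 2^{-n}\) arises. Let \(X\) be the number of rewindings of the wi-main thread and let \(T = 2^{n/2}\). Since \(\mathbb {E}[X] = 1\), Markov's inequality gives

\[
\Pr[X > T] \le \frac{\mathbb {E}[X]}{T} = \frac{1}{2^{n/2}} = 2^{-n/2}.
\]

Conditioned on \(X \le T\), there are at most \(T\) wi-auxiliary threads, and the challenge-message \(c_j\) on the \(j\)th of them is uniform over \(\{0,1\}^{n}\) and independent of \(c\), so a union bound over the threads gives

\[
\Pr[\exists j \le T : c_j = c \mid X \le T] \le \sum_{j=1}^{T} \Pr[c_j = c] = T \cdot 2^{-n} = 2^{n/2} \cdot 2^{-n} = 2^{-n/2}.
\]

Combining the two cases,

\[
\Pr[\exists j : c_j = c] \le \Pr[X > T] + \Pr[\exists j \le T : c_j = c \mid X \le T] \le 2^{-n/2} + 2^{-n/2} = 2^{1-n/2} = \mathsf {negl}(n).
\]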
Thus, with non-negligible probability \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) obtains two admissible transcripts of \(\mathsf {sWIAOK}\) from which no witness can be computed.
We then reach a contradiction as follows. Since \(\mathsf {sWIAOK}\) is a parallel version of Blum's Hamiltonian-cycle protocol, if no witness is extracted from two admissible transcripts of \(\mathsf {sWIAOK}\), a \(\mathsf {Com_{SH}}\) commitment in the commit-messages is decommitted to two different values in the transcripts. Thus, we derive a contradiction by breaking the binding property of \(\mathsf {Com_{SH}}\) using \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\). A problem is that since \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) runs in super-polynomial time, the computational hiding property of \(\mathsf {Com_{SH}}\) may not hold in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\). To overcome this problem, we consider a hybrid simulator-extractor \(\mathcal {SE}_{\widetilde{i^*}}\) that emulates the execution of \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) in polynomial time. Specifically, \(\mathcal {SE}_{\widetilde{i^*}}\) emulates \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) in the same way as \(\mathcal {SE}\) emulates \(\hat{\mathcal {SE}}\) (i.e., by using the concurrent extractability of \(\mathsf {CECom}\) instead of the brute-force extraction) except for the following.

– During the emulation of the wi-main thread, the value \((r_V, d)\) is extracted in Stage I-2 of each left session by using the robust concurrent extractability of \(\mathsf {CECom}\) so that the commit-message of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)th right session is not rewound.
As in the proof of Lemma 1, we can show that \(\mathcal {SE}_{\widetilde{i^*}}\) statistically emulates the execution of \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\). Thus, with non-negligible probability, \(\mathcal {SE}_{\widetilde{i^*}}\) obtains two valid decommitments of a \(\mathsf {Com_{SH}}\) commitment (in the commit-messages of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)th right session) such that the decommitted values are different. Then, since \(\mathcal {SE}_{\widetilde{i^*}}\) runs in polynomial time and since the commit-messages of \(\mathsf {sWIAOK}\) (and therefore the \(\mathsf {Com_{SH}}\) commitment) of the \(\widetilde{i^*}\)th right session are not rewound in \(\mathcal {SE}_{\widetilde{i^*}}\),^{9} we can break the binding property of \(\mathsf {Com_{SH}}\). Thus, we reach a contradiction. \(\square \)
Step 2. Introduce hybrid simulator-extractors. Next, we introduce hybrid simulator-extractors. To clarify the exposition, we first define a sequence of hybrid simulators by gradually modifying \(\hat{\mathcal {S}}\) and then define the hybrid simulator-extractors by using them. Below, when we refer to a particular stage of \(\mathsf {sCNMZK}\), we always mean the corresponding stage of \(\mathsf {sCNMZK}\) in the \(\widetilde{i^*}\)th right session.

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_0\) is identical with \(\hat{\mathcal {S}}\).

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_1\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_0\) except that \(\widetilde{r}_P\) is extracted by brute force in Stage II-1 and the committed value of the \(\mathsf {CECom}\) commitment in Stage II-2 is switched from \(0^{n}\) to \(\widetilde{r}_P\).

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_2\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_1\) except that in Stage II-4, the \(\mathsf {WIPOK}\) proof is computed by using a witness for the fact that the committed value of the \(\mathsf {CECom}\) commitment of Stage II-2 is \(\widetilde{r}_P\).

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_3\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_2\) except that in Stage I-2, the committed value of the \(\mathsf {CECom}\) commitment is switched from \((\widetilde{r}_V, \widetilde{d})\) to \((0^{|\widetilde{r}_V|}, 0^{|\widetilde{d}|})\).

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_4\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{3}\) except that in Stage I-1, the committed value of the \(\mathsf {Com_{SB}}\) commitment is switched from \(\widetilde{r}_V\) to \(0^{n}\).
Then, for each \(k\in \{0,\ldots ,4 \}\), hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_k\) is defined as follows.

– Hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_k\) is the same as \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) except that the execution of \(\hat{\mathcal {S}}\) is replaced with that of \(h\hbox {-}{\hat{\mathcal {S}}}_k\). The output of \(h\hbox {-}{\hat{\mathcal {SE}}}_k\) is the value extracted during the witness extraction of the \(\widetilde{i^*}\)th right session.
Note that the value \(\widetilde{r}_V\) is not used anywhere in \(h\hbox {-}{\hat{\mathcal {SE}}}_4\).
Step 3. Prove that \(\widetilde{r}_V\) is extracted in every hybrid. Finally, we show that \(\widetilde{r}_V\) is extracted with non-negligible probability in each hybrid. First, we consider \(h\hbox {-}{\hat{\mathcal {SE}}}_1\).
Claim 4
Let \(\widetilde{r}_V\) be the value chosen by the verifier in Stage I-1 of the \(\widetilde{i^*}\)th right session. If \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) with non-negligible probability, then in \(h\hbox {-}{\hat{\mathcal {SE}}}_1\) the probability that \(\widetilde{r}_V\) is extracted during the witness extraction of the \(\widetilde{i^*}\)th right session is non-negligible.
Proof. In this proof, we use intermediate hybrid simulator-extractors in which the \(\mathsf {CECom}\) commitment in Stage II-2 of the \(\widetilde{i^*}\)th right session is gradually modified. Again, we first introduce hybrid simulators. Recall that a \(\mathsf {CECom}\) commitment consists of \(\ell = \omega (R_{{\mathsf {SH}}}(n)\log n)\) \(\mathsf {ExtCom}\) commitments. Then, the intermediate hybrid simulators \(h\hbox {-}{\hat{\mathcal {S}}}_{0:0}, \ldots , h\hbox {-}{\hat{\mathcal {S}}}_{0:\ell }\) are defined as follows.

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:0}\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_0\) except that \(\widetilde{r}_P\) is extracted by brute force in Stage II-1 of the \(\widetilde{i^*}\)th right session.

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:k}\) (\(k\in [\ell ]\)) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{0:k-1}\) except that the committed value of the \(k\)th \(\mathsf {ExtCom}\) commitment in the \(\mathsf {CECom}\) commitment of Stage II-2 is switched from \(0^{n}\) to \(\widetilde{r}_P\) in the \(\widetilde{i^*}\)th right session.
Then, for each \(k\in \{0,\ldots ,\ell \}\), hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) is defined as follows.

– Hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) is the same as \(h\hbox {-}{\hat{\mathcal {SE}}}_0\) except that the execution of \(h\hbox {-}{\hat{\mathcal {S}}}_0\) is replaced with that of \(h\hbox {-}{\hat{\mathcal {S}}}_{0:k}\).
Note that \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:\ell }\) is identical with \(h\hbox {-}{\hat{\mathcal {SE}}}_{1}\).
Below, we show that for every \(k\in [\ell ]\), the output of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and that of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are indistinguishable. (Recall that the outputs of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are the value extracted in the \(\widetilde{i^*}\)th right session.) Since the probability that \(\widetilde{r}_V\) is extracted in \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:0}\) is non-negligible from Claim 3, this suffices to prove Claim 4.
Roughly speaking, we show this indistinguishability as follows. Since \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) differ only in the committed value of an \(\mathsf {ExtCom}\) commitment, we use the hiding property of the \(\mathsf {ExtCom}\) commitment to show the indistinguishability. A problem is that we cannot use it directly since \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) run in super-polynomial time. To overcome this problem, we observe that the only super-polynomial computations in \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are the brute-force extraction of \(\mathsf {CCACom}^{1:1}\) in the \(\widetilde{i^*}\)th right session and those of \(\mathsf {CECom}\) in the left sessions. Based on this observation, we first show that the executions of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) can be emulated in polynomial time by using the one-session committed-value oracle \(\mathcal {O}\) of \(\mathsf {CCACom}^{1:1}\) and the concurrent extractability of \(\mathsf {CECom}\). We then combine the 4-robustness of \(\mathsf {CCACom}^{1:1}\) with the hiding property of \(\mathsf {ExtCom}\) (which has only four rounds) to argue that the output of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and that of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are indistinguishable. To formally implement this idea, we need to make sure that the \(\mathsf {ExtCom}\) commitment and the \(\mathsf {CCACom}^{1:1}\) commitment are not rewound during the concurrent extraction of \(\mathsf {CECom}\). Details are given below.
First, we introduce hybrid simulator-extractors \(h\hbox {-}\mathcal {SE}_{0:k-1}^{\mathcal {O}}\) and \(h\hbox {-}\mathcal {SE}_{0:k}^{\mathcal {O}}\), where \(\mathcal {O}\) is the one-session committed-value oracle of \(\mathsf {CCACom}^{1:1}\). Hybrid \(h\hbox {-}\mathcal {SE}_{0:k}^{\mathcal {O}}\) (resp., \(h\hbox {-}\mathcal {SE}_{0:k-1}^{\mathcal {O}}\)) emulates \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) (resp., \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\)) in the same way as \(\mathcal {SE}\) emulates \(\hat{\mathcal {SE}}\) except for the following.

– During the emulation of the wi-main thread, the value \((r_V, d)\) is extracted in Stage I-2 of each left session by using the robust concurrent extractability so that the \(\mathsf {CCACom}^{1:1}\) commitment of Stage II-1 and the \(k\)th \(\mathsf {ExtCom}\) commitment of the \(\mathsf {CECom}\) commitment of Stage II-2 are not rewound in the \(\widetilde{i^*}\)th right session. In addition, in the \(\widetilde{i^*}\)th right session, the committed value of \(\mathsf {CCACom}^{1:1}\) is extracted by forwarding the commitment to \(\mathcal {O}\). Note that the \(\mathsf {CCACom}^{1:1}\) commitment in the \(\widetilde{i^*}\)th right session is not rewound and therefore it can be forwarded to \(\mathcal {O}\).
Next, we show that for each \(h\in \{k-1, k \}\), the output of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:h}\) and that of \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:h}\) are indistinguishable. This can be proven in a similar way to Lemma 1. In particular, we can use the same argument if we use the following claim instead of Claim 2.
Claim 5
In \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\) for each \(h\in \{k-1, k \}\), the following holds except with negligible probability: In every left session that reaches Stage III, the \(\mathsf {CECom}\) commitment in Stage I-2 of this session is valid and its committed value is a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I-1.
Note that since \(h\hbox {-}{\hat{\mathcal {S}}}_{0:0}\) is identical to \(\hat{\mathcal {S}}\), Claim 5 implies Claim 2.
Proof (of Claim 5). Let us say that a left session is bad if it reaches Stage III and either the \(\mathsf {CECom}\) commitment in Stage I-2 is invalid or its committed value is not a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment in Stage I-1; a left session is good if it is not bad. What we want to prove is that every left session is good except with negligible probability.
Roughly speaking, the proof proceeds as follows. From the soundness of \(\mathsf {WIPOK}\), if a left session is bad, then in Stage II-2 of this left session, the committed value of the \(\mathsf {CECom}\) commitment is \(r_P\), which is the committed value of the \(\mathsf {CCACom}^{1:1}\) commitment of Stage II-1; thus, before \(r_P\) is decommitted to in Stage II-3, we can obtain \(r_P\) by extracting the committed value from \(\mathsf {CECom}\) in Stage II-2. This by itself does not contradict the hiding property of \(\mathsf {CCACom}^{1:1}\), since \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\) runs in super-polynomial time for the brute-force extraction of \(\mathsf {CECom}\) and \(\mathsf {CCACom}^{1:1}\). Thus, we again replace the brute-force extraction with the concurrent extraction of \(\mathsf {CECom}\) and oracle access to the one-session committed-value oracle \(\mathcal {O}\) of \(\mathsf {CCACom}^{1:1}\), and use the one-one CCA-security of \(\mathsf {CCACom}^{1:1}\) instead of its hiding property. Here, since we want to use the one-one CCA-security of \(\mathsf {CCACom}^{1:1}\), we perform the concurrent extraction of \(\mathsf {CECom}\) so that the \(\mathsf {CCACom}^{1:1}\) commitment in a left session and the \(\mathsf {CCACom}^{1:1}\) commitment in the \(\widetilde{i^*}\)th right session are not rewound. Details are given below.
Assume for contradiction that there exists \(h\in \{k-1, k \}\) such that in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\), a left session is bad with non-negligible probability. (Here, the indices of the left sessions are determined by the order in which Stage III begins; the reason why we define the indices in this way will become clear later.) Then, there exists \(i^*\in [m]\) such that in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\), the first \((i^*-1)\) left sessions are good except with negligible probability but the \(i^*\)th left session is bad with non-negligible probability. Note that from the soundness of \(\mathsf {WIPOK}\), when the \(i^*\)th left session is bad, the committed value of the \(\mathsf {CECom}\) commitment in Stage II-2 is \(r_P\) in the \(i^*\)th left session except with negligible probability, where \(r_P\) is the value committed to in Stage II-1 of the \(i^*\)th left session. In the following, we use \(\mathsf{BAD }\) to denote the event that the \(i^*\)th left session is bad, and use \(\mathsf{CHEAT }\) to denote the event that the committed value of the \(\mathsf {CECom}\) commitment in Stage II-2 is \(r_P\) in the \(i^*\)th left session. Then, let us consider the following hybrids.

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\). From our assumption, \(\mathsf{BAD }\) occurs in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) with non-negligible probability. Thus, from the above argument, \(\mathsf{CHEAT }\) occurs in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) with non-negligible probability.

– Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) except that \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) terminates just before Stage III of the \(i^*\)th left session begins. Clearly, \(\mathsf{BAD }\) and \(\mathsf{CHEAT }\) also occur in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) with non-negligible probability.

– Hybrid simulator \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) emulates \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) in polynomial time as follows.
  – At the beginning, a random left session \(s\) is chosen. (Here, we guess that session \(s\) is the \(i^*\)th left session.)
  – In every left session, in Stage I-2, the committed value \((r_V, d)\) is extracted by the robust concurrent extractor of \(\mathsf {CECom}\) in such a way that the \(\mathsf {CCACom}^{1:1}\) commitment of left session \(s\) and the \(\mathsf {CCACom}^{1:1}\) commitment of the \(\widetilde{i^*}\)th right session are not rewound. In addition, in the \(\widetilde{i^*}\)th right session, the committed value of \(\mathsf {CCACom}^{1:1}\) is extracted by forwarding the commitment to \(\mathcal {O}\).
  – In left session \(s\), the committed value is also extracted in Stage II-2 by the robust concurrent extractor of \(\mathsf {CECom}\) without rewinding the \(\mathsf {CCACom}^{1:1}\) commitment of the \(\widetilde{i^*}\)th right session.
Note that when Stage III of a left session is executed, the \(\mathsf {CECom}\) commitment in Stage I-2 of that session is valid except with negligible probability (since that session is one of the first \((i^*-1)\) left sessions and therefore it is good except with negligible probability). Thus, the values extracted by the concurrent extractor are equal to the values that would be extracted by brute force except with negligible probability; therefore, \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) statistically emulates \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\), and \(\mathsf{BAD }\) and \(\mathsf{CHEAT }\) occur in \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) with non-negligible probability.
– Note that session \(s\) is the \(i^*\)th left session with non-negligible probability. Then, since \(\mathsf{CHEAT }\) occurs in \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) with non-negligible probability, \(r_P\) is extracted from the \(\mathsf {CECom}\) commitment in Stage II-2 of session \(s\) with non-negligible probability, where \(r_P\) is the value committed to in Stage II-1 of session \(s\). Then, since the \(\mathsf {CCACom}^{1:1}\) commitment of session \(s\) is not rewound in \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\), we can break the one-one CCA security of \(\mathsf {CCACom}^{1:1}\). Thus, we reach a contradiction. \(\square \)
Thus, for each \(h\in \{k-1, k \}\), the outputs of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:h}\) and \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:h}\) are indistinguishable.
To show that the outputs of \(h\hbox {}{\hat{\mathcal {SE}}}_{0:k1}\) and \(h\hbox {}{\hat{\mathcal {SE}}}_{0:k}\) are indistinguishable, it remains to prove that the outputs of \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k1}\) and \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k}\) are indistinguishable. This can be shown as follows. Observe that \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k1}\) and \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k}\) differ only in the kth \(\mathsf {ExtCom}\) commitment of the \(\mathsf {CECom}\) commitment of the \(\widetilde{i^*}\)th right session, and this \(\mathsf {ExtCom}\) commitment is not rewound in \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k1}\) and \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k}\). In addition, \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k1}\) and \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k}\) run in polynomial time given oracle access to the onesession committedvalue oracle \(\mathcal {O}\) of \(\mathsf {CCACom}^{1:1}\). Thus, from the hiding property of \(\mathsf {ExtCom}\) and the 4robustness of \(\mathsf {CCACom}^{1:1}\), the output of \(\mathcal {SE}^{\mathcal {O}}_{0:k1}\) and that of \(h\hbox {}\mathcal {SE}^{\mathcal {O}}_{0:k}\) are indistinguishable.
Thus, we conclude that the probability that \(\widetilde{r}_V\) is extracted in \(h\hbox {}{\hat{\mathcal {SE}}}_1\) is nonnegligible. This concludes the proof of Claim 4. \(\square \)
By using essentially the same argument as in the proof of Claim 4, we can show that \(\widetilde{r}_V\) is extracted with nonnegligible probability also in \(h\hbox {}{\hat{\mathcal {SE}}}_2\), \(h\hbox {}{\hat{\mathcal {SE}}}_3\), and \(h\hbox {}{\hat{\mathcal {SE}}}_4\).
Concluding the Proof of Claim 1 . In \(h\hbox {}{\hat{\mathcal {SE}}}_4\), the \(\widetilde{i^*}\)th right session is independent of \(\widetilde{r}_V\), and therefore the probability that \(\widetilde{r}_V\) is extracted is negligible. However, we show above that this probability is nonnegligible. Thus, we reach a contradiction.
This concludes the proof of Theorem 2. \(\square \)
Footnotes
1. \(\mathsf {NMCom}\) needs to be non-malleable w.r.t. commitment [6], which roughly says that the committed value of the commitment that the man-in-the-middle adversary gives is independent of the committed value of the commitment that the adversary receives. Since the definition of non-malleability w.r.t. commitment is meaningless when the committed values cannot be uniquely determined, \(\mathsf {NMCom}\) cannot be statistically hiding.
2. Specifically, Orlandi et al. [20] used a scheme such that (i) when the string is sampled from the uniform distribution, the scheme is statistically hiding, and (ii) when the string is taken from another (computationally indistinguishable) distribution, the scheme is non-malleable.
3. Since \(\mathcal {S}\) rewinds Open image in new window during the concurrent extraction of \(\mathsf {CCA}\text {-}\mathsf {CECom}\), \(\mathcal {S}\) may send the challenge message of \(\mathsf {sWIAOK}\) of a right session to Open image in new window multiple times. Here, \(\mathcal {SE}\) rewinds \(\mathcal {S}\) to the point just before \(\mathcal {S}\) sends it to Open image in new window on the “main thread.”
4. If we use the robust extraction technique [8], for each left session there exists a rewinding strategy that allows us to extract witnesses from the right sessions without rewinding \(\mathsf {sWIAOK}\) of this left session. However, since what we want to show is that the values extracted in the right sessions by the rewinding strategy that \(\mathcal {SE}\) uses are unchanged, the robust extraction technique cannot be used here (unless there exists a rewinding strategy that allows us to extract witnesses from the right sessions without rewinding the \(\mathsf {sWIAOK}\) proof of every left session).
5. A commitment is valid if there exists a value to which it can be decommitted.
6. Note that the wi-main thread is also a cec-main thread.
7. Recall that \(\mathsf {WIPOK}\) consists of three stages: commit, challenge, and response.
8. For any prefix \(\rho \) of the transcript up until the challenge message of \(\mathsf {sWIAOK}\) of the ith right session, let \(p_{\rho }\) be the probability that the ith right session is accepted when the prefix of the transcript is \(\rho \). Then, we have \(\mathrm {E} \left[ T_i \mid {\mathsf {prefix}}_{\rho } \right] = p_{\rho } \cdot 1/p_{\rho } = 1\), where \(T_i\) is the random variable representing the number of rewindings of the wi-main thread and \({\mathsf {prefix}}_{\rho }\) is the event that the prefix of the transcript is \(\rho \). Thus, we have \(\mathrm {E} \left[ T_i \right] = \sum _{\rho } \mathrm {E} \left[ T_i \mid {\mathsf {prefix}}_{\rho } \right] \Pr \left[ {\mathsf {prefix}}_{\rho } \right] = 1\).
9. Note that the commit messages of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)th right session appear only on the wi-main thread.
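Footnote 8 compresses two steps into the product \(p_{\rho } \cdot 1/p_{\rho }\). The derivation below is added here and is not part of the paper; it uses the paper's symbols \(T_i\), \(p_{\rho }\) and \({\mathsf {prefix}}_{\rho }\) and assumes, as the footnote does, that once the prefix \(\rho \) is fixed every run of the remainder of the ith right session (the main-thread run and each rewound run) is accepted independently with the same probability \(p_{\rho }\). Rewinding of the wi-main thread starts only if the main-thread run is accepted, and then continues until one rewound run is accepted, so the number of rewound runs is geometric with mean \(1/p_{\rho }\):
\[
\mathrm {E} \left[ T_i \mid {\mathsf {prefix}}_{\rho } \right]
= \Pr \left[ \text {main-thread run accepted} \mid {\mathsf {prefix}}_{\rho } \right] \cdot \mathrm {E} \left[ \text {rewound runs until acceptance} \mid {\mathsf {prefix}}_{\rho } \right]
= p_{\rho } \cdot \sum _{t \ge 1} t \,(1-p_{\rho })^{t-1} p_{\rho }
= p_{\rho } \cdot \frac {1}{p_{\rho }} = 1 .
\]
\[
\mathrm {E} \left[ T_i \right]
= \sum _{\rho } \Pr \left[ {\mathsf {prefix}}_{\rho } \right] \mathrm {E} \left[ T_i \mid {\mathsf {prefix}}_{\rho } \right]
= \sum _{\rho } \Pr \left[ {\mathsf {prefix}}_{\rho } \right] = 1 .
\]
Two points worth keeping in mind when reading the footnote: for a prefix with \(p_{\rho } = 0\) the main-thread run is never accepted, so no rewinding starts and the conditional expectation is \(0\) rather than an undefined \(0 \cdot 1/0\), which is why the sum over \(\rho \) still equals \(1\); and the bound is on the expectation only, so the simulator-extractor runs in expected polynomial time, not strict polynomial time, which is the standard guarantee for black-box rewinding simulators.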
References
1. Barak, B., Prabhakaran, M., Sahai, A.: Concurrent non-malleable zero knowledge. In: FOCS, pp. 345–354 (2006)
2. Blum, M.: How to prove a theorem so no one else can claim it. In: International Congress of Mathematicians, pp. 1444–1451 (1987)
3. Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-box concurrent zero-knowledge requires (almost) logarithmically many rounds. SIAM J. Comput. 32(1), 1–47 (2002)
4. Canetti, R., Lin, H., Pass, R.: Adaptive hardness and composable security in the plain model from standard assumptions. In: FOCS, pp. 541–550 (2010)
5. Damgård, I., Pedersen, T.P., Pfitzmann, B.: Statistical secrecy and multibit commitments. IEEE Trans. Inf. Theory 44(3), 1143–1151 (1998)
6. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)
7. Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. J. ACM 51(6), 851–898 (2004)
8. Goyal, V., Lin, H., Pandey, O., Pass, R., Sahai, A.: Round-efficient concurrently composable secure computation via a robust extraction lemma. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 260–289. Springer, Heidelberg (2015)
9. Goyal, V., Moriarty, R., Ostrovsky, R., Sahai, A.: Concurrent statistical zero-knowledge arguments for NP from one way functions. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 444–459. Springer, Heidelberg (2007)
10. Haitner, I., Nguyen, M.H., Ong, S.J., Reingold, O., Vadhan, S.P.: Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009)
11. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
12. Kiyoshima, S.: Round-efficient black-box construction of composable multi-party computation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 351–368. Springer, Heidelberg (2014)
13. Kiyoshima, S., Manabe, Y., Okamoto, T.: Constant-round black-box construction of composable multi-party computation protocol. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 343–367. Springer, Heidelberg (2014)
14. Lin, H., Pass, R.: Concurrent non-malleable zero knowledge with adaptive inputs. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 274–292. Springer, Heidelberg (2011)
15. Lin, H., Pass, R.: Black-box constructions of composable protocols without setup. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 461–478. Springer, Heidelberg (2012)
16. Lin, H., Pass, R., Tseng, W.L.D., Venkitasubramaniam, M.: Concurrent non-malleable zero knowledge proofs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 429–446. Springer, Heidelberg (2010)
17. Micciancio, D., Ong, S.J., Sahai, A., Vadhan, S.P.: Concurrent zero knowledge without complexity assumptions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 1–20. Springer, Heidelberg (2006)
18. Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)
19. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC, pp. 33–43 (1989)
20. Orlandi, C., Ostrovsky, R., Rao, V., Sahai, A., Visconti, I.: Statistical concurrent non-malleable zero knowledge. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 167–191. Springer, Heidelberg (2014)
21. Ostrovsky, R., Pandey, O., Visconti, I.: Efficiency preserving transformations for concurrent non-malleable zero knowledge. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 535–552. Springer, Heidelberg (2010)
22. Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: STOC, pp. 533–542 (2005)
23. Pass, R., Tseng, W.L.D., Venkitasubramaniam, M.: Concurrent zero knowledge, revisited. J. Cryptol. 27(1), 45–46 (2012)
24. Pass, R., Wee, H.: Black-box constructions of two-party protocols from one-way functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009)
25. Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: FOCS, pp. 366–375 (2002)
26. Venkitasubramaniam, M.: On adaptively secure protocols. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 455–475. Springer, Heidelberg (2014)