Interactive Oracle Proofs

  • Eli Ben-Sasson
  • Alessandro Chiesa
  • Nicholas Spooner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9986)


We initiate the study of a proof system model that naturally combines interactive proofs (IPs) and probabilistically-checkable proofs (PCPs), and generalizes interactive PCPs (which consist of a PCP followed by an IP). We define an interactive oracle proof (IOP) to be an interactive proof in which the verifier is not required to read the prover’s messages in their entirety; rather, the verifier has oracle access to the prover’s messages, and may probabilistically query them. IOPs retain the expressiveness of PCPs, capturing NEXP rather than only PSPACE, and also the flexibility of IPs, allowing multiple rounds of communication with the prover. IOPs have already found several applications, including unconditional zero knowledge [BCGV16], constant-rate constant-query probabilistic checking [BCG+16], and doubly-efficient constant-round IPs for polynomial-time bounded-space computations [RRR16].

We offer two main technical contributions. First, we give a compiler that maps any public-coin IOP into a non-interactive proof in the random oracle model. We prove that the soundness of the resulting proof is tightly characterized by the soundness of the IOP against state restoration attacks, a class of rewinding attacks on the IOP verifier that is reminiscent of, but incomparable to, resetting attacks.

Second, we study the notion of state-restoration soundness of an IOP: we prove tight upper and lower bounds in terms of the IOP’s (standard) soundness and round complexity; and describe a simple adversarial strategy that is optimal, in expectation, across all state restoration attacks.

Our compiler can be viewed as a generalization of the Fiat–Shamir paradigm for public-coin IPs (CRYPTO ’86), and of the “CS proof” constructions of Micali (FOCS ’94) and Valiant (TCC ’08) for PCPs. Our analysis of the compiler gives, in particular, a unified understanding of these constructions, and also motivates the study of state restoration attacks, not only for IOPs, but also for IPs and PCPs.

When applied to known IOP constructions, our compiler implies, e.g., blackbox unconditional ZK proofs in the random oracle model with quasilinear prover and polylogarithmic verifier, improving on a result of [IMSX15].

Supplementary material


  1. [ALM+92]
    Arora, S., Lund, C., Motwani, R., Sudan, M., Szegedy, M.: Proof verification and hardness of approximation problems (1992)Google Scholar
  2. [ALM+98]
    Arora, S., Lund, C., Motwani, R., Sudan, M., Szegedy, M.: Proof verification and the hardness of approximation problems. JACM 45(3), 501–555 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  3. [AS98]
    Arora, S., Safra, S.: Probabilistic checking of proofs: a new characterization of NP. JACM 45(1), 70–122 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  4. [Bab85]
    Babai, L.: Trading group theory for randomness. In: STOC 1985 (1985)Google Scholar
  5. [Bab90]
    Babai, L.: E-mail and the unexpected power of interaction. Technical report, University of Chicago, Chicago, IL, USA (1990)Google Scholar
  6. [BBP04]
    Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24676-3_11 CrossRefGoogle Scholar
  7. [BC86]
    Brassard, G., Crépeau, C.: Non-transitive transfer of confidence: a perfect zero-knowledge interactive protocol for SAT and beyond. In: FOCS 1986 (1986)Google Scholar
  8. [BCC88]
    Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  9. [BCG+16]
    Ben-Sasson, E., Chiesa, A., Gabizon, A., Riabzev, M., Spooner, N.: Short interactive oracle proofs with constant query complexity, via composition and sumcheck (2016). Crypto ePrint 2016/324Google Scholar
  10. [BCGV16]
    Ben-Sasson, E., Chiesa, A., Gabizon, A., Virza, M.: Quasilinear-size zero knowledge from linear-algebraic PCPs. In: TCC 2016-A (2016)Google Scholar
  11. [BCI+13]
    Bitansky, N., Chiesa, A., Ishai, Y., Ostrovsky, R., Paneth, O.: Succinct non-interactive arguments via linear interactive proofs. In: TCC 2013 (2013)Google Scholar
  12. [BCS16]
    Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs, 2016. Crypto ePrint 2016/116Google Scholar
  13. [BD16]
    Bishop, A., Dodis, Y.: Interactive coding for interactive proofs. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 352–366. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49099-0_13 CrossRefGoogle Scholar
  14. [BDG+13]
    Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y.T., López-Alt, A., Wichs, D.: Why "Fiat-Shamir for proofs" lacks a proof. In: TCC 2013 (2013)Google Scholar
  15. [BFL90]
    Babai, L., Fortnow, L., Lund, C.: Nondeterministic exponential time has two-prover interactive protocols. In: SFCS 1990 (1990)Google Scholar
  16. [BFLS91]
    Babai, L., Fortnow, L., Levin, L.A., Szegedy, M.: Checking computations in polylogarithmic time. In: STOC 1991 (1991)Google Scholar
  17. [BG93]
    Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993). doi: 10.1007/3-540-48071-4_28 CrossRefGoogle Scholar
  18. [BG08]
    Barak, B., Goldreich, O.: Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  19. [BGGL01]
    Barak, B., Goldreich, O., Goldwasser, S., Lindell, Y.: Resettably-sound zero-knowledge and its applications. In: FOCS 2001 (2001)Google Scholar
  20. [BGH+04]
    Ben-Sasson, E., Goldreich, O., Harsha, P., Sudan, M., Vadhan, S.: Robust PCPs of proximity, shorter PCPs and applications to coding. In: STOC 2004 (2004)Google Scholar
  21. [BGKW88]
    Ben-Or, M., Goldwasser, S., Kilian, J., Wigderson, A.: Multi-prover interactive proofs: how to remove intractability assumptions. In: STOC 1988 (1988)Google Scholar
  22. [BHZ87]
    Boppana, R.B., Håstad, J., Zachos, S.: Does co-NP have short interactive proofs? Inf. Process. Lett. 25(2), 127–132 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  23. [BKK+13]
    Ben-Sasson, E., Kaplan, Y., Kopparty, S., Meir, O., Stichtenoth, H.: Constant rate PCPs for circuit-SAT with sublinear query complexity. In: FOCS 2013 (2013)Google Scholar
  24. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993 (1993)Google Scholar
  25. [BS08]
    Ben-Sasson, E., Sudan, M.: Short PCPs with polylog query complexity. SIAM J. Comput. 38(2), 551–607 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  26. [BW15]
    Bernhard, D., Warinschi, B.: On limitations of the Fiat-Shamir transformation. ePrint 2015/712 (2015)Google Scholar
  27. [CGH04]
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. JACM 51(4), 557–594 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  28. [COPV13]
    Chung, K.-M., Ostrovsky, R., Pass, R., Visconti, I.: Simultaneous resettability from one-way functions. In: FOCS 2013 (2013)Google Scholar
  29. [CPSV16]
    Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. In: TCC 2016-A (2016)Google Scholar
  30. [Dam89]
    Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990). doi: 10.1007/0-387-34805-0_39 CrossRefGoogle Scholar
  31. [DNRS03]
    Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. JACM 50(6), 852–921 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  32. [Fis05]
    Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 152–168. Springer, Heidelberg (2005). doi: 10.1007/11535218_10 CrossRefGoogle Scholar
  33. [FRS88]
    Fortnow, L., Rompel, J., Sipser, M.: On the power of multi-prover interactive protocols (1988)Google Scholar
  34. [FS86]
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi: 10.1007/3-540-47721-7_12 CrossRefGoogle Scholar
  35. [GGPR13]
    Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_37 CrossRefGoogle Scholar
  36. [GH98]
    Goldreich, O., Håstad, J.: On the complexity of interactive proofs with bounded communication. Inf. Process. Lett. 67(4), 205–214 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  37. [GIMS10]
    Goyal, V., Ishai, Y., Mahmoody, M., Sahai, A.: Interactive locking, zero-knowledge PCPs, and unconditional cryptography. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 173–190. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14623-7_10 CrossRefGoogle Scholar
  38. [GK03]
    Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS 2003 (2003)Google Scholar
  39. [GKR08]
    Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for Muggles. In: STOC 2008 (2008)Google Scholar
  40. [GMR89]
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  41. [GOSV14]
    Goyal, V., Ostrovsky, R., Scafuro, A., Visconti, I.: Black-box non-black-box zero knowledge. In: STOC 2014 (2014)Google Scholar
  42. [Gro10]
    Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-17373-8_19 CrossRefGoogle Scholar
  43. [GS86]
    Goldwasser, S., Sipser, M.: Private coins versus public coins in interactive proof systems. In: STOC 1986 (1986)Google Scholar
  44. [GVW02]
    Goldreich, O., Vadhan, S., Wigderson, A.: On interactive proofs with a laconic prover. Comput. Complex. 11(1–2), 1–53 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  45. [HS00]
    Harsha, P., Sudan, M.: Small PCPs with low query complexity. Comput. Complex. 9(3–4), 157–201 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  46. [HT98]
    Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 408–423. Springer, Heidelberg (1998). doi: 10.1007/BFb0055744 CrossRefGoogle Scholar
  47. [IKM09]
    Ito, T., Kobayashi, H., Matsumoto, K.: Oracularization and two-prover one-round interactive proofs against nonlocal strategies. In: CCC 2009 (2009)Google Scholar
  48. [IKO07]
    Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Efficient arguments without short PCPs. In: CCC 2007 (2007)Google Scholar
  49. [IMS12]
    Ishai, Y., Mahmoody, M., Sahai, A.: On efficient zero-knowledge PCPs. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 151–168. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-28914-9_9 CrossRefGoogle Scholar
  50. [IMSX15]
    Ishai, Y., Mahmoody, M., Sahai, A., Xiao, D.: On zero-knowledge PCPs: limitations, simplifications, and applications (2015).
  51. [Ito10]
    Ito, T.: Polynomial-space approximation of no-signaling provers. In: ICALP 2010 (2010)Google Scholar
  52. [Kil92]
    Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: STOC 1992 (1992)Google Scholar
  53. [KR08]
    Kalai, Y., Raz, R.: Interactive PCP. In: ICALP 2008 (2008)Google Scholar
  54. [KR09]
    Kalai, Y.T., Raz, R.: Probabilistically checkable arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 143–159. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_9 CrossRefGoogle Scholar
  55. [KRR13]
    Kalai, Y., Raz, R., Rothblum, R.: Delegation for bounded space. In: STOC 2013 (2013)Google Scholar
  56. [KRR14]
    Kalai, Y.T., Raz, R., Rothblum, R.D.: How to delegate computations: the power of no-signaling proofs. In: STOC 2014 (2014)Google Scholar
  57. [KRR16]
    Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of Fiat-Shamir for proofs. ePrint 2016/303 (2016)Google Scholar
  58. [LFKN92]
    Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. JACM 39(4), 859–868 (1992)MathSciNetCrossRefzbMATHGoogle Scholar
  59. [Lin15]
    Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46494-6_5 Google Scholar
  60. [Lip12]
    Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-28914-9_10 CrossRefGoogle Scholar
  61. [Mer89a]
    Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990). doi: 10.1007/0-387-34805-0_21 CrossRefGoogle Scholar
  62. [Mer89b]
    Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990). doi: 10.1007/0-387-34805-0_40 CrossRefGoogle Scholar
  63. [Mic00]
    Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  64. [MV16]
    Mittelbach, A., Venturi, D.: Fiat-shamir for highly sound protocols is instantiable. ePrint 2016/313 (2016)Google Scholar
  65. [Pas03]
    Pass, R.: On deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45146-4_19 CrossRefGoogle Scholar
  66. [PGHR13]
    Parno, B., Gentry, C., Howell, J., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: Oakland 2013 (2013)Google Scholar
  67. [PS96]
    Pointcheval, D., Stern, J.: Security proofs for signature schemes. In EUROCRYPT ’96, 1996Google Scholar
  68. [PSSV07]
    Pavan, A., Selman, A.L., Sengupta, S., Vinodchandranm, N.V.: Polylogarithmic-round interactive proofs for coNP collapse the exponential hierarchy. Theoret. Comput. Sci. 385(1), 167–178 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  69. [PTW09]
    Pass, R., Tseng, W.-L.D., Wikström, D.: On the composition of public-coin zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 160–176. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_10 CrossRefGoogle Scholar
  70. [RRR16]
    Reingold, O., Rothblum, R., Rothblum, G.: Constant-round interactive proofs for delegating computation. In: STOC 2016 (2016)Google Scholar
  71. [SBV+13]
    Setty, S., Braun, B., Victor, V., Blumberg, A.J., Parno, B., Walfish, M.: Resolving the conflict between generality and plausibility in verified computation. In: EuroSys 2013 (2013)Google Scholar
  72. [SBW11]
    Setty, S., Blumberg, A.J., Walfish, M.: Toward practical and unconditional verification of remote computations. In: HotOS 2011 (2011)Google Scholar
  73. [Sha92]
    Shamir, A.: IP = PSPACE. JACM 39(4), 869–877 (1992)MathSciNetCrossRefzbMATHGoogle Scholar
  74. [SMBW12]
    Setty, S., McPherson, M., Blumberg, A.J., Walfish, M.: Making argument systems for outsourced computation practical (sometimes). In: NDSS 2012 (2012)Google Scholar
  75. [SVP+12]
    Setty, S., Victor, V., Panpalia, N., Braun, B., Blumberg, A.J., Walfish, M.: Taking proof-based verified computation a few steps closer to practicality. In: Security 2012 (2012)Google Scholar
  76. [Val08]
    Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78524-8_1 CrossRefGoogle Scholar
  77. [Wee09]
    Wee, H.: Zero knowledge in the random oracle model, revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 417–434. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_25 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Eli Ben-Sasson
    • 1
  • Alessandro Chiesa
    • 2
  • Nicholas Spooner
    • 3
  1. 1.TechnionHaifaIsrael
  2. 2.UC BerkeleyBerkeleyUSA
  3. 3.University of TorontoTorontoCanada

Personalised recommendations