Round-Optimal Black-Box Commit-and-Prove with Succinct Communication

Abstract

We give a four-round black-box construction of a commit-and-prove protocol with succinct communication. Our construction is WI and has constant soundness error, and it can be upgraded into a one that is ZK and has negligible soundness error by relying on a round-preserving transformation of Khurana et al. (TCC 2018). Our construction is obtained by combining the MPC-in-the-head technique of Ishai et al. (SICOMP 2009) with the two-round succinct argument of Kalai et al. (STOC 2014), and the main technical novelty lies in the analysis of the soundness—we show that, although the succinct argument of Kalai et al. does not necessarily provide soundness for \(\mathcal {NP}\) statements, it can be used in the MPC-in-the-head technique for proving the consistency of committed MPC views. Our construction is based on sub-exponentially hard collision-resistant hash functions, two-round PIRs, and two-round OTs.

1 Introduction

In this paper, we obtain a new commit-and-prove protocol by relying on techniques in the area of succinct arguments. We start by giving some backgrounds.

Succinct arguments. Informally speaking, a succinct argument is an argument system with small communication complexity and fast verification time—typically, when a statement about T-time deterministic or non-deterministic computation is proven, the communication complexity and the verification time are required to be polylogarithmic in T. (The security requirements are, as usual, completeness and computational soundness.) Succinct arguments are useful when resources for communication and verification are limited; for example, a direct application of succinct arguments is delegating computation [GKR15] (or verifiable computation [GGP10]), where a computationally weak client delegates heavy computations to a powerful server and the client uses succinct arguments to verify the correctness of the server’s computation efficiently. It was shown that a four-round succinct argument for all statements in \(\mathcal {NP}\) can be obtained from collision-resistance hash functions [Kil92]. Since then, succinct arguments have been actively studied, and protocols with various properties have been proposed.

Among existing succinct arguments, the most relevant to this work is the one by Kalai et al. [KRR14] (KRR succinct argument in short), which has several desirable properties such as (1) being doubly efficient [GKR15] (i.e., not only the verifier but also the prover is efficient), (2) being a two-round protocol (i.e., the scheme consists of a single query message from the verifier and a single answer message from the prover), and (3) being proven secure under standard assumptions, especially without relying on unfalsifiable assumptions and random oracles. More concretely, when the statement is about the correctness of a T-time computation, the communication complexity and the verifier running time is polylogarithmic in T while the prover running time is polynomial in T, and the security is proven assuming the existence of private information retrieval (PIR) or fully homomorphic encryption (FHE).

Given the powerful properties of KRR succinct argument, it is natural to expect that it has many cryptographic applications. For example, since argument systems have been extensively used in the design of cryptographic protocols, one might expect that the efficiency of such cryptographic protocols can be improved by simply plugging in KRR succinct argument.

However, using KRR succinct argument in cryptographic applications is actually non-trivial. One difficulty is that the soundness of KRR succinct argument is currently proven only for some specific types of \(\mathcal {NP}\) statements [KP16, BHK17, BKK18] (originally, its soundness was proven for statements in \(\mathcal {P}\) [KRR14]). Another difficulty is that it does not provide any privacy on witnesses when it is used for \(\mathcal {NP}\) statements.

Nonetheless, recent works showed that KRR succinct argument can be used in some cryptographic applications. For example, by cleverly combining KRR succinct argument with other cryptographic primitives, Bitansky et al. [BBK16] obtained a three-round zero-knowledge argument against uniform cheating provers, Brakerski and Kalai [BK20] obtained a succinct private access control protocol for the access structures that can be expressed by monotone formulas, and Morgan et al. [MPP20] obtained a succinct non-interactive secure two-party computation protocol.

The number of applications is, however, still limited. A potential reason for this limitation is that the current techniques inherently use cryptographic primitives in non-black-box ways. Concretely, to hide the prover’s witness, the current techniques use KRR succinct argument under other cryptographic protocols (such as garbling schemes) and thus require non-black-box accesses to the codes of the cryptographic primitives that underlies KRR succinct argument. Consequently, the current techniques cannot be used for applications where black-box uses of cryptographic protocols are desirable, such as the application to commit-and-prove protocols, which we discuss next.

Commit-and-prove protocols. Informally speaking, a commit-and-prove protocol is a commitment scheme in which the committer can prove a statement about the committed value without opening the commitment. Proofs by the committer are required to be zero-knowledge (ZK) or witness-indistinguishable (WI), where the former requires that the views of the receiver in the commit and prove phases can be simulated in polynomial time without knowing the committed value, and the latter requires that for any two messages and any statement such that both of the messages satisfy the statement, the receiver cannot tell which of the messages is committed even after receiving a proof on the statement. Commit-and-prove protocols were implicitly used by Goldreich et al. [GMW87] for obtaining a secure multi-party computation protocol with malicious security, and later formalized by Canetti et al. [CLOS02].

A desirable property of commit-and-prove protocols is that they are constructed in a black-box way, i.e., in a way that uses the underlying cryptographic primitives as black-box by accessing them only through their input/output interfaces. Indeed, this black-box construction property is essential when commit-and-prove protocols are used as a tool for enforcing honest behaviors on malicious parties without relying on non-black-box uses of the underlying cryptographic primitives (see, e.g., [GLOV12, LP12, GOSV14]).

Very recently, Hazay and Venkitasubramaniam [HV18] and Khurana et al. [KOS18] gave four-round black-box constructions of ZK commit-and-prove protocols, where the round complexity of a commit-and-prove protocol is defined as the sum of that of the commit phase and that of the prove phase. Their protocols are round optimal since the commit and prove phases of their commit-and-prove protocols can be thought of as black-box ZK arguments (where the prover first commits to a witness and then proves the validity of the committed witness) and black-box ZK arguments are known to require at least four rounds [GK96]. Their protocols also have the delayed-input property, i.e., the property that statements to be proven on committed values can be chosen adaptively in the last round of the prove phase.

The commit-and-prove protocols by Hazay and Venkitasubramaniam [HV18] and Khurana et al. [KOS18] are not succinct in the sense that when the statement is expressed as a T-time predicate on the committed value, the communication complexity depends at least linearly on T. This is because both of their protocols were obtained via transformations from the three-round constant-sound commit-and-prove protocol of Hazay and Venkitasubramaniam [HV16], which is not succinct in the above sense.

1.1 Our Result

Our main result is a four-round black-box construction of a constant-sound WI commit-and-prove protocol with succinct communication complexity.

Theorem 1

Assume the existence of sub-exponentially hard versions of the following cryptographic primitives: a collision-resistant hash function family, a two-round oblivious transfer protocol, and a two-round private information retrieval protocol. Then, there exists a constant-sound WI commit-and-prove protocol with the following properties.

1. 1.

   The round complexity is 4, and the protocol satisfies the delayed-input property and uses the above cryptographic primitives in a black-box way.

2. 2.

   When the length of the committed value is \(n\) and the statement to be proven on the committed value is a T-time predicate, the communication complexity depends polynomially on \(\log n\), \(\log T\), and the security parameter.

Our commit-and-prove protocol uses a variant of KRR succinct argument (which is obtained from the private information retrieval protocol), and succinctness of our commit-and-prove protocol is inherited from that of KRR succinct argument. We assume sub-exponential hardness on the cryptographic primitives since we use complexity leveraging.

ZK and negligible soundness error. Given our constant-sound WI commit-and-prove protocol, we can use (a minor variant of) a transformation of Khurana et al. [KOS18] to transform it into a 4-round ZK commit-and-prove protocol with negligible soundness error. The resultant commit-and-prove protocol still satisfies the delayed-input property, the black-box uses of the underlying primitives, and the succinct communication complexity. (See the full version of this paper for details.)

Verification time. The verification of our commit-and-prove protocol is not succinct, i.e., the verifier running time depends polynomially on T. Although we might be able to make it succinct by appropriately modifying our protocol (see Appendix A for details), we do not explore this possibility in this work so that we can focus on our main purpose, i.e., on showing how to use KRR succinct argument in black-box constructions of commit-and-prove protocols.

Complexity leveraging. As mentioned above, we use complexity leveraging in the proof of Theorem 1. Although we might be able to avoid the use of complexity leveraging by using known techniques (e.g., by relying on extractable commitments [PW09]), we do not explore this possibility in this work for the same reason as above.

Comparison with existing schemes. As explained above, Hazay and Venkitasubramaniam [HV18] and Khurana et al. [KOS18] gave four-round black-box ZK commit-and-prove protocols with the delayed-input property. Their schemes rely on a weak primitive (injective one-way functions) but do not have succinct communication.

Goyal et al. [GOSV14] and Ishai and Weiss [IW14] studied black-box commit-and-prove protocols with succinct communication under slightly different definitions than ours.¹ If their techniques are used to obtain schemes under our definitions, the resultant schemes will rely on a weak primitive (collision-resistant hash functions) but have round complexity larger than 4.²

Kalai and Paneth [KP16] observed that when messages are committed by using Merkle tree-hash, KRR succinct argument can be used for proving statements on the committed messages. The resultant scheme is succinct in terms of both communication complexity and verification time, but uses the underlying hash function in a non-black-box way and does not have privacy properties (which are not needed for the purpose of [KP16]).

1.2 Overview of Our Commit-and-Prove Protocol

The overall approach is to combine KRR succinct argument with the MPC-in-the-head technique [IKOS09].

Let us first recall how we can obtain a non-succinct WI commit-and-prove protocol by using the MPC-in-the-head technique. Let \(M\in \mathbb {N}\) be an arbitrary constant, \(\varPi \) be any 2-private semi-honest secure \(M\)-party computation protocol with perfect completeness,³ \(\mathsf {OT}\) be any two-round 1-out-of-\(M^2\) oblivious transfer (OT) protocol, \(\mathsf {SBCom}\) be any statistically binding commitment scheme, and \(\mathsf {SHCom}\) be any statistically hiding commitment scheme. We assume that the hiding property of \(\mathsf {SBCom}\) can be broken in a quasi-polynomial time \(T_{\textsc {sb}}\), and the security of the other primitives holds against \(\mathsf {poly}(T_{\textsc {sb}})\)-time adversaries.

• Commit phase. To commit to a message \(x_{\textsc {com}}\), the committer (1) chooses random \(x_{\textsc {mpc}}^1, \ldots , x_{\textsc {mpc}}^{M}\) such that \(x_{\textsc {mpc}}^1 \oplus \cdots \oplus x_{\textsc {mpc}}^{M} = x_{\textsc {com}}\), (2) chooses randomness \(r_{\textsc {mpc}}^{1}, \ldots , r_{\textsc {mpc}}^{M}\) for the \(M\) parties of \(\varPi \), and (3) commits to \(\mathsf {st}_0^{\mu } \,{:}{=}\, (x_{\textsc {mpc}}^{\mu }, r_{\textsc {mpc}}^{\mu })\) for each \(\mu \in [M]\) by using \(\mathsf {SHCom}\). (Note that each \(\mathsf {st}_0^{\mu }\) can be thought of as an initial state of a party of \(\varPi \).) For each \(\mu \in [M]\), let \(\mathsf {dec}_{\textsc {sh}}^{\mu }\) denote the decommitment of \(\mathsf {SHCom}\) for revealing \(\mathsf {st}_0^{\mu }\).

• Prove phase. In the first round, the receiver computes a receiver message of \(\mathsf {OT}\) by using random \((\alpha , \beta )\in [M]\times [M]\) as the input,⁴ and sends it to the committer.

  In the second round, to prove \(f(x_{\textsc {com}}) = 1\) for a predicate f, the committer does the following. (1) Execute \(\varPi \) in the head by using \(\mathsf {st}_0^1, \ldots , \mathsf {st}_0^{M}\) as the initial states of the \(M\) parties and using \(f': (y^1, \ldots , y^{M}) \mapsto f(y^1\oplus \cdots \oplus y^{M})\) as the functionality to be computed. Let \(\mathsf {view}^1, \ldots , \mathsf {view}^{M}\) be the views of the parties in this execution of \(\varPi \). (2) For each \(\mu \in [M]\), compute a commitment to \((\mathsf {dec}_{\textsc {sh}}^{\mu }, \mathsf {view}^{\mu })\) by using \(\mathsf {SBCom}\). Let \(\mathsf {dec}_{\textsc {sb}}^{\mu }\) be the decommitment of \(\mathsf {SBCom}\) for revealing \((\mathsf {dec}_{\textsc {sh}}^{\mu }, \mathsf {view}^{\mu })\). (3) Compute a sender message of \(\mathsf {OT}\) by using \(\{(\mathsf {dec}_{\textsc {sb}}^{\mu }, \mathsf {dec}_{\textsc {sb}}^{\nu }) \}_{\mu ,\nu \in [M]}\) as the input. (4) Send the commitments and the OT message to the receiver.

  In the verification, the receiver (1) recovers \(\mathsf {dec}_{\textsc {sb}}^{\alpha }, \mathsf {dec}_{\textsc {sb}}^{\beta }\) from the \(\mathsf {OT}\) message, (2) checks that they are valid decommitments of \(\mathsf {SBCom}\) for revealing \(\mathsf {dec}_{\textsc {sh}}^{\alpha }, \mathsf {view}^{\alpha }, \mathsf {dec}_{\textsc {sh}}^{\beta }, \mathsf {view}^{\beta }\) and that \(\mathsf {dec}_{\textsc {sh}}^{\alpha }, \mathsf {dec}_{\textsc {sh}}^{\beta }\) are valid decommitments of \(\mathsf {SHCom}\) for revealing \(\mathsf {st}_0^{\alpha }, \mathsf {st}_0^{\beta }\), and (3) checks the following two conditions on \(\mathsf {st}_0^{\alpha }, \mathsf {view}^{\alpha }, \mathsf {st}_0^{\beta }, \mathsf {view}^{\beta }\).

  1. 1.

     The views \(\mathsf {view}^{\alpha }, \mathsf {view}^{\beta }\) are consistent in the sense that the messages that the party \(P^{\alpha }\) receives from the party \(P^{\beta }\) in \(\mathsf {view}^{\alpha }\) is equal to the messages that \(P^{\beta }\) sends to \(P^{\alpha }\) in \(\mathsf {view}^{\beta }\) and vice versa.

  2. 2.

     For each \(\xi \in \{\alpha , \beta \}\), the view \(\mathsf {view}^{\xi }\) indicates that the initial state of \(P^{\xi }\) is \(\mathsf {st}_0^{\xi }\) and the output is 1.

First, the constant soundness follows from the receiver security of \(\mathsf {OT}\) and the perfect completeness of \(\varPi \). Roughly speaking, this is because (1) the receiver security of \(\mathsf {OT}\) guarantees that the committer can convince the verifier with high probability only when it commits to initial states and views that satisfy the above two conditions for every \(\alpha ,\beta \in [M]\),⁵ and (2) when the committed initial states and views satisfy the above two conditions for every \(\alpha ,\beta \in [M]\), the perfect completeness of \(\varPi \) guarantees \(f(x_{\textsc {com}})=1\), where \(x_{\textsc {com}}\) is derived from the committed initial states. Next, the witness-indistinguishability follows from the receiver security of \(\mathsf {OT}\) and the 2-privacy of \(\varPi \). This is because the former guarantees that the receiver only learns the committed initial states and views of two parties and the latter guarantees the committed initial states and views of any two parties do not reveal any information about \(x_{\textsc {com}}\). Finally, this scheme is not succinct since the committer sends the initial states and views of \(\varPi \) (or more precisely the decommitments to them) via \(\mathsf {OT}\).

Now, to make the above scheme succinct, we combine it with KRR succinct argument. The idea is to let the committer send succinct arguments about the initial states and views (instead of the initial states and views themselves) via \(\mathsf {OT}\). That is, we let the committer prove that the above two conditions hold on the committed initial states and views of each pair of the parties, where a separate instance of KRR succinct argument is used for each pair of the parties, and let it send the resultant \(M^2\) succinct arguments via \(\mathsf {OT}\). (Note that KRR succinct argument can naturally be combined with \(\mathsf {OT}\) since it is a two-round protocol.) As a minor modification, we also let the committer use a succinct commitment scheme to commit to the initial states and the views.

Unfortunately, although the modifications are intuitive, proving the soundness of the resultant scheme is non-trivial. (In contrast, the WI property can be proven similarly to the WI property of the original scheme. The key point is that, although KRR succinct argument does not provide any witness privacy, we can still prove WI of the whole scheme since in each instance of KRR succinct argument, the witness—initial states and views of a pair of the parties—does not reveal any secret information anyway.)

A natural approach for proving the soundness would be to first prove the soundness of each instance of KRR succinct argument and then derive the soundness of the whole scheme from it. Indeed, if we can show that each of the \(M^2\) instances of KRR succinct argument provides an argument-of-knowledge property (which allows us to extract the committed initial states and views from the cheating committer), we can easily prove the soundness of the whole scheme.

The problem of this approach is that KRR succinct argument is not known to provide soundness for all statements in \(\mathcal {NP}\), and hence, does not necessarily provide soundness when it is used as above.

Our actual approach is to show that, while each of the instances of KRR succinct argument does not necessarily provide soundness, they as a whole provide a meaningful notion of the soundness, which can be used to prove the soundness of the whole scheme. Specifically, by getting into the security proof of the soundness of KRR succinct argument, we show that when \(M^2\) instances of KRR argument are used in parallel for proving the consistency of each pair of the committed views etc. as above, then they as a whole guarantee that the committed views are mutually consistent etc.

We give more detailed overviews of our approach from Sect. 3 to Sect. 6 after giving necessary definitions in Sect. 2.

2 Preliminaries

2.1 Notations and Conventions

We denote the security parameter by \(\lambda \). We assume that every algorithm takes the security parameter as input, and often do not write it explicitly.

We identify a bit-string with a function in the following manner: a bit-string \(x = (x_1, \ldots , x_{n})\) is thought of as a function \(x: [n] \rightarrow \{0,1 \}\) such that \(x(i) = x_i\). More generally, for any finite field F, we identify a string over F with a function in the same manner. For a vector \(\textit{\textbf{v}} = (v_1, \ldots , v_{n})\) and a set \(S\subseteq [n]\), we define \(\textit{\textbf{v}}|_{S}\) by \(\textit{\textbf{v}}|_{S} {:}{=} \{v_i \}_{i\in S}\). Similarly, for a function \(f: D \rightarrow R\) and a set \(S \subseteq D \), we define \(f|_{S}\) by \(f|_{S} {:}{=} \{f(i) \}_{i\in S}\).

For any two probabilistic interactive Turing machines A and B and any input \(x_A\) to A and \(x_B\) to B, we denote by \((\mathsf {out}_A,\mathsf {out}_B) \leftarrow \langle A(x_A), B(x_B) \rangle \) that the output of an interaction between \(A(x_A)\) and \(B(x_B)\) is \((\mathsf {out}_A,\mathsf {out}_B)\), where \(\mathsf {out}_A\) is the output from A and \(\mathsf {out}_B\) is the output from B.

2.2 Witness-Indistinguishable Commit-and-Prove Protocols

We give the definition of witness-indistinguishable commit-and-prove protocols. Our definition is based on the definition by Khurana et al. [KOS18] but is slightly different from it; see Appendix B for the differences.

A witness-indistinguishable (WI) commit-and-prove protocol \(\langle C, R \rangle \) is a protocol between a committer \(C= (\mathsf {C.Com}, \mathsf {C.Dec}, \mathsf {C.Prv})\) and a receiver \(R= (\mathsf {R.Com}, \mathsf {R.Dec}, \mathsf {R.Prv})\), and it consists of three phases.

1. 1.

   In the commit phase, \(\mathsf {C.Com}\) takes a message \(x\in \{0,1 \}^{n}\) as input and interacts with \(\mathsf {R.Com}\) to commit to x.⁶ At the end of the interaction, \(\mathsf {C.Com}\) outputs its internal state \(\mathsf {st}_{C}\) and \(\mathsf {R.Com}\) outputs the commitment \(\mathsf {com}\), which is the transcript of the commit phase.

2. 2.

   In the prove phase, \(\mathsf {C.Prv}\) takes a predicate f as input along with \(\mathsf {st}_{C}\), and interacts with \(\mathsf {R.Prv}\) to prove that \(f(x) = 1\) holds, where \(\mathsf {R.Prv}\) takes \((\mathsf {com}, f)\) as input, At the end of the interaction, \(\mathsf {R.Prv}\) outputs either 1 (accept) or 0 (reject).

3. 3.

   In the open phase, \(\mathsf {C.Dec}\) takes an index \(i\in [n]\) as input along with \(\mathsf {st}_{C}\), and interacts with \(\mathsf {R.Dec}\) to reveal the i-th bit of x, where \(\mathsf {R.Dec}\) takes \((\mathsf {com}, i)\) as input. At the end of the interaction, \(\mathsf {R.Dec}\) outputs either a bit \(x_i\) as the decommitted bit, or \(\bot \) (reject).

In this paper, we focus on a WI commit-and-prove protocol such that (1) both the prove phase and the open phase consist of two rounds, (2) the first round of the prove phase does not depend on the commitment \(\mathsf {com}\) and the predicate f,⁷ and (3) the first round of the open phase does not depend on the commitment \(\mathsf {com}\). Because of (1) and (2), \(\mathsf {R.Prv}\) can be split into two algorithms, \(\mathsf {R.Prv.Q}_{}\) and \(\mathsf {R.Prv.D}_{}\), such that the prove phase proceeds as follows: \((Q, \mathsf {st}_{R})\leftarrow \mathsf {R.Prv.Q}_{}\); \(\pi \leftarrow \mathsf {C.Prv}(\mathsf {st}_{C}, f, Q)\); \(b\leftarrow \mathsf {R.Prv.D}_{}(\mathsf {st}_{R}, \mathsf {com}, f, \pi )\). Similarly, because of (1) and (3), \(\mathsf {R.Dec}\) can be split into two algorithms, \(\mathsf {R.Dec.Q}_{}\) and \(\mathsf {R.Dec.D}_{}\), such that the open phase proceeds as follows: \((Q, \mathsf {st}_{R})\leftarrow \mathsf {R.Dec.Q}_{}(i)\); \(\mathsf {dec}\leftarrow \mathsf {C.Dec}(\mathsf {st}_{C}, i, Q)\); \(b\leftarrow \mathsf {R.Dec.D}_{}(\mathsf {st}_{R}, \mathsf {com}, \mathsf {dec})\).

WI commit-and-prove protocols need to satisfy the following security notions.

Definition 1 (Completeness)

A commit-and-prove protocol \(\langle C, R \rangle \) is complete if for any polynomial \(n: \mathbb {N}\rightarrow \mathbb {N}\) and any \(\lambda \in \mathbb {N}\), \(x\in \{0,1 \}^{n(\lambda )}\), and \(i\in [n(\lambda )]\),

Definition 2 (Binding)

A commit-and-prove protocol \(\langle C, R \rangle \) is (computationally) binding if for any polynomial \(n: \mathbb {N}\rightarrow \mathbb {N}\), any \(\textsc {ppt} \) cheating committer \(C^*= (\mathsf {C.Com}^*, \mathsf {C.Dec}^*)\), and any \(\lambda \in \mathbb {N}\), the following binding condition holds with overwhelming probability over the choice of \((\mathsf {st}_{C}, \mathsf {com}) \leftarrow \langle \mathsf {C.Com}^*, \mathsf {R.Com} \rangle \).

• Binding Condition: For every \(i\in [n(\lambda )]\), it holds \(\Pr _{} \left[ b_{\textsc {bad}}= 1 \right] \le \mathsf {negl}(\lambda )\) in the following probabilistic experiment \(\textsc {Exp}^{\mathrm {bind}}(\mathsf {C.Dec}^*, \mathsf {st}_{C}, \mathsf {com}, i)\).

  1. 1.

     For each \(b\in \{0,1 \}\), sample \(Q_b\) by \((Q_b, \mathsf {st}_b) \leftarrow \mathsf {R.Dec.Q}_{}(i)\).

  2. 2.

     Run \(\{\mathsf {dec}_b \}_{b\in \{0,1 \}} \leftarrow \mathsf {C.Dec}^*(\mathsf {st}_{C}, i, \{Q_b \}_{b\in \{0,1 \}})\).

  3. 3.

     For each \(b\in \{0,1 \}\), let \(x^*_b \leftarrow \mathsf {R.Dec.D}_{}(\mathsf {st}_b, \mathsf {com}, \mathsf {dec}_b)\).

  4. 4.

     Output \(b_{\textsc {bad}}{:}{=} 1\) if and only if \(x^*_0 \ne \bot \wedge x^*_1 \ne \bot \wedge x^*_0 \ne x^*_1\) holds.

Definition 3 (Soundness)

Let \(\epsilon : \mathbb {N}\rightarrow [0,1]\) be a function. A commit-and-prove protocol \(\langle C, R \rangle \) is (computationally) \(\epsilon \)-sound if for any constant \(c\in \mathbb {N}\), there exists a \(\textsc {ppt} \) oracle Turing machine E (called an extractor) such that for any polynomial \(n: \mathbb {N}\rightarrow \mathbb {N}\), any \(\textsc {ppt} \) cheating committer \(C^*= (\mathsf {C.Com}^*, \mathsf {C.Prv}^*)\), and any sufficiently large \(\lambda \in \mathbb {N}\), the following soundness condition holds with overwhelming probability over the choice of \((\mathsf {st}_{C}, \mathsf {com})\leftarrow \langle \mathsf {C.Com}^*, \mathsf {R.Com} \rangle \).

• Soundness Condition⁸: If it holds

  

  then there exists \(x^* = (x^*_1, \ldots , x^*_{n})\in \{0,1 \}^{n(\lambda )}\) such that

  

  and

  

\(\langle C, R \rangle \) is said to be sound if it is \(\epsilon \)-sound for a negligible function \(\epsilon \).

Definition 4 (Witness Indistinguishability)

\(\langle C, R \rangle \) is witness-indistinguishable if for any polynomial \(n: \mathbb {N}\rightarrow \mathbb {N}\), any two sequences \(\{x_{\lambda }^0 \}_{\lambda \in \mathbb {N}}\) and \(\{x_{\lambda }^1 \}_{\lambda \in \mathbb {N}}\) such that \(x_{\lambda }^0, x_{\lambda }^1\in \{0,1 \}^{n(\lambda )}\), any \(\textsc {ppt} \) cheating receiver \(R^*= (\mathsf {R.Com}^*, \mathsf {R.Prv.Q}_{}{}^*)\), the outputs of Experiment 0 and Experiment 1 are computationally indistinguishable.

• Experiment b (\(b\in \{0,1 \}\)).

  1. 1.

     \((\mathsf {st}_{C}, \mathsf {st}_{R})\leftarrow \langle \mathsf {C.Com}(x_{\lambda }^b), \mathsf {R.Com}^*(x_{\lambda }^0, x_{\lambda }^1) \rangle \).

  2. 2.

     \((f, Q, \mathsf {st}'_{R}) \leftarrow \mathsf {R.Prv.Q}_{}{}^*(\mathsf {st}_{R})\). If \(f(x_{\lambda }^0) \ne 1\) or \(f(x_{\lambda }^1) \ne 1\), abort.

  3. 3.

     \(\pi \leftarrow \mathsf {C.Prv}(\mathsf {st}_{C}, f, Q)\).

  4. 4.

     Output \((\mathsf {st}'_{R}, \pi )\).

2.3 Secure Multi-party Computation

We recall the definition of secure multi-party computation (MPC) protocols based on the description by Ishai et al. [IKOS09]. (We assume that the readers are familiar with the concept of secure MPC protocols.)

The basic model that is used in this paper is the following. The number of parties is denoted by \(M\). We focus on MPC protocols that realize any deterministic \(M\)-party functionality that outputs a single bit (which is obtained by all the parties), given the synchronous communication over secure point-to-point channels. We assume that every party implicitly takes as input the \(M\)-party functionality to be computed.

Recall that the view of a party in an execution of an MPC protocol consists of its input, its randomness, and all the incoming messages that it received from the other parties during the execution of the protocol. The consistency between a pair of views is defined as follows.

Definition 5 (Consistent Views)

A pair of views \(\mathsf {view}^i, \mathsf {view}^j\) is consistent (w.r.t. an MPC protocol \(\varPi \) for a functionality f) if the outgoing messages that are implicitly reported in \(\mathsf {view}^i\) are identical to the incoming messages that are reported in \(\mathsf {view}^j\) and vice versa.

We consider security against semi-honest adversaries. Concretely, we use the following two security notions.

Definition 6 (Perfect correctness)

We say that an MPC protocol \(\varPi \) satisfies perfect correctness if for any deterministic \(M\)-party functionality f and for any private inputs to the parties, the probability that the output of some party in an honest execution of \(\varPi \) is different from the output of f is 0.

Definition 7

(2-privacy). We say that an MPC protocol \(\varPi \) satisfies perfect 2-privacy if for any deterministic \(M\)-party functionality f, there exists a \(\textsc {ppt} \) simulator \(\mathcal {S}_{\textsc {mpc}}\) such that for any private inputs \(x_1, \ldots , x_{M}\) to the parties and every pair of corrupted parties, \(T \subset [M]\) such that \(|T | = 2\), the joint view \(\mathsf {View}_{T}(x_1, \ldots , x_{M})\) of the parties in T is identically distributed with \(\mathcal {S}_{\textsc {mpc}}(T, \{x_i \}_{i\in T}, f(x_1, \ldots , x_{M}))\).

2.4 Probabilistically Checkable Proofs (PCPs)

We recall the definition of probabilistically checkable proofs (PCPs) based on the description by Brakerski et al. [BHK17]. Roughly speaking, PCPs are proof systems with which one can probabilistically verify the correctness of statements by reading only a few bits or symbols of the proof strings. A formal definition is given below.

Definition 8

A \(\kappa \)-query PCP system \((\mathsf {P}, \mathsf {V})\) for an NP language L, where \(\mathsf {V}= (\mathsf {Q}, \mathsf {D})\), satisfies the following.

• (Completeness) For all \(\lambda \in \mathbb {N}\) and \(x\in L\) (with witness w) such that \(|x |\le 2^{\lambda }\),

  

  The PCP proof \(\pi \) is a string of characters over some alphabet \(\varSigma \), and it can be thought that this string is indexed by a set \(\varGamma \) (by identifying \(\varGamma \) with [N] in a canonical way, where N is the length of the string) and \(Q\subseteq \varGamma \). Alternatively, \(\pi \) can be thought of as a function from \(\varGamma \) to \(\varSigma \).

• (Soundness) For all \(\lambda \in \mathbb {N}\), all \(x\not \in L\) such that \(|x |\le 2^{\lambda }\), and all proof string \(\pi ^*\),

  

• (Query Efficiency) If \((Q, \mathsf {st})\leftarrow \mathsf {Q}(1^{\lambda })\), then \(|Q |\le \kappa (\lambda )\) and the combined run-time of \(\mathsf {Q}\) and \(\mathsf {D}\) is \(\mathsf {poly}(\lambda )\).

• (Prover Efficiency) The prover \(\mathsf {P}\) runs in polynomial time, where its input is \((1^{\lambda }, x, w)\).

2.5 Definitions from Kalai et al. [KRR14] and Subsequent Works

Computational no-signaling (CNS). We recall the definition of adaptive (computational) no-signaling [KRR14, BHK17].

Definition 9

Fix any alphabet \(\{\varSigma _{\lambda } \}_{\lambda \in \mathbb {N}}\), any \(\{N_{\lambda } \}_{\lambda \in \mathbb {N}}\) such that \(N_{\lambda }\in \mathbb {N}\), any function \(\kappa _{\mathrm {max}}: \mathbb {N}\rightarrow \mathbb {N}\) such that \(\kappa _{\mathrm {max}}(\lambda )\le N_{\lambda }\), and any algorithm \(\mathsf {Algo}\) such that for any \(\lambda \in \mathbb {N}\), on input a subset \(Q\subset [N_{\lambda }]\) of size at most \(\kappa _{\mathrm {max}}(\lambda )\), \(\mathsf {Algo}\) outputs (the truth table of) a function \(A: Q\rightarrow \varSigma \cup \{\bot \}\) with an auxiliary output \(\mathsf {out}\).

Then, the algorithm \(\mathsf {Algo}\) is adaptive \(\kappa _{\mathrm {max}}\)-computational no-signaling (CNS) if for any \(\textsc {ppt} \) distinguisher \(\mathcal {D}\), any sufficiently large \(\lambda \in \mathbb {N}\), any \(Q, S \subset [N_{\lambda }]\) such that \(Q\subseteq S\) and \(|S |\le \kappa _{\mathrm {max}}(\lambda )\), and any \(z\in \{0,1 \}^{\mathsf {poly}(\lambda )}\),

We remark that the above definition can be naturally extended for the case that \(\mathsf {Algo}\) takes auxiliary inputs, as well as for the case that \(\mathsf {Algo}\) takes multiple subsets as input and then outputs multiple functions (see the full version of this paper).

Adaptive local assignment generator. We recall the definition of adaptive local assignment generators [PR14, BHK17].

Definition 10

For any function \(\kappa _{\mathrm {max}}: \mathbb {N}\rightarrow \mathbb {N}\), an adaptive \(\kappa _{\mathrm {max}}\)-local assignment generator \(\mathsf {Assign}\) on variables \(\{V_{\lambda } \}_{\lambda \in \mathbb {N}}\) is an algorithm that takes as input a security parameter \(1^{\lambda }\) and a set of at most \(\kappa _{\mathrm {max}}(\lambda )\) queries \(W\subseteq \{1, \ldots , |V_{\lambda } | \}\), and outputs a 3CNF formula \(\varphi \) on variables \(V_{\lambda }\) and assignments \(A: W\rightarrow \{0,1 \}\) such that the following two properties hold.

• Everywhere Local Consistency. For every \(\lambda \in \mathbb {N}\) and every set \(W\subseteq \{1, \ldots , |V_{\lambda } | \}\) such that \(|W |\le \kappa _{\mathrm {max}}(\lambda )\), with probability at least \(1-\mathsf {negl}(\lambda )\) over sampling \((\varphi , A) \leftarrow \mathsf {Assign}(1^{\lambda }, W)\), the assignment A is “locally consistent” with the formula \(\varphi \). That is, for any \(i_1, i_2, i_3\in W\), if \(\varphi \) has a clause whose variables are \(v_{i_1}, v_{i_2}, v_{i_3}\), then this clause is satisfied with the assignment \(A(i_1), A(i_2), A(i_3)\) with probability at least \(1-\mathsf {negl}(\lambda )\).

• Computational No-signaling. \(\mathsf {Assign}\) is adaptive \(\kappa _{\mathrm {max}}\)-CNS.

No-signaling PCPs. We recall the definition of (computational) no-signaling PCPs [KRR14, BHK17]. Essentially, no-signaling PCPs are PCP systems that are sound against no-signaling cheating provers. Specifically, for any function \(\kappa _{\mathrm {max}}: \mathbb {N}\rightarrow \mathbb {N}\), a PCP system \((\mathsf {P},\mathsf {V})\) for a language L, where \(\mathsf {V}=(\mathsf {Q},\mathsf {D})\), is adaptive \(\kappa _{\mathrm {max}}\)-no-signaling sound with negligible soundness error if it satisfies the following.

• (No-signaling Soundness) For any adaptive \(\kappa _{\mathrm {max}}\)-CNS cheating prover \(P^*\) and any \(\lambda \in \mathbb {N}\),

  

3 Outline of Proof of Theorem 1

As mentioned in Sect. 1.2, our commit-and-prove protocol uses the succinct argument of Kalai et al. [KRR14] (KRR succinct argument in short). Unfortunately, we do not use it modularly—we slightly modify a building block of KRR succinct argument (namely, their no-signaling PCP system) when constructing our protocol, and we see low-level parts of the analysis of KRR succinct argument when analyzing our protocol.

At a high level, KRR succinct argument is obtained in three steps, starting from a scheme with a weak soundness notion.

1. 1.

   Obtain a PCP system such that no CNS adversary can break the soundness with overwhelming success probability.

2. 2.

   Obtain a PCP system such that no CNS adversary can break the soundness with non-negligible success probability.

3. 3.

   Obtain a succinct argument such that no adversary can break the soundness with non-negligible success probability.

Somewhat similarly, our commit-and-prove protocol is obtained in five steps, starting from a non-WI scheme with a weak soundness notion.

1. 1.

   Obtain a non-WI scheme, \(\langle C_1, R_1 \rangle \), such that no CNS “well-behaving” adversary can break the soundness with overwhelming success probability. (Well-behaving adversaries is the class of adversaries that we introduce later.)

2. 2.

   Obtain a non-WI scheme, \(\langle C_2, R_2 \rangle \), such that no CNS adversary can break the soundness with overwhelming success probability.

3. 3.

   Obtain a non-WI scheme, \(\langle C_3, R_3 \rangle \), such that no CNS adversary can break the soundness with non-negligible success probability.

4. 4.

   Obtain a non-WI scheme, \(\langle C_4, R_4 \rangle \), such that no adversary can break the soundness with non-negligible success probability.

5. 5.

   Obtain a WI scheme, \(\langle C_5, R_5 \rangle \), such that no adversary can break the soundness with constant success probability.

The most technically interesting step is the first step, and an extensive overview of this step is given in Sect. 4. Overviews of the other steps are given in Sect. 5 and Sect. 6. The formal proof is given in the full version of this paper.

3.1 Building Block: Perfect 2-Private MPC Protocol \(\varPi \)

In addition to the cryptographic primitives that are listed in Theorem 1, we use a 2-private semi-honest secure \(M\)-party computation protocol \(\varPi \) with perfect completeness, where \(M\) is an arbitrary constant. (Note that such an MPC protocol can be obtained unconditionally; cf. Footnote 3.) We denote the parties of \(\varPi \) by \(P^1, \ldots P^{M}\).

For editorial simplicity, we make several simplifying assumptions on \(\varPi \).

• The length of the initial state of each party is denoted by \(n_{\mathrm {st}}= n+ n_{\textsc {mpc}}\), where \(n\) is the input length and \(n_{\textsc {mpc}}\) is the randomness length, and each party has \(n_{\mathrm {st}}\)-bit internal state at the beginning of each round.

• Every party uses the same next-message function in every round.⁹

• Every party sends a 1-bit message to each party at the end of each round.

• Every party receives dummy incoming messages from all the parties at the beginning of the first round, and every party sends a dummy outgoing message to itself at the end of each round. (This assumption is made so that the next-message function always takes an \((n_{\mathrm {st}}+M)\)-bit input, where the last \(M\) bits are the concatenation of the incoming messages.)

• The first bit of the final state of each party denotes the output of that party.

4 Overview of Step 1 (Non-WI Scheme with Soundness Against CNS Well-Behaving Provers)

We give an extensive overview of our non-WI commit-and-prove protocol \(\langle C_1, R_1 \rangle \), which is \((1-\mathsf {negl})\)-sound against CNS “well-behaving” provers. At a high level, we follow the approach that we outline in Sect. 1.2. That is, we implement the MPC-in-the-head technique with the MPC protocol \(\varPi \) and a succinct argument. However, instead of using KRR succinct argument, we use a variant of the no-signaling PCP system \((\mathsf {PCP}\mathsf {.P}_{\mathsf {KRR}}, \mathsf {PCP}\mathsf {.V}_{\mathsf {KRR}})\) of Kalai et al. [KRR14] (which is the main building block of KRR succinct argument and is referred to as KRR no-signaling PCP in what follows), and we do not use any cryptographic primitives in this step so that we can focus on information theoretical arguments in the analysis. As a result, we can prove soundness only against very restricted provers, which we define as CNS well-behaving provers.

For simplicity, in this overview, we focus on static soundness, where the statement to be proven by the cheating prover is fixed at the beginning of the prove phase. We will also make several implicit oversimplifications in this overview.

4.1 Preliminary: Overview of Analysis of KRR No-Signaling PCP

We start by briefly recalling the analysis of KRR no-signaling PCP (i.e., the analysis of its no-signaling soundness for statements in \(\mathcal {P}\)), focusing on the parts that are relevant to this work.¹⁰

We first remark that KRR no-signaling PCP is a PCP system for 3SAT, so at the beginning the statement to be proven is converted into a 3SAT instance. Specifically, given any statement in \(\mathcal {P}\) of the form “(f, x) satisfies \(f(x) = 1\)” for some public function f and input x, first the function f is converted into a carefully designed Boolean circuit \(\mathsf {C}\) that computes f, and next the statement is converted into a 3SAT instance \(\varphi \) that has the following properties.

1. 1.

   \(\varphi \) has a variable for each of the wires in \(\mathsf {C}\), and the values that are assigned to these variables are interpreted as an assignment to the corresponding wires in \(\mathsf {C}\).

2. 2.

   The clauses of \(\varphi \) checks that (1) for each gate in \(\mathsf {C}\), the assignment to its input and output wires is consistent with the computation of the gate, (2) the assignment to the input wires of \(\mathsf {C}\) is equal to x, and (3) the assignment to the output wire of \(\mathsf {C}\) is equal to 1.

Now, the analysis of KRR no-signaling PCP roughly consists of three parts.

The first part of the analysis shows that any successful CNS cheating prover for a statement (f, x) can be converted into a local assignment generator for the 3SAT instance \(\varphi \) that is obtained from (f, x) as above. That is, it shows that any successful CNS cheating prover can be converted into a probabilistic algorithm \(\mathsf {Assign}\) such that (1) \(\mathsf {Assign}\) takes as input a small-size subset of the variables of \(\varphi \) and it outputs an assignment to these variables, and (2) \(\mathsf {Assign}\) is guaranteed to satisfy the following everywhere local consistency.

• Everywhere local consistency. \(\mathsf {Assign}\) does not make an assignment that violates any clause of \(\varphi \). Specifically, when \(\mathsf {Assign}\) is asked to make an assignment to the three variables that appear in a clause of \(\varphi \), it makes an assignment that satisfies this clause.

(Actually, \(\mathsf {Assign}\) is also guaranteed to be CNS, but we ignore it in this overview for simplicity.¹¹) We note that \(\mathsf {Assign}\) does not necessarily comply with a single global assignment, that is, \(\mathsf {Assign}\) can assign different values to the same variable depending on the randomness and the input. We also note that this part of the analysis holds even for statements in \(\mathcal {NP}\). For simplicity, in this overview we assume that \(\mathsf {Assign}\) does not err (i.e., the everywhere local consistency holds with probability 1).

The second part of the analysis shows that the local assignment generator \(\mathsf {Assign}\) that is obtained in the first part is guaranteed to comply with a single global “correct” assignment. A bit more precisely, this part shows the following.

Let the correct assignment to a wire in \(\mathsf {C}\) (or, equivalently, to a variable in \(\varphi \)) be defined as the assignment that is obtained by evaluating \(\mathsf {C}\) on x, and let \(\mathsf {Assign}\) be called correct on a wire in \(\mathsf {C}\) (or variable in \(\varphi \)) if \(\mathsf {Assign}\) makes the correct assignment to it whenever \(\mathsf {Assign}\) is asked to make an assignment to it. Then, \(\mathsf {Assign}\) is correct on any wire in \(\mathsf {C}\) (or variable in \(\varphi \)), and in particular correct on the output wire of \(\mathsf {C}\).

Roughly speaking, the above is shown in two steps.

1. 1.

   First, it is shown, by relying on a specific structure of \(\mathsf {C}\), that \(\mathsf {Assign}\) is correct on any wire in \(\mathsf {C}\) if \(\mathsf {Assign}\) is correct on each input wire of \(\mathsf {C}\).

2. 2.

   Next, it is observed that \(\mathsf {Assign}\) is indeed correct on each input wire of \(\mathsf {C}\) due to the everywhere local consistency and the definition of \(\varphi \) (which has clauses that check that the assignment to the input wires of \(\mathsf {C}\) is equal to x).

Finally, the last part of the analysis obtains the soundness by combining what are shown by the preceding two parts. In particular, it is observed that the existence of \(\mathsf {Assign}\) as above implies \(f(x) = 1\) since (1) on the one hand, \(\mathsf {Assign}\) always assigns 1 to the output wire of \(\mathsf {C}\) due to the everywhere local consistency and the definition of \(\varphi \) (which has clauses that check that the assignment to the output wire of \(\mathsf {C}\) is 1), and (2) on the other hand, \(\mathsf {Assign}\) always assigns f(x) to the output wire of \(\mathsf {C}\) since what is shown by the second part implies that \(\mathsf {Assign}\) is correct on the output wire of \(\mathsf {C}\).

Remark 1

(Difficulty in the case of \(\mathcal {NP}\) statements). The above analysis does not work in general for statements in \(\mathcal {NP}\). A difficulty is that when the statement is in \(\mathcal {NP}\), it is unclear how we should define the correct assignment in the second part of the analysis. Indeed, on the one hand, the correct assignment can be naturally defined in the case of statements in \(\mathcal {P}\) since there exists a unique assignment that any successful prover is supposed to use (namely the assignment that is derived from x); on the other hand, in the case of statements in \(\mathcal {NP}\), there does not exist a single such assignment. Jumping ahead, below we define well-behaving provers so that we can define the correct assignment naturally (while at the same time so that we can use cryptographic primitives later to force any prover to be well-behaving).    \(\Diamond \)

4.2 Protocol Description

In this overview, we consider the following protocol \(\langle C_1, R_1 \rangle = (\mathsf {C.Com}_1, \mathsf {C.Prv}_1, \mathsf {R.Com}_1, \mathsf {R.Prv.Q}_{1}, \mathsf {R.Prv.D}_{1})\), which is slightly oversimplified from the actual protocol (see the full version of this paper for the actual protocol). (At this point, we temporarily ignore the open phase.) We warn that \(\langle C_1, R_1 \rangle \) is not biding at all in sends no message in the commit phase.

Commit Phase:

• Round 1: Given \(x_{\textsc {com}}\) as the value to be committed, \(\mathsf {C.Com}_1\) does the following.

  1. 1.

     Sample random \(x_{\textsc {mpc}}^1, \ldots , x_{\textsc {mpc}}^{M}\) such that \(x_{\textsc {mpc}}^1 \oplus \cdots \oplus x_{\textsc {mpc}}^{M} = x_{\textsc {com}}\).

  2. 2.

     For each \(\mu \in [M]\), define \(x_{1,\mathsf {in}}^{\mu }\) as follows: sample random \(r_{\textsc {mpc}}^{\mu }\in \{0,1 \}^{n_{\textsc {mpc}}}\) and let \(\mathsf {st}_0^{\mu } {:}{=}\; x_{\textsc {mpc}}^{\mu }\!\parallel \!r_{\textsc {mpc}}^{\mu }\), \(\mathsf {i}\text {-}\mathsf {msgs}_1^{\mu }{:}{=}\; 0^{M}\), \(x_{1,\mathsf {in}}^{\mu } {:}{=}\; \mathsf {st}_0^{\mu } \!\parallel \! \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu }\).

  3. 3.

     Output an empty string as the commitment and store \(\{x_{1,\mathsf {in}}^{\mu } \}_{\mu \in [M]}\) as the internal state.

Prove Phase:

• Round 1: \(\mathsf {R.Prv.Q}_{1}\) does the following.

  1. 1.

     For each \(\mu ,\nu \in [M]\), obtain a set of queries \(Q^{\mu ,\nu }\) by running the verifier of KRR no-signaling PCP.

  2. 2.

     Output \(\{Q^{\mu ,\nu } \}_{\mu ,\nu \in [M]}\) as the query.

• Round 2: Given the statement f and the query \(\{Q^{\mu ,\nu } \}_{\mu ,\nu \in [M]}\) as input, \(\mathsf {C.Prv}_1\) does the following.

  1. 1.

     Run the MPC protocol \(\varPi \) in the head for functionality \(f'\) and initial states \(\{(\mathsf {st}_0^{\mu }, \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu }) \}_{\mu \in [M]}\),¹² where \(f'\) is defined as \(f': (y^1, \ldots , y^{M}) \mapsto f(y^1\oplus \cdots \oplus y^{M})\) and each \((\mathsf {st}_0^{\mu }, \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu })\) is recovered from the internal state of the commit phase. Let \(\{\mathsf {view}^{\mu } \}_{\mu \in [M]}\) be the view of the parties in this execution.

  2. 2.

     For each \(\mu ,\nu \in [M]\), obtain a PCP proof \(\pi ^{\mu :\nu }\) by running the prover of KRR no-signaling PCP on the 3SAT instance \(\varphi ^{\mu :\nu }\) that we will carefully design later—roughly speaking, \(\varphi ^{\mu :\nu }\) takes views of the parties \(P^{\mu }, P^{\nu }\) of \(\varPi \) as input, and checks that the views are consistent and that \(P^{\mu }\) and \(P^{\nu }\) output 1 in the views. (In an honest execution, \(\mathsf {C.Prv}_1\) uses \((\mathsf {view}^{\mu },\mathsf {view}^{\nu })\) to obtain a satisfying assignment to \(\varphi ^{\mu :\nu }\) and then uses it to obtain \(\pi ^{\mu :\nu }\).)

  3. 3.

     Output \(\{\pi ^{\mu :\nu }|_{Q^{\mu :\nu }} \}_{\mu ,\nu \in [M]}\) as the proof.

• Verification: Given the statement f and the proof \(\{{\pi ^*}^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) as input, \(\mathsf {R.Prv.D}_{1}\) does the following.

  1. 1.

     Verify each \({\pi ^*}^{\mu :\nu }\) by running the verifier of KRR no-signaling PCP, and let \(b^{\mu :\nu }\) be the verification result.

  2. 2.

     Output 1 if and only if \(b^{\mu :\nu }=1\) for every \(\mu ,\nu \in [M]\).

4.3 Proof of Soundness

We give an overview of the proof of the soundness. To focus on the main technical idea, in this overview we consider a weak version of the soundness where the extractor is only required to extract a committed value (rather than decommit the commitment as required in Definition 3). Thus, for any successful cheating prover, the extractor is required to extract a value such that the cheating prover cannot prove false statements on it.

Overall approach. At a very high level, the proof consists of two parts.

The first part is to obtain an extractor. Toward this end, we first observe that, by borrowing analyses from Kalai et al. [KRR14], we can convert any successful CNS cheating prover against \(\langle C_1, R_1 \rangle \) into a parallel local assignment generator \(\mathsf {p}\text {-}\mathsf {Assign}\), which gives \(M^2\) local assignments to the 3SAT instances \(\{\varphi ^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) in parallel when it is given \(M^2\) subsets of the variables as input. (To see this, observe that the prove phase of \(\langle C_1, R_1 \rangle \) consists of \(M^2\) parallel executions of KRR no-signaling PCP.) Then, we obtain an extractor by using \(\mathsf {p}\text {-}\mathsf {Assign}\) as follows.

• Note that since each \(\varphi ^{\mu :\nu }\) is a 3SAT instance that takes views of \(P^{\mu },P^{\nu }\) as input, for any particular parts of \(P^{\mu }\) and \(P^{\nu }\)’s views, \(\varphi ^{\mu :\nu }\) has variables that are supposed to be assigned with these parts. In the following, when we say that \(\mathsf {p}\text {-}\mathsf {Assign}\) makes an assignment to particular parts of \(P^{\mu }\) and \(P^{\nu }\)’s views in \(\varphi ^{\mu :\nu }\), we mean that \(\mathsf {p}\text {-}\mathsf {Assign}\) makes an assignment to the variables that are supposed to be assigned with these parts in \(\varphi ^{\mu :\nu }\).

• Now, to extract the i-th bit of the committed value, the extractor obtains the i-th bit of each party’s MPC input by asking \(\mathsf {p}\text {-}\mathsf {Assign}\) to make an assignment to the i-th bit of \(P^{\mu }\)’s input in \(\varphi ^{\mu :\mu }\) for every \(\mu \in [M]\), and then takes XOR of the obtained bits.

The second part is to show that any cheating prover cannot prove false statements on the extracted value. In this part, the analysis proceeds similarly to the analysis of KRR no-signaling PCP. That is, we first define the correct assignment for each of \(\varphi ^{\mu :\nu }\), and next show that \(\mathsf {p}\text {-}\mathsf {Assign}\) always makes the correct assignment to any variable in any of \(\varphi ^{\mu :\nu }\).

Unfortunately, we do not know how to prove the second part against CNS cheating provers in general, and thus, we further restrict the provers to be “well-behaving”.

Well-behaving provers. Roughly speaking, we define well-behaving provers as follows. Recall that the extractor is obtained by converting the cheating prover into a parallel local assignment generator. Now, we define well-behaving provers so that when we convert a successful CNS well-behaving prover into a parallel local assignment generator \(\mathsf {p}\text {-}\mathsf {Assign}\), it satisfies the following two consistency properties.

• Consistency on the initial states: Once the commit phase is completed, there exists a unique set of MPC initial states \(\{(\mathsf {st}_0^{\mu }, \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu }) \}_{\mu \in [M]}\) such that \(\mathsf {p}\text {-}\mathsf {Assign}\) always makes assignments that are consistent with it (i.e., for any \(\mu ,\nu \in [M]\), when \(\mathsf {p}\text {-}\mathsf {Assign}\) is asked to make an assignment to any bit of the initial state of \(P^{\mu }\) or \(P^{\nu }\) in \(\varphi ^{\mu :\nu }\), then \(\mathsf {p}\text {-}\mathsf {Assign}\) always assigns the corresponding bit of \((\mathsf {st}_0^{\mu }, \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu })\) or \((\mathsf {st}_0^{\nu }, \mathsf {i}\text {-}\mathsf {msgs}_1^{\nu })\)).

• Consistency on the views: For every \(\mu ,\nu ,\xi \in [M]\), when \(\mathsf {p}\text {-}\mathsf {Assign}\) is asked to make an assignment to any bit of \(P^{\mu }\)’s view in both \(\varphi ^{\mu :\nu }\) and \(\varphi ^{\mu :\xi }\), then the value that \(\mathsf {p}\text {-}\mathsf {Assign}\) assigns to it in \(\varphi ^{\mu :\nu }\) is identical with the value that \(\mathsf {p}\text {-}\mathsf {Assign}\) assigns to it in \(\varphi ^{\mu :\xi }\). (The same holds for \(\varphi ^{\nu :\mu }\) and \(\varphi ^{\xi :\mu }\) and for \(\varphi ^{\mu :\nu }\) and \(\varphi ^{\xi :\mu }\) etc.)

Remark 2

(Intuition of the two consistency properties of \(\mathsf {p}\text {-}\mathsf {Assign}\)). Essentially, the above two consistency properties guarantee that \(\mathsf {p}\text {-}\mathsf {Assign}\) behaves as if it were obtained from an honest prover. This is because when \(\mathsf {p}\text {-}\mathsf {Assign}\) is indeed obtained from an honest prover, we can show that \(\mathsf {p}\text {-}\mathsf {Assign}\) always assigns the same MPC initial states once the commit phase is fixed, and assigns the same \(P^{\mu }\)’s view in any \(\varphi ^{\mu :\nu }\) and \(\varphi ^{\mu :\xi }\). (Roughly speaking, this is because in an honest execution of \(\langle C_1, R_1 \rangle \), a set of MPC initial states are fixed in the commit phase, and the same \(P^{\mu }\)’s view is used for computing PCPs on any \(\varphi ^{\mu :\nu }\) and \(\varphi ^{\mu :\xi }\) in the prove phase.)    \(\Diamond \)

Before giving more details on the definition of well-behaving provers, we show that by restricting the provers to be well-behaving, we can complete the second part of the above overall approach, where our goal is to show that any cheating prover cannot prove false statements on the extracted value.

Showing that cheating prover cannot prove false statements. As stated earlier, the analysis proceeds similarly to the analysis of KRR no-signaling PCP. That is, we first define the correct assignment for each of \(\varphi ^{\mu :\nu }\), and next show that \(\mathsf {p}\text {-}\mathsf {Assign}\) always makes the correct assignment to any variable in any of \(\varphi ^{\mu :\nu }\).

Step 1: Defining the correct assignments. We define the correct assignments for \(\{\varphi ^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) by relying on that \(\mathsf {p}\text {-}\mathsf {Assign}\) satisfies the consistency on the initial states. Recall that it guarantees that once the commit phase is completed, there exists a unique set of MPC initial states \(\{(\mathsf {st}_0^{\mu }, \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu }) \}_{\mu \in [M]}\) such that \(\mathsf {p}\text {-}\mathsf {Assign}\) always makes local assignments that are consistent with it. Then, we first define the correct views \(\{\mathsf {view}^{\mu } \}_{\mu \in [M]}\) as the views that are obtained by executing \(\varPi \) on these unique initial states \(\{(\mathsf {st}_0^{\mu }, \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu }) \}_{\mu \in [M]}\), and then define the correct assignment for \(\varphi ^{\mu :\nu }\) (\(\mu ,\nu \in [M]\)) as the assignment that is derived from the correct views \((\mathsf {view}^{\mu }, \mathsf {view}^{\nu })\) of \(P^{\mu }, P^{\nu }\). (Recall that \(\varphi ^{\mu :\nu }\) is a 3SAT instance that takes views of \(P^{\mu }, P^{\nu }\) as input.)

From the definition, it is clear that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on the initial states in every \(\varphi ^{\mu :\nu }\) (i.e., \(\mathsf {p}\text {-}\mathsf {Assign}\) always assigns the correct assignment to any bit of the initial states of \(P^{\mu },P^{\nu }\) in \(\varphi ^{\mu :\nu }\) for every \(\mu ,\nu \in [M]\)). Also, since the extractor extracts the committed value by taking XOR of the MPC inputs that are obtained from \(\mathsf {p}\text {-}\mathsf {Assign}\), \(\mathsf {p}\text {-}\mathsf {Assign}\)’s correctness on the initial states implies that the value that the extractor extracts is unique and is equal to the XOR of the MPC inputs that are used in the correct views.

Step 2: Showing that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on every variable. At a high level, our approach is to apply the second part of the analysis of KRR no-signaling PCP (Sect. 4.1) on each party’s next-message computation in a “round-by-round” manner. More concretely, our approach is to first show that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on each of the variables that correspond to the internal states and incoming/outgoing messages of Round 1 of \(\varPi \) in every \(\varphi ^{\mu :\nu }\), next show it on each of the variables that correspond to those of Round 2 of \(\varPi \) in every \(\varphi ^{\mu :\nu }\), and so on.

Toward this end, we first remark that we design each 3SAT instance \(\varphi ^{\mu :\nu }\) carefully so that it has the following specific structure.

1. 1.

   Let \(N_{\mathrm {round}}\) be the round complexity of \(\varPi \). Then, \(\varphi ^{\mu :\nu }\) has variables that can be partitioned into \(4N_{\mathrm {round}}\) sequences of variables, \(\textit{\textbf{w}}_{1, \mathsf {in}}^{\xi }, \textit{\textbf{w}}_{1, \mathsf {out}}^{\xi }, \ldots , \textit{\textbf{w}}_{N_{\mathrm {round}}, \mathsf {in}}^{\xi },\textit{\textbf{w}}_{N_{\mathrm {round}}, \mathsf {out}}^{\xi }\) for \(\xi \in \{\mu ,\nu \}\), such that for each \(\ell \in [N_{\mathrm {round}}]\):

   • \(\textit{\textbf{w}}_{\ell , \mathsf {in}}^{\xi }\) is a sequence of variables such that the values that are assigned to them are interpreted as an internal state and incoming messages of \(P^{\xi }\) at the beginning of Round \(\ell \).¹³

   • \(\textit{\textbf{w}}_{\ell , \mathsf {out}}^{\xi }\) is a sequence of variables such that the values that are assigned to them are interpreted as an internal state and outgoing messages of \(P^{\xi }\) at the end of Round \(\ell \).

2. 2.

   \(\varphi ^{\mu :\nu }\) has clauses that check the following.

   • In each round, for each of \(P^{\mu }\) and \(P^{\nu }\), its end state (i.e., its internal state at the end of the round) and outgoing messages are correctly derived from its start state (i.e., its internal state at the beginning of the round) and incoming messages.

   • In each round, for each of \(P^{\mu }\) and \(P^{\nu }\), its start state is equal to its end state of the previous round.

   • In each round, \(P^{\mu }\)’s incoming message from \(P^{\nu }\) at the beginning of the round is equal to \(P^{\nu }\)’s outgoing message to \(P^{\mu }\) at the end of the previous round, and vise versa.

   • Both \(P^{\mu }\) and \(P^{\nu }\) output 1 in the last round.

We note that given consistent views of \(P^{\mu }, P^{\nu }\) in which they output 1, we can compute a satisfying assignment to the variables in \(\varphi ^{\mu :\nu }\) efficiently by obtaining each party’s end state and outgoing messages of each round through the next-message function.

Now, we first show that if in every \(\varphi ^{\mu :\nu }\), \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on \(P^{\mu }\) and \(P^{\nu }\)’s start states and incoming messages in Round 1, then in every \(\varphi ^{\mu :\nu }\), \(\mathsf {p}\text {-}\mathsf {Assign}\) is also correct on \(P^{\mu }\) and \(P^{\nu }\)’s end states and outgoing messages in Round 1. A key observation on this step is that, essentially, what we need to show is that in every \(\varphi ^{\mu :\nu }\), for each \(\xi \in \{\mu ,\nu \}\), if \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on the input of \(P^{\xi }\)’s next-message computation of Round 1, then \(\mathsf {p}\text {-}\mathsf {Assign}\) is also correct on the output of it. Given this observation (and by designing the details of \(\varphi ^{\mu :\nu }\) appropriately), we can complete this step by just reusing the second part of the analysis of KRR no-signaling PCP, where it is shown that if \(\mathsf {Assign}\) is correct on the input, then \(\mathsf {Assign}\) is also correct on the output.

We next show that in every \(\varphi ^{\mu :\nu }\), if \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on \(P^{\mu }\) and \(P^{\nu }\)’s end states and outgoing messages in Round 1, then in every \(\varphi ^{\mu :\nu }\), \(\mathsf {p}\text {-}\mathsf {Assign}\) is also correct on \(P^{\mu }\) and \(P^{\nu }\)’s start states and incoming messages in Round 2. In this step, we consider three cases for each \(\varphi ^{\mu :\nu }\).

• Case 1. We first consider the correctness on \(P^{\xi }\)’s start state of Round 2 (\(\xi \in \{\mu ,\nu \}\)). This case is easy and we just need to use the everywhere local consistency of \(\mathsf {p}\text {-}\mathsf {Assign}\) and the definition of \(\varphi ^{\mu :\nu }\). Specifically, since \(\varphi ^{\mu :\nu }\) has clauses that check that \(P^{\xi }\)’s start state of Round 2 is equal to its end state of Round 1, the everywhere local consistency of \(\mathsf {p}\text {-}\mathsf {Assign}\) guarantees that \(\mathsf {p}\text {-}\mathsf {Assign}\) assigns the same value on \(P^{\xi }\)’s start state of Round 2 and on \(P^{\xi }\)’s end state of Round 1, and thus, if \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on the latter, it is also correct on the former.

• Case 2. We next consider the correctness on \(P^{\mu }\)’s incoming message from \(P^{\nu }\) and \(P^{\nu }\)’s incoming message from \(P^{\mu }\) at the beginning of Round 2. Again, this case is easy and we just need to use the everywhere local consistency of \(\mathsf {p}\text {-}\mathsf {Assign}\) and the definition of \(\varphi ^{\mu :\nu }\) (which has clauses that check that the message that \(P^{\mu }\) receives from \(P^{\nu }\) at the beginning of Round 2 is equal to the one that \(P^{\nu }\) sends to \(P^{\mu }\) at the end of Round 1, and vise versa).

• Case 3. We finally consider the correctness on \(P^{\mu }\) and \(P^{\nu }\)’s incoming messages from the parties other than \(P^{\mu }\) and \(P^{\nu }\) at the beginning of Round 2. This case is not straightforward, and we rely on that \(\mathsf {p}\text {-}\mathsf {Assign}\) satisfies the consistency on the views, which is guaranteed since \(\mathsf {p}\text {-}\mathsf {Assign}\) is obtained from a well-behaving prover. Let us consider, for example, \(P^{\mu }\)’s incoming message from \(P^{\xi }\) (\(\xi \not \in \{\mu ,\nu \}\)). Then, since the consistency on the views guarantees that \(\mathsf {p}\text {-}\mathsf {Assign}\) assigns the same value in \(\varphi ^{\mu :\nu }\) and \(\varphi ^{\mu :\xi }\) as \(P^{\mu }\)’s incoming message from \(P^{\xi }\), if \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on it in \(\varphi ^{\mu :\xi }\), then \(\mathsf {p}\text {-}\mathsf {Assign}\) is also correct on it in \(\varphi ^{\mu :\nu }\). Then, since we showed in Case 2 that \(\mathsf {p}\text {-}\mathsf {Assign}\) is indeed correct on it in \(\varphi ^{\mu :\xi }\), we conclude that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on it in \(\varphi ^{\mu :\nu }\).¹⁴

By proceeding identically (and observing that, by definition, \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on \(P^{\mu }\) and \(P^{\nu }\)’s start states and incoming messages in Round 1 in every \(\varphi ^{\mu :\nu }\)), we conclude that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on any variable, and in particular correct on \(P^{\mu }\) and \(P^{\nu }\)’s final states in every \(\varphi ^{\mu :\nu }\).

Step 3: Obtaining soundness. On the one hand, the value that \(\mathsf {p}\text {-}\mathsf {Assign}\) assigns as the output of any party \(P^{\mu }\) is always 1 due to the everywhere local consistency of \(\mathsf {p}\text {-}\mathsf {Assign}\) (recall that \(\varphi ^{\mu :\nu }\) has a clause that checks that \(P^{\mu }\)’s output is 1). On the other hand, since \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on the output of \(P^{\mu }\), it is also equal to the value that \(P^{\mu }\) outputs in the correct views. Thus, \(P^{\mu }\) outputs 1 in the correct view, which means that the statement proven by the prover is true on the XOR of the MPC inputs of the correct views. From the definition of the extractor, it follows that the prover cannot prove false statements on the extracted value.

More details of well-behaving provers. It remains to give an overview of the concrete definition of well-behaving provers. As we mentioned earlier, we define well-behaving provers so that when we convert a CNS well-behaving prover into a parallel local assignment generator \(\mathsf {p}\text {-}\mathsf {Assign}\), then \(\mathsf {p}\text {-}\mathsf {Assign}\) has the aforementioned two consistency properties.

Before giving the definition of well-behaving provers, we give a few details about the construction of KRR no-signaling PCP.

• When a PCP proof \(\pi \) for a 3SAT instance \(\varphi \) is created by using a satisfying assignment \(\textit{\textbf{x}}\) to \(\varphi \), the PCP proof \(\pi \) contains an encoding of \(\textit{\textbf{x}}\),¹⁵ i.e., there is a set of queries \(D(X)\) such that \(\pi |_{D(X)}\) is an encoding of \(\textit{\textbf{x}}\).

• Furthermore, we can make sure that in our protocol, each PCP proof \(\pi ^{\mu :\nu }\) for \(\varphi ^{\mu :\nu }\) (where \(\pi ^{\mu :\nu }\) is created by using \((\mathsf {view}^{\mu }, \mathsf {view}^{\nu })\)) contains encodings of \(x_{1,\mathsf {in}}^{\mu }\), \(x_{1,\mathsf {in}}^{\nu }\), \(\mathsf {view}^{\mu }\), and \(\mathsf {view}^{\nu }\), i.e., there are sets of queries \(D(X_{1,\mathsf {in}}^{\mu }), D(X_{1,\mathsf {in}}^{\nu }), D(X^{\mu }), D(X^{\nu })\) such that:

  • \(\pi ^{\mu :\nu }|_{D(X_{1,\mathsf {in}}^{\mu })}\) and \(\pi ^{\mu :\nu }|_{D(X_{1,\mathsf {in}}^{\nu })}\) are encodings of \(x_{1,\mathsf {in}}^{\mu }\) and \(x_{1,\mathsf {in}}^{\nu }\), respectively.

  • \(\pi ^{\mu :\nu }|_{D(X^{\mu })}\) and \(\pi ^{\mu :\nu }|_{D(X^{\nu })}\) are encodings of \(\mathsf {view}^{\mu }\) and \(\mathsf {view}^{\nu }\), respectively.

    (Recall that \(x_{1,\mathsf {in}}^{\mu } {:}{=} \mathsf {st}_0^{\mu } \!\parallel \! \mathsf {i}\text {-}\mathsf {msgs}_1^{\mu }\) and \(x_{1,\mathsf {in}}^{\nu } {:}{=} \mathsf {st}_0^{\nu } \!\parallel \! \mathsf {i}\text {-}\mathsf {msgs}_1^{\nu }\) are the initial states and dummy incoming messages that are computed in the commit phase.)

Then, informally speaking, a CNS prover is said to be well-behaving if it satisfies the following two consistency properties.

• Consistency on \(D(X_{1,\mathsf {in}}^{\mu })\). Once the commit phase is completed, the prover gives the same response to a query in \(D(X_{1,\mathsf {in}}^{\mu })\) (\(\mu \in [M]\)) in different invocations. More concretely, for any queries \(\{Q_0^{\mu :\nu } \}_{\mu ,\nu \in [M]}, \{Q_1^{\mu :\nu } \}_{\mu ,\nu \in [M]}\), any \(\alpha ,\beta ,\gamma ,\delta \in [M]\) such that \(\exists \xi \in \{\alpha , \beta \}\cap \{\gamma , \delta \}\), and any \(q\in Q_0^{\alpha :\beta }\cap Q_1^{\gamma :\delta }\cap D(X_{1,\mathsf {in}}^{\xi })\), we have \({\pi ^*}_0^{\alpha :\beta }(q) = {\pi ^*}_1^{\gamma :\delta }(q)\), where \({\pi ^*}_0^{\alpha :\beta }\) and \({\pi ^*}_1^{\gamma :\delta }\) are generated as follows.

  1. 1.

     \((\mathsf {st}_{C}, \mathsf {com})\leftarrow \langle \mathsf {C.Com}^*_1, \mathsf {R.Com}_1 \rangle \)

  2. 2.

     \((f_0, \{{\pi ^*}_0^{\mu :\nu } \}_{\mu ,\nu \in [M]}) \leftarrow \mathsf {C.Prv}^*_1(\mathsf {st}_{C}, \{Q_0^{\mu :\nu } \}_{\mu ,\nu \in [M]})\)

  3. 3.

     \((f_1, \{{\pi ^*}_1^{\mu :\nu } \}_{\mu ,\nu \in [M]}) \leftarrow \mathsf {C.Prv}^*_1(\mathsf {st}_{C}, \{Q_1^{\mu :\nu } \}_{\mu ,\nu \in [M]})\)

• Consistency on \(D(X^{\mu })\). The prover gives the same responses to a query in \(D(X^{\mu })\) (\(\mu \in [M]\)) in a single invocation. More concretely, for any queries \(\{Q^{\mu :\nu } \}_{\mu ,\nu \in [M]}\), any \(\alpha , \beta , \gamma , \delta \in [M]\) such that \(\exists \xi \in \{\alpha , \beta \}\cap \{\gamma , \delta \}\), and any \(q\in Q^{\alpha :\beta }\cap Q^{\gamma :\delta }\cap D(X^{\xi })\), we have \({\pi ^*}^{\alpha :\beta }(q) = {\pi ^*}^{\gamma :\delta }(q)\), where \({\pi ^*}\) is generated as follows.

  1. 1.

     \((\mathsf {st}_{C}, \mathsf {com})\leftarrow \langle \mathsf {C.Com}^*_1, \mathsf {R.Com}_1 \rangle \)

  2. 2.

     \((f, \{{\pi ^*}^{\mu :\nu } \}_{\mu ,\nu \in [M]}) \leftarrow \mathsf {C.Prv}^*_1(\mathsf {st}_{C}, \{Q^{\mu :\nu } \}_{\mu ,\nu \in [M]})\)

To show that the above definition indeed implies the aforementioned two consistency properties of \(\mathsf {p}\text {-}\mathsf {Assign}\), we need to see the details of \(\mathsf {p}\text {-}\mathsf {Assign}\). Specifically, we rely on that \(\mathsf {p}\text {-}\mathsf {Assign}\) obtains local assignments by applying a procedure called self-correction on the cheating prover. In this overview, we do not give the details of self-correction, and we just note that \(\mathsf {p}\text {-}\mathsf {Assign}\) obtains local assignments in the following manner: \(\mathsf {p}\text {-}\mathsf {Assign}\) first creates some queries \(Q^{\mu :\nu }\) for each \(\mu ,\nu \in [M]\) based on its input, next queries \(\{Q^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) to the prover, and finally obtains the local assignments based on the prover’s responses.

Now, at first sight, it seems trivial to show that the above definition of well-behaving provers implies the two consistency properties of \(\mathsf {p}\text {-}\mathsf {Assign}\). Consider, for example, showing that the above definition implies that \(\mathsf {p}\text {-}\mathsf {Assign}\) has the consistency on the initial states. Then, since \(\mathsf {p}\text {-}\mathsf {Assign}\) obtains local assignments based on the prover’s responses, and well-behaving provers are guaranteed to give unique responses to any queries on the initial states (i.e., any queries in \(D(X_{1,\mathsf {in}}^{\mu })\) (\(\mu \in [M]\))), it seems trivial to show that \(\mathsf {p}\text {-}\mathsf {Assign}\) makes unique assignments on the initial states.

However, this intuition is wrong. For example, in the case of showing the consistency on the initial states, the problem is that even when making assignments on the initial states, \(\mathsf {p}\text {-}\mathsf {Assign}\)’s queries to the prover includes those that are not in \(D(X_{1,\mathsf {in}}^{\mu })\) (\(\mu \in [M]\)), and well-behaving provers’ responses to such queries are not necessarily unique.

Fortunately, this problem can be solved relatively easily by using a technique in a previous work [HR18]. Specifically, by letting the verifier of KRR no-signaling PCP do several additional tests on the prover, we can show that it suffices to consider a modified version of \(\mathsf {p}\text {-}\mathsf {Assign}\), which obtains local assignments on the initial states (resp., the views) based solely on the prover’s responses to the queries in \(D(X_{1,\mathsf {in}}^{\mu })\) (resp., in \(D(X^{\mu })\)).¹⁶ On this modified version of \(\mathsf {p}\text {-}\mathsf {Assign}\), it is indeed easy to show that the two consistency properties of well-behaving provers imply the two consistency properties of \(\mathsf {p}\text {-}\mathsf {Assign}\) by relying on analyses given in [KRR14].

Towards formal proof. Finally, we discuss what modifications are needed to turn the above proof idea into a formal proof.

First, we need to modify the extractor so that it can open the commitment (instead of just extracting a committed value) as required in Definition 3; along the way, we also need to define the open phase of the protocol appropriately. Recall that in the above, the extractor uses the parallel local assignment generator \(\mathsf {p}\text {-}\mathsf {Assign}\) to extract a committed value. Motivated by this construction of the extractor, we follow the following overall approach: we define the open phase so that running \(\mathsf {p}\text {-}\mathsf {Assign}\) jointly with the receiver is sufficient for the committer to succeed in the open phase. To implement this approach, we rely on that, as mentioned above, \(\mathsf {p}\text {-}\mathsf {Assign}\) obtains local assignments in the following manner: \(\mathsf {p}\text {-}\mathsf {Assign}\) first creates some queries \(Q^{\mu :\nu }\) for each \(\mu ,\nu \in [M]\) based on its input, next queries \(\{Q^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) to the prover, and finally obtains the local assignments based on the prover’s responses. Given this structure of \(\mathsf {p}\text {-}\mathsf {Assign}\), we define the open phase as follows.

1. 1.

   In the first round, the receiver computes queries as in \(\mathsf {p}\text {-}\mathsf {Assign}\) and sends them to the committer.

2. 2.

   In the second round, the committer gives responses to the queries.

3. 3.

   Finally, the receiver computes the local assignments from the responses as in \(\mathsf {p}\text {-}\mathsf {Assign}\) and then uses them to extract a committed value as in the extractor.

Then, we modify the extractor so that it simply forwards the queries from the receiver to the cheating prover and next forwards the responses from the cheating prover to the receiver. Since the extracted value is computed from the output of \(\mathsf {p}\text {-}\mathsf {Assign}\) just as before (the only difference is that now \(\mathsf {p}\text {-}\mathsf {Assign}\) is executed jointly between the extractor and the receiver), we can still prove that any CNS well-behaving cheating prover cannot prove false statements on the extracted value. Furthermore, we can show that the above open phase is strong enough to guarantee a meaningful binding property. Specifically, by letting the receiver make additional queries in the open phase,¹⁷ we can prove the binding property against CNS well-behaving decommitters, which are defined similarly to CNS well-behaving provers. (The proof of the binding property proceeds essentially in the same way as we show that \(\mathsf {p}\text {-}\mathsf {Assign}\) satisfies the consistency on the initial states in the proof of the soundness against well-behaving provers, where we show that once the commit phase is completed, the assignments by \(\mathsf {p}\text {-}\mathsf {Assign}\) on the MPC initial states—which define the committed value—are unique.)

Second, we need to consider the case that \(\mathsf {p}\text {-}\mathsf {Assign}\) can err (i.e., the everywhere local consistency does not necessarily hold with probability 1). Fortunately, this case is already handled in Kalai et al. [KRR14], and we can handle it identically. (Concretely, when showing that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on every variable in the round-by-round way, we only show that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on average, i.e., instead of showing that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on any variables that correspond to, say, the start state and incoming message of a round, we only show that \(\mathsf {p}\text {-}\mathsf {Assign}\) is correct on randomly chosen \(\omega (\log \lambda )\) such variables. It is shown in [KRR14] that showing such average-case correctness is sufficient to prove the soundness.)

Third, we need to consider adaptive soundness, where the cheating prover chooses the statement to prove at the last round of the prove phase. Fortunately, adaptive soundness is already considered in previous works (e.g., [BHK17]), and we can handle it identically.

5 Overview of Step 2 (Non-WI Scheme with Soundness Against CNS Provers)

We give an overview of our non-WI commit-and-prove protocol \(\langle C_2, R_2 \rangle \), which is \((1-\mathsf {negl})\)-sound against CNS provers.

Our high-level approach is to upgrade the protocol \(\langle C_1, R_1 \rangle \) that we give in Step 1 so that the soundness holds against any (not necessarily well-behaving) CNS provers. Recall that, roughly speaking, an adversary is well-behaving if for every \(\mu \in [M]\),

1. 1.

   it does not give different responses to a query in \(D(X_{1,\mathsf {in}}^{\mu })\) in different invocations, and

2. 2.

   it does not give different responses to a query in \(D(X^{\mu })\) in a single invocation,

where \(D(X_{1,\mathsf {in}}^{\mu })\) and \(D(X^{\mu })\) are sets of queries such that in \(\langle C_1, R_1 \rangle \), the prover is supposed to create PCPs \(\{\pi ^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) such that \(\pi ^{\mu :\nu }|_{D(X_{1,\mathsf {in}}^{\mu })}\) is an encoding of \(x_{1,\mathsf {in}}^{\mu }\) and \(\pi ^{\mu :\nu }|_{D(X^{\mu })}\) is an encoding of \(\mathsf {view}^{\mu }\) for every \(\nu \in [M]\), where \(x_{1,\mathsf {in}}^{\mu }\) is the value that is fixed in the commit phase and \(\mathsf {view}^{\mu }\) is the view that is fixed in the prove phase. Naturally, we enforce this behavior on the prover by relying on collision-resistant hash functions: we require the prover to publish the roots of the tree-hash of the encodings of \(\{x_{1,\mathsf {in}}^{\mu } \}_{\mu \in [M]}\) and \(\{\mathsf {view}^{\mu } \}_{\mu \in [M]}\), and also require it to give responses along with appropriate certificates when it is queried on these values.

More concretely, we consider the following protocol (which is slightly oversimplified from the actual protocol). In the following, for a hash function \(\mathsf {hf}\), we denote by \(\mathsf {TreeHash}_{\mathsf {hf}}\) an algorithm that computes the Merkle tree-hash of the input.

• Commit Phase

  • Round 1: \(\mathsf {R.Com}_2\) sends a hash function \(\mathsf {hf}\in \mathcal {H}\) to \(\mathsf {C.Com}_2\).

  • Round 2: Given \((x_{\textsc {com}}, \mathsf {hf})\) as input, \(\mathsf {C.Com}_2\) obtains \(\{x_{1,\mathsf {in}}^{\mu } \}_{\mu \in [M]}\) by running \(\mathsf {C.Com}_1(x_{\textsc {com}})\), computes encodings \(\{X_{1,\mathsf {in}}^{\mu } \}_{\mu \in [M]}\) of them, and then outputs \(\{\mathsf {rt}_{1,\mathsf {in}}^{\mu } {:}{=} \mathsf {TreeHash}_{\mathsf {hf}}(X_{1,\mathsf {in}}^{\mu }) \}_{\mu \in [M]}\) as the commitment and store \((\mathsf {hf}, \{X_{1,\mathsf {in}}^{\mu } \}_{\mu \in [M]})\) as the internal state.

• Prove Phase

  • Round 1: \(\mathsf {R.Prv.Q}_{2}\) works identically with \(\mathsf {R.Prv.Q}_{1}\). That is, \(\mathsf {R.Prv.Q}_{2}\) obtains \(\{Q^{\mu ,\nu } \}_{\mu ,\nu \in [M]}\) just like \(\mathsf {R.Prv.Q}_{1}\) does, and outputs \(\{Q^{\mu ,\nu } \}_{\mu ,\nu \in [M]}\) as the query.

  • Round 2: Given the statement f and the query \(\{Q^{\mu ,\nu } \}_{\mu ,\nu \in [M]}\) as input, \(\mathsf {C.Prv}_2\) does the following.

    1. 1.

       Obtain \(\{\mathsf {view}^{\mu } \}_{\mu \in [M]}\) and \(\{\pi ^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) just like \(\mathsf {C.Prv}_1\) does.

    2. 2.

       Compute encodings \(\{X^{\mu } \}_{\mu \in [M]}\) of \(\{\mathsf {view}^{\mu } \}_{\mu \in [M]}\), and compute \(\{\mathsf {rt}^{\mu } {:}{=} \mathsf {TreeHash}_{\mathsf {hf}}(X^{\mu }) \}_{\mu \in [M]}\).

    3. 3.

       Augment each \(\pi ^{\mu :\nu }\) as follows.

       • Augment each symbol in \(\pi ^{\mu :\nu }|_{D(X_{1,\mathsf {in}}^{\xi })}\) (\(\xi \in \{\mu ,\nu \}\)) with a certificate for opening \(\mathsf {rt}_{1,\mathsf {in}}^{\xi }\) to it.

       • Augment each symbol in \(\pi ^{\mu :\nu }|_{D(X^{\xi })\setminus D(X_{1,\mathsf {in}}^{\xi })}\) (\(\xi \in \{\mu ,\nu \}\)) with a certificate for opening \(\mathsf {rt}^{\xi }\) to it.

    4. 4.

       Output \((\{\mathsf {rt}^{\mu } \}_{\mu \in [M]}, \{\pi ^{\mu :\nu }|_{Q^{\mu :\nu }} \}_{\mu ,\nu \in [M]})\) as the proof.

  • Verification: Given the commitment \(\{\mathsf {rt}_{1,\mathsf {in}}^{\mu } \}_{\mu \in [M]}\), the statement f, and the proof \((\{\mathsf {rt}^{\mu } \}_{\mu \in [M]}, \{{\pi ^*}^{\mu :\nu } \}_{\mu ,\nu \in [M]})\) as input, \(\mathsf {R.Prv.D}_{2}\) works identically with \(\mathsf {R.Prv.D}_{1}\) except that before the verification, each \({\pi ^*}^{\mu :\nu }\) is “filtered” as follows.

    • Replace each symbol \((x, \mathsf {cert})\) in \({\pi ^*}^{\mu :\nu }|_{D(X_{1,\mathsf {in}}^{\xi })}\) (\(\xi \in \{\mu ,\nu \}\)) with x if \(\mathsf {cert}\) is a valid certificate for opening \(\mathsf {rt}_{1,\mathsf {in}}^{\xi }\) to x, and replace it with \(\bot \) otherwise.

    • Replace each symbol \((x, \mathsf {cert})\) in \({\pi ^*}^{\mu :\nu }|_{D(X^{\xi })\setminus D(X_{1,\mathsf {in}}^{\xi })}\) (\(\xi \in \{\mu ,\nu \}\)) with x if \(\mathsf {cert}\) is a valid certificate for opening \(\mathsf {rt}^{\xi }\) to x, and replace it with \(\bot \) otherwise.

We prove the soundness of \(\langle C_2, R_2 \rangle \) by relying on the soundness of \(\langle C_1, R_1 \rangle \). Specifically, for any cheating committer-prover \(C^*_2 = (\mathsf {C.Com}^*_2, \mathsf {C.Prv}^*_2)\) against \(\langle C_2, R_2 \rangle \), we consider the following cheating committer-prover \(C^*_1 = (\mathsf {C.Com}^*_1, \mathsf {C.Prv}^*_1)\) against \(\langle C_1, R_1 \rangle \).

• Committer. \(\mathsf {C.Com}^*_1\) runs \((\mathsf {st}_{C}, \mathsf {com})\leftarrow \langle \mathsf {C.Com}^*_2, \mathsf {R.Com}_2 \rangle \) internally, sends an empty string to \(\mathsf {R.Com}_1\) as the commitment, and stores \((\mathsf {com}, \mathsf {st}_{C})\) as the internal state.

• Prover. Given \((\mathsf {com}, \mathsf {st}_{C})\) and \(\{Q^{\mu :\nu } \}_{\mu ,\nu \in [M]}\) as input, \(\mathsf {C.Prv}^*_1\) first runs \((f, \{\mathsf {rt}^{\mu } \}_{\mu \in [M]}, \{{\pi ^*}^{\mu :\nu } \}_{\mu ,\nu \in [M]}) \leftarrow \mathsf {C.Prv}^*_2(\mathsf {st}_{C}, \{Q^{\mu :\nu } \}_{\mu ,\nu \in [M]})\). Then, \(\mathsf {C.Prv}^*_1\) filters each \({\pi ^*}^{\mu :\nu }\) as in the verification of \(\langle C_2, R_2 \rangle \), and sends \((f, \{{\pi ^*}^{\mu :\nu } \}_{\mu ,\nu \in [M]})\) to \(\mathsf {R.Prv}_1\) as the proof.

It is straightforward to show that (1) \(C^*_1\) is successful if \(C^*_2\) is successful and (2) \(C^*_1\) is well-behaving CNS. (The latter follows from the the binding property of \(\mathsf {TreeHash}_{\mathsf {hf}}\).)

6 Overview of Subsequent Steps of Proof of Theorem 1

In Step 3, we upgrade the soundness to the one with negligible soundness error. Fortunately, this type of soundness amplification is already studied by Kalai et al. [KRR14] as mentioned in Sect. 3, and it suffices to apply their soundness amplification on the protocol \(\langle C_2, R_2 \rangle \) that we obtained in Step 2. Concretely, in this step, we just borrow a soundness amplification technique from [KRR14, BHK17], which amplifies soundness by letting the verifier use a smaller threshold parameter for the PCP decision algorithm (i.e., letting the verifier tolerate a smaller number of failures on the tests that it applies on the prover).

In Step 4, we upgrade the soundness to the one against any (not necessarily CNS) adversaries. Again, this type of soundness amplification is already studied by Kalai et al. [KRR14] as mentioned in Sect. 3, and it suffices to apply their soundness amplification on the protocol \(\langle C_3, R_3 \rangle \) that we obtained in Step 3. Concretely, in this step, we just borrow a transformation from [KRR14], which enforces CNS behavior on the committer by encrypting the verifier queries by PIR. (Intuitively, encrypting the verifier queries by PIR is helpful to enforce CNS behavior since it forces the prover to answer each query independently of the other queries.)

In Step 5, we add the WI property while tolerating that the soundness error increases to a constant. Toward this end, we augment the protocol \(\langle C_4, R_4 \rangle \) that we obtained in Step 4 with commitment schemes and OT by using these two primitives as in the non-succinct protocol that we sketched in Sect. 1.2. The soundness and WI of the resultant protocol \(\langle C_5, R_5 \rangle \) can be shown similarly to those of the non-succinct protocol in Sect. 1.2. That is, the soundness follows from the security of OT and the soundness of \(\langle C_4, R_4 \rangle \),¹⁸ and the WI property follows from the 2-privacy of \(\langle C_4, R_4 \rangle \), which roughly guarantees that the verifier does not learn any secret information if it only obtains one of the \(M^2\) KRR no-signaling PCP strings. (The 2-privacy of \(\langle C_4, R_4 \rangle \), in turn, follows immediately from the 2-privacy of the underlying MPC protocol \(\varPi \).)

Appendices

A On Verification Time

The verification of our protocol is not succinct since we use a simpler version of KRR succinct argument where the verifier naively evaluates a low-degree extension (LDE) of the indicator function of a 3CNF formula whose size is polynomially related to the complexity of the statement. In Kalai et al. [KRR14] and subsequent works [BHK17, HR18], the verification is made succinct by observing that when the statement to be proven satisfies some conditions, the evaluation of the LDE can be either recursively delegated to the prover succinctly or locally performed by the verifier efficiently. In our protocol, KRR succinct argument is used for proving statements that are related to the next-message function of the underlying perfect 2-privacy MPC protocol (cf. Sect. 1.2 and Sect. 4). Thus, if we can show that the above-mentioned conditions are satisfied for a specific perfect 2-privacy MPC protocol, the verification of our protocol can be made succinct.

B On Definition of Commit-and-prove Protocols

1.1 B.1 Differences from Definition in Khurana et al. [KOS18]

Our definition of commit-and-prove protocols in Sect. 2.2 has several differences from the definition in Khurana et al. [KOS18]. First, our definition has several syntactical differences.

• Instead of thinking the prove phase as a part of the commit phase, we separate the prove phase from the commit phase.

• We focus on the case that each of the prove phase and the open phase consists of two rounds.

Next, our definition is stronger than the definition of Khurana et al. [KOS18] in the following points.

• We explicitly define the soundness and witness indistinguishability in the delayed-input setting, where the statement to be proven is chosen at the last round of the prove phase.

• In the definition of the soundness, we require the extractor to decommit the commitment to a value on which any committer cannot prove false statements. (In the definition in [KOS18], the extractor just outputs such a value without decommitment, with the guarantee that any committer cannot decommit the commitment to a value other than the extracted one.) We think that requiring the extractor to decommit the commitment is important, as otherwise the definition would not prevent an attack where the committer gives an accepting proof on an invalid commitment (i.e., a commitment that cannot be opened to any value).¹⁹ (This is because even if such an attack is possible, we can still show that any committer cannot decommit the commitment to a value other than the extracted one, since an invalid commitment cannot be opened to any value.) We remark that such an attack is possible if a commit-and-prove protocol is naively executed in parallel multiple times.

Finally, our definition is weaker than the definition of Khurana et al. [KOS18] in the following points.

• In the definitions of the binding and the soundness, the extractor succeeds only on an overwhelming fraction of the executions of the commit phase, rather than on any execution of the commit phase.

• In the definition of the soundness, the extractor is allowed to depend on the success probability of the cheating committer.

1.2 B.2 Rationale Behind Our Definition

Since our definition of commit-and-prove protocols in Sect. 2.2 might look too cumbersome, we explain the rationale behind it.

First, binding and witness-indistinguishability are defined naturally, and the only complication is that we allow the open phase to be interactive in the definition of binding. To guarantee a stronger notion of binding, our definition considers an adversary that obtains two sets of receiver decommitment queries simultaneously (rather than obtain each of them separately).

Next, soundness is defined similarly to proof-of-knowledge of interactive proofs [GMR89]. A complication is that we define it so that it guarantees the adaptive delayed-input property, i.e., it holds against an adversary that chooses the statement to prove at the last round of the prove phase.²⁰ To guarantee proof-of-knowledge with the adaptive delayed-input property, our definition requires that if a cheating prover convinces the verifier for a commitment \(\mathsf {com}\) with sufficiently high probability, then there exists a value \(x^*\) such that (1) the extractor can decommit \(\mathsf {com}\) to \(x^*\) and (2) the cheating prover cannot prove false statements about \(x^*\). (We remark that the extractor is required to succeed in the decommitment of each bit of \(x^*\) with overwhelming probability so that we can obtain the whole \(x^*\) by repeatedly using the extractor.)