Batch Proofs Are Statistically Hiding

Batch proofs are proof systems that convince a verifier that x_1, …, x_t ∈ L, for some NP language L, with communication that is much shorter than sending the t witnesses. In the case of statistical soundness (where the cheating prover is unbounded but the honest prover is efficient given the witnesses), interactive batch proofs are known for UP, the class of unique-witness NP languages. In the case of computational soundness (where both honest and dishonest provers are efficient), non-interactive solutions are now known for all of NP, assuming standard lattice or group assumptions. We exhibit the first negative results regarding the existence of batch proofs and arguments:
- Statistically sound batch proofs for L imply that L has a statistically witness indistinguishable (SWI) proof, with inverse polynomial SWI error, and a non-uniform honest prover. The implication is unconditional for obtaining honest-verifier SWI or for obtaining full-fledged SWI from public-coin protocols, whereas for private-coin protocols full-fledged SWI is obtained assuming one-way functions. This poses a barrier for achieving batch proofs beyond UP (where witness indistinguishability is trivial). In particular, assuming that NP does not have SWI proofs, batch proofs for all of NP do not exist.
- Computationally sound batch proofs (a.k.a. batch arguments or BARGs) for NP, together with one-way functions, imply statistical zero-knowledge (SZK) arguments for NP with roughly the same number of rounds, an inverse polynomial zero-knowledge error, and a non-uniform honest prover. Thus, constant-round interactive BARGs from one-way functions would yield constant-round SZK arguments from one-way functions. This would be surprising, as SZK arguments are currently only known assuming constant-round statistically-hiding commitments.
We further prove new positive implications of non-interactive batch arguments to non-interactive zero-knowledge arguments (with explicit uniform prover and verifier):
- Non-interactive BARGs for NP, together with one-way functions, imply non-interactive computational zero-knowledge arguments for NP. Assuming also dual-mode commitments, the zero knowledge can be made statistical.
Both our negative and positive results stem from a new framework showing how to transform a batch protocol for a language L into an SWI protocol for L.


INTRODUCTION
Batch proofs are interactive proof-systems that enable a prover to convince a verifier that input statements x_1, …, x_t all belong to a language L ∈ NP, with communication that is much shorter than sending the witnesses. Batch proofs have been studied recently in two main threads, depending on whether the soundness property is required to hold against arbitrary cheating prover strategies, or only against computationally bounded ones.
The Statistical Setting. In the statistical setting, we require that even a computationally unbounded prover cannot convince the verifier to accept a false statement (other than with some bounded probability). On the other hand, we require that there is an efficient honest prover strategy (given the witnesses as an auxiliary input) for convincing the verifier of true statements. Such batch proof systems are known as doubly efficient (see [27] for a recent survey on doubly efficient interactive proofs).
A recent sequence of works by Reingold et al. [54–56] constructs doubly-efficient batch proofs for any language in the class UP (consisting of NP languages in which YES instances have a unique accepting witness). In particular, Rothblum and Rothblum [56] give such a protocol whose communication is polynomial in the length of a single witness and in log(t), where the polynomial depends only on the UP language. Doubly-efficient batch proofs beyond UP remain unknown, leading to a natural question [55]: Does every language L ∈ NP have a statistically sound doubly-efficient batch proof? Do there exist other subclasses of NP (beyond UP) that have such proofs?
If we waive the restriction that the honest prover is efficient, there is a simple answer to this question. Specifically, deciding whether x_1, …, x_t ∈ L can be done in space polynomial in the instance length and the witness length, plus log(t). Thus, via the IP = PSPACE theorem [48, 57], there is an interactive proof for this problem with communication polynomial in the instance length, the witness length, and log(t). However, this protocol is entirely impractical, as the honest prover runs in exponential time.
The Computational Setting. A natural relaxation of the statistical soundness condition is to only require computational soundness, which means that soundness is guaranteed only against efficient cheating provers. Such proof systems are commonly called argument systems. The seminal work of Kilian [42] gives general-purpose succinct arguments for all of NP, assuming the existence of collision-resistant hash functions (CRH). In more detail, Kilian's protocol is a four-message argument-system for any language L ∈ NP, with communication polynomial in the security parameter and logarithmic in the instance length. In particular, for any L ∈ NP, we can apply Kilian's result to the related NP language L^{⊗t} = {(x_1, …, x_t) : x_1, …, x_t ∈ L} and obtain a batch argument (BARG) for L with communication polynomial in the security parameter, in the logarithm of the instance length, and in log(t).
Kilian's protocol relies on collision-resistant hash functions (or certain relaxations thereof [9, 44]). However, it is unclear whether such hash functions are also necessary. This gives rise to the following question: What are the minimal assumptions needed for succinct arguments for NP? Can BARGs be constructed based solely on the existence of one-way functions?
We remark that it is not even clear that the existence of one-way functions is necessary for general-purpose succinct arguments for NP. The only result that we are aware of is by Wee [61], who showed that 2-message succinct arguments imply the existence of a hard-on-average search problem in NP.
The Non-Interactive (Computational) Setting. As noted above, Kilian's protocol requires four messages. Reducing the number of messages in succinct arguments is a major open question in the field. Restricting to the case of BARGs, though, we have a much better understanding due to recent breakthrough works. In particular, a sequence of works [13, 15, 16, 38, 39, 53, 60] constructs BARGs consisting of a single message, given a common reference string (equivalently, 2-message publicly verifiable arguments in the plain model), assuming specific cryptographic assumptions such as LWE or assumptions related to discrete log. This raises the question of whether one can make do with a general assumption, as in Kilian's protocol. In particular: Can non-interactive BARGs be constructed from collision-resistant hash functions?

Our Results
In this work, with the above questions in mind, we exhibit the first barriers for the existence of batch proofs and arguments. In the non-interactive setting, our results also have positive applications, giving rise to new non-interactive zero-knowledge protocols.
Our main contribution is a new transformation that compiles a batch protocol (proof or argument) Π, for verifying that x_1, …, x_t ∈ L, into a protocol Π′, for a single instance, which has a secrecy property. Specifically, we consider batch protocols Π where the communication for proving that x_1, …, x_t ∈ L is bounded by a fixed polynomial in the witness length times t raised to a power strictly less than 1, where the polynomial does not depend on t. We show that any such Π can be transformed into a protocol Π′ for a single instance satisfying statistical witness indistinguishability (SWI) against an honest verifier. Recall that a protocol for an NP relation R is SWI if, for every input x and every two witnesses w_0, w_1 with R(x, w_0) = R(x, w_1) = 1, the view of the verifier when the prover uses w_0 and when the prover uses w_1 are statistically close. We say that the protocol is honest-verifier SWI if the SWI property only holds in an honest execution of the protocol. The transformation preserves the soundness of the original protocol; namely, if Π is computationally (resp., statistically) sound then the resulting protocol Π′ is computationally (resp., statistically) sound. Π′ has one more round than Π.
The transformation does have two caveats. First, the statistical WI error is inverse polynomial and not negligible. Specifically, the statistical distance between the view of the verifier when the prover uses w_0 and when the prover uses w_1 can be set to any desired inverse-polynomial value, at the cost of increasing the communication complexity polynomially in its reciprocal. The second caveat is that the efficient honest prover strategy of Π′ is non-uniform, where the non-uniform advice depends on the specification of the protocol Π. Even given these two caveats, the transformation is a meaningful tool for deriving barriers (in terms of complexity or cryptographic assumptions) on the existence of batch proofs. On the positive side, in the setting of non-interactive protocols, we show an improved transformation that overcomes both caveats, thereby giving rise to new explicit protocols.
We next elaborate on our results in each of the settings discussed above.
A Barrier for Statistically Sound Batch Proofs. Our first application of the above transformation is in the statistical setting. Given a statistically sound batch proof, we obtain SWI against malicious verifiers, in which the SWI error is inverse polynomial. In case we start from a public-coin batch proof the result is unconditional. Otherwise, we need to assume one-way functions (or settle for honest-verifier SWI). The theorem is informally stated below. We refer the reader to Section 3 in the full version of our paper [10] for a formal statement and proof.
Theorem 1 (Informally Stated, see [10, Theorem 3.1] and [10, Corollaries 3.18 and 3.19]). Suppose that L ∈ NP has a statistically sound public-coin batch proof. Then, for any polynomial p, the language L has an SWI proof with roughly the same number of rounds, SWI error 1/p, and a non-uniform honest prover. Furthermore, for general (i.e., private-coin) statistically sound batch proofs we achieve the weaker conclusion of honest-verifier SWI, or, assuming the existence of a one-way function, malicious-verifier SWI.
It is worth pointing out that Theorem 1 is also applicable to languages in UP (for which batch proofs are known), but there the conclusion is meaningless since UP has a trivial SWI proof: just send the witness! In contrast, the existence of SWI proofs for all of NP would be surprising. In particular, there are no known languages with SWI proofs beyond UP ∪ SZK. Here SZK is the class of languages with statistical zero-knowledge proofs, and it is known not to contain NP (assuming the polynomial hierarchy does not collapse [1, 24]).
Corollary 2 (Informally Stated). Assume that the class of languages with an SWI proof (as in Theorem 1) does not contain NP. Then NP does not have statistically-sound batch proofs.
We do not take for granted the fact that NP does not have SWI proofs, and we find this to be an intriguing open question. Indeed, while we have a very deep understanding of the structure of SZK (see [58]), to the best of our knowledge, the structure of the class of languages having SWI proofs has not been explored. Theorem 1 provides concrete motivation for a similar study of the class SWI, which we leave to future work.
A Barrier for Computationally Sound Batch Proofs. Applying our framework in the computational setting, and assuming one-way functions, we are able to derive the stronger hiding property of statistical zero-knowledge. The theorem is informally stated below. We refer the reader to Section 3 in the full version of our paper [10] for a formal statement and proof.
Theorem 3 (Informally Stated, see [10, Theorem 3.1] and [10, Theorem 3.19]). Assume the existence of one-way functions. Suppose that every L ∈ NP has a BARG with some fixed number of rounds. Then, for every polynomial p, every L ∈ NP has a statistical zero-knowledge argument-system (SZKA) with roughly the same number of rounds, ZK error 1/p, and a non-uniform honest prover.
Recall that constant-round SZKA for NP are only known to exist assuming constant-round statistically-hiding commitments, which in turn are only known based on primitives that are seemingly stronger than one-way functions, such as collision-resistant hash functions (or variants thereof [7–9, 45]). In fact, there are known black-box separations between constant-round statistically-hiding commitments and one-way functions [35]. Thus, Theorem 3 can be seen as a barrier toward basing constant-round BARGs for NP on one-way functions.
In this context, a related positive result was obtained recently by Amit and Rothblum [2], who constructed constant-round succinct arguments for deterministic languages (specifically for the class NC) from one-way functions. Theorem 3 poses a barrier toward extending their result to BARGs for NP.
Explicit Proof Systems from Non-Interactive BARGs. In the context of non-interactive BARGs we are able to push the transformation further, constructing explicit (uniform) protocols with a negligible WI error. In particular, while one may still take a negative perspective and view these results as barriers on non-interactive BARGs, they can also be viewed positively, as a new route to constructing non-interactive WI (and in fact ZK) protocols.
One subtlety in applying our transformation in the non-interactive setting concerns adaptive soundness (in the interactive setting we do away with this concern by adding a round of interaction). Here we assume that the BARGs we start from satisfy a weak form of adaptive soundness called somewhere soundness, which is a relaxation of somewhere extractability [16], achieved by recent BARG constructions.
We obtain the following result. We refer the reader to Sections 4 and 5 in the full version of our paper [10] for a formal statement of the result and its proof.
Theorem 4 (Informally Stated, see [10, Corollaries 4.11 and 5.10]). Assume that NP has somewhere-sound non-interactive BARGs. Then, assuming also one-way functions, NP has non-interactive computational zero-knowledge arguments (NICZKA), with a negligible non-adaptive soundness error, a negligible zero-knowledge error, and a uniform honest prover. Assuming also the existence of dual-mode commitments, the same implication holds for statistical zero knowledge (NISZKA).
Like non-interactive BARGs, non-interactive ZK (computational or statistical) is currently only known to exist based on trapdoor permutations or specific algebraic and number-theoretic assumptions. Accordingly, one (negative) perspective on Theorem 4 is as evidence that constructing non-interactive BARGs from "relatively weak" assumptions, such as one-way functions or collision-resistant hash functions, would be difficult. From a positive perspective, a construction of non-interactive BARGs from new assumptions would yield analogous results for NICZKA.
Toward proving Theorem 4 we prove two general enhancement theorems for NISZKA that we find valuable on their own. The first is a reduction between average-case and worst-case notions of SZK, and the second is an amplification theorem that reduces the SZK error.
Remark 1.1 (Lossy Encryption from BARGs). We also observe that lossy public-key encryption follows from a variant of somewhere extractable BARGs which guarantees that it is possible to extract the specific witness that was used at some predefined index in an honest proof. This is in contrast to the standard notion of somewhere extractability, which guarantees that some witness can be extracted (even from maliciously generated accepting proofs). Furthermore, we show that the standard notion of somewhere extractable BARGs implies private information retrieval, and thus also statistically sender-private oblivious transfer and lossy public-key encryption. While perfectly-correct lossy public-key encryption would imply dual-mode commitments, the lossy public-key encryption we obtain has (negligible) decryption errors, which is not sufficient for Theorem 4. We refer the reader to [10, Appendix B] for further details.
Remark 1.2 (Hiding for Batch Protocols). All of the results listed above start with a batch protocol for a language L and derive a protocol with hiding properties (i.e., either SWI or SZK) for a single instance of L. We note that all of the results can be used to obtain similar hiding properties also for a batch protocol for L via the following simple transformation: rather than applying the basic result to L, we apply it to L^{⊗t′} for any t′ ≪ t.
Remark 1.3 (On the Possibility of Weak Batching). All of our results assume a batch protocol for t instances whose communication grows as a power of t strictly below 1 (times a polynomial in the witness length). Thus, our results are inapplicable to very weakly compressing batch protocols that have only slightly non-trivial communication, such as, say, the witness length times √t plus an additive polynomial term. Such weak batch protocols can nevertheless be quite useful (see [55]), and we leave the study of this setting as an interesting open problem.

Additional Related Works
The study of the minimal necessary communication in statistically sound interactive proofs, focusing on the prover-to-verifier communication, was initiated in [28, 31]. In particular, Goldreich et al. [31] transform interactive proofs with a single bit of communication to be SZK. We emphasize that the results in [28, 31] are inapplicable in the setting of batch proofs. For example, the main result in [28] says that proofs with short communication can be emulated in time that is exponential in the communication, but this merely indicates that the communication in batch proofs for NP needs to grow at least linearly in the witness length and logarithmically in t.
Kaslasi et al. [40, 41] consider batch verification of protocols that are a priori statistical zero-knowledge, while retaining the zero-knowledge property. The constructions of [40, 41] are not doubly-efficient, and so our results are inapplicable in their context.
Batch verification is also related to the problem of AND instance compression [25, 36]. In AND instance compression, the goal is, given t formulas, to generate in polynomial time a new formula that is satisfiable if and only if all t input formulas are satisfiable, and that is shorter than the t input formulas combined. Batch verification considers the dual problem of compressing the witnesses. We note that strong infeasibility results for AND instance compression were shown by Drucker [20]. Despite the differences, a main technical lemma used by Drucker (and a subsequent simplification by Dell [18]) is a key inspiration for our analysis. We note that this lemma has previously been used for identifying sufficient conditions for obtaining cryptographic primitives from average-case hardness [4]. A closely related lemma was established even earlier in the context of constructing an oblivious transfer protocol from any private information retrieval scheme [19].
The minimax theorem has found several applications in cryptography; see [59] for references. The work of [17] also establishes (among other results) a result of the form "succinctness implies hiding" using the minimax theorem. To be specific, they showed that for a proof system with a laconic prover, i.e., one where the communication from the prover is logarithmically many bits, [31] implies distributional computational zero knowledge. It is also worth pointing out that the usage of the minimax theorem there serves a different purpose than ours: it is used there to switch the order of quantifiers of the simulator and distinguisher, to obtain (normal) zero knowledge from weak zero knowledge.
Lastly, we mention a recent result of Kitagawa et al. [43], who show how to transform any (adaptively-secure) SNARG (a much stronger notion than non-interactive BARG, and not known based on standard assumptions) into a NICZKA, assuming one-way functions. We show a similar result from a weaker proof system (in particular, one that is known based on various standard assumptions).
Comparison with [12, 14]. In a concurrent and independent work, Champion and Wu [14] constructed computational NIZK arguments assuming non-interactive BARGs, extractable dual-mode commitments (a.k.a. lossy encryption) and sub-exponentially-secure local pseudorandom generators. In the first posting of our paper [10], which was concurrent to [14], we obtained a weaker NIZK result (compared to Theorem 4) which was technically incomparable to that in [14], since our prover was non-uniform. Since [14] builds on the result of Kitagawa et al. [43], their approach is quite different from ours.
In later revisions of the current work, subsequent to [14], we obtained the strictly stronger Theorem 4, which achieves a uniform prover and (1) computational zero-knowledge assuming only one-way functions (on top of BARGs), or (2) statistical zero-knowledge assuming (non-extractable) dual-mode commitments.
In an independent work, concurrent to the above revision, Bradley, Waters and Wu [12] obtain computational NIZK arguments assuming one-way functions and either adaptively-sound non-interactive BARGs or somewhere-sound non-interactive BARGs against sub-exponential adversaries. Adaptive soundness is a stronger requirement than somewhere soundness and in particular is not known to be satisfied by existing polynomially-secure BARG constructions, and so Theorem 4 is strictly stronger than their result. Their techniques build upon [14] and are quite different from ours.

Technical Overview
Let R be an NP relation, and let R^{⊗t} be the corresponding batch relation. We start by assuming a batch protocol for R^{⊗t} (without specifying yet whether soundness is statistical or computational). For simplicity, let us assume that R^{⊗t} has an entirely non-interactive protocol, that is, a single message sent from the prover to the verifier. We view the prover message in this case as a "compression function" f that takes as input (x_1, …, x_t, w_1, …, w_t) and outputs a short proof string that convinces the verifier.
Since f outputs a short string, of length less than the total length of the witnesses, its output cannot contain all of the witnesses. Thus, intuitively at least, a large portion of the information about the witnesses must be lost. This leads us to the following natural idea for a protocol, for a single instance of R, that has hiding properties.
P(x, w): (where x is an input and w is a corresponding witness)
(1) Choose a random index i* ∈ [t].
(2) Set (x_{i*}, w_{i*}) = (x, w), and choose the remaining instance-witness pairs (x_i, w_i) for i ≠ i* (how to do so is the crux of the construction and is discussed below).
(3) Send i*, the instances (x_1, …, x_t), and the proof string f(x_1, …, x_t, w_1, …, w_t) to the verifier.
The verifier V accepts if (1) x_{i*} = x and (2) the batch verifier accepts the input (x_1, …, x_t) with the proof. Completeness and soundness of this protocol follow immediately from the completeness and soundness of the batch protocol (notice that for soundness, it suffices that x is a NO instance for R to make (x_1, …, x_t) a NO instance for R^{⊗t}).
The key question is how to choose the instance-witness pairs in Step 2 in such a way that hides w. This choice is crucial. To see this, consider a contrived compression function whose goal is to be maximally non-hiding for some specific input x*. For example, the compression function, in addition to outputting a convincing proof, might check whether one of the inputs is equal to x*. If so, it also outputs the corresponding witness as part of the proof. Notice that this strategy is still highly compressing. While this is clearly a contrived strategy, since we seek to give a general result that compiles any batch proof, we have to consider such strategies as well.
The above contrived strategy is a major concern for SWI, as there exists a specific input, namely x*, for which the prover always reveals the witness. A natural approach to circumvent this attack is to consider a distributional notion of SWI. That is, consider some efficiently sampleable distribution D supported over triples (x, w_0, w_1), where (x, w_0), (x, w_1) ∈ R. Suppose we only want SWI to hold for random instance/witness pairs sampled from D. In such a case, P can choose each (x_i, w_i) from D independently. Now, for inputs (x, w_0, w_1) that are also generated from D, by symmetry, the function f will be unable to discover whether w_0 or w_1 was used (other than with inverse polynomial probability). Intuitively, and this can be formalized, this leads to a distributional-SWI protocol (with an SWI error that decreases polynomially with t).
While the distributional approach described above works, it is weaker than what we aim to achieve in two ways. First, it is restricted to NP languages that have a solved-instance generator (recall that if the language is also hard with respect to this distribution then the sampler is a one-way function). Second, the SWI property is distributional: it only holds with respect to instance-witness pairs sampled from D (rather than the usual worst-case guarantee).
At this point we face a problem. If we aim to get a worst-case SWI guarantee, the contrived compression function that targets some specific x* seems like a non-starter. Indeed, using f as a black box, it is hopeless to try to discover x*. Still, if we happened to know that the compression function is precisely the contrived one described above, we could fix the same x* as part of the prover P and then use x* (with corresponding random witnesses that are also hardwired) in all of the other coordinates of f. Doing so would hide the specific witness that P uses in the i*-th coordinate. But what about a general compression function f? Can we somehow fix specific instance/witness pairs that are specifically good for fooling f? Somewhat surprisingly, the answer turns out to be yes.
How to find instance-witness pairs. We prove that for every compression function f there exists a polynomial-size multiset S ⊆ R^{⊗t} (i.e., a polynomial number of instance-witness t-tuples), so that if the tuple ((x_1, w_1), …, (x_t, w_t)) used in the above protocol is sampled uniformly from S, then the resulting protocol is SWI (with an error that depends on how compressing f is).
Central to our approach is a lemma of Dell [18] (building on work by Drucker [20] and related to a result of [19]) about the information lost by compressing functions. Consider a function f that maps bit strings of some length to strictly shorter bit strings. Intuitively, as the function is compressing, it must be losing information about some of its input bits. Dell formalized this by showing that the output distribution of f, when its input bits are chosen uniformly at random, is not affected much by arbitrarily fixing the bit at a randomly chosen location. Let U be the uniform distribution over the inputs of f, and denote by U|_{i←b} the variable obtained by sampling from U and setting the i-th coordinate to b. Dell showed that, for a uniformly random coordinate i and either value of b, the output distributions f(U) and f(U|_{i←b}) are close in statistical distance. Suppose now that f is parameterized by triples (x_j, w_{j,0}, w_{j,1}), where (x_j, w_{j,0}), (x_j, w_{j,1}) ∈ R, uses its j-th input bit to select one of the two witnesses for x_j, and outputs the compression function applied to the resulting instance-witness pairs. The above lemma then says that picking a random index i ∈ [t] and fixing the witness used for x_i to be either w_{i,0} or w_{i,1} does not make much of a difference to the output distribution of f. Denoting (x_1, …, x_t) by x and (w_1, …, w_t) by w, with i ← [t] and each w_j sampled uniformly from {w_{j,0}, w_{j,1}}, this implies that the distribution of f(x, w) is statistically close to the distribution obtained when the i-th witness is fixed to w_{i,0}, and likewise when it is fixed to w_{i,1}. This is already reminiscent of witness indistinguishability, though the property here only holds for a randomly chosen instance among a set of instances. We can, in fact, use this to get the distributional version of SWI discussed above. Consider any distribution D over (x, w_0, w_1) such that (x, w_0), (x, w_1) ∈ R. Now, with (x, w_0, w_1) and all the other triples (x_j, w_{j,0}, w_{j,1}) sampled from D, the same closeness holds for the triple placed at the random index i. Note that in the protocol above, when the prover inserts the given (x, w) at location i and uses the instances and witnesses of the remaining triples in the other locations, the view of the verifier is precisely the index i, the instance vector x with x placed at position i, and the output of f on that instance vector together with the corresponding witness vector. So the above implies that the expected SWI error for the protocol, when everything is sampled as specified, is small.
In other words, for every distribution D over (x, w_0, w_1) from which the single instance is drawn, there is a distribution over tuples (namely, independent samples from D) such that, with the other coordinates populated from the latter, the expected SWI error in our protocol is small. We can view this process as a 2-player zero-sum game: the row player chooses (x, w_0, w_1) and the column player chooses a distribution over all such tuples. The payoff is the expected SWI error in our protocol. The above argument shows that for every mixed strategy D of the row player there is a strategy for the column player (specifically, sampling from D itself) for which we can bound the expected payoff. The minimax theorem now implies that there is a single distribution D′ over tuples (x, w_0, w_1) such that for every (x, w_0, w_1), if the prover uses a sample from D′ to populate the other inputs to f, the SWI error is small. Using a sparse minimax theorem [47] now implies the existence of a polynomial-sized multiset of (x, w_0, w_1)'s such that sampling from this multiset leads to almost the same SWI error. This implies the existence of the set we want, which we hard-code into the prover's algorithm as non-uniform advice.
Remark 1.4. The square-root error in our analysis is tight for some functions (e.g., if f is the majority function).
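The two quantities at the heart of the argument above, the per-coordinate leakage of a compressing function and its average over a uniformly random coordinate, can be computed exactly for small input lengths by enumeration. The following Python script is an added illustration written for this page (it is not code from the paper): for a function f from n bits to fewer bits it computes the statistical distance between f(U) and f(U|_{i←b}) for every coordinate i and bit b, and applies this to two constructed functions, the majority function from Remark 1.4 and a contrived compressor that, like the one described earlier in this overview, fully exposes one designated coordinate while still compressing. The names output_distribution, hiding_profile, majority and leak_first are this example's own.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def output_distribution(f, n, fixed=None):
    """Exact distribution of f(U) for U uniform over n bits.

    If fixed=(i, b) is given, coordinate i is forced to b before applying f,
    i.e. this returns the distribution of f(U|i<-b)."""
    counts = Counter()
    total = 0
    for x in product((0, 1), repeat=n):
        if fixed is not None and x[fixed[0]] != fixed[1]:
            continue
        counts[f(x)] += 1
        total += 1
    return {y: Fraction(c, total) for y, c in counts.items()}


def statistical_distance(p, q):
    """Total variation distance between two distributions given as dicts."""
    support = set(p) | set(q)
    return sum(abs(p.get(y, 0) - q.get(y, 0)) for y in support) / 2


def hiding_profile(f, n):
    """For every coordinate i, the worst-case (over the fixed bit b) distance
    SD(f(U), f(U|i<-b)). Returns (per-coordinate list, average over a random i),
    the average being the quantity controlled by Dell's lemma."""
    base = output_distribution(f, n)
    per_coordinate = []
    for i in range(n):
        worst = max(
            statistical_distance(base, output_distribution(f, n, (i, b)))
            for b in (0, 1)
        )
        per_coordinate.append(worst)
    return per_coordinate, sum(per_coordinate) / n


def majority(x):
    """n bits -> 1 bit; the function for which the square-root error is tight."""
    return int(2 * sum(x) > len(x))


def leak_first(x):
    """Contrived compressor (constructed for this example): n bits -> 2 bits.
    It outputs the parity of its input, a genuinely compressing statistic,
    but also copies coordinate 0 verbatim, so that coordinate is fully exposed."""
    return (x[0], sum(x) % 2)


if __name__ == "__main__":
    for n in (9, 13):
        per_i, avg = hiding_profile(majority, n)
        print(f"majority   n={n}: every coordinate leaks {per_i[0]} "
              f"(~{float(avg):.4f}, compare 1/sqrt(n)={n ** -0.5:.4f})")
        per_i, avg = hiding_profile(leak_first, n)
        print(f"leak_first n={n}: SD at coordinate 0 is {per_i[0]}, "
              f"elsewhere {max(per_i[1:])}, average over a random i is {avg}")
```

For majority every coordinate leaks the same amount (35/256 ≈ 0.137 for n = 9, 231/2048 ≈ 0.113 for n = 13), which shrinks only like 1/√n. For leak_first the picture is the opposite: at the exposed coordinate the distance is 1/2, everywhere else it is 0, so averaged over a random index it is only 1/(2n). A prover that places its real witness at a random index is therefore hiding on average for such a function, yet not for the one index an adversary cares about, which is exactly why the overview moves from a random index to instance/witness pairs selected via the minimax argument.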
Handling Multi-round Protocols.To handle multi-round protocols we follow the same basic strategy, running the underlying batch protocol using tailor-made instance/witness pairs.While we are unable to show that this approach satis es malicious-veri er SWI, we manage to show that it is honest-veri er SWI.We do so by rst extending the above analysis to 2-message protocols (i.e. a veri er message followed by a prover message).To handle protocols with more messages, we observe that when analyzing honest-veri er SWI, we can imagine that the veri er sends to the prover all of its randomness in advance and reduce back to the 2-message case.
Augmenting the Basic Result in The Interactive Setting.At this point we have a transformation from any batch protocol into an honest-veri er SWI protocol with inverse polynomial SWI error and a non-uniform prover.In the interactive setting, we improve this state of a airs as follows: (1) In the case of statistical soundness, if the batch proof is public-coin, we can rely on an information-theoretic coinipping protocol due to Goldreich et al. [30] which leads to malicious-veri er SWI. 8 For the case of private-coin protocols, following an approach of [5,50,52], we show that assuming the existence of a one-way function, we can transform any honest-veri er SWI protocol to be maliciousveri er SWI.We emphasize that despite the usage of a oneway function, both soundness and hiding properties are statistical.
(2) In the case of computational soundness, assuming the existence of a one-way function, we can rely on the celebrated "FLS trick" of Feige et al. [21] to bootstrap the honest-veri er SWI argument to an honest-veri er SZK argument. 9Then, using the [29] compiler from honestveri er to malicious veri er we obtain a full-edged malicious veri er zero-knowledge argument (using the [22] constant-round private-coin argument-system as the underlying zero-knowledge proof).
Explicit Proof Systems in the Non-Interactive Setting.We now discuss our results in the non-interactive setting, where we are able to construct new explicit proof systems from BARGs.Recall that here we provide a computational ZK system based on oneway functions, or a statistical ZK system based on dual-mode commitments.We start by addressing a challenge common to both, then we address the techniques required for each of the proof systems.
Somewhere Soundness.In the non-interactive setting, the prover sends a single message that depends on the common random string (CRS).While in the interactive setting, our transformation required that the prover sends its choice of ( 1 , . . ., ) before starting the batch protocol, now these have to be chosen after the CRS is generated, which may foil soundness.One obvious solution is to rely on adaptively-sound BARGs.However, that is a rather strong requirement that is not met by existing non-interactive BARGs (in fact, adaptively-sound BARGs of knowledge would already imply full-edged succinct non-interactive arguments [13]).Instead, we use the notion of somewhere soundness, which is a relaxation of the somewhere extractability notion that is satis ed by all existing non-interactive BARGs.Somewhere soundness requires that the CRS can be programmed with a speci c index , so that adaptive soundness is guaranteed only with respect to the instance , furthermore the programmed CRS is indistinguishable from a normal one.This notion is already su cient to obtain soundness of the resulting non-interactive SWI (in the CRS model).
Given the above, we can already apply a similar minmax argument to the one used before, and obtain a non-interactive system with a non-uniform prover and inverse polynomial WI error. We next explain how we avoid both caveats. We start with the construction of the second (statistical ZK) system based on lossy encryption, as it is simpler to describe and already contains most of the machinery needed.
From Distributional ZK to Worst-Case ZK, Uniformly. Our starting point is the distributional SWI protocol we obtain from the basic transformation. Indeed, for efficiently uniformly samplable instance-witness distributions, this protocol is uniform. Before, to enhance the distributional SWI requirement to a worst-case SWI requirement, we invoked the minmax theorem, which led to non-uniformity. Now, we take a different route: we show a general transformation from the distributional setting to the worst-case setting that, assuming lossy encryption, preserves statistical security. It will be easier to describe the transformation (as well as the next one) for SZK rather than SWI; this is w.l.o.g., as the gap between the two can be bridged using one-way functions via the well-known FLS trick [21].
The distributional-to-worst-case transformation is inspired by local-to-global transformations from the zero-knowledge literature, such as reducing general ZK to ZK for fixed-length statements (c.f. [26, Section 4.10]) or the NIZK of [34]. Specifically, in the constructed (worst-case) NIZK, the prover commits to all the wires of the NP verification circuit, and proves local consistency of each gate using distributional NISZKA. Specifically, for each gate, we consider the distribution of random commitments of random wire values satisfying the gate. While the prover actually uses a specific (worst-case) wire assignment for the gate, this only skews the distribution by a constant factor, since a gate has only a constant number of satisfying wire assignments, so the prover's fixed assignment is one of constantly many equally likely ones. As the commitment, we use dual-mode commitments, where for computationally indistinguishable common reference strings we get either statistical hiding or statistical binding. The actual proof system uses the statistically-hiding mode, and accordingly preserves statistical ZK. In the soundness analysis, we use the binding mode.
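The wire-commitment decomposition above, as an added illustration that is not the paper's construction: the global statement "the verification circuit accepts" is split into one local statement per gate, each ranging over the constant-size set of wire triples that satisfy that gate. The commitment is a plain SHA-256 hash commitment standing in for the paper's dual-mode commitments (so it is only computationally hiding and binding), the per-gate distributional NISZKA is replaced by the prover simply opening the three commitments of each gate, and the circuit and inputs are constructed for the example.

```python
"""Committing to every wire of an NP verification circuit and reducing the
global statement to one local statement per gate (the local-to-global step).
Added example, not the paper's construction: a SHA-256 hash commitment
stands in for dual-mode / instance-dependent commitments, and the per-gate
proof is replaced by opening the gate's three commitments."""
import hashlib
import os
from typing import Dict, List, Optional, Set, Tuple

# A gate is (output wire, op, input wire a, input wire b); b is "" for NOT.
Gate = Tuple[str, str, str, str]

OPS = {
    "AND": lambda a, b: a & b,
    "OR":  lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "NOT": lambda a, _b: 1 - a,
}

# Constructed sample circuit: out = (x1 AND x2) OR (NOT x3).
CIRCUIT: List[Gate] = [
    ("g1", "AND", "x1", "x2"),
    ("g2", "NOT", "x3", ""),
    ("out", "OR", "g1", "g2"),
]


def commit(bit: int, rand: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Toy hash commitment to one bit: C = H(r || bit), opening (bit, r)."""
    rand = os.urandom(16) if rand is None else rand
    return hashlib.sha256(rand + bytes([bit])).digest(), rand


def evaluate(circuit: List[Gate], inputs: Dict[str, int]) -> Dict[str, int]:
    """Honest prover: derive every wire value from the inputs (the witness)."""
    wires = dict(inputs)
    for out, op, a, b in circuit:
        wires[out] = OPS[op](wires[a], wires[b] if b else 0)
    return wires


def commit_wires(wires: Dict[str, int]):
    """Commit to each wire independently with fresh randomness."""
    comms: Dict[str, bytes] = {}
    opens: Dict[str, Tuple[int, bytes]] = {}
    for name, bit in wires.items():
        comms[name], r = commit(bit)
        opens[name] = (bit, r)
    return comms, opens


def satisfying_assignments(op: str) -> Set[Tuple[int, int, int]]:
    """All (a, b, out) triples consistent with the gate: the constant-size
    domain the gate's local statement ranges over (b is fixed to 0 for NOT)."""
    if op == "NOT":
        return {(a, 0, OPS[op](a, 0)) for a in (0, 1)}
    return {(a, b, OPS[op](a, b)) for a in (0, 1) for b in (0, 1)}


def worst_case_skew(op: str) -> int:
    """The honest prover's fixed triple is one of |sat(op)| equally likely
    triples under the random-satisfying-assignment distribution, so the real
    distribution is dominated by the random one up to this constant factor."""
    return len(satisfying_assignments(op))


def local_statements(circuit: List[Gate], comms: Dict[str, bytes]):
    """Statements handed to the per-gate proof: (op, C_a, C_b, C_out)."""
    return [(op, comms[a], comms[b] if b else None, comms[out])
            for out, op, a, b in circuit]


def check_gate(op, a, b, out, comms, opens) -> bool:
    """Verifier's local check: openings match the commitments and the opened
    triple lies in the gate's satisfying set."""
    for name in (a, b, out):
        if name:
            bit, r = opens[name]
            if commit(bit, r)[0] != comms[name]:
                return False
    triple = (opens[a][0], opens[b][0] if b else 0, opens[out][0])
    return triple in satisfying_assignments(op)


def verify(circuit, comms, opens, output_wire="out") -> bool:
    """Global acceptance: every local gate check passes and the output wire
    opens to 1 under its commitment."""
    if not all(check_gate(op, a, b, out, comms, opens) for out, op, a, b in circuit):
        return False
    bit, r = opens[output_wire]
    return bit == 1 and commit(bit, r)[0] == comms[output_wire]
```

The point to notice is that `satisfying_assignments` has size at most 4 for any binary gate, which is exactly why using the prover's actual assignment instead of a random satisfying one changes the distribution of each local statement by only a constant factor; with the hash commitment replaced by a dual-mode commitment, binding mode gives the soundness argument and hiding mode keeps the per-gate statements statistically independent of the witness.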
Reducing the SWI Error. Recall that our distributional SWI system has an inverse polynomial WI error, and accordingly so does the worst-case SZK system resulting from the last transformation. We prove a statistical amplification theorem that enables us to reduce this error. Previously, an amplification theorem was shown in the computational setting by [33] (assuming subexponential public-key encryption). The statistical transformation we show follows a similar blueprint to the computational one: we construct a combiner based on MPC-in-the-head (in our case, an information-theoretic one, such as [6]). The analysis in the statistical setting is different. We show, based on a coupling proof similar to the one in [46], that the combiner is in fact also an amplifier. This transformation too uses dual-mode commitments as a building block.
Computational Zero Knowledge from One-Way Functions. The only assumption used in the above transformations (on top of BARGs) is dual-mode commitments. The first question that comes to mind is whether the dual-mode commitments can be replaced with plain statistically-hiding commitments (which can be constructed, for instance, based on collision-resistant hashing). However, this turns out to be insufficient for soundness. If we instead replace the dual-mode commitment with a plain statistically-binding commitment (which can be constructed from one-way functions), then soundness can be proven. Since such commitments are only computationally hiding, we can no longer hope for statistical ZK of the final scheme, but one could hope to achieve computational ZK. However, while we are able to prove that the distributional-to-worst-case ZK transformation also works in the computational setting, we are unable to do the same for the second transformation, which reduces the SWI error to negligible. Also, we wish to avoid the computational amplification of [33], which additionally requires sub-exponential public-key encryption.
We overcome this difficulty using the notion of computationally instance-dependent commitments (CIDC) [23]. Such commitments are parameterized by an instance of a given NP language L. When ∉ L they guarantee statistical binding. When ∈ L, there is a way to generate fake commitments that are perfectly hiding. Specifically, given any witness for , it is possible to efficiently generate a fake commitment and opening ( , ) for message such that , are computationally indistinguishable from a real commitment to with its decommitment , . Such commitments are known to exist for all of NP assuming one-way functions [23]. We replace the commitments in the previous two transformations with CIDC depending on an NP language L′. This essentially allows us to construct an L′-dependent NIZK for proving membership in any NP language L. Here soundness is guaranteed when the system is parameterized by ∉ L′, and computational ZK is guaranteed when ∈ L′. Indeed, when ∉ L′, the corresponding commitments are statistically binding, as required for soundness. When ′ ∈ L′, we can switch (in the analysis) to a computationally-indistinguishable world where the commitments are statistically hiding, and where accordingly the previously described transformations go through. To obtain our final proof system we choose L′ to be the same NP language L for which we prove membership.
Remark 1.5 (On Using the Above in the Interactive Setting). A natural question is whether we can use similar transformations as above to also achieve uniform protocols in the interactive setting. While the answer is generally "yes", the resulting interactive protocols are not as interesting, as they are subsumed by known results. In particular, constant-round computational ZK is already known from one-way functions [21], and constant-round statistical ZK is already known from statistically-hiding commitments (c.f. [11]), which in turn follow from lossy encryption.
Neither the European Union nor the granting authority can be held responsible for them.
Prashant Nalini Vasudevan is supported by the National Research Foundation, Singapore, under its NRF Fellowship programme, award no. NRF-NRFF14-2022-0010.