Teatro y Discapacidad

We provide a transformation that compiles any 2-message WZK protocol against explainable verifiers with soundness against quasipolynomial provers (like the one from Section3.2) into one against malicious verifiers.

Ingredients and notation:

• A 2-message WI argument for NPwith delayed input with a quasipolynomial witness extractor hWI.P,(WI.V1,WI.V2)i. We denote its messages by(wi1,wi2).

• A conditional disclosure of secrets scheme(CDS.R,CDS.S,CDS.D)forNP, with receiver simu- lation security against quasi-polynomial time senders.

• A 2-message argument system hP,Vi for an NP language L that is WZK against explainable verifiers and sound against quasipolynomial provers. We denote its messages by(arg₁,arg₂). We describe the protocol in Figure4.

Analysis. We now analyze the transformation. Proposition 5.3. Protocol4is sound.

Proof. To prove soundness, we transform any cheating prover _P¯∗ _{against Protocol 4 into a quasi-} polynomial cheating proverP∗against the original protocolhP,Vi. We describeP∗.

P∗_λ:

• Obtain the first messagearg₁ from the verifierV.

• Simulate the CDS receiver first messagectR = CDS.Sim(Ψ), relative to the statementΨ(arg1) attesting thatarg₁is honest.

• Sample a first WI messagewi1, feed(wi1,arg1,ctR)toP¯∗λ, and obtain(ctS,wi2).

• Apply the quasipolynomial witness extractorarg₂ ←E(Φ,wi1,wi2)for the statementΦ(x,arg1,ctS,ctR).

• Send the extractedarg₂toV.

Prover analysis. Fix any polynomial-size prover P¯∗ = {P¯∗_λ}_λ. First note that the corresponding new proverP∗ runs in quasipolynomial time. We show that for anyx6∈ L, ifP¯∗_λconvincesV¯ to accept with

noticeable probabilityε(λ), the new proverP∗_λ convincesVto accept with probabilityε−λ−ω(1). First, we consider a hybrid experiment where the prover strategyeP∗is identical to that ofP∗, except that instead of sampling a simulated CDS receiver message ctR ← CDS.Sim(Ψ) for the statement

Ψ(arg₁),Pe∗obtains externally a CDS messagect_R ← CDS.R(Ψ, r)corresponding to the randomness used byVto samplearg₁. (eP∗then usesct_RlikeP∗).

Claim 5.2. Pe∗convincesVwith the same probability asP∗does, up to a negligible difference.

Proof. Otherwise, we can useeP∗to construct a quasipolynomial distinguisherDthat breaks the receiver simulation property. Dλ emulates an interaction betweenPe∗_λ andV. It then submitsΨ(arg₁) andr to a challenger, wherearg₁is the message generated byV∗using randomnessr. It receives backctR, and

completes the emulation. It is left to note that ifctR ←CDS.Sim(Ψ), then the view ofVis distributed

as in an interaction withP∗_λ, whereas ifctR ←CDS.S(Ψ, r), the view is distributed as in an interaction

Protocol4

Common Input: an instancex∈ L ∩ {0,1}λ_{, for security parameterλ.}

¯

P’s auxiliary input: a witnessw∈ RL(x). 1. _V¯ _computes

• (wi1, τV)←WI.V1(1λ), the first WI message.

• arg₁, the verifier message in the original protocolhP,Vi(x). It stores the randomnessr used by the verier to generate the message.

• (ctR,k)← CDS.R(Ψ, r), a CDS receiver message for the statementΨ(arg1)attesting thatarg₁was computed according to the honest verifierV, usingras the witness. It sends(wi1,arg1,ctR).

2. _P¯ _computes

• arg₂, the prover message in the original protocolhP,Vi.

• ctS ←CDS.S(Ψ,arg2,ctR), a CDS sender message encryptingarg2. • wi2 ←WI.P(Φ,arg2,wi1), the second WI message for the statement

Φ(x,Ψ,ctS,ctR) := ∃arg : ctS ∈CDS.S(Ψ,arg,ctR)

_

x∈ L . It sends(ctS,wi2).

3. _V¯ _then

• RunsWI.V2(Φ,wi1,wi2;τV)to verify the WI argument for the statementΦ.

• Decryptsargf2 ←CDS.Dk(ctS).

• Verifies the original argument(arg₁,arg_f2).

Figure 4: A WZK argumenthP¯,V¯iforNPagainst malicious verifiers.

From hereon we focus on proving thateP∗convincesVof accepting with probabilityε−λ−ω(1). Let arg₁be the message received fromV, letctSbe sender encryption emulated byPe∗_λ, letarg₂be the prover message thateP∗_λ extracts fromP¯∗_λ, and letarg_f2 =CDS.D_k(ct_S)be the decrypted message with respect to the secret keykproduced when generating the receiver messagectR. Also let(wi1,wi2) be the WI argument for the statementΦ(x,Ψ,ctR,ctS)generated byP¯∗_λduring its emulation byeP∗_λ.

Claim 5.3. With probability at leastε−λ−ω(1),

1. Vaccepts(arg₁,arg_f2).

2. argf2 =arg2.

This implies that that eP∗, who sends arg₂, convinces V with probability at least ε−λ−ω(1), as required and would complete the proof.

Proof of Claim5.3. By construction, an interaction betweeneP∗andVperfectly emulates an interaction between_P¯∗ _{and V¯. In such an interaction the verifierV¯ both accepts the WI argument (wi1,wi2)for}

Φ(x,Ψ,ctR,ctS)and accepts the underlying(arg1,argf2). Sincex /∈ L, it follows by the extraction guar- antee, that except with negligible probabilityλ−ω(1)_,ct

Sis a valid CDS encryption ofarg2. Furthermore, by CDS correctness, it holds thatargf2 =CDS.Dk(ctS) =arg2.

This completes the proof of sounenss.

Proposition 5.4. Protocol4is weak zero-knowledge against malicious verifiers.

Proof. We describe a simulator¯_{S. Throughout, we assume w.l.o.g that the simulated verifierV}¯∗_=¯ V∗_{λ λ}

is deterministic and always outputs the prover message it receives (Remark2.4). ¯

S(x,V¯∗_λ,D¯λ,11/ε):

• Obtain(wi1,arg1,ctR)fromV¯∗λ.

• Construct a new verifierV∗_λthat sendsarg₁as its first message, and givenarg₂fromP, outputs it.

• Construct a new distinguisherDλthat givenarg2 fromP:

– SamplesctS←CDS.S(Ψ,arg2,ctR), an encryption ofarg2underΨ(arg1).

– Sampleswi2 ←WI.P(Φ,(arg2, rcds),wi1), a second WI message for the statementΦ(x,Ψ,ctR,ctS),

using as the witness the messagearg₂and randomnessrcdsused for generatingctS.

– RunsD¯λ(ctS,wi2). • Obtainargf2 ←S(x,V

∗

λ,Dλ,11/ε), whereSis the simulator for the protocolhP,Vi.

• Compute a CDS encryptioncteS←CDS.S(Ψ,argf2,ctR).

• Compute a second WI messagewie₂ ←WI.P(Φ,(arg_f2,r˜_cds),wi1), using as the witness the message f

arg₂ and randomnessr˜cdsused for generatingcteS.

• Output(cteS,wie2).

Simulator analysis. The simulatorS¯clearly runs in polynomial time. We now prove its validity.

Assume toward contradiction that there exist polynomial-size distinguisher_D¯ _=¯

Dλ _λand verifier

¯

V∗ = _¯

V∗_{λ λ} that for infinitely many x ∈ L and w ∈ RL(x) distinguishes ¯S(x,V¯∗_λ,D¯λ,11/ε) from

OUT_V¯∗

λh

¯

P∗(w),V¯∗_λi(x)with advantageε(λ) +δ(λ)for noticeableε, δ. We consider two cases.

Case 1: There exists a setH of infinitely manyx as above such that the verifier’s messagearg₁ is in

the support of the honest verifier’s messages. We show that this contradicts WZK against explainable verifiers.

By the WZK guarantee ofhP,Viagainst explainable verifiers, there exists a negligible µ(λ)such that for anyx∈H∩ {0,1}λ_,

Dλ(OUTV∗_λhP(w),V∗λi(x))≈ε+λ−ω(1) D_λ(S(x,V∗_λ,D_λ,11/ε)) .

Furthermore, by the definition of_S¯_{,D, for any suchx,}

Dλ(S(x,Vλ∗,Dλ,11/ε))≡D¯λ(¯S(x,V¯λ∗,D¯λ,11/ε)) .

Finally, by the definition ofD,V∗,P, for any suchx, ¯

Dλ(OUT_V¯∗

λh

¯

It follows that for anyx∈H∩ {0,1}λ_, OUT_V¯∗ λh ¯ P(w),V¯∗_λi(x)≈¯_D λ,ε+λ−ω(1) ¯ S(x,V¯_λ∗,D¯λ,11/ε) .

This disproves Case 1.

Case 2: There exists a set M of infinitely many x as above such that the verifier’s message arg₁ is

malicious (not in the support of the honest verifier’s messages). We show how to use_V¯∗_{, ,to break} the CDS message hiding. First we consider an alternative simulator0 _{that has the witnessw ∈ RL(x)} hardwired. It computeswif2in the simulation using the witnesswinstead of using as the witnessargg2,˜rcds. Similarly, we consider an alternative prover_P¯0_{, which computes its own messagewi}

2usingwinstead of arg₂ andrcds. By witness indistinguishability:

OUT_V¯∗ λh ¯ P0(w),V¯∗_λi(x)≈_D¯_λ,λ−ω(1) OUT_V¯∗ λh ¯ P(w),V¯∗_λi(x) ¯ S0(x,V¯∗_λ,D¯λ,11/ε)≈¯Dλ,λ−ω(1) ¯ S(x,V¯∗_λ,D¯λ,11/ε) .

Thus_D¯_{distinguishes the view(CDS.S(Ψ,} f

arg₂,ctR)),wie₂(w)generated by¯S0from(CDS.S(Ψ,arg₂,ct_R)),wi₂(w) generated byP0with advantageε+δ−λ−ω(1)_{. However, since the verfier’s message is maliciousΨ(arg}

1) is false. Thus in this case we obtain a distinguisher against the CDS message hiding.

This completes the proof of the proposition.