
1 Introduction

Zero-knowledge (\(\mathrm {ZK}\)) proofs and arguments are protocols that enable the prover to convince the verifier of the correctness of a mathematical statement while providing zero additional knowledge. This “zero additional knowledge” property is formalized by using the simulation paradigm: An interactive proof or argument is said to be zero-knowledge if for any adversarial verifier there exists a simulator that can output a simulated view of the adversary. In the original definition of the \(\mathrm {ZK}\) property, the adversary interacts with a single prover at a time. Thus, the original definition guarantees the \(\mathrm {ZK}\) property in the stand-alone setting.

Non-malleable zero-knowledge (\(\mathrm {NMZK}\)) [6] and concurrent zero-knowledge (\(\mathrm {CZK}\)) [7] are security notions that guarantee the \(\mathrm {ZK}\) property in the concurrent setting. Specifically, \(\mathrm {NMZK}\) guarantees the \(\mathrm {ZK}\) property in the setting where the adversary concurrently interacts with an honest prover in the left session and an honest verifier in the right session, and \(\mathrm {CZK}\) guarantees the \(\mathrm {ZK}\) property in the setting where the adversary concurrently interacts with an unbounded number of honest provers.

As a security notion that implies both \(\mathrm {NMZK}\) and \(\mathrm {CZK}\), Barak et al. [1] proposed concurrent non-malleable zero-knowledge (\(\mathrm {CNMZK}\)). \(\mathrm {CNMZK}\) guarantees the \(\mathrm {ZK}\) property in the setting where the adversary concurrently interacts with many provers in the left sessions and many verifiers in the right sessions. In particular, it guarantees that receiving proofs in the left session does not help the adversary to give proofs in the right sessions—that is, it guarantees that if the adversary can prove some statements in the right sessions while receiving proofs in the left sessions, the adversary could prove the same statements even without receiving proofs in the left sessions. In the definition of \(\mathrm {CNMZK}\), this guarantee is formalized as the existence of a simulator-extractor that can simulate the adversary’s view in the left and right sessions while extracting witnesses from the adversary in the simulated right sessions.

The first \(\mathrm {CNMZK}\) argument was constructed by Barak et al. [1]. Subsequently, a computationally efficient construction was shown by Ostrovsky et al. [21]. The first \(\mathrm {CNMZK}\) proof was constructed by Lin et al. [16], and a variant of their protocol was shown to be secure with adaptively chosen inputs by Lin and Pass [14]. Additionally, a \(\mathrm {CNMZK}\) argument that is secure with “fully” adaptively chosen inputs was recently constructed by Venkitasubramaniam [26].

Very recently, Orlandi et al. [20] constructed the first statistical \(\mathrm {CNMZK}\) argument—that is, a \(\mathrm {CNMZK}\) argument such that the view simulated by the simulator-extractor is statistically indistinguishable from the adversary’s view. Statistical \(\mathrm {CNMZK}\) is clearly of great interest since it guarantees quite strong security in the concurrent setting. However, statistical \(\mathrm {CNMZK}\) is hard to achieve, and the existing techniques of computational \(\mathrm {CNMZK}\) protocols seem to be insufficient for constructing statistical \(\mathrm {CNMZK}\) protocols (see Sect. 2.1).

On statistical \(\mathrm {CNMZK}\) protocols, an important open question is what hardness assumption is needed for constructing them. The statistical \(\mathrm {CNMZK}\) argument of Orlandi et al. [20] was constructed under the DDH assumption (or the existence of dense cryptosystems). Thus, it is already known that statistical \(\mathrm {CNMZK}\) protocols can be constructed under standard assumptions. However, since it is known that the existence of one-way functions is sufficient for constructing both statistical \(\mathrm {ZK}\) protocols and computational \(\mathrm {CNMZK}\) protocols [1, 10], it is important to study the following question.

Can we construct statistical concurrent non-malleable zero-knowledge protocols by assuming only the existence of one-way functions?

1.1 Our Result

In this paper, we answer the above question affirmatively.

Theorem 1

Assume the existence of one-way functions. Then, there exists a statistical concurrent non-malleable zero-knowledge argument for \(\mathcal {NP}\) with round complexity \(\mathsf {poly}(n)\). Furthermore, if there exists a family of collision-resistant hash functions, the round complexity can be reduced to \(\omega (\log n)\).

The round complexity of our statistical \(\mathrm {CNMZK}\) argument—\(\mathsf {poly}(n)\) rounds when only the existence of one-way functions is assumed and \(\omega (\log n)\) rounds when the existence of a family of collision-resistant hash functions is assumed—is the same as the round complexity of the known statistical \(\mathrm {CZK}\) arguments [9]. Thus, our result closes the gap between statistical \(\mathrm {CNMZK}\) arguments and statistical \(\mathrm {CZK}\) arguments. Furthermore, since the security of our statistical \(\mathrm {CNMZK}\) protocol is proven via black-box simulation, the logarithmic round complexity of our hash-function-based protocol is essentially tight due to the lower bound on black-box \(\mathrm {CZK}\) protocols [3].

2 Techniques

2.1 Previous Techniques

Before explaining our technique, we explain the difficulty of constructing statistical \(\mathrm {CNMZK}\) protocols by using the techniques of existing computational \(\mathrm {CNMZK}\) protocols [1, 16].

We first recall the protocols of [1, 16]. The definition of \(\mathrm {CNMZK}\) requires the existence of a simulator-extractor that simulates the adversary’s view while extracting the witnesses for the statements proven by the adversary in the simulated view. To satisfy this definition, protocols need to satisfy the following properties: (i) the proofs in the left sessions can be simulated for the adversary; (ii) even when the adversary receives simulated proofs in the left sessions, the witnesses can be extracted from the adversary in the right sessions. In the protocol of [1, 16], the simulatability of the left sessions is guaranteed by requiring the verifier to commit to a random trapdoor by using a concurrently extractable commitment scheme \(\mathsf {CECom}\) [17]. Since the committed values of \(\mathsf {CECom}\) can be extracted by a rewinding extractor even in the concurrent setting, the proofs in the left sessions can be simulated by extracting the trapdoors from \(\mathsf {CECom}\). On the other hand, the witness-extractability of the right sessions is guaranteed by requiring the prover to commit to the witness with a non-malleable commitment scheme \(\mathsf {NMCom}\) [6] and additionally designing the protocols so that the following hold.

  1. When the adversary receives honest proofs in the left sessions, the committed value of the \(\mathsf {NMCom}\) commitment is indeed a valid witness in every accepted right session.

  2. When the proofs in the left sessions are switched to the simulated ones, the committed values of the \(\mathsf {NMCom}\) commitments do not change in the right sessions due to the non-malleability of \(\mathsf {NMCom}\).

It follows from these that even when the adversary receives simulated proofs in the left sessions, the committed value of the \(\mathsf {NMCom}\) commitment is a witness for the statement in every accepted right session. Therefore, the witnesses can be extracted in the right sessions by extracting the committed values of the \(\mathsf {NMCom}\) commitments.

As mentioned above, the techniques of [1, 16] alone seem to be insufficient for constructing statistical \(\mathrm {CNMZK}\) protocols. This is because the techniques of [1, 16] require the prover to commit to the witness by using \(\mathsf {NMCom}\), which is only computationally hiding. [Footnote 1] Since in the simulation the committed values of \(\mathsf {NMCom}\) need to be switched to other values (e.g., \(0^{n}\)) in the left sessions, the simulated view can be only computationally indistinguishable from the real view.

Recently, Orlandi et al. [20] constructed a statistical \(\mathrm {CNMZK}\) protocol by modifying the \(\mathrm {CNMZK}\) protocol of [1] with a mixed non-malleable commitment scheme \(\mathsf {MXNMCom}\). \(\mathsf {MXNMCom}\) is parametrized by a string and is either statistically hiding or non-malleable depending on the string. [Footnote 2] Very roughly speaking, Orlandi et al. circumvent the above problem by switching the parameter string of \(\mathsf {MXNMCom}\) in the security proof—when proving the statistical indistinguishability of the simulation, the string is set so that \(\mathsf {MXNMCom}\) is statistically hiding, and when proving the non-malleability, the string is set so that \(\mathsf {MXNMCom}\) is non-malleable. The use of \(\mathsf {MXNMCom}\), however, requires assumptions that are stronger than the existence of one-way functions (such as the DDH assumption or the existence of dense cryptosystems). Thus, the technique of Orlandi et al. cannot be used to construct statistical \(\mathrm {CNMZK}\) protocols from one-way functions.

2.2 Our Technique

Since the techniques of [1, 16] cannot be used for statistical \(\mathrm {CNMZK}\) protocols because the committed values of \(\mathsf {NMCom}\) need to be switched during the simulation, one potential strategy for statistical \(\mathrm {CNMZK}\) is to construct a protocol such that the adversary’s view can be simulated without switching the committed value of \(\mathsf {NMCom}\) (or of any other computationally hiding commitment). However, when the simulator commits to the same value in \(\mathsf {NMCom}\) as an honest prover, it is not clear how the non-malleability of \(\mathsf {NMCom}\) can be used in the security proof. Below, we show that the \(\mathrm {CNMZK}\) property can be shown even in this case if we use a stronger variant of \(\mathsf {NMCom}\).

A key technical tool in our technique is CCA-secure commitment schemes [4], which are a stronger variant of (concurrent) non-malleable commitment schemes. Roughly speaking, CCA security guarantees that the scheme is hiding even against adversaries that have access to the committed-value oracle, which receives concurrent commitments from the adversary and returns their committed values to the adversary. (In non-malleability, the oracle receives only parallel commitments from the adversary and returns the committed values only after the adversary finishes the interaction with the committer.) Several CCA-secure commitment schemes were constructed from one-way functions [4, 8, 12, 15]; furthermore, although CCA security itself does not provide any extractability, all of these schemes satisfy concurrent extractability as well.

Using CCA-secure commitment schemes, we construct the following protocol as a starting point.

  • Stage 1. (V commits to trapdoor)

    1. The verifier V chooses random \(r_V\in \{0,1 \}^{n}\) and commits to \(r_V\) by using a statistically binding commitment scheme \(\mathsf {Com}\), which can be constructed from one-way functions [11, 18]. Let \((r_V, d)\) be the decommitment.

    2. V commits to \((r_V, d)\) by using \(\mathsf {CCA}\text {-}\mathsf {CECom}\), where \(\mathsf {CCA}\text {-}\mathsf {CECom}\) is a CCA-secure commitment scheme that is also concurrently extractable [4, 8, 12, 15].

  • Stage 2. (P proves \(x \in L\) or knowledge of trapdoor) The prover P proves that it knows a witness for \(x \in L\) or a valid decommitment \((r_V, d)\) of the \(\mathsf {Com}\) commitment that V gives in Stage 1. P proves this statement by using a statistical witness-indistinguishable argument of knowledge \(\mathsf {sWIAOK}\), which can be constructed from one-way functions by instantiating Blum’s Hamiltonian-cycle protocol with the statistically hiding commitment scheme of [10].

In this protocol, the verifier’s view can be statistically simulated by a simulator that extracts \((r_V, d)\) from \(\mathsf {CCA}\text {-}\mathsf {CECom}\) and uses it as a witness in \(\mathsf {sWIAOK}\). (Note that this simulator executes Stage 1 honestly; thus, even if computationally hiding commitment schemes are used as building blocks in \(\mathsf {CCA}\text {-}\mathsf {CECom}\), the simulator commits to the same values by using them as an honest prover.) Also, intuitively this protocol seems to be \(\mathrm {CNMZK}\) for the following reason.

  • The CCA security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) guarantees that the trapdoors of the right sessions are hidden from the adversary even when the trapdoors of the left sessions are extracted and returned to the adversary.

  • Then, since the simulated proofs are generated in the left sessions by extracting the trapdoors, the trapdoors in the right sessions are hidden from the adversary even when the adversary receives simulated proofs in the left sessions.

  • Thus, even when the adversary receives the simulated proofs in the left sessions, the adversary cannot “cheat” in the right sessions, and therefore witnesses for the statements must be extractable from \(\mathsf {sWIAOK}\) in the right sessions.

Of course, to formally show the statistical \(\mathrm {CNMZK}\) property, we need to show a simulator-extractor that statistically simulates the adversary’s view and also extracts witnesses for the statements in the right sessions.

As the simulator-extractor, we consider the following \(\mathcal {SE}\).

  1. First, \(\mathcal {SE}\) simulates the view of the adversary by executing the following simulator \(\mathcal {S}\): Simulator \(\mathcal {S}\) internally invokes and interacts with it in the left and right sessions honestly except that in each left session, \(\mathcal {S}\) extracts \((r_V, d)\) by using the concurrent extractor of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) and uses it as a witness in \(\mathsf {sWIAOK}\).

  2. After simulating the view of as above, \(\mathcal {SE}\) extracts witnesses from the right sessions by doing the following for each right session. First, \(\mathcal {SE}\) rewinds \(\mathcal {S}\) until the point just before \(\mathcal {S}\) sends the challenge message of \(\mathsf {sWIAOK}\) to . [Footnote 3] Then, \(\mathcal {SE}\) repeatedly executes \(\mathcal {S}\) from this point with fresh randomness until it obtains another accepted transcript of \(\mathsf {sWIAOK}\). After obtaining another accepted transcript, \(\mathcal {SE}\) extracts a witness by using the argument-of-knowledge property of \(\mathsf {sWIAOK}\).
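The witness extraction in step 2 above, and the Blum-based \(\mathsf {sWIAOK}\) of Stage 2, as an added Python example that is not part of the paper: it runs one round of Blum's Hamiltonian-cycle protocol, fixes the prover's first message (the prefix the extractor rewinds to), obtains accepting responses for both challenges, and recovers the Hamiltonian cycle from the pair. The example assumes a toy SHA-256 commitment in place of the statistically hiding commitment of [10], a single (non-parallel) execution with a one-bit challenge, and a constructed 6-vertex graph; the names `BlumProver`, `verify`, `extract_witness` and `demo` are ours.

```python
import hashlib
import os
import random


def commit(bit, nonce):
    """Toy bit commitment SHA-256(nonce || bit). Illustration only: it is
    computationally, not statistically, hiding, so it merely stands in for the
    statistically hiding commitment used inside sWIAOK."""
    return hashlib.sha256(nonce + bytes([bit])).hexdigest()


def cycle_edges(order):
    """Undirected edges of the cycle that visits `order` and returns to the start."""
    n = len(order)
    return {frozenset((order[k], order[(k + 1) % n])) for k in range(n)}


def is_hamiltonian_cycle(edges, n):
    """True iff `edges` is one simple cycle through all n vertices 0..n-1."""
    if len(edges) != n or any(len(e) != 2 for e in edges):
        return False
    degree = {v: 0 for v in range(n)}
    for e in edges:
        for v in e:
            if v not in degree:
                return False
            degree[v] += 1
    if any(d != 2 for d in degree.values()):
        return False
    seen, stack = set(), [0]          # connectivity walk from vertex 0
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(u for e in edges if v in e for u in e if u != v)
    return len(seen) == n


class BlumProver:
    """Honest prover for one round of Blum's Hamiltonian-cycle protocol.
    The state fixed by first_message() models the prefix an extractor rewinds
    to; respond() can then be called with either challenge."""

    def __init__(self, n, edges, ham_cycle, rng):
        self.n, self.edges, self.cycle, self.rng = n, edges, ham_cycle, rng

    def first_message(self):
        self.pi = list(range(self.n))
        self.rng.shuffle(self.pi)         # random relabelling pi of the vertices
        permuted = {frozenset(self.pi[v] for v in e) for e in self.edges}
        self.openings = {}                # commit to every entry of adj(pi(G)), i<j
        for i in range(self.n):
            for j in range(i + 1, self.n):
                bit = int(frozenset((i, j)) in permuted)
                self.openings[(i, j)] = (bit, os.urandom(16))
        return {key: commit(b, r) for key, (b, r) in self.openings.items()}

    def respond(self, challenge):
        if challenge == 0:                # reveal pi and open every entry
            return {"pi": self.pi, "openings": self.openings}
        perm_cycle = [self.pi[v] for v in self.cycle]   # open only the cycle of pi(G)
        keys = [tuple(sorted(e)) for e in cycle_edges(perm_cycle)]
        return {"openings": {k: self.openings[k] for k in keys}}


def verify(n, edges, commitments, challenge, response):
    """Honest verifier's acceptance predicate for one transcript."""
    for key, (bit, nonce) in response["openings"].items():
        if key not in commitments or commit(bit, nonce) != commitments[key]:
            return False
    if challenge == 0:
        pi = response["pi"]
        if sorted(pi) != list(range(n)) or len(response["openings"]) != n * (n - 1) // 2:
            return False
        permuted = {frozenset(pi[v] for v in e) for e in edges}
        return all(bit == int(frozenset(key) in permuted)
                   for key, (bit, _) in response["openings"].items())
    opened = {frozenset(k) for k, (bit, _) in response["openings"].items() if bit == 1}
    return len(opened) == len(response["openings"]) and is_hamiltonian_cycle(opened, n)


def extract_witness(n, response0, response1):
    """Special soundness: two accepting responses to the SAME first message,
    one per challenge, yield a Hamiltonian cycle of the original graph."""
    pi = response0["pi"]
    inv = {pi[v]: v for v in range(n)}
    return {frozenset((inv[i], inv[j])) for (i, j) in response1["openings"]}


def demo(seed=7):
    rng = random.Random(seed)
    n = 6
    ham = [0, 3, 1, 5, 2, 4]                                           # constructed witness
    edges = cycle_edges(ham) | {frozenset((0, 1)), frozenset((2, 3))}  # plus decoy edges
    prover = BlumProver(n, edges, ham, rng)
    commitments = prover.first_message()   # main thread up to the challenge
    r0 = prover.respond(0)                 # main-thread challenge
    r1 = prover.respond(1)                 # rewound run with the other challenge
    ok = verify(n, edges, commitments, 0, r0) and verify(n, edges, commitments, 1, r1)
    witness = extract_witness(n, r0, r1)
    return ok, witness, witness <= edges and is_hamiltonian_cycle(witness, n)
```

In the paper the extractor does not get the second response for free: it re-runs \(\mathcal {S}\) from the challenge point with fresh randomness until the adversary happens to answer the other challenge acceptingly, and in the parallel version the two transcripts must differ in at least one of the \(n\) challenge bits. The `BlumProver` object with fixed `first_message()` state is the honest-prover stand-in for that rewound prefix.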

It is easy to see that \(\mathcal {SE}\) statistically simulates the real view of . Thus, it remains to show that \(\mathcal {SE}\) extracts witnesses for the statements in the right sessions.

To show the witness extractability of \(\mathcal {SE}\), a natural approach is to follow the above-mentioned approach of [1, 16] and show the following.

  1. When receives honest proofs in the left sessions, a witness for the statement is extracted from the \(\mathsf {sWIAOK}\) proof in every accepted right session.

  2. When the honest proofs in the left sessions are switched to the simulated ones, the value extracted from \(\mathsf {sWIAOK}\) does not change in any accepted right session.

Note that here we argue about the extracted values instead of the committed values. At first sight, it seems that this is not a big difference and it seems that the above can be shown by using an argument similar to the one used in [1, 16].

However, this approach does not work. In particular, we cannot show the second part—that is, we cannot show that the extracted values remain the same when the honest proofs in the left sessions are switched to the simulated ones. To see this, observe the following. Since the witnesses used in \(\mathsf {sWIAOK}\) are switched in the simulated proofs, we need to use the witness indistinguishability of \(\mathsf {sWIAOK}\) in the left sessions. However, since is rewound during the witness extraction of the \(\mathsf {sWIAOK}\) proofs of the right sessions, if the left and the right sessions are scheduled so that the \(\mathsf {sWIAOK}\) proofs of the left sessions are executed in parallel with the \(\mathsf {sWIAOK}\) proofs of the right sessions, the \(\mathsf {sWIAOK}\) proofs of the left sessions are also rewound, and thus we cannot use their witness indistinguishability. [Footnote 4]

Thus, we instead use the following approach. Informally, the above approach does not work because the honest proofs and the simulated proofs are “too different.” We thus introduce a hybrid experiment in which receives hybrid proofs in the left sessions, where a hybrid proof is generated by extracting \((r_V, d)\) by brute force and using it as a witness in \(\mathsf {sWIAOK}\). (Notice that the only difference between the hybrid proofs and the simulated proofs is how the trapdoors are extracted.) We then show that (i) witnesses for the statements are extracted in the right sessions when receives hybrid proofs in the left sessions, and (ii) when hybrid proofs are switched to the simulated ones, the extracted values do not change. In particular, our analysis proceeds as follows.

  • First, we show the second part, i.e., we show that the values extracted in the right sessions do not change when the proofs in the left sessions are switched from the hybrid proofs to the simulated ones. Since the only difference between the hybrid proofs and the simulated ones is how the committed values of the \(\mathsf {CCA}\text {-}\mathsf {CECom}\) commitments are extracted (by brute-force or by the concurrent extractability), we can show this by using the concurrent extractability of \(\mathsf {CCA}\text {-}\mathsf {CECom}\). We note however that there is a subtlety since \(\mathsf {CCA}\text {-}\mathsf {CECom}\) in the left sessions can be rewound not only by the concurrent extractor of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) but also by the extractor of \(\mathsf {sWIAOK}\). Nonetheless, by carefully using a standard technique (the “good prefix” argument), we can show that the concurrent extractor of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) works even in this case.

  • Next, we show that in the hybrid experiment, witnesses for the statements are extracted from the right sessions. Since the simulated proofs can be efficiently generated given access to the committed-value oracle of \(\mathsf {CCA}\text {-}\mathsf {CECom}\), at first sight it seems that this follows directly from the CCA security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) and argument-of-knowledge property of \(\mathsf {sWIAOK}\)—if a witness for the statement is not extracted, \((r_V, d)\) must be extracted, and thus we can break the CCA security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\). However, there are two problems.

    1. Since \(\mathsf {CCA}\text {-}\mathsf {CECom}\) in the left sessions can be rewound during the witness extraction of \(\mathsf {sWIAOK}\) of the right sessions, the hybrid experiment cannot be emulated even given access to the committed-value oracle of \(\mathsf {CCA}\text {-}\mathsf {CECom}\). Hence, the CCA-secure commitments in the right sessions may not be hiding in the hybrid experiment.

    2. Since the adversary obtains hybrid proofs, which are generated in super-polynomial time, the argument-of-knowledge property of \(\mathsf {sWIAOK}\) may not hold in the hybrid experiment. We note that although existing CCA-secure commitment schemes provide robustness, which guarantees that any “small”-round protocol remains secure even when adversaries have access to the committed-value oracle, we cannot use robustness here since \(\mathsf {CCA}\text {-}\mathsf {CECom}\) in the left sessions can be rewound during the witness extraction of \(\mathsf {sWIAOK}\) of the right sessions and therefore the hybrid experiment cannot be emulated even given access to the committed-value oracle.

    Because of these problems, we cannot use the security of \(\mathsf {CCA}\text {-}\mathsf {CECom}\) directly in the analysis. Thus, instead of using existing CCA-secure commitment schemes in a modular way, we directly use their building blocks in the protocol and directly use their proof technique in the analysis. (In particular, we use the robust concurrent extraction technique of [8] and a one-one CCA-secure commitment scheme of [13].) The proof techniques of existing CCA-secure commitment schemes are strong enough to solve the above problems, and thus we can show that witnesses for the statements are extracted in the hybrid experiment.

From the above two, it follows that even when receives simulated proofs in the left sessions, valid witnesses are extracted in the right sessions. This completes the overview of our technique.

3 Definitions

In this section, we sketch the definitions used in this paper. The formal definitions are given in the full version.

3.1 Statistical Concurrent Non-malleable Zero-Knowledge Arguments

The definition of (statistical) concurrent non-malleable zero-knowledge [1, 20] is closely related to the definition of simulation extractability of [22]. Let \(\langle P, V \rangle \) be an interactive argument for a language \(L \in \mathcal {NP}\). For any man-in-the-middle adversary , let us consider a probabilistic experiment in which participates in the following left and right interactions. In the left interaction, interacts with an honest prover P of \(\langle P, V \rangle \) and verifies the validity of statements \(x_1, \ldots , x_m\) using identities \(\mathsf {id}_1, \ldots , \mathsf {id}_m\). In the right interaction, interacts with an honest verifier V of \(\langle P, V \rangle \) and proves the validity of statements \(\widetilde{x}_1, \ldots , \widetilde{x}_m\) using identities \(\widetilde{\mathsf {id}}_1, \ldots , \widetilde{\mathsf {id}}_m\). The statements proven in the left interaction, \(x_1, \ldots , x_m\), are given to P and prior to the experiment. In contrast, the statements proven in the right interaction, \(\widetilde{x}_1, \ldots , \widetilde{x}_m\), and the identities used in the left and the right interactions, \(\mathsf {id}_1, \ldots , \mathsf {id}_m\) and \(\widetilde{\mathsf {id}}_1, \ldots , \widetilde{\mathsf {id}}_m\), are chosen by during the experiment. Then, roughly speaking, \(\langle P, V \rangle \) is statistical concurrent non-malleable zero-knowledge (statistical \(\mathrm {CNMZK}\)) if for any adversary , there exists a \(\textsc {ppt} \) machine called the simulator-extractor that can statistically simulate the view of in the above experiment while extracting witnesses for the statements proven by in the accepted right interactions that use identities different from those of the left interactions.

3.2 Concurrently Extractable Commitment Schemes

Roughly speaking, a commitment scheme is concurrently extractable if there exists a ppt extractor such that for any adversarial committer that concurrently commits to many values by using the scheme, the extractor can extract the committed value from the adversarial committer in every valid commitment. [Footnote 5]

Micciancio et al. [17] showed an \(\omega (\log n)\)-round concurrently extractable commitment \(\mathsf {CECom}\) (Fig. 1), which is an abstraction of the preamble stage of the concurrent zero-knowledge protocol of [25] and can be constructed from one-way functions. The extractor of \(\mathsf {CECom}\) performs the extraction by rewinding the adversarial committer according to the rewinding strategy of [23, 25]—the extractor internally invokes the adversarial committer \(C^*\) and interacts with \(C^*\) as honest receivers on the “main thread”; at the same time, the extractor rewinds the main thread and generates “look-ahead threads” on which the extractor interacts with \(C^*\) again as honest receivers with fresh randomness; then, at the end of each commitment on each thread, the extractor extracts the committed values by using the information collected on the other threads.

Fig. 1. Concurrently extractable commitment \(\mathsf {CECom}\) [17].

Robust Concurrent Extraction. On the concurrently extractable commitment scheme \(\mathsf {CECom}\) of [17], Goyal et al. [8] showed a very useful lemma called the robust concurrent extraction lemma. Roughly speaking, this lemma states that even when the adversarial committer additionally participates in an external protocol, the committed values can be extracted from the adversarial committer without rewinding the external protocol as long as the round complexity of the external protocol is “small.” In particular, the lemma guarantees that the robust concurrent extraction is possible as long as \(\ell - O(k\cdot \log n) = \omega (\log n)\), where \(\ell \) is the parameter of \(\mathsf {CECom}\) and k is the round complexity of the external protocol. (Thus, we need to set \(\ell := \omega (\log n)\) when \(k = O(1)\) and set \(\ell := \mathsf {poly}(n)\) when \(k = \mathsf {poly}(n)\).)

In this work, we cannot use the lemma in a black-box way since in the security analysis we use a specific property of the extractor shown in [8]. In particular, in our security analysis, it is important that the extractor of [8] performs the extraction by generating the main thread and the look-ahead threads as in the rewinding strategies of [23, 25].
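The main-thread/look-ahead-thread extraction described for \(\mathsf {CECom}\) above, as an added Python example that is not from the paper or from [17]. Since Fig. 1 is not reproduced here, the block assumes a simplified PRS-style preamble with \(\ell \) slots: the committed value \(v\) is secret-shared into \(\ell \) pairs \((a_i, b_i)\) with \(a_i \oplus b_i = v\), both shares of every pair are committed up front, and in slot \(i\) the receiver's challenge bit decides which share is opened. It further assumes an honest committer, a toy SHA-256 commitment, and a single look-ahead rewind; the names `PreambleCommitter`, `extract_by_rewinding` and `demo` are ours.

```python
import hashlib
import os
import random


def commit(value, nonce):
    """Toy commitment SHA-256(nonce || value); illustration only."""
    return hashlib.sha256(nonce + value).hexdigest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class PreambleCommitter:
    """Committer of the assumed l-slot preamble: v is shared as (a_i, b_i)
    with a_i XOR b_i = v for each slot i, every share is committed in the
    commit phase, and slot i opens the share selected by the challenge bit."""

    def __init__(self, value, ell):
        self.value, self.ell = value, ell
        self.shares, self.nonces = [], []
        for _ in range(ell):
            a = os.urandom(len(value))
            self.shares.append((a, xor(a, value)))
            self.nonces.append((os.urandom(16), os.urandom(16)))

    def commit_phase(self):
        return [(commit(a, ra), commit(b, rb))
                for (a, b), (ra, rb) in zip(self.shares, self.nonces)]

    def open_slot(self, i, challenge):
        return self.shares[i][challenge], self.nonces[i][challenge]


def check_opening(commitments, i, challenge, opening):
    """Receiver-side check that an opened share matches its commitment."""
    share, nonce = opening
    return commit(share, nonce) == commitments[i][challenge]


def extract_by_rewinding(committer, rng):
    """Main thread: honest receiver over all slots with random challenges.
    Look-ahead thread: rewind one slot, send the complementary challenge, and
    XOR the two opened shares of that pair to obtain the committed value."""
    commitments = committer.commit_phase()
    main_thread = []
    for i in range(committer.ell):
        c = rng.randrange(2)
        opening = committer.open_slot(i, c)
        if not check_opening(commitments, i, c, opening):
            return None               # invalid commitment: nothing to extract
        main_thread.append((c, opening))
    j = rng.randrange(committer.ell)  # slot chosen for the look-ahead thread
    c_main, (share_main, _) = main_thread[j]
    opening_la = committer.open_slot(j, 1 - c_main)
    if not check_opening(commitments, j, 1 - c_main, opening_la):
        return None
    return xor(share_main, opening_la[0])


def demo(value=b"constructed-trapdoor", ell=8, seed=3):
    rng = random.Random(seed)
    return extract_by_rewinding(PreambleCommitter(value, ell), rng)
```

With an honest committer one look-ahead thread suffices. Against an adversarial committer that aborts or answers depending on the challenge history, a single rewind may fail, which is why the strategy of [23, 25] schedules many look-ahead threads across \(\ell = \omega (\log n)\) slots; the robust variant of [8] additionally avoids rewinding an external protocol, and neither of those scheduling aspects is modelled by this block.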

3.3 (One-one) CCA-secure Commitment Schemes

We recall the definition of (one-one) CCA security and \(\kappa \)-robustness of commitment schemes [4, 13, 15].

(One-one) CCA Security. Roughly speaking, a tag-based commitment scheme \(\langle C,R \rangle \) (i.e., a commitment scheme that takes an n-bit string—a tag—as an additional input) is CCA-secure if it is hiding even against adversaries that interact with the following committed-value oracle: The committed-value oracle \(\mathcal {O}\) interacts with as an honest receiver in many concurrent sessions of the commit phase of \(\langle C,R \rangle \) using tags chosen adaptively by ; at the end of each session, if the commitment of this session is invalid or has multiple committed values, \(\mathcal {O}\) returns \(\bot \) to ; otherwise, \(\mathcal {O}\) returns the unique committed value to .

If \(\langle C,R \rangle \) is CCA secure only against adversaries that interact with the one-session committed-value oracle, which is the same as the committed-value oracle except that it interacts with the adversary only in a single session, \(\langle C,R \rangle \) is one-one CCA secure.

\(\kappa \)-Robustness. Roughly speaking, a tag-based commitment scheme is \(\kappa \)-robust if for any adversary and any ITM B, the joint output of a \(\kappa \)-round interaction between and B can be simulated without \(\mathcal {O}\) by a \(\textsc {ppt} \) simulator. Intuitively, \(\kappa \)-robustness guarantees that the security of any \(\kappa \)-round protocol (say, the hiding property of a \(\kappa \)-round commitment scheme) holds even against adversaries that interact with \(\mathcal {O}\).

The Scheme We Use. From a result shown in [8], we can obtain a constant-round \(\kappa \)-robust one-one CCA-secure commitment scheme for every constant \(\kappa \in \mathbb {N}\) from one-way functions. In [8], Goyal et al. constructed an \(\omega (\log n)\)-round CCA-secure commitment scheme from one-way functions. This scheme has \(\omega (\log n)\) rounds because \(\mathsf {CECom}\) with parameter \(\ell = \omega (\log n)\) is used as a building block. The reason why \(\ell \) is set to \(\omega (\log n)\) is that in the security analysis, the committed values of \(\mathsf {CECom}\) need to be extracted when polynomially many \(\mathsf {CECom}\) commitments are concurrently executed. In the setting of one-one CCA security, however, the security analysis works even if the committed values of \(\mathsf {CECom}\) are extractable only when a single \(\mathsf {CECom}\) commitment is executed; hence, we can set \(\ell := O(1)\). For completeness, we give the protocol and the proof of one-one CCA security in the full version.

4 Our Statistical Concurrent Non-malleable ZK Argument

We show that a statistical concurrent non-malleable zero-knowledge argument can be constructed from any statistically hiding commitment scheme.

Theorem 2

Assume the existence of statistically hiding commitment schemes with round complexity \(R_{{\mathsf {SH}}}(n)\). Then, there exists an \(\omega (R_{{\mathsf {SH}}}(n)\log n)\)-round statistical concurrent non-malleable zero-knowledge argument \(\mathsf {sCNMZK}\).

Since \(\mathsf {poly}(n)\)-round statistically hiding commitment schemes can be constructed from one-way functions [10] and constant-round ones can be constructed from a family of collision-resistant hash functions [5, 19], our main theorem (Theorem 1) follows from Theorem 2.

Fig. 2. Statistical concurrent non-malleable zero-knowledge argument \(\mathsf {sCNMZK}\).

Proof (of Theorem 2). In \(\mathsf {sCNMZK}\), we use the following building blocks, all of which can be constructed from \(R_{{\mathsf {SH}}}(n)\)-round statistically hiding commitment schemes (or one-way functions, which can be obtained from statistically hiding commitment schemes).

  • Two-round statistically binding commitment scheme \(\mathsf {Com_{SB}}\) [11, 18].

  • Constant-round 4-robust one-one CCA-secure commitment scheme \(\mathsf {CCACom}^{1:1}\) (see Sect. 3.3).

  • Four-round witness-indistinguishable proof of knowledge \(\mathsf {WIPOK}\), which is a parallel version of Blum’s Hamiltonian-cycle protocol [2].

  • \((R_{{\mathsf {SH}}}(n)+2)\)-round statistical witness-indistinguishable argument of knowledge \(\mathsf {sWIAOK}\), which is a parallel version of Blum’s Hamiltonian-cycle protocol that is instantiated with a \(R_{{\mathsf {SH}}}(n)\)-round statistically hiding commitment scheme \(\mathsf {Com_{SH}}\).

  • \(\omega (R_{{\mathsf {SH}}}(n)\log n)\)-round concurrently extractable commitment scheme \(\mathsf {CECom}\), which is the scheme of [17] with parameter \(\ell = \omega (R_{{\mathsf {SH}}}(n)\log n)\). From the robust concurrent extraction lemma [8], we can extract the committed values from any adversarial committer even when it additionally participates in any \(O(R_{{\mathsf {SH}}}(n))\)-round external protocol.

Protocol \(\mathsf {sCNMZK}\) is shown in Fig. 2. Roughly speaking, soundness can be proven as follows. Assume that an adversary breaks the soundness. From the witness extractability of \(\mathsf {sWIAOK}\), a valid decommitment \((r'_V, d')\) of the \(\mathsf {Com_{SB}}\) commitment of Stage I can be extracted from this adversary in Stage III. Furthermore, from the hiding property of \(\mathsf {CECom}\) and the witness indistinguishability of \(\mathsf {WIPOK}\), it can be shown that \((r'_V, d')\) can be extracted even when Stage I is simulated by extracting \(r_P\) in Stage II-1 and using it in Stages II-2 and II-4. Then, since Stage II is now simulated without using the decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I, we can derive a contradiction by breaking the hiding property of \(\mathsf {Com_{SB}}\) or \(\mathsf {CECom}\) by using \((r'_V, d')\). The formal proof is given in the full version.

In the following, we prove the statistical \(\mathrm {CNMZK}\) property.

Simulator-Extractor \(\mathcal{{SE}}\). Recall that to prove the statistical \(\mathrm {CNMZK}\) property, we need to show a simulator-extractor that simulates the view of the adversary and also extracts a witness in every accepted right session. We construct our simulator-extractor step by step. First, we construct a super-polynomial-time simulator \(\hat{\mathcal {S}}\) that simulates the view of but does not extract witnesses in the right sessions. Next, we construct a super-polynomial-time simulator-extractor \(\hat{\mathcal {SE}}\) that simulates the view of by executing \(\hat{\mathcal {S}}\) and then extracts the witnesses by rewinding \(\hat{\mathcal {S}}\). Finally, we construct a polynomial-time simulator-extractor \(\mathcal {SE}\) that emulates the execution of \(\hat{\mathcal {SE}}\) in polynomial time.

Remark 1

In the following, we use the hat symbol in the names of simulators and simulator-extractors if they run in super-polynomial time (e.g., \(\hat{\mathcal {S}}\) and \(\hat{\mathcal {SE}}\)). Also, we use the tilde symbol in the names of the messages of \(\mathsf {sCNMZK}\) if they are the messages of the right sessions (e.g., \(\widetilde{r}_V\) and \(\widetilde{r}_P\)); if necessary, we use a subscript to denote the index of the session.

Super-Polynomial-Time Simulator \(\hat{\mathcal {S}}\). First, we show the simulator \(\hat{\mathcal {S}}\), which simulates the view of in super-polynomial time as follows. \(\hat{\mathcal {S}}\) internally invokes and interacts with as provers and verifiers in the following way.

  • In each left session, \(\hat{\mathcal {S}}\) interacts with in the same way as a honest prover except for the following. In Stage I-2, \(\hat{\mathcal {S}}\) extracts the committed value \((r_V, d)\) of the \(\mathsf {CECom}\) commitment by brute force. (If the committed value is not uniquely determined, \((r_V, d)\) is defined to be \((\bot , \bot )\).) In Stage III, \(\hat{\mathcal {S}}\) checks whether \((r_V, d)\) is a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I-1; if so, \(\hat{\mathcal {S}}\) gives a \(\mathsf {sWIAOK}\) proof by using \((r_V, d)\) as a witness; otherwise, \(\hat{\mathcal {S}}\) terminates with output \(\mathsf {fail}\).

  • In each right session, \(\hat{\mathcal {S}}\) interacts with in the same way as a honest verifier.

Finally, \(\hat{\mathcal {S}}\) outputs the view of internal . Notice that \(\hat{\mathcal {S}}\) does not rewind .

Super-Polynomial-Time Simulator-Extractor \(\hat{\mathcal {SE}}\). Next, we show the simulator-extractor \(\hat{\mathcal {SE}}\), which simulates the view of in super-polynomial time and also extracts witnesses in every accepted right session as follows. First, \(\hat{\mathcal {SE}}\) simulates the view of by executing \(\hat{\mathcal {S}}\). We call this execution of \(\hat{\mathcal {S}}\) the wi-main thread. Next, for each \(i\in [m]\), if the i-th right session is accepted on the wi-main thread and uses a different identity from every left session, \(\hat{\mathcal {SE}}\) extracts a witness from this session as follows.

  • \(\hat{\mathcal {SE}}\) rewinds the wi-main thread until the point just before the challenge message of \(\mathsf {sWIAOK}\) of the i-th right session is sent. Then, from this point, \(\hat{\mathcal {SE}}\) executes \(\hat{\mathcal {S}}\) again with fresh randomness (i.e., interacts with as \(\hat{\mathcal {S}}\) does with fresh randomness). \(\hat{\mathcal {SE}}\) repeats this rewinding until it obtains another accepting transcript of the i-th right session. We call each execution of \(\hat{\mathcal {S}}\) in this step a wi-auxiliary thread.

  • After obtaining two accepting transcripts of the i-th right session (one is on the wi-main thread and the other is on a wi-auxiliary thread), \(\hat{\mathcal {SE}}\) extracts a witness from \(\mathsf {sWIAOK}\) by using the witness extractability of \(\mathsf {sWIAOK}\). If \(\hat{\mathcal {SE}}\) fails to extract a witness for \(\widetilde{x}_{i} \in L\) (the statement proven in the i-th right session), \(\hat{\mathcal {SE}}\) terminates with output \(\mathsf {fail}_{\mathsf {WI}}\). Otherwise, let \(\widetilde{w}_i\) be the extracted witness.

If the i-th right session is not accepted or uses the same identity as a left session, define \(\widetilde{w}_i \mathop {=}\limits ^\mathrm{def}\bot \). The output of \(\hat{\mathcal {SE}}\) is \((\mathsf {view}, \{\widetilde{w}_i \}_{i\in [m]})\), where \(\mathsf {view}\) is the view of on the wi-main thread.

Polynomial-Time Simulator-Extractor \(\mathcal {SE}\). Finally, we show the simulator-extractor \(\mathcal {SE}\), which emulates the execution of \(\hat{\mathcal {SE}}\) in polynomial time as follows. First, \(\mathcal {SE}\) emulates the wi-main thread in polynomial time as follows.

  • \(\mathcal {SE}\) internally invokes and interacts with as \(\hat{\mathcal {S}}\) does except that in each left session, \(\mathcal {SE}\) extracts \((r_V, d)\) by using the concurrent extractability of \(\mathsf {CECom}\). Recall that a concurrent extraction of \(\mathsf {CECom}\) involves the generation of a main thread and many look-ahead threads. We call the main thread generated during the concurrent extraction of \(\mathsf {CECom}\) the cec-main thread, and call the look-ahead threads generated during the concurrent extraction of \(\mathsf {CECom}\) the cec-auxiliary threads.

Next, for each \(i\in [m]\), if the i-th right session is accepted on the emulated wi-main thread and uses a different identity from every left session, \(\mathcal {SE}\) emulates wi-auxiliary threads as follows.

  • \(\mathcal {SE}\) rewinds the emulation of the wi-main thread until the point just before the challenge message of \(\mathsf {sWIAOK}\) of the i-th right session is sent on the cec-main thread. Then, from this point, \(\mathcal {SE}\) emulates the wi-main thread again with fresh randomness (i.e., generates the rest of the cec-main thread and the cec-auxiliary threads with fresh randomness). \(\mathcal {SE}\) repeats this rewinding until it obtains another accepted transcript of the i-th right session on an emulated wi-auxiliary thread.

Let \((\mathsf {view}, \{\widetilde{w}_i \}_{i\in [m]})\) be the output of the emulated \(\hat{\mathcal {SE}}\). Then, \(\mathcal {SE}\) outputs \((\mathsf {view}, \{\widetilde{w}_i \}_{i\in [m]})\).

4.1 Analysis of Poly-Time Simulator-Extractor \(\mathcal {SE}\).

To prove the statistical \(\mathrm {CNMZK}\) property, we show that \(\mathcal {SE}\) statistically simulates the view of and also extracts witnesses for the statements in the right sessions.

Lemma 1

The view of simulated by \(\mathcal {SE}\) is statistically indistinguishable from the view of in the real experiment. Furthermore, except with negligible probability, \(\mathcal {SE}\) outputs witnesses for the statements proven by in the accepted right sessions that use different identities from the left sessions.

Proof (sketch). In this proof, we use the following claim, which states that the super-polynomial-time simulator-extractor \(\hat{\mathcal {SE}}\) statistically simulates the view of and also extracts the witnesses from the right sessions.

Claim 1

The view of simulated by \(\hat{\mathcal {SE}}\) is statistically indistinguishable from the view of in the real experiment. Furthermore, except with negligible probability, \(\hat{\mathcal {SE}}\) outputs witnesses for the statements proven by in the accepted right sessions that use different identities from the left sessions.

Before proving this claim, we finish the proof of Lemma 1. Given Claim 1, we can prove Lemma 1 by showing that the output of \(\mathcal {SE}\) is statistically indistinguishable from that of \(\hat{\mathcal {SE}}\). This indistinguishability can be shown by observing the following.

  • In \(\mathcal {SE}\), the emulation of \(\hat{\mathcal {SE}}\) is perfect if in every left session that reaches Stage III, the value extracted by the concurrent extractability of \(\mathsf {CECom}\) is equal to the value that would be extracted by brute force.

  • In every such left session, the value extracted by the concurrent extractability of \(\mathsf {CECom}\) is indeed equal to the value that would be extracted by brute force. This is because the \(\mathsf {CECom}\) commitment in Stage I-2 is valid in every such left session except with negligible probability, which in turn is because of the soundness of \(\mathsf {WIPOK}\) and the hiding property of \(\mathsf {CCACom}^{1:1}\).

We note that there is a subtlety since the concurrent extraction of \(\mathsf {CECom}\) itself is rewound in \(\mathcal {SE}\) when the witnesses are extracted from the right sessions. The formal proof is given in the full version.   \(\square \)

4.2 Analysis of Super-Poly-Time Simulator-Extractor \(\hat{\mathcal {SE}}\).

It remains to prove Claim 1, which states that (i) super-polynomial-time simulator-extractor \(\hat{\mathcal {SE}}\) statistically simulates the real view of and (ii) \(\hat{\mathcal {SE}}\) also extracts a valid witness from every accepted right session in the simulated view.

Proof (of Claim 1). First, we show that \(\hat{\mathcal {SE}}\) statistically simulates the real view of . Since \(\hat{\mathcal {SE}}\) simulates the view of by executing \(\hat{\mathcal {S}}\), it suffices to show that the output of \(\hat{\mathcal {S}}\) is statistically indistinguishable from the real view of . In \(\hat{\mathcal {S}}\), each left session is simulated by extracting \((r_V, d)\) from the \(\mathsf {CECom}\) commitment in Stage I-2 and giving a \(\mathsf {sWIAOK}\) proof in Stage III with witness \((r_V, d)\). Hence, the indistinguishability follows from the statistical witness indistinguishability of \(\mathsf {sWIAOK}\) and the following claim.

Claim 2

In \(\hat{\mathcal {S}}\), the following holds except with negligible probability: In every left session that reaches Stage III, the \(\mathsf {CECom}\) commitment in Stage I-2 of this session is valid and its committed value is a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I-1.

We do not prove Claim 2, since it is implied by the claim that we prove later (Claim 5).

Next, we show that \(\hat{\mathcal {SE}}\) extracts a valid witness from every accepted right session except with negligible probability. Since \(\hat{\mathcal {SE}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) when it fails to extract a witness in an accepted right session, it suffices to show that \(\hat{\mathcal {SE}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) only with negligible probability. Assume for contradiction that there exists \(\widetilde{i^*}\in [m]\) such that \(\hat{\mathcal {SE}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) during the witness extraction of the \(\widetilde{i^*}\)-th right session with non-negligible probability. Then, let us consider the following hybrid simulator-extractor \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\).

  • \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) is the same as \(\hat{\mathcal {SE}}\) except that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) tries to extract a witness only from the \(\widetilde{i^*}\)-th right session (and therefore rewinds the wi-main thread only from the challenge message of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)-th right session).

Clearly, \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) with non-negligible probability. Then, we reach a contradiction roughly as follows.

  • Step 1. First, we show that in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\), the probability that \(\widetilde{r}_V\) is extracted as a witness during the witness extraction of the \(\widetilde{i^*}\)-th right session is non-negligible, where \(\widetilde{r}_V\) is the value chosen by the verifier in Stage I-1 of the \(\widetilde{i^*}\)-th right session.

  • Step 2. Next, we define a sequence of hybrid simulator-extractors. The first hybrid is the same as \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\), and we gradually modify the \(\widetilde{i^*}\)-th right session so that it is independent of \(\widetilde{r}_V\) in the last hybrid.

  • Step 3. Finally, we show that even in the last hybrid, the probability that \(\widetilde{r}_V\) is extracted during the witness extraction of the \(\widetilde{i^*}\)-th right session is non-negligible. Since the \(\widetilde{i^*}\)-th right session is independent of \(\widetilde{r}_V\) in the last hybrid, we reach a contradiction.

Details are given below.

Step 1. Prove that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) extracts \(\widetilde{r}_V\). We first prove the following claim.

Claim 3

Let \(\widetilde{r}_V\) be the value chosen by the verifier in Stage I-1 of the \(\widetilde{i^*}\)-th right session. If \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) with non-negligible probability, then in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) the probability that \(\widetilde{r}_V\) is extracted during the witness extraction of the \(\widetilde{i^*}\)-th right session is non-negligible.

Proof. Assume for contradiction that \(\widetilde{r}_V\) is extracted during the witness extraction of the \(\widetilde{i^*}\)-th right session with at most negligible probability. Then, since we assume that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) with non-negligible probability, the following occurs in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) with non-negligible probability:

  • \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) obtains two accepting transcripts of the \(\widetilde{i^*}\)-th right session (and therefore of \(\mathsf {sWIAOK}\)) such that the commit-messages of \(\mathsf {sWIAOK}\) are the same, but

  • from these two transcripts, \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) fails to extract any witness from \(\mathsf {sWIAOK}\) (either a witness for \(\widetilde{x}_{\widetilde{i^*}} \in L\) or a valid decommitment of the Stage I-1 commitment).

We first show that when the above occurs, the two accepting \(\mathsf {sWIAOK}\) transcripts are admissible except with negligible probability, where a pair of accepted transcripts of \(\mathsf {sWIAOK}\) are admissible if their commit-messages are the same but their challenge-messages are different. Toward this end, it suffices to show that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) chooses the same challenge-message of \(\mathsf {sWIAOK}\) on two wi-auxiliary threads with at most negligible probability. This can be shown as follows.

  • From a standard argument, we can show that the expected number of rewindings of the wi-main thread is 1 in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\). Thus, the probability that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) rewinds the wi-main thread more than \(2^{n/2}\) times is at most \(2^{-n/2}\). Furthermore, under the condition that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) rewinds the wi-main thread at most \(2^{n/2}\) times, the probability that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) chooses the same challenge-message on two wi-auxiliary threads is at most \(2^{n/2} \cdot 2^{-n} = 2^{-n/2}\). Thus, the probability that \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) chooses the same challenge-message on two wi-auxiliary threads is at most \(2^{-n/2} + 2^{-n/2} = \mathsf {negl}(n)\).

Thus, with non-negligible probability \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) obtains two admissible transcripts of \(\mathsf {sWIAOK}\) from which no witness can be computed.

We then reach a contradiction as follows. Since \(\mathsf {sWIAOK}\) is a parallel version of Blum’s Hamiltonian-cycle protocol, if no witness is extracted from two admissible transcripts of \(\mathsf {sWIAOK}\), a \(\mathsf {Com_{SH}}\) commitment in the commit-messages is decommitted to two different values in the transcripts. Thus, we derive a contradiction by breaking the binding property of \(\mathsf {Com_{SH}}\) using \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\). A problem is that since \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) runs in super-polynomial time, the computational binding property of \(\mathsf {Com_{SH}}\) may not hold in \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\). To overcome this problem, we consider the hybrid simulator-extractor \(\mathcal {SE}_{\widetilde{i^*}}\) that emulates the execution of \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) in polynomial time. Specifically, \(\mathcal {SE}_{\widetilde{i^*}}\) emulates \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) in the same way as \(\mathcal {SE}\) emulates \(\hat{\mathcal {SE}}\) (i.e., by using the concurrent extractability of \(\mathsf {CECom}\) instead of the brute-force extraction) except for the following.

  • During the emulation of the wi-main thread, the value \((r_V, d)\) is extracted in Stage I-2 of each left session by using the robust concurrent extractability of \(\mathsf {CECom}\) so that the commit-message of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)-th right session is not rewound.

As in the proof of Lemma 1, we can show that \(\mathcal {SE}_{\widetilde{i^*}}\) statistically emulates the execution of \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\). Thus, with non-negligible probability, \(\mathcal {SE}_{\widetilde{i^*}}\) obtains two valid decommitments of a \(\mathsf {Com_{SH}}\) commitment (in the commit-messages of \(\mathsf {sWIAOK}\) of the \(\widetilde{i^*}\)-th right session) such that the decommitted values are different. Then, since \(\mathcal {SE}_{\widetilde{i^*}}\) runs in polynomial time and since the commit-messages of \(\mathsf {sWIAOK}\) (and therefore the \(\mathsf {Com_{SH}}\) commitment) of the \(\widetilde{i^*}\)-th right session are not rewound in \(\mathcal {SE}_{\widetilde{i^*}}\), we can break the binding property of \(\mathsf {Com_{SH}}\). Thus, we reach a contradiction.   \(\square \)
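The extraction dichotomy used in the proof of Claim 3 (two admissible transcripts of a parallel Blum Hamiltonian-cycle protocol yield either a witness or two conflicting openings of one commitment) can be made concrete. The following Python toy is an added example, not the paper's code: a SHA-256 commitment stands in for \(\mathsf {Com_{SH}}\), the prover object keeps its commit-phase state so that it can be rewound to just before the challenge message, and `rewind_extract` runs a main thread followed by fresh-challenge auxiliary threads, rejecting a repeated challenge as non-admissible. All names, the graph instance and the seeds are constructed for illustration.

```python
import hashlib
import random

def commit(value, r):
    """Hash commitment SHA-256(r || value), a stand-in for the paper's Com_SH."""
    return hashlib.sha256(r + value).digest()

def cycle_edges(cycle):
    """Edges of a vertex sequence read as a closed cycle, as frozensets."""
    return {frozenset((cycle[i], cycle[(i + 1) % len(cycle)])) for i in range(len(cycle))}

def is_ham_cycle(n, edges):
    """True iff `edges` is a single cycle through all n vertices (n >= 3)."""
    nbrs = {v: [] for v in range(n)}
    for e in edges:
        u, v = tuple(e)
        nbrs[u].append(v)
        nbrs[v].append(u)
    if len(edges) != n or any(len(l) != 2 for l in nbrs.values()):
        return False
    seen, prev, cur = {0}, 0, nbrs[0][0]
    while cur != 0:
        seen.add(cur)
        prev, cur = cur, nbrs[cur][1] if nbrs[cur][0] == prev else nbrs[cur][0]
    return len(seen) == n

class Prover:
    """Honest prover for t parallel Blum instances. `seed` fixes the commit-phase
    randomness, so one object answers many challenges on the same commit-message,
    which is what rewinding to just before the challenge message means."""
    def __init__(self, n, edges, cycle, t, seed):
        rng = random.Random(seed)
        self.state = []  # per instance: (pi, {(i, j): (bit, randomness)}, cycle edges of pi(G))
        for _ in range(t):
            pi = list(range(n))
            rng.shuffle(pi)
            h_edges = {frozenset(pi[v] for v in e) for e in edges}
            opens = {(i, j): (b"1" if frozenset((i, j)) in h_edges else b"0",
                              rng.getrandbits(128).to_bytes(16, "big"))
                     for i in range(n) for j in range(i + 1, n)}
            self.state.append((pi, opens, {tuple(sorted(pi[v] for v in e)) for e in cycle_edges(cycle)}))

    def commit_msg(self):
        return [{p: commit(v, r) for p, (v, r) in opens.items()} for _, opens, _ in self.state]

    def respond(self, chal):
        """Bit 0: reveal pi and every opening; bit 1: open only the edges of the cycle in pi(G)."""
        return [(pi, opens) if bit == 0 else {p: opens[p] for p in hc}
                for (pi, opens, hc), bit in zip(self.state, chal)]

def verify(n, edges, com, chal, resp):
    for com_i, bit, r_i in zip(com, chal, resp):
        if bit == 0:
            pi, opens = r_i
            h_edges = {frozenset(pi[v] for v in e) for e in edges}
            if sorted(pi) != list(range(n)) or any(
                    opens[p][0] != (b"1" if frozenset(p) in h_edges else b"0")
                    or commit(*opens[p]) != c for p, c in com_i.items()):
                return False
        elif any(v != b"1" or commit(v, r) != com_i[p] for p, (v, r) in r_i.items()):
            return False
        elif not is_ham_cycle(n, {frozenset(p) for p in r_i}):
            return False
    return True

def extract(n, com, chal0, resp0, chal1, resp1):
    """Special soundness: from two admissible transcripts (same com, different chal)
    return ("witness", cycle_edges) or ("binding_break", (c, opening_a, opening_b))."""
    k = next(i for i, (a, b) in enumerate(zip(chal0, chal1)) if a != b)
    (pi, opens), cyc = (resp0[k], resp1[k]) if chal0[k] == 0 else (resp1[k], resp0[k])
    inv = {pi[v]: v for v in range(n)}
    g_edges = set()
    for pos, (v1, r1) in cyc.items():
        v0, r0 = opens[pos]
        if v0 != v1:  # the same commitment opened to "0" in one transcript and "1" in the other
            return "binding_break", (com[k][pos], (v0, r0), (v1, r1))
        g_edges.add(frozenset(inv[x] for x in pos))
    return "witness", g_edges

def rewind_extract(prover, n, edges, rng, max_tries=10_000):
    """Main thread, then fresh-challenge auxiliary threads until an admissible second accepting transcript."""
    t = len(prover.state)
    com = prover.commit_msg()
    chal_main = [rng.getrandbits(1) for _ in range(t)]
    resp_main = prover.respond(chal_main)
    assert verify(n, edges, com, chal_main, resp_main)  # rewinding only starts from an accepted main thread
    for rewinds in range(1, max_tries + 1):
        chal = [rng.getrandbits(1) for _ in range(t)]
        resp = prover.respond(chal)
        if chal != chal_main and verify(n, edges, com, chal, resp):
            return extract(n, com, chal_main, resp_main, chal, resp), rewinds
    return None, max_tries

# Constructed instance: the 5-cycle 0-1-2-3-4-0 plus chords (0, 2) and (1, 3).
N, CYCLE = 5, [0, 1, 2, 3, 4]
EDGES = cycle_edges(CYCLE) | {frozenset((0, 2)), frozenset((1, 3))}

def demo(t=8, seed=7):
    prover = Prover(N, EDGES, CYCLE, t, seed)
    return rewind_extract(prover, N, EDGES, random.Random(seed + 1))
```

With an honest prover `demo()` returns the original cycle; feeding `extract` a tampered 0-transcript in which one commitment is opened to a different bit exercises the binding-break branch instead.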

Step 2. Introduce hybrid simulator-extractors. Next, we introduce hybrid simulator-extractors. To clarify the exposition, we first define a sequence of hybrid simulators by gradually modifying \(\hat{\mathcal {S}}\) and then define the hybrid simulator-extractors by using them. Below, when we refer to a particular stage of \(\mathsf {sCNMZK}\), we always mean the corresponding stage of \(\mathsf {sCNMZK}\) in the \(\widetilde{i^*}\)-th right session.

  • Hybrid simulator \({h\hbox {-}{\hat{\mathcal {S}}}}_0\) is identical with \(\hat{\mathcal {S}}\).

  • Hybrid simulator \({h\hbox {-}{\hat{\mathcal {S}}}}_1\) is the same as \({h\hbox {-}{\hat{\mathcal {S}}}}_0\) except that \(\widetilde{r}_P\) is extracted by brute force in Stage II-1 and the committed value of the \(\mathsf {CECom}\) commitment in Stage II-2 is switched from \(0^{n}\) to \(\widetilde{r}_P\).

  • Hybrid simulator \({h\hbox {-}{\hat{\mathcal {S}}}}_2\) is the same as \({h\hbox {-}{\hat{\mathcal {S}}}}_1\) except that in Stage II-4, the \(\mathsf {WIPOK}\) proof is computed by using a witness for the fact that the committed value of the \(\mathsf {CECom}\) commitment of Stage II-2 is \(\widetilde{r}_P\).

  • Hybrid simulator \({h\hbox {-}{\hat{\mathcal {S}}}}_3\) is the same as \({h\hbox {-}{\hat{\mathcal {S}}}}_2\) except that in Stage I-2, the committed value of the \(\mathsf {CECom}\) commitment is switched from \((\widetilde{r}_V, \widetilde{d})\) to \((0^{|\widetilde{r}_V|}, 0^{|\widetilde{d}|})\).

  • Hybrid simulator \({h\hbox {-}{\hat{\mathcal {S}}}}_4\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{3}\) except that in Stage I-1, the committed value of the \(\mathsf {Com_{SB}}\) commitment is switched from \(\widetilde{r}_V\) to \(0^{n}\).

Then, for each \(k\in \{0,\ldots ,4 \}\), hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_k\) is defined as follows.

  • Hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_k\) is the same as \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) except that the execution of \(\hat{\mathcal {S}}\) is replaced with that of \(h\hbox {-}{\hat{\mathcal {S}}}_k\). The output of \(h\hbox {-}{\hat{\mathcal {SE}}}_k\) is the value extracted during the witness extraction of the \(\widetilde{i^*}\)-th right session.

Note that the value \(\widetilde{r}_V\) is not used anywhere in \(h\hbox {-}{\hat{\mathcal {SE}}}_4\).

Step 3. Prove that \(\widetilde{r}_V\) is extracted in every hybrid. Finally, we show that \(\widetilde{r}_V\) is extracted with non-negligible probability in each hybrid. First, we consider \(h\hbox {-}{\hat{\mathcal {SE}}}_1\).

Claim 4

Let \(\widetilde{r}_V\) be the value chosen by the verifier in Stage I-1 of the \(\widetilde{i^*}\)-th right session. If \(\hat{\mathcal {SE}}_{\widetilde{i^*}}\) outputs \(\mathsf {fail}_{\mathsf {WI}}\) with non-negligible probability, then in \(h\hbox {-}{\hat{\mathcal {SE}}}_1\) the probability that \(\widetilde{r}_V\) is extracted during the witness extraction of the \(\widetilde{i^*}\)-th right session is non-negligible.

Proof. In this proof, we use intermediate hybrid simulator-extractors in which the \(\mathsf {CECom}\) commitment in Stage II-2 of the \(\widetilde{i^*}\)-th right session is gradually modified. Again, we first introduce hybrid simulators. Recall that a \(\mathsf {CECom}\) commitment consists of \(\ell = \omega (R_{{\mathsf {SH}}}(n)\log n)\) \(\mathsf {ExtCom}\) commitments. Then, the intermediate hybrid simulators \(h\hbox {-}{\hat{\mathcal {S}}}_{0:0}, \ldots , h\hbox {-}{\hat{\mathcal {S}}}_{0:\ell }\) are defined as follows.

  • Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:0}\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_0\) except that \(\widetilde{r}_P\) is extracted by brute force in Stage II-1 of the \(\widetilde{i^*}\)-th right session.

  • Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:k}\) (\(k\in [\ell ]\)) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{0:k-1}\) except that the committed value of the k-th \(\mathsf {ExtCom}\) commitment in the \(\mathsf {CECom}\) commitment of Stage II-2 is switched from \(0^{n}\) to \(\widetilde{r}_P\) in the \(\widetilde{i^*}\)-th right session.

Then, for each \(k\in \{0,\ldots ,\ell \}\), hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) is defined as follows.

  • Hybrid simulator-extractor \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) is the same as \(h\hbox {-}{\hat{\mathcal {SE}}}_0\) except that the execution of \(h\hbox {-}{\hat{\mathcal {S}}}_0\) is replaced with that of \(h\hbox {-}{\hat{\mathcal {S}}}_{0:k}\).

Note that \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:\ell }\) is identical with \(h\hbox {-}{\hat{\mathcal {SE}}}_{1}\).

Below, we show that for every \(k\in [\ell ]\), the output of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and that of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are indistinguishable. (Recall that the outputs of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are the value extracted in the \(\widetilde{i^*}\)-th right session.) Since the probability that \(\widetilde{r}_V\) is extracted in \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:0}\) is non-negligible from Claim 3, this suffices to prove Claim 4.

Roughly speaking, we show this indistinguishability as follows. Since \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) differ only in the committed value of an \(\mathsf {ExtCom}\) commitment, we use the hiding property of the \(\mathsf {ExtCom}\) commitment to show the indistinguishability. A problem is that we cannot use it directly since \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) run in super-polynomial time. To overcome this problem, we observe that the only super-polynomial computations in \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are the brute-force extraction of \(\mathsf {CCACom}^{1:1}\) in the \(\widetilde{i^*}\)-th right session and those of \(\mathsf {CECom}\) in the left sessions. Based on this observation, we first show that the execution of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) can be emulated in polynomial time by using the one-session committed-value oracle \(\mathcal {O}\) of \(\mathsf {CCACom}^{1:1}\) and the concurrent extractability of \(\mathsf {CECom}\). We then combine the 4-robustness of \(\mathsf {CCACom}^{1:1}\) with the hiding property of \(\mathsf {ExtCom}\) (which has only four rounds) to argue that the output of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and that of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are indistinguishable. To formally implement this idea, we need to make sure that the \(\mathsf {ExtCom}\) commitment and the \(\mathsf {CCACom}^{1:1}\) commitment are not rewound during the concurrent extraction of \(\mathsf {CECom}\). Details are given below.

First, we introduce hybrid simulator-extractors \(h\hbox {-}\mathcal {SE}_{0:k-1}^{\mathcal {O}}\) and \(h\hbox {-}\mathcal {SE}_{0:k}^{\mathcal {O}}\), where \(\mathcal {O}\) is the one-session committed-value oracle of \(\mathsf {CCACom}^{1:1}\). Hybrid \(h\hbox {-}\mathcal {SE}_{0:k}^{\mathcal {O}}\) (resp., \(h\hbox {-}\mathcal {SE}_{0:k-1}^{\mathcal {O}}\)) emulates \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) (resp., \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\)) in the same way as \(\mathcal {SE}\) emulates \(\hat{\mathcal {SE}}\) except for the following.

  • During the emulation of the wi-main thread, the value \((r_V, d)\) is extracted in Stage I-2 of each left session by using the robust concurrent extractability so that the \(\mathsf {CCACom}^{1:1}\) commitment of Stage II-1 and the k-th \(\mathsf {ExtCom}\) commitment of the \(\mathsf {CECom}\) commitment of Stage II-2 are not rewound in the \(\widetilde{i^*}\)-th right session. In addition, in the \(\widetilde{i^*}\)-th right session, the committed value of \(\mathsf {CCACom}^{1:1}\) is extracted by forwarding the commitment to \(\mathcal {O}\). Note that the \(\mathsf {CCACom}^{1:1}\) commitment in the \(\widetilde{i^*}\)-th right session is not rewound and therefore it can be forwarded to \(\mathcal {O}\).

Next, we show that for each \(h\in \{k-1, k \}\), the output of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:h}\) and that of \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:h}\) are indistinguishable. This can be proven in a similar way to Lemma 1. In particular, we can use the same argument if we use the following claim instead of Claim 2.

Claim 5

In \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\) for each \(h\in \{k-1, k \}\), the following holds except with negligible probability: In every left session that reaches Stage III, the \(\mathsf {CECom}\) commitment in Stage I-2 of this session is valid and its committed value is a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment of Stage I-1.

Note that since \(h\hbox {-}{\hat{\mathcal {S}}}_{0:0}\) is identical to \(\hat{\mathcal {S}}\), Claim 5 implies Claim 2.

Proof (of Claim 5). Let us say that a left session is bad if it reaches Stage III and either the \(\mathsf {CECom}\) commitment in Stage I-2 is invalid or its committed value is not a valid decommitment of the \(\mathsf {Com_{SB}}\) commitment in Stage I-1; a left session is good if it is not bad. What we want to prove is that every left session is good except with negligible probability.

Roughly speaking, the proof proceeds as follows. From the soundness of \(\mathsf {WIPOK}\), if a left session is bad, then in Stage II-2 of this left session, the committed value of the \(\mathsf {CECom}\) commitment is \(r_P\), which is the committed value of the \(\mathsf {CCACom}^{1:1}\) commitment of Stage II-1; thus, before \(r_P\) is decommitted to in Stage II-3, we can obtain \(r_P\) by extracting the committed value from \(\mathsf {CECom}\) in Stage II-2. This itself does not contradict the hiding property of \(\mathsf {CCACom}^{1:1}\) since \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\) runs in super-polynomial time in the brute-force extraction of \(\mathsf {CECom}\) and \(\mathsf {CCACom}^{1:1}\). Thus, we again replace the brute-force extraction with the concurrent extraction of \(\mathsf {CECom}\) and oracle access to the one-session committed-value oracle \(\mathcal {O}\) of \(\mathsf {CCACom}^{1:1}\), and use the one-one CCA-security of \(\mathsf {CCACom}^{1:1}\) instead of its hiding property. Here, since we want to use the one-one CCA-security of \(\mathsf {CCACom}^{1:1}\), we perform the concurrent extraction of \(\mathsf {CECom}\) so that the \(\mathsf {CCACom}^{1:1}\) commitment in a left session and the \(\mathsf {CCACom}^{1:1}\) commitment in the \(\widetilde{i^*}\)-th right session are not rewound. Details are given below.

Assume for contradiction that there exists \(h\in \{k-1, k \}\) such that in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\), a left session is bad with non-negligible probability. (Here, the indices of the left sessions are determined by the order in which Stage III begins; the reason why we define the indices in this way will become clear later.) Then, there exists \(i^*\in [m]\) such that in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\), the first \((i^*-1)\) left sessions are good except with negligible probability but the \(i^*\)-th left session is bad with non-negligible probability. Note that from the soundness of \(\mathsf {WIPOK}\), when the \(i^*\)-th left session is bad, the committed value of the \(\mathsf {CECom}\) commitment in Stage II-2 is \(r_P\) in the \(i^*\)-th left session except with negligible probability, where \(r_P\) is the value committed to in Stage II-1 of the \(i^*\)-th left session. In the following, we use \(\mathsf{BAD }\) to denote the event that the \(i^*\)-th left session is bad, and use \(\mathsf{CHEAT }\) to denote the event that the committed value of the \(\mathsf {CECom}\) commitment in Stage II-2 is \(r_P\) in the \(i^*\)-th left session. Then, let us consider the following hybrids.

  • Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h}\). From our assumption, \(\mathsf{BAD }\) occurs in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) with non-negligible probability. Thus, from the above argument, \(\mathsf{CHEAT }\) occurs in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) with non-negligible probability.

  • Hybrid simulator \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) is the same as \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:0}\) except that \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) terminates just before Stage III of the \(i^*\)-th left session begins. Clearly, \(\mathsf{BAD }\) and \(\mathsf{CHEAT }\) also occur in \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) with non-negligible probability.

  • Hybrid simulator \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) emulates \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\) in polynomial time as follows.

    1. At the beginning, a random left session s is chosen. (Here, we guess that session s is the \(i^*\)-th left session.)

    2. In every left session, in Stage I-2, the committed value \((r_V, d)\) is extracted by the robust concurrent extractor of \(\mathsf {CECom}\) in such a way that the \(\mathsf {CCACom}^{1:1}\) commitment of left session s and the \(\mathsf {CCACom}^{1:1}\) commitment of the \(\widetilde{i^*}\)-th right session are not rewound. In addition, in the \(\widetilde{i^*}\)-th right session, the committed value of \(\mathsf {CCACom}^{1:1}\) is extracted by forwarding the commitment to \(\mathcal {O}\).

    3. In left session s, the committed value is also extracted in Stage II-2 by the robust concurrent extractor of \(\mathsf {CECom}\) without rewinding the \(\mathsf {CCACom}^{1:1}\) commitment of the \(\widetilde{i^*}\)-th right session.

    Note that when Stage III of a left session is executed, the \(\mathsf {CECom}\) commitment in Stage I-2 of that session is valid except with negligible probability (since that session is one of the first \((i^*-1)\) left sessions and therefore it is good except with negligible probability). Thus, the values extracted from the concurrent extractor are equal to the values that would be extracted by brute force except with negligible probability; therefore, \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) statistically emulates \(h\hbox {-}{\hat{\mathcal {S}}}_{0:h:1}\), and \(\mathsf{BAD }\) and \(\mathsf{CHEAT }\) occur in \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) with non-negligible probability.

Note that session s is the \(i^*\)-th left session with non-negligible probability. Then, since \(\mathsf{CHEAT }\) occurs in \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\) with non-negligible probability, \(r_P\) is extracted from the \(\mathsf {CECom}\) commitment in Stage II-2 of session s with non-negligible probability, where \(r_P\) is the value committed to in Stage II-1 of session s. Then, since the \(\mathsf {CCACom}^{1:1}\) commitment of session s is not rewound in \(h\hbox {-}\mathcal {S}_{0:h:1}^{\mathcal {O}}\), we can break the one-one CCA security of \(\mathsf {CCACom}^{1:1}\). Thus, we reach a contradiction.   \(\square \)

Thus, for each \(h\in \{k-1, k \}\), the outputs of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:h}\) and \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:h}\) are indistinguishable.

To show that the outputs of \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k-1}\) and \(h\hbox {-}{\hat{\mathcal {SE}}}_{0:k}\) are indistinguishable, it remains to prove that the outputs of \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k-1}\) and \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k}\) are indistinguishable. This can be shown as follows. Observe that \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k-1}\) and \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k}\) differ only in the k-th \(\mathsf {ExtCom}\) commitment of the \(\mathsf {CECom}\) commitment of the \(\widetilde{i^*}\)-th right session, and this \(\mathsf {ExtCom}\) commitment is not rewound in either \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k-1}\) or \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k}\). In addition, \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k-1}\) and \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k}\) run in polynomial time given oracle access to the one-session committed-value oracle \(\mathcal {O}\) of \(\mathsf {CCACom}^{1:1}\). Thus, from the hiding property of \(\mathsf {ExtCom}\) and the 4-robustness of \(\mathsf {CCACom}^{1:1}\), the output of \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k-1}\) and that of \(h\hbox {-}\mathcal {SE}^{\mathcal {O}}_{0:k}\) are indistinguishable.

Thus, we conclude that the probability that \(\widetilde{r}_V\) is extracted in \(h\hbox {-}{\hat{\mathcal {SE}}}_1\) is non-negligible. This concludes the proof of Claim 4.   \(\square \)

By using essentially the same argument as in the proof of Claim 4, we can show that \(\widetilde{r}_V\) is extracted with non-negligible probability also in \(h\hbox {-}{\hat{\mathcal {SE}}}_2\), \(h\hbox {-}{\hat{\mathcal {SE}}}_3\), and \(h\hbox {-}{\hat{\mathcal {SE}}}_4\).

Concluding the Proof of Claim 1. In \(h\hbox {-}{\hat{\mathcal {SE}}}_4\), the \(\widetilde{i^*}\)-th right session is independent of \(\widetilde{r}_V\), and therefore the probability that \(\widetilde{r}_V\) is extracted is negligible. However, we showed above that this probability is non-negligible. Thus, we reach a contradiction.

This concludes the proof of Theorem 2.   \(\square \)