
Page 1: [IEEE The First International Symposium on Data, Privacy, and E-Commerce (ISDPE 2007) - Chengdu, China (2007.11.1-2007.11.3)] The First International Symposium on Data, Privacy, and

Constant-Round Restricted-Verifier Zero-Knowledge with Polynomial Precision ∗

Ning Ding, Dawu Gu
Department of Computer Science and Engineering

Shanghai Jiao Tong University
Shanghai, 200240, China

{dingning, dwgu}@sjtu.edu.cn

Abstract

We provide the first proof that for every language L ∈ NP there exists an O(1)-round computational zero-knowledge argument with polynomial precision for L. Our result assumes that the ratio of the running times of any adversary verifier in the same verifier round of any two different executions of the argument is bounded by $n^a$, where n is the security parameter and a is any predetermined constant. Such verifiers are called restricted verifiers. Precise zero-knowledge was introduced by Micali and Pass in STOC'06 (they used the term "local zero-knowledge" there); they constructed ω(1)-round polynomial/linear precise zero-knowledge protocols for NP and left open the problem of constructing O(1)-round polynomial/linear precise zero-knowledge protocols. By providing a precise simulator for Barak's O(1)-round non-black-box zero-knowledge argument, we prove that the argument has polynomial precision.

1. Introduction

Zero-knowledge proofs were introduced by Goldwasser, Micali and Rackoff [11]. Their definition essentially states that an interactive proof of x ∈ L provides zero (additional) knowledge if, for any efficient verifier V, the view of V in the interaction can be "indistinguishably reconstructed" by an efficient simulator S, interacting with no one, on just input x. Since efficiency is formalized as polynomial time, a worst-case notion, zero knowledge automatically becomes a worst-case notion too. The refinement of [9] calls for a tighter coupling between the expected running time of V and that of S: a proof is zero-knowledge with tightness t(·) if there exists a fixed polynomial p(·) such that the expected running time of S(x) is upper-bounded by t(|x|) times the expected running time of V(x), plus p(|x|).

∗This work is supported by the National Natural Science Foundation of China under Grant No. 60573031 and the New Century Excellent Talent Program of the Education Ministry of China under Grant NCET-05-0398.

Micali and Pass [12] argue, however, that such a coupling may still be insufficient, even when the tightness function is a constant and the polynomial p(·) is identically 0. Consider a malicious verifier V that, on input an instance $x \in \{0,1\}^n$, takes $n^{10}$ computational steps with probability 1/n, and n steps the rest of the time. The expected running time of V is roughly $n^9$ (exactly $n^9 + n - 1$), and thus zero knowledge with optimal tightness only requires that V be simulated in expected time $\Omega(n^9)$. [12] argues that one cannot take for granted that V is indifferent between going out to interact with the prover and staying home to run S: by interacting with P, V will almost always execute n steps of computation, while (in the absence of extra guarantees) running the simulator might always cost it $n^9$ steps of computation. (This is not just a theoretical worry or an artifact of the definition: it actually occurs for classical protocols and simulators.) This discussion shows that a stronger notion of zero knowledge is needed.

Therefore, [12] put forward a stronger notion of zero-knowledge: precise zero-knowledge. (In [12] Micali and Pass used the term "local zero-knowledge"; in [14] Pass used the term "precise zero-knowledge" instead. This paper adopts the term "precise zero-knowledge".) Informally, P provides a precise zero-knowledge proof of x ∈ L if the view v of any verifier V in an interaction with P about x can be reconstructed, on just input x, in almost the same time as that taken by V in the particular view v. [12] also shows that the definition of precise zero-knowledge makes no reference to complexity classes, which makes it more general, conceptually simpler and more widely applicable. Several applications are preserving the success/time distribution, securing semi-easy properties and more deniable identification.

1.1. Known results and open problem

Known results. [12] proposes the definitions of polynomial/linear precise zero-knowledge proofs/arguments and proofs of knowledge, and achieves several results on zero-knowledge for languages in NP. We list their results in Theorems 1 and 2.

First International Symposium on Data, Privacy and E-Commerce. 0-7695-3016-8/07 $25.00 © 2007 IEEE. DOI 10.1109/ISDPE.2007.68

Theorem 1 Assume the existence of k(n)-round statistically-hiding commitments. Then every language L in NP has:

1. An ω(k(n))-round computational zero-knowledge proof with polynomial precision.

2. An ω(k(n) log n)-round computational zero-knowledge proof with linear precision.

3. A (k(n) + ω(1))-round statistical zero-knowledge argument with polynomial precision.

4. A (k(n) + ω(log n))-round statistical zero-knowledge argument with linear precision.

Theorem 2 Assume the existence of one-way functions. Then there exists an ω(1)-round computational zero-knowledge argument with polynomial precision for all languages in NP. There also exists an ω(log n)-round computational zero-knowledge argument with linear precision for all languages in NP.

[12] obtains these results in a common manner. First, a witness-indistinguishable (WI) proof of knowledge (P, V) [5] that satisfies special soundness [4] is repeated a sufficient number of times, which yields a precise WI proof of knowledge. Then the precise WI proof of knowledge replaces the WI proofs of knowledge used in known zero-knowledge protocols [7][6][10], which yields zero-knowledge with different levels of precision.

Open problem. As Theorems 1 and 2 show, all known precise zero-knowledge systems use at least ω(1) rounds. Hence the existence of O(1)-round polynomial/linear precise zero-knowledge arguments/proofs is an open problem.

1.2. Our results

In this paper we solve this open problem with respect to polynomial precision. Our result assumes that, for every adversary verifier, the ratio of the running times of the verifier in the same verifier round (specified in Section 3.3) of any two different executions of the argument is bounded by $n^a$, where n is the security parameter and a is any predetermined constant. Such verifiers are called restricted verifiers.

Theorem 3 Assume the existence of standard collision-free hash functions. Then for every language L ∈ NP there exists an O(1)-round computational zero-knowledge argument with polynomial precision for L.

Our starting point is Barak's non-black-box zero-knowledge argument [1]. [14] points out that the known simulator [1] for this argument is not precise. By providing a precise simulator for Barak's protocol, we show that it has polynomial precision. Together with its constant-round property, this gives Theorem 3.

1.3. Related works

A first step towards precision was already taken in [9]. The refinement of [15][13], aimed at measuring the "actual security" of a zero-knowledge proof system, calls for a tighter coupling between the worst-case running time of V and the expected running time of S. [8] introduces the notion of a conservative proof of knowledge, which bounds the knowledge of a player in terms of its expected running time (but not in terms of its higher-order moments). [12][14] propose the notions of precise zero-knowledge and precise WI proofs of knowledge, and also give the known precise zero-knowledge systems. Our results also benefit from Barak's non-black-box zero-knowledge argument [1], which uses the witness-indistinguishable universal argument of [2].

1.4. Organization

The rest of this paper is arranged as follows. Section 2 contains the basic notions and definitions used throughout the paper. Section 3 presents our results.

2. Notations and Definitions

This section contains the notions and definitions used throughout this paper. We follow the notation and definitions of [14][2].

2.1. Notations

Throughout this paper we use the terms "Turing machine" and "algorithm" interchangeably. We assume familiarity with the notation of [11] for an Interactive Turing Machine [20] (ITM for brevity) and a protocol (in essence, a pair of ITMs).

A function ν(·) from non-negative integers to reals is called negligible if for every constant c > 0 and all sufficiently large n, it holds that $\nu(n) < n^{-c}$. If M is a deterministic algorithm, we denote by $\mathrm{STEPS}_M(x)$ the number of computational steps taken by M on input x. If M is a probabilistic algorithm, we denote by $M_r$ the deterministic algorithm obtained by fixing the content of M's random tape to r. Then $\mathrm{STEPS}_{M_r}(x)$ denotes the number of computational steps taken by M on input x when receiving r as its random tape. We let $M_\bullet(x)$ denote the probability distribution over the outputs of M on input x when each bit of the random tape r is selected at random and independently.

Executions, transcripts and views. Let $M_A, M_B$ be vectors of strings, $M_A = (m^1_A, m^2_A, \ldots)$, $M_B = (m^1_B, m^2_B, \ldots)$, and let $x, r_1, r_2, z_1, z_2 \in \{0,1\}^*$. We say that the pair $((x, z_1, r_1, M_A), (x, z_2, r_2, M_B))$ is an execution of the protocol (A, B) if running ITM A on common input x, auxiliary input $z_1$ and random tape $r_1$ with ITM B on x, $z_2$ and $r_2$ results in $m^i_A$ being the i-th message received by A and $m^i_B$ being the i-th message received by B. We also denote such an execution by $A_{r_1}(x, z_1) \leftrightarrow B_{r_2}(x, z_2)$.

In an execution $((x, z_1, r_1, M_A), (x, z_2, r_2, M_B)) = (V_A, V_B)$ of the protocol (A, B), we call $V_A$ the view of A (in the execution) and $V_B$ the view of B. We let $\mathrm{VIEW}_1[A_{r_1}(x, z_1) \leftrightarrow B_{r_2}(x, z_2)]$ denote A's view in the execution $A_{r_1}(x, z_1) \leftrightarrow B_{r_2}(x, z_2)$ and $\mathrm{VIEW}_2[A_{r_1}(x, z_1) \leftrightarrow B_{r_2}(x, z_2)]$ B's view in the same execution. In an execution $((x, z_1, r_1, M_A), (x, z_2, r_2, M_B))$, the pair $(M_A, M_B)$ is called the transcript of the execution.

Outputs of executions and views. If e is an execution of a protocol $(A_1, A_2)$ we denote by $\mathrm{OUT}_i(e)$ the output of $A_i$, where $i \in \{1, 2\}$. Analogously, if v is the view of A, we denote by $\mathrm{OUT}(v)$ the output of A in v.

Random executions. We denote by $A_\bullet(x, z_1) \leftrightarrow B_{r_2}(x, z_2)$, $A_{r_1}(x, z_1) \leftrightarrow B_\bullet(x, z_2)$ and $A_\bullet(x, z_1) \leftrightarrow B_\bullet(x, z_2)$ the probability distribution of the random variable obtained by selecting each bit of $r_1$ (respectively, each bit of $r_2$, and each bit of $r_1$ and $r_2$) randomly and independently, and then outputting $A_{r_1}(x, z_1) \leftrightarrow B_{r_2}(x, z_2)$. The corresponding probability distributions for VIEW and OUT are defined analogously.

Counting ITM steps. Let A be an ITM and $v = (x, z, r, (m_1, m_2, \ldots, m_k))$. Then by $\mathrm{STEPS}_A(v)$ we denote the number of computational steps taken by A running on common input x, auxiliary input z and random tape r, and receiving $m_i$ as its i-th message. (In counting steps, we assume that an algorithm A, given the code of a second algorithm B and an input x, can simulate the computation of B on input x with linear-time overhead.)

2.2. Definitions

Definition 1 (Interactive proof/argument system [11][3]) A pair of interactive machines (P, V) is called an interactive proof system for a language L if machine V is polynomial-time and the following conditions hold with respect to some negligible function ν(·).

1. (Completeness) For every x ∈ L, there exists a (witness) string y such that for every $z \in \{0,1\}^*$, $\Pr[\mathrm{OUT}_V[P_\bullet(x, y) \leftrightarrow V_\bullet(x, z)] = 1] = 1$.

2. (Soundness) For every x ∉ L, every $P^*$ and every $y, z \in \{0,1\}^*$, $\Pr[\mathrm{OUT}_V[P^*_\bullet(x, y) \leftrightarrow V_\bullet(x, z)] = 1] \le \nu(|x|)$.

In case the soundness condition is required to hold only with respect to computationally bounded provers, the pair (P, V) is called an interactive argument.

Definition 2 (Zero-knowledge [11]) Let L be a language in NP, $R_L$ a witness relation for L, and (P, V) an interactive proof (argument) system for L. We say that (P, V) is perfect/statistical/computational zero-knowledge if for every probabilistic polynomial-time $V^*$ there exists a probabilistic polynomial-time algorithm S such that the following ensembles are identical/statistically close/computationally indistinguishable over L:

a) $\{\mathrm{VIEW}_2[P_\bullet(x, y) \leftrightarrow V^*_\bullet(x, z)]\}_{x \in L,\; y \in R_L(x),\; z \in \{0,1\}^*}$

b) $\{S_\bullet(x, z)\}_{x \in L,\; y \in R_L(x),\; z \in \{0,1\}^*}$

Definition 3 (Precise zero-knowledge [12][14]) Let L be a language in NP, $R_L$ a witness relation for L, (P, V) an interactive proof (argument) system for L, and $p : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ a monotonically increasing function. We say that (P, V) is a perfect/statistical zero-knowledge proof (argument) system with precision p if for every ITM $V^*$ there exists a probabilistic algorithm S such that the following conditions hold:

1. The following two ensembles are identical/statistically close over L:

a) $\{\mathrm{VIEW}_2[P_\bullet(x, y) \leftrightarrow V^*_\bullet(x, z)]\}_{x \in L,\; y \in R_L(x),\; z \in \{0,1\}^*}$

b) $\{S_\bullet(x, z)\}_{x \in L,\; y \in R_L(x),\; z \in \{0,1\}^*}$

2. For every x ∈ L, every auxiliary input $z \in \{0,1\}^*$ and every sufficiently long $r \in \{0,1\}^*$, $\mathrm{STEPS}_{S_r}(x, z) \le p(|x|, \mathrm{STEPS}_{V^*}(S_r(x, z)))$.

We refer to S as above as a precise simulator, or as a simulator with precision p. If p(n, t) is a polynomial (a linear function) in t only, we say that (P, V) has polynomial (linear) precision.

Computational zero-knowledge. We obtain the notion of computational zero-knowledge by adding the restriction that $V^*$ is a probabilistic polynomial-time machine and by requiring that the two ensembles of Condition 1 be computationally indistinguishable.

Let $L_U$ denote the universal language: the tuple (M, x, t) is in $L_U$ if M is a non-deterministic machine that accepts x within t steps; let $R_U$ denote the witness relation for $L_U$. We now give the definition of universal arguments.

Definition 4 (Universal argument [2]) A universal argument system is a pair of ITMs, denoted (P, V), that satisfies the following properties:

1. Efficient verification: There exists a polynomial p such that for any y = (M, x, t), the total time spent by the (probabilistic) verifier strategy V, on common input y, is at most p(|y|). In particular, all messages exchanged in the protocol have length smaller than p(|y|).

2. Completeness by a relatively-efficient prover: For every (y = (M, x, t), w) in $R_U$ and every $z_2 \in \{0,1\}^*$, $\Pr[\mathrm{OUT}_V[P_\bullet(y, w) \leftrightarrow V_\bullet(y, z_2)] = 1] = 1$. Furthermore, there exists a polynomial p such that the total time spent by P(w), on common input (M, x, t), is at most $p(T_M(x, w)) \le p(t)$.

3. Computational soundness: For every probabilistic polynomial-time P, every $z_1, z_2 \in \{0,1\}^*$ and every $y = (M, x, t) \in \{0,1\}^n \setminus L_U$, there exists some negligible function ν(·) such that $\Pr[\mathrm{OUT}_V[P_\bullet(y, z_1) \leftrightarrow V_\bullet(y, z_2)] = 1] < \nu(n)$.

4. A weak proof-of-knowledge property: For every positive polynomial p there exists a positive polynomial p′ and a probabilistic polynomial-time oracle machine E such that the following holds: for every probabilistic algorithm $P^*$, every $z_1, z_2 \in \{0,1\}^*$ and every sufficiently long input $y = (M, x, t) \in \{0,1\}^*$, if $\Pr[\mathrm{OUT}_V[P^*_\bullet(y, z_1) \leftrightarrow V_\bullet(y, z_2)] = 1] > 1/p(|y|)$ then $\Pr[E^{P^*}(y) = C \text{ s.t. } [C] \in R_U(y)] > 1/p'(|y|)$, where [C] denotes the function computed by the Boolean circuit C. The oracle machine E is called a (knowledge) extractor.

3. O(1)-round computational zero-knowledge argument with polynomial precision

In this section we prove Theorem 3, i.e., the existence of an O(1)-round computational zero-knowledge argument with polynomial precision for NP. Before presenting our proof, we review Barak's non-black-box zero-knowledge argument [1] and explain, following [14], why its known simulator is not precise (even in the restricted-verifier setting).

3.1. Non-black-box zero-knowledge

Let L be any language in NP, let WI-UARG be a witness-indistinguishable universal argument, and let $T(n) = n^{\log \log n}$. Denote by Com a commitment scheme and by $\{H_n\}_{n \in \mathbb{N}}$ a family of hash functions, where $H_n = \{h_n\}$ and $h_n : \{0,1\}^* \to \{0,1\}^n$. A high-level overview of Barak's protocol [1] is given in Protocol 3.1.

Protocol 3.1: Barak's non-black-box zero-knowledge argument

Public input: an instance $x \in \{0,1\}^n$ of L with witness relation $R_L$.

Prover's auxiliary input: w (a witness that x ∈ L).

Step V1: Verifier chooses $h \leftarrow_R H_n$ and sends h to the prover.

Step P2: Prover computes $c \leftarrow_R \mathrm{Com}(h(0^n))$ and sends c to the verifier.

Step V3: Verifier selects $r \leftarrow_R \{0,1\}^n$ and sends it.

WI-UARG: Prover runs a WI-UARG with the verifier proving the OR of the following two statements:

1. There exists $w \in \{0,1\}^{\mathrm{poly}(n)}$ such that $R_L(x, w) = 1$.

2. c is a commitment to a hash, under the function h, of a program Π such that Π(c) = r within T(n) steps.

[1] presents a (universal) simulator S for Protocol 3.1: for every adversary $V^*$, on receiving the description of $V^*$, S can generate a view for $V^*$. S is described in Algorithm 3.1.

Algorithm 3.1: The (universal) simulator S for Protocol 3.1

Input: An instance $x \in \{0,1\}^n$ of a language L. $V^*$: the description of a polynomial-time verifier, and its auxiliary input $z \in \{0,1\}^{\mathrm{poly}(n)}$. W.l.o.g. assume $V^*$ is deterministic. Let $V^{**}$ denote the description of the verifier $V^*$ with x hardwired into it, which takes at most 2n bits.

Simulated Step V1: Compute h.

Simulated Step P2: Compute the next-message algorithm Π of $V^{**}(z)$. Then compute $c = \mathrm{Com}(h(\Pi); s)$ where $s \leftarrow_R \{0,1\}^{\mathrm{poly}(n)}$ are the coins chosen for Com.

Simulated Step V3: Compute the verifier $V^{**}(z)$'s response to the message c, i.e. r = Π(c).

Simulated steps in WI-UARG: Run a WI-UARG with $V^{**}$ proving the OR of the following two statements using the witness (Π, s):

1. There exists $w \in \{0,1\}^{\mathrm{poly}(n)}$ such that $R_L(x, w) = 1$.

2. $c = \mathrm{Com}(h(\Pi); s)$ and Π(c) = r within T(n) steps.

As shown in [2], Protocol 3.1 is an O(1)-round computational zero-knowledge argument under the assumption that $\{H_n\}_{n \in \mathbb{N}}$ is constructed by combining a specific tree-hashing approach with any standard collision-free (i.e. against polynomial-size circuits) hash function.

3.2. Known simulator is not precise

[14] states briefly why Barak's non-black-box zero-knowledge argument is not precise. We explain the reason more precisely.

Denote by v a view generated by S in a random execution with random tape r′. Then $\mathrm{STEPS}_{V^*}(v)$ is the total number of steps taken by $V^*$ on receiving v.

Denote by LENGTH(n) the bit length of z. In general, LENGTH(n) cannot be bounded by any predetermined polynomial. In simulated Step P2, the number of steps taken by S is $p_1(\mathrm{LENGTH}(n))$, where $p_1$ is a polynomial determined by computing Π, the commitment Com and the hash function h (note that $p_1(t) \ge t$, since S must at least read all of z). Obviously $\mathrm{STEPS}_{S_{r'}}(x, V^*, z) > p_1(\mathrm{LENGTH}(n))$.

Hence for any p(n, t) that is a polynomial in t (expressing the precision property), if $\mathrm{LENGTH}(n) > p(n, \mathrm{STEPS}_{V^*}(v))$, then $\mathrm{STEPS}_{S_{r'}}(x, V^*, z) > p(n, \mathrm{STEPS}_{V^*}(v))$. Hence the simulation is not precise.

3.3. Non-black-box zero-knowledge has polynomial precision via our simulator

This subsection presents the proof of Theorem 3. Our starting point is Protocol 3.1, which is not precise because of its non-precise simulator S. Hence we provide this protocol with a precise simulator. Assume that, for every adversary verifier, the ratio of the running times of the adversary verifier in Step V3 of any two different executions of Protocol 3.1 is bounded by $n^a$, where a is any predetermined constant.

For any string str, denote by $\mathrm{str}_m$ the m-th bit of str and by $\mathrm{str}_{1;m}$ the m-bit prefix of str (if str is shorter than m bits, let $\mathrm{str}_{1;m}$ denote str itself).

Theorem 3 (restated). Assume the existence of standard collision-free hash functions. Then for every language L ∈ NP there exists an O(1)-round computational zero-knowledge argument with polynomial precision for L.

Proof: We first present our simulation strategy for Protocol 3.1. Denote our simulator by S′.

The reason that S is not precise is that the auxiliary input z of $V^{**}$ may be very long while only a small portion of it is accessed by $V^{**}$. However, S always commits to the hash of $V^{**}$ together with the whole of z and thus takes a long time. Hence the fundamental strategy of S′ is not to commit to the hash of $V^{**}$ and the whole of z in simulated Step P2. The details follow.

The difference between our simulator S′ and the known simulator S described in Section 3.1 lies in simulated Steps P2 and V3. In simulated Step P2, S′ does not commit to the hash of $V^{**}$ and the whole auxiliary input z; instead it commits to the hash of $V^{**}$ and (almost exactly) the bits of z that are actually used in simulated Step V3. That is, S′ only commits to the hash of $V^{**}$ and a sufficiently long prefix of z. (The inputs to S′ are x, $V^*$ and z. W.l.o.g. suppose S′ has two input tapes: x and $V^*$ are placed on one tape and z on the other. Both of S′'s read heads point to the leftmost bit (i.e. the first bit) of the corresponding input tape before the computation starts, and a read head moves one bit to the left or to the right in each computational step. Hence, although z may be very long, the bits of z accessed by $V^*$ (as simulated by S′) always form a prefix of z.) We expect this prefix to be long enough to guarantee that, on receiving the commitment c, $V^{**}$ does not use any bit of z beyond it in simulated Step V3.

Denote by z′ this sufficiently long prefix of z. Furthermore, we also expect the bit length of z′ to be bounded by a polynomial in the total number of steps taken by $V^*$. Therefore, if such a z′ exists and can be found efficiently, polynomial precision of the non-black-box zero-knowledge argument can be achieved. Hence the remaining problem is how to compute such a z′.

Let S′ compute z′ and simulate Steps P2 and V3 in a loop. Let g(·) be any polynomial; w.l.o.g. let g(n) = n. In simulated Step P2, S′ computes Π, the next-message algorithm of $V^{**}(z_{1;g(n)})$. Then it computes $c = \mathrm{Com}(h(\Pi); s)$ where $s \leftarrow_R \{0,1\}^{\mathrm{poly}(n)}$. In simulated Step V3, S′ runs $V^{**}$ to output r on receiving c and checks whether $V^{**}$ accesses any bit of z beyond $z_{1;g(n)}$ during the simulation. If $z_{g(n)+1}$ is accessed, S′ cancels the simulation, multiplies g(n) by n, goes back to simulated Step P2 and re-simulates Steps P2 and V3. Otherwise, (Π, s) is exactly the witness for $c = \mathrm{Com}(h(\Pi); s)$ and Π(c) = r, and $z_{1;g(n)}$ is the desired z′. So S′ can use (Π, s) as the witness to make $V^{**}$ accept in the remaining WI-UARG. The full description of S′ is given in Algorithm 3.2.

Algorithm 3.2: Our precise (universal) simulator S′ for Protocol 3.1

Input: An instance $x \in \{0,1\}^n$ of a language L. $V^*$: the description of a polynomial-time restricted verifier, and its auxiliary input $z \in \{0,1\}^{\mathrm{poly}(n)}$. W.l.o.g. assume $V^*$ is deterministic. Let $V^{**}$ denote the description of $V^*$ with x hardwired into it, which takes at most 2n bits.

Initialization: Set g(n) = n initially.

Simulated Step V1: Compute h.

Simulated Step P2: Compute the next-message algorithm Π of $V^{**}(z_{1;g(n)})$. Then compute $c = \mathrm{Com}(h(\Pi); s)$ where $s \leftarrow_R \{0,1\}^{\mathrm{poly}(n)}$ are the coins chosen for Com.

Simulated Step V3: Simulate $V^{**}$ to compute r on receiving c. If $z_{g(n)+1}$ is accessed during the simulation, cancel the simulation, set g(n) ← g(n) · n, go back to simulated Step P2 and re-simulate Steps P2 and V3. Otherwise, (Π, s) is the witness such that $c = \mathrm{Com}(h(\Pi); s)$ and Π(c) = r.

Simulated steps in WI-UARG: Run a WI-UARG with $V^{**}$ proving the OR of the following two statements using the witness (Π, s):

1. There exists $w \in \{0,1\}^{\mathrm{poly}(n)}$ such that $R_L(x, w) = 1$.

2. $c = \mathrm{Com}(h(\Pi); s)$ and Π(c) = r within T(n) steps.
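The prefix-search loop over simulated Steps P2 and V3 is the new ingredient of Algorithm 3.2, so the following toy model of it is added here as an illustration; it is not code from the paper. It models the auxiliary-input tape as a byte array whose reads are tracked, a constructed adversary $V^{**}$ whose Step V3 answer reads exactly a fixed-length prefix of z regardless of c (so its Step V3 running time is the same in every execution, i.e. a restricted verifier with a = 0), SHA-256 as h, and a hash-based stand-in Com(m; s) = SHA-256(s || m) for the commitment. The WI-UARG is not modelled; the example only checks that the witness (Π, s) found by the loop satisfies statement 2. One verifier "step" is one tape read. All of these choices are assumptions of the example.

```python
"""Toy model of the prefix-search loop in Algorithm 3.2 (added example).

Assumptions not made by the paper: bytes of z stand in for bits; one
verifier step = one tape read; h = SHA-256; Com(m; s) = SHA-256(s || m);
the WI-UARG is replaced by a direct check of statement 2.
"""
import hashlib
import os

N = 4  # toy security parameter n: g(n) starts at n and is multiplied by n per restart


class AccessBeyondPrefix(Exception):
    """V** read z_{g+1} (or later) although only z_{1;g} was committed to."""


class PrefixTape:
    """The tape holding z_{1;g}: reading an index >= g aborts the simulation."""

    def __init__(self, z: bytes, g: int):
        self.z, self.g, self.reads = z, g, 0

    def read(self, i: int) -> int:
        self.reads += 1  # one verifier step per tape access
        if i >= self.g:
            raise AccessBeyondPrefix(i)
        return self.z[i]


def make_verifier(needed: int):
    """Constructed adversary V**: in Step V3 it reads exactly the first
    `needed` bytes of z (independently of c) and answers r = H(c || bytes)."""

    def next_message(c: bytes, tape: PrefixTape) -> bytes:
        material = bytes(tape.read(i) for i in range(needed))
        return hashlib.sha256(c + material).digest()[:N]

    return next_message


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def com(m: bytes, s: bytes) -> bytes:
    """Stand-in commitment Com(m; s) with coins s (assumption: hash-based)."""
    return hashlib.sha256(s + m).digest()


def describe(verifier_id: bytes, prefix: bytes) -> bytes:
    """Description of Pi, the next-message algorithm of V**(z_{1;g}):
    an identifier for the code of V** followed by the committed prefix."""
    return verifier_id + len(prefix).to_bytes(4, "big") + prefix


def precise_simulate(verifier, verifier_id: bytes, z: bytes, n: int = N):
    """Simulated Steps P2 and V3 of Algorithm 3.2.

    Returns (c, r, Pi, s, final g, number of loop iterations, verifier steps)."""
    g, loops, verifier_steps = n, 0, 0
    while True:
        loops += 1
        # Simulated Step P2: commit to h(Pi) where Pi is V** with z_{1;g} hardwired.
        pi = describe(verifier_id, z[:g])
        s = os.urandom(16)
        c = com(h(pi), s)
        # Simulated Step V3: run V** on c, watching for a read of z_{g+1}.
        tape = PrefixTape(z, g)
        try:
            r = verifier(c, tape)
        except AccessBeyondPrefix:
            verifier_steps += tape.reads
            g *= n  # g(n) <- g(n) * n, then re-simulate P2 and V3
            continue
        verifier_steps += tape.reads
        return c, r, pi, s, g, loops, verifier_steps


def statement2_holds(verifier, verifier_id: bytes, pi: bytes, s: bytes,
                     c: bytes, r: bytes) -> bool:
    """Check the witness (Pi, s): c = Com(h(Pi); s) and Pi(c) = r, where Pi(c)
    is recomputed from the committed prefix alone (no access to the full z)."""
    if com(h(pi), s) != c:
        return False
    plen = int.from_bytes(pi[len(verifier_id):len(verifier_id) + 4], "big")
    prefix = pi[len(verifier_id) + 4:]
    if len(prefix) != plen:
        return False
    try:
        return verifier(c, PrefixTape(prefix, plen)) == r
    except AccessBeyondPrefix:
        return False


if __name__ == "__main__":
    Z = bytes(range(256)) * 4        # constructed 1024-byte auxiliary input
    V = make_verifier(100)           # V** touches only z_{1;100}
    c, r, pi, s, g, loops, steps = precise_simulate(V, b"V**", Z)
    print(f"loops={loops} final g={g} verifier steps={steps} "
          f"witness ok={statement2_holds(V, b'V**', pi, s, c, r)}")
```

With n = 4 and a verifier that touches 100 bytes of z, the loop restarts with g = 4, 16, 64 and succeeds at g = 256: the final prefix is less than n times what $V^{**}$ actually reads, which is the toy counterpart of the bound $g(n) \le n^{d+1} \le n^{a+1} \cdot \mathrm{STEPS}_{V^*}(v)$ with a = 0, and the number of iterations is $\lceil \log_n 100 \rceil = 4$. The committed description never contains more of z than the prefix, so the cost of simulated Step P2 is tied to the verifier's own work rather than to |z|.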

Polynomial precision: Since $V^*$ runs in polynomial time, a sufficiently long prefix of z makes S′ finish the loop. Hence S′ halts with certainty after some number of iterations. Denote by v the view generated by S′ on inputs x, $V^*$ and z with the random tape fixed to r′. In a real interaction the running time of $V^*$ on v is $\mathrm{STEPS}_{V^*}(v)$. We now give a (non-tight) upper bound on $\mathrm{STEPS}_{S'_{r'}}(x, V^*, z)$. Denote by l the linear-time overhead of S′ simulating the computation of $V^*$ (i.e. $V^{**}$). Then the number of steps taken by S′ in simulated Step V1 is less than $l \cdot \mathrm{STEPS}_{V^*}(v)$.

In the simulation, the number of steps taken by $V^*$ (run by S′) in simulated Step V3 in the last iteration is less than $\mathrm{STEPS}_{V^*}(v)$. The number of steps taken by $V^*$ in simulated Step V3 in each other iteration is less than $n^a \cdot \mathrm{STEPS}_{V^*}(v)$, since $V^*$ is a restricted verifier. Then there exists d with $n^d \le n^a \cdot \mathrm{STEPS}_{V^*}(v) < n^{d+1}$ such that the loop over simulated Steps P2 and V3 must have terminated after at most d + 1 iterations (including the first): each bit of z accessed costs at least one step, so in iteration d + 1, where $g(n) = n^{d+1}$, $V^*$ cannot reach $z_{g(n)+1}$. In each iteration the number of steps taken by S′ in simulated Step P2 is less than $p_1(g(n))$, where $p_1(\cdot)$ is as in Section 3.2 and g(n) denotes its current value in this iteration. Let $p_2(\cdot)$ denote the polynomial bounding the number of steps needed to compute g(n) · n. Since the loop repeats at most d + 1 times, the maximal value of g(n) satisfies $g(n) \le n^{d+1} \le n^{a+1} \cdot \mathrm{STEPS}_{V^*}(v)$. Hence the number of steps taken by S′ to finish simulated Steps P2 and V3 is less than $(d+1) \cdot \big(p_1(n^{a+1} \cdot \mathrm{STEPS}_{V^*}(v)) + l n^a \cdot \mathrm{STEPS}_{V^*}(v)\big) + d \cdot p_2(d \log_2 n)$.

In the WI-UARG, it is statement 2 that S′ actually proves to $V^{**}$, and statement 2 can be decided non-deterministically within a polynomial in $\mathrm{STEPS}_{V^*}(v)$ steps. Combined with Condition 2 of Definition 4, there exists a polynomial $p_3(\cdot)$ such that the number of steps taken by S′ as prover in the WI-UARG is less than $p_3(\mathrm{STEPS}_{V^*}(v))$.

Therefore,

$\mathrm{STEPS}_{S'_{r'}}(x, V^*, z) \le l \cdot \mathrm{STEPS}_{V^*}(v) + (d+1) \cdot \big(p_1(n^{a+1} \cdot \mathrm{STEPS}_{V^*}(v)) + l n^a \cdot \mathrm{STEPS}_{V^*}(v)\big) + d \cdot p_2(d \log_2 n) + p_3(\mathrm{STEPS}_{V^*}(v))$,

where l is the linear-time overhead, a is the predetermined constant, $d \le a + 1 + \log_n \mathrm{STEPS}_{V^*}(v)$, and $p_1(\cdot)$, $p_2(\cdot)$ and $p_3(\cdot)$ are fixed polynomials. Hence it is easy to verify that there exists a monotonically increasing bivariate polynomial p(·, ·) such that for every restricted $V^*$, every x ∈ L, every sufficiently long r′ and every z, $\mathrm{STEPS}_{S'_{r'}}(x, V^*, z) \le p(n, \mathrm{STEPS}_{V^*}(v))$.

O(1)-round computational zero-knowledge argument: Since we only provide a different simulator for Protocol 3.1 instead of modifying the protocol, its constant-round property, completeness and computational soundness remain. It remains to explain why the zero-knowledge property still holds; the proof is not complicated. Assume that S′ and S have the same inputs (i.e. x, $V^*$ and z). First, S′ and S compute the same h in simulated Step V1. Then the hiding property of Com, together with $z_{1;g(n)}$ being sufficiently long, guarantees that the outputs of S′ and S in simulated Steps P2 and V3 respectively are computationally indistinguishable. Hence, together with the witness indistinguishability of the WI-UARG, the views generated by S′ and S are computationally indistinguishable. That is, the computational zero-knowledge property is still satisfied. Details are omitted for lack of space.

This completes the proof.

References

[1] B. Barak. How to Go Beyond the Black-Box Simu-lation Barrier. In Proc. 42nd FOCS, pages 106-115,2001.

[2] B. Barak and O. Goldreich. Universal Arguments andTheir Applications. In Proc. 17th CCC, pages 194-203, 2002.

[3] G. Brassard, D. Chaum and C. Crepeau. MinimumDisclosure Proofs of Knowledge. JCSS, Vol. 37, No.2, pages 156-189, 1988. Preliminary version in 27thFOCS, 1986.

[4] R. Cramer, I. Damgård and B. Schoenmakers. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In Crypto'94, Springer LNCS 839, pages 174-187, 1994.

[5] U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In Proc. 22nd STOC, pages 416-426, 1990.

[6] U. Feige and A. Shamir. Zero Knowledge Proofs ofKnowledge in Two Rounds. In Crypto’89, SpringerLNCS 435, pages 526-544, 1989.

[7] A. Fiat and A. Shamir. How to Prove Yourself: Prac-tical Solutions to Identification and Signature Prob-lems. In Crypto’86, Springer LNCS 263, pages 181-187, 1987.

[8] S. Halevi and S. Micali. Conservative Proofs ofKnowledge. MIT/LCS/TM-578, May 1998.

[9] O. Goldreich. Foundations of Cryptography - BasicTools. Cambridge University Press, 2001.

[10] O. Goldreich, S. Micali and A. Wigderson. Proofs thatYield Nothing But Their Validity or All Languages inNP Have Zero-Knowledge Proof Systems. JACM, Vol.38(1), pages 691-729, 1991.

[11] S. Goldwasser, S. Micali, and C. Rackoff. The Knowl-edge Complexity of Interactive Proof-Systems. InProc. 17th STOC, pages 291-304, 1985.

[12] S. Micali and R. Pass. Local Zero Knowledge. In Proc.38th STOC, 2006.

[13] S. Micali and P. Rogaway. Secure Computation. In Crypto'91, Springer LNCS 576, pages 392-404, 1991.

[14] R. Pass. A Precise Computational Approach to Knowledge. MIT PhD thesis, July 2006.

[15] R. Pass. Simulation in Quasi-polynomial Time andits Application to Protocol Composition. In Euro-Crypt’03, Springer LNCS 2656, pages 160-176, 2003.
