Concurrent non-malleable zero-knowledge and simultaneous resettable non-malleable zero-knowledge in constant rounds
Cybersecurity volume 1, Article number: 12 (2018)
Abstract
Concurrent non-malleable zero-knowledge (CNMZK) considers the concurrent execution of zero-knowledge protocols in a setting where adversaries can simultaneously corrupt multiple provers and verifiers. As far as we know, the round complexity of all the constructions of CNMZK arguments for NP is at least ω(log n). In this paper, we provide the first construction of a constant-round concurrent non-malleable zero-knowledge argument for every language in NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations and indistinguishability obfuscators. As an additional contribution, we study the composition of two central notions in zero knowledge, simultaneously resettable zero-knowledge and non-malleable zero-knowledge, which seemingly have stronger proved security guarantees. We give the first construction of a constant-round simultaneously-resettable non-malleable zero-knowledge protocol. To the best of our knowledge, this is the first study to combine the two security concepts described above in zero-knowledge protocols.
Introduction
Zero-knowledge proof systems were introduced by Goldwasser, Micali and Rackoff (1989). Informally, an interactive proof protocol is zero-knowledge if the prover can convince the verifier that a statement is true without revealing any information other than the fact itself. Because of this property, zero-knowledge proofs have played a central role in the design and study of cryptographic protocols. The notion of concurrent zero knowledge (CZK) was first introduced by Dwork, Naor and Sahai (1998) to capture the setting where many copies of a zero-knowledge protocol are executed simultaneously in an asynchronous network, and messages from different copies may be arbitrarily interleaved by the verifier. The notion of non-malleable zero knowledge (NMZK) was first introduced by Dolev, Dwork and Naor (2000) to capture the execution of a zero-knowledge protocol in the setting where a man-in-the-middle adversary interacts with an honest prover in the left session and an honest verifier in the right session.
Concurrent Non-malleable Zero-Knowledge. By combining concurrent zero-knowledge with security against man-in-the-middle adversaries, Barak, Prabhakaran and Sahai (2006) introduced a stronger form of zero knowledge referred to as concurrent non-malleable zero knowledge (CNMZK). In such a protocol, the adversary has complete control over the communication channel and can participate in an unbounded number of concurrent executions. The notion guarantees that the proofs in the left sessions do not help the adversary to give proofs in the right sessions.
After the original protocol of Barak et al. (2006), various other concurrent non-malleable ZK protocols have been obtained (Ostrovsky et al. 2008, 2010; Lin et al. 2010; Lin and Pass 2011; Orlandi et al. 2014; Kiyoshima 2015). Lin, Pass, Tseng and Venkitasubramaniam (2010) focused on enhancing the soundness property by combining the notion of robust non-malleable commitments introduced by Lin et al. (2009) with the concurrently extractable commitments (CECom) introduced by Micciancio et al. (2006). They showed a poly(n)-round CNMZK proof for all of NP based on the one-way function assumption and a \( \widetilde{O}(\log n) \)-round protocol based on the existence of collision-resistant hash functions (CRHFs). Recently, Orlandi et al. (2014) achieved the first statistical CNMZK argument system. In their protocol, they used a special kind of commitment scheme called a “mixed non-malleable commitment” scheme based on the DDH assumptions. Very recently, Kiyoshima (2015) achieved a poly(n)-round statistical CNMZK argument system assuming only the existence of one-way functions. In that protocol, instead of using a non-malleable commitment to commit to the real witness (see (Barak et al. 2006; Lin et al. 2010)), a constant-round k-robust one-one CCA-secure commitment (Canetti et al. 2010; Lin and Pass 2012; Kiyoshima 2014; Goyal et al. 2015) is used to commit to a random string (e.g., 0^{n}).
However, we observe that the round complexity of all the above protocols based on the standard assumptions is at least \( \widetilde{O}(\log n) \) rounds. Indeed, in the standard model without setup assumptions, Canetti, Kilian, Petrank and Rosen (2001), building on earlier works (Kilian et al. 1998; Rosen 2000), showed that any black-box concurrent zero-knowledge protocol requires at least \( \widetilde{\Omega}(\log n) \) rounds. It can be observed that the lower bound also holds for black-box concurrent non-malleable zero-knowledge protocols. A breakthrough was made by Barak (2001), who proposed the first non-black-box simulation technique and constructed the first constant-round bounded-CZK argument system assuming the existence of CRHFs. Recently, Pandey, Prabhakaran and Sahai (2015) showed a new non-black-box simulation technique independent of the PCP theorem and constructed a 4-round CZK argument system based on the existence of CRHFs and differing-input obfuscation (diO) (Barak et al. 2001; Boyle et al. 2014; Ishai et al. 2015). Very recently, Chung, Lin and Pass (2015) achieved constant-round CZK with non-uniform soundness assuming the existence of CRHFs, OWP and iO (Barak et al. 2001; Garg et al. 2013) for P/poly. We stress that Ostrovsky, Persiano and Visconti (2008) showed a constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model. However, in this model each verifier has to register its public key in a public file during a preprocessing stage, and the secret key is known only to itself. Thus, one natural question we ask in this work is:
Can a constant-round concurrent non-malleable zero-knowledge protocol be obtained in the standard model?
Simultaneous Resettable Zero-Knowledge. The notion of resettable zero-knowledge (rZK) was first introduced by Canetti, Goldreich, Goldwasser and Micali (2000). It requires that the zero-knowledge condition hold even when the verifier can reset the prover to reuse its previous randomness. From the definition, we can see that the security of resettable zero-knowledge is stronger than that of concurrent zero-knowledge, because a resetting verifier could emulate any concurrent attack on a CZK protocol. Subsequently, Barak, Goldreich, Goldwasser and Lindell (2001) introduced the notion of resettably-sound zero-knowledge (rsZK). It requires that the soundness condition hold even when the prover can reset the verifier to use the same random tape in multiple concurrent executions. Following these two works, a number of works have investigated resettable security in zero-knowledge protocols (Deng et al. 2009; Cho et al. 2012; Garg et al. 2012; Chung et al. 2013b, 2014; Bitansky and Paneth 2015; Ostrovsky et al. 2015), focusing on either reducing the complexity assumptions or reducing the round complexity. Recently, Chung et al. (2013a) presented a construction of a simultaneous resettable zero-knowledge protocol with polynomial rounds based on the minimal assumption of one-way functions. Very recently, Chongchitmate et al. (2017) showed a constant-round simultaneous resettable zero-knowledge argument system based on the work of Chung et al. (2015). Thus, another question in this work is:
Can a constant-round interactive protocol be both simultaneous resettable zero-knowledge and non-malleable zero-knowledge?
Our results
In this paper, we combine the aforementioned approaches and answer the above questions positively. As the main result, we construct the first constant-round non-malleable concurrent zero-knowledge argument system.
Theorem 1
Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round concurrent non-malleable zero-knowledge argument system for NP.
Our additional contribution is that by combining our CNMZK argument system with the approach of (Chongchitmate et al. 2017) and (Deng et al. 2009), we get the first constant-round simultaneously resettable and non-malleable zero-knowledge protocol.
Theorem 2
Assuming the existence of collision-resistant hash functions, one-way permutations and iO for P/poly (with slightly super-polynomial security), there exists a constant-round simultaneously resettable and non-malleable zero-knowledge argument system for NP.
Our techniques
Below, we first recall the techniques in (Barak 2001; Chung et al. 2015; Kiyoshima 2015) and then give an overview of our construction.
Barak’s protocol. Barak’s non-black-box zero-knowledge argument system consists of three stages. In stage 1, the verifier V chooses a hash function \( h \xleftarrow{R} \mathcal{H} \) and sends it to the prover P, where \( \mathcal{H} \) is a collision-resistant hash function family. In stage 2, P sends a commitment c←Com(0^{n},ρ) to V, where Com is a statistically binding commitment scheme; then V responds with a random string r∈{0,1}^{2n} to P. In stage 3, P and V start a witness-indistinguishable universal argument (WIUA) system in which P proves to V that x∈L or (h,c,r)∈Λ. The language Λ is defined as (h,c,r)∈Λ iff there exists a program Π such that c=Com(h(Π),ρ) and Π on input c outputs r within n^{log log n} steps.
The soundness of Barak’s protocol follows from the fact that even if a malicious prover P^{∗} tries to commit to some program Π (instead of committing to 0^{n}), with high probability the output of Π(c) will be different from the string r sent by V for every string r∈{0,1}^{2n}. To prove zero knowledge, the simulator uses the code of the malicious verifier V^{∗} as the trapdoor in stage 2. By the definition of the language Λ, it must hold that c=Com(h(Π))=Com(h(V^{∗})) and Π(c)=V^{∗}(c)=r.
Chung et al.’s constant-round CZK protocol. In (Chung et al. 2013), Chung et al. presented a P-certificates assumption for the language L_{c}∈P where L_{c}={(M,x,y):M(x)=y within |x|^{c} steps}. In a P-certificate system, an efficient prover can generate a short certificate π of a fixed polynomial length (independent of the running time and size of M) for a tuple (M,x,y) in some a priori bounded polynomial time in |x|^{c}. Using π, the verifier can check the validity of the deterministic polynomial-time computation M(x)=y in some fixed polynomial time (independent of the running time of M). Such a proof system has two salient features, “non-interactivity” and “succinctness”, which guarantee that the simulator can reuse the same certificate in many nested sessions and amortize the cost of generating the WIUA proof. We stress that this is essential to overcome the exponential blow-up in the running time of the concurrent simulation. Based on Barak’s non-black-box zero-knowledge protocol, they modified part of stage 3 and defined a new language Λ. More specifically, they defined that a statement (h,c,r)∈Λ iff there exists a program M, a certificate π, a vector λ=((1,π_{1}),(2,π_{2})⋯) and a vector \( \overrightarrow{m} \) such that c=Com(h(M)), π is a proof for M(λ)=r and each π_{j} certifies that M(λ_{<j}) outputs m_{j} in its j-th communication round (where λ_{<j}=((1,π_{1}),(2,π_{2})⋯(j−1,π_{j−1}))).
The soundness can be obtained as follows. Roughly speaking, from the statistically binding property of Com, for every commitment c (i.e., m_{1}), there exists an a priori fixed deterministic polynomial-time program M. By the unique certificate property of the P-certificate, we can infer that the certificate π_{1} for M(·)=m_{1} is also uniquely defined. By the same analysis, we can conclude that for every j>1, m_{j} is uniquely defined, and so is the unique (accepting) certificate π_{j} certifying M(λ_{<j})=m_{j}. That is, there is a unique valid vector λ for program M, so there exists a single r satisfying the computation M(λ)=r. From the soundness of Barak’s protocol (Barak 2001), we obtain that, with high probability, the string r sent by V will be different from M(λ) for every string r∈{0,1}^{4n}.
To prove zero-knowledge, the key difference from Barak’s protocol is that each certificate π_{i} generated while constructing the WIUA proofs in stage 3 of a session can be reused as a part of the input witness λ=((1,π_{1}),(2,π_{2})⋯) for the subsequent sessions that contain this session. Thus, the only expensive part of the generation of the WIUA in each session is the generation of the P-certificate π, which can be generated in some a priori bounded polynomial time for the following reasons. Recall that when arriving at stage 3, the simulator S has emulated the partial execution of M and output the message r. We assume that the time spent in this part is bounded by |x|^{c} for some constant \( c \in \mathbb{N} \), where x is the statement M(λ)=r. Then the certificate π for this part of the computation can be generated in time polynomial in |x|^{c} by the P-certificate system. So the whole simulation can be finished in polynomial time; we refer the reader to (Chung et al. 2015) for more detail about this part.
Our Approach on CNMZK. Our protocol combines the constant-round CZK techniques with the previous CNMZK techniques. Compared with the work of (Kiyoshima 2015; Lin et al. 2010), we use non-black-box techniques to reduce the round complexity.
Recall that the definition of stand-alone NMZK requires the existence of a simulator-extractor SE that can simulate the view of a man-in-the-middle adversary \( \mathcal{A} \) while simultaneously extracting the witnesses for the statements proved by the adversary in the right interaction. At a high level, in order to satisfy this definition, the traditional method is that the verifier commits to a trapdoor in the first stage, then the prover uses a non-malleable commitment to commit to the real witness, and finally the prover uses a WIAOK protocol to prove that it either committed to a real witness or knows the trapdoor. So when considering CNMZK protocols, intuitively, we need the prover to use a concurrent non-malleable commitment scheme (Pass and Rosen 2005; Lin et al. 2008, 2017; Ciampi et al. 2016; Khurana and Sahai 2017) to commit to the real witness. However, we note that this is not necessary, as described in (Barak et al. 2006), since we only need to prove that the adversary still commits to the real witness in each session rather than in all the right sessions together. That is, a stand-alone non-malleable commitment is sufficient for our purpose.
By the definition of CNMZK, the crux of the proof is to show that even during simulation, when the simulator commits to a fake witness (instead of real witnesses) in left interactions, the man-in-the-middle adversary \( \mathcal{A} \) still cannot change its committed values in right interactions. The most delicate part of the proof is that we need to consider the mutual influence of the rewinds on both sides when extracting the trapdoors on the left and the witnesses on the right. That is, we should carefully design a series of hybrids to argue that the rewinds do not affect the reduction of the concurrent non-malleability of our zero-knowledge protocol to the (non-concurrent) non-malleability of the commitment scheme.
The previous protocol (Lin et al. 2010) used a special technique to reduce the difficulty of the proof. More specifically, the prover first uses a non-malleable commitment scheme with a robustness property to commit to a witness w twice (sequentially), and then a series of hybrids is designed to show that the adversary must commit to a valid witness (except with negligible probability) in each case. Otherwise, the adversary can be used to break the non-malleability property with respect to itself or the non-malleability property w.r.t. k-round protocols. In the protocol of (Kiyoshima 2015), because the goal is to implement a statistical CNMZK argument system, instead of using a non-malleable commitment to commit to the witness, they commit to a random string (e.g., 0^{n}). Thus, in their simulation-extractability proof, they cannot directly use the extractability of the commitment scheme; instead they have to rewind the sWIAOK proof to extract the witness on the right. Their proof strategy is as follows: assume there exists an adversary which can extract a fake witness in the right; then they give a series of indistinguishable hybrids to show that even if the simulator in the right interaction (acting as an honest verifier) just sends a commitment to the value 0^{n}, the adversary can still extract this fake witness, which is a contradiction.
Because our goal is to construct a constant-round concurrent non-malleable zero-knowledge protocol, the non-malleable commitment scheme should be constant-round. Here we use the constant-round 4-robust one-one CCA-secure commitment scheme which first appeared in (Kiyoshima 2015), based on Canetti et al. (2010). Such a commitment scheme can be based on the minimal assumption of the existence of one-way functions. The difference from (Kiyoshima 2015) is that our protocol uses the CCA-secure commitment scheme to commit to the witness, not to a random string.
More specifically, the commitment scheme we use has a salient feature: its security is guaranteed even if the adversary has access to the committed-value oracle on the right. This makes the hybrids easier to design, since we need not consider the impact on the left side when we query the committed-value oracle in the right sessions. Indeed, in our final proof, we use an opposite argument which is essentially the same. Roughly speaking, we consider the hybrids \( \textsf{SE}^{\mathcal{O}}_{i} \) and \( \textsf{SE}^{\mathcal{O}}_{i+} \), where the former simulator-extractor SE uses the “fake” witness in the i-th left session and the latter simulator-extractor SE uses the real witness in the i-th left session, while both are allowed to access the committed-value oracle \( \mathcal{O} \). If the adversary \( \mathcal{A} \) can convince the verifier to accept a right session while using an identity different from all the left sessions, then from the soundness of the WIAOK and the binding property of the commitment, the one-one CCA commitment of this right session must commit to a correct witness except with negligible probability. Now we can forward it to the external committed-value oracle and obtain its committed value. Next, assume there exists an adversary \( \mathcal{A} \) which can distinguish the two simulator-extractors \( \textsf{SE}^{\mathcal{O}}_{i} \) and \( \textsf{SE}^{\mathcal{O}}_{i+} \); then we can use such an adversary to break the witness indistinguishability of the 4-round WISSP or the k-robust CCA security. This gives a contradiction, thus the hybrids \( \textsf{SE}^{\mathcal{O}}_{i} \) and \( \textsf{SE}^{\mathcal{O}}_{i+} \) are indistinguishable and we can claim that our protocol is a concurrent non-malleable zero-knowledge argument. More detailed proofs are given in the “Constant-round concurrent non-malleable zero-knowledge” section.
Since we only add a constant-round commitment to the original constant-round CZK protocol, the whole protocol is also a constant-round protocol, so we can draw the conclusion given in Theorem 1.
Towards Simultaneously-Resettable NMZK. Let us turn to the second question, namely the simultaneously-resettable non-malleable zero-knowledge argument system. The formal definition is somewhat complicated and will be given in the “Simultaneously-resettable and non-malleable zero-knowledge” section. Roughly speaking, the protocol needs to satisfy non-malleable security even if the man-in-the-middle adversary \( \mathcal{A} \) can reset the prover to have several interactions on the left and, at the same time, reset the verifier to have multiple interactions on the right. Thus, none of the previous protocols satisfies our new security requirements. Our solution is to enhance the recent result of Chongchitmate et al. (2017) as follows.
Chongchitmate et al. (2017) gave a constant-round simultaneously-resettable zero-knowledge argument system. More specifically, they first gave a transformation from any ℓ-round CZK argument system to an O(ℓ)-round resettable zero-knowledge argument. Then they achieve a resettably-sound concurrent zero-knowledge argument (rsCZK) by plugging a constant-round rZK into a constant-round CZK system. Finally, following the general transformation of (Deng et al. 2009), they obtained a simultaneously-resettable ZK protocol. We stress that, to the best of our knowledge, this transformation is the most direct route to achieve a simultaneously-resettable zero-knowledge argument system (see also (Bitansky and Paneth 2015; Chung et al. 2013a; Canetti et al. 2013)). In this paper, we observe that this construction actually preserves non-malleability: if the original protocol is a constant-round concurrent non-malleable zero-knowledge argument system, then the new one is a constant-round resettably-sound concurrent non-malleable zero-knowledge argument. Further, by applying a combination of the transformations in (Deng et al. 2009), we can achieve a constant-round simultaneously-resettable NMZK, thus we can draw the conclusion given in Theorem 2.
Organization
The rest of this paper is organized as follows. Some necessary preliminaries and security notions are given in the “Preliminary” section. The concrete construction and the security analysis for the constant-round CNMZK argument system are described in the “Constant-round concurrent non-malleable zero-knowledge” section. Finally, we show how to use our CNMZK argument system to construct the constant-round simultaneously-resettable non-malleable ZK argument system in the “Simultaneously-resettable and non-malleable zero-knowledge” section.
Preliminary
k-robust (one-one) CCA-secure Commitment Schemes (Canetti et al. 2010)
A tag-based commitment scheme 〈C,R〉 is a commitment scheme where the committer and the receiver receive a tag ∈{0,1}^{n} (also called id) as common input. An adversary \( \mathcal{A}^{\mathcal{O}} \) can interact with a committed-value oracle \( \mathcal{O} \) as a committer, using identities adaptively in many sessions. At the end of each session, if the session is valid, the oracle \( \mathcal{O} \) reveals the unique committed value of that session to \( \mathcal{A} \); otherwise, it sends ⊥. Consider the following probabilistic experiment \( \textsf{IND}_{b}\left(\left\langle C,R \right\rangle, \mathcal{A}^{\mathcal{O}}, 1^{n}, z\right) \). The oracle adversary \( \mathcal{A}^{\mathcal{O}} \) is allowed to adaptively choose an id and a pair of values (v^{0},v^{1})∈{0,1}^{n} as the challenge messages. When the adversary \( \mathcal{A}^{\mathcal{O}} \) receives a commitment to v^{b}, it guesses a bit b^{′} as the output of the experiment. The additional constraint is that if during the execution the adversary \( \mathcal{A} \) interacts with \( \mathcal{O} \) using the challenge identity id, then the experiment outputs ⊥.
Definition 1
We say a tag-based commitment scheme 〈C,R〉 is CCA-secure w.r.t. the committed-value oracle \( \mathcal{O} \) if, for every PPT oracle machine \( \mathcal{A} \), the following ensembles are computationally indistinguishable:

\( \left \{\sf {IND}_{0}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, n, z\right) \right \}_{n \in \mathbb {N}, z \in \{0,1\}^{*}}\)

\( \left \{\sf {IND}_{1}\left (\left \langle C,R \right \rangle, \mathcal {A}^{\mathcal {O}}, n, z\right) \right \}_{n \in \mathbb {N}, z \in \{0,1\}^{*}}\)
Additionally, if 〈C,R〉 is CCA-secure only against adversaries that start a single session with \( \mathcal{O} \), then we say that 〈C,R〉 is one-one CCA-secure.
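To make the IND_b experiment of Definition 1 concrete, the following added example (not from the paper) runs it against a toy hash-based commitment with a brute-force committed-value oracle, comparing a commitment that ignores the tag with one that binds it. The scheme, the tiny parameter sizes and all names are assumptions chosen for illustration; at these sizes the commitment is not hiding on its own, only the structure of the game is the point.

```python
import hashlib
import secrets

VALUES = range(4)      # toy message space (constructed for this example)
RAND_BITS = 10         # toy randomness space, small enough to enumerate


def commit(tag: bytes, v: int, r: int, bind_tag: bool) -> bytes:
    """Toy non-interactive commitment; bind_tag=False ignores the tag."""
    prefix = len(tag).to_bytes(2, "big") + tag if bind_tag else b""
    return hashlib.sha256(prefix + bytes([v]) + r.to_bytes(2, "big")).digest()


def committed_value_oracle(tag: bytes, c: bytes, bind_tag: bool):
    """O: return the unique committed value of a valid session, else None (⊥)."""
    found = {v for v in VALUES for r in range(1 << RAND_BITS)
             if commit(tag, v, r, bind_tag) == c}
    return found.pop() if len(found) == 1 else None


def ind_experiment(b: int, adversary, bind_tag: bool):
    """IND_b: the adversary's guess b', or None (⊥) if it used id* with O."""
    used_tags = []

    def oracle(tag: bytes, c: bytes):
        used_tags.append(tag)
        return committed_value_oracle(tag, c, bind_tag)

    chal_id, v0, v1 = adversary.choose()
    r = secrets.randbelow(1 << RAND_BITS)
    challenge = commit(chal_id, (v0, v1)[b], r, bind_tag)
    guess = adversary.guess(chal_id, challenge, oracle)
    return None if chal_id in used_tags else guess


class ReplayAdversary:
    """Man-in-the-middle that copies the challenge into one oracle session
    under a different tag (a one-one adversary: a single session with O)."""
    v0, v1 = 0, 1

    def choose(self):
        return b"left-id", self.v0, self.v1

    def guess(self, chal_id, challenge, oracle):
        opened = oracle(b"right-id", challenge)
        if opened is None:        # oracle answered ⊥: nothing learned
            return 0              # fixed guess, independent of b
        return 0 if opened == self.v0 else 1


class SameTagAdversary(ReplayAdversary):
    """Queries O under the challenge identity, which the experiment forbids."""

    def guess(self, chal_id, challenge, oracle):
        opened = oracle(chal_id, challenge)
        return 0 if opened == self.v0 else 1


def advantage(adversary, bind_tag: bool, trials: int = 10) -> float:
    """|Pr[IND_1 = 1] - Pr[IND_0 = 1]| estimated over `trials` runs each."""
    ones = [sum(ind_experiment(b, adversary, bind_tag) == 1
                for _ in range(trials)) for b in (0, 1)]
    return abs(ones[1] - ones[0]) / trials


if __name__ == "__main__":
    print("tag ignored:", advantage(ReplayAdversary(), bind_tag=False))
    print("tag bound:  ", advantage(ReplayAdversary(), bind_tag=True))
    print("same tag:   ", ind_experiment(1, SameTagAdversary(), bind_tag=True))
```

With the tag ignored, a single oracle session under a fresh identity opens the challenge, so the two ensembles are trivially distinguishable; once the tag is bound, the copied commitment is an invalid session and the oracle returns ⊥.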
The notion of non-malleability w.r.t. arbitrary k-round protocols was introduced in (Lin and Pass 2009). It considers man-in-the-middle adversaries that can participate in arbitrary k-round protocols on the left while running the commitment scheme on the right. Roughly speaking, we say 〈C,R〉 is k-robust w.r.t. \( \mathcal{O} \) if the (joint) output of every k-round interaction with an adversary having access to the oracle \( \mathcal{O} \) can be simulated without the oracle.
Definition 2
Let 〈C,R〉 be a tag-based commitment scheme and \( \mathcal{O} \) be the committed-value oracle. For any constant \( k \in \mathbb{N} \), we say that 〈C,R〉 is k-robust w.r.t. \( \mathcal{O} \) if there exists a PPT oracle machine S such that for any PPT adversary \( \mathcal{A} \) and any k-round PPT interactive Turing machine B, the following are computationally indistinguishable:

\( \{{\sf output}_{B,\mathcal{A}^{\mathcal{O}}}[B(1^{n},x,y) \leftrightarrow \mathcal{A}^{\mathcal{O}}(1^{n},x,z)]\}_{n \in \mathbb{N}, x,y,z \in \{0,1\}^{*}} \)

\( \{{\sf output}_{B,S^{\mathcal{A}}}[B(1^{n},x,y) \leftrightarrow S^{\mathcal{A}}(1^{n},x,z)]\}_{n \in \mathbb{N}, x,y,z \in \{0,1\}^{*}} \)
In our protocol, we use the constant-round 4-robust one-one CCA-secure commitment scheme (namely CCACom^{1:1}) which first appeared in (Kiyoshima 2015) and can be constructed from one-way functions based on the result of (Goyal et al. 2015).
Forward-secure PRG (Bellare and Yee 2003; Chung et al. 2013)
Definition 3
(Forward-secure Pseudorandom Generator) We say a polynomial-time computable function is a forward-secure pseudorandom generator (fsPRG) if the following properties hold: Consistency: For every \( n,\ell \in \mathbb{N} \), s∈{0,1}^{n}, if fsPRG(s,ℓ)=((s_{ℓ},s_{ℓ−1},⋯,s_{1}),(ρ_{ℓ},ρ_{ℓ−1},⋯,ρ_{1})), then fsPRG(s_{ℓ},ℓ−1)=((s_{ℓ−1},⋯,s_{1}),(ρ_{ℓ−1},⋯,ρ_{1})). Forward Security: For every polynomial p(n), the following ensembles are computationally indistinguishable:

\( \{s\leftarrow U_{n},(\vec{s},\vec{\rho}) \leftarrow {\sf fsPRG}(s,\ell):s_{t},\vec{\rho}_{\leq t}\}_{n \in \mathbb{N},\ell\in [p(n)],t\in [\ell]} \)

\( \{s_{t} \leftarrow U_{n},\vec{\rho} \leftarrow (U_{n})^{\ell}:s_{t},\vec{\rho}_{\leq t}\}_{n \in \mathbb{N},\ell\in [p(n)],t\in [\ell]} \)
where U_{n} is the uniform distribution over {0,1}^{n}, and \( \vec{\rho}_{\leq t}=(\rho_{t},\rho_{t-1},\cdots,\rho_{1}) \).
From the definition above, if the seed s_{t} is exposed then the later sequence (ρ_{t+1},ρ_{t+2},⋯) is also exposed, but the earlier sequence ρ_{1},⋯,ρ_{t} remains pseudorandom. The existence of an fsPRG is implied by any (traditional) PRG, thus it is also implied by the existence of one-way functions (Håstad et al. 1999).
P-certificates in the delegatable CRS model (Chung et al. 2015)
For every constant \( c \in \mathbb{N} \), consider the language L_{c}∈P such that L_{c}={(M,x,y):M(x)=y within |x|^{c} steps}, and let T_{M}(x) denote the running time of M on input x.
Definition 4
A tuple of PPT algorithms (Setup,PreGen,CRSGen,P_{cert},V_{cert}) is a P-certificate system in the delegatable CRS model if there exist polynomials ℓ_{d},ℓ_{κ},ℓ_{CRS} and ℓ_{π} such that the following holds:

Syntax and Efficiency: for every \( c \in \mathbb{N} \) and every q=(M,x,y)∈L_{c}, the verification of the statement proceeds as follows:

1) CRS Setup: \( (PP,K)\xleftarrow{\text{\$}}\textsf{Setup}(1^{n}, c) \), where PP is the public parameter and K is the key;

2) CRS Preprocessing: d=PreGen(PP,q), where |d| is bounded by ℓ_{d};

3) CRS Generation: \( \kappa \xleftarrow{\text{\$}} \textsf{CRSGen}(PP,K,q) \) and CRS=(PP,κ), where |κ| is bounded by ℓ_{κ} and |CRS| is bounded by ℓ_{CRS};

4) Proof Generation: \( \pi \xleftarrow{\text{\$}} \textsf{P}_{\textsf{cert}}(1^{n}, c, q, CRS) \), where |π| is bounded by ℓ_{π} and P_{cert} runs in time poly(1^{n},|x|,min(T_{M}(x),|x|^{c}));

5) Proof Verification: b=V_{cert}(1^{n},c,CRS,q,π), where V_{cert} runs in time poly(k,|q|). Additionally, if the verification procedure V_{cert} is independent of the statement q and the language index c, then we say that the verification algorithm is simple.


(Perfect) Completeness: For every \( c,c^{\prime} \in \mathbb{N} \), there exists a negligible function μ such that for every q=(M,x,y)∈L_{c} such that \( |q| \leq k^{c^{\prime}} \), the probability that V_{cert} outputs 1 is 1.

Selective Strong Soundness: There exists a super-polynomial function T(n)=n^{ω(1)} and a super-constant function C(n)=ω(1) such that for every probabilistic algorithm P^{∗} with running time bounded by T(n), there exists a negligible function μ(n), such that, for every \( n \in \mathbb{N} \) and c≤C(n),
$${\begin{aligned} \Pr\left[ \begin{array}{lll} \begin{array}{rll} (q,\textsf{st}) &\xleftarrow{\text{\$}} & P^{*}(1^{n}, c)\\ \textsf{CRS} &\xleftarrow{\text{\$}} & Gen(1^{n}, c)\\ \pi &\xleftarrow{\text{\$}} & P^{*}(\textsf{st}, \textsf{CRS}) \end{array} : \textsf{V}_{\textsf{cert}}(1^{n}, c, CRS, q, \pi)=1 \wedge q\notin L_{c} \end{array} \right] \leq \mu(n) \end{aligned}} $$ 
Unique certificate: We say that a P-certificate system is unique if for every \( c \in \mathbb{N} \), string CRS ∈{0,1}^{∗} and q∈{0,1}^{∗}, there exists at most one string π such that V_{cert}(1^{n},c,CRS,q,π)=1.
Theorem 3
(Chung et al. 2015) Assume the existence of an \( i\mathcal{O} \) for P/poly and an injective pseudorandom generator. Then there exists a P-certificate system for NTIME (n^{w(1)}) with (strong) soundness and uniqueness in the delegatable CRS model, whose verification algorithm is simple.
Concurrent non-malleable zero-knowledge arguments (Barak et al. 2006; Lin et al. 2010; Kiyoshima 2015)
Let (P,V) be an interactive protocol for a language L, n be the security parameter and m be a polynomial. Consider a PPT man-in-the-middle adversary \( \mathcal{A} \) given the common input (x_{1},⋯,x_{m}) and an auxiliary input z∈{0,1}^{∗}. On the left, the adversary \( \mathcal{A} \) acts as a verifier V^{∗} and interacts with m independent copies of P using (id_{1},⋯,id_{m}), and each copy of the prover P is given a valid witness w_{i}∈R_{L}(x_{i}). On the right, the adversary \( \mathcal{A} \) acts as a prover P^{∗} that, on common input \( \left(\widetilde{x}_{1},\cdots,\widetilde{x}_{m}\right) \), tries to prove the validity of each statement using \( \left(\widetilde{\textsf{id}}_{1},\cdots,\widetilde{\textsf{id}}_{m}\right) \). During the experiment, the statements proved in the right interactions and the identities in both the left and right interactions are all chosen by the adversary \( \mathcal{A} \), and the messages of the left sessions can be scheduled by the adversary \( \mathcal{A} \) without any restriction. Let \( \textsf{view}_{\mathcal{A}}(1^{n},x_{1},\cdots,x_{m},z) \) denote the random variable that describes the view of \( \mathcal{A} \) in the above experiment. Loosely speaking, an interactive proof is a concurrent non-malleable zero-knowledge protocol if, for every man-in-the-middle adversary \( \mathcal{A} \), there exists a PPT machine (called the simulator-extractor) that can simulate both the left and the right interactions for \( \mathcal{A} \), while outputting a witness for each statement proved by the adversary in the right interactions.
Definition 5
An interactive protocol (P,V) for L∈NP is said to be concurrent non-malleable zero-knowledge if for every \( n \in \mathbb{N} \), every polynomial m, and every PPT man-in-the-middle adversary \( \mathcal{A} \) that participates in at most m(n) concurrent executions, there exists a PPT machine SE such that:

1. The following ensembles are computationally indistinguishable:

\( \{{\sf view}_{\mathcal{A}}(1^{n},x_{1},\cdots,x_{m},z)\}_{n \in \mathbb{N}, x_{1},\cdots,x_{m} \in L\cap \{0,1\}^{n}, z \in \{0,1\}^{n}} \)

\( \{{\sf S}(1^{n},x_{1},\cdots,x_{m},z)\}_{n \in \mathbb{N}, x_{1},\cdots,x_{m} \in L\cap \{0,1\}^{n}, z \in \{0,1\}^{n}} \)
where S(1^{n},x_{1},⋯,x_{m},z) is the first output of SE(1^{n},x_{1},⋯,x_{m},z).

2. Let \( \left(\widetilde{x}_{1},\cdots,\widetilde{x}_{m}\right) \) be the statements to be proved in the right interactions and \( ({\sf view},\{\widetilde{w}_{i}\}_{i \in m}) \) denote the outputs of SE(1^{n},x_{1},⋯,x_{m},z). For every i∈[m], if the i-th right interaction is accepting and \( \widetilde{\textsf{id}}_{i} \neq \textsf{id}_{j} \) for all j∈[m], then \( \widetilde{w}_{i} \) is a valid witness such that \( R_{L}\left(\widetilde{x}_{i}, \widetilde{w}_{i}\right) = 1 \).
Indistinguishability obfuscation (Barak et al. 2001)
Definition 6
(Indistinguishability obfuscation) A PPT algorithm \( i\mathcal {O} \) is said to be an indistinguishability obfuscator for a collection of polynomial-size circuits \( \mathcal {C}=\cup _{n \in \mathbb {N}}\mathcal {C}_{n} \) if it satisfies:

1. Functionality: For any \( C \in \mathcal {C} \),
$$ \underset{i\mathcal{O}}{\Pr}[\forall x : i\mathcal{O}(C)(x)=C(x)]=1. $$
2. Indistinguishability: For any poly-size distinguisher \( \mathcal {D} \) there exists a negligible function μ such that for any \( n \in \mathbb {N} \) and any \( C_{1}, C_{2} \in \mathcal {C}_{n} \) of the same size and functionality,
$$ \left| \underset{i\mathcal{O}}{\Pr}[\mathcal{D}(i\mathcal{O}(C_{1}))=1] - \underset{i\mathcal{O}}{\Pr}[\mathcal{D}(i\mathcal{O}(C_{2}))=1] \right| \leq \mu(n). $$
Resettable zero-knowledge (Canetti et al. 2000)
Let (P,V) be an interactive proof system for a language L, z be an auxiliary input received by V^{∗}, t=poly(n), \( \overline {x} = x_{1},x_{2},\cdots,x_{t} \in L \cap \{0, 1\}^{n} \) be a sequence of common inputs and \( \overline {w} = w_{1},w_{2},\cdots,w_{t}\) be the corresponding witnesses such that (x_{i},w_{i})∈R_{L} for i=1,⋯,t. The distribution \( \{\textsf {view}^{P(\overline {w})}_{V^{*}(z)}(\overline {x})\} \) is the view of V^{∗}, defined as follows:

1. Randomly select and fix t random tapes r_{1},r_{2},⋯,r_{t} for P, resulting in deterministic strategies \( P^{(i,j)}=P_{x_{i},w_{i},r_{j}} \), defined by \( P_{x_{i},w_{i},r_{j}}(\alpha)=P(x_{i},w_{i},r_{j},\alpha) \)^{Footnote 1}, for i,j∈[t].

2. A resetting verifier V^{∗} is allowed to run poly(n)-many sessions with the P^{(i,j)}. V^{∗} can send arbitrary messages to each of the P^{(i,j)} and obtain the responses of P^{(i,j)} to such messages.

3. Once V^{∗} decides it is done interacting with P, it produces its view of these interactions.

The distribution \( \{\textsf {S}_{V^{*}(z)}(\overline {x})\}\), indexed by a sequence of common inputs \( \overline {x} = x_{1},x_{2},\cdots,x_{poly(n)} \in L \cap \{0, 1\}^{n} \), is the output of an expected-PPT machine S that interacts with V^{∗} on common inputs \( \overline {x} \).
Definition 7
(Resettable Zero-knowledge) We say that (P,V) is resettable zero-knowledge if for every PPT adversary V^{∗} there exists an expected-PPT simulator \( S_{V^{*}} \) such that for all pairs \( (\overline {x}, \overline {w}) \in R_{L} \), the ensembles \( \left \{\textsf {view}^{P(\overline {w})}_{V^{*}(z)}(\overline {x})\right \} \) and \( \{\textsf {S}_{V^{*}(z)}(\overline {x})\} \) are computationally indistinguishable.
Theorem 4
(Chongchitmate et al. 2017) Assuming the existence of one-way functions, any ℓ-round concurrent zero-knowledge argument system can be transformed into an O(ℓ)-round resettable zero-knowledge argument system.
Resettably-sound arguments (Barak et al. 2001)
Definition 8
(Resettably-sound arguments). Let (P,V) be an interactive proof protocol for L∈NP. A resetting attack of a cheating prover P^{∗} is defined as follows:

1. Let t=poly(n). Uniformly select and fix t random tapes r_{1},⋯,r_{t} for V, resulting in deterministic strategies \( V^{(j)}(x) = V_{x,r_{j}} \), defined by \( V_{x,r_{j}}(\alpha) = V(x,r_{j},\alpha) \)^{Footnote 2}, where x∈{0,1}^{n} and j∈[t]. Each V^{(j)}(x) is called an incarnation of V.

2. P^{∗} is allowed to initiate poly(n)-many interactions with the V^{(j)}(x). The activity of P^{∗} proceeds in rounds. In each round, P^{∗} chooses x∈{0,1}^{n} and j∈[t], defines V^{(j)}(x), and conducts a complete session with it.

We say that (P,V) is a resettably-sound argument if for every polynomial-size resetting attack, the probability that in some session the corresponding V^{(j)}(x) has accepted and x∉L is negligible.
Theorem 5
(Chung et al. 2014) Assuming the existence of one-way functions, there exists a 4-round resettably-sound zero-knowledge argument of knowledge for every language in NP.
Theorem 6
(Deng et al. 2009, Chongchitmate et al. 2017) Assuming the existence of ZAPs (i.e., 2-round resettably-sound resettable witness-indistinguishable proof systems) and a family of pseudorandom functions, there exists a transformation from an ℓ-round resettably-sound concurrent zero-knowledge argument to an O(ℓ)-round resettably-sound resettable zero-knowledge argument.
Constant-round concurrent non-malleable zero-knowledge
Our protocol
In this section, we give our construction of the constant-round concurrent non-malleable zero-knowledge argument system. We use the following building blocks:

1. Two-round statistically binding commitment scheme: Com

2. O(1)-round 4-robust one-one CCA-secure commitment scheme: CCACom^{1:1}

3. Four-round special-sound witness indistinguishability proofs: WISSP

4. O(1)-round witness indistinguishability universal argument: WIUA

5. Four-round P-certificates in the delegatable CRS Model: PC

Now consider a language L∈NP and a security parameter n. Let the prover and verifier receive common inputs x∈{0,1}^{n}, id∈{0,1}^{n}. The auxiliary input to the prover is an NP witness w such that R_{L}(x,w)=1. Let m(n) be a polynomial that upper bounds the number of concurrent sessions, and D be a super-constant bounded by log log log n. Then, our protocol proceeds in five stages as follows:

In stage 1, the prover P computes c_{1}=Com(0^{n},ρ_{1}) and sends it to V; V responds with a string \(r \xleftarrow {R} \{0,1\}^{4n}\).

In stage 2, the prover P computes c_{2}=Com(0^{n},ρ_{2}) and sends it to V. P and V run a WIUA system where P proves to V that there exists \((M,\rho _{1},\mathcal {O}_{\pi },(j,s_{j}),\rho _{2})\) s.t. (h,c_{1},c_{2},r)∈Λ_{1}, or there exists w s.t. (x,w)∈R_{L}. In more detail, in the simulation phase, P proves that c_{1}=Com(h(M)) for a program M and c_{2}=Com(h(q)) for \( \textsf {q}=((M,\mathcal {O}_{\pi }),(j,s_{j}),r) \). The statement q represents that the oracle program \( M^{\mathcal {O}_{\pi }} \) on input (j,s_{j}) can output a message r. The oracle \( \mathcal {O}_{\pi } \) stores all the CRS and proof pairs {(CRS_{i},π_{i})} that are generated by the P-certificate system in the current history (see the definition in Table 1).

In stage 3, the verifier V invokes the algorithm PC.setup to generate (PP,K) and sends the public parameter PP to P. The prover P computes c_{3}=Com(0^{n},ρ_{3}) and sends it to V. P and V run a WIUA system where P proves to V that there exists \((M,\mathcal {O}_{\pi },(j,s_{j}),d,\rho _{2},\rho _{3})\) s.t. (h,PP,c_{2},c_{3},r)∈Λ_{2}, or there exists w s.t. (x,w)∈R_{L}. In more detail, in the simulation phase, P proves that c_{2}=Com(h(q)) and c_{3}=Com(d,ρ_{3}) where d=PC.PreGen(PP,q).

In stage 4, the verifier V sends an obfuscated algorithm \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) to P and gives a ZK argument of the statement \((\textsf {PP},c_{3},\hat {\mathcal {P}}_{\textsf {{CRSGen}}}) \in \Lambda _{3}\). In more detail, V proves that there exists \((\textsf {K},\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{\textsf {{Setup}}},\rho _{\textsf {{CRSGen}}},\rho _{i\mathcal {O}})\) such that (PP,K)=PC.Setup(1^{n},D,ρ_{Setup}) and \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} =i\mathcal {O}(\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{i\mathcal {O}}) \). The detailed descriptions of the circuits \( \mathcal {P} \) and \( \mathcal {Q} \) are given in Table 1.

In stage 5, the prover P computes \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) under identity id and c_{5}=Com(0^{n},ρ_{5}), and sends them to V. P and V run a WISSP system where P proves to V that there exists (d,ρ_{3},π) s.t. \( (\textsf {PP},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c_{5}) \in \Lambda _{4} \), or there exists w s.t. \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) and (x,w)∈R_{L}. In more detail, in the simulation phase, P proves that \( \kappa = \hat {\mathcal {P}}_{\textsf {{CRSGen}}}(d,\rho _{3}) \), c_{5}=Com((PP,κ),ρ_{5}) and PC.V_{cert}(1^{n},(PP,κ),π)=1.
The formal protocol CNMZK is described below in Table 1 and Table 2.
Completeness and soundness
Completeness. The completeness of the protocol can be directly obtained from the construction in Table 2. More specifically, for any x∈L, w∈R_{L}(x) and id∈{0,1}^{n}, from the completeness of the WIUA system in stage 2 and stage 3, the completeness of the ZK argument system in stage 4 and the completeness of the WISSP system in stage 5, we have that Pr[P(w),V(z)(x,id)]=1.
Soundness. The soundness of the protocol follows from (1) the binding property of the commitments c_{1},c_{2},c_{3} in stages 1, 2 and 3; (2) the hiding property of \( i\mathcal {O} \) for the circuit \( \mathcal {P} \) in stage 4; (3) the selective strong soundness of P-certificates; and (4) the special-soundness of the WISSP used in stage 5. Roughly speaking, assume that the statement x∉L. Consider the point where the prover has given the commitment c_{3} and is now expecting the verifier message \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \). Because c_{1},c_{2},c_{3},PP,K are determined at this point, the two circuits \( \mathcal {P} \) and \( \mathcal {Q} \) described in Table 1 are functionally equivalent. We assume w.l.o.g. that \( \mathcal {P} \) and \( \mathcal {Q} \) have the same polynomial size in n; then, from the security definition of \( i\mathcal {O} \), we can infer that the secret key K is hidden in the obfuscated circuit \( \hat {\mathcal {P}} \). Otherwise, we can use the adversary to distinguish the circuits \( i\mathcal {O}(\mathcal {P}) \) and \( i\mathcal {O}(\mathcal {Q}) \), which leads to a contradiction. Next, in stage 5, if there exists a PPT cheating P^{∗} who can convince the verifier, then from the definition of the P-certificate system, there must exist, except with negligible probability, an accepted P-certificate π arguing that the statement q is true based on CRS=(PP,κ). That is, there exists a PPT machine M that, on input a short bit string (j,s) (of length bounded by 3n), can predict the challenge message r (of length 4n). However, this is information-theoretically impossible. Thus, we reach a contradiction by violating the soundness of Barak’s protocol.
Next, we describe the construction of our simulator-extractor SE in “Our simulator-extractor” section and show that it satisfies the definition of CNMZK in “The view generated by the simulator” section and “The witnesses output by the extractor” section.
Our simulator-extractor
Recall that the definition of CNMZK requires the existence of a simulator-extractor SE that can simulate the view of a man-in-the-middle adversary \( \mathcal {A} \) while extracting a witness in every accepted right session. Below, we sketch how to build a simulator-extractor. First, we construct a PPT simulator S that simulates the view of \( \mathcal {A} \) but does not extract witnesses in the right sessions. Then, we construct a PPT simulator-extractor SE via the intermediate simulator S, which can simulate the view of \( \mathcal {A} \) and extract the witnesses using the committed-value oracle.
Simulator S. On a high level, S internally invokes \( \mathcal {A} \) and interacts with \( \mathcal {A} \) as honest prover and honest verifier in the following way. To simulate the view of each session in the right interactions, S simply follows the honest verifier strategy. To simulate the view of each session in the left interactions, S uses the description of the adversary \( \mathcal {A} \) as the fake witness and reuses the previously generated P-certificates if necessary, in a straight-line manner. The formal description of this process will be given below. Finally, S outputs the view of the adversary \( \mathcal {A} \).
Simulator SE. On a high level, SE simulates the view of \( \mathcal {A} \) by executing S as the first part of its output. For each i∈[m], if the ith right session is accepted and \( \widetilde {\textsf {id}}_{i} \) is different from id_{j} for all j∈[m], SE extracts a witness from session i by oracle access to the one-session committed-value oracle \( \mathcal {O}_{\textsf {cca}} \) of CCACom^{1:1}.
The view generated by the simulator
In this section, we show that the view generated by S is indistinguishable from the real view of \( \mathcal {A} \):
Lemma 1
The following ensembles are computationally indistinguishable:

\( \{\textsf {view}_{\mathcal {A}}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n} }\)

\( \{\textsf {S}(1^{n},x_{1},\cdots,x_{m},z)\}\text {} _{n \in \mathbb {N},x_{1},\cdots,x_{m} \in L\cap \{0,1\}\text {} ^{n}, z \in \{0,1\}\text {} ^{n}} \)
Proof
To simplify the exposition, w.l.o.g., we assume that the man-in-the-middle adversary \( \mathcal {A} \) is a deterministic Turing machine with non-uniform advice. Let N=c·m denote the total number of messages between the simulator S and \( \mathcal {A} \), where c is the number of rounds of our CNMZK protocol and m is the total number of concurrent sessions, bounded by a polynomial.
We invoke the forward-secure pseudorandom generator to generate the random tapes we need. Let fsPRG(s,N)=((s_{N},⋯,s_{1}),(ρ_{N},⋯,ρ_{1})), where s∈{0,1}^{n} is the random seed and each ρ_{j}∈{0,1}^{n} is the randomness used to generate the jth prover message on the left side.
We use three tables \(\mathcal {V},\mathcal {O}_{\pi },\mathcal {T}\). \( \mathcal {V} \) stores the commitment values in the simulation of the left interaction. \( \mathcal {O}_{\pi } \) stores all the CRS and proof pairs {(CRS_{i},π_{i})} generated by the P-certificate system in the current history. \( \mathcal {T} \) stores the messages simulated so far on both the left and right sides. We initialize \( \mathcal {O}_{\pi },\mathcal {T} \) to be empty and add the code descriptions of the simulator S and \( \mathcal {A} \) to table \( \mathcal {V} \). Next we give a detailed description of the program \( \textsf {S}(1^{n},x_{1},\cdots,x_{m},\mathcal {A},\mathcal {V},\mathcal {O}_{\pi },\mathcal {T},s,N) \):
In each right session, S interacts with \( \mathcal {A} \) simply by following the honest verifier strategy described in our protocol 2. It can generate its random coins by using the PRG on a random seed in this part of the execution. In each left session, do as follows:

Simulate Stage 1. Upon receiving a hash function h_{i} in session i, S provides a commitment \( c^{1}_{i} \) to \(M_{i}((\cdot,\cdot),\mathcal {A},\mathcal {T})\), where M_{i} is an interactive Turing machine with the code description of S and \( \mathcal {A} \) plus their current state. Here the first two parameters of M_{i} will be given when M_{i} is used as the witness to construct the statement q_{i} in stage 2.

Simulate Stage 2. Upon receiving a challenge r_{i} in session i during the jth communication round, S retrieves the committed value M_{i} and provides a commitment \( c^{2}_{i} \) to the trapdoor statement \( \textsf {q}_{i}=((M_{i},\mathcal {O}_{\pi }),(j,s_{j}),r_{i}) \), where s_{j} is the random seed used by fsPRG in the jth round. According to our previous definition, the oracle program \( M^{\mathcal {O}_{\pi }} \) on input (j,s_{j}) can recover all the previous randomness, and any oracle queries {CRS_{i}} that \( M^{\mathcal {O}_{\pi }} \) makes before it outputs r can be answered using the current \( \mathcal {O}_{\pi } \). Thus, the simulator S can use \( (M_{i},\mathcal {O}_{\pi },(j,s_{j})) \) and the corresponding randomness to finish the WIUA for the statement \((h_{i},c^{1}_{i},c^{2}_{i},r_{i}) \in \Lambda _{1}\).

Simulate Stage 3. Upon receiving a challenge PP_{i} in session i during the jth communication round, S provides a commitment \( c^{3}_{i} \) to the digest d_{i}, where d_{i}=PC.PreGen(PP_{i},q_{i}). Now S can use the fake witnesses \( (M_{i},\mathcal {O}_{\pi },(j,s_{j}),d_{i}) \) and the corresponding randomness to finish the WIUA for the statement \((h_{i},\textsf {PP}_{i},c^{2}_{i},c^{3}_{i},r_{i}) \in \Lambda _{2}\).

Simulate Stage 4. Upon receiving an obfuscated program \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) in session i during the jth communication round, S interacts with \( \mathcal {A} \) as an honest verifier to finish the ZK argument part.

Simulate Stage 5. Upon receiving the last message from \( \mathcal {A} \) in Stage 4 of session i, S computes \(\kappa _{i} = \hat {\mathcal {P}}_{\textsf {{CRSGen}}}(d,\rho _{3})\) and π_{i}=PC.P_{cert}(q_{i},CRS_{i}). For CRS_{i}=(PP_{i},κ_{i}), S checks whether PC.V_{cert}(1^{n},CRS_{i},π_{i})=1; if so, it adds the pair (CRS_{i},π_{i}) to the oracle \(\mathcal {O}_{\pi }\), and otherwise it aborts. Next, S provides a commitment \( c^{4}_{i} \) to a dummy string, i.e., 0^{n}, and a commitment \( c^{5}_{i} \) to CRS_{i}. Since S now has all the witnesses \( (\textsf {d}_{i},\rho _{\textsf {d}_{i}},\pi _{i}) \) for the statement \(\left (\textsf {PP}_{i},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c^{5}_{i}\right) \in \Lambda _{4}\), it can finish the WISSP in stage 5.

Finally, the simulator outputs all the messages of both interaction sides stored in the table \(\mathcal {T}\).
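The forward-secure generator fsPRG used above, together with the Stage 2 claim that M on input (j,s_{j}) can recover all the previous randomness, as an added example (not code from the paper). HMAC-SHA256 stands in for the generator, toy_commit for Com and toy_adversary for a deterministic \( \mathcal {A} \); these names, the seed-chaining order and the omission of the oracle \( \mathcal {O}_{\pi } \) are assumptions made for illustration.

```python
import hashlib
import hmac

N_BYTES = 32  # byte length standing in for the n-bit seeds and tapes of the text


def _g(seed: bytes, label: bytes) -> bytes:
    """One output branch of the generator; HMAC-SHA256 is a stand-in (assumption)."""
    return hmac.new(seed, label, hashlib.sha256).digest()


def fs_prg(s: bytes, N: int):
    """fsPRG(s, N): return ({j: s_j}, {j: rho_j}) for j = N, ..., 1."""
    seeds, rhos = {}, {}
    cur = _g(s, b"next-seed")          # s_N is derived first
    for j in range(N, 0, -1):
        seeds[j] = cur
        rhos[j] = _g(cur, b"tape")     # rho_j is derived from s_j
        cur = _g(cur, b"next-seed")    # s_{j-1} from s_j; the chain never runs upward
    return seeds, rhos


def recover_tapes(j: int, s_j: bytes):
    """From (j, s_j) alone, recompute rho_j, ..., rho_1 (nothing above index j)."""
    tapes, cur = {}, s_j
    for k in range(j, 0, -1):
        tapes[k] = _g(cur, b"tape")
        cur = _g(cur, b"next-seed")
    return tapes


def toy_commit(value: bytes, rho: bytes) -> bytes:
    """Hash-based stand-in for Com(value, rho); not the scheme used in the paper."""
    return hashlib.sha256(b"com|" + rho + b"|" + value).digest()


def toy_adversary(transcript: list) -> bytes:
    """Deterministic A: its 4n-bit challenge r is a function of the transcript."""
    return hashlib.shake_256(b"A|" + b"".join(transcript)).digest(4 * N_BYTES)


def run_left_side(tapes: dict, rounds: int):
    """Play rounds 1..rounds: the prover commits using rho_k, A answers with r_k."""
    transcript, challenges = [], {}
    for k in range(1, rounds + 1):
        transcript.append(toy_commit(b"\x00" * N_BYTES, tapes[k]))
        challenges[k] = toy_adversary(transcript)
        transcript.append(challenges[k])
    return challenges


def M(j: int, s_j: bytes) -> bytes:
    """The committed program: replay the history from (j, s_j) and output r_j."""
    return run_left_side(recover_tapes(j, s_j), j)[j]


def demo(N: int = 6) -> bool:
    """Check that M predicts every challenge of a simulated run from (j, s_j)."""
    seeds, rhos = fs_prg(b"\x07" * N_BYTES, N)   # constructed seed
    real = run_left_side(rhos, N)
    return all(M(j, seeds[j]) == real[j] for j in range(1, N + 1))


if __name__ == "__main__":
    print(demo())
```

The input (j,s_{j}) handed to M is far shorter than the 4n-bit challenge it reproduces, which is exactly what the soundness argument rules out for a prover that did not generate the randomness itself.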
Correctness of the simulation. We first observe the correctness of S. By our construction, the only place where an abort can happen is when the simulator computes, in stage 5, a certificate π_{i} for CRS_{i} that is not accepted although it is based on a true statement q_{i}. However, the only difference in the P-certificate system used in our protocol is that, instead of sending κ directly, the verifier first sends the indistinguishability obfuscation of the GenCRS algorithm and then gives a ZK argument to prove its correctness. Thus, from the perfect correctness of the indistinguishability obfuscator, the completeness of the zero-knowledge argument and the perfect completeness of our P-certificate system, we have that for a true statement q_{i}, the probability that V_{cert}(1^{n},CRS_{i},π_{i})≠1 is only negligible. So the probability that the simulator outputs abort is also negligible.
Indistinguishability of the simulation. We now use a hybrid argument to show the indistinguishability of the simulation. Consider 2N hybrid experiments as follows. Experiment Hyb^{i}, 0≤i≤N: the first i communication rounds are simulated by simulator S with pseudorandomness and the fake witness, and all later communication rounds j>i are simulated by simulator S with true randomness and the true witnesses. We also define the hybrid \( \textsf {Hyb}^{i}_{+} \), which proceeds identically to Hyb^{i} except that it simulates the ith round following the honest prover strategy using the real witness.
Claim 1
The outputs of \( \textsf {Hyb}^{i}_{+} \) and Hyb^{i} are computationally indistinguishable. □
Proof
\( \textsf {Hyb}^{i}_{+} \) and Hyb^{i} differ only in which witness (fake or real) is used in the ith round of the left interaction. If in the ith round the prover message is a commitment to a witness, indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hyb^{i} follows directly from the hiding property of the commitment scheme. If in the ith round the prover message is a message of the WIUA or WISSP subprotocol, indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hyb^{i} follows directly from the witness indistinguishability property of the WIUA or WISSP. □
Claim 2
The outputs of \( \textsf {Hyb}^{i}_{+} \) and Hyb^{i+1} are computationally indistinguishable.
Proof
\( \textsf {Hyb}^{i}_{+} \) and Hyb^{i+1} differ only in which randomness (true or pseudo) is used in the ith round of the left interaction. The indistinguishability of \( \textsf {Hyb}^{i}_{+} \) and Hyb^{i+1} follows directly from the forward security of the PRG. □
Finally, it is easy to see that the output of Hyb^{N} is identical to the output of S, and the output of Hyb^{0} is identical to the real view \( \textsf {view}_{\mathcal {A}} \). Because there are at most polynomially many hybrids in this experiment, we can conclude that the output of S is indistinguishable from the output of the real interaction.
Combining the above, Lemma 1 follows.
The witnesses output by the extractor
Proof
Our simulator-extractor SE in “Our simulator-extractor” section allows the extractor to access the decommitment oracle. We note that this is allowed because a k-robust CCA-secure commitment scheme is used in our protocol. From Definition 2, we know that, for any constant k, the joint output of every k-round interaction, with an adversary (here, SE) having access to the oracle \( \mathcal {O}_{\textsf {cca}} \), can be simulated without the oracle in polynomial time. That is, access to the oracle does not help the simulator-extractor SE in participating in any k-round protocol. But allowing the simulator-extractor SE to access the oracle has the following benefit: we only need to pay attention to the impact of the hybrid experiment on SE when switching the left witness from real to fake, without any further analysis of the interference from rewinding on the right. So in the following, we just need to analyze whether such a simulator-extractor can output the witness.
Consider the series of hybrids: we define \( \textsf {SE}^{i} \left (\textsf {SE}_{+}^{i}\right)\) to be the same as SE except that the execution of S is replaced with that of \( \textsf {Hyb}^{i}\left (\textsf {Hyb}_{+}^{i}\right) \). Then, by the definition of CNMZK, we need to argue that, in the experiment SE^{N} (which is identical to SE), for any PPT man-in-the-middle adversary \( \mathcal {A} \) and every x_{1},⋯,x_{m}∈{0,1}^{n}∩L, for each right interaction that is accepted and uses a different identity from all left interactions, the simulator-extractor SE does extract a valid witness of the statement proved.
Observe that in the experiment \( \textsf {SE}_{+}^{0} \), the simulator S holds all the real witnesses of the left sessions and just acts as an honest prover in each left interaction and an honest verifier in each right interaction. Then, following from the soundness of our protocol, we can conclude that in every accepted right interaction, \( \mathcal {A} \) successfully commits to a real witness in the CCACom^{1:1} except with negligible probability. In other words, \( \mathcal {A} \) never cheats in \( \textsf {SE}_{+}^{0} \), so the simulator-extractor can extract the witness with the help of the committed-value oracle except with negligible probability.
Next, we observe the experiment SE^{N}, which is based on the definition of Hyb^{N}. Now we assume that there exists a polynomial function p such that \( \mathcal {A} \) cheats in one of the right sessions in the experiment SE^{N} with probability 1/p(n). In other words, there exists a right session which is accepted and uses a different identity from all the left interactions such that \( \mathcal {A} \) fails to commit to a valid witness in Stage 5 with probability 1/p(n). Then SE^{N} cannot extract the witness from this right session with probability 1/p(n) as well. However, we have that \( \textsf {SE}_{+}^{0} \) can extract the witness from this right session except with negligible probability. Thus, by an averaging argument, there must exist an i such that the probability of cheating differs by at least an inverse-polynomial amount in the hybrids SE^{i} and \( \textsf {SE}_{+}^{i} \) or in the hybrids \( \textsf {SE}_{+}^{i}\) and SE^{i+1}. Therefore, there is a gap between \( \mathcal {A} \)’s chance of committing to the valid witness on the right in \( \textsf {SE}_{+}^{i}\) and SE^{i+1}, or there is a gap between \( \mathcal {A} \)’s chance of committing to the valid witness on the right in SE^{i} and \( \textsf {SE}_{+}^{i} \). We analyze these two cases as follows:
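The averaging step, written out as an added derivation (not part of the original paper). The notation \( \varepsilon (\textsf {H}) \), introduced here, is the probability that \( \mathcal {A} \) fails to commit to a valid witness in the fixed right session in experiment H, and μ is a negligible function bounding \( \varepsilon (\textsf {SE}_{+}^{0}) \). The triangle inequality along the chain \( \textsf {SE}_{+}^{0}, \textsf {SE}^{1}, \textsf {SE}_{+}^{1}, \cdots, \textsf {SE}_{+}^{N-1}, \textsf {SE}^{N} \) gives
$$ \frac{1}{p(n)} - \mu(n) \leq \left| \varepsilon(\textsf{SE}^{N}) - \varepsilon(\textsf{SE}_{+}^{0}) \right| \leq \sum_{i=0}^{N-1} \left| \varepsilon(\textsf{SE}^{i+1}) - \varepsilon(\textsf{SE}_{+}^{i}) \right| + \sum_{i=1}^{N-1} \left| \varepsilon(\textsf{SE}_{+}^{i}) - \varepsilon(\textsf{SE}^{i}) \right|. $$
The right-hand side has 2N−1 terms, so at least one of them is at least
$$ \frac{1}{2N-1}\left( \frac{1}{p(n)} - \mu(n) \right) \geq \frac{1}{4N \cdot p(n)} $$
for all sufficiently large n (once μ(n)≤1/(2p(n))). Since N=c·m is bounded by a polynomial, this gap is inverse-polynomial, and it falls either between \( \textsf {SE}_{+}^{i} \) and SE^{i+1} or between SE^{i} and \( \textsf {SE}_{+}^{i} \) for some i.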
In the first case, the only difference between \( \textsf {SE}_{+}^{i}\) and SE^{i+1} is which randomness (true or pseudo) is used in the ith round of the left interaction. Therefore, they are computationally indistinguishable by Claim 2. In the second case, the only difference between SE^{i} and \( \textsf {SE}_{+}^{i} \) is which witness (fake or real) is used in the ith round. The former, in stage 5, uses a dummy string 0^{n} as the committed value of CCACom^{1:1}, followed by a WISSP for knowing the fake witness instead of the witness w_{i} of x_{i}. The latter, in stage 5, acts as an honest prover holding a real witness w_{i} of x_{i}. If the gap is due to the committed value of CCACom^{1:1}, then we can use this gap to break the non-malleability w.r.t. itself of CCACom^{1:1}. If the gap is due to the witness used in the four-round WISSP of the left session, then we can use this gap to break the 4-robust CCA-security of CCACom^{1:1}.
Thus, we reach a contradiction: in the experiment SE^{N}, \( \mathcal {A} \) must commit to a valid witness in Stage 5 except with negligible probability. We know that the output of SE^{N} is identical to the output of SE, hence the simulation-extractability of protocol 2 follows.
Combining “The view generated by the simulator” section and “The witnesses output by the extractor” section, the concurrent non-malleable zero-knowledge property follows. This completes the proof of Theorem 1. □
Simultaneously-resettable and non-malleable zero-knowledge
From concurrent NMZK to resettable NMZK
In (Chongchitmate et al. 2017), Chongchitmate et al. gave a transformation from any constant-round concurrent ZK to a constant-round resettable ZK based on (Barak et al. 2001; Deng et al. 2009). We observe that this transformation essentially preserves non-malleability. That is, if the original protocol is a constant-round concurrent NMZK, then the new protocol will be a constant-round resettable NMZK. We provide the details of the transformation in Table 3, which are taken almost verbatim from (Chongchitmate et al. 2017), except that we require the prover and the verifier to have an extra common id. Then we give a proof of non-malleability for this new protocol.
Lemma 2
Protocol rNMZK in Table 3 is a constant-round resettable non-malleable ZK argument system.
Proof
The proofs of the completeness and soundness conditions are similar to our proof in “The view generated by the simulator” section, and are omitted. The resettable zero-knowledge property can be directly obtained from Theorem 4, because the protocol CNMZK itself is a constant-round CZK protocol. Next, we give the analysis of non-malleability.
Roughly speaking, for a man-in-the-middle adversary \( \mathcal {A} \) with the extra power of a resetting attack, we need to prove that the view of \( \mathcal {A} \) in the real interaction can be simulated by a simulator without any of the witnesses of the left sessions, and that there exists an extractor that can extract the witnesses in every accepting right session from this simulated view. More specifically, we first construct a simulator and give an extractor based on this simulator as in the previous section. Then, we reduce the security to the underlying assumptions by using a series of hybrids.
Let \( \textsf {H}_{0}=\{\textsf {realview}_{f_{s}},\{\widetilde {w}_{i}\}_{i\in [m]}\} \) denote the combined view of \( \mathcal {A} \) in the real experiment of the protocol rNMZK and the values extracted by the committed-value oracle. Then it follows from the soundness of the protocol rNMZK that, except with negligible probability, in every accepting right interaction, \( \mathcal {A} \) commits to a real witness in stage 5 and the extracted value is a real witness as well.
Next, we modify the protocol rNMZK into a protocol rNMZK_{F} by replacing the pseudorandom function f_{s} with a truly random function F:{0,1}^{∗}→{0,1}^{l(n)}. Let \( \textsf {H}_{1}=\{\textsf {realview}_{F},\{\widetilde {w}_{i}\}_{i\in [m]}\} \) denote the combined view of \( \mathcal {A} \) in the real experiment of the protocol rNMZK_{F} and the values extracted by the committed-value oracle. It then follows from the security of the pseudorandom function that the view and the values extracted from the oracle are computationally indistinguishable in H_{0} and H_{1}. Otherwise, we can use the adversary to break the indistinguishability between the pseudorandom function family and the truly random function family.
Next, we construct our simulator \( \hat {\textsf {S}} \) based on the simulator S in “The view generated by the simulator” section. We need \( \hat {\textsf {S}} \) to be able to emulate the execution for the man-in-the-middle and resetting adversary \( \mathcal {A} \) in the protocol rNMZK_{F}. For the adversary \( \mathcal {A} \), we divide its resetting attack on the left into two cases. The first case is that the new first message m_{0} sent by \( \mathcal {A} \) is different from all the first messages in the previous sessions on the left. Because our protocol rNMZK_{F} uses the truly random function F, in this case we can treat it as a new session, and the simulator \( \hat {\textsf {S}} \) simulates the left and right interactions in the same manner as S. Additionally, when executing the resettably-sound ZK protocol part, the simulator \( \hat {\textsf {S}} \) acts as an honest verifier on the left. The second case is that the new first message m_{0} sent by \( \mathcal {A} \) has been sent in a previous session; then the simulator \( \hat {\textsf {S}} \) just resends the responses from its history records of the corresponding session. This is because, for a fixed truly random function F, the transcript of the whole session is fixed once the message m_{0} is fixed. Otherwise, we can use this experiment to break the binding property of the commitment scheme Com.
Let simview_{F} be the view of \( \mathcal {A} \) in the simulated experiment of the protocol rNMZK_{F} by the simulator \( \hat {\textsf {S}} \), and \( \{\widetilde {w}_{i}\}_{i\in [m]} \) be the values extracted by the committed-value oracle. It is easy to see that {simview_{F}} and {realview_{F}} are computationally indistinguishable; otherwise we can use this experiment to break the concurrent zero-knowledge of the protocol CNMZK. Now denote by \( \textsf {H}_{2} = \{\textsf {simview}_{F},\{\widetilde {w}_{i}\}_{i\in [m]}\} \) the combined view of \( \mathcal {A} \) in the simulate-and-extract experiment of the protocol rNMZK_{F}. As before, we can construct a series of hybrids as in “The witnesses output by the extractor” section to argue that the view and the values are indistinguishable in H_{2} and H_{1} by reducing to the security of the 4-robust one-one CCA-secure commitment scheme Com^{1:1} (the non-malleability w.r.t. itself or the 4-round WISSP).
More specifically, suppose that when the adversary \( \mathcal {A} \) completes the resetting attack against the prover, the total number of rounds of the left interactions is N^{′}, and w.l.o.g. we assume N^{′} is bounded by a fixed polynomial. For each i∈[N^{′}], define the simulator \( \hat {\textsf {S}}^{i} \) in which the first i communication rounds are simulated by simulator \( \hat {\textsf {S}} \) with pseudorandomness and the fake witness, and all later communication rounds j>i are simulated by simulator \( \hat {\textsf {S}} \) with true randomness and the true witnesses. We also define the simulator \( \hat {\textsf {S}}^{i}_{+} \), which proceeds identically to \( \hat {\textsf {S}}^{i} \) except that it simulates the ith round following the honest prover strategy using the real witness. Then, let us consider the following hybrid experiments. The experiment \( \hat {\textsf {H}}^{i} \left (\hat {\textsf {H}}_{+}^{i}\right)\) is the same as H_{2} except that the execution of \( \hat {\textsf {S}} \) is replaced with that of \( \hat {\textsf {S}}^{i}\left (\hat {\textsf {S}}^{i}_{+} \right) \). It is easy to see that the output of \( \hat {\textsf {H}}^{N'} \) is identical to the output of H_{2}, and the output of \( \hat {\textsf {H}}^{0} \) is identical to the real view of H_{1}.
Now, assume there exists a polynomial function p such that the resetting attacker \( \mathcal {A} \) cheats in one of the right sessions in the experiment H_{2} with probability 1/p(n). By this we mean that there exists a right session that is accepted and uses a different identity from all the left interactions in which \( \mathcal {A} \) fails to commit to a valid witness in Stage 5 with probability 1/p(n). Then H_{2} cannot extract the witness from this right session with probability 1/p(n) as well. However, we have that H_{1} can extract the witness from this right session except with negligible probability. Thus, by an averaging argument, there must exist an i such that the probability of cheating differs by at least an inverse-polynomial amount in the hybrids \( \hat {\textsf {H}}^{i} \) and \(\hat {\textsf {H}}_{+}^{i} \) or in the hybrids \( \hat {\textsf {H}}_{+}^{i}\) and \( \hat {\textsf {H}}^{i+1} \).
By the same analysis as before, the only difference between \( \hat {\textsf {H}}_{+}^{i}\) and \( \hat {\textsf {H}}^{i+1} \) is which randomness (true or pseudo) is used in the ith round of the left interaction, hence the two ensembles are computationally indistinguishable. On the other hand, the only difference between \( \hat {\textsf {H}}^{i} \) and \(\hat {\textsf {H}}_{+}^{i} \) is which witness (fake or real) is used in the ith round. The former uses a dummy string 0^{n} as the committed value of CCACom^{1:1}, followed by a WISSP for knowing the fake witness instead of the witness w_{i} of x_{i}; the latter acts as an honest prover holding a real witness w_{i} of x_{i}. If the gap is due to the committed value of CCACom^{1:1}, then we can use this gap to break the non-malleability w.r.t. itself of CCACom^{1:1}. If the gap is due to the witness used in the four-round WISSP of the left session, then we can use this gap to break the 4-robust CCA-security of CCACom^{1:1}. Hence, we obtain a contradiction.
Thus, we have that H_{2} is computationally indistinguishable from H_{1}. Recall that in the beginning we proved that H_{1}≈H_{0}, so we have that H_{2} is also computationally indistinguishable from H_{0}. Combining the above, we obtain that the protocol in Table 3 is resettable non-malleable zero-knowledge.
This concludes the proof of Lemma 2. □
Towards constant-round simultaneously-resettable NMZK
Towards constant-round simultaneously-resettable NMZK, we first transform the constant-round CNMZK protocol into a constant-round resettably-sound CNMZK (rsCNMZK) protocol, in a manner similar to the method of (Chongchitmate et al. 2017). More specifically, in each round, we let the verifier generate its randomness by applying a pseudorandom function f_{s}:{0,1}^{∗}→{0,1}^{l(n)} to its transcript so far. Additionally, we replace the ZK argument in Stage 4 with the constant-round rNMZK argument constructed in Table 3.
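The verifier-side change described above can be illustrated in code. The following is an added example, not code from the paper: HMAC-SHA256 stands in for the pseudorandom function f_{s}, and all names (`PrfVerifier`, `FixedTapeVerifier`, `reset_and_replay`), the 16-byte challenge length and the sample values are assumptions. It contrasts a verifier that reads its coins from a fixed tape with one that derives them from the transcript so far.

```python
import hashlib
import hmac


def encode_transcript(messages):
    """Injective encoding: prefix every message with its 4-byte length."""
    return b"".join(len(m).to_bytes(4, "big") + m for m in messages)


def prf(seed, data, out_len):
    """Stand-in for f_s: HMAC-SHA256 in counter mode, truncated to out_len bytes."""
    out, counter = b"", 0
    while len(out) < out_len:
        block = counter.to_bytes(4, "big") + data
        out += hmac.new(seed, block, hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


class FixedTapeVerifier:
    """Baseline: round k reads its coins from position k of a fixed random tape."""

    def __init__(self, tape):
        self.tape = tape

    def challenge(self, transcript, out_len=16):
        k = len(transcript) - 1  # index of the round being answered
        return self.tape[k * out_len:(k + 1) * out_len]


class PrfVerifier:
    """Transformed verifier: coins for each round are f_s(transcript so far)."""

    def __init__(self, seed):
        self.seed = seed

    def challenge(self, transcript, out_len=16):
        return prf(self.seed, encode_transcript(transcript), out_len)


def reset_and_replay(verifier, prefix, first_msg, second_msg):
    """Query after prefix + [first_msg], reset and repeat the query, then
    reset again and send a different message in the same position."""
    c1 = verifier.challenge(prefix + [first_msg])
    c2 = verifier.challenge(prefix + [first_msg])
    c3 = verifier.challenge(prefix + [second_msg])
    return c1, c2, c3


# Constructed sample values; a real verifier samples tape and seed at random.
TAPE = bytes(range(64))
SEED = b"\x01" * 32
PREFIX = [b"session-id-7"]
```

With the fixed tape, the challenge seen after a reset is the same even when the prover changes its preceding message; with the PRF-derived coins, any change to the transcript yields a challenge that is unrelated to the one seen before the reset.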
As the final step, to obtain Theorem 2, we apply the transformation of (Deng et al. 2009) (Theorem 6) to our constant-round rsCNMZK protocol to obtain constant-round simultaneously-resettable NMZK. This step can be proved by the same approach as in “The view generated by the simulator” section, based on the analysis of (Deng et al. 2009). Intuitively, on the one hand, a protocol with an extra resettably-sound property will not increase the power of the man-in-the-middle adversary on the right; on the other hand, for a man-in-the-middle adversary mounting a resetting attack on the left, we can construct a simulator-extractor to simulate its view and extract the witnesses in the accepted right session, since otherwise we can use this experiment to break the 4-robust one-one CCA-secure commitment scheme Com^{1:1}.
Combining “From concurrent NMZK to resettable NMZK” section and “Towards constantround simultaneouslyresettable NMZK” section, the constant-round simultaneously-resettable non-malleable zero-knowledge protocol follows.
This completes the proof of Theorem 2. □
Conclusions
In this paper, we provide the first construction of a constant-round concurrent non-malleable zero-knowledge argument for every language in NP and give a detailed proof for our protocol. Furthermore, by studying the composition of simultaneously resettable zero-knowledge and non-malleable zero-knowledge, we give the first construction of a constant-round simultaneously-resettable non-malleable zero-knowledge protocol. However, how to design a round-optimal concurrent non-malleable zero-knowledge argument remains an interesting question. We leave it as an open problem.
Notes
1. Here, P(x_{i},w_{i},r_{j},α) denotes the message sent by the strategy P on common input x_{i}, auxiliary input w_{i} and random-tape r_{j}, after seeing the message-sequence α.
2. Here, V(x,r_{j},α) denotes the message sent by the strategy V on common input x, random-tape r_{j}, after seeing the message-sequence α.
References
Barak, B (2001) How to go beyond the black-box simulation barrier. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS, 106–115. IEEE Computer Society, Las Vegas. https://doi.org/10.1109/SFCS.2001.959885.
Barak, B, Goldreich O, Goldwasser S, Lindell Y (2001) Resettably-sound zero-knowledge and its applications. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS, 116–125. IEEE Computer Society, Las Vegas. https://doi.org/10.1109/SFCS.2001.959886.
Barak, B, Goldreich O, Impagliazzo R, Rudich S, Sahai A, Vadhan SP, Yang K (2001) On the (im)possibility of obfuscating programs. In: Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Proceedings, 1–18. Springer, Santa Barbara. https://doi.org/10.1007/3540446478_1.
Barak, B, Prabhakaran M, Sahai A (2006) Concurrent non-malleable zero knowledge. In: 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2006), Proceedings, 345–354. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2006.21.
Bellare, M, Yee BS (2003) Forward-security in private-key cryptography. In: Topics in Cryptology - CT-RSA 2003, The Cryptographers’ Track at the RSA Conference, Proceedings, 1–18. Springer, San Francisco. https://doi.org/10.1007/354036563X_1.
Bitansky, N, Paneth O (2015) On non-black-box simulation and the impossibility of approximate obfuscation. SIAM J Comput 44(5):1325–1383.
Boyle, E, Chung K, Pass R (2014) On extractability obfuscation. In: Theory of Cryptography - 11th Theory of Cryptography Conference, TCC. Proceedings, 52–73. Springer, San Diego. https://doi.org/10.1007/9783642542428_3.
Canetti, R, Goldreich O, Goldwasser S, Micali S (2000) Resettable zero-knowledge (extended abstract). In: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, 235–244. ACM, Portland. https://doi.acm.org/10.1145/335305.335334.
Canetti, R, Kilian J, Petrank E, Rosen A (2001) Black-box concurrent zero-knowledge requires omega~(log n) rounds. In: Proceedings on 33rd Annual ACM Symposium on Theory of Computing, STOC, 570–579. ACM, Heraklion. http://doi.acm.org/10.1145/380752.380852.
Canetti, R, Lin H, Paneth O (2013) Public-coin concurrent zero-knowledge in the global hash model. In: Theory of Cryptography - 10th Theory of Cryptography Conference, TCC. Proceedings, 80–99. Springer, Tokyo. https://doi.org/10.1007/9783642365942_5.
Canetti, R, Lin H, Pass R (2010) Adaptive hardness and composable security in the plain model from standard assumptions. In: 51th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 541–550. IEEE Computer Society, Las Vegas. https://doi.org/10.1109/FOCS.2010.86.
Cho, C, Ostrovsky R, Scafuro A, Visconti I (2012) Simultaneously resettable arguments of knowledge. In: Theory of Cryptography - 9th Theory of Cryptography Conference, TCC. Proceedings, 530–547. Springer, Taormina. https://doi.org/10.1007/9783642289149_30.
Chongchitmate, W, Ostrovsky R, Visconti I (2017) Resettably-sound resettable zero knowledge in constant rounds. In: Theory of Cryptography - 15th International Conference, TCC, Proceedings, Part II, 111–138. Springer, Baltimore. https://doi.org/10.1007/9783319705033_4.
Chung, KM, Lin H, Pass R (2013) Constant-round concurrent zero knowledge from P-certificates. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 50–59. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2013.14.
Chung, KM, Lin H, Pass R (2015) Constant-round concurrent zero-knowledge from indistinguishability obfuscation. In: Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Proceedings, Part I, 287–307. Springer, Santa Barbara. https://doi.org/10.1007/9783662479896_14.
Chung, KM, Ostrovsky R, Pass R, Venkitasubramaniam M, Visconti I (2014) 4-round resettably-sound zero knowledge. In: Theory of Cryptography - 11th Theory of Cryptography Conference, TCC. Proceedings, 192–216. Springer, San Diego. https://doi.org/10.1007/9783642542428_9.
Chung, KM, Ostrovsky R, Pass R, Visconti I (2013a) Simultaneous resettability from one-way functions. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 60–69. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2013.15.
Chung, KM, Pass R, Seth K (2013b) Non-black-box simulation from one-way functions and applications to resettable security. In: Symposium on Theory of Computing Conference, STOC’13, 231–240. ACM, Palo Alto. http://doi.acm.org/10.1145/2488608.2488638.
Ciampi, M, Ostrovsky R, Siniscalchi L, Visconti I (2016) Concurrent non-malleable commitments (and more) in 3 rounds. In: Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Proceedings, Part III, 270–299. Springer, Santa Barbara. https://doi.org/10.1007/9783662530153_10.
Deng, Y, Goyal V, Sahai A (2009) Resolving the simultaneous resettability conjecture and a new non-black-box simulation strategy. In: 50th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 251–260. IEEE Computer Society, Atlanta. https://doi.org/10.1109/FOCS.2009.59.
Dolev, D, Dwork C, Naor M (2000) Nonmalleable cryptography. SIAM J Comput 30(2):391–437.
Dwork, C, Naor M, Sahai A (1998) Concurrent zero-knowledge. In: Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, STOC, 409–418. ACM, Dallas. http://doi.acm.org/10.1145/276698.276853.
Garg, S, Gentry C, Halevi S, Raykova M, Sahai A, Waters B (2013) Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 40–49. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2013.13.
Garg, S, Ostrovsky R, Visconti I, Wadia A (2012) Resettable statistical zero knowledge. In: Theory of Cryptography - 9th Theory of Cryptography Conference, TCC. Proceedings, 494–511. Springer, Taormina. https://doi.org/10.1007/9783642289149_28.
Goldwasser, S, Micali S, Rackoff C (1989) The knowledge complexity of interactive proof systems. SIAM J Comput 18(1):186–208. https://doi.org/10.1137/0218012.
Goyal, V, Lin H, Pandey O, Pass R, Sahai A (2015) Round-efficient concurrently composable secure computation via a robust extraction lemma. In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part I, 260–289. Springer, Warsaw. https://doi.org/10.1007/9783662464946_12.
Håstad, J, Impagliazzo R, Levin LA, Luby M (1999) A pseudorandom generator from any one-way function. SIAM J Comput 28(4):1364–1396.
Ishai, Y, Pandey O, Sahai A (2015) Public-coin differing-inputs obfuscation and its applications. In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part II, 668–697. Springer, Warsaw. https://doi.org/10.1007/9783662464977_26.
Khurana, D, Sahai A (2017) How to achieve non-malleability in one or two rounds. In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS, 564–575. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2017.58.
Kilian, J, Petrank E, Rackoff C (1998) Lower bounds for zero knowledge on the internet. In: 39th Annual Symposium on Foundations of Computer Science, FOCS ’98, 484–492. IEEE Computer Society, Palo Alto. https://doi.org/10.1109/SFCS.1998.743499.
Kiyoshima, S (2014) Round-efficient black-box construction of composable multi-party computation. In: Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Proceedings, Part II, 351–368. Springer, Santa Barbara. https://doi.org/10.1007/9783662443811_20.
Kiyoshima, S (2015) An alternative approach to non-black-box simulation in fully concurrent setting. In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part I, 290–318. Springer, Warsaw. https://doi.org/10.1007/9783662464946_13.
Lin, H, Pass R (2009) Non-malleability amplification. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC, 189–198. ACM, Bethesda. http://doi.acm.org/10.1145/1536414.1536442.
Lin, H, Pass R (2011) Concurrent non-malleable zero knowledge with adaptive inputs. In: Theory of Cryptography - 8th Theory of Cryptography Conference, TCC. Proceedings, 274–292. Springer, Providence. https://doi.org/10.1007/9783642195716_17.
Lin, H, Pass R (2012) Black-box constructions of composable protocols without setup. In: Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference. Proceedings, 461–478. Springer, Santa Barbara. https://doi.org/10.1007/9783642320095_27.
Lin, H, Pass R, Soni P (2017) Two-round and non-interactive concurrent non-malleable commitments from time-lock puzzles. In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS, 576–587. IEEE Computer Society, Berkeley. https://doi.org/10.1109/FOCS.2017.59.
Lin, H, Pass R, Tseng WD, Venkitasubramaniam M (2010) Concurrent non-malleable zero knowledge proofs. In: Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference. Proceedings, 429–446. Springer, Santa Barbara. https://doi.org/10.1007/9783642146237_23.
Lin, H, Pass R, Venkitasubramaniam M (2008) Concurrent non-malleable commitments from any one-way function. In: Theory of Cryptography, Fifth Theory of Cryptography Conference, TCC, 571–588. Springer, New York. https://doi.org/10.1007/9783540785248_31.
Micciancio, D, Ong SJ, Sahai A, Vadhan S (2006) Concurrent zero knowledge without complexity assumptions. In: Theory of Cryptography, Third Theory of Cryptography Conference, TCC, Proceedings, 1–20. Springer, New York. https://doi.org/10.1007/11681878_1.
Orlandi, C, Ostrovsky R, Rao V, Sahai A, Visconti I (2014) Statistical concurrent non-malleable zero knowledge. In: Theory of Cryptography - 11th Theory of Cryptography Conference, TCC. Proceedings, 167–191. Springer, San Diego. https://doi.org/10.1007/9783642542428_8.
Ostrovsky, R, Pandey O, Visconti I (2010) Efficiency preserving transformations for concurrent non-malleable zero knowledge. In: Theory of Cryptography, 7th Theory of Cryptography Conference, TCC. Proceedings, 535–552. Springer, Zurich. https://doi.org/10.1007/9783642117992_32.
Ostrovsky, R, Persiano G, Visconti I (2008) Constant-round concurrent non-malleable zero knowledge in the bare public-key model. In: Automata, Languages and Programming, 35th International Colloquium, ICALP, Proceedings, 548–559. Springer, Reykjavik. https://doi.org/10.1007/9783540705833_45.
Ostrovsky, R, Scafuro A, Venkitasubramaniam M (2015) Resettably sound zero-knowledge arguments from OWFs - the (semi) black-box way. In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part I. Springer, Warsaw. https://doi.org/10.1007/9783662464946_15.
Pandey, O, Prabhakaran M, Sahai A (2015) Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP. In: Theory of Cryptography - 12th Theory of Cryptography Conference, TCC, Proceedings, Part II, 638–667. Springer, Warsaw. https://doi.org/10.1007/9783662464977_25.
Pass, R, Rosen A (2005) Concurrent non-malleable commitments. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2005), Proceedings, 563–572. IEEE Computer Society, Pittsburgh. https://doi.org/10.1109/SFCS.2005.27.
Rosen, A (2000) A note on the round-complexity of concurrent zero-knowledge. In: Advances in Cryptology - CRYPTO 2000, 20th Annual International Cryptology Conference, Proceedings, 451–468. Springer, Santa Barbara. https://doi.org/10.1007/3540445986_28.
Acknowledgments
This work was supported in part by the National Natural Science Foundation of China (Grant No. 61772521), Key Research Program of Frontier Sciences, CAS (QYZDBSSWSYS035), and the Open Project Program of the State Key Laboratory of Cryptology. The first author wants to thank Yiwen Gao for making useful comments on the paper.
Author information
Contributions
All authors read and approved the final manuscript.
Corresponding author
Correspondence to Yi Deng.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Keywords
 Zero-knowledge
 Concurrent non-malleable zero-knowledge
 Simultaneously resettable zero-knowledge
 Concurrent security computation