Zero-knowledge proof systems were introduced by Goldwasser, Micali and Rackofi in (1989). Informally, an interactive proof protocol is zero-knowledge if the prover can convince the verifier that a statement is true without revealing any information other than the fact itself. With such an intriguing nature, zero-knowledge proof has played a central role in the design and study of cryptographic protocols. The notion of *concurrent* zero knowledge(CZK) was first introduced by Dwork, Naor and Sahai (1998) to consider that many copies of the zero-knowledge protocol are executed simultaneously in an *asynchronous* network, where messages from different copies may be arbitrarily interleaved by the verifier. The notion of *non-malleable* zero knowledge(NMZK) was first introduced by Dolev, Dwork and Naor (2000) to consider the execution of zero-knowledge protocol in the setting where the *man-in-the-middle* adversary interacts with an honest prover in the left session and an honest verifier in the right session.

**Concurrent Non-malleable Zero-Knowledge.** By combining the *concurrent zero-knowledge* with the security against *man-in-the-middle* adversaries, Barak, Prabhakaran and Sahai (2006) introduced a stronger form of zero knowledge referred to as *concurrent non-malleable zero knowledge* (CNMZK). In such protocol, the adversary can complete control over the communication channel and participate in an *unbounded* number of concurrent executions. It guarantees that the proofs in the left sessions does not help the adversary to give proofs in the right sessions.

After the original protocol by (Barak et al. 2006), various other *concurrent non-malleable* ZK protocols have been obtained (Ostrovsky et al. 2008, 2010; Lin et al. 2010; Lin and Pass 2011; Orlandi et al. 2014; Kiyoshima 2015). Lin, Pass, Tseng and Venkitasubramaniam (2010) focused on enhancing the soundness property by combining the notation of *robust* non-malleable commitments introduced by Lin et al. (2009) with the *concurrently extractable* commitments (CECom) introduced by Micciancio et al. (2006). They showed a poly(*n*)-round CNMZK*proof* for all of **NP** based on *one way function* assumption and a \( \widetilde {O}(log(n)) \)-round protocol based on the existence of *collision resistant hash-functions*(CRHFs). Recently, Orlandi et al. (2014) achieved the first *statistical*CNMZK*argument system*. In their protocol, they used a special kind of commitment scheme called “*mixed non-malleable commitment*” scheme based on the DDH assumptions. Very recently, Kiyoshima (2015) achieved a poly(*n*) rounds *statistical*CNMZK*argument system* only assuming the existence of *one-way functions*. In their protocol, instead of using a non-malleable commitment to commit the real witness (see (Barak et al. 2006; Lin et al. 2010)), they used a constant-round *k-robust one-one CCA-secure* commitment (Canetti et al. 2010; Lin and Pass 2012; Kiyoshima 2014; Goyal et al. 2015) to commit a random string (e.g., 0^{n}).

However, we observe that the round complexity of all the above protocols based on the standard assumptions is at least \( \widetilde {O}(\log n) \) rounds. Indeed, in the standard model without set-up assumptions, Canetti, Kilian, Petrank and Rosen (2001) based on earlier works by (Kilian et al. 1998; Rosen 2000) have showed that any *black-box concurrent* zero-knowledge protocol require at least \(\widetilde {\Omega }(\log n)\) rounds. It can be observed that the lower bound also holds for the *black-box concurrent non-malleable* zero-knowledge protocol. A breakthrough work was made by Barak in (2001), he proposed the first *non-black-box* simulation techniques and constructed the first *constant-round bounded*CZK*argument system* assuming the existence of CRHFs. Recently, Pandey, Prabhakaran and Sahai (2015) showed a new *non-black-box* simulation technique independent of the PCP theorem and constructed a 4-round CZK*argument system* based on the existence of CRHFs and *differing-input obfuscation* (**diO**)(Barak et al. 2001; Boyle et al. 2014; Ishai et al. 2015). Very recently, Chung, Lin and Pass (2015) achieved *constant-round*CZK with *non-uniform* soundness assuming the existence of CRHFs, OWP and iO (Barak et al. 2001; Garg et al. 2013) for **P**/poly. We stress that Ostrovsky, Persiano and Visconti in (2008) have showed a *constant-round concurrent non-malleable* zero-knowledge argument system for **NP** in the Bare Public-Key model. However, in this model each verifier have to register the *public key* in a public file during a *preprocessing stage* and the *secret key* is known only to itself. Thus, one natural question we ask in this work is:

*Whether a constant rounds concurrent non-malleable zero-knowledge protocol in the standard model can be obtained*?

**Simultaneous Resettable Zero-Knowledge.** The notion of *resettable zero-knowledge* (rZK) was first introduced by Canetti, Goldreich, Goldwasser and Micali (2000). It requires the zero-knowledge condition holds even when the verifier can reset the prover to reuse the previous randomness. From the definition, we can see that the security of *resettable zero-knowledge* is stronger than that of *concurrent zero-knowledge*, because a resetting verifier could emulate any *concurrent attack* in the CZK protocol. Subsequently, Barak, Goldreich, Goldwasser and Lindell (2001) introduced the notion of *resettably-sound* zero-knowledge (rsZK). It requires the *soundness* condition holds even when the prover can reset the verifier to use the *same* random tape in multiple concurrent executions. Following the two works above, a number of works have investigated the resettable security in zero-knowledge protocols (Deng et al. 2009; Cho et al. 2012; Garg et al. 2012; Chung et al. 2013b, 2014; Bitansky and Paneth 2015; Ostrovsky et al. 2015), which focused on either reducing the complexity assumptions or reducing the round complexity and so on. Recently, Chung et al. (2013a) presented a construction of the *simultaneous resettable* zero-knowledge protocol with polynomial rounds based on the minimal assumption of *one-way functions*. Very recently, Chongchitmate et al. (2017) showed a *constant-round simultaneous resettable zero-knowledge argument system* based on the work of Chung et al. (2015). Thus, another question in this work is:

*Whether a constant rounds interactive protocol can be both simultaneous resettable zero-knowledge and non-malleable zero-knowledge*?

### Our results

In this paper, we combine the forementioned approaches and answer the above question positively. In the main result, we construct the first *constant-round non-malleable concurrent* zero-knowledge argument system.

###
**Theorem 1**

Assuming the existence of collision-resistant hash functions, one-way permutations and **iO** for **P**/poly (with *slightly* super-polynomial security), there exists a constant-round concurrent non-malleable zero-knowledge argument system for **NP**.

Our additional contribution is that by combining our CNMZK argument system with the approach of (Chongchitmate et al. 2017) and (Deng et al. 2009), we get the first *constant-round simultaneously resettable and non-malleable* zero-knowledge protocol.

###
**Theorem 2**

Assuming the existence of collision-resistant hash functions, one-way permutations and **iO** for **P**/poly (with *slightly* super-polynomial security), there exists a constant-round simultaneously resettable and non-malleable zero-knowledge argument system for **NP**.

### Our techniques

Below, we first recall the techniques in (Barak 2001; Chung et al. 2015; Kiyoshima 2015) and then give an overview of our construction approach.

**Barak’s protocol.** Barak’s non-black-box zero-knowledge argument system consists of three stages. In stage 1, the verifier *V* chooses a hash function \( h \xleftarrow {R} \mathcal {H}\) and sends it to the prover *P*, where \( \mathcal {H} \) is a *collision-resistant hash function family*. In stage 2, *P* sends a commitment *c*←Com(0^{n},*ρ*) to *V*, where Com is a *statistically binding* commitment scheme; then *V* responds with a random string *r*∈{0,1}^{2n} to *P*. In stage 3, *P* and *V* start a *witness-indistinguishable universal argument*(WIUA) system where *P* proves to *V* that there exists *x*∈*L* or (*h*,*c*,*r*)∈*Λ*. The language *Λ* is defined as (*h*,*c*,*r*)∈*Λ* iff there exists a program *Π* such that *c*=Com(*h*(*Π*),*ρ*) and *Π* on input *c* can output *r* within *n*^{log logn} steps.

The soundness of Barak’s protocol follows from the fact that even if a malicious prover *P*^{∗} tries to commit to some program *Π* (instead of committing to 0^{n}), with a high probability, the output of *Π*(*c*) will be different from the string *r* sent by *V* for every string *r*∈{0,1}^{2n}. To prove zero knowledge, just use the code of the malicious verifier *V*^{∗} as trapdoor in stage 2. By the definition of the language *Λ*, it must holds that *c*=Com(*h*(*Π*))=Com(*h*(*V*^{∗})) and *Π*(*c*)=*V*^{∗}(*c*)=*r*.

**Chung et al.’s constant-round CZK protocol.** In (Chung et al. 2013), Chung et.al presented a **P**-certificates assumption for the language *L*_{c}∈**P** where *L*_{c}={(*M*,*x*,*y*):*M*(*x*)=*y* within |*x*|^{c} steps}. In a **P**-certificate system, an *efficient* prover can generate a *short* certificate *π* of a *fixed* polynomial length (*independent* of the *running-time* and *size* of *M*) for a tuple (*M*,*x*,*y*) in a *prior bounded* polynomial time in |*x*|^{c}. By using *π* the verifier can check the validity of the *deterministic* polynomial-time computation *M*(*x*)=*y* in some *fixed* polynomial time (*independent* of the *running-time* of *M*). Such proof system has two salient features, i.e., the “non-interactivity” and “succinctness”, which guarantee the simulator can *reuse the same certificate* in many nested sessions and *amortize* the cost of generating WIUA proof. We stress that this is essentially to overcome the exponentially blow-up problem in the running time of the concurrent simulation. Based on the Barak’s non-black-box zero-knowledge protocol, they modified the part of the stage 3 and defined a new language *Λ*. More specifically, they defined that a statement (*h*,*c*,*r*)∈*Λ* iff there exists a program *M*, a certificate *π*, a vector *λ*=((1,*π*_{1}),(2,*π*_{2})⋯) and a vector \( \overrightarrow {m} \) such that *c*=Com(*h*(*M*)), *π* is a proof for *M*(*λ*)=*r* and each *π*_{j} certifies that *M*(*λ*_{<j}) outputs *m*_{j} in its *j*-th communication round (where *λ*_{<j}=((1,*π*_{1}),(2,*π*_{2})⋯(*j*−1,*π*_{j−1}))).

The soundness can be obtained as follows. Roughly speaking, from the *statistically binding* property of the Com, for every commitment *c* (i.e., *m*_{1}), there exists a prior fixed *deterministic* polynomial-time program *M*. By the *unique* certificate property of the **P**-certificate, we can infer that the certificate *π*_{1} for *M*(·)=*m*_{1} is also *uniquely* defined. Due to the same analysis, we can conclude that for every *j*>1, *m*_{j} is *uniquely* defined. Thus, also the *unique* (accepting) certificate *π*_{j} certifying *M*(*λ*_{<j})=*m*_{j}. That is, there is a *unique* valid vector *λ* for program *M*, so there exists a single *r* satisfied the computation *M*(*λ*)=*r*. From the soundness of the previous Barak’s protocol (Barak 2001), we can obtain that, with a high probability, the string *r* sent by *V* will be different from *M*(*λ*) for every string *r*∈{0,1}^{4n}.

To prove the zero-knowledge, the key difference from Barak’s protocol is that each certificate *π*_{i} generated during construct the WIUA proofs in stage 3 of a session, can be reused as a part of the input witness *λ*=((1,*π*_{1}),(2,*π*_{2})⋯) for the subsequent sessions that contains this session. Thus, *the only expensive part* of the generation of the WIUA in each session is *the generation of the* *P*-*certificates π*, which can be generated in a *prior bounded polynomial time* for the following reasons. Recall that when arriving at the point of stage 3, the simulator S has emulated the partial execution of *M* and outputted the message *r*. We assume that the time spent in this part is bounded by |*x*|^{c} for some constant \( c \in \mathbb {N} \), where *x* is the statement *M*(*λ*)=*r*. Then the *certificate* *π* for this part computation can be implemented in polynomial time in |*x*|^{c} by the **P**-certificates system. So the whole simulation can be finished in polynomial time, we refer the reader to (Chung et al. 2015) for more detail about this part.

**Our Approach on CNMZK.** Our protocol attempts to combine the constant-round CZK techniques and the previous CNMZK techniques together. Compared with the work of (Kiyoshima 2015; Lin et al. 2010), we use the *non-black-box* techniques to reduce the round complexity.

Recall that the definition of *standalone*NMZK requires the existence of a simulator-extractor SE that can simulate the view of a *man-in-the-middle* adversary \( \mathcal {A} \) while simultaneously extracting the witnesses for the statements proved by the adversary in the right interaction. On the high level, in order to satisfy this definition, the traditional method is that the verifier commits a trapdoor in the first stage, and then the prover uses a *non-malleable* commitment to commit the real witness, finally the prover uses the WIAOK protocol to prove that it either committed a real witness or known the trapdoor. So when considering the CNMZK protocols, intuitively, we need the prover to use a *concurrent non-malleable* commitment scheme (Pass and Rosen 2005; Lin et al. 2008, 2017; Ciampi et al. 2016; Khurana and Sahai 2017) to commit the real witness. However, we note that this is not necessary, as described in (Barak et al. 2006), since we only need to prove that the adversary still commits the real witness in each session rather than all the right sessions together. That is stand-alone non-malleable commitment is sufficient for our purpose.

By the definition of CNMZK, the crux of the proof is to show that even during simulation, when the simulator commits a fake witness (instead of real witnesses) in left interactions, the *man-in-the-middle* adversary \( \mathcal {A} \) still cannot change its committed values in right interactions. The most delicate part of the proof is that we need to consider the mutual influence on the both sides of the rewinds when extract the trapdoors in the left and the witnesses in the right. That is we should carefully design a series of hybrids to argument the rewinds do not affect the reduction of the *concurrent non-malleability* of our zero-knowledge protocol to *(non-concurrent) non-malleability* of the commitment scheme.

In the previous protocol (Lin et al. 2010), they used a special skill to reduce the difficulty of the proof. More specifically, the prover first uses a non-malleable commitment scheme with a *robust* property to commit to a witness *w**twice* (sequentially), and then they designed a series of hybrids to show that the adversary must commit the valid witness (except with a negligible probability) in each case. Otherwise, they can use the adversary to break the non-malleable property with respect to itself or the non-malleable property w.r.t. *k*-round protocols. In the protocol (Kiyoshima 2015), because their goal is to implement a *statistically*CNMZK argument system, instead of using a non-malleable commitment to commit the witness, they commit a random string (e.g., 0^{n}). Thus, in their simulation-extractability proof, they can not directly use the *extractability* of the commitment scheme, instead they have to rewind the sWIAOK proof to extract the witness in the right. Their proof strategy is that assume there exists an adversary which can extract a fake witness in the right, then they can give a series of indistinguishable hybrids to show that even the simulator in the right interaction (act as an honest verifier) just send a commitment with the value 0^{n}, the adversary still can extract this fake witness, this is a contradiction.

Because our goal is to construct the *constant-round concurrent non-malleable* zero-knowledge protocol, so the non-malleable commitment scheme should be constant rounds, here we use the *constant-round**4-robust one-one CCA-secure* commitment scheme which first appeared in (Kiyoshima 2015) based Canetti et al. (2010). Such commitment scheme can be based on the minimum assumption of the existence of *one way functions*. The difference from (Kiyoshima 2015) is that our protocol use the CCA-secure commitment scheme to commit the witness not the *random* string.

More specifically, the commitment scheme we use has a salient feature, i.e., its security can be guaranteed even the adversaries have access to the *committed-value oracle* in the right. This advantage brings us the convenience in designing the hybrids since we need not consider the impact on the left side when we do oracle access to the committed-value oracle in the right sessions. Indeed, in our final proof, we use an opposite argument which is essentially the same. Roughly speaking, we consider the following hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), where the former simulator-extractor SE uses the “fake” witness in the *i*-th left session and the later simulator-extractor SE uses the real witness in the *i*-th left session, while allowing both SE to access the committed oracle \( \mathcal {O} \). If the adversary \( \mathcal {A} \) can convince the verifier accept a right session and uses a different identity from all the left sessions, then from the soundness of the WIAOK and the binding property of the commitment, the *one-one CCA* commitment of this right session must commit a right witness *except with a negligible probability*. Now we can forward it to the external *committed-value oracle* and obtain its commit value. Next assume there exists an adversary \( \mathcal {A} \) which can distinguish the two simulator-extractor \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \), then we can use such adversary to break the *witness indistinguishability* of the 4-round WISSP or the *k-robust CCA security*. This gives a contradiction, thus each hybrids \( \textsf {SE}^{\mathcal {O}}_{i} \) and \( \textsf {SE}^{\mathcal {O}}_{i+} \) are indistinguishable and we can claim that our protocol is *concurrent non-malleable zero-knowledge argument*. The more details proofs are given in “Constant-round concurrent non-malleable zero-knowledge” section. Since we only add a *constant-round* commitment on the original *constant-round*CZK, the whole protocol also a *constant-round* protocol, so we can draw the conclusion given in Theorem 1.

**Towards Simultaneously-Resettable NMZK.** Let us turn to the second question namely the *simultaneously-resettable non-malleable zero-knowledge argument system*. The formal definition is somewhat complicated and will be given in the “Simultaneously-resettable and non-malleable zero-knowledge” section. Roughly speaking, the protocol need to satisfy the *non-malleable* security even if the *man-in-the-middle* adversary \( \mathcal {A} \) can reset the prover to have several interactions in the left, at the same time, \( \mathcal {A} \) can reset the verifier to have multiple interactions in the right. Thus, all the previous protocols will not satisfy our new security requirements, our solution is to enhance the recently result of Chongchitmate et al. (2017) in the following.

In (Chongchitmate et al. 2017) they given a *constant-round simultaneously-resettable zero-knowledge argument system*. More specifically, they first gave a transformation from any *ℓ*-round CZK*argument system* to *O*(*ℓ*)-round *resettable zero-knowledge argument*. Then they can achieve a *resettably-sound concurrent* zero-knowledge argument(rsCZK) by plugging a *constant-round*rZK into a *constant-round*CZK system. Finally, following the general transformation of (Deng et al. 2009), they obtained a *simultaneously-resettable* ZK protocol. We stress that, to the best of our knowledge, this transformation is the most direct route to achieve *simultaneously-resettable* zero-knowledge argument system (see also (Bitansky and Paneth 2015; Chung et al. 2013a; Canetti et al. 2013)). In this paper, we observe that this construction actually preserves non-malleability: If the original protocol is a *constant-round concurrent non-malleable* zero-knowledge argument system, then the new one is a *constant-round resettably-sound concurrent non-malleable* zero-knowledge argument. Further, by applying a combination of the transformations in (Deng et al. 2009), we can achieve a *constant-round simultaneously-resettable*NMZK, thus we can draw the conclusion given in Theorem 2.

### Organization

The rest of this paper is organized as follows. Some necessary preliminaries and security notion are given in “Preliminary” section. The concrete construction and the security analysis for *constant-round*CNMZK*argument system* are described in “Constant-round concurrent non-malleable zero-knowledge” section. Finally, we show how to use our CNMZK*argument system* to construct the *constant-round simultaneously-resettable non-malleable*ZK*argument system* in “Simultaneously-resettable and non-malleable zero-knowledge” section.