1 Introduction

Private randomness is essential for many cryptographic tasks, including zero-knowledge (ZK) proofs [24]. A natural question regards the possibility of having ZK proofs in applications where the computing machine is stateless and not equipped with a continuous source of randomness.

Resettable zero knowledge. The above question was put forth by Canetti et al. [8]. In particular, they considered a cheating verifier that mounts a reset attack, where provers are forced to execute the protocol multiple times possibly on the same inputs and random tapes, and without the ability to maintain states between executions. These attacks include the case of stateless provers, as well as provers implemented by devices that can physically be restored to their original states (e.g., through cloning, battery replacement).

More specifically, in [8], Canetti et al. introduced the notion of resettable zero knowledge (rZK), in which the zero-knowledge property is required to hold even against cheating verifiers that can reset the provers to the initial states therefore forcing them to play again with the same randomnesses. This notion is closely related to concurrent zero knowledge (cZK) proposed earlier by Dwork et al. [19] where a cheating verifier can engage in multiple possibly interleaving concurrent executions (called sessions) of the protocol. rZK is at least as hard to achieve as cZK since a resetting cheating verifier through specific reset strategies can emulate interleaving concurrent executions. In [21] Garg et al. showed that resettable statistical zero knowledge is possible for several interesting languages.

Round complexity of cZK and rZK. Constant-round cZK under plausible hardness assumptions has been a long-standing challenging open question that received a positive answer in the work of Chung et al. [11] by means of indistinguishability obfuscation (\(i\mathcal {O}\)) [11]. Instead the situation for rZK is worse. Canetti et al. in [8] constructed rZK proofs in the standard model relying on standard cryptographic assumptions but with polynomial round complexityFootnote 1.

The round complexity was then improved to poly-logarithmic in [29]. The state of affair leaves the following open problem.

Open Problem 1: is there a construction for rZK with sub-logarithmic rounds?

Resettably-sound zero knowledge. Barak et al. [3] considered the natural opposite setting, called resettably-sound zero knowledge (rsZK) arguments, where soundness is required to hold even against cheating provers that can reset the verifiers forcing them to re-use the same random tapes. The standard zero-knowledge property remains untouched. They showed a constant-round construction assuming collision-resistant hash functions. The recent work of [12] reached optimal round complexity and assumptions (i.e., 4 rounds and one-way functions).

The simultaneous resettability conjecture. Barak et al. in [3] conjectured the existence of a zero-knowledge argument that is secure simultaneously against resetting verifiers and against resetting provers: a resettably-sound resettable zero-knowledge argument system. The conjecture was proven true by Deng et al. [15] that presented a construction with a polynomial number of rounds and assuming collision-resistant hash functions and trapdoor permutations. The computational assumptions have been improved to one-way functions [4, 5, 13, 14, 33], while the barrier of the polynomial round complexity has remained untouched so far.

Open Problem 2: is there a construction for resettably-sound rZK with sub-polynomial rounds?

We stress that by relaxing the security against resetting verifiers from zero knowledge to witness indistinguishability, then constant-round simultaneous resettability is possible. Indeed just 1 or 2 rounds (i.e., ZAPs) are needed to obtain proofs, and a larger constant number of rounds is sufficient to obtain arguments of knowledge [9].

1.1 Our Results

In this paper, we answer the above questions positively. In the main result we construct a constant-round simultaneous resettable zero-knowledge argument for \(\mathcal {NP}\). Our result requires the existence of families of collision-resistant hash functions, one-way permutations and indistinguishability obfuscation (\(i\mathcal {O}\)) for \(\mathcal {P}/\mathtt{{poly}}\) (with slightly super-polynomial security). These assumptions are the same as the ones in [11] that showed a constant-round concurrent zero-knowledge argument for \(\mathcal {NP}\). Our result makes uses of the protocol of [11] twice in some nested way. More precisely, the first time we use the protocol of [11] \(\varGamma \) is to obtain a constant-round rZK argument \(\varLambda \). Then we start again with \(\varGamma \) and we modify it by using \(\varLambda \) (that is a modification of \(\varGamma \)) as subprotocol in the opposite direction (i.e., the verifier will prove something to the prover). Therefore we roughly use the protocol of [11] against the protocol of [11] which is somehow intriguing. This nested use of the protocol of [11] allows us to obtain a constant-round resettably-sound concurrent zero-knowledge argument \(\varDelta \). We can then apply a compiler due to [15] to \(\varDelta \) therefore obtaining our main argument system \(\varPi \) that is secure simultaneously against resetting provers and resetting verifiers needing only a constant number of rounds.

We now give our formal theorems that specify the precise complexity assumptions.

Theorem 1

Assuming the existence of one-way functions, than any \(\ell \)-round concurrent zero-knowledge argument system can be transformed in a \(\mathcal {O}(\ell )\)-round resettable zero-knowledge argument system.

Theorem 2

Assuming the existence of collision-resistant hash functions, one-way permutations and indistinguishability obfuscation for \(\mathcal {P}/\mathtt{{poly}}\) (with slightly super-polynomial security), there exists a constant-round resettably-sound resettable zero-knowledge argument system for \(\mathcal {NP}\).

1.2 Main Tools and Our New Techniques

Our constructions rely on new ideas as well as a combined use of several techniques used in previous results on concurrent, resettable and resettably-sound zero knowledge. We start by briefly describing the important tools that we use along with our new techniques for our constructions.

Barak’s non-black-block protocol. The starting point is Barak’s non-black-box zero-knowledge argument for \(\mathcal {NP}\) [1] that works as follows. The prover P sends a commitment \(c \in \{0,1\}^n\) of 0 to the verifier V. The verifier V then sends a uniformly generated random string \(r \in \{0,1\}^{2n}\). Finally, the prover gives a witness-indistinguishable universal argument (WIUA) that \(x \in L\) or there exists \(\sigma \in \{0,1\}^n\) such that c is a commitment of a program M such that \(M(\sigma ) = r\) Footnote 2. The soundness follows from the binding of the commitment scheme and the soundness of the WIUA as any program M committed by the cheating prover does not have r in its support with overwhelming probability. For the zero-knowledge property, the simulator uses the code of the adversary. Indeed it commits to a program M corresponding to the code of \(V^*\), the cheating verifier. Let \(\sigma \) be the commitment. We have that \(M(\sigma ) = r\) and \(\sigma \) is short compared to r.

Chung et al.’s constant-round cZK argument. In [11], Chung et al. construct a constant-round cZK argument by using unique \(\mathcal {P}\)-certificate systems [10] with delegatable CRS generation and \(i\mathcal {O}\). Informally, a \(\mathcal {P}\)-certificate system allows an efficient prover to convince a verifier of the validity of any deterministic polynomial-time computation \(M(x) = y\) using a certificate of fixed (polynomial) length, independent of the size and the running time of M. The verifier can also verify the certificate in fixed (polynomial) time, independent of the running time of M. In a \(\mathcal {P}\)-certificate system with delegatable CRS generation, the certificate is generated using a common reference string (CRS) that can be computed by using resources delegated by the verifier. More specifically, in this \(\mathcal {P}\)-certificate system, the \(\mathcal {P}\)-certificate verifier generates public and private parameters, PP and \(\kappa \), and sends PP to the \(\mathcal {P}\)-certificate prover. The \(\mathcal {P}\)-certificate prover uses the public parameter PP and the statement \(q=(M,x,y)\) to deterministically compute a short digest d, whose length is independent of the length of q, and sends it to the \(\mathcal {P}\)-certificate verifier. The \(\mathcal {P}\)-certificate verifier then computes the CRS from d and \(\kappa \). Finally, the \(\mathcal {P}\)-certificate prover computes the certificate from the CRS and q. The \(\mathcal {P}\)-certificate system is unique if there exists at most one accepted certificate for any statement and CRS.

The argument of [11] proceeds similarly to Barak’s argument with the following modifications. In the last step, instead of requiring the prover P to prove that \(x \in L\) or there exists \(\sigma \) such that c is a commitment to a program M such that \(M(\sigma ) = r\), the prover provides a special-sound witness-indistinguishability proof that \(x \in L\) or there exists a \(\mathcal {P}\)-certificate \(\pi \) which certifies that \(M(\sigma ) = r\) for some short string \(\sigma \). Additionally, P also commits and gives a WIUA proving that either \(x \in L\) or there exists a \(\mathcal {P}\)-certificate for the statement \(q = (M,\sigma ,r)\) before receiving the public parameter PP from V. Note that since the honest prover of the protocol in [11] has a witness for \(x \in L\), it can just ignore CRS, d and q, and simply commit to zeroes. In order to allow the zero-knowledge simulator (note that an honest prover will just use the witness for \(x\in L\)) to compute the CRS from d and \(\kappa \), the verifier sends an obfuscated program with \(\kappa \) embedded inside, that allows the simulator to compute CRS from d committed earlier. Finally, V also provides a zero-knowledge argument that the obfuscated program is computed correctly.

The simulator does not know a witness for \(x \in L\) but is instead able to commit to the code of the adversary. More formally, the simulator is divided in two parts: \(S_1\), which takes a \(\mathcal {P}\)-certificates \(\pi _i\) in the i-th round as an input, and interacts with the verifier \(V^*\), and \(S_2\) which, in the i-th round provides \(\mathcal {P}\)-certificates certifying that \(S_1\) on input \((1,\pi _1),\ldots ,(i-1,\pi _{i-1})\) outputs \(m_i\). Instead of committing to a program M, using the verifier \(V^*\)’s code, such that \(M(\sigma ) = r\) for some short string \(\sigma \), the simulator \(S = (S_1,S_2)\) commits to a program \(\widetilde{S}_1\). The program, on input \((1^n,j,s)\), runs an interaction between \(S_1\) and \(V^*\) for j rounds using s as a seed to generate pseudorandom coins while having an access to the oracle \(\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}\) which provides \(\mathcal {P}\)-certificates. This prevents the nesting of concurrent sessions which may result in the blow-up in the running time as the expensive part of S consists in generating the \(\mathcal {P}\)-certificates. The simulator of the protocol in [11] can therefore succeed in the special-sound witness-indistinguishability proof for the statement \(x \in L\) or there exists a \(\mathcal {P}\)-certificate \(\pi \) which certifies that \(\widetilde{S}_1^{\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}}(1^n,j,s) = r\) for some short string \((1^n,j,s)\) using the output from the oracle as a witness.

Deng, Goyal and Sahai’s transformation. In [15, 25], Deng et al. construct a hybrid resettably-sound and relaxed concurrent zero-knowledge argument \(\varPi _{DGS}\). Then they apply a series of transformations to achieve simultaneous resettability.

Relaxed concurrent zero knowledge allows verifiers to interact in multiple sessions with independent provers. However, the zero-knowledge property only guarantees for “relaxed” concurrent verifiers whose random coins are fixed in the beginning of each session, independently of sessions that start after that session. Note that any concurrent zero-knowledge argument/proof is also relaxed concurrent zero-knowledge as any relaxed concurrent verifier is also a concurrent verifier.

Hybrid resettable soundness means that the verifier can be separated into two parts, \(V_1\) and \(V_2\). \(V_1\) directly interacts with P, may relay some messages between P and \(V_2\), and can be reset by a cheating prover. \(V_2\) only interacts with \(V_1\), cannot be reset by a cheating prover, and is responsible to decide whether to “accept” or “reject” the argument. Moreover, for each determining message (the first message \(V_2\) receives in the protocol), P cannot find two different messages that P can convince \(V_1\) to pass to \(V_2\) in each round. We refer to [25] for a precise definition. Note that any resettably-sound argument is also hybrid resettably sound by letting \(V_1\) behave as V except that instead of accepting the argument, it sends a message to \(V_2\), and \(V_2\) always accepts the argument when it receives a message from \(V_1\).

The transformation of Deng et al. uses ZAPs and one-way functions to achieve simultaneous resettability and only increases the round complexity by a constant factor. However, the round complexity of \(\varPi _{DGS}\) is polynomial [15]. Thus, their simultaneously resettable argument system also requires polynomial rounds.

Inapplicability of the transformation of [15] to the construction of Chung et al. [11]. Intuitively, one may try to apply the transformation of [15] to the constant-round concurrent zero-knowledge argument in [11] to get simultaneous resettability. However, in order for the result of the transformation to be simultaneously resettable, it is required that the starting protocol be relaxed concurrent zero-knowledge and hybrid resettably sound. While the protocol in [11] is concurrent zero-knowledge, which implies that it is relaxed concurrent zero-knowledge, we argue that if the (non-resettable) ZK argument (proving that the obfuscated program is computed correctly) is not zero-knowledge against resetting verifiers, then the protocol can not be proved hybrid resettably sound. Two reasons follow below.

  1. 1.

    Suppose in the extreme case that there exists an adversarial resetting prover for the argument of [11] that runs a resetting adversary \(\mathcal {A}_{ZK}\) in the (non-resetting) zero-knowledge subprotocol in which the honest verifier proves that the obfuscated program is computed correctly. Remember that the zero-knowledge subprotocol could also be an argument of knowledge admitting a black-box (rewinding) extractor. By managing to run \(\mathcal {A}_{ZK}\), the adversarial resetting prover could succeed in extracting some relevant information (e.g., the secret parameter for \(\mathcal {P}\)-certificate CRS generation, that is used in the (non-resettable) ZK argument proven by the verifier to prover to guarantee the correctness of the obfuscated program). However, according to the definition of hybrid resettable soundness, we need to consider two separate parts of the verifier \(V = (V_1,V_2)\). One out of \(V_1\) and \(V_2\) will run as prover of the ZK argument proving that the obfuscated program is generated correctly. If the (non-resettable) ZK argument is played by \(V_1\) (as a prover), which can be reset, the malicious prover of the protocol in [11] can run \(\mathcal {A}_{ZK}\) to learn some relevant information (.e.g, the secret parameter), and this can potentially be used to generate a certificate for a false statement. On the other hand, if the (non-resettable) ZK argument is played by \(V_2\) (as a prover) then since the messages of the verifier of this argument are not fixed by a determining message in the protocol of [11], we have that \(V_2\) can receive two different messages for the same determining message, and thus, even in this case, the protocol is not hybrid resettably sound.

  2. 2.

    The \(\mathcal {P}\)-certificate generation in the protocol of [11] cannot be transformed into a resettably-sound protocol using the techniques of [3]. This is because the \(\mathcal {P}\)-certificate system is not public coin. Recall that the proof of resettable soundness in [3] uses the reduction to the non-resettable case by starting (by contradiction) with a (successful) resetting prover. If we repeat here the same reduction, we have that the non-resetting prover runs all but one session by simulating the verifier itself. Of course this requires to generate legit verifier messages under reset attacks. When trying to send the legit verifier messages, the non-resetting prover may send the obfuscated program of the real verifier of the reduction to the resetting prover, and the resetting prover may reset to the step after which it receives the public parameter for the \(\mathcal {P}\)-certificate. In that case, the non-resetting prover will not be able to generate a new obfuscated program as specified in the protocol without knowing the secret parameter.

Fig. 1.
figure 1

Our transformations of zero-knowledge argument systems

Full size image

1.3 Our Approach

In order to get a constant-round resettably-sound concurrent zero-knowledge argument system, we consider the protocol from [11] which is constant round and concurrent zero knowledge, but not resettably sound. As discussed above, there are two main problems that separate the protocol of [11] from resettable soundness: the non-resettable ZK argument for \(i\mathcal {O}\) and the delegatable CRS generation of the \(\mathcal {P}\)-certificate system, which cannot be generated without knowing the secret parameter generated in the earlier step.

Solving the first problem. We resolve the first problem by constructing a constant-round resettable ZK argument from the concurrent ZK argument of [11]. This transformation is implicit in some previous works on the topic [3, 15]. We explicitly present it here for completion (Fig. 1).

Unlike the concurrent verifier, the resetting verifier can exploit the reuse of the random tape during the resetting attack by sending different messages in order to extract additional information from the prover. We prevent such behavior by requiring (1) the verifier to commit to its random tape using a statistically binding commitment scheme and (2) to provide a zero-knowledge argument that it actually uses the random tape it has committed to. Note that since the verifier can reset the prover, a zero-knowledge argument without resettable soundness cannot be used by the verifier to prove that the verifier uses the committed random bits. Thus, the argument system needs to be resettably sound. In order to preserve the round complexity, this subprotocol must be constant round. This can be done using the 4-round resettably-sound zero-knowledge argument by Chung et al. [12]. A similar technique has been used in [26] for resettably-secure computation.

We note that the constant-round rsZK argument and the commitment scheme can be constructed from one-way functions, which is assumed for the constant-round concurrent zero-knowledge argument in [11]. Thus, applying this transformation on the protocol does not require any extra assumption. It turns out that the technique we use can be generalized to a compiler that works with any concurrent ZK protocol. The round complexity of the resulting protocol only increases by a constant factor.

Our compiler turning any concurrent ZK argument into a resettable ZK argument works as follows. First, we replace the random coin used by the prover to generate his messages with outputs of a PRF. This step allows a prover with fixed random tape to send different messages when the resetting verifier changes its messages after resetting similarly to the technique used in [3] against resetting provers. Additionally, the verifier commits to its random coins used in each round at the beginning of the protocol. After sending each message, the verifier gives a constant-round resettably-sound ZK argument that it uses the random coins committed in the first round. This modification ensures that the verifier follows the protocol in every session.

Solving the second problem. In order to solve the second problem, we observe that while the protocol of [11] is not public-coin, it is “almost public-coin”. By almost public-coin, we mean that, beside the ZK argument which is replaced by rZK argument above, there is only one message from the verifier that cannot be generated independently as public-coin, but depends on a hidden randomness. Thus, we modify the technique in [3] to resolve the problem in two steps as follows (Fig. 1).

First, we consider a modified version of the protocol of [11], in which we can prove its (non-resettable) soundness. In this protocol, the round in which the message from V cannot be generated with uniformly random coins is repeated m times, where \(m = \mathtt{{poly}}(n)\) is the upper bound on the running time of a cheating prover \(P^*\). More specifically, after receiving the public parameter for \(\mathcal {P}\)-certificate, the prover for the modified protocol \(P_S\) repeatedly commits to and proves the validity of the digest d of his statement while the verifier \(V_S\) repeatedly replies with the obfuscated program verifying the committed value and output the CRS for the \(\mathcal {P}\)-certificate. \(P_S\) then chooses which commitment and obfuscated program pair \(P_S\) will use to complete the protocol. Because of the security of the \(i\mathcal {O}\), \(P_S\) does not learn the secret parameter for the \(\mathcal {P}\)-certificate even after m repetitions. Thus, the resulting protocol is still sound.

Then we reduce the resettable soundness of the final protocol to the non-resettable soundness of the above protocol with polynomial reduction in success probability as follows. Given a resetting prover \(P^*\), we construct a non-resetting prover \(P_S^*\) by internally simulating \(P^*\) interaction with a verifier V, and randomly choosing which of the m repetitions will lead to accepting transcript. For other repetitions, \(P_S^*\) will generate the parameters for \(\mathcal {P}\)-certificate itself to get around the non-public-coin situation. In the case that \(P_S^*\) guesses the accepting transcript correctly, which occurs with probability 1/m, it will convince the verifier \(V_S\) with the accepting transcript from the simulation.

1.4 Open Questions

Unlike the above compiler from concurrent ZK to resettable ZK, our construction for resettably sound resettable zero knowledge uses in a non-black-box way the protocol of [11].

Our work leaves open the natural questions of producing a generic round-preserving transform from cZK to rZK, and of obtaining constant-round resettably sound resettable zero knowledge under more standard complexity assumptions.

2 Definitions

A polynomial-time relation R is a relation for which it is possible to verify in time polynomial in |x| whether \(R(x,w)=1\). Let us consider an \(\mathcal {NP}\)-language L and denote by \(R_L\) the corresponding polynomial-time relation such that \(x\in L\) if and only if there exists w such that \(R_L(x,w)=1\). We will call such a w a valid witness for \(x\in L\). Let \(\lambda \) denote the security parameter. A negligible function \(\nu (\lambda )\) is a non-negative function such that for any constant \(c<0\) and for all sufficiently large \(\lambda \), \(\nu (\lambda )< \lambda ^c\). We will denote by \(\Pr _r[X]\) the probability of an event X over coins r, and \(\Pr [X]\) when r is not specified. The abbreviation “PPT” stands for probabilistic polynomial time. For a randomized algorithm A, let A(xr) denote running A on an input x with random coins r. If r is chosen uniformly at random with an output y, we denote \(y \leftarrow A(x)\). For a pair of interactive Turing machines (PV), let \(\langle P, V \rangle (x)\) denotes V’s output after interacting with P upon common input x. We say V accepts if \(\langle P, V \rangle (x) = 1\) and rejects if \(\langle P, V \rangle (x) = 0\). We denote by \(\mathtt{{view}}^{P(w)}_{V(x,z)}\) the view (i.e., its private coins and the received messages) of V during an interaction with P(w) on common input x and auxiliary input z. We will use the standard notion of computational indistinguishability [23].

We now give definitions for interactive proof/argument systems with all variants that are useful in this work.

Definition 1

(interactive proofs [24]). An interactive proof system for the language L, is a pair of interactive Turing machines (PV) running on common input x such that:

  • Efficiency: P and V are PPT.

  • Completeness: For every \(\lambda \!\in \! \mathbb {N}\) and for every pair (xw) such that \(R_{L}(x,w)\!=\!1\),

    $$\Pr [\langle P(w),V \rangle (1^\lambda ,x)=1] = 1.$$

  • SoundnessFootnote 3: There exists a negligible function \(\nu (\cdot )\) such that for every pair of interactive Turing machines \((P_1^*,P_2^*)\)

    $$\Pr [(x,z) \leftarrow P_1^*(1^\lambda ): x \notin L \wedge \langle P_2^*,V \rangle (1^\lambda ,x)=1]<\nu (\lambda ).$$

In the above definition we can relax the soundness requirement by considering \(P^{*}\) as PPT. In this case, we say that (PV) is an interactive argument system [7].

Definition 2

(zero-knowledge arguments [24]). Let (PV) be an interactive argument system for a language L. We say that (PV) is zero knowledge (ZK) if, for any probabilistic polynomial-time adversary \(V^*\), there exists a probabilistic polynomial-time algorithm \(S_{V^*}\) such for all auxiliary inputs z and all pairs \((x,w) \in R_{L}\) the ensembles \(\{\mathtt{{view}}^{P(w)}_{V^*(x,z)}\}\) and \(\{S_{V^*}(x,z)\}\) are computationally indistinguishable.

Suppose (PV) is used as a sub-protocol of another interactive protocol \((A^1,A^2)\) where \(A^1\) runs P and \(A^2\) runs V. We call a Turing machine \(A^1_{\alpha }\) a residual prover if \(A^1_{\alpha }\) runs \(A^1\) on inputs \(\alpha = (\alpha _1,\ldots ,\alpha _\ell )\) from \(A^2\) up to and including the \(\ell \)th round when \(A^1\) invokes P. A residual verifier \(A^2_\alpha \) is defined similarly by switching \(A^1\) and \(A^2\). Note that the residual prover is invoked when simulating V (for soundness) while the residual verifier is invoked when simulating P (for zero-knowledge).

Definition 3

(resetting adversary [8]). Let (PV) be an interactive proof or argument system for a language L, \(t=\mathtt{{poly}}(\lambda )\), \(\bar{x} = x_1, \ldots , x_t\) be a sequence of common inputs and \(\bar{w}=w_1,\ldots , w_{t}\) the corresponding witnesses (i.e., \((x_{i},w_{i}) \in R_{L}\)) for \(i=1,\ldots ,t\). Let \(r_1,\ldots ,r_t\) be independent random tapes. We say that a PPT \(V^*\) is a resetting verifier if it concurrently interacts with an unbounded number of independent copies of P by choosing for each interaction the value i so that the common input will be \(x_i \in \bar{x}\), and the prover will use witness \(w_i\), and choosing j so that the prover will use \(r_j\) as randomness, with \(i,j\in \{1,\ldots ,t\}\). The scheduling or the messages to be sent in the different interactions with P are freely decided by \(V^*\). Moreover we say that the transcript of such interactions consists of the common inputs \(\bar{x}\) and the sequence of prover and verifier messages exchanged during the interactions. We refer to \(\mathtt{{view}}^{P(\bar{w})}_{V^*(\bar{x},z)}\) as the random variable describing the content of the random tape of \(V^*\) and the transcript of the interactions between P and \(V^*\), where z is an auxiliary input received by \(V^{*}\).

Definition 4

(resettable zero knowledge [8]). Let (PV) be an interactive argument system for a language L. We say that (PV) is resettable zero knowledge (rZK) if, for any PPT resetting verifier \(V^*\) there exists a expected probabilistic polynomial-time algorithm \(S_{V^*}\) such that the for all pairs \((\bar{x},\bar{w}) \in R_{L}\) the ensembles \(\{\mathtt{{view}}^{P({\bar{w}})}_{V^*(\bar{x},z)}\}\) and \(\{S_{V^*}(\bar{x},z)\}\) are computationally indistinguishable.

The definition of concurrent zero knowledge can be seen as a relaxation of the one of resettable zero knowledge. The adversarial concurrent verifier has the same power of the resetting verifier except it can not ask the prover to run multiple sessions with the same randomness.

Definition 5

(concurrent adversary). Let (PV) be an interactive proof or argument system for a language L, \(t=\mathtt{{poly}}(\lambda )\), \(\bar{x} = x_1, \ldots , x_t\) be a sequence of common inputs and \(\bar{w}=w_1,\ldots , w_{t}\) the corresponding witnesses (i.e., \((x_{i},w_{i}) \in R_{L}\)) for \(i=1,\ldots ,t\). We say that a PPT \(V^*\) is a concurrent verifier if it concurrently interacts with an unbounded number of independent copies of P by choosing for each interaction the value i so that the common input will be \(x_i \in \bar{x}\), and the prover will use witness \(w_i\). Each copy of P runs with independent randomness. The scheduling or the messages to be sent in the different interactions with P are freely decided by \(V^*\). Moreover we say that the transcript of such interactions consist of the common inputs \(\bar{x}\) and the sequence of prover and verifier messages exchanged during the interactions. We refer to \(\mathtt{{view}}^{P(\bar{w})}_{V^*(\bar{x},z)}\) as the random variable describing the content of the random tape of \(V^*\) and the transcript of the interactions between P and \(V^*\), where z is an auxiliary input received by \(V^{*}\).

Definition 6

(concurrent zero knowledge [19]). Let (PV) be an interactive argument system for a language L. We say that (PV) is concurrent zero knowledge (cZK) if, for any PPT concurrent verifier \(V^*\) there exists a probabilistic polynomial-time algorithm \(S_{V^*}\) such that the for all pairs \((\bar{x},\bar{w}) \in R_{L}\) the ensembles \(\{\mathtt{{view}}^{P({\bar{w}})}_{V^*(\bar{x},z)}\}\) and \(\{S_{V^*}(\bar{x},z)\}\) are computationally indistinguishable.

Definition 7

(witness indistinguishability [20]). Let L be a language in \(\mathcal {NP}\) and \(R_L\) be the corresponding relation. An interactive argument (PV) for L is witness indistinguishable (WI) if for every verifier \(V^*\), every pair \((w_0,w_1)\) such that \((x,w_0) \in R_L\) and \((x,w_1) \in R_L\) and every auxiliary input z, the following ensembles are computationally indistinguishable:

$$\{\mathtt{{view}}^{P(w_0)}_{V^*(x,z)}\} \;\;\; { and} \;\;\; \{\mathtt{{view}}^{P(w_1)}_{V^*(x,z)}\}.$$

Definition 8

(resettable WI [8]). Let L be a language in \(\mathcal {NP}\) and \(R_L\) be the corresponding relation. An interactive argument (PV) for L is resettable witness indistinguishable (rWI) if for every PPT resetting verifier \(V^*\) every \(t=\mathtt{{poly}}(\lambda )\), and every pair \((\bar{w}^{0}=(w^{0}_{1},\ldots ,w^{0}_t),\bar{w}^{1}=(w^{1}_{1},\ldots ,w^{1}_t))\) such that \((x_{i},w^{0}_{i}) \in R_L\) and \((x_{i},w^{1}_i) \in R_L\) for \(i=1,\ldots ,t\), and any auxiliary input z, the following ensembles are computationally indistinguishable:

$$\{\mathtt{{view}}^{P(\bar{w}^{0})}_{V^*(\bar{x},z)}\} \;\;\; {and} \;\;\; \{\mathtt{{view}}^{P(\bar{w}^{1})}_{V^*(\bar{x},z)}\}.$$

In [18], a construction of 2-round resettable witness-indistinguishable proof based on NIZK proofs has been shown, and then in [27], a non-interactive resettable witness-indistinguishable proof has been shown by relying on specific number-theoretic assumptions, and from \(i\mathcal {O}\) [6].

Let us recall the definition of resettable soundness due to [3].

Definition 9

(resettably-sound arguments [3]). A resetting attack of a cheating prover \(P^*\) on a resettable verifier V is defined by the following two-step random process, indexed by a security parameter \(\lambda \).

  1. 1.

    Uniformly select and fix \(t = \mathtt{{poly}}(\lambda )\) random-tapes, denoted \(r_1,\dots ,r_t\), for V, resulting in deterministic strategies \(V^{(j)}(x) = V_{x,r_j} \) defined by \(V_{x,r_j}(\alpha ) = V(x,r_j, \alpha )\),Footnote 4 where \(x \in \{0,1\}^\lambda \) and \(j \in [t]\). Each \(V^{(j)}(x)\) is called an incarnation of V.

  2. 2.

    On input \(1^\lambda \), machine \(P^*\) is allowed to initiate \(\mathtt{{poly}}(\lambda )\)-many interactions with the \(V^{(j)}(x)\)’s. The activity of \(P^*\) proceeds in rounds. In each round \(P^*\) chooses \(x \in \{0,1\}^\lambda \) and \(j \in [t]\), thus defining \(V^{(j)}(x)\), and conducts a complete session with it.

Let (PV) be an interactive argument for a language L. We say that (PV) is a resettably-sound argument for L if the following condition holds:

  • Resettable-soundness: For every polynomial-size resetting attack, the probability that in some session the corresponding \(V^{(j)}(x)\) has accepted and \(x \notin L\) is negligible.

Definition 10

(commitment scheme). Given a security parameter \(1^\lambda \), a commitment scheme \(\mathsf{com}\) is a two-phase protocol between two PPT interactive algorithms, a sender S and a receiver R. In the commitment phase S on input a message m interacts with R to produce a commitment \(c = \mathsf{com}(m)\). In the decommitment phase, S sends to R a decommitment information d such that R accepts m as the decommitment of c.

Formally, we say that \(\mathsf{com}\) is a perfectly binding commitment scheme if the following properties hold:

  • Correctness:

    • Commitment phase. Let \(c = \mathsf{com}(m)\) be the commitment of the message m given as output of an execution of \(\mathsf{com}\) where S runs on input a message m. Let d be the private output of S in this phase.

    • Decommitment phaseFootnote 5. R on input m and d accepts m as decommitment of c.

  • Statistical (resp. Computational) Hiding [30]: for any adversary (resp. PPT adversary) \(\mathcal {A}\) and a randomly chosen bit \(b\in \{0,1\}\), consider the following hiding experiment \(\mathsf {ExpHiding}^b_{\mathcal {A},\mathsf{com}}(\lambda )\):

    • Upon input \(1^\lambda \), the adversary \(\mathcal {A}\) outputs a pair of messages \(m_0, m_1\) that are of the same length.

    • S on input the message \(m_b\) interacts with \(\mathcal {A}\) to produce a commitment of \(m_b\).

    • \(\mathcal {A}\) outputs a bit \(b'\) and this is the output of the experiment.

  • For any adversary (resp. PPT adversary) \(\mathcal {A}\), there exist a negligible function \(\nu \), s.t.:

    $$\Big |\Pr [\mathsf {ExpHiding}^0_{\mathcal {A},\mathsf{com}}(\lambda )=1]-\Pr [\mathsf {ExpHiding}^1_{\mathcal {A},\mathsf{com}}(\lambda )=1]\Big | <\nu (\lambda ).$$

  • Statistical (resp. Computational) Binding: for every commitment \(\mathtt{com}\) generated during the commitment phase by a possibly malicious unbounded (resp. malicious PPT) sender \(S^*\) there exists a negligible function \(\nu \) such that \(S^*\), with probability at most \(\nu (\lambda )\), outputs two decommitments \((m_0, d_0)\) and \((m_1, d_1)\), with \(m_0 \ne m_1\), such that R accepts both decommitments.

  • We also say that a commitment scheme is perfectly binding iff \(\nu (\lambda )=0\).

In this paper, we consider non-interactive perfectly binding computationally hiding commitment schemes, which can be constructed from one-to-one one-way functions [22]. Two-message statistically binding commitment schemes can be obtained from one-way functions [28, 32].

Definition 11

(pseudorandom function (PRF)). A family of functions \(\{f_s\}_{s \in \{0,1\}^*}\) is called pseudorandom if for all adversarial PPT machines \(\mathcal {A}\), for every positive polynomial p(), and sufficiently large \(\lambda \in \mathbb {N}\), it holds that

$$\begin{aligned} |\Pr [\mathcal {A}^{f_s}(1^\lambda ) = 1] - \Pr [\mathcal {A}^{F}(1^\lambda ) = 1]| \le \frac{1}{p(\lambda )}. \end{aligned}$$

where \(|s| = n\) and F denotes a truly random function.

Definition 12

(indistinguishability obfuscation). A uniform machine \(i\mathcal {O}\) is an indistinguishability obfuscator for a class of deterministic circuits \(\{\mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\) if it satisfies the following:

  • Correctness: For all security parameter \(\lambda \!\in \! \mathbb {N}\), for all \(C \!\in \! \mathcal {C}_\lambda \), for all input x,

    $$\begin{aligned} \Pr [\varLambda \leftarrow i\mathcal {O}(1^\lambda ,C): \varLambda (x) = C(x)] = 1. \end{aligned}$$

  • Security: For every non-uniform PPT sampleable distribution \(\mathcal {D}\) and adversary \(\mathcal {A}\), there exists a negligible function \(\nu \) such that for sufficiently large \(\lambda \in \mathbb {N}\), if

    $$\begin{aligned} \Pr [(C_1,C_2,z) \leftarrow \mathcal {D}: \forall x, C_1(x) = C_2(x) ] > 1 - \nu (\lambda ), \end{aligned}$$

    then

    $$ \begin{array}{l} \Pr [(C_1,C_2,z) \leftarrow \mathcal {D}: \mathcal {A}(i\mathcal {O}(1^\lambda ,C_1),z)=1] \\ \, - \Pr [(C_1,C_2,z) \leftarrow \mathcal {D}: \mathcal {A}(i\mathcal {O}(1^\lambda ,C_2),z)=1] \end{array} \le \nu (\lambda ). $$

    We say an iO is super-polynomially secure if there is a super-polynomial function T such that the above condition holds for all adversary \(\mathcal {A}\) running in time at most \(T(\lambda )\).

Let \(R_U = \{((M,x,t),w): M \text { accepts } (x,w) \text { in } t \text { steps}\}\), \(S_U = \{(M,x,t): \exists w, ((M,x,t),w) \in R_U\}\) and \(R_U(M,x,t) = \{w: ((M,x,t),w) \in R_U\}\). Let \(T_M(x,w)\) denote the number of steps made by M on input (xw).

Definition 13

(universal argument [2]). A pair of interactive Turing machines (PV) is called a universal argument system if it satisfies the following properties:

  • Efficient verification: There exists a polynomial p such that for any \(y=(M,x,t)\), the total time spent by the (probabilistic) verifier V, on common input y, is at most p(|y|). In particular, all messages exchanged in the protocol have length smaller than p(|y|).

  • Completeness via a relatively efficient prover: For every \(((M,x,t),w) \in R_U\),

    $$\begin{aligned} \Pr [ \langle P(w),V \rangle (M,x,t)=1]=1. \end{aligned}$$

    Furthermore, there exists a polynomial q such that for every \(((M,x,t),w) \in R_U\), the total time spent by P(w), on common input (Mxt), is at most \(q(|M|+T_M(x,w)) \le q(|M|+t)\).

  • Computational soundness: For every polynomial-size circuit family \(\{\widetilde{P}_n\}_{n \in \mathbb {N}}\), and every \((M,x,t) \in \{0,1\}^n \setminus S_U\), there exists a negligible function \(\nu \) such that

    $$\begin{aligned} \Pr [\langle \widetilde{P}_n,V \rangle (M,x,t)=1] < \nu (n). \end{aligned}$$

  • Weak proof-of-knowledge property: For every positive polynomial p there exists a positive polynomial \(p'\) and a probabilistic polynomial-time oracle machine E such that the following holds: for every polynomial-size circuit family \(\{\widetilde{P}_n\}_{n \in \mathbb {N}}\), and every sufficiently long \(y = (M,x,t) \in \{0,1\}^*\), if \(\Pr [ \langle \widetilde{P}_n,V \rangle (y)=1] > 1/p(|y|)\), then

    $$\begin{aligned} \mathrm{Pr}_r[\exists w=w_1\ldots w_t \in R_U(y), \forall i\in [t], E_r^{\widetilde{P}_n}(y,i)=w_i ] > 1/p'(|y|) \end{aligned}$$

    where \(E_r^{\widetilde{P}_n}\) denotes the function defined by fixing the random-tape of E to r and providing it with oracle access to \(\widetilde{P}_n\).

By abusing the notation, we let E be the oracle machine, running in time \(\mathtt{{poly}}(n) \cdot t\), that extracts the whole witness. We call E a global proof-of-knowledge extractor. Note that E is not necessarily polynomial time.

Definition 14

(witness-indistinguishable universal argument [2]). A universal argument system, (PV), is called witness-indistinguishable (WIUA) if, for every polynomial p, every polynomial-size circuit family \(\{V_n^*\}_{n \in \mathbb {N}}\), and every three sequences \(\langle y_n=(M_n,x_n,t_n)\rangle _{n \in \mathbb {N}}\), \(\langle w_n^1\rangle _{n \in \mathbb {N}}\) and \(\langle w_n^2\rangle _{n \in \mathbb {N}}\) such that \(|y_n|=n\), \(t_n \le p(|x_n|)\) and \((y_n,w_n^1),(y_n,w_n^2) \in R_U\), the probability ensembles \(\{\langle P(w_n^1),V_n^*\rangle (y_n)\}_{n \in \mathbb {N}}\) and \(\{\langle P(w_n^2),V_n^*\rangle (y_n)\}_{n \in \mathbb {N}}\) are computationally indistinguishable.

Theorem 3

[2]. Assuming the existence of families of collision-resistant hash functions, there exists a 4-round public-coin WIUA.

Definition 15

(special-sound witness-indistinguishable proof [11]). A 4-round public-coin interactive proof for the language \(L \in \mathcal {NP}\) with witness relation \(R_L\) is special-sound with respect to \(R_L\), if for any two transcripts \((\delta ,\alpha ,\beta ,\gamma )\) and \((\delta ',\alpha ',\beta ',\gamma ')\) such that the initial two messages, \((\delta ,\alpha )\) and \((\delta ',\alpha ')\), are the same but the challenges \(\beta \) and \(\beta '\) are different, there is a deterministic procedure to extract the witness from the two transcripts and runs in polynomial time. Special-sound proofs with witness-indistinguishability (WISSP) for languages in \(\mathcal {NP}\) can be based on one-way functions.

Definition 16

(ZAP [25]). ZAPs are two round public coin witness indistinguishable proofs introduced by Dwork and Naor [18]. ZAPs further have the special property that the first message (sent by the prover) can be reused for multiple proofs. As noted in [3], any ZAP system already has the property of resettable soundness. Furthermore, resettable witness indistinguishability property can be obtained by applying the transformation in [8]. We refer to the resulting system as an rZAP system having the property of resettable soundness as well as resettable witness indistinguishability.

2.1 \(\mathcal {P}\)-Certificate with Delegatable CRS Generation

For \(c \in \mathbb {N}\), let \(L_c = \{(M,x,y): M(x)=y \text { within }|x|^c \text { steps}\}\). Let \(T_M(x)\) denote the number of steps made by M on input x.

Definition 17

( \(\mathcal {P}\)-certificate system [11]). A tuple of PPT algorithms \((\mathsf{Gen},{\mathsf{P}_\mathsf{cert}},\) \(\mathsf{V}_{\mathsf{cert}})\) is a \(\mathcal {P}\) -certificate system in the CRS model if there exist polynomials \(l_{CRS}\) and \(l_\pi \) such that for \(c,\lambda \in \mathbb {N}\) and \(q = (M,x,y) \in L_c\).

  • CRS Generation: \(CRS \leftarrow \mathsf{Gen}(1^\lambda ,c)\), where \(\mathsf{Gen}\) runs in time \(\mathtt{{poly}}(\lambda )\). The length of CRS is bounded by \(l_{CRS}(\lambda )\).

  • Proof Generation: \(\pi \leftarrow {\mathsf{P}_\mathsf{cert}}(1^\lambda ,c,CRS,q)\), where \({\mathsf{P}_\mathsf{cert}}\) runs in time \(\mathtt{{poly}}(\lambda ,\) \(|x|,T_M(x))\) with \(T_M(x) \le |x|^c\). The length of \(\pi \) is bounded by \(l_\pi (\lambda )\).

  • Proof Verification: \(b = \mathsf{V}_{\mathsf{cert}}(1^\lambda ,c,CRS,q,\pi )\), where \(\mathsf{V}_{\mathsf{cert}}\) runs in time \(\mathtt{{poly}}(\lambda ,|q|)\).

Completeness: For every \(c,d,\lambda \in \mathbb {N}\) and \(q = (M,x,y) \in L_c\) such that \(|q| \le \lambda ^d\),

$$\begin{aligned} \Pr [CRS \leftarrow \mathsf{Gen}(1^\lambda ,c), \pi \leftarrow {\mathsf{P}_\mathsf{cert}}(1^\lambda ,c,CRS,q):\mathsf{V}_{\mathsf{cert}}(1^\lambda ,c,CRS,q,\pi ) = 1] = 1. \end{aligned}$$

Strong soundness: There exists a super-polynomial function \(T(\lambda ) = \lambda ^{\omega (1)}\) and a super-constant function \(C(\lambda ) = \omega (1)\) such that for every probabilistic algorithm \(P^*\) with running time bounded by \(T(\lambda )\), there exists a negligible function \(\nu \) such that for every \(\lambda \in \mathbb {N}\) and \(c \le C(\lambda )\),

$$ \Pr \left[ \begin{array}{l} (q,st) \leftarrow P^*(1^\lambda ,c), \\ CRS \leftarrow \mathsf{Gen}(1^\lambda ,c), \\ \pi \leftarrow P^*(st,CRS) \end{array} : \mathsf{V}_{\mathsf{cert}}(1^\lambda ,c,CRS,q,\pi ) = 1 \wedge q \notin L_c \right] \le \nu (\lambda ). $$

A \(\mathcal {P}\)-certificate system is two-message if the generation of the CRS \(\mathsf{Gen}\) also depends on the statement q, i.e. \(CRS \leftarrow \mathsf{Gen}(1^\lambda ,c,q)\). The two-message \(\mathcal {P}\)-certificate system can be considered an interactive protocol as follows: the prover sends q to the verifier; the verifier replies with \(CRS \leftarrow \mathsf{Gen}(1^\lambda ,c,q)\); the prover sends \(\pi \leftarrow {\mathsf{P}_\mathsf{cert}}(1^\lambda ,c,CRS,q)\); the verifier accepts if \(\mathsf{V}_{\mathsf{cert}}(1^\lambda ,c,CRS,q,\pi )=1\).

A two-message \(\mathcal {P}\)-certificate system has a simple verification procedure if the verification algorithm \(\mathsf{V}_{\mathsf{cert}}\) only depends on the security parameter \(1^\lambda \), the CRS and the proof \(\pi \), i.e. it is independent of the statement q and the language index c. In this case, we denote the verification by \(\mathsf{V}_{\mathsf{cert}}(1^\lambda ,CRS,\pi )\).

A \(\mathcal {P}\)-certificate system is unique if for every \(\lambda ,c \in \mathbb {N}\), \(CRS,q \in \{0,1\}^*\), there exists at most one \(\pi \in \{0,1\}^*\) such that \(\mathsf{V}_{\mathsf{cert}}(1^\lambda ,c,CRS,q,\pi ) = 1\).

Note that the uniqueness of a \(\mathcal {P}\)-certificate holds even against invalid CRS.

Definition 18

(delegatable CRS generation [11]). A two-message \(\mathcal {P}\)-certificate \((\mathsf{Gen},{\mathsf{P}_\mathsf{cert}},\mathsf{V}_{\mathsf{cert}})\) has delegatable CRS generation if \(\mathsf{Gen}\) consists of three subroutines: \(\mathsf{SetUp}\), \(\mathsf{PreGen}\) and \(\mathsf{CRSGen}\), and there exist polynomials \(l_d\) and \(l_{CRS}\) satisfying the following properties:

  • Parameters Generation: \((PP,K) \leftarrow \mathsf{SetUp}(1^\lambda ,c)\), where \(\mathsf{SetUp}\) is probabilistic and runs in time \(\mathtt{{poly}}(\lambda )\). PP is a public parameter and K is a secret parameter.

  • Statement Processing: \(d = \mathsf{PreGen}(PP,q)\), where \(\mathsf{PreGen}\) is deterministic and runs in time \(\mathtt{{poly}}(\lambda ,|q|)\) and the length of d is bounded by \(l_d(\lambda )\) independent of |q|.

  • CRS Generation: \(\kappa \leftarrow \mathsf{CRSGen}(PP,K,d)\), where \(\mathsf{CRSGen}\) is probabilistic and runs in time \(\mathtt{{poly}}(\lambda )\) and the length of \(\kappa \) is bounded by \(l_{CRS}(\lambda )\).

\(\mathsf{Gen}\) outputs \(CRS=(PP,\kappa )\).

Theorem 4

[11]. Assuming the existence of an indistinguishability obfuscation for \(\mathcal {P}/poly\) and an injective one-way function (that are super-polynomially secure), there exists a (super-polynomially secure) two-message \(\mathcal {P}\)-certificate system with (strong) soundness, uniqueness and delegatable CRS generation.

3 Constant-Round Resettable Zero Knowledge

In [11], Chung et al. construct a constant-round concurrent ZK argument assuming the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for \(\mathcal {P}/\mathtt{{poly}}\) (with slightly super-polynomial security). We present it here as follows:

Let \(\mathsf{com}\) be a non-interactive perfectly binding computationally hiding commitment scheme. As mentioned in [11], the protocol can be modified to work with a 2-message statistically binding commitment scheme based on one-way functions [28, 32]. Let \(\{\mathcal {H}_n\}_{n \in \mathbb {N}}\) be a family of collision-resistant hash functions. Let \((\mathsf{Gen},{\mathsf{P}_\mathsf{cert}},\mathsf{V}_{\mathsf{cert}})\) be a two-message \(\mathcal {P}\)-certificate system with strong soundness, uniqueness and delegatable CRS generation where \(\mathsf{Gen}\) consists of subroutines \((\mathsf{SetUp},\mathsf{PreGen},\mathsf{CRSGen})\). Let \(D = D(n)\) be a super-constant function such that \(D(n) \le C(n)\) for \(C(\cdot )\) in Definition 17. Let \((P_{UA},V_{UA})\) be a constant-round public-coin WIUA. Let \((P_{SS},V_{SS})\) be a constant-round public-coin WISSP. Let \((P_{ZK},V_{ZK})\) be a constant-round ZK argument.

Let \(\varPi _{n,c_3,PP,K,\rho _{\mathsf{CRSGen}}}\) and \(\varPi '_{n,c_3,\kappa }\) be programs defined as follows:

figure a

Let \(\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}^n\) be a (deterministic) \(\mathcal {P}\)-certificate oracle which, on input CRS, outputs a (unique) \(\pi \) such that \(\mathsf{V}_{\mathsf{cert}}(1^n,CRS,\pi ) = 1\).

Let \(\mathsf {Emu}_n\) be a deterministic polynomial-time machine which, on input \((S,y,\sigma )\), emulates the execution of the deterministic oracle machine S on input y with access to the oracle \(\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}^n\). \(\mathsf {Emu}_n\) simulates \(\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}^n\) by, on input \(CRS_i\) in the ith call from S, checking if \(\pi _i\) in \(\sigma = (\pi _1,\pi _2,\ldots )\) satisfies \(\mathsf{V}_{\mathsf{cert}}(1^n,CRS_i,\pi ) = 1\). If so, it returns \(\pi _i\) to S, and halts otherwise.

figure b

Theorem 5

[11]. Assuming the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for \(\mathsf {P}/poly\) that are super-polynomially secure, there exists a constant-round concurrent zero-knowledge argument for \(\mathcal {NP}\).

3.1 From Concurrent ZK to Resettable ZK

Let \(\varGamma = (P_\varGamma ,V_\varGamma )\) be an \(\ell \)-round concurrent ZK argument. We construct a \(\mathcal {O}(\ell )\)-round resettable ZK argument \(\varLambda \) as follows:

Let \(\mathsf{com}\) be a non-interactive perfectly binding computationally hiding commitment scheme. Let \((P_{rsZK},V_{rsZK})\) be a constant-round resettably-sound ZK argument with the simulator \(\mathsf{Sim}_{rsZK}\).

figure c

3.2 Proofs

Lemma 1

\(\varLambda \) is a resettable ZK argument system.

Proof

First, we consider the protocol \(\varLambda _F\) where we replace a pseudorandom function \(f_s\) by a truly random function \(F: \{0,1\}^* \rightarrow \{0,1\}^{l(n)}\). We argue that \(\varLambda _F\) is indistinguishable from \(\varLambda \) by the reduction to the security of pseudorandom function as follows. We construct an adversary \(\mathcal {A}_{PRF}\) having access to an oracle computing either \(f_s\) or F such that \(\mathcal {A}_{PRF}\) runs \(\varLambda \) (or \(\varLambda _F\)) with the following modification: for each message \(m_i'\) sent by an honest P, \(\mathcal {A}_{PRF}\) asks the oracle using the transcript of the protocol up to that point as input; it then uses the oracle output as the random bits to compute \(m_i'\). Finally, \(\mathcal {A}_{PRF}\) runs and outputs the output of the distinguisher on the view of the protocol. Since \(\mathcal {A}_{PRF}\) runs the honest P from the beginning to the end, it has access to private parameters of P, and thus is able to finish the protocol. Thus, any non-uniform polynomial-size verifiers must behave in the same way except with negligible probability.

Let \(V_{RES}^*\) be a resetting verifier in \(\varLambda _F\). We construct a concurrent verifier \(V_{CONC}^*\) such that for any \(P_{CONC}\) there exists \(P_{RES}\) such that \(\{ \mathtt{{view}}_{V_{RES}^*}^{P_{RES}} \}\) and \(\{ \mathtt{{view}}_{V_{CONC}^*}^{P_{CONC}} \}\) are computationally indistinguishable as follows: \(V_{CONC}^*\) runs \(V_{RES}^*\) internally and delivers messages between \(V_{RES}^*\) and \(P_{CONC}\) while recording the first message (commitments) of \(V_{RES}^*\) and every message of \(P_{CONC}\). Whenever \(V_{RES}^*\) resets \(P_{RES}\) and sends the first message, \(V_{CONC}^*\) checks if it has been sent before. If so, \(V_{CONC}^*\) resends the appropriate responses or continues the session if necessary. Otherwise, \(V_{CONC}^*\) starts a new session of \(P_{CONC}\). The randomness used in this new session is indistinguishable from the randomness \(P_{RES}\) used by applying F to the new transcript (as \(m_0\) is different).

Claim

For a fixed seed s and \(m_0\), for each \(i \in [\ell ]\), \(V_r^*\) cannot find two different messages \(m_i,m_i'\) in the ith round such that it can make \(P_{RES}\) accepting the ith resettably-sound ZK argument except with negligible probability.

Proof

Let the first round message \(m_0 = (c_1,\ldots ,c_\ell )\). Assume for contradiction that there exists \(i\in [\ell ]\) such that \(V_r^*\) can find \(m_i \ne m_i'\) and the corresponding resettably-sound ZK argument that \(P_{RES}\) accepts with non-negligible probability. In such case, by the resettable soundness of the ZK argument, \(m_i\) and \(m_i'\) are both computed correctly with respect to the protocol \(\varLambda _F\) using the randomness committed in \(c_i\). In other words, there exists a deterministic polynomial-time function \(\mu _i\) such that \(m_i\) and \(m_i'\) have the form \(m_i = \mu _i(r_i)\) with \(c_i = \mathsf{com}(r_i)\) and \(m_i' = \mu _i(r_i')\) with \(c_i = \mathsf{com}(r_i')\), for some \(r_i \ne r_i'\). However, this implies \(\mathsf{com}(r_i) = \mathsf{com}(r_i')\), which contradicts the perfectly binding of \(\mathsf{com}\). \(\square \)

Thus, the transcript of the whole session depends only on s and \(m_0\). Therefore, \(\{ \mathsf {view}_{V_{RES}^*}^{P_{RES}} \}\) and \(\{ \mathsf {view}_{V_{CONC}^*}^{P_{CONC}} \}\) are computationally indistinguishable. \(\square \)

Lemma 2

\(\varLambda \) is sound.

Proof

Suppose there exists a cheating prover \(P_{RES}^*\) that can prove a false theorem \(x \notin L\) with non-negligible probability. Consider the following hybrid experiments:

Exp\(_0\): Run \(\langle P_{RES}^*,V_{RES}\rangle (1^n,x)\).

Let Exp\(_{1,0}\) be the same as Exp\(_0\), and for \(i=1,\ldots ,\ell \),

Exp\(_{1,i}\): Similar to Exp\(_{1,i-1}\) except that the execution of \(P_{rsZK}(r_i)\) following the message \(m_i\) is replaced by the execution of \(\mathsf {Sim}_{rsZK}^{P_{RES,i}^*}\) where \(P_{RES,i}^*\) is the residual rsZK verifier (note that \(P_{RES}^*\) runs \(V_{rsZK}\)) who has received \(m_0,\ldots ,m_i\) as inputs. Assume for contradiction that there exists a distinguisher D for Exp\(_{1,i}\) and Exp\(_{1,i-1}\). We construct a distinguisher \(D'\) for the (standard) zero-knowledge property of \((P_{rsZK},V_{rsZK})\) as follows. First, we generate \(r_1,\ldots ,r_{i-1},r_{i+1},\ldots ,r_\ell \) uniformly and let \(\tilde{c}_i = \mathsf{com}(0)\). Then we produce the transcript for \(P_{RES}^*\) as in \(\varLambda \) except that we use \(\tilde{c}_i\) instead of \(c_i = \mathsf{com}(r_i)\). By the computational hiding of \(\mathsf{com}\), \(P_{RES}^*\) cannot distinguish \(\tilde{c}_i\) from \(c_i\). Given either \(\{ \mathtt{{view}}_{V_{rsZK}}^{P_{rsZK}} \}\) where \(V_{rsZK}\) is run by \(P_{RES,i}^*\) or \(\mathsf {Sim}_{rsZK}^{P_{RES,i}^*}\), we generate the rest of the transcript for protocol \(\varLambda \) using \(r_j\) generated earlier. Finally, \(D'\) runs D on the entire transcript. In either case, the transcript is computationally indistinguishable to either Exp\(_{1,i}\) or Exp\(_{1,i-1}\). Thus, \(D'\) can break the zero-knowledge property of \((P_{rsZK},V_{rsZK})\), which is a contradiction. Hence, Exp\(_{1,i}\) and Exp\(_{1,i-1}\) are indistinguishable.

Let Exp\(_{2,0}\) be the same as Exp\(_{1,\ell }\), and for \(i=1,\ldots ,\ell \),

Exp\(_{2,i}\): Similar to Exp\(_{2,i-1}\) except that \(\mathsf{com}(r_i)\) in the first message \(m_0\) is replaced by \(\mathsf{com}(0)\). Consider the following reduction to the computational hiding property of \(\mathsf{com}\): \(\mathcal {A}_\mathsf{com}\) sends \(r_i\) and 0 to \(S_\mathsf{com}\); it passes the commitment from \(S_\mathsf{com}\) as the ith commitment in \(m_0\) of Exp\(_{2,i-1}\) (or Exp\(_{2,i}\)); \(\mathcal {A}_\mathsf{com}\) can complete the experiment as it does not need to know which message it commits using \(\mathsf {Sim}_{rsZK}\); \(\mathcal {A}_\mathsf{com}\) outputs the output of the experiment. The computational hiding property implies that Exp\(_{2,i}\) and Exp\(_{2,i-1}\) are indistinguishable.

Now we construct a cheating prover \(P_{CONC}^*\) for \(\varGamma \) by running Exp\(_{2,\ell }\) internally as follows: \(P_{CONC}^*\) sends \(\mathsf{com}(0)\) to \(P_{RES}^*\); \(P_c^*\) passes every messages from \(P_{RES}^*\) to \(V_{CONC}\); \(P_{CONC}^*\) passes every message from \(V_{CONC}\) to \(P_{RES}^*\) then runs \(\mathsf {Sim}_{rsZK}\) while \(P_{RES}^*\) runs \(V_{rsZK}\). Thus, \(P_{CONC}^*\) can prove a false theorem \(x \notin L\) with non-negligible probability, which contradicts the soundness of \(\varGamma \). \(\square \)

Theorem 6

Assuming one-way functions, there exists a compiler transforming an \(\ell \)-round concurrent zero-knowledge argument to a \(\mathcal {O}(\ell )\)-round resettable zero-knowledge argument.

Proof

The resettable zero knowledge and soundness are proved in Lemmas 1 and 2, respectively. The completeness follows from the completeness of \(\varGamma \) by inspection. For each round of \(\varGamma \), P and V has to run additional \(\mathcal {O}(1)\) rounds for resettably-sound ZK protocol that V uses the committed random bits, and 1 extra round in the beginning. Thus, the round complexity is \(\mathcal {O}(\ell )\). \(\square \)

Corollary 1

Assuming the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for \(\mathcal {P}/\mathtt{{poly}}\) that are super-polynomially secure, there exists a constant-round resettable zero-knowledge argument for \(\mathcal {NP}\).

Proof

We instantiate \(\varLambda \) by letting \(\varGamma \) be the constant-round concurrent zero-knowledge argument system of [11]. Perfectly binding \(\mathsf{com}\) can be constructed from one-way permutations. A constant-round resettably-sound ZK argument can be constructed from one-way functions [12]. \(\square \)

4 Concurrent ZK with Resettable Soundness

In this section, we construct a constant-round resettably-sound concurrent ZK argument based on the constant-round cZK argument in [11]. We make use of our constant-round rZK argument from the previous section (Corollary 1), the technique used in [3] to add resettable soundness to a public-coin protocol, and our new techniques to deal with non-public coin nature of the cZK protocol in [11].

4.1 Construction

Let \(\varGamma \) be the constant-round concurrent ZK argument from [11] described in Sect. 3. We construct a constant-round concurrent ZK argument with resettable soundness \(\varDelta \) as follows:

Let \((P_{rZK},V_{rZK})\) be a constant-round resettable ZK argument with the simulator \(\mathsf{Sim}_{rZK}\). The verifier V chooses a random seed s for a pseudorandom function \(f_s: \{0,1\}^* \rightarrow \{0,1\}^{l(n)}\), where l(n) is the upper bound on the size of random bits V need in each round of \(\varGamma \). Then P and V run \(\varGamma \) with the following modifications. In Step 10, instead of running a ZK argument \((P_{ZK},V_{ZK})\), V and P run the resettable ZK argument \((P_{rZK},V_{rZK})\). Additionally, for each message m that V sends in \(\varGamma \), V uses the output of \(f_s\) applying to the transcript from the protocol up to this point as random bits to compute m.

4.2 Proofs

Before we prove that the protocol above is a concurrent ZK argument with resettable soundness, we consider another modification, \(\varGamma '\), of the protocol \(\varGamma \) in [11]. First, P and V repeat Steps 7–9 for t times with V using the same \(\rho _{\mathsf{CRSGen}}\) for some \(t = \mathtt{{poly}}(n)\). Let Steps 7j–9j denoted jth repeat of Steps 7–9. Secondly, we remove the zero-knowledge proof in Step 10, and replace it with “P chooses \(i \in [t]\) and sends i to V”, and then P and V follows the rest of the protocol ignoring Steps 7j–9j for \(j \ne i\).

Lemma 3

\(\varGamma '\) is a sound interactive argument.

Proof

We strictly follow the proof of soundness of \(\varGamma \) in [11] with a modification necessary for the repetition of Steps 7–9. Assume for contradiction that there is a non-uniform deterministic polynomial-time prover \(P^*\) and a positive polynomial p such that for infinitely many \(n \in \mathbb {N}\), \(P^*\) can convince V to accept \(x \notin L\) with non-negligible probability 1/p(n). Let E be the global proof-of-knowledge extractor of the WIUA \((P_{UA},V_{UA})\), and \(E'\) be the knowledge extractor of the WISSP \((P_{SS},V_{SS})\). We define the experiment \(\mathsf{Exp}\) which runs \(\langle P^*,V \rangle (1^n,x)\) with the following addition:

  • In Step 5, let \(P^*_{\mathsf {prefix}_1}\) be the residual WIUA prover who has received \(\mathsf {prefix}_1 = (h,r)\) in Steps 1 and 3. Run \(w_1 \leftarrow E^{P^*_{\mathsf {prefix}_1}}_{s_1}\), where \(s_1\) is uniform randomness. If E fails, halt and output \(\bot \).

  • In Step 7j, for \(j=1,\ldots ,t\), let \(P^*_{\mathsf {prefix}_{2,j}}\) be the residual WIUA prover who has received \(\mathsf {prefix}_{2,j}\) consisting of h, r, WIUA messages, PP and \(\widehat{\varPi }_k\) in Steps 1, 3, 5, 6, 8k and 9k for \(k =1,\ldots ,j-1\). Run \(w_{2,j} \leftarrow E^{P^*_{\mathsf {prefix}_{2,j}}}_{s_{2,j}}\), where \(s_{2,j}\) is uniform randomness. If E fails, halt and output \(\bot \).

  • In Step 12, let \(P^*_{\mathsf {prefix}_3}\) be the residual WISSP prover who has received \(\mathsf {prefix}_3\) consisting of h, r, WIUA messages, PP and \(\widehat{\varPi }_j\) in Steps 1, 3, 5, 6, 8j and 9j for \(j =1,\ldots ,t\). Run \(w_3 \leftarrow E'^{P^*_{\mathsf {prefix}_3}}_{s_3}\), where \(s_3\) is uniform randomness. If \(E'\) fails, halt and output \(\bot \).

  • In Step 13, let \(P^*_{\mathsf {prefix}_4}\) be the residual WISSP prover who has received \(\mathsf {prefix}_4\) consisting of \(\mathsf {prefix}_3\) and WISSP messages in Step 12. Run \(w_4 \leftarrow E'^{P^*_{\mathsf {prefix}_4}}_{s_4}\), where \(s_4\) is uniform randomness. If \(E'\) fails, halt and output \(\bot \).

  • If V rejects, output \(\bot \). Otherwise,

    • Parse \(w_1 = (S,j,s,\sigma ,\rho _1,\rho _2)\). If \(w_1\) does not have this form, output \(\bot \).

    • Let \(q = (\mathsf {Emu}_n,(S,(1^n,j,s),\sigma ),r)\). For \(j=1,\ldots ,t\), if \(w_{2,j} \ne (q,\rho _{2,j},\rho _{3,j})\) for some \(\rho _{2,j},\rho _{3,j}\), output \(\bot \).

    • Let \(d = \mathsf{PreGen}(PP,q)\). If \(w_3 \ne (d,\rho _{3,i},\rho _4)\) for some \(\rho _4\) where \(i\in [t]\) is chosen by \(P^*\) in Step 10, output \(\bot \).

    • Let \(CRS = (PP,\widehat{\varPi }(d,\rho _{3,i}))\). If \(w_4 \ne (CRS,\rho _4,\pi )\) for some \(\pi \), output \(\bot \).

  • output (Sqr).

By the weak proof-of-knowledge property of WIUA and special soundness of WISSP, when \(P^*\) convinces V to accept \(x \notin L\), the extractors E and \(E'\) succeed in extracting the witnesses described above (instead of the actual witness of the theorem) with non-negligible probability \(1/p'(n)\). By perfectly binding property of \(\mathsf{com}\) and collision-resistance of \(\mathcal {H}\), the consistency check in the last step will pass except with negligible probability \(\nu (n)\). In this case, except with negligible probability, \(c_{3,j}\) sent in Step 7j is \(\mathsf{com}(d;\rho _{3,j})\) for the same \(d = \mathsf{PreGen}(PP,q)\) for all \(j=1,\ldots ,t\). Otherwise, we can construct a cheating WIUA prover that commits to \(c' = \mathsf{com}(d';\rho ')\) with \(d' \ne \mathsf{PreGen}(PP,q)\) with non-negligible probability by randomly pick \(j \in [t]\) and commit to \(c' = c_{3,j}\). This breaks the soundness of WIUA. So, the only output of \(\widehat{\varPi }_j\) is \(\mathsf{CRSGen}(PP,K,d,\rho _{\mathsf{CRSGen}}) = \kappa \) for all \(j=1,\ldots ,m\) except with negligible probability \(\nu '(n)\). Thus, the probability that \(\mathsf{Exp}\) does not output \(\bot \) and every \(\widehat{\varPi }_j\) output the same \(\kappa \) is \(1/p'(n)-\nu (n)-\nu '(n)\) which is non-negligible. We call this event \(\mathsf {Good}\).

Now consider a series of experiments \(\mathsf{Exp}'_j\) for \(j \in [t]\) defined as follows: \(\mathsf{Exp}'_0 = \mathsf{Exp}\), and \(\mathsf{Exp}'_j\) differs from \(\mathsf{Exp}'_{j-1}\) in Step 9j where we replace \(\widehat{\varPi }_j \leftarrow i\mathcal {O}(\varPi _{n,c_{3,j},PP,K,\rho _{\mathsf{CRSGen}}})\) with \(\widehat{\varPi }'_j \leftarrow i\mathcal {O}(\varPi '_{n,c_{3,j},\kappa })\) where \(\kappa = \mathsf{CRSGen}(PP,K,d;\rho _{\mathsf{CRSGen}})\). When \(\mathsf {Good}\) occurs, by perfectly binding property of \(\mathsf{com}\), \(\varPi '_{n,c_{3,j},\kappa }\) and \(\varPi _{n,c_{3,j},PP,K,\rho _{\mathsf{CRSGen}}}\) are functionally equivalent except with negligible probability. In this case, \(\mathsf{Exp}'_{j-1}\) and \(\mathsf{Exp}'_j\) are indistinguishable by the reduction to \(i\mathcal {O}\) as follows: \(\mathcal {D}_{i\mathcal {O}}\) runs \(\mathsf{Exp}'_{j-1}\) (or \(\mathsf{Exp}'_j\)) up to Step 8j and outputs \(\varPi '_{n,c_{3,j},\kappa }\) and \(\varPi _{n,c_{3,j},PP,K,\rho _{\mathsf{CRSGen}}}\) and the state of the experiment z; up to receiving obfuscated program \(\widehat{\varPi }\) and z, \(\mathcal {A}_{i\mathcal {O}}\) sends \(\widehat{\varPi }\) to \(P^*\), continues the experiment until the end, and outputs the output of the experiment. Thus, \(\mathsf{Exp}'_{j-1}\) and \(\mathsf{Exp}'_j\) are indistinguishable by the security of \(i\mathcal {O}\). Hence, by hybrid argument, the probability of \(\mathsf {Good}\) event is non-negligible in \(\mathsf{Exp}'_j\) for \(j=1,\ldots ,t\). Let \(\mathsf{Exp}' = \mathsf{Exp}'_t\).

Now suppose that \(\mathsf {Good}\) and q is false occurs with non-negligible probability. Then we construct \(P_{\mathcal {P}\mathsf {cert}}^*\) that breaks the strong soundness of the \(\mathcal {P}\)-certificate system as follows: \(P_{\mathcal {P}\mathsf {cert}}^*\) runs \(\mathsf{Exp}'\) up to Step 5 where it extracts q from \(w_1\). Up on receiving \(CRS = (PP,\kappa )\) where \((PP,K) \leftarrow \mathsf{SetUp}(1^n,D)\) and \(\kappa \leftarrow \mathsf{CRSGen}(PP,K,\mathsf{PreGen}(PP,q))\), it continues \(\mathsf{Exp}'\) using PP and \(\kappa \) and output \(\pi \) extracted from \(w_4\). If \(\mathsf {Good}\) occurs, by the soundness of WISSP, \(P_{\mathcal {P}\mathsf {cert}}^*\) succeeds and \(\mathsf{V}_{\mathsf{cert}}(CRS,\pi )=1\) except with negligible probability. Thus, \(P_{\mathcal {P}\mathsf {cert}}^*\) contradicts the strong soundness of the \(\mathcal {P}\)-certificate system. Hence, \(\mathsf {Good}\) and q is true occurs with non-negligible probability. We call this event \(\mathsf {Good}'\). By averaging argument, there exists h such that \(\mathsf {Good}'|h\) occurs with non-negligible probability.

Finally, consider \(\mathsf{Exp}''\) where \(\mathsf{Exp}'\) is run twice with this h but with the second execution replacing r in Step 3 by an independent random string \(r'\). With non-negligible probability, both executions succeed and output (Sqr) and \((S',q',r')\). Since \(c_1\) must be the same in both executions, \(S=S'\) except with negligible probability by perfectly binding property of \(\mathsf{com}\) and collision-resistance of \(\mathcal {H}\). Since \(q=(\mathsf {Emu}_n,(S,(1^n,j,s),\sigma ),r)\) and \(q'=(\mathsf {Emu}_n,(S,(1^n,j',s'),\sigma '),r')\) are true, we have \(S^{\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}^n}(1^n,j,s) = r\) and \(S^{\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}^n}(1^n,j',s') = r'\). We have that \(|(1^n,j,s)|< 3n < 4n = |r|\) and \(|(1^n,j',s')|<|r'|\). However, the deterministic machine \(S^{\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}^n}\) predicts independent r and \(r'\) with non-negligible probability. This is information theoretically impossible as there are at most \(2^{3n}\) possible outputs for \(S^{\mathcal {O}_{\mathsf{V}_{\mathsf{cert}}}^n}\). Thus, we reach a contradiction.

As in the proof of soundness of \(\varGamma \) in [11], the WIUA global proof-of-knowledge extractor E runs in super-polynomial time as a part of the witness q is of super-polynomial size. Thus, the collision-resistant hash functions \(\mathcal {H}\), the commitment scheme \(\mathsf{com}\) and indistinguishability obfuscators \(i\mathcal {O}\) need to be super-polynomially secure. \(\square \)

Now we can prove the main theorem of this section.

Theorem 7

\(\varDelta \) is a concurrent ZK argument with resettable soundness.

Proof

Since the rZK argument \((P_{rZK},V_{rZK})\) is also a ZK argument and we only further modify an honest verifier V, the concurrent zero-knowledge of \(\varDelta \) follows directly from the concurrent zero-knowledge property of \(\varGamma \). Now we consider the protocol \(\varDelta _F\) where we replace a pseudorandom function \(f_s\) by a truly random function \(F: \{0,1\}^* \rightarrow \{0,1\}^{l(n)}\). We argue that \(\varDelta _F\) is indistinguishable from \(\varDelta \) by the reduction to the security of pseudorandom function as follows. Fix \(x \notin L\) and \(P_{RES}^*\) that convinces a resettable verifier \(V_{RES}\) to accept \(x \notin L\) with probability \(\epsilon \) through protocol \(\varDelta _F\). We construct an adversary \(\mathcal {A}_{PRF}\) having access to an oracle computing either \(f_s\) or F such that \(\mathcal {A}_{PRF}\) runs \(\varDelta \) (or \(\varDelta _F\)) with the following modification: for each message m sent by an honest \(V_{RES}\), \(\mathcal {A}_{PRF}\) asks the oracle using the transcript of the protocol up to that point as input; it then uses the oracle output as the random bits to compute m. \(\mathcal {A}_{PRF}\) outputs the output of V. Since \(\mathcal {A}_{PRF}\) runs the honest \(V_{RES}\) from the beginning to the end, it has access to private parameter K that V generates in Step 6, and thus is able to compute the obfuscated program and rZK messages in Steps 9 and 10. Thus, any non-uniform polynomial-size provers must behave in the same way except with negligible probability. Hence, the completeness follows from the completeness of \(\varGamma \).

We now show the resettable soundness of the protocol. Assume for contradiction that there is a non-uniform polynomial-time resetting prover \(P_{RES}^*\) that convinces a resettable verifier \(V_{RES}\) to accept \(x \notin L\) with probability \(\epsilon \) through protocol \(\varDelta _F\). We construct a polynomial-time (standard) prover \(P_{S}^*\), emulating \(P_{RES}^*\), that convinces a (standard) verifier \(V_{S}\) to accept the same \(x \notin L\) through protocol \(\varGamma '\) repeating Steps 7–9 for t times, where \(t= \mathtt{{poly}}(n)\) is the total number of messages sent by \(P_{RES}^*\). Let c be the number of (prover) rounds in \(\varDelta \).

The cheating prover \(P_{S}^*\) proceeds as follows. First it uniformly selects \(i_1,\ldots ,i_c \in \{1,\ldots ,t\}\). It invokes \(P_{RES}^*\) while emulating \(V_{RES}\). In the jth round of \(\varDelta _F\), \(P_{S}^*\) answers a message from \(P_{RES}^*\) according to the following cases:

  • If the prefix of the current session transcript is identical to a corresponding prefix of a previous session, then \(P_{CONC}^*\) answers by using the same answer it has given in the previous session.

  • Otherwise, \(P_{S}^*\) either forwards the message to \(V_{S}\) and then forwards the reply it receives, or generates the reply itself according to the following conditions:

    • If the message is \(c_3\) or WIUA in Steps 7j–8j, \(P_{S}^*\) repeats its decision whether to forward the message in Step 6. In other words, if \(P_{S}^*\) forwards the message in Step 6, it will forward this message. If it generates the reply in Step 6 itself, it will generate the reply for this message as well. This is because it can only generate an answer in Step 9i if it has generated the answer in Step 6 of the same transcript (instead of passing to \(V_{S}\)).

    • If the message is \(i \in [t]\) in Step 10, \(P_{S}^*\) does not forward the message, but instead runs the simulator \(\mathsf{Sim}_{rZK}\) with \(P_{RES}^*\) corresponding to obfuscated program in Step 9i.

    • If the index of the current message from \(P_{RES}^*\) does not equal to \(i_j\) selected previously, \(P_{S}^*\) generates a reply message using a uniformly selected random bits.

    • Otherwise, \(P_{S}^*\) forwards the current message to \(V_{S}\) and sends \(P_{RES}^*\) a reply it receives from \(V_{S}\).

    In each case, \(P_{CONC}^*\) records the messages from both sides for later use.

By the resettable zero-knowledge of \((P_{rZK},V_{rZK})\), the probability of \(P_{RES}^*\) proving a false theorem \(x \notin L\) only changes negligibly by running \(\mathsf{Sim}_{rZK}\) instead of \(P_{rZK}\). By the property of truly random function, the view of \(P_{RES}^*\) is identical to the distribution that \(P_{RES}^*\) sees when interacting with an honest \(V_{RES}\). If the chosen \(i_1,\ldots ,i_c\) equal the indices of the messages that correspond to the c messages sent in a session in which \(P_{RES}^*\) convinces \(V_{RES}\) to accept \(x \notin L\), then \(P_{S}^*\) will also convince \(V_{S}\) to accept \(x \notin L\) by our construction of \(V_{RES}\). Thus, the probability of \(V_{S}\) accepting \(x \notin L\) is at least \(\epsilon /t^c - \nu (n)\) for some negligible function \(\nu \). This probability is non-negligible. Therefore, it contradicts Lemma 3. \(\square \)

Let \(\varLambda = (P_{rZK},V_{rZK})\) be the constant-round resettable ZK protocol obtained in Corollary 1, we get the following corollary.

Corollary 2

Assuming the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for \(\mathsf {P}/poly\) that are super-polynomially secure, there exists a constant-round resettably-sound concurrent zero-knowledge argument for \(\mathcal {NP}\).

5 Simultaneous Resettable ZK

To obtain our main theorem, we apply a combination of the transformations in Theorem 4 and 5 in Sect. 6, and Theorem 6 and 7 in Appendix C of [25] to our protocol in Sect. 4 to obtain simultaneous resettability.

More specifically, we combine three transformations in [25]:

  • from resettably-sound (relaxed) concurrent zero-knowledge argument to hybrid-sound hybrid-resettable zero-knowledge argument;

  • from hybrid-sound zero-knowledge argument to resettably-sound zero-knowledge argument while maintaining (hybrid) resettability;

  • from hybrid-resettable zero-knowledge argument to resettable zero-knowledge argument while maintaining (hybrid) resettable soundness.

We refer to Sect. 1 for an informal discussion and [25] for formal definitions of relaxed concurrent zero-knowledge, hybrid resettability and hybrid soundness.

Theorem 8

(implied from [25]). Assuming the existence of ZAPs (i.e., 2-round resettably-sound resettable witness-indistinguishable proof systems) and family of pseudorandom functions, there exists a transformation from an \(\ell \)-round resettably-sound concurrent zero-knowledge argument to a \(\mathcal {O}(\ell )\)-round resettably-sound resettable zero-knowledge argument.

Applying the transformations to the protocol \(\varDelta \) in Corollary 2 results in the following theorem. Note that ZAPs can be constructed from \(i\mathcal {O}\) and one-way functions [6], which can then be transformed to have resettable soundness and resettable witness indistinguishability. Furthermore, only the first transformation is based on ZAPs while all of them assume pseudorandom functions.

Theorem 9

Assuming the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for \(\mathcal {P}/\mathtt{{poly}}\) that are super-polynomially secure, there exists a constant-round resettably-sound resettable zero-knowledge argument for \(\mathcal {NP}\).