D.2 Proof of the ALI reduction Theorem B.15
D.2.4 Perfect Zero-Knowledge — Part 5
Our proof follows [17, Section 6], but we make the simplifying assumption that the verifier's first message is the sequence of randomness $R$ mentioned in Step 2a (see Remark D.8). The $\mathsf{ALI}$ protocol assumes two RS-IOPP systems, used in steps 2(c)i and 2(c)ii there, each with its own prover and verifier; let $\mathcal{P}_f, \mathcal{P}_g$ denote the two provers, respectively. Our $\mathsf{STIK}$ (and $\mathsf{STARK}$) instantiates both $\mathcal{P}_f, \mathcal{P}_g$ to be the $\mathsf{FRI}$ prover (for different RS code parameters), but our proof of zero knowledge works for any choice of RS-IOPP because our simulator uses the relevant RS-IOPP prover(s) in a black-box manner. We assume messages from the verifier have a canonical format that indicates which RS-IOPP prover is being addressed, and which oracle is being queried among $O_{\mathrm{assignment}}$ and the various oracles produced by the pair of RS-IOPP protocols.

The simulator. Our straight-line PZK simulator is denoted $\mathsf{Sim}$. Given a verifier $V^*$ and instance $\mathsf{x}$, the simulator starts by sampling uniformly random functions $f^{(0)} \in \mathrm{RS}[\mathbb{F}, L, \rho_{\max}]$ and $g^{(0)} \in \mathrm{RS}[\mathbb{F}, L_{\mathrm{cmp}}, \rho_{\mathrm{cmp}}]$ and recording them. The simulator also instantiates the two RS-IOPP provers, $\mathcal{P}_f$ and $\mathcal{P}_g$ corresponding to steps 2(c)i and 2(c)ii of the $\mathsf{ALI}$ protocol, with $f^{(0)}$ and $g^{(0)}$, respectively. It also invokes $V^*$ and records the first message, which is the randomness $R$ provided by $V^*$. The simulator now continues to run $V^*$. All messages and queries directed by $V^*$ to one of the two RS-IOPP protocols (dealing with $f^{(0)}$ and
To complete the description of $\mathsf{Sim}$ we need only explain how it answers queries to $O_{\mathrm{assignment}} = (w, f_{\mathrm{mask}}, g_{\mathrm{mask}})$. Recall that $w$ is a collection of functions, each with domain $L$, and this is also the domain of $f_{\mathrm{mask}}$; the domain of $g_{\mathrm{mask}}$ is $L_{\mathrm{cmp}}$. As in [17, Section 6], $\mathsf{Sim}$ maintains a set of partial functions $w^*, f^*_{\mathrm{mask}}, g^*_{\mathrm{mask}}$ (with the same domains as $w, f_{\mathrm{mask}}, g_{\mathrm{mask}}$); all these functions are initialized with $*$ values that indicate "undetermined". When a function in $O_{\mathrm{assignment}}$ is queried, $\mathsf{Sim}$ answers with the value recorded in $w^*, f^*_{\mathrm{mask}}, g^*_{\mathrm{mask}}$, if determined, and will otherwise determine it, i.e., change its value from $*$ to some element of $\mathbb{F}$. The process by which undetermined values get determined is described next:
1. A query $x_0 \in L$ sent to a function $f \in w \cup \{f_{\mathrm{mask}}\}$ is determined jointly for all functions $f' \in w \cup \{f_{\mathrm{mask}}\}$. Consider Equation (49). The term on the left hand side, $f^{(0)}(x_0)$, is already fixed by $\mathsf{Sim}$. On the right hand side, the terms
$$\left\{\, r_{\gamma_\tau,0} + r_{\gamma_\tau,1}\cdot x_0^{\,|L|\cdot(\rho_{\max}-\rho_\tau)} \;\middle|\; \tau \in \mathcal{T} \,\right\} \tag{58}$$
are all fixed. The only undetermined values are those of $f^*_{\mathrm{mask}}(x_0)$ and $\{w^*_\tau(x_0) \mid \tau \in \mathcal{T}\}$. Thus, our simulator determines these undetermined values by sampling a uniformly random solution to the linear constraint imposed by $f^{(0)}(x_0)$ and Equation (58).
2. A query $y_0 \in L_{\mathrm{cmp}}$, sent to the function $g_{\mathrm{mask}}$, is determined thus. The left hand side of Equation (50) is already determined by $\mathsf{Sim}$. For all $x_0 \in N(y_0)$, our simulator determines the value of all $\{w^*_\tau(x_0) \mid \tau \in \mathcal{T}\}$ and $f^*_{\mathrm{mask}}(x_0)$ using the process described in Item 1. After all such values $w^*_\tau(x_0)$ are determined for $x_0 \in N(y_0)$, notice that the rightmost summand of Equation (50) is also determined. Thus, $\mathsf{Sim}$ determines $g^*_{\mathrm{mask}}(y_0)$ to be the unique field element that causes the linear constraint of Equation (50) to be satisfied.
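The two-step lazy determination above, as an added Python illustration that is not part of the paper. The exact shapes of Equations (49) and (50) are not on this page, so the code assumes the linear forms $f^{(0)}(x_0) = f_{\mathrm{mask}}(x_0) + \sum_{\tau} c_\tau(x_0)\, w_\tau(x_0)$, with $c_\tau(x_0)$ the fixed coefficient of Equation (58) (its exponent replaced by a constructed $e_\tau$), and $g^{(0)}(y_0) = g_{\mathrm{mask}}(y_0) + \phi_R(\alpha_{w,N(y_0)})$ with a constructed $\phi_R$; the field, domains, neighbourhoods $N(y_0)$ and verifier randomness $R$ are all constructed toy values, and $f^{(0)}, g^{(0)}$ are modelled as random functions since codeword structure plays no role in the determination logic.

```python
"""Toy straight-line simulator for lazy determination of O_assignment.

Added illustration, not the paper's code. Assumptions (not on the page):
  - Eq. (49) is modelled as f0(x0) = fmask(x0) + sum_tau c_tau(x0) * w_tau(x0),
    with c_tau(x0) = r0 + r1 * x0^e_tau standing in for the term of Eq. (58).
  - Eq. (50) is modelled as g0(y0) = gmask(y0) + phi_R(w restricted to N(y0)).
  - f0, g0 are random functions on L, Lcmp (constructed; codeword structure
    does not affect how undetermined values get determined).
"""
import random

P = 97  # constructed prime field F_P


class ToySimulator:
    def __init__(self, L, Lcmp, taus, R, neighbours, seed=None):
        self.rng = random.Random(seed)
        self.L, self.Lcmp, self.taus = list(L), list(Lcmp), list(taus)
        self.neighbours = neighbours          # y0 -> list of x0 in N(y0)
        self.R = R                            # tau -> (r0, r1, e_tau), constructed
        # f0 and g0 are fixed before any query is answered (as Sim does).
        self.f0 = {x: self.rng.randrange(P) for x in self.L}
        self.g0 = {y: self.rng.randrange(P) for y in self.Lcmp}
        # Partial functions w*, fmask*, gmask*: a missing key plays the role of '*'.
        self.w_star = {tau: {} for tau in self.taus}
        self.fmask_star = {}
        self.gmask_star = {}

    def coeff(self, tau, x0):
        """Fixed coefficient in the spirit of Eq. (58) (constructed exponent e_tau)."""
        r0, r1, e = self.R[tau]
        return (r0 + r1 * pow(x0, e, P)) % P

    def determine_x(self, x0):
        """Item 1: fix fmask*(x0) and every w_tau*(x0) jointly, uniformly among
        solutions of one linear equation whose fmask coefficient is 1: pick the
        w-values uniformly, then fmask is forced. Idempotent on repeat queries."""
        if x0 in self.fmask_star:
            return
        acc = 0
        for tau in self.taus:
            v = self.rng.randrange(P)
            self.w_star[tau][x0] = v
            acc = (acc + self.coeff(tau, x0) * v) % P
        self.fmask_star[x0] = (self.f0[x0] - acc) % P

    def phi_R(self, y0):
        """Constructed stand-in for phi_R: sum over N(y0) of the product of w-values."""
        total = 0
        for x0 in self.neighbours[y0]:
            prod = 1
            for tau in self.taus:
                prod = prod * self.w_star[tau][x0] % P
            total = (total + prod) % P
        return total

    def determine_y(self, y0):
        """Item 2: first determine w* on all of N(y0) via Item 1, then gmask*(y0)
        is the unique field element satisfying the (modelled) Eq. (50)."""
        if y0 in self.gmask_star:
            return
        for x0 in self.neighbours[y0]:
            self.determine_x(x0)
        self.gmask_star[y0] = (self.g0[y0] - self.phi_R(y0)) % P

    def query(self, oracle, point, tau=None):
        """Answer a V* query to O_assignment = (w, fmask, gmask)."""
        if oracle == "w":
            self.determine_x(point)
            return self.w_star[tau][point]
        if oracle == "fmask":
            self.determine_x(point)
            return self.fmask_star[point]
        if oracle == "gmask":
            self.determine_y(point)
            return self.gmask_star[point]
        raise ValueError(oracle)

    def constraints_hold(self):
        """Re-check the modelled Eq. (49) at every determined x0 and Eq. (50) at
        every determined y0 against the values fixed in f0 and g0."""
        for x0 in self.fmask_star:
            rhs = self.fmask_star[x0]
            for tau in self.taus:
                rhs = (rhs + self.coeff(tau, x0) * self.w_star[tau][x0]) % P
            if rhs != self.f0[x0]:
                return False
        for y0 in self.gmask_star:
            if (self.gmask_star[y0] + self.phi_R(y0)) % P != self.g0[y0]:
                return False
        return True


def make_toy(seed=0):
    """Constructed toy instance: L = {0..7}, Lcmp = {0..3}, N(y0) = {2y0, 2y0+1}."""
    L, Lcmp, taus = range(8), range(4), [1, 2]
    R = {1: (5, 7, 1), 2: (11, 13, 2)}   # constructed verifier randomness R
    neighbours = {y: [2 * y, 2 * y + 1] for y in Lcmp}
    return ToySimulator(L, Lcmp, taus, R, neighbours, seed)


def run_demo(seed=0):
    """Query w_1(3), then gmask(1), which pulls in N(1) = {2, 3} and must reuse
    the value already fixed at x0 = 3; returns True if everything is consistent."""
    sim = make_toy(seed)
    first = sim.query("w", 3, tau=1)
    sim.query("fmask", 3)
    sim.query("gmask", 1)
    again = sim.query("w", 3, tau=1)
    return first == again and sim.constraints_hold() and set(sim.fmask_star) == {2, 3}
```

The point the code makes concrete is that every determination is forced by the values $\mathsf{Sim}$ fixed up front ($f^{(0)}$, $g^{(0)}$, $R$), that a point is only ever determined once regardless of which oracle asked first, and that a $g_{\mathrm{mask}}$ query transitively determines the whole neighbourhood $N(y_0)$ before its own value is fixed.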
Perfect zero knowledge. First, notice $\mathsf{Sim}$ is straight-line, i.e., it never restarts $V^*$. To prove perfect zero knowledge, we shall show that the distribution sampled by $\mathsf{Sim}$ interacting with $V^*$ on a satisfiable instance $\mathsf{x}$ is the same as the distribution on transcripts of the interaction between $V^*$ and an honest prover holding a witness for $\mathsf{x}$ and operating as described in $\mathsf{ALI}$. Notice the following facts about the distribution supplied by the honest prover:
1. Each $w_\tau$ is sampled uniformly and independently from a $\kappa|L|$-wise independent space;
2. $\phi_R(\alpha_{w,N(y_0)})$ is determined by $R$ and $\{w_\tau(x_0) \mid x_0 \in N(y_0),\ \tau \in \mathcal{T}\}$;
3. the pair $(f_{\mathrm{mask}}, g_{\mathrm{mask}})$ is sampled uniformly from $\mathrm{RS}[\mathbb{F}, L, \rho_{\max}] \times \mathrm{RS}[\mathbb{F}, L_{\mathrm{cmp}}, \rho_{\mathrm{cmp}}]$;
4. consequently, independently of $R$ and $w$, the pair $(f^{(0)}, g^{(0)})$ is sampled uniformly from $\mathrm{RS}[\mathbb{F}, L, \rho_{\max}] \times \mathrm{RS}[\mathbb{F}, L_{\mathrm{cmp}}, \rho_{\mathrm{cmp}}]$.
Item 4 above relies on the completeness property, which says that if $w$ satisfies $\mathsf{x}$ then the rightmost summand of Equation (50) is a codeword of $\mathrm{RS}[\mathbb{F}, L_{\mathrm{cmp}}, \rho_{\mathrm{cmp}}]$.

Consequently, for every fixing of the first verifier message $R$, and for every subset $S \subset L$, $|S| < \kappa|L|$, the distribution on $w|_S, f_{\mathrm{mask}}|_S, f^{(0)}|_S$ generated by the honest $\mathsf{ALI}$ prover is the uniform distribution on field elements satisfying the linear constraint of Equation (49) for each $x \in S$. By construction, the distribution supplied by $\mathsf{Sim}$ invoking $V^*$, which makes these queries $S$, is precisely the same distribution.
Next, assume the aforementioned $S$ includes all $x_0 \in N(S_0)$, where $S_0 \subset L_{\mathrm{cmp}}$ is the set of queries made by $V^*$ to $g_{\mathrm{mask}}$. By Item 2, the distribution on the rightmost term of Equation (50) generated by the honest $\mathsf{ALI}$ prover is the exact same distribution as that supplied by $\mathsf{Sim}$ invoking $V^*$. By Items 3 and 4 above, the distribution on $g^{(0)}|_{S_0}, g_{\mathrm{mask}}|_{S_0}$ is thus the uniform distribution on field elements satisfying the linear constraint of Equation (50) for every $y_0 \in S_0$. By construction, $\mathsf{Sim}$ produces the same distribution on $g^{(0)}|_{S_0}, g_{\mathrm{mask}}|_{S_0}$.
Finally, the distribution of messages between $V^*$ and the sub-provers $\mathcal{P}_1, \mathcal{P}_2$ used as part of the RS-IOPP protocols is, by construction, the same distribution as provided by $\mathsf{Sim}$ invoking $V^*$, because both the honest $\mathsf{ALI}$ prover and the simulator invoke the same sub-provers $\mathcal{P}_1, \mathcal{P}_2$ and supply them with the exact same uniformly random inputs $f^{(0)}$ and $g^{(0)}$.

We have shown that the distribution output by the straight-line simulator $\mathsf{Sim}$ invoking $V^*$ is equal to the distribution output by $V^*$ interacting with an honest prover on a satisfiable instance. This completes the proof of Item 5 of Theorem B.15.
Remark D.8. Inspection reveals that the proof of perfect zero knowledge appearing in [17, Section 6] can be adapted to our case (details omitted). That proof is more complicated, as it is designed to address the case where the verifier may query the first oracle ($O_{\mathrm{assignment}}$) even before sending the randomness $R$. We point out that in all concrete $\mathsf{STARK}$ realizations, both interactive ($\mathsf{iSTARK}$) and non-interactive ($\mathsf{nSTARK}$), this assumption is unrealistic.