In this section we prove Claim 4.3. Let $\{C_k\}_{k\in\mathbb{N}}$ be a constructible ensemble of circuits. Let $P^*$ be a poly-size prover, let $p$ be a polynomial and let $\{x_n\}_{n\in\mathbb{N}}$ be a sequence of inputs such that $k(n) = |x_n| = \mathrm{poly}(n)$ and for all large enough $n$:
$$\Pr_{\mathsf{CRS}\leftarrow\mathsf{GenBP}(1^n,1^{k(n)})}\left[1 \leftarrow \mathsf{VBP}(\mathsf{CRS}, x_n, P^*(\mathsf{CRS}, x_n))\right] \ge \frac{1}{p(n)} . \tag{20}$$
We construct a $Q$-local assignment generator Assign for $\{x_n\}$ where $Q = O(\log^6 n)$ is as defined in the claim statement.
Local assignment generator Assign. Fix $n\in\mathbb{N}$ and take $k = k(n)$, $S = S(k(n))$, $m = m(k(n))$, $Q = Q(n)$. Recall that on input $1^n$ and a vector of wires $w = (w_1,\dots,w_Q) \in \{0,1\}^{m\cdot Q}$, the output of Assign is a locally consistent partial assignment $a\in\{0,1\}^Q$ for the wires in $w$.
We start by giving a high-level description of the assignment generator. On input $(1^n, w)$, the generator Assign emulates GenBP, except that it samples the encoded curves $\gamma_1,\dots,\gamma_Q$ so that the $q$-th curve passes through $w_q$ instead of through $0^m$:
$$\forall q\in[Q],\quad \gamma_q(t_q) = w_q,$$
where $t_q$ is a random and secret ring element. The curves are sampled using the sampling procedure described in Section 3.2.1. By the semantic security of the curve sampling procedure (Lemma 3.13), this change is not detectable by the prover $P^*$.
The generator Assign runs $P^*$ on a CRS generated as above, and checks that the proof generated by $P^*$ is an accepting proof. If not, it simply generates a fresh CRS using the same procedure (with curves passing through $w$) and tries again. After $(2n\cdot p(n))$ attempts, if no accepting proof is found, Assign aborts and outputs the all-0 assignment (this will only happen with negligible probability). Once an accepting proof is found, Assign obtains the encoded polynomials $\{\widetilde{X}'_q\}_{q\in[Q]}$ as computed by VBP. Then Assign recovers the $q$-th bit of the partial assignment as:
$$a_q \leftarrow \widetilde{X}'_q(t_q)$$
For each bit of the partial assignment, Assign tests if it is 0 or 1 (if not, Assign fails; this will only happen with negligible probability).
The assignment generator. Assign$(1^n, w)$ repeats the following for up to $2n\cdot p(n)$ iterations, until some iteration produces an assignment. If no iteration succeeds in producing an assignment, Assign outputs the default assignment $0^Q$.
1. Sample public parameters and re-randomization parameters:
$$\mathsf{pp},\mathsf{rp} \leftarrow \mathsf{InstGen}(1^n, \delta') ,$$
as sampled by GenBP.
2. For every $q\in[Q]$ sample an encoded curve passing through $w_q$ using the procedure Curve (see Section 3.2.1):
$$[\gamma_q]_1, [t_q]_0 \leftarrow \mathsf{Curve}(\mathsf{pp},\mathsf{rp},\delta') .$$
3. Set:
$$\mathsf{CRS} = \left(\mathsf{pp}, [\gamma_1]_1, \dots, [\gamma_Q]_1\right) ,$$
and run the prover $P^*$ to obtain:
Verify that:
$$\mathsf{VBP}(\mathsf{CRS}, x, \Pi) = 1.$$
Otherwise, proceed to the next iteration.
4. Using the proof $\Pi$, obtain the encoded polynomials:
$$\left\{\left[\widetilde{X}'_q\right]_m\right\}_{q\in[Q]} ,$$
as computed by VBP (see Equation (14)).
5. Use the operations Add, Mult to obtain the encodings:
$$\left\{\left[\widetilde{X}'_q(t_q)\right]_m\right\}_{q\in[Q]} .$$
6. For every $q\in[Q]$, use the operations Sub, isZero to test if $\widetilde{X}'_q(t_q) = 0$ or if $\widetilde{X}'_q(t_q) = 1$. If both tests fail, output the default assignment $0^Q$.
7. Output the assignment:
$$\left(\widetilde{X}'_1(t_1), \dots, \widetilde{X}'_Q(t_Q)\right) .$$
Local assignment generator properties. We proceed to show that if indeed $P^*$ succeeds in making VBP accept (with polynomial probability), that is, if Equation (20) holds, then Assign is a $Q$-local assignment generator for $\{x_n\}$ satisfying the everywhere $Q$-local consistency and no-signaling properties in Definition 4.2.
Everywhere $Q$-local consistency. In each iteration, Assign generates curves that pass through the wires specified by $w$. The probability that $P^*$ generates a proof that VBP accepts remains almost unchanged compared to random curves passing through $0^m$, and is at least $1/2p(n)$. This follows from the semantic security of the curve encodings (Lemma 3.13). Otherwise, we could use $P^*$ and VBP to distinguish random curves passing through $0^m$ from ones passing through $w$. Thus, the probability that after $(2n\cdot p(n))$ independent iterations $P^*$ doesn't generate a proof that makes VBP accept is $\exp(-n)$.
To complete the local consistency proof, we show that in any iteration where $P^*$ generates a proof $\Pi$ that makes VBP accept, it is always the case that the assignments derived from $\Pi$ are locally consistent.
Towards this end, recall that from the proof $\Pi$, the generator Assign obtains the encoding of the polynomials $\{\widetilde{X}'_q\}$. For any triplet of queries $q = (q_1, q_2, q_3) \in [Q]^3$, let $t_1, t_2, t_3$ be the points where the curves $\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3}$ get values $w_{q_1}, w_{q_2}, w_{q_3}$. We want to show that the triplet of assignments:
$$a_1 \leftarrow \widetilde{X}'_{q_1}(t_1),\quad a_2 \leftarrow \widetilde{X}'_{q_2}(t_2),\quad a_3 \leftarrow \widetilde{X}'_{q_3}(t_3)$$
are locally consistent, as per Definition 4.2.
In Claim 4.9 below, we show that for every $b\in\{0,1\}^3$, $j\in[3m]$ it is always the case that:
$$P'^{b,q}_{0}(t_1, t_2, t_3) = 0.$$
This implies local consistency as follows. From VBP's test in Equation (18) we have that:
\begin{align}
0 = P'^{b,q}_{0}(t_1, t_2, t_3) &= \varphi^{b}_{x}\left(\gamma_{q_1}(t_1), \gamma_{q_2}(t_2), \gamma_{q_3}(t_3)\right)\cdot \prod_{i\in[3]} \left(1-\beta\left(b_i, \widetilde{X}'_{q_i}(t_i)\right)\right) \\
&= \varphi^{b}_{x}\left(w_{q_1}, w_{q_2}, w_{q_3}\right)\cdot(1-\beta(b_1, a_1))\cdot(1-\beta(b_2, a_2))\cdot(1-\beta(b_3, a_3)) .
\end{align}
This implies that for every clause in the 3-CNF $\phi_x$ that involves the assignments on wires $w_{q_1}, w_{q_2}, w_{q_3}$, the bit values $a_1, a_2, a_3$ assigned to those wires satisfy the clause. By the construction of $\phi_x$, we conclude that the values assigned to $a_1, a_2, a_3$ are locally consistent (as per Definition 4.2).
Claim 4.9 below completes the proof of local consistency:
Claim 4.9 (VBP Accept ⇒ Consistency). For every input $x\in\{0,1\}^k$ and every wire-vector $w = (w_1,\dots,w_Q) \in [S(n)]^Q$, for every challenge CRS generated by Assign$(1^n, w)$, if VBP accepts the proof $\Pi \leftarrow P^*(x, \mathsf{CRS})$, then the following holds.
For every $q = (q_1, q_2, q_3) \in [Q]^3$, $b\in\{0,1\}^3$, let $P'^{b,q}_{0}$ be the encoded polynomial computed by VBP from $\Pi$ via Equation (18), and let $t_1, t_2, t_3$ be the points where the curves $\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3}$ get values $w_{q_1}, w_{q_2}, w_{q_3}$. We have that:
$$P'^{b,q}_{0}(t_1, t_2, t_3) = 0$$
Proof. We begin with notation. We take $t = (t_1, t_2, t_3)$, and $z = (\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})(t_1, t_2, t_3)$. Note that $z = (w_{q_1}, w_{q_2}, w_{q_3}) \in \{0,1\}^{3m}$ is a boolean vector.
Following VBP's computations of the encoded polynomials:
$$\left\{\left[P'^{b,q}_{j}\right]_{(3m-j)(\delta+1)+j}\right\}_{q\in[Q]^3,\ b\in\{0,1\}^3,\ j\in[0,3m]} ,$$
by the fact that VBP accepts, we know that for every $b\in\{0,1\}^3$, $j\in[3m]$:
\begin{align}
P'^{b,q}_{j}(t_1, t_2, t_3) &= \sum_{y\in\{0,1\}} \beta\left(y, (\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})(t_1, t_2, t_3)[j]\right)\cdot P^{b,q}_{j-1}(t_1, t_2, t_3, y) \tag{21} \\
&= \sum_{y\in\{0,1\}} \beta(y, z[j])\cdot P^{b,q}_{j-1}(t_1, t_2, t_3, y) \tag{22} \\
&= P^{b,q}_{j-1}(t_1, t_2, t_3, z[j]) \tag{23} \\
&= P'^{b,q}_{j-1}(t_1, t_2, t_3) \tag{24}
\end{align}
Here Equality (21) follows from VBP's test in Equation (19). Equality (22) is by definition of $z$. Equality (23) follows because $z$ is a boolean vector. Finally, Equality (24) follows by the definition of $P'^{b,q}_{j-1}$ (see Equation (16)).
We conclude that under the conditions in the Claim's statement:
$$\forall b\in\{0,1\}^3,\ j\in[3m]:\quad P'^{b,q}_{j}(t_1, t_2, t_3) = P'^{b,q}_{j-1}(t_1, t_2, t_3) \tag{25}$$
Also, by VBP's test in Equation (17), we have:
$$\forall b\in\{0,1\}^3:\quad P'^{b,q}_{3m}(t_1, t_2, t_3) = 0 \tag{26}$$
From Equations (26) and (25), we conclude that
$$\forall b\in\{0,1\}^3:\quad P'^{b,q}_{0}(t_1, t_2, t_3) = 0$$
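No-signaling. The no-signaling property of Assign follows rather directly from the semantic security of the encoded curves (Lemma 3.13) by a standard hybrid argument.
Assume toward contradiction that there exists a polynomial $p_1$ and a poly-size distinguisher $D$ such that for infinitely many values of $n\in\mathbb{N}$, there exists a set $T\subseteq[Q]$, and wire vectors $w^0, w^1 \in \{0,1\}^{m\cdot Q}$ such that $w^0|_T = w^1|_T$ and:
$$\left|\Pr_{a\leftarrow\mathsf{Assign}(1^n, w^0)}\left[D(a|_T) = 1\right] - \Pr_{a\leftarrow\mathsf{Assign}(1^n, w^1)}\left[D(a|_T) = 1\right]\right| \ge \frac{1}{p_1(n)} . \tag{27}$$
Let $\delta' = \delta'(n)$ be a degree parameter defined as in the procedure GenBP and let:
$$\mathsf{pp},\mathsf{rp} \leftarrow \mathsf{GenBP}(1^n, \delta') .$$
For every $w\in\{0,1\}^m$ let $[\gamma^{w}]_1$ be the encoded curve generated by $\mathsf{Curve}(\mathsf{pp},\mathsf{rp},\delta', w)$.
We use $D$ to construct another distinguisher $D'$ such that:
$$\left|\Pr\left[D'\left(\mathsf{pp},\mathsf{rp},\left\{\left[\gamma^{w^0_q}\right]_1\right\}_{q\in[Q]\setminus T}\right) = 1\right] - \Pr\left[D'\left(\mathsf{pp},\mathsf{rp},\left\{\left[\gamma^{w^1_q}\right]_1\right\}_{q\in[Q]\setminus T}\right) = 1\right]\right| \ge \frac{1}{n\cdot p(n)\cdot p_1(n)} . \tag{28}$$
(Recall that the polynomial $p$ defined the success probability of the adversary $P^*$ as per Equation (20).) We get a contradiction to Lemma 3.13 by a standard hybrid argument.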
To prove Equation (28) we consider a sequence of hybrid distributions. Recall that the strategy of Assign proceeds in at most $n\cdot p(n)$ iterations until an assignment is produced. For every $i\in[0, n\cdot p(n)]$ let $a^i$ be an assignment produced by the assignment generator that follows the strategy of Assign$(1^n, w^0)$ for the first $i$ iterations, and the strategy of Assign$(1^n, w^1)$ for the rest of the iterations. By Equation (27) we have that for some $i\in[n\cdot p(n)]$:
$$\left|\Pr\left[D(a^i|_T) = 1\right] - \Pr\left[D(a^{i-1}|_T) = 1\right]\right| \ge \frac{1}{n\cdot p(n)\cdot p_1(n)} . \tag{29}$$
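The averaging step behind Equation (29), written out as an added derivation that is not part of the original text. It writes $N = n\cdot p(n)$ for the number of iterations used to index the hybrids above, and uses that $a^N$ follows the strategy of Assign$(1^n, w^0)$ in every iteration while $a^0$ follows the strategy of Assign$(1^n, w^1)$ in every iteration, so that Equation (27) bounds the gap between these two endpoints:
\begin{align}
\frac{1}{p_1(n)} &\le \left|\Pr\left[D(a^N|_T) = 1\right] - \Pr\left[D(a^0|_T) = 1\right]\right| \\
&= \left|\sum_{i=1}^{N}\left(\Pr\left[D(a^i|_T) = 1\right] - \Pr\left[D(a^{i-1}|_T) = 1\right]\right)\right| \\
&\le \sum_{i=1}^{N}\left|\Pr\left[D(a^i|_T) = 1\right] - \Pr\left[D(a^{i-1}|_T) = 1\right]\right| \\
&\le N\cdot\max_{i\in[N]}\left|\Pr\left[D(a^i|_T) = 1\right] - \Pr\left[D(a^{i-1}|_T) = 1\right]\right| .
\end{align}
Dividing by $N$, some index $i\in[N]$ has a gap of at least $\frac{1}{N\cdot p_1(n)} = \frac{1}{n\cdot p(n)\cdot p_1(n)}$ between consecutive hybrids, which is the bound stated in (29).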
Fix such $i$. The distinguisher $D'$ is defined as follows. Given as input parameters $\mathsf{pp},\mathsf{rp}$ and encoded curves:
$$\left\{\left[\gamma^{w^b_q}\right]_1\right\}_{q\in[Q]\setminus T} ,$$
for some $b\in\{0,1\}$, $D'$ emulates the assignment generator Assign as follows. In the first $i-1$ iterations $D'$ follows the strategy of Assign$(1^n, w^0)$ except that it uses its input parameters $\mathsf{pp},\mathsf{rp}$ instead of sampling parameters on its own in Step 1. From the $(i+1)$-th iteration onwards, $D'$ follows the strategy of Assign$(1^n, w^1)$ using the parameters $\mathsf{pp},\mathsf{rp}$. If an assignment $a$ is obtained in one of these iterations, $D'$ obtains $a|_T$.
In the $i$-th iteration, $D'$ emulates Assign using the parameters $\mathsf{pp},\mathsf{rp}$ except that in Step 3 it samples CRS as follows. For every $q\in T$, $D'$ samples:
$$\left[\gamma^{w^0_q}\right]_1, [t_q]_0 \leftarrow \mathsf{Curve}(\mathsf{pp},\mathsf{rp},\delta', w^0_q) .$$
The challenge CRS consists of the sampled curves as well as the input curves:
$$\left\{\left[\gamma^{w^0_q}\right]_1\right\}_{q\in T} ,\quad \left\{\left[\gamma^{w^b_q}\right]_1\right\}_{q\in[Q]\setminus T} .$$
Since $w^0|_T = w^1|_T$ we have that CRS is distributed as in the execution of Assign$(1^n, w^b)$. Using the challenge CRS, $D'$ continues to emulate the $i$-th iteration of Assign. If an accepting proof is produced in Step 4, since $D'$ only has $t_q$ for $q\in T$, it continues to emulate Steps 5, 6 and 7 only for $q\in T$ and
Finally $D'$ outputs the same as $D(a|_T)$. We argue that the assignment $a|_T$ is indistinguishable from $a^i|_T$ if $b = 0$ and from $a^{i-1}|_T$ if $b = 1$. This, together with (29), proves (28) and concludes the proof of the no-signaling property.
Assume without loss of generality that $b = 0$. The only difference between the distributions $a|_T$ and $a^i|_T$ is that when sampling $a^i|_T$, if in the $i$-th iteration of Assign an accepting proof is produced in Step 4 but for some $q\in[Q]\setminus T$ both tests in Step 6 fail, then $a^i|_T$ is set to the default assignment, while $a|_T$ will not (since $D'$ only emulates Step 6 for $q\in T$). However, following the proof of Claim 4.9 this event only happens with negligible probability.