A Framework for Non-Interactive Instance-Dependent
Commitment Schemes (NIC)
∗Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science
University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,[email protected]
September 17, 2009
Abstract
Zero-knowledge protocols are often studied through specific problems, like GRAPH-ISOMORPHISM. In many cases this approach prevents an important level of abstraction and leads to limited results, whereas in fact the constructions apply to a wide variety of problems. We propose to address this issue with a formal framework ofnon-interactive instance-dependent commitment schemes(NIC). We de-fineNICin both the perfect, statistical, and computational settings, and formally characterize problems admittingNICin all of these settings. We also prove other useful lemmas such as closure properties. Consequently, results that previously applied only to specific problems are now strengthened by our framework to apply toclasses of problems. By providing formal yet intuitive tools, our framework facil-itates the construction of zero-knowledge protocols for a wide variety of problems, in various settings, without the need to refer to a specific problem. Our results are unconditional.
Keywords: cryptography, zero knowledge, instant-dependent commitment schemes
1 Introduction
Zero-knowledge protocols enable one party (the prover) to prove an assertion to another party (the verifier), but without revealing anything to the verifier other than the truth of the assertion [20]. Intuitively, this is
made possible using a cryptographic primitive calleda bit commitment scheme. Such a scheme allows a
senderto commit to a bitbsuch that thereceivercannot learnbfrom the commitment, and at the same time
the sender cannot change the commitment to another value. The first property is calledhidingand the later
is calledbinding. Bit commitment schemes exist if and only if one-way functions exist [22, 30].
The key role that bit commitment schemes play in the study of zero-knowledge protocols explains why
languages such as GRAPH-ISOMORPHISM appear in many zero-knowledge constructions. Intuitively, the
graphs induce a primitive similar to a bit commitment scheme, and the primitive can be used to construct
the protocol. That is, given graphs hG0, G1i, a commitment to a bit b can be computed by choosing a
random permutationπand outputtingy=π(Gb), which perfectly hidesbif the graphs are isomorphic, and
perfectly binds tobotherwise. There are numerous examples of works that utilize variants of this idea to construct zero-knowledge protocols (c.f., [38, 19, 5, 36, 5]). A sample of recent works includes the quantum
zero-knowledge protocol of Watrous [41] for GRAPH-ISOMORPHISM, the linear locality zero-knowledge
proof of Micali and Pass [27] for GRAPH-NONISOMORPHISM, the concurrent zero-knowledge protocol of
Micciancio et al. [28] (based on [34]) for a variant of STATISTICAL-DISTANCE[35] calledSD11/2, and the
efficient-prover zero-knowledge protocol of Micciancio and Vadhan [29] for lattice problems.
The issue that we address in this paper is that many works (such as these mentioned above) construct
zero-knowledge protocols for specific problems. For example, the quantum zero-knowledge protocol of
Watrous [41] is designed specifically for GRAPH-ISOMORPHISM. This is an issue because these works
actually apply to a much larger class of problems, and therefore they can obtain stronger and more general results. Our goal is to provide a framework that will allow achieving these stronger and more general results. The other disadvantage in constructing zero-knowledge protocols for specific problems is that they prevent us from formally reasoning about other settings. For example, in many cases the protocol inherits its zero-knowledge property from the hiding property of the bit commitment scheme, and this can be argued
formally when using bit commitment schemes, but not when using a specific problem such as GRAPH
-ISOMORPHISM. Our framework will not suffer from this limitation. It will provide this level of abstraction while still being simple.
1.1 Our Results - TheNICFramework
One may suggest that instead of constructing protocols using specific problems like GRAPH-ISOMORPHISM,
we should use the notions of random self-reducibility (RSR) [38, 2] or Σ-protocols [8]. The first issue
with this idea is that, since these definitions are complex, they make protocol construction and analysis very cumbersome. Indeed, this may explain why most zero-knowledge works rather use the simpler and
more intuitive problem GRAPH-ISOMORPHISM. The second issue is that some of the specific problems
for which zero-knowledge protocols are constructed (such as variants of STATISTICAL-DISTANCEand the
lattice problems of [29]) are not known to satisfy these notions.
The notion of a non-interactive commitment scheme is significantly simpler than the notions of random
self-reducibility orΣ-protocols. Furthermore, commitment schemes are natural tools in the study of
zero-knowledge protocols. Thus, we propose that the issue of constructing zero-zero-knowledge protocols for specific
problems be addressed using a primitive which we call anon-interactive instance-dependent commitment
scheme(NIC). More formally, aNICis an efficient functionf(x, b;r)that outputs a commitment to a bit
busing randomnessr, just like a non-interactive bit commitment scheme. In addition, it takes an instance
xof a problem as an input, and the hiding and binding properties depend on whetherxis a YESor aNO
instance of the problem. The binding is perfect, and the hiding property can be either perfect, statistical, or computational (generalizing [23]).
To show thatNICcan replace specific problems used in zero-knowledge constructions, we had to find a
property of these problems that impliesNIC, be implied byNIC, and would apply in both the computational,
statistical, and perfect setting. As we mentioned earlier, random self-reducibility [38] andΣ-protocols [8]
are not suitable candidates because variants of STATISTICAL-DISTANCEand the lattice problems of [29]
are not known to satisfy these notions. Instead, we formalize a very simple property, which we callV-bit
protocols. Informally, these are 3-round protocols with perfect completeness where the message of the verifier is one random bit. This property is already satisfied by all the problems we want to capture. We then
Characterization ofNIC(informal). A problem has a perfectly (respectively, statistically,
computation-ally) hidingNICif and only if it has a V-bit perfect (respectively, statistical, computational) zero-knowledge.
This theorem yieldsNICfor a wide variety of problems, such as GRAPH-ISOMORPHISM, QUADRATIC
-RESIDUOUSITY, DISCRETE-LOGARITHMand any random self-reducible problem (RSR) [38, 2]. Problems
that are neither known to beRSRnor to admitΣ-protocols [8] are also included. For example, 1MOD4
and its variants [23], the version SD10 of STATISTICAL-DISTANCE (the general version is complete for
statistical zero-knowledge [35]), and problems with statistically hidingNICsuch asSD11/2 and the lattice
problems SHORTESTVECTORPROBLEM(SVP) and CLOSEST VECTOR PROBLEM (CVP) of [29]. Thus,
any protocol using the notion of aNICwould immediately apply to a wide variety of problems (as opposed
to a specific problem).
Our theorem facilitates the study of zero-knowledge protocols by providing useful abstractions. For
ex-ample, consider the non-black-box zero-knowledge protocol of Barak [4] applied to GRAPH-ISOMORPHISM.
If we use the graphs as explained earlier, instead of using a bit commitment scheme, then we obtain a
non-black-boxperfectzero-knowledge protocol for GRAPH-ISOMORPHISM.1 However, if instead of using
GRAPH-ISOMORPHISMwe replace the bit commitment scheme with aNIC, then we get a result that applies to a wide variety of problems, in both the perfect and the statistical setting. Moreover, since the notion of
aNICis very similar to that of a bit commitment-scheme, we can formally prove this claim by reusing the
proof given in [4]. Finally, by using theNICframework we guarantee that if more problems admittingNIC
are discovered in the future, then our result would apply to these problems as well.
In the second part of this paper we extend our approach to closure results. That is, we consider works that
provide closure results for specific problems such as GRAPH-ISOMORPHISM, and we show that stronger and
more general results can be achieved by using the notion of aNIC. For example, Itoh et al. [23] constructed
what we call a perfectly hidingNICfor theORand theAND variants of GRAPH-ISOMORPHISM. Instead,
we show that all the problems admittingNICcan be combined in any monotone boolean formula fashion.
Closure ofNIC(informal). The class of problems possessingNICis closed underarbitrary(as opposed to fixed) monotone boolean formulae.
Hence, any protocol using aNICwould automatically apply to any monotone boolean formula over all
the problems admitting aNIC. The formula can combine problems with different hiding properties (e.g.,
perfect and statistical), and can be chosen after the input is given to the parties (as opposed to fixing the protocol for one formula). Our result is also stronger and more general than that of De Santis et. al [36]. They showed a zero-knowledge protocol for monotone boolean formula statements over random self-reducible
(RSR) problems, whereas our closure result includes problems that are not known to beRSRand problems
where the hiding property is statistical or computational. The literature offers a variety of related closure results (c.f., [10, 11, 9]), but these apply to more restricted classes of problems and provide constructions that do not preserve the properties of the building blocks.
1.2 Related Work
The idea of a commitment scheme whose hiding and binding properties depend on an instance were implicit in [5, 36]. Itoh, Ohta, and Shizuya [23] were the first to formalize this notion and show that such schemes
1This is the first evidence thatperfect(as opposed to computational) non-black-box zero-knowledge protocols are possible,
can replace the bit commitment scheme in the protocols of [6, 19] forNP. We extend their definition from the perfect setting to the statistical and the computational settings. We remark that a similar notion to our
statistically hidingNIC(using a variant of STATISTICAL-DISTANCE) appeared in the work of Micciancio
and Vadhan [29] and used in [28], but it is not suitable because it cannot be generalized to the computational setting, and even in the perfect setting there are technical issues that prevent it from representing problems
that haveNIC, like GRAPH-ISOMORPHISM.
One direction in our characterization result shows thatNICimply what we callV-bitzero-knowledge
protocols. This is proved by applying the technique of [23] from perfect zero-knowledge to all settings (perfect, statistical, and computational). In the other direction, we adapt the technique of Damg˚ard [12].
This technique was originally used in the context of Σ-protocols that are also proofs of knowledge for
NP-hard relations. We show that it also applies in the case ofV-bit zero-knowledge protocols.
Our proof that problems admitting NIC are closed under arbitrary (as opposed to fixed) monotone
boolean formulae uses the technique of De Santis et. al [36], who used it in the context of random
self-reducible (RSR) problems, where the hiding property is perfect and therefore the construction can be
ap-plied many times without leaking any information. In our case, on the other hand, the hiding property can
be computational, statistical, or perfect, and we allow mixingNICwith different hiding properties. This
in-troduces several technical difficulties in the reductions, which we overcome by inductively summing up the leakage and relating the size of the formula to the size of the input. Related results were given in [10, 11, 9],
but whereas we show how to combineNICsuch that the resulting construction is also aNIC, they show how
to combine protocols such that the resulting construction does not belong to the same class of protocols. The relationship between commitment schemes and zero-knowledge protocols is one of the long stand-ing open questions in cryptography. On one hand, the existence of commitment schemes implies that of zero-knowledge proofs (e.g., [6, 19]). On the other hand, Ostrovsky and Wigderson [33, 31] showed that commitment schemes can be constructed from zero-knowledge proofs for hard on average problems (an alternative proof was given in [35, 39, 40]). More recently, Ong and Vadhan [32] showed that a problem has aconstant-roundinstance-dependent commitment scheme if and only if it has a zero-knowledge proof, but this equivalence does not apply to perfect zero-knowledge (PZK) proofs. Malka [26] showed an alternative
equivalence that applies to all settings, includingPZK, but this equivalence does not have useful properties,
such as being constant-round.
1.3 Organization.
Section 2 gives standard definitions and Section 3 defines NIC. In Section 4 we prove that V-bit
zero-knowledge protocols imply and are implied byNIC. Section 5 shows that random self-reducibility implies
NIC, and Section 6 shows thatNICcan be combined in monotone boolean formula fashion. Open questions
are given in Section 7. In Section A we prove that the notions of V-bit zero-knowledge proofs and Σ
-protocols are equivalent.
2 Definitions
2.1 Indistinguishability
The notion of zero-knowledge is based on indistinguishability of ensembles, which we now define. LetI
be a countable set of stringsx, and let|x|denote the length ofx. A sequence{Yx}x∈Iof random variables
functionf(n)isnegligibleonI if for any polynomialpthere isN such that for allx ∈I of length at least
N it holds thatf(|x|)<1/p(|x|). WhenI is clear from the context we simply say thatf(n)isnegligible.
Given a circuitD:{0,1}∗ → {0,1} and two distributionsY
x andZxwe define theadvantageofDto
distinguishYxfromZxto be the function
adv(D, Yx, Zx)=def|Pr[D(Yx) = 1]−Pr[D(Zx) = 1]|,
wherePr[D(X) = 1]denotes the probability thatDoutputs1on input an element chosen according to a
distributionX. Notice that ifDtakes randomnessras an input, then the probability is also over the uniform
distribution onr. We say thatDis a polynomial-size circuit if there is a polynomialpsuch that on inputs of
lengthnthe size ofDis at mostp(|n|).
We also need a definition of advantage in the stronger, information theoretic sense. LetXandY be two
discrete distributions. Thestatistical distancebetweenXandY is defined as
∆(X, Y)= 1def /2·X α
|Pr[X=α]−Pr[Y =α]|.
Definition 2.1 (Indistinguishability) Let {Yx}x∈I and {Zx}x∈I be probability ensembles. We say that
{Yx}x∈I and{Zx}x∈I are statistically identical(respectively, statistically indistinguishable) if∆(Yx, Zx)
is identically 0 (respectively, negligible) on I. We say that {Yx}x∈I and {Zx}x∈I are computationally
indistinguishableifadv(D, Yx, Zx)is negligible onIfor all non-uniform, polynomial-size circuitsD.
The notion of aNICis related to the promise problem STATISTICAL-DISTANCE[35]. Formally,SDα,β
is the pair(SDα
Y,SDβN), where SDαY
def
= {(X, Y)|∆(X, Y) ≥ α},SDβN = {(X, Y)|∆(X, Y) ≤ β}, and
hX, Yi is a pair of circuits viewed as distributions (under the convention that the input to the circuit is
uniformly distributed). In this paper we only consider theNP problemSD1,β forβ ≤ 1/2 (the problem
SD= SDdef 2/3,1/3, called STATISTICAL-DISTANCE, is complete forSZK).
2.2 Interactive Protocols and Zero-Knowledge
We use the standard definitions of interactive protocols, proofs, and zero-knowledge. We start with the notion of a protocol, which is a pair of parties communicating with each other.
Definition 2.2 (Interactive Protocols) An interactive protocol is a pairhP, Viof functions. Theinteraction
betweenP andV on common inputxis the following random process. 1. LetrP andrV be random inputs toP andV, respectively. 2. repeat the following fori= 1,2, . . .
(a) If iis odd, letmi =P(x, z, m1, . . . , mi−1;rP). (b) If iis even, letmi=V(x, z, m1, . . . , mi−1;rV). (c) If mi ∈ {accept,reject,fail}, then exit loop.
Each interaction yields atranscripthx, z, m1, . . . , mp;rVi, and the stringsmi are calledmessages. The probability space containing all the transcripts is calledthe view ofV onx, and is denotedhP, Vi(x). We say thatV acceptsxifmi =acceptfor an eveni.
We define interactive proofs, and remark that we consider complexity classes ofpromise problems[14] (or problems for short), as opposed to languages. Aproblem Π is a pairhΠY,ΠNi of disjoint sets, and
the complement ofΠisΠ def=hΠN,ΠYi. The setΠY containsYESinstances, and the setΠN containsNO
instances. Notice that a languageLcan be defined ashL, Li. Thus, using the notion of problems makes our results more general.
Informally, a problem has an interactive proof if it has an interactive protocol with a polynomial-time
verifier that acceptsYESinstances, and rejectsNOinstances.
Definition 2.3 (Interactive proofs and arguments) LetΠ =hΠY,ΠNibe a problem, and lethP, Vibe an interactive protocol. We say thathP, Viis aninteractive proofforΠif there isa, andc(n), s(n) :N→[0,1]
such that1−c(n)> s(n) + 1/nafor anyn, and the following conditions hold.
• Efficiency: V is a probabilistic Turing machine whose running time over the entire interaction is polynomial in|x|(this implies that the number of messages exchanged is polynomial in|x|).
• Completeness: ifx ∈ ΠY, then V accepts in hP, Vi(x) with probability at least1−c(|x|). The probability is overrP andrV (the randomness forP andV, respectively).
• Soundness: ifx∈ΠN, then for any functionP∗it holds thatV accepts inhP∗, Vi(x)with probability at mosts(|x|). The probability is over the randomnessrV forV.
If the soundness condition holds with respect to non-uniform polynomial-size circuits, then we say that hP, Viis aninteractive argumentforΠ.
The functioncis thecompleteness error, and the functionsis thesoundness error. We say thathP, Vi
hasperfect completeness(respectively,perfect soundness) ifc≡0(respectively,s≡0).
We denote byIPthe class of problems admitting interactive-proofs [20], and byAMthe class of problems
admittingpublic-coin, constant-roundinteractive-proofs [3, 25].
Definition 2.4 (Efficient prover) LethP, Vibe an interactive proof or argument for anNPproblemΠ =
hΠY,ΠNi. We say thatP is anefficient proverif on common inputx ∈ ΠY it runs in time polynomial in |x|given an arbitraryNPwitnesswforx.
Finally, an interactive proof (or an interactive argument) is zero-knowledge if there is a simulator such that the view of the verifier and the output of the simulator are indistinguishable. In the following definition the simulator is not allowed to fail so that we can work with the perfect setting (in the statistical and the
computational settings the simulator is allowed to fail). We use SV∗ to denote a Turing machineS with
oracle access to Turing machineV∗.
Definition 2.5 (Zero-knowledge protocols) A protocol hP, Vi for a problem Π = hΠY,ΠNi is perfect (respectively,statistical, computational)zero-knowledgeif there is a probabilistic, polynomial-time Turing machineS, calledthe simulator, such that
{hP, V∗i(x)}x∈ΠY and {SV∗(x)}x∈ΠY
3 Non-interactive, Instance-Dependent Commitment-Schemes (
NIC
)
In this section we definenon-interactive instance-dependent commitment schemes(NIC). Notice that our
definition applies to all settings (perfect, statistical, and computational) and that it can be used for studying
problems admittingNICas well as problems whose complement admits aNIC.
As a warm up, we start with the familiar notion of anon-interactive bit commitment scheme. Intuitively,
such a scheme allows a sender to commit to a bitb such that the receiver cannot learn the value ofb, yet
the sender cannot changeb. More precisely, the scheme is an efficient functionf(b;r), and to commit to
bthe sender chooses randomnessr, computesy = f(b;r), and sendsyto the receiver. This is thecommit
phase. In thereveal phasethe sender sendsbandrto the receiver, who computesf(b;r), thus confirming
thaty is indeed a commitment tob. The receiver does not send anything (hence the termnon-interactive).
The scheme is hiding if b cannot be determined from y, and binding if y binds the sender to b (that is,
f(0;r)6=f(1;r0)for anyr 6=r0).
Intuitively, a NICfor a problemΠis a non-interactive commitment scheme where the hiding and the
binding properties depend on instances ofΠ, and may not hold simultaneously. That is, instead off(b;r)
we considerf(x, b;r), and the hiding and binding properties depend on whetherxis aYESor aNOinstance
ofΠ. NICare attractive for many reasons. Firstly, since they are simple and non-interactive, they can be
used in various settings. Secondly, unlike bit commitment schemes, they can be constructed without any assumptions, thus facilitating an unconditional study of zero-knowledge protocols. Finally, the hiding and binding properties can be statistical (because, unlike in bit commitment schemes, these properties are not
required to hold simultaneously). This makes NIC suitable for the study of proofs in the statistical and
perfect settings. The following definition extends thepositively opaque and negatively transparentscheme
of [23] to the statistical and the computational settings.
Definition 3.1 (NIC) LetΠ =hΠY,ΠNibe a promise-problem, and letf(x, b;r)be a probabilistic Turing
machine running in time polynomial in|x|. The inputs tof are a stringx(denoting an instance ofΠ), a bit b, and a stringr(denoting the randomness off).
We say that f is bindingon ΠNif for any x ∈ ΠN, and for anyr andr0 it holds that f(x,0;r) 6=
f(x,1;r0). We say that f is perfectly (respectively, statistically, computationally) hiding on Π
Y if the
ensembles{f(x,0)}x∈ΠY and{f(x,1)}x∈ΠY are statistically identical (respectively, statistically indistin-guishable, computationally indistinguishable), where f(x, b) is a random variable obtained by uniformly choosingr, and outputtingf(x, b;r).
We say thatf is aperfectly(respectively,statistically, computationally)hidingNICforΠiffis binding onΠN, and perfectly (respectively, statistically, computationally) hiding onΠY.
Perfectly and statistically hidingNICare different from computationally hidingNIC. Firstly, in a
per-fectly or a statistically hiding NIC the hiding and the binding properties cannot hold at the same time,
whereas in a computationally hidingNICthey may [23, 17]. Secondly, ifΠhas a perfectly or a statistically
hidingNICf, then as a class of problemsNPcontainsΠ. This is so because ifx ∈ ΠY, then there is a
pairhr, r0isuch thatf(x,0;r) = f(x,1;r), and ifx∈ Π
N, then no such pair exists. However,Πmay not
be inNPiff is computationally hiding. Finally, as was observed by [23], if a problem has a statistically
hidingNIC, then it cannot beNP-complete, unless the polynomial hierarchy collapses [16, 1, 7]. We give
an example of aNIC.
and outputsy=π(Gb). If the graphs are isomorphic, thenyis isomorphic to bothG0andG1, andbcannot
be determined fromy. Conversely, if the graphs are not isomorphic, theny cannot be isomorphic to both G0andG1. Thus,f is a perfectly hidingNICforGRAPH-ISOMORPHISM.
Another example is the statistically hiding NICfor SD1,1/2 [29]. Instances of this problem are pairs
of circuitshX0, X1i, treated as distributions (under the convention that the input to the circuit is uniformly
distributed). The statistical distance betweenX0 andX1 is1/2forYESinstances, and1forNOinstances.
Notice that statistical distance of1means thatX0(r)6=X1(r0)for anyrandr0. Also, using techniques that
manipulate distributions, the statistical distance betweenX0andX1 can be reduced from1/2to1/2k[35,
29]. Hence, SD1,1/2 defines a statistically hidingNIC: to commit tobwe uniformly chooser and output
Xb(r). Notice that iff is a perfectly hidingNIC, thenhf(x,0), f(x,1)iis a pair of circuits with statistical
distance0whenxis aYESinstance, and statistical distance1whenxis aNOinstance. Thus, another way
to look at our main result is thatSD1,0is complete for the class of problems admitting perfectly hidingNIC
(equivalently, the class of problems admittingV-bit perfect zero-knowledge proofs). However, since the
NICfor GRAPH-ISOMORPHISMuses randomness drawn from a set of sizen!(the set of all permutations
on graphs withnvertices), unlessn!is a power of2, this randomness cannot be represented by a bit string.
In other words, GRAPH-ISOMORPHISMis not known to be reducible toSD1,0
4 Characterizing
NIC
as
V
-bit Zero-Knowledge Protocols
To characterize the problems admittingNIC, we had to find a definition that would implyNIC, be implied
byNIC, and apply to both the computational, statistical, and perfect setting. The definition of random
self-reducibility [38] is not suitable because the variants of STATISTICAL-DISTANCEand the lattice problems
of [29] are not known to satisfy it. Similarly, these problems are not known to admit Σ-protocols [8],
and therefore this notion is not suitable either. Instead, we formalize a natural notion, which we termV-bit
protocols. Informally, these are3-round public-coin protocols with perfect completeness, where the message
of the verifier (i.e., the second message) is one random bit.2 We then prove that this simple definition implies
NICand vice versa. We only consider proofs, but our result also applies to arguments, in which case it yields
NICwhere the binding property holds with respect to computationally bounded senders.
Theorem 4.1 A promise-problemΠhas a perfectly (respectively, statistically) hidingNICif and only if Π
has aV-bitPZK(respectively,SZK) proof. Similarly,Π∈NPandΠhas a computationally hidingNICif and only if Πhas aV-bitCZKproof.
This theorem shows that there is a tight relationship between natural types of zero-knowledge protocols and commitment schemes. The notion of a V-bit protocol can be demonstrated using the protocol for GRAPH-ISOMORPHISM[19], or the protocols of [6, 19] forNP. These protocols are public-coin, they have
perfect completeness, and they admit the following structure: the prover sends the first message m1, the
verifier sends back a random bitb, the prover replies with a messagem2, and the verifier accepts or rejects.
SinceV sends only one bit, we call these protocols V-bit protocols. Formally,
Definition 4.2 (V-bit protocol) LethP, Vibe a proof or an argument for a problemΠ = hΠY,ΠNi. We say thathP, ViisV-bitif for anyx ∈ΠY the interaction betweenP andV is as follows: P sendsm1 to
V, andV replies with a uniformly chosen bitb. P replies by sendingm2 toV, andV accepts or rejectsx
based onhx, m1, b, m2i. Ifx∈ΠY, thenV always accepts.
We have mentioned more than once that variants of STATISTICAL-DISTANCEand certain lattice
prob-lems admitV-bit protocols [29, 35], but are not known to admitΣ-protocols. Thus, we do not know if any
V-bit zero-knowledge protocol is also aΣ-protocol. However, from our characterization result it will follow
that a problem admits a V-bit zero-knowledge proof if and only if it admits aΣ-protocol. Thus, all the
consequences that follow from theNICframework immediately extend toΣ-protocols. The proof for the
following lemma can be found in Appendix A.
Lemma 4.3 A problemΠhas aV-bitHVPZK(respectively,HVSZK,HVCZK) proof if and only ifΠhas a perfect (respectively, statistical, computational)Σ-protocol.
4.1 FromNICtoV-bit Zero-Knowledge Protocols
We show that if a problem has aNIC, then it has a V-bit zero-knowledge protocol. Following [23], our
construction plugs theNICinto the zero-knowledge protocols of [6, 19] forNP. Combined with our lemma
from the next section (which proves that if a problem has aV-bit zero-knowledge proof, then it has aNIC),
our lemma yields a compiler that transforms any V-bit, zero-knowledge proof (i.e., honest-verifier,
ineffi-cient prover) into amalicious verifier V-bit zero-knowledge proof of knowledge withan efficient prover.
The idea is to extract the NIC for the V-bit zero-knowledge protocol and use it in the V-bit protocol of
Blum [6], which has an efficient prover, and is zero-knowledge against malicious verifiers.
Lemma 4.4 If a problemΠhas a perfectly (respectively, statistically) hidingNIC, thenΠhas a public-coin
PZK(respectively,SZK) proof with an efficient prover. If Π ∈NP, andΠhas a computationally hiding
NIC, thenΠhas a public-coinCZKproof with an efficient prover.
Proof:(sketch)We use the zero-knowledge protocol of [6] for theNP-complete problem HAMILTONIAN -CIRUIT(HC). Specifically, given inputx ∈ ΠY ∪ΠN, the prover and the verifier initially reducexto an
instanceGofHC, and then execute the protocol of [6] using theNICfforΠas a bit commitment scheme.
Notice that the prover can transform its witness forxinto a witness forG, and thus it is efficient. Now, if
x∈ΠY, thenGhas a Hamiltonian circuit, and thus the verifier accepts. Also, sincefis hiding, the protocol
inherits its zero-knowledge property from the hiding property of the scheme. Thus, the protocol has an
efficient prover, it is zero-knowledge with respect to cheating verifiers, and it isV-bit because it has perfect
completeness. Ifx ∈ ΠN, thenGdoes not have a Hamiltonian circuit, and the scheme is binding, which
implies that the verifier rejects with probability1/2over its random coin. Thus, the protocol is sound.
4.2 FromV-bit Zero-Knowledge Protocols toNIC
In this section we show how to construct aNICfrom a simulatorSfor any V-bit zero-knowledge protocol
hP, Vi. We adapt the technique of Damg˚ard [12] forΣ-protocols and apply it toV-bit protocols (see Feige
and Shamir [15] for a similar technique). The differences are that [12] constructed an interactive
commit-ment scheme from a proof of knowledge for anyNP-hard relation, provided that the proof is aΣ-protocol.
We, on the other hand, consider regular zero-knowledge proofs (as opposed to proofs of knowledge for NP-hard relations) and construct anon-interactive(as opposed to interactive)instance-dependent
and follows from the soundness of the underlying V-bit protocol, whereas in [12] the binding property is computational and follows from the hardness of the underlying problem.
We start with the following idea: to commit to a bit b, execute S(x) using randomness r, obtain a
transcripthm1, b0, m2isuch thatb=b0 andV accepts, and outputm1as a commitment. Let us verify that
thisNICis hiding onYES instances and binding onNOinstances. Ifx is aYESinstance, then the perfect
completeness property guarantees that we always obtain transcripts whereV accepts, and sincebcannot be
determined from suchm1, the commitment is hiding. Conversely, by the soundness property, ifxis aNO
instance, then there are no transcriptshm1,0, m2iandhm1,1, m02isuch thatV accepts in both. However,
the issue with this idea is thatb0may not be equal tob. To overcome this issue we redefine the commitment
to behm1, b0⊕bi. That is, we executeS(x), obtainhm
1, b0, m2i, and outputhm1, b0⊕bi. Intuitively, since
b0is hidden, the bitb0⊕bis also hidden. Our lemma follows.
Lemma 4.5 LetΠ =hΠY,ΠNibe a promise-problem. If Πhas aV-bit, public-coinHVPZK(respectively,
HVSZK,HVCZK) proof, then Πhas aNICthat is perfectly (respectively, statistically, computationally) hiding onΠYand perfectly binding onΠN.
Proof: Fix a public-coin V-bitHVPZK(respectively,HVSZK,HVCZK) proofhP, ViforΠ. We assume
thathP, Vihas a simulatorSthat outputs eitherfail, or transcripts in whichV accepts. UsingSwe define
aNICf forΠas follows. Letf(x, b;r)be the function that executesS(x)with randomnessr. Iff obtains
a transcripthx, m0
1, b0, m02isuch thatV(x, m01, b0, m02) =accept, thenf outputshm01, b0⊕bi. Otherwise,
f outputsb.
We show that f is binding on ΠN. Letx ∈ ΠN. Notice that for any r andb it holds that f(x, b;r)
outputs one bit if and only iff(x, b;r) =b. Thus, iff outputs one bit, then there are norandr0 such that
f(x,0;r) =f(x,1;r0). For the case wheref(x, b;r)outputs a pairhm˜
1,˜bi, recall that˜b=b0⊕b, whereb0
is taken from some transcripthx, m0
1, b0, m02i. Thus, by the definition off, for anym˜1,˜b, randr0 it holds
thatf(x,0;r) =f(x,1;r0) =hm˜1,˜biif and only if there arem2 andm02and such thatV(x,m˜1,0, m2) =
V(x,m˜1,1, m02) =accept. However,hP, Viis public coin, and by the soundness property ofhP, Vithere
are nom1, m2 andm02 such thatV(x, m1,0, m2) = V(x, m1,1, m02) = accept. Hence, if f does not
output one bit, then there are norandr0such thatf(x,0;r) =f(x,1;r0). We conclude thatf is perfectly
binding onΠN.
The rest of the proof shows thatf is hiding onΠY. We start with the statistical setting. To show thatfis
statistically hiding we need to calculate the statistical distance between commitments to0and commitments
to1overx∈ΠY. The following probabilities are over the randomnessrforf.
∆(f(x,0), f(x,1)) = 1 2
X
α
|Pr[f(x,0) =α]−Pr[f(x,1) =α]|
= 1 2
X
m1
|Pr[f(x,0) =hm1,0i]−Pr[f(x,1) =hm1,0i]|+
1 2
X
m1
|Pr[f(x,0) =hm1,1i]−Pr[f(x,1) =hm1,1i]|+
1 2
X
b∈{0,1}
|Pr[f(x,0) =b]−Pr[f(x,1) =b]|.
Notice that the third sum (i.e., the sum overb) equalsPr[S(x) = fail], the probability thatS fails. Now,
fail] = 0. It remains to deal with the sums overm1. We show that the first sum is upper bounded by
∆(hP, Vi(x), S(x))−Pr[S(x) = fail]/2, and since a symmetric argument applies to the second sum,
the total will be upper bounded by2·∆(hP, Vi(x), S(x)). The following probabilities forhP, Vi(x)and
S(x)are over the randomness toP, V andS, respectively.
1 2
P
m1 |Pr[f(x,0) =hm1,0i]−Pr[f(x,1) =hm1,0i]|=
1 2
P m1 |
X
m2
Pr[S(x) =hm1,0, m2i]− X
m2
Pr[S(x) =hm1,1, m2i]|=
1 2
P m1 |
X
m2
Pr[S(x) =hm1,0, m2i]−X m2
Pr[hP, Vi(x) =hm1,0, m2i]
−(X
m2
Pr[S(x) =hm1,1, m2i]− X
m2
Pr[hP, Vi(x) =hm1,1, m2i])| ≤
1 2
P
m1,m2 (|Pr[S(x) =hm1,0, m2i]−Pr[hP, Vi(x) =hm1,0, m2i]|+
|Pr[S(x) =hm1,1, m2i]−Pr[hP, Vi(x) =hm1,1, m2i]|) =
∆(hP, Vi(x), S(x))−Pr[S(x) =fail]/2.
In the first equality above we used the fact thatSoutputs transcripts in whichV accepts. In the second
equal-ity we used the fact thathP, Viis public-coin, which implies that for anym1the probability of choosing an
element ofhP, Vi(x) whose prefix ishm1,0i equals the probability of choosing an element ofhP, Vi(x)
whose prefix ishm1,1i. In the last equality we used the fact thathP, Vi(x)never outputsfail, whereas
S(x) outputs fail with probability Pr[S(x) = fail]. We conclude that ∆(f(x,0), f(x,1)) ≤ 2·
∆(S(x),hP, Vi(x)). Hence, ifSis aHVPZK(respectively,HVSZK) simulator, then∆(S(x),hP, Vi(x))
is0for anyx∈ΠY(respectively, negligible onΠY), which implies thatf is perfectly (respectively,
statis-tically) hiding onΠY.
It remains to deal with the case thatSis aHVCZKsimulator. The analysis is analogues to the statistical
setting, but in reverse. We define the function f0(·, b) just like f, except that instead of executing the
simulator,f0 receives a transcripthm
1, b0, m2iand outputs hm1, b0⊕bi. Thus,f0(S(x), b)andf(x, b)are
identically distributed for anyb∈ {0,1}. Assume towards a contradiction that there is a non-uniform family
Dof polynomial-size circuits that distinguishes{f(x,0)}x∈ΠY and{f(x,1)}x∈ΠY. Thus,Ddistinguishes
{f0(S(x),0)}
x∈ΠY and{f0(S(x),1)}x∈ΠY, and the following expression is non-negligible:
|Pr[D(f0(S(x),0)) = 1]−Pr[D(f0(S(x),1)) = 1]| ≤ |Pr[D(f0(S(x),0)) = 1]−Pr[D(f0(hP, Vi(x),0)) = 1]|+
|Pr[D(f0(S(x),1)) = 1]−Pr[D(f0(hP, Vi(x),1)) = 1]|.
Above we used the fact thathP, Vi is V-bit, which implies thatf0(hP, Vi(x),0)andf0(hP, Vi(x),1)are
identically distributed for any x ∈ ΠY. It follows that there is b ∈ {0,1} such that D distinguishes
{f0(hP, Vi, b)}
x∈ΠY and{f0(S(x), b)}x∈ΠY. This contradicts the fact thatS is aHVCZKsimulator. We
conclude thatf is computationally hiding onΠY. The lemma follows.
Theorem 4.1, presented in the beginning of this section, immediately follows from Lemmas 4.4 and 4.5.
Thus, we get a characterization of V-bit zero-knowledge protocols asNIC. We remark that Theorem 4.1
can be extended to arguments, in which case it yieldsNICwhere the binding property holds with respect
to computationally bounded senders. Also, it can be extended to relaxed notions ofV-bit protocols (e.g.,
where perfect completeness or public-coins are not required), but we avoid these extensions because they
5 Random Self-Reducibility Implies
NIC
We prove the folklore theorem that if a problem is random self-reducible (RSR), then it has a perfectly
hidingNIC. By replacing the notion of random-self reducibility with the simpler notion of aNIC, we make
protocol design and analysis simpler. Furthermore, we can includeRSRproblems in our closure result. This
allows combinations ofRSR problems with problems that are not known to beRSR(such as versions of
SD, and the lattice problems of [29]). Thus, we strengthen and unify the results of [38, 36, 23] and achieve
all the improvements claimed in the introduction.
The notion of random self-reducibility [2] considers a set of stringsx, each associated with a
polynomial-time relation Rx on pairshz, wi. Givenx, there is an algorithmS that uses randomnessr to sample the
domain ofRx (that is, it outputsy such thathy, w0i ∈ R
x for somew0). The heart of this notion consists
of two algorithms: A1, which converts a witness foryinto a witness forz, andA2, which converts witness
forzinto a witness fory. BothA1andA2user. Also, there is an algorithmGthat generates random pairs
hz0, w0ifromR
x. All of the algorithms are efficient. The following definition is similar to that of [36].
Definition 5.1 (A random self-reducible problem) Let N ⊂ {0,1}∗ be a countable set such thatR x is an NP-relation for each x ∈ N. The domain of Rx is denoted d(Rx)
def
= {z|∃w hz, wi ∈ Rx}. The languageL =def {hx, zi|x ∈ N,∃whz, wi ∈ Rx}israndom self-reducible (RSR) if there are polynomial time algorithmsG, A1, A2, andS such that S(x, z;r) = y ∈ d(Rx) for any x ∈ N, z, andr, and the following conditions hold.
1. If z∈d(Rx), andris uniformly distributed, thenyis uniformly distributed ind(Rx).
2. A witness for y yields a witness for z, and vice versa. That is, hz, A1(x, y, r, w0)i ∈ Rx for any hy, w0i ∈R
x, andhy, A2(x, z, r, w00)i ∈Rxfor anyhz, w00i ∈Rx. 3. G(x;r) =hz0, w0i ∈R
x, and ifris uniformly distributed, thenz0 is uniformly distributed ind(Rx), andw0is uniformly distributed in{w|hz, wi ∈R
x}.
We prove that random self-reducible problems have a perfectly hiding NIC. Our proof uses the idea
behind the construction of the subroutine in the protocol of [36] (see Section3.3in [36]). GivenN andRx
as in Definition 5.1, we define the problemΠL def
=hΠL
Y,ΠLNi, whereΠLY
def
={hx, zi|x∈ N,∃whz, wi ∈Rx},
andΠL
N
def
={hx, zi|x∈ N,∀whz, wi∈/ Rx}.
Lemma 5.2 If Lis a random self-reducible language, thenΠLhas a perfectly hidingNIC.
Proof: Let L def= {hx, zi|x ∈ N,∃w hz, wi ∈ Rx} be a random self-reducible language. Consider the
algorithmsSandGfrom Definition 5.1. LetG0(x;r)be the algorithm that executesG(x;r), obtainshz0, w0i,
and outputsz0. We useS andG0 to commit to0and1, respectively. Formally, we define ourNIC to be
a probabilistic polynomial-time Turing machine f(x, z, b;r) that on inputhx, zi ∈ ΠL
Y∪ΠLN, bitb, and
randomnessroutputsS(x, z;r)ifb= 0, andG0(x;r)ifb= 1.
The efficiency of f follows from the efficiency ofS andG. We show that f is perfectly hiding. By
Definition 5.1,S(x, z;r) =yis uniformly distributed overd(Rx)ifris uniformly distributed, andhx, zi ∈
ΠL
Y. Similarly,G(x;r) = hz0, w0i, andz0 is uniformly distributed overd(Rx)ifr is uniformly distributed
andx ∈ N. Since the output off is uniformly distributed overd(Rx) for any b andhx, zi ∈ ΠL
Y, the
ensembles {f(x, z,0;r)}hx,zi∈ΠL
Y and{f(x, z,1;r)}hx,zi∈ΠLY are statistically identical, and therefore f is
perfectly hiding onΠL
We show that f is binding on ΠLN. Let hx, zi ∈ ΠLN. Assume towards a contradiction that there are
r and r0 such that S(x, z;r) = f(x, z,0;r) = f(x, z,1;r0) = G0(x;r). Let y = S(x, z;r). By the
definition ofG0, there isw0such thatG(x;r) =hG0(x;r), w0i=hy, w0i ∈R
x. By the property ofA1from
Definition 5.1, it follows thathz, A1(x, y, r, w0)i ∈ Rx. Hence,hx, zi ∈ ΠLY, in contradiction to the choice
ofhx, zi ∈ΠL
N. Thus,f is binding onΠLN.
Notice that in the above proof we did not use AlgorithmA2from Definition 5.1. Neither did we use the
fact thatA1 runs in polynomial time, nor did we use the witness thatGoutputs.
6 Closure of Problems Possessing
NIC
under Monotone Boolean Formulae
In this section we show that the class of problems possessingNICis closed underarbitrary(as opposed to
fixed) monotone boolean formulae. Such results have been traditionally proved in the perfect setting, where, intuitively, no information is leaked at any stage. This is not the case here. We are proving closure where the formula can be chosen after the protocol is fixed and our analysis applies to all settings. This makes the proofs significantly more technical.
We start with notation, and formalize our theorem in Section 6.1. Intuitively, our goal is to show that
given instances x1, . . . , xn and a monotone boolean formulaφ overnvariables, the prover can prove to
the verifier that the instances satisfy the formula. Notice that we first fix the protocol, and then choosen,
x1, . . . , xnandφ. To formalize the above intuition we need the following definitions. Aboolean variableis
a variable that can only take the values0or1. We say thatφis a monotone boolean formula ifφis a boolean
variable, orφis of the formφ0∧φ1orφ0∨φ1, where bothφ0andφ1are monotone boolean formulae. Given
a problemΠ = hΠY,ΠNiandx∈ ΠY∪ΠN, we define thecharacteristic functionχΠofΠas follows: if
x ∈ ΠY, thenχΠ(x) = 1, and ifx ∈ΠN, thenχΠ(x) = 0. Letφbe a boolean formula overa1, . . . , am,
and letx1, . . . , xn∈ΠY∪ΠNfor somen≥m. Theevaluationofφin~x=hx1, . . . , xniis denotedφ(~x),
and equals1if and only ifφis satisfied whenaiis assignedχΠ(xi)for each1≤i≤m.
We say that a class C of problems is closed under arbitrary, monotone boolean formulae ifΠ ∈ C
implies thatΦ(Π)∈C, whereΦ(Π)is defined as follows.
Definition 6.1 LetΠ =hΠY,ΠNibe a problem. The problemΦ(Π)=defhΦ(Π)Y,Φ(Π)Niis defined as
Φ(Π)Y def
={hφ, x1, . . . , xni|φ(χΠ(x1), . . . , χΠ(xn)) = 1}
Φ(Π)N=def {hφ, x1, . . . , xni|φ(χΠ(x1), . . . , χΠ(xn)) = 0},
where φis a monotone boolean formula over a1, . . . , am such thatm ≤ n, andxi ∈ ΠY∪ΠN for all
1≤i≤n. We defineΦ(Π)k=defhΦ(Π)kY,Φ(Π)Ni, whereΦ(Π)kYis defined as
Φ(Π)kY=def {hφ, x1, . . . , xni|φ(χΠ(x1), . . . , χΠ(xn)) = 1∧ ∀i|xi|k≥ |φ, x1, . . . , xn|}.
The use ofkin the definition is necessary for bounding the advantage of the adversary in the statistical and
the computational settings. This issue does not arise in the considerably simpler perfect setting.
6.1 CombiningNICin a Monotone Boolean Formula Fashion
Our closure result states that if a problemΠhas aNIC, then the problemΦ(Π)also has aNIC. Notice that
The proofs would work with instances from different problems. Consequently, we get that the class of
problems possessingNIC(equivalently,V-bit zero-knowledge proofs) is closed under arbitrary, monotone
boolean formulae. This is stronger than saying that the class of problems admittingNICis closed under the
ANDand theORoperators.
Theorem 6.2 For any problemΠthat has aNICf, and for anyk∈N, there is aNICf0 such that 1. iff is a perfectly hidingNICforΠ, thenf0 is a perfectly hidingNICforΦ(Π).
2. iff is a statistically (respectively, computationally) hidingNICforΠ, thenf0 is a statistically (re-spectively, computationally) hidingNICforΦ(Π)k.
We will prove the above theorem by constructing a newNICforΦ(Π)from theNICforΠ. Compared
toΣ-protocols and random self-reducibility, the advantage of this approach is that we do not need to work
with involved notions such as interaction or zero-knowledge. Using the technique of [36] we constructNIC
as follows. Iff is aNICforΠ, then aNICfor instances of the formz =ha∧b, x1, x2ican be defined by
f0(z, b;r) =hf(x1, b), f(x2, b)i. Thus, if bothx1andx2areYESinstances ofΠ, thenf0is hiding (because
bothf(x1, b)andf(x2, b)are hiding), and ifx1 orx2 is aNOinstance, thenf0is binding (because at least
one off(x1, b)andf(x2, b)is binding). Notice that we omitted the randomness forf, but the intention is
thatf0 uses independent randomness in each execution. A similar idea applies to theORconnector. That is,
aNICfor instances of the formz =ha∨b, x1, x2ican be defined byf0(z, b;r) =hf(x1, b1), f(x2, b2)i,
whereb1 is uniformly chosen, andb2 is chosen such thatb1⊕b2 = b. Thus, if at least one ofx1, x2 is a
YES instance ofΠ, thenf0 is hiding (because eitherf(x1, b1) orf(x2, b2)is hiding), and if both x1 and
x2 areNOinstances, thenf0 is binding (because bothf(x1, b1)andf(x2, b2)are binding). The following
construction generalizes these ideas to any monotone boolean formula.
Construction 6.3 We define a recursive functionf0(φ, ~x, b;r). Letf be aNIC, and letb ∈ {0,1}. Letφ be a monotone boolean formula over the variablesa1, . . . , am, and let~x =hx1, . . . , xni be a vector ofn strings, wheren ≥m. The randomnessr forf0 is of length polynomial in|hφ, ~xi|, and the polynomial is determined from the construction off0, described below.
1. Ifφ=aifor some1≤i≤m, then returnf(xi, b, r).
2. Partitionrintor0andr1(that is, the concatenationr0r1equalsr).
3. Ifφ=φ0∧φ1, then returnhf0(φ
0, ~x, b, r0), f0(φ1, ~x, b, r1)i.
4. If φ = φ0 ∨ φ1, then return hf0(φ0, ~x, b0, r0), f0(φ1, ~x, b1, r1)i, where b0 ∈ {0,1} is uniformly
distributed, andb1 is chosen such thatb0⊕b1 =b.
6.2 Proof of the Closure Result
In this section we prove Theorem 6.2 from the previous section. This theorem states that if f is a NIC
for a problemΠ, thenf0 defined fromf as in Construction 6.3 is aNICforΦ(Π). We use the technique
of [36]. Intuitively, this technique admits a simple analysis in the perfect setting because the advantage of the adversary remains zero at every stage of construction 6.3, and therefore it sums up to zero. However, in the statistical and the computational settings the advantage is non-negligible, and the total may not be
negligible. This is why we introduced the constantkin Definition 6.1, and this is why we need to provide a
Lemma 6.4 If a functionf is binding on a setΠN, thenf0from Construction 6.3 is binding onΦ(Π)N.
Proof:We prove the lemma by induction on the number`of connectives inφ. For the base case,`= 0and
thereforef andf0 are identical. Sincef is binding onΠ
N, we get thatf0 is binding onΦ(Π)N. Assume
the induction hypothesis for all` ≥1. Letφbe a monotone boolean formula with`+ 1connectives, and
lethφ, ~xi ∈Φ(Π)N. Consider the case whereφ=φ0∧φ1, and assume towards contradiction that there are
r0, r00 andr1, r10 such that
f0(φ,0;r0r00) =hf0(φ0,0;r0), f0(φ1,0;r00)i=hf0(φ0,1;r1), f0(φ1,1;r10)i=f0(φ,1;r1r01).
Sincehφ, ~xi ∈Φ(Π)N, we can fixb∈ {0,1}for whichφb(~x) = 0. Hence,f0(φ0,0;rb) =f0(φ0,1;rb0), and
sinceφbhas at most`connectives, we get a contradiction to the induction hypothesis. The case whereφ=
φ0∨φ1is similar. Specifically, assume towards contradiction that there arer0, r0, r1, r10 andb0, b00, b1, b01 ∈ {0,1}such thatb0⊕b006=b1⊕b01, and
f0(φ, b0⊕b00;r0r00) =hf0(φ0, b0;r0), f0(φ1, b00;r00)i=hf0(φ0, b1;r1), f0(φ1, b01;r01)i=f0(φ, b1⊕b01;r1r10).
Thus, there is d ∈ {0,1} such that bd 6= b0
d and f0(φ0,0;rd) = f0(φ0,1;r0d). Since φd has at most `
connectives, we get a contradiction to the induction hypothesis.
In the following section we prove the hiding property in the statistical setting, hence obtaining
Theo-rem 6.2 for perfectly and statistically hidingNIC.
6.2.1 The Hiding Property in the Statistical Setting
Recall thatf0outputshf(x
1, b), f(x2, b)ion inputz=ha∧b, x1, x2i ∈Φ(Π)and bitb, and that if bothx1
andx2areYESinstances, thenf0is hiding (because bothf(x
1, b)andf(x2, b)are hiding). This motivation
works in the perfect setting, but in the statistical setting the output off(x1, b)andf(x2, b)may not perfectly
hide the bitb. Intuitively, bothf(x1, b)andf(x2, b)may leak a small amount of information aboutb. Thus,
we need to quantify this amount. We use the following lemma, which is similar to the Direct Product
Lemmaand theXOR Lemmafrom Vadhan’s thesis [39]. To simplify the presentation we omit~xandrfrom
the parameters tof0. The proof is technical, and appears in Appendix B.
Lemma 6.5 Let f0 be a function, let ~xbe a vector of strings, and let φ
0 andφ1 be monotone boolean
formula. Then,
∆(f0(φ0∧φ1,0), f0(φ0∧φ1,1)) ≤ ∆(f0(φ0,0), f0(φ0,1)) + ∆(f0(φ1,0), f0(φ1,1)),and ∆(f0(φ0∨φ1,0), f0(φ0∨φ1,1)) ≤ ∆(f0(φ0,0), f0(φ0,1))·∆(f0(φ1,0), f0(φ1,1)).
Now we prove Theorem 6.2 in the statistical setting. The idea is to recursively apply the above lemma, and to carefully add the the amount of information leaked at each stage of Construction 6.3. For this purpose
we introduce the notation ofP(φ), which denotes the multiset containing all the indices of boolean variables
in a formulaφ(e.g., ifφ= (α1∨α2)∧α1, thenP(φ) ={1,1,2}).
Lemma 6.6 If a functionf is perfectly (respectively, statistically) hiding on a setΠY, then for anyk ∈N Construction 6.3 off0is perfectly (respectively, statistically) hiding onΦ(Π)
Proof: Letk ∈ N. We start with the statistical setting, and the perfect setting will follow. Our goal is to
show that the statistical distance between commitments to0and commitments to1is negligible. Thus, as a
first step we prove that for any vectorhφ, ~xi=hφ,hx1, . . . , xniiit holds that
∆¡f0(φ, ~x,0), f0(φ, ~x,1)¢≤ X i∈P(φ)
∆¡f(xi,0), f(xi,1) ¢
.
We prove the above hypothesis by induction on the number`of connectives inφ. The base case is trivial
because` = 0, and thereforef andf0 are identical. Assume the induction hypothesis for all` ≥ 1, and
lethφ, ~xi =hφ, x1, . . . , xni ∈Φ(Π)kY. Notice that regardless of whetherφequalsφ0 ∧φ1 orφ0∨φ1, by Lemma 6.5 it holds that
∆(f0(φ, ~x,0), f0(φ, ~x,1))≤∆(f0(φ0, ~x,0), f0(φ0, ~x,1)) + ∆(f0(φ1, ~x,0), f0(φ1, ~x,1)).
Now we apply the induction hypothesis to bothφ0andφ1. Hence, we get that
∆(f0(φ, ~x,0), f0(φ, ~x,1))≤ X i∈P(φ0)
∆(f(xi,0), f(xi,1)) + X
i∈P(φ1)
∆(f(xi,0), f(xi,1)).
SinceP(φ) = P(φ0)∪P(φ1), the induction follows. Notice that iff is perfectly hiding, then the above
sum equals0, and thusf0 is perfectly hiding onΦ(Π)Y. In the statistical setting we are not done because
we need to show that this sum is negligible in the length ofhφ, ~xi. Thus, we proceed to the next step.
Leta∈N. Sincef is statistically hiding onΠY, there isN such that∆(f(x,0), f(x,1))≤1/|x|ak+k
for anyx∈ΠYof length at leastN. Notice that by Definition 6.1 ofΦ(Π)k, there isN0such that for any
hφ, x1, . . . , xni ∈ Φ(Π)kY of length at leastN0 it holds that|xi| ≥ N for each1 ≤ i≤ n. Hence, fixing
N0 we are guaranteed that for anyhφ, ~xi =hφ, x
1, . . . , xni ∈Φ(Π)kY of length of at leastN0 it holds that
∆(f(xi,0), f(xi,1))≤1/|xi|ak+kfor each1≤i≤n, and by the fact that we proved using induction,
∆(f0(φ, ~x,0), f0(φ, ~x,1))≤ X i∈P(φ)
∆(f(xi,0), f(xi,1))≤ X
i∈P(φ)
1/|xi|ak+k.
It remains to show that Pi∈P(φ)1/|xi|ak+k ≤ 1/|hφ, ~xi|a for anyhφ, ~xi ∈ Φ(Π)k of length at least N0.
This follows from Definition 6.1 of Φ(Π)k because for any hφ, x1, . . . , xni ∈ Φ(Π)kY and1 ≤ i ≤ nit
holds that|hφ, x1, . . . , xni| ≤ |xi|k, which implies that for any1≤i≤nthe total number of variables inφ
is at most|xi|k. Hence, for anyhφ, x1, . . . , xni ∈Φ(Π)kY there is1≤j≤nsuch that X
i∈P(φ)
1/|xi|ak+k≤ |P(φ)| ·1/|xj|ak+k ≤ |xj|k·1/|xj|ak+k≤1/|hφ, x1, . . . , xni|a.
We conclude that∆(f0(φ, ~x,0), f0(φ, ~x,1)) ≤ 1/|hφ, ~xi|a for anya ∈ N and sufficiently longhφ, ~xi ∈
Φ(Π)kY. Thus,f0is statistically hiding onΦ(Π)k
Y.
6.2.2 The Hiding Property in the Computational Setting
In the computational setting we need a lemma analogous to Lemma 6.5. Roughly speaking, we use a
distinguisherDonφ=φ0∧φ1to construct circuitsC0 andC1such that eitherC0is a distinguisher onφ0
orC1 is a distinguisher onφ1. Notice that we also need to make sure that the size ofC0 andC1 is related
to the size ofD, so that later, when we apply this lemma inductively, the size of the resulting distinguisher