New Perspectives on Multi-Prover Interactive Proofs

The existing multi-prover interactive proof framework suffers from incompleteness in terms of soundness and zero-knowledge that is not completely addressed in the literature. The problem is that the existing definitions of what is local, entangled and no-signalling are not rich enough to capture the full generality of multi-prover interaction. In general, existing proofs do not take into account possible changes in locality either during a protocol's execution or when protocols are composed together. This is especially problematic for zero-knowledge, as composing commitments is the only known way of achieving zero-knowledge outside of some NP-intermediate languages. In this work, we introduce the locality hierarchy for multiparty (multi-round) interaction, and for the first time a complete definition of multi-round multiparty no-signalling distributions and strategies. Within this framework, we define the locality of a protocol which involves the provers, verifiers, simulators and distinguishers. We show that an existing protocol for NEXP [BFL90] and a zero-knowledge variant we introduce are sound in a local sense, but are zero-knowledge in a sense that is even stronger than usually understood. All prior claims of zero-knowledge proofs in the multi-prover model were actually incorrect. Finally, we present similar constructions for entangled and no-signalling prover sets for NEXP and EXP based on [IV12] and [KRR14] using new multi-prover commitment schemes.



There are no comments yet.


page 4

page 7


Non-Locality and Zero-Knowledge MIPs

The foundation of zero-knowledge is the simulator: a weak machine capabl...

Verifier Non-Locality in Interactive Proofs

In multi-prover interactive proofs, the verifier interrogates the prover...

Perfect zero knowledge for quantum multiprover interactive proofs

In this work we consider the interplay between multiprover interactive p...

Certified Everlasting Zero-Knowledge Proof for QMA

In known constructions of classical zero-knowledge protocols for NP, eit...

How to Authenticate MQTT Sessions Without Channel- and Broker Security

This paper describes a new but state-of-the-art approach to provide auth...

Toward Probabilistic Checking against Non-Signaling Strategies with Constant Locality

Non-signaling strategies are a generalization of quantum strategies that...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

An interactive proof is a dialog between two parties: a polynomial-time verifier and an all-powerful prover [1, 2]. They agree ahead of time on some language and a string . The prover wishes to convince the verifier that . If this is true, the prover should succeed almost all the time; if not, the prover should fail almost all the time. This is a generalization of the complexity class , except instead of simply being handed a polynomial-sized witness, the verifier is allowed to quiz the prover. The set of languages that admit an interactive proof is called .

An interactive proof is zero-knowledge if the verifier learns nothing except the truth of “”. This is usually defined by saying that a distinguisher is unable to tell apart a real conversation between the prover and the verifier, and one which is generated by a lone polynomial-time simulator. The set of zero-knowledge interactive proofs [1] is called .

One of the most important results regarding interactive proofs is that , which follows from seminal works of [3] and [4, 5]. However, the only known way to achieve the is through the use of commitments which, in the single-prover model, is dependent on complexity assumptions.

The multi-prover model was introduced in [6]. This model consists of multiple, non-communicating provers talking to a single verifier. The inspiration for this model was that of a detective interrogating a number of suspects, each of whom is isolated in a separate room. The suspects may share a strategy before being separated, but once the interrogation begins they are no longer able to talk to one another. The main motivation for studying this model was to remove the complexity assumptions used in the commitment schemes. We will abbreviate “multi-prover interactive proof” as MIP (resp. “zero-knowledge multi-prover interactive proof” as ZKMIP) and the set of languages which can be accepted by MIPs (resp. ZKMIPs) as the boldface (resp. ).

An important consequence of having multiple provers is that the verifier can use one prover to check the consistency of other provers’ answers. This gives the (weak) verifier more power over the (all-powerful) provers. Consequently, through the works of [6, 7, 8, 9], it was shown that . That is, any language in can be accepted by a MIP (optionally by a zero-knowledge MIP) without any computational assumptions.

1.1 (ZK)MIP Blind Spot

We have identified a blind spot in what we call the “standard” MIP model (one verifier talking to a number of provers) that is not addressed in existing literature. As a lead-up to describing this blind spot, we invite the readers to consider the following ridiculous two-prover protocol:


Protocol 1.1
( Ridiculous Protocol )

  1. Verifier sends Prover 1 a random string .

  2. Prover 1 replies with a string .

  3. Verifier sends Prover 2 the string .

  4. Prover 2 replies with a string .

  5. Verifier accepts if .


Suppose that we claim the following ridiculous theorem:

Theorem 1.2

(Ridiculous Theorem) The probability that the verifier accepts in the Ridiculous Protocol is exponentially small.


(Ridiculous Proof) By the definition of MIPs, the provers cannot communicate. If Prover 2 can output an that is the same as the uniformly random that only Prover 1 knows, then they must have communicated. Contradiction. ∎

The reader is astute in pointing out that steps 2 and 3 of the Ridiculous Protocol clearly show that the verifier is helping the provers by relaying the very answer it is supposed to keep secret. The Ridiculous Proof of the Ridiculous Theorem overlooked the blind spot that is the verifier’s interactions. This is our point, exaggerated.

The blind spot in the standard MIP model is what we shall call “non-local contamination” by the verifier. For example, a verifier talking to one prover and then talking to another prover risks unwittingly helping the provers (up to) signal. However, the most important (and the most subtle) of those contaminations are ones where the verifier helps the provers perform a no-signaling correlation; examples of this can be found in the following section, and also in [10].

In existing MIP literature, the proofs of soundness do not account for this blind spot. It is easy to see the Ridiculous Verifier as clearly contaminating (in fact, steps 2 and 3 signals for the provers). It is not so easy when the verifier is more complex. It is an even subtler point when we consider that the verifier could be helping the provers in a no-signaling manner. We believe that proofs within the standard model must be reconsidered in light of this observation. We will further discuss this last point in section 3.

To clarify, we are not claiming that any particular existing MIP protocol is unsound, only that their proofs of soundness either missed the above point, or implicitly assumes it. We would like to make this explicit. We wish to draw the community’s attention to this situation and offer our solution: a multi-prover, multi-verifier model which we shall call locality-explicit multi-prover interactive proofs (LE-MIP). MIPs in this form have prover-verifier pairs who are talking, but no communication between any of the pairs. At the end of a locality-explicit protocol, a special, read-only verifier accepts or rejects. Locality-explicit protocols do not have to worry about non-local contamination by the verifier. This new model offers the following advantages:

  1. The provers and verifiers are guaranteed to be local (i.e., a very strong notion of no-communicating), if desired.

  2. Any non-local resources of provers and verifiers are made explicit.

  3. It is possible to enforce “honest non-locality” on the provers by having the verifier provide them with non-local resources. Our model makes this explicit.

  4. A new property of zero-knowledge emerges naturally as a result.

1.2 Our Contributions

  • We explain the aforementioned blind spot with the standard (single-verifier) MIP model (section 3).

  • We describe the locality-explicit model and justify its definition by expanding on its advantages over the standard model (section 4).

  • We show that, in the LE-MIP model, a new, stronger property of zero-knowledge naturally emerges.(section 4.1).

  • We describe a protocol which is local-verifier, local-prover and zero-knowledge which accepts oracle-3-SAT, achieving zero-knowledge without needing the provers to authenticate any messages, and prove its security (section 5).

  • We describe how to simulate the above protocol with simulators which have only a specific no-signaling advantage (section 5.2).

2 Previous Work

The early claims by Ben-Or, Goldwasser, Kilian and Wigderson that from [6] and [9] use multi-round protocols and their (honest) verifiers are inherently signaling. This is precisely the situation we address in this work. Proving soundness is quite subtle in this case because the provers could use the (signaling) verifier to break binding of the commitments. In particular, soundness will not be valid if the protocol is composed concurrently with other executions of itself or even used as a sub-routine. In recent conversations with Kilian [11], we have realized that controlling the impact of signaling via the verifier has been a concern since the early days of MIPs. In particular, extra care had to be taken in the zero-knowledge protocols described in [6] and [9] because the verifier couriered messages from one prover to the other. The protocols as they are might be sound but it is not fully proven. However, it is also clear that no considerations had been given to general non-local correlations possible via the verifier. If soundness rests on the binding property of a commitment scheme (such as those zero-knowledge proofs) and this binding property rests on the inability to achieve a certain non-local correlation then impossibility to achieve this correlation via the verifier must be demonstrated.

The reader may think that the entire issue we address may seem trivial because it is a known fact that multi-round MIPs may be reduced to a single round using techniques of Lapidot-Shamir [12] and Feige-Lovasz [13]. Nevertheless, if we are interested in zero-knowledge MIPs, commitment schemes are generally used to obtain the zero-knowledge property and thus the single-round structure is lost in the process. Although single-round protocols bypass verifier’s non-local contamination problems we describe in this work, converting multi-round protocols into single-round ones is highly inefficient and complex. Preserving zero-knowledge while achieving single-round has turned out to be a major challenge. Practically, keeping a multi-round protocol’s structure, using only commitments to achieve zero-knowledge is very appealing.

In [12], Lapidot-Shamir proposed a parallel ZKMIP for , but they removed the zero-knowledge claim in the journal version [14] of their work without any explanation as of why. Feige and Kilian [15] were the last ones to follow this approach combining techniques drawn from Lapidot-Shamir [12], Feige-Lovasz [13] and Dwork, Feige, Kilian, Naor, and Safra, [16] to achieve a “2-prover 1-round 0-knowledge” proof for . As far as we can tell, this is the only paper in the ZKMIP literature that appears to address the problems that we will discuss. However, note that the analysis of [15] is partly based of that of [12], and the journal version of Feige-Kilian [17] does not contain their prior claim of zero-knowledge either. All other ZKMIPs for in the literature are multi-round, and thus our work applies to them.

Similar issues are possible using more recent results such as Ito-Vidick’s proof [18] that and Kalai, Raz and Rothblum’s proof [19] that ; the multi-round structure of their protocols requires that any straightforward extensions to and via commitment schemes be analyzed carefully and the locality of the verifiers be established.

At the time of writing this paper, Chiesa, Forbes, Gur, and Spooner [20] discovered a proof that . Their construction is based on refinements of Ito-Vidick’s proof and along the lines of Feige-Kilian, building on algebraic structures to bypass the need of commitment schemes. Unfortunately, this work is too recent to be assessed as to how it is related to ours.

Bellare, Feige, and Kilian [21] considered a multi-verifier model similar to ours in order to analyze the role of randomness in multi-prover proofs. This is completely unrelated to our goal of analyzing verifier non-local contamination.

Finally, the notion of relativistic commitment schemes put forward by Kent [22] leads to several results [23, 24, 25] where a similar multi-verifier model is necessary in order to assess spatial separation of the provers.

3 The Standard MIP Model

Multi-prover interactive proofs were introduced in [6]. The intuition for their model was that of a detective interrogating two suspects held in different rooms. This was formalized as follows:

Definition 1


be computationally unbounded Turing machines and let

be a probabilistic polynomial-time Turing machine. All machines have a read-only input tape, a read-only auxiliary-input tape, a private work tape and a random tape. The ’s share a joint, infinitely long, read-only random tape. Each has a write-only communication tape to , and vice-versa. We call a k-prover interactive protocol (k-prover IP).

This model is essentially equivalent to that of Bell [26] who introduced his famous Bell’s inequality to distinguish local parties from entangled parties.

Zero-knowledge MIPs were also defined in [6]:

Definition 2

Let be a k-prover IP for a language .Let denote the verifier’s incoming and outgoing messages with the provers, including his coin tosses. We say that is perfect zero-knowledge for if there exists an expected polynomial-time machine such that for all , and are identically distributed.

Let us call the above two definitions the standard MIP model. There have also been augmentations of the model by giving the provers various non-local resources, such as entanglement [18], or arbitrary no-signalling power [19].

The first work to point out the aforementioned blind spot in the standard MIP model, although it was not worded explicitly, was [10]. In order to understand their point, we need to understand the following two-prover protocol.


Protocol 3.1
( BGKW-type commitment for bit )

and pre-share a random -bit string .

  1. sends a random -bit strings to .

  2. replies with .

  3. announces to a string .

  4. accepts iff .


This is a two-prover commitment protocol. Steps 1 and 2 commit, while steps 3 and 4 unveil. An intuitive proof of its binding condition is that, since the provers cannot signal, and they both need to know in order to unveil the commitment in the way they want, therefore they cannot cheat. This intuition is incomplete, as was pointed out in [10], because breaking the binding condition does not require signaling. The following protocol, known as a PR-box, can be used to break binding without signaling.

@*=¡0em¿@C=1em @R=.7em *!R!¡.5em,0em¿=¡0em¿c [r] & *+¡1em,.9em¿PR @- [0,-1][0,0].[1,0];p !C *PR,p +LU;+RU **-+RU;+RD **-+RD;+LD **-+LD;+LU **- & *!L!¡-.5em,0em¿=¡0em¿r [l]
*!R!¡.5em,0em¿=¡0em¿w’ := c ×r ⊕x & *+¡1em,.9em¿PR @- [0,-1][r][l] & *!L!¡-.5em,0em¿=¡0em¿x (uniform)

Figure 1: a PR-box

By having obtain via the PR-box, can unveil the commitment the way it wishes, . This fact will become extremely important in Sections 5 and 4.1.

The punchline of [10] is that the verifier itself can act as a PR-box for the provers without violating their no-signaling assumption. Consider the following:

  1. Any security proof of protocol 3.1 must show that it does not contain a PR-box as a subroutine.

  2. More generally, any security proof of a protocol must show that no subroutine within itself can be commandeered by the provers to achieve a non-local functionally (like the PR-box).

  3. Composition of protocols, for instance between the committing and the opening of commitments, must be done in such a way that provably does not create a non-local box.

The solution proposed in [10] was that of verifier isolation. Informally, this means that any message an “isolating” verifier sends to a set of provers must be computed solely from messages that are received from . The end result is that an isolating verifier can never accidentally implement a PR-box and, in general, it will always enforce the locality of the provers. In a sense, we can think of an isolating verifier as “local”. Our new model will make this more precise and more general.

Furthermore, existing zero-knowledge MIPs such as [9] require that the verifier courier an authenticated message between the provers in order to obtain soundness while ensuring zero-knowledge. The gist of it goes like this:

  1. asks some questions.

  2. wants to check one of ’s answers with for consistency.

  3. In order for zero-knowledge to hold, must ask a question it has already asked .

  4. authenticates a question with a key that was committed at the beginning of the protocol and sends it to .

  5. sends the question and the authentication to , who proceeds only if authentication succeeds.

Steps 4 and 5 consists of sending a message from to . Proofs that this act does not contaminate non-locally (such as simulating a PR-box) is not found in any existing MIP. This needs to be proven, and the proof contained in [9] does not address this issue. Moreover, the zero-knowledge protocol of [9] allows to send an arbitrary message to (via the authentication key). Therefore, one cannot compose such a protocol in a nested fashion (as a subroutine call) since the inner instance would violate the no-communication assumption of the outer instance. For more details on the problems of the standard model, see [27].

Existing simulators for zero-knowledge protocols such as those found in [9] needs to know how to break commitments in order to simulate. The simulator accomplishes this by acting as both provers, thereby receiving the secret string which was meant for one prover only. This standard model of zero-knowledge gives the simulator unnecessary power, in a sense. We will discuss this further in section 4.1.

4 Locality-Explicit MIP

The standard MIP model allows the verifier to non-locally contaminate the provers. We neutralize this problem by defining a model with multiple verifiers, each of which talks to a single prover; in turn, each prover talks to a single verifier. There are no communication tapes between the verifiers, nor are there between provers. There is a special verifier which only reads the outputs of the other verifiers; this is the verifier that will decide to accept or reject membership to . We call this model “locality-explicit” since the provers and verifiers are explicitly local, and if any non-local resources (such as entanglement) are available to them, then it is explicitly specified via a supplementary entity named for the provers and for the verifiers.

This model is a generalization of the standard model because the special setting where is empty and signals for the verifiers corresponds to the standard MIP model.

Definition 3

An interactive Turning machine (ITM) is a Turing machine augmented with the following tapes:

  • read-only incoming communication tapes.

  • write-only outgoing communication tapes.

  • Private work, auxiliary-input, and random tapes.

An ITM can signal to an ITM if ’s write-only outgoing tape is ’s read-only incoming tape.

Definition 4

Let be a tuple of ITMs, where the ’s are computationally all-powerful and the ’s are polynomial-time. For each , there are two-way communication tapes between and , and that for all , there is a two-way communication tape between and and also between and . In addition, for each , there is a read-only tape going from to (where reads). Then, this is said to be a locality-explicit multi-prover interactive proof.

We call and correlators and say that the provers and verifiers are -local and -local respectively.

It is perhaps easier to understand our definition with the help of figure 2.

Figure 2: Locality-Explicit MIP

The solid lines represents two-way communication and the dashed arrows represents one-way communication, with the arrow indicating the direction of information flow.

We can define that an LE-MIP accepts a language if the usual soundness and completeness conditions hold:

Definition 5

An LE-MIP accepts a language if and only if

  • (completeness) ,

  • (soundness) ,

where is the read-only tape from to at the end of the interaction of with (or ) on input .

Note that we do not quantify over (nor ), as we want to use them not as (possibly malicious) participants to the protocol, but as a description of non-local resources available to the provers and verifiers.

Definition 6

An LE-MIP is local if and all of the provers’ (resp. verifiers’) random tapes are initialized with the same uniformly random string (resp. verifiers with another, independent uniformly random string )***By we mean the empty correlator that provides everyone with nothing at all as output..

Note that (single-verifier) standard MIPs in which provers do not have non-local resources are equivalent to LE-MIPs where and acts as a bulletin board. That is, a single verifier communicating with multiple provers is equivalent to multiple verifiers communicating with provers and each other.

In standard MIPs, it is possible that the honest (single) verifier bridges the provers non-locally. If a protocol does not desire this – and most existing MIPs do not – it must be proven. With local LE-MIPs, the special verifier decides to accept or reject. This verifier cannot communicate with anyone else, avoiding the aforementioned non-local contamination.

4.1 Zero-Knowledge LE-MIPs

Zero-knowledge is defined by simulations, the fundamental idea that if a transcript can be produced by an entity (simulator) with no more power than one (verifier) interrogating all-powerful provers, then no knowledge is gained.

The simulator of single-prover IP and standard MIP are equal to the verifier in computational power, but they do have “advantages” which allow them to fake transcripts. For single-prover IPs, the simulator is allowed to rewind computation; for standard MIPs, the simulator is given a (commitment-breaking) secret. Those advantages are, of course, independent of knowledge.

LE-MIPs naturally induces a new advantage for the simulator: non-local correlations. This is a very powerful advantage. Using the correct non-local correlations, simulators do not need to rewind, do not need to pretend to be multiple (isolated) provers, and do not need to know any commitment-breaking secrets. Multiple, no-signaling simulators can even produce transcripts in “real-time” (example will follow) if the proper correlations are used.

Definition 7

Let be a tuple of polynomial-time ITMs. Each machine has a random tape, and every random tape is initialized with the same random bits. For , there is a two-way communication tape between and . There are no communication tapes between any of the ’s. Then this is called a tuple of locality-explicit simulators and is the locality class of , which will be abbreviated -local.

Definition 8

Let be an LE-MIP for language . If there exists a correlator such that for all verifiers , there exists , such that the transcripts of conversations between


are identically distributed, where is a tuple of locality-explicit simulators, then we say that is a perfectly indistinguishable, -local zero-knowledge LE-MIP for .

Our motivations for the above definitions are twofold.

First, a simulator (or simulators) should not have more power than necessary. If two local simulators can output for two local verifiers, then it is not necessary to have a single simulator (equivalent to two signaling simulators) do the job. Allowing simulators to signal (equivalently, having a single simulator) in the multi-prover setting is analogous to allowing unbounded running-time simulation in single-prover zero-knowledge. In general, finding the minimal that will allow simulation may be of some theoretic interest.

Second, the non-locality of simulators is a characterization of the resilience of zero-knowledge. A protocol which local simulators can withstand arbitrary (malicious) verifiers is more resilient than one which signaling simulators are needed.

This may be of practical interest, if transcripts are timestamped. For example, under the relativistic assumption that one may not signal faster-than-light, one may be able to distinguish two spatially separated simulators from two spatially separated verifiers, if the simulators need to signal (transmit a commitment-breaking secret) in order to generate a transcript. On the other hand, if two entangled simulators are sufficient to produce the transcript, then they are indistinguishable from real verifiers and provers. Our protocol 5.2 can be modified as to let entangled simulators do their work, without needing PR-boxes or signaling. Details in section 5.

4.2 The Power of LE-MIPs

Local LE-MIPs form a subclass of standard MIPs. They are, by design, more restricted in what you can make the verifier do. An immediate question is whether this is too restrictive. Perhaps, in all interesting cases, it is necessary for a single verifier to go back-and-fourth between provers, using previous discussions to generate new questions.

The answer is that, of all the literature we have surveyed, almost all protocols can be re-written in a local-verifier manner without any loss of functionality. We explicitly demonstrate this for the multi-prover protocol for oracle-3-SAT in [8]. The protocol details can be found in the appendix. For the purpose of our discussion, we only need to look at the general form of the protocol:


Protocol 4.1
( BFL Classic, Single-Verifier )

  1. asks some questions non-adaptively.

  2. chooses a question from the pool of questions which were asked to .

  3. asks to .

  4. accepts if the interaction with was successful, and the answer from is consistent with those of .


The crucial observation is that does not adaptively ask questions to . Therefore, the questions asked on that entire side of the conversation can selected in advance, and thus they can be shared in advance with a second verifier. We can therefore naturally rewrite the BFL classic protocol as a local LE-MIP in the following way. The reader can check the details in the appendix, and in section 3 of [8].


Protocol 4.2
( BFL as an LE-MIP )

  1. prepares the questions which it will ask .

  2. chooses a question from the above list and shares it with .

  3. LE-MIP begins. All parties are local as per definitions.

  4. asks the questions to .

  5. asks to .

  6. , reading the responses, decides to accept or reject, based on the same criteria as in protocol 4.1.


The BFL protocol is for oracle-3-SAT, which is -complete. Rewritten as a local LE-MIP, it circumvents all non-locality issues we have mentioned. Thus, we can conclusively say that “local ; no transformation to single-round MIP necessary, and no need to invoke the general theory of PCPs.

5 A Local, Zero-Knowledge LE-MIP for NEXP

The question which follows naturally is whether there exists a zero-knowledge, local LE-MIP for . The existing technique for achieving zero-knowledge in MIP [6, 9] requires the (single) verifier to courier an authenticated message between provers. This is not possible with local-verifier LE-MIPs. We show that there is a way around that constraint.

By adapting the protocol from [8], we will exhibit a protocol with the following properties:

  1. The provers and verifiers are local: .

  2. The simulators need only access to instances of PR-boxes to work. That is, simply computes indexed instances of PR-boxes. We will abbreviate this as “PR-local.”

Let us call the set of multi-prover protocols with these properties “PR-local , local ”. This implies that “PR-local , local .

The generic way of turning an interactive proof into a zero-knowledge one is by running it in committed form [6, 9]. With this technique, provers commit their answers instead of directly responding, and use cryptographic techniques to convince the verifier that the answers are correct.

As shown in section 4.2, the BFL protocol can be turned into a local LE-MIP. If we try to turn it into a zero-knowledge LE-MIP by having the provers commit their answers (for example using protocol 3.1 as commitment), we run into a problem. In order to achieve zero-knowledge, the provers must ensure that the question receives from is one of the questions which has asked . On the other hand, since the provers and verifiers are local, the provers cannot communicate, nor can they ask the verifiers to courier authenticated messages between them.

Our solution essentially asks the provers to (strongly-universal-2) hash the selected committed answer with a key that is based on the verifier’s question. We force to behave honestly (to ask a question that has asked) by making bad questions meaningless. If the verifiers ask the provers the same question, they will receive the same hash of the same answer. Otherwise, they will receive two unrelated random hash values.

We need the PR commitment (protocol 5.1), which is secure in the local setting as previously proved in [22, 10, 23].

5.1 The Protocols

The following is a PR-type commitment that is perfectly concealing and statistically binding. In general, we use the commitment-box notation “” as the name of a commitment to bit in the next two protocols.


Protocol 5.1
A statistically binding, perfectly concealing commitment protocol to bit .

All parties agree on a security parameter .
and partition their private random tape into two -bit strings .

Pre-computation phase:

  • samples two -bit strings independently and uniformly, and provides them to .

  • sends to and sends to .

Commit phase:

  • commits to as , where is a multiplication in .

  • sends : .

Unveiling phase:

  • sends to .

  • computes if , or if .

  • rejects if is anything but or , or if and accepts otherwise.


Below is the zero-knowledge, local LE-MIP for oracle-3-SAT (Protocol 5.2). The basis of protocol 5.2 is the localized BFL protocol we presented in section 4.2 (details in the appendix). A note on notation: for a circuit , we will denote as the gate-by-gate committed circuit evaluated with x as the input. We also use statements such as “ proves to that was computed correctly”. The reader is expected familiarity with zero-knowledge computations on committed circuits as put forward by [28, 29, 4, 9].


Protocol 5.2
A local zero-knowledge LE-MIP for oracle-3-SAT

Let , an instance of oracle-3-SAT, be the common input, let , and let be the verifier’s program in protocol 6.2 (see appendix).

  1. Pre-computation:

    1. samples two -bit strings independently and uniformly, and provides them to .

    2. selects random bit strings (size specified implicitly by ) and evaluates the circuit of using the as randomness, resulting in questions , and provides them to

    3. randomly chooses , , the index of an oracle query that will be made to both and . provides to .

    4. sends to and sends to for future commitments.

    5. All parties agree on a family of strongly-universal-2 hash functions indexed by -bit keys.

    6. and agree on a -bit key , an index to the above family.

    7. commits to .

  2. Sumcheck with oracle:

    • Let be the arithmetization obtained in protocol 6.1, let be a string from and be strings of as generated in protocol 6.2. and execute protocol 6.1 in committed form. At the end of this phase, shows that the committed final value is equal to

      an evaluation in committed form of using the committed values that were used during the protocol’s loop. If this fails, instructs to reject.

  3. Multilinearity test:

    1. For :

      1. sends to ,

      2. commits his answer as .

    2. and evaluate a circuit description of in committed form with inputs to verify proper linearity among them. unveils the circuit’s committed output. If it rejects, instructs to reject.

  4. Consistency test:

    1. sends to .

    2. computes and sends to .

    3. proves to that was computed correctly, from the existing commitments.

    4. unveils for , who gets .

    5. sends to (recall that this was pre-agreed in step 1.(c))

    6. responds to with .

    7. accepts if and only if all of the following conditions are met:

      • All commitments which have been unveiled are valid.

      • did not reject in the two previous cases


5.2 Proofs of Security

5.2.1 Locality

Since the protocol is written as an LE-MIP in which , the protocol is local by definition 6.

5.2.2 Completeness

Completeness follows from the completeness of the underlying protocol [8], and the fact that the commitment protocol (protocol 5.1) is well-defined for honest provers (who will never send a commitment that they cannot unveil).

5.2.3 Soundness

Without loss of generality, we may assume that the soundness error in the BFL protocol to be , through sequential amplification. The probability that our commitment scheme (protocol 5.1) fails binding is exponentially small in . Local probabilistic provers are equivalent to local deterministic provers. This is because the success probability of randomized provers of breaking soundness is an average over the randomized provers’ random tapes. Each instance of a random tape represents a deterministic strategy. Therefore there is a deterministic strategy which succeeds with probability at least , and hence we only need to consider local deterministic provers.

Since is deterministic, we may unambiguously consider what happens if we were to “rewind” the prover machine. Suppose that at some point unveils a particular commitment to . We rewind and let make different choices before that point. Suppose that, with these alternate choices, then unveils to (an attempt to break binding). Because of locality, ’s behavior is independent of what receives (namely ). Therefore, there is only one such which will ultimately accept as a valid unveiling of in both ways (recall that our commitment is statistically binding).

Therefore, in the worst case, for every commitment there exists a sequence of interactions between and such that will attempt to break the binding of that commitment. Each such commitment-breaking corresponds to at most one string that will actually work.

Let us denote the set of such binding-breaking strings by . If , then the provers will not break binding, and the soundness error is reduced to that of the underlying protocol (at most ). On the other hand, since , the probability that is at most .

Therefore, the soundness error of our protocol is at most

5.2.4 Zero-Knowledge

The simulation will be divided in two parts. In the first part, the simulator produces a transcript of the pre-computation, multilinearity test and sumcheck with oracle parts, which involves only interactions with . In the second part, the simulator will fake a valid consistency test.


Protocol 5.3
( Perfectly Indistinguishable, PR-Local Simulator for Protocol 5.2, Part 1)

The setup:

  • Let be a set of locality-explicit simulators.

  • and can send an index along with a bit.

  • completes the indexed PR box (protocol 3.1) for both simulators.

The simulation strategy:

  1. The simulators agree on unique indices for every commitment used in the protocol.

  2. interacts with the way would. Whenever should commit, commits to random bits, just like the single-simulator from section 5.

  3. For each commitment, sends a string . sends to the index of the commitment and .

  4. runs the PR box (protocol 3.1) and replies with ’s half of the output.

  5. Whenever needs to unveil a commitment, it can be unveiled in the way desires by sending the corresponding index and bit to .

  6. completes the corresponding PR box which outputs . sends to .

  7. sends to .


The second part (the consistency test) can be done by having the simulators ignore the question.


Protocol 5.4
( Perfectly Indistinguishable, PR-Local Simulator for Protocol 5.2, Part 2)

  1. sends to .

  2. computes .

  3. Using to break binding, convinces that is actually .

  4. unveils for , who gets .

  5. sends to .

  6. responds with .


By the properties of the strongly-universal-2 hash , if then . Otherwise with probability exponentially close to one. This produces the result as desired. The simulators then feed the transcripts to , and terminates simulation.

5.3 Entangled Simulators

The binding condition of commitment used above (protocol 5.1) can be broken given PR-boxes. However, if the verifier were willing to tolerate approximately of errors in the provers’ unveiling string ( or ), then it is possible to break binding with shared entanglement [30] while maintaining soundness against local provers. Using this weakened version of commitment in place of protocol 5.1 still yields a local LE-MIP for oracle-3-SAT, but easier to simulate (using weaker non-local resources). We leave the details of this modified protocol to the reader.

6 Conclusions and Future Work

We close with three open questions.

First, although protocol 5.2 is a local LE-MIP, the only known ways of simulating the transcript are to give the simulators some kind of non-local resource such as a PR box (or a fully signaling box, but that is not necessary). We do not know whether it is possible to simulate protocol 5.2 with local simulators, but we are unable to show this to be impossible.

Second, as of the time of this writing, it is an open question whether [18]. Under the locality-explicit setup, we ask a slightly more general question: does there exist a correlator and a corresponding LE-MIP which accepts a language ? We remind the reader that characterizing the complexity classes of MIPs where the provers have non-local resources are generally open questions.

Third, although the verifier’s non-local contamination is undesirable (in the standard MIP model) and is the motivation for this work, is it possible to turn it into a resource? For example, given local provers, let the verifier provide them with some non-local resources, such PR boxes or entanglement that can be simulated in polynomial-time. This can be seen as “enforceable honest non-local resources.” Malicious provers would not be able to use these resources at will. Perhaps this concept would be useful in the design of multi-prover protocols.


We would like to thank G. Brassard, A. Chailloux, S. Fehr, J. Kilian, S. Laplante, J. Li, A. Leverrier, A. Massenet, S. Ranellucci, L. Salvail, C. Schaffner, and T. Vidick for various discussions about earlier versions of this work. We would also like to thank Jeremy Clark for his insightful comments. Finally, we are grateful to Raphael Phan and Moti Yung for inviting us to publish a lead-up paper to this work as an Insight Paper at MyCrypt 2016.


  • [1] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof-systems,” SIAM. J. Computing, vol. 18, pp. 186–208, Feb. 1989.
  • [2] L. Babai, “Trading group theory for randomness,” in

    Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing

    , pp. 421–429, May 1985.
  • [3] A. Shamir, “IP = PSPACE,” J. ACM, vol. 39, pp. 869–877, Oct. 1992.
  • [4] R. Impagliazzo and M. Yung, “Direct minimum-knowledge computations,” in Advances in Cryptology: Proceedings of Crypto ’87 (C. Pomerance, ed.), vol. 293, pp. 40–51, Springer-Verlag, 1988.
  • [5] M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali, and P. Rogaway, “Everything provable is provable in zero-knowledge,” in Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’88, (London, UK, UK), pp. 37–56, Springer-Verlag, 1990.
  • [6] M. Ben-Or, S. Goldwasser, J. Kilian, and A. Wigderson, “Multi-prover interactive proofs: How to remove intractability assumptions,” in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, (New York, NY, USA), pp. 113–131, ACM, 1988.
  • [7] L. Fortnow, J. Rompel, and M. Sipser, “On the power of multi-prover interactive protocols,” Theor. Comput. Sci., vol. 134, pp. 545–557, Nov. 1994.
  • [8] L. Babai, L. Fortnow, and C. Lund, “Non-deterministic exponential time has two-prover interactive protocols,” Comput. Complex., vol. 2, pp. 374–374, Dec. 1992.
  • [9] J. Kilian, Uses of randomness in algorithms and protocols. MIT Press, 1990.
  • [10] C. Crépeau, L. Salvail, J.-R. Simard, and A. Tapp, “Two provers in isolation,” in Advances in Cryptology – ASIACRYPT 2011: 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, (Berlin, Heidelberg), pp. 407–430, Springer Berlin Heidelberg, 2011.
  • [11] J. Kilian, “Personal e-mail communication,” July 2018.
  • [12] D. Lapidot and A. Shamir, “Fully parallelized multi prover protocols for nexp-time (extended abstract),” in 32nd Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 1-4 October 1991, pp. 13–18, IEEE Computer Society, 1991.
  • [13] U. Feige and L. Lovász, “Two-prover one-round proof systems: Their power and their problems (extended abstract),” in Proceedings of the Twenty-fourth Annual ACM Symposium on Theory of Computing, STOC ’92, (New York, NY, USA), pp. 733–744, ACM, 1992.
  • [14] D. Lapidot and A. Shamir, “Fully parallelized multi-prover protocols for nexp-time,” J. Comput. Syst. Sci., vol. 54, no. 2, pp. 215–220, 1997.
  • [15] U. Feige and J. Kilian, “Two prover protocols: low error at affordable rates,” in Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, 23-25 May 1994, Montréal, Québec, Canada (F. T. Leighton and M. T. Goodrich, eds.), pp. 172–183, ACM, 1994.
  • [16] C. Dwork, U. Feige, J. Kilian, M. Naor, and S. Safra, “Low communication 2-prover zero-knowledge proofs for NP,” in Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings (E. F. Brickell, ed.), vol. 740 of Lecture Notes in Computer Science, pp. 215–227, Springer, 1992.
  • [17] U. Feige and J. Kilian, “Two-prover protocols - low error at affordable rates,” SIAM J. Comput., vol. 30, no. 1, pp. 324–346, 2000.
  • [18] T. Ito and T. Vidick, “A multi-prover interactive proof for nexp sound against entangled provers,” in Proceedings of the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, FOCS ’12, (Washington, DC, USA), pp. 243–252, IEEE Computer Society, 2012.
  • [19] Y. T. Kalai, R. Raz, and R. D. Rothblum, “How to delegate computations: The power of no-signaling proofs,” in Proceedings of the Forty-sixth Annual ACM Symposium on Theory of Computing, STOC ’14, (New York, NY, USA), pp. 485–494, ACM, 2014.
  • [20] A. Chiesa, M. A. Forbes, T. Gur, and N. Spooner, “Spatial isolation implies zero knowledge even in a quantum world,” Electronic Colloquium on Computational Complexity (ECCC), vol. 25, p. 44, 2018.
  • [21] M. Bellare, U. Feige, and J. Kilian, “On the role of shared randomness in two prover proof systems,” in Third Israel Symposium on Theory of Computing and Systems, ISTCS 1995, Tel Aviv, Israel, January 4-6, 1995, Proceedings, pp. 199–208, IEEE Computer Society, 1995.
  • [22] A. Kent, “Unconditionally secure bit commitment,” Phys. Rev. Lett., vol. 83, pp. 1447–1450, Aug 1999.
  • [23] T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, S. Wehner, and H. Zbinden, “Practical relativistic bit commitment,” Phys. Rev. Lett., vol. 115, p. 030502, Jul 2015.
  • [24] E. Adlam and A. Kent, “Deterministic relativistic quantum bit commitment,” CoRR, vol. abs/1504.00943, 2015.
  • [25] A. Chailloux and A. Leverrier, “Relativistic (or 2-prover 1-round) zero-knowledge protocol for NP secure against quantum adversaries,” in Advances in Cryptology – EUROCRYPT 2017: 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 – May 4, 2017, Proceedings, Part III, pp. 369–396, Springer International Publishing, 2017.
  • [26] J. S. Bell, “On the Einstein-Podolsky-Rosen paradox,” Physics, vol. 1, pp. 195–200, 1964.
  • [27] C. Crépeau and N. Yang, “Multi-prover interactive proofs: Unsound foundations,” in Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology: Second International Conference, Mycrypt 2016, Kuala Lumpur, Malaysia, December 1-2, 2016, Revised Selected Papers, pp. 485–493, Springer International Publishing, 2017.
  • [28] G. Brassard and C. Crépeau, “Zero-knowledge simulation of boolean circuits (extended abstract),” in Advances in Cryptology: Proceedings of Crypto ’86 (A. M. Odlyzko, ed.), vol. 263, pp. 223–233, Springer-Verlag, 1987.
  • [29] G. Brassard and C. Crépeau, “Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond,” in Symp. of Found. of Computer Sci., pp. 188–195, IEEE, 1986.
  • [30] G. Brassard, A. Broadbent, and A. Tapp, “Multi-party pseudo-telepathy,” in Algorithms and Data Structures (F. Dehne, J.-R. Sack, and M. Smid, eds.), (Berlin, Heidelberg), pp. 1–11, Springer Berlin Heidelberg, 2003.

Appendix: Babai, Fortnow and Lund’s MIP for Languages in NEXP

This section describes a variant of the multi-prover protocol for oracle-3-SAT found in [8]. We refer to this as the BFL protocol, or BFL classic.

Definition 9

Let be integers. Let be strings of variables, where and . Let be a Boolean formula in variables. A Boolean function is a 3-satisfying oracle for if

for every string .

is oracle-3-satisfiable if such a function exists.

The Oracle-3-SAT problem asks whether a Boolean formula is oracle-3-satisfiable, where and denote the lengths of and , as above.

Lemma 1

Oracle-3-SAT is -complete.

Definition 10

Let be an arbitrary field. Let be a Boolean function. An arithmetization of is a polynomial such that for all , . A specific one is given in [8], proposition 3.1 .

Equivalently, the condition can be replaced with .


Protocol 6.1
( Sumcheck Protocol )

Let be the 3-CNF formula which the prover is trying to show to be a tautology to a verifier . Let be a field of sufficient size (of order at least will suffice where is the number of clauses of ).

  1. takes and computes its arithmetization according to [8] Proposition 3.1 and sends it to .

  2. and agree on a set of size at least where is the degree of .

  3. assigns , which is supposed to be equal to the sum

  4. .

  5. sends the coefficients of the univariate polynomial in ,

  6. checks whether . If not, abort.

  7. chooses a random , computes and sends to .

  8. If then and go to step 4.

  9. checks whether .



Protocol 6.2
( Babai, Fortnow and Lund’s MIP for Oracle-3-SAT )

Given as common input.

  1. (sumcheck with oracle) and execute protocol 6.1. Let be ’s questions during this phase.

  2. (multilinearity test) asks to simulate an oracle storing the function . queries with random, linearly related values in . If any response does not satisfy linearity, abort protocol. Let be ’s questions during this phase.

  3. (non-adaptiveness test) chooses uniformly at random an such that and asks to . If ’s answer differs from that of , reject. Otherwise accept.