1 Introduction
An interactive proof is a dialog between two parties: a polynomial-time verifier and an all-powerful prover [1, 2]. They agree ahead of time on some language and a string . The prover wishes to convince the verifier that . If this is true, the prover should succeed almost all the time; if not, the prover should fail almost all the time. This is a generalization of the complexity class , except instead of simply being handed a polynomial-sized witness, the verifier is allowed to quiz the prover. The set of languages that admit an interactive proof is called .
An interactive proof is zero-knowledge if the verifier learns nothing except the truth of “”. This is usually defined by saying that a distinguisher is unable to tell apart a real conversation between the prover and the verifier, and one which is generated by a lone polynomial-time simulator. The set of zero-knowledge interactive proofs [1] is called .
One of the most important results regarding interactive proofs is that , which follows from seminal works of [3] and [4, 5]. However, the only known way to achieve the is through the use of commitments which, in the single-prover model, is dependent on complexity assumptions.
The multi-prover model was introduced in [6]. This model consists of multiple, non-communicating provers talking to a single verifier. The inspiration for this model was that of a detective interrogating a number of suspects, each of whom is isolated in a separate room. The suspects may share a strategy before being separated, but once the interrogation begins they are no longer able to talk to one another. The main motivation for studying this model was to remove the complexity assumptions used in the commitment schemes. We will abbreviate “multi-prover interactive proof” as MIP (resp. “zero-knowledge multi-prover interactive proof” as ZKMIP) and the set of languages which can be accepted by MIPs (resp. ZKMIPs) as the boldface (resp. ).
An important consequence of having multiple provers is that the verifier can use one prover to check the consistency of other provers’ answers. This gives the (weak) verifier more power over the (all-powerful) provers. Consequently, through the works of [6, 7, 8, 9], it was shown that . That is, any language in can be accepted by a MIP (optionally by a zero-knowledge MIP) without any computational assumptions.
1.1 (ZK)MIP Blind Spot
We have identified a blind spot in what we call the “standard” MIP model (one verifier talking to a number of provers) that is not addressed in existing literature. As a lead-up to describing this blind spot, we invite the readers to consider the following ridiculous two-prover protocol:
Protocol 1.1 (Ridiculous Protocol)
1. Verifier sends Prover 1 a random string .
2. Prover 1 replies with a string .
3. Verifier sends Prover 2 the string .
4. Prover 2 replies with a string .
5. Verifier accepts if .
Suppose that we claim the following ridiculous theorem:
Theorem 1.2
(Ridiculous Theorem) The probability that the verifier accepts in the Ridiculous Protocol is exponentially small.
Proof
(Ridiculous Proof) By the definition of MIPs, the provers cannot communicate. If Prover 2 can output an that is the same as the uniformly random that only Prover 1 knows, then they must have communicated. Contradiction. ∎
The reader is astute in pointing out that steps 2 and 3 of the Ridiculous Protocol clearly show that the verifier is helping the provers by relaying the very answer it is supposed to keep secret. The Ridiculous Proof of the Ridiculous Theorem overlooked the blind spot that is the verifier’s interactions. This is our point, exaggerated.
The blind spot in the standard MIP model is what we shall call “nonlocal contamination” by the verifier. For example, a verifier talking to one prover and then talking to another prover risks unwittingly helping the provers (up to) signal. However, the most important (and the most subtle) of those contaminations are ones where the verifier helps the provers perform a no-signaling correlation; examples of this can be found in the following section, and also in [10].
In existing MIP literature, the proofs of soundness do not account for this blind spot. It is easy to see the Ridiculous Verifier as clearly contaminating (in fact, steps 2 and 3 signal for the provers). It is not so easy when the verifier is more complex. It is an even subtler point when we consider that the verifier could be helping the provers in a no-signaling manner. We believe that proofs within the standard model must be reconsidered in light of this observation. We will further discuss this last point in section 3.
To clarify, we are not claiming that any particular existing MIP protocol is unsound, only that their proofs of soundness either missed the above point, or implicitly assume it. We would like to make this explicit. We wish to draw the community’s attention to this situation and offer our solution: a multi-prover, multi-verifier model which we shall call locality-explicit multi-prover interactive proofs (LEMIP). MIPs in this form have prover-verifier pairs who are talking, but no communication between any of the pairs. At the end of a locality-explicit protocol, a special, read-only verifier accepts or rejects. Locality-explicit protocols do not have to worry about nonlocal contamination by the verifier. This new model offers the following advantages:

The provers and verifiers are guaranteed to be local (i.e., a very strong notion of no-communicating), if desired.

Any nonlocal resources of provers and verifiers are made explicit.

It is possible to enforce “honest nonlocality” on the provers by having the verifier provide them with nonlocal resources. Our model makes this explicit.

A new property of zero-knowledge emerges naturally as a result.
1.2 Our Contributions

We explain the aforementioned blind spot with the standard (single-verifier) MIP model (section 3).

We describe the locality-explicit model and justify its definition by expanding on its advantages over the standard model (section 4).

We show that, in the LEMIP model, a new, stronger property of zero-knowledge naturally emerges (section 4.1).

We describe a protocol which is local-verifier, local-prover and zero-knowledge which accepts oracle-3-SAT, achieving zero-knowledge without needing the provers to authenticate any messages, and prove its security (section 5).

We describe how to simulate the above protocol with simulators which have only a specific no-signaling advantage (section 5.2).
2 Previous Work
The early claims by Ben-Or, Goldwasser, Kilian and Wigderson that from [6] and [9] use multi-round protocols and their (honest) verifiers are inherently signaling. This is precisely the situation we address in this work. Proving soundness is quite subtle in this case because the provers could use the (signaling) verifier to break binding of the commitments. In particular, soundness will not be valid if the protocol is composed concurrently with other executions of itself or even used as a subroutine. In recent conversations with Kilian [11], we have realized that controlling the impact of signaling via the verifier has been a concern since the early days of MIPs. In particular, extra care had to be taken in the zero-knowledge protocols described in [6] and [9] because the verifier couriered messages from one prover to the other. The protocols as they are might be sound but it is not fully proven. However, it is also clear that no considerations had been given to general nonlocal correlations possible via the verifier. If soundness rests on the binding property of a commitment scheme (such as those zero-knowledge proofs) and this binding property rests on the inability to achieve a certain nonlocal correlation then impossibility to achieve this correlation via the verifier must be demonstrated.
The reader may think that the entire issue we address may seem trivial because it is a known fact that multi-round MIPs may be reduced to a single round using techniques of Lapidot-Shamir [12] and Feige-Lovasz [13]. Nevertheless, if we are interested in zero-knowledge MIPs, commitment schemes are generally used to obtain the zero-knowledge property and thus the single-round structure is lost in the process. Although single-round protocols bypass the verifier’s nonlocal contamination problems we describe in this work, converting multi-round protocols into single-round ones is highly inefficient and complex. Preserving zero-knowledge while achieving single-round has turned out to be a major challenge. Practically, keeping a multi-round protocol’s structure, using only commitments to achieve zero-knowledge, is very appealing.
In [12], Lapidot-Shamir proposed a parallel ZKMIP for , but they removed the zero-knowledge claim in the journal version [14] of their work without any explanation as to why. Feige and Kilian [15] were the last ones to follow this approach combining techniques drawn from Lapidot-Shamir [12], Feige-Lovasz [13] and Dwork, Feige, Kilian, Naor, and Safra [16] to achieve a “2-prover 1-round 0-knowledge” proof for . As far as we can tell, this is the only paper in the ZKMIP literature that appears to address the problems that we will discuss. However, note that the analysis of [15] is partly based on that of [12], and the journal version of Feige-Kilian [17] does not contain their prior claim of zero-knowledge either. All other ZKMIPs for in the literature are multi-round, and thus our work applies to them.
Similar issues are possible using more recent results such as Ito-Vidick’s proof [18] that and Kalai, Raz and Rothblum’s proof [19] that ; the multi-round structure of their protocols requires that any straightforward extensions to and via commitment schemes be analyzed carefully and the locality of the verifiers be established.
At the time of writing this paper, Chiesa, Forbes, Gur, and Spooner [20] discovered a proof that . Their construction is based on refinements of Ito-Vidick’s proof and along the lines of Feige-Kilian, building on algebraic structures to bypass the need of commitment schemes. Unfortunately, this work is too recent to be assessed as to how it is related to ours.
Bellare, Feige, and Kilian [21] considered a multi-verifier model similar to ours in order to analyze the role of randomness in multi-prover proofs. This is completely unrelated to our goal of analyzing verifier nonlocal contamination.
3 The Standard MIP Model
Multi-prover interactive proofs were introduced in [6]. The intuition for their model was that of a detective interrogating two suspects held in different rooms. This was formalized as follows:
Definition 1
Let
be computationally unbounded Turing machines and let
be a probabilistic polynomial-time Turing machine. All machines have a read-only input tape, a read-only auxiliary-input tape, a private work tape and a random tape. The ’s share a joint, infinitely long, read-only random tape. Each has a write-only communication tape to , and vice-versa. We call a k-prover interactive protocol (k-prover IP). This model is essentially equivalent to that of Bell [26] who introduced his famous Bell’s inequality to distinguish local parties from entangled parties.
Zero-knowledge MIPs were also defined in [6]:
Definition 2
Let be a k-prover IP for a language . Let denote the verifier’s incoming and outgoing messages with the provers, including his coin tosses. We say that is perfect zero-knowledge for if there exists an expected polynomial-time machine such that for all , and are identically distributed.
Let us call the above two definitions the standard MIP model. There have also been augmentations of the model by giving the provers various nonlocal resources, such as entanglement [18], or arbitrary no-signalling power [19].
The first work to point out the aforementioned blind spot in the standard MIP model, although it was not worded explicitly, was [10]. In order to understand their point, we need to understand the following two-prover protocol.
Protocol 3.1
( BGKW-type commitment for bit )
and pre-share a random bit string .
sends a random bit string to .
replies with .
announces to a string .
accepts iff .
This is a two-prover commitment protocol. Steps 1 and 2 commit, while steps 3 and 4 unveil. An intuitive proof of its binding condition is that, since the provers cannot signal, and they both need to know in order to unveil the commitment in the way they want, therefore they cannot cheat. This intuition is incomplete, as was pointed out in [10], because breaking the binding condition does not require signaling. The following protocol, known as a PR-box, can be used to break binding without signaling.
By having obtain via the PR-box, can unveil the commitment the way it wishes, . This fact will become extremely important in Sections 5 and 4.1.
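The loss of binding described above can be reproduced in a few lines. This is an added example, not code from the paper: it assumes the usual form of this commitment (the provers share w, Prover 1 answers x = (b AND r) XOR w, and the verifier reads x XOR w' as bit 0 if it is all-zero and bit 1 if it equals r), simulates each PR-box with a trusted object, and uses illustrative names throughout.

```python
import secrets

N = 64  # commitment length in bits (assumed security parameter)

def rand_bits(n):
    return [secrets.randbits(1) for _ in range(n)]

def challenge(n=N):
    """Verifier's random string r, resampled if all-zero so the two openings differ."""
    while True:
        r = rand_bits(n)
        if any(r):
            return r

def honest_commit(b, r, w):
    """Honest Prover 1: x = (b AND r) XOR w, bit by bit."""
    return [(b & ri) ^ wi for ri, wi in zip(r, w)]

def verify(r, x, w_announced):
    """Verifier: x XOR w' must be 0^n (bit 0) or r (bit 1); None means reject."""
    d = [xi ^ wi for xi, wi in zip(x, w_announced)]
    if not any(d):
        return 0
    if d == r:
        return 1
    return None

class PRBox:
    """One-shot PR-box: the two outputs XOR to the AND of the two inputs.
    Whoever uses the box first receives a fresh uniform bit."""
    def __init__(self):
        self.inp, self.out = {}, {}

    def use(self, side, bit):
        other = "P2" if side == "P1" else "P1"
        self.inp[side] = bit
        if other in self.out:
            self.out[side] = self.out[other] ^ (self.inp["P1"] & self.inp["P2"])
        else:
            self.out[side] = secrets.randbits(1)
        return self.out[side]

def pr_joint(s, t):
    """Exact joint output distribution of a PR-box on inputs (s, t)."""
    return {(a, c): (0.5 if a ^ c == (s & t) else 0.0)
            for a in (0, 1) for c in (0, 1)}

def is_no_signalling():
    """Each side's marginal output is the same whatever the other side inputs."""
    for fixed in (0, 1):
        for out in (0, 1):
            p2 = {sum(pr_joint(s, fixed)[(a, out)] for a in (0, 1)) for s in (0, 1)}
            p1 = {sum(pr_joint(fixed, t)[(out, c)] for c in (0, 1)) for t in (0, 1)}
            if len(p1) != 1 or len(p2) != 1:
                return False
    return True

def run_honest(b):
    r, w = challenge(), rand_bits(N)
    return verify(r, honest_commit(b, r, w), w)

def run_pr_box_cheat(target_bit):
    """Prover 1 commits without fixing a bit; Prover 2 picks the bit at unveil time."""
    r = challenge()
    boxes = [PRBox() for _ in range(N)]
    x = [box.use("P1", ri) for box, ri in zip(boxes, r)]        # commit phase
    w_fake = [box.use("P2", target_bit) for box in boxes]       # unveil phase
    return verify(r, x, w_fake)                                 # x XOR w' = target_bit AND r

if __name__ == "__main__":
    print("honest:", run_honest(0), run_honest(1))
    print("PR-box opening:", run_pr_box_cheat(0), run_pr_box_cheat(1))
    print("no-signalling:", is_no_signalling())
```

The verifier accepts either opening although neither prover's output depends on the other's input, which is why a binding proof has to exclude PR-box behaviour and not only signaling.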
The punchline of [10] is that the verifier itself can act as a PR-box for the provers without violating their no-signaling assumption. Consider the following:

Any security proof of protocol 3.1 must show that it does not contain a PR-box as a subroutine.

More generally, any security proof of a protocol must show that no subroutine within itself can be commandeered by the provers to achieve a nonlocal functionality (like the PR-box).

Composition of protocols, for instance between the committing and the opening of commitments, must be done in such a way that provably does not create a nonlocal box.
The solution proposed in [10] was that of verifier isolation. Informally, this means that any message an “isolating” verifier sends to a set of provers must be computed solely from messages that are received from . The end result is that an isolating verifier can never accidentally implement a PR-box and, in general, it will always enforce the locality of the provers. In a sense, we can think of an isolating verifier as “local”. Our new model will make this more precise and more general.
Furthermore, existing zero-knowledge MIPs such as [9] require that the verifier courier an authenticated message between the provers in order to obtain soundness while ensuring zero-knowledge. The gist of it goes like this:

1. asks some questions.
2. wants to check one of ’s answers with for consistency.
3. In order for zero-knowledge to hold, must ask a question it has already asked .
4. authenticates a question with a key that was committed at the beginning of the protocol and sends it to .
5. sends the question and the authentication to , who proceeds only if authentication succeeds.
Steps 4 and 5 consist of sending a message from to . A proof that this act does not contaminate nonlocally (such as by simulating a PR-box) is not found in any existing MIP. This needs to be proven, and the proof contained in [9] does not address this issue. Moreover, the zero-knowledge protocol of [9] allows to send an arbitrary message to (via the authentication key). Therefore, one cannot compose such a protocol in a nested fashion (as a subroutine call) since the inner instance would violate the no-communication assumption of the outer instance. For more details on the problems of the standard model, see [27].
Existing simulators for zero-knowledge protocols such as those found in [9] need to know how to break commitments in order to simulate. The simulator accomplishes this by acting as both provers, thereby receiving the secret string which was meant for one prover only. This standard model of zero-knowledge gives the simulator unnecessary power, in a sense. We will discuss this further in section 4.1.
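Verifier isolation, as described in this section, can be checked mechanically on a protocol's message flow. The following is an added example, not from the paper or from [10]: it reads the condition as "a verifier message to a prover may depend only on the verifier's own coins and on messages from that same prover", and the message names, prover roles and flow encodings are constructed for illustration.

```python
# Each step is (sender, receiver, message_name, depends_on).
# "V" is the single verifier; "coins" stands for the verifier's own randomness.

def taint(protocol):
    """Map every message name to the set of provers whose messages influence it."""
    seen = {}
    for sender, _receiver, name, deps in protocol:
        influence = set()
        for dep in deps:
            if dep == "coins":
                continue                      # verifier randomness carries no prover data
            if dep not in seen:
                raise ValueError(f"{name!r} depends on unknown message {dep!r}")
            influence |= seen[dep]
        if sender != "V":
            influence.add(sender)             # a prover's reply carries that prover's data
        seen[name] = influence
    return seen

def isolation_violations(protocol):
    """Return (step, message, receiver, foreign_provers) for every verifier message
    that is computed from data of a prover other than its receiver."""
    seen = taint(protocol)
    found = []
    for step, (sender, receiver, name, _deps) in enumerate(protocol, 1):
        if sender != "V":
            continue
        foreign = seen[name] - {receiver}
        if foreign:
            found.append((step, name, receiver, sorted(foreign)))
    return found

# Protocol 1.1: the verifier relays Prover 1's reply to Prover 2.
RIDICULOUS = [
    ("V",  "P1", "r",      ["coins"]),
    ("P1", "V",  "reply1", ["r"]),
    ("V",  "P2", "relay",  ["reply1"]),
    ("P2", "V",  "reply2", ["relay"]),
]

# Protocol 3.1: only one prover is ever sent anything.
BGKW_COMMIT = [
    ("V",  "P1", "r", ["coins"]),
    ("P1", "V",  "x", ["r"]),
    ("P2", "V",  "w", []),
]

# The authenticated-courier sketch (roles P1/P2 assumed): the tag produced by
# one prover is forwarded to the other.
COURIER = [
    ("V",  "P1", "questions", ["coins"]),
    ("P1", "V",  "answers",   ["questions"]),
    ("P1", "V",  "tag",       ["questions"]),
    ("V",  "P2", "q_and_tag", ["questions", "tag"]),
    ("P2", "V",  "answer2",   ["q_and_tag"]),
]

# Constructed contrast: both provers are questioned from the verifier's coins only.
NON_ADAPTIVE = [
    ("V",  "P1", "questions", ["coins"]),
    ("P1", "V",  "answers",   ["questions"]),
    ("V",  "P2", "q",         ["coins"]),
    ("P2", "V",  "answer2",   ["q"]),
]

if __name__ == "__main__":
    for label, proto in [("ridiculous", RIDICULOUS), ("bgkw", BGKW_COMMIT),
                         ("courier", COURIER), ("non-adaptive", NON_ADAPTIVE)]:
        print(label, isolation_violations(proto))
```

A flagged step is not a proof of unsoundness; it marks a message for which the soundness proof must show that no nonlocal correlation is created.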
4 Locality-Explicit MIP
The standard MIP model allows the verifier to nonlocally contaminate the provers. We neutralize this problem by defining a model with multiple verifiers, each of which talks to a single prover; in turn, each prover talks to a single verifier. There are no communication tapes between the verifiers, nor are there between provers. There is a special verifier which only reads the outputs of the other verifiers; this is the verifier that will decide to accept or reject membership to . We call this model “locality-explicit” since the provers and verifiers are explicitly local, and if any nonlocal resources (such as entanglement) are available to them, then it is explicitly specified via a supplementary entity named for the provers and for the verifiers.
This model is a generalization of the standard model because the special setting where is empty and signals for the verifiers corresponds to the standard MIP model.
Definition 3
An interactive Turing machine (ITM) is a Turing machine augmented with the following tapes:

read-only incoming communication tapes.

write-only outgoing communication tapes.

Private work, auxiliary-input, and random tapes.
An ITM can signal to an ITM if ’s write-only outgoing tape is ’s read-only incoming tape.
Definition 4
Let be a tuple of ITMs, where the ’s are computationally all-powerful and the ’s are polynomial-time. For each , there are two-way communication tapes between and , and that for all , there is a two-way communication tape between and and also between and . In addition, for each , there is a read-only tape going from to (where reads). Then, this is said to be a locality-explicit multi-prover interactive proof.
We call and correlators and say that the provers and verifiers are local and local respectively.
It is perhaps easier to understand our definition with the help of figure 2.
The solid lines represent two-way communication and the dashed arrows represent one-way communication, with the arrow indicating the direction of information flow.
We can define that an LEMIP accepts a language if the usual soundness and completeness conditions hold:
Definition 5
An LEMIP accepts a language if and only if

(completeness) ,

(soundness) ,
where is the read-only tape from to at the end of the interaction of with (or ) on input .
Note that we do not quantify over (nor ), as we want to use them not as (possibly malicious) participants to the protocol, but as a description of nonlocal resources available to the provers and verifiers.
Definition 6
An LEMIP is local if and all of the provers’ (resp. verifiers’) random tapes are initialized with the same uniformly random string (resp. verifiers with another, independent uniformly random string ). (Footnote: By we mean the empty correlator that provides everyone with nothing at all as output.)
Note that (single-verifier) standard MIPs in which provers do not have nonlocal resources are equivalent to LEMIPs where and acts as a bulletin board. That is, a single verifier communicating with multiple provers is equivalent to multiple verifiers communicating with provers and each other.
In standard MIPs, it is possible that the honest (single) verifier bridges the provers nonlocally. If a protocol does not desire this – and most existing MIPs do not – it must be proven. With local LEMIPs, the special verifier decides to accept or reject. This verifier cannot communicate with anyone else, avoiding the aforementioned nonlocal contamination.
4.1 Zero-Knowledge LEMIPs
Zero-knowledge is defined by simulations, the fundamental idea that if a transcript can be produced by an entity (simulator) with no more power than one (verifier) interrogating all-powerful provers, then no knowledge is gained.
The simulators of single-prover IP and standard MIP are equal to the verifier in computational power, but they do have “advantages” which allow them to fake transcripts. For single-prover IPs, the simulator is allowed to rewind computation; for standard MIPs, the simulator is given a (commitment-breaking) secret. Those advantages are, of course, independent of knowledge.
LEMIPs naturally induce a new advantage for the simulator: nonlocal correlations. This is a very powerful advantage. Using the correct nonlocal correlations, simulators do not need to rewind, do not need to pretend to be multiple (isolated) provers, and do not need to know any commitment-breaking secrets. Multiple, no-signaling simulators can even produce transcripts in “real-time” (an example will follow) if the proper correlations are used.
Definition 7
Let be a tuple of polynomial-time ITMs. Each machine has a random tape, and every random tape is initialized with the same random bits. For , there is a two-way communication tape between and . There are no communication tapes between any of the ’s. Then this is called a tuple of locality-explicit simulators and is the locality class of , which will be abbreviated local.
Definition 8
Let be an LEMIP for language . If there exists a correlator such that for all verifiers , there exists , such that the transcripts of conversations between
and
are identically distributed, where is a tuple of locality-explicit simulators, then we say that is a perfectly indistinguishable, local zero-knowledge LEMIP for .
Our motivations for the above definitions are twofold.
First, a simulator (or simulators) should not have more power than necessary. If two local simulators can output for two local verifiers, then it is not necessary to have a single simulator (equivalent to two signaling simulators) do the job. Allowing simulators to signal (equivalently, having a single simulator) in the multi-prover setting is analogous to allowing unbounded running-time simulation in single-prover zero-knowledge. In general, finding the minimal that will allow simulation may be of some theoretic interest.
Second, the nonlocality of simulators is a characterization of the resilience of zero-knowledge. A protocol for which local simulators can withstand arbitrary (malicious) verifiers is more resilient than one for which signaling simulators are needed.
This may be of practical interest, if transcripts are timestamped. For example, under the relativistic assumption that one may not signal faster-than-light, one may be able to distinguish two spatially separated simulators from two spatially separated verifiers, if the simulators need to signal (transmit a commitment-breaking secret) in order to generate a transcript. On the other hand, if two entangled simulators are sufficient to produce the transcript, then they are indistinguishable from real verifiers and provers. Our protocol 5.2 can be modified so as to let entangled simulators do their work, without needing PR-boxes or signaling. Details are in section 5.
4.2 The Power of LEMIPs
Local LEMIPs form a subclass of standard MIPs. They are, by design, more restricted in what you can make the verifier do. An immediate question is whether this is too restrictive. Perhaps, in all interesting cases, it is necessary for a single verifier to go back and forth between provers, using previous discussions to generate new questions.
The answer is that, of all the literature we have surveyed, almost all protocols can be rewritten in a local-verifier manner without any loss of functionality. We explicitly demonstrate this for the multi-prover protocol for oracle-3-SAT in [8]. The protocol details can be found in the appendix. For the purpose of our discussion, we only need to look at the general form of the protocol:
Protocol 4.1
( BFL Classic, Single-Verifier )
asks some questions non-adaptively.
chooses a question from the pool of questions which were asked to .
asks to .
accepts if the interaction with was successful, and the answer from is consistent with those of .
The crucial observation is that does not adaptively ask questions to . Therefore, the questions asked on that entire side of the conversation can be selected in advance, and thus they can be shared in advance with a second verifier. We can therefore naturally rewrite the BFL classic protocol as a local LEMIP in the following way. The reader can check the details in the appendix, and in section 3 of [8].
Protocol 4.2
( BFL as an LEMIP )
prepares the questions which it will ask .
chooses a question from the above list and shares it with .
LEMIP begins. All parties are local as per definitions.
asks the questions to .
asks to .
, reading the responses, decides to accept or reject, based on the same criteria as in protocol 4.1.
The BFL protocol is for oracle-3-SAT, which is complete. Rewritten as a local LEMIP, it circumvents all nonlocality issues we have mentioned. Thus, we can conclusively say that “local ” ; no transformation to single-round MIP necessary, and no need to invoke the general theory of PCPs.
5 A Local, Zero-Knowledge LEMIP for NEXP
The question which follows naturally is whether there exists a zero-knowledge, local LEMIP for . The existing technique for achieving zero-knowledge in MIP [6, 9] requires the (single) verifier to courier an authenticated message between provers. This is not possible with local-verifier LEMIPs. We show that there is a way around that constraint.
By adapting the protocol from [8], we will exhibit a protocol with the following properties:

The provers and verifiers are local: .

The simulators need only access to instances of PR-boxes to work. That is, simply computes indexed instances of PR-boxes. We will abbreviate this as “PR-local.”
Let us call the set of multi-prover protocols with these properties “PR-local , local ”. This implies that “PR-local , local ” .
The generic way of turning an interactive proof into a zero-knowledge one is by running it in committed form [6, 9]. With this technique, provers commit their answers instead of directly responding, and use cryptographic techniques to convince the verifier that the answers are correct.
As shown in section 4.2, the BFL protocol can be turned into a local LEMIP. If we try to turn it into a zero-knowledge LEMIP by having the provers commit their answers (for example using protocol 3.1 as commitment), we run into a problem. In order to achieve zero-knowledge, the provers must ensure that the question receives from is one of the questions which has asked . On the other hand, since the provers and verifiers are local, the provers cannot communicate, nor can they ask the verifiers to courier authenticated messages between them.
Our solution essentially asks the provers to (strongly-universal-2) hash the selected committed answer with a key that is based on the verifier’s question. We force to behave honestly (to ask a question that has asked) by making bad questions meaningless. If the verifiers ask the provers the same question, they will receive the same hash of the same answer. Otherwise, they will receive two unrelated random hash values.
We need the PR commitment (protocol 5.1), which is secure in the local setting as previously proved in [22, 10, 23].
5.1 The Protocols
The following is a PR-type commitment that is perfectly concealing and statistically binding. In general, we use the commitment-box notation “” as the name of a commitment to bit in the next two protocols.
Protocol 5.1
A statistically binding, perfectly concealing commitment protocol to bit .
All parties agree on a security parameter .
and partition their private random tape into two bit strings .
Precomputation phase:
samples two bit strings independently and uniformly, and provides them to .
sends to and sends to .
Commit phase:
commits to as , where is a multiplication in .
sends : .
Unveiling phase:
sends to .
computes if , or if .
rejects if is anything but or , or if and accepts otherwise.
Below is the zero-knowledge, local LEMIP for oracle-3-SAT (Protocol 5.2). The basis of protocol 5.2 is the localized BFL protocol we presented in section 4.2 (details in the appendix). A note on notation: for a circuit , we will denote as the gate-by-gate committed circuit evaluated with x as the input. We also use statements such as “ proves to that was computed correctly”. The reader is expected to be familiar with zero-knowledge computations on committed circuits as put forward by [28, 29, 4, 9].
Protocol 5.2
A local zero-knowledge LEMIP for oracle-3-SAT
Let , an instance of oracle-3-SAT, be the common input, let , and let be the verifier’s program in protocol 6.2 (see appendix).
Precomputation:
samples two bit strings independently and uniformly, and provides them to .
selects random bit strings (size specified implicitly by ) and evaluates the circuit of using the as randomness, resulting in questions , and provides them to
randomly chooses , , the index of an oracle query that will be made to both and . provides to .
sends to and sends to for future commitments.
All parties agree on a family of strongly-universal-2 hash functions indexed by bit keys.
and agree on a bit key , an index to the above family.
commits to .
Sumcheck with oracle:
Let be the arithmetization obtained in protocol 6.1, let be a string from and be strings of as generated in protocol 6.2. and execute protocol 6.1 in committed form. At the end of this phase, shows that the committed final value is equal to
an evaluation in committed form of using the committed values that were used during the protocol’s loop. If this fails, instructs to reject.
Multilinearity test:
For :
sends to ,
commits his answer as .
and evaluate a circuit description of in committed form with inputs to verify proper linearity among them. unveils the circuit’s committed output. If it rejects, instructs to reject.
Consistency test:
sends to .
computes and sends to .
proves to that was computed correctly, from the existing commitments.
unveils for , who gets .
sends to (recall that this was pre-agreed in step 1.(c))
responds to with .
accepts if and only if all of the following conditions are met:
All commitments which have been unveiled are valid.
did not reject in the two previous cases
5.2 Proofs of Security
5.2.1 Locality
Since the protocol is written as an LEMIP in which , the protocol is local by definition 6.
5.2.2 Completeness
5.2.3 Soundness
Without loss of generality, we may assume the soundness error in the BFL protocol to be , through sequential amplification. The probability that our commitment scheme (protocol 5.1) fails binding is exponentially small in . Local probabilistic provers are equivalent to local deterministic provers. This is because the success probability of randomized provers of breaking soundness is an average over the randomized provers’ random tapes. Each instance of a random tape represents a deterministic strategy. Therefore there is a deterministic strategy which succeeds with probability at least , and hence we only need to consider local deterministic provers.
Since is deterministic, we may unambiguously consider what happens if we were to “rewind” the prover machine. Suppose that at some point unveils a particular commitment to . We rewind and let make different choices before that point. Suppose that, with these alternate choices, then unveils to (an attempt to break binding). Because of locality, ’s behavior is independent of what receives (namely ). Therefore, there is only one such which will ultimately accept as a valid unveiling of in both ways (recall that our commitment is statistically binding).
Therefore, in the worst case, for every commitment there exists a sequence of interactions between and such that will attempt to break the binding of that commitment. Each such commitment-breaking corresponds to at most one string that will actually work.
Let us denote the set of such binding-breaking strings by . If , then the provers will not break binding, and the soundness error is reduced to that of the underlying protocol (at most ). On the other hand, since , the probability that is at most .
Therefore, the soundness error of our protocol is at most
5.2.4 Zero-Knowledge
The simulation will be divided in two parts. In the first part, the simulator produces a transcript of the precomputation, multilinearity test and sumcheck with oracle parts, which involves only interactions with . In the second part, the simulator will fake a valid consistency test.
Protocol 5.3
( Perfectly Indistinguishable, PR-Local Simulator for Protocol 5.2, Part 1)
The setup:
Let be a set of locality-explicit simulators.
and can send an index along with a bit.
completes the indexed PR box (protocol 3.1) for both simulators.
The simulation strategy:
The simulators agree on unique indices for every commitment used in the protocol.
interacts with the way would. Whenever should commit, commits to random bits, just like the single-simulator from section 5.
For each commitment, sends a string . sends to the index of the commitment and .
runs the PR box (protocol 3.1) and replies with ’s half of the output.
Whenever needs to unveil a commitment, it can be unveiled in the way desires by sending the corresponding index and bit to .
completes the corresponding PR box which outputs . sends to .
sends to .
The second part (the consistency test) can be done by having the simulators ignore the question.
Protocol 5.4
( Perfectly Indistinguishable, PR-Local Simulator for Protocol 5.2, Part 2)
sends to .
computes .
Using to break binding, convinces that is actually .
unveils for , who gets .
sends to .
responds with .
By the properties of the strongly-universal-2 hash , if then . Otherwise with probability exponentially close to one. This produces the result as desired. The simulators then feed the transcripts to , and terminates simulation.
5.3 Entangled Simulators
The binding condition of commitment used above (protocol 5.1) can be broken given PR boxes. However, if the verifier were willing to tolerate approximately of errors in the provers’ unveiling string ( or ), then it is possible to break binding with shared entanglement [30] while maintaining soundness against local provers. Using this weakened version of commitment in place of protocol 5.1 still yields a local LEMIP for oracle-3-SAT, but one that is easier to simulate (using weaker nonlocal resources). We leave the details of this modified protocol to the reader.
6 Conclusions and Future Work
We close with three open questions.
First, although protocol 5.2 is a local LEMIP, the only known ways of simulating the transcript are to give the simulators some kind of nonlocal resource such as a PR box (or a fully signaling box, but that is not necessary). We do not know whether it is possible to simulate protocol 5.2 with local simulators, but we are unable to show this to be impossible.
Second, as of the time of this writing, it is an open question whether [18]. Under the locality-explicit setup, we ask a slightly more general question: does there exist a correlator and a corresponding LEMIP which accepts a language ? We remind the reader that characterizing the complexity classes of MIPs where the provers have nonlocal resources is generally an open question.
Third, although the verifier’s nonlocal contamination is undesirable (in the standard MIP model) and is the motivation for this work, is it possible to turn it into a resource? For example, given local provers, let the verifier provide them with some nonlocal resources, such as PR boxes or entanglement that can be simulated in polynomial time. This can be seen as “enforceable honest nonlocal resources.” Malicious provers would not be able to use these resources at will. Perhaps this concept would be useful in the design of multiprover protocols.
Acknowledgements
We would like to thank G. Brassard, A. Chailloux, S. Fehr, J. Kilian, S. Laplante, J. Li, A. Leverrier, A. Massenet, S. Ranellucci, L. Salvail, C. Schaffner, and T. Vidick for various discussions about earlier versions of this work. We would also like to thank Jeremy Clark for his insightful comments. Finally, we are grateful to Raphael Phan and Moti Yung for inviting us to publish a lead-up paper to this work as an Insight Paper at MyCrypt 2016.
References
[1] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof-systems,” SIAM. J. Computing, vol. 18, pp. 186–208, Feb. 1989.
[2] L. Babai, “Trading group theory for randomness,” in Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, pp. 421–429, May 1985.
[3] A. Shamir, “IP = PSPACE,” J. ACM, vol. 39, pp. 869–877, Oct. 1992.
[4] R. Impagliazzo and M. Yung, “Direct minimum-knowledge computations,” in Advances in Cryptology: Proceedings of Crypto ’87 (C. Pomerance, ed.), vol. 293, pp. 40–51, Springer-Verlag, 1988.
[5] M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali, and P. Rogaway, “Everything provable is provable in zero-knowledge,” in Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’88, (London, UK), pp. 37–56, Springer-Verlag, 1990.
[6] M. Ben-Or, S. Goldwasser, J. Kilian, and A. Wigderson, “Multi-prover interactive proofs: How to remove intractability assumptions,” in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, (New York, NY, USA), pp. 113–131, ACM, 1988.
[7] L. Fortnow, J. Rompel, and M. Sipser, “On the power of multi-prover interactive protocols,” Theor. Comput. Sci., vol. 134, pp. 545–557, Nov. 1994.
[8] L. Babai, L. Fortnow, and C. Lund, “Nondeterministic exponential time has two-prover interactive protocols,” Comput. Complex., vol. 2, pp. 374–374, Dec. 1992.
[9] J. Kilian, Uses of randomness in algorithms and protocols. MIT Press, 1990.
[10] C. Crépeau, L. Salvail, J.-R. Simard, and A. Tapp, “Two provers in isolation,” in Advances in Cryptology – ASIACRYPT 2011: 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, (Berlin, Heidelberg), pp. 407–430, Springer Berlin Heidelberg, 2011.
[11] J. Kilian, “Personal email communication,” July 2018.
[12] D. Lapidot and A. Shamir, “Fully parallelized multi prover protocols for nexptime (extended abstract),” in 32nd Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 1-4 October 1991, pp. 13–18, IEEE Computer Society, 1991.
[13] U. Feige and L. Lovász, “Two-prover one-round proof systems: Their power and their problems (extended abstract),” in Proceedings of the Twenty-fourth Annual ACM Symposium on Theory of Computing, STOC ’92, (New York, NY, USA), pp. 733–744, ACM, 1992.
[14] D. Lapidot and A. Shamir, “Fully parallelized multi-prover protocols for nexptime,” J. Comput. Syst. Sci., vol. 54, no. 2, pp. 215–220, 1997.
[15] U. Feige and J. Kilian, “Two prover protocols: low error at affordable rates,” in Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, 23-25 May 1994, Montréal, Québec, Canada (F. T. Leighton and M. T. Goodrich, eds.), pp. 172–183, ACM, 1994.
[16] C. Dwork, U. Feige, J. Kilian, M. Naor, and S. Safra, “Low communication 2-prover zero-knowledge proofs for NP,” in Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings (E. F. Brickell, ed.), vol. 740 of Lecture Notes in Computer Science, pp. 215–227, Springer, 1992.
[17] U. Feige and J. Kilian, “Two-prover protocols - low error at affordable rates,” SIAM J. Comput., vol. 30, no. 1, pp. 324–346, 2000.
[18] T. Ito and T. Vidick, “A multi-prover interactive proof for nexp sound against entangled provers,” in Proceedings of the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, FOCS ’12, (Washington, DC, USA), pp. 243–252, IEEE Computer Society, 2012.
[19] Y. T. Kalai, R. Raz, and R. D. Rothblum, “How to delegate computations: The power of no-signaling proofs,” in Proceedings of the Forty-sixth Annual ACM Symposium on Theory of Computing, STOC ’14, (New York, NY, USA), pp. 485–494, ACM, 2014.
[20] A. Chiesa, M. A. Forbes, T. Gur, and N. Spooner, “Spatial isolation implies zero knowledge even in a quantum world,” Electronic Colloquium on Computational Complexity (ECCC), vol. 25, p. 44, 2018.
[21] M. Bellare, U. Feige, and J. Kilian, “On the role of shared randomness in two prover proof systems,” in Third Israel Symposium on Theory of Computing and Systems, ISTCS 1995, Tel Aviv, Israel, January 4-6, 1995, Proceedings, pp. 199–208, IEEE Computer Society, 1995.
[22] A. Kent, “Unconditionally secure bit commitment,” Phys. Rev. Lett., vol. 83, pp. 1447–1450, Aug 1999.
[23] T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, S. Wehner, and H. Zbinden, “Practical relativistic bit commitment,” Phys. Rev. Lett., vol. 115, p. 030502, Jul 2015.
[24] E. Adlam and A. Kent, “Deterministic relativistic quantum bit commitment,” CoRR, vol. abs/1504.00943, 2015.
[25] A. Chailloux and A. Leverrier, “Relativistic (or 2-prover 1-round) zero-knowledge protocol for NP secure against quantum adversaries,” in Advances in Cryptology – EUROCRYPT 2017: 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 – May 4, 2017, Proceedings, Part III, pp. 369–396, Springer International Publishing, 2017.
[26] J. S. Bell, “On the Einstein-Podolsky-Rosen paradox,” Physics, vol. 1, pp. 195–200, 1964.
[27] C. Crépeau and N. Yang, “Multi-prover interactive proofs: Unsound foundations,” in Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology: Second International Conference, Mycrypt 2016, Kuala Lumpur, Malaysia, December 1-2, 2016, Revised Selected Papers, pp. 485–493, Springer International Publishing, 2017.
[28] G. Brassard and C. Crépeau, “Zero-knowledge simulation of boolean circuits (extended abstract),” in Advances in Cryptology: Proceedings of Crypto ’86 (A. M. Odlyzko, ed.), vol. 263, pp. 223–233, Springer-Verlag, 1987.
[29] G. Brassard and C. Crépeau, “Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond,” in Symp. of Found. of Computer Sci., pp. 188–195, IEEE, 1986.
[30] G. Brassard, A. Broadbent, and A. Tapp, “Multi-party pseudo-telepathy,” in Algorithms and Data Structures (F. Dehne, J.-R. Sack, and M. Smid, eds.), (Berlin, Heidelberg), pp. 1–11, Springer Berlin Heidelberg, 2003.
Appendix: Babai, Fortnow and Lund’s MIP for Languages in NEXP
This section describes a variant of the multi-prover protocol for oracle-3-SAT found in [8]. We refer to this as the BFL protocol, or BFL classic.
Definition 9
Let be integers. Let be strings of variables, where and . Let be a Boolean formula in variables. A Boolean function is a 3-satisfying oracle for if
for every string .
is oracle-3-satisfiable if such a function exists.
The Oracle-3-SAT problem asks whether a Boolean formula is oracle-3-satisfiable, where and denote the lengths of and , as above.
Lemma 1
Oracle-3-SAT is complete.
Definition 10
Let be an arbitrary field.
Let be a Boolean function. An arithmetization of is a polynomial such that for all , . A specific one is given in [8], proposition 3.1.
Equivalently, the condition can be replaced with .
Protocol 6.1
(Sumcheck Protocol)
Let be the 3-CNF formula which the prover is trying to show to be a tautology to a verifier . Let be a field of sufficient size (of order at least will suffice where is the number of clauses of ).
takes and computes its arithmetization according to [8] Proposition 3.1 and sends it to .
and agree on a set of size at least where is the degree of .
assigns , which is supposed to be equal to the sum
.
sends the coefficients of the univariate polynomial in ,
checks whether . If not, abort.
chooses a random , computes and sends to .
If then and go to step 4.
checks whether .
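The round structure of Protocol 6.1, as an added worked example (not code from the paper). Assumptions: the sum runs over the Boolean cube, the field is the integers modulo the prime 2^61 - 1, the polynomial `g` is a constructed sample rather than an arithmetized formula, and each round polynomial is sent as its values at 0..deg instead of as coefficients (an equivalent representation).

```python
import random

P = 2**61 - 1  # prime field modulus (assumed; any sufficiently large field works)

def g(x):
    """Constructed sample polynomial in 3 variables, degree <= 2 in each."""
    x1, x2, x3 = x
    return (2 * x1 * x1 * x2 + x2 * x3 + 3 * x1 + 5) % P

def partial_sum(poly, prefix, n):
    """Sum poly over all Boolean settings of the variables that follow `prefix`."""
    free = n - len(prefix)
    total = 0
    for m in range(2 ** free):
        tail = [(m >> i) & 1 for i in range(free)]
        total += poly(prefix + tail)
    return total % P

def honest_round(poly, prefix, n, deg):
    """Honest prover message: the round polynomial, given by its values at 0..deg."""
    return [partial_sum(poly, prefix + [t], n) for t in range(deg + 1)]

def lagrange_eval(ys, r):
    """Evaluate at r the unique polynomial of degree < len(ys) taking value ys[i] at i."""
    total = 0
    for i, yi in enumerate(ys):
        num, den = 1, 1
        for j in range(len(ys)):
            if j != i:
                num = num * (r - j) % P
                den = den * (i - j) % P
        total += yi * num * pow(den, -1, P)
    return total % P

def sumcheck(poly, n, deg, claim, prover=honest_round, rng=random):
    """Verifier loop: True iff every round check and the final evaluation check pass."""
    prefix, current = [], claim % P
    for _ in range(n):
        ys = prover(poly, prefix, n, deg)
        if (ys[0] + ys[1]) % P != current:  # round polynomial must sum to the previous value
            return False
        r = rng.randrange(P)                # verifier's random field element
        current = lagrange_eval(ys, r)      # next value the prover has to justify
        prefix.append(r)
    return poly(prefix) % P == current      # single evaluation of poly closes the chain
```

A prover that shifts its first message to match a false claim passes round one but is caught at the next consistency check, which is the mechanism the soundness bound rests on.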
Protocol 6.2
(Babai, Fortnow and Lund’s MIP for Oracle-3-SAT)
Given as common input.
(sumcheck with oracle) and execute protocol 6.1. Let be ’s questions during this phase.
(multilinearity test) asks to simulate an oracle storing the function . queries with random, linearly related values in . If any response does not satisfy linearity, abort protocol. Let be ’s questions during this phase.
(nonadaptiveness test) chooses uniformly at random an such that and asks to . If ’s answer differs from that of , reject. Otherwise accept.