1 Introduction
An interactive proof is a dialog between two parties: a polynomial-time verifier and an all-powerful prover [1, 2]. They agree ahead of time on some language and a string . The prover wishes to convince the verifier that . If this is true, the prover should succeed almost all the time; if not, the prover should fail almost all the time. This is a generalization of the complexity class , except instead of simply being handed a polynomial-sized witness, the verifier is allowed to quiz the prover. The set of languages that admit an interactive proof is called .
An interactive proof is zero-knowledge if the verifier learns nothing except the truth of “”. This is usually defined by saying that a distinguisher is unable to tell apart a real conversation between the prover and the verifier, and one which is generated by a lone polynomial-time simulator. We will denote sets of zero-knowledge interactive proofs with a bold prefix.
The multi-prover model was introduced in [3]. This model consists of multiple, non-communicating provers talking to a single verifier (the precise meaning of these words shall become a lot clearer throughout the rest of this paper). We will abbreviate “multi-prover interactive proof” as MIP and the set of languages which can be accepted by MIPs as the boldface .
From a complexity perspective, the zero-knowledge aspect of interactive proofs is characterized by for single-prover IPs ([4, 5, 6]), and for multi-prover IPs ([3, 7, 8, 9, 10, 11, 12]). The (conjectured) necessity of complexity assumptions for zero-knowledge in the single-prover case was the initial motivation for the multi-prover model.
1.1 A Cryptographic Perspective
The foundation of zero-knowledge is the idea of a simulator: a machine, with no more power than the verifier, which can pretend to have interacted with all-powerful provers. Obviously, this simulator cannot accomplish this task without some kind of advantage (something independent of knowledge). In single-prover zero-knowledge proofs, this advantage can be in the form of the ability to rewind computation, the ability to discard failed simulations, or knowledge of a trapdoor in a commitment scheme. In multi-prover zero-knowledge proofs, the advantage in existing literature can be summed up as signalling: the simulator, acting in the name of several provers, knows secrets which real provers, in a real instance of the protocol, would not because they are unable to communicate.
From a complexity perspective, this simulator advantage can be anything as long as it is truly independent of knowledge – we do not want to exclude anything a priori. But, in practice, zero-knowledge is ultimately applied cryptography and from a cryptographic perspective, not all advantages are equal.
1.2 Relativistic Motivation
The need for more nuanced simulators is motivated by relativistic cryptography, an example of which can be found in [13]. Relativistic cryptography exploits the fact that it is impossible to signal faster than light. We can enforce the no-signalling condition of MIPs by spatially separating the provers from each other. In order to enforce the provers’ spatial separation during the execution of the protocol, each prover is paired with a verifier of its own, which is located nearby. The verifiers can use the timing of the replies of their respective provers to judge their relative distance.
In practice, this means that we can implement MIPs under relativistic assumptions if the verifier can be “split” into multiple verifiers, each locally interacting with its corresponding prover. An example of relativistic cryptography can be found in [13], where a commitment was sustained for over 24 hours.
Some MIPs have verifiers which, intrinsically, cannot be split. Examples include [3] and [9]. In these examples, the verifier is used to courier an authenticated message between provers. In the relativistic setting, if the verifier has time to pass a message between provers, then the provers just signal between themselves.
Luckily, most MIPs in the literature have verifiers that are non-adaptive. These verifiers’ questions to one prover are independent of the answers from all the provers. MIPs with non-adaptive verifiers can be rewritten into a format with multiple, split verifiers; this format we will call locality-explicit, and will be defined formally in section 4.
As an example of what we mean, consider the following two-prover interactive proof for graph 3-coloring:
Protocol 1.1
(Simple MIP, Single-Verifier)
Two provers , one verifier . On input graph , and agree on a 3-coloring.
asks for the colors of an edge .
asks for the colors of one of the nodes of .
accepts if and only if the colors of that edge from are not equal, and corroborates with ’s answer by replying with the same color for the same node.
In the above protocol, ’s questions to either prover do not depend on answers from any prover. This is what is commonly known as a non-adaptive verifier. We can therefore split the above verifier into a two-verifier version:
Protocol 1.2
(Simple MIP, Multi-Verifier)
Two provers , two verifiers . On input graph , and agree on a 3-coloring, and agree on an edge .
asks for the colors of .
asks for the colors of one of the nodes of .
Post execution, and confer with each other, and accept if and only if the colors of that edge from are not equal, and corroborates with ’s answer by replying with the same color.
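As an added illustration (not code from the paper), the following Python sketch runs protocol 1.2 with its two split verifiers over every pre-agreed choice of edge and endpoint, and shows what a pair of dishonest verifiers sees when the node asked of the second prover is not on the agreed edge. The sample graphs, colorings and function names are constructed for this example.

```python
import random
from fractions import Fraction

# Constructed sample inputs (not from the paper).
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4)]
COLORING = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}           # a proper 3-coloring of EDGES
K4 = [(u, v) for u in range(4) for v in range(u + 1, 4)]
BAD_COLORING = {0: 0, 1: 1, 2: 2, 3: 0}             # K4 is not 3-colorable


def make_provers(coloring, shared_seed):
    """Both provers derive the same color permutation from their shared random tape."""
    perm = [0, 1, 2]
    random.Random(shared_seed).shuffle(perm)
    view = {v: perm[c] for v, c in coloring.items()}

    def p1(edge):          # first prover: colors of both endpoints of the edge
        return view[edge[0]], view[edge[1]]

    def p2(node):          # second prover: color of a single node
        return view[node]

    return p1, p2


def confer(t1, t2):
    """Post-execution check the two verifiers run on their local transcripts."""
    (edge, (cu, cv)), (node, c) = t1, t2
    if node not in edge or cu == cv:
        return False
    return c == (cu, cv)[edge.index(node)]


def acceptance_probability(edges, coloring, shared_seed=0):
    """Exact acceptance probability over the verifiers' pre-agreed (edge, endpoint).

    The questions are fixed before any prover answers (non-adaptive), so each
    verifier only needs its own question and its own prover's reply.
    """
    p1, p2 = make_provers(coloring, shared_seed)
    accepted = 0
    for e in edges:
        for i in (0, 1):
            t1 = (e, p1(e))            # first verifier's local transcript
            t2 = (e[i], p2(e[i]))      # second verifier's local transcript
            accepted += confer(t1, t2)
    return Fraction(accepted, 2 * len(edges))


def off_edge_view(coloring, edge, node, shared_seed):
    """What dishonest verifiers learn when the node asked is outside the agreed edge:
    whether that node shares a color with either endpoint of the edge."""
    p1, p2 = make_provers(coloring, shared_seed)
    cu, cv = p1(edge)
    c = p2(node)
    return c == cu, c == cv


if __name__ == "__main__":
    print("honest provers, 3-colorable graph:", acceptance_probability(EDGES, COLORING))
    print("fixed improper coloring of K4:    ", acceptance_probability(K4, BAD_COLORING))
    # The relation is the same for every fresh permutation, so it is real
    # information about the coloring, not noise.
    print("node 3 vs edge (0, 1):", {off_edge_view(COLORING, (0, 1), 3, s) for s in range(20)})
```

Provers answering from the fixed improper coloring are caught only on the monochromatic edge, which is why a single run accepts with probability 5/6 here and the protocol must be repeated to drive the error down.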
This version of the protocol is naturally suited for relativistic implementation. However, it is not zero-knowledge because even if and agreed on a randomly selected 3-coloring each time, a dishonest verifier may sample a node which is not from . We can make a zero-knowledge, multi-verifier MIP with the help of the following commitment scheme, which is adapted from [3]:
Protocol 1.3
(Multi-Verifier Commitment)
Two provers , two verifiers . The provers share a random string , and the verifiers share a random string . Operations are over a finite field. wishes to commit .
(Commit) sends the string . replies with .
(Unveil) sends the string .
Post execution, the verifiers confer. They accept if and only if or .
Combining protocol 1.3 and the zero-knowledge protocol of [14] gives us a zero-knowledge, multi-verifier MIP.
Protocol 1.4
(ZKMIP, Multi-Verifier)
Two provers , two verifiers . On input graph , and agree on a randomly selected 3-coloring and strings , and agree on an edge and strings .
commits the colouring of to using the , they pre-agreed.
asks to unveil the colours of the edge .
Post execution, and confer with each other, and accept if and only if the commitment is valid, and the colors unveiled are not equal.
What makes this protocol zero-knowledge? In the commitment scheme (protocol 1.3), if has knowledge of , then it can break the commitment by unveiling either way (by sending or as needed). Following the precedents set by existing literature’s definition of zero-knowledge, the (single) simulator, interacting with both verifiers, learns . Therefore it can break the commitment and always unveil a color that will be accepted by the verifiers.
1.3 Simulator’s Advantage
As mentioned, the (single) simulator’s advantage is its ability to interact with both verifiers at once. This is equivalent to having a pair of simulators signaling and, as we will see, is actually a tremendous power. However, it turns out that simulators do not need to signal in order to break the above commitment (section 3); a weaker nonlocal distribution will do. What we wish is to construct a framework in which this “nonlocal advantage” of the simulators can be quantified. We do this in section 4.
To see how much overkill signaling is for the simulators, imagine that in the above protocol, the distinguisher were able to eavesdrop on the “conversation” between the (possibly malicious) verifiers and black boxes, inside of which are either real provers, or simulators. This is giving the distinguisher more power than simply reading a transcript; and yet, the (signaling) simulators can succeed not only in generating the transcript, but behave as if they were provers in real-time. If we consider existing zero-knowledge as “transcript-indistinguishable”, then we may consider this as “eavesdrop-indistinguishable”. We will leave these terms undefined (as intuition) as they are not the focus of this work.
1.4 Our Contributions
In this work, we propose a framework for writing MIPs which is naturally suited for implementation and analysis under relativistic assumptions. We discuss how this framework extends naturally to zero-knowledge protocols and quantifies the nonlocal advantage which simulators use in many ZKMIPs. We show that can be accepted by MIPs in this form, and discuss the relationship between simulators’ nonlocal advantage and soundness.
We exhibit a MIP for which, if is zero-knowledge, then cannot be sound; we introduce this as a tool for proving impossibility results of soundness against no-signalling provers but it could be used for any nonlocality class similarly.
2 Previous Work
The early work by Ben-Or, Goldwasser, Kilian and Wigderson asserting that from [3] and [9] use multi-round protocols and their (honest) verifiers are inherently signaling. This is precisely why we address the situation in this work. Proving soundness is quite subtle in this case because the provers could use the (signaling) verifier to break binding of the commitments. In particular, soundness will not be valid if the protocol is composed concurrently with other executions of itself or even used as a subroutine. In recent conversations with Kilian [15], we have learned that controlling the impact of this signaling (via the verifier) has been a concern since the early days of MIPs. The protocols as they are might be sound but it is not fully proven anywhere in writing. However, it is also clear that no considerations had been given to the fact that general nonlocal correlations are possible via the verifier. If soundness rests on the binding property of a commitment scheme (such as those zero-knowledge proofs) and this binding property rests on the inability to achieve a certain nonlocal correlation then impossibility to achieve this correlation via the verifier must be demonstrated. It is not done or hinted in these papers.
The multi-round issue we address may seem trivial because it is a known fact that multi-round MIPs may be reduced to a single round using techniques of Lapidot-Shamir [16] and Feige-Lovasz [17]. Nevertheless, if interested in zero-knowledge MIPs, commitment schemes are generally used to obtain the zero-knowledge property and thus the single-round structure is lost in the process. Although single-round protocols bypass verifier’s nonlocal contamination problems we describe in this work, converting multi-round protocols into single-round ones is highly inefficient and complex. Preserving zero-knowledge while achieving single-round has turned out to be a major challenge. Practically, keeping a multi-round protocol’s structure, using only commitments to achieve zero-knowledge is very appealing.
In [16], Lapidot-Shamir proposed a parallel ZKMIP for , but they removed the zero-knowledge claim in the journal version [18] of their work without any explanation as to why. Feige and Kilian [10] were the last ones to follow this approach combining techniques drawn from Lapidot-Shamir [16], Feige-Lovasz [17] and Dwork, Feige, Kilian, Naor, and Safra [11] to achieve a “2-prover 1-round 0-knowledge” proof for . As far as we can tell, this is the only paper in the ZKMIP literature that appears to avoid the multi-round problems and the nonlocal contamination that we discuss. However, note that the analysis of [10] is partly based on that of [16], and the journal version of Feige-Kilian [12] does not contain their prior claim of zero-knowledge either. All other ZKMIPs for in the literature are multi-round, and thus our analysis applies to them.
Similar issues are possible using more recent results such as Ito-Vidick’s proof [19] that , Kalai, Raz and Rothblum’s proof [20] that and Natarajan-Wright’s proof [21] that . The reason why these multi-round constructions may maintain their soundness despite the potential nonlocality contamination (via the verifier) is the non-adaptive nature of their verifiers. Non-adaptive verifiers cannot take advantage of information acquired in recent rounds to construct new questions to the provers: all their questions are pre-established before the interaction with the provers starts. This is a special, simpler case of local verifiers. Nowhere in this large literature can one find a single statement observing the non-adaptiveness of the verifiers and its importance to guarantee soundness of those MIPs. Moreover, their multi-round structure requires that any straightforward extensions to or via commitment schemes be analyzed very carefully and the locality of the resulting verifiers be re-established. This is part of the reason why the ZK version did not follow easily. Recently, Chiesa, Forbes, Gur, and Spooner [22] discovered a proof that . Their construction is based on refinements of Ito-Vidick’s proof and along the lines of Feige-Kilian, building on algebraic structures to bypass the need of commitment schemes. Unfortunately, this work is so complicated that we are unable to assess whether their verifier is actually non-adaptive. And of course, this is not mentioned or proven anywhere nor available from the authors… At the time of writing this paper, we just found out that indeed as proven by Grilo, Slofstra and Yuen [23].
Bellare, Feige, and Kilian [24] considered a multi-verifier model similar to ours in order to analyze the role of randomness in multi-prover proofs. This is completely unrelated to our goal of analyzing verifier nonlocal contamination. Finally, the notion of relativistic commitment schemes put forward by Kilian [25] and Kent [26] leads to several results [13, 27, 28] where a similar multi-verifier model is necessary in order to assess spatial separation of the provers. The new (nonlocal) zero-knowledge definition is 100% fresh from this work. No prior work exists at all.
3 The Standard MIP Model
Multi-prover interactive proofs were introduced in [3]. The intuition for their model was that of a detective interrogating two suspects held in different rooms. This was formalized as follows:
Definition 1
Let be computationally unbounded Turing machines and let be a probabilistic polynomial-time TM. All machines have a read-only input tape, a read-only auxiliary-input tape, a private work tape and a random tape. The ’s share a joint, infinitely long, read-only random tape. Each has a write-only communication tape to , and vice-versa. We call a prover IP, or multi-prover interactive proof (MIP). This model is essentially equivalent to that of Bell [29] who introduced his famous Bell’s inequality to distinguish local parties from entangled parties.
Zero-knowledge MIPs were also defined in [3]:
Definition 2
Let be a k-prover IP for language . Let denote the verifier’s incoming and outgoing messages with the provers, and his coin tosses (we ignore auxiliary inputs because we are not going to discuss composition). We say that is perfect zero-knowledge for if there exists an expected polynomial-time machine such that for all , and are identically distributed.
Let us call the above two definitions the standard MIP model. There have also been augmentations of the model by giving the provers various nonlocal resources, such as entanglement [19], or arbitrary no-signaling power [20].
Of specific interest to us are standard MIPs which have verifiers that are non-adaptive.
Definition 3
A verifier is non-adaptive if the verifier’s questions depend only on its random coins and the input . A MIP with a non-adaptive verifier is a non-adaptive MIP.
Some zero-knowledge MIPs such as [9] require that the verifier courier an authenticated message between the provers in order to obtain soundness while ensuring zero-knowledge. The gist of it goes like this:
1. asks some questions.
2. wants to check one of ’s answers with for consistency.
3. In order for zero-knowledge to hold, must ask a question it has already asked .
4. authenticates a question with a key that was committed at the beginning of the protocol and sends it to .
5. sends the question and the authentication to , who proceeds only if it succeeds.
Steps 4 and 5 consist of sending a message from to . This is problematic under relativistic assumptions, as discussed in the introduction. Therefore, the no-signaling assumption of standard MIPs is not immediately compatible with the no-faster-than-light-signaling assumption of relativity.
4 Locality-Explicit MIP
We define a framework for writing MIPs guaranteeing compatibility with relativistic assumptions. This framework uses multiple verifiers, each of which talks to a single prover; in turn, each prover talks to that single verifier. There are no communication tapes between the verifiers, nor are there between provers. There is a special verifier which only reads the outputs of the other verifiers; this is the verifier that will decide to accept or reject membership to . We call this model “locality-explicit” since the provers and verifiers are explicitly local.
Any correlational resources available are explicitly specified via a supplementary correlator named for the provers and for the verifiers. Examples of these resources include entanglement, no-signalling distributions, or slower-than-light signalling.
Definition 4
An interactive Turing machine (ITM) is augmented with the following tapes:
read-only incoming communication tapes.
write-only outgoing communication tapes.
Private work, auxiliary-input, and random tapes.
An ITM can signal to ITM if ’s write-only outgoing tape is ’s read-only incoming tape.
Definition 5
Let be a tuple of ITMs, where the ’s are computationally all-powerful and the ’s are polynomial-time. For each , there are two-way communication tapes between and , and that for all , there is a two-way communication tape between and and also between and . In addition, for each , there is a read-only tape going from to (where reads). Then, this is said to be a locality-explicit multi-prover interactive proof.
We call and correlators and say that the provers and verifiers are local and local respectively. We define the class of all MIPs with such correlators .
It is perhaps easier to understand our definition with the help of figure 1.
The solid lines represent two-way communication and the dashed arrows represent one-way communication, with the arrow indicating the direction of information flow.
We can define that an LEMIP accepts a language if the usual soundness and completeness conditions hold:
Definition 6
An LEMIP accepts a language if and only if
(completeness) ,
(soundness) ,
where is the read-only tape from to at the end of ’s interaction with (or ) on input .
Note that we do not quantify over (nor ), as we want to use them not as (possibly malicious) participants to the protocol, but as a description of correlational resources available to the provers and verifiers.
Definition 7
An LEMIP is local if and all of the provers’ (resp. verifiers’) random tapes are initialized with the same uniformly random string (resp. verifiers with another, independent uniformly random string ). (By we mean the empty correlator that provides everyone with nothing at all as output, whatever the input is.)
MIPs in the standard model (with local provers) are equivalent to LEMIPs where and acts as a bulletin board. That is, a single verifier communicating with multiple provers is equivalent to multiple verifiers individually communicating with a local prover and each among themselves.
Lemma 1
If a MIP is non-adaptive, then there exists a local LEMIP which accepts it.
This is obvious as a non-adaptive verifier’s questions are decided ahead of time, once its random coins are fixed. Therefore, we may split the verifier into one for each prover with a list of predetermined questions.
4.1 Zero-Knowledge LEMIPs
As discussed in the introduction, zero-knowledge is defined by simulations. The simulators of single-prover IPs and standard MIPs are equal to the verifier in computational power, but they do have “advantages” – such as the ability to rewind computation.
LEMIPs make explicit a new advantage for the simulator: nonlocal correlations, a very powerful advantage. Using the correct nonlocal correlations, simulators do not need to rewind, do not need to pretend to be multiple (isolated) provers, and do not need to know any commitment-breaking secrets. In short, they do not need to signal. Multiple, no-signaling simulators can even produce transcripts in “real-time” (example will follow) if the proper correlations are used.
Definition 8
Let be a tuple of polynomial-time ITMs. Each machine has a random tape, and every random tape is initialized with the same random bits. For , there is a two-way communication tape between and . There are no communication tapes between any of the ’s. Then this is called a tuple of locality-explicit simulators and is the locality class of , which will be abbreviated local.
Definition 9
Let be an LEMIP for language . If there exists a tuple of locality-explicit simulators , such that for all verifiers , such that for all the transcripts of conversations
and those generated by
are identically distributed, then we say that is a local perfect zero-knowledge LEMIP for . Note that the simulators are responsible for using , if necessary, to ensure that the verifier oracles receive the necessary inputs (each simulator is restricted to oracle calls to its own corresponding ).
We will denote the set of all ZK LEMIPs where the provers, verifiers, and simulators are local, local, and local by
Let be sets of correlators. We will denote, by convention,
as the set of all ZK LEMIPs where each correlator comes from each of the respective sets.
Our motivations for the above definition are twofold.
First, a simulator (or simulators) should not have more power than necessary. If two local simulators can output for two local verifiers, then it is not necessary to have a single simulator (equivalent to two signaling simulators) do the job. In general, finding the minimal that will allow simulation establishes how little extra is needed to obtain the zero-knowledge property.
Second, the nonlocality of simulators is a characterization of the resilience of zero-knowledge. A protocol with local simulators which can withstand arbitrary (malicious) verifiers is more resilient than one in which signaling simulators are needed.
This may be of practical interest, if transcripts are timestamped. For example, under the relativistic assumption that one may not signal faster-than-light, one may be able to distinguish two spatially separated simulators from two spatially separated verifiers, if the simulators need to signal (transmit a commitment-breaking secret) in order to generate a transcript. On the other hand, if two entangled simulators are sufficient to produce the transcript, then they are indistinguishable from real verifiers and provers. Our protocol 5.3 can be modified as to let entangled simulators do their work, without needing PR-boxes or signaling. Details in section 5.
The complexity of LEMIPs is the same as that of MIP, namely:
Theorem 4.1
There exists a LEMIP which accepts .
5 Zero-Knowledge LEMIP for
The question which follows naturally is whether there exists a zero-knowledge, local LEMIP for where . By adapting the protocol from [8], we will exhibit a protocol with the following properties:
The provers and verifiers are local: .
The simulators need only access to instances of boxes to work. That is, simply computes indexed instances of boxes. We will abbreviate this as “local.”
We may succinctly summarize the above as:
Theorem 5.1
, where denotes a correlator which simply computes boxes for the simulators.
We prove the above theorem by constructing an LEMIP with the right properties: protocol 5.3. The generic way of turning an interactive proof into a zero-knowledge one is by running it in committed form [3, 9]. With this technique, provers commit their answers instead of directly responding, and use cryptographic techniques to convince the verifier that the answers are correct. As argued previously, this is not possible to enforce from relativistic assumptions alone.
Our solution essentially asks the provers to (strongly-universal-2) hash the selected committed answer with a key that is based on the verifier’s question. We force to behave honestly (to ask a question that has asked) by making bad questions meaningless. If the verifiers ask the provers the same question, they will receive the same hash of the same answer. Otherwise, they will receive two independent random hash values.
The type commitment (protocol 5.2) is secure in the local setting as previously proved in [26, 30, 13]. It is perfectly concealing and statistically binding. In general, we use the commitment-box notation as the name of a commitment to bit in the next two protocols.
Protocol 5.2
A statistically binding, perfectly concealing commitment protocol to bit .
All parties agree on a security parameter .
and partition their private random tape into two bit strings .
Precomputation phase:
samples two bit strings independently and uniformly, and provides them to .
sends to and sends to .
Commit phase:
commits to as , where is a multiplication in .
sends : .
Unveiling phase:
sends to .
computes if , or if .
rejects if is anything but or , or if and accepts otherwise.
A note on notation: for a circuit , we will denote as the gate-by-gate committed circuit evaluated with x as the input. We also use statements such as “ proves to that was computed correctly”. The reader is expected to be familiar with zero-knowledge computations on committed circuits as put forward by [31, 32, 5, 9].
Protocol 5.3
A local zero-knowledge LEMIP for oracle3SAT
Let , an instance of oracle3SAT, be the common input, let , and let be the verifier’s program in protocol 0.B (see appendix).
Precomputation:
samples two bit strings independently and uniformly, and provides them to .
selects random bit strings (size specified implicitly by ) and evaluates the circuit of using the as randomness, resulting in questions , and provides them to
randomly chooses , , the index of an oracle query that will be made to both and . provides to .
sends to and sends to for future commitments.
All parties agree on a family of strongly-universal-2 hash functions indexed by bit keys.
and agree on a bit index to the above family. commits to .
Sumcheck with oracle:
Let be the arithmetization obtained in protocol 0.B.1, let be a string from and be strings of as generated in protocol 0.B. and execute protocol 0.B.1 in committed form. At the end of this phase, shows that the committed final value is equal to
an evaluation in committed form of using the committed values that were used during the protocol’s loop. If this fails, instructs to reject.
Multilinearity test:
For :
sends to ,
commits his answer as .
and evaluate a circuit description of in committed form with inputs to verify proper linearity among them. unveils the circuit’s committed output. If it rejects, instructs to reject.
Consistency test:
sends to .
computes and sends to .
proves to that was computed correctly, from the existing commitments.
unveils for , who gets .
sends to (recall that this was pre-agreed in step 1.(c))
responds to with .
accepts if and only if all of the following conditions are met:
All commitments which have been unveiled are valid.
did not reject in the two previous cases.
The proofs of security can be found in appendix 0.A.
5.1 Minimal Simulator Advantage
What is the minimal simulator advantage needed for achieving zero-knowledge for ?
It is clear that signalling simulators can succeed in the above protocol. This is the zero-knowledge simulator of standard MIPs. We can summarize this as
where is a signalling correlator.
Signalling is however unnecessary, as the binding condition of commitment used above (protocol 5.2) can be broken given boxes. This is what the proof of security shows in appendix 0.A. Thus, the simulator’s advantage can be lowered to boxes, or
If the verifiers were willing to tolerate approximately of errors in the provers’ unveiling string ( or ), then it is possible to break binding with shared entanglement [33] while maintaining soundness against local provers. Making this slight change in the protocol reduces the simulator advantage further:
where denotes polynomial amount of shared entanglement for the simulators.
Ideally, the simulators would not need any nonlocal advantage over the verifiers. However, we are unable to find a zero-knowledge MIP where the simulators are local which can accept , or prove that it is impossible. We make the following conjecture:
Conjecture 1
, where is the set of languages with statistical zero-knowledge interactive proofs without computational assumptions (i.e., graph isomorphism).
5.2 Soundness Against No-Signalling Provers
As a further example of the drastic differences between MIP simulators’ nonlocal advantages and single-prover IP simulators’ advantages (e.g., rewinding), consider the following:
Theorem 5.4
Suppose that the provers in protocol 5.3 have access to PR-boxes (thus they are no-signalling, but not local), then the protocol is not sound.
Proof
The provers adopt the simulators’ strategy. Since commitment binding is broken with the aid of PR-boxes, the verifiers will always accept.
This is the sense in which we earlier distinguished “eavesdrop-indistinguishable” from “transcript-indistinguishable”. A prover having the ability to rewind computations, although enough for simulators in IPs, is not enough to break soundness. We will generalize the above theorem in a future work, on the relationship between zero-knowledge and soundness.
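As an added example (not code from the paper), the Python sketch below runs the bit commitment of protocols 1.3 and 5.2 against the unveiling strategies discussed above: local provers, a signalling simulator that learns the verifiers' string, and no-signalling simulators sharing PR-boxes, which is also the prover strategy in the proof of theorem 5.4. The concrete formulas (commit message y = b·r XOR w over n-bit strings, acceptance when y XOR w is 0 or r), the 64-bit parameter and all names are assumptions of this example.

```python
import secrets

N = 64                      # security parameter in bits (assumed value)
ALL_ONES = (1 << N) - 1


def sample_challenge():
    """Verifiers' shared string r; nonzero so that the two unveilings differ."""
    return secrets.randbelow(ALL_ONES) + 1


def commit(b, r, w):
    """First prover's commit message: y = b*r XOR w (b*r is r if b == 1, else 0)."""
    return (r if b else 0) ^ w


def verify(y, r, w_unveiled):
    """Verifiers confer after execution: the unveiled bit, or None to reject."""
    d = y ^ w_unveiled
    if d == 0:
        return 0
    if d == r:
        return 1
    return None


def honest_run(b):
    r, w = sample_challenge(), secrets.randbits(N)   # w is the provers' shared string
    y = commit(b, r, w)                              # sent to the first verifier
    return verify(y, r, w)                           # second prover unveils w


def local_cheat():
    """Local second prover tries to unveil 1 after an honest commitment to 0.
    It needs w XOR r but never sees r, so it can only guess (success ~ 2**-N)."""
    r, w = sample_challenge(), secrets.randbits(N)
    y = commit(0, r, w)
    guess = secrets.randbits(N)
    return verify(y, r, w ^ guess) == 1


def signalling_unveil(b_late):
    """Single simulator talking to both verifiers: it knows r when it unveils."""
    r = sample_challenge()
    y = secrets.randbits(N)                  # commit message, fixed before b_late is used
    w = y ^ (r if b_late else 0)             # uses r, i.e. a signal from the commit side
    return verify(y, r, w)


class PRBoxes:
    """N parallel PR-boxes: outputs satisfy a XOR c == x AND y bitwise, and each
    side's output alone is uniform, so neither input can be read by the other side."""

    def __init__(self):
        self._inp, self._out = {}, {}

    def use(self, side, value):
        other = 1 - side
        if other in self._inp:               # second user: complete the correlation
            out = self._out[other] ^ (self._inp[other] & value)
        else:                                # first user: fresh uniform output
            out = secrets.randbits(N)
        self._inp[side], self._out[side] = value, out
        return out


def pr_box_unveil(b_late):
    """Two no-signalling simulators: the first never learns b_late, the second
    never learns r, yet the unveiling of b_late is always accepted."""
    r = sample_challenge()
    box = PRBoxes()
    y = box.use(0, r)                                # commit-side simulator feeds in r
    w = box.use(1, ALL_ONES if b_late else 0)        # unveil-side simulator feeds in b
    return verify(y, r, w)


if __name__ == "__main__":
    print("honest:", honest_run(0), honest_run(1))
    print("local cheat succeeded:", local_cheat())
    print("signalling:", signalling_unveil(0), signalling_unveil(1))
    print("PR-boxes:", pr_box_unveil(0), pr_box_unveil(1))
```

The PR-box run works in either order of use, which is why simulators holding such boxes can answer in real time without exchanging any message.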
5.2.1 Another Example
In appendix E a zero-knowledge protocol for is extracted from [34]. This protocol is not only sound against local provers but also against entangled provers. It is zero-knowledge in both cases. However, since the ZK simulator (also provided in appendix E) can be implemented as no-signalling simulators, this same protocol cannot be sound against no-signalling provers since they can adopt exactly the simulators’ strategy.
6 Conclusions and Future Work
Zero-knowledge simulators need advantages in order to function. In the case of MIPs, it was always implicitly assumed this advantage is necessarily signaling. We have shown that this is not true, and that this aspect of zero-knowledge remains unexplored. LEMIPs make this explicit, while providing a template for relativistic implementations of the no-signaling assumption.
We close with three open questions.
First, although the provers and verifiers of protocol 5.3 are local, the simulators are not – they use PR-boxes. We do not know whether it is possible to simulate protocol 5.3 with local simulators. In fact, we conjecture that there does not exist a protocol for any language outside .
Second, as we have sketched out in section 5.1, by weakening the commitment scheme used, we get . What is a minimal such that ?
Third, what is the relationship between zero-knowledge and soundness in MIPs? As we have shown in section 5.2, some simulators’ strategy can be adopted by provers to break soundness, if only the provers had some additional (in this case, nonlocal) resources. Is there a relationship between the nonlocal resources needed to achieve zero-knowledge and those that are forbidden in order to achieve soundness?
Acknowledgements
We would like to thank G. Brassard, A. Chailloux, S. Fehr, J. Kilian, S. Laplante, J. Li, A. Leverrier, A. Massenet, S. Ranellucci, L. Salvail, C. Schaffner, and T. Vidick for various discussions about earlier versions of this work. We would also like to thank Jeremy Clark for his insightful comments. Finally, we are grateful to Raphael Phan and Moti Yung for inviting us to publish a lead-up paper to this work as an Insight Paper at MyCrypt 2016.
References
[1] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof-systems,” SIAM. J. Computing, vol. 18, pp. 186–208, Feb. 1989.
[2] L. Babai, “Trading group theory for randomness,” in Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, pp. 421–429, May 1985.
[3] M. Ben-Or, S. Goldwasser, J. Kilian, and A. Wigderson, “Multi-prover interactive proofs: How to remove intractability assumptions,” in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, (New York, NY, USA), pp. 113–131, ACM, 1988.
[4] A. Shamir, “IP = PSPACE,” J. ACM, vol. 39, pp. 869–877, Oct. 1992.
[5] R. Impagliazzo and M. Yung, “Direct minimum-knowledge computations,” in Advances in Cryptology: Proceedings of Crypto ’87 (C. Pomerance, ed.), vol. 293, pp. 40–51, Springer-Verlag, 1988.
[6] M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali, and P. Rogaway, “Everything provable is provable in zero-knowledge,” in Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’88, (London, UK, UK), pp. 37–56, Springer-Verlag, 1990.
[7] L. Fortnow, J. Rompel, and M. Sipser, “On the power of multi-prover interactive protocols,” Theor. Comput. Sci., vol. 134, pp. 545–557, Nov. 1994.
[8] L. Babai, L. Fortnow, and C. Lund, “Nondeterministic exponential time has two-prover interactive protocols,” Comput. Complex., vol. 2, pp. 374–374, Dec. 1992.
[9] J. Kilian, Uses of randomness in algorithms and protocols. MIT Press, 1990.
[10] U. Feige and J. Kilian, “Two prover protocols: low error at affordable rates,” in Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, 23-25 May 1994, Montréal, Québec, Canada (F. T. Leighton and M. T. Goodrich, eds.), pp. 172–183, ACM, 1994.
[11] C. Dwork, U. Feige, J. Kilian, M. Naor, and S. Safra, “Low communication 2-prover zero-knowledge proofs for NP,” in Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings (E. F. Brickell, ed.), vol. 740 of Lecture Notes in Computer Science, pp. 215–227, Springer, 1992.
[12] U. Feige and J. Kilian, “Two-prover protocols - low error at affordable rates,” SIAM J. Comput., vol. 30, no. 1, pp. 324–346, 2000.
[13] T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, S. Wehner, and H. Zbinden, “Practical relativistic bit commitment,” Phys. Rev. Lett., vol. 115, p. 030502, Jul 2015.
[14] O. Goldreich, S. Micali, and A. Wigderson, “Proofs that yield nothing but their validity or all languages in np have zero-knowledge proof systems,” J. ACM, vol. 38, pp. 690–728, July 1991.
[15] J. Kilian, “Personal email communication,” July 2018.
[16] D. Lapidot and A. Shamir, “Fully parallelized multi prover protocols for nexptime (extended abstract),” in 32nd Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 1-4 October 1991, pp. 13–18, IEEE Computer Society, 1991.
[17] U. Feige and L. Lovász, “Two-prover one-round proof systems: Their power and their problems (extended abstract),” in Proceedings of the Twenty-fourth Annual ACM Symposium on Theory of Computing, STOC ’92, (New York, NY, USA), pp. 733–744, ACM, 1992.
[18] D. Lapidot and A. Shamir, “Fully parallelized multi-prover protocols for nexptime,” J. Comput. Syst. Sci., vol. 54, no. 2, pp. 215–220, 1997.
[19] T. Ito and T. Vidick, “A multi-prover interactive proof for nexp sound against entangled provers,” in Proceedings of the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, FOCS ’12, (Washington, DC, USA), pp. 243–252, IEEE Computer Society, 2012.
[20] Y. T. Kalai, R. Raz, and R. D. Rothblum, “How to delegate computations: The power of no-signaling proofs,” in Proceedings of the Forty-sixth Annual ACM Symposium on Theory of Computing, STOC ’14, (New York, NY, USA), pp. 485–494, ACM, 2014.
[21] A. Natarajan and J. Wright, “ in *,” CoRR, vol. abs/1904.05870, 2019.
[22] A. Chiesa, M. A. Forbes, T. Gur, and N. Spooner, “Spatial isolation implies zero knowledge even in a quantum world,” Electronic Colloquium on Computational Complexity (ECCC), vol. 25, p. 44, 2018.
[23] A. B. Grilo, W. Slofstra, and H. Yuen, “Perfect zero knowledge for quantum multi-prover interactive proofs,” CoRR, vol. abs/1905.11280, 2019.
[24] M. Bellare, U. Feige, and J. Kilian, “On the role of shared randomness in two prover proof systems,” in Third Israel Symposium on Theory of Computing and Systems, ISTCS 1995, Tel Aviv, Israel, January 4-6, 1995, Proceedings, pp. 199–208, IEEE Computer Society, 1995.
[25] J. Kilian, “Strong separation models of multi prover interactive proofs,” in DIMACS Workshop on Cryptography, 1990.
[26] A. Kent, “Unconditionally secure bit commitment,” Phys. Rev. Lett., vol. 83, pp. 1447–1450, Aug 1999.
[27] E. Adlam and A. Kent, “Deterministic relativistic quantum bit commitment,” CoRR, vol. abs/1504.00943, 2015.
[28] A. Chailloux and A. Leverrier, “Relativistic (or 2-prover 1-round) zero-knowledge protocol for NP secure against quantum adversaries,” in Advances in Cryptology – EUROCRYPT 2017: 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 – May 4, 2017, Proceedings, Part III, pp. 369–396, Springer International Publishing, 2017.
[29] J. S. Bell, “On the Einstein-Podolsky-Rosen paradox,” Physics, vol. 1, pp. 195–200, 1964.
[30] C. Crépeau, L. Salvail, J.-R. Simard, and A. Tapp, “Two provers in isolation,” in Advances in Cryptology – ASIACRYPT 2011: 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, (Berlin, Heidelberg), pp. 407–430, Springer Berlin Heidelberg, 2011.
[31] G. Brassard and C. Crépeau, “Zero-knowledge simulation of boolean circuits (extended abstract),” in Advances in Cryptology: Proceedings of Crypto ’86 (A. M. Odlyzko, ed.), vol. 263, pp. 223–233, Springer-Verlag, 1987.
[32] G. Brassard and C. Crépeau, “Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond,” in Symp. of Found. of Computer Sci., pp. 188–195, IEEE, 1986.
[33] G. Brassard, A. Broadbent, and A. Tapp, “Multi-party pseudo-telepathy,” in Algorithms and Data Structures (F. Dehne, J.-R. Sack, and M. Smid, eds.), (Berlin, Heidelberg), pp. 1–11, Springer Berlin Heidelberg, 2003.
[34] C. Crépeau, A. Y. Massenet-Oshima, L. Salvail, L. S. Stinchcombe, and N. Yang, “Zero-knowledge s for sound against entangled provers using a tiny amount of commitments,” in (submitted to) Theory of Cryptography, Springer International Publishing, 2019.
[35] A. Acín, T. Fritz, A. Leverrier, and A. B. Sainz, “A combinatorial approach to nonlocality and contextuality,” Communications in Mathematical Physics, vol. 334, pp. 533–628, Mar 2015.
[36] H. Barnum, C. A. Fuchs, J. M. Renes, and A. Wilce, “Influence-free states on compound quantum systems,” CoRR, vol. quant-ph/0507108v1, 2005.
[37] J. Barrett, N. Linden, S. Massar, S. Pironio, S. Popescu, and D. Roberts, “Nonlocal correlations as an information-theoretic resource,” Phys. Rev. A, vol. 71, p. 022101, Feb 2005.
[38] M. Forster and S. Wolf, “Bipartite units of nonlocality,” Phys. Rev. A, vol. 84, p. 042112, Oct 2011.
[39] T. Ito, H. Kobayashi, D. Preda, X. Sun, and A. C. Yao, “Generalized tsirelson inequalities, commuting-operator provers, and multi-prover interactive proof systems,” in Proceedings of the 23rd Annual IEEE Conference on Computational Complexity, CCC 2008, 23-26 June 2008, College Park, Maryland, USA, pp. 187–198, IEEE Computer Society, 2008.
[40] C. Crépeau and N. Yang, “Multi-prover interactive proofs: Unsound foundations,” in Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology: Second International Conference, Mycrypt 2016, Kuala Lumpur, Malaysia, December 1-2, 2016, Revised Selected Papers, pp. 485–493, Springer International Publishing, 2017.
Appendix 0.A Proofs of Security for Protocol 5.3
0.a.0.1 Locality
Since the protocol is written as an LEMIP in which , the protocol is local by definition 7.
0.a.0.2 Completeness
0.a.0.3 Soundness
Without loss of generality, we may assume the soundness error in the BFL protocol to be , through sequential amplification. The probability that our commitment scheme (protocol 5.2) fails binding is exponentially small in . Local probabilistic provers are equivalent to local deterministic provers. This is because the success probability of randomized provers of breaking soundness is an average over the randomized provers’ random tapes. Each instance of a random tape represents a deterministic strategy. Therefore there is a deterministic strategy which succeeds with probability at least , and hence we only need to consider local deterministic provers.
Since is deterministic, we may unambiguously consider what happens if we were to “rewind” the prover machine. Suppose that at some point unveils a particular commitment to . We rewind and let make different choices before that point. Suppose that, with these alternate choices, then unveils to (an attempt to break binding). Because of locality, ’s behavior is independent of what receives (namely ). Therefore, there is only one such which will ultimately accept as a valid unveiling of in both ways (recall that our commitment is statistically binding).
Therefore, in the worst case, for every commitment there exists a sequence of interactions between and such that will attempt to break the binding of that commitment. Each such commitment-breaking corresponds to at most one string that will actually work.
Let us denote the set of such binding-breaking strings by . If , then the provers will not break binding, and the soundness error is reduced to that of the underlying protocol (at most ). On the other hand, since , the probability that is at most .
Therefore, the soundness error of our protocol is at most
0.a.0.4 Zero-Knowledge
The simulation will be divided in two parts. In the first part, the simulator produces a transcript of the precomputation, multilinearity test and sumcheck with oracle parts, which involves only interactions with . In the second part, the simulator will fake a valid consistency test.
Protocol 0.A.1
( Perfectly Indistinguishable, Local Simulator for Protocol 5.3, Part 1)
The setup:
Let be a set of locality-explicit simulators.
and can send an index along with a bit.
completes the indexed box (protocol 5.2) for both simulators.
The simulation strategy:
The simulators agree on unique indices for every commitment used in the protocol.
interacts with the way would. Whenever should commit, commits to random bits, just like the singlesimulator from section 5.
For each commitment, sends a string . sends to the index of the commitment and .
runs the box (protocol 5.2) and replies with ’s half of the output.
Whenever needs to unveil a commitment, it can be unveiled in the way desires by sending the corresponding index and bit to .
completes the corresponding box which outputs . sends to .
sends to .
The second part (the consistency test) can be done by having the simulators ignore the question.
Protocol 0.A.2
( Perfectly Indistinguishable, Local Simulator for Protocol 5.3, Part 2)
sends to .
computes .
Using to break binding, convinces that is actually .
unveils for , who gets .
sends to .
responds with .
By the properties of the strongly-universal-2 hash , if then . Otherwise with probability exponentially close to one. This produces the result as desired. The simulators then feed the transcripts to , and terminates simulation.
Appendix 0.B Babai, Fortnow and Lund’s MIP for Languages in NEXP
This section describes a variant of the multi-prover protocol for oracle-3-SAT found in [8]. We refer to this as the BFL protocol, or BFL classic.
Definition 10
Let be integers. Let be strings of variables, where and . Let be a Boolean formula in variables. A Boolean function is a 3-satisfying oracle for if
for every string .
is oracle-3-satisfiable if such a function exists.
The Oracle-3-SAT problem asks whether a Boolean formula is oracle-3-satisfiable, where and denote the lengths of and , as above.
Lemma 2
Oracle-3-SAT is complete.
Definition 11
Let be an arbitrary field.
Let be a Boolean function. An arithmetization of is a polynomial such that for all , . A specific one is given in [8], proposition 3.1 .
Equivalently, the condition can be replaced with .
Protocol 0.B.1
( Sumcheck Protocol )
Let be the 3CNF formula which the prover is trying to show to be a tautology to a verifier . Let be a field of sufficient size (of order at least will suffice where is the number of clauses of ).
takes and computes its arithmetization according to [8] Proposition 3.1 and sends it to .
and agree on a set of size at least where is the degree of .
assigns , which is supposed to be equal to the sum
.
sends the coefficients of the univariate polynomial in ,
checks whether . If not, abort.
chooses a random , computes and sends to .
If then and go to step 4.
checks whether .
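The round structure of the sumcheck protocol above, as an added Python example (not code from the paper or from [8]): a verifier loop, an honest prover, and a prover that defends a false sum and is caught only by the final evaluation check. It is more general than the 3CNF setting, working for any polynomial of low degree in each variable. Assumptions: the modulus `P`, the sample polynomial `f`, all function names, sending each round polynomial as `deg+1` evaluations rather than coefficients, and drawing challenges from the whole field.

```python
import itertools
import random

P = 2**61 - 1          # prime modulus; assumption, the page only asks for a large field
N_VARS, DEG = 3, 2     # number of variables and per-variable degree bound of f

def f(x):
    """Constructed sample polynomial (not an arithmetized formula from [8])."""
    x1, x2, x3 = x
    return (x1 * x2 * x2 + 3 * x2 * x3 + x1 * x1 * x3 + 5) % P

def true_sum(poly, n):
    """Sum of poly over the Boolean cube {0,1}^n: the value the prover must justify."""
    return sum(poly(x) for x in itertools.product((0, 1), repeat=n)) % P

def lagrange_eval(ys, r):
    """Value at r of the polynomial of degree < len(ys) taking values ys at 0, 1, 2, ..."""
    total = 0
    for j, yj in enumerate(ys):
        num = den = 1
        for m in range(len(ys)):
            if m != j:
                num = num * (r - m) % P
                den = den * (j - m) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def honest_round(poly, prefix, n, deg):
    """Honest prover: g_i(t) = sum over Boolean suffixes of poly(prefix, t, suffix)."""
    rest = n - len(prefix) - 1
    return [sum(poly(tuple(prefix) + (t,) + s)
                for s in itertools.product((0, 1), repeat=rest)) % P
            for t in range(deg + 1)]

def lying_prover(delta):
    """Prover defending true_sum + delta: shifts every g_i so each round check passes."""
    def round_fn(poly, prefix, n, deg):
        shift = delta * pow(2, -(len(prefix) + 1), P) % P
        return [(v + shift) % P for v in honest_round(poly, prefix, n, deg)]
    return round_fn

def sumcheck(poly, n, deg, claim, prover_round, rng):
    """Verifier. True iff all round checks and the final evaluation check pass."""
    b, rs = claim % P, []
    for _ in range(n):
        g = prover_round(poly, rs, n, deg)            # deg+1 evaluations of g_i
        if len(g) != deg + 1 or (g[0] + g[1]) % P != b:
            return False                              # need g_i(0) + g_i(1) = b_{i-1}
        r = rng.randrange(P)                          # random challenge r_i
        b = lagrange_eval(g, r)                       # b_i = g_i(r_i)
        rs.append(r)
    return b == poly(tuple(rs)) % P                   # one evaluation of f at (r_1..r_n)

if __name__ == "__main__":
    rng, s = random.Random(), true_sum(f, N_VARS)
    print("honest:", sumcheck(f, N_VARS, DEG, s, honest_round, rng))
    print("lying :", sumcheck(f, N_VARS, DEG, s + 1, lying_prover(1), rng))
```

The lying prover passes every intermediate check; the verifier rejects only because its own evaluation of `f` at the random point disagrees, which is the step the oracle and multilinearity tests of the BFL protocol exist to make trustworthy.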
Protocol 0.B.2
(Babai, Fortnow and Lund’s MIP for Oracle-3-SAT)
Given as common input.
(sumcheck with oracle) and execute protocol 0.B.1. Let be ’s questions during this phase.
(multilinearity test) asks to simulate an oracle storing the function . queries with random, linearly related values in . If any response does not satisfy linearity, abort protocol. Let be ’s questions during this phase.
(non-adaptiveness test) chooses uniformly at random an such that and asks to . If ’s answer differs from that of , reject. Otherwise accept.
Appendix 0.C Non-Locality – an introduction
In this section we solely focus on the two-party single-round games and strategies that are sufficient to discuss and analyze most of the MIPs. Definitions and proofs for complete generalizations to multi-party multi-round games and strategies will appear in a forthcoming paper with co-author Adel Magra.
0.c.0.1 Games:
Let be a predicate on (for some finite sets and ) and let be a probability distribution on . Then and define a (single-round) game as follows: A pair of questions is randomly chosen according to distribution , and is sent to Alice and is sent to Bob. Alice must respond with an answer and Bob with an answer . Alice and Bob win if evaluates to 1 on and lose otherwise.
0.c.0.2 Strategies: Two-Party Channels
A strategy for Alice and Bob is simply a probability distribution describing exactly how they will answer on every pair of questions . We now break down the set of all possible strategies for Alice and Bob according to their non-locality.
0.c.0.3 Deterministic and Local Strategies:
A strategy is deterministic if there exist functions such that
A deterministic strategy corresponds to the situation where Alice and Bob agree on their individual actions before any knowledge of the values is provided to them. In this case they use only their own input to determine their individual output.
A strategy is local if there exists a finite set and functions such that
A local strategy corresponds to the situation where Alice and Bob agree on a deterministic strategy selected uniformly among such possibilities. The choice of Alice and Bob’s strategy, and the choice of inputs provided to Alice and Bob are generally agreed to be statistically independent random variables.
0.c.1 Local Reducibility
We now turn to the notion of locally reducing a strategy to another, that is how Alice and Bob limited to local strategies but equipped with a particular (not necessarily local) strategy are able to achieve another particular (not necessarily local) strategy . For this purpose we introduce a notion of distance between strategies in order to analyze strategies that are approaching each other asymptotically.
0.c.1.1 Distances between Strategies:
Several distances could be selected here, as long as they have the same meaning as they approach zero. In the definitions below, are strategies and is a finite set of strategies.
Definition 12
Definition 13
0.c.1.2 Local extensions of Strategies:
For natural integer , we define the set of strategies that are local extensions (of order ) of to be all the strategies Alice and Bob can achieve using local strategies where strategy may be used up to times as subroutine calls. (Footnote: done by selecting functions , to determine the input of each subroutine from input and previous outputs.) If we restrict all the functions used to be polynomial-time computable we analogously define .
Definition 14
Locally (poly)Reduces to () iff .
Definition 15
is Locally (poly)Equivalent to () iff
0.c.1.3 Non-Adaptive extensions of Strategies:
For natural integer , we define the set of strategies that are Non-Adaptive extensions (of order ) of to be all the strategies Alice and Bob can achieve using Non-Adaptive strategies where strategy may be used up to times as subroutine calls. (Footnote: done by selecting functions , to determine the input of each subroutine from input only.) If we restrict the functions used to be poly-time computable we get .
Definition 16
Non-Adaptively (poly)Reduces to () iff .
Definition 17
is Non-Adaptively (poly)Equivalent to () iff
In general, Non-Adaptive reducibility is a weaker notion than local reducibility. However, for certain distributions it may result that as follows.
0.c.2 Locality
We now define the lowest of the non-locality classes . We could define it directly from the notion of local strategies as defined above, but for analogy with the other classes we later define, is defined as all those strategies locally reducible to a complete strategy we call (see Fig. 2). Of course, any strategy is complete for this class.
Definition 18
and
Note: is the class of strategies that John Bell [29] considered as classical hidden-variable theories that he compared to entanglement. It is also the class of strategies that Ben-Or, Goldwasser, Kilian and Wigderson [3] chose to define classical Provers in Multi-Provers Interactive Proof Systems. is also those strategies Non-Adaptively reducible to
Definition 19
Alternatively, and
Alternatively, we can also define from an empty box as used in the core of this paper
Definition 20
Alternatively,
0.c.3 One-Way Signalling
We now turn to One-Way Signalling which allows communication from one side to the other. We name the directions arbitrarily Left and Right. We define (resp. ) as all those strategies locally reducible to a complete strategy we call (see Fig. 4) (resp. (see Fig. 5)). These classes are useful to define what it means for a strategy to signal as well as the notion of No-Signalling strategies.
Definition 21
and
Definition 22
We say that Right Signals (is verbose) iff . (Footnote: we define the notion of verbose in analogy to hard: it means “as verbose as any distribution in non-locality class ”. In consequence, a distribution is complete if and is verbose.)
Definition 23
and
Definition 24
We say that Left Signals (is verbose) iff .
Definition 25
We say that Signals iff Right Signals or Left Signals.
We prove a first result that is intuitively obvious. We show that the complete strategy cannot be approximated in and the other way around.
Theorem 0.C.1
and .
Proof
Follows from a simple capacity argument. For all , all the channels in have zero left-capacity, while has non-zero left-capacity. And vice-versa.
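The games and strategies of 0.c.0.1 to 0.c.0.3 and the one-way signalling of 0.c.3, as an added Python example (not from the paper): strategies are tables p(a,b|x,y), local strategies are uniform mixtures of deterministic ones, and signalling is tested on the marginals. Assumptions: the CHSH game as constructed sample predicate, uniform questions, all names, and the usual marginal-independence test standing in for the paper's reduction-based definitions of signalling.

```python
import itertools
from fractions import Fraction

BITS = (0, 1)
QUADS = list(itertools.product(BITS, repeat=4))    # all (x, y, a, b)

def chsh(x, y, a, b):
    """Constructed sample predicate (CHSH game): win iff a XOR b == x AND y."""
    return (a ^ b) == (x & y)

UNIFORM = {(x, y): Fraction(1, 4) for x in BITS for y in BITS}   # question distribution

def deterministic(fa, fb):
    """p(a,b|x,y) = 1 iff a = fa[x] and b = fb[y]; each side sees only its own question."""
    return {(x, y, a, b): Fraction(int(a == fa[x] and b == fb[y])) for x, y, a, b in QUADS}

def mixture(strategies):
    """Local strategy: a deterministic strategy picked uniformly from a finite set."""
    return {q: sum(s[q] for s in strategies) / len(strategies) for q in QUADS}

def win_probability(strategy, predicate=chsh, dist=UNIFORM):
    """Probability that the answers satisfy the predicate, over questions and strategy."""
    return sum(dist[(x, y)] * strategy[(x, y, a, b)]
               for x, y, a, b in QUADS if predicate(x, y, a, b))

def signals_to_bob(strategy):
    """True iff Bob's marginal p(b|x,y) changes with Alice's question x."""
    return any(sum(strategy[(0, y, a, b)] for a in BITS)
               != sum(strategy[(1, y, a, b)] for a in BITS)
               for y in BITS for b in BITS)

def signals_to_alice(strategy):
    """True iff Alice's marginal p(a|x,y) changes with Bob's question y."""
    return any(sum(strategy[(x, 0, a, b)] for b in BITS)
               != sum(strategy[(x, 1, a, b)] for b in BITS)
               for x in BITS for a in BITS)

FUNCS = list(itertools.product(BITS, repeat=2))    # the four functions {0,1} -> {0,1}
ALL_DET = [deterministic(fa, fb) for fa in FUNCS for fb in FUNCS]

# PR-box: a XOR b = x AND y with uniform marginals.
PR_BOX = {(x, y, a, b): Fraction(int(chsh(x, y, a, b)), 2) for x, y, a, b in QUADS}

# One-way channel: Bob outputs Alice's question (b = x), Alice outputs 0.
ONE_WAY = {(x, y, a, b): Fraction(int(a == 0 and b == x)) for x, y, a, b in QUADS}

def best_deterministic():
    """Largest winning probability over all 16 deterministic strategies."""
    return max(win_probability(s) for s in ALL_DET)

if __name__ == "__main__":
    print("best deterministic:", best_deterministic())
    print("uniform local mix :", win_probability(mixture(ALL_DET)))
    print("PR-box            :", win_probability(PR_BOX),
          signals_to_bob(PR_BOX), signals_to_alice(PR_BOX))
    print("one-way channel   :", signals_to_bob(ONE_WAY), signals_to_alice(ONE_WAY))
```

A mixture never beats its best component, which is the averaging step the soundness proof uses to restrict attention to deterministic provers; the PR-box wins this game with certainty while leaving both marginals untouched.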
0.c.4 Signalling
We are now ready to define the largest of the non-locality classes . Indeed every possible strategy is in .
Definition 26
and