# Non-Locality and Zero-Knowledge MIPs

The foundation of zero-knowledge is the simulator: a weak machine capable of pretending to be a weak verifier talking with all-powerful provers. To achieve this, simulators need some kind of advantage such as the knowledge of a trapdoor. In existing zero-knowledge multi-prover protocols, this advantage is essentially signalling, something that the provers are explicitly forbidden to do. In most cases, this advantage is stronger than necessary as it is possible to define a sense in which simulators need much less to simulate. We define a framework in which we can quantify the simulators' non-local advantage and exhibit examples of zero-knowledge protocols that are sound against local or entangled provers but that are not sound against no-signalling provers precisely because the no-signalling simulation strategy can be adopted by malicious provers.

01/14/2018

## 1 Introduction

An interactive proof is a dialog between two parties: a polynomial-time verifier and an all-powerful prover [1, 2]. They agree ahead of time on some language and a string . The prover wishes to convince the verifier that . If this is true, the prover should succeed almost all the time; if not, the prover should fail almost all the time. This is a generalization of the complexity class , except instead of simply being handed a polynomial-sized witness, the verifier is allowed to quiz the prover. The set of languages that admit an interactive proof is called .

An interactive proof is zero-knowledge if the verifier learns nothing except the truth of “”. This is usually defined by saying that a distinguisher is unable to tell apart a real conversation between the prover and the verifier, and one which is generated by a lone polynomial-time simulator. We will denote sets of zero-knowledge interactive proofs with a bold prefix.

The multi-prover model was introduced in [3]. This model consists of multiple, non-communicating provers (the precise meaning of these words shall become a lot clearer throughout the rest of this paper) talking to a single verifier. We will abbreviate “multi-prover interactive proof” as MIP and the set of languages which can be accepted by MIPs as the boldface .

From a complexity perspective, the zero-knowledge aspect of interactive proofs is characterized by for single-prover IPs ([4, 5, 6]), and for multi-prover IPs ([3, 7, 8, 9, 10, 11, 12]). The (conjectured) necessity of complexity assumptions for zero-knowledge in the single-prover case was the initial motivation for the multi-prover model.

### 1.1 A Cryptographic Perspective

The foundation of zero-knowledge is the idea of a simulator: a machine, with no more power than the verifier, which can pretend to have interacted with all-powerful provers. Obviously, this simulator cannot accomplish this task without some kind of advantage (something independent of knowledge). In single-prover zero-knowledge proofs, this advantage can be in the form of the ability to rewind computation, the ability to discard failed simulations, or knowledge of a trapdoor in a commitment scheme. In multi-prover zero-knowledge proofs, the advantage in existing literature can be summed up as signalling: the simulator, acting in the name of several provers, knows secrets which real provers, in a real instance of the protocol, would not, because they are unable to communicate.

From a complexity perspective, this simulator advantage can be anything as long as it is truly independent of knowledge – we do not want to exclude anything a priori. But, in practice, zero-knowledge is ultimately applied cryptography and from a cryptographic perspective, not all advantages are equal.

### 1.2 Relativistic Motivation

The need for more nuanced simulators is motivated by relativistic cryptography, an example of which can be found in [13]. Relativistic cryptography exploits the fact that it is impossible to signal faster than light. We can enforce the no-signalling condition of MIPs by spatially separating the provers from each other. In order to enforce the provers’ spatial separation during the execution of the protocol, each prover is paired with a verifier of its own, which is located nearby. The verifiers can use the timing of the replies of their respective provers to judge their relative distance.

In practice, this means that we can implement MIPs under relativistic assumptions if the verifier can be “split” into multiple verifiers, each locally interacting with its corresponding prover. An example of relativistic cryptography can be found in [13], where a commitment was sustained for over 24 hours.

Some MIPs have verifiers which, intrinsically, cannot be split. Examples include [3] and [9]. In these examples, the verifier is used to courier an authenticated message between provers. In the relativistic setting, if the verifier has time to pass a message between provers, then the provers just signal between themselves.

Luckily, most MIPs in the literature have verifiers that are non-adaptive. These verifiers’ questions to one prover are independent of the answers from all the provers. MIPs with non-adaptive verifiers can be rewritten into a format with multiple, split verifiers; this format we will call locality-explicit, and will be defined formally in section 4.

As an example of what we mean, consider the following two-prover interactive proof for graph 3-coloring:

###### Protocol 1.1
( Simple MIP, Single-Verifier )

Two provers , one verifier . On input graph , and agree on a 3-coloring.

1. asks for the colors of an edge .

2. asks for the colors of one of the nodes of .

accepts if and only if the colors of that edge from are not equal, and corroborates with ’s answer by replying with the same color for the same node.

In the above protocol, ’s questions to either prover does not depend on answers from any prover. This is what is commonly known as a non-adaptive verifier. We can therefore split the above verifier into a two-verifier version:

###### Protocol 1.2
( Simple MIP, Multi-Verifier )

Two provers , two verifiers . On input graph , and agree on a 3-coloring, and agree on an edge .

1. asks for the colors of .

2. asks for the colors of one of the nodes of .

Post execution, and confer with each other, and accept if and only if the colors of that edge from are not equal, and corroborates with ’s answer by replying with the same color.
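The following is an added example, not code from the paper: a runnable model of the split-verifier execution of Protocol 1.2. The four-node graph, its 3-colouring, the invalid colouring used to illustrate soundness and all function names are constructed for this illustration. The two verifiers share only the pre-agreed edge, the two provers share only the (freshly permuted) colouring, and each verifier talks to one prover; the `honest_v2` flag models a verifier that asks for a node outside the pre-agreed edge, which the protocol rejects but which still leaks a colour.

```python
import random

# Constructed instance: a 4-node graph with a valid 3-colouring.
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3)]
COLOURING = {0: 0, 1: 1, 2: 2, 3: 0}
# Constructed invalid colouring: edge (2, 3) is monochromatic.
BAD_COLOURING = {0: 0, 1: 1, 2: 2, 3: 2}


def randomise_colouring(colouring, rng):
    """Provers' shared randomness: a uniformly random permutation of the three
    colours, so the colours revealed in one run say nothing about the original."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    return {node: perm[c] for node, c in colouring.items()}


def run_protocol_1_2(edges, colouring, rng, honest_v2=True):
    """One execution of the two-verifier protocol. Returns (accepted, transcript)."""
    # Shared verifier randomness: V1 and V2 pre-agree on an edge e.
    e = rng.choice(edges)
    # Shared prover randomness: P1 and P2 agree on a permuted colouring.
    col = randomise_colouring(colouring, rng)

    # V1 <-> P1: V1 asks for the colours of e (a non-adaptive question).
    p1_answer = (col[e[0]], col[e[1]])

    # V2 <-> P2: an honest V2 asks for one endpoint of e; a dishonest V2 asks
    # for a node that is not on e, which the conference below will reject.
    if honest_v2:
        node = rng.choice(e)
    else:
        node = rng.choice([n for n in colouring if n not in e])
    p2_answer = col[node]

    # Post execution: V1 and V2 confer. The edge must be properly coloured and
    # P2's colour must corroborate P1's colour for the same node.
    edge_ok = p1_answer[0] != p1_answer[1]
    consistent = node in e and p2_answer == p1_answer[e.index(node)]
    accepted = edge_ok and consistent
    return accepted, {"edge": e, "p1": p1_answer, "node": node, "p2": p2_answer}


def estimate_rejection(edges, colouring, trials, rng):
    """Fraction of honest-verifier runs rejected for a given (possibly invalid)
    colouring held by the provers. A monochromatic edge is caught exactly when
    the verifiers' pre-agreed edge lands on it, i.e. with probability 1/|E|."""
    rejected = sum(not run_protocol_1_2(edges, colouring, rng)[0] for _ in range(trials))
    return rejected / trials


if __name__ == "__main__":
    rng = random.Random(7)
    print(run_protocol_1_2(EDGES, COLOURING, rng))
    print("rejection rate with a bad colouring:",
          estimate_rejection(EDGES, BAD_COLOURING, 2000, rng))
```

The rejection-rate function shows why the protocol is repeated: one run catches the invalid colouring only with probability 1/|E|, and the dishonest-verifier run shows the leak that motivates the commitment-based version.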

This version of the protocol is naturally suited for relativistic implementation. However, it is not zero-knowledge because even if and agreed on a randomly selected 3-coloring each time, a dishonest verifier may sample a node which is not from . We can make a zero-knowledge, multi-verifier MIP with the help of the following commitment scheme, which is adapted from [3]:

###### Protocol 1.3
( Multi-Verifier Commitment )

Two provers , two verifiers . The provers share a random string , and the verifiers share a random string . Operations are over a finite field. wishes to commit .

1. (Commit) sends the string . replies with .

2. (Unveil) sends the string .

Post execution, the verifiers confer. They accept if and only if or .

Combining protocol 1.3 and the zero-knowledge protocol of [14] gives us a zero-knowledge, multi-verifier MIP.

###### Protocol 1.4
( ZKMIP, Multi-Verifier )

Two provers , two verifiers . On input graph , and agree on a randomly selected 3-coloring and strings , and agree on an edge and strings .

1. commits the colouring of to using the , they pre-agreed.

2. asks to unveil the colours of the edge .

Post execution, and confer with each other, and accept if and only if the commitment is valid, and the colors unveiled are not equal.

What makes this protocol zero-knowledge? In the commitment scheme (protocol 1.3), if has knowledge of , then it can break the commitment by unveiling either way (by sending or as needed). Following the precedents set by existing literature’s definition of zero-knowledge, the (single) simulator, interacting with both verifiers, learns . Therefore it can break the commitment and always unveil a color that will be accepted by the verifiers.

As mentioned, the (single) simulator’s advantage is its ability to interact with both verifiers at once. This is equivalent to having a pair of simulators signaling and, as we will see, is actually a tremendous power. However, it turns out that simulators do not need to signal in order to break the above commitment (section 3); a weaker non-local distribution will do. What we wish is to construct a framework in which this “non-local advantage” of the simulators can be quantified. We do this in section 4.

To see how much overkill signaling is for the simulators, imagine that in the above protocol, the distinguisher were able to eavesdrop on the “conversation” between the (possibly malicious) verifiers and black boxes, inside of which are either real provers, or simulators. This is giving the distinguisher more power than simply reading a transcript; and yet, the (signaling) simulators can succeed not only in generating the transcript, but behave as if they were provers in real-time. If we consider existing zero-knowledge as “transcript-indistinguishable”, then we may consider this as “eavesdrop-indistinguishable”. We will leave these terms undefined (as intuition) as they are not the focus of this work.

### 1.4 Our Contributions

In this work, we propose a framework for writing MIPs which is naturally suited for implementation and analysis under relativistic assumptions. We discuss how this framework extends naturally to zero-knowledge protocols and quantifies the non-local advantage which simulators use in many ZKMIPs. We show that can be accepted by MIPs in this form, and discuss the relationship between simulators’ non-local advantage and soundness.

We exhibit a MIP for which, if is zero-knowledge, then cannot be sound; we introduce this as a tool for proving impossibility results of soundness against no-signalling provers, but it could be used similarly for any non-locality class.

## 2 Previous Work

The early work by Ben-Or, Goldwasser, Kilian and Wigderson asserting that from [3] and [9] use multi-round protocols and their (honest) verifiers are inherently signaling. This is precisely why we address the situation in this work. Proving soundness is quite subtle in this case because the provers could use the (signaling) verifier to break binding of the commitments. In particular, soundness will not be valid if the protocol is composed concurrently with other executions of itself or even used as a sub-routine. In recent conversations with Kilian [15], we have learned that controlling the impact of this signaling (via the verifier) has been a concern since the early days of MIPs. The protocols as they are might be sound but it is not fully proven anywhere in writing. However, it is also clear that no considerations had been given to the fact that general non-local correlations are possible via the verifier. If soundness rests on the binding property of a commitment scheme (such as those zero-knowledge proofs) and this binding property rests on the inability to achieve a certain non-local correlation then impossibility to achieve this correlation via the verifier must be demonstrated. It is not done or hinted in these papers.

The multi-round issue we address may seem trivial because it is a known fact that multi-round MIPs may be reduced to a single round using techniques of Lapidot-Shamir [16] and Feige-Lovasz [17]. Nevertheless, if one is interested in zero-knowledge MIPs, commitment schemes are generally used to obtain the zero-knowledge property and thus the single-round structure is lost in the process. Although single-round protocols bypass the verifier’s non-local contamination problems we describe in this work, converting multi-round protocols into single-round ones is highly inefficient and complex. Preserving zero-knowledge while achieving a single round has turned out to be a major challenge. Practically, keeping a multi-round protocol’s structure, using only commitments to achieve zero-knowledge, is very appealing.

In [16], Lapidot-Shamir proposed a parallel ZKMIP for , but they removed the zero-knowledge claim in the journal version [18] of their work without any explanation as to why. Feige and Kilian [10] were the last ones to follow this approach, combining techniques drawn from Lapidot-Shamir [16], Feige-Lovasz [17] and Dwork, Feige, Kilian, Naor, and Safra [11] to achieve a “2-prover 1-round 0-knowledge” proof for . As far as we can tell, this is the only paper in the ZKMIP literature that appears to avoid the multi-round problems and the non-local contamination that we discuss. However, note that the analysis of [10] is partly based on that of [16], and the journal version of Feige-Kilian [12] does not contain their prior claim of zero-knowledge either. All other ZKMIPs for in the literature are multi-round, and thus our analysis applies to them.

Similar issues are possible using more recent results such as Ito-Vidick’s proof [19] that , Kalai, Raz and Rothblum’s proof [20] that and Natarajan-Wright’s proof [21] that . The reason why these multi-round constructions may maintain their soundness despite the potential non-locality contamination (via the verifier) is the non-adaptive nature of their verifiers. Non-adaptive verifiers cannot take advantage of information acquired in recent rounds to construct new questions to the provers: all their questions are pre-established before the interaction with the provers starts. This is a special, simpler case of local verifiers. Nowhere in this large literature can one find a single statement observing the non-adaptiveness of the verifiers and its importance to guarantee soundness of those MIPs. Moreover, their multi-round structure requires that any straightforward extensions to or via commitment schemes be analyzed very carefully and the locality of the resulting verifiers be re-established. This is part of the reason why the ZK version did not follow easily. Recently, Chiesa, Forbes, Gur, and Spooner [22] discovered a proof that . Their construction is based on refinements of Ito-Vidick’s proof and along the lines of Feige-Kilian, building on algebraic structures to bypass the need for commitment schemes. Unfortunately, this work is so complicated that we are unable to assess whether their verifier is actually non-adaptive. And of course, this is not mentioned or proven anywhere, nor available from the authors… At the time of writing this paper, we just found out that indeed , as proven by Grilo, Slofstra and Yuen [23].

Bellare, Feige, and Kilian [24] considered a multi-verifier model similar to ours in order to analyze the role of randomness in multi-prover proofs. This is completely unrelated to our goal of analyzing verifier non-local contamination. Finally, the notion of relativistic commitment schemes put forward by Kilian [25] and Kent [26] leads to several results [13, 27, 28] where a similar multi-verifier model is necessary in order to assess spatial separation of the provers. The new (non-local) zero-knowledge definition is 100% fresh from this work. No prior work exists at all.

## 3 The Standard MIP Model

Multi-prover interactive proofs were introduced in [3]. The intuition for their model was that of a detective interrogating two suspects held in different rooms. This was formalized as follows:

###### Definition 1

Let

be computationally unbounded Turing machines and let

be a probabilistic polynomial-time TM. All machines have a read-only input tape, a read-only auxiliary-input tape, a private work tape and a random tape. The ’s share a joint, infinitely long, read-only random tape. Each has a write-only communication tape to , and vice-versa. We call a -prover IP, or multi-prover interactive proof (MIP).

This model is essentially equivalent to that of Bell [29] who introduced his famous Bell’s inequality to distinguish local parties from entangled parties.

Zero-knowledge MIPs were also defined in [3]:

###### Definition 2

Let be a k-prover IP for language . Let denote the verifier’s incoming and outgoing messages with the provers, and his coin tosses (we ignore auxiliary inputs because we are not going to discuss composition). We say that is perfect zero-knowledge for if there exists an expected polynomial-time machine such that for all , and are identically distributed.

Let us call the above two definitions the standard MIP model. There have also been augmentations of the model by giving the provers various non-local resources, such as entanglement [19], or arbitrary no-signaling power [20].

Of specific interest to us are standard MIPs which have verifiers that are non-adaptive.

###### Definition 3

A verifier is non-adaptive if the verifier’s questions depend only on its random coins and the input . A MIP with a non-adaptive verifier is a non-adaptive MIP.

Some zero-knowledge MIPs such as [9] require that the verifier courier an authenticated message between the provers in order to obtain soundness while ensuring zero-knowledge. The gist of it goes like this:

2. wants to check one of ’s answers with for consistency.

4. authenticates a question with a key that was committed at the beginning of the protocol and sends it to .

5. sends the question and the authentication to , who proceeds only if it succeeds.

Steps 4 and 5 consist of sending a message from to . This is problematic under relativistic assumptions, as discussed in the introduction. Therefore, the no-signaling assumption of standard MIPs is not immediately compatible with the no-faster-than-light-signaling assumption of relativity.

## 4 Locality-Explicit MIP

We define a framework for writing MIPs guaranteeing compatibility with relativistic assumptions. This framework uses multiple verifiers, each of which talks to a single prover; in turn, each prover talks to that single verifier. There are no communication tapes between the verifiers, nor are there any between provers. There is a special verifier which only reads the outputs of the other verifiers; this is the verifier that will decide to accept or reject membership in . We call this model “locality-explicit” since the provers and verifiers are explicitly local.

Any correlational resources available are explicitly specified via a supplementary correlator named for the provers and for the verifiers. Examples of these resources include entanglement, no-signalling distributions, or slower-than-light signalling.

###### Definition 4

An interactive Turing machine (ITM) is augmented with the following tapes:

• write-only outgoing communication tapes.

• Private work, auxiliary-input, and random tapes.

An ITM can signal to ITM if ’s write-only outgoing tape is ’s read-only incoming tape.

###### Definition 5

Let be a tuple of ITMs, where the ’s are computationally all-powerful and the ’s are polynomial-time. For each , there are two-way communication tapes between and , and for all , there is a two-way communication tape between and and also between and . In addition, for each , there is a read-only tape going from to (where reads). Then, this is said to be a locality-explicit multi-prover interactive proof.

We call and correlators and say that the provers and verifiers are -local and -local respectively. We define the class of all MIPs with such correlators .

It is perhaps easier to understand our definition with the help of figure 1.

The solid lines represent two-way communication and the dashed arrows represent one-way communication, with the arrow indicating the direction of information flow.

We can define that an LE-MIP accepts a language if the usual soundness and completeness conditions hold:

###### Definition 6

An LE-MIP accepts a language if and only if

• (completeness) ,

• (soundness) ,

where is the read-only tape from to at the end of ’s interaction with (or ) on input .

Note that we do not quantify over (nor ), as we want to use them not as (possibly malicious) participants to the protocol, but as a description of correlational resources available to the provers and verifiers.

###### Definition 7

An LE-MIP is local if and all of the provers’ (resp. verifiers’) random tapes are initialized with the same uniformly random string (resp. verifiers with another, independent uniformly random string ). By we mean the empty correlator that provides everyone with nothing at all as output, whatever the input is.

MIPs in the standard model (with local provers) are equivalent to LE-MIPs where and acts as a bulletin board. That is, a single verifier communicating with multiple provers is equivalent to multiple verifiers, each communicating individually with a local prover and with each other through the bulletin board.

###### Lemma 1

If a MIP is non-adaptive, then there exists a local LE-MIP which accepts it.

This is obvious as a non-adaptive verifier’s questions are decided ahead of time, once its random coins are fixed. Therefore, we may split the verifier into one for each prover with a list of predetermined questions.

### 4.1 Zero-Knowledge LE-MIPs

As discussed in the introduction, zero-knowledge is defined by simulations. The simulators of single-prover IPs and standard MIPs are equal to the verifier in computational power, but they do have “advantages” – such as the ability to rewind computation.

LE-MIPs make explicit a new advantage for the simulator: non-local correlations, a very powerful advantage. Using the correct non-local correlations, simulators do not need to rewind, do not need to pretend to be multiple (isolated) provers, and do not need to know any commitment-breaking secrets. In short, they do not need to signal. Multiple, no-signaling simulators can even produce transcripts in “real-time” (an example will follow) if the proper correlations are used.

###### Definition 8

Let be a tuple of polynomial-time ITMs. Each machine has a random tape, and every random tape is initialized with the same random bits. For , there is a two-way communication tape between and . There are no communication tapes between any of the ’s. Then this is called a tuple of locality-explicit simulators and is the locality class of , which will be abbreviated -local.

###### Definition 9

Let be an LE-MIP for language . If there exists a tuple of locality-explicit simulators such that for all verifiers and all , the transcripts of conversations

$$(\hat{P}, P_1, \ldots, P_k, \hat{V}', V'_0, V'_1, \ldots, V'_k)(x)$$

and those generated by

$$(\{\hat{S}, \hat{V}'\}, V'_0, S_1^{V'_1}, \ldots, S_k^{V'_k})(x)$$

are identically distributed, then we say that is a -local perfect zero-knowledge LE-MIP for . Note that the simulators are responsible for using , if necessary, to ensure that the verifier oracles (each simulator is restricted to oracle calls to its own corresponding ) receive the necessary inputs.

We will denote the set of all ZK LE-MIPs where the provers, verifiers, and simulators are -local, -local, and -local by

$$\mathbf{ZK}_{\hat{S}}\mathbf{MIP}_{\hat{P}}^{\hat{V}}.$$

Let be sets of correlators. We will denote, by convention,

$$\mathbf{ZK}_{S}\mathbf{MIP}_{P}^{V}$$

as the set of all ZK LE-MIPs where each correlator comes from each of the respective sets.

Our motivations for the above definition are twofold.

First, a simulator (or simulators) should not have more power than necessary. If two local simulators can output for two local verifiers, then it is not necessary to have a single simulator (equivalent to two signaling simulators) do the job. In general, finding the minimal that will allow simulation establishes how little extra is needed to obtain the zero-knowledge property.

Second, the non-locality of simulators is a characterization of the resilience of zero-knowledge. A protocol with local simulators which can withstand arbitrary (malicious) verifiers is more resilient than one in which signaling simulators are needed.

This may be of practical interest if transcripts are timestamped. For example, under the relativistic assumption that one may not signal faster than light, one may be able to distinguish two spatially separated simulators from two spatially separated provers if the simulators need to signal (transmit a commitment-breaking secret) in order to generate a transcript. On the other hand, if two entangled simulators are sufficient to produce the transcript, then they are indistinguishable from real provers. Our protocol 5.3 can be modified so as to let entangled simulators do their work, without needing PR-boxes or signaling. Details are in section 5.

The complexity of LE-MIPs is the same as that of MIPs, namely:

###### Theorem 4.1

There exists an LE-MIP which accepts .

The proof is a line-by-line inspection of the BFL protocol as found in [8], checking that the verifier is non-adaptive and therefore can be written as an LE-MIP. We have included a brief summary of the BFL protocol in appendix 0.B.

## 5 Zero-Knowledge LE-MIP for NEXP

The question which follows naturally is whether there exists a zero-knowledge, local LE-MIP for where . By adapting the protocol from [8], we will exhibit a protocol with the following properties:

1. The provers and verifiers are local: .

2. The simulators need only access to instances of -boxes to work. That is, simply computes indexed instances of -boxes. We will abbreviate this as “-local.”

We may succinctly summarize the above as:

###### Theorem 5.1

, where denotes a correlator which simply computes -boxes for the simulators.

We prove the above theorem by constructing an LE-MIP with the right properties: protocol 5.3. The generic way of turning an interactive proof into a zero-knowledge one is by running it in committed form [3, 9]. With this technique, provers commit their answers instead of directly responding, and use cryptographic techniques to convince the verifier that the answers are correct. As argued previously, this is not possible to enforce from relativistic assumptions alone.

Our solution essentially asks the provers to (strongly-universal-2) hash the selected committed answer with a key that is based on the verifier’s question. We force to behave honestly (to ask a question that has asked) by making bad questions meaningless. If the verifiers ask the provers the same question, they will receive the same hash of the same answer. Otherwise, they will receive two independent random hash values.

The -type commitment (protocol 5.2) is secure in the local setting as previously proved in [26, 30, 13]. It is perfectly concealing and statistically binding. In general, we use the commitment-box notation as the name of a commitment to bit in the next two protocols.

###### Protocol 5.2
A statistically binding, perfectly concealing commitment protocol to bit .

All parties agree on a security parameter .
and partition their private random tape into two -bit strings .

Pre-computation phase:

• samples two -bit strings independently and uniformly, and provides them to .

• sends to and sends to .

Commit phase:

• commits to as , where is a multiplication in .

• sends : .

Unveiling phase:

• sends to .

• computes if , or if .

• rejects if is anything but or , or if and accepts otherwise.

A note on notation: for a circuit , we will denote by the gate-by-gate committed circuit evaluated with x as the input. We also use statements such as “ proves to that was computed correctly”. The reader is expected to be familiar with zero-knowledge computations on committed circuits as put forward by [31, 32, 5, 9].

###### Protocol 5.3
A local zero-knowledge LE-MIP for oracle-3-SAT

Let , an instance of oracle-3-SAT, be the common input, let , and let be the verifier’s program in protocol 0.B (see appendix).

1. Pre-computation:

1. samples two -bit strings independently and uniformly, and provides them to .

2. selects random bit strings (size specified implicitly by ) and evaluates the circuit of using the as randomness, resulting in questions , and provides them to

3. randomly chooses , , the index of an oracle query that will be made to both and . provides to .

4. sends to and sends to for future commitments.

5. All parties agree on a family of strongly-universal-2 hash functions indexed by -bit keys.

6. and agree on a -bit index to the above family. commits to .

2. Sumcheck with oracle:

• Let be the arithmetization obtained in protocol 0.B.1, let be a string from and be strings of as generated in protocol 0.B. and execute protocol 0.B.1 in committed form. At the end of this phase, shows that the committed final value is equal to

$$f\big(z, Q_{k+1}, Q_{k+2}, Q_{k+3}, \boxed{A(Q_{k+1})}, \boxed{A(Q_{k+2})}, \boxed{A(Q_{k+3})}\big),$$

an evaluation in committed form of using the committed values that were used during the protocol’s loop. If this fails, instructs to reject.

3. Multilinearity test:

1. For :

1. sends to ,

2. commits his answer as .

2. and evaluate a circuit description of in committed form with inputs to verify proper linearity among them. unveils the circuit’s committed output. If it rejects, instructs to reject.

4. Consistency test:

1. sends to .

2. computes and sends to .

3. proves to that was computed correctly, from the existing commitments.

4. unveils for , who gets .

5. sends to (recall that this was pre-agreed in step 1.(c))

6. responds to with .

7. accepts if and only if all of the following conditions are met:

• All commitments which have been unveiled are valid.

• did not reject in the two previous cases.

The proofs of security can be found in appendix 0.A.

What is the minimal simulator advantage needed for achieving zero-knowledge for ?

It is clear that signalling simulators can succeed in the above protocol. This is the zero-knowledge simulator of standard MIPs. We can summarize this as

$$\mathbf{ZK}_{\mathrm{SIG}}\mathbf{MIP}_{\emptyset}^{\emptyset} = \mathbf{NEXP},$$

where is a signalling correlator.

Signalling is however unnecessary, as the binding condition of commitment used above (protocol 5.2) can be broken given -boxes. This is what the proof of security shows in appendix 0.A. Thus, the simulator’s advantage can be lowered to -boxes, or

$$\mathbf{ZK}_{\mathrm{PR}}\mathbf{MIP}_{\emptyset}^{\emptyset} = \mathbf{NEXP}.$$
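The following is an added example, not code from the paper: a model of the two-prover commitment of Protocol 1.3 (the BGKW-style scheme whose binding the paragraph above says PR-boxes break). It assumes the bitwise instance over GF(2) with an N-bit challenge (the paper leaves the field unspecified), and all names (`commit`, `verify`, `PRBoxBank`, ...) are this illustration's own. It shows three things: the honest run, why a local second prover cannot change the committed bit (it would have to guess the verifiers' string a), and how N PR-box instances, a no-signalling correlator, let the two parties unveil either bit although neither side ever learns what the other knows. This is the simulator strategy the paper refers to; the same model also stands behind Theorem 5.4, where provers who hold PR-boxes simply adopt it.

```python
import random

N = 64                 # assumed security parameter: length of the strings a and r
MASK = (1 << N) - 1    # the all-ones N-bit string


def commit(a: int, r: int, b: int) -> int:
    """P1's commitment to bit b: c = r + b*a, here over GF(2)^N (XOR / AND)."""
    return r ^ (a if b else 0)


def verify(a: int, c: int, r_unveiled: int):
    """The verifiers confer after the unveil. Returns the unveiled bit, or None
    to reject: c == r means bit 0, c == r + a means bit 1."""
    if c == r_unveiled:
        return 0
    if c == (r_unveiled ^ a):
        return 1
    return None


def run_honest(b: int, rng: random.Random):
    r = rng.getrandbits(N)   # provers' shared random string (P1 and P2)
    a = rng.getrandbits(N)   # verifiers' shared random string (V1 and V2)
    c = commit(a, r, b)      # commit phase: V1 sends a to P1, P1 replies c
    return verify(a, c, r)   # unveil phase: P2 sends r to V2; verifiers confer


def run_local_cheat(rng: random.Random) -> bool:
    """P1 commits to 0; P2, who never saw a and cannot talk to P1, tries to
    unveil as 1. It has to guess a, so it succeeds with probability 2^-N."""
    r = rng.getrandbits(N)
    a = rng.getrandbits(N)
    c = commit(a, r, 0)
    guess = rng.getrandbits(N)
    return verify(a, c, r ^ guess) == 1


class PRBoxBank:
    """N PR-boxes bundled as N-bit strings: on inputs x (side A) and y (side B)
    the outputs u, v are each uniformly random on their own and satisfy
    u XOR v == x AND y. Whichever side queries first gets fresh random bits;
    the other side's output is then fixed by the correlation. Neither output
    depends on the other side's input, so the bank cannot be used to signal."""

    def __init__(self, n: int, rng: random.Random):
        self.n, self.rng = n, rng
        self.x = self.y = self.u = self.v = None

    def side_a(self, x: int) -> int:
        assert self.x is None, "each side may query only once"
        self.x = x
        self.u = self.rng.getrandbits(self.n) if self.v is None else self.v ^ (x & self.y)
        return self.u

    def side_b(self, y: int) -> int:
        assert self.y is None, "each side may query only once"
        self.y = y
        self.v = self.rng.getrandbits(self.n) if self.u is None else self.u ^ (self.x & y)
        return self.v


def run_pr_box_strategy(b_chosen_at_unveil: int, rng: random.Random):
    """Two local parties with a shared PR-box bank. P1's commit message does
    not depend on any bit; P2 picks the bit only at unveil time, yet the
    verifiers' check passes for whichever bit was chosen."""
    boxes = PRBoxBank(N, rng)
    r = rng.getrandbits(N)
    a = rng.getrandbits(N)
    # Commit phase: P1 feeds the challenge a into its side and sends c = r + u.
    u = boxes.side_a(a)
    c = r ^ u
    # Unveil phase: P2 feeds the chosen bit (as an all-ones or all-zeros mask)
    # into its side and sends r + v. Then c + (r + v) = u + v = a AND mask.
    v = boxes.side_b(MASK if b_chosen_at_unveil else 0)
    return verify(a, c, r ^ v)


if __name__ == "__main__":
    rng = random.Random(1)
    print("honest:", run_honest(0, rng), run_honest(1, rng))
    print("local cheat succeeded:", run_local_cheat(rng))
    print("PR-box unveil as 0 / 1:", run_pr_box_strategy(0, rng), run_pr_box_strategy(1, rng))
```

The design point is in `PRBoxBank`: each side's marginal output is uniform whatever the other side entered, so the bank is strictly weaker than a signalling channel, yet it is exactly enough to decouple the commit message from the bit. That is the gap between "signalling simulators" and "PR-box simulators" that the two displayed equalities record.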

If the verifiers were willing to tolerate approximately of errors in the provers’ unveiling string ( or ), then it is possible to break binding with shared entanglement [33] while maintaining soundness against local provers. Making this slight change in the protocol reduces the simulator advantage further:

$$\mathbf{ZK}_{\mathrm{ENT}}\mathbf{MIP}_{\emptyset}^{\emptyset} = \mathbf{NEXP},$$

where denotes polynomial amount of shared entanglement for the simulators.

Ideally, the simulators would not need any non-local advantage over the verifiers. However, we are unable to find a zero-knowledge MIP where the simulators are local which can accept , or prove that it is impossible. We make the following conjecture:

###### Conjecture 1

, where is the set of languages with statistical zero-knowledge interactive proofs without computational assumptions (e.g., graph isomorphism).

### 5.2 Soundness Against No-Signalling Provers

As a further example of the drastic differences between MIP simulators’ non-local advantages and single-prover IP simulators’ advantages (e.g., rewinding), consider the following:

###### Theorem 5.4

Suppose that the provers in protocol 5.3 have access to PR-boxes (so they are no-signalling, but not local). Then the protocol is not sound.

###### Proof

The provers adopt the simulators’ strategy. Since commitment binding is broken with the aid of PR-boxes, the verifiers will always accept.

This is the sense in which we earlier distinguished “eavesdrop indistinguishable” from “transcript indistinguishable”. The ability to rewind computations, although enough for simulators in IPs, is not enough for a prover to break soundness. We will generalize the above theorem in future work on the relationship between zero-knowledge and soundness.

#### 5.2.1 Another Example

In appendix E, a zero-knowledge protocol for is extracted from [34]. This protocol is sound not only against local provers but also against entangled provers, and it is zero-knowledge in both cases. However, since the ZK simulator (also provided in appendix E) can be implemented by no-signalling simulators, this same protocol cannot be sound against no-signalling provers: they can adopt exactly the simulators’ strategy.

## 6 Conclusions and Future Work

Zero-knowledge simulators need advantages in order to function. In the case of MIPs, it was always implicitly assumed that this advantage is necessarily signalling. We have shown that this is not true, and that this aspect of zero-knowledge remains unexplored. LE-MIPs make this explicit, while providing a template for relativistic implementations of the no-signalling assumption.

We close with three open questions.

First, although the provers and verifiers of protocol 5.3 are local, the simulators are not – they use PR-boxes. We do not know whether it is possible to simulate protocol 5.3 with local simulators. In fact, we conjecture that there does not exist a protocol for any language outside .

Second, as we have sketched out in section 5.1, by weakening the commitment scheme used, we get . What is a minimal such that ?

Third, what is the relationship between zero-knowledge and soundness in MIPs? As we have shown in section 5.2, some simulators’ strategies can be adopted by provers to break soundness, provided the provers have some additional (in this case, non-local) resources. Is there a relationship between the non-local resources needed to achieve zero-knowledge and those that must be forbidden in order to achieve soundness?

## Acknowledgements

We would like to thank G. Brassard, A. Chailloux, S. Fehr, J. Kilian, S. Laplante, J. Li, A. Leverrier, A. Massenet, S. Ranellucci, L. Salvail, C. Schaffner, and T. Vidick for various discussions about earlier versions of this work. We would also like to thank Jeremy Clark for his insightful comments. Finally, we are grateful to Raphael Phan and Moti Yung for inviting us to publish a lead-up paper to this work as an Insight Paper at MyCrypt 2016.

## References

• [1] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof-systems,” SIAM. J. Computing, vol. 18, pp. 186–208, Feb. 1989.
• [2] L. Babai, “Trading group theory for randomness,” in Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, pp. 421–429, May 1985.
• [3] M. Ben-Or, S. Goldwasser, J. Kilian, and A. Wigderson, “Multi-prover interactive proofs: How to remove intractability assumptions,” in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, (New York, NY, USA), pp. 113–131, ACM, 1988.
• [4] A. Shamir, “IP = PSPACE,” J. ACM, vol. 39, pp. 869–877, Oct. 1992.
• [5] R. Impagliazzo and M. Yung, “Direct minimum-knowledge computations,” in Advances in Cryptology: Proceedings of Crypto ’87 (C. Pomerance, ed.), vol. 293, pp. 40–51, Springer-Verlag, 1988.
• [6] M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali, and P. Rogaway, “Everything provable is provable in zero-knowledge,” in Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’88, (London, UK, UK), pp. 37–56, Springer-Verlag, 1990.
• [7] L. Fortnow, J. Rompel, and M. Sipser, “On the power of multi-prover interactive protocols,” Theor. Comput. Sci., vol. 134, pp. 545–557, Nov. 1994.
• [8] L. Babai, L. Fortnow, and C. Lund, “Non-deterministic exponential time has two-prover interactive protocols,” Comput. Complex., vol. 2, pp. 374–374, Dec. 1992.
• [9] J. Kilian, Uses of randomness in algorithms and protocols. MIT Press, 1990.
• [10] U. Feige and J. Kilian, “Two prover protocols: low error at affordable rates,” in Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, 23-25 May 1994, Montréal, Québec, Canada (F. T. Leighton and M. T. Goodrich, eds.), pp. 172–183, ACM, 1994.
• [11] C. Dwork, U. Feige, J. Kilian, M. Naor, and S. Safra, “Low communication 2-prover zero-knowledge proofs for NP,” in Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings (E. F. Brickell, ed.), vol. 740 of Lecture Notes in Computer Science, pp. 215–227, Springer, 1992.
• [12] U. Feige and J. Kilian, “Two-prover protocols - low error at affordable rates,” SIAM J. Comput., vol. 30, no. 1, pp. 324–346, 2000.
• [13] T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, S. Wehner, and H. Zbinden, “Practical relativistic bit commitment,” Phys. Rev. Lett., vol. 115, p. 030502, Jul 2015.
• [14] O. Goldreich, S. Micali, and A. Wigderson, “Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems,” J. ACM, vol. 38, pp. 690–728, July 1991.
• [15] J. Kilian, “Personal e-mail communication,” July 2018.
• [16] D. Lapidot and A. Shamir, “Fully parallelized multi prover protocols for NEXP-time (extended abstract),” in 32nd Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 1-4 October 1991, pp. 13–18, IEEE Computer Society, 1991.
• [17] U. Feige and L. Lovász, “Two-prover one-round proof systems: Their power and their problems (extended abstract),” in Proceedings of the Twenty-fourth Annual ACM Symposium on Theory of Computing, STOC ’92, (New York, NY, USA), pp. 733–744, ACM, 1992.
• [18] D. Lapidot and A. Shamir, “Fully parallelized multi-prover protocols for NEXP-time,” J. Comput. Syst. Sci., vol. 54, no. 2, pp. 215–220, 1997.
• [19] T. Ito and T. Vidick, “A multi-prover interactive proof for NEXP sound against entangled provers,” in Proceedings of the 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, FOCS ’12, (Washington, DC, USA), pp. 243–252, IEEE Computer Society, 2012.
• [20] Y. T. Kalai, R. Raz, and R. D. Rothblum, “How to delegate computations: The power of no-signaling proofs,” in Proceedings of the Forty-sixth Annual ACM Symposium on Theory of Computing, STOC ’14, (New York, NY, USA), pp. 485–494, ACM, 2014.
• [21] A. Natarajan and J. Wright, “ in *,” CoRR, vol. abs/1904.05870, 2019.
• [22] A. Chiesa, M. A. Forbes, T. Gur, and N. Spooner, “Spatial isolation implies zero knowledge even in a quantum world,” Electronic Colloquium on Computational Complexity (ECCC), vol. 25, p. 44, 2018.
• [23] A. B. Grilo, W. Slofstra, and H. Yuen, “Perfect zero knowledge for quantum multiprover interactive proofs,” CoRR, vol. abs/1905.11280, 2019.
• [24] M. Bellare, U. Feige, and J. Kilian, “On the role of shared randomness in two prover proof systems,” in Third Israel Symposium on Theory of Computing and Systems, ISTCS 1995, Tel Aviv, Israel, January 4-6, 1995, Proceedings, pp. 199–208, IEEE Computer Society, 1995.
• [25] J. Kilian, “Strong separation models of multi prover interactive proofs,” in DIMACS Workshop on Cryptography, 1990.
• [26] A. Kent, “Unconditionally secure bit commitment,” Phys. Rev. Lett., vol. 83, pp. 1447–1450, Aug 1999.
• [27] E. Adlam and A. Kent, “Deterministic relativistic quantum bit commitment,” CoRR, vol. abs/1504.00943, 2015.
• [28] A. Chailloux and A. Leverrier, “Relativistic (or 2-prover 1-round) zero-knowledge protocol for NP secure against quantum adversaries,” in Advances in Cryptology – EUROCRYPT 2017: 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 – May 4, 2017, Proceedings, Part III, pp. 369–396, Springer International Publishing, 2017.
• [29] J. S. Bell, “On the Einstein-Podolsky-Rosen paradox,” Physics, vol. 1, pp. 195–200, 1964.
• [30] C. Crépeau, L. Salvail, J.-R. Simard, and A. Tapp, “Two provers in isolation,” in Advances in Cryptology – ASIACRYPT 2011: 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, (Berlin, Heidelberg), pp. 407–430, Springer Berlin Heidelberg, 2011.
• [31] G. Brassard and C. Crépeau, “Zero-knowledge simulation of boolean circuits (extended abstract),” in Advances in Cryptology: Proceedings of Crypto ’86 (A. M. Odlyzko, ed.), vol. 263, pp. 223–233, Springer-Verlag, 1987.
• [32] G. Brassard and C. Crépeau, “Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond,” in Symp. of Found. of Computer Sci., pp. 188–195, IEEE, 1986.
• [33] G. Brassard, A. Broadbent, and A. Tapp, “Multi-party pseudo-telepathy,” in Algorithms and Data Structures (F. Dehne, J.-R. Sack, and M. Smid, eds.), (Berlin, Heidelberg), pp. 1–11, Springer Berlin Heidelberg, 2003.
• [34] C. Crépeau, A. Y. Massenet-Oshima, L. Salvail, L. S. Stinchcombe, and N. Yang, “Zero-knowledge s for sound against entangled provers using a tiny amount of commitments,” in (submitted to) Theory of Cryptography, Springer International Publishing, 2019.
• [35] A. Acín, T. Fritz, A. Leverrier, and A. B. Sainz, “A combinatorial approach to nonlocality and contextuality,” Communications in Mathematical Physics, vol. 334, pp. 533–628, Mar 2015.
• [36] H. Barnum, C. A. Fuchs, J. M. Renes, and A. Wilce, “Influence-free states on compound quantum systems,” CoRR, vol. quant-ph/0507108v1, 2005.
• [37] J. Barrett, N. Linden, S. Massar, S. Pironio, S. Popescu, and D. Roberts, “Nonlocal correlations as an information-theoretic resource,” Phys. Rev. A, vol. 71, p. 022101, Feb 2005.
• [38] M. Forster and S. Wolf, “Bipartite units of nonlocality,” Phys. Rev. A, vol. 84, p. 042112, Oct 2011.
• [39] T. Ito, H. Kobayashi, D. Preda, X. Sun, and A. C. Yao, “Generalized Tsirelson inequalities, commuting-operator provers, and multi-prover interactive proof systems,” in Proceedings of the 23rd Annual IEEE Conference on Computational Complexity, CCC 2008, 23-26 June 2008, College Park, Maryland, USA, pp. 187–198, IEEE Computer Society, 2008.
• [40] C. Crépeau and N. Yang, “Multi-prover interactive proofs: Unsound foundations,” in Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology: Second International Conference, Mycrypt 2016, Kuala Lumpur, Malaysia, December 1-2, 2016, Revised Selected Papers, pp. 485–493, Springer International Publishing, 2017.

## Appendix 0.A Proofs of Security for Protocol 5.3

#### 0.a.0.1 Locality

Since the protocol is written as an LE-MIP in which , the protocol is local by definition 7.

#### 0.a.0.2 Completeness

Completeness follows from the completeness of the underlying protocol [8], and the fact that the commitment protocol (protocol 5.2) is well-defined for honest provers (who will never send a commitment that they cannot unveil).

#### 0.a.0.3 Soundness

Without loss of generality, we may assume the soundness error in the BFL protocol to be , through sequential amplification. The probability that our commitment scheme (protocol 5.2) fails binding is exponentially small in . Local probabilistic provers are equivalent to local deterministic provers, because the success probability of randomized provers in breaking soundness is an average over the randomized provers’ random tapes, and each instance of a random tape represents a deterministic strategy. Therefore there is a deterministic strategy which succeeds with probability at least , and hence we only need to consider local deterministic provers.

Since is deterministic, we may unambiguously consider what happens if we were to “rewind” the prover machine. Suppose that at some point unveils a particular commitment to . We rewind and let make different choices before that point. Suppose that, with these alternate choices, then unveils to (an attempt to break binding). Because of locality, ’s behavior is independent of what receives (namely ). Therefore, there is only one such which will ultimately accept as a valid unveiling of in both ways (recall that our commitment is statistically binding).

Therefore, in the worst case, for every commitment there exists a sequence of interactions between and such that will attempt to break the binding of that commitment. Each such commitment-breaking corresponds to at most one string that will actually work.

Let us denote the set of such binding-breaking strings by . If , then the provers will not break binding, and the soundness error is reduced to that of the underlying protocol (at most ). On the other hand, since , the probability that is at most .

Therefore, the soundness error of our protocol is at most

$$\Pr[z_2 \notin B \text{ and underlying protocol accepts}] + \Pr[z_2 \in B] \le \frac{1}{3} + \frac{\mathrm{poly}(k)}{2^k}.$$

#### 0.a.0.4 Zero-Knowledge

The simulation is divided into two parts. In the first part, the simulator produces a transcript of the pre-computation, the multilinearity test and the sumcheck with oracle, all of which involve only interactions with . In the second part, the simulator fakes a valid consistency test.

###### Protocol 0.A.1
(Perfectly Indistinguishable, -Local Simulator for Protocol 5.3, Part 1)

The setup:

• Let be a set of locality-explicit simulators.

• and can send an index along with a bit.

• completes the indexed box (protocol 5.2) for both simulators.

The simulation strategy:

1. The simulators agree on unique indices for every commitment used in the protocol.

2. interacts with the way would. Whenever should commit, commits to random bits, just like the single-simulator from section 5.

3. For each commitment, sends a string . sends to the index of the commitment and .

4. runs the box (protocol 5.2) and replies with ’s half of the output.

5. Whenever needs to unveil a commitment, it can be unveiled in the way desires by sending the corresponding index and bit to .

6. completes the corresponding box which outputs . sends to .

7. sends to .

The second part (the consistency test) can be done by having the simulators ignore the question.

###### Protocol 0.A.2
(Perfectly Indistinguishable, -Local Simulator for Protocol 5.3, Part 2)

1. sends to .

2. computes .

3. Using to break binding, convinces that is actually .

4. unveils for , who gets .

5. sends to .

6. responds with .

By the properties of the strongly-universal-2 hash , if then . Otherwise with probability exponentially close to one. This produces the result as desired. The simulators then feed the transcripts to , and terminates simulation.

## Appendix 0.B Babai, Fortnow and Lund’s MIP for Languages in NEXP

This section describes a variant of the multi-prover protocol for oracle-3-SAT found in [8]. We refer to this as the BFL protocol, or BFL classic.

###### Definition 10

Let be integers. Let be strings of variables, where and . Let be a Boolean formula in variables. A Boolean function is a 3-satisfying oracle for if

$$B(z, b_1, b_2, b_3, A(b_1), A(b_2), A(b_3)) = 1$$

for every string .

is oracle-3-satisfiable if such a function exists.

The Oracle-3-SAT problem asks whether a Boolean formula is oracle-3-satisfiable, where and denote the lengths of and , as above.

###### Lemma 2

Oracle-3-SAT is -complete.

###### Definition 11

Let be an arbitrary field. Let be a Boolean function. An arithmetization of is a polynomial such that for all , . A specific one is given in [8], Proposition 3.1.

Equivalently, the condition can be replaced with .

###### Protocol 0.B.1
(Sumcheck Protocol)

Let be the 3-CNF formula which the prover is trying to show to be a tautology to a verifier . Let be a field of sufficient size (of order at least will suffice where is the number of clauses of ).

1. takes and computes its arithmetization according to [8] Proposition 3.1 and sends it to .

2. and agree on a set of size at least where is the degree of .

3. assigns , which is supposed to be equal to the sum

$$\sum_{x_1=0}^{1} \cdots \sum_{x_m=0}^{1} f(x_1, \dots, x_m)^2 = 0$$

4. .

5. sends the coefficients of the univariate polynomial in ,

$$g_i(x) = h(r_1, \dots, r_{i-1}, x) = \sum_{x_{i+1}=0}^{1} \cdots \sum_{x_m=0}^{1} f(r_1, \dots, r_{i-1}, x, x_{i+1}, \dots, x_m)^2$$

6. checks whether . If not, abort.

7. chooses a random , computes and sends to .

8. If then and go to step 4.

9. checks whether .
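Protocol 0.B.1 carried out in code, as an added example that is not part of the paper: the prover's per-round univariate polynomials g_i, the verifier's checks from steps 6, 7 and 9, and a constructed cheating prover that passes the first round but is caught afterwards. It assumes a prime field F_P with P = 2^31 - 1, a dict representation of polynomials, and a hand-picked f; it also accepts any claimed sum, not only the 0 of the BFL setting.

```python
"""Protocol 0.B.1 (sumcheck) over a prime field; added example, not the paper's.
Constructed assumptions: polynomials are dicts {exponent tuple: coeff mod P}, the
field is F_P with P = 2^31 - 1, and f is hand-picked. BFL's verifier evaluates
h = f^2 at the final point through the oracle; this one evaluates h directly."""
import random

P = 2**31 - 1  # field size; error per false claim is at most m * deg(h) / P

def poly_mul(a, b):
    """Product of two multivariate polynomials in dict form."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % P
    return {e: c for e, c in out.items() if c}

def evaluate(h, point):
    """h(point) in F_P."""
    total = 0
    for exps, c in h.items():
        for x, e in zip(point, exps):
            c = c * pow(x, e, P) % P
        total = (total + c) % P
    return total

def true_sum(h, m):
    """Brute-force sum of h over {0,1}^m, i.e. what the sumcheck certifies."""
    return sum(evaluate(h, [(t >> j) & 1 for j in range(m)])
               for t in range(2 ** m)) % P

def honest_prover(h, fixed, i, m):
    """Round i (0-based): coefficients of g_i(x), the sum of h over the
    remaining boolean variables with x_1..x_{i-1} fixed to the verifier's r."""
    coeffs = [0] * (max(e[i] for e in h) + 1)
    for tail in range(2 ** (m - i - 1)):
        suffix = [(tail >> j) & 1 for j in range(m - i - 1)]
        point = fixed + [1] + suffix  # x_i := 1 leaves its exponent symbolic
        for exps, c in h.items():
            for x, e in zip(point, exps):
                c = c * pow(x, e, P) % P
            coeffs[exps[i]] = (coeffs[exps[i]] + c) % P
    return coeffs

def eval_uni(g, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(g)) % P

def shifting_prover(claimed):
    """Constructed cheater: pads g_1 with a constant so that g_1(0) + g_1(1)
    equals the false claim, then answers honestly from round 2 on."""
    def prover(h, fixed, i, m):
        g = honest_prover(h, fixed, i, m)
        if i == 0:
            shift = (claimed - 2 * g[0] - sum(g[1:])) * pow(2, -1, P) % P
            g[0] = (g[0] + shift) % P
        return g
    return prover

def sumcheck(h, m, claimed, prover=honest_prover, rng=random):
    """Verifier of Protocol 0.B.1: True iff it accepts the claim that the sum
    of h over {0,1}^m equals `claimed` (steps 5-9, repeated per variable)."""
    fixed, expected = [], claimed % P
    for i in range(m):
        g = prover(h, fixed, i, m)
        if len(g) - 1 > max(e[i] for e in h):      # degree bound (step 2)
            return False
        if (eval_uni(g, 0) + eval_uni(g, 1)) % P != expected:  # step 6
            return False
        r = rng.randrange(P)                        # step 7
        fixed.append(r)
        expected = eval_uni(g, r)
    return evaluate(h, fixed) == expected           # step 9

# Constructed instance: f = 2*x1*x2*x3 + 3*x2 - 1 over F_P, h = f^2, m = 3.
M = 3
F = {(1, 1, 1): 2, (0, 1, 0): 3, (0, 0, 0): P - 1}
H = poly_mul(F, F)  # true_sum(H, M) == 32; sumcheck(H, M, 32) is True
```

The honest prover with a false claim fails step 6 in the first round, while the shifting cheater fails in the second: the constant it added to g_1 makes g_1(r_1) disagree with the honestly computed g_2(0) + g_2(1).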

###### Protocol 0.B.2
(Babai, Fortnow and Lund’s MIP for Oracle-3-SAT)

Given as common input.

1. (sumcheck with oracle) and execute protocol 0.B.1. Let be ’s questions during this phase.

2. (multilinearity test) asks to simulate an oracle storing the function . queries with random, linearly related values in . If any response does not satisfy linearity, abort protocol. Let be ’s questions during this phase.

3. (non-adaptiveness test) chooses uniformly at random an such that and asks to . If ’s answer differs from that of , reject. Otherwise accept.

## Appendix 0.C Non-Locality – an introduction

In this section we solely focus on the two-party single-round games and strategies that are sufficient to discuss and analyze most of the MIPs. Definitions and proofs for complete generalizations to multi-party multi-round games and strategies will appear in a forthcoming paper with co-author Adel Magra.

#### 0.c.0.1 Games:

Let be a predicate on (for some finite sets and ) and let be a probability distribution on . Then and define a (single-round) game as follows: A pair of questions is randomly chosen according to distribution , and is sent to Alice and is sent to Bob. Alice must respond with an answer and Bob with an answer . Alice and Bob win if evaluates to 1 on and lose otherwise.

#### 0.c.0.2 Strategies: Two-Party Channels

A strategy for Alice and Bob is simply a probability distribution describing exactly how they will answer on every pair of questions . We now break down the set of all possible strategies for Alice and Bob according to their non-locality.

#### 0.c.0.3 Deterministic and Local Strategies:

A strategy is deterministic if there exist functions such that

$$P(x, y \mid a, b) = \begin{cases} 1 & \text{if } x = f_A(a) \text{ and } y = f_B(b) \\ 0 & \text{otherwise.} \end{cases}$$

A deterministic strategy corresponds to the situation where Alice and Bob agree on their individual actions before any knowledge of the values is provided to them. In this case they use only their own input to determine their individual output.

A strategy is local if there exists a finite set and functions such that

$$P(x, y \mid a, b) = \frac{\left|\{ r \in R : x = f_A(a, r) \text{ and } y = f_B(b, r) \}\right|}{|R|}.$$

A local strategy corresponds to the situation where Alice and Bob agree on a deterministic strategy selected uniformly among such possibilities. The choice of Alice and Bob’s strategy, and the choice of inputs provided to Alice and Bob are generally agreed to be statistically independent random variables.
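The games and strategy classes just defined, in code, as an added example that is not part of the paper: strategies are represented as functions P(x, y | a, b) with exact rational probabilities, the deterministic and local constructions follow the two formulas above, and the winning probability of a strategy is computed for a given predicate and question distribution. The CHSH game (predicate x XOR y = a AND b with uniform questions), the PR-box strategy and the no-signalling marginal check are the standard ones and are constructed here, not taken from the paper.

```python
"""Two-party single-round games and strategies from Appendix 0.C; added example,
not the paper's code. A strategy is P(x, y | a, b) on finite sets; the CHSH game
(predicate x XOR y = a AND b, uniform questions) and the PR-box strategy are the
standard ones and are constructed here, not taken from the paper."""
from fractions import Fraction
from itertools import product

A = B = X = Y = (0, 1)  # question and answer alphabets (constructed)


def deterministic(fA, fB):
    """P(x,y|a,b) = 1 iff x = fA(a) and y = fB(b), else 0."""
    return lambda x, y, a, b: Fraction(int(x == fA(a) and y == fB(b)))


def local(fA, fB, R):
    """Shared randomness r uniform on R: P = |{r : x = fA(a,r), y = fB(b,r)}| / |R|."""
    def P(x, y, a, b):
        hits = sum(1 for r in R if x == fA(a, r) and y == fB(b, r))
        return Fraction(hits, len(R))
    return P


def pr_box(x, y, a, b):
    """PR-box: x XOR y = a AND b always, each consistent pair with prob 1/2."""
    return Fraction(1, 2) if (x ^ y) == (a & b) else Fraction(0)


# A signalling strategy (constructed): Bob's answer reveals Alice's question.
def bob_learns_a(x, y, a, b):
    return Fraction(int(x == 0 and y == a))


# A local strategy (constructed): both output the same shared random bit.
shared_bit = local(lambda a, r: r, lambda b, r: r, (0, 1))


def chsh(a, b, x, y):
    return int((x ^ y) == (a & b))


def uniform_questions(a, b):
    return Fraction(1, len(A) * len(B))


def win_probability(V, pi, P):
    """Pr[V(a,b,x,y) = 1] with (a,b) drawn from pi and (x,y) from P(.,.|a,b)."""
    return sum(pi(a, b) * P(x, y, a, b) * V(a, b, x, y)
               for a, b, x, y in product(A, B, X, Y))


def best_deterministic(V, pi):
    """Max over all |X|^|A| * |Y|^|B| deterministic strategies; this is also the
    local optimum, since a local strategy is a mixture of deterministic ones."""
    best = Fraction(0)
    for fa in product(X, repeat=len(A)):
        for fb in product(Y, repeat=len(B)):
            P = deterministic(lambda a, fa=fa: fa[a], lambda b, fb=fb: fb[b])
            best = max(best, win_probability(V, pi, P))
    return best


def is_no_signalling(P):
    """Alice's marginal on x must not depend on b, and Bob's on y not on a."""
    for a, x in product(A, X):
        if len({sum(P(x, y, a, b) for y in Y) for b in B}) != 1:
            return False
    for b, y in product(B, Y):
        if len({sum(P(x, y, a, b) for x in X) for a in A}) != 1:
            return False
    return True
```

For CHSH the best deterministic (hence best local) strategy wins with probability 3/4, the PR-box wins with probability 1 while still passing the no-signalling check, and `bob_learns_a` is the kind of strategy that the signalling classes later in this appendix contain but the no-signalling ones exclude.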

### 0.c.1 Local Reducibility

We now turn to the notion of locally reducing one strategy to another, that is, how Alice and Bob, limited to local strategies but equipped with a particular (not necessarily local) strategy , are able to achieve another particular (not necessarily local) strategy . For this purpose we introduce a notion of distance between strategies, in order to analyze strategies that approach each other asymptotically.

#### 0.c.1.1 Distances between Strategies:

Several distances could be selected here, as long as they agree on what it means for the distance to approach zero. In the definitions below, are strategies and is a finite set of strategies.

#### 0.c.1.2 Local extensions of Strategies:

For natural integer , we define the set of strategies that are local extensions (of order ) of to be all the strategies Alice and Bob can achieve using local strategies where strategy may be used up to times as sub-routine calls (done by selecting functions , to determine the input of each sub-routine from input and previous outputs). If we restrict all the functions used to be polynomial-time computable we analogously define .

###### Definition 14

Locally (poly-)Reduces to () iff .

###### Definition 15

is Locally (poly-)Equivalent to () iff

#### 0.c.1.3 Non-Adaptive extensions of Strategies:

For natural integer , we define the set of strategies that are Non-Adaptive extensions (of order ) of to be all the strategies Alice and Bob can achieve using Non-Adaptive strategies where strategy may be used up to times as sub-routine calls (done by selecting functions , to determine the input of each sub-routine from input only). If we restrict the functions used to be poly-time computable we get .

###### Definition 16

Non-Adaptively (poly-)Reduces to () iff .

###### Definition 17

is Non-Adaptively (poly-)Equivalent to () iff

In general, Non-Adaptive reducibility is a weaker notion than local reducibility. However, for certain distributions it may result that as follows.

### 0.c.2 Locality

We now define the lowest of the non-locality classes . We could define it directly from the notion of local strategies as defined above, but for analogy with the other classes we later define, is defined as all those strategies locally reducible to a complete strategy we call (see Fig. 2). Of course, any strategy is complete for this class.

###### Definition 18

and

Note: is the class of strategies that John Bell [29] considered as classical hidden-variable theories, which he compared to entanglement. It is also the class of strategies that Ben-Or, Goldwasser, Kilian and Wigderson [3] chose to define classical Provers in Multi-Prover Interactive Proof Systems. is also the class of strategies Non-Adaptively reducible to

###### Definition 19

Alternatively, and

Alternatively, we can also define from an empty box as used in the core of this paper

Alternatively,

### 0.c.3 One-Way Signalling

We now turn to One-Way Signalling which allows communication from one side to the other. We name the directions arbitrarily Left and Right. We define (resp. ) as all those strategies locally reducible to a complete strategy we call (see Fig. 4) (resp. (see Fig. 5)). These classes are useful to define what it means for a strategy to signal as well as the notion of No-Signalling strategies.

and

###### Definition 22

We say that Right Signals (is -verbose) iff . (We define the notion of -verbose in analogy to -hard: it means “as verbose as any distribution in non-locality class ”. In consequence, a distribution is -complete if and is -verbose.)

and

###### Definition 24

We say that Left Signals (is -verbose) iff .

###### Definition 25

We say that Signals iff Right Signals or Left Signals.

We prove a first result that is intuitively obvious. We show that the complete strategy cannot be approximated in and the other way around.

and .

###### Proof

Follows from a simple capacity argument. For all , all the channels in have zero left-capacity, while has non-zero left-capacity. And vice-versa.

### 0.c.4 Signalling

We are now ready to define the largest of the non-locality classes . Indeed every possible strategy is in .

and