The idea of using distance and special relativity (a theory of motion justifying that the speed of light is a sort of asymptote for displacement) to prevent communication between participants in multi-prover proof systems can be traced back to Kilian. Probably, the original authors (Ben Or, Goldwasser, Kilian and Wigderson) of had that in mind already, but it is not explicitly written anywhere. Kent was the first author to venture into sustainable relativistic commitments  and introduced the idea of arbitrarily prolonging their life span by playing some ping-pong protocol between the provers (near the speed of light). This idea was made considerably more practical by Lunghi et al. in  who made commitment sustainability much more efficient. This culminated in an actual implementation by Verbanis et al. in  where commitments were sustained for more than a day!
As nice as this may sound, such long-lasting commitments have so far found very little practical use. Consider for instance the zero-knowledge proof for Hamiltonian Cycle as introduced by Chailloux and Leverrier. Proving in Zero-Knowledge that a 500-node graph contains a Hamiltonian cycle would require transmitting bit commitments (each a couple of hundred bits in length) and eventually sustaining them before the verifier can announce his choice of unveiling the whole adjacency matrix or just the Hamiltonian cycle. For a graph of vertices, this would require an estimated bits of communication before the verifier can announce his choice (see Fig. 1). This makes the application prohibitively expensive. If you use a larger graph, you will need more time to commit, leading to more distance to implement the protocol of . Either a huge separation is necessary between the provers (so that one of them can unveil according to the verifier’s choice before he finds out the committal information used by the other prover while the former must commit all the necessary information before he can find out the verifier’s choice) or we must achieve extreme communication speeds between prover-verifier pairs. This would only be possible by vastly parallelizing communications between them at high cost. Modern (expensive) top-of-the-line communication equipment may reach throughputs of roughly 1 Tbits/sec. A back of the envelope calculation estimates that the distance between the verifiers must be at least 100 km to transmit commitments at such a rate.
In this work we consider the following problem: in a Multi-Prover environment, how close can we get the provers in a Zero-Knowledge IP showing the validity of an statement ? We exhibit a set of (3) novel Zero-Knowledge protocols for the 3-COLorability problem that use two (local) provers or three (entangled) provers and only require them to communicate two trits each after having each received an edge and two trits each from the verifier. This greatly improves the ability to prove Zero-Knowledge statements on very short distances with very little equipment. In comparison, the protocol of  would require transmitting millions of bits between a prover and his verifier before the latter may disclose what to unveil or not. This implies the provers would have to be very far from each other because all of these must reach the verifier before the former can communicate with its partner prover.
Although certain algebraic zero-knowledge multi-prover interactive proofs for and using explicitly no commitments at all have been presented before in ,  (sound against local provers) and , (sound against entangled provers), in the local cases making these protocols entanglement sound is absolutely non-trivial, whereas in the entangled case the multi-round structure and the amount of communication in each round make implementing the protocol completely impractical as well. (In their defense, the protocols were not designed to be practical.)
The main technical tool we use in this work is a general Lemma of Kempe, Kobayashi, Matsumoto, Toner, and Vidick to prove soundness of a three-prover protocol when the provers are entangled based on the fact that a two-prover protocol version is sound when the provers are only local. More precisely, they proved this when the three-prover version is the same as the two-prover version but augmented with an extra prover who is asked exactly the same questions as one of the other two at random and is expected to give the same exact answers.
Our protocols build on top of the earlier protocol due to Cleve, Høyer, Toner and Watrous who presented an extremely simple and efficient solution to the 3-COL problem that uses only two provers, each of which is queried with either a node from a common edge, or twice the same node. In the former case, the verifier checks that the two ends of the selected edge are of distinct colours, while in the latter case, he checks only that the provers answer the same colour given the same node. On the bright side, their protocol did not use commitments at all but unfortunately it did not provide Zero-Knowledge either. Moreover, it is a well-established fact that this protocol cannot possibly be sound against entangled provers, because certain graph families have the property that they are not 3-colourable while having entangled-prover pairs capable of winning the game above with probability one. This was already known at the time when they introduced their protocol. The reason this protocol is not zero-knowledge follows from the undesirable fact that dishonest verifiers can discover the (random) colouring of non-edge pairs of nodes in the graph, revealing if they are of the same colour or not in the provers’ colouring.
We are able to remedy the zero-knowledge difficulty by allowing the provers to use commitments for the colour of their nodes. However they use these commitments in an innovative way that we call the unveil-via-commit principle (of independent interest) explained below. For this purpose we use commitments similar to those of Lunghi et al. but in their simplest possible form, over the field (or if you insist on working in binary), and thus with extremely weak binding property but also minimal in communication cost: a complete execution of the basic protocol transmits exactly two node numbers (using only bits each) and two trits from verifiers to provers and two trits back from the provers to verifiers (see Fig. 2). This implies that for a fixed communication speed, the minimal distance of the provers in our protocol increases logarithmically with the number of nodes whereas the same parameter grows quadratically in . Nevertheless, this is good enough to obtain a zero-knowledge version of the protocol that remains sound against local pairs of provers. The main idea is that the provers will each commit to the colours of two requested nodes only if they form an edge of the graph. To unveil the colour of any node, the verifiers must request commitment of the same node by both provers but using different randomizations. This way the verifiers may compute the colour of a node from the linear system established by the two commitments and not by explicitly requesting anyone to unveil. This is the unveil-via-commit principle (very similar to the double-spending mechanism of the untraceable electronic cash of Chaum, Fiat and Naor). We then use the Lemma of  to prove soundness of the three-prover version of this protocol even when the provers are entangled. A positive side of the protocol of , however, is the fact that only two provers are necessary while we use three.
Zero-Knowledge follows from the fact that only two edge nodes can be unveiled by requesting the same edge to both provers. Otherwise only a single node may be unveiled. Finally, we show that even the three-prover version of this protocol retains the zero-knowledge property: requesting any three edges from the provers may allow the verifiers to unveil the colours of a triangle in the graph but never two end-points that do not form an edge (going to four provers would however defeat the zero-knowledge aspect).
An actual physical implementation of this protocol is currently being developed in collaboration with Pouriya Alikhani (McGill), Nicolas Brunner, Sébastien Designolle, Weixu Shi, and Hugo Zbinden (Université de Genève).
1.1 Implementation Issues
Traditionally in the setup of Multi-Prover Interactive Proofs, there is a single verifier interacting with the many provers. However, when implementing no-communication via spatial separation (the so-called relativistic setting) it is standard to break the verifier into a number of verifiers equal to the number of provers, each of them interacting at very short distance from their own prover. The verifiers can use the timing of the replies of their respective provers to judge their relative distance. In practice, this means that we can implement MIPs under relativistic assumptions if the verifiers are “split” into multiple verifiers, each locally interacting with its corresponding prover. The verifiers use the distance between themselves to enforce the impossibility of the provers to communicate: no message from a verifier can be used to reply to another verifier faster than the speed of light wherever the provers are located.
Moreover, multi-prover interactive proof systems may have several rounds in addition to several provers. In general, protocols with several rounds may pose a threat to the inherent assumption that the provers are not allowed to communicate during the protocol’s execution. Nevertheless, most of the existing literature resolves this issue by providing an honest verifier that is non-adaptive. To simplify this task, most of the protocols are actually single-round. We stick to these guidelines in this work. Moreover, in order to prove soundness of our protocols against entangled provers, we use a theorem that is currently only proven for single-round protocols. The protocols we describe are indeed single-round and non-adaptive.
Random variables are said to be equivalent, denoted , if for all ,
. The class of probabilistic polynomial-time Turing machines will be denoted in the following. A Turing machine is one having access to a fresh infinite read-only tape of random values (uniform values from the set of input symbols) at the outset of the computation. In the following, adversaries will also be allowed (in some cases) to be quantum machines. The precise way quantum and classical machines are defined is not important in the following.
For a Turing machine, we denote by its execution with on its input tape ( being a string of the tape alphabet symbols). A Turing machine (quantum or classical) augmented with read-only auxiliary-input tapes and write-only auxiliary-output tapes is called an interactive Turing machine (ITM). Read-only input tapes provide incoming messages while the write-only output tapes allow messages to be sent. Interactive Turing machines and are said to interact when for each of them, one of its write-only auxiliary-output tapes corresponds to one read-only auxiliary-input tape of the other Turing machine. An execution of interactive Turing machines on common input is denoted . For , machine accepts the interactive computation on input if it stops in state after the execution . When the ITM that accepts a computation is clear from the context, we say that accepts when ’s final state is . In this scenario, denotes the probability that terminates in state upon common input . Quantum machines also interact through communication tapes in the same way as classical machines. When a quantum machine interacts with a classical machine , we suppose that the write-only auxiliary tape and the read-only auxiliary tape of used to communicate with are classical. This is the situation we will be addressing almost all the time in the following. A quantum machine is also allowed to have a quantum auxiliary read-only input tape that may contain a part of a quantum state shared with other machines. This allows modelling machines sharing entanglement at the outset of an interactive computation. Henceforth, we suppose that the (main) input tape of all machines (quantum or classical) is classical.
In the following, denotes an undirected graph with vertices and edges . If then we denote the set of vertices in by . We suppose that for all (i.e. has no loop). We denote uniquely each edge in as with . For , let be the set of edges connecting vertex in . For , we define if and have only one vertex in common. When and have four distinct vertices in , we set . Finally, when , we set . For readability, we use the following special notations: means and , while as always, simply means or .
2.2 Non-local Games, Multi-Prover Interactive Proofs, and Relativistic Proofs
Multi-prover interactive protocols are protocols involving a set of provers modelled by interactive Turing machines, each of them interacting with an interactive Turing machine called the verifier . Although all provers may share an infinite read-only auxiliary input tape at the outset of their computation, they do not interact with each other. When the provers are quantum, an extra auxiliary read-only quantum input tape is given and can be entangled with other provers at the beginning.
Let be computationally unbounded interactive Turing machines and let be an interactive Turing machine. The ’s share a joint, infinitely long, read-only random tape (and an auxiliary read-only quantum input tape if the provers are quantum). Each interacts with but cannot interact with for any . We call a -prover interactive protocol (–prover IP).
A -prover interactive protocol is a multi-prover interactive proof system for if it can be used to show that a public input is such that . At the end of its computation, concludes if and only if it ends up in state accept. We restrict our attention to interactive proof systems with perfect completeness since all our protocols have this property.
The –prover interactive protocol is said to be a -prover interactive proof system with perfect completeness for if there exists such that the following holds:
- perfect completeness:
The parameter is called the soundness error of . Soundness can hold against classical provers or against quantum provers sharing entanglements. The former case is called sound against classical provers while the latter is called sound against entangled provers.
Consider a –prover interactive proof system (with or without perfect completeness) for executed with public input . In this situation, defines what is called a quantum game. The minimum value such that for all , is often called the classical value of game and is denoted when the provers are restricted to be classical and unable to communicate with each other upon public input . When the provers, still unable to communicate with each other, are allowed to carry out their computation quantumly and share entanglements, we denote by the minimum value such that for all such quantum provers , . In this case, is called the quantum value of game . A –prover interactive proof system for is said to be symmetric if can permute the questions to all provers without changing their distribution. The following result of Kempe, Kobayashi, Matsumoto, Toner, and Vidick shows that the classical value of a symmetric one-round classical game cannot be too far from the quantum value of a modified game. Given a symmetric one-round two-prover game , one can always add a third prover and ask the same question as with probability or the same question as with probability . Then, accepts if and would be accepted in and if returns the same answer as the one returned by the prover it emulates. We call the modified game obtained that way from .
Lemma 1 (, Lemma 17)
Let be a two-prover one-round symmetric game and let be its modified version with three provers. If then where is the set of ’s possible questions to a prover in .
Lemma 1 remains true for non-symmetric two-prover one-round protocol by first making them symmetric at the cost of increasing the size of . This is always possible without changing the classical value of the game and by using twice the number of questions of the original game (Lemma 4 in ).
Let be a –prover IP. We denote by
the probability distribution of ’s outgoing and incoming messages with all provers according to ’s coin tosses.
Let be a -prover interactive proof system for . We say that is perfect zero-knowledge if for all interactive Turing machines there exists a machine (i.e. the simulator) having blackbox access to such that for all ,
and both random variables are equivalent. In the following, we allow to be a quantum machine but our simulators will always be classical machines with blackbox access to . If the zero-knowledge condition holds against quantum , we say that the proof system is perfect zero-knowledge against quantum verifiers.
2.3 Multi-Prover Commitments with Implicit Unveiling
Our multi-prover proof systems for 3COL use a simple 2-committer commitment scheme with a property that allows us to guarantee perfect zero-knowledge. In this section, we give the description of this simple commitment scheme with its important properties for our purposes.
Assume that provers and share values where is a finite set. wants to check that these values satisfy some properties without revealing them all. Assume that is a field with operations and .
Bit commitment schemes have been used in the multi-prover model ever since it was introduced in . The original scheme was basically , a commitment to value using pre-agreed random mask and randomness provided by . Kilian had a binary version where each bit is shared among provers and (and therefore needs only to be a group). To commit , samples from and from at random. If but , immediately rejects the commitment. Otherwise either or may unveil by disclosing at a later time. Somehow, bad recollection of ’s scheme led  to a similar but different scheme defining , a commitment to bit using pre-agreed bit mask and binary randomness provided by their corresponding verifiers. Although this form of commitment is intimately connected to the CHSH game  and the Popescu-Rohrlich box, this proximity is not relevant for the soundness and the completeness of our protocols, even against entangled provers. Although the (limited) binding property of these schemes has been established in [3, 18, 5, 19, 4, 6] against entangled provers, we only use this commitment scheme against classical provers, only sharing classical information before the execution of the protocol. The weak binding property of these schemes against entangled provers does not allow us to get sound and complete proof systems against these provers. We shall rather get completeness and soundness against entangled provers using a different technique from  that requires a third prover.
For an arbitrary field , the commitment scheme produces commitment to field element using pre-agreed field element mask (specific to value ) and random field element provided by their corresponding verifiers. Many results were proven for this specific form of the commitments. Notice however that the two versions discussed above, in the former case and in the latter, have equivalent binding property (left as a simple exercise). Considering the former as being the degree-one secret sharing  of hidden in the degree zero term, while the latter being the degree-one secret sharing of hidden in the degree one term, we decided to use the former (original BGKW form) because all the known results about secret sharing are generally presented in this form. In particular, this form is more adapted to higher degree generalizations such as being the degree-two secret sharing of hidden in the degree zero term, and so on.
Moreover, this choice turns out to simplify our (perfect) zero-knowledge simulator. For the rest of this paper, we use where and . Provers therefore commit to trits, one value for each node corresponding to its colour in a –colouring of graph . The values shared between and are therefore, for each node , the colour of that node.
Suppose that asks to commit on the colour of node using randomness . Let be the commitment returned to by . Suppose asks to commit on the colour of node using randomness . Let be the commitment issued to by . The following 3 cases are possible depending on ’s choices for , and :
(forever hiding) If then learns nothing about either or since and hide and with random and independent masks and respectively. Even knowing , and are uniformly distributed in .
(the consistency test) If and then can verify that . This corresponds to the immediate rejection of in Kilian’s two-prover commitment described above. It allows to make sure that and are consistent when asked to commit on the same value.
(implicit unveiling) If and then can learn (assuming and ) the following way. simply computes (Note that over an arbitrary field whenever ). Interpreting the meaning of this test can be done when considering a strategy for and that always passes the consistency test. In this case, and are satisfied and learns the committed value .
As long as and are local (or quantum non-local) they cannot distinguish which option has picked among the three. The consistency test makes sure that if and do not commit on identical values for some then will detect it when picks the consistency test for commitment and in position .
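The three cases above, worked through as an added example (not code from the paper). It assumes the commitment has the form mask·r + colour, which is how the text describes the degree-one sharing with the value in the degree-zero term; all function names and the sample colouring are constructed here, and the code accepts any prime field size, not only the trit case.

```python
"""Added example: trit commitments with implicit unveiling (unveil-via-commit)."""
import secrets

P = 3  # assumed field size: colours, masks and commitments are trits


def commit(colour, mask, r, p=P):
    """Commit to `colour` as the degree-zero term of a degree-one polynomial.

    Assumed form: commitment = mask * r + colour (mod p), with `mask`
    pre-agreed by the provers and nonzero `r` chosen by the verifier.
    """
    if r % p == 0:
        raise ValueError("verifier randomness must be nonzero")
    return (mask * r + colour) % p


def verifier_outcome(q1, c1, q2, c2, p=P):
    """Classify what two (node, r) questions and their replies give the verifiers."""
    (node1, r1), (node2, r2) = q1, q2
    if node1 != node2:
        # Different nodes use independent masks: nothing can be combined.
        return ("forever-hiding", None)
    if r1 == r2:
        # Same node, same randomness: honest replies must be identical.
        return ("consistency", c1 == c2)
    # Same node, different randomness: solve the 2x2 linear system
    #   c1 = mask*r1 + colour,  c2 = mask*r2 + colour   for colour.
    inv = pow((r2 - r1) % p, -1, p)
    return ("implicit-unveil", ((c1 * r2 - c2 * r1) * inv) % p)


def masks_explaining(commitment, r, p=P):
    """For each candidate colour, list the masks that yield `commitment` under r."""
    return {b: [m for m in range(p) if commit(b, m, r, p) == commitment]
            for b in range(p)}


def run_demo():
    # Constructed sample: a triangle with a valid 3-colouring and fresh masks.
    colouring = {"u": 0, "v": 1, "w": 2}
    masks = {node: secrets.randbelow(P) for node in colouring}

    def prover(node, r):  # both provers share the colouring and the masks
        return commit(colouring[node], masks[node], r)

    results = {}
    # Case 1: different nodes, so the verifiers learn nothing.
    results["hiding"] = verifier_outcome(("u", 1), prover("u", 1),
                                         ("v", 2), prover("v", 2))
    # Case 2: same node, same randomness, so the replies must agree.
    results["consistency"] = verifier_outcome(("v", 2), prover("v", 2),
                                              ("v", 2), prover("v", 2))
    # Case 3: same node, different randomness, so the colour is recovered.
    results["unveil"] = verifier_outcome(("w", 1), prover("w", 1),
                                         ("w", 2), prover("w", 2))
    # A single commitment is compatible with every colour (one mask each).
    results["single"] = masks_explaining(prover("u", 1), 1)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Because exactly one mask explains each candidate colour, a lone commitment carries no information about the node; only a second commitment to the same node under different randomness pins the colour down.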
3 Classical Two-Prover Protocol
First, consider a small variation over the protocol of Cleve et al. presented in . In their protocol, when and both know and act upon the same valid 3-colouring of , asks each prover for the colour of a vertex in . Consistency is verified when asks the same vertex to each prover and checks that the same colour has been provided. The colorability is checked when the provers are asked for the colour of two connected vertices in . This way of proceeding is however problematic for the zero-knowledge condition. could be asking two nodes that do not form an edge for which their respective colour will be unveiled. This certainly allows to learn something about ’s and ’s colouring. Indeed, repeating this many times will allow to efficiently reconstruct a complete colouring. To partially remedy this problem, instead asks each prover for the colouring of an entire edge of . The colouring is (only) checked when both provers are asked the same edge, while consistency is checked when two intersecting edges are asked to the provers.
3.1 Distribution of questions
Let be a connected undirected graph. Let us define the probability distribution for the pair that picks with probability before announcing to and to . For such that , we set so that never asks two disconnected edges in (this would give no useful information).
The first thing to do is to pick uniformly at random. With probability (to be selected later), we set , which allows for an edge-verification test. With probability , we perform a well-definition test as follows. With probability , uniformly at random and with probability , uniformly at random. In other words, the well-definition test picks the second edge with probability among the edges connecting and with probability among the edges connecting . It follows that for with , we have, for ,
We also get
It is easy to verify that is a properly defined probability distribution over pairs of edges.
3.2 A Variant Over the Two-Prover Protocol of Cleve et al.
Distribution produces two edges where the first one is provided to while the second one is provided to . Each prover then returns the colour of each node of the edge to . We denote the resulting protocol
Provers pre-agree on a random 3-colouring of : such that .
picks , sends to and to .
If then replies with .
If then replies with .
If then accepts iff .
If then accepts iff .
The perfect soundness of this protocol is not difficult to establish along the same lines of the proof of soundness for the original protocol in . On the other hand, zero-knowledge does not even hold against honest verifiers. learns the colour of each node contained in any two edges of . This is certainly information about the colouring that learns after the interaction. To some extent, the modifications we applied to the 2-prover interactive proof system of  leak even more to . In the next section, we show that the 2-prover commitment scheme, that we introduced in Sect. 2.3, can be used in protocol to prevent this leakage completely.
4 Perfect Zero-Knowledge Two-Prover Protocol
We modify the protocol of section 3.2 to prevent from learning the colours of more than two connected nodes in . The idea is simple: and will return commitments for the colours of the nodes asked by . The implicit unveiling of the commitment scheme described in section 2.3 will allow to perform both the edge-verification and well-definition tests in a way very similar to protocol . The commitments require to provide a random nonzero trit for each node of the edge requested to a prover.
4.1 Distribution of questions
We now define the probability distribution for ’s questions in protocol defined in the following section. It consists in one edge and two nonzero trits for each prover:
upon graph and where is the question to and is the question to . is easily derived from the distribution for the questions in , as defined in section 3.1. First, an edge is picked uniformly at random. Together with , two nonzero trits are picked at random. Then, as in , with probability (to be selected later) the second edge , in which case we always set and . This case allows for an edge-verification test. Finally, with probability , we pick with probability and pick so that the couple is produced with probability for all , and . This will allow for a well-definition test. A consequence of (1) is that for , with ,
According to (2), we also get
It is easy to verify that is a properly defined probability distribution.
4.2 The Protocol
The protocol is similar to except that instead of returning to the colour for each node of an edge in , each prover returns commitments with implicit unveilings of these colours. If asks two disjoint edges then learns nothing about the values committed by the forever-hiding property of the commitment scheme. The resulting –prover one-round interactive proof system is denoted .
and pre-agree on random masks for each and a random 3-colouring of : such that .
picks , sends to and to .
If then replies and .
If then replies and .
If and then accepts iff .
If and then accepts iff .
If and then accepts iff .
If and then accepts iff .
Clearly, satisfies perfect completeness. The following theorem establishes that in addition to perfect completeness, is sound against classical provers.
The two-prover interactive proof system is perfectly complete with classical value upon any graph .
Perfect completeness is obvious. Assume and let us consider the probability that detects an error in the check phase when interacting with two local dishonest provers and . is a one-round protocol where the provers cannot communicate directly with each other nor through ’s questions since they are independent of the provers’ answers. It follows that the strategy of and can be made deterministic without damaging the soundness error by letting each prover choose the answer that maximizes her/his probability of success given her/his question. Therefore, consider a deterministic strategy as a pair of arrays to be used by prover for (i.e. we only care about the entries where upon question ). For , is the -th component of the output pair . We let , as the order in which the vertices of an edge are given to a prover is irrelevant ( can always choose the same order). We say that for is well defined if for all such that and ,
For well defined, we set for an arbitrary such that .
We now lower bound the probability that, when is not well-defined for some and , the well-definition test will detect it. When (5) is not satisfied, we have for some . Let and be these two edges. According to (3) (and (1) when ), the well-definition test will then detect an error with probability
We can do much better. Consider for and . For and and value fixed, three cases can happen:
, in which case and are incompatible for values and , or
, in which case and are incompatible for values and , or
and , in which case and are incompatible for value on both sides.
In other words, if are such that then for any and for any randomness associated to node , catches the provers with probability expressed on the right hand side of (6). It follows that if is not well defined then there are ways for to catch the provers and each of these has probability at least to be picked. It follows that,
Now, assume that for all and , is well-defined, which means that the commitment values produced by the provers satisfy the consistency test. As discussed in section 2.3, when the commitments are consistent, the unique values committed upon are defined by . Since , two of the nodes must be of the same colour at the end-points of at least one edge . In this case the edge-verification test will detect it when is the edge announced to both provers and if randomness is announced to then is the randomness announced to . Using (4), the probability to detect such an edge when is well defined for all and satisfies
Therefore, the detection probability of any deterministic strategy for satisfies
The result follows as the classical value of the game .
To prove (perfect) zero-knowledge, it suffices to show that if and are selected arbitrarily, can determine at most the colours of two nodes (that form an edge). The commitments prevent a dishonest prover from learning the colours of two nodes that are not connected by an edge in . Proving this is not very hard and will be done in Section 5.3 for the three-prover case (although with three provers, may also learn the colour of three nodes that form a triangle). The addition of a third prover will allow, using Lemma 1, to get soundness against entangled provers without compromising zero-knowledge. As shown in , their protocol is not necessarily sound against two entangled provers. We also do not know whether is sound against two entangled provers.
5 Three-Prover Protocol Sound Against Entangled Provers
The three-prover protocol , defined below, is identical to except that is asked to repeat exactly what or has replied. The prover that is asked to emulate is picked at random by . An application of Lemma 1 allows us to conclude the soundness of against entangled provers. Zero-knowledge remains since the only way to provide with the colours of more than two connected nodes is if they form a complete triangle of . This reveals nothing beyond the fact that to , since all nodes will then show different colours.
5.1 Distribution of questions
The probability distribution for ’s questions to the three provers is easily obtained from the distribution for the questions in protocol . picks and sets , , and with probability or sets , , and also with probability . Defined that way, is a properly defined probability distribution for ’s three questions, each one in .
5.2 The Protocol
Provers , and pre-agree on random values for all and a random 3-colouring of : such that .
picks , sends to , sends to , and sends to .
If then replies and .
If then replies and .
If then replies