Results 1 - 10 of 10

Uniform Generation of NP-witnesses using an NP-oracle
Information and Computation, 1997
Cited by 20 (1 self)
Abstract:
A Uniform Generation procedure for NP is an algorithm which given any input in a fixed NP-language, outputs a uniformly distributed NP-witness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomial-time with an NP-oracle. This improves upon results of Jerrum, Valiant and Vazirani, which either require a Σ^P_2 oracle or obtain only almost uniform generation. Our procedure utilizes ideas originating in the works of Sipser, Stockmeyer, and Jerrum, Valiant and Vazirani.

Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. E-Mail: mihir@cs.ucsd.edu. URL: http://www-cse.ucsd.edu/users/mihir. Supported in part by NSF CAREER Award CCR-9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. † Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel. E-Mail: oded@wis...
Zero-Knowledge from Secure Multiparty Computation
SIAM Journal on Computing (SICOMP), special issue devoted to STOC-2007, 2007
Cited by 9 (1 self)
Abstract:
A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation R(x, w) which only makes a black-box use of any secure protocol for a related multi-party functionality f. The latter protocol is only required to be secure against a small number of “honest but curious” players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming one-way functions exist, we get the following types of zero-knowledge proof
Efficient Arguments without Short PCPs
Cited by 8 (0 self)
Abstract:
Current constructions of efficient argument systems combine a short (polynomial size) PCP with a cryptographic hashing technique. We suggest an alternative approach for this problem that allows to simplify the underlying PCP machinery using a stronger cryptographic technique. More concretely, we present a direct method for compiling an exponentially long PCP which is succinctly described by a linear oracle function π: F^n → F into an argument system in which the verifier sends to the prover O(n) encrypted field elements and receives O(1) encryptions in return. This compiler can be based on an arbitrary homomorphic encryption scheme. Applying our general compiler to the exponential size Hadamard code based PCP of Arora et al. (JACM 1998) yields a simple argument system for NP in which the communication from the prover to the verifier only includes a constant number of short encryptions. The main tool we use is a new cryptographic primitive which allows to efficiently commit to a linear function and later open the output of the function on an arbitrary vector. Our efficient implementation of this primitive is independently motivated by cryptographic applications.
Polylogarithmic-round interactive proofs for coNP collapse the exponential hierarchy
2004
Cited by 3 (0 self)
Abstract:
It is known [BHZ87] that if every language in coNP has a constant-round interactive proof system, then the polynomial hierarchy collapses. On the other hand, Lund et al. [LFKN92] have shown that #SAT, the #P-complete function that outputs the number of satisfying assignments of a Boolean formula, can be computed by a linear-round interactive protocol. As a consequence, the coNP-complete set SAT has a proof system with linear rounds of interaction. We show that if every set in coNP has a polylogarithmic-round interactive protocol then the exponential hierarchy collapses to the third level. In order to prove this, we obtain an exponential version of Yap’s result [Yap83], and improve upon an exponential version of the Karp-Lipton theorem [KL80], obtained first by Buhrman and Homer [BH92].
On round-efficient argument systems
In Proc. 32nd ICALP (Track
Cited by 2 (1 self)
Abstract:
We consider the problem of constructing round-efficient public-coin argument systems, that is, interactive proof systems that are only computationally sound with a constant number of rounds. We focus on argument systems for NTime(T(n)) where either the communication complexity or the verifier’s running time is subpolynomial in T(n), such as Kilian’s argument system for NP [Kil92] and universal arguments [BG02,Mic00]. We begin with the observation that under standard complexity assumptions, such argument systems require at least 2 rounds. Next, we relate the existence of non-trivial 2-round argument systems to that of hard-on-average search problems in NP and that of efficient public-coin zero-knowledge arguments for NP. Finally, we show that the Fiat-Shamir paradigm [FS86] and Babai-Moran round reduction [BM88] fail to preserve computational soundness for some 3-round and 4-round argument systems.
Polylogarithmic two-round Argument Systems
Cited by 2 (0 self)
Abstract:
We present a two-round argument system for NP languages with polylogarithmic communication complexity. We introduce a novel property of private information retrieval (PIR) schemes, that we call database-awareness. We construct a concrete database-aware PIR scheme and build our argument system by combining a database-aware PIR scheme with a probabilistically checkable proof system (PCP). Dwork et al. (2004) pointed out difficulties in proving the soundness of such constructions for arbitrary PIR schemes. We show that restricting to database-aware PIR schemes is sufficient to overcome these difficulties.
Succinct Proofs for NP and Spooky Interactions
2004
Abstract:
This paper investigates the possibility that any NP statement can be proven by an argument system in two rounds of communication (i.e. one message from the verifier to the prover and one message back) while sending only relatively few bits, without relying on the existence of a random oracle. More specifically, we focus on a natural approach (suggested in [1]) for designing such an argument system by a combination of two tools: (i) The PCP (probabilistically checkable proofs) Theorem that states that for every language L ∈ NP there exist polynomial size witnesses that may be verified, with constant error probability, by probing only a constant number of locations of the proof, and (ii) Computational PIR (private information retrieval) schemes. The idea is simple: to verify an NP statement, the verifier simulates a PCP verifier where every query is performed via a (computational) PIR. Although this protocol is very natural, attempts to prove its soundness have failed. We exhibit inherent difficulties in such attempts (even when applied to extensions of this protocol). Our results give some indications of the direction one must take in order to construct efficient proof systems in this way.
MIT, 2012
Abstract:
Succinct non-interactive arguments of knowledge (SNARKs), and their generalization to distributed computations by proof-carrying data (PCD), are powerful tools for enforcing the correctness of computations in dynamic networks with multiple mutually-untrusting parties, with essentially minimal computational overhead. Current constructions achieve only variants with expensive setup, restricted functionality, or oracles. We present recursive composition and bootstrapping techniques that: 1. Transform any SNARK with an expensive preprocessing phase into a SNARK without such a phase. 2. Transform any SNARK into a PCD system for constant-depth distributed computations. 3. Transform any PCD system for constant-depth distributed computations into a PCD system for distributed computation over paths of fixed polynomial length. Our transformations apply to both the public and private verification settings, and assume the existence of CRHs (and FHE, for the private-verification setting). By plugging into our transformations the NIZKs of [Groth, ASIACRYPT ’10], whose security is based on a Knowledge of Exponent assumption in bilinear groups, we obtain the first publicly-verifiable
TAU, 2012
Abstract:
Succinct arguments of knowledge are computationally-sound proofs of knowledge for NP where the verifier’s running time is independent of the time complexity t of the nondeterministic NP machine M that decides the given language. Existing succinct argument constructions are, typically, based on techniques that combine cryptographic hashing and probabilistically-checkable proofs (PCPs). Yet, even when instantiating these constructions with state-of-the-art PCPs, the prover needs Ω(t) space in order to run in quasilinear time (i.e., time t · poly(k)), regardless of the space complexity s of the machine M. We say that a succinct argument is complexity preserving if the prover runs in time t · poly(k) and space s · poly(k) and the verifier runs in time |x| · poly(k) when proving and verifying that a t-time s-space random-access machine nondeterministically accepts an input x. Do complexity-preserving succinct arguments exist? To study this question, we investigate the alternative approach of constructing succinct arguments based on multi-prover interactive proofs (MIPs) and stronger cryptographic techniques: (1) We construct a one-round succinct MIP of knowledge, where each prover runs in time t · polylog(t) and space s · polylog(t) and the verifier runs in time |x| · polylog(t). (2) We show how to transform any one-round MIP protocol to a succinct four-message argument (with
MIT, 2012
Abstract:
Succinct non-interactive arguments of knowledge (SNARKs), and their generalization to distributed computations by proof-carrying data (PCD), are powerful tools for enforcing the correctness of dynamically evolving computations among multiple mutually-untrusting parties. We present recursive composition and bootstrapping techniques that: 1. Transform any SNARK with an expensive preprocessing phase into a SNARK without such a phase. 2. Transform any SNARK into a PCD system for constant-depth distributed computations. 3. Transform any PCD system for constant-depth distributed computations into a PCD system for distributed computation over paths of fixed polynomial length. Our transformations apply to both the public- and private-verification settings, and assume the existence of CRHs; for the private-verification setting, we additionally assume FHE. By applying our transformations to the NIZKs of [Groth, ASIACRYPT ’10], whose security is based on a Knowledge of Exponent assumption in bilinear groups, we obtain the first publicly-verifiable SNARKs and PCD without preprocessing in the plain model. (Previous constructions were either in the random-oracle model [Micali, FOCS ’94] or in a signature oracle model [Chiesa and Tromer, ICS ’10].) Interestingly,