Languages with Efficient Zero-Knowledge PCPs are in SZK

Mohammad Mahmoody∗ David Xiao†

April 24, 2012

Abstract
A Zero-Knowledge PCP (ZK-PCP) is a randomized PCP such that the view of any (perhaps
cheating) efficient verifier can be efficiently simulated up to small statistical distance. Kilian,
Petrank, and Tardos (STOC ’97) constructed ZK-PCPs for all languages in NEXP. Ishai,
Mahmoody, and Sahai (TCC ’12), motivated by cryptographic applications, revisited the pos-
sibility of efficient ZK-PCPs for all L ∈ NP where the PCP is encoded as a polynomial-size
circuit that given a query i returns the ith symbol of the PCP. Ishai et al. showed that there is
no efficient ZK-PCP for NP with a non-adaptive verifier, who prepares all of its PCP queries
before seeing any answers, unless NP ⊆ coAM and polynomial-time hierarchy collapses. The
question of whether adaptive verification can lead to efficient ZK-PCPs for NP remained open.
In this work, we resolve this question and show that any language or promise problem
with efficient ZK-PCPs must be in SZK (the class of promise problems with a statistical zero-
knowledge single prover proof system). Therefore, no NP-complete problem can have an effi-
cient ZK-PCP unless NP ⊆ SZK (which also implies NP ⊆ coAM and the polynomial-time
hierarchy collapses).
We prove our result by reducing any promise problem with an efficient ZK-PCP to two in-
stances of the Conditional Entropy Approximation problem defined and studied by Vad-
han (FOCS’04) which is known to be complete for the class SZK.

Keywords: Statistical Zero-Knowledge, Probabilistically Checkable Proofs, Conditional Entropy.

∗
Cornell, mohammad@[Link]. Supported in part by NSF Award CCF-0746990, AFOSR Award FA9550-
10-1-0093, and DARPA and AFRL under contract FA8750-11-2-0211. The views and conclusions contained in this
document are those of the author and should not be interpreted as representing the official policies, either expressed
or implied, of the Defense Advanced Research Projects Agency or the US government.
†
LIAFA, CNRS, Université Paris 7. dxiao@[Link].
1 Introduction
Since their inception, interactive proofs [GMR89, BM88] have had a transformative effect on the-
oretical computer science in general and the foundations of cryptography in particular. In an
interactive proof for a language L, a computationally bounded randomized verifier V and an all-
powerful prover P are given a common input x, and P tries to convince V that x ∈ L. The proof
must be complete: P successfully convinces V that x ∈ L; as well as sound : no cheating prover
b should be able to convince V that x ∈ L when x ∈
P / L. [GMR89] showed that by allowing in-
teraction and probabilistic verification, nontrivial languages outside of BPP can be proved while
the verifier statistically “learns nothing” beyond the fact that x ∈ L. Thus in eyes of the verifier,
the interaction remains “zero-knowledge”. Shortly after, [GMW91] extend this fundamental result
to all of NP based on computational assumptions and a computational variant of the notion of
zero-knowledge.
The notion of zero-knowledge is formalized using the simulation paradigm: for each (possibly
cheating) efficient verifier, there is an efficient simulator that generates a verifier view that is in-
distinguishable from the view the verifier would obtain by honestly interacting with the prover,
and therefore anything the verifier could do using a transcript of his interaction with the prover,
he could do by using the simulator (without talking to the prover). Throughout this paper by
default we mean statistical indistinguishability and statistical zero knowledge, namely they must
hold against any (possibly computationally inefficient) distinguisher. Any discussion about com-
putational indistinguishability will be made explicit.
Motivated by the goal of unconditional security, Ben-Or et al. [BGKW88] showed that if a
verifier V interacts with multiple interactive provers (MIPs) P1 , P2 , . . . who may coordinate on a
strategy beforehand, but are unable to communicate once the interaction with V starts, then all
languages in NP can be proved in a (statistical) zero-knowledge way without any computational
assumption. Fortnow, Rompel, and Sipser [FRS94] showed that, the MIP model is essentially
equivalent to having a (perhaps exponentially long) proof, whose answers to all possible queries are
fixed before interaction begins (in contrast to the usual notion of a prover, who may choose to alter
his answers based on the queries he has seen so far). Such proof systems are now known as prob-
abilistically checkable proofs (PCPs for short) and have found applications throughout theoretical
computer science, notably in the areas of hardness of approximation through the celebrated PCP
theorem [BFL90, AS98, ALM+ 98] and communication-efficient interactive proofs [Kil92].
The existence of of ZK proofs for NP in the MIP model [BGKW88] and the “equivalence” of
MIP and PCP models (as a proof system) raised the following basic question:
Does NP have PCPs that remain zero-knowledge against malicious verifiers?
The work of [BGKW88] does not resolve this question, because their protocol, when implemented in
the PCP model, remains ZK only if cheating verifiers follows the protocol honestly. This highlights
an important point: since we have no control over the cheating verifier (except that we assume it is
efficient), if the proof is polynomial size then a cheating verifier may read the entire proof and this
is not zero knowledge. Therefore, the proof π should be super-polynomially long, and we assume
that an efficient (perhaps cheating) verifier V b is only allowed black-box access to the proof. Since
V is polynomially bounded, having black-box access to such a proof π means that V
b b will be able
to query only polynomially many symbols in the proof at will. Thus, by definition, ZK-PCPs are
incomparable to standard (statistical) zero knowledge proofs in the single or multi-prover proof
systems: (1) the zero knowledge property is harder to achieve in the PCP model because the proof

1
is fixed and there is no control on which queries the verifier chooses to make, (2) but the soundness
property may be easier to achieve in the PCP model because the soundness is required only against
fixed cheating proofs (rather than cheating provers who may adaptively manipulate their answers).
Kilian, Petrank, and Tardos [KPT97] were the first to explicitly study the question above and
(relying on the previous work of [DFK+ 92] which in turn relied on the PCP theorem) showed that
in fact every language in NEXP has a ZK-PCP. Their ZK-PCPs, however, were not efficient even
when constructed for languages in NP, where by an efficient PCP for L ∈ NP, we mean any PCP
π whose answer π(q) to any query q can be computed using a polynomial size circuit (which may
depend on the common input x ∈ L, a witness w that x ∈ L, and an auxiliary random string rπ ).
This limitation is inherent in the approach of [KPT97], since in order to be ZK, their PCP requires
more entropy than the number of queries made by any cheating verifier.
Motivated by the lack of progress for over 10 years towards giving ZK-PCPs for NP that are ZK
with respect to all efficient cheating verifiers, Ishai, Mahmoody, and Sahai [IMS12] asked whether
this may be inherently impossible. Namely, they asked the following question, which is also the
main question studied in this work.

Main Question: Are there efficient ZK-PCPs for NP?

Ishai et al. proved that any language or promise problem L with an efficient ZK-PCP where
the honest verifier’s queries are non-adaptive must satisfy L ∈ coAM. Therefore, NP does not
have such efficient ZK-PCPs unless the polynomial-time hierarchy collapses [BHZ87]. Thus, the
main question above remained open whether there exist efficient ZK-PCPs for NP if we allow the
verifier to be adaptive. In this paper we resolve this question in the negative; namely we prove:
Theorem 1.1 (Main Result). Any promise problem L with an efficient ZK-PCP is in SZK.
This strengthens the negative result of [IMS12] in two ways: (1) we lift the restriction that
the verifier be non-adaptive, and (2) we can conclude that L ∈ SZK which is stronger than
L ∈ AM ∩ coAM, since it is known that SZK ⊆ AM ∩ coAM [For89, AH91]. We emphasize that
Theorem 1.1 does not assume that the simulation is black-box.

Relation to Resettable Zero-Knowledge. The notion of resettable zero-knowledge single

prover proof systems introduced by Canetti et al. [CGGM00] is comparably stronger than the
notion of ZK-PCPs. Essentially, a resettable-ZK proof is a ZK-PCP where soundness is required
to hold even against adaptive cheating provers who may manipulate their answers based on the
queries they see (rather than just fixed cheating proofs). Canetti et al. [CGGM00] showed how
to obtain efficient PCPs that are computational zero-knowledge based on computational hardness
assumptions. But recall that in this work, the notion of ZK is statistical, and so their result does
not resolve our main question.
Recently, Garg et al. [GOVW12] showed that efficient resettable statistical ZK proof systems
exist for non-trivial languages (e.g. Quadratic Residuosity) based on computational assumptions.
Therefore under the same assumptions, these languages also possess efficient ZK-PCPs. Garg
et al. also showed that assuming the existence of exponentially hard one-way functions, statistical
zero-knowledge proof systems can be made resettable. Unfortunately this transformation does not
preserve the efficiency of the prover. Therefore, even though by the works of Micciancio, Ong,
and Vadhan [MV03, OV08] we know that SZK ∩ NP has statistical zero-knowledge proofs with an
efficient prover, the result of [GOVW12] does not necessarily preserve this efficiency.

2
 Finally note that if one can transform any statistical ZK proof into a resettable statistical ZK
proof without losing the efficiency of the prover, then together with our main result of Theorem
1.1 this would imply that the problems with efficient ZK-PCPs are exactly those in SZK ∩ NP.

Relation to Basing Cryptography on Tamper-Proof Hardware. A main motivation of

[IMS12] to study the possibility of efficient ZK-PCPs for NP comes from a recent line of work on
basing cryptography on tamper-proof hardware (e.g. [Kat07,MS08,CGS08,GKR08,GIS+ 10,Kol10,
GIMS10]). In this model, the parties can exchange classical bits as well as hardware tokens that
hide a stateful or stateless efficient algorithm. The receiver of a hardware token is only able to
use it as a black-box and call it polynomially many inputs. Using stateless hardware tokens makes
the protocol secure against “resetting” attacks where the receiver of a token is able to reset the
state of the token (say, by cutting its power). The work of Goyal et al. [GIMS10] focused on the
power and limits of stateless tamper-proof hardware tokens in achieving statistical security and
proved that statistical zero-knowledge for all of NP is possible using a single stateless token sent
from the prover to the verifier followed by O(1) rounds of classical interaction. A natural question
remaining open after the work of [GIMS10] was whether the classical interaction can be eliminated
and achieve statistical ZK for NP using only a single stateless token. It is easy to see that this
question is in fact equivalent to our main question above, and thus our Theorem 1.1 proves that a
single (efficient) stateless token is not sufficient for achieving statistical ZK proofs for NP.

2 Our Techniques
In this section we describe the ideas and techniques behind the proof of Theorem 1.1 and compare
our approach to that of [IMS12]. If L has a ZK-PCP (for now, let us assume for notational simplicity
that L is a language; the idea is identical for general promise problems), one naive approach to
decide L using its simulator is to run the simulator to obtain a view ν = (r, (q1 , a1 ), . . . , (qm , am )),
where r is the random seed of the verifier and the (qi , ai ) are queries/answers to the ZK-PCP, and
accept iff ν is an accepting view. This approach would obtain accepting views if x ∈ L due to the
zero-knowledge property, but there is no guarantee about the case x 6∈ L.
A more promising approach is to “extract” a PCP π b from the simulator Sim and run V against
π
b. Using this approach, due to the soundness of the PCP we would obtain a rejecting view if
x 6∈ L, but the issue shifts to the case x ∈ L and ensuring that the extracted PCP is a valid proof
on YES instances. Therefore, a goal could be trying to construct π b in a way that it is “close” to
an accepting PCP π ← πx,w whenever x ∈ L.
To see at a high level why this may be possible for efficient ZK-PCP’s, let πx,w denote the
true distribution of proofs on an instance x ∈ L. Since the ZK-PCP is efficient, each proof πx,y
is computable by some circuit of polynomial size; let η(n) = poly(n) be the number of bits it
takes to describe this circuit. If we look at the whole description of πx,w as a random variable, its
entropy H(πx,y ) can be at most η. Now consider V[`] , which is the cheating verifier that executes
` independent copies of V, all of them accessing the same proof π ← πx,w . Let (ν 1 , . . . , ν ` ) be the
views generated. Since H(πx,w ) ≤ η, if we pick i ← [`] then the average entropy in the answers
returned to the ith verification ν i conditioned on the views of the first i − 1 verifications ν 1 , . . . , ν i−1
is at most η/`, which can be made less than any arbitrarily small polynomial by increasing `.
Therefore, we will use the simulator for V[`] to generate views (ν 1 , . . . , ν ` ), pick i ← [`] and look
at ν i conditioned on (ν 1 , . . . , ν i−1 ). The extracted proof π
b is defined based on how the queries are

3
answered in ν i . On YES instances π b should have low entropy and therefore behave like a fixed
accepting proof (because of the statistical indistinguishability of the simulation). On NO instances,
π
b either behaves like a fixed proof and therefore is rejecting (because of soundness), or behaves
very different from a fixed proof (which we will be able to detect).
This was the approach used in [IMS12]: they give an AM (i.e. constant-round public-coin)
protocol that allows an efficient verifier to extract π
b using the help of an unbounded prover. We
also extract a PCP π b from the simulator, but our extracted PCP is defined differently from the
one in [IMS12] and this difference allows us to also use it differently: we do not use the prover to
help us construct the extracted PCP in the SZK protocol we give for L, but rather we use π b only
in the analysis to show that the SZK protocol we give is correct.

2.1 The Approach of [IMS12]

Let Sim be the simulator for V[`] . Roughly speaking, [IMS12] defines the PCP π
b based on the
simulator as follows.

b(q) ← (ai1 | ai1 answer to query q1i = q in Sim(x) conditioned on ν 1 , . . . , ν i−1 being first i − 1 views)
π

In other words, we first sample i ← [`] and generate views ν 1 , . . . , ν i−1 according to the simulator.
Then to answer any query q, we run Sim(x) conditioned on getting q as the first query of the ith
execution, then we output the answer Sim(x) gives to q. It may not be possible to sample π b(q)
efficiently, but [IMS12] show how to sample πb through an AM protocol, using the following ideas.

Simulating π b with Help of a Prover. Using old and new constant-round sampling and lower-
bound protocols [GS89, For89, AH91, GVW01, HMX10] Ishai et al. show an AM protocol using
an unbounded (but also untrusted ) prover so that if the prover is honest we get a simulation of
the oracle π
b, and if he cheats then the verifier catches him. Essentially, in the AM protocol,
Arthur uses Merlin to help repeatedly rewind the simulator back to the first query. This way, we
obtain that L and its complement are both in AM. This approach of [IMS12] is inspired by works
of [FF93, BT06, AGGM06] in the context of studing worst-case to average-case reductions in NP
where an unbounded prover (Merlin) is forced to simulate a (hard to compute) oracle.

Relying on Nonadaptivity of V. Note that if the distribution of the first and second queries
are statistically far, then by asking some second query q2 from the oracle π b we might simply get no
answer because it is possible that Sim(x) never generates q2 as the first query. But if the honest
verifier V is nonadaptive, w.l.o.g. we can assume that it randomly permutes its queries before
asking them and therefore the marginal distribution of all queries will be identical (though perhaps
correlated). [IMS12] show that if the PCP π b (as a random variable) has very low entropy, then this
implies that the view of Vπb (x) is close to a simulator-generated view, and so on YES instances by
statistical closeness of the simulator and an honest interaction, Vπb (x) is accepting. On the other
hand, since the proof π b is generated independently of the final verfication’s queries, it holds on NO
instances that Vπb (x) is rejecting because of the soundness of the ZK-PCP.

2.2 Our Approach

We use the same cheating verifier V[`] and its corresponding simulator Sim, but our extracted PCP
π
b is defined without rewinding the simulator back to the first query. Roughly speaking, our oracle

4
is defined as:
!
aij is the answer to the jth query q = qij for a random j
b(q) ←
π aij |
in Sim(x) conditioned on ν 1 , . . . , ν i−1 first i − 1 views

Notice that πb is defined without rewinding back to the first query, and so we do not require
the queries to have the same distribution and thus we do not need to assume the verifier to be
nonadaptive. Furthermore, the way we use π b differs from [IMS12] because we do not construct πb
in our SZK protocol, but only use its definition in the analysis of our reduction to SZK.
To obtain an SZK protocol for L, we give a Karp (many-to-one) reduction from L to a problem
in SZK. More formally, using the simulator, we map each x to three circuits (C1 , C2 , C3 ) such that
we will be able to verify certain statistical properties about them in SZK (the reduction is given
in Reduction 4.2). Essentially, for j ∈ {1, 2, 3}, Cj runs the simulator for the cheating verifier V[`]
on input x to obtain views (ν 1 , . . . , ν ` ). Given these executions, Cj picks a random execution i and
verifies some statistical properties about ith execution conditioned on the first (i − 1) executions.
Here, we just describe the properties that each circuit checks at a high level, and we defer the
formal discussions to Section 4. All of the following are conditioned on the first i − 1 views.
1. C1 checks that the simulated randomness of V in the ith execution is close to uniform.

2. C2 checks that, sampling a random set of queries and answers for the ith execution and picking
one query/answer pair at random, that answer has low entropy given the that query.

3. C3 checks that the ith execution is accepting.

First we argue that the reduction maps YES instances of L to (C1 , C2 , C3 ) satisfying all three
properties, and NO instances to circuits not satisfying all three properties.
• (x ∈ L). Since the simulator’s output is statistically close to the honest distribution, so the
simulated verifier’s random coins are also close to uniform, and the first property is satisfied.
Also, since the PCP is efficient and thus has entropy at most η = poly(n), it means the
average conditioned entropy of the answers to queries in the ith verification is at most η/`
which we set to be small, so the second property is also satisfied. (Actually, assuming that in
the ith execution the entire set of answers has low entropy given the entire set of queries, it
is non-trivial to show that a random answer has low entropy given its corresponding query,
because the queries may be adaptive and a random query might indirectly reveal information
about other queries and answers. Despite that, in Lemma 4.4 we prove this claim even for
adaptive verifiers.) Finally, for a YES instance the simulator produces accepting views with
high probability, so the third property is also satisfied. This is proved in Section 4.1.

• (x 6∈ L). It suffices to show that if (C1 , C2 , C3 ) satisfy the first two properties, then they do
not satisfy the third. If the verifier coins in the simulator’s output are close to uniform and
there is low entropy in the query-answer pairs, then we can show that the view output by
the simulator in the ith execution is statistically close to Vi executing against the oracle π b
i
defined above. Therefore, the verifier must reject in V because of the soundness property of
the ZK-PCP. This is proved in Section 4.2.
Finally, we note that the desired properties of the circuits C1 , C2 can be verified in SZK by two
reductions to the problem of Conditional Entropy Approximation (see Definition 3.8) which

5
is known to be SZK-complete [Vad06], while C3 can be verified in BPP ⊆ SZK. Since SZK is
closed under conjunction, disjunction, and complement (Lemma 3.6, see also [Vad99]), all three
properties can simultaneously be verified in SZK.

3 Preliminaries
Basic Terminology and Notation. We use bold letters to denote random variables (e.g. X or
x). By x ← x we mean that x is sampled according to the distribution of the random variable x.
We write Ex [·] to denote Ex←x [·], where any x appearing inside the expression in the expectation
is fixed. For any finite set S, x ← S denotes x sampled uniformly from S. Un denotes the
uniform distribution over {0, 1}n , and [n] denotes the set {1, 2, . . . , n}. For jointly distributed
random variables (x, y), and for a specific value y ← y, by (x | y) we mean the random variable
x conditioned on y = y. When we say an event occurs with negligible probability denoted by
negl(n), we mean it occurs with probability n−ω(1) . We call two random variables x, y (or their
corresponding distributions) over the support set S -close if their statistical distance ∆(x, y) =
1 P
2 · s∈S |Pr[x = s] − Pr[y = s]| is at most . By an ensemble (of random variables) {yx }x∈I we
denote a set of random variables indexed by a set I. We call two ensembles {yx }x∈I and {zx }x∈I
with the same index set statistically close if ∆(yx , zx ) = negl(|x|). We use the terms efficient and
PPT to refer to any probabilistic polynomial time (perhaps oracle-aided) algorithm. For an oracle
π and an (oracle-aided) algorithm V by Vπ we refer to an execution of V given access to π and
by ViewhVπ i we refer to the view of V in its execution given π which consists of its randomness
r and the sequence of its oracle query-answer pairs [(q1 , a1 ), (q2 , a2 ), . . . ] (having only the oracle
answers and r is sufficient to know ViewhVπ i). All logarithms are base 2. By H(X) we denote
the Shannon entropy of X defined as H(X) = EX lg(1/ Pr[X = x]). By H(X | Y), we denote
the conditional entropy as EY [H(X | Y )], and we note the conditional mutual information as
I(X; Y | Z) = H(X | Z) − (X | YZ).

3.1 Promise Problems

A language L is simply a partition of {0, 1}∗ into LY and LN (i.e. LY ∪LN = {0, 1}∗ and LY ∩LN =
∅).
A promise language (or problem) L = (LY , LN ) generalizes the notion of a language by only
requiring that LY ∩ LN = ∅ (but there could be some x ∈ {0, 1}∗ \ (LY ∪ LN )). For promise
problems, we will sometimes use x ∈ L to denote x ∈ LY .

Definition 3.1 (Operations on Promise Languages). We define the following three operations over
promise languages.
Y N
• The complement L = (L , L ) of a promise language L = (LY , LN ) is another promise
Y N
language such that L = LN and L = LY .

• For two promise languages L1 and L2 we define their conjunction L = L1 ∧ L2 as:

– x = (x1 , x2 ) ∈ LY iff x1 ∈ LY Y
1 and x2 ∈ L2 ,
– x = (x1 , x2 ) ∈ LN iff x1 ∈ LN N
1 or x2 ∈ L2 .

• For two promise languages L1 and L2 we define their disjunction L = L1 ∨ L2 as:

6
 – x = (x1 , x2 ) ∈ LY iff x1 ∈ LY Y
1 or x2 ∈ L2 ,
– x = (x1 , x2 ) ∈ LN iff x1 ∈ LN N
1 and x2 ∈ L2 .

It is easy to see that L1 ∨ L2 = L1 ∧ L1 .

Definition 3.2 (Karp Reduction). A Karp reduction R from a promise problem L1 to another
promise problem L2 is a deterministic efficient algorithm such that R(x) ∈ LY Y
2 for every x ∈ L1
N N
and R(x) ∈ L2 for every x ∈ L1 .

3.2 Interactive Proof Systems

Definition 3.3 (PCPs). A (randomized) probabilistically checkable proof (PCP for short) Π =
({πx∈L }, V) for a promise problem L consists of an ensemble of random variables {πx } for x ∈ L
whose values are oracles (also called proofs) and also a verifier V which is an oracle-aided PPT
with randomness r. We require the following properties to hold.

• Completeness: For every x ∈ LY and every π ∈ Supp(πx ) it holds that Prr [Vrπ (x) = 1] ≥ 2/3.

• Soundness: If x ∈ LN , then for every oracle π

b it holds that Prr [Vrπb (x) = 0] ≥ 2/3.

If the PCP also receives an auxiliary input w, the distribution of the oracles might depend on x
and w both, denoted as: {πx,w }. We call a PCP for problem L ∈ NP efficient, if for all x ∈ L and
witnesses w for x ∈ L, and all x ∈ Supp(πx,w ), there exists a poly(n)-sized circuit Cπ such that for
all queries q, Cπ (q) = π(q). Namely, Cπ encodes π.

Notice that this definition of efficiency is non-uniform: the distribution of proofs Cπ may depend
non-uniformly on x, w. This makes our results stronger than if we required Cπ to depend uniformly
on x, w, since we are proving a negative result.

Definition 3.4. Let Π = ({πx∈L,w }, V) be a PCP for the problem L with some auxiliary input
given to the oracle. Π is called zero-knowledge (ZK) if for every malicious poly(n)-time verifier V,
b
there exists a simulator Sim which runs in (expected) poly(n)-time and the following ensembles
are statistically close:
{Sim(x)}x∈L , {ViewhV b πx,w (x)i}x∈L .

Note that V b only has oracle access to πx,w , the auxiliary input is not given to the simulator and the
statistical indistinguishability should hold for large enough x (regardless of the witness w). We call
Π perfect ZK if the simulator distribution conditioned on not aborting is identically distributed to
the honest interaction.

Since we do not need the exact definition of the class SZK, here we only describe it at a high
level. The definition of SZK is indeed very similar to Definition 3.4 with the difference that the
soundness holds against provers (which can be thought of as stateful oracles who could answer new
queries depending on the previous queries asked.)

Definition 3.5 (Complexity Class SZK). The class SZK consists of promise problems which have
an interactive proof system with soundness error ≤ 1/3 and the view of any malicious verifier can
be simulated up to negl(n) statistical error.

7
Lemma 3.6. For a constant k, let L1 , . . . , Lk be a set of promise languages all in SZK, and let F
be a constant-size k-input formula with operations: complement, conjunction, and disjunction as
in Definition 3.1. Then F (L1 , . . . , LK ) ∈ SZK.

Here we give a sketch of the proof for completeness. (See Section 4.5 and Corollary 6.5.1
of [Vad99] for a more general and improved statement than that of Lemma 3.6.)

Proof Sketch. We will use the following:

Theorem 3.7 ( [Oka96]). The class SZK is closed under complement.
Since k is constant, we just need to prove the claim for formulas which have only a single
operation, and then the lemma follows by an induction. Moreover since L1 ∨ L2 = L1 ∧ L1 , we
just need to prove the claim for complement and conjunction operations. Theorem 3.7 proves this
for the complement. To obtain L1 ∧ L2 ∈ SZK, given the input (x1 , x2 ), the prover provides an
(interactive) SZK proof that x1 ∈ LY 1 and then (if the first interaction is accepted), he also provides
Y
a SZK proof that x2 ∈ L2 . (More formally, the prover and the verifier start with an amplified
version of the original protocols with soundness error < 1/6, the soundness error of the sequential
composition in this case remains < 1/3). On the other hand, if either of x1 ∈ LN N
1 , x2 ∈ L2 holds,
the corresponding interaction rejects with probability at leat 2/3.

3.3 Shannon Entropy and Related Computational Problems

Definition 3.8 (Conditional Entropy Approximation). The promise problem CEA is de-
fined as follows. Suppose C is a poly(n)-size circuit sampling a joint distribution (X, Y). Then
given (C, r) we have:

• (X, Y, r) ∈ CEAY
 if H(X | Y) ≥ r.

• (X, Y, r) ∈ CEAN
 if H(X | Y) ≤ r − .

Lemma 3.9. For any  > 1/ poly(n), CEA ∈ SZK.

Proof. We give a reduction from CEA to CEA, which is known to be SZK-complete [Vad06]. The
reduction maps
(X, Y, r) 7→ ((X1 , . . . , X1/ ), (Y1 , . . . , Y1/ ), r/)
where for every i ∈ [1/], (Xi1 , Xi2 ) is sampled identically to (X, Y) and independently of all other
components (i.e. by an independent copy of the circuit C). It is easy to see that
1
H((Y1 , . . . , Y1/ ) | (X1 , . . . , X1/ )) = · H(Y | X).


In our main reduction, we will reduce problems to the following problem in SZK:

Definition 3.10 (Conditional Entropy Bound). CEBα,β is the following promise problem
where inputs are poly(n)-size circuits C sampling a joint distribution (X, Y):

1. (X, Y) ∈ CEBY
α,β if H(X | Y) ≥ α.

8
 2. (X, Y) ∈ CEBN
α,β if H(X | Y) ≤ β.

The following is immediate from Lemma 3.9:

Lemma 3.11. For all α − β > 1/ poly(n), CEBα,β ∈ SZK.

3.4 Useful Facts and Lemmas

Fact 3.12 (Basic Facts about Entropy). The following hold for any random variables X, Y, Z:

1. H(X | Y) ≤ H(X).

2. I(X; Y | Z) = H(X | Z) − H(X | YZ) = H(Y | Z) − H(Y | XZ) ≥ 0

3. Data processing inequality: for any randomized function F (whose randomness is independent
of X, Y, Z), it holds that I(F(X); Y | Z) ≤ I(X; Y | Z).

In the following, define for  ∈ [0, 1] the value H() =  lg(1/) + (1 − ) lg(1/1−).

Lemma 3.13 (Bounding Statistical

p Distance from Conditional Entropy). If Supp(X) = {0, 1}n
then EY ←Y ∆(X | Y, Un ) ≤ n − H(X | Y).

Proof. We use the following definition.

Definition 3.14 (Kullback-Leibler Divergence). For random variables X, Y such that Supp(X) ⊆
Pr[X=X]
Supp(Y), the Kullback-Leibler divergence is defined as KL(X, Y) = EX lg( Pr[Y=X] ).
It can be verified by straightforward calculation that H(X) = n − KL(X, Un ). p
Pinsker’s inequality states that for any random variables x, y, it holds that ∆(x, y) ≤ KL(x, y).
Applying Pinsker’s inequality to (X | Y ) and Un for every fixed value of Y ← Y and using Jensen’s
inequality, we have:
p q p
E ∆(X | Y, Un ) ≤ E [ n − H(X | Y )] ≤ E [n − H(X | Y )] = n − H(X | Y)
Y ←Y Y ←Y Y ←Y

Lemma 3.15 (Bounding Conditional Entropy from Statistical Distance). Suppose ∆((X, Y), (X0 , Y0 )) ≤
 and Supp(X) ∪ Supp(X0 ) ⊆ {0, 1}n . Then it holds that | H(X | Y) − H(X0 | Y0 )| ≤ 4(H() +  · n).

To prove this lemma, we need the following:

Lemma 3.16. Suppose ∆((X, Y), (X0 , Y0 )) ≤  and let Z = (X00 , Y) be a random variable dis-
tributed as follows. The component Y ← Y is sampled, and then X00 conditioned on Y is distributed
similar to (X0 |Y0 = Y ). Then it holds that ∆((X, Y), Z) ≤ 2.

Proof. It is sufficient to show that ∆((X0 , Y0 ), Z) ≤ , which is true because the second components
have statistical distance at most  and the first components have statistical distance zero conditioned
on the second components being equal.

9
Proof of 3.15. We first prove the lemma for the case that Y, Y0 do not exist (i.e. ∆(X, X0 ) ≤ ).
It is well known that in this case there is a random variable X which has a measure of 1 −  in both
of X and X0 . Namely, one can think of a Boolean random variable b jointly distributed with X, X0
such that Pr[b = 0] =  and (X | b = 1) ≡ X ≡ (X0 | b = 1). Based on this “decomposition” we
get:
H(X) ≥ H(X | b) ≥ (1 − ) H(X | b = 1) = (1 − ) H(X).
On the other hand it holds that

H(X) ≤ H(b) + H(X | b) = H() +  H(X | b = 0) + (1 − ) · H(X | b = 1) ≤ H() + n + (1 − ) H(X).

Namely, both of H(X), H(X0 ) are lower-bounded by (1 − ) H(X) an upper-bounded by H() +

n + (1 − ) H(X), and therefore | H(X) − H(X0 )| ≤ H() + n.
Now, using the result above, we prove the conditional case through a hybrid argument. Given
the two pairs of random variables (X, Y), (X0 , Y0 ) define the hybrid random variable Z = (X00 , Y)
as defined in the statement of Lemma 3.16. We claim that

1. | H(X00 | Y) − H(X | Y)| ≤ 2(H() + n), and

2. | H(X00 | Y) − H(X0 | Y0 )| ≤ 2n.

Using these two bounds, Lemma 3.15 follows by a triangle inequality.

We obtain the first bound as follows.

| H(X00 | Y) − H(X | Y)| ≤ E | H(X00 | Y ) − H(X | Y )|

 
Y ←Y
≤ E H(∆(X00 | Y, X | Y )) + ∆(X00 | Y, X | Y ) · n
 
Y ←Y
E ∆(X00 | Y, X | Y ) + E ∆(X00 | Y, X | Y ) · n
 
 
(by concavity of Entropy) ≤ H
Y ←Y Y ←Y
(by Lemma 3.16) ≤ H(2) + (2) · n
(by concavity of Entropy) ≤ 2(H() +  · n).

To obtain the second bound we do as follows.

| H(X00 | Y) − H(X0 | Y0 )| = H(X0 | Y0 = Y ) − E 0 H(X0 | Y0 = Y )

   
E
Y ←Y Y ←Y
X
Pr[Y = Y ] − Pr[Y0 = y] · H(X0 | Y0 = Y )


=
Y ∈Supp(Y)∪Supp(Y 0 )
X
≤ Pr[Y = Y ] − Pr[Y0 = y] · n
Y ∈Supp(Y)∪Supp(Y 0 )

≤ 2∆(Y, Y0 ) · n

10
4 Proving the Main Result
Theorem 4.1. Suppose the promise problem L = (LY , LN ) has a ZK-PCP Π = ({πx∈L,w }, V) of
entropy at most H(πx,w ) ≤ poly(|x|). Then L ∈ SZK.

(Note that the theorem extends beyond efficient ZK-PCP’s and encompasses all ZK-PCP’s
where proofs have low entropy.) In the rest of this section we prove Theorem 4.1. Fix an efficient
ZK-PCP for L. Efficiency means there exists η = poly(n) such that every possible honest proof π
can be encoded by a circuit with binary description size at most η. This implies that for all x ∈ L
with witness w, if we let πx,w be the distribution of proofs defined by the ZK-PCP, it holds that
H(πx,w ) ≤ η.
Let V[`] = (V1 , . . . , V` ) be a verifier who executes ` independent instances of V against the
given oracle and let Vi be its ith verification. (We will fix a choice of ` = poly(n) later.) Let Sim
be the simulator that simulates the view of V[`] statistically well (i.e. Sim(x) is negl(|x|)-close to
the view of V[`] (x) when accessing πx ← πx,w for x ∈ L). The view of Vi can be represented as
ν i = (ri , q1i , ai1 , . . . , qm
i , ai ) where r i ∈ {0, 1}k is the randomness used by Vi , q i is its j th oracle
m j
query and aij is the answer to qji . We use the notation ai = (ai1 , . . . , aim ), q i = (q1i , . . . , qm
i ). The

view of V[`] consists of (ν 1 , . . . , ν ` ).

In order to prove L ∈ SZK, we show how to reduce L to a constant size formula over SZK
languages. Roundly speaking, our reduction reduces L to CEB ∧ CEB ∧ D (see Definition 3.1)
where D ∈ BPP ⊆ SZK which makes CEB ∧ CEB ∧ D ∈ SZK (see Lemma 3.6). To describe our
reduction formally we first need to define a circuit Cxsim and a promise problem Dα,β as follows.

• The circuit Cxsim takes as input rsim (for input length |x|). The circuit Cx outputs Sim(x; rsim ) =
(ν 1 , . . . , ν ` ) where for each i ∈ [`], ν i = (ri , q1i , ai1 , . . . , qm
i , ai ).
m

• For α > β, Dα,β is a promise problem whose inputs are Boolean circuits C. Suppose the
input length of C is n, then:
Y iff Pr[C(U ) = 1] ≥ α], and
1. C ∈ Dα,β n
N iff Pr[C(U ) = 1] ≤ β].
2. C ∈ Dα,β n

It is easy to see that for α − β > 1/ poly(n), Dα,β ∈ BPP.

Reduction 4.2 (Main Reduction). Given a parameter `, we map x 7→ (C1 , C2 , C3 ) as follows.

1. C1 is a circuit sampling the joint distribution (X1 , Y1 ) defined as follows. On input (rsim , i),
C1 executes the circuit Cxsim on a random rsim to get (ν 1 , . . . , ν ` ) ← Cxsim (rsim ) and sets:

X1 = ri and Y1 = (ν 1 , . . . , ν i−1 ).

2. C2 is a circuit sampling the joint distribution (X2 , Y2 ) defined as follows. On input (rsim , i, j),
C2 executes the circuit Cxsim on a random rsim to get (ν 1 , . . . , ν ` ) ← Cxsim (rsim ) and sets:

X2 = aij and Y2 = (ν 1 , . . . , ν i−1 , qji ).

We emphasize the fact that while aij , qji appear in the output of C2 , the actual index j itself
does not appear in the output.

11
 3. C3 is a circuit computing the following. On input (rsim , i), run Cxsim (rsim ) = (ν 1 , . . . , ν ` ), and
output 1 iff ν i is an accepting view of V.
Claim 4.3. Reduction 4.2 is a Karp reduction from L (specified in Theorem 4.1) to the promise
language Z = CEBk−1/200,k−1/100 ∧ CEB2η/`,1.1η/` ∧ D0.66,β for β = 1/3 + 1/10 + 2mη/`.

Proving Theorem 4.1 using Claim 4.3. By taking ` = 40mη, it holds that 2m · η/` < 1/20
in Lemma 4.8 and so β < 1/2, which implies that Dα,β ∈ BPP, Z ∈ SZK, and so L ∈ SZK.
In the following we prove Claim 4.3 by studying each cases of x ∈ LY and x ∈ LN separately.
We begin with a lemma that will be useful for the case x ∈ L.
The following lemma bounds the conditional entropy of a single answer to a single randomly
chosen verifier query by the conditional entropy of the set of all answers to the set of all verifier
queries. This is non-trivial because the verifier queries may be asked adaptively.
Lemma 4.4. Let A be any randomized algorithm that (adaptively) queries a PCP π. Let r ∈ {0, 1}k
denote the random coins of A. Let q = (q1 , . . . , qm ) be the queries that Aπ (r) makes and let
aj = π(qj ) be the corresponding answers. Let π be an arbitrary distribution over proofs, and let q
and a be the distribution over (the vectors of ) queries and answers obtained by querying π using
algorithm A on uniform random coins r. Let also j be an arbitrary distribution over [m].
Then H(aj | qj ) ≤ H(a | r) where in the notation qj the value of j is not explicitly revealed.
Proof. By the definition of conditional entropy and adding 0 = H(aj qj | π) − H(aj qj | π), we get
H(aj | qj ) = H(aj qj ) − H(aj qj | π) − (H(qj ) − H(aj qj | π)).
Since a proof π is stateless for any fixed π, given any query q asked at some point during the
execution of Aπ , the answer a = π(q) is also fixed. Therefore it holds that H(aj qj | π) = H(qj | π),
and by the definition of mutual information, we may deduce that
H(aj | qj ) = I(aj qj ; π) − I(qj ; π) ≤ I(aj qj ; π).
Since I(aj qj ; π) = H(π) − H(π | aj qj ) and since π and r are independent, Item 1 of Fact 3.12
implies that
H(aj | qj ) ≤ I(aj qj ; π) = H(π) − H(π | aj qj ) ≤ H(π | r) − H(π | aj qj r) = I(aj qj ; π | r).
Let F be the function that takes as input (a, q) and outputs (aj , qj ) by sampling j. By the data
processing inequality (Item 3 of Fact 3.12) it holds that
H(aj | qj ) ≤ I(aj qj ; π | r) = I(F(aq); π | r) ≤ I(aq; π | r) ≤ H(aq | r) = H(a | r) + H(q | ar).
Finally, since H(q | ar) = 0, this implies the proposition.

Remark 4.5. We emphasize that if π was stateful (i.e. a “prover”, rather than a “proof”), then
Lemma 4.4 would be false. Even a deterministic prover can correlate his answers to the verifier’s
queries, and so it may be that H(a | q) = 0 but H(aj | qj ) > 0. Namely, even given π (say for a
stateful prover that π gives the random coins of the prover) and a query q, the answer to q may
have entropy because π’s answer to q may be different depending on whether q was asked as the
first query or second query or third query, etc. In particular, the equality H(aj qj | π) = H(qj | π)
used in the proof of Lemma 4.4 would not hold anymore. This is one place where we crucially use
the fixed nature of a PCP.

12
4.1 Proof of Claim 4.3: the Case x ∈ LY
Y
Here we would like to show that (C1 ∈ CEBY Y
k−1/200,k−1/100 ) ∧ (C2 ∈ CEB2η/`,1.1η/` ) ∧ (C3 ∈ D0.66,β ).
We study each of the generated instances Ci for i ∈ [3]. In all these cases, we first assume that the
simulator’s output is identically distributed to the view of V[`] interacting with a prover and then
will show how remove this assumption.

The Instance C1 . If the simulator’s outputs were identically distributed to the view of V[`]
interacting with a prover, then the simulated randomness X1 = ri will be uniformly distributed
over {0, 1}k with entropy k independently of Y1 = (ν 1 , . . . , ν i−1 ). Since the simulator generates a
view that is statistically close to the honest interaction (and since k = poly(|x|) and H(negl(n)) =
negl(n)) we may apply Lemma 3.15 to deduce that H(X1 | Y1 ) ≥ k −negl(n) ≥ k − 1/200. Therefore,
C1 ∈ CEBY k−1/200,k−1/100 .

The Instance C2 . Fix an arbitrary witness w of x ∈ L, and we study the view of V[`] while
interacting with a proof generated according to the distribution πx,w whose entropy is bounded
by η. Suppose first that the simulator’s outputs were identically distributed to the view of V[`]
interacting with πx,w . In this case, by an argument similar to [IMS12], one can show that

Claim 4.6. Ei←[`] H(ai | ν 1 , . . . , ν i−1 , ri ) ≤ η/`.

Proof.

η + k` ≥ H(πx,w ) + H(r1 , . . . , r` )
(πx,w and r1 , . . . , r` are independent) = H(πx,w , r1 , . . . , r` )
(πx,w and r1 , . . . , r` determine ν 1 , . . . , ν ` ) ≥ H(ν 1 , . . . , ν ` )
X
= H(ν i | ν 1 , . . . , ν i−1 )
i∈[`]
X
i i i
(r and a determine q ) = H(ri | ν 1 , . . . , ν i−1 ) + H(ai | ν 1 , . . . , ν i−1 , ri )
i∈[`]
X
= k` + H(ai | ν 1 , . . . , ν i−1 , ri ).
i∈[`]

Therefore, by averaging over i we obtain that Ei←[`] H(ai | ν 1 , . . . , ν i−1 , ri ) ≤ η/`.

The following claim is also based on the assumption that the simulation is perfect, and thus the
distribution of (ν 1 , . . . , ν m ) generated by the simulator is identical to the view of V[`] run against
π ← πx∈L,w .

Claim 4.7. For each fixed value of i and (ν 1 , . . . , ν i−1 ), it holds that

H(aij | qij , ν 1 , . . . , ν i−1 ) ≤ H(ai | ri , ν 1 , . . . , ν i−1 ) (1)

Namely, the entropy of the answers of the ith verification gives an upper-bound on the entropy of
the answer to a randomly chosen query of the verifier without revealing its index.

13
Proof. Let (πx,w , ν 1 , . . . , ν i−1 ) be the joint distribution of an honest proof πx,w and i−1 executions
of the honest verifier V1 , . . . , Vi−1 using proof πx,w . Apply Lemma 4.4 using the distribution
over proofs given by (πx,w | ν 1 , . . . , ν i−1 ), and with the honest verifier algorithm Vi as the query
algorithm accessing the proof.

Using Claims 4.6 and 4.7, we conclude that H(X2 | Y2 ) ≤ η/`, assuming that the simulator
was perfect. If we only assume that the simulator’s output is statistically close to the view of V[`]
interacting with πx,w , then we can apply Lemma 3.15 and deduce that H(X2 | Y2 ) ≤ η/`+negl(n) <
Y
1.1η/` which implies that C2 ∈ CEB2η/`,1.1η/` .

The Instance C3 . By the completeness of Π, when V[`] = (V1 , . . . , V ` ) interacts with a proof, for
all i ∈ [`], Vi accepts with probability ≥ 2/3. Since the simulation is statistically close to the real
interaction, it holds that ν i is accepting with probability 2/3 − negl(n) ≥ 0.66, and so C3 ∈ D0.66,β
Y .

4.2 Proof of Claim 4.3: the Case x ∈ LN

N
Here we would like to show that (C1 ∈ CEBN N
k−1/200,k−1/100 ) ∨ (C2 ∈ CEB2η/`,1.1η/` ) ∨ (C3 ∈ D0.66,β ).
This follows from the following lemma.
N
Lemma 4.8. Suppose x ∈ LN , C1 6∈ CEBN k−1/200,k−1/100 , and C2 6∈ CEB2η/`,1.1η/` . Then it holds
N
that C3 ∈ D0.66,β for β = 1/3 + 1/10 + 2m · η/`.

N
Intuition. Since C2 6∈ CEB2η/`,1.1η/` , therefore, the oracle answers returned to the verifier in the
ith execution (for a random i ← [`]) all have very low entropy and thus close to a fixed proof.
Moreover, due to C1 6∈ CEBN k−1/200,k−1/100 , the randomness of verifier in this execution has almost
full entropy, and therefore, the ith execution is close to an honest execution of the verifier against
some oracle. Finally, since x ∈ LN by the soundness of the PCP, the verifier would accept with
probability at most ≈ 1/3. The formal argument goes through a hybrid argument as follows.

Experiments. The outputs of all experiments described below consist of a view of V[i] (i.e. the
first i executions of the verifier). The distribution of (ν 1 , . . . , ν i−1 ) in all of these executions is the
same and is sampled by Sim(x), and they only differ in the way they sample ν i .

• Experiment Real. Choose i ← [`], and take the output (ν 1 , . . . , ν i ) by running Sim(x).

• Experiment Ideal. Choose i ← [`], and take the output (ν 1 , . . . , ν i−1 ) by running Sim(x).
To sample ν i = (ri , qi , ai ) we first sample ri ← {0, 1}k uniformly at random, and then using
ri we run the verifier against the oracle π b defined as follows.
The Oracle π b: Suppose we have fixed (ν i , . . . , ν i−1 ). Recall the distribution ((qij , aij ) |
ν i , . . . , ν i−1 ) defined above when defining the instance C2 (i.e., (aij , qij ) is a randomly chosen
pair of query-answer pairs from the view ν i without revealing the index j). For every query
q, the oracle π b gets one sample according to a ← (aij | ν i , . . . , ν i−1 , qij = q) and sets π
b(q) = a
i i i−1
forever. If Pr[qj = q | ν , . . . , ν ] = 0, we define π b(q) = ⊥.

14
 • Experiment Hybj for j ∈ [m + 1]. These experiments are in between Real and Ideal
and for larger j they become closer to Real. Here we choose i ← [`], and take the output
(ν 1 , . . . , ν i ) by running Sim(x). Then we will re-sample parts of ν i as follows. We will keep
(ri , (q1i , ai1 ), . . . , (qj−1
i , ai
j−1 )) as sampled by Sim(x). For the remaining queries and answers
we sample an oracle π b as described in Ideal, and we let (qji , aij ), . . . , (qm
i , ai ) be the result of
m
continuing the execution of Vi using ri and the oracle π b. Note that Hybm+1 ≡ Real.

Claim 4.9. If x ∈ LN , then PrIdeal [ν i accepts ] ≤ 1/3.

Claim 4.10. If C1 6∈ CEBN

k−1/200,k−1/100 , then ∆(Ideal, Hyb1 ) ≤ 1/10.

N
Claim 4.11. If C2 6∈ CEB2η/`,1.1η/` , then Ej∈[m] ∆(Hybj , Hybj+1 ) ≤ 2η/`.

Proving Lemma 4.8. Claims 4.9, 4.10, and 4.11 together imply that
X
Pr [ν i accepts ] ≤ Pr [ν i accepts ] + ∆(Ideal, Hyb1 ) + ∆(Hybj , Hybj+1 ) ≤ 1/3 + 1/10 + 2mη/`
Real Ideal
j∈[m]

N
which proves that C3 ∈ D2/3,β . In the following we prove these claims.

b is sampled and fixed before choosing ri and executing Vi , and

Proof of Claim 4.9. Since the oracle π
because x ∈ L , by the soundness property of the PCP it holds that PrIdeal [ν i accepts ] ≤ 1/3.
N

Proof of Claim 4.10. If C1 6∈ CEBN i 1

k−1/200,k−1/100 , then it means that we have Ei←[`] [H(r | ν , . . . , ν
i−1 )] ≥

k − 1/100. By Lemma 3.13 it holds that

p
E [∆((ri | ν 1 , . . . , ν i−1 ), Uk )] ≤ 1/100 = 1/10.
i←[`],ν 1 ,...,ν i−1

But note that the only difference between Ideal and Hyb1 is the way we sample ri conditioned
on the previously sampled parts (i.e. ν 1 , . . . , ν i−1 ). Thus it holds that ∆(Ideal, Hyb1 ) ≤ 1/10.

Proof of Claim 4.11. The only difference between Hybj and Hybj+1 is the way they answer qji . In
Hybj+1 the original answer of the simulator is used, while in Hybj this answer is provided by the
oracle π
b. Thus, they are different only when the answer re-sampled by π b differs from the original
answer. Therefore, we have that:
 
i i 1 i−1
∆(Hybj , Hybj+1 ) ≤ E Pr [aj 6= π
b (qj ) | i, ν , . . . , ν ]
ν 1 ,...,ν i−1 ,i ai ,qi ,b
π

Taking an expectation over all j ← [`] we conclude Claim 4.11 as follows.

 
i i 1 i−1
E[∆(Hybj , Hybj+1 )] = E Pr [aj 6= π
b (qj ) | i, ν , . . . , ν ]
j j,i,ν 1 ,...,ν i−1 ai ,qi ,b
π
 
i i 1 i−1
= E Pr [aj 6= πb (qj ) | i, ν , . . . , ν ]
i,ν 1 ,...,ν i−1 j,ai ,qi ,b
π

15
By combining the sampling of aij , qij directly, we have that
" #
E[∆(Hybj , Hybj+1 )] = E Pr [aij 6= π
b (qij ) | i, ν 1 , . . . , ν i−1 ]
j i,ν 1 ,...,ν i−1 aij ,qij ,b
π
" #
= E 1 − Pr [aij = π
b (qij ) | i, ν 1 , . . . , ν i−1 ]
i,ν 1 ,...,ν i−1 aij ,qij ,b
π
 
= E 1 − Pr[aij = π
b (qji ) | i, ν 1 , . . . , ν i−1 ]
i,ν 1 ,...,ν i−1 ,qji ,aij π
b
" #
1
(since 1 − α ≤ lg(1/α) for α ∈ [0, 1]) ≤ E lg i =π i ) | i, ν 1 , . . . , ν i−1 ]
1
i,ν ,...,ν i−1 i i
,qj ,aj Prπ [a
b j b (q j
h i
b ) = E H(aij | ν 1 , . . . , ν i−1 , qij )
(by the definition of oracle π
i
N
(since C2 6∈ CEB2η/`,1.1η/` ) ≤ 2η/`.

References
[AGGM06] Adi Akavia, Oded Goldreich, Shafi Goldwasser, and Dana Moshkovitz. On basing one-
way functions on np-hardness. In Proceedings of the 38th Annual ACM Symposium on
Theory of Computing (STOC), pages 701–710, 2006. 4

[AH91] William Aiello and Johan Håstad. Statistical zero-knowledge languages can be recog-
nized in two rounds. Journal of Computer and System Sciences, 42(3):327–345, 1991.
Preliminary version in FOCS’87. 2, 4

[ALM+ 98] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy.
Proof verification and the hardness of approximation problems. Journal of the ACM,
45(3):501–555, 1998. Preliminary version in FOCS’92. 1

[AS98] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs: a new characteriza-
tion of NP. Journal of the ACM, 45(1):70–122, 1998. Preliminary version in FOCS’92.
1

[BFL90] László Babai, Lance Fortnow, and Carsten Lund. Non-deterministic exponential time
has two-prover interactive protocols. In FOCS, pages 16–25, 1990. 1

[BGKW88] Michael Ben-Or, Shafi Goldwasser, Joe Kilian, and Avi Wigderson. Multi-prover in-
teractive proofs: How to remove intractability assumptions. In STOC, pages 113–131,
1988. 1

[BHZ87] Ravi B. Boppana, Johan Håstad, and Stathis Zachos. Does co-NP have short interactive
proofs? Information Processing Letters, 25:127–132, 1987. 2

[BM88] László Babai and Shlomo Moran. Arthur-merlin games: A randomized proof system,
and a hierarchy of complexity classes. J. Comput. Syst. Sci., 36(2):254–276, 1988. 1

16
[BT06] Andrej Bogdanov and Luca Trevisan. Average-case complexity. CoRR, 2006. 4

[CGGM00] Ran Canetti, Oded Goldreich, Shafi Goldwasser, and Silvio Micali. Resettable zero-
knowledge (extended abstract). In STOC, pages 235–244, 2000. 2

[CGS08] Nishanth Chandran, Vipul Goyal, and Amit Sahai. New constructions for UC secure
computation using tamper-proof hardware. In EUROCRYPT, pages 545–562, 2008. 3

[DFK+ 92] Cynthia Dwork, Uriel Feige, Joe Kilian, Moni Naor, and Shmuel Safra. Low commu-
nication 2-prover zero-knowledge proofs for np. In CRYPTO, pages 215–227, 1992.
2

[FF93] Joan Feigenbaum and Lance Fortnow. Random-self-reducibility of complete sets. SIAM
Journal on Computing, 22(5):994–1005, 1993. 4

[For89] Lance Fortnow. The complexity of perfect zero-knowledge. Advances in Computing

Research: Randomness and Computation, 5:327–343, 1989. 2, 4

[FRS94] Lance Fortnow, John Rompel, and Michael Sipser. On the power of multi-prover
interactive protocols. Theoretical Computer Science, 134(2):545–557, 1994. 1

[GIMS10] Vipul Goyal, Yuval Ishai, Mohammad Mahmoody, and Amit Sahai. Interactive lock-
ing, zero-knowledge PCPs, and unconditional cryptography. In Tal Rabin, editor,
CRYPTO, volume 6223 of Lecture Notes in Computer Science, pages 173–190. Springer,
2010. 3

[GIS+ 10] Vipul Goyal, Yuval Ishai, Amit Sahai, Ramarathnam Venkatesan, and Akshay Wadia.
Founding cryptography on tamper-proof hardware tokens. In Daniele Micciancio, edi-
tor, TCC, volume 5978 of Lecture Notes in Computer Science, pages 308–326. Springer,
2010. 3

[GKR08] Shafi Goldwasser, Yael Tauman Kalai, and Guy Rothblum. One-time programs. In
CRYPTO, Lecture Notes in Computer Science, pages 39–56. Springer, 2008. 3

[GMR89] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of
interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989. Prelim-
inary version in STOC’85. 1

[GMW91] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their
validity or all languages in NP have zero-knowledge proof systems. Journal of the
ACM, 38(1):691–729, 1991. Preliminary version in FOCS’86. 1

[GOVW12] Sanjam Garg, Rafail Ostrovsky, Ivan Visconti, and Akshay Wadia. Resettable statis-
tical zero knowledge. In Ronald Cramer, editor, TCC, volume 7194 of Lecture Notes
in Computer Science, pages 494–511. Springer, 2012. 2

[GS89] Shafi Goldwasser and Michael Sipser. Private coins versus public coins in interactive
proof systems. Advances in Computing Research: Randomness and Computation, 5:73–
90, 1989. 4

17
[GVW01] Oded Goldreich, Salil Vadhan, and Avi Wigderson. On interactive proofs with a laconic
prover. In Proc. 28th ICALP, pages 334–345, 2001. 4

[HMX10] Iftach Haitner, Mohammad Mahmoody, and David Xiao. A new sampling protocol
and applications to basing cryptographic primitives on the hardness of NP. In IEEE
Conference on Computational Complexity, pages 76–87. IEEE Computer Society, 2010.
4

[IMS12] Yuval Ishai, Mohammad Mahmoody, and Amit Sahai. On efficient zero-knowledge
PCPs. In Ronald Cramer, editor, TCC, volume 7194 of Lecture Notes in Computer
Science, pages 151–168. Springer, 2012. 2, 3, 4, 5, 13

[Kat07] Jonathan Katz. Universally composable multi-party computation using tamper-proof

hardware. In EUROCRYPT, Lecture Notes in Computer Science, pages 115–128.
Springer, 2007. 3

[Kil92] Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended ab-
stract). In Proceedings of the 24th Annual ACM Symposium on Theory of Computing
(STOC), pages 723–732, 1992. 1

[Kol10] Vladimir Kolesnikov. Truly efficient string oblivious transfer using resettable tamper-
proof tokens. In TCC, pages 327–342, 2010. 3

[KPT97] Joe Kilian, Erez Petrank, and Gábor Tardos. Probabilistically checkable proofs with
zero knowledge. In STOC: ACM Symposium on Theory of Computing (STOC), 1997.
2

[MS08] Tal Moran and Gil Segev. David and Goliath commitments: UC computation for
asymmetric parties using tamper-proof hardware. In EUROCRYPT, pages 527–544,
2008. 3

[MV03] Daniele Micciancio and Salil Vadhan. Statistical zero-knowledge proofs with efficient
provers: lattice problems and more. In Advances in Cryptology – CRYPTO 2003,
volume 2729 of Lecture Notes in Computer Science, pages 282–298. Springer, 2003. 2

[Oka96] Tatsuaki Okamoto. On relationships between statistical zero-knowledge proofs. In

Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC),
pages 649–658. ACM Press, 1996. 8

[OV08] Shien Jin Ong and Salil P. Vadhan. An equivalence between zero knowledge and
commitments. In Ran Canetti, editor, TCC, volume 4948 of Lecture Notes in Computer
Science, pages 482–500. Springer, 2008. 2

[Vad99] Salil P. Vadhan. A Study of Statistical Zero-Knowledge Proofs. PhD thesis, Mas-
sachusetts Institute of Technology, Cambridge, MA, USA, 1999. 6, 8

[Vad06] Salil P. Vadhan. An unconditional study of computational zero knowledge. SIAM

Journal on Computing, 36(4):1160–1214, 2006. Preliminary version in FOCS’04. 6, 8

18