Resettably-Sound Resettable Zero Knowledge Arguments for NP

Author

  • Yi Deng

Abstract

We construct resettably-sound resettable zero knowledge arguments for NP based on a standard hardness assumption (the existence of claw-free permutations) in the plain model. This proves the simultaneous resettability conjecture posed by Barak et al. in [FOCS 2001]. Our construction, inspired by the paradigm for designing concurrent zero knowledge protocols, makes crucial use of a tool called instance-dependent resettably-sound resettable WI argument of knowledge (IDWIAOK, and a special-purpose variant), introduced recently by Deng and Lin in [Eurocrypt 2007]. Roughly speaking, for an NP statement of the form x0 ∨ x1, IDWIAOK is an argument for which the resettable WI property holds when both x0 and x1 are YES instances, and the resettably-sound argument of knowledge property holds when x0 is a NO instance. The heart of the simulator for our protocol is a new technique that allows us to embed the (non-black-box) straight-line simulation strategy in the (black-box) recursive rewinding simulation strategy.

1 The problem and our result

It is well known that randomness is essential to zero knowledge proofs/arguments [17]. Moreover, in multiple executions of a zero knowledge protocol, we often require that all parties use independent randomness in each execution for security purposes. This gives rise to natural questions: Is it possible to achieve zero knowledge when the prover uses the same randomness in multiple executions? Is it possible to achieve soundness when the verifier uses the same randomness in multiple executions? Both questions were resolved in the positive. Canetti et al. [6] put forward and realized the concept of resettable zero knowledge (stronger than the concept of concurrent zero knowledge [12]) argument, which allows an honest prover to use the same random tape in polynomially many executions without sacrificing the zero knowledge property; Barak et al. [3] put forward and realized the concept of resettably-sound zero knowledge argument, which allows an honest verifier to use the same random tape in polynomially many executions without sacrificing the soundness property.

It should be noted that the above two questions were answered separately: the proof system presented by Canetti et al. is resettable zero knowledge but not resettably-sound, whereas the argument system presented by Barak et al. is resettably-sound but not resettable zero knowledge. This leaves a challenge in this line of research: Can we construct a single argument system for some nontrivial language that remains resettable zero knowledge and resettably-sound simultaneously? Indeed, Barak et al. conjectured the following [3]:

Simultaneous resettability conjecture: there exist resettably-sound resettable ZK arguments for NP.

We stress that this conjecture is for the case of argument system (rather than proof system) and non-black box zero knowledge. Previous work [3] showed that, for non-trivial

* Submitted on Nov. 18.


Similar resources

Resettably-Sound Zero-Knowledge and its Applications

Resettably-sound proofs and arguments remain sound even when the prover can reset the verifier, and so force it to use the same random coins in repeated executions of the protocol. We show that resettably-sound zero-knowledge arguments for NP exist if collision-resistant hash functions exist. In contrast, resettably-sound zero-knowledge proofs are possible only for languages in P/poly. We prese...


A Constant-Round Resettably-Sound Resettable Zero-Knowledge Argument in the BPK Model

In resetting attacks against a proof system, a prover or a verifier is reset and enforced to use the same random tape on various inputs as many times as an adversary may want. Recent deployment of cloud computing gives these attacks a new importance. This paper shows that argument systems for any NP language that are both resettably-sound and resettable zero-knowledge are possible by a constant...


Instance-Dependent Verifiable Random Functions and Their Application to Simultaneous Resettability

We introduce a notion of instance-dependent verifiable random functions (InstD-VRFs for short). Informally, an InstD-VRF is, in some sense, a verifiable random function [23] with a special public key, which is generated via a (possibly) interactive protocol and contains an instance y ∈ L ∩ {0, 1}∗ for a specific NP language L, but the security requirements on such a function are relaxed: we only...


Resettably-Sound Resettable Zero Knowledge in Constant Rounds

In FOCS 2001 Barak et al. conjectured the existence of zero-knowledge arguments that remain secure against resetting provers and resetting verifiers. The conjecture was proven true by Deng et al. in FOCS 2009 under various complexity assumptions and requiring a polynomial number of rounds. Later on in FOCS 2013 Chung et al. improved the assumptions requiring one-way functions only but still wit...


4-Round Resettably-Sound Zero Knowledge

While 4-round constructions of zero-knowledge arguments are known based on the existence of one-way functions, constructions of resettably-sound zero-knowledge arguments require either stronger assumptions (the existence of a fully-homomorphic encryption scheme), or more communication rounds. We close this gap by demonstrating a 4-round resettably-sound zero-knowledge argument for NP based on the...



Journal:
  • IACR Cryptology ePrint Archive

Volume: 2008

Publication date: 2008