Abstract
A basic question concerning zero-knowledge proof systems is whether their (sequential and/or parallel) composition is zero-knowledge too. This question is not only of natural theoretical interest, but is also of great practical importance as it concerns the use of zero-knowledge proofs as subroutines in cryptographic protocols.
We prove that the original formulation of zero-knowledge as appearing in the pioneering work of Goldwasser, Micali and Rackoff is not closed under sequential composition. This fact was conjectured by many researchers leading to the introduction of stronger formulations of zero-knowledge (e.g. black-box simulation). We also prove that the parallel composition of zero-knowledge protocols does not necessarily result in a new zero-knowledge protocol: we present two protocols, both being zero-knowledge in a strong sense yet their parallel composition is not zero-knowledge (not even in a weak sense).
We present a lower bound on the round complexity of zero-knowledge proofs. We prove that only BPP languages have 3-round interactive proofs which are black-box simulation zero-knowledge. Moreover, we show that languages having constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge are in BPP. These results have significant implications to the parallelization of zero-knowledge proofs. In particular it follows that the "parallel versions" of the original interactive proofs systems for quadratic residuosity, graph isomorphism and any language in NP, are not black-box simulation zero-knowledge, unless the corresponding languages are in BPP. This resolves an open problem arising from the early works on zero-knowledge. Other consequences are a proof of optimality for the round complexity of various known zero-knowledge protocols, and a structure theorem for the hierarchy of Arthur-Merlin zero-knowledge languages.
Extended Abstract
Research was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
References
Babai, L., “Trading Group Theory for Randomness”, Proc. 17th STOC, 1985, pp. 421–429.
Bellare, M., Micali S. and Ostrovsky R., "Perfect Zero-Knowledge in Constant Rounds", to appear in Proc. 22nd STOC, 1990.
Brassard, G., D. Chaum, and C. Crépau, "Minimum Disclosure Proofs of knowledge", JCSS, Vol. 37, No. 2, 1988, pp. 156–189.
Feige, U., M.Sc. Thesis, Weizmann Institute, 1987.
Feige, U., and A. Shamir, "Zero knowledge proofs of knowledge in two rounds", Proceedings of Crypto89, 1989.
Goldreich, O., and Krawczyk, H., "Sparse Pseudorandom Distributions", Crypto89. Extended version: Technical Report 553, Computer Science Dept., Technion, Haifa, 1989.
Goldreich, O., and Kahan, A., "Using Claw-Free Permutations to Construct Constant-Round Zero-Knowledge Proofs for NP", in preparation, 1989.
Goldreich, O., S. Micali, and A. Wigderson, "Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design", Proc. 27th FOCS, 1986, pp. 174–187. Submitted to J. of the ACM.
Goldreich, O., S. Micali, and A. Wigderson, "How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority", Proc. 19th STOC, 1987, pp. 218–229.
Goldwasser, S., and S. Micali, "Probabilistic Encryption", JCSS, Vol. 28, No. 2, 1984, pp. 270–299.
Goldwasser, S., S. Micali, and C. Rackoff, "Knowledge Complexity of Interactive Proofs", Proc. 17th STOC, 1985, pp. 291–304.
Goldwasser, S., S. Micali, and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems", SIAM Jour. on Computing, Vol. 18, 1989, pp. 186–208.
Goldwasser, S., and M. Sipser, “Private Coins vs. Public Coins in Interactive Proof Systems”, Proc. 18th STOC, 1986, pp. 59–68.
A. Joffe, "On a Set of Almost Deterministic k-Independent Random Variables", the Annals of Probability, 1974, Vol. 2, No. 1, pp. 161–162.
Oren, Y., “On the Cunning Power of Cheating Verifiers: Some Observations About Zero-Knowledge Proofs”, Proc. of the 28th IEEE Symp. on Foundation of Computer Science, 1987, pp. 462–471.
Simon, D., M.Sc. Thesis, University of Toronto, 1989.
Tompa, M., and H. Woll, “Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information”, Proc. of the 28th IEEE Symp. on Foundation of Computer Science, 1987, pp. 472–482.
Yao, A.C., “How to Generate and Exchange Secrets”, Proc. 27th FOCS, pp. 162–167, 1986.
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1990 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Goldreich, O., Krawczyk, H. (1990). On the composition of zero-knowledge proof systems. In: Paterson, M.S. (eds) Automata, Languages and Programming. ICALP 1990. Lecture Notes in Computer Science, vol 443. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0032038
Download citation
DOI: https://doi.org/10.1007/BFb0032038
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-52826-5
Online ISBN: 978-3-540-47159-2
eBook Packages: Springer Book Archive