Composition of Zero-Knowledge Proofs with Efficient Provers

We revisit the composability of different forms of zero-knowledge proofs when the honest prover strategy is restricted to be polynomial time (given an appropriate auxiliary input). Our results are: When restricted to efficient provers, the original Goldwasser–Micali–Rackoff (GMR) definition of zero knowledge (STOC '85), here called plain zero knowledge, is closed under a constant number of sequential compositions (on the same input). This contrasts with the case of unbounded provers, where Goldreich and Krawczyk (ICALP '90, SICOMP '96) exhibited a protocol that is zero knowledge under the GMR definition, but for which the sequential composition of 2 copies is not zero knowledge. If we relax the GMR definition to only require that the simulation is indistinguishable from the verifier's view by uniform polynomial-time distinguishers, with no auxiliary input beyond the statement being proven, then again zero knowledge is not closed under sequential composition of 2 copies. We show that auxiliary-input zero knowledge with efficient provers is not closed under parallel composition of 2 copies under the assumption that there is a secure key agreement protocol (in which it is easy to recognize valid transcripts). Feige and Shamir (STOC '90) gave similar results under the seemingly incomparable assumptions that (a) the discrete logarithm problem is hard, or (b) ${\mathcal{UP}}\not\subseteq {\mathcal{BPP}}$ and one-way functions exist.

[24]  Salil Vadhan,et al.  Composition of Zero-Knowledge Proofs with Efficient , 2009 .