Journal of Cryptology, Volume 7, Issue 1, pp 1–32

Definitions and properties of zero-knowledge proof systems

  • Oded Goldreich
  • Yair Oren


In this paper we investigate some properties of zero-knowledge proofs, a notion introduced by Goldwasser, Micali, and Rackoff. We introduce and classify two definitions of zero-knowledge: auxiliary-input zero-knowledge and blackbox-simulation zero-knowledge. We explain why auxiliary-input zero-knowledge is a definition more suitable for cryptographic applications than the original [GMR1] definition. In particular, we show that any protocol solely composed of subprotocols which are auxiliary-input zero-knowledge is itself auxiliary-input zero-knowledge. We show that blackbox-simulation zero-knowledge implies auxiliary-input zero-knowledge (which in turn implies the [GMR1] definition). We argue that all known zero-knowledge proofs are in fact blackbox-simulation zero-knowledge (i.e., were proved zero-knowledge using blackbox-simulation of the verifier). As a result, all known zero-knowledge proof systems are shown to be auxiliary-input zero-knowledge and can be used for cryptographic applications such as those in [GMW2].

We demonstrate the triviality of certain classes of zero-knowledge proof systems, in the sense that only languages in BPP have zero-knowledge proofs of these classes. In particular, we show that any language having a Las Vegas zero-knowledge proof system necessarily belongs to RP. We show that randomness of both the verifier and the prover, and nontriviality of the interaction are essential properties of (nontrivial) auxiliary-input zero-knowledge proofs.

Key words

Zero-knowledge, Computational complexity, Computational indistinguishability, Cryptographic composition of protocols




  1. [AH1]
    Aiello, W., and J. Hastad, Perfect Zero-Knowledge Languages Can Be Recognized in Two Rounds, Proc. 28th FOCS, 1987, pp. 439–448.
  2. [AH2]
    Aiello, W., and J. Hastad, Relativized Perfect Zero-Knowledge Is Not BPP, Inform. and Comput., Vol. 93, 1992, pp. 223–240.
  3. [B]
    Babai, L., Trading Group Theory for Randomness, Proc. 17th STOC, 1985, pp. 421–429.
  4. [BCC]
    Brassard, G., D. Chaum, and C. Crepeau, Minimum Disclosure Proofs of Knowledge, J. Comput. System Sci., Vol. 37, No. 2, Oct. 1988, pp. 156–189.
  5. [FS]
    Feige, U., and A. Shamir, Personal communication.
  6. [F]
    Fortnow, L., The Complexity of Perfect Zero-Knowledge, Proc. 19th STOC, 1987, pp. 204–209.
  7. [GGM]
    Goldreich, O., S. Goldwasser, and S. Micali, How To Construct Random Functions, J. Assoc. Comput. Mach., Vol. 33, No. 4, 1986, pp. 792–807.
  8. [GK]
    Goldreich, O., and H. Krawczyk, On the Composition of Zero-Knowledge Proof Systems, Proc. 17th ICALP, Lecture Notes in Computer Science, Vol. 443, Springer-Verlag, Berlin, 1990, pp. 268–282.
  9. [GMS]
    Goldreich, O., Y. Mansour, and M. Sipser, Interactive Proof Systems: Provers that Never Fail and Random Selection, Proc. 28th FOCS, 1987, pp. 449–461.
  10. [GMW1]
    Goldreich, O., S. Micali, and A. Wigderson, Proofs that Yield Nothing but their Validity and a Methodology of Cryptographic Protocol Design, Proc. 27th FOCS, 1986, pp. 174–187.
  11. [GMW2]
    Goldreich, O., S. Micali, and A. Wigderson, How to Play any Mental Game or a Completeness Theorem for Protocols with Honest Majority, Proc. 19th STOC, 1987, pp. 218–229.
  12. [GM]
    Goldwasser, S., and S. Micali, Probabilistic Encryption, J. Comput. System Sci., Vol. 28, No. 2, 1984, pp. 270–299.
  13. [GMR1]
    Goldwasser, S., S. Micali, and C. Rackoff, Knowledge Complexity of Interactive Proofs, Proc. 17th STOC, 1985, pp. 291–304.
  14. [GMR2]
    Goldwasser, S., S. Micali, and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems, SIAM J. Comput., Vol. 18, No. 1, 1989, pp. 186–208.
  15. [GS]
    Goldwasser, S., and M. Sipser, Arthur Merlin Games Versus Interactive Proof Systems, Proc. 18th STOC, 1986, pp. 59–68.
  16. [IY]
    Impagliazzo, R., and M. Yung, Direct Minimum-Knowledge Computations, Advances in Cryptology—Crypto 87 (proceedings), Lecture Notes in Computer Science, Vol. 293, Springer-Verlag, Berlin, 1987, pp. 40–51.
  17. [O1]
    Oren, Y., Properties of Zero-Knowledge Proofs, M.Sc. Thesis, Computer Science Department, Technion, Haifa, Nov. 1987 (in Hebrew).
  18. [O2]
    Oren, Y., On the Cunning Power of Cheating Verifiers: Some Observations about Zero-Knowledge Proofs, Proc. 28th FOCS, 1987, pp. 462–471.
  19. [S]
    Shamir, A., IP = PSPACE, Proc. 31st FOCS, 1990, pp. 11–15.
  20. [TW]
    Tompa, M., and H. Woll, Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information, Proc. 28th FOCS, 1987, pp. 472–482.
  21. [Y]
    Yao, A. C., Theory and Applications of Trapdoor Functions, Proc. 23rd FOCS, 1982, pp. 80–91.

Copyright information

© International Association for Cryptologic Research 1994

Authors and Affiliations

  • Oded Goldreich (1)
  • Yair Oren (1)
  1. Department of Computer Science, Technion, Haifa, Israel
