Adaptive Zero-Knowledge Proofs and Adaptively Secure Oblivious Transfer

  • Yehuda Lindell
  • Hila Zarosim
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5444)


In the setting of secure computation, a set of parties wish to securely compute some function of their inputs, in the presence of an adversary. The adversary in question may be static (meaning that it controls a predetermined subset of the parties) or adaptive (meaning that it can choose to corrupt parties during the protocol execution and based on what it sees). In this paper, we study two fundamental questions relating to the basic zero-knowledge and oblivious transfer protocol problems:

  • Adaptive zero-knowledge proofs: We ask whether it is possible to construct adaptive zero-knowledge proofs (with unconditional soundness). Beaver (STOC 1996) showed that known zero-knowledge proofs are not adaptively secure, and in addition showed how to construct zero-knowledge arguments (with computational soundness).

  • Adaptively secure oblivious transfer: All known protocols for adaptively secure oblivious transfer rely on seemingly stronger hardness assumptions than for the case of static adversaries. We ask whether this is inherent, and in particular, whether it is possible to construct adaptively secure oblivious transfer from enhanced trapdoor permutations alone.

We provide surprising answers to the above questions, showing that achieving adaptive security is sometimes harder than achieving static security, and sometimes not. First, we show that assuming the existence of one-way functions only, there exist adaptive zero-knowledge proofs for all languages in \(\cal {NP}\). In order to prove this, we overcome the problem that all adaptive zero-knowledge protocols known until now used equivocal commitments (which would enable an all-powerful prover to cheat). Second, we prove a black-box separation between adaptively secure oblivious transfer and enhanced trapdoor permutations. As a corollary, we derive a black-box separation between adaptively and statically securely oblivious transfer. This is the first black-box separation to relate to adaptive security and thus the first evidence that it is indeed harder to achieve security in the presence of adaptive adversaries than in the presence of static adversaries.


  1. 1.
    Beaver, D.: Adaptive Zero Knowledge and Computational Equivocation. In: 28th STOC, pp. 629–638 (1996)Google Scholar
  2. 2.
    Beaver, D.: Adaptively Secure Oblivious Transfer. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 300–314. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Micali, S., Ostrovsky, R.: Perfect Zero-Knowledge in Constant Rounds. In: 22nd STOC, pp. 482–493 (1990)Google Scholar
  4. 4.
    Blum, M.: Coin Flipping by Phone. In: IEEE Spring COMPCOM, pp. 133–137 (1982)Google Scholar
  5. 5.
    Blum, M.: How to Prove a Theorem So No One Else Can Claim It. In: Proceedings of the International Congress of Mathematicians, USA, pp. 1444–1451Google Scholar
  6. 6.
    Canetti, R.: Security and Composition of Multiparty Cryptographic Protocols. Journal of Cryptology 13(1), 143–202 (2000)MathSciNetCrossRefMATHGoogle Scholar
  7. 7.
    Canetti, R., Fischlin, M.: Universally Composable Commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally Composable Two-Party and Multi-Party Computation. In: 34th STOC, pp. 494–503 (2002),
  9. 9.
    Coron, J.S., Patarin, J., Seurin, Y.: The Random Oracle Model and the Ideal Cipher Model are Equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Even, S., Goldreich, O., Lempel, A.: A Randomized Protocol for Signing Contracts. Communications of the ACM 28(6), 637–647 (1985)MathSciNetCrossRefMATHGoogle Scholar
  11. 11.
    Feige, U., Shamir, A.: Zero Knowledge Proofs of Knowledge in Two Rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, Heidelberg (1990)Google Scholar
  12. 12.
    Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The Relationship Between Public Key Encryption and Oblivious Transfer. In: 41st FOCS, pp. 325–335 (2000)Google Scholar
  13. 13.
    Gertner, Y., Malkin, T., Reingold, O.: On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates. In: The 42nd FOCS, pp. 126–135 (2001)Google Scholar
  14. 14.
    Goldreich, O.: Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)CrossRefMATHGoogle Scholar
  15. 15.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems. Journal of the ACM 38(1), 691–729 (1991)MathSciNetMATHGoogle Scholar
  16. 16.
    Impagliazzo, R., Luby, M.: One-way Functions are Essential for Complexity Based Cryptography. In: The 30th FOCS, pp. 230–235 (1989)Google Scholar
  17. 17.
    Impagliazzo, R., Rudich, S.: Limits on the Provable Consequences of One-way Permutations. In: 21st STOC, pp. 44–61 (1989)Google Scholar
  18. 18.
    Itoh, T., Ohta, Y., Shizuya, H.: A Language-Dependent Cryptographic Primitive. Journal of Cryptology 10(1), 37–49 (1997)MathSciNetCrossRefMATHGoogle Scholar
  19. 19.
    Kim, J.H., Simon, D.R., Tetali, P.: Limits on the Efficiency of One-Way Permutation-Based Hash Functions. In: The 40th FOCS, pp. 535–542 (1999)Google Scholar
  20. 20.
    Luby, M., Rackoff, C.: How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM Journal on Computing 17(2), 373–386 (1988)MathSciNetCrossRefMATHGoogle Scholar
  21. 21.
    Micciancio, D., Vadhan, S.: Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. 22.
    Micciancio, D., Ong, S.J., Sahai, A., Vadhan, S.: Concurrent Zero Knowledge without Complexity Assumptions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    Naor, M.: Bit Commitment Using Pseudorandomness. Journal of Cryptology 4(2), 151–158 (1991)MathSciNetCrossRefMATHGoogle Scholar
  24. 24.
    Reingold, O., Trevisan, L., Vadhan, S.P.: Notions of Reducibility between Cryptographic Primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Simon, D.R.: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  26. 26.
    Vadhan, S.P.: An Unconditional Study of Computational Zero Knowledge. In: The 45th FOCS, pp. 176–185 (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yehuda Lindell
    • 1
  • Hila Zarosim
    • 1
  1. 1.Department of Computer ScienceBar-Ilan UniversityIsrael

Personalised recommendations