On the Composition of Public-Coin Zero-Knowledge Protocols

  • Rafael Pass
  • Wei-Lung Dustin Tseng
  • Douglas Wikström
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5677)


We show that only languages in BPP have public-coin, black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any set-up) and in the Bare Public-Key Model (where the prover and the verifier have registered public keys). We complement this result by showing the existence of a public-coin black-box zero-knowledge proof that remains secure under any a-priori bounded number of concurrent executions.


  1. [Bar01]
    Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS 2001, pp. 106–115 (2001)Google Scholar
  2. [BG02]
    Barak, B., Goldreich, O.: Universal arguments and their applications. In: Computational Complexity, pp. 162–171 (2002)Google Scholar
  3. [BGGL01]
    Barak, B., Goldreich, O., Goldwasser, S., Lindell, Y.: Resettably-sound zero-knowledge and its applications. In: FOCS 2002, pp. 116–125 (2001)Google Scholar
  4. [BIN97]
    Bellare, M., Impagliazzo, R., Naor, M.: Does parallel repetition lower the error in computationally sound protocols? In: FOCS 1997, pp. 374–383 (1997)Google Scholar
  5. [BL02]
    Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction. In: STOC 2002, pp. 484–493 (2002)Google Scholar
  6. [Blu87]
    Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 1444–1451 (1987)Google Scholar
  7. [BM88]
    Babai, L., Moran, S.: Arthur-merlin games: a randomized proof system, and a hierarchy of complexity class. J. Comput. Syst. Sci. 36(2), 254–276 (1988)MathSciNetCrossRefMATHGoogle Scholar
  8. [CG89]
    Chor, B., Goldreich, O.: On the power of two-point based sampling. J. Complex. 5(1), 96–106 (1989)MathSciNetCrossRefMATHGoogle Scholar
  9. [CGGM00]
    Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: STOC 2000, pp. 235–244 (2000)Google Scholar
  10. [CKPR01]
    Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-box concurrent zero-knowledge requires \(\tilde\omega(\log n)\) rounds. In: STOC 2001, pp. 570–579 (2001)Google Scholar
  11. [DNS04]
    Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. J. ACM 51(6), 851–898 (2004)MathSciNetCrossRefMATHGoogle Scholar
  12. [FS90]
    Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: STOC 1990, pp. 416–426 (1990)Google Scholar
  13. [GK96a]
    Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for NP. Journal of Cryptology 9(3), 167–189 (1996)MathSciNetCrossRefMATHGoogle Scholar
  14. [GK96b]
    Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SICOMP 25(1), 169–192 (1996)MathSciNetCrossRefMATHGoogle Scholar
  15. [GMR89]
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SICOMP 18(1), 186–208 (1989)MathSciNetCrossRefMATHGoogle Scholar
  16. [GMW91]
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 690–728 (1991)MathSciNetCrossRefMATHGoogle Scholar
  17. [GO94]
    Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. Journal of Cryptology 7, 1–32 (1994)MathSciNetCrossRefMATHGoogle Scholar
  18. [Gol02]
    Goldreich, O.: Concurrent zero-knowledge with timing, revisited. In: STOC 2002, pp. 332–340 (2002)Google Scholar
  19. [HILL99]
    Håstad, J., Impagliazzo, R., Levin, L., Luby, M.: A pseudorandom generator from any one-way function. SICOMP 28, 12–24 (1999)MathSciNetCrossRefMATHGoogle Scholar
  20. [Hol07]
    Holenstein, T.: Parallel repetition: simplifications and the no-signaling case. In: STOC 2007, pp. 411–419 (2007)Google Scholar
  21. [HPPW08]
    Håstad, J., Pass, R., Pietrzak, K., Wikström, D.: An efficient parallel repetition theorem (2008) (manuscript)Google Scholar
  22. [HRS09]
    Haitner, I., Rosen, A., Shaltiel, R.: On the (im)possibility of arthur-merlin witness hiding protocols. In: TCC 2009, pp. 220–237 (2009)Google Scholar
  23. [IJK07]
    Impagliazzo, R., Jaiswal, R., Kabanets, V.: Chernoff-type direct product theorems. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 500–516. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  24. [IW97]
    Impagliazzo, R., Wigderson, A.: P = BPP if e requires exponential circuits: Derandomizing the xor lemma. In: STOC 1997, pp. 220–229 (1997)Google Scholar
  25. [Kat08]
    Katz, J.: Which languages have 4-round zero-knowledge proofs? In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 73–88. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  26. [KP01]
    Kilian, J., Petrank, E.: Concurrent and resettable zero-knowledge in poly-logarithmic rounds. In: STOC 2001, pp. 560–569 (2001)Google Scholar
  27. [KPR98]
    Kilian, J., Petrank, E., Rackoff, C.: Lower bounds for zero knowledge on the internet. In: FOCS 1998, pp. 484–492 (1998)Google Scholar
  28. [Lin03]
    Lindell, Y.: Bounded-concurrent secure two-party computation without setup assumptions. In: STOC 2003, pp. 683–692 (2003)Google Scholar
  29. [Nao91]
    Naor, M.: Bit commitment using pseudorandomness. Journal of Cryptology 4, 151–158 (1991)MathSciNetCrossRefMATHGoogle Scholar
  30. [PRS02]
    Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: FOCS 2002, pp. 366–375 (2002)Google Scholar
  31. [PV07]
    Pass, R., Venkitasubramaniam, M.: An efficient parallel repetition theorem for arthur-merlin games. In: STOC 2007, pp. 420–429 (2007)Google Scholar
  32. [Raz98]
    Raz, R.: A parallel repetition theorem. SICOMP 27(3), 763–803 (1998)MathSciNetCrossRefMATHGoogle Scholar
  33. [RK99]
    Richardson, R., Kilian, J.: On the concurrent composition of zero-knowledge proofs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 415–432. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  34. [Ros00]
    Rosen, A.: A note on the round-complexity of concurrent zero-knowledge. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 451–468. Springer, Heidelberg (2000)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Rafael Pass
    • 1
  • Wei-Lung Dustin Tseng
    • 1
  • Douglas Wikström
    • 2
  1. 1.Cornell UniversityUSA
  2. 2.KTH Royal Institute of TechnologySweden

Personalised recommendations