On the composition of zero-knowledge proof systems
A basic question concerning zero-knowledge proof systems is whether their (sequential and/or parallel) composition is zero-knowledge too. This question is not only of natural theoretical interest, but is also of great practical importance as it concerns the use of zero-knowledge proofs as subroutines in cryptographic protocols.
We prove that the original formulation of zero-knowledge as appearing in the pioneering work of Goldwasser, Micali and Rackoff is not closed under sequential composition. This fact was conjectured by many researchers leading to the introduction of stronger formulations of zero-knowledge (e.g. black-box simulation). We also prove that the parallel composition of zero-knowledge protocols does not necessarily result in a new zero-knowledge protocol: we present two protocols, both being zero-knowledge in a strong sense yet their parallel composition is not zero-knowledge (not even in a weak sense).
We present a lower bound on the round complexity of zero-knowledge proofs. We prove that only BPP languages have 3-round interactive proofs which are black-box simulation zero-knowledge. Moreover, we show that languages having constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge are in BPP. These results have significant implications to the parallelization of zero-knowledge proofs. In particular it follows that the "parallel versions" of the original interactive proofs systems for quadratic residuosity, graph isomorphism and any language in NP, are not black-box simulation zero-knowledge, unless the corresponding languages are in BPP. This resolves an open problem arising from the early works on zero-knowledge. Other consequences are a proof of optimality for the round complexity of various known zero-knowledge protocols, and a structure theorem for the hierarchy of Arthur-Merlin zero-knowledge languages.
Unable to display preview. Download preview PDF.
- [B]Babai, L., “Trading Group Theory for Randomness”, Proc. 17th STOC, 1985, pp. 421–429.Google Scholar
- [BMO]Bellare, M., Micali S. and Ostrovsky R., "Perfect Zero-Knowledge in Constant Rounds", to appear in Proc. 22nd STOC, 1990.Google Scholar
- [BCC]Brassard, G., D. Chaum, and C. Crépau, "Minimum Disclosure Proofs of knowledge", JCSS, Vol. 37, No. 2, 1988, pp. 156–189.Google Scholar
- [F]Feige, U., M.Sc. Thesis, Weizmann Institute, 1987.Google Scholar
- [FS]Feige, U., and A. Shamir, "Zero knowledge proofs of knowledge in two rounds", Proceedings of Crypto89, 1989.Google Scholar
- [GK]Goldreich, O., and Krawczyk, H., "Sparse Pseudorandom Distributions", Crypto89. Extended version: Technical Report 553, Computer Science Dept., Technion, Haifa, 1989.Google Scholar
- [GKa]Goldreich, O., and Kahan, A., "Using Claw-Free Permutations to Construct Constant-Round Zero-Knowledge Proofs for NP", in preparation, 1989.Google Scholar
- [GMW1]Goldreich, O., S. Micali, and A. Wigderson, "Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design", Proc. 27th FOCS, 1986, pp. 174–187. Submitted to J. of the ACM.Google Scholar
- [GMW2]Goldreich, O., S. Micali, and A. Wigderson, "How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority", Proc. 19th STOC, 1987, pp. 218–229.Google Scholar
- [GM]Goldwasser, S., and S. Micali, "Probabilistic Encryption", JCSS, Vol. 28, No. 2, 1984, pp. 270–299.Google Scholar
- [GMR1]Goldwasser, S., S. Micali, and C. Rackoff, "Knowledge Complexity of Interactive Proofs", Proc. 17th STOC, 1985, pp. 291–304.Google Scholar
- [GMR2]Goldwasser, S., S. Micali, and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems", SIAM Jour. on Computing, Vol. 18, 1989, pp. 186–208.Google Scholar
- [GS]Goldwasser, S., and M. Sipser, “Private Coins vs. Public Coins in Interactive Proof Systems”, Proc. 18th STOC, 1986, pp. 59–68.Google Scholar
- [J]A. Joffe, "On a Set of Almost Deterministic k-Independent Random Variables", the Annals of Probability, 1974, Vol. 2, No. 1, pp. 161–162.Google Scholar
- [O]Oren, Y., “On the Cunning Power of Cheating Verifiers: Some Observations About Zero-Knowledge Proofs”, Proc. of the 28th IEEE Symp. on Foundation of Computer Science, 1987, pp. 462–471.Google Scholar
- [Si]Simon, D., M.Sc. Thesis, University of Toronto, 1989.Google Scholar
- [TW]Tompa, M., and H. Woll, “Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information”, Proc. of the 28th IEEE Symp. on Foundation of Computer Science, 1987, pp. 472–482.Google Scholar
- [Y]Yao, A.C., “How to Generate and Exchange Secrets”, Proc. 27th FOCS, pp. 162–167, 1986.Google Scholar