On the composition of zero-knowledge proof systems

  • Oded Goldreich
  • Hugo Krawczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 443)


A basic question concerning zero-knowledge proof systems is whether their (sequential and/or parallel) composition is zero-knowledge too. This question is not only of natural theoretical interest, but is also of great practical importance as it concerns the use of zero-knowledge proofs as subroutines in cryptographic protocols.

We prove that the original formulation of zero-knowledge as appearing in the pioneering work of Goldwasser, Micali and Rackoff is not closed under sequential composition. This fact was conjectured by many researchers leading to the introduction of stronger formulations of zero-knowledge (e.g. black-box simulation). We also prove that the parallel composition of zero-knowledge protocols does not necessarily result in a new zero-knowledge protocol: we present two protocols, both being zero-knowledge in a strong sense yet their parallel composition is not zero-knowledge (not even in a weak sense).

We present a lower bound on the round complexity of zero-knowledge proofs. We prove that only BPP languages have 3-round interactive proofs which are black-box simulation zero-knowledge. Moreover, we show that languages having constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge are in BPP. These results have significant implications to the parallelization of zero-knowledge proofs. In particular it follows that the "parallel versions" of the original interactive proofs systems for quadratic residuosity, graph isomorphism and any language in NP, are not black-box simulation zero-knowledge, unless the corresponding languages are in BPP. This resolves an open problem arising from the early works on zero-knowledge. Other consequences are a proof of optimality for the round complexity of various known zero-knowledge protocols, and a structure theorem for the hierarchy of Arthur-Merlin zero-knowledge languages.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [B]
    Babai, L., “Trading Group Theory for Randomness”, Proc. 17th STOC, 1985, pp. 421–429.Google Scholar
  2. [BMO]
    Bellare, M., Micali S. and Ostrovsky R., "Perfect Zero-Knowledge in Constant Rounds", to appear in Proc. 22nd STOC, 1990.Google Scholar
  3. [BCC]
    Brassard, G., D. Chaum, and C. Crépau, "Minimum Disclosure Proofs of knowledge", JCSS, Vol. 37, No. 2, 1988, pp. 156–189.Google Scholar
  4. [F]
    Feige, U., M.Sc. Thesis, Weizmann Institute, 1987.Google Scholar
  5. [FS]
    Feige, U., and A. Shamir, "Zero knowledge proofs of knowledge in two rounds", Proceedings of Crypto89, 1989.Google Scholar
  6. [GK]
    Goldreich, O., and Krawczyk, H., "Sparse Pseudorandom Distributions", Crypto89. Extended version: Technical Report 553, Computer Science Dept., Technion, Haifa, 1989.Google Scholar
  7. [GKa]
    Goldreich, O., and Kahan, A., "Using Claw-Free Permutations to Construct Constant-Round Zero-Knowledge Proofs for NP", in preparation, 1989.Google Scholar
  8. [GMW1]
    Goldreich, O., S. Micali, and A. Wigderson, "Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design", Proc. 27th FOCS, 1986, pp. 174–187. Submitted to J. of the ACM.Google Scholar
  9. [GMW2]
    Goldreich, O., S. Micali, and A. Wigderson, "How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority", Proc. 19th STOC, 1987, pp. 218–229.Google Scholar
  10. [GM]
    Goldwasser, S., and S. Micali, "Probabilistic Encryption", JCSS, Vol. 28, No. 2, 1984, pp. 270–299.Google Scholar
  11. [GMR1]
    Goldwasser, S., S. Micali, and C. Rackoff, "Knowledge Complexity of Interactive Proofs", Proc. 17th STOC, 1985, pp. 291–304.Google Scholar
  12. [GMR2]
    Goldwasser, S., S. Micali, and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems", SIAM Jour. on Computing, Vol. 18, 1989, pp. 186–208.Google Scholar
  13. [GS]
    Goldwasser, S., and M. Sipser, “Private Coins vs. Public Coins in Interactive Proof Systems”, Proc. 18th STOC, 1986, pp. 59–68.Google Scholar
  14. [J]
    A. Joffe, "On a Set of Almost Deterministic k-Independent Random Variables", the Annals of Probability, 1974, Vol. 2, No. 1, pp. 161–162.Google Scholar
  15. [O]
    Oren, Y., “On the Cunning Power of Cheating Verifiers: Some Observations About Zero-Knowledge Proofs”, Proc. of the 28th IEEE Symp. on Foundation of Computer Science, 1987, pp. 462–471.Google Scholar
  16. [Si]
    Simon, D., M.Sc. Thesis, University of Toronto, 1989.Google Scholar
  17. [TW]
    Tompa, M., and H. Woll, “Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information”, Proc. of the 28th IEEE Symp. on Foundation of Computer Science, 1987, pp. 472–482.Google Scholar
  18. [Y]
    Yao, A.C., “How to Generate and Exchange Secrets”, Proc. 27th FOCS, pp. 162–167, 1986.Google Scholar

Copyright information

© Springer-Verlag 1990

Authors and Affiliations

  • Oded Goldreich
    • 1
  • Hugo Krawczyk
    • 1
  1. 1.Computer Science Dept.TechnionHaifaIsrael

Personalised recommendations