# On the composition of zero-knowledge proof systems

## Abstract

A basic question concerning zero-knowledge proof systems is whether their (sequential and/or parallel) composition is zero-knowledge too. This question is not only of natural theoretical interest, but is also of great practical importance as it concerns the use of zero-knowledge proofs as subroutines in cryptographic protocols.

We prove that the original formulation of zero-knowledge as appearing in the pioneering work of Goldwasser, Micali and Rackoff is not closed under *sequential composition*. This fact was conjectured by many researchers leading to the introduction of stronger formulations of zero-knowledge (e.g. black-box simulation). We also prove that the *parallel composition* of zero-knowledge protocols does not necessarily result in a new zero-knowledge protocol: we present two protocols, both being zero-knowledge in a strong sense yet their parallel composition is not zero-knowledge (not even in a weak sense).

We present a lower bound on the round complexity of zero-knowledge proofs. We prove that only BPP languages have 3-round interactive proofs which are black-box simulation zero-knowledge. Moreover, we show that languages having constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge are in BPP. These results have significant implications to the parallelization of zero-knowledge proofs. In particular it follows that the "parallel versions" of the original interactive proofs systems for quadratic residuosity, graph isomorphism and any language in NP, are not black-box simulation zero-knowledge, unless the corresponding languages are in BPP. This resolves an open problem arising from the early works on zero-knowledge. Other consequences are a proof of optimality for the round complexity of various known zero-knowledge protocols, and a structure theorem for the hierarchy of Arthur-Merlin zero-knowledge languages.

## Preview

Unable to display preview. Download preview PDF.

### References

- [B]Babai, L., “Trading Group Theory for Randomness”,
*Proc. 17th STOC*, 1985, pp. 421–429.Google Scholar - [BMO]Bellare, M., Micali S. and Ostrovsky R., "Perfect Zero-Knowledge in Constant Rounds", to appear in
*Proc. 22nd STOC*, 1990.Google Scholar - [BCC]Brassard, G., D. Chaum, and C. Crépau, "Minimum Disclosure Proofs of knowledge",
*JCSS*, Vol. 37, No. 2, 1988, pp. 156–189.Google Scholar - [F]Feige, U., M.Sc. Thesis, Weizmann Institute, 1987.Google Scholar
- [FS]Feige, U., and A. Shamir, "Zero knowledge proofs of knowledge in two rounds", Proceedings of
*Crypto89*, 1989.Google Scholar - [GK]Goldreich, O., and Krawczyk, H., "Sparse Pseudorandom Distributions",
*Crypto89*. Extended version: Technical Report 553, Computer Science Dept., Technion, Haifa, 1989.Google Scholar - [GKa]Goldreich, O., and Kahan, A., "Using Claw-Free Permutations to Construct Constant-Round Zero-Knowledge Proofs for NP", in preparation, 1989.Google Scholar
- [GMW1]Goldreich, O., S. Micali, and A. Wigderson, "Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design",
*Proc. 27th FOCS*, 1986, pp. 174–187. Submitted to*J. of the ACM*.Google Scholar - [GMW2]Goldreich, O., S. Micali, and A. Wigderson, "How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority",
*Proc. 19th STOC*, 1987, pp. 218–229.Google Scholar - [GM]Goldwasser, S., and S. Micali, "Probabilistic Encryption",
*JCSS*, Vol. 28, No. 2, 1984, pp. 270–299.Google Scholar - [GMR1]Goldwasser, S., S. Micali, and C. Rackoff, "Knowledge Complexity of Interactive Proofs",
*Proc. 17th STOC*, 1985, pp. 291–304.Google Scholar - [GMR2]Goldwasser, S., S. Micali, and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems",
*SIAM Jour. on Computing*, Vol. 18, 1989, pp. 186–208.Google Scholar - [GS]Goldwasser, S., and M. Sipser, “Private Coins vs. Public Coins in Interactive Proof Systems”,
*Proc. 18th STOC*, 1986, pp. 59–68.Google Scholar - [J]A. Joffe, "On a Set of Almost Deterministic
*k*-Independent Random Variables",*the Annals of Probability*, 1974, Vol. 2, No. 1, pp. 161–162.Google Scholar - [O]Oren, Y., “On the Cunning Power of Cheating Verifiers: Some Observations About Zero-Knowledge Proofs”,
*Proc. of the 28th IEEE Symp. on Foundation of Computer Science*, 1987, pp. 462–471.Google Scholar - [Si]Simon, D., M.Sc. Thesis, University of Toronto, 1989.Google Scholar
- [TW]Tompa, M., and H. Woll, “Random Self-Reducibility and Zero-Knowledge Interactive Proofs of Possession of Information”,
*Proc. of the 28th IEEE Symp. on Foundation of Computer Science*, 1987, pp. 472–482.Google Scholar - [Y]Yao, A.C., “How to Generate and Exchange Secrets”,
*Proc. 27th FOCS*, pp. 162–167, 1986.Google Scholar