On the Implausibility of Constant-Round Public-Coin Zero-Knowledge Proofs

  • Yi Deng
  • Juan Garay
  • San Ling
  • Huaxiong Wang
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9841)


We consider the problem of whether there exist non-trivial constant-round public-coin zero-knowledge (ZK) proofs. To date, in spite of high interest in the problem, there is no definite answer to the question. We focus on the type of ZK proofs that admit a universal simulator (which handles all malicious verifiers), and show a connection between the existence of such proof systems and a seemingly unrelated “program functionality distinguishing” problem: for a natural class of constant-round public-coin ZK proofs (which we call “canonical,” since all known ZK protocols fall into this category), a session prefix output by the universal simulator can actually be used to distinguish a non-trivial property of the next-step functionality of the verifier’s code.

Our result can be viewed as new evidence against the existence of constant-round public-coin ZK proofs, since the existence of such a proof system would bring about one of the following: (1) a positive result for the above functionality-distinguishing problem, a typical goal in reverse-engineering attempts, commonly believed to be notoriously hard, or (2) a major paradigm shift in simulation strategies, beyond the only known technique (straight-line simulation) applicable to their argument counterpart, as we also argue. Note that the earlier negative evidence on constant-round public-coin ZK proofs is the result of Barak, Lindell and Vadhan [FOCS 2003], which was based on the incomparable assumption that certain entropy-preserving hash functions exist, now known not to be achievable from standard assumptions via black-box reduction.

The core of our technical contribution is showing that there exists a single verifier step for constant-round public-coin ZK proofs whose functionality (rather than its code) is crucial for a successful simulation. This is proved by combining a careful analysis of the behavior of a set of verifiers in the above protocols and during simulation, with an improved structure-preserving version of the well-known Babai-Moran Speedup (de-randomization) Theorem, a key tool of independent interest.





The authors would like to thank Susumu Kiyoshima and Sanjam Garg for their valuable comments.


References

  1. Babai, L.: Trading group theory for randomness. In: STOC 1985, pp. 421–429 (1985)
  2. Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS 2001, pp. 106–115 (2001)
  3. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
  4. Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y.T., López-Alt, A., Wichs, D.: Why “Fiat-Shamir for Proofs” lacks a proof. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 182–201. Springer, Heidelberg (2013)
  5. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)
  6. Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction. In: STOC 2002, pp. 484–493 (2002)
  7. Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 444–451 (1986)
  8. Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. In: FOCS 2003, pp. 384–393 (2003)
  9. Babai, L., Moran, S.: Arthur-Merlin games: a randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci. 36(2), 254–276 (1988)
  10. Bellare, M., Rompel, J.: Randomness-efficient oblivious sampling. In: FOCS 1994, pp. 276–287 (1994)
  11. Canetti, R., Chen, Y., Reyzin, L.: On the correlation intractability of obfuscated pseudorandom functions. In: Kushilevitz, E., et al. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 389–415. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_17
  12. Deng, Y., Garay, J., Ling, S., Wang, H., Yung, M.: On the implausibility of constant-round public-coin zero-knowledge proofs. Cryptology ePrint Archive, Report 2012/508 (2012)
  13. Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29, 1–28 (1999)
  14. Goldreich, O.: The Foundations of Cryptography, Volume 1: Basic Techniques. Cambridge University Press (2001)
  15. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS 2013, pp. 40–49 (2013)
  16. Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)
  17. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
  18. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
  19. Hada, S.: Zero-knowledge and code obfuscation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 443–457. Springer, Heidelberg (2000)
  20. Landi, W.: Undecidability of static analysis. ACM Lett. Program. Lang. Syst. (LOPLAS) 1(4), 323–337 (1992)
  21. Ramalingam, G.: The undecidability of aliasing. ACM Trans. Program. Lang. Syst. 16(5), 1467–1471 (1994)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Yi Deng (1)
  • Juan Garay (2)
  • San Ling (3)
  • Huaxiong Wang (3)
  • Moti Yung (4)
  1. SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Yahoo Research, Sunnyvale, USA
  3. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
  4. Snapchat and Columbia University, New York, USA
