On the Implausibility of Constant-Round Public-Coin Zero-Knowledge Proofs
We consider the problem of whether there exist non-trivial constant-round public-coin zero-knowledge (ZK) proofs. To date, in spite of high interest in the problem, there is no definite answer to the question. We focus on the type of ZK proofs that admit a universal simulator (which handles all malicious verifiers), and show a connection between the existence of such proof systems and a seemingly unrelated “program functionality distinguishing” problem: for a natural class of constant-round public-coin ZK proofs (which we call “canonical,” since all known ZK protocols fall into this category), a session prefix output by the universal simulator can actually be used to distinguish a non-trivial property of the next-step functionality of the verifier’s code.
Our result can be viewed as new evidence against the existence of constant-round public-coin ZK proofs, since the existence of such a proof system will bring about either one of the following: (1) a positive result for the above functionality-distinguishing problem, a typical goal in reverse-engineering attempts, commonly believed to be notoriously hard, or (2) a major paradigm shift in simulation strategies, beyond the only known (straight-line simulation) technique applicable to their argument counterpart, as we also argue. Note that the earlier negative evidence on constant-round public-coin ZK proofs is Barack, Lindell and Vadhan [FOCS 2003]’s result, which was based on the incomparable assumption of the existence of certain entropy-preserving hash functions, now known not to be achievable from standard assumptions via black-box reduction.
The core of our technical contribution is showing that there exists a single verifier step for constant-round public-coin ZK proofs whose functionality (rather than its code) is crucial for a successful simulation. This is proved by combining a careful analysis of the behavior of a set of verifiers in the above protocols and during simulation, with an improved structure-preserving version of the well-known Babai-Moran Speedup (de-randomization) Theorem, a key tool of independent interest.
KeywordsProof System Random String Random Tape Soundness Error Honest Prover
The authors would like to thank Susumu Kiyoshima and Sanjam Garg for their valuable comments.
- 1.Babai, L.: Trading group theory for randomness. In: STOC, 1985, pp. 421–429 (1985)Google Scholar
- 2.Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS 2001, pp. 106–115 (2001)Google Scholar
- 6.Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction.In: STOC, 2002, pp. 484–493 (2002)Google Scholar
- 7.Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 444–451 (1986)Google Scholar
- 8.Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. In: FOCS 2003, pp. 384–393 (2003)Google Scholar
- 10.Bellare, M., Rompel, J.: Randomness-efficient oblivious sampling. In: FOCS 1994, pp. 276–287 (1994)Google Scholar
- 12.Deng, Y., Garay, J., Ling, S., Wang, H., Yung, M.: On the implausibility of constant-round public-coin zero-knowledge proofs. Cryptology ePrint Archive, Report 2012/508 (2012). http://eprint.iacr.org/2012/508
- 14.Goldreich, O.: The Foundations of Cryptography, Volume 1, Basic Techniques Cambridge University Press (2001)Google Scholar
- 15.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)Google Scholar