Arthur-Merlin games: a randomized proof system, and a hierarchy of complexity classes
Journal of Computer and System Sciences - 17th Annual ACM Symposium in the Theory of Computing, May 6-8, 1985
The knowledge complexity of interactive proof systems
SIAM Journal on Computing
Witness indistinguishable and witness hiding protocols
STOC '90 Proceedings of the twenty-second annual ACM symposium on Theory of computing
Random-self-reducibility of complete sets
SIAM Journal on Computing
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing
Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions
SIAM Journal on Computing
Foundations of Cryptography: Basic Tools
Foundations of Cryptography: Basic Tools
How to Go Beyond the Black-Box Simulation Barrier
FOCS '01 Proceedings of the 42nd IEEE symposium on Foundations of Computer Science
On basing one-way functions on NP-hardness
Proceedings of the thirty-eighth annual ACM symposium on Theory of computing
Lower bounds for non-black-box zero knowledge
Journal of Computer and System Sciences - Special issue on FOCS 2003
CCC '06 Proceedings of the 21st Annual IEEE Conference on Computational Complexity
On Worst-Case to Average-Case Reductions for NP Problems
SIAM Journal on Computing
SIAM Journal on Computing
Proofs that yield nothing but their validity and a methodology of cryptographic protocol design
SFCS '86 Proceedings of the 27th Annual Symposium on Foundations of Computer Science
Zero-knowledge proofs of knowledge without interaction
SFCS '92 Proceedings of the 33rd Annual Symposium on Foundations of Computer Science
Limits of provable security from standard assumptions
Proceedings of the forty-third annual ACM symposium on Theory of computing
Composition of zero-knowledge proofs with efficient provers
TCC'10 Proceedings of the 7th international conference on Theory of Cryptography
Point obfuscation and 3-round zero-knowledge
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
The knowledge tightness of parallel zero-knowledge
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
On the Composition of Public-Coin Zero-Knowledge Protocols
SIAM Journal on Computing
On the power of nonuniformity in proofs of security
Proceedings of the 4th conference on Innovations in Theoretical Computer Science
Unprovable security of perfect NIZK and non-interactive non-malleable commitments
TCC'13 Proceedings of the 10th theory of cryptography conference on Theory of Cryptography
The concept of witness-hiding suggested by Feige and Shamir is a natural relaxation of zero-knowledge. In this paper we identify languages and distributions for which many known constant-round public-coin protocols with negligible soundness cannot be shown to be witness-hiding using black-box techniques. One particular consequence of our results is that parallel repetition of either 3-Colorability or Hamiltonicity cannot be shown to be witness-hiding with respect to some probability distribution over the inputs, assuming that: (1) the distribution assigns positive probability only to instances with exactly one witness; (2) polynomial-size circuits cannot find a witness with noticeable probability on a random input chosen according to the distribution; and (3) the proof of security relies on a black-box reduction that is independent of the choice of the commitment scheme used in the protocol.

These impossibility results conceptually match results of Feige and Shamir that use such black-box reductions to show that parallel repetition of 3-Colorability or Hamiltonicity is witness-hiding for distributions with "two independent witnesses".

We also consider black-box reductions for parallel repetition of 3-Colorability or Hamiltonicity that depend on a specific implementation of the commitment scheme. While we cannot rule out such reductions completely, we show that "natural reductions" cannot bypass the limitations above.

Our proofs use techniques developed by Goldreich and Krawczyk for the case of zero knowledge. The setup of witness-hiding, however, presents new technical and conceptual difficulties that do not arise in the zero-knowledge setting. The high-level idea is that if a black-box reduction establishes the witness-hiding property for a protocol, and the protocol also happens to be a proof of knowledge, then this latter property can actually be used "against the reduction" to find witnesses unconditionally.