Composition of zero-knowledge proofs with efficient provers

  • Authors:

  • Eleanor Birrell;Salil Vadhan

  • Affiliations:

  • Department of Computer Science, Cornell University;School of Engineering and Applied Sciences and Center for Research on Computation and Society, Harvard University

  • Venue:
  • TCC'10 Proceedings of the 7th international conference on Theory of Cryptography
  • Year:
  • 2010

Quantified Score

Hi-index 0.00

Visualization

Abstract

We revisit the composability of different forms of zero- knowledge proofs when the honest prover strategy is restricted to be polynomial time (given an appropriate auxiliary input). Our results are: When restricted to efficient provers, the original Goldwasser–Micali–Rackoff (GMR) definition of zero knowledge (STOC ‘85), here called plain zero knowledge, is closed under a constant number of sequential compositions (on the same input). This contrasts with the case of unbounded provers, where Goldreich and Krawczyk (ICALP ‘90, SICOMP ‘96) exhibited a protocol that is zero knowledge under the GMR definition, but for which the sequential composition of 2 copies is not zero knowledge. If we relax the GMR definition to only require that the simulation is indistinguishable from the verifier’s view by uniform polynomial-time distinguishers, with no auxiliary input beyond the statement being proven, then again zero knowledge is not closed under sequential composition of 2 copies. We show that auxiliary-input zero knowledge with efficient provers is not closed under parallel composition of 2 copies under the assumption that there is a secure key agreement protocol (in which it is easy to recognize valid transcripts). Feige and Shamir (STOC ‘90) gave similar results under the seemingly incomparable assumptions that (a) the discrete logarithm problem is hard, or (b) ${\mathcal{UP}}\not\subseteq {\mathcal{BPP}}$ and one-way functions exist.