How to construct random functions
Journal of the ACM (JACM)
The knowledge complexity of interactive proof-systems
STOC '85 Proceedings of the seventeenth annual ACM symposium on Theory of computing
The knowledge complexity of interactive proof systems
SIAM Journal on Computing
Witness indistinguishable and witness hiding protocols
STOC '90 Proceedings of the twenty-second annual ACM symposium on Theory of computing
Journal of the ACM (JACM)
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing
Foundations of Cryptography: Basic Tools
Foundations of Cryptography: Basic Tools
Everything Provable is Provable in Zero-Knowledge
CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
Zero Knowledge Proofs of Knowledge in Two Rounds
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
On Defining Proofs of Knowledge
CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
How to Go Beyond the Black-Box Simulation Barrier
FOCS '01 Proceedings of the 42nd IEEE symposium on Foundations of Computer Science
Lower Bounds for Non-Black-Box Zero Knowledge
FOCS '03 Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
TCC '09 Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography
Sparse pseudorandom distributions
Random Structures & Algorithms
Hi-index | 0.00 |
We revisit the composability of different forms of zero- knowledge proofs when the honest prover strategy is restricted to be polynomial time (given an appropriate auxiliary input). Our results are: When restricted to efficient provers, the original Goldwasser–Micali–Rackoff (GMR) definition of zero knowledge (STOC ‘85), here called plain zero knowledge, is closed under a constant number of sequential compositions (on the same input). This contrasts with the case of unbounded provers, where Goldreich and Krawczyk (ICALP ‘90, SICOMP ‘96) exhibited a protocol that is zero knowledge under the GMR definition, but for which the sequential composition of 2 copies is not zero knowledge. If we relax the GMR definition to only require that the simulation is indistinguishable from the verifier’s view by uniform polynomial-time distinguishers, with no auxiliary input beyond the statement being proven, then again zero knowledge is not closed under sequential composition of 2 copies. We show that auxiliary-input zero knowledge with efficient provers is not closed under parallel composition of 2 copies under the assumption that there is a secure key agreement protocol (in which it is easy to recognize valid transcripts). Feige and Shamir (STOC ‘90) gave similar results under the seemingly incomparable assumptions that (a) the discrete logarithm problem is hard, or (b) ${\mathcal{UP}}\not\subseteq {\mathcal{BPP}}$ and one-way functions exist.