Composition of Zero-Knowledge Proofs with Efficient Provers
MetadataShow full item record
CitationBirrell, Eleanor, and Salil Vadhan. 2010. Composition of zero-knowledge proofs with efficient provers. In Theory of Cryptography: 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland February 9-11, 2010 Proceedings. Lecture Notes on Computer Science 5978, ed. Daniele Micciancio.
AbstractWe revisit the composability of different forms of zero-knowledge proofs when the honest prover strategy is restricted to be polynomial time (given an appropriate auxiliary input). Our results are: 1.) When restricted to efficient provers, the original Goldwasser--Micali--Rackoff (GMR) definition of zero knowledge (STOC `85), here called plain zero knowledge, is closed under a constant number of sequential compositions (on the same input). This contrasts with the case of unbounded provers, where Goldreich and Krawczyk (ICALP `90, SICOMP `96) exhibited a protocol that is zero knowledge under the GMR definition, but for which the sequential composition of 2 copies is not zero knowledge. 2.) If we relax the GMR definition to only require that the simulation is indistinguishable from the verifier's view by uniform polynomial-time distinguishers, with no auxiliary input beyond the statement being proven, then again zero knowledge is not closed under sequential composition of 2 copies. 3.) We show that auxiliary-input zero knowledge with efficient provers is not closed under parallel composition of 2 copies under the assumption that there is a secure key agreement protocol (in which it is easy to recognize valid transcripts). Feige and Shamir (STOC `90) gave similar results under the seemingly incomparable assumptions that (a) the discrete logarithm problem is hard, or (b) \(UP \nsubseteq BPP \) and one-way functions exist.
Citable link to this pagehttp://nrs.harvard.edu/urn-3:HUL.InstRepos:4892999
- FAS Scholarly Articles