Results 1 - 10 of 26
On the Composition of Zero-Knowledge Proof Systems
- SIAM Journal on Computing, 1990
Cited by 168 (14 self)
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zero-knowledge protocols is zero-knowledge too. We demonstrate the limitations of the composition of zero-knowledge protocols by proving that the original definition of zero-knowledge is not closed under sequential composition; and that even the strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zero-knowledge proofs, with significant implications to the parallelization of zero-knowledge protocols. We prove that 3-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
On Defining Proofs of Knowledge
1998
Cited by 121 (20 self)
The notion of a "proof of knowledge," suggested by Goldwasser, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadequate for some of the applications in which they are used. Consequently,
Definitions And Properties Of Zero-Knowledge Proof Systems
- Journal of Cryptology, 1994
Cited by 99 (10 self)
In this paper we investigate some properties of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. We introduce and classify two definitions of zero-knowledge: auxiliary-input zero-knowledge and blackbox-simulation zero-knowledge. We explain why auxiliary-input zero-knowledge is a definition more suitable for cryptographic applications than the original [GMR1] definition. In particular, we show that any protocol solely composed of subprotocols which are auxiliary-input zero-knowledge is itself auxiliary-input zero-knowledge. We show that blackbox-simulation zero-knowledge implies auxiliary-input zero-knowledge (which in turn implies the [GMR1] definition). We argue that all known zero-knowledge proofs are in fact blackbox-simulation zero-knowledge (i.e., were proved zero-knowledge using blackbox-simulation of the verifier). As a result, all known zero-knowledge proof systems are shown to be auxiliary-input zero-knowledge and can be used for cryptographic applications such as those in [GMW2]. We demonstrate the triviality of certain classes of zero-knowledge proof systems, in the sense that only languages in BPP have zero-knowledge proofs of these classes. In particular, we show that any language having a Las Vegas zero-knowledge proof system necessarily belongs to RP. We show that randomness of both the verifier and the prover, and non-triviality of the interaction are essential properties of (non-trivial) auxiliary-input zero-knowledge proofs.
On the Concurrent Composition of Zero-Knowledge Proofs
- In EuroCrypt99, Springer LNCS 1592, 1999
Cited by 98 (3 self)
We examine the concurrent composition of zero-knowledge proofs. By concurrent composition, we indicate a single prover that is involved in multiple, simultaneous zero-knowledge proofs with one or multiple verifiers. Under this type of composition it is believed that standard zero-knowledge protocols are no longer zero-knowledge. We show that, modulo certain complexity assumptions, any statement in NP has k^ε-round proofs and arguments in which one can efficiently simulate any k^{O(1)} concurrent executions of the protocol.
Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
1991
Cited by 62 (1 self)
"Undeniable" (or perhaps rather "invisible") signatures are digital signatures which the recipient cannot show round without the help of the signer. If forced to either acknowledge or deny a signature, however, the signer cannot deny it if it is authentic. We present the first undeniable signature scheme which is unconditionally secure for the signer (except for an exponentially small error probability). The security for the recipient is provably as secure as the discrete logarithm in certain groups. Besides, this is the first practical cryptographically strong undeniable signature scheme at all. In many cases, it is more efficient than previous signature schemes unconditionally secure for the signer. Interesting subprotocols are efficient cryptographically collision-free hash functions based on the discrete log, and efficient perfectly hiding commitments on numbers modulo a prime with particular inequality proofs.
Concurrent and Resettable Zero-Knowledge in Poly-logarithmic Rounds (Extended Abstract)
- STOC'01, 2001
Cited by 39 (1 self)
2 k) rounds given at most k concurrent proofs. Finally, we show that a simple modification of our proof is a resettable zero-knowledge proof for NP, with ω(log² k) rounds; previously known protocols required a polynomial number of rounds.
The (True) Complexity of Statistical Zero Knowledge (Extended Abstract)
- Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, ACM, 1990
Cited by 38 (16 self)
Mihir Bellare, Silvio Micali, Rafail Ostrovsky. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139. Abstract: Statistical zero-knowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that given a complexity assumption a much weaker condition suffices to attain statistical zero-knowledge. As a result we are able to simplify statistical zero-knowledge and to better characterize, on many counts, the class of languages that possess statistical zero-knowledge proofs. 1 Introduction. An interactive proof involves two parties, a prover and a verifier, who talk back and forth. The prover, who is computationally unbounded, tries to convince the probabilistic polynomial time verifier that a given theorem is true. A zero-knowledge proof is an interactive proof with an additional privacy constraint: the verifier does not learn why the theorem is true [11]. That is, whatever the polynomial-time verif...
Magic Functions
1999
Cited by 34 (0 self)
We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem.
Practical Zero-Knowledge Proofs: Giving Hints and Using Deficiencies
- Journal of Cryptology, 1994
Cited by 28 (0 self)
New zero-knowledge proofs are given for some number-theoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be super-polynomial in power. A probabilistic polynomial time prover with the appropriate trap-door knowledge is sufficient. The proofs are perfect or statistical zero-knowledge in all cases except one. 1 Introduction. Many researchers have studied zero-knowledge proofs and the classes of problems which have such zero-knowledge proofs. Little attention, however, has been paid to the practicality of these proofs. It is known, for example, that, under certain cryptographic assumptions, all problems in NP have zero-knowledge proofs [19], [8], [10]. Although these proofs can be performed with probabilistic polynomial time provers who have the appropriate trapdoor information, these proofs may involve a transformation to a circuit or to an NP-complete p...
One-Way Functions, Hard on Average Problems, and Statistical Zero-Knowledge Proofs (Extended Abstract)
- In Proceedings of the 6th Annual Structure in Complexity Theory Conference, 1991
Cited by 23 (6 self)
In this paper, we study connections among one-way functions, hard on the average problems, and statistical zero-knowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one.

