Results 1 - 6 of 6
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing, 1990
Cited by 190 (14 self)
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zero-knowledge protocols is zero-knowledge too. We demonstrate the limitations of the composition of zero-knowledge protocols by proving that the original definition of zero-knowledge is not closed under sequential composition; and that even the strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zero-knowledge proofs, with significant implications to the parallelization of zero-knowledge protocols. We prove that 3-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
An unconditional study of computational zero knowledge
SIAM Journal on Computing, 2004
Cited by 27 (7 self)
We prove a number of general theorems about ZK, the class of problems possessing (computational) zero-knowledge proofs. Our results are unconditional, in contrast to most previous works on ZK, which rely on the assumption that one-way functions exist. We establish several new characterizations of ZK, and use these characterizations to prove results such as: 1. Honest-verifier ZK equals general ZK. 2. Public-coin ZK equals private-coin ZK. 3. ZK is closed under union. 4. ZK with imperfect completeness equals ZK with perfect completeness. 5. Any problem in ZK ∩ NP can be proven in computational zero knowledge by a BPP^NP prover. 6. ZK with black-box simulators equals ZK with general, non-black-box simulators. The above equalities refer to the resulting class of problems (and do not necessarily preserve other efficiency measures such as round complexity). Our approach is to combine the conditional techniques previously used in the study of ZK with the unconditional techniques developed in the study of SZK, the class of problems possessing statistical zero-knowledge proofs. To enable this combination, we prove that every problem in ZK can be decomposed into a problem in SZK together with a set of instances from which a one-way function can be constructed.
Sorting Out Zero-Knowledge
1990
Cited by 12 (4 self)
this paper is to explain the various notions involved and to offer a new terminology that emphasizes their differences. There are two orthogonal aspects to zero-knowledge interactive proofs. One is the notion of zero-knowledge and the other is the notion of interactive proof. Unfortunately, these two notions are often thought to be inseparable. This confusion is reminiscent of the long lasting confusion among many people between public-key encryption and digital signature. It is clear that interactive proofs make sense independently of zero-knowledge (after all, Babai's Arthur-Merlin games [Ba] were invented independently of [GMR1]), but it is more subtle to see that a protocol could be zero-knowledge without being an interactive
Composition of Zero-Knowledge Proofs with Efficient Provers
2009
Cited by 1 (0 self)
We revisit the composability of different forms of zero-knowledge proofs when the honest prover strategy is restricted to be polynomial time (given an appropriate auxiliary input). Our results are: 1. When restricted to efficient provers, the original Goldwasser–Micali–Rackoff (GMR) definition of zero knowledge (STOC ‘85), here called plain zero knowledge, is closed under a constant number of sequential compositions (on the same input). This contrasts with the case of unbounded provers, where Goldreich and Krawczyk (ICALP ‘90, SICOMP ‘96) exhibited a protocol that is zero knowledge under the GMR definition, but for which the sequential composition of 2 copies is not zero knowledge. 2. If we relax the GMR definition to only require that the simulation is indistinguishable from the verifier’s view by uniform polynomial-time distinguishers, with no auxiliary input beyond the statement being proven, then again zero knowledge is not closed under sequential composition of 2 copies. 3. We show that auxiliary-input zero knowledge with efficient provers is not closed under parallel composition of 2 copies under the assumption that there is a secure key agreement protocol (in which it is easy to recognize valid transcripts). Feige and Shamir (STOC ‘90) gave similar results under the seemingly incomparable assumptions that (a) the discrete logarithm problem is hard, or (b) UP ⊈ BPP and one-way functions exist. These results first appeared in the first author’s undergraduate thesis [5] and an extended abstract will appear
Mathematical Foundations of Modern Cryptography: Computational Complexity Perspective
2002
Theoretical computer science has found fertile ground in many areas of mathematics. The approach has been to consider classical problems through the prism of computational complexity, where the number of basic computational steps taken to solve a problem is the crucial qualitative parameter. This new approach has led to a sequence of advances, in setting and solving new mathematical challenges as well as in harnessing discrete mathematics to the task of solving real-world problems. In this talk, I will survey the development of modern cryptography — the mathematics behind secret communications and protocols — in this light. I will describe the complexity theoretic foundations underlying the cryptographic tasks of encryption, pseudorandomness number generators and functions, zero knowledge interactive proofs, and multiparty secure protocols. I will attempt to highlight the paradigms and proof techniques which unify these foundations, and which have made their way into the mainstream of complexity theory.
Non-Interactive Proofs of Proximity
2013
We initiate a study of non-interactive proofs of proximity. These proof-systems consist of a verifier that wishes to ascertain the validity of a given statement, using a short (sublinear length) explicitly given proof, and a sublinear number of queries to its input. Since the verifier cannot even read the entire input, we only require it to reject inputs that are far from being valid. Thus, the verifier is only assured of the proximity of the statement to a correct one. Such proof-systems can be viewed as the NP (or more accurately MA) analogue of property testing. We explore both the power and limitations of non-interactive proofs of proximity. We show that such proof-systems can be exponentially stronger than property testers, but are exponentially weaker than the interactive proofs of proximity studied by Rothblum, Vadhan and Wigderson (STOC 2013). In addition, we show a natural problem that has a full and (almost) tight multiplicative tradeoff between the length of the proof and the verifier’s query complexity. On the negative side, we also show that there exist properties for which even a linearly-long (non-interactive) proof of proximity cannot significantly reduce the query complexity.