On the Composition of Public-Coin Zero-Knowledge Protocols

Rafael Pass, Wei-Lung Dustin Tseng, Douglas Wikström
2011, SIAM Journal on Computing (print)
We show that only languages in BPP have public-coin black-box zero-knowledge protocols that are secure under an unbounded (polynomial) number of parallel repetitions. This result holds both in the plain model (without any set-up) and in the Bare Public-Key Model (where the prover and the verifier have registered public keys). We complement this result by constructing a public-coin black-box zero-knowledge proof based on one-way functions that remains secure under any a priori bounded number of concurrent executions. A key step (of independent interest) in the analysis of our lower bound shows that any public-coin protocol, when repeated sufficiently in parallel, satisfies a notion of "resettable soundness" if the verifier picks its random coins using a pseudorandom function.

AMS Classification: 68Q17, computational difficulty of problems.

* A preliminary version of this work appeared in CRYPTO '09.

Zero-knowledge (ZK) interactive protocols [GMR89] are paradoxical constructs that allow one player P (called the prover) to convince another player V (called the verifier) of the validity of a mathematical statement x ∈ L, while providing zero additional knowledge to the verifier. This is formalized by requiring that the view of an adversarial verifier, V*, during an interaction with the prover P can be efficiently reconstructed by a so-called simulator, S. A particularly attractive notion of zero-knowledge, called black-box zero-knowledge [GO94], requires the existence of a universal simulator S that can generate the view of any V* when given black-box access to V*. A fundamental question regarding zero-knowledge protocols is whether their composition remains zero-knowledge. Three basic notions of composition are sequential composition [GMR89, GO94], parallel composition [FS90, GK96b] and concurrent composition [FS90, DNS04]. In a sequential composition, the players sequentially run many instances of a zero-knowledge protocol, one after the other. In a parallel composition, the instances instead proceed in parallel, at the same pace. Finally, in a concurrent composition, messages from different instances of the protocol may be arbitrarily interleaved. While the definition of ZK is closed under sequential composition [GO94], this no longer holds for parallel composition [GK96b] (and thus not for concurrent composition either).
However, there are zero-knowledge protocols for all of NP that have been demonstrated to be secure under both parallel and concurrent composition. For the case of parallel composition, constant-round protocols are known [Gol02, FS90, GK96a]. For the case of concurrent composition, a series of works [RK99, KP01, PRS02] show feasibility of Õ(log n)-round black-box ZK protocols; furthermore, this round complexity is essentially optimal with respect to black-box ZK [KPR98, Ros00, CKPR01]. Whereas the original ZK protocols of [GMR89, GMW91, Blu86] are public-coin (i.e., the verifier's messages are its random coin tosses), all of the aforementioned parallel or concurrent ZK protocols use private coins. Indeed, in their seminal paper, Goldreich and Krawczyk [GK96b] show that only languages in BPP have constant-round public-coin (stand-alone) black-box ZK protocols with negligible soundness error, let alone the question of parallel composition. In particular, their result implies that (unless NP ⊆ BPP) the constant-round ZK protocols of, e.g., [GMW91, Blu86] with constant soundness error cannot be black-box ZK under parallel repetition (as this would yield a constant-round black-box ZK protocol with negligible soundness error). A natural question is whether the constant-round restriction imposed by the [GK96b] result is necessary. Namely:

Is there a (possibly super-constant round) public-coin black-box ZK protocol that is secure under parallel (or even concurrent) composition?

Our Results

In this work, we provide a negative answer to the above question. Namely, we show that only languages in BPP have public-coin black-box ZK protocols that remain secure under parallel (and thus also concurrent) composition, regardless of round complexity.

Theorem (Informal). If L has a public-coin argument that is black-box ZK and secure under parallel composition, then L ∈ BPP.
In fact, our result establishes that any public-coin black-box ZK protocol for a non-trivial language that remains secure under m parallel executions must have Ω(m^{1/2}) rounds. On the positive side, we show that every language in NP has a public-coin black-box ZK proof that remains secure under an a priori bounded number of concurrent (and thus parallel) executions.
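The "resettable soundness" step behind the lower bound (a public-coin verifier that derives its coins with a pseudorandom function of the transcript, repeated sufficiently in parallel) can be seen on a toy protocol. The following is an added illustration and not the paper's construction or proof: an m-fold parallel Schnorr protocol in a tiny group (g = 2 of prime order 11 in Z_23^*), with HMAC-SHA256 standing in for the PRF, and a specific resetting prover. In the resetting model the verifier's random tape is fixed across resets, so a verifier that simply outputs its tape coins re-issues the same challenge after a reset and a prover without the witness can craft commitments to fit it; a verifier whose challenges are PRF(key, statement || commitments) re-issues the same challenge only for the same prefix, so the crafted commitments receive fresh-looking challenges and the attack succeeds only with probability q^-m, which is why the protocol must be repeated in parallel before this argument works. Group parameters, the PRF choice and the cheating strategy are all assumptions of this example.

```python
"""Added example (not from the paper): a public-coin verifier whose coins come
from a PRF of the transcript resists a *resetting* prover, whereas one that
reads coins off a fixed random tape does not.  Toy m-fold parallel Schnorr
protocol (public coin: the verifier's only message is the challenge vector),
HMAC-SHA256 standing in for the PRF.  All parameters are illustrative."""
import hashlib
import hmac
import random

# Toy group: g = 2 generates the subgroup of prime order q = 11 in Z_23^*
# (2^11 = 2048 = 89*23 + 1).  The 11-element challenge space is deliberately tiny.
P, Q, G = 23, 11, 2


def prf_challenges(key, transcript, m):
    """Verifier coins as PRF(key, transcript): m challenges in Z_Q."""
    chals = []
    for i in range(m):
        tag = hmac.new(key, transcript + bytes([i]), hashlib.sha256).digest()
        chals.append(int.from_bytes(tag, "big") % Q)
    return chals


class Verifier:
    """Public-coin verifier for m parallel Schnorr instances proving knowledge of
    x with y = g^x.  The random tape (coins and PRF key) is drawn once and, as in
    the resetting model, survives any reset by the prover.
      mode == "tape": challenges are the tape coins, independent of the transcript
      mode == "prf":  challenges = PRF(key, statement || commitments)
    """

    def __init__(self, y, m, mode, seed):
        rng = random.Random(seed)                       # the fixed random tape
        self.y, self.m, self.mode = y, m, mode
        self.coins = [rng.randrange(Q) for _ in range(m)]
        self.key = bytes(rng.randrange(256) for _ in range(32))

    def challenge(self, commits):
        if self.mode == "tape":
            return list(self.coins)
        transcript = bytes([self.y]) + bytes(commits)   # every value is < 23 < 256
        return prf_challenges(self.key, transcript, self.m)

    def verify(self, commits, chals, resps):
        return all(pow(G, z, P) == (a * pow(self.y, e, P)) % P
                   for a, e, z in zip(commits, chals, resps))


def honest_prover(x, verifier, seed):
    """Standard Schnorr: commit a_i = g^{r_i}, answer z_i = r_i + e_i x (mod q)."""
    rng = random.Random(seed)
    rs = [rng.randrange(Q) for _ in range(verifier.m)]
    commits = [pow(G, r, P) for r in rs]
    chals = verifier.challenge(commits)
    resps = [(r + e * x) % Q for r, e in zip(rs, chals)]
    return verifier.verify(commits, chals, resps)


def resetting_cheater(verifier):
    """Knows no witness.  Session 1: send dummy commitments and learn the
    challenges.  Reset the verifier (same tape).  Session 2: pick z_i freely and
    set a_i = g^{z_i} * y^{-e_i}; the check g^{z_i} == a_i * y^{e_i} then passes
    exactly when the verifier re-issues the same e_i (y has order q, so
    y^{e'-e} = 1 iff e' = e mod q)."""
    m, y = verifier.m, verifier.y
    learned = verifier.challenge([1] * m)          # session 1; then reset
    zs = [(3 * i + 1) % Q for i in range(m)]        # arbitrary fixed responses
    y_inv = pow(y, -1, P)
    commits = [(pow(G, z, P) * pow(y_inv, e, P)) % P for z, e in zip(zs, learned)]
    chals = verifier.challenge(commits)             # session 2 on the same tape
    return verifier.verify(commits, chals, zs)


def run_demo(m=12, x=7, seed=1):
    """Run all four cases and return the accept/reject outcomes."""
    y = pow(G, x, P)                                # y = 2^7 mod 23 = 13
    return {
        "honest_tape": honest_prover(x, Verifier(y, m, "tape", seed), seed + 1),
        "honest_prf": honest_prover(x, Verifier(y, m, "prf", seed), seed + 1),
        "cheat_tape": resetting_cheater(Verifier(y, m, "tape", seed)),
        # succeeds only if PRF(key, crafted transcript) reproduces all m learned
        # challenges: probability q^-m = 11^-12, i.e. the reset buys nothing
        "cheat_prf": resetting_cheater(Verifier(y, m, "prf", seed)),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:12s} -> {'accept' if accepted else 'reject'}")
```

Both honest runs accept (completeness is unaffected by how the verifier draws its coins), the resetting prover is accepted by the tape verifier and rejected by the PRF verifier. With a single instance (m = 1) the PRF verifier would still be ground down by a prover trying about q different first messages until the PRF happens to return the challenge it prepared for, which is the role of "repeated sufficiently in parallel" in the abstract.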
doi:10.1137/100811465