Escolar Documentos
Profissional Documentos
Cultura Documentos
Oded Goldrei
h
Department of Computer S
ien
e and Applied Mathemati
s
Weizmann Institute of S
ien
e, Rehovot,
Email:
Israel.
odedwisdom.weizmann.a
.il
Mar
h 15, 2010
Abstra t
Zero-knowledge proofs are proofs that are both
onvin
ing and yet yield nothing beyond the
validity of the assertion being proved. Their dire
t appli
ations in
ryptography are numerous,
where they are typi
ally used to for
e mali
ious parties to behave a
ording to a predetermined
proto
ol. In addition, zero-knowledge proofs serve as an ex
ellent ben
h-mark for the study of
various problems regarding
ryptographi
proto
ols.
The rst part of this tutorial reviews the basi
denitional approa
h and its variants as well
as the main results regarding the power of zero-knowledge proofs. The se
ond part reviews
several advan
ed topi
s in
luding (1) the
omposeability of zero-knowledge proofs and (2) the
use of the adversary's program within the proof of se
urity (i.e., non-bla
k-box simulation).
Contents
1 Introdu
tion
::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::
I The Basi s
1
2
2
2 Preliminaries
:::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::
3 Denitional Issues
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::
II Advan ed Topi s
4
6
7
8
8
10
10
10
11
11
12
12
14
15
::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::
22
23
23
24
9 Statisti
al Zero-Knowledge
25
9.1 Transformations : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 26
9.2 Complete problems and stru
tural properties : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 26
10 Knowledge Complexity
26
27
28
29
Referen es
29
ii
1 Introdu
tion
Zero-Knowledge proofs, introdu
ed by Goldwasser, Mi
ali and Ra
ko [68, are fas
inating and
extremely useful
onstru
ts. Their fas
inating nature is due to their seemingly
ontradi
tory denition; zero-knowledge proofs are both
onvin
ing and yet yield nothing beyond the validity of the
assertion being proved. Their appli
ability in the domain of
ryptography is vast; they are typi
ally
used to for
e mali
ious parties to behave a
ording to a predetermined proto
ol. In addition to
their dire
t appli
ability in Cryptography, zero-knowledge proofs serve as a good ben
h-mark for
the study of various problems regarding
ryptographi
proto
ols (e.g., the \preservation of se
urity
under various forms of proto
ol
omposition" and the \use of of the adversary's program within
the proof of se
urity").
In this tutorial we present the basi
denitions and results regarding zero-knowledge proto
ols as
well as some relatively advan
ed topi
s. The rest of the introdu
tion provides a high-level summary
of the tutorial.
X
X is true!
??
111111111
000000000
000000000
111111111
000000000
111111111
000000000
111111111
000000000
111111111
000000000
111111111
000000000
111111111
000000000
111111111
!
?
!
Loosely speaking, zero-knowledge proofs are proofs that yield nothing beyond the validity of the
assertion. That is, a verier obtaining su
h a proof only gains
onvi
tion in the validity of the assertion. This is formulated by saying that anything that is feasibly
omputable from a zero-knowledge
proof is also feasibly
omputable from the (valid) assertion itself (by a so-
alled simulator). Variants
on the basi
denition in
lude:
Consideration of auxiliary inputs.
Mandating of universal and bla
k-box simulations.
Restri
ting attention to honest (or rather semi-honest) veriers.
The level of similarity required of the simulation.
It is well-known that zero-knowledge proofs exist for any NP-set, provided that one-way fun
tions
exist. This result is a powerful tool in the design of
ryptographi
proto
ols, be
ause it enables to
for
e parties to behave a
ording to a predetermined proto
ol (i.e., the proto
ol requires parties
to provide zero-knowledge proofs of the
orre
tness of their se
ret-based a
tions, without revealing
these se
rets).
1
Organization of Part 1: We start with some preliminaries (Se
tion 2), whi
h are
entral to
the \mind-set" of the notion of zero-knowledge. In parti
ular, we review the denitions of intera
tive proofs and arguments as well as the denitions of
omputational indistinguishability (whi
h
underlies the denition of general zero-knowledge) and of one-way fun
tions (whi
h are used in
onstru
tions). We then turn to the denitional treatment of zero-knowledge itself (Se
tion 3).
Finally, we dis
uss the
onstru
tibility and appli
ability of zero-knowledge proofs (Se
tion 4).
We start with two basi
problems regarding zero-knowledge, whi
h a
tually arise also with respe
t
to the se
urity of other
ryptographi
primitives. The rst question refers to the preservation of
se
urity (i.e., zero-knowledge in our
ase) under various types of
omposition operations. We survey
the known results regarding sequential, parallel and
on
urrent exe
ution of (arbitrary and/or
spe
i
) zero-knowledge proto
ols. The main fa
ts are:
Zero-knowledge (with respe
t to auxiliary inputs) is
losed under sequential
omposition.
In general, zero-knowledge is not
losed under parallel
omposition. Yet, some zero-knowledge
proofs (for NP) preserve their se
urity when many
opies are exe
uted in parallel. Furthermore, some of these proto
ol use a
onstant number of rounds.
Some zero-knowledge proofs (for NP) preserve their se
urity when many
opies are exe
uted
on
urrently, but su
h a result is not known for
onstant-round proto
ols.
The se
ond basi
question regarding zero-knowledge refers to the usage of the adversary's program
within the proof of se
urity (i.e., demonstration of the zero-knowledge property). For 15 years, all
known proofs of se
urity used the adversary's program as a bla
k-box (i.e., a universal simulator
was presented using the adversary's program as an ora
le). Furthermore, it was believed that
there is no advantage in having a
ess to the
ode of the adversary's program. Consequently it was
onje
tured that negative results regarding bla
k-box simulation represent an inherent limitation of
zero-knowledge. This belief was later refuted by the presentation of a zero-knowledge argument (for
NP) that has important properties that are una
hievable by bla
k-box simulation. For example,
this zero-knowledge argument uses a
onstant number of rounds and preserves its se
urity when an
(a-priori xed polynomial) number of
opies are exe
uted
on
urrently.
1
1.3 Comments
The notion of zero-knowledge has had a vast impa
t on the development of
ryptography. In
parti
ular, zero-knowledge proofs of various types were expli
itly used (as a tool) in a variety of
appli
ations. We wish to highlight also the indire
t impa
t of zero-knowledge on the denitional
This result falls short of a
hieving a fully
on
urrent zero-knowledge argument, be
ause the number of
on
urrent
opies must be xed before the proto
ol is presented. Spe
i
ally, the proto
ol uses messages that are longer than
the allowed number of
on
urrent
opies.
1
Suggestions for further reading: For further details regarding most of the material, the interested reader is referred to [49, Chap. 4. For a wider perspe
tive on probabilisti
proof systems,
the reader is referred to [52, Chap. 9.
Part I
The Basi
s
2 Preliminaries
Modern Cryptography, is
on
erned with the
onstru
tion of e
ient s
hemes for whi
h it is infeasible to violate the se
urity feature. The same
on
ern underlies the main denitions of zeroknowledge. Thus, for starters, we need a notion of e
ient
omputations as well as a notion of
infeasible ones. The
omputations of the legitimate users of the s
heme ought be e
ient, whereas
violating the se
urity features (via an adversary) ought to be infeasible.
E
ient
omputations are
ommonly modeled by
omputations that are polynomial-time in the
se
urity parameter. The polynomial bounding the running-time of the legitimate user's strategy is
xed and typi
ally expli
it (and small). Here (i.e., when referring to the
omplexity of the legitimate
users) we are in the same situation as in any algorithmi
setting. Things are dierent when referring
to our assumptions regarding the
omputational resour
es of the adversary. A
ommon approa
h is
to postulate that the latter are polynomial-time too, where the polynomial is not a-priori spe
ied.
In other words, the adversary is restri
ted to the
lass of e
ient
omputations and anything beyond
this is
onsidered to be infeasible. Although many denitions expli
itly refer to this
onvention,
this
onvention is inessential to any of the results known in the area. In all
ases, a more general
statement
an be made by referring to adversaries of running-time bounded by any super-polynomial
fun
tion (or
lass of fun
tions). Still, for sake of
on
reteness and
larity, we shall use the former
onvention in our treatment.
A
tually, in order to simplify our exposition, we will often
onsider as infeasible any
omputation
that
annot be
ondu
ted by a (possibly non-uniform) family of polynomial-size
ir
uits. For
2
simpli
ity we
onsider families of
ir
uits fCn g, where for some polynomials p and q, ea
h Cn has
exa
tly p(n) input bits and has size at most q(n).
Randomized
omputations play a
entral role in the denition of zero-knowledge (as well as in
ryptography at large). That is, we allow the legitimate users to employ randomized
omputations,
and likewise we
onsider adversaries that employ randomized
omputations. This brings up the
issue of su
ess probability: typi
ally, we require that legitimate users su
eed (in fullling their
legitimate goals) with probability 1 (or negligibly
lose to this), whereas adversaries su
eed (in
violating the se
urity features) with negligible probability. Thus, the notion of a negligible probability
plays an important role in our exposition. One feature required of the denition of negligible
probability is to yield a robust notion of rareness: A rare event should o
ur rarely even if we
repeat the experiment for a feasible number of times. Likewise, we
onsider two events to o
ur
\as frequently" if the absolute dieren
e between their
orresponding o
urren
e probabilities is
negligible. For
on
reteness, we
onsider as negligible any fun
tion : N ! [0; 1 that vanishes faster
than the re
ipro
al of any polynomial (i.e., for every positive polynomial p and all su
iently big
n, it holds that (n) < 1=p(n)).
3
Before dening zero-knowledge proofs, we have to dene proofs. The standard notion of stati
(i.e.,
non-intera
tive) proofs will not do, be
ause stati
zero-knowledge proofs exist only for sets that
are easy to de
ide (i.e, are in BPP ) [61 whereas we are interested in zero-knowledge proofs for
arbitrary NP-sets. Instead, we use the notion of an intera
tive proof (introdu
ed exa
tly for that
reason by Goldwasser, Mi
ali and Ra
ko [68). That is, here a proof is a (multi-round) randomized
proto
ol for two parties,
alled verier and prover, in whi
h the prover wishes to
onvin
e the verier
of the validity of a given assertion. Su
h an intera
tive proof should allow the prover to
onvin
e
the verier of the validity of any true assertion, whereas no prover strategy may fool the verier
to a
ept false assertions. Both the foregoing
ompleteness and soundness
onditions should hold
with high probability (i.e., a negligible error probability is allowed).
We
omment that intera
tive proofs emerge naturally when asso
iating the notion of e
ient veri
ation, whi
h underlies the notion of a proof system, with probabilisti
and intera
tive
polynomial-time
omputations. This asso
iation is quite natural in light of the growing a
eptability of randomized and distributed
omputations. Thus, a \proof" in this
ontext is not a xed and
stati
obje
t, but rather a randomized and dynami
(i.e., intera
tive) pro
ess in whi
h the verier
intera
ts with the prover. Intuitively, one may think of this intera
tion as
onsisting of \tri
ky"
questions asked by the verier, to whi
h the prover has to reply \
onvin
ingly". The above dis
ussion, as well as the following denition, makes expli
it referen
e to a prover, whereas a prover is
only impli
it in the traditional denitions of proof systems (e.g., NP-proofs).
Loosely speaking, an intera
tive proof is a game between a
omputationally bounded verier
and a
omputationally unbounded prover whose goal is to
onvin
e the verier of the validity of
some assertion. Spe
i
ally, the verier is probabilisti
polynomial-time. It is required that if the
assertion holds then the verier always a
epts (i.e., when intera
ting with an appropriate prover
strategy). On the other hand, if the assertion is false then the verier must reje
t with \noti
eable"
probability, no matter what strategy is being employed by the prover. Indeed, the error probability
(in the soundness
ondition)
an be redu
ed by (either sequential or parallel) repetitions.
Typi
ally, when adversaries are modeled by (non-uniform) families of polynomial-size
ir
uits, it is not ne
essary
to allow the latter to toss
oins (be
ause the best
oin-tossing sequen
e
an be hard-wired in the
ir
uit). Still, also
in this
ase we employ a probabilisti
treatment, where the probability spa
e refers to the a
tions of the legitimate
users.
3
(Intera
tive Proof systems and the
omplexity
lass IP [68): An intera
tive proof
system for a set S is a two-party game, between a verier exe
uting a probabilisti
polynomial-time
strategy (denoted V ) and a prover whi
h exe
utes a
omputationally unbounded strategy (denoted
Denition 1
P ), satisfying
Soundness:
For some polynomial p, it holds that for every x 62 S and every potential strategy P , the verier V reje
ts with probability at least 1=p(jxj), after intera
ting with P on
ommon input x.
IP .
Note that by repeating su
h a proof system for O(p(jxj) ) times, we may de
rease the probability
that V a
epts a false statement (from 1 (1=p(jxj))) to 2 p jxj . Thus, when
onstru
ting intera
tive
proofs we sometimes fo
us on obtaining a noti
eable reje
tion probability for no-instan
es (i.e.,
obtaining soundness error bounded away from 1), whereas when using intera
tive proofs we typi
ally
assume that their soundness error is negligible.
2
Variants: A restri
ted
lass of intera
tive proof systems,
alled publi
-
oin proofs (a.k.a ArthurMerlin games),
onsists of systems in whi
h the verier must send the out
ome of any
oin it tosses
(and thus need not send any other information). Yet, as shown in [69, this restri
ted
ase (introdu
ed by Babai [4) has essentially the same power as the general
ase (introdu
ed by Goldwasser,
Mi
ali and Ra
ko [68). Thus, in the
ontext of intera
tive proof systems, asking random questions is as powerful as asking \tri
ky" questions. (As we shall see, this does not ne
essarily hold
in the
ontext of zero-knowledge proofs.) Also, in some sour
es intera
tive proofs are dened so
that two-sided error probability is allowed (rather than requiring \perfe
t
ompleteness" as done
above); yet, this does not in
rease their power [45.
A fundamental variant on the notion of intera
tive proofs was introdu
ed by Brassard, Chaum and Crepeau [21, who relaxed the soundness
ondition so that it only refers to feasible ways of trying to fool the verier (rather than to all
possible ways). Spe
i
ally, the soundness
ondition was repla
ed by the following
omputational
soundness
ondition that asserts that it is infeasible to fool the verier into a
epting false statements.
For every polynomial p, every prover strategy that is implementable by a family of
polynomial-size
ir
uits fCn g, and every su
iently large x 2 f0; 1g n S , the probability
that V a
epts x when intera
ting with Cjxj is less than 1=p(jxj).
We warn that although the
omputational-soundness error
an always be redu
ed by sequential
repetitions, it is not true that this error
an always be redu
ed by parallel repetitions (
f. [14).
Proto
ols that satisfy the
omputational-soundness
ondition are
alled arguments. We mention
that argument systems may be more e
ient than intera
tive proofs (see [72, 55).
4
5
Terminology. Whenever we wish to blur the distin
tion between proofs and arguments, we will
use the term proto
ols. We will
onsider su
h a proto
ol trivial if it establishes membership in a
BPP-set (be
ause membership in su
h a set
an be determined by the verier itself). On the other
hand, we will sometimes talk about proto
ols for NP , when what we a
tually mean is proto
ols
for ea
h set in NP . (This terminology is quite
ommon in the area.)
6
Most positive results regarding zero-knowledge proofs are based on intra
tability assumptions.
Furthermore, the very notion of a zero-knowledge proof is interesting only in
ase the assertion
being proved to be valid is hard to verify in probabilisti
polynomial-time. Thus, our dis
ussion
always assumes (at least impli
itly) that IP is not
ontained in BPP , and often we expli
itly
assume more than that.
In general, Modern Cryptography is
on
erned with the
onstru
tion of s
hemes that are easy to
operate (properly) but hard to foil. Thus, a
omplexity gap (i.e., between the
omplexity of proper
usage and the
omplexity of defeating the pres
ribed fun
tionality) lies in the heart of Modern
Cryptography. However, gaps as required for Modern Cryptography are not known to exist; they
are only widely believed to exist. Indeed, almost all of Modern Cryptography rises or falls with
the question of whether one-way fun
tions exist. One-way fun
tions are fun
tions that are easy to
evaluate but hard (on the average) to invert (
f. [33). That is, a fun
tion f : f0; 1g ! f0; 1g is
alled one-way if there is an e
ient algorithm that on input x outputs f (x), whereas any feasible
algorithm that tries to nd a preimage of f (x) under f may su
eed only with negligible probability
(where the probability is taken uniformly over the
hoi
es of x and the algorithm's
oin tosses).
Asso
iating feasible
omputations with (possibly non-uniform) families of polynomial-size
ir
uits,
we obtain the following denition.
Denition 2 (one-way fun
tions): A fun
tion f : f0; 1g !f0; 1g is
alled one-way if the following
two
onditions hold:
1.
2.
easy to evaluate: There exist a polynomial-time algorithm A su
h that A(x) = f (x) for every
x 2 f0; 1g .
hard to invert: For every family of polynomial-size
ir
uits fCng, every polynomial p, and all
su
iently large n,
1
Pr[Cn (f (x)) 2 f (f (x)) <
p(n)
where the probability is taken uniformly over all the possible
hoi
es of x 2 f0; 1gn .
1
Some of the most popular
andidates for one-way fun
tions are based on the
onje
tured intra
tability of
omputational problems in number theory. One su
h
onje
ture is that it is infeasible to fa
tor
large integers. Consequently, the fun
tion that takes as input two (equal length) primes and outputs
their produ
t is widely believed to be a one-way fun
tion.
7
Terminology. Some of the (positive) results mentioned below require stronger forms of one-way
fun
tions (e.g., one-way permutations with (or without) trapdoor [49, Se
. 2.4.4 and
law-free
permutation pairs [49, Se
. 2.4.5). Whenever we wish to avoid the spe
i
details, we will talk
about standard intra
tability assumptions. In all
ases, the
onje
tured intra
tability of fa
toring
will su
e.
A
entral notion in Modern Cryptography is that of \ee
tive similarity" (introdu
ed by Goldwasser, Mi
ali and Yao [67, 91). The underlying thesis is that we do not
are whether or not
obje
ts are equal, all we
are is whether or not a dieren
e between the obje
ts
an be observed by
a feasible
omputation. In
ase the answer is negative, the two obje
ts are equivalent as far as any
pra
ti
al appli
ation is
on
erned. Indeed, like in many other
ryptographi
denitions, in the definition of general/
omputational zero-knowledge we will freely inter
hange su
h (
omputationally
indistinguishable) obje
ts.
The asymptoti
formulation of
omputational indistinguishability refers to (pairs of) probability ensembles, whi
h are innite sequen
es of nite distributions, rather than to (pairs of) nite
distributions. Spe
i
ally, we
onsider sequen
es indexed by strings (rather than by integers (in
unary representation)). For S f0; 1g , we
onsider the probability ensembles X = fX g2S
and Y = fY g2S , where ea
h X (resp., Y) is a distribution that ranges over strings of length
polynomial in jj. We say that X and Y are
omputationally indistinguishable if for every feasible
algorithm A the dieren
e dA(n) = max2f ; gn fjPr[A(X ) = 1 Pr[A(Y ) = 1jg is a negligible
fun
tion in jj. That is:
Denition 3 (
omputational indistinguishability [67, 91): We say that X = fX g2S and Y =
fY g2S are
omputationally indistinguishable if for every family of polynomial-size
ir
uits fDn g,
every polynomial p, all su
iently large n and every 2 f0; 1gn \ S ,
jPr[Dn(X )=1 Pr[Dn(Y )=1j < p(1n)
where the probabilities are taken over the relevant distribution (i.e., either Xn or Yn ).
That is, we think of D = fDn g as of somebody who wishes to distinguish two distributions (based
on a sample given to it), and think of 1 as of D's verdi
t that the sample was drawn a
ording
to the rst distribution. Saying that the two distributions are
omputationally indistinguishable
means that if D is an e
ient pro
edure then its verdi
t is not really meaningful (be
ause the
verdi
t is almost as often 1 when the input is drawn from the rst distribution as when the input
is drawn from the se
ond distribution).
We
omment that indistinguishability by a single sample (as dened above) implies indistinguishability by multiple samples. Also note that the denition would not have been stronger if we
were to provide the distinguisher (i.e., D) with the index (i.e., ) of the distribution-pair being
tested.
def
01
Furthermore, the denition would not have been stronger if we were to
onsider a spe
ialized polynomial-size
ir
uit per ea
h 2 S (i.e.,
onsider the dieren
e jPr[D (X ) = 1 Pr[D (Y ) = 1j for any set of
ir
uits
D = fD g2S su
h that the size of D is polynomial in jj).
8
3 Denitional Issues
Loosely speaking, zero-knowledge proofs are proofs that yield nothing beyond the validity of the
assertion. That is, a verier obtaining su
h a proof only gains
onvi
tion in the validity of the
assertion. This is formulated by saying that anything that
an be feasibly obtained from a zeroknowledge proof is also feasibly
omputable from the (valid) assertion itself. The latter formulation
follows the simulation paradigm, whi
h is dis
ussed next.
3.1 The Simulation Paradigm
In dening zero-knowledge proofs, we view the verier as a potential adversary that tries to gain
knowledge from the (pres
ribed) prover. We wish to state that no (feasible) adversary strategy for
the verier
an gain anything from the prover (beyond
onvi
tion in the validity of the assertion).
Let us
onsider the desired formulation from a wide perspe
tive.
A key question regarding the modeling of se
urity
on
erns is how to express the intuitive requirement that an adversary \gains nothing substantial" by deviating from the pres
ribed behavior
of an honest user. Our approa
h is that the adversary gains nothing if whatever it
an obtain
by unrestri
ted adversarial behavior
an be obtained within essentially the same
omputational
eort by a benign behavior. The denition of the \benign behavior"
aptures what we want to
a
hieve in terms of se
urity, and is spe
i
to the se
urity
on
ern to be addressed. For example,
in the previous paragraph, we said that a proof is zero-knowledge if it yields nothing beyond the
validity of the assertion (i.e., the benign behavior is any
omputation that is based (only) on the
assertion itself, while assuming that the latter is valid). Thus, in a zero-knowledge proof no feasible
adversarial strategy for the verier
an obtain more than a \benign verier", whi
h believes the
assertion,
an obtain from the assertion itself. We
omment that the simulation paradigm, whi
h
was rst developed in the
ontext of zero-knowledge [68, is pivotal also to the denition of the
se
urity of en
ryption s
hemes (
f. [50, Chap. 5) and
ryptographi
proto
ols (
f. [24, 48).
A notable property of dening se
urity (or zero-knowledge) via the simulation paradigm is that
this approa
h is \overly liberal" with respe
t to its view of the abilities of the adversary as well as
to what might
onstitute a gain for the adversary. Thus, the approa
h may be
onsidered overly
autious, be
ause it prohibits also \non-harmful" gains of some \far fet
hed" adversaries. We
warn against this impression. Firstly, there is nothing more dangerous in
ryptography than to
onsider \reasonable" adversaries (a notion whi
h is almost a
ontradi
tion in terms): typi
ally, the
adversaries will try exa
tly what the system designer has dis
arded as \far fet
hed". Se
ondly, it
seems impossible to
ome up with denitions of se
urity that distinguish \breaking the s
heme in a
harmful way" from \breaking it in a non-harmful way": what is harmful is appli
ation-dependent,
whereas a good denition of se
urity ought to be appli
ation-independent (as otherwise using the
s
heme in any new appli
ation will require a full re-evaluation of its se
urity). Furthermore, even
with respe
t to a spe
i
appli
ation, it is typi
ally very hard to
lassify the set of \harmful
breakings".
3.2 The Basi
Denition
is only given the input itself. An intera
tive strategy A is zero-knowledge on (inputs from) the set S
if, for every feasible (intera
tive) strategy B , there exists a feasible (non-intera
tive)
omputation
C su
h that the following two probability ensembles are
omputationally indistinguishable:
1. f(A; B )(x)gx2S = the output of B after intera
ting with A on
ommon input x 2 S ; and
2. fC (x)gx2S = the output of C on input x 2 S .
We stress that the rst ensemble represents an a
tual exe
ution of an intera
tive proto
ol, whereas
the se
ond ensemble represents the
omputation of a stand-alone pro
edure (
alled the \simulator"),
whi
h does not intera
t with anybody. Thus, whatever
an be feasibly extra
ted from intera
tion
with A on input x 2 S ,
an also be feasibly extra
ted from x itself. This means that nothing was
gained by the intera
tion itself (beyond
onden
e in the assertion x 2 S ).
The above denition does not a
ount for auxiliary information that an adversary may have
prior to entering the intera
tion. A
ounting for su
h auxiliary information is essential for using
zero-knowledge proofs as sub-proto
ols inside larger proto
ols (see [57, 61). This is taken
are of
by a more stri
t notion
alled auxiliary-input zero-knowledge.
Denition 4 (zero-knowledge [68, revisited [61): A strategy A is auxiliary-input zero-knowledge
def
def
on inputs from S if for every probabilisti
polynomial-time strategy B and every polynomial p there
exists a probabilisti
polynomial-time algorithm C su
h that the following two probability ensembles
are
omputationally indistinguishable:
1.
the output of B when having auxiliary-input z and intera
ting with A on
ommon input x 2 S ; and
def
01
The more basi
denition of zero-knowledge is obtained by eliminating the auxiliary-input z from
Denition 4. We
omment that almost all known zero-knowledge proofs are in fa
t auxiliary-input
zero-knowledge. (Notable ex
eptions are zero-knowledge proofs
onstru
ted on purpose in order
to show a separation between these two notions (e.g., in [57) and proto
ols having only \non
bla
k-box simulators" (see warm-up in [7).)
We stress that the zero-knowledge property of an intera
tive proof (resp., argument) refers to all
feasible adversarial strategies that the verier may employ (in attempt to extra
t knowledge from
the pres
ribed prover that tries to
onvin
e the verier to a
ept a valid assertion). In
ontrast,
10
We note that the following denition seems stronger than merely allowing the verier and simulator to be
arbitrary polynomial-size
ir
uits. The issue is that the latter formulation does not guarantee that the simulator
an
be easily derived from the
heating verier nor that the length of the simulator's des
ription is related to the length of
the des
ription of the verier. Both issues are important when trying to use zero-knowledge proofs as sub-proto
ols
inside
larger proto
ols or to
ompose them (even sequentially). For further dis
ussion, see Se
tion 5.
10 In parti
ular, the notion of auxiliary-input zero-knowledge refers to an auxiliary input that may be available to
mali
ious veriers. Sin
e the pres
ribed verier strategy does not refer to an auxiliary-input, we may think of this
strategy as ignoring su
h an input. In
ontrast, typi
ally, the pres
ribed prover strategy does refer to an auxiliaryinput (and makes extensive use of it in order to perform e
iently the pres
ribed steps). Spe
i
ally, in order to be
of pra
ti
al value, the pres
ribed prover strategy has to be implemented by a probabilisti
polynomial-time algorithm
that is given an auxiliary input (e.g., an NP-witness, whi
h is not given to the verier).
9
the soundness property of an intera
tive proof (resp., the
omputational-soundness property of an
argument) refers to all possible (resp., feasible) adversarial strategies that the prover may employ
(in attempt to fool the pres
ribed verier to a
ept a false assertion). Finally, the
ompleteness
property (only) refers to the behavior of both pres
ribed strategies (when given, as
ommon input,
a valid assertion).
3.3 Variants
The reader may skip the
urrent subse
tion and return to it whenever en
ountering (espe
ially in
the se
ond part of this tutorial) a notion that was not dened above.
We have already dis
ussed two variants on the basi
denition (i.e., with or without auxiliaryinputs). Further strengthening of Denition 4 is obtained by requiring the existen
e of a universal
simulator, denoted C , that is given the program of the verier (i.e., B ) as an auxiliary-input; that
is, in terms of Denition 4, one should repla
e C (x; z) by C (x; z; hB i), where hB i denotes the
des
ription of the program of B (whi
h may depend on x and on z). That is, we ee
tively
restri
t the simulation by requiring that it be a uniform (feasible) fun
tion of the verier's program
(rather than arbitrarily depend on it). This restri
tion is very natural, be
ause it seems hard to
envision an alternative way of establishing the zero-knowledge property of a given proto
ol.
Taking another step, one may argue that sin
e it seems infeasible to reverse-engineer programs,
the simulator may as well just use the verier strategy as an ora
le (or as a \bla
k-box"). This
reasoning gave rise to the notion of bla
k-box simulation, whi
h was introdu
ed and advo
ated in [57
and further studied in numerous works (see, e.g., [28). The belief was that impossibility results
regarding bla
k-box simulation represent inherent limitations of zero-knowledge itself. However,
this belief was refuted by Barak [7. For further dis
ussion, see Se
tion 6.
11
The (general) denition of zero-knowledge (i.e., Denition 4) refers to all feasible verier strategies.
This
hoi
e is most natural sin
e zero-knowledge is supposed to
apture the robustness of the prover
under any feasible (i.e., adversarial) attempt to gain something by intera
ting with it. Thus, we
typi
ally view the verier as an adversary that is trying to
heat.
A weaker and still interesting notion of zero-knowledge refers to what
an be gained by an
\honest verier" (or rather a semi-honest verier) that intera
ts with the prover as dire
ted, with
the ex
eption that it may maintain (and output) a re
ord of the entire intera
tion (i.e., even if
dire
ted to erase all re
ords of the intera
tion). Although su
h a weaker notion is not satisfa
tory
for standard
ryptographi
appli
ations, it yields a fas
inating notion from a
on
eptual as well as
a
omplexity-theoreti
point of view. Furthermore, as shown in [64, 90, every publi
-
oin proof
system that is zero-knowledge with respe
t to the honest-verier
an be transformed into a standard
zero-knowledge proof that maintains many of the properties of the original proto
ol (and without
in
reasing the prover's powers or using any intra
tability assumptions).
12
A
tually, we may in
orporate x and z in hB i, and thus repla
e C (x; z; hB i) by C (hB i).
The term \honest verier" is more appealing when
onsidering an alternative (equivalent) formulation of Definition 4. In the alternative denition, the simulator is \only" required to generate the verier's view of the real
intera
tion, when the verier's view in
ludes its inputs, the out
ome of its
oin tosses, and all messages it has re
eived.
11
12
10
We stress that the denition of zero-knowledge with respe
t to the honest-verier V is derived
from Denition 4 by
onsidering a single verier strategy B that is equal to V ex
ept that B also
maintains a re
ord of the entire intera
tion (in
luding its own
oin tosses) and outputs this re
ord at
the end of the intera
tion. (In parti
ular, the messages sent by B are identi
al to the
orresponding
messages that would have been sent by V .)
3.3.3 Statisti
al versus Computational Zero-Knowledge
Re
all that the denition of zero-knowledge postulates that for every probability ensemble of one
type (i.e., representing the verier's output after intera
tion with the prover) there exists a \similar"
ensemble of a se
ond type (i.e., representing the simulator's output). One key parameter is the
interpretation of \similarity". Three interpretations, yielding dierent notions of zero-knowledge,
have been
ommonly
onsidered in the literature (
f., [68, 43):
1. Perfe
t Zero-Knowledge (PZK) requires that the two probability ensembles be identi
al.
2. Statisti
al Zero-Knowledge (SZK) requires that these probability ensembles be statisti
ally
lose (i.e., the variation distan
e between them is negligible).
3. Computational (or rather general) Zero-Knowledge (CZK) requires that these probability ensembles be
omputationally indistinguishable.
Indeed, Computational Zero-Knowledge (CZK) is the most liberal notion, and is the notion
onsidered in Denition 4 as well as in most of this tutorial. (In parti
ular, whenever we fail to qualify the
type of zero-knowledge, we mean
omputational zero-knowledge.) The only ex
eption is Se
tion 9,
whi
h is devoted to a dis
ussion of Statisti
al (or Almost-Perfe
t) Zero-Knowledge (SZK). We note
that the
lass SZK
ontains several problems that are
onsidered intra
table.
13
So far, we did not spe
ify what we exa
tly mean by the term probabilisti
polynomial-time. Two
ommon interpretations are:
1. Stri
t probabilisti
polynomial-time. That is, there exist a (polynomial in the length of the
input) bound on the number of steps in ea
h possible run of the ma
hine, regardless of the
out
ome of its
oin tosses.
2. Expe
ted probabilisti
polynomial-time. The standard approa
h is to look at the running-time
as a random variable and bound its expe
tation (by a polynomial in the length of the input).
As observed by Levin [75 (
f. [47), this denitional approa
h is quite problemati
(e.g., it is
not model-independent and is not
losed under algorithmi
omposition), and an alternative
treatment of this random variable is preferable.
14
The a
tual denition of PZK allows the simulator to fail (while outputting a spe
ial symbol) with some probability
that
is bounded away from 1, and the output distribution of the simulator is
onditioned on its not failing.
14 Spe
i
ally, it is preferable to dene expe
ted polynomial-time as having running time that is polynomiallyrelated to a fun
tion that has linear expe
tation. That is, rather than requiring that E[Xn = poly(n), one requires
that for some Yn it holds that Xn = poly(Yn ) and2E[Yn = O(n). The advantage of the latter approa
h is that if Xnn
is deemed polynomial on the average then so is Xn , whi
h is not the
ase under the former approa
h (e.g., Xn = 2
with probability 2 n and Xn = n otherwise).
13
11
Consequently, the notion of expe
ted polynomial-time raises a variety of
on
eptual and te
hni
al
problems. For that reason, whenever possible, one should prefer to use the more robust (and
restri
ted) notion of stri
t (probabilisti
) polynomial-time. Thus, with the ex
eption of
onstantround zero-knowledge proto
ols, whenever we talk of a probabilisti
polynomial-time verier (resp.,
simulator) we mean one in the stri
t sense. In
ontrast, with the ex
eption of [7, 11, all results
regarding
onstant-round zero-knowledge proto
ols refer to a stri
t polynomial-time verier and
an expe
ted polynomial-time simulator, whi
h is indeed a small
heat. For further dis
ussion, the
interested reader is referred to [11, 53.
15
Assuming the existen
e of
ommitment s
hemes , whi
h in turn exist if one-way fun
tions exist [78, 70, there exist (auxiliary-input) zero-knowledge proofs of membership in any NP-set (i.e.,
sets having e
iently veriable stati
proofs of membership). These zero-knowledge proofs, rst
onstru
ted by Goldrei
h, Mi
ali and Wigderson [59 (and depi
ted in Figure 2), have the following
important property: the pres
ribed prover strategy is e
ient, provided it is given as auxiliary-input
an NP-witness to the assertion (to be proved). That is:
Theorem 5 ([59, using [70, 78): If one-way fun
tions exist then every set S 2 NP has a zero17
18
knowledge intera
tive proof. Furthermore, the pres
ribed prover strategy
an be implemented in
probabilisti
polynomial-time, provided it is given as auxiliary-input an NP-witness for membership
of the
ommon input in S .
Theorem 5 makes zero-knowledge a very powerful tool in the design of
ryptographi
s
hemes and
proto
ols (see below). We
omment that the intra
tability assumption used in Theorem 5 seems
essential; see [81, 90. We also mention that statisti
al zero-knowledge arguments for every NP-set
exist under the same assumption [79, but the
urrently known
onstru
tion is fairly involved.
Spe
i
ally, in [7, 11 both the verier and the simulator run in stri
t polynomial-time. We
omment that, as
shown in [11, the use of non-bla
k-box is ne
essary for the non-triviality of
onstant-round zero-knowledge proto
ols
under
the stri
t denition.
16 Trivial zero-knowledge proofs for sets in BPP n
oRP require modifying the denition of intera
tive proofs su
h
that to allow a negligible error also in the
ompleteness
ondition. Alternatively, zero-knowledge proofs for sets in
BPP
an be
onstru
ted by having the prover send a single message that is distributed almost uniformly (
f. [45).
17 Loosely speaking,
ommitment s
hemes are digital analogues of non-transparent sealed envelopes. See further
dis
ussion
in Figure 2, and [49, Se
. 4.4.1 for more details.
18 The auxiliary-input given to the pres
ribed prover (in order to allow for an e
ient implementation of its strategy)
is not to be
onfused with the auxiliary-input that is given to mali
ious veriers (in the denition of auxiliary-input
zero-knowledge). The former is typi
ally an NP-witness for the
ommon input, whi
h is available to the user that
invokes the prover strategy (
f. the generi
appli
ation in Se
tion 4.2). In
ontrast, the auxiliary-input that is given
to mali
ious veriers models arbitrary possible partial information that may be available to the adversary.
15
12
Commitment s
hemes are digital analogies of sealed envelopes (or, better, lo
ked boxes). Sending
a
ommitment means sending a string that binds the sender to a unique value without revealing
this value to the re
eiver (as when getting a lo
ked box). De
ommitting to the value means sending
some auxiliary information that allows to read the uniquely
ommitted value (as when sending the
key to the lo
k).
Common Input: A graph G(V; E ). Suppose that V f1; :::; ng for n def
= jV j.
Auxiliary Input (to the prover): A 3-
oloring : V ! f1; 2; 3g.
The following 4 steps are repeated t jE j many times so to obtain soundness error exp( t).
Prover's rst step (P1): Sele
t uniformly a permutation over f1; 2; 3g. For i = 1 to n, send
the verier a
ommitment to the value ((i)).
Verier's rst step (V1): Sele
t uniformly an edge e 2 E and send it to the prover.
Prover's se
ond step (P2): Upon re
eiving e = (i; j ) 2 E , de
ommit to the ith and j th values
sent in Step (P1).
Verier's se
ond step (V2): Che
k whether or not the de
ommitted values are dierent elements of f1; 2; 3g and whether or not they mat
h the
ommitments re
eived in Step (P1).
13
output with negligible probability, whereas the latter yields a simulator that never fails (as
required).
The simulator starts by sele
ting uniformly and independently a random
olor (i.e., element of
f1; 2; 3g) for ea
h vertex, and feeding the verier strategy with random
ommitments to these
random
olors. Indeed, the simulator feeds the verier with a distribution that is very dierent
from the distribution that the verier sees in a real intera
tion with the prover. However, being
omputationally-restri
ted the verier
annot tell these distributions apart (or else we obtain a
ontradi
tion to the se
urity of the
ommitment s
heme in use). Now, if the verier asks to inspe
t
an edge that is properly
olored then the simulator performs the proper de
ommitment a
tion and
outputs the trans
ript of this intera
tion. Otherwise, the simulator halts pro
laiming failure. We
laim that failure o
urs with probability approximately 1=3 (or else we obtain a
ontradi
tion to
the se
urity of the
ommitment s
heme in use). Furthermore, based on the same hypothesis (but via
a more
omplex proof),
onditioned on not failing, the output of the simulator is
omputationally
indistinguishable from the verier's view of the real intera
tion.
By using the standard Karp-redu
tions to 3Colorability, the proto
ol of Figure 2
an be used for
onstru
ting zero-knowledge proofs for any
set in NP . We
omment that this is probably the rst time that an NP-
ompleteness result was used
in a \positive" way (i.e., in order to
onstru
t something rather than in order to derive a hardness
result). Subsequent positive uses of
ompleteness results have appeared in the
ontext of intera
tive
proofs [76, 88, probabilisti
ally
he
kable proofs [5, 37, 3, 2, \hardness versus randomness tradeos" [6, and statisti
al zero-knowledge [87.
Zero-knowledge proofs for other NP-sets.
14
is an NP-assertion (sin
e U 's legal a
tion is determined as a polynomial-time fun
tion of its se
ret
and the publi
information), and that U has an NP-witness to its validity (i.e., the se
ret is an
NP-witness to the
laim that the a
tion ts the publi
information). Thus, by Theorem 5, it is
possible for U to e
iently prove the
orre
tness of its a
tion without yielding anything about its
se
ret. Consequently, it is fair to ask U to prove (in zero-knowledge) that it behaves properly, and
so to for
e U to behave properly. Indeed, \for
ing proper behavior" is the
anoni
al appli
ation of
zero-knowledge proofs (see [60 and [50, Se
. 7.4).
For the sake of elegan
e, we mention that under the same
assumption used in
ase of NP , it holds that any set that has an intera
tive proof also has a
zero-knowledge intera
tive proof (
f. [71, 15).
Part II
Advan
ed Topi
s
5 Composing zero-knowledge proto
ols
A natural question regarding zero-knowledge proofs (and arguments) is whether the zero-knowledge
ondition is preserved under a variety of
omposition operations. Three types of
omposition
operation have been
onsidered in the literature: sequential
omposition, parallel
omposition and
on
urrent
omposition. We note that the preservation of zero-knowledge under these forms of
omposition is not only interesting on its own sake, but rather also sheds light of the preservation
of the se
urity of general proto
ols under these forms of
omposition.
We stress that when we talk of
omposition of proto
ols (or proof systems) we mean that the
honest users are supposed to follow the pres
ribed program (spe
ied in the proto
ol des
ription)
that refers to a single exe
ution. That is, the a
tions of honest parties in ea
h exe
ution are independent of the messages they re
eived in other exe
utions. The adversary, however, may
oordinate
the a
tions it takes in the various exe
utions, and in parti
ular its a
tions in one exe
ution may
depend also on messages it re
eived in other exe
utions.
Let us motivate the asymmetry between the independen
e of exe
utions assumed of honest
parties but not of the adversary. Coordinating a
tions in dierent exe
utions is typi
ally di
ult
but not impossible. Thus, it is desirable to use
omposition (as dened above) rather than to use
proto
ols that in
lude inter-exe
ution
oordination-a
tions, whi
h require users to keep tra
k of
all exe
utions that they perform. A
tually, trying to
oordinate honest exe
utions is even more
problemati
than it seems be
ause one may need to
oordinate exe
utions of dierent honest parties
(e.g., all employees of a big
ooperation or an agen
y under atta
k), whi
h in many
ases is highly
unrealisti
. On the other hand, the adversary atta
king the system may be willing to go into the
extra trouble of
oordinating its atta
k in the various exe
utions of the proto
ol.
For T 2 fsequential; parallel;
on
urrentg, we say that a proto
ol is T -zero-knowledge
if it is zero-knowledge under a
omposition of type T . The denitions of T -zero-knowledge are
derived from Denition 4 by
onsidering appropriate adversaries (i.e., adversarial veriers); that
is, adversaries that
an initiate a polynomial number of intera
tions with the prover, where these
intera
tions are s
heduled a
ording to the type T . The
orresponding simulator (whi
h, as usual,
19
Without loss of generality, we may assume that the adversary never violates the s
heduling
ondition; it may
instead send an illegal message at the latest possible adequate time. Furthermore, without loss of generality, we may
19
15
In this
ase, the proto
ol is invoked (polynomially) many times, where ea
h invo
ation follows
the termination of the previous one. At the very least, se
urity (e.g., zero-knowledge) should be
preserved under sequential
omposition, or else the appli
ability of the proto
ol is highly limited
(be
ause one
annot safely use it more than on
e).
Referring to Denition 4, we mention that whereas the \simplied" version (i.e., without auxiliary inputs) is not
losed under sequential
omposition (
f. [57), the a
tual version (i.e., with
auxiliary inputs) is
losed under sequential
omposition (
f. [61). We
omment that the same phenomena arises when trying to use a zero-knowledge proof as a sub-proto
ol inside larger proto
ols.
Indeed, it is for these reasons that the augmentation of the \most basi
" denition by auxiliary
inputs was adopted in all subsequent works.
20
Bottom-line:
knowledge.
In this
ase, (polynomially) many instan
es of the proto
ol are invoked at the same time and
pro
eed at the same pa
e. That is, we assume a syn
hronous model of
ommuni
ation, and
onsider
(polynomially) many exe
utions that are totally syn
hronized so that the ith message in all instan
es
is sent exa
tly (or approximately) at the same time. (Natural variants on this model are dis
ussed
below as well as at the end of Se
tion 5.3.)
It turns out that, in general, zero-knowledge is not
losed under parallel
omposition. A simple
ounter-example (to the \parallel
omposition
onje
ture") is depi
ted in Figure 3. This
ounterexample, whi
h is adapted from [57,
onsists of a simple proto
ol that is zero-knowledge (in a
strong sense), but is not
losed under parallel
omposition (not even in a very weak sense).
We
omment that, at the 1980's, the study of parallel
omposition was interpreted mainly in the
ontext of round-e
ient error redu
tion (
f. [40, 57); that is, the
onstru
tion of full-
edge zeroknowledge proofs (of negligible soundness error) by
omposing (in parallel) a basi
zero-knowledge
proto
ol of high (but bounded away from 1) soundness error. Sin
e alternative ways of
onstru
ting
onstant-round zero-knowledge proofs (and arguments) were found (
f. [56, 41, 23), interest in
parallel
omposition (of zero-knowledge proto
ols) has died. In retrospe
t, this was a
on
eptual
mistake, be
ause parallel
omposition (and mild extensions of this notion)
apture the preservation
of se
urity in a fully syn
hronous (or almost-fully syn
hronous)
ommuni
ation network. We note
that the almost-fully syn
hronous
ommuni
ation model is quite realisti
in many settings, although
it is
ertainly preferable not to assume even weak syn
hronism.
Although, in general, zero-knowledge is not
losed under parallel
omposition, under standard
intra
tability assumptions (e.g., the intra
tability of fa
toring), there exists zero-knowledge proto
ols for NP that are
losed under parallel
omposition. Furthermore, these proto
ols have a
assume
that all the adversary's messages are delivered at the latest possible adequate time.
20 Interestingly, the preliminary version of Goldwasser, Mi
ali and Ra
ko's work [68 used the \most basi
"
denition, whereas the nal version of this work used the augmented denition. In some works, the \most basi
"
denition is used for simpli
ity, but typi
ally one a
tually needs and means the augmented denition.
16
Consider a party P holding a random (or rather pseudorandom) fun
tion f : f0; 1g2n ! f0; 1gn , and
willing to parti
ipate in the following proto
ol (with respe
t to se
urity parameter n). The other party,
alled A for adversary, is supposed to send P a binary value v 2 f1; 2g spe
ifying whi
h of the following
ases to exe
ute:
For v = 1: Party P uniformly sele
ts 2 f0; 1gn , and sends it to A, whi
h is supposed to reply with
a pair of n-bit long strings, denoted (;
). Party P
he
ks whether or not f ( ) =
. In
ase
equality holds, P sends A some se
ret information.
For v = 2: Party A is supposed
to uniformly sele
t 2 f0; 1gn , and sends it to P , whi
h sele
ts
n
uniformly 2 f0; 1g , and replies with the pair (; f ( )).
Observe that P 's strategy is zero-knowledge (even w.r.t auxiliary-inputs as dened in Denition 4):
Intuitively, if the adversary A
hooses the
ase v = 1, then it is infeasible for A to guess a passing pair
(;
) with respe
t to the random sele
ted by P . Thus, ex
ept with negligible probability (when it
may get se
ret information), A does not obtain anything from the intera
tion. On the other hand, if
the adversary A
hooses the
ase v = 2, then it obtains a pair that is indistinguishable from a uniformly
sele
ted pair of n-bit long strings (be
ause is sele
ted uniformly by P , and for any the value f ( )
looks random to A).
In
ontrast, if the adversary A
an
ondu
t two
on
urrenta exe
utions with P , then it may learn the
desired se
ret information: In one session, A sends v = 1 while in the other it sends v = 2. Upon
re
eiving P 's message, denoted , in the rst session, A sends as its own message in the se
ond
session, obtaining a pair (; f ( )) from P 's exe
ution of the se
ond session. Now, A sends the pair
(; f ( )) to the rst session of P , this pair passes the
he
k, and so A obtains the desired se
ret.
a Dummy messages may be added (in both
ases) in order to make the above s
heduling t the perfe
tly parallel
ase.
Figure 3: A
ounter-example (adapted from [57) to the parallel repetition
onje
ture
for zero-knowledge proto
ols.
onstant number of rounds (
f. [51 for proofs and [35 for arguments). Both results extend also
to
on
urrent
omposition in a syn
hronous
ommuni
ation model, where the extension is in allowing proto
ol invo
ations to start at dierent (syn
hronous) times (and in parti
ular exe
utions
may overlap but not run simultaneously).
We
omment that parallel
omposition is problemati
also in the
ontext of redu
ing the soundness error of arguments (
f. [14), but our fo
us here is on the zero-knowledge aspe
t of proto
ols
regardless if they are proofs, arguments or neither.
21
Bottom-line:
Con
urrent
omposition generalizes both sequential and parallel
omposition. Here (polynomially)
many instan
es of the proto
ol are invoked at arbitrary times and pro
eed at arbitrary pa
e. That
is, we assume an asyn
hronous (rather than syn
hronous) model of
ommuni
ation.
In the 1990's, when extensive two-party (and multi-party)
omputations be
ame a reality (rather
than a vision), it be
ame
lear that it is (at least) desirable that
ryptographi
proto
ols maintain
21 In
ase of parallel-zero-knowledge proofs, there is no need to spe
ify the soundness error be
ause it
an always
be redu
ed via parallel
omposition. As mentioned above, this is not the
ase with respe
t to arguments, whi
h were
therefore dened to have negligible soundness error.
17
their se
urity under
on
urrent
omposition (
f. [34). In the
ontext of zero-knowledge,
on
urrent
omposition was rst
onsidered by Dwork, Naor and Sahai [35. A
tually, two models of
on
urrent
omposition were
onsidered in the literature, depending on the underlying model of
ommuni
ation
(i.e., a purely asyn
hronous model and an asyn
hronous model with timing). Both models
over
sequential and parallel
omposition as spe
ial
ases.
Here we refer to the standard
model of asyn
hronous
ommuni
ation. In
omparison to the timing model, the pure asyn
hronous
model is a simpler model and using it requires no assumptions about the underlying
ommuni
ation
hannels. However, it seems harder to
onstru
t
on
urrent zero-knowledge proto
ols for this model.
In parti
ular, for a while it was not known whether
on
urrent zero-knowledge proofs for NP
exist at all (in this model). Under standard intra
tability assumptions (e.g., the intra
tability of
fa
toring), this question was armatively resolved by Ri
hardson and Kilian [85. Following their
work, resear
h has fo
used on determining the round-
omplexity of
on
urrent zero-knowledge
proofs for NP . This question is still opened, and the
urrent state of the art regarding it is as
follows:
Under standard intra
tability assumptions, every language in NP has a
on
urrent zeroknowledge proof with almost-logarithmi
ally many rounds (
f. [84, building upon [74, whi
h
in turn builds over [85). Furthermore, the zero-knowledge property
an be demonstrated
using a bla
k-box simulator (see denition in Se
tions 3.3.1 and 6).
Bla
k-box simulators
annot demonstrate the
on
urrent zero-knowledge property of nontrivial proofs (or arguments) having signi
antly less than logarithmi
ally-many rounds (
f.
Canetti et. al. [28).
Re
ently, Barak [7 demonstrated that the \bla
k-box simulation barrier"
an be bypassed.
With respe
t to
on
urrent zero-knowledge he only obtains partial results:
onstant-round
zero-knowledge arguments (rather than proofs) for NP that maintain se
urity as long as an
a-priori bounded (polynomial) number of exe
utions take pla
e
on
urrently. (The length of
the messages in his proto
ol grows linearly with this a-priori bound, whereas the number of
messages remains xed.)
Thus, it is
urrently unknown whether or not
onstant-round proto
ols for NP may be
on
urrent
zero-knowledge (in the pure asyn
hronous model).
Con
urrent
omposition in the pure asyn
hronous model.
22
Con
urrent
omposition under the timing model: A model of naturally-limited asyn
hronousness (whi
h
ertainly
overs the
ase of parallel
omposition) was introdu
ed by Dwork,
Naor and Sahai [35. Essentially, they assume that ea
h party holds a lo
al
lo
k su
h that the
relative
lo
k rates are bounded by an a-priori known
onstant, and
onsider proto
ols that employ time-driven operations (i.e., time-out in-
oming messages and delay out-going messages).
The benet of the timing model is that it is known how to
onstru
t
on
urrent zero-knowledge
proto
ols for it. Spe
i
ally, using standard intra
tability assumptions,
onstant-round arguments
and proofs that are
on
urrent zero-knowledge under the timing model do exist (
f. [35 and [51,
respe
tively). The disadvantages of the timing model are dis
ussed next.
By non-trivial proof systems we mean ones for languages outside BPP , whereas by signi
antly less than
logarithmi
we mean any fun
tion f : N ! N satisfying f (n) = o(log n= log log n). In
ontrast, by almost-logarithmi
22
18
The timing model
onsists of the assumption that talking about the a
tual timing of events is
meaningful (at least in a weak sense) and of the introdu
tion of time-driven operations. The timing
assumption amounts to postulating that ea
h party holds a lo
al
lo
k and knows a global bound,
denoted 1, on the relative rates of the lo
al
lo
ks. Furthermore, it is postulated that the
parties know a (pessimisti
) bound, denoted , on the message-delivery time (whi
h also in
ludes
the lo
al
omputation and handling times). In our opinion, these timing assumptions are most reasonable, and are unlikely to restri
t the s
ope of appli
ations for whi
h
on
urrent zero-knowledge
is relevant. We are more
on
erned about the ee
t of the time-driven operations introdu
ed in
the timing model. Re
all that these operations are the time-out of in-
oming messages and the
delay of out-going messages. Furthermore, it seems that the delay period should be related to the
time-out period, whi
h in turn is at least (i.e., the time-out period must be at least as long as the
pessimisti
bound on message-delivery time so not to disrupt the proper operation of the proto
ol).
This means that the use of these time-driven operations yields slowing down the exe
ution of the
proto
ol (i.e., running it at the rate that is slower than the rate of the a
tual message-delivery time).
However, as shown in [82, this slow-down
an be signi
antly smaller than the obvious bound of
. Indeed, various trade-os between the exe
ution slow-down and the tighteness of the se
urity
guarantee are provided in [82, in
luding the possibility of using adaptive delays that \penalize"
exe
utions that are slow anyhow. (We
omment that other alternatives to the timing-model in
lude
various set-up assumptions;
f. [26, 30.)
23
19
arbitrarily on the adversary, the need to present a simulator for ea
h feasible adversary seems to
require the presentation of a universal simulator that is given the adversary's strategy (or program)
as another auxiliary input. The question addressed in this se
tion is how
an the universal simulator
use the adversary's program.
The adversary's program (or strategy) is a
tually a fun
tion determining for ea
h possible view
of the adversary (i.e., its input, random
hoi
es and the message it has re
eived so far) whi
h message
will be sent next. Thus, we identify the adversary's program with this next-message fun
tion. As
stated in Se
tion 3.3.1, until 2000, all universal simulators (
onstru
ted towards demonstrating zeroknowledge properties) have used the adversary's program (or rather its next-message fun
tion) as
a bla
k-box (i.e., the simulator invoked the next-message fun
tion on a sequen
e of arguments of
its
hoi
e). Furthermore, in view of the presumed di
ulty of \reverse engineering" programs, it
was
ommonly believed that nothing is lost by restri
ting attention to simulators,
alled bla
k-box
simulators, that only make bla
k-box usage of the adversary's program. Consequently, Goldrei
h
and Kraw
zyk
onje
tured that impossibility results regarding bla
k-box simulation represent inherent
limitations of zero-knowledge itself, and studied the limitations of the former [57. In parti
ular,
they showed that parallel
omposition of the proto
ol of Figure 2 (as well as of any
onstant-round
publi
-
oin proto
ol)
annot be proved to be zero-knowledge using a bla
k-box simulator, unless the
language (i.e., 3-Colorability) is in BPP . In fa
t their result refers to any
onstant-round publi
-
oin
proto
ol with negligible soundness error, regardless of how su
h a proto
ol is obtained. This result
was taken as strong eviden
e towards the
onje
ture that
onstant-round publi
-
oin proto
ol with
negligible soundness error
annot be zero-knowledge (unless the language is in BPP ). Similarly, as
mentioned in Se
tion 5.3, it was shown that proto
ols of sub-logarithmi
number of rounds
annot
be proved to be
on
urrent zero-knowledge via a bla
k-box simulator [28, and this was taken as
eviden
e towards the
onje
ture that su
h proto
ols
annot be
on
urrent zero-knowledge.
In
ontrast to these
onje
tures and supportive eviden
e, Barak showed how to
onstru
t nonbla
k-box simulators and obtained several results that were known to be una
hievable via bla
k-box
simulators [7. In parti
ular, under standard intra
tability assumptions (see also [9), he presented
onstant-round publi
-
oin zero-knowledge arguments with negligible soundness error for any language in NP . (Moreover, the simulator runs in stri
t polynomial-time, whi
h is impossible for
bla
k-box simulators of non-trivial
onstant-round proto
ols [11.) Furthermore, this proto
ol preserves zero-knowledge under a xed polynomial number of
on
urrent exe
utions, in
ontrast to
the result of [28 (regarding bla
k-box simulators) that holds also in that restri
ted
ase. Thus,
Barak's result
alls for the re-evaluation of many
ommon beliefs. Most
on
retely, it says that
results regarding bla
k-box simulators do not re
e
t inherent limitations of zero-knowledge (but
rather an inherent limitation of a natural way of demonstrating the zero-knowledge property). Most
abstra
tly, it says that there are meaningful ways of using a program other than merely invoking
it as a bla
k-box.
Does this means that a method was found to \reverse engineer" programs or to \understand"
them? We believe that the answer is negative. Barak [7 is using the adversary's program in a
signi
ant way (i.e., more signi
ant than just invoking it), without \understanding" it. So how
does he use the program?
The key idea underlying Barak's proto
ol [7 is to have the prover prove that either the original
NP-assertion is valid or that he (i.e., the prover) \knows the verier's residual strategy" (in the sense
that it
an predi
t the next verier message). Indeed, in a real intera
tion (with the honest verier),
24
24 The proto
ol depends on the polynomial bounding the number of exe
utions, and thus is not known to be
on
urrent zero-knowledge (be
ause the latter requires us to x the proto
ol and then
onsider any polynomial
number of
on
urrent exe
utions).
20
it is infeasible for the prover to predi
t the next verier message, and so
omputational-soundness
of the proto
ol follows. However, a simulator that is given the
ode of the verier's strategy (and
not merely ora
le a
ess to that
ode),
an produ
e a valid proof of the disjun
tion by properly
exe
uting the sub-proto
ol using its knowledge of an NP-witness for the se
ond disjun
tive. The
simulation is
omputationally indistinguishable from the real exe
ution, provided that one
annot
distinguish an exe
ution of the sub-proto
ol in whi
h one NP-witness (i.e., an NP-witness for the
original assertion) is used from an exe
ution in whi
h the se
ond NP-witness (i.e., an NP-witness
for the auxiliary assertion) is used. That is, the sub-proto
ol should be a witness indistinguishable
argument system (see further dis
ussion below). We warn the reader that the a
tual implementation
of the above idea requires over
oming several te
hni
al di
ulties (
f. [7, 9).
In retrospe
t, taking a wide perspe
tive, it should not
ome as a surprise that the
program's
ode yields extra power beyond bla
k-box a
ess to it. Feeding a program with its own
ode (or part of it) is the essen
e of the diagonalization te
hnique, and this too is done without
\reverse engineering". Furthermore, various non-bla
k-box te
hniques have appeared before in the
ryptographi
setting, but they were used in the more natural
ontext of devising an atta
k on
an (arti
ial) inse
ure s
heme (e.g., towards proving the failure of the \Random Ora
le Methodology" [27 and the impossibility of software obfus
ation [10). In
ontrast, in [7 (and [8) the
ode
of the adversary is being used within a sophisti
ated proof of se
urity. What we wish to highlight
here is that non-bla
k-box usage of programs is relevant also to proving (rather than to disproving)
the se
urity of systems.
Perspe
tive.
The above des
ription (of [7), as well as several other sophisti
ated
onstru
tions of zero-knowledge
proto
ols (e.g., [39, 85), makes
ru
ial use of a te
hnique introdu
ed by Feige, Lapidot and
Shamir [39, whi
h in turn is based on the notion of witness indistinguishability (introdu
ed by
Feige and Shamir [40).
Loosely speaking, for any NP-relation R, an argument system for the
orresponding language
(i.e., LR ) is
alled witness indistinguishable if no feasible verier may distinguish the
ase in whi
h the
prover uses one NP-witness to x (i.e., w su
h that (x; w ) 2 R) from the
ase in whi
h the prover
is using a dierent NP-witness to the same input x (i.e., w su
h that (x; w ) 2 R). Clearly, any
zero-knowledge proto
ol is witness indistinguishable, but the
onverse does not ne
essarily hold and
it seems that witness indistinguishable proto
ols are easier to
onstru
t than zero-knowledge ones.
(We mention that witness indistinguishable proto
ols are
losed under parallel
omposition [40,
whereas this does not hold in general for zero-knowledge proto
ols.)
Following is a sket
hy des
ription of a spe
ial
ase of the FLS-te
hnique, whereas the aforementioned appli
ation uses a more general version (whi
h refers to proofs of knowledge, as dened
in Se
tion 7). In this spe
ial
ase, the te
hnique
onsists of the following
onstru
tion s
hema,
whi
h uses witness indistinguishable proto
ols for NP in order to obtain zero-knowledge proto
ols
for NP . On
ommon input x 2 L, where L = LR is the NP-set dened by the witness relation R,
the following two steps are performed:
1
25
21
1. The parties generate an instan
e x0 for an auxiliary NP-set L0, where L0 is dened by a witness
relation R0. The generation proto
ol in use must satisfy the following two
onditions:
(a) If the verier follows its pres
ribed strategy then no matter whi
h feasible strategy is
used by the prover, with high probability, the proto
ol's out
ome is a no-instan
e of L0.
(b) Loosely speaking, there exists an e
ient (non-intera
tive) pro
edure for produ
ing a
(random) trans
ript of the generation proto
ol along with an NP-witness for the
orresponding out
ome su
h that the produ
ed trans
ript is
omputationally indistinguishable
from the trans
ript of a real exe
ution of the proto
ol.
For example, L0 may
onsist of all possible out
omes of a pseudorandom generator that
stret
hes its seed by a fa
tor of two, and the generation proto
ol may
onsist of the two
parties iteratively invoking a
oin tossing proto
ol to obtain a random string. Note that
the out
ome of a real exe
ution will be an almost uniformly distributed string, whi
h is most
likely a no-instan
e of L0 , whereas it is easy to generate a (random) trans
ript
orresponding
to any desired out
ome (provided that the parties use an adequate
oin tossing proto
ol).
2. The parties exe
ute a witness indistinguishable proto
ol for the set L00 dened by the witness
relation R00 = f((; 0 ); (; 0 )) : (; ) 2 R _ (0 ; 0 ) 2 R0g. The sub-proto
ol is su
h that
the
orresponding prover
an be implemented in probabilisti
polynomial-time given an NPwitness for (; 0 ) 2 L00. The sub-proto
ol is invoked on
ommon input (x; x0 ), where x0 is
the out
ome of Step 1, and the sub-prover is invoked with the
orresponding NP-witness as
auxiliary input (i.e., with (w; ), where w is the NP-witness for x given to the main prover).
The
omputational-soundness of the above proto
ol follows by Property (a) of the generation proto
ol (i.e., with high probability x0 62 L0 , and so x 2 L follows by the soundness of the proto
ol used
in Step 2). To demonstrate the zero-knowledge property, we rst generate a simulated trans
ript of
Step 1 (with out
ome x0 2 L0) along with an adequate NP-witness (i.e., w0 su
h that (x0 ; w0 ) 2 L0),
and then emulate Step 2 by feeding the sub-prover strategy with the NP-witness (; w0 ). Combining Property (b) of the generation proto
ol and the witness indistinguishability property of the
proto
ol used in Step 2, the simulation is indistinguishable from the real exe
ution.
26
7 Proofs of Knowledge
This se
tion addresses the
on
ept of \proofs of knowledge". Loosely speaking, these are proofs in
whi
h the prover asserts \knowledge" of some obje
t (e.g., a 3-
oloring of a graph), and not merely
its existen
e (e.g., the existen
e of a 3-
oloring of the graph, whi
h in turn implies that the graph
is 3-
olorable). But what is meant by saying that a ma
hine knows something? Indeed the main
thrust of this se
tion is in addressing this question. Before doing so we point out that \proofs of
knowledge", and in parti
ular zero-knowledge \proofs of knowledge", have many appli
ations to
the design of
ryptographi
s
hemes and
ryptographi
proto
ols. In fa
t, we have already referred
to \proofs of knowledge" in Se
tion 6.
We note that this spe
i
example is not very useful sin
e it requires a highly iterative generation proto
ol.
Indeed, in order to a
hieve a
onstant-round zero-knowledge proto
ol using this s
hema, one must use a
onstantround generation proto
ol.
26
22
What does it mean to say that a ma
hine knows something? Any standard di
tionary suggests
several meanings for the verb to know, and most meanings are phrased with referen
e to awareness,
a notion whi
h is
ertainly inappli
able in the
ontext of ma
hines. We must look for a behavioristi
interpretation of the verb to know. Indeed, it is reasonable to link knowledge with ability to do
something (e.g., the ability to write down whatever one knows). Hen
e, we will say that a ma
hine
knows a string if it
an output the string . But this seems as total non-sense too: a ma
hine
has a well dened output { either the output equals or it does not. So what
an be meant by
saying that a ma
hine
an do something? Loosely speaking, it may mean that the ma
hine
an be
easily modied so that it does whatever is
laimed. More pre
isely, it may mean that there exists
an e
ient ma
hine that, using the original ma
hine as a bla
k-box (or given its
ode as an input),
outputs whatever is
laimed.
So mu
h for dening the \knowledge of ma
hines". Yet, whatever a ma
hine knows or does not
know is \its own business". What
an be of interest and referen
e to the outside is the question of
what
an be dedu
ed about the knowledge of a ma
hine after intera
ting with it. Hen
e, we are
interested in proofs of knowledge (rather than in mere knowledge).
For sake of simpli
ity let us
onsider a
on
rete question: how
an a ma
hine prove that it knows
a 3-
oloring of a graph? An obvious way is just to send the 3-
oloring to the verier. Yet, we
laim
that applying the proto
ol in Figure 2 (i.e., the zero-knowledge proof system for 3-Colorability) is
an alternative way of proving knowledge of a 3-
oloring of the graph.
Loosely speaking, we may say that an intera
tive ma
hine, V ,
onstitutes a verier for knowledge
of 3-
oloring if the probability that the verier is
onvin
ed by a ma
hine P to a
ept the graph G
is inversely proportional to the di
ulty of extra
ting a 3-
oloring of G when using ma
hine P as
a \bla
k box". Namely, the extra
tion of the 3-
oloring is done by an ora
le ma
hine,
alled an
extra
tor, that is given a
ess to a fun
tion spe
ifying the behavior P (i.e., the messages it sends
in response to parti
ular messages it may re
eive). We require that the (expe
ted) running time of
the extra
tor, on input G and a
ess to an ora
le spe
ifying P 's messages, be inversely related (by
a fa
tor polynomial in jGj) to the probability that P
onvin
es V to a
ept G. In
ase P always
onvin
es V to a
ept G, the extra
tor runs in expe
ted polynomial-time. The same holds in
ase
P
onvin
es V to a
ept with noti
eable probability. (We stress that the latter spe
ial
ases do not
su
e for a satisfa
tory denition; see dis
ussion in [49, Se
. 4.7.1.)
We mention that the
on
ept of proofs of knowledge was rst introdu
ed in [68, but the above
formulation is based mostly on [13. A famous appli
ation of zero-knowledge proofs of knowledge
is to the
onstru
tion of identi
ation s
hemes (e.g., the Fiat-Shamir s
heme [42).
27
28
As hinted above, many of the known proof systems are in fa
t proofs of knowledge. Furthermore,
some (but not all) known zero-knowledge proofs (resp., arguments) are in fa
t proofs (resp., argu-
Indeed, as hinted above, one may
onsider also non-bla
k-box extra
tors as done in [11. However, this limits
the28appli
ability of the denitions to provers that are implemented by polynomial-size
ir
uits.
In parti
ular, note that the latter probability (i.e., of being
onvin
ed) may be neither noti
eable (i.e., bounded
below by the re
ipro
al of some polynomial) nor negligible (i.e., bounded above by the re
ipro
al of every polynomial).
Note that events that o
ur with probability that is neither noti
eable nor negligible,
an neither be ignored nor be
used (be
ause using them requires having them o
ur with high probability when the experiment is repeated for an
a-priori bounded polynomial number of times).
27
23
ments) of knowledge. Indeed, a notable example is the zero-knowledge proof depi
ted in Figure 2.
For further dis
ussion, see [49, Se
. 4.7 and [11.
29
Arguments of knowledge are dened analogous to proofs of knowledge, while limiting the extra
tion requirement
to provers that are implemented by polynomial-size
ir
uits. In this
ase, it is natural to allow also non-bla
k-box
extra
tion,
as dis
ussed in Footnote 27.
30 Note that the verier does not ee
t the distribution seen in the real model, and so the basi
denition of
zero-knowledge does not refer to it. The verier (or rather a pro
ess of adaptively sele
ting assertions to be proved)
will be referred to in the adaptive variants of the denition.
29
24
9 Statisti
al Zero-Knowledge
Re
all that statisti
al zero-knowledge proto
ols are su
h in whi
h the distribution ensembles referred
to in Denition 4 are required to be statisti
ally indistinguishable (rather than
omputationally
indistinguishable). Assuming that one-way fun
tions exist, every NP-set has a statisti
al zeroknowledge argument (see [79, whi
h imporoves over [21). On the other hand, it is unlikely that all
NP-sets have statisti
al zero-knowledge proofs [43, 1. Note that the same intra
tability assumption is used for
onstru
ting statisti
al zero-knowledge arguments (for NP ) and for
onstru
ting
omputational zero-knowledge proofs (for NP ). Ignoring the
urrent dis
repan
y between the
omplexities of the known
onstru
tions, the natural question of whi
h
onstru
t to use, arises. The
answer depends on the appli
ation; that is, on whether it is more important, in this appli
ation,
to prote
t the prover's se
rets or to prote
t the verier from being
onvin
ed of false assertions. In
ontrast, Statisti
al zero-knowledge proofs, whenever they exist, free us from this dilemma. Indeed,
this is one out of several reasons for studying these obje
ts. That is:
Statisti
al zero-knowledge proofs oer information-theoreti
se
urity to both parties. Thus,
whenever they exist, statisti
al zero-knowledge proofs should typi
ally be preferred over
omputational zero-knowledge proofs (whi
h only oer
omputational se
urity to the prover) and
over statisti
al zero-knowledge arguments (whi
h only oer
omputational se
urity to the
verier).
Statisti
al zero-knowledge proofs provide a
lean model for the study of various questions
regarding zero-knowledge. Often, this study results in te
hniques that are appli
able also for
omputational zero-knowledge; one example is mentioned below.
The
lass of problems having statisti
al zero-knowledge proofs is interesting from a
omplexity theoreti
point of view. On one hand, this
lass is likely to be a proper superset of BPP
(e.g., it
ontains seemingly hard problems su
h as Quadrati
Resideousity [68, Graph Isomorphism [59, and a promise problem equivalent to the Dis
rete Logarithm Problem [58).
On the other hand, this
lass is
ontained in AM \
oAM (
f. [1, 43), whi
h is believed not
to extend mu
h beyond NP \
oNP . (AM is the
lass of sets having two-round publi
-
oin
intera
tive proofs.)
In the rest of this se
tion, we survey the main results regarding the internal stru
ture of the
lass of sets having statisti
al zero-knowledge proofs. This study was initiated to a large extent
by Okamoto [80. We rst present transformations that, when applied to
ertain statisti
al zeroknowledge proto
ols, yield proto
ols with additional properties. Next, we
onsider several stru
tural
properties of the
lass, most notably the existen
e of natural
omplete problems (dis
overed by Sahai
and Vadhan [87). For further details see [89.
25
9.1 Transformations
The rst transformation takes any publi
-
oin intera
tive proof that is statisti
al zero-knowledge
with respe
t to the honest verier, and returns a (publi
-
oin) statisti
al zero-knowledge proof [64.
When applied to a publi
-
oin intera
tive proof that is (
omputational) zero-knowledge with respe
t
to the honest verier, the transformation yields a (
omputational) zero-knowledge proof. Thus,
this transformation \amplies the se
urity" of (publi
-
oin) proto
ols, from leaking nothing to the
pres
ribed verier into leaking nothing to any
heating verier.
The heart of the transformation is a suitable random sele
tion proto
ol, whi
h is used to emulate
the verier's messages in the original proto
ol. Loosely speaking, the random sele
tion proto
ol is
zero-knowledge in a strong sense, and the ee
t of ea
h of the parties on the proto
ol's out
ome is
adequately bounded. For example, it is impossible for the verier to ee
t the proto
ol's out
ome
(by more than a negligible amount), whereas the prover
annot in
rease the probability that the
out
ome hits any set by more than some spe
i
(super-polynomial) fa
tor.
The rst transformation
alls our attention to publi
-
oin intera
tive proofs that are statisti
al
zero-knowledge (with respe
t to the honest verier). In general, publi
-
oin intera
tive proofs are
easier to manipulate than general intera
tive proofs. The se
ond transformation takes any statisti
al
zero-knowledge (with respe
t to the honest verier) proof and returns one that is of the publi
-
oin
type (see [66, whi
h builds on [80). Unfortunately, the se
ond transformation, whi
h is analogous
to a previously known result regarding intera
tive proofs [69, does not extend to
omputational
zero-knowledge,
Combined together, the two transformations imply that the
lass of sets (or promise problems)
having intera
tive proofs that are statisti
al zero-knowledge with respe
t to the honest verier
equals the
lass of sets having (general) statisti
al zero-knowledge proofs.
9.2 Complete problems and stru
tural properties
In the rest of this se
tion we
onsider
lasses of promise problems (rather than
lasses of de
ision
problems or sets). Spe
i
ally, we denote by SZK the
lass of problems having a statisti
al zeroknowledge proof. Re
all that BPP SZK AM\
oAM, and that the rst in
lusion is believed
to be stri
t.
One remarkable property of the
lass SZK is that it has natural
omplete problems (i.e.,
problems in SZK su
h that any problem in SZK is Karp-redu
ible to them). One su
h problem
is to distinguish pairs of distributions (given via sampling
ir
uits) that are statisti
ally
lose from
pairs that are statisti
ally far apart [87. Another su
h problem is, given two distributions of
su
iently dierent entropy, to tell whi
h has higher entropy [66. It is indeed interesting that \the
lass statisti
al zero-knowledge is all about statisti
s (or probability)".
Another remarkable property of SZK is the fa
t that it is
losed under
omplementation
(see [87, whi
h builds on [80). In fa
t, SZK is
losed under NC -truth-table redu
tions [87.
1
Non-Intera
tive SZK. A systemati
study of Non-Intera
tive Statisti
al Zero-Knowledge proof
systems was
ondu
ted in [65. The main result is eviden
e for the non-triviality of the
lass (i.e.,
it
ontains sets outside BPP if and only if SZK 6= BPP ).
10 Knowledge Complexity
One of the many
ontributions of the seminal paper of Goldwasser, Mi
ali and Ra
ko [68 is
the introdu
tion of the
on
ept of knowledge
omplexity. Knowledge
omplexity is intended to
26
measure the
omputational advantage gained by intera
tion. Hen
e, something that
an be obtained
without intera
tion is not
onsidered knowledge. The latter phrase is somewhat qualitative and
supplies the intuition underlying the denition of zero-knowledge (i.e., knowledge
omplexity zero)
as surveyed above. Quantifying the amount of knowledge gained by intera
tion, in
ase it is not
zero, is more problemati
. We stress that the denition of zero-knowledge does not depend on
the formulation of the amount of knowledge gained, be
ause this denition addresses the
ase in
whi
h no knowledge is gained.
Several denitions of knowledge
omplexity have appeared in the literature, where some are
losely related and quite robust (
f. [63). Here we survey one denitional approa
h, whi
h we
onsider most satisfa
tory. A
ording to this approa
h the amount of knowledge gained in an
intera
tion is bounded by the number of bits that are
ommuni
ated in an alternative intera
tion
that allows to simulate the original intera
tion. That is, party P is said to yield at most k()
bits of knowledge (on inputs in S ) if whatever
an be e
iently
omputed through an intera
tion
with P on
ommon input x 2 S ,
an also be e
iently
omputed through an intera
tion (on
the same
ommon input x) with an alternative ma
hine P 0 that sends at most k(jxj) bits. This
formulation
an be applied with respe
t to various types of simulations, extending the various
types of zero-knowledge. Our fo
us is on the extension of statisti
al zero-knowledge proofs (be
ause,
under standard intra
tability assumptions, any language in IP has a
omputational zero-knowledge
proof). We note that, without loss of generality, the \knowledge-giving-ma
hine"
an be made
memoryless and deterministi
(i.e., by providing it with all previous messages and with
oin tosses).
Hen
e, the \knowledge-giving-ma
hine" is merely an ora
le (and we may think of the simulation
as being performed by an ora
le ma
hine and
ount the number of its binary queries). For further
dis
ussion of this and other denitions, the reader is referred to [63.
A natural resear
h proje
t is to
hara
terize languages a
ording to the (statisti
al) knowledge
omplexity of their intera
tive proof systems. The main result known (for the above denition)
is that languages with logarithmi
statisti
al knowledge-
omplexity are in AM \
oAM (
f. [83,
building on [1 and [62). Thus, unless the polynomial time hierar
hy
ollapses (
f. [20), NP
omplete set have super-logarithmi
statisti
al knowledge-
omplexity.
31
In general, it seems that quantitative notions are harder to handle than qualitative ones.
27
Resettably-Sound Zero-Knowledge (rsZK). Resettably-sound proofs and arguments maintain soundness even when the prover
an reset the verier to use the same random
oins in repeated
exe
utions of the proto
ol. This notion was studied in [12, who obtained the following results: On
one hand, under standard intra
tability assumptions, any NP-set has a (
onstant-round) resettablysound zero-knowledge argument. On the other hand, resettably-sound zero-knowledge proofs are
possible only for languages in P =poly.
We mention a re
ent result of [31 by whi
h every NP-set has an argument system that is both
resettably-sound and resettably-zero-knowledge.
32
32
28
ATM. The advantage in using su
h a split system is that it enables the presentation of (perfe
t)
zero-knowledge proof systems for any set in NP , while using no intra
tability assumptions [16.
Re
all that we have already dis
ussed
one model of
omputational-soundness; that is, the model of arguments refers to prover strategies
that are implementable by probabilisti
polynomial-time ma
hines with adequate auxiliary input.
A more stri
t restri
tion, studied in [36, refers to prover strategies that are implementable within
an a-priori xed number of
omputation steps (where this number is a xed polynomial in the
length of the
ommon input). In reality, the prover's a
tual running-time is monitored by the
verier that may run for a longer time, and the prover's utility is due to an auxiliary input that
it has. (An analogous model, where the length of the auxiliary input is a-priori xed, was also
onsidered in [36.)
Stri
t Computational-Soundness (a.k.a Timed-ZK).
33
33 A related model is that of CS-proofs, where the prover's strategy is allowed to run in time that is polynomial in
the time it takes to de
ide membership of the
ommon input via a
anoni
al de
ision pro
edure for the language [77.
29
[4 L. Babai. Trading Group Theory for Randomness. In 17th ACM Symposium on the Theory of Computing, pages 421{420, 1985.
[5 L. Babai, L. Fortnow, L. Levin, and M. Szegedy. Che
king Computations in Polylogarithmi
Time. In
23rd ACM Symposium on the Theory of Computing, pages 21{31, 1991.
[6 L. Babai, L. Fortnow, N. Nisan and A. Wigderson. BPP has Subexponential Time Simulations unless
EXPTIME has Publishable Proofs. Complexity Theory, Vol. 3, pages 307{318, 1993.
[7 B. Barak. How to Go Beyond the Bla
k-Box Simulation Barrier. In 42nd IEEE Symposium on Foundations of Computer S
ien
e, pages 106{115, 2001.
[8 B. Barak. Constant-Round Coin-Tossing with a Man in the Middle or Realizing the Shared Random
String Model. In 43th IEEE Symposium on Foundations of Computer S
ien
e, pages 345{355, 2002.
[9 B. Barak and O. Goldrei
h, Universal arguments and their appli
ations. SIAM Journal on Computing,
Vol. 38, No. 5, pages 1661{1694, 2008. Preliminary version in 17th CCC, 2002.
[10 B. Barak, O. Goldrei
h, R. Impagliazzo, S. Rudi
h, A. Sahai, S. Vadhan, and K. Yang. On the
(im)possibility of software obfus
ation. In Crypto01, Springer-Verlag Le
ture Notes in Computer S
ien
e
(Vol. 2139), pages 1{18.
[11 B. Barak and Y. Lindell. Stri
t Polynomial-time in Simulation and Extra
tion. In 34th ACM Symposium
on the Theory of Computing, pages 484{493, 2002.
[12 B. Barak, O. Goldrei
h, S. Goldwasser and Y. Lindell, Resettably-Sound Zero-Knowledge and its
Appli
ations. In 42th IEEE Symposium on Foundations of Computer S
ien
e, pages 116{125, 2001.
[13 M. Bellare and O. Goldrei
h. On Dening Proofs of Knowledge. In Crypto92, Springer-Verlag Le
ture
Notes in Computer S
ien
e (Vol. 740), pages 390{420.
[14 M. Bellare, R. Impagliazzo and M. Naor. Does Parallel Repetition Lower the Error in Computationally
Sound Proto
ols? In 38th IEEE Symposium on Foundations of Computer S
ien
e, pages 374{383, 1997.
[15 M. Ben-Or, O. Goldrei
h, S. Goldwasser, J. Hastad, J. Kilian, S. Mi
ali and P. Rogaway. Everything
Provable is Probable in Zero-Knowledge. In Crypto88, Springer-Verlag Le
ture Notes in Computer
S
ien
e (Vol. 403), pages 37{56, 1990.
[16 M. Ben-Or, S. Goldwasser, J. Kilian and A. Wigderson. Multi-Prover Intera
tive Proofs: How to
Remove Intra
tability. In 20th ACM Symposium on the Theory of Computing, pages 113{131, 1988.
[17 M. Blum, A. De Santis, S. Mi
ali, and G. Persiano. Non-Intera
tive Zero-Knowledge Proof Systems.
SIAM Journal on Computing, Vol. 20, No. 6, pages 1084{1118, 1991. (Considered the journal version
of [18.)
[18 M. Blum, P. Feldman and S. Mi
ali. Non-Intera
tive Zero-Knowledge and its Appli
ations. In 20th
ACM Symposium on the Theory of Computing, pages 103{112, 1988. See [17.
[19 M. Blum and S. Mi
ali. How to Generate Cryptographi
ally Strong Sequen
es of Pseudo-Random Bits.
SIAM Journal on Computing, Vol. 13, pages 850{864, 1984. Preliminary version in 23rd FOCS, 1982.
[20 R. Boppana, J. Hastad, and S. Za
hos. Does Co-NP Have Short Intera
tive Proofs? Information
Pro
essing Letters, 25, May 1987, pages 127{132.
[21 G. Brassard, D. Chaum and C. Crepeau. Minimum Dis
losure Proofs of Knowledge. Journal of Computer and System S
ien
e, Vol. 37, No. 2, pages 156{189, 1988. Preliminary version by Brassard and
Crepeau in 27th FOCS, 1986.
[22 G. Brassard and C. Crepeau. Zero-Knowledge Simulation of Boolean Cir
uits. In Crypto86, SpringerVerlag Le
ture Notes in Computer S
ien
e (Vol. 263), pages 223{233, 1987.
[23 G. Brassard, C. Crepeau and M. Yung. Constant-Round Perfe
t Zero-Knowledge Computationally
Convin
ing Proto
ols. Theoreti
al Computer S
ien
e, Vol. 84, pages 23{52, 1991.
[24 R. Canetti. Se
urity and Composition of Multi-party Cryptographi
Proto
ols. Journal of Cryptology,
Vol. 13, No. 1, pages 143{202, 2000.
[25 R. Canetti. Universally Composable Se
urity: A New Paradigm for Cryptographi
Proto
ols. In 42nd
IEEE Symposium on Foundations of Computer S
ien
e, pages 136{145, 2001. Full version (with dierent
title) is available from Cryptology ePrint Ar
hive, Report 2000/067.
30
[26 R. Canetti, O. Goldrei
h, S. Goldwasser, and S. Mi
ali. Resettable Zero-Knowledge. In 32nd ACM
Symposium on the Theory of Computing, pages 235{244, 2000.
[27 R. Canetti, O. Goldrei
h and S. Halevi. The Random Ora
le Methodology, Revisited. In 30th ACM
Symposium on the Theory of Computing, pages 209{218, 1998. Full version available on-line from
http://eprint.ia
r.org/1998/011.
[28 R. Canetti, J. Kilian, E. Petrank and A. Rosen. Bla
k-Box Con
urrent Zero-Knowledge Requires
~ (log n) Rounds. In 33rd ACM Symposium on the Theory of Computing, pages 570{579, 2001.
[29 K.-M. Chung and F.-H. Liu. Parallel Repetition Theorems for Intera
tive Arguments. In 7th TCC,
Springer Le
ture Notes in Computer S
ien
e (Vol. 5978), pages 19{36, 2010.
[30 I. Damgard. E
ient Con
urrent Zero-Knowledge in the Auxiliary String Model. In Euro
rypt'00,
Springer Le
ture Notes in Computer S
ien
e (Vol. 1807), pages 418-430, 2000.
[31 Y. Deng, V. Goyal, and A. Sahai. Resolving the Simultaneous Resettability Conje
ture and a New
Non-Bla
k-Box Simulation Strategy. In 50th IEEE Symposium on Foundations of Computer S
ien
e,
pages 251{260, 2009.
[32 A. De Santis, G. Di Cres
enzo, R. Ostrovsky, G. Persiano and A. Sahai. Robust Non-intera
tive ZeroKnowledge. In Crypto01, Springer Le
ture Notes in Computer S
ien
e (Vol. 2139), pages 566{598.
[33 W. Die, and M.E. Hellman. New Dire
tions in Cryptography. IEEE Trans. on Info. Theory, IT-22
(Nov. 1976), pages 644{654.
[34 D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. SIAM Journal on Computing, Vol. 30,
No. 2, pages 391{437, 2000. Preliminary version in 23rd STOC, 1991.
[35 C. Dwork, M. Naor, and A. Sahai. Con
urrent Zero-Knowledge. In 30th ACM Symposium on the Theory
of Computing, pages 409{418, 1998.
[36 C. Dwork and L. Sto
kmeyer. 2-Round Zero-Knowledge and Proof Auditors. In 34th ACM Symposium
on the Theory of Computing, pages 322{331, 2004.
[37 U. Feige, S. Goldwasser, L. Lovasz, S. Safra, and M. Szegedy. Approximating Clique is almost NP
omplete. Journal of the ACM, Vol. 43, pages 268{292, 1996. Preliminary version in 32nd FOCS,
1991.
[38 U. Feige and J. Kilian. Zero knowledge and the
hromati
number. In 11th IEEE Conferen
e on
Computational Complexity, pages 278{287, 1996.
[39 U. Feige, D. Lapidot, and A. Shamir. Multiple Non-Intera
tive Zero-Knowledge Proofs Under General
Assumptions. SIAM Journal on Computing, Vol. 29 (1), pages 1{28, 1999.
[40 U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Proto
ols. In 22nd ACM
Symposium on the Theory of Computing, pages 416{426, 1990.
[41 U. Feige and A. Shamir. Zero-Knowledge Proofs of Knowledge in Two Rounds. In Crypto'89, SpringerVerlag Le
ture Notes in Computer S
ien
e (Vol. 435), pages 526{544, 1990.
[42 A. Fiat and A. Shamir. How to Prove Yourself: Pra
ti
al Solution to Identi
ation and Signature
Problems. In Crypto86, Springer-Verlag Le
ture Notes in Computer S
ien
e (Vol. 263), pages 186{189,
1987.
[43 L. Fortnow, The Complexity of Perfe
t Zero-Knowledge. In 19th ACM Symposium on the Theory of
Computing, pages 204{209, 1987.
[44 L. Fortnow, J. Rompel and M. Sipser. On the power of multi-prover intera
tive proto
ols. In Pro
. 3rd
IEEE Symp. on Stru
ture in Complexity Theory, pages 156{161, 1988.
[45 M. Furer, O. Goldrei
h, Y. Mansour, M. Sipser, and S. Za
hos. On Completeness and Soundness in
Intera
tive Proof Systems. Advan
es in Computing Resear
h: a resear
h annual, Vol. 5 (Randomness
and Computation, S. Mi
ali, ed.), pages 429{442, 1989.
[46 O. Goldrei
h. A Uniform Complexity Treatment of En
ryption and Zero-Knowledge. Journal of Cryptology, Vol. 6, No. 1, pages 21{53, 1993.
[47 O. Goldrei
h. Notes on Levin's Theory of Average-Case Complexity. ECCC, TR97-058, De
. 1997.
[48 O. Goldrei
h. Se
ure Multi-Party Computation. Working draft, June 1998.
Available from http://www.wisdom.weizmann.a
.il/oded/pp.html.
31
[49 O. Goldrei
h. Foundation of Cryptography { Basi
Tools. Cambridge University Press, 2001.
[50 O. Goldrei
h. Foundation of Cryptography { Basi
appli
ations. Cambridge University Press, to appear
(2004).
[51 O. Goldrei
h. Con
urrent Zero-Knowledge With Timing, Revisited. In 34th ACM Symposium on the
Theory of Computing, pages 332{340, 2002.
[52 O. Goldrei
h. Computational Complexity: A Con
eptual Perspe
tive. Cambridge University Press, 2008.
[53 O. Goldrei
h. On Expe
ted Probabilisti
Polynomial-Time Adversaries { A suggestion for restri
ted
denitions and their benets. Journal of Cryptology, Vol. 23, No. 1, pages 1{36, 2010.
[54 O. Goldrei
h, S. Goldwasser, and S. Mi
ali. How to Constru
t Random Fun
tions. Journal of the ACM,
Vol. 33, No. 4, pages 792{807, 1986.
[55 O. Goldrei
h and J. Hastad. On the Complexity of Intera
tive Proofs with Bounded Communi
ation.
IPL, Vol. 67 (4), pages 205{214, 1998.
[56 O. Goldrei
h and A. Kahan. How to Constru
t Constant-Round Zero-Knowledge Proof Systems for
NP. Journal of Cryptology, Vol. 9, No. 2, pages 167{189, 1996. Preliminary versions date to 1988.
[57 O. Goldrei
h and H. Kraw
zyk. On the Composition of Zero-Knowledge Proof Systems. SIAM Journal
on Computing, Vol. 25, No. 1, February 1996, pages 169{192.
[58 O. Goldrei
h and E. Kushilevitz. A Perfe
t Zero-Knowledge Proof for a De
ision Problem Equivalent
to Dis
rete Logarithm. Journal of Cryptology, Vol. 6 (2), pages 97{116, 1993.
[59 O. Goldrei
h, S. Mi
ali and A. Wigderson. Proofs that Yield Nothing but their Validity or All Languages
in NP Have Zero-Knowledge Proof Systems. Journal of the ACM, Vol. 38, No. 1, pages 691{729, 1991.
Preliminary version in 27th FOCS, 1986.
[60 O. Goldrei
h, S. Mi
ali and A. Wigderson. How to Play any Mental Game { A Completeness Theorem
for Proto
ols with Honest Majority. In 19th ACM Symposium on the Theory of Computing, pages
218{229, 1987. See details in [48.
[61 O. Goldrei
h and Y. Oren. Denitions and Properties of Zero-Knowledge Proof Systems. Journal of
Cryptology, Vol. 7, No. 1, pages 1{32, 1994.
[62 O. Goldrei
h, R. Ostrovsky and E. Petrank. Knowledge Complexity and Computational Complexity.
SIAM Journal on Computing, Vol. 27, 1998, pages 1116{1141.
[63 O. Goldrei
h and E. Petrank. Quantifying Knowledge Complexity. Computational Complexity, Vol. 8,
pages 50{98, 1999. Preliminary version in 32nd FOCS, 1991.
[64 O. Goldrei
h, A. Sahai, and S. Vadhan. Honest-Verier Statisti
al Zero-Knowledge equals general
Statisti
al Zero-Knowledge. In 30th ACM Symposium on the Theory of Computing, pages 399{408,
1998.
[65 O. Goldrei
h, A. Sahai, and S. Vadhan. Can Statisti
al Zero-Knowledge be Made Non-Intera
tive? or
On the Relationship of SZK and NISZK. In Crypto99, Springer-Verlag Le
ture Notes in Computer
S
ien
e (Vol. 1666), pages 467{484.
[66 O. Goldrei
h and S. Vadhan. Comparing Entropies in Statisti
al Zero-Knowledge with Appli
ations to
the Stru
ture of SZK. In 14th IEEE Conferen
e on Computational Complexity, pages 54{73, 1999.
[67 S. Goldwasser and S. Mi
ali. Probabilisti
En
ryption. Journal of Computer and System S
ien
e,
Vol. 28, No. 2, pages 270{299, 1984. Preliminary version in 14th STOC, 1982.
[68 S. Goldwasser, S. Mi
ali and C. Ra
ko. The Knowledge Complexity of Intera
tive Proof Systems.
SIAM Journal on Computing, Vol. 18, pages 186{208, 1989. Preliminary version in 17th STOC, 1985.
[69 S. Goldwasser and M. Sipser. Private Coins versus Publi
Coins in Intera
tive Proof Systems. Advan
es
in Computing Resear
h: a resear
h annual, Vol. 5 (Randomness and Computation, S. Mi
ali, ed.), pages
73{90, 1989. Extended abstra
t in 18th STOC, pages 59{68, 1986.
[70 J. Hastad, R. Impagliazzo, L.A. Levin and M. Luby. A Pseudorandom Generator from any One-way
Fun
tion. SIAM Journal on Computing, Volume 28, Number 4, pages 1364{1396, 1999.
[71 R. Impagliazzo and M. Yung. Dire
t Zero-Knowledge Computations. In Crypto87, Springer-Verlag
Le
ture Notes in Computer S
ien
e (Vol. 293), pages 40{51, 1987.
32
[72 J. Kilian. A Note on E
ient Zero-Knowledge Proofs and Arguments. In 24th ACM Symposium on the
Theory of Computing, pages 723{732, 1992.
[73 J. Kilian and E. Petrank. An E
ient Non-Intera
tive Zero-Knowledge Proof System for NP with
General Assumptions. Journal of Cryptology, Vol. 11, pages 1{27, 1998.
[74 J. Kilian and E. Petrank Con
urrent and Resettable Zero-Knowledge in Poly-logarithmi
Rounds In
33rd ACM Symposium on the Theory of Computing, pages 560{569, 2001.
[75 L.A. Levin. Average Case Complete Problems. SIAM Jour. of Computing, Vol. 15, pages 285{286,
1986.
[76 C. Lund, L. Fortnow, H. Karlo, and N. Nisan. Algebrai
Methods for Intera
tive Proof Systems.
Journal of the ACM, Vol. 39, No. 4, pages 859{868, 1992. Preliminary version in 31st FOCS, 1990.
[77 S. Mi
ali. Computationally Sound Proofs. SIAM Journal on Computing, Vol. 30 (4), pages 1253{1298,
2000. Preliminary version in 35th FOCS, 1994.
[78 M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages
151{158, 1991.
[79 M. Nguyen, S.J. Ong, S. Vadhan. Statisti
al Zero-Knowledge Arguments for NP from Any One-Way
Fun
tion. In 47th IEEE Symposium on Foundations of Computer S
ien
e, pages 3-14, 2006.
[80 T. Okamoto. On relationships between statisti
al zero-knowledge proofs. In 28th ACM Symposium on
the Theory of Computing, pages 649{658, 1996.
[81 R. Ostrovsky and A. Wigderson. One-Way Fun
tions are essential for Non-Trivial Zero-Knowledge. In
2nd Israel Symp. on Theory of Computing and Systems, IEEE Comp. So
. Press, pages 3{17, 1993.
[82 R. Pass, W-L.D. Tseng, and M. Venkitasubramaniam. Eye for an Eye: E
ient Con
urrent ZeroKnowledge in the Timing Model. In 7th TCC, Springer Le
ture Notes in Computer S
ien
e (Vol. 5978),
pages 518{534, 2010.
[83 E. Petrank and G. Tardos. On the Knowledge Complexity of NP. In 37th IEEE Symposium on
Foundations of Computer S
ien
e, pages 494{503, 1996.
[84 M. Prabhakaran, A. Rosen and A. Sahai. Con
urrent Zero-Knowledge Proofs in Logarithmi
Number
of Rounds. In 43rd IEEE Symposium on Foundations of Computer S
ien
e, pages 366{375, 2002.
[85 R. Ri
hardson and J. Kilian. On the Con
urrent Composition of Zero-Knowledge Proofs. In EuroCrypt99, Springer Le
ture Notes in Computer S
ien
e (Vol. 1592), pages 415{413.
[86 R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining Digital Signatures and Publi
Key
Cryptosystems. Communi
ations of the ACM, Vol. 21, Feb. 1978, pages 120{126
[87 A. Sahai and S. Vadhan. A Complete Promise Problem for Statisti
al Zero-Knowledge. In 38th IEEE
Symposium on Foundations of Computer S
ien
e, pages 448{457, 1997.
[88 A. Shamir. IP = PSPACE. Journal of the ACM, Vol. 39, No. 4, pages 869{877, 1992. Preliminary
version in 31st FOCS, 1990.
[89 S. Vadhan. A Study of Statisti
al Zero-Knowledge Proofs. PhD Thesis, Department of Mathemati
s,
MIT, 1999. ACM Do
toral Dissertation Award 2000. To be published by Springer-Verlag for re
eiving
[90 S. Vadhan. An Un
onditional Study of Computational Zero Knowledge. SIAM Journal on Computing,
Vol. 36 (4), pages 1160{1214, 2006.
[91 A.C. Yao. Theory and Appli
ation of Trapdoor Fun
tions. In 23rd IEEE Symposium on Foundations
of Computer S
ien
e, pages 80{91, 1982.
[92 A.C. Yao. How to Generate and Ex
hange Se
rets. In 27th IEEE Symposium on Foundations of
Computer S
ien
e, pages 162{167, 1986.
33