# On the Composition of Zero-Knowledge Proof Systems

@inproceedings{Goldreich1990OnTC, title={On the Composition of Zero-Knowledge Proof Systems}, author={Oded Goldreich and Hugo Krawczyk}, booktitle={ICALP}, year={1990} }

A basic question concerning zero-knowledge proof systems is whether their (sequential and/or parallel) composition is zero-knowledge too. This question is not only of natural theoretical interest, but is also of great practical importance as it concerns the use of zero-knowledge proofs as subroutines in cryptographic protocols.

## Topics from this paper

## 263 Citations

On the Concurrent Composition of Zero-Knowledge Proofs

- Computer ScienceEUROCRYPT
- 1999

It is shown that, modulo certain complexity assumptions, any statement in NP has kƐ-round proofs and arguments in which one can efficiently simulate any kO(1) concurrent executions of the protocol.

The power of preprocessing in zero-knowledge proofs of knowledge

- Mathematics, Computer ScienceJournal of Cryptology
- 2004

We show that, after a constant-round preprocessing stage, it is possible for a prover to prove knowledge of a witness for any polynomial-time relation without any further interaction. The number of…

Practical Proofs of Knowledge without Relying on Theoretical Proofs of Membership on Languages

- Computer Science, MathematicsTheor. Comput. Sci.
- 1997

How to construct constant-round zero-knowledge proof systems for NP

- Mathematics, Computer ScienceJournal of Cryptology
- 2004

It follows that constant-round zero-knowledge proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for Blum integers.

Constant-Round Concurrent Zero Knowledge From Falsifiable Assumptions

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2012

A constant-round concurrent zero-knowledge protocol for NP that is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new falsifiable intractability assumption.

Parallel repetition of zero-knowledge proofs and the possibility of basing cryptography on NP-hardness

- Mathematics, Computer Science21st Annual IEEE Conference on Computational Complexity (CCC'06)
- 2006

It is shown that, unless the polynomial-hierarchy collapses, black-box reductions cannot be used to provide positive answers to both NP-complete problem and one-way function questions.

Lower Bounds For Concurrent Zero Knowledge*

- Mathematics, Computer ScienceComb.
- 2005

Any 4 round (computational) zero-knowledge interactive proof (or argument) for a non-trivial language L is not black-box simulatable in the asynchronous setting.

On Separating Proofs of Knowledge from Proofs of Membership of Languages and Its Application to Secure Identification Schemes (Extended Abstract)

- Computer ScienceCOCOON
- 1995

A four-move protocol for quadratic residuosity is proposed and the security is discussed. An application of the proposed protocol to a cryptographic identification scheme introduces a new notion of…

A Note on the Round-Complexity of Concurrent Zero-Knowledge

- Computer Science, MathematicsCRYPTO
- 2000

It is shown that in the context of Concurrent Zero-Knowledge, at least eight rounds of interaction are essential for black-box simulation of non-trivial proof systems (i.e., systems for languages that are not in BPP).

## References

SHOWING 1-10 OF 46 REFERENCES

Proofs that yield nothing but their validity and a methodology of cryptographic protocol design

- Computer Science27th Annual Symposium on Foundations of Computer Science (sfcs 1986)
- 1986

This paper demonstrates the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff that efficiently demonstrate membership in the language without conveying any additional knowledge.

Zero Knowledge Proofs of Knowledge in Two Rounds

- Mathematics, Computer ScienceCRYPTO
- 1989

These protocols rely on two novel ideas: One for constructing commitment schemes, the other for constructing subprotocols which are not known to be zero knowledge, yet can be proven not to reveal useful information.

Random self-reducibility and zero knowledge interactive proofs of possession of information

- Computer Science28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
- 1987

It is shown that any "random self-reducible" problem has a zero knowledge interactive proof of this sort, and new zeroknowledge interactive proofs are exhibited for "knowledge" of the factorization of an integer, nonmembership in cyclic subgroups of Zp*, and determining whether an element generates Zp*.

Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems

- Computer Science, MathematicsJACM
- 1991

In this paper the generality and wide applicability of Zero-knowledge proofs, a notion introduced by Goldwasser, Micali, and Rackoff is demonstrated. These are probabilistic and interactive proofs…

Perfect zero-knowledge in constant rounds

- Mathematics, Computer ScienceSTOC '90
- 1990

This paper shows that any random self-reducible language has a 5 round perfect zero knowledge interactive proof, and shows that a language outside BPP requires more than 3 rounds from any perfect ZK proof.

Everything in NP can be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds (Extended Abstract)

- Mathematics, Computer ScienceEUROCRYPT
- 1989

The first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds is given (under a suitable cryptographic assumption).

On the cunning power of cheating verifiers: Some observations about zero knowledge proofs

- Mathematics, Computer Science28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
- 1987

It is shown that randomness of both the verifier and the prover, and nontriviality of the interaction are essential properties of non-trivial auxiliary-input zero-knowledge proofs.

Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond

- Computer Science27th Annual Symposium on Foundations of Computer Science (sfcs 1986)
- 1986

A perfect zero-knowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the…

The Knowledge Complexity of Interactive Proof Systems

- Computer ScienceSIAM J. Comput.
- 1989

A computational complexity theory of the “knowledge” contained in a proof is developed and examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and 'quadratic nonresiduosity.