# On the Composition of Zero-Knowledge Proof Systems

@inproceedings{Goldreich1990OnTC,
title={On the Composition of Zero-Knowledge Proof Systems},
author={Oded Goldreich and Hugo Krawczyk},
booktitle={International Colloquium on Automata, Languages and Programming},
year={1990}
}
• Published in
International Colloquium on…
1 July 1990
• Mathematics, Computer Science
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. [] Key Result Other consequences are a proof of optimality for the round complexity of various known zero-knowledge protocols and the necessity of using secret coins in the design of "parallelizable" constant-round zero-knowledge proofs.
490 Citations
• Mathematics, Computer Science
IACR Cryptol. ePrint Arch.
• 2009
It is shown that auxiliary-input zero knowledge with efficient provers is not closed under parallel composition of 2 copies under the assumption that there is a secure key agreement protocol (in which it is easy to recognize valid transcripts).
It is shown that auxiliary-input zero knowledge with efficient provers is not closed under parallel composition of 2 copies under the assumption that there is a secure key agreement protocol (in which it is easy to recognize valid transcripts).
• Computer Science, Mathematics
ArXiv
• 2001
The proof system presented is the only known proof system that retains the zero-knowledge property when copies of the proof are allowed to run in an asynchronous environment and has $\tilde{O}(\log^2 k)$ rounds.
A nonblack-box simulatable 3-round zero-knowledge proof system for NP is presented, which is secure even when the prover has unbounded computational resources, and a proof of knowledge framework is provided in which to view this type of non-standard assumption.
It is shown that in the context of Concurrent Zero-Knowledge, at least eight rounds of interaction are essential for black-box simulation of non-trivial proof systems (i.e., systems for languages that are not in BPP).
• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2000
This paper presents a concurrent zero-knowledge proof for all languages in NP with a drastically improved complexity: the proof requires only a poly-logarithmic, specifically, ω(log2 k) number of rounds.
This thesis closes the gap between these upper and lower bounds of any cZK proof system for a language outside BPP, whosecZK property is proved using black-box simulation, requires (log n= log log n) rounds of interaction.
• Computer Science, Mathematics
ICICS
• 1997
A protocol for all known random self-reducible languages is presented, and a well-known lower bound for the number of rounds of zero-knowledge proofs of membership is extended to the “decision power model”.
• Computer Science, Mathematics
Journal of Cryptology
• 2004
It is shown that randomness of both the verifier and the prover, and nontriviality of the interaction are essential properties of (nontrivial) auxiliary-input zero-knowledge proofs.
• Mathematics, Computer Science
CRYPTO
• 2005
The impossibility of 3-round concurrent (and thus resettable) black-box zero-knowledge argument systems with sequential soundness for non-trivial languages is shown.

## References

SHOWING 1-10 OF 39 REFERENCES

• Yair Oren
• Computer Science, Mathematics
28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
• 1987
It is shown that randomness of both the verifier and the prover, and nontriviality of the interaction are essential properties of non-trivial auxiliary-input zero-knowledge proofs.
• Computer Science, Mathematics
STOC '90
• 1990
This paper shows that any random self-reducible language has a 5 round perfect zero knowledge interactive proof, and shows that a language outside BPP requires more than 3 rounds from any perfect ZK proof.
• Computer Science, Mathematics
JACM
• 1991
In this paper the generality and wide applicability of Zero-knowledge proofs, a notion introduced by Goldwasser, Micali, and Rackoff is demonstrated. These are probabilistic and interactive proofs
• Mathematics, Computer Science
STOC '85
• 1985
A computational complexity theory of the “knowledge” contained in a proof is developed and examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and 'quadratic nonresiduosity.
• Computer Science, Mathematics
EUROCRYPT
• 1989
The first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds is given (under a suitable cryptographic assumption).
• Mathematics, Computer Science
28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
• 1987
It is shown that any "random self-reducible" problem has a zero knowledge interactive proof of this sort, and new zeroknowledge interactive proofs are exhibited for "knowledge" of the factorization of an integer, nonmembership in cyclic subgroups of Zp*, and determining whether an element generates Zp*.
• Computer Science, Mathematics
CRYPTO
• 1986
A zero-knowledge interactive proof is a protocol by which Alice can convince a polynomially-bounded Bob of the truth of some theorem without giving him any hint as to how the proof might proceed.
• Computer Science, Mathematics
27th Annual Symposium on Foundations of Computer Science (sfcs 1986)
• 1986
This paper demonstrates the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff that efficiently demonstrate membership in the language without conveying any additional knowledge.
• Computer Science, Mathematics
27th Annual Symposium on Foundations of Computer Science (sfcs 1986)
• 1986
A perfect zero-knowledge interactive proof is a protocol by which Alice can convince Bob of the truth of some theorem in a way that yields no information as to how the proof might proceed (in the
• Computer Science
STOC '86
• 1986
The probabilistic, nondeterministic, polynomial time Turing machine is defined and shown to be equivalent in power to the interactive proof system and to BPP much as BPP is the Probabilistic analog to P.