ZeroKnowledge twenty years after its invention

Oded Goldreich

Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel

Email odedwisdomweizmannaci l

First draft p osted in July

Current version December

Abstract

Zeroknowledge pro ofs are pro ofs that are b oth convincing and yet yield nothing b eyond

the validity of the assertion b eing proven Since their introduction ab out twenty years ago

zeroknowledge pro ofs have attracted a lot of attention and have in turn contributed to the

development of other areas of cryptography and complexity theory

We survey the main denitions and results regarding zeroknowledge pro ofs Sp ecically

we present the basic denitional approach and its variants results regarding the p ower of zero

knowledge pro ofs as well as recent results regarding questions such as the comp oseability of

zeroknowledge pro ofs and the use of the adversarys program within the pro of of security ie

nonblackbox simulation

Contents

Introduction

The Basics

Advanced Topics

Comments

I The Basics

Preliminaries

Interactive pro ofs and argument systems

Computational Diculty and OneWay Functions

Computational Indistinguishability

Denitional Issues

The Simulation Paradigm

The Basic Denition

Variants

Universal and blackbox simulation

Honest verier versus general cheating verier

Statistical versus Computational ZeroKnowledge

Strict versus exp ected probabilistic p olynomialtime

ZeroKnowledge Pro ofs for every NPset

Constructing ZeroKnowledge Pro ofs for NPsets

Using ZeroKnowledge Pro ofs for NPsets

II Advanced Topics

Comp osing zeroknowledge proto cols

Sequential Comp osition

Parallel Comp osition

Concurrent Comp osition with and without timing

Using the adversarys program in the pro of of security

Digest Witness Indistinguishability and the FLSTechnique

Pro ofs of Knowledge

How to dene pro ofs of knowledge

How to construct pro ofs of knowledge

NonInteractive ZeroKnowledge

Statistical ZeroKnowledge

Transformations

Complete problems and structural prop erties

Knowledge Complexity

Resettability of a partys randomtap e rZK and rsZK

Zeroknowledge in other mo dels

A source of inspiration for complexity theory

References

Introduction

ZeroKnowledge pro ofs introduced by Goldwasser Micali and Racko are fascinating and

extremely useful constructs Their fascinating nature is due to their seemingly contradictory de

nition zeroknowledge pro ofs are b oth convincing and yet yield nothing b eyond the validity of the

assertion b eing proven Their applicability in the domain of cryptography is vast they are typically

used to force malicious parties to b ehave according to a predetermined proto col In addition to

their direct applicability in Cryptography zeroknowledge pro ofs serve as a go o d b enchmark for

the study of various problems regarding cryptographic proto cols eg the preservation of security

under various forms of proto col comp osition and the use of of the adversarys program within

the pro of of security

In this tutorial we present the basic denitions and results regarding zeroknowledge proto cols

as well as some recent developments regarding this notion The rest of the introduction provides a

highlevel summary of the tutorial

X X is true! ??

?


























!


























?

! !

Figure Zeroknowledge pro ofs an illustration

The Basics

Lo osely sp eaking zeroknowledge pro ofs are pro ofs that yield nothing b eyond the validity of the

assertion That is a verier obtaining such a pro of only gains conviction in the validity of the asser

tion This is formulated by saying that anything that is feasibly computable from a zeroknowledge

pro of is also feasibly computable from the valid assertion itself by a socalled simulator Variants

on the basic denition include

Consideration of auxiliary inputs

Mandating of universal and blackbox simulations

Restricting attention to honest or rather semihonest veriers

The level of similarity required of the simulation

It is wellknown that zeroknowledge proofs exist for any NPset provided that oneway functions

exist This result is a p owerful to ol in the design of cryptographic proto cols b ecause it enables to

force parties to b ehave according to a predetermined proto col ie the proto col requires parties

to provide zeroknowledge pro ofs of the correctness of their secretbased actions without revealing

these secrets

Organization of Part We start with some preliminaries Section which are central to

the mindset of the notion of zeroknowledge In particular we review the denitions of inter

active pro ofs and arguments as well as the denitions of computational indistinguishability which

underlies the denition of general zeroknowledge and of oneway functions which are used in

constructions We then turn to the denitional treatment of zeroknowledge itself Section

Finally we discuss the constructibility and applicability of zeroknowledge pro ofs Section

Advanced Topics

We start with two basic problems regarding zeroknowledge which actually arise also with resp ect

to the security of other cryptographic primitives The rst question refers to the preservation of

security ie zeroknowledge in our case under various types of comp osition op erations We survey

the known results regarding sequential parallel and concurrent execution of arbitrary andor

sp ecic zeroknowledge proto cols The main facts are

Zeroknowledge with resp ect to auxiliary inputs is closed under sequential comp osition

In general zeroknowledge is not closed under parallel comp osition Yet some zeroknowledge

pro ofs for NP preserve their security when many copies are executed in parallel Further

more some of these proto col use a constant number of rounds

Some zeroknowledge pro ofs for NP preserve their security when many copies are executed

concurrently but such a result is not known for constantround proto cols

The second basic question regarding zeroknowledge refers to the usage of the adversarys program

within the pro of of security ie demonstration of the zeroknowledge prop erty For years all

known pro ofs of security used the adversarys program as a blackbox ie a universal simulator

was presented using the adversarys program as an oracle Furthermore it was b elieved that there

is no advantage in having access to the co de of the adversarys program Consequently it was

conjectured that negative results regarding blackbox simulation represent an inherent limitation

of zeroknowledge This b elieve has b een refuted recently by the presentation of a zeroknowledge

argument for NP that has imp ortant prop erties that are unachievable by blackbox simulation

For example this zeroknowledge argument uses a constant number of rounds and preserves its

security when an apriori xed p olynomial number of copies are executed concurrently

Organization of Part The comp oseability of zeroknowledge pro ofs is discussed in Section

and the use of the adversarys program within the pro of of security is discussed in Section Other

topics treated in the second part of this tutorial include pro ofs of knowledge Section Non

Interactive ZeroKnowledge pro ofs Section Statistical ZeroKnowledge Section Knowledge

Complexity Section and resettability of a partys randomtap e Section

Comments

The notion of zeroknowledge has had a vast impact on the development of cryptography In

particular zeroknowledge pro ofs of various types were explicitly used as a to ol in a variety of

applications We wish to highlight also the indirect impact of zeroknowledge on the denitional

This result falls short of achieving a fully concurrent zeroknowledge argument b ecause the number of concurrent

copies must b e xed b efore the proto col is presented Sp ecically the proto col uses messages that are longer than

the allowed number of concurrent copies

approach underlying the foundations of cryptography cf Section In addition zeroknowledge

has served as a source of inspiration for complexity theory cf Section

A Brief Historical Account regarding the main part of the tutorial The concept of zero

knowledge has b een introduced by Goldwasser Micali and Racko Although their work which

also introduced interactive pro of systems has rst app eared in STOC early versions of it have

existed as early as in and were rejected three times from ma jor conferences ie FOCS

STOC and FOCS The wide applicability of zeroknowledge pro ofs was rst demonstrated

by Goldreich Micali and Wigderson who showed how to construct zeroknowledge pro of systems

for any NPset using any commitment scheme An imp ortant technique for the design of

zeroknowledge was introduced by Feige Lapidot and Shamir based on the notion of witness

indistinguishability which was introduced by Feige and Shamir Imp ortant contributions to

the study of the sequential parallel and concurrent comp osition of zeroknowledge proto cols were

presented in and resp ectively The p ower of nonblackbox

simulators has b een recently discovered by Barak

Suggestions for further reading For further details regarding most of the material the reader

is referred to Chap For a wider p ersp ective on probabilistic pro of systems the reader is

referred to Chap

The current version This is a minor revision of the rst draft dated July

Part I

The Basics

Preliminaries

Mo dern Cryptography is concerned with the construction of ecient schemes for which it is in

feasible to violate the security feature The same concern underlies the main denitions of zero

knowledge Thus for starters we need a notion of ecient computations as well as a notion of

infeasible ones The computations of the legitimate users of the scheme ought b e ecient whereas

violating the security features via an adversary ought to b e infeasible

Ecient computations are commonly mo deled by computations that are p olynomialtime in the

security parameter The p olynomial b ounding the runningtime of the legitimate users strategy is

xed and typically explicit and small Here ie when referring to the complexity of the legitimate

users we are in the same situation as in any algorithmic setting Things are dierent when referring

to our assumptions regarding the computational resources of the adversary A common approach is

to p ostulate that the latter are p olynomialtime to o where the p olynomial is not apriori specied

In other words the adversary is restricted to the class of ecient computations and anything b eyond

this is considered to b e infeasible Although many denitions explicitly refer to this convention

this convention is inessential to any of the results known in the area In all cases a more general

statement can b e made by referring to adversaries of runningtime b ounded by any sup erp olynomial

function or class of functions Still for sake of concreteness and clarity we shall use the former

convention in our treatment

Actually in order to simplify our exp osition we will often consider as infeasible any computation

that cannot b e conducted by a p ossibly nonuniform family of p olynomialsize circuits For

simplicity we consider families of circuits fC g where for some p olynomials p and q each C has

n n

exactly pn input bits and has size at most q n

Randomized computations play a central role in the denition of zeroknowledge as well as in

cryptography at large That is we allow the legitimate users to employ randomized computations

and likewise we consider adversaries that employ randomized computations This brings up the

issue of success probability typically we require that legitimate users succeed in fullling their

legitimate goals with probability or negligibly close to this whereas adversaries succeed in

violating the security features with negligible probability Thus the notion of a negligible probability

plays an imp ortant role in our exp osition One feature required of the denition of negligible

probability is to yield a robust notion of rareness A rare event should o ccur rarely even if we

rep eat the exp eriment for a feasible number of times Likewise we consider two events to o ccur

as frequently if the absolute dierence b etween their corresp onding o ccurrence probabilities is

negligible For concreteness we consider as negligible any function N that vanishes faster

than the recipro cal of any p olynomial ie for every p ositive p olynomial p and all suciently big

n it holds that n pn

Interactive pro ofs and argument systems

Before dening zeroknowledge pro ofs we have to dene pro ofs The standard notion of static ie

noninteractive pro ofs will not do b ecause static zeroknowledge pro ofs exist only for sets that are

easy to decide ie are in BPP whereas we are interested in zeroknowledge pro ofs for arbitrary

NPsets Instead we use the notion of an interactive pro of introduced exactly for that reason by

Goldwasser Micali and Racko That is here a pro of is a multiround randomized proto col

for two parties called verier and prover in which the prover wishes to convince the verier of

the validity of a given assertion Such an interactive proof should allow the prover to convince the

verier of the validity of any true assertion whereas no prover strategy may fo ol the verier to

accept false assertions Both the ab ove completeness and soundness conditions should hold with

high probability ie a negligible error probability is allowed

We comment that interactive pro ofs emerge naturally when asso ciating the notion of e

cient verication which underlies the notion of a pro of system with probabilistic and interactive

p olynomialtime computations This asso ciation is quite natural in light of the growing acceptabil

ity of randomized and distributed computations Thus a pro of in this context is not a xed and

static ob ject but rather a randomized and dynamic ie interactive pro cess in which the verier

interacts with the prover Intuitively one may think of this interaction as consisting of tricky

questions asked by the verier to which the prover has to reply convincingly The ab ove discus

sion as well as the following denition makes explicit reference to a prover whereas a prover is

only implicit in the traditional denitions of pro of systems eg NPpro ofs

Lo osely sp eaking an interactive pro of is a game b etween a computationally b ounded verier

and a computationally unbounded prover whose goal is to convince the verier of the validity of

some assertion Sp ecically the verier is probabilistic p olynomialtime It is required that if the

assertion holds then the verier always accepts ie when interacting with an appropriate prover

strategy On the other hand if the assertion is false then the verier must reject with noticeable

probability no matter what strategy is b eing employed by the prover Indeed the error probability

in the soundness condition can b e reduced by either sequential or parallel rep etitions

Denition Interactive Pro of systems and the class IP An interactive proof system for a set

S is a twoparty game between a verier executing a probabilistic polynomialtime strategy denoted

V and a prover which executes a computationally unbounded strategy denoted P satisfying

Completeness For every x S the verier V always accepts after interacting with the prover

P on common input x

Soundness For some polynomial p it holds that for every x S and every potential strat

egy P the verier V rejects with probability at least pjxj after interacting with P on

common input x

The class of problems having interactive proof systems is denoted IP

Note that by rep eating such a pro of system for O pjxj times we may decrease the probability

pjxj

that V accepts a false statement from pjxj to Thus when constructing interactive

pro ofs we sometimes fo cus on obtaining a noticeable rejection probability for noinstances ie

obtaining soundness error b ounded away from whereas when using interactive pro ofs we typically

assume that their soundness error is negligible

Variants ArthurMerlin games aka publiccoin pro of systems introduced by Babai are a

sp ecial case of interactive pro ofs in which the verier must send the outcome of any coin it tosses

and thus need not send any other information Yet as shown in this restricted case has

essentially the same p ower as the general case introduced by Goldwasser Micali and Racko

Thus in the context of interactive pro of systems asking random questions is as powerful as asking

tricky questions As we shall see this do es not necessarily hold in the context of zeroknowledge

pro ofs Also in some sources interactive pro ofs are dened so that twosided error probability is

allowed rather than requiring p erfect completeness as done ab ove yet this do es not increase

their p ower

Arguments or Computational Soundness A fundamental variant on the notion of inter

active pro ofs was introduced by Brassard Chaum and Crepeau who relaxed the soundness

condition so that it only refers to feasible ways of trying to fo ol the verier rather than to all

p ossible ways Sp ecically the soundness condition was replaced by the following computational

soundness condition that asserts that it is infeasible to fo ol the verier into accepting false state

ments

For every p olynomial p every prover strategy that is implementable by a family of

p olynomialsize circuits fC g and every suciently large x f g n S the probability

n

that V accepts x when interacting with C is less than pjxj

jxj

We warn that although the computationalsoundness error can always b e reduced by sequential

rep etitions it is not true that this error can always b e reduced by parallel rep etitions cf

Proto cols that satisfy the computationalsoundness condition are called arguments We mention

that argument systems may b e more ecient than interactive pro ofs see

Terminology Whenever we wish to blur the distinction b etween pro ofs and arguments we will

use the term proto cols We will consider such a proto col trivial if it establishes membership in a

BPPset b ecause membership in such a set can b e determined by the verier itself On the other

hand we will sometimes talk ab out proto cols for NP when what we actually mean is proto cols

for each set in NP This terminology is quite common in the area

A related notion not discussed here is that of CSpro ofs introduced by Micali

See for further discussion of the distinction

Computational Diculty and OneWay Functions

Most p ositive results regarding zeroknowledge pro ofs are based on intractability assumptions

Furthermore the very notion of a zeroknowledge pro of is interesting only in case the assertion

b eing proven to b e valid is hard to verify in probabilistic p olynomialtime Thus our discussion

always assumes at least implicitly that IP is not contained in BPP and often we explicitly

assume more than that

In general Mo dern Cryptography is concerned with the construction of schemes that are easy to

op erate prop erly but hard to foil Thus a complexity gap ie b etween the complexity of prop er

usage and the complexity of defeating the prescrib ed functionality lies in the heart of Mo dern

Cryptography However gaps as required for Mo dern Cryptography are not known to exist they

are only widely b elieved to exist Indeed almost all of Mo dern Cryptography rises or falls with

the question of whether oneway functions exist Oneway functions are functions that are easy to

evaluate but hard on the average to invert cf That is a function f f g f g is

called oneway if there is an ecient algorithm that on input x outputs f x whereas any feasible

algorithm that tries to nd a preimage of f x under f may succeed only with negligible probability

where the probability is taken uniformly over the choices of x and the algorithms coin tosses

Asso ciating feasible computations with p ossibly nonuniform families of p olynomialsize circuits

we obtain the following denition

Denition oneway functions A function f f g f g is called oneway if the fol lowing

two conditions hold

easy to evaluate There exist a polynomialtime algorithm A such that Ax f x for every

x f g

hard to invert For every family of polynomialsize circuits fC g every polynomial p and al l

n

suciently large n

Pr C f x f f x

n

pn

n

where the probability is taken uniformly over al l the possible choices of x f g

Some of the most p opular candidates for oneway functions are based on the conjectured intractabil

ity of computational problems in number theory One such conjecture is that it is infeasible to factor

large integers Consequently the function that takes as input two equal length primes and outputs

their pro duct is widely b elieved to b e a oneway function

Terminology Some of the p ositive results mentioned b elow require stronger forms of oneway

functions eg oneway p ermutations with or without trap do or Sec and clawfree

p ermutation pairs Sec Whenever we wish to avoid the sp ecic details we will talk

ab out standard intractability assumptions In all cases the conjectured intractability of factoring

will suce

Computational Indistinguishability

A central notion in Mo dern Cryptography is that of eective similarity introduced by Gold

wasser Micali and Yao The underlying thesis is that we do not care whether or not

ob jects are equal all we care is whether or not a dierence b etween the ob jects can b e observed by

a feasible computation In case the answer is negative the two ob jects are equivalent as far as any

practical application is concerned Indeed like in many other cryptographic denitions in the def

inition of generalcomputational zeroknowledge we will freely interchange such computationally

indistinguishable ob jects

The asymptotic formulation of computational indistinguishability refers to pairs of probabil

ity ensembles which are innite sequences of nite distributions rather than to pairs of nite

distributions Sp ecically we consider sequences indexed by strings rather than by integers in

unary representation For S f g we consider the probability ensembles X fX g

S

and Y fY g where each X resp Y is a distribution that ranges over strings of length

S

p olynomial in jj We say that X and Y are computationally indistinguishable if for every feasible

def

algorithm A the dierence d n max n fjPr AX Pr AY jg is a negligible

A

fg

function in jj That is

Denition computational indistinguishability We say that X fX g and Y

S

fY g are computationally indistinguishable if for every family of polynomialsize circuits fD g

S n

p oly n

every polynomial p al l suciently large n and every f g S

jPr D X Pr D Y j

n n

pn

where the probabilities are taken over the relevant distribution ie either X or Y

n n

That is we think of D fD g as of someb o dy who wishes to distinguish two distributions based

n

on a sample given to it and think of as of D s verdict that the sample was drawn according

to the rst distribution Saying that the two distributions are computationally indistinguishable

means that if D is an ecient pro cedure then its verdict is not really meaningful b ecause the

verdict is almost as often when the input is drawn from the rst distribution as when the input

is drawn from the second distribution

We comment that indistinguishability by a single sample as dened ab ove implies indistin

guishability by multiple samples Also note that the denition would not have b een stronger if we

were to provide the distinguisher ie D with the index ie of the distributionpair b eing

tested

Denitional Issues

Lo osely sp eaking zeroknowledge pro ofs are pro ofs that yield nothing b eyond the validity of the

assertion That is a verier obtaining such a pro of only gains conviction in the validity of the

assertion This is formulated by saying that anything that can b e feasibly obtained from a zero

knowledge pro of is also feasibly computable from the valid assertion itself The latter formulation

follows the simulation paradigm which is discussed next

The Simulation Paradigm

In dening zeroknowledge pro ofs we view the verier as a p otential adversary that tries to gain

knowledge from the prescrib ed prover We wish to state that no feasible adversary strategy for

Furthermore the denition would not have b een stronger if we were to consider a sp ecialized p olynomialsize

circuit p er each S ie consider the dierence jPr D X Pr D Y j for any set of circuits

D fD g such that the size of D is p olynomial in jj

S

the verier can gain anything from the prover b eyond conviction in the validity of the assertion

Let us consider the desired formulation from a wide p ersp ective

A key question regarding the mo deling of security concerns is how to express the intuitive re

quirement that an adversary gains nothing substantial by deviating from the prescrib ed b ehavior

of an honest user Our approach is that the adversary gains nothing if whatever it can obtain

by unrestricted adversarial b ehavior can b e obtained within essentially the same computational

eort by a b enign b ehavior The denition of the b enign b ehavior captures what we want to

achieve in terms of security and is sp ecic to the security concern to b e addressed For example

in the previous paragraph we said that a pro of is zeroknowledge if it yields nothing b eyond the

validity of the assertion ie the b enign b ehavior is any computation that is based only on the

assertion itself while assuming that the latter is valid Thus in a zeroknowledge pro of no feasible

adversarial strategy for the verier can obtain more than a b enign verier which b elieves the

assertion can obtain from the assertion itself We comment that the simulation paradigm which

was rst developed in the context of zeroknowledge is pivotal also to the denition of the

security of encryption schemes cf Chap and cryptographic proto cols cf

A notable prop erty of dening security or zeroknowledge via the simulation paradigm is that

this approach is overly lib eral with resp ect to its view of the abilities of the adversary as well as

to what might constitute a gain for the adversary Thus the approach may b e considered overly

cautious b ecause it prohibits also nonharmful gains of some far fetched adversaries We

warn against this impression Firstly there is nothing more dangerous in cryptography than to

consider reasonable adversaries a notion which is almost a contradiction in terms typically the

adversaries will try exactly what the system designer has discarded as far fetched Secondly it

seems imp ossible to come up with denitions of security that distinguish breaking the scheme in a

harmful way from breaking it in a nonharmful way what is harmful is applicationdep endent

whereas a go o d denition of security ought to b e applicationindep endent as otherwise using the

scheme in any new application will require a full reevaluation of its security Furthermore even

with resp ect to a sp ecic application it is typically very hard to classify the set of harmful

breakings

The Basic Denition

Zeroknowledge is a prop erty of some prover strategies More generally zeroknowledge is a prop erty

of some interactive machines Fixing an interactive machine eg a prescrib ed prover we consider

what can b e computed by an arbitrary feasible adversary eg a verier that interacts with

the xed machine on a common input taken from a predetermined set in our case the set of valid

assertions This is compared against what can b e computed by an arbitrary feasible algorithm that

is only given the input itself An interactive strategy A is zeroknowledge on inputs from the set S

if for every feasible interactive strategy B there exists a feasible noninteractive computation

C such that the following two probability ensembles are computationally indistinguishable

def

fA B xg the output of B after interacting with A on common input x S and

xS

def

fC xg the output of C on input x S

xS

We stress that the rst ensemble represents an actual execution of an interactive proto col whereas

the second ensemble represents the computation of a standalone pro cedure called the simulator

which do es not interact with anybo dy Thus whatever can b e feasibly extracted from interaction

with A on input x S can also b e feasibly extracted from x itself This means that nothing was

gain by the interaction itself b eyond condence in the assertion x S

The ab ove denition do es not account for auxiliary information that an adversary may have

prior to entering the interaction Accounting for such auxiliary information is essential for using

zeroknowledge pro ofs as subproto cols inside larger proto cols see This is taken care of

by a more strict notion called auxiliaryinput zeroknowledge

Denition zeroknowledge revisited A strategy A is auxiliaryinput zeroknowledge

on inputs from S if for every probabilistic polynomialtime strategy B and every polynomial p there

exists a probabilistic polynomialtime algorithm C such that the fol lowing two probability ensembles

are computationally indistinguishable

def

fA B z xg the output of B when having auxiliaryinput z and inter

pjxj

xS z fg

acting with A on common input x S and

def

pjxj

fC x z g the output of C on inputs x S and z f g

pjxj

xS z fg

An interactive proof resp an argument system for S is called auxiliaryinput zeroknowledge if the

prescribed prover strategy is auxiliaryinput zeroknowledge on inputs from S

The more basic denition of zeroknowledge is obtained by eliminating the auxiliaryinput z from

Denition We comment that almost all known zeroknowledge pro ofs are in fact auxiliaryinput

zeroknowledge Notable exceptions are zeroknowledge pro ofs constructed on purp ose in order

to show a separation b etween these two notions eg in and proto cols having only non

blackbox simulators see warmup in

We stress that the zeroknowledge prop erty of an interactive pro of resp argument refers to all

feasible adversarial strategies that the verier may employ in attempt to extract knowledge from

the prescrib ed prover that tries to convince the verier to accept a valid assertion In contrast

the soundness prop erty of an interactive pro of resp the computationalsoundness prop erty of an

argument refers to all p ossible resp feasible adversarial strategies that the prover may employ

in attempt to fo ol the prescrib ed verier to accept a false assertion Finally the completeness

prop erty only refers to the b ehavior of b oth prescrib ed strategies when given as common input

a valid assertion

Variants

The reader may skip the current subsection and return to it whenever encountering esp ecially in

the second part of this tutorial a notion that was not dened ab ove

Universal and blackbox simulation

We have already discussed two variants on the basic denition ie with or without auxiliary

inputs Further strengthening of Denition is obtained by requiring the existence of a universal

We note that the following denition seems stronger than merely allowing the verier and simulator to b e

arbitrary p olynomialsize circuits The issue is that the latter formulation do es not guarantee that the simulator can

b e easily derived from the cheating verier nor that the length of the simulators description is related to the length

of the description of the verier Both issues are imp ortant when trying to use zeroknowledge pro ofs as subproto cols

inside larger proto cols or to comp ose them even sequentially For further discussion see Section

Note that the prescribed verier strategy which is a probabilistic p olynomialtime strategy that only dep ends on

the common input is always auxiliaryinput zeroknowledge In contrast typical prover strategies are implemented

by probabilistic p olynomialtime algorithms that are given an auxiliary input which is not given to the verier but

not by probabilistic p olynomialtime algorithms that are only given the common input

simulator denoted C that is given the program of the verier ie B as an auxiliaryinput that

is in terms of Denition one should replace C x z by C x z hB i where hB i denotes the

description of the program of B which may dep end on x and on z That is we eectively

restrict the simulation by requiring that it b e a uniform feasible function of the veriers program

rather than arbitrarily dep end on it This restriction is very natural b ecause it seems hard to

envision an alternative way of establishing the zeroknowledge prop erty of a given proto col

Taking another step one may argue that since it seems infeasible to reverseengineer programs

the simulator may as well just use the verier strategy as an oracle or as a blackbox This

reasoning gave rise to the notion of blackb ox simulation which was introduced and advocated in

and further studied in numerous works see eg The b elief was that imp ossibility results

regarding blackbox simulation represent inherent limitations of zeroknowledge itself However

this b elief has b een refuted recently by Barak For further discussion see Section

Honest verier versus general cheating verier

The general denition of zeroknowledge ie Denition refers to all feasible verier strategies

This choice is most natural since zeroknowledge is supp osed to capture the robustness of the prover

under any feasible ie adversarial attempt to gain something by interacting with it Thus we

typically view the verier as an adversary that is trying to cheat

A weaker and still interesting notion of zeroknowledge refers to what can b e gained by an

honest verier or rather a semihonest verier that interacts with the prover as directed with

the exception that it may maintain and output a record of the entire interaction ie even if

directed to erase all records of the interaction Although such a weaker notion is not satisfactory

for standard cryptographic applications it yields a fascinating notion from a conceptual as well

as a complexitytheoretic p oint of view Furthermore as shown in every publiccoin pro of

system that is zeroknowledge with respect to the honestverier can b e transformed into a standard

zeroknowledge pro of that maintains many of the prop erties of the original proto col and without

increasing the provers p owers or using any intractability assumptions

We stress that the denition of zeroknowledge with resp ect to the honestverier V is derived

from Denition by considering a single verier strategy B that is equal to V except that B also

maintains a record of the entire interaction including its own coin tosses and outputs this record at

the end of the interaction In particular the messages sent by B are identical to the corresp onding

messages that would have b een sent by V

Statistical versus Computational ZeroKnowledge

Recall that the denition of zeroknowledge p ostulates that for every probability ensemble of one

type ie representing the veriers output after interaction with the prover there exists a similar

ensemble of a second type ie representing the simulators output One key parameter is the

interpretation of similarity Three interpretations yielding dierent notions of zeroknowledge

have b een commonly considered in the literature cf

Perfect ZeroKnowledge PZK requires that the two probability ensembles b e identical

Actually we may incorp orate x and z in hB i and thus replace C x z hB i by C hB i

The term honest verier is more app ealing when considering an alternative equivalent formulation of Def

inition In the alternative denition the simulator is only required to generate the veriers view of the real

interaction when the veriers view includes its inputs the outcome of its coin tosses and all messages it has received

The actual denition of PZK allows the simulator to fail while outputting a sp ecial symbol with some probability

that is b ounded away from and the output distribution of the simulator is conditioned on its not failing

Statistical ZeroKnowledge SZK requires that these probability ensembles b e statistically

close ie the variation distance b etween them is negligible

Computational or rather general ZeroKnowledge CZK requires that these probability en

sembles b e computationally indistinguishable

Indeed Computational ZeroKnowledge CZK is the most lib eral notion and is the notion consid

ered in Denition as well as in most of this tutorial In particular whenever we fail to qualify the

type of zeroknowledge we mean computational zeroknowledge The only exception is Section

which is devoted to a discussion of Statistical or AlmostPerfect ZeroKnowledge SZK We note

that the class SZK contains several problems that are considered intractable

Strict versus exp ected probabilistic p olynomialtime

So far we did not sp ecify what we exactly mean by the term probabilistic p olynomialtime Two

common interpretations are

Strict probabilistic p olynomialtime That is there exist a p olynomial in the length of the

input b ound on the number of steps in each possible run of the machine regardless of the

outcome of its coin tosses

Exp ected probabilistic p olynomialtime The standard approach is to lo ok at the runningtime

as a random variable and bound its expectation by a p olynomial in the length of the input

As observed by Levin cf this denitional approach is quite problematic eg it is

not mo delindep endent and is not closed under algorithmic comp osition and an alternative

treatment of this random variable is preferable

Consequently the notion of exp ected p olynomialtime raises a variety of conceptual and technical

problems For that reason whenever p ossible one should prefer to use the more robust and

restricted notion of strict probabilistic p olynomialtime Thus with the exception of constant

round zeroknowledge proto cols whenever we talk of a probabilistic p olynomialtime verier resp

simulator we mean one in the strict sense In contrast with the exception of all results

regarding constantround zeroknowledge proto cols refer to a strict p olynomialtime verier and

an exp ected p olynomialtime simulator which is indeed a small cheat For further discussion the

reader is referred to

ZeroKnowledge Pro ofs for every NPset

A question avoided so far is whether zeroknowledge pro ofs exist at all Clearly every set in P or

rather in BPP has a trivial zeroknowledge pro of in which the verier determines membership

Sp ecically it is preferable to dene exp ected p olynomialtime as having running time that is p olynomially

related to a function that has linear exp ectation That is rather than requiring that EX p oly n one requires

n

that for some Y it holds that X p oly Y and EY O n The advantage of the latter approach is that if X

n n n n n

n

is deemed polynomial on the average then so is X which is not the case under the former approach eg X

n

n

n

with probability and X n otherwise

n

Sp ecically in b oth the verier and the simulator run in strict p olynomialtime We comment that as

shown in the use of nonblackbox is necessary for the nontriviality of constantround zeroknowledge proto cols

under the strict denition

Trivial zeroknowledge pro ofs for sets in BPP n co RP require mo difying the denition of interactive pro ofs such

that to allow a negligible error also in the completeness condition Alternatively zeroknowledge pro ofs for sets in

BPP can b e constructed by having the prover send a single message that is distributed almost uniformly cf

by itself however what we seek is zeroknowledge pro ofs for statements that the verier cannot

decide by itself

Constructing ZeroKnowledge Pro ofs for NPsets

Assuming the existence of commitment schemes which in turn exist if oneway functions ex

ist there exist auxiliaryinput zeroknowledge proofs of membership in any NPset ie

sets having eciently veriable static pro ofs of membership These zeroknowledge pro ofs rst

constructed by Goldreich Micali and Wigderson and depicted in Figure have the following

imp ortant prop erty the prescrib ed prover strategy is ecient provided it is given as auxiliaryinput

an NPwitness to the assertion to b e proven That is

Theorem using If oneway functions exist then every set S NP has a zero

know ledge interactive proof Furthermore the prescribed prover strategy can be implemented in

probabilistic polynomialtime provided it is given as auxiliaryinput an NPwitness for membership

of the common input in S

Theorem makes zeroknowledge a very p owerful to ol in the design of cryptographic schemes and

proto cols see b elow We comment that the intractability assumption used in Theorem seems

essential see

Commitment schemes are digital analogies of sealed envelopes or b etter lo cked b oxes Sending

a commitment means sending a string that binds the sender to a unique value without revealing

this value to the receiver as when getting a lo cked b ox Decommitting to the value means sending

some auxiliary information that allows to read the uniquely committed value as when sending the

key to the lo ck

def

Common Input A graph GV E Supp ose that V f ng for n jV j

Auxiliary Input to the prover A coloring V f g

The following steps are rep eated t jE j many times so to obtain soundness error expt

Provers rst step P Select uniformly a p ermutation over f g For i to n send

the verier a commitment to the value i

Veriers rst step V Select uniformly an edge e E and send it to the prover

Provers second step P Up on receiving e i j E decommit to the ith and j th values

sent in Step P

Veriers second step V Check whether or not the decommitted values are dierent ele

ments of f g and whether or not they match the commitments received in Step P

Figure The zeroknowledge pro of of Graph Colorability of Zeroknowledge

pro ofs for other NPsets can b e obtained using the standard reductions

Analyzing the proto col of Figure Let us consider a single execution of the main lo op

Clearly the prescrib ed prover is implemented in probabilistic p olynomialtime and always con

vinces the verier provided that it is given a valid coloring of the common input graph In case

Lo osely sp eaking commitment schemes are digital analogue of nontransparent sealed envelopes See further

discussion in Figure

the graph is not colorable then no matter how the prover b ehaves the verier will reject with

probability at least jE j b ecause at least one of the edges must b e improp erly colored by the

prover We stress that the verier selects uniformly which edge to insp ect after the prover has

committed to the colors of all vertices Thus Figure depicts an interactive pro of system for Graph

Colorability As can b e exp ected the zeroknowledge prop erty is the hardest to establish and we

will conne ourselves to presenting a simulator which we hop e will convince the reader without a

detailed analysis We start with three simplifying conventions which are useful in general

Without loss of generality we may assume that the cheating verier strategy is implemented

by a deterministic p olynomialsize circuit or equivalently by a p olynomialtime algorithm

with an auxiliary input This is justied by xing any outcome of the veriers coins and

observing that our uniform simulation of the various residual deterministic strategies yields

a simulation of the original probabilistic strategy

Without loss of generality it suces to consider cheating veriers that only output their

view of the interaction ie their input coin tosses and the messages the received This is

justied by observing that the output of the original verier can b e computed by an algorithm

of comparable complexity that is given the veriers view of the interaction Thus it suces

to simulate the view of that cheating veriers have of the real interaction

Without loss of generality it suces to construct a weak simulator that pro duces output

with some noticeable probability This is the case b ecause by rep eatedly invoking this weak

simulator p olynomially many times we may obtain a simulator that fails to pro duce an

output with negligible probability whereas the latter yields a simulator that never fails as

required

The simulator starts by selecting uniformly and indep endently a random color ie element of

f g for each vertex and feeding the verier strategy with random commitments to these

random colors Indeed the simulator feeds the verier with a distribution that is very dierent

from the distribution that the verier sees in a real interaction with the prover However b eing

computationallyrestricted the verier cannot tell these distributions apart or else we obtain a

contradiction to the security of the commitment scheme in use Now if the verier asks to insp ect

an edge that is prop erly colored then the simulator p erforms the prop er decommitment action and

outputs the transcript of this interaction Otherwise the simulator halts pro claiming failure We

claim that failure o ccurs with probability approximately or else we obtain a contradiction to

the security of the commitment scheme in use Furthermore based on the same hypothesis but via

a more complex pro of conditioned on not failing the output of the simulator is computationally

indistinguishable from the veriers view of the real interaction

Zeroknowledge pro ofs for other NPsets By using the standard Karpreductions to

Colorability the proto col of Figure can b e used for constructing zeroknowledge pro ofs for any

set in NP We comment that this is probably the rst time that an NPcompleteness result was used

in a p ositive way ie in order to construct something rather than in order to derive a hardness

result Subsequent p ositive uses of completeness results have app eared in the context of interactive

pro ofs probabilistically checkable pro ofs hardness versus randomness trade

os and statistical zeroknowledge

Eciency considerations The proto col in Figure calls for invoking some constantround

proto col for a nonconstant number of times At rst glance it seems that one can derive a

constantround zeroknowledge pro of system of negligible soundness error by p erforming these

invocations in parallel rather than sequentially Unfortunately as demonstrated in this

intuition is not sound See further discussions in Sections and We comment that the number

of rounds in a proto col is commonly considered the most imp ortant eciency criteria or complexity

measure and typically one desires to have it b e a constant We mention that under standard

intractability assumptions eg the intractability of factoring constantround zeroknowledge

pro ofs of negligible soundness error exists for every set in NP cf

Using ZeroKnowledge Pro ofs for NPsets

We stress two imp ortant asp ects regarding Theorem Firstly it provides a zeroknowledge

pro of for every NPset and secondly the prescrib ed prover can b e implemented in probabilistic

p olynomialtime when given an adequate NPwitness

A generic application In a typical cryptographic setting a user referred to as U has a secret

and is supp osed to take some action dep ending on its secret The question is how can other

users verify that U indeed to ok the correct action as determined by U s secret and the publicly

known information Indeed if U discloses its secret then anybo dy can verify that U to ok the

correct action However U do es not want to reveal its secret Using zeroknowledge pro ofs we

can satisfy b oth conicting requirements ie having other users verify that U to ok the correct

action without violating U s interest in not revealing its secrets That is U can prove in zero

knowledge that it to ok the correct action Note that U s claim to having taken the correct action

is an NPassertion since U s legal action is determined as a p olynomialtime function of its secret

and the public information and that U has an NPwitness to its validity ie the secret is an

NPwitness to the claim that the action ts the public information Thus by Theorem it is

p ossible for U to eciently prove the correctness of its action without yielding anything ab out its

secret Consequently it is fair to ask U to prove in zeroknowledge that it b ehaves prop erly and

so to force U to b ehave prop erly Indeed forcing prop er b ehavior is the canonical application of

zeroknowledge pro ofs see

Zeroknowledge pro ofs for all IP For the sake of elegancy we mention that under the same

assumption used in case of NP it holds that any set that has an interactive proof also has a

zeroknowledge interactive proof cf

Part II

Advanced Topics

Comp osing zeroknowledge proto cols

A natural question regarding zeroknowledge pro ofs and arguments is whether the zeroknowledge

condition is preserved under a variety of comp osition op erations Three types of comp osition op er

ation were considered in the literature sequential composition parallel composition and concurrent

composition We note that the preservation of zeroknowledge under these forms of comp osition is

not only interesting on its own sake but rather also sheds light of the preservation of the security

of general proto cols under these forms of comp osition

We stress that when we talk of comp osition of proto cols or pro of systems we mean that the

honest users are supp osed to follow the prescrib ed program sp ecied in the proto col description

that refers to a single execution That is the actions of honest parties in each execution are inde

p endent of the messages they received in other executions The adversary however may co ordinate

the actions it takes in the various executions and in particular its actions in one execution may

dep end also on messages it received in other executions

Let us motivate the asymmetry b etween the indep endence of executions assumed of honest

parties but not of the adversary Co ordinating actions in dierent executions is typically dicult

but not imp ossible Thus it is desirable to use comp osition as dened ab ove rather than to use

proto cols that include interexecution co ordinationactions which require users to keep track of

all executions that they p erform Actually trying to co ordinate honest executions is even more

problematic than it seems b ecause one may need to co ordinate executions of dierent honest parties

eg all employees of a big co op eration or an agency under attack which in many cases is highly

unrealistic On the other hand the adversary attacking the system may b e willing to go into the

extra trouble of co ordinating its attack in the various executions of the proto col

For T fsequential parallel concurrentg we say that a proto col is T zeroknowledge

if it is zeroknowledge under a comp osition of type T The denitions of T zeroknowledge are

derived from Denition by considering appropriate adversaries ie adversarial veriers that

is adversaries that can initiate a p olynomial number of interactions with the prover where these

interactions are scheduled according to the type T The corresp onding simulator which as usual

interacts with nob o dy is required to pro duce an output that is computationally indistinguishable

from the output of such a type T adversary

Sequential Comp osition

In this case the proto col is invoked p olynomially many times where each invocation follows

the termination of the previous one At the very least security eg zeroknowledge should b e

preserved under sequential comp osition or else the applicability of the proto col is highly limited

b ecause one cannot safely use it more than once

Referring to Denition we mention that whereas the simplied version ie without aux

iliary inputs is not closed under sequential comp osition cf the actual version ie with

auxiliary inputs is closed under sequential comp osition cf We comment that the same phe

nomena arises when trying to use a zeroknowledge pro of as a subproto col inside larger proto cols

Indeed it is for these reasons that the augmentation of the most basic denition by auxiliary

inputs was adopted in all subsequent works

Bottomline Every proto col that is zeroknowledge under Denition is sequentialzero

knowledge

Without loss of generality we may assume that the adversary never violates the scheduling condition it may

instead send an illegal message at the latest p ossible adequate time Furthermore without loss of generality we may

assume that all the adversarys messages are delivered at the latest p ossible adequate time

Interestingly the preliminary version of Goldwasser Micali and Racko s work used the most basic

denition whereas the nal version of this work used the augmented denition In some works the most basic

denition is used for simplicity but typically one actually needs and means the augmented denition

Parallel Comp osition

In this case p olynomially many instances of the proto col are invoked at the same time and

pro ceed at the same pace That is we assume a synchronous mo del of communication and consider

p olynomially many executions that are totally synchronized so that the ith message in all instances

is sent exactly or approximately at the same time Natural variants on this mo del are discussed

b elow as well as at the end of Section

It turns out that in general zeroknowledge is not closed under parallel comp osition A simple

counterexample to the parallel comp osition conjecture is depicted in Figure This counter

example which is adapted from consists of a simple proto col that is zeroknowledge in a

strong sense but is not closed under parallel comp osition not even in a very weak sense

n n

Consider a party P holding a random or rather pseudorandom function f f g f g and

willing to participate in the following proto col with resp ect to security parameter n The other party

called A for adversary is supp osed to send P a binary value v f g sp ecifying which of the following

cases to execute

n

For v Party P uniformly selects f g and sends it to A which is supp osed to reply with

a pair of nbit long strings denoted Party P checks whether or not f In case

equality holds P sends A some secret information

n

For v Party A is supp osed to uniformly select f g and sends it to P which selects

n

uniformly f g and replies with the pair f

Observe that P s strategy is zeroknowledge even wrt auxiliaryinputs as dened in Denition

Intuitively if the adversary A chooses the case v then it is infeasible for A to guess a passing pair

with resp ect to the random selected by P Thus except with negligible probability when it

may get secret information A do es not obtain anything from the interaction On the other hand if

the adversary A chooses the case v then it obtains a pair that is indistinguishable from a uniformly

selected pair of nbit long strings b ecause is selected uniformly by P and for any the value f

lo oks random to A

a

In contrast if the adversary A can conduct two concurrent executions with P then it may learn the

desired secret information In one session A sends v while in the other it sends v Up on

receiving P s message denoted in the rst session A sends as its own message in the second

session obtaining a pair f from P s execution of the second session Now A sends the pair

f to the rst session of P this pair passes the check and so A obtains the desired secret

a

Dummy messages may b e added in b oth cases in order to make the ab ove scheduling t the p erfectly parallel case

Figure A counterexample adapted from to the parallel rep etition conjecture

for zeroknowledge proto cols

We comment that at the s the study of parallel comp osition was interpreted mainly in the

context of roundecient error reduction cf that is the construction of fulledge zero

knowledge pro ofs of negligible soundness error by comp osing in parallel a basic zeroknowledge

proto col of high but b ounded away from soundness error Since alternative ways of constructing

constantround zeroknowledge pro ofs and arguments were found cf interest in

parallel comp osition of zeroknowledge proto cols has died In retrosp ect this was a conceptual

mistake b ecause parallel comp osition and mild extensions of this notion capture the preservation

of security in a fully synchronous or almostfully synchronous communication network We note

that the almostfully synchronous communication mo del is quite realistic in many settings although

it is certainly preferable not to assume even weak synchronism

Although in general zeroknowledge is not closed under parallel comp osition under standard

intractability assumptions eg the intractability of factoring there exists zeroknowledge pro

to cols for NP that are closed under parallel comp osition Furthermore these proto cols have a

constant number of rounds cf for pro ofs and for arguments Both results extend also

to concurrent comp osition in a synchronous communication mo del where the extension is in al

lowing proto col invocations to start at dierent synchronous times and in particular executions

may overlap but not run simultaneously

We comment that parallel comp osition is problematic also in the context of reducing the sound

ness error of arguments cf but our fo cus here is on the zeroknowledge asp ect of proto cols

regardless if they are pro ofs arguments or neither

Bottomline Under standard intractability assumptions every NPset has a constantround

parallelzeroknowledge pro of

Concurrent Comp osition with and without timing

Concurrent comp osition generalizes b oth sequential and parallel comp osition Here p olynomially

many instances of the proto col are invoked at arbitrary times and pro ceed at arbitrary pace That

is we assume an asynchronous rather than synchronous mo del of communication

In the s when extensive twoparty and multiparty computations b ecame a reality rather

than a vision it b ecame clear that it is at least desirable that cryptographic proto cols maintain

their security under concurrent comp osition cf In the context of zeroknowledge concurrent

comp osition was rst considered by Dwork Naor and Sahai Actually two mo dels of concurrent

comp osition were considered in the literature dep ending on the underlying mo del of communication

ie a purely asynchronous model and an asynchronous model with timing Both mo dels cover

sequential and parallel comp osition as sp ecial cases

Concurrent comp osition in the pure asynchronous mo del Here we refer to the standard

mo del of asynchronous communication In comparison to the timing mo del the pure asynchronous

mo del is a simpler mo del and using it requires no assumptions ab out the underlying communication

channels However it seems harder to construct concurrent zeroknowledge proto cols for this mo del

In particular for a while it was not known whether concurrent zeroknowledge pro ofs for NP

exist at all in this mo del Under standard intractability assumptions eg the intractability of

factoring this question was armatively resolved by Richardson and Kilian Following their

work research has fo cused on determining the roundcomplexity of concurrent zeroknowledge

pro ofs for NP This question is still op ened and the current state of the art regarding it is as

follows

Under standard intractability assumptions every language in NP has a concurrent zero

knowledge pro of with almostlogarithmically many rounds cf building up on which

in turn builds over Furthermore the zeroknowledge prop erty can b e demonstrated

using a blackbox simulator see denition in Sections and

Blackbox simulator cannot demonstrated the concurrent zeroknowledge prop erty of non

trivial pro ofs or arguments having signicantly less than logarithmicallymany rounds cf

In case of parallelzeroknowledge proofs there is no need to sp ecify the soundness error b ecause it can always

b e reduced via parallel comp osition As mentioned ab ove this is not the case with resp ect to arguments which were

therefore dened to have negligible soundness error

Canetti et al

Recently Barak demonstrated that the blackbox simulation barrier can b e bypassed

With resp ect to concurrent zeroknowledge he only obtains partial results constantround

zeroknowledge arguments rather than pro ofs for NP that maintain security as long as an

apriori b ounded p olynomial number of executions take place concurrently The length of

the messages in his proto col grows linearly with this apriori b ound

Thus it is currently unknown whether or not constantround proto cols for NP may b e concurrent

zeroknowledge in the pure asynchronous mo del

Concurrent comp osition under the timing mo del A mo del of naturallylimited asyn

chronousness which certainly covers the case of parallel comp osition was introduced by Dwork

Naor and Sahai Essentially they assume that each party holds a lo cal clo ck such that the

relative clo ck rates are b ounded by an apriori known constant and consider proto cols that employ

timedriven op erations ie timeout incoming messages and delay outgoing messages The

b enet of the timing mo del is that it is known to construct concurrent zeroknowledge proto cols for

it Sp ecically using standard intractability assumptions constantround arguments and pro ofs

that are concurrent zeroknowledge under the timing mo del do exist cf and resp ectively

The disadvantages of the timing mo del are discussed next

The timing mo del consists of the assumption that talking ab out the actual timing of events is

meaningful at least in a weak sense and of the introduction of timedriven operations The timing

assumption amounts to p ostulating that each party holds a lo cal clo ck and knows a global b ound

denoted on the relative rates of the lo cal clo cks Furthermore it is p ostulated that the

parties know a p essimistic b ound denoted on the messagedelivery time which also includes

the lo cal computation and handling times In our opinion these timing assumptions are most rea

sonable and are unlikely to restrict the scop e of applications for which concurrent zeroknowledge

is relevant We are more concerned ab out the eect of the timedriven op erations introduced in

the timing mo del Recall that these op erations are the timeout of incoming messages and the

delay of outgoing messages Furthermore typically the delay p erio d is at least as long as the

timeout p erio d which in turn is at least ie the timeout p erio d must b e at least as long as

the p essimistic b ound on messagedelivery time so not to disrupt the prop er op eration of the pro

to col This means that the use of these timedriven op erations yields slowing down the execution

of the proto col ie running it at the rate of the p essimistic messagedelivery time rather than at

the rate of the actual messagedelivery time which is typically much faster Still in absence of

more app ealing alternatives ie a constantround concurrent zeroknowledge proto col for the pure

asynchronous mo del the use of the timing mo del may b e considered reasonable We comment

than other alternatives to the timingmo del include various setup assumptions cf

Back to parallel comp osition Given our opinion ab out the timing mo del it is not surprising

that we consider the problem of parallel comp osition almost as imp ortant as the problem of concur

rent comp osition in the timing mo del Firstly it is quite reasonable to assume that the parties lo cal

By nontrivial pro of systems we mean ones for languages outside BPP whereas by signicantly less than

logarithmic we mean any function f N N satisfying f n olog n log log n In contrast by almostlogarithmic

we mean any function f satisfying f n log n

The rate should b e computed with resp ect to reasonable intervals of time for example for as dened b elow one

may assume that a time p erio d of units is measured as units of time on the lo cal clo ck where

clo cks have approximately the same rate and that drifting is corrected by o ccasional clo ck syn

chronization Thus it is reasonable to assume that the parties have approximatelygoo d estimate

of some global time Furthermore the global time may b e partitioned into phases each consisting

of a constant number of rounds so that each party wishing to execute the proto col just delays

its invocation to the b eginning of the next phase Thus concurrent execution of constantround

proto cols in this setting amounts to a sequence of timedisjoint almostparallel executions of the

proto col Consequently proving that the proto col is parallel zeroknowledge suces for concurrent

comp osition in this setting

Relation to resettable zeroknowledge Going to the other extreme we mention that there

exist a natural mo del of zeroknowledge that is even stronger than concurrent zeroknowledge even

in the pure asynchronous mo del Sp ecically resettable zeroknowledge as dened in Section

implies concurrent zeroknowledge

Using the adversarys program in the pro of of security

As discussed in the rst part of this tutorial zeroknowledge is dened by following the simulation

paradigm which in turn underlies many other central denitions in cryptography Recall that

the denition of zeroknowledge pro ofs states that whatever an ecient adversary can compute

after interacting with the prover can actually b e eciently computed from scratch by a socalled

simulator which works without interacting with the prover Although the simulator may dep end

arbitrarily on the adversary the need to present a simulator for each feasible adversary seems to

require the presentation of a universal simulator that is given the adversarys strategy or program

as another auxiliary input The question addressed in this section is how can the universal simulator

use the adversarys program

The adversarys program or strategy is actually a function determining for each p ossible view

of the adversary ie its input random choices and the message it has received so far which

message will b e sent next Thus we identify the adversarys program with this nextmessage

function As stated in Section until very recently all universal simulators constructed to

wards demonstrating zeroknowledge prop erties have used the adversarys program or rather its

nextmessage function as a blackbox ie the simulator invoked the nextmessage function on a

sequence of arguments of its choice Furthermore in view of the presumed diculty of reverse

engineering programs it was commonly b elieved that nothing is lost by restricting attention to

simulators called blackb ox simulators that only make blackbox usage of the adversarys program

Consequently Goldreich and Krawczyk conjectured that imp ossibility results regarding blackbox

simulation represent inherent limitations of zeroknowledge itself and studied the limitations of the

former

In particular they showed that parallel comp osition of the proto col of Figure as well

as of any constantround publiccoin proto col cannot be proven to be zeroknowledge

using a blackbox simulator unless the language ie Colorability is in BPP In fact

their result refers to any constantround publiccoin proto col with negligible soundness

error regardless of how such a proto col is obtained This result was taken as strong

evidence towards the conjecture that constantround publiccoin proto col with negligible

soundness error cannot be zeroknowledge unless the language is in BPP

Similarly as mentioned in Section it was shown that proto cols of sublogarithmic

number of rounds cannot be proven to be concurrent zeroknowledge via a blackbox

simulator and this was taken as evidence towards the conjecture that such proto cols

cannot b e concurrent zeroknowledge

In contrast to these conjectures and supp ortive evidence Barak showed how to constructed non

blackbox simulators and obtained several results that were known to b e unachievable via blackbox

simulators In particular under standard intractability assumption see also he presented

constantround publiccoin zeroknowledge arguments with negligible soundness error for any lan

guage in NP Moreover the simulator runs in strict p olynomialtime which is imp ossible for

blackbox simulators of nontrivial constantround proto cols Furthermore this proto col pre

serves zeroknowledge under a xed p olynomial number of concurrent executions in contrast to

the result of regarding blackbox simulators that holds also in that restricted case Thus

Baraks result calls for the reevaluation of many common b eliefs Most concretely it says that

results regarding blackbox simulators do not reect inherent limitations of zeroknowledge but

rather an inherent limitation of a natural way of demonstrating the zeroknowledge prop erty Most

abstractly it says that there are meaningful ways of using a program other than merely invoking

it as a blackbox

Do es this means that a metho d was found to reverse engineer programs or to understand

them We b elieve that the answer is negative Barak is using the adversarys program in a

signicant way ie more signicant than just invoking it without understanding it So how

does he use the program

The key idea underlying Baraks proto col is to have the prover prove that either the original

NPassertion is valid or that he ie the prover knows the veriers residual strategy in the sense

that it can predict the next verier message Indeed in a real interaction with the honest verier

it is infeasible for the prover to predict the next verier message and so computationalsoundness

of the proto col follows However a simulator that is given the co de of the veriers strategy and

not merely oracle access to that co de can pro duce a valid pro of of the disjunction by prop erly

executing the subproto col using its knowledge of an NPwitness for the second disjunctive The

simulation is computational indistinguishable from the real execution provided that one cannot

distinguish an execution of the subproto col in which one NPwitness ie an NPwitness for the

original assertion is used from an execution in which the second NPwitness ie an NPwitness

for the auxiliary assertion is use That is the subproto col should b e a witness indistinguishable

argument system see further discussion b elow We warn the reader that the actual implementation

of the ab ove idea requires overcoming several technical diculties cf

Perspective In retrosp ect taking a wide p ersp ective it should not come as a surprise that the

programs co de yields extra p ower b eyond blackbox access to it Feeding a program with its own

co de or part of it is the essence of the diagonalization technique and this to o is done without

reverse engineering Furthermore various nonblackbox techniques have app eared b efore in the

cryptographic setting but they were used in the more natural context of devising an attack on

an articial insecure scheme eg towards proving the failure of the Random Oracle Metho dol

ogy and the imp ossibility of software obfuscation In contrast in and the co de

of the adversary is b eing used within a sophisticated pro of of security What we wish to highlight

here is that nonblackbox usage of programs is relevant also to proving rather than to disproving

the security of systems

The proto col dep ends on the p olynomial b ounding the number of executions and thus is not known to b e

concurrent zeroknowledge b ecause the latter requires to x the proto col and then consider any p olynomial number

of concurrent executions

Digest Witness Indistinguishability and the FLSTechnique

The ab ove description of as well as several other sophisticated constructions of zeroknowledge

proto cols eg makes crucial use of a technique introduced by Feige Lapidot and

Shamir which in turn is based on the notion of witness indistinguishability introduced by

Feige and Shamir

Lo osely sp eaking for any NPrelation R an argument system for the corresp onding language

ie L is called witness indistinguishable if no feasible verier may distinguish the case in which

R

the prover uses one NPwitness to x ie w such that x w R from the case the prover is

using a dierent NPwitness to the same input x ie w such that x w R Furthermore if

x is indistinguishable from x then no feasible verier may distinguish the case in which the prover

uses w to prove x L from the case that the prover uses w to prove x L Clearly any

R R

zeroknowledge proto col is witness indistinguishable but the converse do es not necessarily hold and

it seems that witness indistinguishable proto cols are easier to construct than zeroknowledge ones

We mention that witness indistinguishable proto cols are closed under parallel comp osition

whereas this do es not hold in general for zeroknowledge proto cols

Following is a sketchy description of a sp ecial case of the FLStechnique whereas the ab ove

mentioned application uses a more general version which refers to pro ofs of knowledge as dened

in Section In this sp ecial case the technique consists of the following construction schema

which uses witness indistinguishable proto cols for NP in order to obtain zeroknowledge proto cols

for NP On common input x L where L L is the NPset dened by the witness relation R

R

the following two steps are p erformed

The parties generate an instance x for an auxiliary NPset L where L is dened by a witness

relation R The generation protocol in use must satisfy the following two conditions

a If the verier follows its prescrib ed strategy then no matter which feasible strategy is

used by the prover with high probability the proto cols outcome is a noinstance of L

b Lo osely sp eaking there exists an ecient noninteractive pro cedure for pro ducing a

random transcript of the generation proto col along with an NPwitness for the corre

sponding outcome such that the pro duced transcript is computationally indistinguishable

from the transcript of a real execution of the proto col

The parties execute a witness indistinguishable proto col for the set L dened by the witness

relation R f R R g The subproto col is such that

the corresp onding prover can b e implemented in probabilistic p olynomialtime given an NP

witness for L The subproto col is invoked on common input x x where x is

the outcome of Step and the subprover is invoked with the corresp onding NPwitness as

auxiliary input ie with w where w is the NPwitness for x given to the main prover

The computationalsoundness of the ab ove proto col follows by Prop erty a of the generation pro

to col ie with high probability x L and so x L follows by the soundness of the proto col used

in Step To demonstrate the zeroknowledge prop erty we rst generate a simulated transcript of

The additional condition yields a stronger notion cf Def but for simplicity we call it witness

indistinguishability

In the general case the generation proto col may generate an instance x in L but it is infeasible for the prover

to obtain a corresp onding witness ie a w such that x w R In the second step the subproto col in use

ought to b e a pro of of knowledge and computationalsoundness of the main proto col will follows b ecause otherwise

the prover using a knowledge extractor can obtain a witness for x L

Step with outcome x L along with an adequate NPwitness ie w such that x w L

and then emulates Step by feeding the subprover strategy with the NPwitness w Com

bining Prop erty b of the generation proto col and the witness indistinguishability prop erty of the

proto col used in Step the simulation is indistinguishable from the real execution

Pro ofs of Knowledge

This section addresses the concept of pro ofs of knowledge Lo osely sp eaking these are pro ofs in

which the prover asserts knowledge of some ob ject eg a coloring of a graph and not merely

its existence eg the existence of a coloring of the graph which in turn implies that the graph

is colorable But what is meant by saying that a machine knows something Indeed the main

thrust of this section is in addressing this question Before doing so we p oint out that pro ofs of

knowledge and in particular zeroknowledge pro ofs of knowledge have many applications to

the design of cryptographic schemes and cryptographic proto cols In fact we have already referred

to pro ofs of knowledge in Section

How to dene pro ofs of knowledge

What do es it mean to say that a machine knows something Any standard dictionary suggests

several meanings for the verb to know and most meanings are phrased with reference to awareness

a notion which is certainly inapplicable in the context of machines We must lo ok for a behavioristic

interpretation of the verb to know Indeed it is reasonable to link knowledge with ability to do

something eg the ability to write down whatever one knows Hence we will say that a machine

knows a string if it can output the string But this seems as total nonsense to o a machine

has a well dened output either the output equals or it do es not So what can b e meant by

saying that a machine can do something Lo osely sp eaking it may mean that the machine can b e

easily modied so that it do es whatever is claimed More precisely it may mean that there exists

an ecient machine that using the original machine as a blackbox or given its co de as an input

outputs whatever is claimed

So much for dening the knowledge of machines Yet whatever a machine knows or do es not

know is its own business What can b e of interest and reference to the outside is the question of

what can b e deduced ab out the knowledge of a machine after interacting with it Hence we are

interested in pro ofs of knowledge rather than in mere knowledge

For sake of simplicity let us consider a concrete question how can a machine prove that it knows

a coloring of a graph An obvious way is just to send the coloring to the verier Yet we claim

that applying the proto col in Figure ie the zeroknowledge pro of system for Colorability is

an alternative way of proving knowledge of a coloring of the graph

Lo osely sp eaking we may say that an interactive machine V constitutes a verier for knowledge

of coloring if the probability that the verier is convinced by a machine P to accept the graph G

is inversely prop ortional to the diculty of extracting a coloring of G when using machine P as

a black b ox Namely the extraction of the coloring is done by an oracle machine called an

extractor that is given access to a function sp ecifying the b ehavior P ie the messages it sends in

resp onse to particular messages it may receives We require that the exp ected running time of

the extractor on input G and access to an oracle sp ecifying P s messages b e inversely related by

a factor p olynomial in jGj to the probability that P convinces V to accept G In case P always

Indeed as hinted ab ove one may consider also nonblackbox extractors as done in However this limits

the applicability of the denitions to provers that are implemented by p olynomialsize circuits

convinces V to accept G the extractor runs in exp ected p olynomialtime The same holds in case

P convinces V to accept with noticeable probability We stress that the latter sp ecial cases do not

suce for a satisfactory denition see discussion in Sec

We mention that the concept of pro ofs of knowledge was rst introduced in but the ab ove

formulation is based mostly on A famous application of zeroknowledge pro ofs of knowledge

is to the construction of identication schemes eg the FiatShamir scheme

How to construct pro ofs of knowledge

As hinted ab ove many of the known pro of systems are in fact pro ofs of knowledge Furthermore

some but not all known zeroknowledge pro ofs resp arguments are in fact pro ofs resp argu

ments of knowledge Indeed a notable example is the zeroknowledge pro of depicted in Figure

For further discussion see Sec and

NonInteractive ZeroKnowledge

In this section we consider noninteractive zeroknowledge pro of systems The mo del introduced

in consists of three entities a prover a verier and a uniformly selected reference string

which can b e thought of as b eing selected by a trusted third party Both verier and prover can

read the reference string and each can toss additional coins The interaction consists of a single

message sent from the prover to the verier who then is left with the nal decision whether to

accept or not The basic zeroknowledge requirement refers to a simulator that outputs pairs

that should b e computationally indistinguishable from the distribution of pairs consisting of a

uniformly selected reference string and a random prover message seen in the real mo del Non

interactive zeroknowledge pro of systems have numerous applications eg to the construction of

publickey encryption and signature schemes where the reference string may b e incorp orated in the

publickey Several dierent denitions of noninteractive zeroknowledge pro ofs were considered

in the literature

In the basic denition one considers proving a single assertion of apriori b ounded length

where this length may b e smaller than the length of the reference string

A natural extension required in many applications is the ability to prove multiple assertions

of varying length where the total length of these assertions may exceed the length of the

reference string as long as the total length is p olynomial in the length of the reference

string This denition is sometimes referred to as the unbounded denition b ecause the

total length of the assertions to b e proven is not apriori b ounded

In particular note that the latter probability ie of b eing convinced may b e neither noticeable ie b ounded

b elow by the recipro cal of some p olynomial nor negligible ie b ounded ab ove by the recipro cal of every p olynomial

Thus events that o ccur with probability that is neither noticeable nor negligible cannot neither b e ignored nor o ccur

with high probability when the exp eriment is rep eated for an apriori b ounded p olynomial number of times

Arguments of knowledge are dened analogous to pro ofs of knowledge while limiting the extraction requirement

to provers that are implemented by p olynomialsize circuits In this case it is natural to allow also nonblackbox

extraction as discussed in Footnote

Note that the verier do es not eect the distribution seen in the real mo del and so the basic denition of

zeroknowledge do es not refer to it The verier or rather a pro cess of adaptively selecting assertions to b e proven

will b e referred to in the adaptive variants of the denition

Other natural extensions refer to the preservation of security ie b oth soundness and zero

knowledge when the assertions to b e proven are selected adaptivity based on the reference

string and p ossibly even based on previous pro ofs

Finally we mention the notion of simulationsoundness which is related to nonmal leability

This extension which mixes the zeroknowledge and soundness conditions refers to the sound

ness of pro ofs presented by an adversary after it obtains pro ofs of assertions of its own choice

with resp ect to the same reference string This notion is imp ortant in applications of non

interactive zeroknowledge pro ofs to the construction of publickey encryption schemes secure

against chosen ciphertext attacks see Sec

Constructing noninteractive zeroknowledge pro ofs seems more dicult than constructing interac

tive zeroknowledge pro ofs Still based on standard intractability assumptions eg intractability

of factoring it is known how to construct a noninteractive zeroknowledge pro of even in the

adaptive and nonmalleable sense for any NPset

Suggestions for further reading For a denitional treatment of the basic unbounded and

adaptive denitions see Sec Increasingly stronger variants of the nonmalleable denition

are presented in Sec and A relatively simple construction for the basic mo del is

presented in see also Sec A more ecient construction can b e found in

A transformation of systems for the basic mo del into systems for the unbounded mo del is also

presented in and Sec Constructions for increasingly stronger variants of the

adaptive nonmalleable denition are presented in Sec and

Statistical ZeroKnowledge

Recall that statistical zeroknowledge proto cols are such in which the distribution ensembles referred

to in Denition are required to b e statistically indistinguishable rather than computationally

indistinguishable Under standard intractability assumptions every NPset has a statistical zero

knowledge argument On the other hand it is unlikely that all NPsets have statistical zero

knowledge proofs Currently the intractability assumption used for constructing statistical

zeroknowledge arguments for NP seems stronger than the assumption used for constructing

computational zeroknowledge proofs for NP Assuming b oth constructs exist the question of

which to prefer dep ends on the application eg is it more imp ortant to protect the provers secrets

or to protect the verier from b eing convinced of false assertions In contrast Statistical zero

knowledge proofs whenever they exist free us from this dilemma Indeed this is one out of several

reasons for studying these ob jects That is

Statistical zeroknowledge pro ofs oer informationtheoretic security to b oth parties Thus

whenever they exist statistical zeroknowledge pro ofs may b e preferred over computational

zeroknowledge pro ofs which only oer computational security to the prover and over sta

tistical zeroknowledge arguments which only oer computational security to the verier

Statistical zeroknowledge pro ofs provide a clean mo del for the study of various questions

regarding zeroknowledge Often this study results in techniques that are applicable also for

computational zeroknowledge one example is mentioned b elow

The class of problems having statistical zeroknowledge pro ofs is interesting from a complex

ity theoretic p oint of view On one hand this class is likely to b e a prop er sup erset of BPP

eg it contains seemingly hard problems such as Quadratic Resideousity Graph Iso

morphism and a promise problem equivalent to the Discrete Logarithm Problem

On the other hand this class is contained in AM co AM cf which is b elieved not

to extend much b eyond NP co NP AM is the class of sets having tworound publiccoin

interactive pro ofs

In the rest of this section we survey the main results regarding the internal structure of the

class of sets having statistical zeroknowledge pro ofs This study was initiated to a large extent

by Okamoto We rst present transformations that when applied to certain statistical zero

knowledge proto cols yield proto cols with additional prop erties Next we consider several structural

prop erties of the class most notably the existence of natural complete problems discovered by Sahai

and Vadhan For further details see

Transformations

The rst transformation takes any publiccoin interactive pro of that is statistical zeroknowledge

with resp ect to the honest verier and returns a publiccoin statistical zeroknowledge When

applied to a publiccoin interactive pro of that is computational zeroknowledge with resp ect to

the honest verier the transformation yields a computational zeroknowledge pro of Thus this

transformation amplies the security of publiccoin proto cols from leaking nothing to the

prescrib ed verier into leaking nothing to any cheating verier

The heart of the transformation is a suitable random selection proto col which is used to emulate

the veriers messages in the original proto col Lo osely sp eaking the random selection proto col is

zeroknowledge in a strong sense and the eect of each of the parties on the proto cols outcome is

adequately b ounded For example it is imp ossible for the verier to eect the proto cols outcome

by more than a negligible amount whereas the prover cannot increase the probability that the

outcome hits any set by more than some sp ecic sup erp olynomial factor

The rst transformation calls our attention to publiccoin interactive pro ofs that are statistical

zeroknowledge with resp ect to the honest verier In general publiccoin interactive pro ofs are

easier to manipulate than general interactive pro ofs The second transformation takes any statistical

zeroknowledge with resp ect to the honest verier pro of and returns one that is of the publiccoin

type see which builds on Unfortunately the second transformation which is analogous

to a previously known result regarding interactive pro ofs do es not extend to computational

zeroknowledge

Combined together the two transformations imply that the class of sets or promise problems

having interactive pro ofs that are statistical zeroknowledge with resp ect to the honest verier

equals the class of sets having general statistical zeroknowledge pro ofs

Complete problems and structural prop erties

In the rest of this section we consider classes of promise problems rather than classes of decision

problems or sets Sp ecically we denote by SZK the class of problems having a statistical zero

knowledge pro of Recall that BPP SZK AM co AM and that the rst inclusion is b elieved

to b e strict

One remarkable prop erty of the class SZK is that it has natural complete problems ie

problems in SZK such that any problem in SZK is Karpreducible to them One such problem

is to distinguish pairs of distributions given via sampling circuits that are statistically close from

pairs that are statistically far apart Another such problem is given two distributions of

suciently dierent entropy to tell which has higher entropy It is indeed interesting that the

class statistical zeroknowledge is all ab out statistics or probability

Another remarkable prop erty of SZK is the fact that it is closed under complementation

see which builds on In fact SZK is closed under NC truthtable reductions

NonInteractive SZK A systematic study of NonInteractive Statistical ZeroKnowledge pro of

systems was conducted in The main result is evidence to the nontriviality of the class ie

it contains sets outside BPP if and only if SZK BPP

Knowledge Complexity

One of the many contributions of the seminal pap er of Goldwasser Micali and Racko is

the introduction of the concept of knowledge complexity Knowledge complexity is intended to

measure the computational advantage gained by interaction Hence something that can b e obtained

without interaction is not considered knowledge The latter phrase is somewhat qualitative and

supplies the intuition underlying the denition of zeroknowledge ie knowledge complexity zero

as surveyed ab ove Quantifying the amount of knowledge gained by interaction in case it is not

zero is more problematic We stress that the denition of zeroknowledge does not dep end on

the formulation of the amount of know ledge gained b ecause this denition addresses the case in

which no know ledge is gained

Several denitions of knowledge complexity has app eared in the literature where some are

closely related and quite robust cf Here we survey one denitional approach which we

consider most satisfactory According to this approach the amount of knowledge gained in an

interaction is b ounded by the number of bits that are communicated in an alternative interaction

that allows to simulate the original interaction That is party P is said to yield at most k bits

of knowledge on inputs in S if whatever can b e eciently computed through an interaction

with P on common input x S can also b e eciently computed through an interaction on

the same common input x with an alternative machine P that sends at most k jxj bits This

formulation can b e applied with resp ect to various types of simulations extending the various

types of zeroknowledge Our fo cus is on the extension of statistical zeroknowledge pro ofs b ecause

under standard intractability assumptions any language in IP has a computational zeroknowledge

pro of We note that without loss of generality the knowledgegivingmachine can b e made

memoryless and deterministic ie by providing it with all previous messages and with coin tosses

Hence the knowledgegivingmachine is merely an oracle and we may think of the simulation

as b eing p erformed by an oracle machine and count the number of its binary queries For further

discussion of this and other denitions the reader is referred to

A natural research pro ject is to characterize languages according to the statistical knowledge

complexity of their interactive pro of systems The main result known for the ab ove denition

is that languages with logarithmic statistical knowledgecomplexity are in AM coAM cf

building on and Thus unless the p olynomial time hierarchy collapses cf NP

complete set have sup erlogarithmic statistical knowledgecomplexity

In general it seems that quantitative notions are harder to handle than qualitative ones

Resettability of a partys randomtap e rZK and rsZK

Having gained a reasonable understanding of the security of cryptographic schemes and proto cols

as standalone cryptographic research is moving towards the study of stronger notions of security

Examples include the eect of executing several instances of the same proto col concurrently eg

the malleability of an individual proto col as well as the eect of executing the proto col con

currently to any other activity or set of proto cols Another example of a stronger notion of

security which is of theoretical and practical interest is the security of proto cols under a resetting

attack In such an attack a party may b e forced to execute a protocol several times while using the

same randomtape and without coordinating these executions eg by maintaining a joint state

The theoretical interest in this notion stems from the fact that randomness plays a pivotal role in

cryptography and thus the question of whether one needs fresh randomness in each invocation of

a cryptographic proto col is very natural The practical imp ortance is due to the fact that in many

settings it is imp ossible or undesirable to generate fresh randomness on the y or to maintain a

state b etween executions

Resettable ZeroKnowledge rZK Resettability of players in a cryptographic proto col was

rst considered in which studies what happ ens to the security of zeroknowledge interactive

pro ofs and arguments when the verier can reset the prover to use the same random tape in multiple

concurrent executions Proto cols that remain zeroknowledge against such a verier are called

resettable zeroknowledge rZK Put dierently the question of prover resettability is whether

zeroknowledge is achievable when the prover cannot use fresh randomness in new interactions

but is rather restricted to reusing a xed number of coins Resettability implies security under

concurrent executions As shown in any rZK proto col constitutes a concurrent zeroknowledge

proto col The opp osite direction do es not hold in general and indeed it was not apriori clear

whether nontrivial rZK proto cols may at all exist Under standard intractability assumptions

it was shown that resettable zeroknowledge interactive pro ofs for any NPset do exist For

related mo dels and eciency improvements see and resp ectively

ResettabllySound ZeroKnowledge rsZK Resettablysound pro ofs and arguments main

tain soundness even when the prover can reset the verier to use the same random coins in repeated

executions of the protocol This notion was studied in who obtained the following results On

one hand under standard intractability assumptions any NPset has a constantround resettably

sound zeroknowledge argument On the other hand resettablysound zeroknowledge proofs are

p ossible only for languages in P p oly The question of whether a proto col for NP can b e b oth

resettablysound and resettablyzeroknowledge is still op en

Zeroknowledge in other mo dels

As stated ab ove zeroknowledge is a prop erty of some interactive strategies regardless of the goal

or other prop erties of these strategies We have seen that zeroknowledge can b e meaningfully

applied in the context of interactive pro ofs and arguments Here we briey discuss the applicability

of zeroknowledge to other settings in which as in the case of arguments there are restrictions

on the type of prover strategies We stress that the restrictions discussed here refer to the strate

gies employed by the prover b oth in case it tries to prove valid assertions ie the completeness

condition and in case it tries to fo ol the verier to b elieve false statements ie the soundness

condition Thus the validity of the verier decision concerning false statements dep ends on

whether this restriction concerning p otential cheating prover strategies really holds The rea

son to consider these restricted mo dels is that they enable to achieve results that are not p ossible

in the general mo del of interactive pro ofs cf We consider restrictions of two

types computational and physical We start with the latter

MultiProver Interactive Pro ofs MIP In the socalled multiprover interactive proof mo del

denoted MIP cf the prover is split into several say two entities and the restriction or

assumption is that these entities cannot interact with each other Actually the formulation allows

them to co ordinate their strategies prior to interacting with the verier but it is crucial that they

dont exchange messages among themselves while interacting with the verier The multiprover

mo del is reminiscent of the common p olice pro cedure of isolating collab orating susp ects and in

terrogating each of them separately A typical application in which the twoprover mo del may b e

assumed is an ATM that veries the validity of a pair of smartcards inserted in two isolated slots of

the ATM The advantage in using such a split system is that it enables the presentation of p erfect

zeroknowledge pro of systems for any set in NP while using no intractability assumptions

Strict ComputationalSoundness aka TimedZK Recall that we have already discussed

one mo del of computationalsoundness that is the mo del of arguments refers to prover strategies

that are implementable by probabilistic p olynomialtime machines with adequate auxiliary input

A more strict restriction studied in refers to prover strategies that are implementable within

an apriori xed number of computation steps where this number is a xed p olynomial in the

length of the common input In reality the provers actual runningtime is monitored by the

verier that may run for a longer time and the provers utility is due to an auxiliary input that

it has An analogous mo del where the length of the auxiliary input is apriori xed was also

considered in

A source of inspiration for complexity theory

Throughout the years zeroknowledge has served as a source of inspiration for mo dels and tech

niques in complexity theory The rst such case is the very introduction of interactive pro ofs which

was motivated by the notion of zeroknowledge

The story b egins with Goldwasser Micali and Racko who sought a general setting for their

novel notion of zeroknowledge The choice fell on pro of systems as capturing a fundamental

activity that takes place in a cryptographic proto col Motivated by the desire to formulate the most

general type of pro ofs that may b e used within cryptographic proto cols Goldwasser Micali and

Racko introduced the notion of an interactive proof system Although the main fo cus of their

pap er is on zeroknowledge the p ossibility that interactive pro of systems may b e more p owerful

than NPpro of systems has b een p ointed out in

Similarly the main motivation for the introduction of multiprover interactive pro ofs in

came from zeroknowledge sp ecically introducing multiprover zeroknowledge pro ofs for NP

without relying on intractability assumptions Again the complexity theoretic prosp ects of the

new class denoted MI P have not b een ignored A more app ealing to our taste formulation of

the class MI P has b een subsequently presented in The latter formulation coincides with the

formulation currently known as probabilistically checkable proofs ie PCP

This is implicit in the universal quantier used in the soundness condition

A related mo del is that of CSpro ofs where the provers strategy is allowed to run in time that is p olynomial in

the time it takes to decide membership of the common input via a canonical decision pro cedure for the language

Getting more technical we mention that the notion of zeroknowledge as well as known zero

knowledge pro of systems have inspired constructions that seem unrelated to zeroknowledge A

notable example is the PCP construction of which was tailored towards obtaining tight inap

proximability results for the chromatic number

Acknowledgments

I wish to thank Yehuda Lindell for p ointing out some errors in previous versions

References

W Aiello and J Hastad Perfect ZeroKnowledge Languages can b e Recognized in Two Rounds In

th IEEE Symposium on Foundations of Computer Science pages

S Arora C Lund R Motwani M Sudan and M Szegedy Pro of Verication and Intractability of

Approximation Problems Journal of the ACM Vol pages Preliminary version in

rd FOCS

S Arora and S Safra Probabilistic Checkable Pro ofs A New Characterization of NP Journal of the

ACM Vol pages Preliminary version in rd FOCS

L Babai Trading Group Theory for Randomness In th ACM Symposium on the Theory of Com

puting pages

L Babai L Fortnow L Levin and M Szegedy Checking Computations in Polylogarithmic Time In

rd ACM Symposium on the Theory of Computing pages

L Babai L Fortnow N Nisan and A Wigderson BPP has Sub exp onential Time Simulations unless

EXPTIME has Publishable Pro ofs Complexity Theory Vol pages

B Barak How to Go Beyond the BlackBox Simulation Barrier In nd IEEE Symposium on Foun

dations of Computer Science pages

B Barak ConstantRound CoinTossing with a Man in the Middle or Realizing the Shared Random

String Mo del In th IEEE Symposium on Foundations of Computer Science to app ear

B Barak and O Goldreich Universal arguments and their applications In the th IEEE Conference

on Computational Complexity pages

B Barak O Goldreich R Impagliazzo S Rudich A Sahai S Vadhan and K Yang On the

imp ossibility of software obfuscation In Crypto SpringerVerlag Lecture Notes in Computer Science

Vol pages

B Barak and Y Lindell Strict Polynomialtime in Simulation and Extraction In th ACM Symposium

on the Theory of Computing pages

B Barak O Goldreich S Goldwasser and Y Lindell ResettablySound ZeroKnowledge and its

Applications In th IEEE Symposium on Foundations of Computer Science pages

M Bellare and O Goldreich On Dening Pro ofs of Knowledge In Crypto SpringerVerlag Lecture

Notes in Computer Science Vol pages

M Bellare R Impagliazzo and M Naor Do es Parallel Rep etition Lower the Error in Computationally

Sound Proto cols In th IEEE Symposium on Foundations of Computer Science pages

M BenOr O Goldreich S Goldwasser J Hastad J Kilian S Micali and P Rogaway Everything

Provable is Probable in ZeroKnowledge In Crypto SpringerVerlag Lecture Notes in Computer

Science Vol pages

M BenOr S Goldwasser J Kilian and A Wigderson MultiProver Interactive Pro ofs How to

Remove Intractability In th ACM Symposium on the Theory of Computing pages

M Blum A De Santis S Micali and G Persiano NonInteractive ZeroKnowledge Pro of Systems

SIAM Journal on Computing Vol No pages Considered the journal version

of

M Blum P Feldman and S Micali NonInteractive ZeroKnowledge and its Applications In th

ACM Symposium on the Theory of Computing pages See

M Blum and S Micali How to Generate Cryptographically Strong Sequences of PseudoRandom Bits

SIAM Journal on Computing Vol pages Preliminary version in rd FOCS

R Boppana J Hastad and S Zachos Do es CoNP Have Short Interactive Pro ofs Information

Processing Letters May pp

G Brassard D Chaum and C Crepeau Minimum Disclosure Pro ofs of Knowledge Journal of Com

puter and System Science Vol No pages Preliminary version by Brassard and

Crepeau in th FOCS

G Brassard and C Crepeau ZeroKnowledge Simulation of Bo olean Circuits In Crypto Springer

Verlag Lecture Notes in Computer Science Vol pages

G Brassard C Crepeau and M Yung ConstantRound Perfect ZeroKnowledge Computationally

Convincing Proto cols Theoretical Computer Science Vol pages

R Canetti Security and Comp osition of Multiparty Cryptographic Proto cols Journal of Cryptology

Vol No pages

R Canetti Universally Comp osable Security A New Paradigm for Cryptographic Proto cols In nd

IEEE Symposium on Foundations of Computer Science pages Full version with dierent

title is available from Cryptology ePrint Archive Rep ort

R Canetti O Goldreich S Goldwasser and S Micali Resettable ZeroKnowledge In nd ACM

Symposium on the Theory of Computing pages

R Canetti O Goldreich and S Halevi The Random Oracle Metho dology Revisited In th ACM

Symposium on the Theory of Computing pages Full version available online from

httpeprintiacrorg

R Canetti J Kilian E Petrank and A Rosen BlackBox Concurrent ZeroKnowledge Requires

log n Rounds In rd ACM Symposium on the Theory of Computing pages

R Canetti Y Lindell R Ostrovsky and A Sahai Universally Comp osable TwoParty and MultiParty

Secure Computation In th ACM Symposium on the Theory of Computing pages

I Damgard Ecient Concurrent ZeroKnowledge in the Auxiliary String Mo del In Eurocrypt

A De Santis G Di Crescenzo R Ostrovsky G Persiano and A Sahai Robust Noninteractive Zero

Knowledge In Crypto Springer Lecture Notes in Computer Science Vol pages

W Die and ME Hellman New Directions in Cryptography IEEE Trans on Info Theory IT

Nov pages

D Dolev C Dwork and M Naor NonMalleable Cryptography SIAM Journal on Computing Vol

No pages Preliminary version in rd STOC

C Dwork M Naor and A Sahai Concurrent ZeroKnowledge In th ACM Symposium on the Theory

of Computing pages

C Dwork and L Sto ckmeyer Round ZeroKnowledge and Pro of Auditors In th ACM Symposium

on the Theory of Computing pages

U Feige S Goldwasser L Lovasz S Safra and M Szegedy Approximating Clique is almost NP

complete Journal of the ACM Vol pages Preliminary version in nd FOCS

U Feige and J Kilian Zero knowledge and the chromatic number In th IEEE Conference on

Computational Complexity pages

U Feige D Lapidot and A Shamir Multiple NonInteractive ZeroKnowledge Pro ofs Under General

Assumptions SIAM Journal on Computing Vol pages

U Feige and A Shamir Witness Indistinguishability and Witness Hiding Proto cols In nd ACM

Symposium on the Theory of Computing pages

U Feige and A Shamir ZeroKnowledge Pro ofs of Knowledge in Two Rounds In Crypto Springer

Verlag LNCS Vol pages

A Fiat and A Shamir How to Prove Yourself Practical Solution to Identication and Signature

Problems In Crypto SpringerVerlag Lecture Notes in Computer Science Vol pages

L Fortnow The Complexity of Perfect ZeroKnowledge In th ACM Symposium on the Theory of

Computing pages

L Fortnow J Romp el and M Sipser On the p ower of multiprover interactive proto cols In Proc rd

IEEE Symp on Structure in Complexity Theory pages

M F urer O Goldreich Y Mansour M Sipser and S Zachos On Completeness and Soundness in

Interactive Pro of Systems Advances in Computing Research a research annual Vol Randomness

and Computation S Micali ed pages

O Goldreich A Uniform Complexity Treatment of Encryption and ZeroKnowledge Journal of Cryp

tology Vol No pages

O Goldreich Notes on Levins Theory of AverageCase Complexity ECCC TR Dec

O Goldreich Secure MultiParty Computation Working draft June

Available from httpwwwwisdomweizmannacilodedpphtml

O Goldreich Modern Cryptography Probabilistic Proofs and Pseudorandomness Algorithms and

Combinatorics series Vol Springer

O Goldreich Foundation of Cryptography Basic Tools Cambridge University Press

O Goldreich Foundation of Cryptography Volume Working drafts for chapters regarding encryption

schemes and signature schemes Revised

Available from httpwwwwisdomweizmannacilodedfocvolhtml

O Goldreich Concurrent ZeroKnowledge With Timing Revisited In th ACM Symposium on the

Theory of Computing pages

O Goldreich S Goldwasser and S Micali How to Construct Random Functions Journal of the ACM

Vol No pages

O Goldreich and J Hastad On the Complexity of Interactive Pro ofs with Bounded Communication

IPL Vol pages

O Goldreich and A Kahan How to Construct ConstantRound ZeroKnowledge Pro of Systems for

NP Journal of Cryptology Vol No pages Preliminary versions date to

O Goldreich and H Krawczyk On the Comp osition of ZeroKnowledge Pro of Systems SIAM Journal

on Computing Vol No February pages

O Goldreich and E Kushilevitz A Perfect ZeroKnowledge Pro of for a Decision Problem Equivalent

to Discrete Logarithm Journal of Cryptology Vol pages

O Goldreich S Micali and A Wigderson Pro ofs that Yield Nothing but their Validity or All Languages

in NP Have ZeroKnowledge Pro of Systems Journal of the ACM Vol No pages

Preliminary version in th FOCS

O Goldreich S Micali and A Wigderson How to Play any Mental Game A Completeness Theorem

for Proto cols with Honest Ma jority In th ACM Symposium on the Theory of Computing pages

See details in

O Goldreich and Y Oren Denitions and Prop erties of ZeroKnowledge Pro of Systems Journal of

Cryptology Vol No pages

O Goldreich R Ostrovsky and E Petrank Knowledge Complexity and Computational Complexity

SIAM Journal on Computing Vol pages

O Goldreich and E Petrank Quantifying Knowledge Complexity Computational Complexity Vol

pages Preliminary version in nd FOCS

O Goldreich A Sahai and S Vadhan HonestVerier Statistical ZeroKnowledge equals general

Statistical ZeroKnowledge In th ACM Symposium on the Theory of Computing pages

O Goldreich A Sahai and S Vadhan Can Statistical ZeroKnowledge b e Made NonInteractive or

On the Relationship of SZK and NISZK In Crypto SpringerVerlag Lecture Notes in Computer

Science Vol pages

O Goldreich and S Vadhan Comparing Entropies in Statistical ZeroKnowledge with Applications to

the Structure of SZK In th IEEE Conference on Computational Complexity pages

S Goldwasser and S Micali Probabilistic Encryption Journal of Computer and System Science

Vol No pages Preliminary version in th STOC

S Goldwasser S Micali and C Racko The Knowledge Complexity of Interactive Pro of Systems

SIAM Journal on Computing Vol pages Preliminary version in th STOC

S Goldwasser and M Sipser Private Coins versus Public Coins in Interactive Pro of Systems Advances

in Computing Research a research annual Vol Randomness and Computation S Micali ed pages

Extended abstract in th STOC pages

J Hastad R Impagliazzo LA Levin and M Luby A Pseudorandom Generator from any Oneway

Function SIAM Journal on Computing Volume Number pages

R Impagliazzo and M Yung Direct ZeroKnowledge Computations In Crypto SpringerVerlag

Lecture Notes in Computer Science Vol pages

J Kilian A Note on Ecient ZeroKnowledge Pro ofs and Arguments In th ACM Symposium on the

Theory of Computing pages

J Kilian and E Petrank An Ecient NonInteractive ZeroKnowledge Pro of System for NP with

General Assumptions Journal of Cryptology Vol pages

J Kilian and E Petrank Concurrent and Resettable ZeroKnowledge in Polylogarithmic Rounds In

rd ACM Symposium on the Theory of Computing pages

LA Levin Average Case Complete Problems SIAM Jour of Computing Vol pages

C Lund L Fortnow H Karlo and N Nisan Algebraic Metho ds for Interactive Pro of Systems

Journal of the ACM Vol No pages Preliminary version in st FOCS

S Micali Computationally Sound Pro ofs SICOMP Vol pages Preliminary

version in th FOCS

M Naor Bit Commitment using Pseudorandom Generators Journal of Cryptology Vol pages

T Okamoto On relationships b etween statistical zeroknowledge pro ofs In th ACM Symposium on

the Theory of Computing pages

R Ostrovsky and A Wigderson OneWay Functions are essential for NonTrivial ZeroKnowledge In

nd Israel Symp on Theory of Computing and Systems IEEE Comp So c Press pages

E Petrank and G Tardos On the Knowledge Complexity of NP In th IEEE Symposium on

Foundations of Computer Science pages

M Prabhakaran A Rosen and A Sahai Concurrent ZeroKnowledge Pro ofs in Logarithmic Number

of Rounds In rd IEEE Symposium on Foundations of Computer Science

R Richardson and J Kilian On the Concurrent Comp osition of ZeroKnowledge Pro ofs In Euro

Crypt Springer LNCS pages

R Rivest A Shamir and L Adleman A Metho d for Obtaining Digital Signatures and Public Key

Cryptosystems Communications of the ACM Vol Feb pages

A Sahai and S Vadhan A Complete Promise Problem for Statistical ZeroKnowledge In th IEEE

Symposium on Foundations of Computer Science pages

A Shamir IP PSPACE Journal of the ACM Vol No pages Preliminary

version in st FOCS

S Vadhan A Study of Statistical ZeroKnowledge Pro ofs PhD Thesis Department of Mathematics

MIT ACM Doctoral Dissertation Award To b e published by SpringerVerlag for receiving

AC Yao Theory and Application of Trapdo or Functions In rd IEEE Symposium on Foundations

of Computer Science pages

AC Yao How to Generate and Exchange Secrets In th IEEE Symposium on Foundations of

Computer Science pages